公开(公告)号：US09710401B2

公开(公告)日：2017-07-18

申请号：US14752227

申请日：2015-06-26

Applicant: Intel Corporation

Inventor： Carlos V. Rozas ,  Mona Vij ,  Rebekah M. Leslie-Hurd ,  Krystof C. Zmudzinski ,  Somnath Chakrabarti ,  Francis X. McKeen ,  Vincent R. Scarlata ,  Simon P. Johnson ,  Ilya Alexandrovich ,  Gilbert Neiger ,  Vedvyas Shanbhogue ,  Ittai Anati

IPC: G06F11/30 ,  G06F12/14 ,  G06F21/60 ,  G06F9/30 ,  G06F21/53

CPC classification number: G06F12/1408 ,  G06F8/41 ,  G06F9/30145 ,  G06F9/45558 ,  G06F21/53 ,  G06F21/602 ,  G06F2009/4557 ,  G06F2009/45587 ,  G06F2212/1052

Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.

公开(公告)号：US20160283409A1

公开(公告)日：2016-09-29

申请号：US14671346

申请日：2015-03-27

Applicant: Intel Corporation

Inventor： Prashant Pandey ,  Mona Vij ,  Somnath Chakrabarti ,  Krystof C. Zmudzinski

IPC: G06F12/14 ,  G11C7/10

CPC classification number: G06F21/53 ,  G06F21/57

Abstract: In an embodiment, at least one machine-readable storage medium includes instructions that when executed enable a system to receive, at a special library of a parent process located outside of a parent protected region of the parent process, from the parent protected region of the parent process, a call to create a child process and responsive to the call received at the special library, issue by the special library a first request and a second request. The first request is to execute, by a processor, a non-secure instruction to create the child process. The second request is to execute, by the processor, a first secure instruction to create a child protected region within the child process. Responsive to the first request the child process is to be created and responsive to the second request the child protected region is to be created. Other embodiments are described and claimed.

Abstract translation: 在一个实施例中，至少一个机器可读存储介质包括指令，当被执行时，系统可以在位于父进程的父保护区域之外的父进程的特殊库处接收来自父进程的父保护区域 父进程，调用创建子进程并响应在特殊库中接收的呼叫，由特殊库发出第一请求和第二请求。 第一个请求是由处理器执行非安全指令来创建子进程。 第二个请求是由处理器执行第一个安全指令，以在子进程中创建子保护区域。 响应于第一个请求，子进程将被创建并响应第二个请求创建子保护区域。 描述和要求保护其他实施例。

公开(公告)号：US09444627B2

公开(公告)日：2016-09-13

申请号：US14582980

申请日：2014-12-24

Applicant: INTEL CORPORATION

Inventor： Srikanth Varadarajan ,  Reshma Lal ,  Krystof C. Zmudzinski

IPC: H04L29/06 ,  H04L9/32 ,  G06F9/54 ,  G06F9/48 ,  G06F9/44 ,  G06F9/455

CPC classification number: H04L9/3234 ,  G06F9/4406 ,  G06F9/45533 ,  G06F9/45558 ,  G06F9/4843 ,  G06F9/54 ,  G06F21/74 ,  G06F2009/45587 ,  G09C1/00 ,  H04L2209/127

Abstract: Method of providing a Global Platform (GP) compliant Trusted Execution Environment (TEE) starts with main processor executing an application stored in memory device. Application includes client application (CA) and trusted application (TA). Executing the application includes running CA in client process and TA in TEE host process. Client process and TEE host process are separate. Using TEE host process, a request including identifier of the TA is received from client process to open session. Using GP Trusted Services enclave included in TEE host process, TA enclave associated with the identifier is determined and loaded in the TEE host process using the GP Trusted Services enclave to establish the session. Using TEE host process, commands to be invoked in TA enclave and set of parameters needed for commands are received from client process. Using GP Internal APIs, commands in TA enclave associated with identifier are executed. Other embodiments are also described.

Abstract translation: 提供全球平台（GP）兼容的可执行环境（TEE）的方法从执行存储在存储设备中的应用程序的主处理器开始。 应用程序包括客户端应用程序（CA）和可信应用程序（TA）。 执行应用程序包括在客户端进程中运行CA，在TEE主机进程中运行TA。 客户端进程和TEE主机进程是分开的。 使用TEE主机进程，从客户端进程接收到包括TA标识符的请求以打开会话。 使用包含在TEE主机进程中的GP可信服务飞地，使用GP可信服务飞地来确定和加载与TID主机进程相关联的TA标识符以建立会话。 使用TEE主机进程，可以从客户端进程接收在TA包中调用的命令和命令所需的参数集。 使用GP Internal API，执行与标识符相关联的TA包层中的命令。 还描述了其它实施例。