Method, apparatus, system, and computer readable medium to provide secure operation
    Granted patent (in force)

    Publication No.: US09058494B2

    Publication date: 2015-06-16

    Application No.: US13838038

    Filing date: 2013-03-15

    Inventor: Bin Xing

    CPC classification number: G06F21/60 G06F21/53 G06F21/6218 G06F21/72 G06F21/74

    Abstract: Technologies are provided in embodiments for receiving an enclave program for operation in an enclave, identifying at least one shared object dependency of the enclave program, determining whether the shared object dependency corresponds to at least one enclave shared object, causing association between the shared object dependency and the enclave shared object in circumstances where the shared object dependency corresponds to the enclave shared object, and causing association between the shared object dependency and an enclave-loadable non-enclave shared object in circumstances where the shared object dependency fails to correspond to the enclave shared object.

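    The dependency-resolution policy of the abstract above, as an added example that is not the patent's own code: each shared object dependency of the enclave program is bound to an enclave shared object when one exists, otherwise to an enclave-loadable non-enclave shared object. Refusing the load when neither exists, resolving dependencies transitively, and every object name and path are this example's own assumptions, not statements of the abstract.

```python
# Added example (not from the patent): a model of the loader policy in the
# abstract. Enclave shared objects win over a same-named enclave-loadable
# non-enclave object, so an ordinary library cannot shadow a trusted one.
# Refusal on an unresolved dependency and transitive resolution are this
# example's choices; object names and paths are hypothetical.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SharedObject:
    name: str
    path: str
    needed: tuple = ()          # DT_NEEDED-style dependencies of this object


@dataclass
class Resolution:
    bindings: dict = field(default_factory=dict)   # dependency name -> (kind, path)
    unresolved: list = field(default_factory=list)

    @property
    def ok(self):
        return not self.unresolved


def resolve(needed, enclave_objs, loadable_objs):
    """needed: dependency names of the enclave program.
    enclave_objs / loadable_objs: name -> SharedObject for the two inventories."""
    res = Resolution()
    seen = set()
    worklist = list(needed)
    while worklist:
        dep = worklist.pop(0)
        if dep in seen:
            continue
        seen.add(dep)
        if dep in enclave_objs:                 # corresponds to an enclave shared object
            obj = enclave_objs[dep]
            res.bindings[dep] = ("enclave", obj.path)
        elif dep in loadable_objs:              # fallback: enclave-loadable non-enclave object
            obj = loadable_objs[dep]
            res.bindings[dep] = ("enclave-loadable", obj.path)
        else:
            res.unresolved.append(dep)          # neither inventory has it: refuse the load
            continue
        worklist.extend(obj.needed)             # resolve transitively (extension of the abstract)
    return res


# Constructed inventories; libm.so is present in both to show precedence.
ENCLAVE_OBJS = {
    "libcrypto_enc.so": SharedObject("libcrypto_enc.so", "/enclave/libcrypto_enc.so", ("libc_enc.so",)),
    "libc_enc.so": SharedObject("libc_enc.so", "/enclave/libc_enc.so"),
    "libm.so": SharedObject("libm.so", "/enclave/libm.so"),
}
LOADABLE_OBJS = {
    "libm.so": SharedObject("libm.so", "/usr/lib/libm.so"),
    "libz.so": SharedObject("libz.so", "/usr/lib/libz.so"),
}


def load_demo():
    return resolve(["libcrypto_enc.so", "libm.so", "libz.so"], ENCLAVE_OBJS, LOADABLE_OBJS)


def load_demo_missing():
    return resolve(["libcrypto_enc.so", "libssl.so"], ENCLAVE_OBJS, LOADABLE_OBJS)


if __name__ == "__main__":
    for r in (load_demo(), load_demo_missing()):
        for name, (kind, path) in r.bindings.items():
            print(f"{name:18} -> {kind:16} {path}")
        print("load ok" if r.ok else f"load refused, unresolved: {r.unresolved}")
```

    The refusal path matters in practice: silently binding an unresolved name to whatever the untrusted host offers would let the host inject code into the enclave's dependency graph.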

    Multiple secure virtual processors for a trust domain

    Publication No.: US12242875B2

    Publication date: 2025-03-04

    Application No.: US17484825

    Filing date: 2021-09-24

    Inventor: Bin Xing

    Abstract: Providing multiple virtual processors (VPs) for a trusted domain (TD) includes creating a virtual processor control structure (VPCS) for one or more of a plurality of VPs of the TD of a processor in a computing system, the TD including a trust domain control structure (TDCS), the plurality of VPs having views into addresses of private memory of the TD, the VPCS for a VP including a secure extended page table (SEPT) for the VP; and for the VP, initializing the VPCS for the VP by copying selected entries of the TDCS to the SEPT of the VPCS, pointing a SEPT pointer to the VPCS, and setting an entry point for starting execution of the VP by the processor.

    DEVICE, METHOD, AND SYSTEM TO DETERMINE AN ACCESS TO A TRUSTED EXECUTION ENVIRONMENT

    Publication No.: US20240202314A1

    Publication date: 2024-06-20

    Application No.: US18084428

    Filing date: 2022-12-19

    CPC classification number: G06F21/53 G06F2221/034

    Abstract: Techniques and mechanisms for a processor core to execute an instruction for a hardware (HW) thread to have access to a trusted execution environment (TEE). In an embodiment, execution of the instruction includes determining whether any sibling HW thread, which is currently active, is also currently approved to access the TEE. TEE access by the HW thread is conditioned upon a requirement that any sibling HW thread is either currently inactive, is currently in the same TEE, or is currently approved to enter the TEE. In another embodiment, execution of another instruction, for the HW thread to exit the TEE, includes or otherwise results in system software being conditionally notified of an opportunity to wake up one or more sibling HW threads.
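    The entry and exit rule of the abstract above, as an added example that is not the patent's own code: a Python model of one physical core whose hardware threads may enter a TEE only while every sibling is inactive, inside the same TEE, or approved for that same TEE. The wake-up condition on exit (notify system software once no sibling remains inside a TEE), the thread states and the TEE names are this example's assumptions.

```python
# Added example (not from the patent): software model of the sibling-thread
# check performed by the TEE-entry instruction and the conditional wake-up
# notification on TEE exit. States, TEE names and the exact wake condition
# are hypothetical.
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional


class State(Enum):
    INACTIVE = auto()   # parked or halted: cannot observe the core
    ACTIVE = auto()     # running ordinary, untrusted code
    APPROVED = auto()   # granted access to a TEE, not yet inside it
    IN_TEE = auto()     # executing inside a TEE


@dataclass
class HwThread:
    tid: int
    state: State = State.ACTIVE
    tee: Optional[str] = None   # TEE the thread is inside or approved for


class TeeEntryDenied(Exception):
    pass


class Core:
    """One physical core with n_threads sibling hardware threads."""

    def __init__(self, n_threads=2):
        self.threads = [HwThread(i) for i in range(n_threads)]

    def siblings(self, tid):
        return [t for t in self.threads if t.tid != tid]

    def approve(self, tid, tee):
        self.threads[tid].state, self.threads[tid].tee = State.APPROVED, tee

    def park(self, tid):
        self.threads[tid].state, self.threads[tid].tee = State.INACTIVE, None

    def enter_tee(self, tid, tee):
        """TEE-entry instruction: refuse unless every sibling is inactive, in
        this same TEE, or approved for this same TEE."""
        for s in self.siblings(tid):
            compatible = (
                s.state is State.INACTIVE
                or (s.state in (State.IN_TEE, State.APPROVED) and s.tee == tee)
            )
            if not compatible:
                raise TeeEntryDenied(
                    f"thread {tid} -> {tee}: sibling {s.tid} is {s.state.name} ({s.tee})")
        self.threads[tid].state, self.threads[tid].tee = State.IN_TEE, tee

    def exit_tee(self, tid):
        """TEE-exit instruction. Returns the parked sibling ids system software
        is told it may wake; empty while a sibling still runs in a TEE (the
        wake condition is this example's assumption)."""
        self.threads[tid].state, self.threads[tid].tee = State.ACTIVE, None
        sibs = self.siblings(tid)
        if any(s.state is State.IN_TEE for s in sibs):
            return []
        return [s.tid for s in sibs if s.state is State.INACTIVE]


def scenario():
    """Exercise the rule on a two-thread core. Returns
    (denied_with_active_sibling, denied_cross_tee, wake_after_inner_exit, wake_after_last_exit)."""
    core = Core(2)
    denied_active = False
    try:
        core.enter_tee(0, "enclave-A")          # sibling 1 is ACTIVE and untrusted: refused
    except TeeEntryDenied:
        denied_active = True

    core.park(1)
    core.enter_tee(0, "enclave-A")              # sibling parked: allowed

    core.approve(1, "enclave-B")                # approved, but for a different TEE
    denied_cross = False
    try:
        core.enter_tee(1, "enclave-B")          # sibling 0 is inside enclave-A: refused
    except TeeEntryDenied:
        denied_cross = True

    core.approve(1, "enclave-A")
    core.enter_tee(1, "enclave-A")              # same TEE as the sibling: allowed
    wake_inner = core.exit_tee(1)               # thread 0 still inside: no wake-up
    core.park(1)
    wake_last = core.exit_tee(0)                # last one out: wake the parked sibling
    return denied_active, denied_cross, wake_inner, wake_last


if __name__ == "__main__":
    print(scenario())
```

    The check is what keeps an attacker-controlled sibling thread from sharing the core's L1 cache, TLB and execution ports with the TEE while it runs; the cross-TEE refusal shows that "approved for some TEE" is not enough, it has to be the same one.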

    Technologies for secure hardware and software attestation for trusted I/O

    Publication No.: US11741230B2

    Publication date: 2023-08-29

    Application No.: US17451922

    Filing date: 2021-10-22

    CPC classification number: G06F21/57 G06F21/602

    Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information. The computing device may collect application attestation information for a trusted application that uses the trusted I/O usage and verify the application attestation information. Other embodiments are described and claimed.

    Technologies for secure hardware and software attestation for trusted I/O

    Publication No.: US11157623B2

    Publication date: 2021-10-26

    Application No.: US16280351

    Filing date: 2019-02-20

    Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information. The computing device may collect application attestation information for a trusted application that uses the trusted I/O usage and verify the application attestation information. Other embodiments are described and claimed.
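    The staged attestation sequence shared by the two "Technologies for secure hardware and software attestation for trusted I/O" entries above (US11741230B2 and US11157623B2), as an added example that is not the patents' own code: hardware attestation of the statically attached components is verified first, secure enumeration of dynamically attached components happens only after that succeeds, then software, firmware and application attestation are verified in turn, and the first failure stops the chain. The component names, image bytes and the use of SHA-256 digests as measurements are this example's assumptions.

```python
# Added example (not from the patents): a verifier that walks the attestation
# stages in the order the abstract describes. Measurements are SHA-256 of
# constructed component images; component names are hypothetical.
import hashlib
from dataclasses import dataclass, field
from typing import Optional


def measure(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


@dataclass
class Platform:
    """Constructed stand-in for the attesting device. Each dict maps a
    component name to the (hypothetical) image bytes it reports."""
    static_hw: dict
    dynamic_hw: dict
    software: dict
    firmware: dict
    application: dict

    def attest(self, components):
        return {name: measure(image) for name, image in components.items()}


@dataclass
class Report:
    passed: list = field(default_factory=list)
    enumerated: list = field(default_factory=list)
    failed: Optional[str] = None

    @property
    def ok(self):
        return self.failed is None


def verify_stage(stage, reported, reference, report):
    """Every reference component must be reported and every digest must match."""
    missing = set(reference) - set(reported)
    if missing:
        report.failed = f"{stage}: missing {sorted(missing)}"
        return False
    for name, digest in reported.items():
        if reference.get(name) != digest:
            report.failed = f"{stage}: {name}"
            return False
    report.passed.append(stage)
    return True


def attest_trusted_io(platform, reference):
    report = Report()
    # 1. Hardware attestation of the statically attached I/O components.
    if not verify_stage("hardware", platform.attest(platform.static_hw), reference["hardware"], report):
        return report                   # nothing is enumerated on an unverified platform
    # 2. Secure enumeration of dynamically attached components, only now.
    report.enumerated = sorted(platform.dynamic_hw)
    # 3. Software attestation of the trusted components loaded during enumeration.
    if not verify_stage("software", platform.attest(platform.software), reference["software"], report):
        return report
    # 4. Firmware loaded in the I/O controllers.
    if not verify_stage("firmware", platform.attest(platform.firmware), reference["firmware"], report):
        return report
    # 5. The application that uses the trusted I/O usage.
    verify_stage("application", platform.attest(platform.application), reference["application"], report)
    return report


def golden_platform():
    return Platform(
        static_hw={"xhci-controller": b"xhci rom v1", "touch-panel": b"panel hw id 0x42"},
        dynamic_hw={"usb-keyboard": b"keyboard"},
        software={"tio-driver": b"tio driver build 17"},
        firmware={"xhci-controller": b"xhci fw 3.1"},
        application={"pin-entry": b"pin entry app 2.0"},
    )


def reference_from(platform):
    return {
        "hardware": platform.attest(platform.static_hw),
        "software": platform.attest(platform.software),
        "firmware": platform.attest(platform.firmware),
        "application": platform.attest(platform.application),
    }


REFERENCE = reference_from(golden_platform())


def check_good():
    return attest_trusted_io(golden_platform(), REFERENCE)


def check_tampered_firmware():
    p = golden_platform()
    p.firmware["xhci-controller"] = b"xhci fw 3.1 + implant"
    return attest_trusted_io(p, REFERENCE)


def check_bad_hardware():
    p = golden_platform()
    p.static_hw["touch-panel"] = b"panel hw id 0x99"
    return attest_trusted_io(p, REFERENCE)


if __name__ == "__main__":
    for name, check in (("good", check_good), ("firmware", check_tampered_firmware), ("hardware", check_bad_hardware)):
        r = check()
        print(name, "ok" if r.ok else f"FAILED at {r.failed}", "passed:", r.passed, "enumerated:", r.enumerated)
```

    The ordering is the security point: a swapped touch panel is caught before any hot-plugged device is enumerated, and a modified controller firmware is caught before the application stage, so a later "good" measurement can never paper over an earlier bad one.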

    Application execution enclave memory page cache management method and apparatus

    Publication No.: US10416890B2

    Publication date: 2019-09-17

    Application No.: US14849222

    Filing date: 2015-09-09

    Abstract: Apparatuses, methods and storage medium associated with application execution enclave cache management are disclosed herein. In embodiments, an apparatus may include one or more processors with support for application execution enclaves; cache memory coupled with the one or more processors to be organized into a plurality of cache pages; and an exception handler to be operated by the one or more processors to handle cache page fault exceptions, wherein to handle cache page fault exceptions includes to handle a cache page fault triggered to request additional allocation of one or more cache pages to an execution enclave of an application. Other embodiments may be described and/or claimed.

    TECHNOLOGIES FOR SECURE ENUMERATION OF USB DEVICES

    Publication No.: US20190272394A1

    Publication date: 2019-09-05

    Application No.: US16417907

    Filing date: 2019-05-21

    Abstract: Technologies for secure enumeration of USB devices include a computing device having a USB controller and a trusted execution environment (TEE). The TEE may be a secure enclave protected by the secure enclave support of the processor. In response to a USB device connecting to the USB controller, the TEE sends a secure command to the USB controller to protect a device descriptor for the USB device. The secure command may be sent over a secure channel to a static USB device. A driver sends a get device descriptor request to the USB device, and the USB device responds with the device descriptor. The USB controller redirects the device descriptor to a secure memory buffer, which may be located in a trusted I/O processor reserved memory region. The TEE retrieves and validates the device descriptor. If validated, the TEE may enable the USB device for use. Other embodiments are described and claimed.
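    The validation step of the abstract above, as an added example that is not the patent's own code: the TEE parses the standard 18-byte USB device descriptor it retrieved from the secure buffer, rejects malformed descriptors, and enables the device only if it presents the identity the trusted I/O usage was provisioned with. The descriptor layout is from the USB 2.0 specification (table 9-8); the vendor/product identifiers, the class check and the provisioning policy are this example's assumptions.

```python
# Added example (not from the patent): parse and validate a USB device
# descriptor as the TEE would before enabling the device. Descriptor layout
# per the USB 2.0 specification; VID/PID and policy values are hypothetical.
import struct
from dataclasses import dataclass

DEVICE_DESCRIPTOR_FMT = "<BBHBBBBHHHBBBB"       # little-endian, 18 bytes
DEVICE_DESCRIPTOR_LEN = struct.calcsize(DEVICE_DESCRIPTOR_FMT)
DESCRIPTOR_TYPE_DEVICE = 0x01


@dataclass(frozen=True)
class DeviceDescriptor:
    bLength: int
    bDescriptorType: int
    bcdUSB: int
    bDeviceClass: int
    bDeviceSubClass: int
    bDeviceProtocol: int
    bMaxPacketSize0: int
    idVendor: int
    idProduct: int
    bcdDevice: int
    iManufacturer: int
    iProduct: int
    iSerialNumber: int
    bNumConfigurations: int


class DescriptorRejected(ValueError):
    pass


def parse_device_descriptor(buf: bytes) -> DeviceDescriptor:
    """Parse and sanity-check the bytes the controller placed in the secure
    buffer. Everything in them came from the device and is untrusted."""
    if len(buf) < DEVICE_DESCRIPTOR_LEN:
        raise DescriptorRejected(f"short descriptor: {len(buf)} bytes")
    d = DeviceDescriptor(*struct.unpack_from(DEVICE_DESCRIPTOR_FMT, buf))
    if d.bLength != DEVICE_DESCRIPTOR_LEN:
        raise DescriptorRejected(f"bLength {d.bLength} != {DEVICE_DESCRIPTOR_LEN}")
    if d.bDescriptorType != DESCRIPTOR_TYPE_DEVICE:
        raise DescriptorRejected(f"bDescriptorType {d.bDescriptorType:#x} is not DEVICE")
    # Endpoint-0 max packet size: 8/16/32/64 for USB 1.x/2.0, exponent 9 (512) for USB 3.x.
    if d.bcdUSB >= 0x0300:
        ok_mps = d.bMaxPacketSize0 == 9
    else:
        ok_mps = d.bMaxPacketSize0 in (8, 16, 32, 64)
    if not ok_mps:
        raise DescriptorRejected(f"bMaxPacketSize0 {d.bMaxPacketSize0} invalid for bcdUSB {d.bcdUSB:#06x}")
    if d.bNumConfigurations == 0:
        raise DescriptorRejected("device reports no configurations")
    return d


@dataclass(frozen=True)
class UsagePolicy:
    """Identity the trusted I/O usage was provisioned with for this port (hypothetical)."""
    id_vendor: int
    id_product: int
    device_class: int


def validate_for_usage(d: DeviceDescriptor, policy: UsagePolicy) -> bool:
    """TEE decision: vendor, product and device class must all match, so a
    device that spoofs the right VID/PID but claims another class is refused."""
    return (
        d.idVendor == policy.id_vendor
        and d.idProduct == policy.id_product
        and d.bDeviceClass == policy.device_class
    )


def enumerate_securely(secure_buffer: bytes, policy: UsagePolicy) -> bool:
    """True when the TEE would enable the device, False when it stays disabled."""
    try:
        d = parse_device_descriptor(secure_buffer)
    except DescriptorRejected:
        return False
    return validate_for_usage(d, policy)


def make_descriptor(id_vendor, id_product, device_class=0x00, bcd_usb=0x0200, length=DEVICE_DESCRIPTOR_LEN):
    """Build a constructed descriptor for testing; all values are hypothetical."""
    return struct.pack(DEVICE_DESCRIPTOR_FMT, length, DESCRIPTOR_TYPE_DEVICE, bcd_usb,
                       device_class, 0x00, 0x00, 64, id_vendor, id_product, 0x0100, 1, 2, 3, 1)


POLICY = UsagePolicy(id_vendor=0x1234, id_product=0x5678, device_class=0x00)

if __name__ == "__main__":
    print("provisioned device:", enumerate_securely(make_descriptor(0x1234, 0x5678), POLICY))
    print("wrong product:     ", enumerate_securely(make_descriptor(0x1234, 0x9999), POLICY))
    print("truncated:         ", enumerate_securely(make_descriptor(0x1234, 0x5678)[:12], POLICY))
```

    Parsing before policy matters because the descriptor is attacker-controlled input: a length field that disagrees with the buffer, or a buffer shorter than the structure, must fail closed rather than be read past or interpreted with stale bytes from the secure buffer.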

    MECHANISM TO PREVENT SOFTWARE SIDE CHANNELS
    Published application

    Publication No.: US20190251257A1

    Publication date: 2019-08-15

    Application No.: US15897406

    Filing date: 2018-02-15

    Abstract: A processor includes a processing core to identify a code comprising a plurality of instructions to be executed in the architecturally-protected environment, determine that a first physical memory page stored in the architecturally-protected memory matches a first virtual memory page referenced by a first instruction of the plurality of instructions, generate a first address mapping between a first address of the first virtual memory page and a second address of the first physical memory page, store, in the cache memory, an address translation data structure comprising the first address mapping, and execute the code by retrieving the first address mapping stored in the address translation data structure.
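    One small model that illustrates two of the abstracts above, as an added example that is not either patent's code: the exception handler of "Application execution enclave memory page cache management method and apparatus" (US10416890B2) is modelled by `Enclave.handle_fault`, which grants cache pages to the enclave on demand, and "MECHANISM TO PREVENT SOFTWARE SIDE CHANNELS" (US20190251257A1) is modelled by `Enclave.prefill`, which establishes the address mappings for every page the code will reference before it runs. The fault log stands in for what a privileged but untrusted OS observes. Addresses, page size, the cache limit, the secret-dependent access trace and the assumption that prefilled translations are not evicted while the code runs are this example's own.

```python
# Added example (not from the patents): a toy enclave whose page faults are
# visible to the OS. Demand allocation of cache pages (one abstract) leaks
# the order in which pages are first touched; pre-establishing the mappings
# before execution (the other abstract) leaves nothing to observe. All
# addresses, limits and the access pattern are hypothetical.
PAGE = 0x1000


class Enclave:
    def __init__(self, base, n_pages, cache_limit):
        self.base = base
        self.limit = base + n_pages * PAGE
        self.cache_limit = cache_limit        # cache pages this enclave may be granted
        self.mapped = {}                      # address translation structure: vpn -> cache page
        self.fault_log = []                   # page faults as the untrusted OS sees them
        self.next_cache = 0

    def _vpn(self, addr):
        if not (self.base <= addr < self.limit):
            raise MemoryError(f"{addr:#x} is outside the enclave range")
        return (addr - self.base) // PAGE

    def handle_fault(self, vpn):
        """Exception handler: grant one more cache page to the enclave and map it."""
        if self.next_cache >= self.cache_limit:
            raise MemoryError("enclave cache exhausted")
        self.mapped[vpn] = self.next_cache
        self.next_cache += 1

    def access(self, addr):
        """A memory access by enclave code. A missing translation traps to the
        OS-visible fault path before the mapping is created."""
        vpn = self._vpn(addr)
        if vpn not in self.mapped:
            self.fault_log.append(vpn)
            self.handle_fault(vpn)
        return self.mapped[vpn]

    def prefill(self, addrs):
        """Establish translations for every page the code will reference, before it runs."""
        for addr in addrs:
            vpn = self._vpn(addr)
            if vpn not in self.mapped:
                self.handle_fault(vpn)


BASE = 0x7F0000000000
# Constructed secret-dependent access pattern: a lookup table spans pages
# 0..3 of the enclave and each secret nibble selects the page that is read.
SECRET = [2, 0, 3, 1]


def table_lookup_trace(secret):
    return [BASE + nibble * PAGE for nibble in secret]


def observe(secret, prefill, cache_limit=8):
    """Run the lookup and return the fault sequence the OS observes."""
    enc = Enclave(BASE, n_pages=4, cache_limit=cache_limit)
    if prefill:
        # Map the whole table regardless of the secret, before execution.
        enc.prefill(range(BASE, BASE + 4 * PAGE, PAGE))
    for addr in table_lookup_trace(secret):
        enc.access(addr)
    return list(enc.fault_log)


def exhausts(secret, cache_limit):
    """True when demand allocation runs out of cache pages for this trace."""
    try:
        observe(secret, prefill=False, cache_limit=cache_limit)
    except MemoryError:
        return True
    return False


if __name__ == "__main__":
    print("faults without prefill:", observe(SECRET, prefill=False))   # reveals the secret nibbles
    print("faults with prefill:   ", observe(SECRET, prefill=True))
    print("cache of 2 pages exhausted:", exhausts(SECRET, 2))
```

    Only the first touch of each page faults in this model, so a repeated nibble leaks once; a real OS can re-unmap pages to force faults again, which is why the mitigation establishes the mappings ahead of execution rather than relying on them to persist by accident.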
