-
51.
Publication No.: US11625275B2
Publication date: 2023-04-11
Application No.: US17109742
Application date: 2020-12-02
Applicant: Intel Corporation
Inventor: Krystof Zmudzinski, Siddhartha Chhabra, Reshma Lal, Alpa Narendra Trivedi, Luis S. Kida, Pradeep M. Pappachan, Abhishek Basak, Anna Trikalinou
IPC: G06F9/445, G06F9/50, G06F9/455, G06F21/62, G06F12/1009, G06F9/46, G06F13/28, G06F21/85, G06F21/78, G06F21/53, G06F21/57, H04L9/32, H04W12/30, H04W12/48, H04L69/16
Abstract: Technologies for secure I/O include a compute device, which further includes a processor, a memory, a trusted execution environment (TEE), one or more input/output (I/O) devices, and an I/O subsystem. The I/O subsystem includes a device memory access table (DMAT) programmed by the TEE to establish bindings between the TEE and one or more I/O devices that the TEE trusts and a memory ownership table (MOT) programmed by the TEE when a memory page is allocated to the TEE.
-
Publication No.: US11531770B2
Publication date: 2022-12-20
Application No.: US16725267
Application date: 2019-12-23
Applicant: Intel Corporation
Inventor: Pradeep M. Pappachan, Luis S. Kida, Reshma Lal
Abstract: Embodiments are directed to trusted local memory management in a virtualized GPU. An embodiment of an apparatus includes one or more processors including a trusted execution environment (TEE); a GPU including a trusted agent; and a memory, the memory including GPU local memory, the trusted agent to ensure proper allocation/deallocation of the local memory and verify translations between graphics physical addresses (PAs) and PAs for the apparatus, wherein the local memory is partitioned into protection regions including a protected region and an unprotected region, and wherein the protected region is to store a memory permission table maintained by the trusted agent, the memory permission table to include any virtual function assigned to a trusted domain, a per-process graphics translation table to translate between graphics virtual addresses (VAs) and graphics guest PAs (GPAs), and a local memory translation table to translate between graphics GPAs and PAs for the local memory.
-
53.
Publication No.: US20220272076A1
Publication date: 2022-08-25
Application No.: US17743659
Application date: 2022-05-13
Applicant: Intel Corporation
Inventor: Pradeep M. Pappachan, Reshma Lal
Abstract: Embodiments are directed to a session management framework for secure communications between host systems and trusted devices. An embodiment of computer-readable storage mediums includes instructions for establishing a security agreement between a host system and a trusted device, the host device including a trusted execution environment (TEE); initiating a key exchange between the host system and the trusted device, including sending a key agreement message from the host system to the trusted device; sending an initialization message to the trusted device; validating capabilities of the trusted device for a secure communication session between the host system and the trusted device; provisioning secrets to the trusted device and initializing cryptographic parameters with the trusted device; and sending an activate session message to the trusted device to activate the secure communication session over a secure communication channel.
-
Publication No.: US11423171B2
Publication date: 2022-08-23
Application No.: US16725187
Application date: 2019-12-23
Applicant: Intel Corporation
Inventor: Lawrence A. Booth, Jr., Salessawi Ferede Yitbarek, Reshma Lal, Pradeep M. Pappachan, Brent D. Thomas
Abstract: Embodiments are directed to protection of privacy and data on smart edge devices. An embodiment of an apparatus includes a sensor to produce a stream of sensor data; an analytics mechanism; and a trusted execution environment (TEE) including multiple keys for data security, the apparatus to exchange keys with a host server to establish one or more secure communication channels between the apparatus and a TEE on a host server, process the stream of sensor data utilizing the analytics mechanism to generate metadata, perform encryption and integrity protection of the metadata utilizing a key from the TEE for the sensor, sign the metadata utilizing a private key for the analytics mechanism, and transfer the encrypted and integrity protected metadata and the signature to the host server via the one or more secure communication channels in a manner that prevents privileged users on the host from accessing the data.
-
Publication No.: US11423159B2
Publication date: 2022-08-23
Application No.: US16704168
Application date: 2019-12-05
Applicant: Intel Corporation
Inventor: Soham Jayesh Desai, Siddhartha Chhabra, Bin Xing, Pradeep M. Pappachan, Reshma Lal
IPC: H04L29/06, G06F21/60, H04L9/40, G06F21/57, G06F13/28, H04L9/32, G06F21/62, G06F21/85, G09C1/00, G06F13/20, H04L9/06, G06F21/51
Abstract: Technologies for trusted I/O include a computing device having a hardware cryptographic agent, a cryptographic engine, and an I/O controller. The hardware cryptographic agent intercepts a message from the I/O controller and identifies boundaries of the message. The message may include multiple DMA transactions, and the start of message is the start of the first DMA transaction. The cryptographic engine encrypts the message and stores the encrypted data in a memory buffer. The cryptographic engine may skip and not encrypt header data starting at the start of message or may read a value from the header to determine the skip length. In some embodiments, the cryptographic agent and the cryptographic engine may be an inline cryptographic engine. In some embodiments, the cryptographic agent may be a channel identifier filter, and the cryptographic engine may be processor-based. Other embodiments are described and claimed.
-
56.
Publication No.: US11349817B2
Publication date: 2022-05-31
Application No.: US16725343
Application date: 2019-12-23
Applicant: Intel Corporation
Inventor: Pradeep M. Pappachan, Reshma Lal
Abstract: Embodiments are directed to a session management framework for secure communications between host systems and trusted devices. An embodiment of computer-readable storage mediums includes instructions for establishing a security agreement between a host system and a trusted device, the host device including a trusted execution environment (TEE); initiating a key exchange between the host system and the trusted device, including sending a key agreement message from the host system to the trusted device; sending an initialization message to the trusted device; validating capabilities of the trusted device for a secure communication session between the host system and the trusted device; provisioning secrets to the trusted device and initializing cryptographic parameters with the trusted device; and sending an activate session message to the trusted device to activate the secure communication session over a secure communication channel.
-
Publication No.: US20220091998A1
Publication date: 2022-03-24
Application No.: US17543267
Application date: 2021-12-06
Applicant: Intel Corporation
Inventor: Reshma Lal, Pradeep M. Pappachan, Luis Kida, Krystof Zmudzinski, Siddhartha Chhabra, Abhishek Basak, Alpa Narendra Trivedi, Anna Trikalinou, David M. Lee, Vedvyas Shanbhogue, Utkarsh Y. Kakaiya
IPC: G06F12/14, H04L9/32, G06F21/76, G06F21/60, H04L9/08, G06F9/455, G06F21/57, G06F21/64, H04L12/24, G06F21/79, H04L9/06, G06F9/38, G06F12/0802
Abstract: Technologies for secure device configuration and management include a computing device having an I/O device. A trusted agent of the computing device is trusted by a virtual machine monitor of the computing device. The trusted agent securely commands the I/O device to enter a trusted I/O mode, securely commands the I/O device to set a global lock on configuration registers, receives configuration data from the I/O device, and provides the configuration data to a trusted execution environment. In the trusted I/O mode, the I/O device rejects a configuration command if a configuration register associated with the configuration command is locked and the configuration command is not received from the trusted agent. The trusted agent may provide attestation information to the trusted execution environment. The trusted execution environment may verify the configuration data and the attestation information. Other embodiments are described and claimed.
-
Publication No.: US11228420B2
Publication date: 2022-01-18
Application No.: US16706095
Application date: 2019-12-06
Applicant: INTEL CORPORATION
Inventor: Pradeep M. Pappachan, Reshma Lal, Rakesh A. Ughreja, Kumar N. Dwarakanath, Victoria C. Moore
IPC: H04L29/06, H04L9/00, G06F9/54, G06F21/83, G06F21/44, G06F21/84, G06F21/57, G06F21/60, H04L9/08
Abstract: Systems and methods include establishing a cryptographically secure communication between an application module and an audio module. The application module is configured to execute on an information-handling machine, and the audio module is coupled to the information-handling machine. The establishment of the cryptographically secure communication may be at least partially facilitated by a mutually trusted module.
-
59.
Publication No.: US20210319118A1
Publication date: 2021-10-14
Application No.: US17304391
Application date: 2021-06-21
Applicant: Intel Corporation
Inventor: Pradeep M. Pappachan, Siddhartha Chhabra, Bin Xing, Reshma Lal, Baruch Chaikin
Abstract: In one embodiment, an apparatus includes a channel filter and a security processor. The security processor is to: receive a plurality of device access control policies from a protected non-volatile storage of a platform; determine whether the plurality of device access control policies are verified; program the channel filter with a plurality of filter entries each associated with one of the plurality of device access control policies based on the determination; and remove a security attribute of the security processor from a policy register of the channel filter, to lock the channel filter for a boot cycle of the platform. Other embodiments are described and claimed.
-
60.
Publication No.: US20210117576A1
Publication date: 2021-04-22
Application No.: US17109742
Application date: 2020-12-02
Applicant: Intel Corporation
Inventor: Krystof Zmudzinski, Siddhartha Chhabra, Reshma Lal, Alpa Narendra Trivedi, Luis S. Kida, Pradeep M. Pappachan, Abhishek Basak, Anna Trikalinou
IPC: G06F21/78, G06F9/455, G06F9/46, G06F9/50, G06F12/1009, G06F13/28, G06F21/53, G06F21/57, G06F21/62, G06F21/85, H04L9/32
Abstract: Technologies for secure I/O include a compute device, which further includes a processor, a memory, a trusted execution environment (TEE), one or more input/output (I/O) devices, and an I/O subsystem. The I/O subsystem includes a device memory access table (DMAT) programmed by the TEE to establish bindings between the TEE and one or more I/O devices that the TEE trusts and a memory ownership table (MOT) programmed by the TEE when a memory page is allocated to the TEE.