公开(公告)号：US20170364707A1

公开(公告)日：2017-12-21

申请号：US15628008

申请日：2017-06-20

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Gideon Gerzon ,  Baruch Chaikin ,  Siddhartha Chhabra ,  Pradeep M. Pappachan ,  Bin Xing

IPC: G06F21/62 ,  G06F21/57 ,  G06F21/60 ,  G06F13/20 ,  G06F21/51

Abstract: Technologies for trusted I/O include a computing device having a processor, a channel identifier filter, and an I/O controller. The I/O controller may generate an I/O transaction that includes a channel identifier and a memory address. The channel identifier filter verifies that the memory address of the I/O transaction is within a processor reserved memory region associated with the channel identifier. The processor reserved memory region is not accessible to software executed by the computing device. The processor encrypts I/O data at the memory address in response to invocation of a processor feature and copies the encrypted data to a memory buffer outside of the processor reserved memory region. The processor may securely clean the processor reserved memory region before encrypting and copying the data. The processor may wrap and unwrap programming information for the channel identifier filter. Other embodiments are described and claimed.

公开(公告)号：US09678894B2

公开(公告)日：2017-06-13

申请号：US14671659

申请日：2015-03-27

Applicant: Intel Corporation

Inventor： Jungju Oh ,  Siddhartha Chhabra ,  David M. Durham

IPC: G06F12/14 ,  G06F21/60

CPC classification number: G06F12/1408 ,  G06F12/0875 ,  G06F21/602 ,  G06F2212/1052

Abstract: Systems, apparatuses and methods may provide for receiving an incoming request to access a memory region protected by counter mode encryption and a counter tree structure having a plurality of levels. Additionally, the incoming request may be accepted and a determination may be made as to whether to suspend the incoming request on a per-level basis with respect to the counter tree structure.

公开(公告)号：US20170091119A1

公开(公告)日：2017-03-30

申请号：US14865304

申请日：2015-09-25

Applicant: Intel Corporation

Inventor： Siddhartha Chhabra ,  Binata Bhattacharyya ,  Raghunandan Makaram ,  Brian S. Morris

IPC: G06F12/14 ,  H04L9/30 ,  G06F12/0802 ,  H04L9/32

CPC classification number: G06F12/1408 ,  G06F12/08 ,  G06F12/0802 ,  G06F12/1466 ,  G06F2212/1052 ,  G06F2212/402 ,  G06F2212/60 ,  H04L9/0637 ,  H04L9/30 ,  H04L9/3242

Abstract: A server, processing device and/or processor includes a processing core and a memory controller, operatively coupled to the processing core, to access data in an off-chip memory. A memory encryption engine (MEE) may be operatively coupled to the memory controller and the off-chip memory. The MEE may store non-MEE metadata bits within a modified version line corresponding to ones of a plurality of data lines stored in a protected region of the off-chip memory, compute an embedded message authentication code (eMAC) using the modified version line, and detect an attempt to modify one of the non-MEE metadata bits by using the eMAC within a MEE tree walk to authenticate access to the plurality of data lines. The non-MEE metadata bits may store coherence bits that track changes to a cache line in a remote socket, poison bits that track error containment within the data lines, and possibly other metadata bits.

公开(公告)号：US20160380985A1

公开(公告)日：2016-12-29

申请号：US14752379

申请日：2015-06-26

Applicant: Intel Corporation

Inventor： Siddhartha Chhabra ,  Prashant Dewan ,  Reshma Lal ,  Ulhas S. Warrier

IPC: H04L29/06

CPC classification number: H04L63/061 ,  G06F21/74 ,  G06F21/82 ,  H04L63/062 ,  H04L63/0876 ,  H04L67/146 ,  H04L2463/062

Abstract: According to an embodiment provided herein, there is provided a system that binds a trusted output session to a trusted input session. The system includes a processor to execute an enclave application in an architecturally protected memory. The system includes at least one logic unit forming a trusted entity to, responsive to a request to set up a trusted I/O session, generate a unique session identifier logically associated with the trusted I/O session and set a trusted I/O session indicator to a first state. The system includes at least one logic unit forming a cryptographic module to, responsive to the request to set up the trusted I/O session, receive an encrypted encryption key and the unique session identifier from the enclave application; verify the unique session identifier; and responsive a successful verification, decrypt and save the decrypted encryption key in an encryption key register.

Abstract translation: 根据本文提供的实施例，提供了将可信输出会话绑定到可信输入会话的系统。 该系统包括处理器，用于在架构受保护的存储器中执行飞地应用。 系统包括形成可信实体的至少一个逻辑单元，以响应于建立可信I / O会话的请求，生成与可信I / O会话逻辑关联的唯一会话标识符，并设置可信任I / O会话 指标到第一个状态。 该系统包括形成加密模块的至少一个逻辑单元，以响应于建立可信I / O会话的请求，从飞地应用接收加密的加密密钥和唯一的会话标识符; 验证唯一会话标识符; 并响应成功的验证，解密并将解密的加密密钥保存在加密密钥寄存器中。

公开(公告)号：US20160364338A1

公开(公告)日：2016-12-15

申请号：US14738037

申请日：2015-06-12

Applicant: INTEL CORPORATION

Inventor： Krystof C. Zmudzinski ,  Siddhartha Chhabra ,  Uday R. Savagaonkar ,  Simon P. Johnson ,  Rebekah M. Leslie-Hurd ,  Francis X. McKeen ,  Gilbert Neiger ,  Raghunandan Makaram ,  Carlos V. Rozas ,  Amy L. Santoni ,  Vincent R. Scarlata ,  Vedvyas Shanbhogue ,  Ilya Alexandrovich ,  Ittai Anati ,  Wesley H. Smith ,  Michael Goldsmith

IPC: G06F12/10

CPC classification number: G06F12/1009 ,  G06F9/455 ,  G06F9/45558 ,  G06F12/1027 ,  G06F12/1036 ,  G06F12/1045 ,  G06F12/109 ,  G06F12/1441 ,  G06F2009/45583 ,  G06F2212/1016 ,  G06F2212/1052 ,  G06F2212/151 ,  G06F2212/657 ,  G06F2212/684

Abstract: A processor for supporting secure memory intent is disclosed. The processor of the disclosure includes a memory execution unit to access memory and a processor core coupled to the memory execution unit. The processor core is to receive a request to access a convertible page of the memory. In response to the request, the processor core to determine an intent for the convertible page in view of a page table entry (PTE) corresponding to the convertible page. The intent indicates whether the convertible page is to be accessed as at least one of a secure page or a non-secure page.

Abstract translation: 公开了一种用于支持安全存储器意图的处理器。 本公开的处理器包括存储器存储器执行单元和耦合到存储器执行单元的处理器核心。 处理器核心是接收访问存储器可转换页面的请求。 响应于该请求，处理器核心鉴于对应于可转换页面的页表项目（PTE）来确定可转换页面的意图。 意图表示可转换页面是作为安全页面还是非安全页面中的至少一个访问。

公开(公告)号：US09465933B2

公开(公告)日：2016-10-11

申请号：US13690111

申请日：2012-11-30

Applicant: Intel Corporation

Inventor： Siddhartha Chhabra ,  Reshma Lal ,  Jason Martin ,  Daniel Nemiroff

IPC: G06F21/00 ,  G06F21/50 ,  G06F21/54 ,  G06F21/71

CPC classification number: G06F21/50 ,  G06F21/54 ,  G06F21/71

Abstract: Embodiments of an invention for virtualizing a hardware monotonic counter are disclosed. In one embodiment, an apparatus includes a hardware monotonic counter, virtualization logic, a first non-volatile storage location, and a second non-volatile storage location. The virtualization logic is to create a virtual monotonic counter from the hardware monotonic counter. The first non-volatile storage location is to store an indicator that the count of the hardware monotonic counter has changed. The second non-volatile storage location is to store an indicator that the count of the virtual monotonic counter has changed.

Abstract translation: 公开了用于虚拟化硬件单调计数器的发明的实施例。 在一个实施例中，装置包括硬件单调计数器，虚拟化逻辑，第一非易失性存储位置和第二非易失性存储位置。 虚拟化逻辑是从硬件单调计数器创建一个虚拟单调计数器。 第一个非易失性存储位置是存储硬件单调计数器的计数改变的指示符。 第二非易失性存储位置是存储虚拟单调计数器的计数改变的指示符。

公开(公告)号：US20160283405A1

公开(公告)日：2016-09-29

申请号：US14671659

申请日：2015-03-27

Applicant: Intel Corporation

Inventor： Jungju Oh ,  Siddhartha Chhabra ,  David M. Durham

IPC: G06F12/14 ,  G06F21/60

CPC classification number: G06F12/1408 ,  G06F12/0875 ,  G06F21/602 ,  G06F2212/1052

Abstract: Systems, apparatuses and methods may provide for receiving an incoming request to access a memory region protected by counter mode encryption and a counter tree structure having a plurality of levels. Additionally, the incoming request may be accepted and a determination may be made as to whether to suspend the incoming request on a per-level basis with respect to the counter tree structure.

Abstract translation: 系统，装置和方法可以提供接收访问由计数器模式加密保护的存储器区域的输入请求以及具有多个级别的计数器树结构。 此外，可以接受传入请求，并且可以确定是否根据对等树结构在每个级别的基础上挂起传入请求。

公开(公告)号：US20250103514A1

公开(公告)日：2025-03-27

申请号：US18974472

申请日：2024-12-09

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Pradeep M. Pappachan ,  Luis Kida ,  Krystof Zmudzinski ,  Siddhartha Chhabra ,  Abhishek Basak ,  Alpa Narendra Trivedi ,  Anna Trikalinou ,  David M. Lee ,  Vedvyas Shanbhogue ,  Utkarsh Y. Kakaiya

IPC: G06F12/14 ,  G06F9/38 ,  G06F9/455 ,  G06F12/0802 ,  G06F21/57 ,  G06F21/60 ,  G06F21/64 ,  G06F21/76 ,  G06F21/79 ,  H04L9/06 ,  H04L9/08 ,  H04L9/32 ,  H04L41/046 ,  H04L41/28

Abstract: Technologies for secure device configuration and management include a computing device having an I/O device. A trusted agent of the computing device is trusted by a virtual machine monitor of the computing device. The trusted agent securely commands the I/O device to enter a trusted I/O mode, securely commands the I/O device to set a global lock on configuration registers, receives configuration data from the I/O device, and provides the configuration data to a trusted execution environment. In the trusted I/O mode, the I/O device rejects a configuration command if a configuration register associated with the configuration command is locked and the configuration command is not received from the trusted agent. The trusted agent may provide attestation information to the trusted execution environment. The trusted execution environment may verify the configuration data and the attestation information. Other embodiments are described and claimed.

公开(公告)号：US20250053668A1

公开(公告)日：2025-02-13

申请号：US18929329

申请日：2024-10-28

Applicant: Intel Corporation

Inventor： Barry E. Huntley ,  Hormuzd M. Khosravi ,  Thomas Toll ,  Ramya Jayaram Masti ,  Siddhartha Chhabra ,  Vincent Von Bokern

IPC: G06F21/60 ,  G06F12/06 ,  H04L9/14

Abstract: Embodiments of apparatuses, methods, and systems for scalable multi-key memory encryption are disclosed. In an embodiment, an apparatus includes a core, an encryption unit, and key identification hardware. The core is to write data to and read data from memory regions, each to be identified by a corresponding address. The encryption unit to encrypt data to be written and decrypt data to be read. The key identification hardware is to use a portion of the corresponding address to look up a corresponding key identifier in a key information data structure. The corresponding key identifier is one multiple key identifiers. The corresponding key identifier is to identify which one of multiple encryption keys is to be used to encrypt and decrypt the data.

公开(公告)号：US12189542B2

公开(公告)日：2025-01-07

申请号：US17543267

申请日：2021-12-06

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Pradeep M. Pappachan ,  Luis Kida ,  Krystof Zmudzinski ,  Siddhartha Chhabra ,  Abhishek Basak ,  Alpa Narendra Trivedi ,  Anna Trikalinou ,  David M. Lee ,  Vedvyas Shanbhogue ,  Utkarsh Y. Kakaiya

IPC: G06F12/14 ,  G06F9/38 ,  G06F9/455 ,  G06F12/0802 ,  G06F21/57 ,  G06F21/60 ,  G06F21/64 ,  G06F21/76 ,  G06F21/79 ,  H04L9/06 ,  H04L9/08 ,  H04L9/32 ,  H04L41/046 ,  H04L41/28

Abstract: Technologies for secure device configuration and management include a computing device having an I/O device. A trusted agent of the computing device is trusted by a virtual machine monitor of the computing device. The trusted agent securely commands the I/O device to enter a trusted I/O mode, securely commands the I/O device to set a global lock on configuration registers, receives configuration data from the I/O device, and provides the configuration data to a trusted execution environment. In the trusted I/O mode, the I/O device rejects a configuration command if a configuration register associated with the configuration command is locked and the configuration command is not received from the trusted agent. The trusted agent may provide attestation information to the trusted execution environment. The trusted execution environment may verify the configuration data and the attestation information. Other embodiments are described and claimed.