公开(公告)号：US08953806B2

公开(公告)日：2015-02-10

申请号：US14039440

申请日：2013-09-27

Applicant: Intel Corporation

Inventor： Vincent R. Scarlata

IPC: H04L9/00 ,  G06F21/00 ,  G06F21/57 ,  G06F21/72 ,  H04L29/06 ,  G06F9/455 ,  H04L9/08

CPC classification number: G06F21/72 ,  G06F9/45533 ,  G06F9/45558 ,  G06F21/00 ,  G06F21/57 ,  G06F21/602 ,  G06F2009/4557 ,  G06F2009/45583 ,  G06F2009/45595 ,  H04L9/08 ,  H04L9/0825 ,  H04L9/0897 ,  H04L63/0428 ,  H04L67/10

Abstract: A virtual security coprocessor is created in a first processing system. The virtual security coprocessor is then transferred to a second processing system, for use by the second processing system. For instance, the second processing system may use the virtual security coprocessor to provide attestation for the second processing system. In an alternative embodiment, a virtual security coprocessor from a first processing system is received at a second processing system. After receiving the virtual security coprocessor from the first processing system, the second processing system uses the virtual security coprocessor. Other embodiments are described and claimed.

公开(公告)号：US11782849B2

公开(公告)日：2023-10-10

申请号：US17367349

申请日：2021-07-03

Applicant: Intel Corporation

Inventor： Carlos V. Rozas ,  Mona Vij ,  Rebekah M. Leslie-Hurd ,  Krystof C. Zmudzinski ,  Somnath Chakrabarti ,  Francis X. Mckeen ,  Vincent R. Scarlata ,  Simon P. Johnson ,  Ilya Alexandrovich ,  Gilbert Neiger ,  Vedvyas Shanbhogue ,  Ittai Anati

IPC: G06F12/14 ,  G06F21/60 ,  G06F9/30 ,  G06F21/53 ,  G06F8/41 ,  G06F9/455

CPC classification number: G06F12/1408 ,  G06F8/41 ,  G06F9/30145 ,  G06F9/45558 ,  G06F12/1441 ,  G06F12/1483 ,  G06F21/53 ,  G06F21/602 ,  G06F2009/4557 ,  G06F2009/45587 ,  G06F2212/1052

Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.

公开(公告)号：US10708067B2

公开(公告)日：2020-07-07

申请号：US15201400

申请日：2016-07-02

Applicant: Intel Corporation

Inventor： Vincent R. Scarlata ,  Francis X. McKeen ,  Carlos V. Rozas ,  Simon P. Johnson ,  Bo Zhang ,  James D. Beaney, Jr. ,  Piotr Zmijewski ,  Wesley Hamilton Smith ,  Eduardo Cabre ,  Uday R. Savagaonkar

IPC: H04L9/32 ,  H04L9/08 ,  G09C1/00 ,  H04L29/06 ,  H04L9/14

Abstract: Embodiments include systems, methods, computer readable media, and devices configured to, for a first processor of a platform, generate a platform root key; create a data structure to encapsulate the platform root key, the data structure comprising a platform provisioning key and an identification of a registration service; and transmit, on a secure connection, the data structure to the registration service to register the platform root key for the first processor of the platform. Embodiments include systems, methods, computer readable media, and devices configured to store a device certificate received from a key generation facility; receive a manifest from a platform, the manifest comprising an identification of a processor associated with the platform; and validate the processor using a stored device certificate.

公开(公告)号：US10592421B2

公开(公告)日：2020-03-17

申请号：US15250787

申请日：2016-08-29

Applicant: Intel Corporation

Inventor： Carlos V. Rozas ,  Ilya Alexandrovich ,  Ittai Anati ,  Alex Berenzon ,  Michael A. Goldsmith ,  Barry E. Huntley ,  Anton Ivanov ,  Simon P. Johnson ,  Rebekah M. Leslie-Hurd ,  Francis X. McKeen ,  Gilbert Neiger ,  Rinat Rappoport ,  Scott D. Rodgers ,  Uday R. Savagaonkar ,  Vincent R. Scarlata ,  Vedvyas Shanbhogue ,  Wesley H. Smith ,  William C. Wood

IPC: G06F12/00 ,  G06F12/08 ,  G06F13/00 ,  G06F12/0875 ,  G06F12/0808 ,  G06F12/1027

Abstract: Instructions and logic provide advanced paging capabilities for secure enclave page caches. Embodiments include multiple hardware threads or processing cores, a cache to store secure data for a shared page address allocated to a secure enclave accessible by the hardware threads. A decode stage decodes a first instruction specifying said shared page address as an operand, and execution units mark an entry corresponding to an enclave page cache mapping for the shared page address to block creation of a new translation for either of said first or second hardware threads to access the shared page. A second instruction is decoded for execution, the second instruction specifying said secure enclave as an operand, and execution units record hardware threads currently accessing secure data in the enclave page cache corresponding to the secure enclave, and decrement the recorded number of hardware threads when any of the hardware threads exits the secure enclave.

公开(公告)号：US10528721B2

公开(公告)日：2020-01-07

申请号：US15298416

申请日：2016-10-20

Applicant: INTEL CORPORATION

Inventor： Kapil Sood ,  Somnath Chakrabarti ,  Wei Shen ,  Carlos V. Rozas ,  Mona Vij ,  Vincent R. Scarlata

IPC: G06F21/53 ,  G06F9/4401 ,  G06F9/455 ,  G06F21/79 ,  G06F12/1036 ,  G06F12/109 ,  G06F12/14 ,  G06F21/57 ,  G06F8/61 ,  H04L12/24

Abstract: Methods and apparatus for implemented trusted packet processing for multi-domain separatization and security. Secure enclaves are created in system memory of a compute platform configured to support a virtualized execution environment including a plurality of virtual machines (VMs) or containers, each secure enclave occupying a respective protected portion of the system memory, wherein software code external from a secure enclave cannot access code or data within a secure enclave, and software code in a secure enclave can access code and data both within the secure enclave and external to the secure enclave. Software code for implementing packet processing operations is installed in the secure enclaves. The software in the secure enclaves is then executed to perform the packet processing operations. Various configurations of secure enclaves and software code may be implemented, including configurations supporting service chains both within a VM or contain or across multiple VMs or containers, as well a parallel packet processing operations.

公开(公告)号：US10409597B2

公开(公告)日：2019-09-10

申请号：US15972573

申请日：2018-05-07

Applicant: Intel Corporation

Inventor： Rebekah Leslie-Hurd ,  Carlos V. Rozas ,  Vincent R. Scarlata ,  Simon P. Johnson ,  Uday R. Savagaonkar ,  Barry E. Huntley ,  Vedvyas Shanbhogue ,  Ittai Anati ,  Francis X. Mckeen ,  Michael A. Goldsmith ,  Ilya Alexandrovich ,  Alex Berenzon ,  Wesley H. Smith ,  Gilbert Neiger

IPC: G06F12/00 ,  G06F9/30 ,  G06F12/0875 ,  G06F9/44 ,  G06F12/084 ,  G06F12/14

Abstract: Embodiments of an invention for memory management in secure enclaves are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive a first instruction and a second instruction. The execution unit is to execute the first instruction, wherein execution of the first instruction includes allocating a page in an enclave page cache to a secure enclave. The execution unit is also to execute the second instruction, wherein execution of the second instruction includes confirming the allocation of the page.

公开(公告)号：US20190228159A1

公开(公告)日：2019-07-25

申请号：US16369279

申请日：2019-03-29

Applicant: Intel Corporation

Inventor： Anna Trikalinou ,  Krystof Zmudzinski ,  Reshma Lal ,  Luis S. Kida ,  Pradeep M. Pappachan ,  Raghunandan Makaram ,  Siddhartha Chhabra ,  Vincent R. Scarlata

IPC: G06F21/57

Abstract: Technologies for filtering transactions includes a compute device, which further includes an accelerator device and an I/O subsystem having an accelerator port. The I/O subsystem is configured to determine whether to enable a global attestation during a boot process of the compute device, receive a transaction from the accelerator device connected to the accelerator port via a coherent accelerator link, and filter the transaction based on a determination of whether to enable the global attestation.

公开(公告)号：US20190034617A1

公开(公告)日：2019-01-31

申请号：US15664489

申请日：2017-07-31

Applicant: Intel Corporation

Inventor： Vincent R. Scarlata ,  Carlos V. Rozas ,  Baiju Patel ,  Barry Huntley ,  Ravi L. Sahita ,  Hormuzd M. Khosravi

IPC: G06F21/44 ,  G06F9/30

Abstract: Data integrity logic is executable by a processor to generate a data integrity code using a hardware-based secret. A container manager, executable by the processor, creates a secured container including report generation logic that determines measurements of the secured container, generates a report according to a defined report format, and sends a quote request including the report. The defined report format includes a field to include the measurements and a field to include the data integrity code, and the report format is compatible for consumption by any one of a plurality of different quote creator types.

公开(公告)号：US10152600B2

公开(公告)日：2018-12-11

申请号：US15059485

申请日：2016-03-03

Applicant: Intel Corporation

Inventor： Carlos V. Rozas ,  Vincent R. Scarlata

IPC: G06F21/57 ,  G06F9/455 ,  G06F21/53

Abstract: An embodiment: (a) receives a request for a measurement of a hypervisor from at least one computing node that is external to the at least one machine; (b) executes a previously measured measuring agent to measure the hypervisor, after the hypervisor is measured and booted, to generate a measurement while: (b)(i) the at least one machine is in virtual machine extension (VMX) root operation, and (b)(ii) the measuring agent is in a protected mode; (c) attest to the measurement, based on at least one encryption credential, to generate an attested measurement output; and (d) communicate the attested measurement output to the at least one computing node. The hypervisor does not include the at least one encryption credential while the measuring agent is measuring the booted hypervisor. Other embodiments are described herein.

公开(公告)号：US10019601B2

公开(公告)日：2018-07-10

申请号：US15079579

申请日：2016-03-24

Applicant: Intel Corporation

Inventor： Vincent R. Scarlata ,  Simon P. Johnson ,  Carlos V. Rozas ,  Francis X. McKeen ,  Ittai Anati ,  Ilya Alexandrovich ,  Rebekah M. Leslie-Hurd

IPC: G06F21/64 ,  H04L29/06 ,  G06F21/62 ,  G06F21/74 ,  G06F21/81 ,  G06F21/85

CPC classification number: G06F21/64 ,  G06F21/62 ,  G06F21/74 ,  G06F21/81 ,  G06F21/85 ,  H04L63/061 ,  H04L63/0876

Abstract: An apparatus and method for securely suspending and resuming the state of a processor. For example, one embodiment of a method comprises: generating a data structure including at least the monotonic counter value; generating a message authentication code (MAC) over the data structure using a first key; securely providing the data structure and the MAC to a module executed on the processor; the module verifying the MAC, comparing the monotonic counter value with a counter value stored during a previous suspend operation and, if the counter values match, then loading processor state required for the resume operation to complete. Another embodiment of a method comprises: generating a first key by a processor; securely sharing the first key with an off-processor component; and using the first key to generate a pairing ID usable to identify a pairing between the processor and the off-processor component.