Technologies for trusted I/O for multiple co-existing trusted execution environments under ISA control

    Publication number: US10374805B2

    Publication date: 2019-08-06

    Application number: US14974948

    Filing date: 2015-12-18

    Abstract: Technologies for secure programming of a cryptographic engine include a computing device with a cryptographic engine and one or more I/O controllers. The computing device establishes one or more trusted execution environments (TEEs). A TEE generates a request to program the cryptographic engine with respect to a DMA channel. The computing device may verify a signed manifest that indicates the TEEs permitted to program DMA channels and, if verified, determine whether the TEE is permitted to program the requested DMA channel. The computing device may record the TEE for a request to protect the DMA channel and may determine whether the programming TEE matches the recorded TEE for a request to unprotect a DMA channel. The computing device may allow the request to unprotect the DMA channel if the programming TEE matches the recorded TEE. Other embodiments are described and claimed.

    Technologies for secure programming of a cryptographic engine for trusted I/O

    Publication number: US10303900B2

    Publication date: 2019-05-28

    Application number: US14979002

    Filing date: 2015-12-22

    Abstract: Technologies for secure programming of a cryptographic engine include a computing device with a cryptographic engine and one or more I/O controllers. The computing device establishes an invoking secure enclave using secure enclave support of a processor. The invoking enclave configures channel programming information, including a channel key, and invokes a processor instruction with the channel programming information as a parameter. The processor generates wrapped programming information including an encrypted channel key and a message authentication code. The encrypted channel key is protected with a key known only to the processor. The invoking enclave provides the wrapped programming information to untrusted software, which invokes a processor instruction with the wrapped programming information as a parameter. The processor unwraps and verifies the wrapped programming information and then programs the cryptographic engine. The processor generates an authenticated response that may be verified by the invoking enclave. Other embodiments are described and claimed.

    Technologies for secure hardware and software attestation for trusted I/O

    Publication number: US10248791B2

    Publication date: 2019-04-02

    Application number: US14974960

    Filing date: 2015-12-18

    Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information. The computing device may collect application attestation information for a trusted application that uses the trusted I/O usage and verify the application attestation information. Other embodiments are described and claimed.

    Nested exception handling
    64.
    Granted patent

    Publication number: US09971702B1

    Publication date: 2018-05-15

    Application number: US15332841

    Filing date: 2016-10-24

    Inventor: Bin Xing

    Abstract: An example system that includes a processor and a memory device. The processor may include multiple execution units to execute instructions and a memory device coupled to the processor. The memory device stores the instructions in an unprotected region and a protected region. The processor may determine that a first exception occurred while executing a first set of instructions for an application stored in a secured page of the protected region. The processor may invoke a first subroutine to forward exception context for the first exception to a second subroutine, where the first subroutine is stored in the protected region and the second subroutine is stored in the unprotected region. The processor may invoke, by the second subroutine, a third subroutine to execute a second set of instructions associated with the exception context for the first exception.

    METHODS AND APPARATUS TO INITIALIZE ENCLAVES ON TARGET PROCESSORS

    Publication number: US20170286721A1

    Publication date: 2017-10-05

    Application number: US15087029

    Filing date: 2016-03-31

    Inventor: Bin Xing

    CPC classification number: G06F21/71 G06F9/44505 G06F12/00 G06F21/74

    Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to initialize enclaves on target processors. An example apparatus includes an image file retriever to retrieve configuration parameters associated with an enclave file, and an address space manager to calculate a minimum virtual address space value for an enclave image layout based on the configuration parameters, and generate an optimized enclave image layout to allow enclave image execution on unknown target processor types by multiplying the minimum address space value with a virtual address factor to determine an optimized virtual address space value for the optimized enclave image layout.

    SUPPORTING FAULT INFORMATION DELIVERY
    67.
    Patent application
    Status: In force

    Publication number: US20160378664A1

    Publication date: 2016-12-29

    Application number: US14752109

    Filing date: 2015-06-26

    Abstract: A processor implementing techniques to support fault information delivery is disclosed. In one embodiment, the processor includes a memory controller unit to access an enclave page cache (EPC) and a processor core coupled to the memory controller unit. The processor core is to detect a fault associated with accessing the EPC and to generate an error code associated with the fault. The error code reflects an EPC-related fault cause. The processor core is further to encode the error code into a data structure associated with the processor core. The data structure is for monitoring a hardware state related to the processor core.


    Fast and scalable concurrent queuing system
    68.
    Granted patent
    Status: In force

    Publication number: US09116739B2

    Publication date: 2015-08-25

    Application number: US13829214

    Filing date: 2013-03-14

    CPC classification number: G06F9/46 G06F9/4881 G06F9/52 G06F9/526 G06F2209/548

    Abstract: This disclosure is directed to a fast and scalable concurrent queuing system. A device may comprise, for example, at least a memory module and a processing module. The memory module may store a queue comprising at least a head and a tail. The processing module may execute at least one thread desiring to enqueue at least one new node to the queue; enqueue the at least one new node to the queue, a first state being observed based on information in the tail identifying a predecessor node when the at least one new node is enqueued; observe a second state based on the predecessor node; determine whether the predecessor node has changed by comparing the first state to the second state; and set ordering in the queue based on the determination.

