SYSTEMS, METHODS AND APPARATUS FOR LOW LATENCY MEMORY INTEGRITY MAC FOR TRUST DOMAIN EXTENSIONS

    Publication (Announcement) No.: US20220075738A1

    Publication (Announcement) Date: 2022-03-10

    Application No.: US17475768

    Application Date: 2021-09-15

    Abstract: The disclosed embodiments generally relate to methods, systems and apparatuses to authenticate instructions on a memory circuitry. In an exemplary embodiment, the disclosure relates to a computing device (e.g., a memory protection engine) to protect integrity of one or more memory circuitry. The computing device may include: a key-hash operator configured to provide a Message Authentication Code (MAC) for a Secure Hash Algorithm (SHA) as a function of a hash-key, MAC-key, metadata and data; a multi-round (MR) circuitry configured to receive the MAC from the key-hash operator and to compute substantially all SHA round-functions during each clock cycle, the multi-round circuitry further comprising combination logic to process all sub-round functions of the SHA function substantially simultaneously; and a Memory Integrity Pipeline (MIP) engine to compute a hash digest, the hash digest further comprising a MAC key, a metadata and the cache line data; the MIP further comprising an input prep logic, an SHA pipeline logic and a MAC validation logic.

    Techniques for cipher system conversion

    Publication (Announcement) No.: US11239997B2

    Publication (Announcement) Date: 2022-02-01

    Application No.: US16426746

    Application Date: 2019-05-30

    Abstract: Various embodiments are generally directed to techniques for converting between different cipher systems, such as, for instance, between a cipher system used for a first encryption environment and a different cipher system used for a second encryption environment, for instance. Some embodiments are particularly directed to an encryption engine that supports memory operations between two or more encryption environments. Each encryption environment can use different cipher systems while the encryption engine can translate ciphertext between the different cipher systems. In various embodiments, for instance, the first encryption environment may include a main memory that uses a position dependent cipher system and the second encrypted environment may include a secondary memory that uses a position independent cipher system.

    Link protection for trusted input/output devices

    Publication (Announcement) No.: US11171955B2

    Publication (Announcement) Date: 2021-11-09

    Application No.: US16298588

    Application Date: 2019-03-11

    Abstract: A system on a chip (SoC) includes memory, a processor coupled to the memory, and link protection circuitry coupled to the memory and the processor. The link protection circuitry includes an SoC encryption engine to receive first data from the memory and a first key, generate, by an SoC encryption counter of the SoC encryption engine, an SoC encryption counter value, encrypt the first data using the SoC encryption counter value and the first key to generate first encrypted data, and cause the first encrypted data to be transmitted to a device including a device decryption counter synchronized with the SoC encryption counter.

    Systems, methods and apparatus for low latency memory integrity mac for trust domain extensions

    Publication (Announcement) No.: US11169934B2

    Publication (Announcement) Date: 2021-11-09

    Application No.: US16021496

    Application Date: 2018-06-28

    Abstract: The disclosed embodiments generally relate to methods, systems and apparatuses to authenticate instructions on a memory circuitry. In an exemplary embodiment, the disclosure relates to a computing device (e.g., a memory protection engine) to protect integrity of one or more memory circuitry. The computing device may include: a key-hash operator configured to provide a Message Authentication Code (MAC) for a Secure Hash Algorithm (SHA) as a function of a hash-key, MAC-key, metadata and data; a multi-round (MR) circuitry configured to receive the MAC from the key-hash operator and to compute substantially all SHA round-functions during each clock cycle, the multi-round circuitry further comprising combination logic to process all sub-round functions of the SHA function substantially simultaneously; and a Memory Integrity Pipeline (MIP) engine to compute a hash digest, the hash digest further comprising a MAC key, a metadata and the cache line data; the MIP further comprising an input prep logic, an SHA pipeline logic and a MAC validation logic.

    Method and apparatus for sharing security metadata memory space

    Publication (Announcement) No.: US11126566B2

    Publication (Announcement) Date: 2021-09-21

    Application No.: US16690614

    Application Date: 2019-11-21

    Abstract: The presently disclosed method and apparatus for sharing security metadata memory space proposes a technique to allow metadata sharing between two different encryption techniques. A section of memory encrypted using a first type of encryption and having first security metadata associated therewith is converted to a section of memory encrypted using a second type of encryption and having second security metadata associated therewith. At least a portion of said first security metadata shares a memory space with at least a portion of said second security metadata for a same section of memory.

    Technology for managing memory tags

    Publication (Announcement) No.: US11003584B2

    Publication (Announcement) Date: 2021-05-11

    Application No.: US16288844

    Application Date: 2019-02-28

    Abstract: A data processing system includes support for sub-page granular memory tags. The data processing system comprises at least one core, a memory controller responsive to the core, random access memory (RAM) responsive to the memory controller, and a memory protection module in the memory controller. The memory protection module enables the memory controller to use a memory tag value supplied as part of a memory address to protect data stored at a location that is based on a location value supplied as another part of the memory address. The data processing system also comprises an operating system (OS) which, when executed in the data processing system, manages swapping a page of data out of the RAM to non-volatile storage (NVS) by using a memory tag map (MTM) to apply memory tags to respective subpages within the page being swapped out. Other embodiments are described and claimed.

    SEAMLESS ONE-WAY ACCESS TO PROTECTED MEMORY USING ACCESSOR KEY IDENTIFIER

    Publication (Announcement) No.: US20210006395A1

    Publication (Announcement) Date: 2021-01-07

    Application No.: US16948460

    Application Date: 2020-09-18

    Abstract: An apparatus including a processor comprising at least one core to execute instructions of a plurality of virtual machines and a virtual machine monitor; and a cryptographic engine comprising circuitry to protect data associated with the plurality of virtual machines through use of a plurality of private keys and an accessor key, wherein each of the plurality of private keys are to protect a respective virtual machine and the accessor key is to protect management structures of the plurality of virtual machines; and wherein the processor is to provide, to the virtual machine monitor, direct read access to the management structures of the plurality of virtual machines through the accessor key and indirect write access to the management structures of the plurality of virtual machines through a secure software module.

    Processor based component firmware update method and apparatus

    Publication (Announcement) No.: US10789061B2

    Publication (Announcement) Date: 2020-09-29

    Application No.: US16143334

    Application Date: 2018-09-26

    Abstract: Apparatuses, methods and storage mediums associated with updating firmware of a component of a computer platform, are disclosed herein. In some embodiments, a processor includes an instruction decoder; and a storage having microcode arranged to implement an instruction to verify updates to firmware of a component of a computer platform hosting the processor and the component. The computer platform may include a component firmware update manager. The firmware of a component may include a firmware update plug-in. Other embodiments are also described, and may be claimed.

    Cryptographic Memory Ownership Table For Secure Public Cloud

    Publication (Announcement) No.: US20200293668A1

    Publication (Announcement) Date: 2020-09-17

    Application No.: US16830379

    Application Date: 2020-03-26

    Abstract: A computer-readable medium comprises instructions that, when executed, cause a processor to execute an untrusted workload manager to manage execution of at least one guest workload. The instructions, when executed, also cause the processor to (i) receive a request from a guest workload managed by the untrusted workload manager to access a memory using a requested guest address; (ii) obtain, from the untrusted workload manager, a translated workload-manager-provided hardware physical address to correspond to the requested guest address; (iii) determine whether a stored mapping exists for the translated workload-manager-provided hardware physical address; (iv) in response to finding the stored mapping, determine whether a stored expected guest address from the stored mapping matches the requested guest address; and (v) if the stored expected guest address from the stored mapping matches the requested guest address, enable the guest workload to access contents of the translated workload-manager-provided hardware physical address.