Abstract:
Technologies for dynamic loading of integrity protected modules into a secure enclave include a computing device having a processor with secure enclave support. The computing device divides an executable image into multiple chunks, hashes each of the chunks with corresponding attributes that affect security to generate a corresponding hash value, and generates a hash tree as a function of the hash values. The computing device generates an initial secure enclave memory image that includes the root value of the hash tree. At runtime, the computing device accesses a chunk of the executable image from within the secure enclave, which generates a page fault. In response to the page fault, the secure enclave verifies the associated chunk based on the hash tree and accepts the chunk into the secure enclave in response to successful verification. The root value of the hash tree is integrity-protected. Other embodiments are described and claimed.
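The chunk-hashing, hash-tree and page-fault-time verification flow described in this abstract, as an added illustration (not code from the patent or any product): chunks are hashed together with their security-relevant attributes, only the tree root is baked into the initial enclave image, and a chunk fetched on a page fault is accepted only if its authentication path reproduces that root. Chunk size, the attribute encoding and the domain-separation prefixes are assumptions of this example.

```python
import hashlib

CHUNK_SIZE = 8  # assumed; a real enclave would use page-sized chunks


def leaf_hash(chunk: bytes, attrs: bytes) -> bytes:
    # The attributes (e.g. page permissions) are bound into the leaf, so changing
    # them without changing the data is detected exactly like a data change.
    return hashlib.sha256(b"leaf" + attrs + chunk).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"node" + left + right).digest()


def build_tree(leaves: list) -> list:
    """Return all tree levels, bottom up; an odd level is padded with its last node."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        if len(lvl) % 2:
            lvl = lvl + [lvl[-1]]
        levels.append([node_hash(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels


def auth_path(levels: list, index: int) -> list:
    """Siblings from leaf to root; the untrusted loader ships this with the chunk."""
    path = []
    for lvl in levels[:-1]:
        if len(lvl) % 2:
            lvl = lvl + [lvl[-1]]
        path.append((lvl[index ^ 1], index & 1))  # (sibling, chunk is right child)
        index //= 2
    return path


def verify_chunk(chunk: bytes, attrs: bytes, index: int, path: list, root: bytes) -> bool:
    """Page-fault handler logic inside the enclave: trust only the root."""
    h = leaf_hash(chunk, attrs)
    for sibling, is_right in path:
        h = node_hash(sibling, h) if is_right else node_hash(h, sibling)
    return h == root


def demo():
    image = bytes(range(40))  # constructed 40-byte "executable image"
    chunks = [image[i:i + CHUNK_SIZE] for i in range(0, len(image), CHUNK_SIZE)]
    attrs = [b"r-x"] * 2 + [b"rw-"] * 3  # constructed per-chunk attributes
    levels = build_tree([leaf_hash(c, a) for c, a in zip(chunks, attrs)])
    root = levels[-1][0]  # the only value that goes into the initial enclave image
    ok = verify_chunk(chunks[3], attrs[3], 3, auth_path(levels, 3), root)
    bad_attr = verify_chunk(chunks[3], b"rwx", 3, auth_path(levels, 3), root)
    bad_data = verify_chunk(bytes(CHUNK_SIZE), attrs[3], 3, auth_path(levels, 3), root)
    return ok, bad_attr, bad_data
```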
Abstract:
In one embodiment, a semiconductor integrated code (SIC) may be provided in a binary format by a processor manufacturer. This SIC may include platform independent code of the processor manufacturer. Such code may include embedded processor logic to initialize the processor and at least one link that couples the processor to a memory, and embedded memory logic to initialize the memory. Other embodiments are described and claimed.
Abstract:
A method and system for remote configuration of a computing device includes generating initialization code configured to initialize a memory and/or processor of the computing device dependent on initialization data. The initialization data is generated based on platform data, which is validated based on predetermined criteria. The platform data identifies platform-specific parameters and may be received over a network from a platform manufacturer. In response to validation of the platform data, the initialization data is generated and transmitted to the platform manufacturer for incorporation into the computing device. Upon a processor reset, the initialization code is configured to use the initialization data to perform initialization procedures to initialize the memory and/or processor of the computing device. The platform data may be updated periodically by an end-user of the computing device.
Abstract:
A method of transmitting data through a network stack chooses one of a synchronous and an asynchronous mode depending on the requests of applications. The method may involve changing the frequency of a timer, for example, adjusting the frequency in the asynchronous Application Programming Interface (API) according to the load of network traffic and even stopping the timer for the synchronous API. In the asynchronous API, as a heavier network traffic load is expected, the timer may increase its frequency. Accordingly, on detecting lighter network traffic the timer decreases its frequency, and the remaining Central Processing Unit (CPU) cycles may be used to execute the foreground task, while the network stack may still respond to Internet Control Message Protocol (ICMP) and Address Resolution Protocol (ARP) requests. As the application tries to receive packets, for example, when downloading a large volume of data such as the kernel of an Operating System (OS), the network stack may even shut down the timer temporarily and switch to a synchronous mode to improve overall system performance. Here, the network stack may use a busy-waiting signal to notify its status.
Abstract:
Methods and apparatuses provide for incremental provisioning of software for a processing system. For instance, a processing system may include a machine accessible medium and a processor in communication with the machine accessible medium. In addition, instructions encoded in the machine accessible medium may cause the processing system to automatically determine whether a storage device in the processing system includes modified blocks, based at least in part on a write log file that identifies blocks that were modified during a user session on the processing system. In response to identifying at least one modified block in the storage device, the processing system may automatically replace data in the modified block with backup data from a different storage device. Other embodiments are described and claimed.
Abstract:
A method and system for implementing a virtual trusted platform module (vTPM). Software components are sequentially loaded and measured from a core root of trust for measurement (CRTM) in a user confidential virtual machine (CVM). The measurements of the software components are recorded in a runtime measurement register (RTMR) log and a digest of each entry of the RTMR log is extended into an RTMR configured for the user CVM. A signed quote and corresponding measurement entries of the RTMR log are provided to a verifier. The signed quote includes a value of the RTMR. A state of the user CVM may be verified based on the RTMR value and the RTMR log entries. The measurement entries of the RTMR log may be replayed to calculate platform configuration register (PCR) values and the TCG event log may be verified using the PCR values.
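The measure-log-extend-quote-replay sequence described in this abstract, as an added example (not code from the patent or from any vTPM implementation): the CVM side measures each component in load order, records it in the RTMR log and extends a digest of the log entry into the RTMR; the verifier checks the quote, replays the log to reproduce the quoted RTMR value, and folds the same entries into per-index PCR values that can then be checked against a TCG event log. Register width (SHA-384), the entry encoding and the HMAC standing in for the quote signature are assumptions of this example.

```python
import hashlib
import hmac

REG_LEN = 48  # assumed SHA-384-wide RTMR/PCR registers
QUOTE_KEY = b"constructed stand-in for the platform quoting key"  # not a real key


def digest(data: bytes) -> bytes:
    return hashlib.sha384(data).digest()


def extend(reg: bytes, d: bytes) -> bytes:
    # TPM-style extend: the new value is H(old || d), so order of loads is fixed
    return hashlib.sha384(reg + d).digest()


def entry_bytes(entry: dict) -> bytes:
    # assumed serialization of one RTMR log entry
    return b"%d|%s|%s" % (entry["pcr"], entry["name"].encode(), entry["digest"])


class UserCVM:
    """CVM side: the CRTM measures each component before it runs and logs it."""
    def __init__(self):
        self.rtmr = bytes(REG_LEN)
        self.log = []

    def load(self, name: str, blob: bytes, pcr: int):
        entry = {"name": name, "pcr": pcr, "digest": digest(blob)}
        self.log.append(entry)
        self.rtmr = extend(self.rtmr, digest(entry_bytes(entry)))  # entry digest -> RTMR

    def quote(self) -> dict:
        return {"rtmr": self.rtmr, "sig": hmac.new(QUOTE_KEY, self.rtmr, "sha384").digest()}


def verify(quote: dict, log: list):
    """Verifier side: check the quote, replay the log into the RTMR, then derive PCRs."""
    expected = hmac.new(QUOTE_KEY, quote["rtmr"], "sha384").digest()
    if not hmac.compare_digest(quote["sig"], expected):
        return False, {}
    rtmr, pcrs = bytes(REG_LEN), {}
    for entry in log:
        rtmr = extend(rtmr, digest(entry_bytes(entry)))
        pcrs[entry["pcr"]] = extend(pcrs.get(entry["pcr"], bytes(REG_LEN)), entry["digest"])
    if rtmr != quote["rtmr"]:
        return False, {}  # the presented log does not reproduce the quoted RTMR
    return True, pcrs  # pcrs can now be compared with the TCG event log's PCR values


def demo():
    vm = UserCVM()
    for name, blob, pcr in [("firmware", b"fw-constructed", 0), ("bootloader", b"bl-constructed", 4),
                            ("kernel", b"kernel-constructed", 4)]:
        vm.load(name, blob, pcr)
    q = vm.quote()
    ok, pcrs = verify(q, vm.log)
    altered = [dict(e) for e in vm.log]
    altered[2]["digest"] = digest(b"other-kernel-constructed")  # log no longer matches the quote
    bad, _ = verify(q, altered)
    return ok, bad, sorted(pcrs)
```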
Abstract:
An apparatus is provided comprising interface circuitry, machine-readable instructions, and processing circuitry to execute the machine-readable instructions. The machine-readable instructions include instructions to generate first attestation evidence, based on a measurement of the system software running on the processing circuitry and on a root of trust of the processing circuitry, proving the integrity of that system software. The machine-readable instructions further include instructions to generate second attestation evidence for verifying the integrity of a first confidential computing environment based on a measurement of the first confidential computing environment and on the generated first attestation evidence. The first confidential computing environment is operating on the system software and is executed by the processing circuitry. The first confidential computing environment is a virtual machine environment.
Abstract:
Technologies for secure programming of a cryptographic engine include a computing device with a cryptographic engine and one or more I/O controllers. The computing device establishes an invoking secure enclave using secure enclave support of a processor. The invoking enclave configures channel programming information, including a channel key, and invokes a processor instruction with the channel programming information as a parameter. The processor generates wrapped programming information including an encrypted channel key and a message authentication code. The encrypted channel key is protected with a key known only to the processor. The invoking enclave provides the wrapped programming information to untrusted software, which invokes a processor instruction with the wrapped programming information as a parameter. The processor unwraps and verifies the wrapped programming information and then programs the cryptographic engine. The processor generates an authenticated response that may be verified by the invoking enclave. Other embodiments are described and claimed.
Abstract:
Technologies for authenticity assurance for I/O data include a computing device with a cryptographic engine and one or more I/O controllers. A metadata producer of the computing device performs an authenticated encryption operation on I/O data to generate encrypted I/O data and an authentication tag. The metadata producer stores the encrypted I/O data in a DMA buffer and the authentication tag in an authentication tag queue. A metadata consumer decrypts the encrypted I/O data from the DMA buffer and determines whether the encrypted I/O data is authentic using the authentication tag from the authentication tag queue. For input, the metadata producer may be embodied as the cryptographic engine and the metadata consumer may be embodied as a trusted software component. For output, the metadata producer may be embodied as the trusted software component and the metadata consumer may be embodied as the cryptographic engine. Other embodiments are described and claimed.