-
Publication (Announcement) No.: US10943013B2
Publication (Announcement) Date: 2021-03-09
Application No.: US16786742
Application Date: 2020-02-10
Applicant: Amazon Technologies, Inc.
Inventor: Ron Diamant, Alex Levin, Ihab Bishara
IPC: H04L29/06, G06F21/57, G06F9/4401, H04L9/08
Abstract: Methods and apparatus are disclosed for securing executable code for execution with a processor using a trusted platform module (TPM). In one example of the disclosed technology, a method of decrypting executable code for execution includes measuring values stored in a CPU boot ROM and measuring second values for executable code stored in non-volatile memory, storing the resulting measurement value in a TPM platform configuration register. The PCR value is used to unseal a key stored in non-volatile memory of the TPM, which key is used to decrypt executable code for execution. Security can be further enhanced by destroying the values stored in the PCR by performing additional measurement operations with the TPM PCR used to generate the measurement value.
-
Publication (Announcement) No.: US10678721B1
Publication (Announcement) Date: 2020-06-09
Application No.: US15422793
Application Date: 2017-02-02
Applicant: Amazon Technologies, Inc.
Inventor: Christopher James BeSerra, Ron Diamant, Alex Levin
Abstract: A smart add-in card can be leveraged to perform testing on a host server computer. The add-in card can include an embedded processor and memory. Tests can be downloaded to the add-in card to test analog features of a communication bus between the host server computer (motherboard) and the add-in card. In a particular example, a PCIe communication bus couples the motherboard to the add-in card and the tests can test a connection or communication link negotiated between the add-in card and another device using the PCIe communication bus. The tests can be developed to test errors that are typically difficult to test without the use of special hardware. However, the smart add-in card can be a simple Network Interface Card (NIC) that resides on the host server computer during normal operation and is used for communication other than error testing.
-
Publication (Announcement) No.: US10303621B1
Publication (Announcement) Date: 2019-05-28
Application No.: US15452117
Application Date: 2017-03-07
Applicant: AMAZON TECHNOLOGIES, INC.
Inventor: Ron Diamant, Alex Levin, Barak Wasserstrom
Abstract: An electronic system includes a secret value (e.g., an encryption key) which is used for its intended purpose after which the address translations in the system's memory management unit are modified to prevent further access to the secret value. The address translation modifications also include modification of a translation for the memory management unit itself thereby preventing further modification of the address translations. The secret value cannot again be accessed until the system is reinitialized, but the address translations are modified during each system initialization so that the secret value is only usable for its intended purpose during the initialization process. In other implementations, the system modifies mappings between physical addresses and hardware components to preclude further access to the secret value.
-
Publication (Announcement) No.: US10972449B1
Publication (Announcement) Date: 2021-04-06
Application No.: US16022271
Application Date: 2018-06-28
Applicant: Amazon Technologies, Inc.
Inventor: Alex Levin, Barak Wasserstrom, Georgy Zorik Machulsky, Saar Gross, Or Yochanan
Abstract: Disclosed herein are techniques for enabling device communication in a secure environment. In one example, a system comprises a storage in a server, a first component in the server, the first component being isolated in a secure environment in the server, and an entry point device authorized to access the first component via the secure environment. The entry point device may receive a request to access the first component. The entry point device may store a notification in a region of the storage accessible by the first component, wherein the notification is to be read by the first component from the storage to set the first component to an operation mode. The entry point device may store operation data in the storage, wherein the operation data is to be acquired by the first component from the storage to control an operation of the first component in the operation mode.
-
Publication (Announcement) No.: US10891140B1
Publication (Announcement) Date: 2021-01-12
Application No.: US16144267
Application Date: 2018-09-27
Applicant: Amazon Technologies, Inc.
Inventor: Alex Levin, Georgy Zorik Machulsky, Idan Aharoni, Barak Wasserstrom, Erez Tsidon
Abstract: Configuration snapshots can be obtained from various connected devices, such as network interface cards or hardware offload devices, to determine whether the configuration matches expected values. If discrepancies are determined then the appropriate values can be automatically applied to those devices. For each type and version of device, there can be a set of expected configuration values, or a golden model of configuration, that is determined and stored. The models can also be used to test updated configuration values, as the new values can be pushed to a subset of devices and the impact on performance determined. If acceptable performance improvement is detected, or another such target achieved, then the golden model can be updated with the new values and those values can be pushed out to the remainder of the devices.
-
Publication (Announcement) No.: US10708129B1
Publication (Announcement) Date: 2020-07-07
Application No.: US15298208
Application Date: 2016-10-19
Applicant: Amazon Technologies, Inc.
Inventor: Alex Levin, Ihab Bishara, Georgy Machulsky
Abstract: A technology is provided for changing a hardware capability of an internet capable device. A hardware capability of an internet capable device is restrained to a first limit based on a first configuration definition. A second configuration definition is requested to change the first limit set by the first configuration definition from a service provider environment. A second configuration definition is received from the service provider environment at the internet capable device. The hardware capability of the internet capable device is changed to a second limit based on the second configuration definition.
-
Publication (Announcement) No.: US10587406B1
Publication (Announcement) Date: 2020-03-10
Application No.: US15380956
Application Date: 2016-12-15
Applicant: Amazon Technologies, Inc.
Inventor: Alex Levin, Ron Diamant, Georgy Zorik Machulsky
Abstract: Data within a file system may be protected using a key rotation scheme. The key rotation scheme may include a data key and a metadata key. The data key may be used to encrypt data portions of the file system while the metadata key may be used to encrypt the metadata of the file system. The metadata key may be generated based at least in part on a user input and may be rotated at the end of a key rotation interval.
-
Publication (Announcement) No.: US10255151B1
Publication (Announcement) Date: 2019-04-09
Application No.: US15384031
Application Date: 2016-12-19
Applicant: Amazon Technologies, Inc.
Inventor: Alex Levin, Christopher James BeSerra, Ron Diamant
Abstract: A smart add-in card can be leveraged to perform testing on a host server computer. The add-in card can include an embedded processor and memory. Tests can be downloaded to the add-in card to test a protocol under which the add-in card operates. In a particular example, a PCIe communication bus couples the motherboard to the add-in card and the tests can purposely violate the PCIe specification. The tests can be developed to test conditions that are typically difficult to test without the use of special hardware. However, the smart add-in card can be a simple Network Interface Card (NIC) that resides on the host server computer during normal operation and is used for communication other than security testing. By using the NIC as a testing device, repeatable and reliable testing can be obtained.
-
Publication (Announcement) No.: US11323317B1
Publication (Announcement) Date: 2022-05-03
Application No.: US15298206
Application Date: 2016-10-19
Applicant: Amazon Technologies, Inc.
Inventor: Alex Levin, Ihab Bishara, Georgy Machulsky
IPC: G06F15/177, H04L41/0806, H04L67/00, G06F8/656, G06F8/70
Abstract: A technology is described for managing network communication device software capabilities. An example method may include sending a connection request from a network communication device electronically to a service provider environment. Software capabilities for the network communication device may be verified from the service provider environment. A software capabilities modification instruction for the network communication device may be received from the service provider environment. The software capabilities of the network communication device may be modified based on the software capabilities modification instruction.
-
Publication (Announcement) No.: US10904086B1
Publication (Announcement) Date: 2021-01-26
Application No.: US15282610
Application Date: 2016-09-30
Applicant: Amazon Technologies, Inc.
Inventor: Jinesh Varia, Aditya Bhalla, Alex Levin, Bhadri Pani
IPC: H04L29/06, H04L12/24, H04L29/08, H04L12/26, G06F9/4401
Abstract: A technology is described for managing device performance capabilities. An example method may include connecting a physical device electronically to a service provider environment using a computer network and identifying performance capabilities of the physical device at the service provider environment via the connection. A request may be received at the service provider environment to upgrade the performance capabilities of the physical device and an authorization may also be received at the service provider environment for the upgrade. The performance capabilities of the physical device may be upgraded by sending an upgrade instruction from the service provider environment to the physical device to unlock additional performance capabilities based on the authorization. The performance capabilities of the physical device may later be downgraded by disabling the additional performance capabilities of the physical device.