-
公开(公告)号:US11609766B2
公开(公告)日:2023-03-21
申请号:US16315890
申请日:2019-01-04
申请人: Baidu USA LLC , Baidu.com Times Technology (Beijing) Co., Ltd. , KUNLUNXIN TECHNOLOGY (BEIJING) COMPANY LIMITED
发明人: Yueqiang Cheng , Yong Liu , Tao Wei , Jian Ouyang
IPC分类号: G06F9/4401 , G06F9/30 , G06F9/38 , G06F9/54
摘要: According to one embodiment, a data processing system performs a secure boot using a security module (e.g., a trusted platform module (TPM)) of a host system. The system verifies that an operating system (OS) and one or more drivers including an accelerator driver associated with a data processing (DP) accelerator is provided by a trusted source. The system launches the accelerator driver within the OS. The system generates a trusted execution environment (TEE) associated with one or more processors of the host system. The system launches an application and a runtime library within the TEE, where the application communicates with the DP accelerator via the runtime library and the accelerator driver.
-
公开(公告)号:US11616651B2
公开(公告)日:2023-03-28
申请号:US16315973
申请日:2019-01-04
申请人: Baidu USA LLC , Baidu.com Times Technology (Beijing) Co., Ltd. , KUNLUNXIN TECHNOLOGY (BEIJING) COMPANY LIMITED
发明人: Yong Liu , Yueqiang Cheng , Jian Ouyang , Tao Wei
摘要: According to one embodiment, a system receives, at a host channel manager (HCM) of a host system, a request from an application to establish a secure channel with a data processing (DP) accelerator, where the DP accelerator is coupled to the host system over a bus. In response to the request, the system generates a first session key for the secure channel based on a first private key of a first key pair associated with the HCM and a second public key of a second key pair associated with the DP accelerator. In response to a first data associated with the application to be sent to the DP accelerator, the system encrypts the first data using the first session key. The system then transmits the encrypted first data to the DP accelerator via the secure channel over the bus.
-
公开(公告)号:US11374734B2
公开(公告)日:2022-06-28
申请号:US16315998
申请日:2019-01-04
申请人: Baidu USA LLC , Baidu.com Times Technology (Beijing) Co., Ltd. , KUNLUNXIN TECHNOLOGY (BEIJING) COMPANY LIMITED
发明人: Yueqiang Cheng , Yong Liu , Tao Wei , Jian Ouyang
摘要: A system is disclosed that receives, at a host system from a data processing (DP) accelerator, an accelerator identifier (ID) that uniquely identifies the DP accelerator, wherein the host system is coupled to the DP accelerator over a bus. The system transmits the accelerator ID to a predetermined trusted server over a network. The system receives a certificate from the predetermined trusted server over the network, the certificate certifying the DP accelerator. The system extracts a public root key (PK_RK) from the certificate for verification, the PK_RK corresponding to a private root key (SK_RK) associated with the DP accelerator. The system establishes a secure channel with the DP accelerator using the PK_RK based on the verification to exchange data securely between the host system and the DP accelerator.
-
公开(公告)号:US11409534B2
公开(公告)日:2022-08-09
申请号:US16315987
申请日:2019-01-04
发明人: Yueqiang Cheng , Yong Liu , Tao Wei , Jian Ouyang
摘要: According to one embodiment, a system receives, at a host system a public attestation key (PK_ATT) or a signed PK_ATT from a data processing (DP) accelerator over a bus. The system verifies the PK_ATT using a public root key (PK_RK) associated with the DP accelerator. In response to successfully verifying the PK_ATT, the system transmits a kernel identifier (ID) to the DP accelerator to request attesting a kernel object stored in the DP accelerator. In response to the system receives a kernel digest or a signed kernel digest corresponding to the kernel object from the DP accelerator, verifying the kernel digest using the PK_ATT. The system sends the verification results to the DP accelerator for the DP accelerator to access the kernel object based on the verification results.
-
公开(公告)号:US11281251B2
公开(公告)日:2022-03-22
申请号:US16315924
申请日:2019-01-04
发明人: Yong Liu , Yueqiang Cheng , Jian Ouyang , Tao Wei
IPC分类号: G06F1/00 , G06F1/10 , G06F1/08 , G06F9/38 , H04L67/142
摘要: According to one embodiment, a DP accelerator includes one or more execution units (EUs) configured to perform data processing operations in response to an instruction received from a host system coupled over a bus. The DP accelerator includes a security unit (SU) configured to establish and maintain a secure channel with the host system to exchange commands and data associated with the data processing operations. The DP accelerator includes a time unit (TU) coupled to the security unit to provide timestamp services to the security unit, where the time unit includes a clock generator to generate clock signals locally without having to derive the clock signals from an external source. The TU includes a timestamp generator coupled to the clock generator to generate a timestamp based on the clock signals, and a power supply to provide power to the clock generator and the timestamp generator.
-
公开(公告)号:US11328075B2
公开(公告)日:2022-05-10
申请号:US16315939
申请日:2019-01-04
发明人: Yong Liu , Yueqiang Cheng , Jian Ouyang , Tao Wei
摘要: According to one embodiment, a system establishes a secure connection between a host system and a data processing (DP) accelerator over a bus, the secure connection including one or more data channels. The system transmits a first instruction from the host system to the DP accelerator over a command channel, the first instruction requesting the DP accelerator to perform a data preparation operation. The system receives a first request to read a first data from a first memory location of the host system from the DP accelerator over one data channel. In response to the request, the system transmits the first data to the DP accelerator over the data channel, where the first data is utilized for a computation or a configuration operation. The system transmits a second instruction from the host system to the DP accelerator over the command channel to perform the computation or the configuration operation.
-
公开(公告)号:US11233652B2
公开(公告)日:2022-01-25
申请号:US16316011
申请日:2019-01-04
发明人: Yueqiang Cheng , Yong Liu , Tao Wei , Jian Ouyang
摘要: According to one embodiment, in response to receiving a temporary public key (PK_d) from a data processing (DP) accelerator, a system generates a first nonce (nc) at the host system, where the DP accelerator is coupled to the host system over a bus. The system transmits a request to create a session key from the host system to the DP accelerator, the request including a host public key (PK_O) and the first nonce. The system receives a second nonce (ns) from the DP accelerator, where the second nonce is encrypted using the host public key and a temporary private key (SK_d) corresponding to the temporary public key. The system generates a first session key based on the first nonce and the second nonce, which is utilized to encrypt or decrypt subsequent data exchanges between the host system and the DP accelerator.
-
公开(公告)号:US11558357B2
公开(公告)日:2023-01-17
申请号:US16693015
申请日:2019-11-22
发明人: Yong Liu , Yueqiang Cheng
摘要: A host processing device (“host”) instructs a plurality of data processing (DP) accelerators to configure themselves for secure communications. The host generates an adjacency table of each of the plurality of DP accelerators (“DPAs”). The host is communicatively coupled to the plurality of DPAs via a switch. The host transmits, to the switch, a list of the DPAs and instructs the switch to generate an adjacency table of the DPAs that includes a unique identifier of each DPAs and a communication port of the switch associated with the DPA. The host establishes a session key communication with each DPA and sends the DPA a list of other DPAs that the DPA is to establish a session key with, for secure communications between the DPAs. The DPA establishes a different session key for each pair of the plurality of DPAs. When all DPAs have established a session key for communication with other DPAs, the host can assign work tasks for performance by a plurality of DPAs, each communicating over a separately secured communication channel.
-
公开(公告)号:US11516010B2
公开(公告)日:2022-11-29
申请号:US16709240
申请日:2019-12-10
发明人: Yong Liu , Yueqiang Cheng
摘要: Embodiments disclosed systems and methods to broadcast a message to one or more virtual data processing (DP) accelerators. In response to receiving a broadcast instruction from an application, the broadcast instruction designating one or more virtual DP accelerators of a plurality of virtual DP accelerators to receive a broadcast message, the system encrypts the broadcast message based on a broadcast session key for a broadcast communication session. The system determines one or more public keys of one or more security key pairs each associated with one of the designated virtual DP accelerators. The system encrypts the broadcast session key based on the determined one or more public keys. The system broadcasts the encrypted broadcast message, and the one or more encrypted broadcast session keys to adjacent virtual DP accelerators for propagation.
-
公开(公告)号:US11552790B2
公开(公告)日:2023-01-10
申请号:US16693019
申请日:2019-11-22
发明人: Yong Liu , Yueqiang Cheng
摘要: A host processing device instructs a plurality of data processing (DP) accelerators to configure themselves for secure communications. The host device generates an adjacency table of each of the plurality of DP accelerators. Then the host device then establishes a session key communication with each DP accelerator and sends the DP accelerator a list of other DP accelerators that the DP accelerator is to establish a session key with, for secure communications between the DP accelerators. The DP accelerator establishes a different session key for each pair of the plurality of DP accelerators. When all DP accelerators have established a session key for communication with other DP accelerators, according to the respective list of other DP accelerators sent by the host device, then the host device can assign work tasks for performance by a plurality of DP accelerators, each communicating over a separately secured communication channel.
-
-
-
-
-
-
-
-
-