公开(公告)号：US20230077623A1

公开(公告)日：2023-03-16

申请号：US17950205

申请日：2022-09-22

Applicant: Google LLC

Inventor： Matthew Gingell ,  Peter Gonda ,  Alexander Thomas Cope ,  Sergey Karamov ,  Keith Moyer ,  Uday Savagaonkar ,  Chong Cai

IPC: G06F21/53 ,  G06F21/12 ,  G06F21/57 ,  G06F21/62 ,  G06F21/74

Abstract: A uniform enclave interface is provided for creating and operating enclaves across multiple different types of backends and system configurations. For instance, an enclave manager may be created in an untrusted environment of a host computing device. The enclave manager may include instructions for creating one or more enclaves. An enclave may be generated in memory of the host computing device using the enclave manager. One or more enclave clients of the enclave may be generated by the enclave manager such that the enclave clients configured to provide one or more entry points into the enclave. One or more trusted application instances may be created in the enclave.

公开(公告)号：US10949547B2

公开(公告)日：2021-03-16

申请号：US16153039

申请日：2018-10-05

Applicant: Google LLC

Inventor： Keith Moyer ,  Uday Savagaonkar ,  Chong Cai ,  Matthew Gingell ,  Anna Sapek

IPC: H04L9/32 ,  G06F21/60 ,  G06F21/62 ,  H04L9/08 ,  H04L9/14 ,  H04L9/30

Abstract: A fork support is provided for duplicating an application running inside an enclave entity. In this regard, a request to duplicate an application running inside a first enclave may be received by one or more processors of a host computing device of the first enclave. A snapshot of the first enclave including the application may be generated. The snapshot may be encrypted with a snapshot key and copied to untrusted memory of the host. A second enclave may be generated. The snapshot key may be sent from the first enclave to the second enclave through a secure communication channel. The encrypted snapshot may be copied from the untrusted memory of the host into the second enclave. The encrypted snapshot may be decrypted inside the second enclave with the snapshot key.

公开(公告)号：US20240380595A1

公开(公告)日：2024-11-14

申请号：US18314933

申请日：2023-05-10

Applicant: Google LLC

Inventor： Keith Moyer ,  Alex Wu ,  Jiankun Lu ,  Joe Richey ,  Catalin Daniel Sandu

IPC: H04L9/32 ,  H04L9/08 ,  H04L9/40

Abstract: A method includes obtaining a container associated with a first entity, the container executing a workload, the workload requiring access to private resources associated with a second entity. The method also includes obtaining encrypted resources including the private resources associated with the second entity. The method further includes generating a verifiable attestation. The method includes transmitting the verifiable attestation to an attestation service and, after transmitting the verifiable attestation, receiving, from an access policy verifier, a federated identity token. The method further includes generating a decrypt request including the federated identity token. The method includes transmitting, to a key management service, the decrypt request, and, after transmitting the decrypt request, receiving, from the key management service, a data encryption key. The method includes decrypting, using the data encryption key, the encrypted resources to access the private resources and providing the workload access to the private resources.

公开(公告)号：US20230297697A1

公开(公告)日：2023-09-21

申请号：US18200648

申请日：2023-05-23

Applicant: Google LLC

Inventor： Keith Moyer ,  Uday Savagaonkar ,  Chong Cai ,  Matthew Gingell ,  Anna Sapek

IPC: G06F21/60 ,  G06F21/62 ,  H04L9/08 ,  H04L9/14 ,  H04L9/30

CPC classification number: G06F21/602 ,  G06F21/6245 ,  H04L9/0861 ,  H04L9/14 ,  H04L9/30

Abstract: A fork support is provided for duplicating an application running inside an enclave entity. In this regard, a request to duplicate an application running inside a first enclave may be received by one or more processors of a host computing device of the first enclave. A snapshot of the first enclave including the application may be generated. The snapshot may be encrypted with a snapshot key and copied to untrusted memory of the host. A second enclave may be generated. The snapshot key may be sent from the first enclave to the second enclave through a secure communication channel. The encrypted snapshot may be copied from the untrusted memory of the host into the second enclave. The encrypted snapshot may be decrypted inside the second enclave with the snapshot key.

公开(公告)号：US12235951B2

公开(公告)日：2025-02-25

申请号：US18428842

申请日：2024-01-31

Applicant: Google LLC

Inventor： Matthew Gingell ,  Peter Gonda ,  Alexander Thomas Cope ,  Sergey Karamov ,  Keith Moyer ,  Uday Ramesh Savagaonkar ,  Chong Cai

IPC: G06F21/53 ,  G06F21/12 ,  G06F21/57 ,  G06F21/62 ,  G06F21/74

Abstract: A uniform enclave interface is provided for creating and operating enclaves across multiple different types of backends and system configurations. For instance, an enclave manager may be created in an untrusted environment of a host computing device. The enclave manager may include instructions for creating one or more enclaves. An enclave may be generated in memory of the host computing device using the enclave manager. One or more enclave clients of the enclave may be generated by the enclave manager such that the enclave clients configured to provide one or more entry points into the enclave. One or more trusted application instances may be created in the enclave.

公开(公告)号：US20240169054A1

公开(公告)日：2024-05-23

申请号：US18428842

申请日：2024-01-31

Applicant: Google LLC

Inventor： Matthew Gingell ,  Peter Gonda ,  Alexander Thomas Cope ,  Sergey Karamov ,  Keith Moyer ,  Uday Ramesh Savagaonkar ,  Chong Cai

IPC: G06F21/53 ,  G06F21/12 ,  G06F21/57 ,  G06F21/62 ,  G06F21/74

CPC classification number: G06F21/53 ,  G06F21/12 ,  G06F21/57 ,  G06F21/6245 ,  G06F21/74

Abstract: A uniform enclave interface is provided for creating and operating enclaves across multiple different types of backends and system configurations. For instance, an enclave manager may be created in an untrusted environment of a host computing device. The enclave manager may include instructions for creating one or more enclaves. An enclave may be generated in memory of the host computing device using the enclave manager. One or more enclave clients of the enclave may be generated by the enclave manager such that the enclave clients configured to provide one or more entry points into the enclave. One or more trusted application instances may be created in the enclave.

公开(公告)号：US11494485B2

公开(公告)日：2022-11-08

申请号：US17046593

申请日：2018-07-18

Applicant: Google LLC

Inventor： Matthew Gingell ,  Peter Gonda ,  Alexander Thomas Cope ,  Sergey Karamov ,  Keith Moyer ,  Uday Savagaonkar ,  Chong Cai

IPC: G06F21/53 ,  G06F21/12 ,  G06F21/57 ,  G06F21/62 ,  G06F21/74

Abstract: A uniform enclave interface is provided for creating and operating enclaves across multiple different types of backends and system configurations. For instance, an enclave manager may be created in an untrusted environment of a host computing device. The enclave manager may include instructions for creating one or more enclaves. An enclave may be generated in memory of the host computing device using the enclave manager. One or more enclave clients of the enclave may be generated by the enclave manager such that the enclave clients configured to provide one or more entry points into the enclave. One or more trusted application instances may be created in the enclave.

公开(公告)号：US11947662B2

公开(公告)日：2024-04-02

申请号：US17950205

申请日：2022-09-22

Applicant: Google LLC

Inventor： Matthew Gingell ,  Peter Gonda ,  Alexander Thomas Cope ,  Sergey Karamov ,  Keith Moyer ,  Uday Savagaonkar ,  Chong Cai

IPC: G06F21/53 ,  G06F21/12 ,  G06F21/57 ,  G06F21/62 ,  G06F21/74

CPC classification number: G06F21/53 ,  G06F21/12 ,  G06F21/57 ,  G06F21/6245 ,  G06F21/74

Abstract: A uniform enclave interface is provided for creating and operating enclaves across multiple different types of backends and system configurations. For instance, an enclave manager may be created in an untrusted environment of a host computing device. The enclave manager may include instructions for creating one or more enclaves. An enclave may be generated in memory of the host computing device using the enclave manager. One or more enclave clients of the enclave may be generated by the enclave manager such that the enclave clients configured to provide one or more entry points into the enclave. One or more trusted application instances may be created in the enclave.

公开(公告)号：US11743293B2

公开(公告)日：2023-08-29

申请号：US17305958

申请日：2021-07-19

Applicant: Google LLC

Inventor： Keith Moyer ,  Benjamin Seth Moore ,  Ari Medvinksy ,  Kevin Yap ,  Ivan Petrov ,  Tiziano Santoro ,  Ariel Joseph Feldman ,  Marcel Catalin Rosu

IPC: H04L29/06 ,  H04L9/40 ,  H04L9/08 ,  H04L9/32

CPC classification number: H04L63/166 ,  H04L9/083 ,  H04L9/085 ,  H04L9/0861 ,  H04L9/0894 ,  H04L9/3236 ,  H04L63/0823

Abstract: A method for remote attestation includes establishing, using a cryptographic protocol, a communication session between a first computing device and a second computing device. The communication session includes communications encrypted by an ephemeral session key. The method includes receiving, at the first communication device via the communication session, from the second computing device, an attestation request requesting the first computing device to provide an attestation report. The method includes generating, by the first computing device, the attestation report based on the ephemeral session key and sending, using the communication session, the attestation report to the second computing device.

公开(公告)号：US20230013347A1

公开(公告)日：2023-01-19

申请号：US17305958

申请日：2021-07-19

Applicant: Google LLC

Inventor： Keith Moyer ,  Benjamin Seth Moore ,  Ari Medvinksy ,  Kevin Yap ,  Ivan Petrov ,  Tiziano Santoro ,  Ariel Joseph Feldman ,  Marcel Catalin Rosu

IPC: H04L29/06 ,  H04L9/08 ,  H04L9/32

Abstract: A method for remote attestation includes establishing, using a cryptographic protocol, a communication session between a first computing device and a second computing device. The communication session includes communications encrypted by an ephemeral session key. The method includes receiving, at the first communication device via the communication session, from the second computing device, an attestation request requesting the first computing device to provide an attestation report. The method includes generating, by the first computing device, the attestation report based on the ephemeral session key and sending, using the communication session, the attestation report to the second computing device.