-
Publication No.: US20220027287A1
Publication Date: 2022-01-27
Application No.: US17496327
Application Date: 2021-10-07
Applicant: Intel Corporation
Inventor: Ravi L. SAHITA, Gilbert NEIGER, Vedvyas SHANBHOGUE, David M. DURHAM, Andrew V. ANDERSON, David A. KOUFATY, Asit K. MALLICK, Arumugam THIYAGARAJAH, Barry E. HUNTLEY, Deepak K. GUPTA, Michael LEMAY, Joseph F. CIHULA, Baiju V. PATEL
IPC: G06F12/14, G06F12/1009, G06F12/1027, G06F9/455
Abstract: This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.
-
Publication No.: US20210258311A1
Publication Date: 2021-08-19
Application No.: US17307992
Application Date: 2021-05-04
Applicant: Intel Corporation
Inventor: Barry E. HUNTLEY, Gilbert NEIGER, H. Peter ANVIN, Asit K. MALLICK, Adriaan VAN DE VEN, Scott D. RODGERS
Abstract: Embodiments of an invention for protecting supervisor mode information are disclosed. In one embodiment, an apparatus includes a storage location, instruction hardware, execution hardware, and control logic. The storage location is to store an indicator to enable supervisor mode information protection. The instruction hardware is to receive an instruction to access supervisor mode information. The execution hardware is to execute the instruction. The control logic is to prevent execution of the instruction if supervisor mode information protection is enabled and a current privilege level is less privileged than a supervisor mode.
-
Publication No.: US20190089709A1
Publication Date: 2019-03-21
Application No.: US16194648
Application Date: 2018-11-19
Applicant: Intel Corporation
Inventor: Barry E. HUNTLEY, Gilbert NEIGER, H. Peter ANVIN, Asit K. MALLICK, Adriaan VAN DE VEN, Scott D. RODGERS
Abstract: Embodiments of an invention for protecting supervisor mode information are disclosed. In one embodiment, an apparatus includes a storage location, instruction hardware, execution hardware, and control logic. The storage location is to store an indicator to enable supervisor mode information protection. The instruction hardware is to receive an instruction to access supervisor mode information. The execution hardware is to execute the instruction. The control logic is to prevent execution of the instruction if supervisor mode information protection is enabled and a current privilege level is less privileged than a supervisor mode.
-
Publication No.: US20220206951A1
Publication Date: 2022-06-30
Application No.: US17134052
Application Date: 2020-12-24
Applicant: Intel Corporation
Inventor: Thomas TOLL, Ramya JAYARAM MASTI, Barry E. HUNTLEY, Vincent VON BOKERN, Siddhartha CHHABRA, Hormuzd M. KHOSRAVI, Vedvyas SHANBHOGUE, Gideon GERZON
IPC: G06F12/0895, G06F12/06, G06F9/455, G06F21/53, G06F12/14
Abstract: A method is described. The method includes executing a memory access instruction for a software process or thread. The method includes creating a memory access request for the memory access instruction having a physical memory address and a first identifier of a realm that the software process or thread executes from. The method includes receiving the memory access request and determining a second identifier of a realm from the physical memory address. The method also includes servicing the memory access request because the first identifier matches the second identifier.
-
Publication No.: US20210399882A1
Publication Date: 2021-12-23
Application No.: US17465311
Application Date: 2021-09-02
Applicant: Intel Corporation
Inventor: Ido OUZIEL, Arie AHARON, Dror CASPI, Baruch CHAIKIN, Jacob DOWECK, Gideon GERZON, Barry E. HUNTLEY, Francis X. MCKEEN, Gilbert NEIGER, Carlos V. ROZAS, Ravi L. SAHITA, Vedvyas SHANBHOGUE, Assaf ZALTSMAN
IPC: H04L9/08, G06F9/455, G06F12/1009, G06F21/60, G06F21/62
Abstract: A processor includes a processor core. A register of the core is to store: a bit range for a number of address bits of physical memory addresses used for key identifiers (IDs), and a first key ID to identify a boundary between non-restricted key IDs and restricted key IDs of the key identifiers. A memory controller is to: determine, via access to the bit range and the first key ID in the register, a key ID range of the restricted key IDs within the physical memory addresses; access a processor state that a first logical processor of the processor core executes in an untrusted domain mode; receive a memory transaction, from the first logical processor, including an address associated with a second key ID; and generate a fault in response to a determination that the second key ID is within a key ID range of the restricted key IDs.
-
Publication No.: US20210200880A1
Publication Date: 2021-07-01
Application No.: US16728712
Application Date: 2019-12-27
Applicant: Intel Corporation
Inventor: Hormuzd M. KHOSRAVI, Siddhartha CHHABRA, Vincent VON BOKERN, Barry E. HUNTLEY, Vedvyas SHANBHOGUE, Ramya Jayaram MASTI
Abstract: Disclosed embodiments relate to Multi-Key Total Memory Encryption based on dynamic key derivation. In one example, a processor includes cryptographic circuitry, storage with multiple key splits and multiple full encryption keys, fetch and decode circuitry to fetch and decode an instruction specifying an opcode, an address, and a keyID, the opcode calling for the processor to use the address to determine whether to use an explicit key, in which case the keyID is used to select one of the multiple full encryption keys to use as a cryptographic key, and, otherwise, the processor is to dynamically derive the cryptographic key by using the keyID to select one of the multiple key splits, and provide the key split and a root key to a key derivation function to derive the cryptographic key, which is used by the encryption circuitry to perform a cryptographic operation on the addressed memory location.
-
Publication No.: US20210200879A1
Publication Date: 2021-07-01
Application No.: US16727608
Application Date: 2019-12-26
Applicant: Intel Corporation
Inventor: Gideon GERZON, Hormuzd M. KHOSRAVI, Vincent VON BOKERN, Barry E. HUNTLEY, Dror CASPI
Abstract: Disclosed embodiments relate to trust domain islands with self-contained scope. In one example, a system includes multiple sockets, each including multiple cores, multiple multi-key total memory encryption (MK-TME) circuits, multiple memory controllers, and a trust domain island resource manager (TDIRM) to: initialize a trust domain island (TDI) island control structure (TDICS) associated with a TD island, initialize a trust domain island protected memory (TDIPM) associated with the TD island, identify a host key identifier (HKID) in a key ownership table (KOT), assign the HKID to a cryptographic key and store the HKID in the TDICS, associate one of the plurality of cores with the TD island, add a memory page from an address space of the first core to the TDIPM, and transfer execution control to the first core to execute the TDI, and wherein a number of HKIDs available in the system is increased as the memory mapped to the TD island is decreased.
-
Publication No.: US20210117535A1
Publication Date: 2021-04-22
Application No.: US17114246
Application Date: 2020-12-07
Applicant: INTEL CORPORATION
Inventor: Michael LEMAY, David M. DURHAM, Michael E. KOUNAVIS, Barry E. HUNTLEY, Vedvyas SHANBHOGUE, Jason W. BRANDT, Josh TRIPLETT, Gilbert NEIGER, Karanvir GREWAL, Baiju PATEL, Ye ZHUANG, Jr-Shian TSAI, Vadim SUKHOMLINOV, Ravi SAHITA, Mingwei ZHANG, James C. FARWELL, Amitabh DAS, Krishna BHUYAN
Abstract: Disclosed embodiments relate to encoded inline capabilities. In one example, a system includes a trusted execution environment (TEE) to partition an address space within a memory into a plurality of compartments each associated with code to execute a function, the TEE further to assign a message object in a heap to each compartment, receive a request from a first compartment to send a message block to a specified destination compartment, respond to the request by authenticating the request, generating a corresponding encoded capability, conveying the encoded capability to the destination compartment, and scheduling the destination compartment to respond to the request, and subsequently, respond to a check capability request from the destination compartment by checking the encoded capability and, when the check passes, providing a memory address to access the message block, and, otherwise, generating a fault, wherein each compartment is isolated from other compartments.
-
Publication No.: US20210051149A1
Publication Date: 2021-02-18
Application No.: US17084406
Application Date: 2020-10-29
Applicant: Intel Corporation
Inventor: Barry E. HUNTLEY, Gilbert NEIGER, H. Peter ANVIN, Asit K. MALLICK, Adriaan VAN DE VEN, Scott D. RODGERS
Abstract: Embodiments of an invention for protecting supervisor mode information are disclosed. In one embodiment, an apparatus includes a storage location, instruction hardware, execution hardware, and control logic. The storage location is to store an indicator to enable supervisor mode information protection. The instruction hardware is to receive an instruction to access supervisor mode information. The execution hardware is to execute the instruction. The control logic is to prevent execution of the instruction if supervisor mode information protection is enabled and a current privilege level is less privileged than a supervisor mode.
-
Publication No.: US20180181755A1
Publication Date: 2018-06-28
Application No.: US15391895
Application Date: 2016-12-28
Applicant: Intel Corporation
Inventor: Xiaoning LI, Ravi L. SAHITA, Barry E. HUNTLEY
CPC classification number: G06F21/567, G06F12/0875, G06F21/51, G06F21/566, G06F2212/1052, G06F2212/452, G06F2221/034
Abstract: In an embodiment, a processor comprises Return Oriented Programming (ROP) logic to: detect a first branch event at a first point in time; determine whether the first branch event is indirect; in response to a determination that the first branch event is an indirect branch event, determine whether a memory location referenced by the indirect branch event is specified as read-only; and in response to a determination that the memory location referenced by the indirect branch event is specified as read-only, convert the first branch event to a direct branch event. Other embodiments are described and claimed.