公开(公告)号：US20210200687A1

公开(公告)日：2021-07-01

申请号：US16728928

申请日：2019-12-27

申请人： Intel Corporation

发明人： DAVID M. DURHAM ,  JACOB DOWECK ,  MICHAEL LEMAY ,  DEEPAK GUPTA

IPC分类号： G06F12/1027

摘要： An apparatus and method for efficient process-based compartmentalization. For example, one embodiment of a processor comprises: execution circuitry to execute instructions and process data; memory management circuitry coupled to the execution circuitry, the memory management circuitry to manage access to a system memory by a plurality of related processes using one or more process-specific translation structures and one or more shared translation structures to be shared by the related processes; and one or more control registers to store a process-specific base address pointer associated with a first process of the plurality of related processes and to store a shared base address pointer to identify the shared translation structures; wherein the memory management circuitry is to use the process-specific base address pointer in combination with a first linear address provided by the first process to walk the process-specific translation structures to identify any permissions and/or physical address associated with the first linear address, wherein if permissions are identified, the memory management circuitry is to use the permissions in place of any permissions specified in the shared translation structures.

公开(公告)号：US20180129808A1

公开(公告)日：2018-05-10

申请号：US15811469

申请日：2017-11-13

申请人： INTEL CORPORATION

发明人： MICHAEL LEMAY ,  DAVID M. DURHAM

IPC分类号： G06F21/56 ,  H04L29/06

CPC分类号： G06F21/566 ,  G06F21/567 ,  G06F2221/032 ,  H04L63/1416 ,  H04L63/145

摘要： Various embodiments are generally directed to techniques for detecting malware in a manner that mitigates the consumption of processing and/or storage resources of a processing device. An apparatus may include a first processor component of a processing device to generate entries in a chronological order within a first page modification log maintained within a first storage divided into multiple pages, each entry to indicate a write access made by the first processor component to a page of the multiple pages; a retrieval component of a graphics controller of the processing device to recurringly retrieve indications from the first page modification log of at least one recently written page of the multiple pages; and a scan component of the graphics controller to recurringly scan the at least one recently written page to detect malware within the at least one recently written page.

公开(公告)号：US20210311883A1

公开(公告)日：2021-10-07

申请号：US17321087

申请日：2021-05-14

申请人： Intel Corporation

发明人： DAVID M. DURHAM ,  JACOB DOWECK ,  MICHAEL LEMAY ,  DEEPAK GUPTA

IPC分类号： G06F12/1027

摘要： An apparatus and method for efficient process-based compartmentalization. For example, one embodiment of a processor comprises: execution circuitry to execute instructions and process data; memory management circuitry coupled to the execution circuitry, the memory management circuitry to manage access to a system memory by a plurality of related processes using one or more process-specific translation structures and one or more shared translation structures to be shared by the related processes; and one or more control registers to store a process-specific base address pointer associated with a first process of the plurality of related processes and to store a shared base address pointer to identify the shared translation structures; wherein the memory management circuitry is to use the process-specific base address pointer in combination with a first linear address provided by the first process to walk the process-specific translation structures to identify any permissions and/or physical address associated with the first linear address, wherein if permissions are identified, the memory management circuitry is to use the permissions in place of any permissions specified in the shared translation structures.

公开(公告)号：US20200183861A1

公开(公告)日：2020-06-11

申请号：US16690614

申请日：2019-11-21

申请人： Intel Corporation

发明人： SIDDHARTHA CHHABRA ,  DAVID M. DURHAM

IPC分类号： G06F12/14 ,  H04L9/06 ,  G06F21/60 ,  G06F21/79 ,  G06F21/64 ,  G06F21/53

摘要： The presently disclosed method and apparatus for sharing security metadata memory space proposes a technique to allow metadata sharing two different encryption techniques. A section of memory encrypted using a first type of encryption and having first security metadata associated therewith is converted to a section of memory encrypted using a second type of encryption and having second security metadata associated therewith. At least a portion of said first security metadata shares a memory space with at least a portion of said second security metadata for a same section of memory.

公开(公告)号：US20200159673A1

公开(公告)日：2020-05-21

申请号：US16686379

申请日：2019-11-18

申请人： Intel Corporation

发明人： RAVI L. SAHITA ,  GILBERT NEIGER ,  VEDVYAS SHANBHOGUE ,  DAVID M. DURHAM ,  ANDREW V. ANDERSON ,  DAVID A. KOUFATY ,  ASIT K. MALLICK ,  ARUMUGAM THIYAGARAJAH ,  BARRY E. HUNTLEY ,  DEEPAK K. GUPTA ,  MICHAEL LEMAY ,  JOSEPH F. CIHULA ,  BAIJU V. PATEL

IPC分类号： G06F12/14 ,  G06F9/455 ,  G06F12/1009 ,  G06F12/1027

摘要： This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.

公开(公告)号：US20170286320A1

公开(公告)日：2017-10-05

申请号：US15089280

申请日：2016-04-01

申请人： Intel Corporation

发明人： SIDDHARTHA CHHABRA ,  DAVID M. DURHAM ,  PRASHANT DEWAN

IPC分类号： G06F12/14 ,  G06F13/28

摘要： This disclosure is directed to avoiding redundant memory encryption in a cryptographic protection system. Data stored in a device may be protected using different encryption systems. Data associated with at least one trusted execution environment (TEE) may be encrypted using a first encryption system. Main memory in the device may comprise data important to maintaining the integrity of an operating system (OS), etc. and may be encrypted using a second encryption system. Data may also be placed into a memory location via direct memory access (DMA) and may be protected utilizing a third encryption system. Redundant encryption may be avoided by encryption circuitry capable of determining when data is already protected by encryption provided by another system. For example, the encryption circuitry may comprise encryption control circuitry that monitors indicators set at different points during data handling, and may bypass certain data encryption or decryption operations based on the indicator settings.

公开(公告)号：US20160378490A1

公开(公告)日：2016-12-29

申请号：US14752079

申请日：2015-06-26

申请人： Intel Corporation

发明人： MICHAEL LEMAY ,  DAVID M. DURHAM ,  BARRY E. HUNTLEY ,  VEDVYAS SHANBHOGUE ,  RAVI L. SAHITA ,  RAVI RAJWAR

IPC分类号： G06F9/38 ,  G06F11/07

CPC分类号： G06F9/3802 ,  G06F9/3004 ,  G06F9/30076 ,  G06F9/30145 ,  G06F9/30167 ,  G06F9/30189 ,  G06F9/46 ,  G06F11/0745 ,  G06F11/0751

摘要： Generally, this disclosure provides systems, devices, methods and computer readable media for protecting confidential data with transactional processing in execute-only memory. The system may include a memory module configured to store an execute-only code page. The system may also include a transaction processor configured to enforce a transaction region associated with at least a portion of the code page. The system may further include a processor configured to execute a load instruction fetched from the code page, the load instruction configured to load at least a portion of the confidential data from an immediate operand of the load instruction if a transaction mode of the transaction region is enabled.

摘要翻译： 通常，本公开提供了用于在仅执行存储器中用事务处理保护机密数据的系统，设备，方法和计算机可读介质。 该系统可以包括被配置为存储仅执行代码页的存储器模块。 系统还可以包括配置成强制与代码页的至少一部分相关联的事务区域的事务处理器。 该系统还可以包括：处理器，其被配置为执行从代码页取出的加载指令，所述加载指令被配置为如果交易区域的交易模式是来自加载指令的即时操作数，则加载秘密数据的至少一部分 启用

公开(公告)号：US20150278512A1

公开(公告)日：2015-10-01

申请号：US14228994

申请日：2014-03-28

申请人： Intel Corporation

发明人： PRASHANT DEWAN ,  UTTAM K. SENGUPTA ,  SIDDHARTHA CHHABRA ,  DAVID M. DURHAM ,  XIAOZHU KANG ,  UDAY R. SAVAGAONKAR ,  ALPA T. NARENDRA TRIVEDI

IPC分类号： G06F21/53 ,  H04L9/32 ,  G06F9/455

CPC分类号： G06F21/53 ,  G06F9/45504 ,  G06F9/45558 ,  G06F9/5011 ,  G06F9/5072 ,  G06F21/554 ,  G06F21/84 ,  G06F2009/45587 ,  G06F2213/0038 ,  H04L9/3247

摘要： Generally, this disclosure provides systems, devices, methods and computer readable media for virtualization-based intra-block workload isolation. The system may include a virtual machine manager (VMM) module to create a secure virtualization environment or sandbox. The system may also include a processor block to load data into a first region of the sandbox and to generate a workload package based on the data. The workload package is stored in a second region of the sandbox. The system may further include an operational block to fetch and execute instructions from the workload package.

摘要翻译： 通常，本公开提供了用于基于虚拟化的块内工作负载隔离的系统，设备，方法和计算机可读介质。 该系统可以包括用于创建安全虚拟化环境或沙箱的虚拟机管理器（VMM）模块。 该系统还可以包括处理器块，用于将数据加载到沙箱的第一区域中，并且基于该数据生成工作负载包。 工作负载包存储在沙箱的第二个区域。 系统还可以包括用于从工作负载包获取和执行指令的操作块。

公开(公告)号：US20210200673A1

公开(公告)日：2021-07-01

申请号：US16728800

申请日：2019-12-27

申请人： Intel Corporation

发明人： DEEPAK GUPTA ,  MINGWEI ZHANG ,  RAVI SAHITA ,  VEDVYAS SHANBHOGUE ,  MICHAEL LEMAY ,  DAVID M. DURHAM

IPC分类号： G06F12/02 ,  G06F12/0895 ,  G06F9/30

摘要： An apparatus and method for memory management using compartmentalization. For example, one embodiment of a processor comprises: execution circuitry to execute instructions and process data, at least one instruction to generate a system memory access request using a first linear address; and address translation circuitry to perform a first walk operation through a set of one or more address translation tables to translate the first linear address to a first physical address, the address translation circuitry to concurrently perform a second walk operation through a set of one or more linear address metadata tables to identify metadata associated with the linear address, and to use one or more portions of the metadata to validate access by the at least one instruction to the first physical address.

公开(公告)号：US20200004696A1

公开(公告)日：2020-01-02

申请号：US16558705

申请日：2019-09-03

申请人： INTEL CORPORATION

发明人： SIDDHARTHA CHHABRA ,  DAVID M. DURHAM

IPC分类号： G06F12/14 ,  G06F21/57 ,  G06F21/60 ,  H04L9/08 ,  H04L9/32

摘要： Various embodiments are generally directed to techniques for multi-domain memory encryption, such as with a plurality of cryptographically isolated domains, for instance. Some embodiments are particularly directed to a multi-domain encryption system that provides one or more of memory encryption, integrity, and replay protection services to a plurality of cryptographic domains. In one embodiment, for example, an apparatus may comprise a memory and logic for an encryption engine, at least a portion of the logic implemented in circuitry coupled to the memory. In various embodiments, the logic may receive a memory operation request associated with a data line of a set of data lines stored in a protected memory separate from the memory.