-
1.
Publication number: US20240311234A1
Publication date: 2024-09-19
Application number: US18676811
Filing date: 2024-05-29
Applicant: Intel Corporation
Inventor: David M. Durham, Sergej Deutsch, Karanvir Grewal
CPC classification number: G06F11/1044, H04L9/0816
Abstract: The technology disclosed herein includes a memory to store a plurality of pages, a page of the plurality of pages configured as one of a trusted execution environment (TEE) configuration and a non-TEE configuration, and a memory controller to attempt to access the page using a memory address and the TEE configuration and generate a first error correcting code (ECC); and when data for the first ECC is at least one of correct and correctable by ECC for the attempt to access the page using the TEE configuration, attempt to access the page using the memory address and the non-TEE configuration and generate a second ECC, and when data for the second ECC is at least one of correct and correctable by ECC for the attempt to access the page using the non-TEE configuration, store the memory address as an unknown cacheline address.
-
2.
Publication number: US20230402077A1
Publication date: 2023-12-14
Application number: US18145095
Filing date: 2022-12-22
Applicant: Intel Corporation
Inventor: Sergej Deutsch, Christoph Dobraunig, Rajat Agarwal, David M. Durham, Santosh Ghosh, Karanvir Grewal, Krystian Matusiewicz
IPC: G06F11/10
CPC classification number: G06F11/1044
Abstract: The technology described herein includes a first plurality of bijection diffusion function circuits to diffuse data bits into diffused data bits and store the diffused data bits into a memory; an error correcting code (ECC) generation circuit to generate ECC bits for the data bits; and a second plurality of bijection diffusion function circuits to diffuse the ECC bits into diffused ECC bits and store the diffused ECC bits into the memory.
-
3.
Publication number: US20210406199A1
Publication date: 2021-12-30
Application number: US16912542
Filing date: 2020-06-25
Applicant: Intel Corporation
Inventor: Michael Kounavis, David Koufaty, Anna Trikalinou, Karanvir Grewal, Philip Lantz, Utkarsh Y. Kakaiya, Vedvyas Shanbhogue
IPC: G06F12/14, G06F12/1036, G06F12/1081, G06F12/0831, G06F12/0882, G06F12/06, G06F21/60, H04L9/32
Abstract: Embodiments are directed to providing a secure address translation service. An embodiment of a system includes a memory for storage of data, an Input/Output Memory Management Unit (IOMMU) coupled to the memory via a host-to-device link, the IOMMU to perform operations, comprising receiving an address translation request from a remote device via a host-to-device link, wherein the address translation request comprises a virtual address (VA), determining a physical address (PA) associated with the virtual address (VA), generating an encrypted physical address (EPA) using at least the physical address (PA) and a cryptographic key, and sending the encrypted physical address (EPA) to the remote device via the host-to-device link.
-
4.
Publication number: US11019098B2
Publication date: 2021-05-25
Application number: US16023941
Filing date: 2018-06-29
Applicant: Intel Corporation
Inventor: Sergej Deutsch, David Durham, Karanvir Grewal, Rajat Agarwal
Abstract: The present disclosure is directed to systems and methods for providing protection against replay attacks on memory, by refreshing or updating encryption keys. The disclosed replay protected computing system may employ encryption refresh of memory so that unauthorized copies of data are usable for a limited amount of time (e.g., 500 milliseconds or less). The replay protected computing system initially encrypts protected data prior to storage in memory. After a predetermined time or after a number of memory accesses have occurred, the replay protected computing system decrypts the data with the existing key and re-encrypts data with a new key. Unauthorized copies of data (such as those made by an adversary system/program) are not refreshed with subsequent new keys. When an adversary program attempts to use the unauthorized copies of data, the unauthorized copies of data are decrypted with the incorrect keys, which renders the decrypted data unintelligible.
-
5.
Publication number: US20190196977A1
Publication date: 2019-06-27
Application number: US16288844
Filing date: 2019-02-28
Applicant: Intel Corporation
Inventor: Kai Cong, Karanvir Grewal, Siddhartha Chhabra, Sergej Deutsch, David Michael Durham
CPC classification number: G06F12/10, G06F3/0604, G06F3/065, G06F3/0673, G06F11/1076, G06F21/602, G06F2212/657
Abstract: A data processing system includes support for sub-page granular memory tags. The data processing system comprises at least one core, a memory controller responsive to the core, random access memory (RAM) responsive to the memory controller, and a memory protection module in the memory controller. The memory protection module enables the memory controller to use a memory tag value supplied as part of a memory address to protect data stored at a location that is based on a location value supplied as another part of the memory address. The data processing system also comprises an operating system (OS) which, when executed in the data processing system, manages swapping a page of data out of the RAM to non-volatile storage (NVS) by using a memory tag map (MTM) to apply memory tags to respective subpages within the page being swapped out. Other embodiments are described and claimed.
-
6.
Publication number: US10079813B2
Publication date: 2018-09-18
Application number: US15085114
Filing date: 2016-03-30
Applicant: Intel Corporation
Inventor: Karanvir Grewal, Men Long, Prashant Dewan
CPC classification number: H04L9/083, H04L9/321, H04L9/3247, H04L63/061
Abstract: Methods and apparatus are disclosed to provide for security within a network enclave. In one embodiment authentication logic initiates authentication with a central network authority. Packet processing logic receives a key and an identifier from the central network authority. Security protocol logic then establishes a client-server security association through a communication that includes a client identifier and an encrypted portion and/or an authorization signature, wherein a client authorization key allocated by the central network authority can be reproduced by a server, other than said central network authority, from the client identifier and a derivation key provided to the server by the central network authority to decrypt the encrypted portion and/or to validate the communication using the authorization signature. The server may also provide the client with new session keys and/or new client session identifiers using server-generated derivation keys if desired, protecting these with the client authorization key.
-
7.
Publication number: US20250007706A1
Publication date: 2025-01-02
Application number: US18343718
Filing date: 2023-06-28
Applicant: Intel Corporation
Inventor: Pascal Nasahl, Salmin Sultana, Hans Goran Liljestrand, Karanvir Grewal, Michael LeMay, David M. Durham
IPC: H04L9/08
Abstract: Techniques for cryptographically enforcing control-flow integrity are described. In certain examples, a processor includes: a cryptographic circuit to encrypt, with a first key, a first code section to be stored in a single page of memory, and to encrypt, with a second key, a second code section to be stored in the single page of memory; decoder circuitry to decode a single instruction into a decoded single instruction, the single instruction comprising a key identifier, an identifier of the second code section, and an opcode that is to indicate execution circuitry is to, when executing the first code section, determine if the key identifier corresponds to the second key, and in response to corresponding, cause the cryptographic circuit to switch to using the second key to decrypt the second code section, and transfer execution from the first code section to the second code section; and the execution circuitry to execute the decoded instruction according to the opcode.
-
8.
Publication number: US12066888B2
Publication date: 2024-08-20
Application number: US17944352
Filing date: 2022-09-14
Applicant: Intel Corporation
Inventor: Sergej Deutsch, David M. Durham, Karanvir Grewal, Rajat Agarwal
CPC classification number: G06F11/1004, G06F3/0622, G06F3/0629, G06F3/0673
Abstract: The technology disclosed herein comprises a processor; a memory to store data and a plurality of error correcting code (ECC) bits associated with the data; and a memory controller coupled to the memory, the memory controller to receive a write request from the processor and, when an access control field is selected in the write request, perform an exclusive OR (XOR) operation on the plurality of ECC bits and a fixed encoding pattern to generate a plurality of encoded ECC bits and store the data and the plurality of encoded ECC bits in the memory.
-
9.
Publication number: US11995006B2
Publication date: 2024-05-28
Application number: US17559258
Filing date: 2021-12-22
Applicant: Intel Corporation
Inventor: Sergej Deutsch, Karanvir Grewal, David M. Durham, Rajat Agarwal
IPC: G06F21/00, G06F11/07, G06F11/10, G06F12/0853, G06F12/14
CPC classification number: G06F12/1466, G06F11/0772, G06F11/1068, G06F12/0853, G06F12/1408
Abstract: A method comprises generating, for a cacheline, a first tag and a second tag, the first tag and the second tag generated as a function of user data stored and metadata in the cacheline stored in a first memory device, and a multiplication parameter derived from a secret key, storing the user data, the metadata, the first tag and the second tag in the first cacheline of the first memory device; generating, for the cacheline, a third tag and a fourth tag, the third tag and the fourth tag generated as a function of the user data stored and metadata in the cacheline stored in a second memory device, and the multiplication parameter; storing the user data, the metadata, the third tag and the fourth tag in the corresponding cache line of the second memory device; receiving, from a requesting device, a read operation directed to the cacheline; and using the first tag, the second tag, the third tag, and the fourth tag to determine whether a read error occurred during the read operation.
-
10.
Publication number: US20190045030A1
Publication date: 2019-02-07
Application number: US15839194
Filing date: 2017-12-12
Applicant: Intel Corporation
Inventor: Michael Kounavis, David M. Durham, Karanvir Grewal, Wenjie Xiong, Sergej Deutsch
Abstract: A method of data nibble-histogram compression can include determining a first amount of space freed by compressing the input data using a first compression technique, determining a second amount of space freed by compressing the input data using a second, different compression technique, compressing the input data using the compression technique of the first and second compression techniques determined to free up more space to create compressed input data, and inserting into the compressed input data, security data including one of a message authentication control (MAC) and an inventory control tag (ICT).