公开(公告)号：US12216922B2

公开(公告)日：2025-02-04

申请号：US17947072

申请日：2022-09-16

Applicant: Intel Corporation

Inventor： Hans G. Liljestrand ,  Sergej Deutsch ,  David M. Durham ,  Michael LeMay ,  Karanvir S. Grewal

IPC: G06F3/06 ,  H04L9/32

Abstract: A processor is to execute a first instruction to perform a simulated return in a program from a callee function to a caller function based on a first input stack pointer encoded with a first security context of a first callee stack frame. To perform the simulated return is to include generating a first simulated stack pointer to the caller stack frame. The processor is further to, in response to identifying an exception handler in the first caller function, execute a second instruction to perform a simulated call based on a second input stack pointer encoded with a second security context of the caller stack frame. To perform the simulated call is to include generating a second simulated stack pointer to a new stack frame containing an encrypted instruction pointer associated with the exception handler. The second simulated stack pointer is to be encoded with a new security context.

公开(公告)号：US11784786B2

公开(公告)日：2023-10-10

申请号：US17214222

申请日：2021-03-26

Applicant: Intel Corporation

Inventor： Sergej Deutsch ,  David M. Durham ,  Karanvir S. Grewal ,  Michael D. LeMay ,  Michael E. Kounavis

IPC: G06F9/50 ,  G06F12/121 ,  G06F12/14 ,  H04L9/06 ,  H04L9/08 ,  H04L9/32

CPC classification number: H04L9/0618 ,  G06F9/5016 ,  G06F12/121 ,  G06F12/1408 ,  G06F12/1441 ,  G06F12/1458 ,  G06F2212/7207

Abstract: Technologies disclosed herein provide one example of a processor that includes a register to store a first encoded pointer for a first memory allocation for an application and circuitry coupled to memory. Size metadata is stored in first bits of the first encoded pointer and first memory address data associated with the first memory allocation is stored in second bits of the first encoded pointer. The circuitry is configured to determine a first memory address of a first marker region in the first memory allocation, obtain current data from the first marker region at the first memory address, compare the current data to a reference marker stored separately from the first memory allocation, and determine that the first memory allocation is in a first state in response to a determination that the current data corresponds to the reference marker.

公开(公告)号：US20210011995A1

公开(公告)日：2021-01-14

申请号：US16937155

申请日：2020-07-23

Applicant: Intel Corporation

Inventor： David M. Durham ,  Karanvir S. Grewal ,  Sergej Deutsch ,  Michael Lemay

IPC: G06F21/53 ,  G06F9/455 ,  G06F21/57 ,  H04L29/06

Abstract: Systems, apparatuses and methods may provide for technology that associates a key domain of a plurality of key domains with a customer boot image, receives the customer boot image from the customer, and verifies the integrity of the customer boot image that is to be securely installed at memory locations determined from an untrusted privileged entity (e.g., a virtual machine manager).

公开(公告)号：US10802910B2

公开(公告)日：2020-10-13

申请号：US16133574

申请日：2018-09-17

Applicant: Intel Corporation

Inventor： Sergej Deutsch ,  Wei Wu ,  David M. Durham ,  Karanvir S. Grewal

IPC: G06F11/10 ,  G06F11/14 ,  G06F3/06 ,  G06F21/62

Abstract: In one embodiment, an apparatus comprises a controller comprising circuitry, the controller to generate an error correction code for a memory line, the memory line comprising a plurality of first data blocks, wherein the error correction code comprises parity bits generated based on first portions of a plurality of second data blocks, wherein the plurality of second data blocks are the first data blocks or diffused data blocks generated from the plurality of first data blocks; generate a metadata block corresponding to the memory line, wherein the metadata block comprises the error correction code for the memory line and at least one metadata bit; encode the first data blocks and the metadata block; and provide the encoded data blocks and the encoded metadata block for storage on a memory module.

公开(公告)号：US10594491B2

公开(公告)日：2020-03-17

申请号：US15816901

申请日：2017-11-17

Applicant: INTEL CORPORATION

Inventor： David M. Durham ,  Rajat Agarwal ,  Siddhartha Chhabra ,  Sergej Deutsch ,  Karanvir S. Grewal ,  Ioannis T. Schoinas

IPC: H04L9/32 ,  G06F12/14 ,  G06F3/06 ,  G11C29/52 ,  H04L9/06 ,  G06F11/10 ,  G06F12/0886 ,  G06F21/79 ,  H04L9/08 ,  G06F21/78 ,  G11C29/44

Abstract: In one example, a system for managing encrypted memory comprises a processor to store a first MAC based on data stored in system memory in response to a write operation to the system memory. The processor can also detect a read operation corresponding to the data stored in the system memory, calculate a second MAC based on the data retrieved from the system memory, determine that the second MAC does not match the first MAC, and recalculate the second MAC with a correction operation, wherein the correction operation comprises an XOR operation based on the data retrieved from the system memory and a replacement value for a device of the system memory. Furthermore, the processor can decrypt the data stored in the system memory in response to detecting the recalculated second MAC matches the first MAC and transmit the decrypted data to cache thereby correcting memory errors.

公开(公告)号：US20190044954A1

公开(公告)日：2019-02-07

申请号：US15831633

申请日：2017-12-05

Applicant: Intel Corporation

Inventor： Michael Kounavis ,  Amitabh Das ,  Sergej Deutsch ,  Karanvir S. Grewal ,  David M. Durham

IPC: H04L29/06 ,  H04L9/06

Abstract: Before sending a message to a destination device, a source device automatically uses a pattern matching algorithm to analyze entropy characteristics of a plaintext version of the message. The pattern matching algorithm uses at least one pattern matching test to generate at least one entropy metric for the message. The source device automatically determines whether the message has sufficiently low entropy, based on results of the pattern matching algorithm. In response to a determination that the message does not have sufficiently low entropy, the source device automatically generates integrity metadata for the message and sends the integrity metadata to the destination device. However, in response to a determination that the message has sufficiently low entropy, the source device sends the message to the destination device without sending any integrity metadata for the message to the destination device. Other embodiments are described and claimed.

公开(公告)号：US20190036699A1

公开(公告)日：2019-01-31

申请号：US16133952

申请日：2018-09-18

Applicant: Intel Corporation

Inventor： Ansuya Negi ,  Nitin V. Sarangdhar ,  Ulhas S. Warrier ,  Ramkumar Venkatachary ,  Ravi L. Sahita ,  Scott H. Robinson ,  Karanvir S. Grewal

IPC: H04L9/32 ,  H04L9/08

CPC classification number: H04L9/3231 ,  H04L9/0816 ,  H04L9/0825

Abstract: Technologies for end-to-end biometric-based authentication and locality assertion include a computing device with one or more biometric devices. The computing device may securely exchange a key between a driver and a secure enclave. The driver may receive biometric data from the biometric sensor in a virtualization-protected memory buffer and encrypt the biometric data with the shared key. The secure enclave may decrypt the biometric data and perform a biometric authentication operation. The computing device may measure a virtual machine monitor (VMM) to generate attestation information for the VMM. A secure enclave may execute a virtualization report instruction to request the attestation information. The processor may copy the attestation information into the secure enclave memory. The secure enclave may verify the attestation information with a remote attestation server. If verified, the secure enclave may provide a shared secret to the VMM. Other embodiments are described and claimed.

公开(公告)号：US09519803B2

公开(公告)日：2016-12-13

申请号：US13690401

申请日：2012-11-30

Applicant: Intel Corporation

Inventor： Prashant Dewan ,  Uday R. Savagaonkar ,  David M. Durham ,  Paul S. Schmitz ,  Jason Martin ,  Michael Goldsmith ,  Ravi L. Sahita ,  Francis X. McKeen ,  Carlos Rozas ,  Balaji Vembu ,  Scott Janus ,  Geoffrey S. Strongin ,  Xiaozhu Kang ,  Karanvir S. Grewal ,  Siddhartha Chhabra ,  Alpha T. Narendra Trivedi

IPC: G06F21/00 ,  G06F21/64 ,  G06F21/53 ,  G06F21/56

CPC classification number: G06F21/64 ,  G06F21/53 ,  G06F21/56

Abstract: In accordance with some embodiments, a protected execution environment may be defined for a graphics processing unit. This framework not only protects the workloads from malware running on the graphics processing unit but also protects those workloads from malware running on the central processing unit. In addition, the trust framework may facilitate proof of secure execution by measuring the code and data structures used to execute the workload. If a part of the trusted computing base of this framework or protected execution environment is compromised, that part can be patched remotely and the patching can be proven remotely throughout attestation in some embodiments.

Abstract translation: 根据一些实施例，可以为图形处理单元定义受保护的执行环境。 该框架不仅保护了图形处理单元上运行的恶意软件的工作负载，还保护了这些工作负载免受中央处理单元上运行的恶意软件。 此外，信任框架可以通过测量用于执行工作负载的代码和数据结构来促进安全执行的证明。 如果该框架或受保护的执行环境的可信计算基础的一部分受到损害，那么该部分可以被远程修补，并且在一些实施例中可以通过验证远程验证修补。

公开(公告)号：US08903084B2

公开(公告)日：2014-12-02

申请号：US13916027

申请日：2013-06-12

Applicant: Intel Corporation

Inventor： Men Long ,  Jesse Walker ,  Karanvir S. Grewal

IPC: H04L9/00 ,  H04L9/08 ,  G06F7/04 ,  G06F21/00 ,  H04L29/06 ,  H04L9/06

CPC classification number: H04L9/0866 ,  H04L9/0631 ,  H04L63/0428 ,  H04L63/06 ,  H04L2209/125

Abstract: Both end-to-end security and traffic visibility may be achieved by a system using a controller that derives a cryptographic key that is different for each client based on a derivation key and a client identifier that is conveyed in each data packet. The controller distributes the derivation key to information technology monitoring devices and a server to provide traffic visibility. For large key sizes, the key may be derived using a derivation formula as follows: client_key_MSB=AES128(base_key_1,client_ID),  (1) client_key_LSB=AES128(base_key_2,client_ID+pad),and  (2) client_key=client_key_MSB∥client_key_LSB, where (1) and (2) are executed in parallel. The client key and a client identifier may be used so that end-to-end security may be achieved.

Abstract translation: 端到端安全性和流量可见性可以由使用控制器的系统来实现，所述控制器基于在每个数据分组中传送的导出密钥和客户端标识符来导出每个客户端不同的密码密钥。 控制器将派生密钥分发到信息技术监控设备和服务器，以提供流量可视性。 对于较大的密钥大小，可以使用如下的推导公式来导出密钥：client_key_MSB = AES128（base_key_1，client_ID），（1）client_key_LSB = AES128（base_key_2，client_ID + pad）和（2）cli​​ent_key =client_key_MSB‖client_key_LSB， 其中（1）和（2）并行执行。 可以使用客户端密钥和客户端标识符，以便可以实现端到端的安全性。

公开(公告)号：US11575504B2

公开(公告)日：2023-02-07

申请号：US16776467

申请日：2020-01-29

Applicant: Intel Corporation

Inventor： David M. Durham ,  Michael LeMay ,  Michael E. Kounavis ,  Santosh Ghosh ,  Sergej Deutsch ,  Anant Vithal Nori ,  Jayesh Gaur ,  Sreenivas Subramoney ,  Karanvir S. Grewal

IPC: H04L9/06 ,  G06F9/30 ,  G06F12/1027

Abstract: A processor comprises a first register to store an encoded pointer to a memory location. First context information is stored in first bits of the encoded pointer and a slice of a linear address of the memory location is stored in second bits of the encoded pointer. The processor also includes circuitry to execute a memory access instruction to obtain a physical address of the memory location, access encrypted data at the memory location, derive a first tweak based at least in part on the encoded pointer, and generate a keystream based on the first tweak and a key. The circuitry is to further execute the memory access instruction to store state information associated with memory access instruction in a first buffer, and to decrypt the encrypted data based on the keystream. The keystream is to be generated at least partly in parallel with accessing the encrypted data.