-
Publication No.: US10437310B2
Publication Date: 2019-10-08
Application No.: US15387214
Filing Date: 2016-12-21
Applicant: Intel Corporation
Inventor: Karunakara Kotary , Ashish Hira , Krishnakumar Narasimhan
IPC: G06F1/32 , G06F1/3234 , G06F9/4401 , G06F1/3228
Abstract: Technologies for secure hybrid standby power management include a computing device with a processor supporting low-power idle standby. An operating system writes a power management sleep request, such as an ACPI S3 request, to a power management control register of the computing device. The processor traps the write to the power management control register and executes a firmware sleep mapper that causes the processor to enter an idle standby power state such as S0ix. The firmware sleep mapper may be included in a firmware isolated memory region. The address of the firmware sleep mapper may be included in a model-specific register of the processor. The processor may verify the firmware sleep mapper before execution. In response to a wake event, the processor resumes the firmware sleep mapper, which switches the processor to real mode and jumps to a waking vector of the operating system. Other embodiments are described and claimed.
-
Publication No.: US20190095623A1
Publication Date: 2019-03-28
Application No.: US15715773
Filing Date: 2017-09-26
Applicant: INTEL CORPORATION
Inventor: Krishnakumar Narasimhan , Sudhakar Otturu , Karunakara Kotary , Vincent J. Zimmer
CPC classification number: G06F21/572 , G06F8/65 , G06F21/44 , G06F21/6209
Abstract: A computing device that implements a secure and transparent firmware update process is provided. The computing device includes a secure memory area and a secure device that separately executes firmware updates in parallel with other processes executed by a CPU. The secure memory area may be allocated by the CPU and/or a memory controller using any of a variety of memory protection techniques. System software executed by the CPU receives update firmware requests from a trusted source, stores a firmware payload included in these requests in the secure memory area, and executes the next scheduled process. Firmware executed by the secure device retrieves the firmware payload from the secure memory area, authenticates the firmware payload, and applies the firmware payload to a firmware storage device. The secure device performs these acts transparently from the point of view of the CPU, thus avoiding consumption of CPU resources.
-
Publication No.: US10565130B2
Publication Date: 2020-02-18
Application No.: US15714323
Filing Date: 2017-09-25
Applicant: Intel Corporation
Inventor: Siddhartha Chhabra , Reouven Elbaz , Krishnakumar Narasimhan , Prashant Dewan , David M. Durham
Abstract: Technologies for secure memory usage include a computing device having a processor that includes a memory encryption engine and a memory device coupled to the processor. The processor supports multiple processor usages, such as secure enclaves, system management firmware, and a virtual machine monitor. The memory encryption engine is configured to protect a memory region stored in the memory device for a processor usage. The memory encryption engine restricts access to one or more configuration registers to a trusted code base of the processor usage. The processor executes the processor usage and the memory encryption engine protects contents of the memory region during execution. The memory encryption engine may access integrity metadata based on the address of the protected memory region. The memory encryption engine may prepare top-level counter metadata for entering a low-power state. Other embodiments are described and claimed.
-
Publication No.: US10402281B2
Publication Date: 2019-09-03
Application No.: US15086293
Filing Date: 2016-03-31
Applicant: INTEL CORPORATION
Inventor: Krishnakumar Narasimhan , Nicholas J. Adams , Karunakara Kotary , Brett P Wang
Abstract: A mechanism is described for facilitating dynamic capsule generation and recovery in computing environments according to one embodiment. A method of embodiments, as described herein, includes accessing a current firmware and a capsule driver binary file (“capsule file”) from a storage device, and merging the current firmware with the capsule file and a capsule header into a capsule payload. The method may further include assigning a security protocol to the capsule payload to ensure a secured capsule payload, and storing the secured capsule payload at the storage device for subsequent updates.
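The abstract above describes merging the current firmware and a capsule driver binary under a capsule header into one payload. The following C example, added here and not taken from the patent or from Intel code, builds such a payload under a header laid out as the UEFI EFI_CAPSULE_HEADER (GUID, HeaderSize, Flags, CapsuleImageSize) and then parses it back with every length checked against the bytes actually present, which is the check a practitioner wants before any capsule is trusted. The two-section body layout, the GUID and the section contents are constructed for the example; signing the payload (the "security protocol" the abstract mentions) is not shown.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* EFI_CAPSULE_HEADER as laid out by the UEFI specification (28 bytes, packed,
 * little-endian): CapsuleGuid[16], HeaderSize, Flags, CapsuleImageSize. */
#define CAPSULE_HDR_SIZE 28u
#define CAPSULE_FLAGS_PERSIST_ACROSS_RESET 0x00010000u

/* Body layout used by this example (an assumption, not the UEFI or Intel
 * format): two length-prefixed sections, current firmware then capsule driver. */
struct capsule_view {
    const uint8_t *firmware; uint32_t firmware_len;
    const uint8_t *driver;   uint32_t driver_len;
    uint32_t flags;
};

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Merge firmware + driver under a header.  Returns total bytes written, or 0
 * if `out` is too small or the total would not fit a 32-bit size field. */
size_t capsule_build(uint8_t *out, size_t cap, const uint8_t guid[16],
                     const uint8_t *fw, uint32_t fw_len,
                     const uint8_t *drv, uint32_t drv_len) {
    uint64_t total = (uint64_t)CAPSULE_HDR_SIZE + 4 + fw_len + 4 + drv_len;
    if (total > cap || total > UINT32_MAX) return 0;
    memcpy(out, guid, 16);
    put_le32(out + 16, CAPSULE_HDR_SIZE);
    put_le32(out + 20, CAPSULE_FLAGS_PERSIST_ACROSS_RESET);
    put_le32(out + 24, (uint32_t)total);
    uint8_t *p = out + CAPSULE_HDR_SIZE;
    put_le32(p, fw_len);  memcpy(p + 4, fw, fw_len);  p += 4 + fw_len;
    put_le32(p, drv_len); memcpy(p + 4, drv, drv_len);
    return (size_t)total;
}

/* Parse an untrusted capsule image.  Every length field is checked against
 * the bytes actually supplied; any inconsistency rejects the whole capsule. */
bool capsule_parse(const uint8_t *buf, size_t len, const uint8_t expect_guid[16],
                   struct capsule_view *v) {
    if (buf == NULL || len < CAPSULE_HDR_SIZE) return false;
    if (memcmp(buf, expect_guid, 16) != 0) return false;      /* not the capsule type we handle */
    uint32_t hdr = get_le32(buf + 16), img = get_le32(buf + 24);
    if (hdr < CAPSULE_HDR_SIZE || hdr > len || img != len) return false; /* header must fit, image size must match */
    size_t off = hdr;
    if (len - off < 4) return false;
    uint32_t fw_len = get_le32(buf + off); off += 4;
    if (fw_len > len - off) return false;                     /* section claims more than is present */
    v->firmware = buf + off; v->firmware_len = fw_len; off += fw_len;
    if (len - off < 4) return false;
    uint32_t drv_len = get_le32(buf + off); off += 4;
    if (drv_len > len - off) return false;
    v->driver = buf + off; v->driver_len = drv_len; off += drv_len;
    if (off != len) return false;                             /* trailing bytes are not tolerated */
    v->flags = get_le32(buf + 20);
    return true;
}

/* Round trip on constructed data plus two malformed variants; returns 0 on success,
 * otherwise the number of the first failing case. */
int capsule_demo(void) {
    static const uint8_t guid[16] = { 0x8b,0xa6,0x3c,0x4a,0x23,0x77,0xfb,0x48,
                                      0x80,0x3d,0x57,0x8c,0xc1,0xfe,0x98,0x4b }; /* constructed GUID */
    static const uint8_t fw[]  = "current-firmware";  /* constructed stand-in for the firmware image */
    static const uint8_t drv[] = "capsule-driver";    /* constructed stand-in for the capsule driver */
    uint8_t buf[128];
    size_t n = capsule_build(buf, sizeof buf, guid, fw, sizeof fw, drv, sizeof drv);
    struct capsule_view v;
    if (n == 0 || !capsule_parse(buf, n, guid, &v)) return 1;
    if (v.firmware_len != sizeof fw || memcmp(v.firmware, fw, sizeof fw) != 0) return 2;
    if (v.driver_len != sizeof drv || memcmp(v.driver, drv, sizeof drv) != 0) return 3;
    if (capsule_parse(buf, n - 1, guid, &v)) return 4;        /* truncated: CapsuleImageSize mismatch */
    uint8_t evil[128]; memcpy(evil, buf, n);
    put_le32(evil + CAPSULE_HDR_SIZE, 0xFFFFFFF0u);           /* firmware length inflated past the end */
    if (capsule_parse(evil, n, guid, &v)) return 5;
    return 0;
}
```

The parser keeps pointers into the caller's buffer rather than copying, so a production version would copy the sections out of the shared buffer before any later authentication or use, to close the window in which the bytes it validated could be changed.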
-
Publication No.: US10552613B2
Publication Date: 2020-02-04
Application No.: US15715773
Filing Date: 2017-09-26
Applicant: INTEL CORPORATION
Inventor: Krishnakumar Narasimhan , Sudhakar Otturu , Karunakara Kotary , Vincent J. Zimmer
Abstract: A computing device that implements a secure and transparent firmware update process is provided. The computing device includes a secure memory area and a secure device that separately executes firmware updates in parallel with other processes executed by a CPU. The secure memory area may be allocated by the CPU and/or a memory controller using any of a variety of memory protection techniques. System software executed by the CPU receives update firmware requests from a trusted source, stores a firmware payload included in these requests in the secure memory area, and executes the next scheduled process. Firmware executed by the secure device retrieves the firmware payload from the secure memory area, authenticates the firmware payload, and applies the firmware payload to a firmware storage device. The secure device performs these acts transparently from the point of view of the CPU, thus avoiding consumption of CPU resources.
-
Publication No.: US20190095351A1
Publication Date: 2019-03-28
Application No.: US15714323
Filing Date: 2017-09-25
Applicant: Intel Corporation
Inventor: Siddhartha Chhabra , Reouven Elbaz , Krishnakumar Narasimhan , Prashant Dewan , David M. Durham
Abstract: Technologies for secure memory usage include a computing device having a processor that includes a memory encryption engine and a memory device coupled to the processor. The processor supports multiple processor usages, such as secure enclaves, system management firmware, and a virtual machine monitor. The memory encryption engine is configured to protect a memory region stored in the memory device for a processor usage. The memory encryption engine restricts access to one or more configuration registers to a trusted code base of the processor usage. The processor executes the processor usage and the memory encryption engine protects contents of the memory region during execution. The memory encryption engine may access integrity metadata based on the address of the protected memory region. The memory encryption engine may prepare top-level counter metadata for entering a low-power state. Other embodiments are described and claimed.
-
Publication No.: US10318278B2
Publication Date: 2019-06-11
Application No.: US14850733
Filing Date: 2015-09-10
Applicant: INTEL CORPORATION
Inventor: Krishnakumar Narasimhan , Nicholas J. Adams
IPC: G06F9/24 , G06F15/177 , G06F8/654
Abstract: Apparatuses, methods and storage medium associated with provision of power management data packages are disclosed herein. In embodiments, an apparatus may include one or more processors, memory to store a power management data package having a first plurality of descriptions of always present fixed platform devices and a second plurality of descriptions of potentially present variable platform devices; and firmware coupled with the one or more processors and memory to provide basic input/output services to an operating system operated by the one or more processors, wherein the operating system has an operational requirement for the power management data package. The basic input/output services may include a service to modify the power management data package to bring the power management data package into compliance with the operational requirement of the operating system. Other embodiments may be described and/or claimed.
-
Publication No.: US20180173294A1
Publication Date: 2018-06-21
Application No.: US15387214
Filing Date: 2016-12-21
Applicant: Intel Corporation
Inventor: Karunakara Kotary , Ashish Hira , Krishnakumar Narasimhan
CPC classification number: G06F1/3234 , G06F1/3228 , G06F9/4416 , G06F9/4418
Abstract: Technologies for secure hybrid standby power management include a computing device with a processor supporting low-power idle standby. An operating system writes a power management sleep request, such as an ACPI S3 request, to a power management control register of the computing device. The processor traps the write to the power management control register and executes a firmware sleep mapper that causes the processor to enter an idle standby power state such as S0ix. The firmware sleep mapper may be included in a firmware isolated memory region. The address of the firmware sleep mapper may be included in a model-specific register of the processor. The processor may verify the firmware sleep mapper before execution. In response to a wake event, the processor resumes the firmware sleep mapper, which switches the processor to real mode and jumps to a waking vector of the operating system. Other embodiments are described and claimed.
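The hybrid standby mechanism described in this abstract and in the granted patent US10437310B2 listed earlier (trap the OS write to the PM1 control register, verify the firmware sleep mapper, map an S3 request to S0ix, and on wake return through the real-mode waking vector) is modelled in the C example below. The example is added here and is not code from the patent or from Intel firmware. The SLP_TYP values for S3 and S5, the pass-through of non-S3 requests, the FNV-1a digest standing in for the processor's real measurement of the mapper, the FACS bytes and the mapper image are all assumptions of the example; the PM1_CNT bit positions and the FACS waking-vector offset follow the ACPI specification.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* ACPI PM1 control register (PM1_CNT) bit layout:
 *   bits 10-12: SLP_TYPx, platform-defined sleep type
 *   bit  13   : SLP_EN, writing 1 starts the transition */
#define PM1_CNT_SLP_TYP_SHIFT 10
#define PM1_CNT_SLP_TYP_MASK  (0x7u << PM1_CNT_SLP_TYP_SHIFT)
#define PM1_CNT_SLP_EN        (1u << 13)

/* SLP_TYP values come from the platform's _S3/_S5 objects; 5 and 7 are
 * assumptions for this example, not values from the patent. */
#define PLATFORM_S3_SLP_TYP 5u
#define PLATFORM_S5_SLP_TYP 7u

enum power_state { PS_NONE, PS_S0IX, PS_S3, PS_S5, PS_REJECTED };

/* The firmware sleep mapper lives in an isolated region whose address is
 * published in an MSR.  A byte buffer, a reference digest and a stored
 * address stand in for the region, the measurement and the MSR. */
struct sleep_mapper {
    const uint8_t *code;
    size_t len;
    uint64_t expected_digest;   /* provisioned by trusted boot firmware */
    uint64_t msr_address;       /* MSR content: where the mapper must be */
};

/* FNV-1a 64-bit: a stand-in for the cryptographic hash a processor would
 * compare against a signed manifest; not collision resistant. */
static uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Verify the mapper before executing it: present, at the MSR-published
 * address, and matching its expected measurement. */
static bool verify_sleep_mapper(const struct sleep_mapper *m) {
    if (m == NULL || m->code == NULL || m->len == 0) return false;
    if (m->msr_address != (uint64_t)(uintptr_t)m->code) return false;
    return fnv1a64(m->code, m->len) == m->expected_digest;
}

uint32_t pm1_cnt_sleep_request(uint32_t slp_typ) {
    return ((slp_typ << PM1_CNT_SLP_TYP_SHIFT) & PM1_CNT_SLP_TYP_MASK) | PM1_CNT_SLP_EN;
}

/* Invoked when the processor traps an OS write to PM1_CNT.  Returns the
 * state the platform actually enters. */
enum power_state trap_pm1_cnt_write(uint32_t value, const struct sleep_mapper *m) {
    if (!(value & PM1_CNT_SLP_EN)) return PS_NONE;   /* not a sleep request */
    uint32_t slp_typ = (value & PM1_CNT_SLP_TYP_MASK) >> PM1_CNT_SLP_TYP_SHIFT;
    if (slp_typ == PLATFORM_S3_SLP_TYP) {
        /* Hybrid standby: the OS asked for S3, firmware maps it to S0ix.
         * An unverifiable mapper is refused rather than executed. */
        if (!verify_sleep_mapper(m)) return PS_REJECTED;
        return PS_S0IX;
    }
    if (slp_typ == PLATFORM_S5_SLP_TYP) return PS_S5;  /* example choice: pass S5 through */
    return PS_REJECTED;                                /* unknown sleep type: do not guess */
}

/* On wake the mapper switches to real mode and jumps to the OS waking vector
 * stored in the ACPI FACS (32-bit field at byte offset 12, little-endian on
 * x86).  A real-mode target must lie below 1 MiB; anything else is refused.
 * Returns 0 on failure. */
uint32_t facs_waking_vector(const uint8_t *facs, size_t len) {
    if (facs == NULL || len < 16 || memcmp(facs, "FACS", 4) != 0) return 0;
    uint32_t v;
    memcpy(&v, facs + 12, 4);
    if (v == 0 || v >= 0x100000u) return 0;
    return v;
}

/* Self-check on constructed data; returns 0 when every case behaves as
 * expected, otherwise the number of the first failing case. */
int sleep_mapper_demo(void) {
    static const uint8_t image[] = { 0xfa, 0x0f, 0x01, 0xd9, 0xf4 }; /* constructed bytes, not real mapper code */
    struct sleep_mapper good = { image, sizeof image, fnv1a64(image, sizeof image), (uint64_t)(uintptr_t)image };
    struct sleep_mapper tampered = good;
    tampered.expected_digest ^= 1;   /* image no longer matches its measurement */

    uint32_t s3 = pm1_cnt_sleep_request(PLATFORM_S3_SLP_TYP);
    if (trap_pm1_cnt_write(s3, &good) != PS_S0IX) return 1;
    if (trap_pm1_cnt_write(s3, &tampered) != PS_REJECTED) return 2;
    if (trap_pm1_cnt_write(s3 & ~PM1_CNT_SLP_EN, &good) != PS_NONE) return 3;
    if (trap_pm1_cnt_write(pm1_cnt_sleep_request(PLATFORM_S5_SLP_TYP), &good) != PS_S5) return 4;

    uint8_t facs[64] = { 'F', 'A', 'C', 'S', 64, 0, 0, 0 };      /* constructed FACS */
    uint32_t vec = 0x0009a000u; memcpy(facs + 12, &vec, 4);
    if (facs_waking_vector(facs, sizeof facs) != 0x0009a000u) return 5;
    vec = 0x00200000u; memcpy(facs + 12, &vec, 4);              /* above 1 MiB: unreachable from real mode */
    if (facs_waking_vector(facs, sizeof facs) != 0) return 6;
    return 0;
}
```

The point of verifying before the jump is that the mapper runs with the OS suspended and no other check in its path; a mapper the processor cannot measure back to its expected value should end in a refusal, never in a fallback to the original S3 flow with unverified code in the loop.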
-
Publication No.: US20170277530A1
Publication Date: 2017-09-28
Application No.: US15079725
Filing Date: 2016-03-24
Applicant: Intel Corporation
Inventor: Nicholas J. Adams , Krishnakumar Narasimhan , Vincent J. Zimmer
CPC classification number: G06F8/65 , G06F8/654 , G06F9/4403 , G06F12/10 , G06F12/1081 , G06F12/14 , G06F12/1441 , G06F13/28 , G06F13/4282 , G06F2212/1052 , G06F2212/65 , G06F2213/0024 , G06F2213/0042 , G06F2213/28
Abstract: Technologies for performing a secure firmware update include a compute device that includes a memory device to store firmware update payload, one or more devices that have direct memory access (DMA) to the memory, a DMA remap module, and a firmware update module. The DMA remap module is to create a memory isolation domain for each of the one or more devices. Each memory isolation domain comprises a physical address space in the memory that is mutually exclusive to the physical address spaces of the other memory isolation domains. The firmware update module is to (i) analyze the firmware update payload to identify one or more of the devices associated with the firmware update payload and (ii) move the firmware update payload to the memory isolation domains of each associated device to enable secure transmission of the firmware update payload to the associated devices.
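The isolation-domain idea in this abstract (one physical address range per DMA-capable device, mutually exclusive with every other device's range, with each part of the update payload moved only into the domain of the device it targets) is illustrated by the C example below. It is added here and is not code from the patent or from Intel; the device IDs, address ranges, the per-section payload layout and the refusal policy for stray or oversized sections are assumptions of the example. What it shows that the abstract does not is the set of checks a remap table needs before a domain is accepted: non-zero size, no address wraparound, no duplicate device, and no overlap with an existing domain.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_DOMAINS 8

/* One isolation domain per DMA-capable device: a physical range that must
 * not overlap any other domain (the DMA remap module's per-device space). */
struct dma_domain { uint16_t device_id; uint64_t base; uint64_t size; };
struct remap_table { struct dma_domain d[MAX_DOMAINS]; size_t n; };

static bool ranges_overlap(uint64_t a, uint64_t alen, uint64_t b, uint64_t blen) {
    return a < b + blen && b < a + alen;
}

/* Register a domain.  Refuses a full table, zero size, address wraparound,
 * a device that already has a domain, or any overlap with an existing one. */
bool remap_add_domain(struct remap_table *t, uint16_t dev, uint64_t base, uint64_t size) {
    if (t == NULL || t->n >= MAX_DOMAINS || size == 0 || base + size < base) return false;
    for (size_t i = 0; i < t->n; i++) {
        if (t->d[i].device_id == dev) return false;
        if (ranges_overlap(base, size, t->d[i].base, t->d[i].size)) return false;
    }
    t->d[t->n++] = (struct dma_domain){ dev, base, size };
    return true;
}

/* Update payload section tagged with its target device (assumed layout). */
struct payload_section { uint16_t device_id; uint64_t len; };

/* Choose a physical address inside the target device's domain for each
 * section, packing sections for the same device back to back.  Returns the
 * number of sections placed, or -1 if any section targets a device without a
 * domain or does not fit; out_addr is unspecified on failure. */
int remap_place_payload(const struct remap_table *t, const struct payload_section *s,
                        size_t ns, uint64_t *out_addr) {
    uint64_t used[MAX_DOMAINS] = { 0 };
    for (size_t i = 0; i < ns; i++) {
        size_t j;
        for (j = 0; j < t->n; j++) if (t->d[j].device_id == s[i].device_id) break;
        if (j == t->n) return -1;                              /* no domain: never spill into another device's */
        if (s[i].len > t->d[j].size - used[j]) return -1;      /* would run past the domain */
        out_addr[i] = t->d[j].base + used[j];
        used[j] += s[i].len;
    }
    return (int)ns;
}

/* Constructed scenario; returns 0 on success, else the first failing case. */
int dma_remap_demo(void) {
    struct remap_table t; memset(&t, 0, sizeof t);
    if (!remap_add_domain(&t, 0x1a, 0x80000000ull, 0x100000)) return 1;  /* NIC: 1 MiB at 2 GiB */
    if (!remap_add_domain(&t, 0x2b, 0x80100000ull, 0x100000)) return 2;  /* SSD: the next 1 MiB */
    if (remap_add_domain(&t, 0x3c, 0x80080000ull, 0x100000)) return 3;   /* overlaps the NIC domain */
    if (remap_add_domain(&t, 0x1a, 0x90000000ull, 0x1000)) return 4;     /* NIC already has a domain */

    struct payload_section s[3] = { { 0x1a, 0x40000 }, { 0x2b, 0x80000 }, { 0x1a, 0x40000 } };
    uint64_t addr[3];
    if (remap_place_payload(&t, s, 3, addr) != 3) return 5;
    if (addr[0] != 0x80000000ull || addr[1] != 0x80100000ull || addr[2] != 0x80040000ull) return 6;

    struct payload_section stray = { 0x3c, 0x10 };                        /* device 0x3c was refused above */
    if (remap_place_payload(&t, &stray, 1, addr) != -1) return 7;
    struct payload_section big = { 0x2b, 0x200000 };                      /* larger than the SSD domain */
    if (remap_place_payload(&t, &big, 1, addr) != -1) return 8;
    return 0;
}
```

In hardware the table would be programmed into the IOMMU (DMA remapping) so that a device can only reach its own domain; the software checks above are what keep that programming consistent, since an overlap or a stray section would let one device's update read or corrupt another's.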
-