-
Publication (announcement) number: US20230291567A1
Publication (announcement) date: 2023-09-14
Application number: US17692930
Application date: 2022-03-11
Applicant: Intel Corporation
Inventors: VIDHYA KRISHNAN, SIDDHARTHA CHHABRA, VEDVYAS SHANBHOGUE, XIAOYU RUAN, ADITYA NAVALE, JULIEN CARRENO
CPC classification: H04L9/3242, H04L9/0877, G06F12/1408, G06T1/60
Abstract: Described herein is a paging technique that can be implemented in any accelerator with attached memory and support for operating on encrypted data when the CPU is not within the trusted compute base (TCB). Memory storing data that is encrypted using hardware physical address (HPA)-based encryption can be paged out of accelerator device memory by decoupling encryption from the hardware physical address and re-encrypting the data for page-out. Upon page-in, the data is decrypted, the integrity and authenticity of the data are verified, and the data is then re-encrypted using HPA-based encryption.
-
Publication (announcement) number: US20160330216A1
Publication (announcement) date: 2016-11-10
Application number: US14703609
Application date: 2015-05-04
Applicant: Intel Corporation
IPC classification: H04L29/06
CPC classification: H04L63/1416, H04L63/1441
Abstract: The present disclosure is directed to attack detection through signal delay monitoring. An example system may comprise at least one device including a physical interface. At least one signal delay monitor may determine whether a signal being transmitted to the device is received as expected at the physical interface and indicate a potential attack when the signal is determined not to be received as expected. Determining whether the signal is received as expected may include determining whether the signal is received within a window defining a time period in which receipt of the signal is expected. An example signal monitor may comprise at least a new data reception monitoring module and an expected reception window monitoring module. These modules may include logic to determine whether the signal is received within the window. An indication of a potential attack may trigger, for example, security-related actions in the system.
-
Publication (announcement) number: US20160275018A1
Publication (announcement) date: 2016-09-22
Application number: US14661044
Application date: 2015-03-18
Applicant: Intel Corporation
CPC classification: G06F21/79
Abstract: This disclosure is directed to cache and data organization for memory protection. Memory protection operations in a device may be expedited by organizing the cache and/or data structures while providing memory protection for encrypted data. An example device may comprise a processing module and a memory module. The processing module may include a memory encryption engine (MEE) to decrypt encrypted data loaded from the memory module, or to encrypt plaintext data prior to storage in the memory module, using security metadata also stored in the memory module. Example security metadata may include version (VER) data, memory authentication code (MAC) data and counter data. Consistent with the present disclosure, a cache associated with the MEE may be partitioned to separate the VER and MAC data from the counter data. Data organization may comprise placing the VER and MAC data corresponding to particular data in the same data line.
-
Publication (announcement) number: US20200183861A1
Publication (announcement) date: 2020-06-11
Application number: US16690614
Application date: 2019-11-21
Applicant: Intel Corporation
Abstract: The presently disclosed method and apparatus for sharing security metadata memory space proposes a technique to allow metadata sharing between two different encryption techniques. A section of memory encrypted using a first type of encryption and having first security metadata associated therewith is converted to a section of memory encrypted using a second type of encryption and having second security metadata associated therewith. At least a portion of said first security metadata shares a memory space with at least a portion of said second security metadata for the same section of memory.
-
Publication (announcement) number: US20180095899A1
Publication (announcement) date: 2018-04-05
Application number: US15283339
Application date: 2016-10-01
Applicant: Intel Corporation
Inventors: DAVID E. DURHAM, SIDDHARTHA CHHABRA, SERGE J. DEUTSCH, MICHAEL E. KOUNAVIS, ALPA T. NARENDRA TRIVEDI
IPC classification: G06F12/14, G06F12/128, G06F12/0831
CPC classification: G06F12/1408, G06F12/0831, G06F12/12, G06F12/128, G06F12/1475, G06F2212/1052, G06F2212/621
Abstract: Embodiments of an apparatus, method, and storage medium associated with MCCG memory integrity for securing/protecting the memory content/data of a VM or enclave are described herein. In some embodiments, an apparatus may include one or more encryption engines to encrypt a unit of data to be stored in a memory in response to a write operation from a VM or an enclave of an application, prior to storing the unit of data into the memory in encrypted form; wherein, to encrypt the unit of data, the one or more encryption engines are to encrypt the unit of data using at least a key domain selector associated with the VM or enclave, and a tweak based on a color within a color group associated with the VM or enclave. Other embodiments may be described and/or claimed.
-
Publication (announcement) number: US20170372063A1
Publication (announcement) date: 2017-12-28
Application number: US15656992
Application date: 2017-07-21
Applicant: Intel Corporation
Inventors: PRASHANT DEWAN, UTTAM SENGUPTA, SIDDHARTHA CHHABRA, DAVID DURHAM, XIAOZHU KANG, UDAY SAVAGAONKAR, ALPA NARENDRA TRIVEDI
CPC classification: G06F21/53, G06F9/45504, G06F9/45558, G06F9/5011, G06F9/5072, G06F21/554, G06F21/84, G06F2009/45587, G06F2213/0038, H04L9/3247
Abstract: Generally, this disclosure provides systems, devices, methods and computer readable media for virtualization-based intra-block workload isolation. The system may include a virtual machine manager (VMM) module to create a secure virtualization environment or sandbox. The system may also include a processor block to load data into a first region of the sandbox and to generate a workload package based on the data. The workload package is stored in a second region of the sandbox. The system may further include an operational block to fetch and execute instructions from the workload package.
-
Publication (announcement) number: US20170286320A1
Publication (announcement) date: 2017-10-05
Application number: US15089280
Application date: 2016-04-01
Applicant: Intel Corporation
Abstract: This disclosure is directed to avoiding redundant memory encryption in a cryptographic protection system. Data stored in a device may be protected using different encryption systems. Data associated with at least one trusted execution environment (TEE) may be encrypted using a first encryption system. Main memory in the device may comprise data important to maintaining the integrity of an operating system (OS), etc., and may be encrypted using a second encryption system. Data may also be placed into a memory location via direct memory access (DMA) and may be protected utilizing a third encryption system. Redundant encryption may be avoided by encryption circuitry capable of determining when data is already protected by encryption provided by another system. For example, the encryption circuitry may comprise encryption control circuitry that monitors indicators set at different points during data handling, and may bypass certain data encryption or decryption operations based on the indicator settings.
-
Publication (announcement) number: US20150278512A1
Publication (announcement) date: 2015-10-01
Application number: US14228994
Application date: 2014-03-28
Applicant: Intel Corporation
Inventors: PRASHANT DEWAN, UTTAM K. SENGUPTA, SIDDHARTHA CHHABRA, DAVID M. DURHAM, XIAOZHU KANG, UDAY R. SAVAGAONKAR, ALPA T. NARENDRA TRIVEDI
CPC classification: G06F21/53, G06F9/45504, G06F9/45558, G06F9/5011, G06F9/5072, G06F21/554, G06F21/84, G06F2009/45587, G06F2213/0038, H04L9/3247
Abstract: Generally, this disclosure provides systems, devices, methods and computer readable media for virtualization-based intra-block workload isolation. The system may include a virtual machine manager (VMM) module to create a secure virtualization environment or sandbox. The system may also include a processor block to load data into a first region of the sandbox and to generate a workload package based on the data. The workload package is stored in a second region of the sandbox. The system may further include an operational block to fetch and execute instructions from the workload package.
-
Publication (announcement) number: US20240193263A1
Publication (announcement) date: 2024-06-13
Application number: US18266379
Application date: 2020-12-26
Applicant: INTEL CORPORATION
Inventors: SIDDHARTHA CHHABRA
CPC classification: G06F21/54, G06F11/1016, G06F21/602
Abstract: Techniques for dynamically configurable Scalable Memory Integrity and Enhanced Reliability, Availability, and Serviceability (SMIRAS) are described. A SMIRAS-based system may be enabled to use an integrity-based metadata organization, a replay-protection-based metadata organization, or a combination of both metadata organizations.
-
Publication (announcement) number: US20220038505A1
Publication (announcement) date: 2022-02-03
Application number: US17502787
Application date: 2021-10-15
Applicant: INTEL CORPORATION
Inventors: SIDDHARTHA CHHABRA, Prashant Dewan
Abstract: Various embodiments are generally directed to techniques to enforce policies for computing platform resources, such as to prevent denial of service (DoS) attacks on the computing platform resources. Some embodiments are particularly directed to ISA instructions that allow trusted software/applications to securely enforce policies on a platform resource/device while allowing untrusted software to control allocation of the platform resource. In many embodiments, the ISA instructions may enable secure communication between a trusted application and a platform resource. In several embodiments, a first ISA instruction implemented by microcode may enable a trusted application to wrap policy information for secure transmission through an untrusted stack. In several such embodiments, a second ISA instruction implemented by microcode may enable untrusted software to verify the validity of the wrapped blobs and to program registers associated with the platform resource with the policy information provided via the wrapped blobs.