-
Publication number: US12189792B2
Publication date: 2025-01-07
Application number: US17033748
Filing date: 2020-09-26
Applicant: Intel Corporation
Inventor: Barry E. Huntley, Hormuzd M. Khosravi, Thomas Toll, Ramya Jayaram Masti, Siddhartha Chhabra, Vincent Von Bokern
Abstract: Embodiments of apparatuses, methods, and systems for scalable multi-key memory encryption are disclosed. In an embodiment, an apparatus includes a core, an encryption unit, and key identification hardware. The core is to write data to and read data from memory regions, each to be identified by a corresponding address. The encryption unit is to encrypt data to be written and decrypt data to be read. The key identification hardware is to use a portion of the corresponding address to look up a corresponding key identifier in a key information data structure. The corresponding key identifier is one of multiple key identifiers. The corresponding key identifier is to identify which one of multiple encryption keys is to be used to encrypt and decrypt the data.
-
Publication number: US12126706B2
Publication date: 2024-10-22
Application number: US17134351
Filing date: 2020-12-26
Applicant: Intel Corporation
Inventor: Siddhartha Chhabra, John Sell
CPC classification number: H04L9/002, G06F21/602, H04L9/0643, H04L9/3242
Abstract: Detailed herein are embodiments which allow for integrity protected access control to provide defense against deterministic software attacks. Software attacks such as rowhammer attacks which target the TD bit itself are defended against using cryptographic integrity which the data itself is protected by the TD-bit alone. As such, software is reduced to performing only non-deterministic attacks (e.g., random corruption), but all the deterministic attacks are defended against. Additionally, integrity-protected access control bits are protected against simple hardware attacks where the adversary with physical access to the machine can flip TD bits to get ciphertext access in software which can break confidentiality.
-
Publication number: US12022013B2
Publication date: 2024-06-25
Application number: US17134363
Filing date: 2020-12-26
Applicant: Intel Corporation
Inventor: Siddhartha Chhabra, Prashant Dewan, Baiju Patel
CPC classification number: H04L9/3278, G06F9/30098, G06F9/30145, H04L9/0861, H04L9/0894
Abstract: Techniques for encrypting data using a key generated by a physical unclonable function (PUF) are described. An apparatus according to the present disclosure may include decoder circuitry to decode an instruction and generate a decoded instruction. The decoded instruction includes operands and an opcode. The opcode indicates that execution circuitry is to encrypt data using a key generated by a PUF. The apparatus may further include execution circuitry to execute the decoded instruction according to the opcode to encrypt the data to generate encrypted data using the key generated by the PUF.
-
Publication number: US11997192B2
Publication date: 2024-05-28
Application number: US17033135
Filing date: 2020-09-25
Applicant: Intel Corporation
Inventor: Bo Zhang, Siddhartha Chhabra, William A. Stevens, Reshma Lal
CPC classification number: H04L9/0825, G06F21/85, H04L9/0631, H04L9/0637, H04L9/0861, H04L9/3271, H04L63/04, H04L63/18, G06F2221/2107, G06F2221/2111
Abstract: Technologies for establishing device locality are disclosed. A processor in a computing device generates an identifier distinct to the computing device. The processor transmits the identifier to a management controller via a hardware bus in the computing device. The processor generates a key and encrypts the key with the identifier to generate a wrapped key. The processor transmits the wrapped key to the management controller. In turn, the management controller unwraps the key using the identifier. Other embodiments are described and claimed.
-
Publication number: US20230315857A1
Publication date: 2023-10-05
Application number: US18131199
Filing date: 2023-04-05
Applicant: Intel Corporation
Inventor: Ravi L. Sahita, Baiju V. Patel, Barry E. Huntley, Gilbert Neiger, Hormuzd M. Khosravi, Ido Ouziel, David M. Durham, Ioannis T. Schoinas, Siddhartha Chhabra, Carlos V. Rozas, Gideon Gerzon
CPC classification number: G06F21/57, G06F21/6218, G06F12/1408, H04L9/0618, H04L63/061, G06F21/53, G06F21/71, G06F21/79, G06F2009/45587
Abstract: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, a processing device includes a memory ownership table (MOT) that is access-controlled against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to manage a trust domain (TD), maintain a trust domain control structure (TDCS) for managing global metadata for each TD, maintain an execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is access-controlled against software accesses, and reference the MOT to obtain at least one key identifier (key ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key.
-
Publication number: US11706039B2
Publication date: 2023-07-18
Application number: US17134364
Filing date: 2020-12-26
Applicant: Intel Corporation
Inventor: Siddhartha Chhabra, Prashant Dewan, Baiju Patel
CPC classification number: H04L9/3278, G06F9/30098, G06F9/30145, H04L9/0861
Abstract: Techniques for encrypting data using a key generated by a physical unclonable function (PUF) are described. An apparatus according to the present disclosure may include decoder circuitry to decode an instruction and generate a decoded instruction. The decoded instruction includes operands and an opcode. The opcode indicates that execution circuitry is to encrypt data using a key generated by a PUF. The apparatus may further include execution circuitry to execute the decoded instruction according to the opcode to encrypt the data to generate encrypted data using the key generated by the PUF.
-
Publication number: US11700135B2
Publication date: 2023-07-11
Application number: US17134360
Filing date: 2020-12-26
Applicant: Intel Corporation
Inventor: Siddhartha Chhabra, Prashant Dewan, Baiju Patel, Vedvyas Shanbhogue
CPC classification number: H04L9/3278, G06F9/30145, G06F12/1408, H04L9/0866, H04L9/3242
Abstract: Techniques for encrypting data using a key generated by a physical unclonable function (PUF) are described. An apparatus according to the present disclosure may include decoder circuitry to decode an instruction and generate a decoded instruction. The decoded instruction includes operands and an opcode. The opcode indicates that execution circuitry is to encrypt data using a key generated by a PUF. The apparatus may further include execution circuitry to execute the decoded instruction according to the opcode to encrypt the data to generate encrypted data using the key generated by the PUF.
-
Publication number: US11651085B2
Publication date: 2023-05-16
Application number: US16934089
Filing date: 2020-07-21
Applicant: Intel Corporation
Inventor: David M. Durham, Siddhartha Chhabra, Ravi L. Sahita, Barry E. Huntley, Gilbert Neiger, Gideon Gerzon, Baiju V. Patel
IPC: G06F21/60, G06F3/06, G06F12/1009, G06F21/57, G06F21/53
CPC classification number: G06F21/602, G06F3/067, G06F3/0623, G06F3/0661, G06F12/1009, G06F21/53, G06F21/57, G06F2212/1052
Abstract: A processor executes an untrusted VMM that manages execution of a guest workload. The processor also populates an entry in a memory ownership table for the guest workload. The memory ownership table is indexed by an original hardware physical address, the entry comprises an expected guest address that corresponds to the original hardware physical address, and the entry is encrypted with a key domain key. In response to receiving a request from the guest workload to access memory using a requested guest address, the processor (a) obtains, from the untrusted VMM, a hardware physical address that corresponds to the requested guest address; (b) uses that physical address as an index to find an entry in the memory ownership table; and (c) verifies whether the expected guest address from the found entry matches the requested guest address. Other embodiments are described and claimed.
-
Publication number: US11625275B2
Publication date: 2023-04-11
Application number: US17109742
Filing date: 2020-12-02
Applicant: Intel Corporation
Inventor: Krystof Zmudzinski, Siddhartha Chhabra, Reshma Lal, Alpa Narendra Trivedi, Luis S. Kida, Pradeep M. Pappachan, Abhishek Basak, Anna Trikalinou
IPC: G06F9/445, G06F9/50, G06F9/455, G06F21/62, G06F12/1009, G06F9/46, G06F13/28, G06F21/85, G06F21/78, G06F21/53, G06F21/57, H04L9/32, H04W12/30, H04W12/48, H04L69/16
Abstract: Technologies for secure I/O include a compute device, which further includes a processor, a memory, a trusted execution environment (TEE), one or more input/output (I/O) devices, and an I/O subsystem. The I/O subsystem includes a device memory access table (DMAT) programmed by the TEE to establish bindings between the TEE and one or more I/O devices that the TEE trusts and a memory ownership table (MOT) programmed by the TEE when a memory page is allocated to the TEE.
-
Publication number: US20230100106A1
Publication date: 2023-03-30
Application number: US17483904
Filing date: 2021-09-24
Applicant: Intel Corporation
Inventor: Prashant Dewan, Siddhartha Chhabra, Robert Royer, JR., Baiju Patel
Abstract: In one embodiment, an apparatus includes: an access control circuit to receive a memory transaction directed to a storage, the memory transaction having a requester ID and a key ID; a first memory to store an access control table, the access control table having a plurality of entries each to store a requester ID and at least one key ID; and a cryptographic circuit coupled to the access control circuit, the cryptographic circuit to perform a cryptographic operation on data associated with the memory transaction based at least in part on the key ID. The apparatus may be implemented as an inline engine coupled between the storage and an accelerator, the inline engine to provide decrypted data to the accelerator, the storage to store encrypted data. Other embodiments are described and claimed.