公开(公告)号：US11531475B2

公开(公告)日：2022-12-20

申请号：US16882637

申请日：2020-05-25

Applicant: Intel Corporation

Inventor： Ilya Alexandrovich ,  Vladimir Beker ,  Gideon Gerzon ,  Vincent R. Scarlata

IPC: G06F3/06 ,  G06F21/79 ,  G06F21/85 ,  G06F21/78 ,  G06F13/16 ,  G06F13/40

Abstract: An integrated circuit includes protected container access control logic to perform a set of access control checks and to determine whether to allow a device protected container module (DPCM) and an input and/or output (I/O) device to communicate securely through one of direct memory access (DMA) and memory-mapped input/output (MMIO). The DPCM and the I/O device are allowed to communicate securely if it is determined that at least the DPCM and the I/O device are mapped to one another, an access address associated with the communication resolves into a protected container memory, and a page of the protected container memory into which the access address resolves allows for the aforementioned one of DMA and MMIO. In some cases, a Security Attributes of Initiator (SAI) or security identifier may be used to obtain a DPCM identifier or attest that access is from a DPCM mapped to the I/O device. In some cases, a determination may be made that a type of access is compatible with one or more allowed access types for the page as represented in a protected container page metadata structure.

公开(公告)号：US20180091554A1

公开(公告)日：2018-03-29

申请号：US15274793

申请日：2016-09-23

Applicant: INTEL CORPORATION

Inventor： Nagaraju N. Kodalapura ,  Vladimir Beker ,  Raghunandan Makaram

IPC: H04L29/06 ,  G06F21/62 ,  G11C7/10 ,  G06F12/14

CPC classification number: G06F12/1491 ,  G06F21/6281 ,  G06F21/71 ,  G06F2212/1052 ,  G06F2221/032 ,  G11C7/1072

Abstract: An example method for remapping a group of system registers. The method may include receiving, by a secure access control mechanism, a request to remap one of a group of system registers from an association with a first access policy group to an association with a second access policy group. The method may include storing the remapping array at a memory of the secure access control mechanism, where a first value stored in a first entry of the remapping array maps the one of the group of system registers to the second access policy group. The method may include remapping, by the secure access control mechanism, the one of a group of system registers from the association with the first access policy group to the association with the second access policy group using the remapping array.

公开(公告)号：US09448950B2

公开(公告)日：2016-09-20

申请号：US14140254

申请日：2013-12-24

Applicant: Intel Corporation

Inventor： Vincent R. Scarlata ,  Simon P. Johnson ,  Vladimir Beker ,  Jesse Walker ,  Carlos V. Rozas ,  Amy L. Santoni ,  Ittai Anati ,  Raghunandan Makaram ,  Francis X. McKeen ,  Uday R. Savagaonkar

IPC: G06F21/00 ,  H04L29/06 ,  G06F12/14 ,  G06F21/74 ,  H04L9/32 ,  H04L12/24 ,  G06F21/62 ,  G06F21/57

CPC classification number: G06F12/1466 ,  G06F21/74 ,  G06F2212/1052

Abstract: Systems and methods for secure delivery of output surface bitmaps to a display engine. An example processing system comprises: an architecturally protected memory; and a plurality of processing devices communicatively coupled to the architecturally protected memory, each processing device comprising a first processing logic to implement an architecturally-protected execution environment by performing at least one of: executing instructions residing in the architecturally protected memory, or preventing an unauthorized access to the architecturally protected memory; wherein each processing device further comprises a second processing logic to establish a secure communication channel with a second processing device of the processing system, employ the secure communication channel to synchronize a platform identity key representing the processing system, and transmit a platform manifest comprising the platform identity key to a certification system.

Abstract translation: 用于将输出表面位图安全传递到显示引擎的系统和方法。 一个示例处理系统包括：架构受保护的存储器; 以及多个处理设备，通信地耦合到架构保护的存储器，每个处理设备包括第一处理逻辑，以通过执行以下至少一个来实现架构保护的执行环境：执行驻留在架构保护的存储器中的指令，或者防止未授权的 访问架构受保护的内存; 其中每个处理设备还包括第二处理逻辑，用于与所述处理系统的第二处理设备建立安全通信信道，采用所述安全通信信道来同步代表所述处理系统的平台标识密钥，并发送包括所述平台的平台清单 认证系统的身份密钥。

公开(公告)号：US20230266888A1

公开(公告)日：2023-08-24

申请号：US18083277

申请日：2022-12-16

Applicant: INTEL CORPORATION

Inventor： Ilya Alexandrovich ,  Vladimir Beker ,  Gideon Gerzon ,  Vincent R. Scarlata

IPC: G06F3/06 ,  G06F21/85 ,  G06F21/78 ,  G06F21/79 ,  G06F13/16 ,  G06F13/40

CPC classification number: G06F3/0622 ,  G06F21/85 ,  G06F21/78 ,  G06F21/79 ,  G06F3/0637 ,  G06F3/0673 ,  G06F13/16 ,  G06F13/4068

Abstract: An integrated circuit includes protected container access control logic to perform a set of access control checks and to determine whether to allow a device protected container module (DPCM) and an input and/or output (I/O) device to communicate securely through one of direct memory access (DMA) and memory-mapped input/output (MMIO). The DPCM and the I/O device are allowed to communicate securely if it is determined that at least the DPCM and the I/O device are mapped to one another, an access address associated with the communication resolves into a protected container memory, and a page of the protected container memory into which the access address resolves allows for the aforementioned one of DMA and MMIO. In some cases, a Security Attributes of Initiator (SAI) or security identifier may be used to obtain a DPCM identifier or attest that access is from a DPCM mapped to the I/O device. In some cases, a determination may be made that a type of access is compatible with one or more allowed access types for the page as represented in a protected container page metadata structure.

公开(公告)号：US10664179B2

公开(公告)日：2020-05-26

申请号：US14866478

申请日：2015-09-25

Applicant: Intel Corporation

Inventor： Ilya Alexandrovich ,  Vladimir Beker ,  Gideon Gerzon ,  Vincent R. Scarlata

IPC: G06F3/06 ,  G06F21/79 ,  G06F21/85 ,  G06F21/78 ,  G06F13/16 ,  G06F13/40

Abstract: An integrated circuit includes protected container access control logic to perform a set of access control checks and to determine whether to allow a device protected container module (DPCM) and an input and/or output (I/O) device to communicate securely through one of direct memory access (DMA) and memory-mapped input/output (MMIO). The DPCM and the I/O device are allowed to communicate securely if it is determined that at least the DPCM and the I/O device are mapped to one another, an access address associated with the communication resolves into a protected container memory, and a page of the protected container memory into which the access address resolves allows for the aforementioned one of DMA and MMIO. In some cases, a Security Attributes of Initiator (SAI) or security identifier may be used to obtain a DPCM identifier or attest that access is from a DPCM mapped to the I/O device. In some cases, a determination may be made that a type of access is compatible with one or more allowed access types for the page as represented in a protected container page metadata structure.

公开(公告)号：US10318440B2

公开(公告)日：2019-06-11

申请号：US15274793

申请日：2016-09-23

Applicant: INTEL CORPORATION

Inventor： Nagaraju N. Kodalapura ,  Vladimir Beker ,  Raghunandan Makaram

IPC: G06F12/14 ,  G06F21/62 ,  G06F21/71 ,  G11C7/10

Abstract: An example method for remapping a group of system registers. The method may include receiving, by a secure access control mechanism, a request to remap one of a group of system registers from an association with a first access policy group to an association with a second access policy group. The method may include storing the remapping array at a memory of the secure access control mechanism, where a first value stored in a first entry of the remapping array maps the one of the group of system registers to the second access policy group. The method may include remapping, by the secure access control mechanism, the one of a group of system registers from the association with the first access policy group to the association with the second access policy group using the remapping array.

公开(公告)号：US20250028455A1

公开(公告)日：2025-01-23

申请号：US18909658

申请日：2024-10-08

Applicant: Intel Corporation

Inventor： Ilya Alexandrovich ,  Vladimir Beker ,  Gideon Gerzon ,  Vincent R. Scarlata

IPC: G06F3/06 ,  G06F13/16 ,  G06F13/40 ,  G06F21/78 ,  G06F21/79 ,  G06F21/85

Abstract: An integrated circuit includes protected container access control logic to perform a set of access control checks and to determine whether to allow a device protected container module (DPCM) and an input and/or output (I/O) device to communicate securely through one of direct memory access (DMA) and memory-mapped input/output (MMIO). The DPCM and the I/O device are allowed to communicate securely if it is determined that at least the DPCM and the I/O device are mapped to one another, an access address associated with the communication resolves into a protected container memory, and a page of the protected container memory into which the access address resolves allows for the aforementioned one of DMA and MMIO. In some cases, a Security Attributes of Initiator (SAI) or security identifier may be used to obtain a DPCM identifier or attest that access is from a DPCM mapped to the I/O device. In some cases, a determination may be made that a type of access is compatible with one or more allowed access types for the page as represented in a protected container page metadata structure.

公开(公告)号：US12141450B2

公开(公告)日：2024-11-12

申请号：US18083277

申请日：2022-12-16

Applicant: INTEL CORPORATION

Inventor： Ilya Alexandrovich ,  Vladimir Beker ,  Gideon Gerzon ,  Vincent R. Scarlata

IPC: G06F3/06 ,  G06F13/16 ,  G06F13/40 ,  G06F21/78 ,  G06F21/79 ,  G06F21/85

Abstract: An integrated circuit includes protected container access control logic to perform a set of access control checks and to determine whether to allow a device protected container module (DPCM) and an input and/or output (I/O) device to communicate securely through one of direct memory access (DMA) and memory-mapped input/output (MMIO). The DPCM and the I/O device are allowed to communicate securely if it is determined that at least the DPCM and the I/O device are mapped to one another, an access address associated with the communication resolves into a protected container memory, and a page of the protected container memory into which the access address resolves allows for the aforementioned one of DMA and MMIO. In some cases, a Security Attributes of Initiator (SAI) or security identifier may be used to obtain a DPCM identifier or attest that access is from a DPCM mapped to the I/O device. In some cases, a determination may be made that a type of access is compatible with one or more allowed access types for the page as represented in a protected container page metadata structure.

公开(公告)号：US20170090800A1

公开(公告)日：2017-03-30

申请号：US14866478

申请日：2015-09-25

Applicant: Intel Corporation

Inventor： Ilya Alexandrovich ,  Vladimir Beker ,  Gideon Gerzon ,  Vincent R. Scarlata

IPC: G06F3/06 ,  G06F13/40 ,  G06F13/16

Abstract: An integrated circuit of an aspect includes protected container access control logic to perform a set of access control checks and to determine to allow a device protected container module (DPCM) and an input and/or output (I/O) device to communicate securely through one of direct memory access (DMA) and memory-mapped input/output (MMIO). This is done after it has been determined that at least the DPCM and the I/O device are mapped to one another, an access address associated with the communication resolves into a protected container memory, and a page of the protected container memory into which the access address resolves allows for said one of DMA and MMIO.