公开(公告)号：US12282567B2

公开(公告)日：2025-04-22

申请号：US17878322

申请日：2022-08-01

Applicant: Intel Corporation

Inventor： David M. Durham ,  Michael LeMay ,  Ramya Jayaram Masti ,  Gilbert Neiger ,  Jason W. Brandt

IPC: G06F21/60 ,  G06F9/30 ,  G06F9/32 ,  G06F9/455 ,  G06F9/48 ,  G06F9/50 ,  G06F12/02 ,  G06F12/06 ,  G06F12/0811 ,  G06F12/0875 ,  G06F12/0897 ,  G06F12/14 ,  G06F21/12 ,  G06F21/62 ,  G06F21/72 ,  G06F21/79 ,  H04L9/06 ,  H04L9/08 ,  H04L9/14

Abstract: Technologies disclosed herein provide cryptographic computing with cryptographically encoded pointers in multi-tenant environments. An example method comprises executing, by a trusted runtime, first instructions to generate a first address key for a private memory region in the memory and generate a first cryptographically encoded pointer to the private memory region in the memory. Generating the first cryptographically encoded pointer includes storing first context information associated with the private memory region in first bits of the first cryptographically encoded pointer and performing a cryptographic algorithm on a slice of a first linear address of the private memory region based, at least in part, on the first address key and a first tweak, the first tweak including the first context information. The method further includes permitting a first tenant in the multi-tenant environment to access the first address key and the first cryptographically encoded pointer to the private memory region.

公开(公告)号：US20250094275A1

公开(公告)日：2025-03-20

申请号：US18808871

申请日：2024-08-19

Applicant: Intel Corporation

Inventor： Sergej Deutsch ,  David M. Durham ,  Karanvir Grewal ,  Rajat Agarwal

IPC: G06F11/10 ,  G06F3/06

Abstract: The technology disclosed herein comprises a processor; a memory to store data and a plurality of error correcting code (ECC) bits associated with the data; and a memory controller coupled to the memory, the memory controller to receive a write request from the processor and, when an access control field is selected in the write request, perform an exclusive OR (XOR) operation on the plurality of ECC bits and a fixed encoding pattern to generate a plurality of encoded ECC bits and store the data and the plurality of encoded ECC bits in the memory.

公开(公告)号：US20250004879A1

公开(公告)日：2025-01-02

申请号：US18346034

申请日：2023-06-30

Applicant: Intel Corporation

Inventor： David M. Durham ,  Sergej Deutsch ,  Salmin Sultana ,  Karanvir Grewal

IPC: G06F11/10 ,  G06F9/30 ,  G06F21/60

Abstract: Techniques for error correction with memory safety and compartmentalization are described. In an embodiment, an apparatus includes a processor to provide a first set of data bits and a first tag in connection with a store operation, and an error correcting code (ECC) generation circuit to generate a first set of ECC bits based on a first set of data bits and a first tag.

公开(公告)号：US12045174B2

公开(公告)日：2024-07-23

申请号：US17704771

申请日：2022-03-25

Applicant: Intel Corporation

Inventor： David M. Durham ,  Michael Lemay

IPC: G06F12/14 ,  G06F9/30

CPC classification number: G06F12/1408 ,  G06F9/30043 ,  G06F12/1441 ,  G06F12/1458

Abstract: Embodiments are directed to tagless implicit integrity with multi-perspective pattern search for memory safety. An embodiment of an apparatus includes one or more processors comprising hardware circuitry to: access encrypted data stored in a memory hierarchy using a pointer; decrypt the encrypted data using a current version of a pointer tag of the pointer to yield first decrypted data; perform an entropy test on the first decrypted data; responsive to the entropy test failing to detect patterns in the first decrypted data, re-decrypt the encrypted data using one or more different versions of the pointer tag of the pointer to yield one or more other decrypted data; perform the entropy test on the one or more other decrypted versions; and responsive to the entropy test detecting the patterns in the one or more other decrypted data, signal an exception to the one or more processors with respect to the encrypted data.

公开(公告)号：US20240176749A1

公开(公告)日：2024-05-30

申请号：US18528124

申请日：2023-12-04

Applicant: Intel Corporation

Inventor： Siddhartha Chhabra ,  David M. Durham

IPC: G06F12/14 ,  G06F21/52 ,  G06F21/53 ,  G06F21/60 ,  G06F21/64 ,  G06F21/71 ,  G06F21/72 ,  H04L9/06 ,  H04L9/08 ,  H04L9/14 ,  H04L9/32 ,  H04L9/40

CPC classification number: G06F12/1408 ,  G06F21/52 ,  G06F21/53 ,  G06F21/602 ,  G06F21/64 ,  G06F21/71 ,  G06F21/72 ,  H04L9/0631 ,  H04L9/0637 ,  H04L9/0894 ,  H04L9/14 ,  H04L9/3273 ,  H04L63/0428 ,  H04L63/061 ,  H04L63/126 ,  H04L63/1466 ,  H04L2463/062

Abstract: In one embodiment, a multi-tenant computing system includes a processor including a plurality of cores on which agents of tenants of the multi-tenant computing system are to execute, a configuration storage, and a memory execution circuit. The configuration storage includes a first configuration register to store configuration information associated with the memory execution circuit. The first configuration register is to store a mode identifier to identify a mode of operation of the memory execution circuit. The memory execution circuit, in a first mode of operation, is to receive encrypted data of a first tenant, the encrypted data encrypted by the first tenant, generate an integrity value for the encrypted data, and send the encrypted data and the integrity value to a memory, the integrity value not visible to the software of the multi-tenant computing system. Other embodiments are described and claimed.

公开(公告)号：US11954045B2

公开(公告)日：2024-04-09

申请号：US17485213

申请日：2021-09-24

Applicant: Intel Corporation

Inventor： David M. Durham ,  Michael LeMay ,  Santosh Ghosh ,  Sergej Deutsch

IPC: G06F12/14 ,  G06F12/0802 ,  G06F21/55 ,  G06F21/56 ,  G06F21/79

CPC classification number: G06F12/1408 ,  G06F12/0802 ,  G06F21/554 ,  G06F2212/466

Abstract: Technologies disclosed herein provide one example of a system that includes processor circuitry and integrity circuitry. The processor circuitry is to receive a first request associated with an application to perform a memory access operation for an address range in a memory allocation of memory circuitry. The integrity circuitry is to determine a location of a metadata region within a cacheline that includes at least some of the address range, identify a first portion of the cacheline based at least in part on a first data bounds value stored in the metadata region, generate a first integrity value based on the first portion of the cacheline, and prevent the memory access operation in response to determining that the first integrity value does not correspond to a second integrity value stored in the metadata region.

公开(公告)号：US11940927B2

公开(公告)日：2024-03-26

申请号：US17839877

申请日：2022-06-14

Applicant: Intel Corporation

Inventor： David M. Durham ,  Michael D. LeMay

IPC: G06F12/00 ,  G06F12/02 ,  G06F12/1009 ,  G06F12/1045 ,  G06F12/14

CPC classification number: G06F12/1009 ,  G06F12/0238 ,  G06F12/1063 ,  G06F12/1408

Abstract: Techniques for memory tagging are disclosed. In the illustrative embodiment, 16 bits of a virtual memory address are used as memory tag bits. In a page table entry corresponding to the virtual memory address, page tag bits indicate which of the 16 bits of the virtual memory address are to be sent to the memory as memory tag bits when a memory operation is requested on the virtual memory address. The memory can then compare the memory tag bits sent with the physical memory address to memory tag bits stored on the memory that correspond to the physical memory address. If the memory tag bits match, then the operation is allowed to proceed.

公开(公告)号：US20240053904A1

公开(公告)日：2024-02-15

申请号：US17944352

申请日：2022-09-14

Applicant: Intel Corporation

Inventor： Sergej Deutsch ,  David M. Durham ,  Karanvir Grewal ,  Rajat Agarwal

IPC: G06F3/06

CPC classification number: G06F3/0622 ,  G06F3/0673 ,  G06F3/0629

Abstract: The technology disclosed herein comprises a processor; a memory to store data and a plurality of error correcting code (ECC) bits associated with the data; and a memory controller coupled to the memory, the memory controller to receive a write request from the processor and, when an access control field is selected in the write request, perform an exclusive OR (XOR) operation on the plurality of ECC bits and a fixed encoding pattern to generate a plurality of encoded ECC bits and store the data and the plurality of encoded ECC bits in the memory.

公开(公告)号：US20240004659A1

公开(公告)日：2024-01-04

申请号：US17853087

申请日：2022-06-29

Applicant: Intel Corporation

Inventor： Michael LeMay ,  Dan Baum ,  Joseph Cihula ,  Joao Batista Correa Gomes Moreira ,  Anjo Lucas Vahldiek-Oberwagner ,  Scott Constable ,  Andreas Kleen ,  Konrad Lai ,  Henrique de Medeiros Kawakami ,  David M. Durham

IPC: G06F9/30

CPC classification number: G06F9/3016

Abstract: Techniques for an instruction for a Runtime Call operation are described. An example apparatus comprises decoder circuitry to decode a single instruction, the single instruction to include a field for an identifier of an opcode, the opcode to indicate execution circuitry is to execute a no operation when a runtime call destination equals a predetermined value; and execute an indirect call with the runtime call destination as a destination address when the runtime call destination does not equal the predetermined value. Other examples are described and claimed.

公开(公告)号：US11783081B2

公开(公告)日：2023-10-10

申请号：US17022177

申请日：2020-09-16

Applicant: Intel Corporation

Inventor： David M. Durham ,  Ravi L. Sahita ,  Barry E. Huntley ,  Nikhil M. Deshpande

IPC: G06F21/62 ,  H04L9/08 ,  H04L9/32 ,  G06F21/53 ,  H04L29/06 ,  H04L9/40

CPC classification number: G06F21/6245 ,  G06F21/53 ,  H04L9/08 ,  H04L9/0894 ,  H04L9/3236 ,  H04L63/06

Abstract: In a method to utilize a secure public cloud, a computer receives a domain manager image and memory position-dependent address information in response to requesting a service from a cloud services provider. The computer also verifies the domain manager image and identifies a key domain key to be used to encrypt data stored in a key domain of a key domain-capable server. The computer also uses the key domain key and the memory-position dependent address information to encrypt a domain launch image such that the encrypted domain launch image is cryptographically bound to at least one memory location of the key domain. The computer also encrypts the key domain key and sends the encrypted domain launch image and the encrypted key domain key to the key domain-capable server, to cause a processor of the key domain-capable server to create the key domain. Other embodiments are described and claimed.