1.
Publication No.: US20230273991A1
Publication Date: 2023-08-31
Application No.: US18311404
Filing Date: 2023-05-03
Applicant: Intel Corporation
Inventors: Bin Xing, Daniel Middleton
IPC Classification: G06F21/53
CPC Classification: G06F21/53, G06F2221/034
Abstract: A computing system is to receive a new workload in a trusted execution environment virtual machine (TVM); validate the new workload; in response to the new workload being successfully validated, evaluate a launch policy of the new workload against one or more launch policies of one or more existing workloads of the TVM; and in response to the launch policy of the new workload being successfully validated, load the new workload into the TVM.
2.
Publication No.: US11423159B2
Publication Date: 2022-08-23
Application No.: US16704168
Filing Date: 2019-12-05
Applicant: Intel Corporation
IPC Classification: H04L29/06, G06F21/60, H04L9/40, G06F21/57, G06F13/28, H04L9/32, G06F21/62, G06F21/85, G09C1/00, G06F13/20, H04L9/06, G06F21/51
Abstract: Technologies for trusted I/O include a computing device having a hardware cryptographic agent, a cryptographic engine, and an I/O controller. The hardware cryptographic agent intercepts a message from the I/O controller and identifies the boundaries of the message. The message may include multiple DMA transactions, and the start of the message is the start of the first DMA transaction. The cryptographic engine encrypts the message and stores the encrypted data in a memory buffer. The cryptographic engine may skip, and not encrypt, header data starting at the start of the message, or may read a value from the header to determine the skip length. In some embodiments, the cryptographic agent and the cryptographic engine may be an inline cryptographic engine. In some embodiments, the cryptographic agent may be a channel identifier filter, and the cryptographic engine may be processor-based. Other embodiments are described and claimed.
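The flow this abstract describes (agent finds message boundaries across DMA transactions, engine leaves a header of a length read from the header in the clear and encrypts the rest into a buffer) as a constructed model, added here and not Intel's code. Everything concrete is an assumption: the transaction record, the one-byte header-length field at the start of the message, the key, and a hash-based keystream that stands in for whatever cipher the real engine uses.

```python
import hashlib
from collections import namedtuple

# One DMA transaction as the agent sees it (constructed model): the channel
# it belongs to, its bytes, and whether the controller marked it as the last
# transaction of a message.
DMATransaction = namedtuple("DMATransaction", "channel_id data end_of_message")


class InlineCryptoEngine:
    """Encrypts a message while leaving a header prefix in the clear."""

    def __init__(self, key: bytes):
        self.key = key

    def _keystream(self, channel_id: int, msg_index: int, length: int) -> bytes:
        # Hash-based keystream standing in for the engine's cipher (assumption);
        # channel id plus per-channel message index act as the nonce so no two
        # messages share keystream.
        nonce = channel_id.to_bytes(4, "big") + msg_index.to_bytes(4, "big")
        blocks = (hashlib.sha256(self.key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range((length + 31) // 32))
        return b"".join(blocks)[:length]

    def encrypt_message(self, message: bytes, channel_id: int, msg_index: int,
                        skip_length=None) -> bytes:
        """skip_length=None: read the skip length from the header. Assumed
        layout: the first byte of the message is the header length."""
        if not message:
            raise ValueError("empty message")
        skip = message[0] if skip_length is None else skip_length
        if skip > len(message):
            # Header claims more bytes than arrived: refuse rather than
            # silently leave the whole message unencrypted.
            raise ValueError("skip length %d exceeds message length %d" % (skip, len(message)))
        header, body = message[:skip], message[skip:]
        ks = self._keystream(channel_id, msg_index, len(body))
        return header + bytes(b ^ k for b, k in zip(body, ks))

    # XOR with the same keystream undoes the encryption; the header byte
    # still tells the engine where the encrypted part starts.
    decrypt_message = encrypt_message


class CryptoAgent:
    """Intercepts transactions from the I/O controller, finds message
    boundaries per channel and hands each complete message to the engine.
    buffers maps channel id -> list of encrypted messages stored."""

    def __init__(self, engine: InlineCryptoEngine):
        self.engine = engine
        self._partial = {}   # channel_id -> bytes of the message in progress
        self._count = {}     # channel_id -> messages completed so far
        self.buffers = {}

    def intercept(self, txn: DMATransaction) -> None:
        # Start of message is the start of the first transaction on the channel.
        self._partial[txn.channel_id] = self._partial.get(txn.channel_id, b"") + txn.data
        if not txn.end_of_message:
            return
        message = self._partial.pop(txn.channel_id)
        idx = self._count.get(txn.channel_id, 0)
        self._count[txn.channel_id] = idx + 1
        enc = self.engine.encrypt_message(message, txn.channel_id, idx)
        self.buffers.setdefault(txn.channel_id, []).append(enc)


SAMPLE_KEY = b"\x11" * 32   # constructed key

# Constructed traffic: channel 1's six-byte header spans two transactions and
# a channel 2 message is interleaved between them.
SAMPLE_TRANSACTIONS = [
    DMATransaction(1, b"\x06HDR", False),
    DMATransaction(2, b"\x01Z", True),
    DMATransaction(1, b"xypayload-one", True),
]


def process_sample() -> dict:
    agent = CryptoAgent(InlineCryptoEngine(SAMPLE_KEY))
    for txn in SAMPLE_TRANSACTIONS:
        agent.intercept(txn)
    return agent.buffers


def decrypt_sample(channel_id: int, msg_index: int, blob: bytes) -> bytes:
    return InlineCryptoEngine(SAMPLE_KEY).decrypt_message(blob, channel_id, msg_index)
```

The point to notice is that the skip is counted from the start of the first transaction, so a header that straddles transactions is still left in the clear as a unit, and a header length that exceeds the assembled message is rejected instead of being honoured.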
3.
Publication No.: US20220012086A1
Publication Date: 2022-01-13
Application No.: US17484825
Filing Date: 2021-09-24
Applicant: Intel Corporation
Inventor: Bin Xing
Abstract: Providing multiple virtual processors (VPs) for a trust domain (TD) includes creating a virtual processor control structure (VPCS) for one or more of a plurality of VPs of the TD of a processor in a computing system, the TD including a trust domain control structure (TDCS), the plurality of VPs having views into addresses of private memory of the TD, the VPCS for a VP including a secure extended page table (SEPT) for the VP; and, for the VP, initializing the VPCS by copying selected entries of the TDCS to the SEPT of the VPCS, pointing a SEPT pointer to the VPCS, and setting an entry point for starting execution of the VP by the processor.
4.
Publication No.: US20210319118A1
Publication Date: 2021-10-14
Application No.: US17304391
Filing Date: 2021-06-21
Applicant: Intel Corporation
Abstract: In one embodiment, an apparatus includes a channel filter and a security processor. The security processor is to: receive a plurality of device access control policies from a protected non-volatile storage of a platform; determine whether the plurality of device access control policies are verified; program the channel filter with a plurality of filter entries, each associated with one of the plurality of device access control policies, based on the determination; and remove a security attribute of the security processor from a policy register of the channel filter, to lock the channel filter for a boot cycle of the platform. Other embodiments are described and claimed.
5.
Publication No.: US10552619B2
Publication Date: 2020-02-04
Application No.: US14974944
Filing Date: 2015-12-18
Applicant: Intel Corporation
Abstract: Technologies for trusted I/O (TIO) include a computing device with a cryptographic engine and one or more I/O controllers. The computing device executes a TIO core service that has a cryptographic engine programming privilege granted by an operating system. The TIO core service receives a request from an application to protect a DMA channel. The TIO core service requests the operating system to protect the DMA channel, and the operating system verifies the cryptographic engine programming privilege of the TIO core service in response. The operating system programs the cryptographic engine to protect the DMA channel in response to verifying the cryptographic engine programming privilege of the TIO core service. If a privileged delegate determines that a user has confirmed termination of protection of the DMA channel, the TIO core service may unprotect the DMA channel. Other embodiments are described and claimed.
6.
Publication No.: US10469265B2
Publication Date: 2019-11-05
Application No.: US15087254
Filing Date: 2016-03-31
Applicant: Intel Corporation
Inventor: Bin Xing
Abstract: Technologies for secure inter-enclave communication include a computing device having a processor with secure enclave support. The computing device establishes a first secure enclave and a second secure enclave with the secure enclave support of the processor. The first secure enclave invokes a report instruction to cause the processor to generate a report targeted to the second secure enclave. The report includes a report body and a message authentication code generated using a report key associated with the second secure enclave. The second secure enclave invokes a get key instruction to cause the processor to generate the report key associated with the second secure enclave, and generates the message authentication code over the report body using the report key. The first secure enclave and the second secure enclave each perform a cryptographic operation on a message using the message authentication code as a cryptographic key. Other embodiments are described and claimed.
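The exchange described in this abstract, as an added simulation that is not Intel's code and not the SGX instruction set: a stand-in processor derives a report key per target enclave, an EREPORT-like call MACs a report body with the target's key, and an EGETKEY-like call hands an enclave only its own report key. The sender keeps the MAC and sends just the body; the receiver recomputes the MAC and both use it as the session key. HMAC-SHA256 for the MAC and key derivation, 32-byte made-up enclave identities, the body layout, and the keystream cipher are all assumptions of this model, as is the choice to never send the MAC across the untrusted boundary (the abstract says the receiver generates it itself).

```python
import hashlib
import hmac
import os


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode stands in for the enclaves' cipher (assumption).
    out = b""
    for i in range((length + 31) // 32):
        out += _mac(key, nonce + i.to_bytes(4, "big"))
    return out[:length]


def mrenclave(name: bytes) -> bytes:
    # Constructed 32-byte enclave identity.
    return hashlib.sha256(name).digest()


class SimulatedProcessor:
    """Stands in for the CPU's secure enclave support: holds a platform
    secret no software can read and derives a report key per target."""

    def __init__(self):
        self._platform_secret = os.urandom(32)

    def _report_key(self, target: bytes) -> bytes:
        return _mac(self._platform_secret, b"REPORT_KEY" + target)

    def ereport(self, source: bytes, target: bytes, report_data: bytes):
        # Report body = source identity (32) + target identity (32) + data.
        body = source + target + report_data
        return body, _mac(self._report_key(target), body)

    def egetkey(self, caller: bytes) -> bytes:
        # Hardware hands an enclave only its own report key.
        return self._report_key(caller)


class Enclave:
    def __init__(self, cpu: SimulatedProcessor, identity: bytes):
        self.cpu, self.mrenclave, self.session_key = cpu, identity, None

    def start_session(self, peer: bytes) -> bytes:
        body, mac = self.cpu.ereport(self.mrenclave, peer, os.urandom(16))
        self.session_key = mac   # the MAC itself becomes the shared key
        return body              # only the body leaves the enclave

    def accept_session(self, body: bytes) -> bool:
        if body[32:64] != self.mrenclave:   # report was not targeted at us
            return False
        self.session_key = _mac(self.cpu.egetkey(self.mrenclave), body)
        return True

    def seal(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(12)
        ks = _keystream(self.session_key, nonce, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        return nonce + ct + _mac(self.session_key, nonce + ct)

    def open(self, blob: bytes):
        if self.session_key is None or len(blob) < 44:
            return None
        nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
        if not hmac.compare_digest(tag, _mac(self.session_key, nonce + ct)):
            return None
        ks = _keystream(self.session_key, nonce, len(ct))
        return bytes(c ^ k for c, k in zip(ct, ks))


def run_exchange(message: bytes):
    """A reports to B, B recomputes the MAC, A seals a message, B opens it."""
    cpu = SimulatedProcessor()
    a = Enclave(cpu, mrenclave(b"enclave A"))
    b = Enclave(cpu, mrenclave(b"enclave B"))
    if not b.accept_session(a.start_session(b.mrenclave)):
        raise RuntimeError("B rejected the report")
    return b.open(a.seal(message))


def eavesdropper_fails(message: bytes = b"test") -> bool:
    """A third enclave C sees the body and the sealed traffic, but EGETKEY
    only yields C's own report key, so its MAC (and key) is wrong."""
    cpu = SimulatedProcessor()
    a = Enclave(cpu, mrenclave(b"enclave A"))
    b = Enclave(cpu, mrenclave(b"enclave B"))
    c = Enclave(cpu, mrenclave(b"enclave C"))
    body = a.start_session(b.mrenclave)
    b.accept_session(body)
    rejected = not c.accept_session(body)
    c.session_key = _mac(cpu.egetkey(c.mrenclave), body)   # C's best attempt
    return rejected and c.open(a.seal(message)) is None
```

The property worth checking is in `eavesdropper_fails`: because the key that MACs the report is derived from the target's identity and only the target can ask the processor for it, anything that is not the second enclave ends up with a different MAC and cannot authenticate or decrypt the traffic, even though the report body crosses untrusted memory.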
7.
Publication No.: US20190042805A1
Publication Date: 2019-02-07
Application No.: US15868634
Filing Date: 2018-01-11
Applicant: Intel Corporation
Inventors: Soham Jayesh Desai, Reshma Lal, Pradeep Pappachan, Bin Xing
Abstract: Technologies for secure enumeration of USB devices include a computing device having a USB controller and a trusted execution environment (TEE). The TEE may be a secure enclave protected by the secure enclave support of the processor. In response to a USB device connecting to the USB controller, the TEE sends a secure command to the USB controller to protect a device descriptor for the USB device. The secure command may be sent over a secure channel to a static USB device. A driver sends a get device descriptor request to the USB device, and the USB device responds with the device descriptor. The USB controller redirects the device descriptor to a secure memory buffer, which may be located in a trusted I/O processor reserved memory region. The TEE retrieves and validates the device descriptor. If it is validated, the TEE may enable the USB device for use. Other embodiments are described and claimed.
8.
Publication No.: US20170364707A1
Publication Date: 2017-12-21
Application No.: US15628008
Filing Date: 2017-06-20
Applicant: Intel Corporation
Inventors: Reshma Lal, Gideon Gerzon, Baruch Chaikin, Siddhartha Chhabra, Pradeep M. Pappachan, Bin Xing
Abstract: Technologies for trusted I/O include a computing device having a processor, a channel identifier filter, and an I/O controller. The I/O controller may generate an I/O transaction that includes a channel identifier and a memory address. The channel identifier filter verifies that the memory address of the I/O transaction is within a processor reserved memory region associated with the channel identifier. The processor reserved memory region is not accessible to software executed by the computing device. The processor encrypts I/O data at the memory address in response to invocation of a processor feature and copies the encrypted data to a memory buffer outside of the processor reserved memory region. The processor may securely clean the processor reserved memory region before encrypting and copying the data. The processor may wrap and unwrap programming information for the channel identifier filter. Other embodiments are described and claimed.
9.
Publication No.: US09798666B2
Publication Date: 2017-10-24
Application No.: US14752109
Filing Date: 2015-06-26
Applicant: Intel Corporation
Inventors: Rebekah M. Leslie-Hurd, Carlos V. Rozas, Francis X. McKeen, Ilya Alexandrovich, Vedvyas Shanbhogue, Bin Xing, Mark W. Shanahan, Simon P. Johnson
IPC Classification: G06F12/08, G06F12/0844, G06F12/0882
CPC Classification: G06F12/0844, G06F11/073, G06F11/0775, G06F12/0882, G06F2212/1032, G06F2212/1052, G06F2212/281, G06F2212/312, G06F2212/402, G06F2212/608
Abstract: A processor implementing techniques to support fault information delivery is disclosed. In one embodiment, the processor includes a memory controller unit to access an enclave page cache (EPC) and a processor core coupled to the memory controller unit. The processor core is to detect a fault associated with accessing the EPC and generate an error code associated with the fault. The error code reflects an EPC-related fault cause. The processor core is further to encode the error code into a data structure associated with the processor core. The data structure is for monitoring a hardware state related to the processor core.
10.
Publication No.: US09606940B2
Publication Date: 2017-03-28
Application No.: US14671222
Filing Date: 2015-03-27
Applicant: Intel Corporation
Inventors: Micah J. Sheller, Bin Xing, Vincent R. Scarlata
CPC Classification: G06F12/1458, G06F21/51, G06F21/57, G06F21/6218, G06F2212/1052
Abstract: An embodiment includes at least one machine readable medium on which is stored code that, when executed, enables a system to initialize a trusted loader enclave (TL) and a measurement and storage manager enclave (MSM) within a memory of the system, to receive by the MSM a TL measurement of the TL from a trusted processor of the system, to determine whether to establish a secure channel between the MSM and the TL based at least in part on the TL measurement, and, responsive to a determination to establish the secure channel, to establish the secure channel and store particular code in the TL. Additional embodiments are described and claimed.