公开(公告)号：US10135622B2

公开(公告)日：2018-11-20

申请号：US15279527

申请日：2016-09-29

Applicant: Intel Corporation

Inventor： Vincent R. Scarlata ,  Francis X. McKeen ,  Carlos V. Rozas ,  Simon P. Johnson ,  Bo Zhang ,  James D. Beaney, Jr. ,  Piotr Zmijewski ,  Wesley H. Smith ,  Eduardo Cabre

IPC: H04L9/36 ,  H04L9/32 ,  H04L9/08 ,  H04L9/14 ,  H04L9/30 ,  H04L29/06 ,  G09C1/00 ,  G06F21/53

Abstract: A computing platform implements one or more secure enclaves including a first provisioning enclave to interface with a first provisioning service to obtain a first attestation key from the first provisioning service, a second provisioning enclave to interface with a different, second provisioning service to obtain a second attestation key from the second provisioning service, and a provisioning certification enclave to sign first data from the first provisioning enclave and second data from the second provisioning enclave using a hardware-based provisioning attestation key. The signed first data is used by the first provisioning enclave to authenticate to the first provisioning service to obtain the first attestation key and the signed second data is used by the second provisioning enclave to authenticate to the second provisioning service to obtain the second attestation key.

公开(公告)号：US20170366359A1

公开(公告)日：2017-12-21

申请号：US15201400

申请日：2016-07-02

Applicant: Intel Corporation

Inventor： Vincent R. Scarlata ,  Francis X. McKeen ,  Carlos V. Rozas ,  Simon P, Johnson ,  Bo Zhang ,  James D. Beaney, JR. ,  Piotr Zmijewski ,  Wesley Hamilton Smith ,  Eduardo Cabre ,  Uday R. Savagaonkar

IPC: H04L9/32 ,  H04L9/08 ,  H04L9/14 ,  H04L29/06

CPC classification number: H04L9/3263 ,  G09C1/00 ,  H04L9/0816 ,  H04L9/0822 ,  H04L9/14 ,  H04L9/3268 ,  H04L63/06 ,  H04L63/0823 ,  H04L63/12

Abstract: Embodiments include systems, methods, computer readable media, and devices configured to, for a first processor of a platform, generate a platform root key; create a data structure to encapsulate the platform root key, the data structure comprising a platform provisioning key and an identification of a registration service; and transmit, on a secure connection, the data structure to the registration service to register the platform root key for the first processor of the platform. Embodiments include systems, methods, computer readable media, and devices configured to store a device certificate received from a key generation facility; receive a manifest from a platform, the manifest comprising an identification of a processor associated with the platform; and validate the processor using a stored device certificate.

公开(公告)号：US10826690B2

公开(公告)日：2020-11-03

申请号：US15856568

申请日：2017-12-28

Applicant: Intel Corporation

Inventor： Bo Zhang ,  Siddhartha Chhabra ,  William A. Stevens ,  Reshma Lal

IPC: H04L9/08 ,  H04L9/32 ,  H04L29/06 ,  H04L9/06 ,  G06F21/85

Abstract: Technologies for establishing device locality are disclosed. A processor in a computing device generates an identifier distinct to the computing device. The processor transmits the identifier to a management controller via a hardware bus in the computing device. The processor generates a key and encrypts the key with the identifier to generate a wrapped key. The processor transmits the wrapped key to the management controller. In turn, the management controller unwraps the key using the identifier. Other embodiments are described and claimed.

公开(公告)号：US10416890B2

公开(公告)日：2019-09-17

申请号：US14849222

申请日：2015-09-09

Applicant: Intel Corporation

Inventor： Bin Xing ,  Mark W. Shanahan ,  Bo Zhang

IPC: G06F3/06 ,  G06F12/0875 ,  G06F12/0893

Abstract: Apparatuses, methods and storage medium associated with application execution enclave cache management, are disclosed herein. In embodiments, an apparatus may include one or more processors with supports for application execution enclaves; cache memory coupled with the one or more processors to be organized into a plurality of cache pages; and an exception handler to be operated by the one or more processors to handle cache page fault exceptions, wherein to handle cache page fault exceptions includes to handle a cache page fault triggered to request additional allocation of one or more cache pages to an execution enclave of an application. Other embodiments may be described and/or claimed.

公开(公告)号：US10353831B2

公开(公告)日：2019-07-16

申请号：US14998065

申请日：2015-12-24

Applicant: Intel Corporation

Inventor： Scott H. Robinson ,  Ravi L. Sahita ,  Mark W. Shanahan ,  Karanvir S. Grewal ,  Nitin V. Sarangdhar ,  Carlos V. Rozas ,  Bo Zhang ,  Shanwei Cen

IPC: G06F12/00 ,  G06F12/14 ,  G06F9/455 ,  G06F21/57

Abstract: Systems, apparatuses and methods may provide for verifying, from outside a trusted computing base of a computing system, an identity an enclave instance prior to the enclave instance being launched in the trusted computing base, determining a memory location of the enclave instance and confirming that the memory location is local to the computing system. In one example, the enclave instance is a proxy enclave instance, wherein communications are conducted with one or more additional enclave instances in the trusted computing base via the proxy enclave instance and an unencrypted channel.

公开(公告)号：US20190052469A1

公开(公告)日：2019-02-14

申请号：US16162776

申请日：2018-10-17

Applicant: Intel Corporation

Inventor： Vincent R. Scarlata ,  Francis X. McKeen ,  Carlos V. Rozas ,  Simon P. Johnson ,  Bo Zhang ,  James D. Beaney, JR. ,  Piotr Zmijewski ,  Wesley H. Smith ,  Eduardo Cabre

IPC: H04L9/32 ,  G06F21/53 ,  G09C1/00 ,  H04L29/06 ,  G06F21/44 ,  H04L9/30 ,  H04L9/14 ,  H04L9/08

Abstract: A computing platform implements one or more secure enclaves including a first provisioning enclave to interface with a first provisioning service to obtain a first attestation key from the first provisioning service, a second provisioning enclave to interface with a different, second provisioning service to obtain a second attestation key from the second provisioning service, and a provisioning certification enclave to sign first data from the first provisioning enclave and second data from the second provisioning enclave using a hardware-based provisioning attestation key. The signed first data is used by the first provisioning enclave to authenticate to the first provisioning service to obtain the first attestation key and the signed second data is used by the second provisioning enclave to authenticate to the second provisioning service to obtain the second attestation key.

公开(公告)号：US20160381005A1

公开(公告)日：2016-12-29

申请号：US14752259

申请日：2015-06-26

Applicant: Intel Corporation

Inventor： Mona Vij ,  Carlos V. Rozas ,  Vincent R. Scarlata ,  Francis X. McKeen ,  Bo Zhang

IPC: H04L29/06

CPC classification number: H04L63/0823 ,  G06F9/45558 ,  G06F2009/45587 ,  H04L63/0281 ,  H04L63/10

Abstract: Technologies for secure access to platform security services include a computing device having a processor and a security engine. The computing device establishes a platform services enclave in a virtual machine of the computing device using secure enclave support of the processor. The platform services enclave receives a platform services request from an application enclave via a first authenticated session and transmits the platform services request to a virtual security engine established by a host environment via a second authenticated session. The first and second authenticated sessions may be authenticated by report-based attestation and quote-based attestation, respectively. The virtual security engine transmits the platform services request to the security engine via a long-term pairing session established by the virtual security engine with the security engine. The security engine performs the platform services request using hardware resources shared with other platform services enclaves. Other embodiments are described and claimed.

Abstract translation: 用于安全访问平台安全服务的技术包括具有处理器和安全引擎的计算设备。 计算设备使用处理器的安全飞行支持在计算设备的虚拟机中建立平台服务飞地。 平台服务飞地通过第一认证会话从应用飞地接收平台服务请求，并通过第二认证会话将平台服务请求发送到由主机环境建立的虚拟安全引擎。 第一次和第二次认证会话可以分别通过基于报告的认证和基于报价的认证进行认证。 虚拟安全引擎通过虚拟安全引擎与安全引擎建立的长期配对会话将平台服务请求发送到安全引擎。 安全引擎使用与其他平台服务飞地共享的硬件资源来执行平台服务请求。 描述和要求保护其他实施例。

公开(公告)号：US20210006416A1

公开(公告)日：2021-01-07

申请号：US16856968

申请日：2020-04-23

Applicant: Intel Corporation

Inventor： Vincent R. Scarlata ,  Francis X. McKeen ,  Carlos V. Rozas ,  Simon P. Johnson ,  Bo Zhang ,  James D. Beaney, JR. ,  Piotr Zmijewski ,  Wesley Hamilton Smith ,  Eduardo Cabre ,  Uday R. Savagaonkar

IPC: H04L9/32 ,  H04L9/08 ,  G09C1/00 ,  H04L29/06 ,  H04L9/14

Abstract: Embodiments include systems, methods, computer readable media, and devices configured to, for a first processor of a platform, generate a platform root key; create a data structure to encapsulate the platform root key, the data structure comprising a platform provisioning key and an identification of a registration service; and transmit, on a secure connection, the data structure to the registration service to register the platform root key for the first processor of the platform. Embodiments include systems, methods, computer readable media, and devices configured to store a device certificate received from a key generation facility; receive a manifest from a platform, the manifest comprising an identification of a processor associated with the platform; and validate the processor using a stored device certificate.

公开(公告)号：US11997192B2

公开(公告)日：2024-05-28

申请号：US17033135

申请日：2020-09-25

Applicant: Intel Corporation

Inventor： Bo Zhang ,  Siddhartha Chhabra ,  William A. Stevens ,  Reshma Lal

IPC: H04L9/08 ,  G06F21/85 ,  H04L9/06 ,  H04L9/32 ,  H04L9/40

CPC classification number: H04L9/0825 ,  G06F21/85 ,  H04L9/0631 ,  H04L9/0637 ,  H04L9/0861 ,  H04L9/3271 ,  H04L63/04 ,  H04L63/18 ,  G06F2221/2107 ,  G06F2221/2111

Abstract: Technologies for establishing device locality are disclosed. A processor in a computing device generates an identifier distinct to the computing device. The processor transmits the identifier to a management controller via a hardware bus in the computing device. The processor generates a key and encrypts the key with the identifier to generate a wrapped key. The processor transmits the wrapped key to the management controller. In turn, the management controller unwraps the key using the identifier. Other embodiments are described and claimed.

公开(公告)号：US10708067B2

公开(公告)日：2020-07-07

申请号：US15201400

申请日：2016-07-02

Applicant: Intel Corporation

Inventor： Vincent R. Scarlata ,  Francis X. McKeen ,  Carlos V. Rozas ,  Simon P. Johnson ,  Bo Zhang ,  James D. Beaney, Jr. ,  Piotr Zmijewski ,  Wesley Hamilton Smith ,  Eduardo Cabre ,  Uday R. Savagaonkar

IPC: H04L9/32 ,  H04L9/08 ,  G09C1/00 ,  H04L29/06 ,  H04L9/14

Abstract: Embodiments include systems, methods, computer readable media, and devices configured to, for a first processor of a platform, generate a platform root key; create a data structure to encapsulate the platform root key, the data structure comprising a platform provisioning key and an identification of a registration service; and transmit, on a secure connection, the data structure to the registration service to register the platform root key for the first processor of the platform. Embodiments include systems, methods, computer readable media, and devices configured to store a device certificate received from a key generation facility; receive a manifest from a platform, the manifest comprising an identification of a processor associated with the platform; and validate the processor using a stored device certificate.