公开(公告)号：US20160328335A1

公开(公告)日：2016-11-10

申请号：US14703420

申请日：2015-05-04

Applicant: Intel Corporation

Inventor： BINATA BHATTACHARYYA ,  AMY L. SANTONI ,  RAGHUNANDAN MAKARAM ,  FRANCIS X. MCKEEN ,  SIMON P. JOHNSON ,  GEORGE Z. CHRYSOS ,  SIDDHARTHA CHHABRA

IPC: G06F12/14 ,  H04L9/08

CPC classification number: H04L9/3242 ,  H04L9/0637 ,  H04L2209/12

Abstract: Systems and methods for memory protection for implementing trusted execution environment. An example processing system comprises: an on-package memory; a memory encryption engine (MEE) comprising a MEE cache, the MEE to: responsive to failing to locate, within the MEE cache, an encryption metadata associated with a data item loaded from an external memory, retrieve at least part of the encryption metadata from the OPM, and validate the data item using the encryption metadata.

Abstract translation: 用于实现可信执行环境的内存保护的系统和方法。 一个示例性处理系统包括：一个包装内存储器; 包括MEE缓存的存储器加密引擎（MEE），所述MEE响应于在所述MEE缓存内未能定位与从外部存储器加载的数据项相关联的加密元数据，从所述MEE缓存中检索至少部分所述加密元数据 OPM，并使用加密元数据验证数据项。

公开(公告)号：US20160085695A1

公开(公告)日：2016-03-24

申请号：US14495074

申请日：2014-09-24

Applicant: Intel Corporation

Inventor： REBEKAH M. LESLIE-HURD ,  FRANCIS X. MCKEEN ,  CARLOS V. ROZAS ,  KRYSTOF C. ZMUDZINSKI

IPC: G06F12/14 ,  G06F12/06

CPC classification number: G06F12/1441 ,  G06F9/52 ,  G06F21/53 ,  G06F21/74 ,  G06F21/79

Abstract: Secure memory allocation technologies are described. A processor includes a processor core and a memory controller that is coupled between the processor core and main memory. The main memory comprises a protected region including secured pages. The processor, in response to a content copy instruction, is to initialize a target page in the protected region of an application address space. The processor, in response to the content copy instruction, is also to select content of a source page in the protected region to be copied. The processor, in response to the content copy instruction, is also to copy the selected content to the target page in the protected region of the application address space.

Abstract translation: 描述了安全的内存分配技术。 处理器包括耦合在处理器核心和主存储器之间的处理器核心和存储器控制器。 主存储器包括保护区域，包括安全页面。 响应于内容复制指令的处理器是初始化应用地址空间的受保护区域中的目标页面。 处理器响应于内容复制指令，也是选择要复制的受保护区域中的源页面的内容。 响应于内容复制指令，处理器还将所选择的内容复制到应用地址空间的受保护区域中的目标页面。

公开(公告)号：US20160378688A1

公开(公告)日：2016-12-29

申请号：US14752227

申请日：2015-06-26

Applicant: Intel Corporation

Inventor： CARLOS V. ROZAS ,  MONA VIJ ,  REBEKAH M. LESLIE-HURD ,  KRYSTOF C. ZMUDZINSKI ,  SOMNATH CHAKRABARTI ,  FRANCIS X. MCKEEN ,  VINCENT R. SCARLATA ,  SIMON P. JOHNSON ,  ILYA ALEXANDROVICH ,  GILBERT NEIGER ,  VEDVYAS SHANBHOGUE ,  ITTAI ANATI

IPC: G06F12/14 ,  G06F9/30 ,  G06F21/60

CPC classification number: G06F12/1408 ,  G06F8/41 ,  G06F9/30145 ,  G06F9/45558 ,  G06F21/53 ,  G06F21/602 ,  G06F2009/4557 ,  G06F2009/45587 ,  G06F2212/1052

Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.

Abstract translation: 处理器包括解码单元，用于解码指示受保护的容器存储器的页面的指令以及受保护的容器存储器之外的存储位置。 执行单元响应于该指令，是确保在受保护的容器存储器具有写保护状态时不存在对受保护的容器存储器的页的可写引用。 执行单元是加密受保护的容器存储器的页面的副本。 在确保没有可写入引用之后，执行单元将页面的加密副本存储到受保护的容器存储器外部的存储位置。 执行单元将保护的容器存储器的页面保留在写保护状态中，该保护状态在加密的副本已被存储到存储位置之后也是有效和可读的。

公开(公告)号：US20160371191A1

公开(公告)日：2016-12-22

申请号：US15250787

申请日：2016-08-29

Applicant: Intel Corporation

Inventor： CARLOS V. ROZAS ,  ILYA ALEXANDROVICH ,  ITTAI ANATI ,  ALEX BERENZON ,  MICHAEL A. GOLDSMITH ,  BARRY E. HUNTLEY ,  ANTON IVANOV ,  SIMON P. JOHNSON ,  REBEKAH M. LESLIE-HURD ,  FRANCIS X. MCKEEN ,  GILBERT NEIGER ,  RINAT RAPPOPORT ,  SCOTT D. RODGERS ,  UDAY R. SAVAGAONKAR ,  VINCENT R. SCARLATA ,  VEDVYAS SHANBHOGUE ,  WESLEY H. SMITH ,  WILLIAM C. WOOD

IPC: G06F12/0875 ,  G06F12/1027

Abstract: Instructions and logic provide advanced paging capabilities for secure enclave page caches. Embodiments include multiple hardware threads or processing cores, a cache to store secure data for a shared page address allocated to a secure enclave accessible by the hardware threads. A decode stage decodes a first instruction specifying said shared page address as an operand, and execution units mark an entry corresponding to an enclave page cache mapping for the shared page address to block creation of a new translation for either of said first or second hardware threads to access the shared page. A second instruction is decoded for execution, the second instruction specifying said secure enclave as an operand, and execution units record hardware threads currently accessing secure data in the enclave page cache corresponding to the secure enclave, and decrement the recorded number of hardware threads when any of the hardware threads exits the secure enclave.

Abstract translation: 说明和逻辑为安全的飞地页面缓存提供了高级分页功能。 实施例包括多个硬件线程或处理核心，用于存储分配给由硬件线程可访问的安全空间的共享页面地址的安全数据的高速缓存。 解码级将指定所述共享页地址的第一指令解码为操作数，并且执行单元标记对应于共享页地址的飞地页高速缓存映射的条目，以阻止所述第一或第二硬件线程中的任一个的新转换的创建 访问共享页面。 第二指令被解码以执行，第二指令指定所述安全飞地作为操作数，并且执行单元记录当前访问与安全飞地相对应的飞地页面高速缓存中的安全数据的硬件线程，并且当任何 的硬件线程退出安全飞地。