公开(公告)号：US10339327B2

公开(公告)日：2019-07-02

申请号：US15628012

申请日：2017-06-20

申请人： Intel Corporation

发明人： Pradeep M. Pappachan ,  Reshma Lal ,  Siddhartha Chhabra ,  Gideon Gerzon ,  Baruch Chaikin ,  Bin Xing ,  William A. Stevens, Jr.

IPC分类号： G06F21/76 ,  G06F21/60 ,  H04L29/06 ,  G06F21/57 ,  G06F13/28 ,  H04L9/32 ,  G06F13/20 ,  G06F21/62 ,  G06F21/85 ,  G09C1/00 ,  G06F21/70 ,  G06F21/51 ,  H04L9/06

摘要： Technologies for securely binding a manifest to a platform include a computing device having a security engine and a field-programmable fuse. The computing device receives a platform manifest indicative of a hardware configuration of the computing device and a manifest hash. The security engine of the computing device blows a bit of a field programmable fuse and then stores the manifest hash and a counter value of the field-programmable fuse in integrity-protected non-volatile storage. In response to a platform reset, the security engine verifies the stored manifest hash and counter value and then determines whether the stored counter value matches the field-programmable fuse. If verified and current, trusted software may calculate a hash of the platform manifest and compare the calculated hash to the stored manifest hash. If matching, the platform manifest may be used to discover platform hardware. Other embodiments are described and claimed.

公开(公告)号：US20190087575A1

公开(公告)日：2019-03-21

申请号：US15705562

申请日：2017-09-15

申请人： Intel Corporation

发明人： Ravi L. Sahita ,  Baiju V. Patel ,  Barry E. Huntley ,  Gilbert Neiger ,  Hormuzd M. Khosravi ,  Ido Ouziel ,  David M. Durham ,  Ioannis T. Schoinas ,  Siddhartha Chhabra ,  Carlos V. Rozas ,  Gideon Gerzon

IPC分类号： G06F21/57 ,  G06F21/62 ,  G06F12/14 ,  H04L9/06 ,  H04L29/06 ,  G06F21/53

摘要： Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, a processing device includes a memory ownership table (MOT) that is access-controlled against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to manage a trust domain (TD), maintain a trust domain control structure (TDCS) for managing global metadata for each TD, maintain an execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is access-controlled against software accesses, and reference the MOT to obtain at least one key identifier (key ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key.

公开(公告)号：US20190004973A1

公开(公告)日：2019-01-03

申请号：US15635548

申请日：2017-06-28

申请人： Intel Corporation

发明人： Siddhartha Chhabra ,  Hormuzd M. Khosravi ,  Gideon Gerzon ,  Barry E. Huntley ,  Gilbert Neiger ,  Ido Ouziel ,  Baiju Patel ,  Ravi L. Sahita ,  Amy L. Santoni ,  Ioannis T. Schoinas

IPC分类号： G06F12/14 ,  H04L29/06 ,  H04L9/06

摘要： In one embodiment, an apparatus comprises a processor to execute instruction(s), wherein the instructions comprise a memory access operation associated with a memory location of a memory. The apparatus further comprises a memory encryption controller to: identify the memory access operation; determine that the memory location is associated with a protected domain, wherein the protected domain is associated with a protected memory region of the memory, and wherein the protected domain is identified from a plurality of protected domains associated with a plurality of protected memory regions of the memory; identify an encryption key associated with the protected domain; perform a cryptography operation on data associated with the memory access operation, wherein the cryptography operation is performed based on the encryption key associated with the protected domain; and return a result of the cryptography operation, wherein the result is to be used for the memory access operation.

公开(公告)号：US20180129619A1

公开(公告)日：2018-05-10

申请号：US15865430

申请日：2018-01-09

申请人： Intel Corporation

发明人： Gilbert Neiger ,  Rajesh Sankaran ,  Gideon Gerzon ,  Richard Uhlig ,  Sergiu Ghetie ,  Michael Neve de Mevergnies ,  Adil Karrar

IPC分类号： G06F13/26 ,  G06F13/24 ,  G06F9/455 ,  G06F9/30

CPC分类号： G06F13/26 ,  G06F9/30076 ,  G06F9/45541 ,  G06F9/45558 ,  G06F13/24 ,  G06F2009/45579 ,  G06F2213/0058

摘要： Embodiments of processors, methods, and systems for virtualizing interrupt prioritization and delivery are disclosed. In one embodiment, a processor includes instruction hardware and execution hardware. The instruction hardware is to receive a plurality of instructions, including a first instruction to transfer the processor from a root mode to a non-root mode for executing guest software in a virtual machine, wherein the processor is to return to the root mode upon the detection of any of a plurality of virtual machine exit events. The execution hardware is to execute the first instruction, execution of the first instruction to include determining a first virtual processor-priority value and storing the first virtual processor-priority value in a virtual copy of a processor-priority field, where the virtual copy of the processor-priority field is a virtual resource corresponding to a physical resource associated with an interrupt controller.

公开(公告)号：US11176059B2

公开(公告)日：2021-11-16

申请号：US16831976

申请日：2020-03-27

申请人： Intel Corporation

发明人： David M. Durham ,  Siddhartha Chhabra ,  Amy L. Santoni ,  Gilbert Neiger ,  Barry E. Huntley ,  Hormuzd M. Khosravi ,  Baiju V. Patel ,  Ravi L. Sahita ,  Gideon Gerzon ,  Ido Ouziel ,  Ioannis T. Schoinas ,  Rajesh M. Sankaran

IPC分类号： G06F12/14 ,  G06F21/53 ,  G06F21/78 ,  G06F21/60 ,  G06F21/82 ,  G06F3/06

摘要： In one embodiment, an apparatus comprises a processor to read a data line from memory in response to a read request from a VM. The data line comprises encrypted memory data. The apparatus also comprises a memory encryption circuit in the processor. The memory encryption circuit is to use an address of the read request to select an entry from a P2K table; obtain a key identifier from the selected entry of the P2K table; use the key identifier to select a key for the read request; and use the selected key to decrypt the encrypted memory data into decrypted memory data. The processor is further to make the decrypted memory data available to the VM. The P2K table comprises multiple entries, each comprising (a) a key identifier for a page of memory and (b) an encrypted address for that page of memory. Other embodiments are described and claimed.

公开(公告)号：US20210064254A1

公开(公告)日：2021-03-04

申请号：US16643836

申请日：2017-09-29

申请人： Intel Corporation

发明人： David M. Durham ,  Ravi L. Sahita ,  Vedvyas Shanbhogue ,  Barry E. Huntley ,  Baiju Patel ,  Gideon Gerzon ,  Ioannis T. Schoinas ,  Hormuzd M. Khosravi ,  Siddhartha Chhabra ,  Carlos V. Rozas

IPC分类号： G06F3/06 ,  G06F9/455

摘要： There is disclosed a microprocessor, including: a processing core; and a total memory encryption (TME) engine to provide TME for a first trust domain (TD), and further to: allocate a block of physical memory to the first TD and a first cryptographic key to the first TD; map within an extended page table (EPT) a host physical address (HPA) space to a guest physical address (GPA) space of the TD; create a memory ownership table (MOT) entry for a memory page within the block of physical memory, wherein the MOT table comprises a GPA reverse mapping; encrypt the MOT entry using the first cryptographic key; and append to the MOT entry verification data, wherein the MOT entry verification data enables detection of an attack on the MOT entry.

公开(公告)号：US20200226074A1

公开(公告)日：2020-07-16

申请号：US16831976

申请日：2020-03-27

申请人： Intel Corporation

发明人： David M. Durham ,  Siddhartha Chhabra ,  Amy L. Santoni ,  Gilbert Neiger ,  Barry E. Huntley ,  Hormuzd M. Khosravi ,  Baiju V. Patel ,  Ravi L. Sahita ,  Gideon Gerzon ,  Ido Ouziel ,  Ioannis T. Schoinas ,  Rajesh M. Sankaran

IPC分类号： G06F12/14 ,  G06F21/53 ,  G06F21/78 ,  G06F3/06 ,  G06F21/60 ,  G06F21/82

摘要： In one embodiment, an apparatus comprises a processor to read a data line from memory in response to a read request from a VM. The data line comprises encrypted memory data. The apparatus also comprises a memory encryption circuit in the processor. The memory encryption circuit is to use an address of the read request to select an entry from a P2K table; obtain a key identifier from the selected entry of the P2K table; use the key identifier to select a key for the read request; and use the selected key to decrypt the encrypted memory data into decrypted memory data. The processor is further to make the decrypted memory data available to the VM. The P2K table comprises multiple entries, each comprising (a) a key identifier for a page of memory and (b) an encrypted address for that page of memory. Other embodiments are described and claimed.

公开(公告)号：US20190042764A1

公开(公告)日：2019-02-07

申请号：US15808986

申请日：2017-11-10

申请人： Intel Corporation

发明人： David M. Durham ,  Siddhartha Chhabra ,  Ravi L. Sahita ,  Barry E. Huntley ,  Gilbert Neiger ,  Gideon Gerzon ,  Baiju V. Patel

IPC分类号： G06F21/60 ,  G06F3/06 ,  G06F12/1009

摘要： In a public cloud environment, each consumer's/guest's workload is encrypted in a cloud service provider's (CSP's) server memory using a consumer-provided key unknown to the CSP's workload management software. An encrypted consumer/guest workload image is loaded into the CSP's server memory at a memory location specified by the CSP's workload management software. Based upon the CSP-designated memory location, the guest workload determines expected hardware physical addresses into which memory mapping structures and other types of consumer data should be loaded. These expected hardware physical addresses are specified by the guest workload in a memory ownership table (MOT), which is used to check that subsequently CSP-designated memory mappings are as expected. Memory ownership table entries also may be encrypted by the consumer-provided key unknown to the CSP.

公开(公告)号：US09971705B2

公开(公告)日：2018-05-15

申请号：US15048400

申请日：2016-02-19

申请人： Intel Corporation

发明人： Gur Hildesheim ,  Shlomo Raikin ,  Ittai Anati ,  Gideon Gerzon ,  Uday Savagaonkar ,  Francis Mckeen ,  Carlos Rozas ,  Michael Goldsmith ,  Prashant Dewan

IPC分类号： G06F12/10 ,  G06F12/109 ,  G06F12/1036 ,  G06F12/02

CPC分类号： G06F12/109 ,  G06F12/0284 ,  G06F12/1036 ,  G06F2212/656 ,  G06F2212/657

摘要： Embodiments of apparatuses and methods including virtual address memory range registers are disclosed. In one embodiment, a processor includes a memory interface, address translation hardware, and virtual memory address comparison hardware. The memory interface is to access a system memory using a physical memory address. The address translation hardware is to support translation of a virtual memory address to the physical memory address. The virtual memory address is used by software to access a virtual memory location in the virtual memory address space of the processor. The virtual memory address comparison hardware is to determine whether the virtual memory address is within a virtual memory address range.

公开(公告)号：US09892069B2

公开(公告)日：2018-02-13

申请号：US14800419

申请日：2015-07-15

申请人： Intel Corporation

发明人： Rajesh Sankaran Madukkarumukumana ,  Gilbert Neiger ,  Ohad Falik ,  Sridhar Muthrasanallur ,  Gideon Gerzon

IPC分类号： G06F13/24 ,  G06F9/48

CPC分类号： G06F13/24 ,  G06F9/4812

摘要： Embodiments of systems, apparatuses, and methods for posting interrupts to virtual processors are disclosed. In one embodiment, an apparatus includes look-up logic and posting logic. The look-up logic is to look-up an entry associated with an interrupt request to a virtual processor in a data structure. The posting logic is to post the interrupt request in a data structure specified by information in the first data structure.