公开(公告)号：US20160378688A1

公开(公告)日：2016-12-29

申请号：US14752227

申请日：2015-06-26

Applicant: Intel Corporation

Inventor： CARLOS V. ROZAS ,  MONA VIJ ,  REBEKAH M. LESLIE-HURD ,  KRYSTOF C. ZMUDZINSKI ,  SOMNATH CHAKRABARTI ,  FRANCIS X. MCKEEN ,  VINCENT R. SCARLATA ,  SIMON P. JOHNSON ,  ILYA ALEXANDROVICH ,  GILBERT NEIGER ,  VEDVYAS SHANBHOGUE ,  ITTAI ANATI

IPC: G06F12/14 ,  G06F9/30 ,  G06F21/60

CPC classification number: G06F12/1408 ,  G06F8/41 ,  G06F9/30145 ,  G06F9/45558 ,  G06F21/53 ,  G06F21/602 ,  G06F2009/4557 ,  G06F2009/45587 ,  G06F2212/1052

Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.

Abstract translation: 处理器包括解码单元，用于解码指示受保护的容器存储器的页面的指令以及受保护的容器存储器之外的存储位置。 执行单元响应于该指令，是确保在受保护的容器存储器具有写保护状态时不存在对受保护的容器存储器的页的可写引用。 执行单元是加密受保护的容器存储器的页面的副本。 在确保没有可写入引用之后，执行单元将页面的加密副本存储到受保护的容器存储器外部的存储位置。 执行单元将保护的容器存储器的页面保留在写保护状态中，该保护状态在加密的副本已被存储到存储位置之后也是有效和可读的。

公开(公告)号：US20160371191A1

公开(公告)日：2016-12-22

申请号：US15250787

申请日：2016-08-29

Applicant: Intel Corporation

Inventor： CARLOS V. ROZAS ,  ILYA ALEXANDROVICH ,  ITTAI ANATI ,  ALEX BERENZON ,  MICHAEL A. GOLDSMITH ,  BARRY E. HUNTLEY ,  ANTON IVANOV ,  SIMON P. JOHNSON ,  REBEKAH M. LESLIE-HURD ,  FRANCIS X. MCKEEN ,  GILBERT NEIGER ,  RINAT RAPPOPORT ,  SCOTT D. RODGERS ,  UDAY R. SAVAGAONKAR ,  VINCENT R. SCARLATA ,  VEDVYAS SHANBHOGUE ,  WESLEY H. SMITH ,  WILLIAM C. WOOD

IPC: G06F12/0875 ,  G06F12/1027

Abstract: Instructions and logic provide advanced paging capabilities for secure enclave page caches. Embodiments include multiple hardware threads or processing cores, a cache to store secure data for a shared page address allocated to a secure enclave accessible by the hardware threads. A decode stage decodes a first instruction specifying said shared page address as an operand, and execution units mark an entry corresponding to an enclave page cache mapping for the shared page address to block creation of a new translation for either of said first or second hardware threads to access the shared page. A second instruction is decoded for execution, the second instruction specifying said secure enclave as an operand, and execution units record hardware threads currently accessing secure data in the enclave page cache corresponding to the secure enclave, and decrement the recorded number of hardware threads when any of the hardware threads exits the secure enclave.

Abstract translation: 说明和逻辑为安全的飞地页面缓存提供了高级分页功能。 实施例包括多个硬件线程或处理核心，用于存储分配给由硬件线程可访问的安全空间的共享页面地址的安全数据的高速缓存。 解码级将指定所述共享页地址的第一指令解码为操作数，并且执行单元标记对应于共享页地址的飞地页高速缓存映射的条目，以阻止所述第一或第二硬件线程中的任一个的新转换的创建 访问共享页面。 第二指令被解码以执行，第二指令指定所述安全飞地作为操作数，并且执行单元记录当前访问与安全飞地相对应的飞地页面高速缓存中的安全数据的硬件线程，并且当任何 的硬件线程退出安全飞地。

公开(公告)号：US20150334114A1

公开(公告)日：2015-11-19

申请号：US14281651

申请日：2014-05-19

Applicant: INTEL CORPORATION

Inventor： VINCENT SCARLATA ,  SIMON JOHNSON ,  CARLOS ROZAS ,  FRANCIS MCKEEN ,  ITTAI ANATI ,  ILYA ALEXANDROVICH ,  REBEKAH LESLIE-HURD

IPC: H04L29/06

CPC classification number: G06F21/64 ,  G06F21/62 ,  G06F21/74 ,  G06F21/81 ,  G06F21/85 ,  H04L63/061 ,  H04L63/0876

Abstract: An apparatus and method for securely suspending and resuming the state of a processor. For example, one embodiment of a method comprises: generating a data structure including at least the monotonic counter value; generating a message authentication code (MAC) over the data structure using a first key; securely providing the data structure and the MAC to a module executed on the processor; the module verifying the MAC, comparing the monotonic counter value with a counter value stored during a previous suspend operation and, if the counter values match, then loading processor state required for the resume operation to complete. Another embodiment of a method comprises: generating a first key by a processor; securely sharing the first key with an off-processor component; and using the first key to generate a pairing ID usable to identify a pairing between the processor and the off-processor component.

Abstract translation: 一种用于安全地挂起并恢复处理器状态的装置和方法。 例如，方法的一个实施例包括：生成至少包括单调计数器值的数据结构; 使用第一密钥在数据结构上生成消息认证码（MAC）; 将数据结构和MAC安全地提供给在处理器上执行的模块; 所述模块验证所述MAC，将所述单调计数器值与在先前暂停操作期间存储的计数器值进行比较，并且如果所述计数器值匹配，则加载完成所述恢复操作所需的处理器状态。 方法的另一实施例包括：由处理器生成第一密钥; 用脱离处理器组件安全地共享第一个密钥; 以及使用所述第一密钥来生成可用于识别所述处理器和所述关闭处理器组件之间的配对的配对ID。