-
1.发明授权公开(公告)号:US11782849B2
公开(公告)日:2023-10-10
申请号:US17367349
申请日:2021-07-03
申请人: Intel Corporation
发明人: Carlos V. Rozas , Mona Vij , Rebekah M. Leslie-Hurd , Krystof C. Zmudzinski , Somnath Chakrabarti , Francis X. Mckeen , Vincent R. Scarlata , Simon P. Johnson , Ilya Alexandrovich , Gilbert Neiger , Vedvyas Shanbhogue , Ittai Anati
CPC分类号: G06F12/1408 , G06F8/41 , G06F9/30145 , G06F9/45558 , G06F12/1441 , G06F12/1483 , G06F21/53 , G06F21/602 , G06F2009/4557 , G06F2009/45587 , G06F2212/1052
摘要: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.
-
公开(公告)号:US20220239507A1
公开(公告)日:2022-07-28
申请号:US17668979
申请日:2022-02-10
申请人: Intel Corporation
IPC分类号: H04L9/32 , H04L9/40 , G06F12/14 , H04L9/08 , G06F9/455 , G06F16/23 , G06F11/10 , H04L9/06 , H04L41/0893 , H04L41/5009 , H04L41/5025 , H04L43/08 , H04L67/1008 , G06F9/54 , G06F21/60 , H04L41/0896 , H04L41/142 , H04L41/5051 , H04L67/141 , H04L41/14 , H04L47/70 , H04L67/12 , G06F8/41 , G06F9/38 , G06F9/445 , G06F9/48 , G06F9/50 , G06F11/34
摘要: Various approaches for memory encryption management within an edge computing system are described. In an edge computing system deployment, a computing device includes capabilities to store and manage encrypted data in memory, through processing circuitry configured to: allocate memory encryption keys according to a data isolation policy for a microservice domain, with respective keys used for encryption of respective sets of data within the memory (e.g., among different tenants or tenant groups); and, share data associated with a first microservice to a second microservice of the domain. Such sharing may be based on the communication of an encryption key, used to encrypt the data in memory, from a proxy (such as a sidecar) associated with the first microservice to a proxy associated with the second microservice; and maintaining the encrypted data within the memory, for use with the second microservice, as accessible with the communicated encryption key.
-
公开(公告)号:US20220222358A1
公开(公告)日:2022-07-14
申请号:US17710723
申请日:2022-03-31
申请人: Intel Corporation
发明人: Ravi Sahita , Dror Caspi , Vedvyas Shanbhogue , Vincent Scarlata , Anjo Lucas Vahldiek-Oberwagner , Haidong Xia , Mona Vij
摘要: Scalable cloning and replication for trusted execution environments is described. An example of a computer-readable storage medium includes instructions for receiving a selection of a point to capture a snapshot of a baseline trust domain (TD) or secure enclave, the TD or secure enclave being associated with a trusted execution environment (TEE) of a processor utilized for processing of a workload; initiating cloning of the TD or secure enclave from a source platform to an escrow platform; generating an escrow key to export the snapshot to the escrow platform; and exporting a state of the TD or secure enclave to the escrow platform, the state being sealed with a sealing key.
-
公开(公告)号:US10528721B2
公开(公告)日:2020-01-07
申请号:US15298416
申请日:2016-10-20
申请人: INTEL CORPORATION
发明人: Kapil Sood , Somnath Chakrabarti , Wei Shen , Carlos V. Rozas , Mona Vij , Vincent R. Scarlata
IPC分类号: G06F21/53 , G06F9/4401 , G06F9/455 , G06F21/79 , G06F12/1036 , G06F12/109 , G06F12/14 , G06F21/57 , G06F8/61 , H04L12/24
摘要: Methods and apparatus for implemented trusted packet processing for multi-domain separatization and security. Secure enclaves are created in system memory of a compute platform configured to support a virtualized execution environment including a plurality of virtual machines (VMs) or containers, each secure enclave occupying a respective protected portion of the system memory, wherein software code external from a secure enclave cannot access code or data within a secure enclave, and software code in a secure enclave can access code and data both within the secure enclave and external to the secure enclave. Software code for implementing packet processing operations is installed in the secure enclaves. The software in the secure enclaves is then executed to perform the packet processing operations. Various configurations of secure enclaves and software code may be implemented, including configurations supporting service chains both within a VM or contain or across multiple VMs or containers, as well a parallel packet processing operations.
-
5.发明申请公开(公告)号:US20170286645A1
公开(公告)日:2017-10-05
申请号:US15621864
申请日:2017-06-13
申请人: Intel Corporation
IPC分类号: G06F21/12 , G06F12/0875 , G06F13/24 , G06F12/0811 , G06F12/0817 , G06F12/14
CPC分类号: G06F21/12 , G06F12/0811 , G06F12/0822 , G06F12/0875 , G06F12/14 , G06F12/1425 , G06F13/24 , G06F2212/1052 , G06F2212/283 , G06F2212/452
摘要: Instructions and logic fork processes and establish child enclaves in a secure enclave page cache (EPC). Instructions specify addresses for secure storage allocated to enclaves of a parent and a child process to store secure enclave control structure (SECS) data, application data, code, etc. The processor includes an EPC to store enclave data of the parent and child processes. Embodiments of the parent may execute, or a system may execute an instruction to copy parent SECS to secure storage for the child, initialize a unique child ID and link to the parent's SECS/ID. Embodiments of the child may execute, or the system may execute an instruction to copy pages from the parent enclave to the enclave of the child where both have the same key, set an entry for EPC mapping to partial completion, and record a page state in the child enclave, if interrupted. Thus copying can be resumed.
-
公开(公告)号:US09716710B2
公开(公告)日:2017-07-25
申请号:US14752259
申请日:2015-06-26
申请人: Intel Corporation
发明人: Mona Vij , Carlos V. Rozas , Vincent R. Scarlata , Francis X. McKeen , Bo Zhang
CPC分类号: H04L63/0823 , G06F9/45558 , G06F2009/45587 , H04L63/0281 , H04L63/10
摘要: Technologies for secure access to platform security services include a computing device having a processor and a security engine. The computing device establishes a platform services enclave in a virtual machine of the computing device using secure enclave support of the processor. The platform services enclave receives a platform services request from an application enclave via a first authenticated session and transmits the platform services request to a virtual security engine established by a host environment via a second authenticated session. The first and second authenticated sessions may be authenticated by report-based attestation and quote-based attestation, respectively. The virtual security engine transmits the platform services request to the security engine via a long-term pairing session established by the virtual security engine with the security engine. The security engine performs the platform services request using hardware resources shared with other platform services enclaves. Other embodiments are described and claimed.
-
公开(公告)号:US09710622B2
公开(公告)日:2017-07-18
申请号:US14629132
申请日:2015-02-23
申请人: INTEL CORPORATION
IPC分类号: G06F21/12 , G06F12/0817 , G06F12/14 , G06F13/24 , G06F12/0875 , G06F12/0811
CPC分类号: G06F21/12 , G06F12/0811 , G06F12/0822 , G06F12/0875 , G06F12/14 , G06F12/1425 , G06F13/24 , G06F2212/1052 , G06F2212/283 , G06F2212/452
摘要: Instructions and logic fork processes and establish child enclaves in a secure enclave page cache (EPC). Instructions specify addresses for secure storage allocated to enclaves of a parent and a child process to store secure enclave control structure (SECS) data, application data, code, etc. The processor includes an EPC to store enclave data of the parent and child processes. Embodiments of the parent may execute, or a system may execute an instruction to copy parent SECS to secure storage for the child, initialize a unique child ID and link to the parent's SECS/ID. Embodiments of the child may execute, or the system may execute an instruction to copy pages from the parent enclave to the enclave of the child where both have the same key, set an entry for EPC mapping to partial completion, and record a page state in the child enclave, if interrupted. Thus copying can be resumed.
-
8.发明申请INSTRUCTIONS AND LOGIC TO FORK PROCESSES OF SECURE ENCLAVES AND ESTABLISH CHILD ENCLAVES IN A SECURE ENCLAVE PAGE CACHE 有权指示和逻辑安全保护程序,并在安全的页面缓存中建立儿童安全公开(公告)号:US20160246720A1
公开(公告)日:2016-08-25
申请号:US14629132
申请日:2015-02-23
申请人: Intel Corporation
CPC分类号: G06F21/12 , G06F12/0811 , G06F12/0822 , G06F12/0875 , G06F12/14 , G06F12/1425 , G06F13/24 , G06F2212/1052 , G06F2212/283 , G06F2212/452
摘要: Instructions and logic fork processes and establish child enclaves in a secure enclave page cache (EPC). Instructions specify addresses for secure storage allocated to enclaves of a parent and a child process to store secure enclave control structure (SECS) data, application data, code, etc. The processor includes an EPC to store enclave data of the parent and child processes. Embodiments of the parent may execute, or a system may execute an instruction to copy parent SECS to secure storage for the child, initialize a unique child ID and link to the parent's SECS/ID. Embodiments of the child may execute, or the system may execute an instruction to copy pages from the parent enclave to the enclave of the child where both have the same key, set an entry for EPC mapping to partial completion, and record a page state in the child enclave, if interrupted. Thus copying can be resumed.
摘要翻译: 指令和逻辑fork处理并在安全的飞地页面缓存(EPC)中建立子空间。 指令指定分配给父节点和子进程的子进程的安全存储地址,以存储安全区域控制结构(SECS)数据,应用程序数据,代码等。处理器包括用于存储父进程和子进程的飞地数据的EPC。 父级的实施例可以执行,或者系统可以执行复制父SECS以保护儿童的存储的指令,初始化唯一的子ID并链接到父级的SECS / ID。 子系统的实施例可以执行,或者系统可以执行将父页面的页面复制到具有相同密钥的小孩的飞地的指令,将用于EPC映射的条目设置为部分完成,并将页面状态记录在 孩子飞散,如果中断。 因此可以恢复复印。
-
公开(公告)号:US12113902B2
公开(公告)日:2024-10-08
申请号:US17131684
申请日:2020-12-22
申请人: Intel Corporation
发明人: Anjo Lucas Vahldiek-Oberwagner , Ravi L. Sahita , Mona Vij , Dayeol Lee , Haidong Xia , Rameshkumar Illikkal , Samuel Ortiz , Kshitij Arun Doshi , Mourad Cherfaoui , Andrzej Kuriata , Teck Joo Goh
CPC分类号: H04L9/321 , H04L9/3242
摘要: In function-as-a-service (FaaS) environments, a client makes use of a function executing within a trusted execution environment (TEE) on a FaaS server. Multiple tenants of the FaaS platform may provide functions to be executed by the FaaS platform via a gateway. Each tenant may provide code and data for any number of functions to be executed within any number of TEEs on the FaaS platform and accessed via the gateway. Additionally, each tenant may provide code and data for a single surrogate attester TEE. The client devices of the tenant use the surrogate attester TEE to attest each of the other TEEs of the tenant and establish trust with the functions in those TEEs. Once the functions have been attested, the client devices have confidence that the other TEEs of the tenant are running on the same platform as the gateway.
-
公开(公告)号:US20240330466A1
公开(公告)日:2024-10-03
申请号:US18676413
申请日:2024-05-28
申请人: Intel Corporation
发明人: Scott Douglas Constable , Marcin Andrzej Chrapek , Marcin Spoczynski , Cory Cornelius , Mona Vij , Anjo Lucas Vahldiek-Oberwagner
IPC分类号: G06F21/57
CPC分类号: G06F21/57
摘要: Methods, apparatus, systems, and articles of manufacture to verify integrity of a model are disclosed. An example apparatus includes programmable circuitry to initialize an instance of a trusted execution environment; upload a security manifest of the trusted execution environment and a machine learning model; determine whether to store the machine learning model into a memory based on checking of the security manifest; determine whether the machine learning model is valid; and output a validation result.
-
-
-
-
-
-
-
-
-
搜索结果
51 条记录 (耗时 0.032 秒)
