Abstract:
A flexible aes instruction set for a general purpose processor is provided. The instruction set includes instructions to perform a “one round” pass for aes encryption or decryption and also includes instructions to perform key generation. An immediate may be used to indicate round number and key size for key generation for 128/192/256 bit keys. The flexible aes instruction set enables full use of pipelining capabilities because it does not require tracking of implicit registers.
Abstract:
In one embodiment, an apparatus includes: an integrity circuit to receive data and generate a protection code based at least in part on the data; a cryptographic circuit coupled to the integrity circuit to encrypt the data into encrypted data and encrypt the protection code into an encrypted protection code; a message authentication code (MAC) circuit coupled to the cryptographic circuit to compute a MAC comprising a tag using header information, the encrypted data, and the encrypted protection code; and an output circuit to send the header information, the encrypted data, and the tag to a receiver via a link. Other embodiments are described and claimed.
Abstract:
This disclosure is directed to cache and data organization for memory protection. Memory protection operations in a device may be expedited by organizing cache and/or data structure while providing memory protection for encrypted data. An example device may comprise processing module and a memory module. The processing module may include a memory encryption engine (MEE) to decrypt encrypted data loaded from the memory module, or to encrypt plaintext data prior to storage in the memory module, using security metadata also stored in the memory module. Example security metadata may include version (VER) data, memory authentication code (MAC) data and counter data. Consistent with the present disclosure, a cache associated with the MEE may be partitioned to separate the VER and MAC data from counter data. Data organization may comprise including the VER and MAC data corresponding to particular data in the same data line.
Abstract:
Apparatus and method for role-based register protection. For example, one embodiment of an apparatus comprises: one or more processor cores to execute instructions and process data, the one or more processor cores to execute one or more security instructions to protect a virtual machine or trusted application from a virtual machine monitor (VMM) or operating system (OS); an interconnect fabric to couple the one or more processor cores to a device; and security hardware logic to determine whether to allow a read or write transaction directed to a protected register to proceed over the interconnect fabric, the security hardware logic to evaluate one or more security attributes associated with an initiator of the transaction to make the determination.
Abstract:
Systems and methods for memory protection for implementing trusted execution environment. An example processing system comprises: an on-package memory; a memory encryption engine (MEE) comprising a MEE cache, the MEE to: responsive to failing to locate, within the MEE cache, an encryption metadata associated with a data item loaded from an external memory, retrieve at least part of the encryption metadata from the OPM, and validate the data item using the encryption metadata.