-
公开(公告)号:US20220222143A1
公开(公告)日:2022-07-14
申请号:US17708984
申请日:2022-03-30
Applicant: Intel Corporation
Inventor: Siddhartha Chhabra , Ronald Perez , Hsing-Min Chen , Manjula Peddireddy
Abstract: A write request causes controller circuitry to write an encrypted data line and First Tier metadata portion including MAC data and a first portion of ECC data to a first memory circuitry portion and a second portion of ECC data to a sequestered, second memory circuitry portion. A read request causes the controller circuitry to read the encrypted data line and the First Tier metadata portion from the first memory circuitry portion. Using the first portion of the ECC data included in the First Tier metadata portion, the controller circuitry determines if an error exists in the encrypted data line. If no error is detected, the controller circuitry decrypts and verifies the data line using the MAC data included in the First Tier metadata portion. If an error in the data line is detected by the controller circuitry, the Second Tier metadata portion, containing the second portion of the ECC data is fetched from the sequestered, second memory circuitry portion and the error corrected.
-
公开(公告)号:US20220019667A1
公开(公告)日:2022-01-20
申请号:US17354733
申请日:2021-06-22
Applicant: Intel Corporation
Inventor: Kapil Sood , Ioannis T. Schoinas , Yu-Yuan Chen , Raghunandan Makaram , David J. Harriman , Baiju Patel , Ronald Perez , Matthew E. Hoekstra , Reshma Lal
Abstract: In one embodiment, an apparatus comprises a processor to: receive a request to configure a secure execution environment for a first workload; configure a first set of secure execution enclaves for execution of the first workload, wherein the first set of secure execution enclaves is configured on a first set of processing resources, wherein the first set of processing resources comprises one or more central processing units and one or more accelerators; configure a first set of secure datapaths for communication among the first set of secure execution enclaves during execution of the first workload, wherein the first set of secure datapaths is configured over a first set of interconnect resources; configure the secure execution environment for the first workload, wherein the secure execution environment comprises the first set of secure execution enclaves and the first set of secure datapaths.
-
公开(公告)号:US11048800B2
公开(公告)日:2021-06-29
申请号:US16362218
申请日:2019-03-22
Applicant: Intel Corporation
Inventor: Kapil Sood , Ioannis T. Schoinas , Yu-Yuan Chen , Raghunandan Makaram , David J. Harriman , Baiju Patel , Ronald Perez , Matthew E. Hoekstra , Reshma Lal
Abstract: In one embodiment, an apparatus comprises a processor to: receive a request to configure a secure execution environment for a first workload; configure a first set of secure execution enclaves for execution of the first workload, wherein the first set of secure execution enclaves is configured on a first set of processing resources, wherein the first set of processing resources comprises one or more central processing units and one or more accelerators; configure a first set of secure datapaths for communication among the first set of secure execution enclaves during execution of the first workload, wherein the first set of secure datapaths is configured over a first set of interconnect resources; configure the secure execution environment for the first workload, wherein the secure execution environment comprises the first set of secure execution enclaves and the first set of secure datapaths.
-
公开(公告)号:US20240045968A1
公开(公告)日:2024-02-08
申请号:US18492007
申请日:2023-10-23
Applicant: Intel Corporation
Inventor: Kapil Sood , Ioannis T. Schoinas , Yu-Yuan Chen , Raghunandan Makaram , David J. Harriman , Baiju Patel , Ronald Perez , Matthew E. Hoekstra , Reshma Lal
Abstract: In one embodiment, an apparatus comprises a processor to: receive a request to configure a secure execution environment for a first workload; configure a first set of secure execution enclaves for execution of the first workload, wherein the first set of secure execution enclaves is configured on a first set of processing resources, wherein the first set of processing resources comprises one or more central processing units and one or more accelerators; configure a first set of secure datapaths for communication among the first set of secure execution enclaves during execution of the first workload, wherein the first set of secure datapaths is configured over a first set of interconnect resources; configure the secure execution environment for the first workload, wherein the secure execution environment comprises the first set of secure execution enclaves and the first set of secure datapaths.
-
公开(公告)号:US11520611B2
公开(公告)日:2022-12-06
申请号:US16370924
申请日:2019-03-30
Applicant: Intel Corporation
Inventor: David Durham , Siddhartha Chhabra , Geoffrey Strongin , Ronald Perez
IPC: G06F9/455 , G06F12/1009 , H04L9/32
Abstract: A host Virtual Machine Monitor (VMM) operates “blindly,” without the host VMM having the ability to access data within a guest virtual machine (VM) or the ability to access directly control structures that control execution flow of the guest VM. Guest VMs execute within a protected region of memory (called a key domain) that even the host VMM cannot access. Virtualization data structures that pertain to the execution state (e.g., a Virtual Machine Control Structure (VMCS)) and memory mappings (e.g., Extended Page Tables (EPTs)) of the guest VM are also located in the protected memory region and are also encrypted with the key domain key. The host VMM and other guest VMs, which do not possess the key domain key for other key domains, cannot directly modify these control structures nor access the protected memory region. The host VMM, however, using VMPageIn and VMPageOut instructions, can build virtual machines in key domains and page VM pages in and out of key domains.
-
Patent Agency Ranking
公开(公告)号:US11301325B2
公开(公告)日:2022-04-12
申请号:US16888449
申请日:2020-05-29
Applicant: Intel Corporation
Inventor: Siddhartha Chhabra , Ronald Perez , Hsing-Min Chen , Manjula Peddireddy
Abstract: A write request causes controller circuitry to write an encrypted data line and First Tier metadata portion including MAC data and a first portion of ECC data to a first memory circuitry portion and a second portion of ECC data to a sequestered, second memory circuitry portion. A read request causes the controller circuitry to read the encrypted data line and the First Tier metadata portion from the first memory circuitry portion. Using the first portion of the ECC data in the First Tier metadata portion, the controller circuitry determines if an error exists in the encrypted data line. If no error is detected, the controller circuitry decrypts and verifies the data line using the MAC data in the First Tier metadata portion. If an error in the data line is detected, the Second Tier metadata portion, is fetched from the sequestered, second memory circuitry portion and the error corrected.
-
公开(公告)号:US20200057664A1
公开(公告)日:2020-02-20
申请号:US16370924
申请日:2019-03-30
Applicant: Intel Corporation
Inventor: David Durham , Siddhartha Chhabra , Geoffrey Strongin , Ronald Perez
IPC: G06F9/455 , G06F12/1009 , H04L9/32
Abstract: A host Virtual Machine Monitor (VMM) operates “blindly,” without the host VMM having the ability to access data within a guest virtual machine (VM) or the ability to access directly control structures that control execution flow of the guest VM. Guest VMs execute within a protected region of memory (called a key domain) that even the host VMM cannot access. Virtualization data structures that pertain to the execution state (e.g., a Virtual Machine Control Structure (VMCS)) and memory mappings (e.g., Extended Page Tables (EPTs)) of the guest VM are also located in the protected memory region and are also encrypted with the key domain key. The host VMM and other guest VMs, which do not possess the key domain key for other key domains, cannot directly modify these control structures nor access the protected memory region. The host VMM, however, using VMPageIn and VMPageOut instructions, can build virtual machines in key domains and page VM pages in and out of key domains.
-
公开(公告)号:US12079341B2
公开(公告)日:2024-09-03
申请号:US17354733
申请日:2021-06-22
Applicant: Intel Corporation
Inventor: Kapil Sood , Ioannis T. Schoinas , Yu-Yuan Chen , Raghunandan Makaram , David J. Harriman , Baiju Patel , Ronald Perez , Matthew E. Hoekstra , Reshma Lal
Abstract: In one embodiment, an apparatus comprises a processor to: receive a request to configure a secure execution environment for a first workload; configure a first set of secure execution enclaves for execution of the first workload, wherein the first set of secure execution enclaves is configured on a first set of processing resources, wherein the first set of processing resources comprises one or more central processing units and one or more accelerators; configure a first set of secure datapaths for communication among the first set of secure execution enclaves during execution of the first workload, wherein the first set of secure datapaths is configured over a first set of interconnect resources; configure the secure execution environment for the first workload, wherein the secure execution environment comprises the first set of secure execution enclaves and the first set of secure datapaths.
-
公开(公告)号:US20210374000A1
公开(公告)日:2021-12-02
申请号:US16888449
申请日:2020-05-29
Applicant: Intel Corporation
Inventor: Siddhartha Chhabra , Ronald Perez , Hsing-Min Chen , Manjula Peddireddy
Abstract: A write request causes controller circuitry to write an encrypted data line and First Tier metadata portion including MAC data and a first portion of ECC data to a first memory circuitry portion and a second portion of ECC data to a sequestered, second memory circuitry portion. A read request causes the controller circuitry to read the encrypted data line and the First Tier metadata portion from the first memory circuitry portion. Using the first portion of the ECC data included in the First Tier metadata portion, the controller circuitry determines if an error exists in the encrypted data line. If no error is detected, the controller circuitry decrypts and verifies the data line using the MAC data included in the First Tier metadata portion. If an error in the data line is detected by the controller circuitry, the Second Tier metadata portion, containing the second portion of the ECC data is fetched from the sequestered, second memory circuitry portion and the error corrected.
-
公开(公告)号:US20190220601A1
公开(公告)日:2019-07-18
申请号:US16362218
申请日:2019-03-22
Applicant: Intel Corporation
Inventor: Kapil Sood , Ioannis T. Schoinas , Yu-Yuan Chen , Raghunandan Makaram , David J. Harriman , Baiju Patel , Ronald Perez , Matthew E. Hoekstra , Reshma Lal
CPC classification number: G06F21/57 , G06F9/505 , G06F21/72 , G06F21/85 , G06F2221/034
Abstract: In one embodiment, an apparatus comprises a processor to: receive a request to configure a secure execution environment for a first workload; configure a first set of secure execution enclaves for execution of the first workload, wherein the first set of secure execution enclaves is configured on a first set of processing resources, wherein the first set of processing resources comprises one or more central processing units and one or more accelerators; configure a first set of secure datapaths for communication among the first set of secure execution enclaves during execution of the first workload, wherein the first set of secure datapaths is configured over a first set of interconnect resources; configure the secure execution environment for the first workload, wherein the secure execution environment comprises the first set of secure execution enclaves and the first set of secure datapaths.
-
-
-
-
-
-
-
-
-
Search Results
10
records
(took 0.017 seconds)
