公开(公告)号：US20180114013A1

公开(公告)日：2018-04-26

申请号：US15298419

申请日：2016-10-20

申请人： Kapil Sood ,  Somnath Chakrabarti ,  Wei Shen ,  Carlos V. Rozas ,  Mona Vij ,  Vincent R. Scarlata

发明人： Kapil Sood ,  Somnath Chakrabarti ,  Wei Shen ,  Carlos V. Rozas ,  Mona Vij ,  Vincent R. Scarlata

IPC分类号： G06F21/53 ,  G06F12/14 ,  G06F21/57 ,  G06F21/44 ,  G06F9/455 ,  G06F9/445

CPC分类号： G06F21/53 ,  G06F8/61 ,  G06F9/45558 ,  G06F12/1408 ,  G06F21/44 ,  G06F21/572 ,  G06F21/606 ,  G06F2009/45587 ,  G06F2212/1052 ,  G06F2212/152 ,  G06F2212/402

摘要： Methods and apparatus for extending packet processing to trusted programmable and fixed-function accelerators. Secure enclaves are created in system memory of a compute platform, wherein software code external from a secure enclave cannot access code or data within a secure enclave, and software code in a secure enclave can access code and data both within the secure enclave and external to the secure enclave. Software code for implementing packet processing operations is installed in the secure enclaves. The compute platform further includes one or more hardware-based accelerators that are used by the software to offload packet processing operations. The accelerators are configured to read packet data from input queues, process the data, and output processed data to output queues, wherein the input and output queues are located in encrypted portions of memory that may be in a secure enclave or external to the secure enclaves. Tokens are used by accelerators to validate access to memory in secure enclaves, and used by both accelerators and secure enclaves to access encrypted memory external to secure enclaves.

公开(公告)号：US20180114012A1

公开(公告)日：2018-04-26

申请号：US15298416

申请日：2016-10-20

申请人： Kapil Sood ,  Somnath Chakrabarti ,  Wei Shen ,  Carlos V. Rozas ,  Mona Vij ,  Vincent R. Scarlata

发明人： Kapil Sood ,  Somnath Chakrabarti ,  Wei Shen ,  Carlos V. Rozas ,  Mona Vij ,  Vincent R. Scarlata

IPC分类号： G06F21/53 ,  G06F9/44 ,  G06F21/57 ,  G06F21/60 ,  G06F9/455 ,  G06F9/445

CPC分类号： G06F21/53 ,  G06F8/61 ,  G06F9/4406 ,  G06F9/45558 ,  G06F12/1036 ,  G06F12/109 ,  G06F12/1425 ,  G06F21/575 ,  G06F21/79 ,  G06F2009/45587 ,  G06F2212/1052 ,  H04L41/5041

摘要： Methods and apparatus for implemented trusted packet processing for multi-domain separatization and security. Secure enclaves are created in system memory of a compute platform configured to support a virtualized execution environment including a plurality of virtual machines (VMs) or containers, each secure enclave occupying a respective protected portion of the system memory, wherein software code external from a secure enclave cannot access code or data within a secure enclave, and software code in a secure enclave can access code and data both within the secure enclave and external to the secure enclave. Software code for implementing packet processing operations is installed in the secure enclaves. The software in the secure enclaves is then executed to perform the packet processing operations. Various configurations of secure enclaves and software code may be implemented, including configurations supporting service chains both within a VM or contain or across multiple VMs or containers, as well a parallel packet processing operations.

公开(公告)号：US20170054557A1

公开(公告)日：2017-02-23

申请号：US14829340

申请日：2015-08-18

申请人： Carlos V. Rozas ,  Mona Vij ,  Rebekah M. Leslie-Hurd ,  Krystof C. Zmudzinski ,  Somnath Chakrabarti ,  Francis X. McKeen ,  Vincent R. Scarlata ,  Simon P. Johnson ,  Ilya Alexandrovich

发明人： Carlos V. Rozas ,  Mona Vij ,  Rebekah M. Leslie-Hurd ,  Krystof C. Zmudzinski ,  Somnath Chakrabarti ,  Francis X. McKeen ,  Vincent R. Scarlata ,  Simon P. Johnson ,  Ilya Alexandrovich

IPC分类号： H04L9/08 ,  H04L29/08 ,  G06F9/455

CPC分类号： H04L9/0891 ,  G06F9/45558 ,  G06F2009/45575 ,  G06F2009/45587 ,  H04L63/061 ,  H04L63/10 ,  H04L67/34

摘要： A processor to support platform migration of secure enclaves is disclosed. In one embodiment, the processor includes a memory controller unit to access secure enclaves and a processor core coupled to the memory controller unit. The processor core to identify a control structure associated with a secure enclave. The control structure comprises a plurality of data slots and keys associated with a first platform comprising the memory controller unit and the processor core. A version of data from the secure enclave is associated with the plurality of data slots. Migratable keys are generated as a replacement for the keys associated with the control structure. The migratable keys control access to the secure enclave. Thereafter, the control structure is migrated to a second platform to enable access to the secure enclave on the second platform.

摘要翻译： 公开了一种用于支持安全飞行器的平台迁移的处理器。 在一个实施例中，处理器包括存储器控制器单元以访问安全的包围层和耦合到存储器控制器单元的处理器核心。 处理器核心，用于识别与安全飞地相关联的控制结构。 控制结构包括与包括存储器控制器单元和处理器核心的第一平台相关联的多个数据时隙和密钥。 来自安全飞地的数据的版本与多个数据时隙相关联。 生成可迁移键作为与控制结构相关联的键的替代。 可移植键控制对安全飞地的访问。 此后，将控制结构迁移到第二平台以使得能够访问第二平台上的安全飞地。

公开(公告)号：US07587595B2

公开(公告)日：2009-09-08

申请号：US11171133

申请日：2005-06-29

申请人： Vincent R. Scarlata ,  Carlos V. Rozas

发明人： Vincent R. Scarlata ,  Carlos V. Rozas

IPC分类号： H04L9/00

CPC分类号： G06F21/72 ,  G06F21/53 ,  G06F21/552 ,  G06F21/577 ,  G06F21/602 ,  G06F21/74 ,  G06F21/79 ,  G06F2221/2103 ,  G06F2221/2105 ,  G06F2221/2149

摘要： A virtual security coprocessor framework supports creation of at least one device model to emulate a predetermined cryptographic coprocessor. In one embodiment, the virtual security coprocessor framework uses a cryptographic coprocessor in a processing system to create an instance of the device model (DM) in the processing system. The DM may be based at least in part on a predetermined device model design. The DM may emulate the predetermined cryptographic coprocessor in accordance with the control logic of the device model design. In one embodiment, the virtual security coprocessor framework uses a physical trusted platform module (TPM) in a processing system to support one or more virtual TPMs (vTPMs) for one or more virtual machines (VMs) in the processing system. Other embodiments are described and claimed.

摘要翻译： 虚拟安全协处理器框架支持创建至少一个设备模型以模拟预定的密码协处理器。 在一个实施例中，虚拟安全协处理器框架在处理系统中使用密码协处理器来在处理系统中创建设备模型（DM）的实例。 DM可以至少部分地基于预定的设备模型设计。 DM可以根据设备模型设计的控制逻辑来模拟预定的密码协处理器。 在一个实施例中，虚拟安全协处理器框架使用处理系统中的物理信任平台模块（TPM）来支持处理系统中的一个或多个虚拟机（VM）的一个或多个虚拟TPM（vTPM）。 描述和要求保护其他实施例。

公开(公告)号：US09189411B2

公开(公告)日：2015-11-17

申请号：US13729348

申请日：2012-12-28

申请人： Francis X. Mckeen ,  Michael A. Goldsmith ,  Barrey E. Huntley ,  Simon P. Johnson ,  Rebekah Leslie ,  Carlos V. Rozas ,  Uday R. Savagaonkar ,  Vincent R. Scarlata ,  Vedvyas Shanbhogue ,  Wesley H. Smith

发明人： Francis X. Mckeen ,  Michael A. Goldsmith ,  Barrey E. Huntley ,  Simon P. Johnson ,  Rebekah Leslie ,  Carlos V. Rozas ,  Uday R. Savagaonkar ,  Vincent R. Scarlata ,  Vedvyas Shanbhogue ,  Wesley H. Smith

IPC分类号： G06F12/00 ,  G06F12/08 ,  G06F12/14

CPC分类号： G06F21/60 ,  G06F12/0875 ,  G06F12/14 ,  G06F12/145 ,  G06F21/72 ,  G06F2212/1052 ,  G06F2212/152 ,  G06F2212/452

摘要： Embodiments of an invention for logging in secure enclaves are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction having an associated enclave page cache address. The execution unit is to execute the instruction without causing a virtual machine exit, wherein execution of the instruction includes logging the instruction and the associated enclave page cache address.

摘要翻译： 公开了用于登录安全飞行器的发明的实施例。 在一个实施例中，处理器包括指令单元和执行单元。 该指令单元用于接收具有关联的飞地页面缓存地址的指令。 执行单元执行指令而不引起虚拟机退出，其中指令的执行包括记录指令和关联的飞地页面缓存地址。

公开(公告)号：US20150033034A1

公开(公告)日：2015-01-29

申请号：US13949110

申请日：2013-07-23

申请人： Gideon Gerzon ,  Shay Gueron ,  Simon P. Johnson ,  Francis X. Mckeen ,  Carlos V. Rozas ,  Uday R. Savagaonkar ,  Vincent R. Scarlata ,  Ittai Anati

发明人： Gideon Gerzon ,  Shay Gueron ,  Simon P. Johnson ,  Francis X. Mckeen ,  Carlos V. Rozas ,  Uday R. Savagaonkar ,  Vincent R. Scarlata ,  Ittai Anati

IPC分类号： H04L9/32 ,  G06F12/14

CPC分类号： H04L9/3239 ,  G06F9/3004 ,  G06F12/1441 ,  G06F21/71 ,  G06F2221/2111

摘要： Embodiments of an invention for measuring a secure enclave are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive a first, a second, and a third instruction. The execution unit is to execute the first, the second, and the third instruction. Execution of the first instruction includes initializing a measurement field in a control structure of a secure enclave with an initial value. Execution of the second instruction includes adding a region to the secure enclave. Execution of the third instruction includes measuring a subregion of the region.

摘要翻译： 公开了用于测量安全飞地的发明的实施例。 在一个实施例中，处理器包括指令单元和执行单元。 指令单元将接收第一，第二和第三指令。 执行单元执行第一，第二和第三指令。 执行第一指令包括初始化具有初始值的安全飞地的控制结构中的测量场。 执行第二条指令包括将一个区域添加到安全飞地。 执行第三条指令包括测量该区域的一个子区域。

公开(公告)号：US20120137137A1

公开(公告)日：2012-05-31

申请号：US12956793

申请日：2010-11-30

申请人： Ernest F. Brickell ,  Shay Gueron ,  Jiangtao Li ,  Carlos V. Rozas ,  Daniel Nemiroff ,  Vincent R. Scarlata ,  Uday R. Savagaonkar ,  Simon P. Johnson

发明人： Ernest F. Brickell ,  Shay Gueron ,  Jiangtao Li ,  Carlos V. Rozas ,  Daniel Nemiroff ,  Vincent R. Scarlata ,  Uday R. Savagaonkar ,  Simon P. Johnson

IPC分类号： G06F21/00

CPC分类号： H04L9/0816 ,  G06F21/572 ,  G06F21/73

摘要： Keying materials used for providing security in a platform are securely provisioned both online and offline to devices in a remote platform. The secure provisioning of the keying materials is based on a revision of firmware installed in the platform.

摘要翻译： 用于在平台中提供安全性的键控材料可以安全地在线和离线地配置到远程平台中的设备。 密钥材料的安全配置基于安装在平台中的固件的修订版本。

公开(公告)号：US20110191574A1

公开(公告)日：2011-08-04

申请号：US13016145

申请日：2011-01-28

申请人： Alexander Iliev ,  Vincent R. Scarlata ,  Carlos V. Rozas

发明人： Alexander Iliev ,  Vincent R. Scarlata ,  Carlos V. Rozas

IPC分类号： G06F15/177 ,  H04L9/32

CPC分类号： G06F21/57 ,  G06F21/72 ,  G06F2221/2141 ,  H04L9/0897

摘要： A method and apparatus for binding trusted platform module (TPM) keys to execution entities are described. In one embodiment, the method includes the receipt of an authorization request issued by an execution entity for authorization data. According to the authorization request, the execution entity may be measured to generate an entity digest value. Once the entity digest value is generated, a platform reference module may grant the authorization request if the entity digest value verifies that the execution entity is an owner of the key held by the TPM. Accordingly, in one embodiment, a platform reference module, rather than an execution entity, holds the authorization data required by a TPM to use a key owned by the execution entity and held within sealed storage by the TPM. Other embodiments are described and claimed.

摘要翻译： 描述了将可信平台模块（TPM）密钥绑定到执行实体的方法和装置。 在一个实施例中，该方法包括接收由执行实体发出的授权数据的授权请求。 根据授权请求，可以测量执行实体以生成实体摘要值。 一旦生成实体摘要值，如果实体摘要值验证执行实体是TPM持有的密钥的所有者，则平台引用模块可以授予授权请求。 因此，在一个实施例中，平台参考模块而不是执行实体保存TPM所需的授权数据，以使用由执行实体拥有的密钥并由TPM保存在密封存储器内。 描述和要求保护其他实施例。

公开(公告)号：US20080244746A1

公开(公告)日：2008-10-02

申请号：US11692672

申请日：2007-03-28

申请人： Carlos V. Rozas ,  David Bowler ,  Vincent R. Scarlata ,  Burzin Daruwala

发明人： Carlos V. Rozas ,  David Bowler ,  Vincent R. Scarlata ,  Burzin Daruwala

IPC分类号： G06F15/18

CPC分类号： G06F21/57 ,  G06F2221/2101

摘要： A method and system are disclosed. In one embodiment, the method includes invoking a run-time measurement agent (RTMA) to run on a trusted platform, the RTMA measuring a core system code block multiple times after a single boot on the trusted platform; and a trusted platform module storing these multiple measurements.

摘要翻译： 公开了一种方法和系统。 在一个实施例中，该方法包括调用在受信任平台上运行的运行时测量代理（RTMA），RTMA在可信平台上单次引导之后多次测量核心系统代码块; 以及存储这些多个测量的可信平台模块。

公开(公告)号：US20150178226A1

公开(公告)日：2015-06-25

申请号：US14140254

申请日：2013-12-24

申请人： Vincent R. Scarlata ,  Simon P. Johnson ,  Vladimir Beker ,  Jesse Walker ,  Carlos V. Rozas ,  Amy L. Santoni ,  Ittai Anati ,  Raghunandan Makaram ,  Francis X. McKeen ,  Uday R. Savagaonkar

发明人： Vincent R. Scarlata ,  Simon P. Johnson ,  Vladimir Beker ,  Jesse Walker ,  Carlos V. Rozas ,  Amy L. Santoni ,  Ittai Anati ,  Raghunandan Makaram ,  Francis X. McKeen ,  Uday R. Savagaonkar

IPC分类号： G06F12/14

CPC分类号： G06F12/1466 ,  G06F21/74 ,  G06F2212/1052

摘要： Systems and methods for secure delivery of output surface bitmaps to a display engine. An example processing system comprises: an architecturally protected memory; and a plurality of processing devices communicatively coupled to the architecturally protected memory, each processing device comprising a first processing logic to implement an architecturally-protected execution environment by performing at least one of: executing instructions residing in the architecturally protected memory, or preventing an unauthorized access to the architecturally protected memory; wherein each processing device further comprises a second processing logic to establish a secure communication channel with a second processing device of the processing system, employ the secure communication channel to synchronize a platform identity key representing the processing system, and transmit a platform manifest comprising the platform identity key to a certification system.

摘要翻译： 用于将输出表面位图安全传递到显示引擎的系统和方法。 一个示例处理系统包括：架构受保护的存储器; 以及多个处理设备，通信地耦合到架构保护的存储器，每个处理设备包括第一处理逻辑，以通过执行以下至少一个来实现架构保护的执行环境：执行驻留在架构保护的存储器中的指令，或者防止未授权的 访问架构受保护的内存; 其中每个处理设备还包括第二处理逻辑，用于与所述处理系统的第二处理设备建立安全通信信道，采用所述安全通信信道来同步代表所述处理系统的平台标识密钥，并发送包括所述平台的平台清单 认证系统的身份密钥。