-
Publication number: US20180091551A1
Publication date: 2018-03-29
Application number: US15277912
Filing date: 2016-09-27
Applicant: QUALCOMM Incorporated
Inventor: Anand PALANIGOUNDER , Rosario CAMMAROTA , Darren LASKO
CPC classification number: H04L63/166 , G06F9/45558 , G06F21/00 , G06F21/53 , G06F21/606 , G06F2009/45587 , G06F2009/45595 , H04L9/3247 , H04L63/0428 , H04L63/06 , H04L63/0853 , H04L63/0869 , H04L63/12
Abstract: Techniques for establishing one or more end-to-end secure channels in a data center are provided. A method according to these techniques includes obtaining, at a secure module (SM) associated with a virtual machine (VM) operating on a node of the data center, a VM-specific signature key for the VM from a Hardware Security Module (HSM), and performing a cryptographic signing operation at the SM associated with establishing an end-to-end secure channel between the VM and another networked entity using the VM-specific signature key responsive to a request from the VM.
-
Publication number: US20190215160A1
Publication date: 2019-07-11
Application number: US15865994
Filing date: 2018-01-09
Applicant: QUALCOMM Incorporated
Inventor: Darren LASKO , Roberto Avanzi , Thomas Speier , Harb Abdulhamid , Vikramjit Sethi
CPC classification number: H04L9/0894 , G06F21/602 , G06F21/71 , G06F21/72 , G06F21/79 , G06F21/85 , G06F2009/45587
Abstract: Embodiments of the disclosure include systems and methods for storage of a first plurality of cryptographic keys associated with a first plurality of corresponding Protected Software Environments (PSEs) supervised by a PSE-management software running on a computer system and configured to supervise a superset of the plurality of PSEs. The computer system stores currently unused keys of the superset in a relatively cheap, large, and slow memory and caches the keys of the first plurality in a relatively fast, small, and expensive memory. In one embodiment, in a computer system having a first processor, a first memory controller, and a first RAM, the first memory controller has a memory cryptography circuit connected between the first processor and the first RAM, the memory cryptography circuit has a keystore and a first cryptographic engine, and the keystore is configured to store a first plurality of cryptographic keys accessible by a cryptographic-key identification.
-
Publication number: US20200042746A1
Publication date: 2020-02-06
Application number: US16053626
Filing date: 2018-08-02
Applicant: QUALCOMM Incorporated
Inventor: Roberto AVANZI , Darren LASKO
Abstract: Some embodiments include systems and methods for the management of a plurality of expanded cryptographic keys associated with a plurality of corresponding Protected Software Environments (PSEs) supervised by PSE-management software running on a computer system. In one embodiment, a computer system has a first processor, a first memory controller, and a first RAM. The first memory controller has a first memory cryptography circuit connected between the first processor and the first RAM. The memory cryptography circuit comprises a keystore and a first cryptographic engine. The keystore comprises a seedstore and a key-expansion engine. The seedstore is configured to store a first plurality of cryptographic key seeds accessible by a key identifier, for use by the key-expansion engine to generate expanded keys, where each key seed corresponds to a corresponding client.
-
Publication number: US20190384725A1
Publication date: 2019-12-19
Application number: US16547527
Filing date: 2019-08-21
Applicant: QUALCOMM Incorporated
Inventor: Darren LASKO , Roberto AVANZI , Thomas Philip SPEIER , Harb ABDULHAMID , Vikramjit SETHI
Abstract: A method, apparatus, and system for storing memory encryption realm key IDs is disclosed. A method comprises accessing a memory ownership table with a physical address to determine a realm ID associated with the physical address, accessing a key ID association structure with the realm ID to determine a realm key ID associated with the realm ID, and initiating a memory transaction based on the realm key ID. Once retrieved, the realm key ID may be stored in a translation lookaside buffer.
-
Publication number: US20190196984A1
Publication date: 2019-06-27
Application number: US15855184
Filing date: 2017-12-27
Applicant: QUALCOMM Incorporated
Inventor: Darren LASKO , Roberto Avanzi
IPC: G06F12/14
CPC classification number: G06F12/1433 , G06F12/1441 , G06F21/64 , G06F21/79 , G06F2212/1052 , G11C7/24 , G11C29/52
Abstract: In certain aspects of the disclosure, an apparatus comprises a first memory having a plurality of bits. Each bit of the plurality of bits of the first memory is associated with a region of a second memory, and each bit indicates whether the associated region of the second memory is to be integrity-protected. The first memory further stores a first minimum set of data necessary for integrity protection (MSD) of an associated first integrity protection tree when a first bit of the plurality of bits is set to a value indicating that the first associated region of the second memory is to be integrity-protected. Regions of the second memory that are integrity-protected may be non-contiguous, and may be adjusted during run-time.
-
Publication number: US20180091315A1
Publication date: 2018-03-29
Application number: US15277501
Filing date: 2016-09-27
Applicant: QUALCOMM Incorporated
Inventor: Ashish SINGHAL , David HUGHES , Darren LASKO , Jeffrey BRASEN , Raghavendar BHAVANSIKAR
CPC classification number: H04L9/3268 , G06F8/654 , G06F9/4401 , G06F11/1417 , G06F12/0238 , G06F12/0661 , G06F12/0676 , G06F21/57 , G06F21/575 , G06F2212/1052 , G06F2212/7209 , G06F2221/2111 , G06F2221/2133
Abstract: Disclosed are implementations for revoking and updating a compromised root-of-trust (ROT), including a method comprising determining whether a current validation value, representative of an expected value resulting from application of a validation function to a current certificate, is to be replaced, with the current validation value being stored in a write-restricted non-volatile memory unit of the device. The method also comprises determining at boot time whether a physical presence indicator, configured to be non-actuatable from non-proximate locations, is set to a value indicating that an actuation mechanism (for actuating the physical presence indicator so as to cause content change for the write-restricted memory) has established physical presence with the device, and providing a new validation value in response to determining that the current validation value is to be replaced and that the physical presence indicator indicates that physical presence has been established.
-
Publication number: US20180046808A1
Publication date: 2018-02-15
Application number: US15234909
Filing date: 2016-08-11
Applicant: QUALCOMM Incorporated
Inventor: Rosario CAMMAROTA , Roberto AVANZI , Ramesh Chandra CHAUHAN , Harold Wade CAIN, III , Darren LASKO
IPC: G06F21/57 , G06F12/0891 , G06F12/0877
CPC classification number: G06F21/57 , G06F12/0877 , G06F12/0891 , G06F21/556 , G06F21/75 , G06F21/79 , G06F2212/1052 , G06F2212/603
Abstract: Techniques for preventing side-channel attacks on a cache are provided. A method according to these techniques includes executing a software instruction indicating that a portion of software requiring data protection is about to be executed, setting the cache to operate in a randomized mode to de-correlate cache timing and cache miss behavior from data being processed by the portion of software requiring data protection responsive to the instruction indicating that the portion of software requiring data protection is about to be executed, executing the portion of software requiring data protection, storing the data being processed by the portion of software requiring data protection, and setting the cache to operate in a standard operating mode responsive to an instruction indicating that execution of the portion of software requiring data protection has completed.