公开(公告)号：US20150188710A1

公开(公告)日：2015-07-02

申请号：US14142837

申请日：2013-12-28

申请人： Simon Johnson ,  Francis McKeen ,  Vincent Scarlata ,  Carlos Rozas ,  Uday Savagaonkar ,  Michael Goldsmith ,  Ernie Brickell

发明人： Simon Johnson ,  Francis McKeen ,  Vincent Scarlata ,  Carlos Rozas ,  Uday Savagaonkar ,  Michael Goldsmith ,  Ernie Brickell

IPC分类号： H04L9/32

CPC分类号： H04L9/3247 ,  G06F21/53 ,  G06F21/74

摘要： Embodiments of an invention for offloading functionality from a secure processing environment are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to initialize a secure enclave. The execution unit is to execute the instruction. Execution of the instruction includes verifying that a signature structure key matches a hardware key that permits functionality to be offloaded.

摘要翻译： 公开了一种用于从安全处理环境卸载功能的发明的实施例。 在一个实施例中，处理器包括指令单元和执行单元。 指令单元将接收初始化安全飞地的指令。 执行单元执行指令。 指令的执行包括验证签名结构密钥与允许卸载功能的硬件密钥相匹配。

公开(公告)号：US20150033316A1

公开(公告)日：2015-01-29

申请号：US13949213

申请日：2013-07-23

申请人： Vincent Scarlata ,  Carlos Rozas ,  Simon Johnson ,  Uday Savagaonkar ,  Ittai Anati ,  Francis McKeen ,  Michael Goldsmith

发明人： Vincent Scarlata ,  Carlos Rozas ,  Simon Johnson ,  Uday Savagaonkar ,  Ittai Anati ,  Francis McKeen ,  Michael Goldsmith

IPC分类号： G06F21/10 ,  H04L9/32

CPC分类号： H04L9/3213 ,  G06F21/12 ,  G06F21/53 ,  H04L9/3263

摘要： Embodiments of an invention for feature licensing in a secure processing environment are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to initialize a secure enclave. The execution unit is to execute the instruction. Execution of the instruction includes determining whether a requested feature is licensed for use in the secure enclave.

摘要翻译： 公开了在安全处理环境中的特征许可的发明的实施例。 在一个实施例中，处理器包括指令单元和执行单元。 指令单元将接收初始化安全飞地的指令。 执行单元执行指令。 指令的执行包括确定所请求的特征是否被许可用于安全飞地。

公开(公告)号：US09276750B2

公开(公告)日：2016-03-01

申请号：US13949192

申请日：2013-07-23

申请人： Vincent R. Scarlata ,  Carlos Rozas ,  Simon Johnson ,  Uday Savagaonkar ,  Rebekah Leslie-Hurd ,  Barry Huntley ,  Vedvyas Shanbhogue ,  Ittai Anati ,  Francis McKeen ,  Michael Goldsmith ,  William Wood ,  Shay Gueron

发明人： Vincent R. Scarlata ,  Carlos Rozas ,  Simon Johnson ,  Uday Savagaonkar ,  Rebekah Leslie-Hurd ,  Barry Huntley ,  Vedvyas Shanbhogue ,  Ittai Anati ,  Francis McKeen ,  Michael Goldsmith ,  William Wood ,  Shay Gueron

IPC分类号： H04L29/06 ,  H04L9/32

CPC分类号： H04L9/3242 ,  G06F9/3004 ,  H04L9/3234 ,  H04L2209/127

摘要： Embodiments of an invention for secure processing environment measurement and attestation are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive a first instruction associated with a build or a rebuild of a secure enclave. The execution unit is to execute the first instruction. Execution of the first instruction, when associated with the build, includes calculation of a first measurement and a second measurement of the secure enclave. Execution of the first instruction, when associated with the rebuild, includes calculation of the second measurement without calculation of the first measurement.

摘要翻译： 公开了用于安全处理环境测量和认证的发明的实施例。 在一个实施例中，处理器包括指令单元和执行单元。 指令单元将接收与构建或重建安全飞地相关联的第一条指令。 执行单元执行第一条指令。 当与构建相关联时，执行第一条指令包括对安全飞地的第一测量和第二测量的计算。 当与重建相关联时，第一条指令的执行包括第二次测量的计算，而不计算第一次测量。

公开(公告)号：US20150033012A1

公开(公告)日：2015-01-29

申请号：US13949192

申请日：2013-07-23

申请人： Vincent R. Scarlata ,  Carlos Rozas ,  Simon Johnson ,  Uday Savagaonkar ,  Rebekah Leslie-Hurd ,  Barry Huntley ,  Vedvyas Shanbhogue ,  Ittai Anati ,  Francis McKeen ,  Michael Goldsmith ,  William Wood ,  Shay Gueron

发明人： Vincent R. Scarlata ,  Carlos Rozas ,  Simon Johnson ,  Uday Savagaonkar ,  Rebekah Leslie-Hurd ,  Barry Huntley ,  Vedvyas Shanbhogue ,  Ittai Anati ,  Francis McKeen ,  Michael Goldsmith ,  William Wood ,  Shay Gueron

IPC分类号： H04L9/32

CPC分类号： H04L9/3242 ,  G06F9/3004 ,  H04L9/3234 ,  H04L2209/127

摘要： Embodiments of an invention for secure processing environment measurement and attestation are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive a first instruction associated with a build or a rebuild of a secure enclave. The execution unit is to execute the first instruction. Execution of the first instruction, when associated with the build, includes calculation of a first measurement and a second measurement of the secure enclave. Execution of the first instruction, when associated with the rebuild, includes calculation of the second measurement without calculation of the first measurement.

摘要翻译： 公开了用于安全处理环境测量和认证的发明的实施例。 在一个实施例中，处理器包括指令单元和执行单元。 指令单元将接收与构建或重建安全飞地相关联的第一条指令。 执行单元执行第一条指令。 当与构建相关联时，执行第一条指令包括对安全飞地的第一测量和第二测量的计算。 当与重建相关联时，第一条指令的执行包括第二次测量的计算，而不计算第一次测量。

公开(公告)号：US20210110070A1

公开(公告)日：2021-04-15

申请号：US17131716

申请日：2020-12-22

申请人： Anjo Lucas Vahldiek-Oberwagner ,  Ravi L. Sahita ,  Mona Vij ,  Rameshkumar Illikkal ,  Michael Steiner ,  Thomas Knauth ,  Dmitrii Kuvaiskii ,  Sudha Krishnakumar ,  Krystof C. Zmudzinski ,  Vincent Scarlata ,  Francis McKeen

发明人： Anjo Lucas Vahldiek-Oberwagner ,  Ravi L. Sahita ,  Mona Vij ,  Rameshkumar Illikkal ,  Michael Steiner ,  Thomas Knauth ,  Dmitrii Kuvaiskii ,  Sudha Krishnakumar ,  Krystof C. Zmudzinski ,  Vincent Scarlata ,  Francis McKeen

IPC分类号： G06F21/79 ,  H04L9/14 ,  H04L9/32 ,  G06F12/14 ,  G06F3/06

摘要： Example methods and systems are directed to reducing latency in providing trusted execution environments (TEES). Initializing a TEE includes multiple steps before the TEE starts executing. Besides workload-specific initialization, workload-independent initialization is performed, such as adding memory to the TEE. In function-as-a-service (FaaS) environments, a large portion of the TEE is workload-independent, and thus can be performed prior to receiving the workload. Certain steps performed during TEE initialization are identical for certain classes of workloads. Thus, the common parts of the TEE initialization sequence may be performed before the TEE is requested. When a TEE is requested for a workload in the class and the parts to specialize the TEE for its particular purpose are known, the final steps to initialize the TEE are performed.

公开(公告)号：US20060206943A1

公开(公告)日：2006-09-14

申请号：US11386269

申请日：2006-03-21

申请人： Carl Ellison ,  Roger Golliver ,  Howard Herbert ,  Derrick Lin ,  Francis McKeen ,  Gilbert Neiger ,  Ken Reneris ,  James Sutton ,  Shreekant Thakkar ,  Millind Mittal

发明人： Carl Ellison ,  Roger Golliver ,  Howard Herbert ,  Derrick Lin ,  Francis McKeen ,  Gilbert Neiger ,  Ken Reneris ,  James Sutton ,  Shreekant Thakkar ,  Millind Mittal

IPC分类号： H04N7/16

CPC分类号： G06F21/53 ,  G06F9/468 ,  G06F21/562 ,  G06F21/57 ,  G06F21/74 ,  G06F2221/2105

摘要： A processing system has a processor that can operate in a normal ring 0 operating mode and one or more higher ring operating modes above the normal ring 0 operating mode. In addition, the processor can operate in an isolated execution mode. A memory in the processing system may include an ordinary memory area that can be accessed from the normal ring 0 operating mode, as well as an isolated memory area that can be accessed from the isolated execution mode but not from the normal ring 0 operating mode. The processing system may also include an operating system (OS) nub, as well as a key generator. The key generator may generate an OS nub key (OSNK) based at least in part on an identification of the OS nub and a master binding key (BK0) of the platform. Other embodiments are described and claimed.

摘要翻译： 处理系统具有处理器，该处理器可以在正常环0操作模式和高于正常环0操作模式的一个或多个较高环操作模式下操作。 此外，处理器可以在隔离的执行模式下操作。 处理系统中的存储器可以包括可以从正常环0操作模式访问的普通存储器区域以及可以从隔离执行模式而不是从正常环0操作模式访问的隔离存储器区域。 处理系统还可以包括操作系统（OS）nub以及密钥生成器。 密钥生成器可以至少部分地基于OS nub的标识和平台的主绑定密钥（BK 0）来生成OS nub密钥（OSNK）。 描述和要求保护其他实施例。

公开(公告)号：US20050044292A1

公开(公告)日：2005-02-24

申请号：US10644399

申请日：2003-08-19

申请人： Francis McKeen

发明人： Francis McKeen

IPC分类号： G06F21/00 ,  G06F3/00

CPC分类号： G06F21/52

摘要： In one embodiment, a method is provided. The method comprises encountering a function call instruction that calls a called function during program execution; saving a return address in a first stack and in a second stack, the return address containing an instruction to be executed after execution of the called function; executing the called function; and determining if the return address stored in the first stack matches the return address stored in the second stack.

摘要翻译： 在一个实施例中，提供了一种方法。 该方法包括在程序执行期间遇到调用被调用函数的函数调用指令; 在第一堆栈和第二堆栈中保存返回地址，返回地址包含执行被调用函数之后要执行的指令; 执行被叫函数; 以及确定存储在第一堆栈中的返回地址是否与存储在第二堆栈中的返回地址匹配。

公开(公告)号：US20060225135A1

公开(公告)日：2006-10-05

申请号：US11095719

申请日：2005-03-31

申请人： Antonio Cheng ,  Francis McKeen

发明人： Antonio Cheng ,  Francis McKeen

IPC分类号： H04N7/16

CPC分类号： G06F12/145 ,  G06F12/1063

摘要： In one embodiment, the present invention provides for extended memory protection for memory of a system. The embodiment includes a method for associating a protection indicator of a protection record maintained outside of an application's data space with a memory location, and preventing access to the memory location based on the status of the protection indicator. In such manner, more secure operation is provided, as malicious code or other malware is prevented from accessing protected memory locations. Other embodiments are described and claimed.

摘要翻译： 在一个实施例中，本发明提供用于系统的存储器的扩展存储器保护。 该实施例包括一种用于将维护在应用程序的数据空间外部的保护记录的保护指示符与存储器位置相关联的方法，以及基于保护指示符的状态来阻止对存储器位置的访问。 以这种方式，提供更安全的操作，因为防止恶意代码或其他恶意软件访问受保护的存储器位置。 描述和要求保护其他实施例。

公开(公告)号：US20060099991A1

公开(公告)日：2006-05-11

申请号：US10986482

申请日：2004-11-10

申请人： Sundeep Bajikar ,  Francis McKeen ,  Kelan Silvester

发明人： Sundeep Bajikar ,  Francis McKeen ,  Kelan Silvester

IPC分类号： H04M1/66 ,  H04M1/68 ,  H04B1/38

CPC分类号： G06F21/77 ,  G06F21/57 ,  G06F2221/2105

摘要： An approach for determining a type of credential card in a reader and, for some aspects, implementing a protection approach based on the determined type of credential card. For one aspect, an indication that a credential card has been received at a credential reader is received. In response, an instruction to be received by the credential card is provided, the instruction being recognizable by a first type of credential card, but not by a second type of credential card. The card is determined to be the first type of credential card if the response indicates that the instruction was recognized by the credential card. A protection policy may then be implemented for some aspects depending on the type of card detected.

摘要翻译： 一种用于在阅读器中确定凭证卡的类型的方法，并且在某些方面，基于所确定的凭证卡类型实施保护方法。 一方面，接收到在证书读取器处已经接收到证书卡的指示。 作为响应，提供由凭证卡接收的指令，该指令可由第一类型的凭证卡识别，但不由第二类型的凭证卡识别。 该卡被确定为第一种类型的凭证卡，如果响应表明该指令被凭证卡识别。 然后可以根据检测到的卡的类型在一些方面实现保护策略。

公开(公告)号：US20050250472A1

公开(公告)日：2005-11-10

申请号：US10839271

申请日：2004-05-04

申请人： Kelan Silvester ,  Francis McKeen ,  Sundeep Bajikar ,  Luke Girard

发明人： Kelan Silvester ,  Francis McKeen ,  Sundeep Bajikar ,  Luke Girard

IPC分类号： G06F21/00 ,  H04L9/00 ,  H04L9/08 ,  H04L9/30 ,  H04L9/32

CPC分类号： G06F21/35 ,  H04L9/0844 ,  H04L9/3231 ,  H04L9/3263 ,  H04L2209/805

摘要： A method for providing security to a computer system is described. Specifically, the computer periodically polls for a Bluetooth electronic device or other similar wireless electronic device. If the computer locates such a Bluetooth electronic device, the computer requests authentication from the Bluetooth electronic device. The user of the electronic device is given access to the computer system only if the computer recognizes the identification of the Bluetooth electronic device and is able to validate the authentication information provided by the Bluetooth electronic device through an encrypted channel.

摘要翻译： 描述了一种向计算机系统提供安全性的方法。 具体地，计算机周期性地轮询蓝牙电子设备或其他类似的无线电子设备。 如果计算机定位这样的蓝牙电子设备，则计算机从蓝牙电子设备请求认证。 仅当计算机识别蓝牙电子设备的标识并且能够通过加密的信道验证由蓝牙电子设备提供的认证信息时，才允许电子设备的用户访问计算机系统。