公开(公告)号：US20150381368A1

公开(公告)日：2015-12-31

申请号：US14318278

申请日：2014-06-27

申请人： William A. Stevens, JR. ,  Alberto J. Martinez ,  Mukesh Kataria ,  Purushottam Goel ,  Tim Abels ,  Mahesh S. Natu

发明人： William A. Stevens, JR. ,  Alberto J. Martinez ,  Mukesh Kataria ,  Purushottam Goel ,  Tim Abels ,  Mahesh S. Natu

IPC分类号： H04L9/32 ,  G06Q30/04 ,  G06F9/44

CPC分类号： G06Q30/04 ,  G06F21/44 ,  G06F21/629 ,  G06F21/82 ,  H04L63/0876 ,  H04L63/126

摘要： Technologies for secure offline activation of hardware features include a target computing device having a platform controller hub (PCH) including a converged security and manageability engine (CSME) and a number of in-field programmable fuses (IFPs). During assembly of the target computing device by an original equipment manufacturer (OEM), the CSME is provided a list of hardware features to be activated. The CSME configures the IFPs to enable the requested features, generates a digital receipt including the activated features and a unique device ID, and signs the receipt using a unique device key. Signed receipts may be periodically submitted to a vendor computing device, which verifies the signed receipts, extracts the active feature list, and bills the OEM for activated features of the PCHs. The vendor computing device may bill the OEM a maximum price for PCHs for which there is no associated signed receipt. Other embodiments are described and claimed.

摘要翻译： 用于硬件特征的安全离线激活的技术包括具有包括融合安全性和可管理性引擎（CSME）的平台控制器集线器（PCH）以及多个现场可编程保险丝（IFP））的目标计算设备。 在由原始设备制造商（OEM）组装目标计算设备的过程中，CSME提供要激活的硬件功能的列表。 CSME配置IFP以启用所请求的功能，生成包含激活的功能和唯一设备ID的数字收据，并使用唯一的设备密钥对收据进行签名。 签署的收据可以定期地提交给供应商计算设备，该设备验证签署的收据，提取活动的特征列表，并为OEM的PCH的激活特征收费。 供应商计算设备可以向OEM收取没有相关签名收据的PCH的最高价格。 描述和要求保护其他实施例。

公开(公告)号：US20110161672A1

公开(公告)日：2011-06-30

申请号：US12655579

申请日：2009-12-31

申请人： Alberto J. Martinez ,  William A. Stevens, JR. ,  Purushottam Goel ,  Ernie Brickell

发明人： Alberto J. Martinez ,  William A. Stevens, JR. ,  Purushottam Goel ,  Ernie Brickell

IPC分类号： H04L9/32 ,  G06F15/177 ,  H04L9/00 ,  G06F21/00

CPC分类号： H04L63/08 ,  G06F21/57 ,  H04L9/3249 ,  H04L63/06 ,  H04L2209/56

摘要： In some embodiments a secure permit request to change a hardware configuration is created. The secure permit request is sent to a remote location, and a permit sent from the remote location in response to the permit request is received. The hardware configuration is changed in response to the received permit. Other embodiments are described and claimed.

摘要翻译： 在一些实施例中，创建了用于改变硬件配置的安全许可证请求。 安全许可请求被发送到远程位置，并且接收到响应于许可请求从远程位置发送的许可证。 硬件配置根据接收到的许可证而改变。 描述和要求保护其他实施例。

公开(公告)号：US20160182238A1

公开(公告)日：2016-06-23

申请号：US14574969

申请日：2014-12-18

申请人： Prashant Dewan ,  Kapil Sood ,  Kumar N. Dwarakanath ,  Ioannis T. Schoinas ,  William A. Stevens, JR. ,  Ned M. Smith

发明人： Prashant Dewan ,  Kapil Sood ,  Kumar N. Dwarakanath ,  Ioannis T. Schoinas ,  William A. Stevens, JR. ,  Ned M. Smith

IPC分类号： H04L9/32 ,  G06F12/14

CPC分类号： H04L9/3263 ,  G06F21/572 ,  G06F21/74 ,  G09C1/00 ,  H04L9/321 ,  H04L9/3234 ,  H04L9/3242 ,  H04L2209/12 ,  H04L2209/68

摘要： In one embodiment, a processor has at least one core to execute instructions, a security engine coupled to the at least one core, a first storage to store a first immutable key associated with a vendor of the processor, and a second storage to store a second immutable key associated with an original equipment manufacturer (OEM) of the system. A first portion of firmware is to be verified based at least in part on the first immutable key and a second portion of firmware is to be verified based at least in part on the second immutable key, the first portion of firmware associated with the vendor and the second portion of firmware associated with the OEM. Other embodiments are described and claimed.

摘要翻译： 在一个实施例中，处理器具有执行指令的至少一个核心，耦合到所述至少一个核心的安全引擎，用于存储与所述处理器的供应商相关联的第一不可变密钥的第一存储器，以及存储 与系统的原始设备制造商（OEM）相关联的第二个不可变键。 至少部分地基于第一不可变密钥验证固件的第一部分，并且至少部分地基于第二不可变密钥，与供应商相关联的固件的第一部分和 与OEM相关联的固件的第二部分。 描述和要求保护其他实施例。

公开(公告)号：US20190042725A1

公开(公告)日：2019-02-07

申请号：US16021275

申请日：2018-06-28

申请人： Xiaoyu Ruan ,  William A. Stevens, JR.

发明人： Xiaoyu Ruan ,  William A. Stevens, JR.

IPC分类号： G06F21/44 ,  G06F21/60 ,  H04L9/08

摘要： In one embodiment, an apparatus includes a non-volatile storage to store a seed value and a signature that is based on an iterative execution of a function for a predetermined number of intervals. The apparatus may further include the security processor coupled to the non-volatile storage, where the security processor is to independently recover a credential for an updated version of the firmware based at least in part on the seed value and a security version number for the updated version of the firmware. Other embodiments are described and claimed.

公开(公告)号：US20190258539A1

公开(公告)日：2019-08-22

申请号：US16398076

申请日：2019-04-29

申请人： Zhenyu Zhu ,  William A. Stevens, JR. ,  Michael T. Klinglesmith ,  Mikal Hunsaker

发明人： Zhenyu Zhu ,  William A. Stevens, JR. ,  Michael T. Klinglesmith ,  Mikal Hunsaker

IPC分类号： G06F11/10 ,  G06F13/42 ,  G06F13/16

摘要： Embodiments include a serial bus controller that may be coupled to an in band serial peripheral interface (SPI) link, to request a write of data and a subsequent read of the data from a slave device and in response to the request to read the data, receive a bit error report and optionally correct the bit error over the in band SPI link. Embodiments include a slave device, e.g., a flash memory device, to detect and report the bit error over the in band SPI link, where the flash memory device, in response to a request to write and/or erase data, calculates or determines an error correction code (ECC) and stores corresponding parity data. In embodiments, after receiving a subsequent request to read the data, the flash memory device accesses the stored parity data to check the ECC for a bit error and if a bit error is detected, reports the detected bit error over the in band SPI link. Other embodiments may be described and claimed.

公开(公告)号：US20110320742A1

公开(公告)日：2011-12-29

申请号：US12822034

申请日：2010-06-23

申请人： Kie Woon Lim ,  Khee Wooi Lee ,  William A. Stevens, JR.

发明人： Kie Woon Lim ,  Khee Wooi Lee ,  William A. Stevens, JR.

IPC分类号： G06F12/00

CPC分类号： G06F12/123

摘要： Techniques for generating access information indicating a least recently used (LRU) memory region in a set of memory regions. In an embodiment, data is stored in an entry of an LRU tracking list (LTL) based on a touch message indicating when a memory group has been touched—e.g. read from, written to and/or associated with a memory region. The data stored in an LTL entry may include an identifier of a memory group and/or validity data specifying whether that LTL entry stores a set of default data. In another embodiment, access information may be generated based on the memory group identifier and the validity data.

摘要翻译： 用于产生指示一组存储器区域中的最近最少使用（LRU）存储器区域的访问信息的技术。 在一个实施例中，基于指示何时触摸存储器组的触摸消息，将数据存储在LRU跟踪列表（LTL）的条目中 - 例如， 读取，写入和/或与存储器区域相关联。 存储在LTL条目中的数据可以包括存储器组的标识符和/或指定该LTL条目是否存储一组默认数据的有效性数据。 在另一个实施例中，可以基于存储器组标识符和有效性数据来生成访问信息。

公开(公告)号：US20140223198A1

公开(公告)日：2014-08-07

申请号：US13997896

申请日：2011-12-20

申请人： Nitin V. Saranghar ,  William A. Stevens, JR. ,  John J. Vranich

发明人： Nitin V. Saranghar ,  William A. Stevens, JR. ,  John J. Vranich

IPC分类号： G06F12/14

CPC分类号： G06F12/1408 ,  G06F13/14 ,  G06F21/44 ,  G06F21/79 ,  G06F2212/1052

摘要： Embodiments of the invention create an underlying infrastructure in a flash memory device (e.g., a serial peripheral interface (SPI) flash memory device) such that it may be protected against user attacks—e.g., replacing the SPI flash memory device or a man-in-the-middle (MITM) attack to modify the SPI flash memory contents on the fly. In the prior art, monotonic counters cannot be stored in SPI flash memory devices because said devices do not provide replay protection for the counters. A user may also remove the flash memory device and reprogram it. Host platforms alone cannot protect against such hardware attacks.Embodiments of the invention enable secure standard storage flash memory devices such as SPI flash memory devices to achieve replay protection for securely stored data. Embodiments of the invention utilize flash memory controllers, flash memory devices, unique device keys and HMAC key logic to create secure execution environments for various components.

摘要翻译： 本发明的实施例在闪存设备（例如，串行外围设备接口（SPI）闪存设备）中创建底层基础设施，使得其可以被保护免受用户攻击 - 例如，替换SPI闪存设备或管理员 - 中间（MITM）攻击，即时修改SPI闪存内容。 在现有技术中，单调计数器不能存储在SPI闪存设备中，因为所述设备不为计数器提供重放保护。 用户还可以移除闪存设备并对其进行重新编程。 仅主机平台无法防范此类硬件攻击。 本发明的实施例使得诸如SPI闪存设备之类的安全标准存储闪存设备能够实现用于安全存储的数据的重放保护。 本发明的实施例利用闪存控制器，闪存设备，唯一设备密钥和HMAC密钥逻辑来为各种组件创建安全的执行环境。

公开(公告)号：US20130159727A1

公开(公告)日：2013-06-20

申请号：US13631556

申请日：2012-09-28

申请人： Nitin V. Sarangdhar ,  William A. Stevens, JR. ,  John J. Vranich

发明人： Nitin V. Sarangdhar ,  William A. Stevens, JR. ,  John J. Vranich

IPC分类号： G06F12/14

CPC分类号： G06F12/1408 ,  G06F21/445 ,  G06F21/79

摘要： Embodiments of the invention create an underlying infrastructure in a flash memory device (e.g., a serial peripheral interface (SPI) flash memory device) such that it may be protected against user attacks—e.g., replacing the SPI flash memory device or a man-in-the-middle (MITM) attack to modify the SPI flash memory contents on the fly. In the prior art, monotonic counters cannot be stored in SPI flash memory devices because said devices do not provide replay protection for the counters. A user may also remove the flash memory device and reprogram it. Host platforms alone cannot protect against such hardware attacks.Embodiments of the invention enable secure standard storage flash memory devices such as SPI flash memory devices to achieve replay protection for securely stored data. Embodiments of the invention utilize flash memory controllers, flash memory devices, unique device keys and HMAC key logic to create secure execution environments for various components.

摘要翻译： 本发明的实施例在闪存设备（例如，串行外围设备接口（SPI）闪存设备）中创建底层基础设施，使得其可以被保护免受用户攻击 - 例如，替换SPI闪存设备或管理员 - 中间（MITM）攻击，即时修改SPI闪存内容。 在现有技术中，单调计数器不能存储在SPI闪存设备中，因为所述设备不为计数器提供重放保护。 用户还可以移除闪存设备并对其进行重新编程。 仅主机平台无法防范此类硬件攻击。 本发明的实施例使得诸如SPI闪存设备之类的安全标准存储闪存设备能够实现用于安全存储的数据的重放保护。 本发明的实施例利用闪存控制器，闪存设备，唯一设备密钥和HMAC密钥逻辑来为各种组件创建安全的执行环境。