MEMORY INTEGRITY WITH ERROR DETECTION AND CORRECTION
    2.
    Invention application
    Status: under examination, published

    Publication number: WO2017112282A1

    Publication date: 2017-06-29

    Application number: PCT/US2016/063542

    Application date: 2016-11-23

    Abstract: Apparatus, systems, and/or methods may provide for identifying unencrypted data including a plurality of bits, wherein the unencrypted data may be encrypted and stored in memory. In addition, a determination may be made as to whether the unencrypted data includes a random distribution of the plurality of bits, for example based on a compressibility function. An integrity action may be implemented when the unencrypted data includes a random distribution of the plurality of bits, which may include error correction including a modification to ciphertext of the unencrypted data. Independently of error correction, a diffuser may generate intermediate and final ciphertext. In addition, a key and/or a tweak may be derived for a location in the memory. Moreover, an integrity value may be generated from a portion of the unencrypted data, and/or stored in a slot of an integrity check line based on the location.

    MULTI-CRYPTO-COLOR-GROUP VM/ENCLAVE MEMORY INTEGRITY METHOD AND APPARATUS
    3.
    Invention application
    Status: under examination, published

    Publication number: WO2018063670A1

    Publication date: 2018-04-05

    Application number: PCT/US2017/049125

    Application date: 2017-08-29

    Abstract: Embodiments of apparatus, method, and storage medium associated with MCCG memory integrity for securing/protecting memory content/data of VM or enclave are described herein. In some embodiments, an apparatus may include one or more encryption engines to encrypt a unit of data to be stored in a memory in response to a write operation from a VM or an enclave of an application, prior to storing the unit of data into the memory in an encrypted form; wherein to encrypt the unit of data, the one or more encryption engines are to encrypt the unit of data using at least a key domain selector associated with the VM or enclave, and a tweak based on a color within a color group associated with the VM or enclave. Other embodiments may be described and/or claimed.

    MULTI-STAGE MEMORY INTEGRITY METHOD AND APPARATUS
    4.
    Invention application
    Status: under examination, published

    Publication number: WO2018052577A1

    Publication date: 2018-03-22

    Application number: PCT/US2017/045960

    Application date: 2017-08-08

    Abstract: Embodiments of apparatus, method, and storage medium associated with multi-stage memory integrity for securing/protecting memory content are described herein. In some embodiments, an apparatus may include multiple stages having respective encryption engines to encrypt data in response to a write or restore operation; wherein the encryption engines are to successively encrypt the data in a plurality of encryption stages using a plurality of tweaks based on a plurality of selectors of different types. In embodiments, the multiple stages may further comprise one or more decryption engines to partially, fully, or pseudo decrypt the plural encrypted data, in response to a read, move or copy operation; wherein the one or more decryption engines are to partially, fully, or pseudo decrypt the plural encrypted data in one or more decryption stages using one or more tweaks based on a subset of the selectors of different types.

    CRYPTOGRAPHIC COMPUTING IN MULTITENANT ENVIRONMENTS

    Publication number: WO2021162792A1

    Publication date: 2021-08-19

    Application number: PCT/US2020/067072

    Application date: 2020-12-26

    Abstract: A processor, a system, a machine readable medium, and a method. The processor comprises first circuitry to: encrypt a first code image using a first code key; load the encrypted first code image into a memory area allocated in memory for the first code image by an operating system running on the processor; and send to the operating system a substitute key that corresponds to the first code key, wherein the first code key is concealed from the operating system; and an instruction cache including control circuitry; and second circuitry coupled to the instruction cache, the second circuitry to: receive the substitute key from the operating system; in response to a first request from the operating system to execute the first code image to instantiate a first process, perform a first cryptographic function using a hardware key to generate the first code key from the substitute key; and program the control circuitry of the instruction cache with the first code key to enable the first code image to be decrypted using the first code key.
