公开(公告)号：WO2018176339A1

公开(公告)日：2018-10-04

申请号：PCT/CN2017/078865

申请日：2017-03-30

Applicant: INTEL CORPORATION ,  SHI, Junjing ,  LONG, Qin ,  GAO, Liming ,  ROTHMAN, Michael A. ,  ZIMMER, Vincent J.

Inventor： SHI, Junjing ,  LONG, Qin ,  GAO, Liming ,  ROTHMAN, Michael A. ,  ZIMMER, Vincent J.

IPC: G06F21/52

Abstract: A disclosed example to protect memory from buffer overflow or underflow includes defining an implicit bound pointer based on an implicit bound pointer definition in a configuration file for a memory region; instrumenting object code with an implicit buffer bound check based on the implicit bound pointer; and generating hardened executable object code based on the object code, the implicit buffer bound check, and the implicit bound pointer, the implicit bound pointer located in the hardened executable object code during a compilation phase to facilitate loading the implicit bound pointer in a global bounds table during runtime for access by the implicit buffer bound check.

公开(公告)号：WO2013116073A1

公开(公告)日：2013-08-08

申请号：PCT/US2013/022856

申请日：2013-01-24

Applicant: INTEL CORPORATION

Inventor： ROTHMAN, Michael A. ,  ZIMMER, Vincent J. ,  DORAN, Mark S. ,  KINNEY, Michael D.

IPC: G06F9/24 ,  G06F9/30

CPC classification number: G06F9/4406

Abstract: Methods, systems and computer program products are disclosed for enhanced system boot processing that is faster to launch an operating system, as certain devices such as user input hardware devices may not be initialized unless it is determined that a user-interruption to the boot process is likely. That is, although an interface for the devices is exposed, no initialization occurs unless a call to the interface occurs. Other embodiments are described and claimed.

Abstract translation: 公开了用于增强系统启动处理的方法，系统和计算机程序产品，其更快地启动操作系统，因为某些设备（例如用户输入硬件设备）可能不被初始化，除非确定用户中断引导过程是 有可能。 也就是说，虽然暴露了设备的接口，但是除非发生对接口的调用，否则不会进行初始化。 描述和要求保护其他实施例。

公开(公告)号：WO2015200581A1

公开(公告)日：2015-12-30

申请号：PCT/US2015/037600

申请日：2015-06-25

Applicant: INTEL CORPORATION

Inventor： ZIMMER, Vincent J. ,  ADAMS, Nicholas J. ,  MUDUSURU, Giri P. ,  ROSENBAUM, Lee G. ,  ROTHMAN, Michael A.

IPC: G06F21/57 ,  G06F21/72

CPC classification number: G06F21/72 ,  G06F21/575 ,  G06F2221/034 ,  G09C1/00 ,  H04L9/3234 ,  H04L2209/12

Abstract: An embodiment includes an apparatus comprising: an out-of-band cryptoprocessor coupled to secure non-volatile storage; and at least one storage medium having firmware instructions stored thereon for causing, during runtime and after an operating system for the apparatus has booted, the cryptoprocessor to (a) store a key within the secure non-volatile storage, (b) sign an object with the key, while the key is within the cryptoprocessor, to produce a signature, and (c) verify the signature. Other embodiments are described herein.

Abstract translation: 实施例包括一种装置，包括：耦合到固定非易失性存储器的带外密码处理器; 以及至少一个具有存储在其上的固件指令的存储介质，用于在运行时以及在所述装置的操作系统启动之后使所述密码处理器（a）将密钥存储在所述安全非易失性存储器内，（b） 使用密钥，而密钥在密码处理器内，生成签名，（c）验证签名。 本文描述了其它实施例。

公开(公告)号：WO2015065360A1

公开(公告)日：2015-05-07

申请号：PCT/US2013/067451

申请日：2013-10-30

Applicant: INTEL CORPORATION ,  ROTHMAN, Michael A. ,  ZIMMER, Vincent J. ,  KROGH, Daniel M.

Inventor： ROTHMAN, Michael A. ,  ZIMMER, Vincent J. ,  KROGH, Daniel M.

IPC: G06F9/24 ,  G06F9/44

CPC classification number: G06F3/0607 ,  G06F3/0655 ,  G06F3/0688 ,  G06F9/44505 ,  G06F12/0246 ,  G06F21/575 ,  G06F21/79 ,  G06F2212/7202

Abstract: Technologies for providing services to a non-volatile store include a computing device having a non-volatile store policy that defines a minimum amount of reserved space in the non-volatile store. The mobile computing device receives a call for services to the non-volatile store, determines useable free space in the non-volatile store based on the non-volatile store policy, and responds to the call for services based on the useable free space. Technologies for platform configuration include a computing device having a firmware environment and an operating system. The firmware environment determines information on configuration settings inaccessible to the operating system and exports the information to the operating system. The operating system determines a new configuration setting based on the exported information, and may configure the computing device at runtime. The operating system may securely pass a configuration directive to the firmware environment for configuration during boot. Other embodiments are described and claimed.

Abstract translation: 向非易失性存储器提供服务的技术包括具有非易失性存储策略的计算设备，该非易失性存储策略定义非易失性存储器中的最小保留空间量。 移动计算设备接收对非易失性存储的服务的呼叫，基于非易失性存储策略确定非易失性存储器中的可用空闲空间，并且基于可用的可用空间来响应对服务的呼叫。 用于平台配置的技术包括具有固件环境和操作系统的计算设备。 固件环境确定关于操作系统无法访问的配置设置的信息，并将信息导出到操作系统。 操作系统基于导出的信息确定新的配置设置，并且可以在运行时配置计算设备。 操作系统可以安全地将配置指令传递给固件环境，以便在引导期间进行配置。 描述和要求保护其他实施例。

公开(公告)号：WO2015060853A1

公开(公告)日：2015-04-30

申请号：PCT/US2013/066608

申请日：2013-10-24

Applicant: INTEL CORPORATION ,  ZIMMER, Vincent J. ,  ROTHMAN, Michael A. ,  BAHNSEN, Robert B. ,  SWANSON, Robert C.

Inventor： ZIMMER, Vincent J. ,  ROTHMAN, Michael A. ,  BAHNSEN, Robert B. ,  SWANSON, Robert C.

IPC: G06F9/22 ,  G06F9/24

CPC classification number: G06F9/445 ,  G06F8/52 ,  G06F8/65 ,  G06F8/654 ,  G06F9/22 ,  G06F9/24 ,  G06F9/4403 ,  G06F9/4411 ,  G06F9/45516 ,  G06F21/572 ,  G06F21/575 ,  G06F2221/033

Abstract: Methods and apparatus relating to pre-OS (pre Operating System) image rewriting to provide cross-architecture support, security introspection, and/or performance optimization are described. In an embodiment, logic rewrites a non-native firmware interface driver into a native firmware interface driver in response to a determination that sufficient space is available in an integrity cache storage device to store the native firmware interface driver. The logic rewrites the non-native firmware interface driver into the native firmware interface driver by performing one or more of its operations during operating system runtime. Other embodiments are also claimed and described.

Abstract translation: 描述与前OS（预操作系统）图像重写相关以提供交叉架构支持，安全内省和/或性能优化的方法和装置。 在一个实施例中，响应于在完整性高速缓存存储设备中有足够的空间可用于存储本地固件接口驱动程序的确定，逻辑将非本地固件接口驱动程序重写为本机固件接口驱动程序。 逻辑通过在操作系统运行时执行其一个或多个操作，将非本地固件接口驱动程序重写为本机固件接口驱动程序。 还要求保护和描述其它实施例。

公开(公告)号：WO2012045038A1

公开(公告)日：2012-04-05

申请号：PCT/US2011/054419

申请日：2011-09-30

Applicant: INTEL CORPORATION ,  SAKTHIKUMAR, Palsamy ,  SWANSON, Robert C. ,  ROTHMAN, Michael A. ,  BULUSU, Mallik ,  ZIMMER, Vincent J.

Inventor： SAKTHIKUMAR, Palsamy ,  SWANSON, Robert C. ,  ROTHMAN, Michael A. ,  BULUSU, Mallik ,  ZIMMER, Vincent J.

IPC: G06F21/22 ,  G06F13/14 ,  G06F9/22 ,  G06F9/44

CPC classification number: G06F13/105 ,  G06F9/4812 ,  G06F21/572 ,  G06F2221/2105

Abstract: A method, apparatus, system, and computer program product for secure server system management. A payload containing system software and/or firmware updates is distributed in an on-demand, secure I/O operation. The I/O operation is performed via a secured communication channel inaccessible by the server operating system to an emulated USB drive. The secure communication channel can be established for the I/O operation only after authenticating the recipient of the payload, and the payload can be protected from access by a potentially-infected server operating system. Furthermore, the payload can be delivered on demand rather than relying on a BIOS update schedule, and the payload can be delivered at speeds of a write operation to a USB drive.

Abstract translation: 一种用于安全服务器系统管理的方法，设备，系统和计算机程序产品。 包含系统软件和/或固件更新的有效载荷以按需安全I / O操作分发。 I / O操作通过服务器操作系统无法访问到模拟USB驱动器的安全通信通道执行。 只有在验证有效负载的收件人之后，才能为I / O操作建立安全通信通道，并且可以保护有效负载免受潜在感染的服务器操作系统的访问。 此外，有效载荷可以按需传送，而不是依赖于BIOS更新计划，并且有效载荷可以以写入操作的速度传送到USB驱动器。

公开(公告)号：WO2015119855A1

公开(公告)日：2015-08-13

申请号：PCT/US2015/013786

申请日：2015-01-30

Applicant: INTEL CORPORATION

Inventor： ROTHMAN, Michael A. ,  ZIMMER, Vincent J. ,  DORAN, Mark S.

IPC: G06F21/62

CPC classification number: G06F21/572 ,  G06F9/441 ,  G06F21/604 ,  G06F21/6281

Abstract: Technologies for media protection policy enforcement include a computing device having multiple operating systems and a data storage device partitioned into a number of regions. During execution of each of the operating systems, a policy enforcement module may intercept media access requests and determine whether to allow the media access requests based on platform media access policies. The media access policies may allow requests based on the identity of the executing operating system, the region of the data storage device, or the requested storage operation. Prior to loading a selected operating system, a firmware policy enforcement module may determine a region of the disk storage device to protect from the selected operating system. The firmware policy enforcement module may configure the data storage device to prevent access to that region. The media access policies may be stored in one or more firmware variables. Other embodiments are described and claimed.

Abstract translation: 用于媒体保护策略实施的技术包括具有多个操作系统的计算设备和分割成多个区域的数据存储设备。 在执行每个操作系统期间，策略执行模块可以拦截媒体访问请求并且基于平台媒体访问策略来确定是否允许媒体访问请求。 媒体访问策略可以允许基于执行操作系统的身份，数据存储设备的区域或所请求的存储操作的请求。 在加载所选择的操作系统之前，固件策略执行模块可以确定磁盘存储设备的区域以保护所选择的操作系统。 固件策略执行模块可以配置数据存储设备以防止访问该区域。 媒体访问策略可以存储在一个或多个固件变量中。 描述和要求保护其他实施例。

公开(公告)号：WO2015099698A1

公开(公告)日：2015-07-02

申请号：PCT/US2013/077656

申请日：2013-12-24

Applicant: INTEL CORPORATION ,  SMITH, Ned M. ,  HELDT-SHELLER, Nathan ,  MICHELIS, Pablo A. ,  ZIMMER, Vincent J. ,  WOOD, Matthew D. ,  BECKWITH, Richard T. ,  ROTHMAN, Michael A.

Inventor： SMITH, Ned M. ,  HELDT-SHELLER, Nathan ,  MICHELIS, Pablo A. ,  ZIMMER, Vincent J. ,  WOOD, Matthew D. ,  BECKWITH, Richard T. ,  ROTHMAN, Michael A.

IPC: G06F21/10

CPC classification number: H04L63/0428 ,  G06F21/10 ,  G06F21/60 ,  H04L63/0485 ,  H04L2463/101 ,  H04N21/4405 ,  H04N21/4627

Abstract: The present disclosure is directed to content protection for Data as a Service (DaaS). A device may receive encrypted data from a content provider via DaaS, the encrypted data comprising at least content for presentation on the device. For example, the content provider may utilize a secure multiplex transform (SMT) module in a trusted execution environment (TEE) module to generate encoded data from the content and digital rights management (DRM) data and to generate the encrypted data from the encoded data. The device may also comprise a TEE module including a secure demultiplex transform (SDT) module to decrypt the encoded data from the encrypted data and to decode the content and DRM data from the encoded data. The SMT and SDT modules may interact via a secure communication session to validate security, distribute decryption key(s), etc. In one embodiment, a trust broker may perform TEE module validation and key distribution.

Abstract translation: 本公开涉及数据即服务（DaaS）的内容保护。 设备可以经由DaaS从内容提供商接收加密数据，所述加密数据至少包括用于在设备上呈现的内容。 例如，内容提供商可以利用可信执行环境（TEE）模块中的安全多路转换（SMT）模块来从内容和数字版权管理（DRM）数据生成编码数据，并从编码数据生成加密数据 。 该设备还可以包括TEE模块，该TEE模块包括安全解复用变换（SDT）模块，用于从加密数据解密编码数据，并从编码数据解码内容和DRM数据。 SMT和SDT模块可以通过安全通信会话交互以验证安全性，分发解密密钥等。在一个实施例中，信任代理可以执行TEE模块验证和密钥分发。

公开(公告)号：WO2014063330A1

公开(公告)日：2014-05-01

申请号：PCT/CN2012/083498

申请日：2012-10-25

Applicant: INTEL CORPORATION ,  QIAN, Ouyang ,  WANG, Jian J. ,  ZIMMER, Vincent J. ,  ROTHMAN, Michael A. ,  ZHANG, Chao B.

Inventor： QIAN, Ouyang ,  WANG, Jian J. ,  ZIMMER, Vincent J. ,  ROTHMAN, Michael A. ,  ZHANG, Chao B.

IPC: G06F21/00

CPC classification number: G06F21/602 ,  G06F9/4406 ,  G06F21/32 ,  G06F21/575

Abstract: Methods, systems and storage media are disclosed for enhanced system boot processing that authenticates boot code based on biometric information of the user before loading the boot code to system memory. For at least some embodiments, the biometric authentication augments authentication of boot code based on a unique platform identifier. The enhanced boot code authentication occurs before loading of the operating system, and may be performed during a Unified Extensible Firmware Interface (UEFI) boot sequence. Other embodiments are described and claimed.

Abstract translation: 公开了用于增强的系统引导处理的方法，系统和存储介质，其在将引导代码加载到系统存储器之前，基于用户的生物特征信息认证引导代码。 对于至少一些实施例，生物认证认证增强了基于唯一平台标识符的引导代码的认证。 增强的引导代码认证在加载操作系统之前发生，并且可以在统一的可扩展固件接口（UEFI）引导序列期间执行。 描述和要求保护其他实施例。

公开(公告)号：WO2012040606A2

公开(公告)日：2012-03-29

申请号：PCT/US2011/053045

申请日：2011-09-23

Applicant: INTEL CORPORATION ,  SWANSON, Robert ,  ROTHMAN, Michael A. ,  BULUSU, Mallik ,  ZIMMER, Vincent J. ,  SAKTHIKUMAR, Palsamy

Inventor： SWANSON, Robert ,  ROTHMAN, Michael A. ,  BULUSU, Mallik ,  ZIMMER, Vincent J. ,  SAKTHIKUMAR, Palsamy

IPC: G06F9/22 ,  G06F9/06 ,  G06F13/14

CPC classification number: G06F9/4416

Abstract: A network interface card with read-only memory having at least a micro-kernel of a cluster computing operation system, a server formed with such network interface card, and a computing cluster formed with such servers are disclosed herein. In various embodiments, on transfer, after an initial initialization phase during an initialization of a server, the network interface card loads the cluster computing operation system into system memory of the server, to enable the server, in conjunction with other similarly provisioned servers to form a computing cluster. Other embodiments are also disclosed and claimed.

Abstract translation: 本文公开了一种具有只读存储器的网络接口卡，其具有至少集群计算操作系统的微内核，形成有这种网络接口卡的服务器以及与这种服务器形成的计算集群。 在各种实施例中，在传输时，在服务器的初始化期间的初始初始化阶段之后，网络接口卡将集群计算操作系统加载到服务器的系统存储器中，以使服务器与其他类似的供应服务器一起形成 一个计算集群。 还公开并要求保护其他实施例。