Abstract:
Methods and apparatus relating to pre-OS (pre Operating System) image rewriting to provide cross-architecture support, security introspection, and/or performance optimization are described. In an embodiment, logic rewrites a non-native firmware interface driver into a native firmware interface driver in response to a determination that sufficient space is available in an integrity cache storage device to store the native firmware interface driver. The logic rewrites the non-native firmware interface driver into the native firmware interface driver by performing one or more of its operations during operating system runtime. Other embodiments are also claimed and described.
Abstract:
A method and apparatus for improving the resume time of a platform. In one embodiment of the invention, the context of the platform is saved prior to entering an inactive state of the platform. When the platform is switched back to an active state, it reads the saved context and restores the platform to its original state prior to entering the inactive state. In one embodiment of the invention, the platform determines whether it should compress the saved context before storing it in a non-volatile memory based on the operating condition of the platform. This allows the platform to select the optimum method to allow faster resume time of the platform.
Abstract:
A method, apparatus, system, and computer program product for secure server system management. A payload containing system software and/or firmware updates is distributed in an on-demand, secure I/O operation. The I/O operation is performed via a secured communication channel inaccessible by the server operating system to an emulated USB drive. The secure communication channel can be established for the I/O operation only after authenticating the recipient of the payload, and the payload can be protected from access by a potentially-infected server operating system. Furthermore, the payload can be delivered on demand rather than relying on a BIOS update schedule, and the payload can be delivered at speeds of a write operation to a USB drive.
Abstract:
In a computing system having a processor package, an operating system, and a physical I/O device, a partial virtual machine is provided to instantiate a virtual I/O device corresponding to the physical I/O device, the virtual I/O device having a virtual I/O controller. The partial virtual machine includes an I/O port trap to capture an I/O request to the virtual I/O device by the operating system; an I/O controller emulator coupled to the I/O port trap to handle an I/O control request to the virtual I/O controller, when the I/O request comprises an I/O control request; an I/O device emulator coupled to the I/O port trap component to handle an I/O access request to communicate with the virtual I/O device, when the I/O request comprises an I/O access request; and a device driver coupled to the I/O controller emulator and the I/O device emulator to communicate with the physical I/O device based at least in part on the I/O control request and the I/O access request. The partial virtual machine executes within a secure enclave session within the processor package, improving security of I/O transactions by preventing access to the partial virtual machine by the operating system.
Abstract:
Various embodiments are generally directed to techniques to maintain confidentiality of non-volatile memory in a computer system through power state changes, such as, between a hibernation state and an awake state, for instance. Some embodiments are particularly directed to a memory confidentiality manager (MCM) that clears content in a protected non-volatile memory unless appropriate session data is provided after a power state change. In various embodiments, the MCM may comprise one or more portions of a state machine (SM). In some embodiments, a memory controller associated with the protected memory may provide the session data to the MCM as part of an authentication operation. In some such embodiments, the memory controller may comprise one or more portions of a system on chip (SOC).
Abstract:
The present disclosure is directed to flexible bootstrap code architecture. A device may comprise equipment for operating the device and an operating system (OS) for operating the equipment. A boot module may also be included in the device to execute boot operations. At least one flexible boot (FB) module in the boot module may interact with the equipment and/or OS during the boot operations to cause the boot operations to become device-specific. An example boot module may comprise a plurality of FB modules. An example FB module may verify a device/chipset identification and may control the boot operations based on the identification. Other example FB modules may select resources to load based on an OS type, may provide a boot configuration table location for use in OS runtime boot configuration or may load variables from a preload variable directory for use in configuring boot operations.
Abstract:
Apparatuses, methods and storage media associated with switching operating systems are disclosed herewith. In embodiments, an apparatus for computing may include one or more processors; and a virtual machine manager to be operated by the one or more processors to instantiate a first virtual machine with a first operating system in a background, and a second virtual machine with a second operating system in a foreground; wherein the virtual machine manager is further to place the first virtual machine, on instantiation, in background into a standby state. Other embodiments may be disclosed or claimed.
Abstract:
A controller is used in a computer system to control access to an NVRAM. The computer system includes a processor coupled to a non-volatile random access memory (NVRAM). The NVRAM is byte-rewritable and byte-erasable. The NVRAM stores data to be used by a set of agents including in-band agents and an out-of-band agent. The in-band agents run on a processor having one or more cores, and the out-of-band agent runs on a non-host processing element. When the controller receives an access request from the out-of-band agent, the controller determines, based on attributes associated with the out-of-band agent, whether a region in the NVRAM is shareable by the out-of-band agent and at least one of the in-band agents.
Abstract:
A non-volatile random access memory (NVRAM) is used in a computer system to perform multiple roles in a platform storage hierarchy. The NVRAM is byte-addressable by the processor and can be configured into one or more partitions, with each partition implementing a different tier of the platform storage hierarchy. The NVRAM can be used as mass storage that can be accessed without a storage driver.
Abstract:
A network interface card with read-only memory having at least a micro-kernel of a cluster computing operating system, a server formed with such a network interface card, and a computing cluster formed with such servers are disclosed herein. In various embodiments, on transfer, after an initial initialization phase during an initialization of a server, the network interface card loads the cluster computing operating system into system memory of the server, to enable the server, in conjunction with other similarly provisioned servers, to form a computing cluster. Other embodiments are also disclosed and claimed.