-
11.
Publication number: US10558588B2
Publication date: 2020-02-11
Application number: US15651771
Application date: 2017-07-17
Applicant: Intel Corporation
Inventor: Carlos V. Rozas , Mona Vij , Rebekah M. Leslie-Hurd , Krystof C. Zmudzinski , Somnath Chakrabarti , Francis X. Mckeen , Vincent R. Scarlata , Simon P. Johnson , Ilya Alexandrovich , Gilbert Neiger , Vedvyas Shanbhogue , Ittai Anati
Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.
-
12.
Publication number: US10534724B2
Publication date: 2020-01-14
Application number: US14998157
Application date: 2015-12-24
Applicant: INTEL CORPORATION
Inventor: Carlos V. Rozas , Ilya Alexandrovich , Gilbert Neiger , Francis X. McKeen , Ittai Anati , Vedvyas Shanbhogue , Mona Vij , Rebekah Leslie-Hurd , Krystof C. Zmudzinski , Somnath Chakrabarti , Vincent R. Scarlata , Simon P. Johnson
IPC: G06F12/14 , H04L9/32 , G06F12/0802 , H04L9/14
Abstract: Instructions and logic support suspending and resuming migration of enclaves in a secure enclave page cache (EPC). An EPC stores a secure domain control structure (SDCS) in storage accessible by an enclave for a management process, and by a domain of enclaves. A second processor checks if a corresponding version array (VA) page is bound to the SDCS, and if so: increments a version counter in the SDCS for the page, performs an authenticated encryption of the page from the EPC using the version counter in the SDCS, and writes the encrypted page to external memory. A second processor checks if a corresponding VA page is bound to a second SDCS of the second processor, and if so: performs an authenticated decryption of the page using a version counter in the second SDCS, and loads the decrypted page to the EPC in the second processor if authentication passes.
-
Publication number: US20190012273A1
Publication date: 2019-01-10
Application number: US16036654
Application date: 2018-07-16
Applicant: Intel Corporation
Inventor: Rebekah M. Leslie-Hurd , Francis X. McKeen , Carlos V. Rozas , Krystof C. Zmudzinski
CPC classification number: G06F12/1441 , G06F9/52 , G06F21/53 , G06F21/74 , G06F21/79
Abstract: Secure memory allocation technologies are described. A processor includes a processor core and a memory controller that is coupled between the processor core and main memory. The main memory comprises a protected region including secured pages. The processor, in response to a content copy instruction, is to initialize a target page in the protected region of an application address space. The processor, in response to the content copy instruction, is also to select content of a source page in the protected region to be copied. The processor, in response to the content copy instruction, is also to copy the selected content to the target page in the protected region of the application address space.
-
Publication number: US20180329829A1
Publication date: 2018-11-15
Application number: US15592089
Application date: 2017-05-10
Applicant: Intel Corporation
Inventor: Krystof C. Zmudzinski , Carlos V. Rozas , Francis X. McKeen , Rebekah M. Leslie-Hurd , Meltem Ozsoy , Somnath Chakrabarti , Mona Vij
IPC: G06F12/1027 , G06F12/1009 , G06F12/14 , G06F9/455
Abstract: Translation lookaside buffer (TLB) tracking and managing technologies are described. A processing device comprises a translation lookaside buffer (TLB) and a processing core to execute a virtual machine monitor (VMM), the VMM to manage a virtual machine (VM) including virtual processors. The processing core is to execute, via the VM, a plurality of conversion instructions on at least one of the virtual processors to convert a plurality of non-secure pages to a plurality of secure pages. The processing core is also to execute, via the VM, one or more allocation instructions on the at least one of the virtual processors to allocate at least one secure page of the plurality of secure pages, execution of the one or more allocation instructions to include determining whether the TLB is cleared of mappings to the at least one secure page prior to allocating the at least one secure page.
-
Publication number: US20170091445A1
Publication date: 2017-03-30
Application number: US14866856
Application date: 2015-09-26
Applicant: Intel Corporation
Inventor: Bin Xing , Krystof C. Zmudzinski , Wei Wu , Shih-Lien L. Lu , Carlos V. Rozas , Francis X. McKeen , Siddhartha Chhabra , Mark W. Shanahan
IPC: G06F21/53
CPC classification number: G06F21/53 , G06F21/79 , G06F2221/033
Abstract: Technologies for software attack detection include a computing device with a processor and a memory external to the processor. The processor originates a memory transaction with an associated secure enclave status bit that indicates whether the memory transaction originated in a secure execution mode, such as from a secure enclave. The processor computes an error-correcting code (ECC) as a function of the memory transaction data and the secure enclave status bit, and performs the memory transaction based on the ECC and the memory transaction data using the memory of the computing device. The processor may store the ECC and the memory transaction data to memory. The processor may load a stored ECC and data from the memory and compare the computed ECC to the stored ECC to detect memory transactions with an invalid secure enclave status bit. Other embodiments are described and claimed.
-
Publication number: US09369441B2
Publication date: 2016-06-14
Application number: US14127533
Application date: 2013-06-04
Applicant: Intel Corporation
Inventor: Reshma Lal , Pradeep M. Pappachan , Krystof C. Zmudzinski , Micah J. Sheller
CPC classification number: H04L63/0428 , H04L9/14 , H04L9/3223 , H04L63/062 , H04L63/08 , H04L2209/60
Abstract: The present disclosure is directed to an end-to-end secure communication system wherein, in addition to encrypting transmissions between clients, communication-related operations occurring within each client may also be secured. Each client may comprise a secure processing environment to process encrypted communication information received from other clients and locally-captured media information for transmission to other clients. The secure processing environment may include resources to decrypt received encrypted communication information and to process the communication information into media information for presentation by the client. The secure processing environment may also operate in reverse to provide locally recorded audio, image, video, etc. to other clients. Encryption protocols may be employed at various stages of information processing in the client to help ensure that information being transferred between the processing resources cannot be read, copied, altered, etc. In one example implementation, a server may manage interaction between clients, provision encryption keys, etc.
-
17.
Publication number: US20240184717A1
Publication date: 2024-06-06
Application number: US18378124
Application date: 2023-10-09
Applicant: Intel Corporation
Inventor: Carlos V. Rozas , Mona Vij , Rebekah M. Leslie-Hurd , Krystof C. Zmudzinski , Somnath Chakrabarti , Francis X. Mckeen , Vincent R. Scarlata , Simon P. Johnson , Ilya Alexandrovich , Gilbert Neiger , Vedvyas Shanbhogue , Ittai Anati
CPC classification number: G06F12/1408 , G06F8/41 , G06F9/30145 , G06F9/45558 , G06F12/1441 , G06F12/1483 , G06F21/53 , G06F21/602 , G06F2009/4557 , G06F2009/45587 , G06F2212/1052
Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.
-
Publication number: US11204874B2
Publication date: 2021-12-21
Application number: US16838418
Application date: 2020-04-02
Applicant: Intel Corporation
Inventor: Vedvyas Shanbhogue , Krystof C. Zmudzinski , Carlos V. Rozas , Francis X. McKeen , Raghunandan Makaram , Ilya Alexandrovich , Ittai Anati , Meltem Ozsoy
IPC: G06F12/0862 , G06F12/0846 , G06F12/1027 , G06F12/14 , G06F12/1009
Abstract: Secure memory repartitioning technologies are described. Embodiments of the disclosure may include a processing device including a processor core and a memory controller coupled between the processor core and a memory device. The memory device includes a memory range including a section of convertible pages that are convertible to secure pages or non-secure pages. The processor core is to receive a non-secure access request to a page in the memory device, responsive to a determination, based on one or more secure state bits in one or more secure state bit arrays, that the page is a secure page, insert an abort page address into a translation lookaside buffer, and responsive to a determination, based on the one or more secure state bits in the one or more secure state bit arrays, that the page is a non-secure page, insert the page into the translation lookaside buffer.
-
19.
Publication number: US11030120B2
Publication date: 2021-06-08
Application number: US16454481
Application date: 2019-06-27
Applicant: Intel Corporation
Inventor: Krystof C. Zmudzinski , Simon P. Johnson , Raghunandan Makaram , Francis X. McKeen , Carlos V. Rozas , Meltem Ozsoy , Ilya Alexandrovich , Siddhartha Chhabra
IPC: G06F12/14 , G06F12/1045 , G06F12/0882 , G06F11/30 , G06F12/0871 , G06F9/4401 , G06F11/07 , G06F12/0891
Abstract: A processor includes a cryptographic engine to control access, using a secure region key identifier (ID), to one or more memory ranges of memory allocable for flexible conversion to secure pages of architecturally-protected memory regions, and a processor core. The processor core is to, responsive to receipt of a request to access the memory, perform a walk of page tables and extended page tables to translate a linear address of the request to a physical address of the memory. The processor core is further to determine that the physical address corresponds to a secure page within the one or more memory ranges of the memory, that a first key ID located within the physical address does not match the secure region key ID, and issue a page fault and deny access to the secure page in the memory.
-
Publication number: US20200310990A1
Publication date: 2020-10-01
Application number: US16807872
Application date: 2020-03-03
Applicant: Intel Corporation
Inventor: Rebekah M. Leslie-Hurd , Francis X. McKeen , Carlos V. Rozas , Krystof C. Zmudzinski
Abstract: Secure memory allocation technologies are described. A processor includes a processor core and a memory controller that is coupled between the processor core and main memory. The main memory comprises a protected region including secured pages. The processor, in response to a content copy instruction, is to initialize a target page in the protected region of an application address space. The processor, in response to the content copy instruction, is also to select content of a source page in the protected region to be copied. The processor, in response to the content copy instruction, is also to copy the selected content to the target page in the protected region of the application address space.