公开(公告)号：US20230409340A1

公开(公告)日：2023-12-21

申请号：US18307650

申请日：2023-04-26

Applicant: Intel Corporation

Inventor： Vedvyas Shanbhogue ,  Ravi L. Sahita ,  Vincent Scarlata ,  Barry E. Huntley

IPC: G06F9/4401 ,  G06F9/455 ,  G06F12/1009 ,  H04L9/30 ,  H04L9/32 ,  G06F21/78

CPC classification number: G06F9/4403 ,  G06F9/45558 ,  G06F12/1009 ,  H04L9/30 ,  G06F2009/45579 ,  G06F21/78 ,  G06F2009/45583 ,  G06F2009/45591 ,  G06F2009/45595 ,  H04L9/32

Abstract: A processor includes a range register to store information that identifies a reserved range of memory associated with a secure arbitration mode (SEAM) and a core coupled to the range register. The core includes security logic to unlock the range register on a logical processor, of the processor core, that is to initiate the SEAM. The logical processor is to, via execution of the security logic, store, in the reserved range, a SEAM module and a manifest associated with the SEAM module, wherein the SEAM module supports execution of one or more trust domains; initialize a SEAM virtual machine control structure (VMCS) within the reserved range of the memory that is to control state transitions between a virtual machine monitor (VMM) and the SEAM module; and authenticate the SEAM module using a manifest signature of the manifest.

公开(公告)号：US20220245070A1

公开(公告)日：2022-08-04

申请号：US17724743

申请日：2022-04-20

Applicant: Intel Corporation

Inventor： Vincent Scarlata ,  Reshma Lal ,  Alpa Narendra Trivedi ,  Eric Innis

IPC: G06F12/14 ,  H04L9/32 ,  G06F21/76 ,  G06F21/60 ,  H04L9/08 ,  G06F9/455 ,  G06F21/57 ,  G06F21/64 ,  H04L41/28 ,  G06F21/79 ,  H04L41/046 ,  H04L9/06 ,  G06F9/38 ,  G06F12/0802

Abstract: Technologies for secure authentication and programming of an accelerator device are described. In one example, a computing is disclosed comprising an accelerator device to: provide a unique device identifier to an accelerator services enclave (ASE) of a processor of the computing device; authenticate with the ASE by: performing a secure key exchange with the ASE to establish a shared secret tunnel key; verifying an enclave certificate of the ASE; and providing an attestation response to the ASE indicative of an accelerator device configuration; establish a secure channel with the ASE protected by the shared secret tunnel key; receive bitstream image key and bitstream data key from the ASE via the secure channel; program the accelerator device via the secure channel using the bitstream image key; and exchange data with a tenant enclave of the processor, the data protected by the bitstream data key.

公开(公告)号：US20220222358A1

公开(公告)日：2022-07-14

申请号：US17710723

申请日：2022-03-31

Applicant: Intel Corporation

Inventor： Ravi Sahita ,  Dror Caspi ,  Vedvyas Shanbhogue ,  Vincent Scarlata ,  Anjo Lucas Vahldiek-Oberwagner ,  Haidong Xia ,  Mona Vij

IPC: G06F21/60 ,  G06F21/53 ,  G06F21/54 ,  G06F9/455

Abstract: Scalable cloning and replication for trusted execution environments is described. An example of a computer-readable storage medium includes instructions for receiving a selection of a point to capture a snapshot of a baseline trust domain (TD) or secure enclave, the TD or secure enclave being associated with a trusted execution environment (TEE) of a processor utilized for processing of a workload; initiating cloning of the TD or secure enclave from a source platform to an escrow platform; generating an escrow key to export the snapshot to the escrow platform; and exporting a state of the TD or secure enclave to the escrow platform, the state being sealed with a sealing key.

公开(公告)号：US20200310972A1

公开(公告)日：2020-10-01

申请号：US16367527

申请日：2019-03-28

Applicant: Intel Corporation

Inventor： Vedvyas Shanbhogue ,  Ravi L. Sahita ,  Vincent Scarlata ,  Barry E. Huntley

IPC: G06F12/0817 ,  G06F12/1009 ,  H04L9/30 ,  H04L9/32 ,  G06F9/455

Abstract: A processor includes a range register to store information that identifies a reserved range of memory associated with a secure arbitration mode (SEAM) and a core coupled to the range register. The core includes security logic to unlock the range register on a logical processor, of the processor core, that is to initiate the SEAM. The logical processor is to, via execution of the security logic, store, in the reserved range, a SEAM module and a manifest associated with the SEAM module, wherein the SEAM module supports execution of one or more trust domains; initialize a SEAM virtual machine control structure (VMCS) within the reserved range of the memory that is to control state transitions between a virtual machine monitor (VMM) and the SEAM module; and authenticate the SEAM module using a manifest signature of the manifest.

公开(公告)号：US20200153629A1

公开(公告)日：2020-05-14

申请号：US16723599

申请日：2019-12-20

Applicant: Intel Corporation

Inventor： Salessawi Ferede Yitbarek ,  Luis Kida ,  Vincent Scarlata ,  Reshma Lal ,  Simon Johnson

IPC: H04L9/32 ,  H04L9/08 ,  G06F21/60

Abstract: A method comprises initializing a compute platform in a cloud computing environment, assigning at least a first cryptographic key associated with the platform manufacturer and a second cryptographic key associated with a workload owner to a debug/management interface of the compute platform, and encrypting device information generated by the debug/management interface of the compute platform using at least one of the first cryptographic key or the second cryptographic key.

公开(公告)号：US10102380B2

公开(公告)日：2018-10-16

申请号：US13802272

申请日：2013-03-13

Applicant: INTEL CORPORATION

Inventor： Francis X. McKeen ,  Carlos V. Rozas ,  Uday R. Savagaonkar ,  Simon P. Johnson ,  Vincent Scarlata ,  Michael A. Goldsmith ,  Ernie Brickell ,  Jiang Tao Li ,  Howard C. Herbert ,  Prashant Dewan ,  Stephen J. Tolopka ,  Gilbert Neiger ,  David Durham ,  Gary Graunke ,  Bernard Lint ,  Don A. Van Dyke ,  Joseph Cihula ,  Stalinselvaraj Jeyasingh ,  Stephen R. Van Doren ,  Dion Rodgers ,  John Garney ,  Asher Altman

IPC: G06F21/60 ,  G06F21/72 ,  G06F21/53

Abstract: A technique to enable secure application and data integrity within a computer system. In one embodiment, one or more secure enclaves are established in which an application and data may be stored and executed.

公开(公告)号：US09355262B2

公开(公告)日：2016-05-31

申请号：US14141941

申请日：2013-12-27

Applicant: Intel Corporation

Inventor： Rebekah Leslie-Hurd ,  Ilya Alexandrovich ,  Ittai Anati ,  Alex Berenzon ,  Michael Goldsmith ,  Simon Johnson ,  Francis McKeen ,  Carlos Rozas ,  Uday Savagaonkar ,  Vincent Scarlata ,  Vedvyas Shanbhogue ,  Wesley Smith

IPC: G06F21/60 ,  G06F12/08 ,  G06F12/14 ,  G06F9/30 ,  G06F21/72

CPC classification number: G06F21/604 ,  G06F9/3004 ,  G06F12/0875 ,  G06F12/145 ,  G06F12/1466 ,  G06F12/1491 ,  G06F21/72

Abstract: Embodiments of an invention for modifying memory permissions in a secure processing environment are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to modify access permissions for a page in a secure enclave. The execution unit is to execute the instruction. Execution of the instruction includes setting new access permissions in an enclave page cache map entry. Furthermore, the page is immediately accessible from inside the secure enclave according to the new access permissions.

Abstract translation: 公开了用于在安全处理环境中修改存储器许可的发明的实施例。 在一个实施例中，处理器包括指令单元和执行单元。 指令单元将接收修改安全飞地中页面访问权限的指令。 执行单元执行指令。 执行该指令包括在飞地页面缓存映射条目中设置新的访问权限。 此外，根据新的访问权限，该页面可以从安全飞地内部立即访问。

公开(公告)号：US09171163B2

公开(公告)日：2015-10-27

申请号：US13844101

申请日：2013-03-15

Applicant: Intel Corporation

Inventor： Vinay Phegade ,  Anand Rajan ,  Simon Johnson ,  Vincent Scarlata ,  Carlos Rozas ,  Nikhil Deshpande

IPC: G06F21/60 ,  G06F21/57 ,  G06F21/64

CPC classification number: H04L63/0428 ,  G06F21/57 ,  G06F21/60 ,  G06F21/64 ,  G06F2221/2105 ,  H04L63/126 ,  H04L63/302

Abstract: An apparatus for sharing information between entities includes a processor and a trusted execution module executing on the processor. The trusted execution module is configured to receive first confidential information from a first client device associated with a first entity, seal the first confidential information within a trusted execution environment, receive second confidential information from a second client device associated with a second entity, seal the second confidential information within the trusted execution environment, and execute code within the trusted execution environment. The code is configured to compute a confidential result based upon the first confidential information and the second confidential information.

Abstract translation: 用于在实体之间共享信息的装置包括处理器和在处理器上执行的可信执行模块。 可信执行模块被配置为从与第一实体相关联的第一客户端设备接收第一机密信息，将可信执行环境中的第一机密信息密封，从与第二实体相关联的第二客户端设备接收第二机密信息， 可信执行环境中的第二机密信息，并在可信执行环境内执行代码。 代码被配置为基于第一机密信息和第二机密信息来计算机密结果。

公开(公告)号：US12013954B2

公开(公告)日：2024-06-18

申请号：US17710723

申请日：2022-03-31

Applicant: Intel Corporation

Inventor： Ravi Sahita ,  Dror Caspi ,  Vedvyas Shanbhogue ,  Vincent Scarlata ,  Anjo Lucas Vahldiek-Oberwagner ,  Haidong Xia ,  Mona Vij

IPC: G06F21/60 ,  G06F9/455 ,  G06F21/53 ,  G06F21/54

CPC classification number: G06F21/602 ,  G06F9/45558 ,  G06F21/53 ,  G06F21/54 ,  G06F2009/4557 ,  G06F2009/45587 ,  G06F2009/45595

Abstract: Scalable cloning and replication for trusted execution environments is described. An example of a computer-readable storage medium includes instructions for receiving a selection of a point to capture a snapshot of a baseline trust domain (TD) or secure enclave, the TD or secure enclave being associated with a trusted execution environment (TEE) of a processor utilized for processing of a workload; initiating cloning of the TD or secure enclave from a source platform to an escrow platform; generating an escrow key to export the snapshot to the escrow platform; and exporting a state of the TD or secure enclave to the escrow platform, the state being sealed with a sealing key.

公开(公告)号：US11637868B2

公开(公告)日：2023-04-25

申请号：US17133803

申请日：2020-12-24

Applicant: Intel Corporation

Inventor： Vincent Scarlata ,  Alpa Trivedi ,  Reshma Lal

IPC: H04L9/40 ,  G06F9/50

Abstract: Attestation support in cloud computing environments is described. An example of an apparatus includes one or more processors to process data, including data related to hosting of workloads for one or more tenants; an orchestration element to receive a request for support of a workload of a tenant according to a selected membership policy, the orchestration element to select a set of one or more compute nodes to provide computation for the workload; and a security manager to receive the membership policy and to receive attestations from the selected compute nodes and, upon determining that the attestations meet the requirements of the membership policy, to add the one or more compute nodes to a group of compute nodes to provide computation for the workload.