公开(公告)号：US10705976B2

公开(公告)日：2020-07-07

申请号：US16023537

申请日：2018-06-29

Applicant: Intel Corporation

Inventor： Ravi Sahita ,  Barry E. Huntley ,  Vedvyas Shanbhogue ,  Dror Caspi ,  Baruch Chaikin ,  Gilbert Neiger ,  Arie Aharon ,  Arumugam Thiyagarajah

IPC: G06F12/1036 ,  G06F12/14 ,  G06F9/455 ,  G06F12/109 ,  G06F21/53 ,  G06F21/78 ,  G06F12/1009 ,  G06F12/02

Abstract: Examples include a processor including at least one untrusted extended page table (EPT), circuitry to execute a set of instructions of the instruction set architecture (ISA) of the processor to manage at least one secure extended page table (SEPT), and a physical address translation component to translate a guest physical address of a guest physical memory to a host physical address of a host physical memory using one of the at least one untrusted EPT and the at least one SEPT.

公开(公告)号：US10552344B2

公开(公告)日：2020-02-04

申请号：US15854278

申请日：2017-12-26

Applicant: Intel Corporation

Inventor： Carlos V. Rozas ,  Ittai Anati ,  Francis X. McKeen ,  Krystof Zmudzinski ,  Ilya Alexandrovich ,  Somnath Chakrabarti ,  Dror Caspi ,  Meltem Ozsoy

IPC: G06F12/14 ,  G06F12/08 ,  G06F12/10 ,  G06F3/06 ,  G06F12/0806 ,  G06F12/0868 ,  G06F12/1009 ,  G06F12/1027 ,  G06F12/128

Abstract: A secure enclave circuit stores an enclave page cache map to track contents of a secure enclave in system memory that stores secure data containing a page having a virtual address. An execution unit is to, in response to a request to evict the page from the secure enclave: block creation of translations of the virtual address; record one or more hardware threads currently accessing the secure data in the secure enclave; send an inter-processor interrupt to one or more cores associated with the one or more hardware threads, to cause the one or more hardware threads to exit the secure enclave and to flush translation lookaside buffers of the one or more cores; and in response to detection of a page fault associated with the virtual address for the page in the secure enclave, unblock the creation of translations of the virtual address.

公开(公告)号：US10180854B2

公开(公告)日：2019-01-15

申请号：US15278592

申请日：2016-09-28

Applicant: Intel Corporation

Inventor： Rebekah M. Leslie-Hurd ,  Carlos V. Rozas ,  Dror Caspi

IPC: G06F9/455 ,  G06F12/1045 ,  G06F12/0817

Abstract: A processing system includes an execution unit, communicatively coupled to an architecturally-protected memory, the execution unit comprising a logic circuit to execute a virtual machine monitor (VMM) that supports a virtual machine (VM) comprising a guest operating system (OS) and to implement an architecturally-protected execution environment, wherein the logic circuit is to responsive to executing a blocking instruction by the guest OS directed at a first page stored in the architecturally-protected memory during a first time period identified by a value stored in a first counter, copy the value from the first counter to a second counter, responsive to executing a first tracking instruction issued by the VMM, increment the value stored in the first counter, and set a flag to indicate successful execution of the second tracking instruction.

公开(公告)号：US12174972B2

公开(公告)日：2024-12-24

申请号：US17464163

申请日：2021-09-01

Applicant: Intel Corporation

Inventor： Dror Caspi ,  Arie Aharon ,  Gideon Gerzon ,  Hormuzd Khosravi

IPC: G06F21/00 ,  G06F21/60 ,  H04L9/08 ,  H04L9/14

Abstract: Implementations describe providing secure encryption key management in trust domains. In one implementation, a processing device includes a key ownership table (KOT) that is protected against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to create a trust domain (TD) and a randomly-generated encryption key corresponding to the TD, the randomly-generated encryption key identified by a guest key identifier (GKID) and protected against software access from at least one of the TDRM or other TDs, the TDRM is to reference the KOT to obtain at least one unassigned host key identifier (HKID) utilized to encrypt a TD memory, the TDRM is to assign the HKID to the TD by marking the HKID in the KOT as assigned, and configure the randomly-generated encryption key on the processing device by associating the randomly-generated encryption key with the HKID.

公开(公告)号：US12021980B2

公开(公告)日：2024-06-25

申请号：US17465311

申请日：2021-09-02

Applicant: Intel Corporation

Inventor： Ido Ouziel ,  Arie Aharon ,  Dror Caspi ,  Baruch Chaikin ,  Jacob Doweck ,  Gideon Gerzon ,  Barry E. Huntley ,  Francis X. McKeen ,  Gilbert Neiger ,  Carlos V. Rozas ,  Ravi L. Sahita ,  Vedvyas Shanbhogue ,  Assaf Zaltsman

IPC: H04L9/08 ,  G06F9/455 ,  G06F12/1009 ,  G06F21/60 ,  G06F21/62

CPC classification number: H04L9/088 ,  G06F9/45558 ,  G06F12/1009 ,  G06F21/602 ,  G06F21/62 ,  G06F2009/45583 ,  G06F2009/45587 ,  G06F2212/1044 ,  G06F2212/657

Abstract: A processor includes a processor core. A register of the core is to store: a bit range for a number of address bits of physical memory addresses used for key identifiers (IDs), and a first key ID to identify a boundary between non-restricted key IDs and restricted key IDs of the key identifiers. A memory controller is to: determine, via access to bit range and the first key ID in the register, a key ID range of the restricted key IDs within the physical memory addresses; access a processor state that a first logical processor of the processor core executes in an untrusted domain mode; receive a memory transaction, from the first logical processor, including an address associated with a second key ID; and generate a fault in response to a determination that the second key ID is within a key ID range of the restricted key IDs.

公开(公告)号：US11829517B2

公开(公告)日：2023-11-28

申请号：US16227858

申请日：2018-12-20

Applicant: INTEL CORPORATION

Inventor： Hormuzd Khosravi ,  Dror Caspi ,  Arie Aharon

IPC: G06F21/72 ,  G06F9/455 ,  G06F9/50 ,  H04L9/08 ,  G06F21/57

CPC classification number: G06F21/72 ,  G06F9/45558 ,  G06F9/5016 ,  G06F21/575 ,  H04L9/088 ,  H04L9/0894 ,  H04L9/0897 ,  G06F2009/45583 ,  G06F2009/45587

Abstract: A method of creating a trusted execution domain includes initializing, by a processing device executing a trust domain resource manager (TDRM), a trust domain control structure (TDCS) and a trust domain protected memory (TDPM) associated with a trust domain (TD). The method further includes generating a one-time cryptographic key, assigning the one-time cryptographic key to an available host key id (HKID) in a multi-key total memory encryption (MK-TME) engine, and storing the HKID in the TDCS. The method further includes associating a logical processor to the TD, adding a memory page from an address space of the logical processor to the TDPM, and transferring execution control to the logical processor to execute the TD.

公开(公告)号：US11436342B2

公开(公告)日：2022-09-06

申请号：US16727608

申请日：2019-12-26

Applicant: Intel Corporation

Inventor： Gideon Gerzon ,  Hormuzd M. Khosravi ,  Vincent Von Bokern ,  Barry E. Huntley ,  Dror Caspi

IPC: G06F21/60 ,  G06F9/455 ,  G06F21/72 ,  H04L9/06

Abstract: Disclosed embodiments relate to trust domain islands with self-contained scope. In one example, a system includes multiple sockets, each including multiple cores, multiple multi-key total memory encryption (MK-TME) circuits, multiple memory controllers, and a trust domain island resource manager (TDIRM) to: initialize a trust domain island (TDI) island control structure (TDICS) associated with a TD island, initialize a trust domain island protected memory (TDIPM) associated with the TD island, identify a host key identifier (HKID) in a key ownership table (KOT), assign the HKID to a cryptographic key and store the HKID in the TDICS, associate one of the plurality of cores with the TD island, add a memory page from an address space of the first core to the TDIPM, and transfer execution control to the first core to execute the TDI, and wherein a number of HKIDs available in the system is increased as the memory mapped to the TD island is decreased.

公开(公告)号：US20210200858A1

公开(公告)日：2021-07-01

申请号：US16729340

申请日：2019-12-28

Applicant: Intel Corporation

Inventor： Dror Caspi ,  Vedvyas Shanbhogue ,  Ido Ouziel ,  Francis McKeen ,  Baruch Chaikin ,  Carlos V. Rozas

IPC: G06F21/53

Abstract: Embodiments of processors, methods, and systems for executing code in a protected memory container by a trust domain are disclosed. In an embodiment, a processor includes a memory controller to enable creation of a trust domain and a core to enable the trust domain to execute code in a protected memory container.