公开(公告)号：US20160246720A1

公开(公告)日：2016-08-25

申请号：US14629132

申请日：2015-02-23

Applicant: Intel Corporation

Inventor： Prashant Pandey ,  Mona Vij ,  Somnath Chakrabarti ,  Krystof C. Zmudzinski

IPC: G06F12/08 ,  G06F12/14 ,  G06F13/24 ,  G06F9/30

CPC classification number: G06F21/12 ,  G06F12/0811 ,  G06F12/0822 ,  G06F12/0875 ,  G06F12/14 ,  G06F12/1425 ,  G06F13/24 ,  G06F2212/1052 ,  G06F2212/283 ,  G06F2212/452

Abstract: Instructions and logic fork processes and establish child enclaves in a secure enclave page cache (EPC). Instructions specify addresses for secure storage allocated to enclaves of a parent and a child process to store secure enclave control structure (SECS) data, application data, code, etc. The processor includes an EPC to store enclave data of the parent and child processes. Embodiments of the parent may execute, or a system may execute an instruction to copy parent SECS to secure storage for the child, initialize a unique child ID and link to the parent's SECS/ID. Embodiments of the child may execute, or the system may execute an instruction to copy pages from the parent enclave to the enclave of the child where both have the same key, set an entry for EPC mapping to partial completion, and record a page state in the child enclave, if interrupted. Thus copying can be resumed.

Abstract translation: 指令和逻辑fork处理并在安全的飞地页面缓存（EPC）中建立子空间。 指令指定分配给父节点和子进程的子进程的安全存储地址，以存储安全区域控制结构（SECS）数据，应用程序数据，代码等。处理器包括用于存储父进程和子进程的飞地数据的EPC。 父级的实施例可以执行，或者系统可以执行复制父SECS以保护儿童的存储的指令，初始化唯一的子ID并链接到父级的SECS / ID。 子系统的实施例可以执行，或者系统可以执行将父页面的页面复制到具有相同密钥的小孩的飞地的指令，将用于EPC映射的条目设置为部分完成，并将页面状态记录在 孩子飞散，如果中断。 因此可以恢复复印。

公开(公告)号：US11010309B2

公开(公告)日：2021-05-18

申请号：US16114241

申请日：2018-08-28

Applicant: Intel Corporation

Inventor： Somnath Chakrabarti ,  Mona Vij ,  Matthew Hoekstra

IPC: G06F12/14 ,  G06F21/79 ,  G06F21/71 ,  G06F21/62 ,  G06F21/60 ,  G06F12/0831

Abstract: A computer system for executing one or more software applications includes a host computer device configured to execute the one or more software applications. The computer system further includes one or more memory devices configured to cryptographically protect volatile memory of the one or more memory devices. The one or more memory devices are configured to provide access to the cryptographically protected volatile memory for the one or more software applications. The host computer device is configured to execute the one or more software applications by executing a portion of the one or more software applications associated with the cryptographically protected volatile memory using a processor of the one or more memory devices.

公开(公告)号：US10338957B2

公开(公告)日：2019-07-02

申请号：US15391208

申请日：2016-12-27

Applicant: Intel Corporation

Inventor： Vincent R. Scarlata ,  Carlos V. Rozas ,  Simon P. Johnson ,  Francis X. McKeen ,  Mona Vij ,  Somnath Chakrabarti ,  Brandon Baker ,  Ittai Anati ,  Ilya Alexandrovich

IPC: G06F9/48 ,  H04L9/08 ,  H04L9/32 ,  G06F21/53 ,  G06F21/60

Abstract: A secure migration enclave is provided to identify a launch of a particular virtual machine on a host computing system, where the particular virtual machine is launched to include a secure quoting enclave to perform an attestation of one or more aspects of the virtual machine. A root key for the particular virtual machine is generated using the secure migration enclave hosted on the host computing system for use in association with provisioning the secure quoting enclave with an attestation key to be used in the attestation. The migration enclave registers the root key with a virtual machine registration service.

公开(公告)号：US10263988B2

公开(公告)日：2019-04-16

申请号：US15201447

申请日：2016-07-02

Applicant: Intel Corporation

Inventor： Mona Vij ,  Somnath Chakrabarti ,  Carlos V. Rozas ,  Asit K. Mallick

IPC: H04L29/06 ,  G06F21/10 ,  G06F21/62

Abstract: A processor of an aspect includes a decode unit to decode an instruction. The instruction to indicate a first structure in a protected container memory and to indicate a second structure in the protected container memory. The processor also includes an execution unit coupled with the decode unit. The execution unit, in response to the instruction, is to determine whether a status indicator is configured to allow at least one key to be exchanged between the first and second structures, and is to exchange the at least one key between the first and second structures when the status indicator is configured to allow the at least one key to be exchanged between the first and second structures.

公开(公告)号：US10120805B2

公开(公告)日：2018-11-06

申请号：US15408774

申请日：2017-01-18

Applicant: Intel Corporation

Inventor： Rebekah M. Leslie-Hurd ,  Francis X. McKeen ,  Carlos V. Rozas ,  Gilbert Neiger ,  Asit Mallick ,  Ittai Anati ,  Ilya Alexandrovich ,  Vedvyas Shanbhogue ,  Somnath Chakrabarti

IPC: G06F9/30 ,  G06F12/0837 ,  G06F9/455 ,  G06F12/1045

Abstract: A processing device includes a conflict resolution logic circuit to initiate a tracking phase to track translation look aside buffer (TLB) mappings to an enclave memory cache (EPC) page of a secure enclave. The conflict resolution logic circuit is further to execute a tracking instruction as part of the tracking phase, wherein the tracking instruction takes any page in the secure enclave as an argument parameter to the tracking instruction.

公开(公告)号：US20180203801A1

公开(公告)日：2018-07-19

申请号：US15408774

申请日：2017-01-18

Applicant: Intel Corporation

Inventor： Rebekah M. Leslie-Hurd ,  Francis X. McKeen ,  Carlos V. Rozas ,  Gilbert Neiger ,  Asit Mallick ,  Ittai Anati ,  Ilya Alexandrovich ,  Vedvyas Shanbhogue ,  Somnath Chakrabarti

IPC: G06F12/0837 ,  G06F9/30 ,  G06F9/455 ,  G06F12/1045

CPC classification number: G06F12/0837 ,  G06F9/30003 ,  G06F9/45558 ,  G06F12/1063 ,  G06F2009/45583 ,  G06F2009/45591 ,  G06F2212/152 ,  G06F2212/60 ,  G06F2212/621 ,  G06F2212/68

Abstract: A processing device includes a conflict resolution logic circuit to initiate a tracking phase to track translation look aside buffer (TLB) mappings to an enclave memory cache (EPC) page of a secure enclave. The conflict resolution logic circuit is further to execute a tracking instruction as part of the tracking phase, wherein the tracking instruction takes any page in the secure enclave as an argument parameter to the tracking instruction.

公开(公告)号：US20180060237A1

公开(公告)日：2018-03-01

申请号：US15252719

申请日：2016-08-31

Applicant: Intel Corporation

Inventor： Rebekah M. Leslie-Hurd ,  Francis X. McKeen ,  Carlos V. Rozas ,  Somnath Chakrabarti ,  Asit Mallick

IPC: G06F12/0817 ,  G06F21/57 ,  G06F12/0808 ,  G06F12/0811 ,  G06F12/084

CPC classification number: G06F12/0824 ,  G06F12/0808 ,  G06F12/0811 ,  G06F12/084 ,  G06F21/53 ,  G06F21/572 ,  G06F2212/1008 ,  G06F2212/1052 ,  G06F2212/152 ,  G06F2212/60 ,  G06F2212/62 ,  G06F2221/032

Abstract: A processing device includes a first counter having a first count value of a number of child pages among a plurality of child pages present in an enclave memory of a first virtual machine (VM). The plurality of child pages are associated with a parent page in the enclave memory. The processing device includes a second counter having a second count value of a number of child pages among the plurality of child pages not present in the enclave memory and being shared by a second VM, wherein the second VM is different from the first VM. A non-zero value of at least one of the first counter or the second counter prevents eviction of the parent page from the enclave memory.

公开(公告)号：US20180006809A1

公开(公告)日：2018-01-04

申请号：US15200604

申请日：2016-07-01

Applicant: Intel Corporation

Inventor： Vincent R. Scarlata ,  Francis X. McKeen ,  Carlos V. Rozas ,  Simon P. Johnson ,  Bo Zhang ,  Mona Vij ,  Brandon Baker ,  Mohan J. Kumar ,  Asit K. Mallick ,  Mark A. Gentry ,  Somnath Chakrabarti

IPC: H04L9/08 ,  H04L29/06 ,  G06F21/62

CPC classification number: H04L9/0816 ,  G06F21/6218 ,  H04L9/0861 ,  H04L9/088 ,  H04L9/0894 ,  H04L9/14 ,  H04L63/06

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to store data in a secure domain in a cloud network, create encryption keys, where each encryption key is to provide a different type of access to the data, and store the encryption keys in a secure domain key store in the cloud network. In an example, each encryption key provides access to a different version of the data. In another example, a counter engine stores the location of each version of the data in the cloud network.

公开(公告)号：US12242391B2

公开(公告)日：2025-03-04

申请号：US18378124

申请日：2023-10-09

Applicant: Intel Corporation

Inventor： Carlos V. Rozas ,  Mona Vij ,  Rebekah M. Leslie-Hurd ,  Krystof C. Zmudzinski ,  Somnath Chakrabarti ,  Francis X. McKeen ,  Vincent R. Scarlata ,  Simon P. Johnson ,  Ilya Alexandrovich ,  Gilbert Neiger ,  Vedvyas Shanbhogue ,  Ittai Anati

IPC: G06F12/14 ,  G06F8/41 ,  G06F9/30 ,  G06F9/455 ,  G06F21/53 ,  G06F21/60

Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.

公开(公告)号：US20210406201A1

公开(公告)日：2021-12-30

申请号：US17367349

申请日：2021-07-03

Applicant: Intel Corporation

Inventor： Carlos V. Rozas ,  Mona Vij ,  Rebekah M. Leslie-Hurd ,  Krystof C. Zmudzinski ,  Somnath Chakrabarti ,  Francis X. Mckeen ,  Vincent R. Scarlata ,  Simon P. Johnson ,  Ilya Alexandrovich ,  Gilbert Neiger ,  Vedvyas Shanbhogue ,  Ittai Anati

IPC: G06F12/14 ,  G06F21/60 ,  G06F9/30 ,  G06F21/53 ,  G06F8/41 ,  G06F9/455

Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.