公开(公告)号：US20230015537A1

公开(公告)日：2023-01-19

申请号：US17950826

申请日：2022-09-22

Applicant: Intel Corporation

Inventor： Anjo Lucas Vahldiek-Oberwagner ,  Ravi L. Sahita ,  Mona Vij ,  Rameshkumar Illikkal ,  Michael Steiner ,  Thomas Knauth ,  Dmitrii Kuvaiskii ,  Sudha Krishnakumar ,  Krystof C. Zmudzinski ,  Vincent Scarlata ,  Francis McKeen

IPC: G06F21/79 ,  G06F3/06 ,  G06F12/14 ,  H04L9/32 ,  H04L9/14

Abstract: Example methods and systems are directed to reducing latency in providing trusted execution environments (TEEs). Initializing a TEE includes multiple steps before the TEE starts executing. Besides workload-specific initialization, workload-independent initialization is performed, such as adding memory to the TEE. In function-as-a-service (FaaS) environments, a large portion of the TEE is workload-independent, and thus can be performed prior to receiving the workload. Certain steps performed during TEE initialization are identical for certain classes of workloads. Thus, the common parts of the TEE initialization sequence may be performed before the TEE is requested. When a TEE is requested for a workload in the class and the parts to specialize the TEE for its particular purpose are known, the final steps to initialize the TEE are performed.

公开(公告)号：US20220206764A1

公开(公告)日：2022-06-30

申请号：US17133880

申请日：2020-12-24

Applicant: Intel Corporation

Inventor： Vincent Scarlata ,  Alpa Trivedi ,  Reshma Lal ,  Marcela S. Melara ,  Michael Steiner ,  Anjo Vahldiek-Oberwagner

IPC: G06F8/40

Abstract: Attestation of operations by tool chains is described. An example of a storage medium includes instructions for receiving source code for processing of a secure workload of a tenant; selecting at least a first compute node to provide computation for the workload; processing the source code by an attestable tool chain to generate machine code for the first compute node, including performing one or more conversions of the source code by one or more convertors to generate converted code and generating an attestation associated with each code conversion, and receiving machine code for the first compute node and generating an attestation associated with the first compute node; and providing each of the attestations from the first stage and the second stage for verification.

公开(公告)号：US20220058045A1

公开(公告)日：2022-02-24

申请号：US17222791

申请日：2021-04-05

Applicant: Intel Corporation

Inventor： Ned Smith ,  Bing Zhu ,  Vincent Scarlata ,  Kapil Sood ,  Francesc Guim Bernat

IPC: G06F9/455

Abstract: Technologies for hybrid virtualization and secure enclave include a computing device and an edge orchestrator. The edge orchestrator securely provisions a container-enclave policy to the computing device. A VMM of the computing device constructs a platform services enclave that includes the container-enclave policy. The platform services enclave requests a local attestation report from an application enclave, and the application enclave generates the attestation report using secure enclave support of a compute engine of the computing device. The attestation report is indicative of a virtualization context of the application enclave, and may include a VM flag, a VMM flag, and a source address of the application enclave. The platform services enclave enforces the container-enclave policy based on the virtualization context of the application enclave. The platform services enclave may control access to functions of the computing device based on the virtualization context. Other embodiments are described and claimed.

公开(公告)号：US09407636B2

公开(公告)日：2016-08-02

申请号：US14281651

申请日：2014-05-19

Applicant: INTEL CORPORATION

Inventor： Vincent Scarlata ,  Simon Johnson ,  Carlos Rozas ,  Francis McKeen ,  Ittai Anati ,  Ilya Alexandrovich ,  Rebekah Leslie-Hurd

IPC: G06F21/64 ,  H04L29/06 ,  G06F21/74

CPC classification number: G06F21/64 ,  G06F21/62 ,  G06F21/74 ,  G06F21/81 ,  G06F21/85 ,  H04L63/061 ,  H04L63/0876

Abstract: An apparatus and method for securely suspending and resuming the state of a processor. For example, one embodiment of a method comprises: generating a data structure including at least the monotonic counter value; generating a message authentication code (MAC) over the data structure using a first key; securely providing the data structure and the MAC to a module executed on the processor; the module verifying the MAC, comparing the monotonic counter value with a counter value stored during a previous suspend operation and, if the counter values match, then loading processor state required for the resume operation to complete. Another embodiment of a method comprises: generating a first key by a processor; securely sharing the first key with an off-processor component; and using the first key to generate a pairing ID usable to identify a pairing between the processor and the off-processor component.

Abstract translation: 一种用于安全地挂起并恢复处理器状态的装置和方法。 例如，方法的一个实施例包括：生成至少包括单调计数器值的数据结构; 使用第一密钥在数据结构上生成消息认证码（MAC）; 将数据结构和MAC安全地提供给在处理器上执行的模块; 所述模块验证所述MAC，将所述单调计数器值与在先前暂停操作期间存储的计数器值进行比较，并且如果所述计数器值匹配，则加载完成所述恢复操作所需的处理器状态。 方法的另一实施例包括：由处理器生成第一密钥; 用脱离处理器组件安全地共享第一个密钥; 以及使用所述第一密钥来生成可用于识别所述处理器和所述关闭处理器组件之间的配对的配对ID。

公开(公告)号：US11934843B2

公开(公告)日：2024-03-19

申请号：US18307650

申请日：2023-04-26

Applicant: Intel Corporation

Inventor： Vedvyas Shanbhogue ,  Ravi L. Sahita ,  Vincent Scarlata ,  Barry E. Huntley

IPC: G06F9/44 ,  G06F9/4401 ,  G06F9/455 ,  G06F12/1009 ,  G06F21/78 ,  H04L9/30 ,  H04L9/32

CPC classification number: G06F9/4403 ,  G06F9/45558 ,  G06F12/1009 ,  G06F21/78 ,  H04L9/30 ,  H04L9/32 ,  G06F2009/45579 ,  G06F2009/45583 ,  G06F2009/45591 ,  G06F2009/45595

Abstract: A processor includes a range register to store information that identifies a reserved range of memory associated with a secure arbitration mode (SEAM) and a core coupled to the range register. The core includes security logic to unlock the range register on a logical processor, of the processor core, that is to initiate the SEAM. The logical processor is to, via execution of the security logic, store, in the reserved range, a SEAM module and a manifest associated with the SEAM module, wherein the SEAM module supports execution of one or more trust domains; initialize a SEAM virtual machine control structure (VMCS) within the reserved range of the memory that is to control state transitions between a virtual machine monitor (VMM) and the SEAM module; and authenticate the SEAM module using a manifest signature of the manifest.

公开(公告)号：US11720503B2

公开(公告)日：2023-08-08

申请号：US17724743

申请日：2022-04-20

Applicant: Intel Corporation

Inventor： Vincent Scarlata ,  Reshma Lal ,  Alpa Narendra Trivedi ,  Eric Innis

IPC: G06F12/14 ,  H04L9/32 ,  G06F21/76 ,  G06F21/60 ,  H04L9/08 ,  G06F9/455 ,  G06F21/57 ,  G06F21/64 ,  H04L41/28 ,  G06F21/79 ,  H04L41/046 ,  H04L9/06 ,  G06F9/38 ,  G06F12/0802

CPC classification number: G06F12/1408 ,  G06F9/3877 ,  G06F9/45558 ,  G06F12/0802 ,  G06F21/57 ,  G06F21/602 ,  G06F21/606 ,  G06F21/64 ,  G06F21/76 ,  G06F21/79 ,  H04L9/0631 ,  H04L9/0637 ,  H04L9/083 ,  H04L9/085 ,  H04L9/0838 ,  H04L9/0844 ,  H04L9/0891 ,  H04L9/321 ,  H04L9/3215 ,  H04L9/3226 ,  H04L9/3268 ,  H04L9/3278 ,  H04L41/046 ,  H04L41/28 ,  G06F2009/45591 ,  G06F2009/45595

Abstract: Technologies for secure authentication and programming of an accelerator device are described. In one example, a computing is disclosed comprising an accelerator device to: provide a unique device identifier to an accelerator services enclave (ASE) of a processor of the computing device; authenticate with the ASE by: performing a secure key exchange with the ASE to establish a shared secret tunnel key; verifying an enclave certificate of the ASE; and providing an attestation response to the ASE indicative of an accelerator device configuration; establish a secure channel with the ASE protected by the shared secret tunnel key; receive bitstream image key and bitstream data key from the ASE via the secure channel; program the accelerator device via the secure channel using the bitstream image key; and exchange data with a tenant enclave of the processor, the data protected by the bitstream data key.

公开(公告)号：US11669335B2

公开(公告)日：2023-06-06

申请号：US16367527

申请日：2019-03-28

Applicant: Intel Corporation

Inventor： Vedvyas Shanbhogue ,  Ravi L. Sahita ,  Vincent Scarlata ,  Barry E. Huntley

IPC: G06F9/44 ,  G06F9/4401 ,  G06F9/455 ,  G06F12/1009 ,  H04L9/30 ,  H04L9/32 ,  G06F21/78

CPC classification number: G06F9/4403 ,  G06F9/45558 ,  G06F12/1009 ,  G06F21/78 ,  H04L9/30 ,  H04L9/32 ,  G06F2009/45579 ,  G06F2009/45583 ,  G06F2009/45591 ,  G06F2009/45595

Abstract: A processor includes a range register to store information that identifies a reserved range of memory associated with a secure arbitration mode (SEAM) and a core coupled to the range register. The core includes security logic to unlock the range register on a logical processor, of the processor core, that is to initiate the SEAM. The logical processor is to, via execution of the security logic, store, in the reserved range, a SEAM module and a manifest associated with the SEAM module, wherein the SEAM module supports execution of one or more trust domains; initialize a SEAM virtual machine control structure (VMCS) within the reserved range of the memory that is to control state transitions between a virtual machine monitor (VMM) and the SEAM module; and authenticate the SEAM module using a manifest signature of the manifest.

公开(公告)号：US11650800B2

公开(公告)日：2023-05-16

申请号：US17133880

申请日：2020-12-24

Applicant: Intel Corporation

Inventor： Vincent Scarlata ,  Alpa Trivedi ,  Reshma Lal ,  Marcela S. Melara ,  Michael Steiner ,  Anjo Vahldiek-Oberwagner

IPC: G06F8/40

CPC classification number: G06F8/40

Abstract: Attestation of operations by tool chains is described. An example of a storage medium includes instructions for receiving source code for processing of a secure workload of a tenant; selecting at least a first compute node to provide computation for the workload; processing the source code by an attestable tool chain to generate machine code for the first compute node, including performing one or more conversions of the source code by one or more convertors to generate converted code and generating an attestation associated with each code conversion, and receiving machine code for the first compute node and generating an attestation associated with the first compute node; and providing each of the attestations from the first stage and the second stage for verification.

公开(公告)号：US10970103B2

公开(公告)日：2021-04-06

申请号：US16234731

申请日：2018-12-28

Applicant: Intel Corporation

Inventor： Ned Smith ,  Bing Zhu ,  Vincent Scarlata ,  Kapil Sood ,  Francesc Guim Bernat

IPC: G06F9/455

Abstract: Technologies for hybrid virtualization and secure enclave include a computing device and an edge orchestrator. The edge orchestrator securely provisions a container-enclave policy to the computing device. A VMM of the computing device constructs a platform services enclave that includes the container-enclave policy. The platform services enclave requests a local attestation report from an application enclave, and the application enclave generates the attestation report using secure enclave support of a compute engine of the computing device. The attestation report is indicative of a virtualization context of the application enclave, and may include a VM flag, a VMM flag, and a source address of the application enclave. The platform services enclave enforces the container-enclave policy based on the virtualization context of the application enclave. The platform services enclave may control access to functions of the computing device based on the virtualization context. Other embodiments are described and claimed.

公开(公告)号：US10885202B2

公开(公告)日：2021-01-05

申请号：US16123593

申请日：2018-09-06

Applicant: Intel Corporation

Inventor： Francis X. McKeen ,  Carlos V. Rozas ,  Uday R. Savagaonkar ,  Simon P. Johnson ,  Vincent Scarlata ,  Michael A. Goldsmith ,  Ernie Brickell ,  Jiang Tao Li ,  Howard C. Herbert ,  Prashant Dewan ,  Stephen J. Tolopka ,  Gilbert Neiger ,  David Durham ,  Gary Graunke ,  Bernard Lint ,  Don A. Van Dyke ,  Joseph Cihula ,  Stalinselvaraj Jeyasingh ,  Stephen R. Van Doren ,  Dion Rodgers ,  John Garney ,  Asher Altman

IPC: G06F21/60 ,  G06F21/72 ,  G06F21/53

Abstract: A technique to enable secure application and data integrity within a computer system. In one embodiment, one or more secure enclaves are established in which an application and data may be stored and executed.