公开(公告)号：US12210660B2

公开(公告)日：2025-01-28

申请号：US17548170

申请日：2021-12-10

Applicant: Intel Corporation

Inventor： Anna Trikalinou ,  Abhishek Basak ,  Rupin H. Vakharwala ,  Utkarsh Y. Kakaiya

IPC: G06F21/83 ,  G06F21/62 ,  G06F21/78

Abstract: In one embodiment, a read request is received from a peripheral device across an interconnect, with the read request including a process identifier and an encrypted virtual address. One or more keys are obtained based on the process identifier of the read request, and the encrypted virtual address of the read request is decrypted based on the one or more keys to obtain an unencrypted virtual address. Encrypted data is retrieved from memory based on the unencrypted virtual address, and the encrypted data is decrypted based on the one or more keys to obtain plaintext data. The plaintext data is transmitted to the peripheral device across the interconnect.

公开(公告)号：US12189542B2

公开(公告)日：2025-01-07

申请号：US17543267

申请日：2021-12-06

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Pradeep M. Pappachan ,  Luis Kida ,  Krystof Zmudzinski ,  Siddhartha Chhabra ,  Abhishek Basak ,  Alpa Narendra Trivedi ,  Anna Trikalinou ,  David M. Lee ,  Vedvyas Shanbhogue ,  Utkarsh Y. Kakaiya

IPC: G06F12/14 ,  G06F9/38 ,  G06F9/455 ,  G06F12/0802 ,  G06F21/57 ,  G06F21/60 ,  G06F21/64 ,  G06F21/76 ,  G06F21/79 ,  H04L9/06 ,  H04L9/08 ,  H04L9/32 ,  H04L41/046 ,  H04L41/28

Abstract: Technologies for secure device configuration and management include a computing device having an I/O device. A trusted agent of the computing device is trusted by a virtual machine monitor of the computing device. The trusted agent securely commands the I/O device to enter a trusted I/O mode, securely commands the I/O device to set a global lock on configuration registers, receives configuration data from the I/O device, and provides the configuration data to a trusted execution environment. In the trusted I/O mode, the I/O device rejects a configuration command if a configuration register associated with the configuration command is locked and the configuration command is not received from the trusted agent. The trusted agent may provide attestation information to the trusted execution environment. The trusted execution environment may verify the configuration data and the attestation information. Other embodiments are described and claimed.

公开(公告)号：US11921645B2

公开(公告)日：2024-03-05

申请号：US17946762

申请日：2022-09-16

Applicant: Intel Corporation

Inventor： Siddhartha Chhabra ,  Prashant Dewan ,  Abhishek Basak ,  David M. Durham

IPC: G06F21/60 ,  G06F12/0831 ,  G06F12/14 ,  G06F13/28 ,  G06F21/78 ,  G06F21/85

CPC classification number: G06F12/1408 ,  G06F12/0835 ,  G06F12/1466 ,  G06F13/28 ,  G06F21/602 ,  G06F21/78 ,  G06F21/85 ,  G06F2212/1052 ,  G06F2212/402

Abstract: The present disclosure includes systems and methods for securing data direct I/O (DDIO) for a secure accelerator interface, in accordance with various embodiments. Historically, DDIO has enabled performance advantages that have outweighed its security risks. DDIO circuitry may be configured to secure DDIO data by using encryption circuitry that is manufactured for use in communications with main memory along the direct memory access (DMA) path. DDIO circuitry may be configured to secure DDIO data by using DDIO encryption circuitry manufactured for use by or manufactured within the DDIO circuitry. Enabling encryption and decryption in the DDIO path by the DDIO circuitry has the potential to close a security gap in modern data central processor units (CPUs).

公开(公告)号：US20230297725A1

公开(公告)日：2023-09-21

申请号：US18200543

申请日：2023-05-22

Applicant: Intel Corporation

Inventor： Luis Kida ,  Krystof Zmudzinski ,  Reshma Lal ,  Pradeep Pappachan ,  Abhishek Basak ,  Anna Trikalinou

IPC: G06F21/78 ,  G06F21/44 ,  G06F21/85

CPC classification number: G06F21/78 ,  G06F21/44 ,  G06F21/85

Abstract: Technologies for secure I/O include a compute device having a processor, a memory, an input/output (I/O) device, and a filter logic. The filter logic is configured to receive a first key identifier from the processor, wherein the first key identifier is indicative of a shared memory range includes a shared key identifier range to be used for untrusted I/O devices and receive a transaction from the I/O device, wherein the transaction includes a second key identifier and a trust device ID indicator associated with the I/O device. The filter logic is further configured to determine whether the transaction is asserted with the trust device ID indicator indicative of whether the I/O device is assigned to a trust domain and determine, in response to a determination that the transaction is not asserted with the trust device ID indicator, whether the second key identifier matches the first key identifier.

公开(公告)号：US11599621B2

公开(公告)日：2023-03-07

申请号：US16370921

申请日：2019-03-30

Applicant: Intel Corporation

Inventor： Vedvyas Shanbhogue ,  Rajesh Sankaran ,  Abhishek Basak ,  Pradeep Pappachan ,  Utkarsh Y. Kakaiya ,  Ravi Sahita ,  Rupin Vakharwala

IPC: G06F21/44 ,  G06F13/16 ,  G06F3/06 ,  G06F21/79

Abstract: Systems, methods, and apparatuses relating to performing an attachment of an input-output memory management unit (IOMMU) to a device, and a verification of the attachment. In one embodiment, a protocol and IOMMU extensions are used by a secure arbitration mode (SEAM) module and/or circuitry to determine if the IOMMU that is attached to the device requested to be mapped to a trusted domain.

公开(公告)号：US20230032740A1

公开(公告)日：2023-02-02

申请号：US17946762

申请日：2022-09-16

Applicant: Intel Corporation

Inventor： Siddhartha Chhabra ,  Prashant Dewan ,  Abhishek Basak ,  David M. Durham

IPC: G06F12/14 ,  G06F12/0831 ,  G06F13/28 ,  G06F21/78 ,  G06F21/85 ,  G06F21/60

Abstract: The present disclosure includes systems and methods for securing data direct I/O (DDIO) for a secure accelerator interface, in accordance with various embodiments. Historically, DDIO has enabled performance advantages that have outweighed its security risks. DDIO circuitry may be configured to secure DDIO data by using encryption circuitry that is manufactured for use in communications with main memory along the direct memory access (DMA) path. DDIO circuitry may be configured to secure DDIO data by using DDIO encryption circuitry manufactured for use by or manufactured within the DDIO circuitry. Enabling encryption and decryption in the DDIO path by the DDIO circuitry has the potential to close a security gap in modem data central processor units (CPUs).

公开(公告)号：US11481337B2

公开(公告)日：2022-10-25

申请号：US17022029

申请日：2020-09-15

Applicant: Intel Corporation

Inventor： Siddhartha Chhabra ,  Prashant Dewan ,  Abhishek Basak ,  David M. Durham

IPC: G06F21/60 ,  G06F12/14 ,  G06F12/0831 ,  G06F21/78 ,  G06F13/28 ,  G06F21/85

Abstract: The present disclosure includes systems and methods for securing data direct I/O (DDIO) for a secure accelerator interface, in accordance with various embodiments. Historically, DDIO has enabled performance advantages that have outweighed its security risks. DDIO circuitry may be configured to secure DDIO data by using encryption circuitry that is manufactured for use in communications with main memory along the direct memory access (DMA) path. DDIO circuitry may be configured to secure DDIO data by using DDIO encryption circuitry manufactured for use by or manufactured within the DDIO circuitry. Enabling encryption and decryption in the DDIO path by the DDIO circuitry has the potential to close a security gap in modern data central processor units (CPUs).

公开(公告)号：US11455392B2

公开(公告)日：2022-09-27

申请号：US16370849

申请日：2019-03-29

Applicant: Intel Corporation

Inventor： Abhishek Basak ,  Li Chen ,  Salmin Sultana ,  Anna Trikalinou ,  Erdem Aktas ,  Saeedeh Komijani

IPC: G06F21/56 ,  G06F12/1027 ,  G06N20/00 ,  G06F21/55 ,  G06F21/79

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed for anomalous memory access pattern detection for translational lookaside buffers. An example apparatus includes a communication interface to retrieve a first eviction data set from a translational lookaside buffer associated with a central processing unit; a machine learning engine to: generate an anomaly detection model based upon at least one of a second eviction data set not including an anomaly and a third eviction data set including the anomaly; and determine whether the anomaly is present in the first eviction data set based on the anomaly detection model; and an alert generator to at least one of modify a bit value or terminate memory access operations when the anomaly is determined to be present.

公开(公告)号：US20220207147A1

公开(公告)日：2022-06-30

申请号：US17134343

申请日：2020-12-26

Applicant: Intel Corporation

Inventor： Carlos Rozas ,  Fangfei Liu ,  Xiang Zou ,  Francis McKeen ,  Jason W. Brandt ,  Joseph Nuzman ,  Alaa Alameldeen ,  Abhishek Basak ,  Scott Constable ,  Thomas Unterluggauer ,  Asit Mallick ,  Matthew Fernandez

IPC: G06F21/57 ,  G06F21/54 ,  G06F9/30

Abstract: Embodiments for dynamically mitigating speculation vulnerabilities are disclosed. In an embodiment, an apparatus includes decode circuitry and execution circuitry coupled to the decode circuitry. The decode circuitry is to decode a register hardening instruction to mitigate vulnerability to a speculative execution attack. The execution circuitry is to be hardened in response to the register hardening instruction.

公开(公告)号：US11216556B2

公开(公告)日：2022-01-04

申请号：US16222785

申请日：2018-12-17

Applicant: Intel Corporation

Inventor： Ken Grewal ,  Ravi Sahita ,  David Durham ,  Erdem Aktas ,  Sergej Deutsch ,  Abhishek Basak

IPC: G08B23/00 ,  G06F12/16 ,  G06F12/14 ,  G06F11/00 ,  G06F21/55 ,  G06F9/38 ,  G06F12/0891

Abstract: The present disclosure is directed to systems and methods that maintain consistency between a system architectural state and a microarchitectural state in the system cache circuitry to prevent a side-channel attack from accessing secret information. Speculative execution of one or more instructions by the processor circuitry causes memory management circuitry to transition the cache circuitry from a first microarchitectural state to a second microarchitectural state. The memory management circuitry maintains the cache circuitry in the second microarchitectural state in response to a successful completion and/or retirement of the speculatively executed instruction. The memory management circuitry reverts the cache circuitry from the second microarchitectural state to the first microarchitectural state in response to an unsuccessful completion, flushing, and/or retirement of the speculatively executed instruction.