公开(公告)号：US20220100581A1

公开(公告)日：2022-03-31

申请号：US17528374

申请日：2021-11-17

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Pradeep Pappachan ,  Luis Kida ,  Soham Jayesh Desai ,  Sujoy Sen ,  Selvakumar Panneer ,  Robert Sharp

IPC: G06F9/50 ,  G06T1/60 ,  G06T1/20 ,  G06F9/38

Abstract: An apparatus to facilitate disaggregated computing for a distributed confidential computing environment is disclosed. The apparatus includes a graphics processing unit (GPU) to: provide a virtual GPU monitor (VGM) to interface over a network with a middleware layer of a client platform, the VGM to interface with the middleware layer using a message passing interface; configure and expose, by the VGM, virtual functions (VFs) of the GPU to the middleware layer of the client platform; intercept, by the VGM, request messages directed to the GPU from the middleware layer, the request messages corresponding to VFs of the GPU to be utilized by the client platform; and generate, by the VGM, a response to the request messages for the middleware client.

公开(公告)号：US20220092223A1

公开(公告)日：2022-03-24

申请号：US17515092

申请日：2021-10-29

Applicant: Intel Corporation

Inventor： Luis Kida ,  Krystof Zmudzinski ,  Reshma Lal ,  Pradeep Pappachan ,  Abhishek Basak ,  Anna Trikalinou

IPC: G06F21/78 ,  G06F21/44 ,  G06F21/85

Abstract: Technologies for secure I/O include a compute device having a processor, a memory, an input/output (I/O) device, and a filter logic. The filter logic is configured to receive a first key identifier from the processor, wherein the first key identifier is indicative of a shared memory range includes a shared key identifier range to be used for untrusted I/O devices and receive a transaction from the I/O device, wherein the transaction includes a second key identifier and a trust device ID indicator associated with the I/O device. The filter logic is further configured to determine whether the transaction is asserted with the trust device ID indicator indicative of whether the I/O device is assigned to a trust domain and determine, in response to a determination that the transaction is not asserted with the trust device ID indicator, whether the second key identifier matches the first key identifier.

公开(公告)号：US11138132B2

公开(公告)日：2021-10-05

申请号：US16232146

申请日：2018-12-26

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Alpa Narendra Trivedi ,  Luis Kida ,  Pradeep M. Pappachan ,  Soham Jayesh Desai ,  Nanda Kumar Unnikrishnan

IPC: G06F12/14 ,  H04L9/32 ,  G06F21/76 ,  G06F21/60 ,  H04L9/08 ,  G06F9/455 ,  G06F21/57 ,  G06F21/64 ,  H04L12/24 ,  G06F21/79 ,  H04L9/06 ,  G06F9/38 ,  G06F12/0802

Abstract: Technologies for secure I/O data transfer with an accelerator device include a computing device having a processor and an accelerator. The processor establishes a trusted execution environment. The trusted execution environment may generate an authentication tag based on a memory-mapped I/O transaction, write the authentication tag to a register of the accelerator, and dispatch the transaction to the accelerator. The accelerator performs a cryptographic operation associated with the transaction, generates an authentication tag based on the transaction, and compares the generated authentication tag to the authentication tag received from the trusted execution environment. The accelerator device may initialize an authentication tag in response to a command from the trusted execution environment, transfer data between host memory and accelerator memory, perform a cryptographic operation in response to transferring the data, and update the authentication tag in response to transferrin the data. Other embodiments are described and claimed.

公开(公告)号：US20190311123A1

公开(公告)日：2019-10-10

申请号：US16444053

申请日：2019-06-18

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Pradeep M. Pappachan ,  Luis Kida ,  Krystof Zmudzinski ,  Siddhartha Chhabra ,  Abhishek Basak ,  Alpa Narendra Trivedi ,  Anna Trikalinou ,  David M. Lee ,  Vedvyas Shanbhogue ,  Utkarsh Y. Kakaiya

IPC: G06F21/57 ,  G06F21/64 ,  H04L12/24 ,  H04L9/08 ,  G06F9/455

Abstract: Technologies for secure device configuration and management include a computing device having an I/O device. A trusted agent of the computing device is trusted by a virtual machine monitor of the computing device. The trusted agent securely commands the I/O device to enter a trusted I/O mode, securely commands the I/O device to set a global lock on configuration registers, receives configuration data from the I/O device, and provides the configuration data to a trusted execution environment. In the trusted I/O mode, the I/O device rejects a configuration command if a configuration register associated with the configuration command is locked and the configuration command is not received from the trusted agent. The trusted agent may provide attestation information to the trusted execution environment. The trusted execution environment may verify the configuration data and the attestation information. Other embodiments are described and claimed.

公开(公告)号：US20190138755A1

公开(公告)日：2019-05-09

申请号：US16234871

申请日：2018-12-28

Applicant: Intel Corporation

Inventor： Luis Kida ,  Krystof Zmudzinski ,  Reshma Lal ,  Pradeep Pappachan ,  Abhishek Basak ,  Anna Trikalinou

IPC: G06F21/78 ,  G06F21/44

Abstract: Technologies for secure I/O include a compute device having a processor, a memory, an input/output (I/O) device, and a filter logic. The filter logic is configured to receive a first key identifier from the processor, wherein the first key identifier is indicative of a shared memory range includes a shared key identifier range to be used for untrusted I/O devices and receive a transaction from the I/O device, wherein the transaction includes a second key identifier and a trust device ID indicator associated with the I/O device. The filter logic is further configured to determine whether the transaction is asserted with the trust device ID indicator indicative of whether the I/O device is assigned to a trust domain and determine, in response to a determination that the transaction is not asserted with the trust device ID indicator, whether the second key identifier matches the first key identifier.

公开(公告)号：US12289301B2

公开(公告)日：2025-04-29

申请号：US18416569

申请日：2024-01-18

Applicant: Intel Corporation

Inventor： Luis Kida ,  Reshma Lal

IPC: H04L29/06 ,  G06F9/50 ,  G06F13/28 ,  H04L9/08 ,  H04L9/32 ,  H04L9/40

Abstract: An apparatus to facilitate protecting data transfer between a secure application and networked devices is disclosed. The apparatus includes a processor to provide a trusted execution environment (TEE) to run an application, wherein the processor is to: generate, via the application in the TEE, encrypted data, wherein the encrypted data comprises a payload; copy, via the application in the TEE, the encrypted data to a local buffer; interface, using the application in the TEE, with a source network interface controller (NIC) to initiate a copy over a network of the encrypted data from the local buffer to a remote buffer of a remote platform; and communicate, after completing the copy of the network of the encrypted data, at least one message with the remote platform to indicate that the encrypted data is available and to enable the remote platform to verify integrity of the encrypted data.

公开(公告)号：US12229605B2

公开(公告)日：2025-02-18

申请号：US18538171

申请日：2023-12-13

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Pradeep Pappachan ,  Luis Kida ,  Soham Jayesh Desai ,  Sujoy Sen ,  Selvakumar Panneer ,  Robert Sharp

IPC: G06F9/50 ,  G06F9/38 ,  G06T1/20 ,  G06T1/60

Abstract: An apparatus to facilitate disaggregated computing for a distributed confidential computing environment is disclosed. The apparatus includes one or more processors to facilitate receiving a manifest corresponding to graph nodes representing regions of memory of a remote client machine, the graph nodes corresponding to a command buffer and to associated data structures and kernels of the command buffer used to initialize a hardware accelerator and execute the kernels, and the manifest indicating a destination memory location of each of the graph nodes and dependencies of each of the graph nodes; identifying, based on the manifest, the command buffer and the associated data structures to copy to the host memory; identifying, based on the manifest, the kernels to copy to local memory of the hardware accelerator; and patching addresses in the command buffer copied to the host memory with updated addresses of corresponding locations in the host memory.

公开(公告)号：US20240281302A1

公开(公告)日：2024-08-22

申请号：US18636749

申请日：2024-04-16

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Pradeep Pappachan ,  Luis Kida ,  Soham Jayesh Desai ,  Sujoy Sen ,  Selvakumar Panneer ,  Robert Sharp

IPC: G06F9/50 ,  G06F9/38 ,  G06T1/20 ,  G06T1/60

CPC classification number: G06F9/5083 ,  G06F9/3814 ,  G06F9/5027 ,  G06T1/20 ,  G06T1/60

Abstract: An apparatus to facilitate disaggregated computing for a distributed confidential computing environment is disclosed. The apparatus includes one or more processors to: provide a remote GPU middleware layer to act as a proxy for an application stack on a client platform that is separate from the remote server platform, wherein the remote GPU middleware layer comprises is to expose an abstraction of the remote GPU to userspace components of a remote GPU stack, the userspace components running on the client machine; communicate with a kernel mode driver of the one or more processors to cause the host memory to be allocated for data structures used to communicate commands between the client and the remote GPU; and invoke the kernel mode driver to submit a workload generated by the application stack, the workload submitted for processing by the remote GPU using the data structures allocated in the host memory.

公开(公告)号：US11941457B2

公开(公告)日：2024-03-26

申请号：US17525143

申请日：2021-11-12

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Pradeep Pappachan ,  Luis Kida ,  Soham Jayesh Desai ,  Sujoy Sen ,  Selvakumar Panneer ,  Robert Sharp

IPC: G06F9/50 ,  G06F9/38 ,  G06T1/20 ,  G06T1/60

CPC classification number: G06F9/5083 ,  G06F9/3814 ,  G06F9/5027 ,  G06T1/20 ,  G06T1/60

Abstract: An apparatus to facilitate disaggregated computing for a distributed confidential computing environment is disclosed. The apparatus includes a source remote direct memory access (RDMA) network interface controller (RNIC); a queue to store a data entry corresponding to an RDMA request between the source RNIC and a sink RNIC; a data buffer to store data for an RDMA transfer corresponding to the RDMA request, the RDMA transfer between the source RNIC and the sink RNIC; and a trusted execution environment (TEE) comprising an authentication tag controller to: initialize a first authentication tag calculated using a first key known between a source consumer generating the RDMA request and the source RNIC; associate the first authentication tag with the data entry as integrity verification; initialize a second authentication tag calculated using a second key; and associate the second authentication tag with the data buffer as integrity verification for the data buffer.

公开(公告)号：US20230396599A1

公开(公告)日：2023-12-07

申请号：US18453970

申请日：2023-08-22

Applicant: Intel Corporation

Inventor： Luis Kida ,  Reshma Lal

IPC: H04L9/40 ,  G06F13/28 ,  H04L9/08 ,  G06F9/50 ,  H04L9/32

CPC classification number: H04L63/0485 ,  H04L63/0435 ,  H04L63/123 ,  H04L63/061 ,  G06F13/28 ,  H04L9/0825 ,  G06F9/5044 ,  H04L9/085 ,  G06F9/5083 ,  H04L9/3242

Abstract: An apparatus to facilitate protecting data transfer between a secure application and networked devices is disclosed. The apparatus includes a processor to provide a trusted execution environment (TEE) to run an application, wherein the processor is to utilize the application in the TEE to: generate encrypted data of the application; copy the encrypted data to a local shared buffer; interface with a source network interface controller (NIC) to initiate a copy over a network of the encrypted data from the local shared buffer to a remote buffer of a remote platform, wherein the source NIC operates outside of a trust boundary of the TEE; and communicate at least one message with the remote platform to indicate that the encrypted data is available and to enable the remote platform to verify integrity of the encrypted data, wherein the one least one message comprises an authentication tag.