-
公开(公告)号:US11023622B2
公开(公告)日:2021-06-01
申请号:US16458016
申请日:2019-06-29
Applicant: Intel Corporation
Inventor: Carlos V. Rozas , Mona Vij , Somnath Chakrabarti
Abstract: A method performed by a processor of an aspect includes accessing an encrypted copy of a protected container page stored in a regular memory. A determination is made whether the protected container page was live stored out, while able to remain useable in, protected container memory. The method also includes either performing a given security check, before determining to store the protected container page to a destination page in a first protected container memory, if it was determined that the protected container page was live stored out, or not performing the given security check, if it was determined that the protected container page was not live stored out. Other methods, as well as processors, computer systems, and machine-readable medium providing instructions are also disclosed.
-
公开(公告)号:US10540291B2
公开(公告)日:2020-01-21
申请号:US15592089
申请日:2017-05-10
Applicant: Intel Corporation
Inventor: Krystof C. Zmudzinski , Carlos V. Rozas , Francis X. McKeen , Rebekah M. Leslie-Hurd , Meltem Ozsoy , Somnath Chakrabarti , Mona Vij
IPC: G06F12/1027 , G06F12/1009 , G06F12/14 , G06F9/455
Abstract: Translation lookaside buffer (TLB) tracking and managing technologies are described. A processing device comprises a translation lookaside buffer (TLB) and a processing core to execute a virtual machine monitor (VMM), the VMM to manage a virtual machine (VM) including virtual processors. The processing core to execute, via the VM, a plurality of conversion instructions on at least one of the virtual processors to convert a plurality of non-secure pages to a plurality of secure pages. The processing core also to execute, via the VM, one or more allocation instructions on the at least one of the virtual processors to allocate at least one secure page of the plurality of secure pages, execution of the one or more allocation instructions to include determining whether the TLB is cleared of mappings to the at least one secure page prior to allocating the at least one secure page.
-
公开(公告)号:US10346641B2
公开(公告)日:2019-07-09
申请号:US15274217
申请日:2016-09-23
Applicant: Intel Corporation
Inventor: Carlos V. Rozas , Mona Vij , Somnath Chakrabarti
Abstract: A method performed by a processor of an aspect includes accessing an encrypted copy of a protected container page stored in a regular memory. A determination is made whether the protected container page was live stored out, while able to remain useable in, protected container memory. The method also includes either performing a given security check, before determining to store the protected container page to a destination page in a first protected container memory, if it was determined that the protected container page was live stored out, or not performing the given security check, if it was determined that the protected container page was not live stored out. Other methods, as well as processors, computer systems, and machine-readable medium providing instructions are also disclosed.
-
公开(公告)号:US10089447B2
公开(公告)日:2018-10-02
申请号:US15621864
申请日:2017-06-13
Applicant: Intel Corporation
Inventor: Prashant Pandey , Mona Vij , Somnath Chakrabarti , Krystof C. Zmudzinski
IPC: G06F21/12 , G06F12/0817 , G06F12/14 , G06F13/24 , G06F12/0875 , G06F12/0811
Abstract: Instructions and logic fork processes and establish child enclaves in a secure enclave page cache (EPC). Instructions specify addresses for secure storage allocated to enclaves of a parent and a child process to store secure enclave control structure (SECS) data, application data, code, etc. The processor includes an EPC to store enclave data of the parent and child processes. Embodiments of the parent may execute, or a system may execute an instruction to copy parent SECS to secure storage for the child, initialize a unique child ID and link to the parent's SECS/ID. Embodiments of the child may execute, or the system may execute an instruction to copy pages from the parent enclave to the enclave of the child where both have the same key, set an entry for EPC mapping to partial completion, and record a page state in the child enclave, if interrupted. Thus copying can be resumed.
-
公开(公告)号:US20180183578A1
公开(公告)日:2018-06-28
申请号:US15391268
申请日:2016-12-27
Applicant: Intel Corporation
Inventor: Somnath Chakrabarti , Vincent R. Scarlata , Mona Vij , Carlos V. Rozas , Ilya Alexandrovich , Simon P. Johnson
CPC classification number: H04L9/3247 , G06F21/53 , G06F21/602 , H04L9/0861 , H04L9/0897
Abstract: A secure key manager enclave is provided on a host computing system to send an attestation quote to a secure key store system identifying attributes of the key manager enclave and signed by a hardware-based key of the host computing system to attest to trustworthiness of the secure key manager enclave. The secure key manager enclave receives a request to provide a root key for a particular virtual machine to be run on the host computing system, generates a secure data structure in secure memory of the host computing system to be associated with the particular virtual machine, and provisions the root key in the secure data structure using the key manager enclave, where the key manager enclave is to have privileged access to the secure data structure.
-
Patent Agency Ranking
公开(公告)号:US09942035B2
公开(公告)日:2018-04-10
申请号:US14829340
申请日:2015-08-18
Applicant: INTEL CORPORATION
Inventor: Carlos V. Rozas , Mona Vij , Rebekah M. Leslie-Hurd , Krystof C. Zmudzinski , Somnath Chakrabarti , Francis X. McKeen , Vincent R. Scarlata , Simon P. Johnson , Ilya Alexandrovich
CPC classification number: H04L9/0891 , G06F9/45558 , G06F2009/45575 , G06F2009/45587 , H04L63/061 , H04L63/10 , H04L67/34
Abstract: A processor to support platform migration of secure enclaves is disclosed. In one embodiment, the processor includes a memory controller unit to access secure enclaves and a processor core coupled to the memory controller unit. The processor core to identify a control structure associated with a secure enclave. The control structure comprises a plurality of data slots and keys associated with a first platform comprising the memory controller unit and the processor core. A version of data from the secure enclave is associated with the plurality of data slots. Migratable keys are generated as a replacement for the keys associated with the control structure. The migratable keys control access to the secure enclave. Thereafter, the control structure is migrated to a second platform to enable access to the secure enclave on the second platform.
-
公开(公告)号:US09798881B2
公开(公告)日:2017-10-24
申请号:US14721138
申请日:2015-05-26
Applicant: Intel Corporation
Inventor: Jason A Davidson , Somnath Chakrabarti , Neeru S Pahwa , Micah K Bhakti
CPC classification number: G06F21/575 , G06F8/62 , G06F9/4416 , G06F9/44526 , G06F9/45533 , H04L67/34 , H04L67/42
Abstract: Generally, this disclosure provides methods and systems for dynamic feature enhancement in client server applications and for high volume server deployment with dynamic app store integration and further enable the delivery of a secure server in a pre-configured turnkey state through an automated process with increased efficiency tailored to mass production. The system may include a server application module configured to receive request packets from, and send response packets to, a web based client application, the packets comprising input data, output data and control commands associated with a feature; and a script engine module coupled to the server application module, the script engine module configured to identify a plug-in application on a remote server, download the plug-in application and execute the plug-in application under control of the server application module, wherein the plug-in application implements the feature.
-
28.发明授权公开(公告)号:US09710401B2
公开(公告)日:2017-07-18
申请号:US14752227
申请日:2015-06-26
Applicant: Intel Corporation
Inventor: Carlos V. Rozas , Mona Vij , Rebekah M. Leslie-Hurd , Krystof C. Zmudzinski , Somnath Chakrabarti , Francis X. McKeen , Vincent R. Scarlata , Simon P. Johnson , Ilya Alexandrovich , Gilbert Neiger , Vedvyas Shanbhogue , Ittai Anati
CPC classification number: G06F12/1408 , G06F8/41 , G06F9/30145 , G06F9/45558 , G06F21/53 , G06F21/602 , G06F2009/4557 , G06F2009/45587 , G06F2212/1052
Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.
-
29.发明申请Apparatus and Method for Implementing A Forked System Call In A System With A Protected Region 有权在具有受保护区域的系统中实现分岔系统的装置和方法公开(公告)号:US20160283409A1
公开(公告)日:2016-09-29
申请号:US14671346
申请日:2015-03-27
Applicant: Intel Corporation
Inventor: Prashant Pandey , Mona Vij , Somnath Chakrabarti , Krystof C. Zmudzinski
Abstract: In an embodiment, at least one machine-readable storage medium includes instructions that when executed enable a system to receive, at a special library of a parent process located outside of a parent protected region of the parent process, from the parent protected region of the parent process, a call to create a child process and responsive to the call received at the special library, issue by the special library a first request and a second request. The first request is to execute, by a processor, a non-secure instruction to create the child process. The second request is to execute, by the processor, a first secure instruction to create a child protected region within the child process. Responsive to the first request the child process is to be created and responsive to the second request the child protected region is to be created. Other embodiments are described and claimed.
Abstract translation: 在一个实施例中,至少一个机器可读存储介质包括指令,当被执行时,系统可以在位于父进程的父保护区域之外的父进程的特殊库处接收来自父进程的父保护区域 父进程,调用创建子进程并响应在特殊库中接收的呼叫,由特殊库发出第一请求和第二请求。 第一个请求是由处理器执行非安全指令来创建子进程。 第二个请求是由处理器执行第一个安全指令,以在子进程中创建子保护区域。 响应于第一个请求,子进程将被创建并响应第二个请求创建子保护区域。 描述和要求保护其他实施例。
-
30.发明授权公开(公告)号:US11055236B2
公开(公告)日:2021-07-06
申请号:US16729251
申请日:2019-12-27
Applicant: Intel Corporation
Inventor: Carlos V. Rozas , Mona Vij , Rebekah M. Leslie-Hurd , Krystof C. Zmudzinski , Somnath Chakrabarti , Francis X. Mckeen , Vincent R. Scarlata , Simon P. Johnson , Ilya Alexandrovich , Gilbert Neiger , Vedvyas Shanbhogue , Ittai Anati
Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.
-
-
-
-
-
-
-
-
-
Search Results
41
records
(took 0.036 seconds)
