公开(公告)号：US20190156038A1

公开(公告)日：2019-05-23

申请号：US16260850

申请日：2019-01-29

Applicant: Intel Corporation

Inventor： Pradeep M. Pappachan ,  Reshma Lal ,  Bin Xing ,  Siddhartha Chhabra ,  Vincent R. Scarlata ,  Steven B. McGowan

IPC: G06F21/57 ,  G06F13/28 ,  G06F21/60

Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information. The computing device may collect application attestation information for a trusted application that uses the trusted I/O usage and verify the application attestation information. Other embodiments are described and claimed.

公开(公告)号：US10296766B2

公开(公告)日：2019-05-21

申请号：US15868634

申请日：2018-01-11

Applicant: Intel Corporation

Inventor： Soham Jayesh Desai ,  Reshma Lal ,  Pradeep Pappachan ,  Bin Xing

IPC: G06F11/30 ,  G06F21/85 ,  G06F13/38 ,  G06F13/42 ,  G06F21/44 ,  G06F21/72

Abstract: Technologies for secure enumeration of USB devices include a computing device having a USB controller and a trusted execution environment (TEE). The TEE may be a secure enclave protected secure enclave support of the processor. In response to a USB device connecting to the USB controller, the TEE sends a secure command to the USB controller to protect a device descriptor for the USB device. The secure command may be sent over a secure channel to a static USB device. A driver sends a get device descriptor request to the USB device, and the USB device responds with the device descriptor. The USB controller redirects the device descriptor to a secure memory buffer, which may be located in a trusted I/O processor reserved memory region. The TEE retrieves and validates the device descriptor. If validated, the TEE may enable the USB device for use. Other embodiments are described and claimed.

公开(公告)号：US10181946B2

公开(公告)日：2019-01-15

申请号：US14974956

申请日：2015-12-18

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Steven B. McGowan ,  Siddhartha Chhabra ,  Gideon Gerzon ,  Bin Xing ,  Pradeep M. Pappachan ,  Reouven Elbaz

IPC: H04L9/06 ,  G06F13/28 ,  H04L9/08 ,  H04L9/32

Abstract: Technologies for cryptographic protection of I/O data include a computing device with one or more I/O controllers. Each I/O controller may generate a direct memory access (DMA) transaction that includes a channel identifier that is indicative of the I/O controller and that is indicative of an I/O device coupled to the I/O controller. The computing device intercepts the DMA transaction and determines whether to protect the DMA transaction as a function of the channel identifier. If so, the computing device performs a cryptographic operation using an encryption key associated with the channel identifier. The computing device may include a cryptographic engine that intercepts the DMA transaction and determines whether to protect the DMA transaction by determining whether the channel identifier matches an entry in a channel identifier table of the cryptographic engine. Other embodiments are described and claimed.

公开(公告)号：US20180011793A1

公开(公告)日：2018-01-11

申请号：US15711615

申请日：2017-09-21

Applicant: Intel Corporation

Inventor： Rebekah M. Leslie-Hurd ,  Carlos V. Rozas ,  Francis X. Mckeen ,  Ilya Alexandrovich ,  Vedvyas Shanbhogue ,  Bin Xing ,  Mark W. Shanahan ,  Simon P. Johnson

IPC: G06F12/0844 ,  G06F12/0882

CPC classification number: G06F12/0844 ,  G06F11/073 ,  G06F11/0775 ,  G06F12/0882 ,  G06F2212/1032 ,  G06F2212/1052 ,  G06F2212/281 ,  G06F2212/312 ,  G06F2212/402 ,  G06F2212/608

Abstract: A processor implementing techniques to supporting fault information delivery is disclosed. In one embodiment, the processor includes a memory controller unit to access an enclave page cache (EPC) and a processor core coupled to the memory controller unit. The processor core to detect a fault associated with accessing the EPC and generate an error code associated with the fault. The error code reflects an EPC-related fault cause. The processor core is further to encode the error code into a data structure associated with the processor core. The data structure is for monitoring a hardware state related to the processor core.

公开(公告)号：US20170364689A1

公开(公告)日：2017-12-21

申请号：US15628012

申请日：2017-06-20

Applicant: Intel Corporation

Inventor： Pradeep M. Pappachan ,  Reshma Lal ,  Siddhartha Chhabra ,  Gideon Gerzon ,  Baruch Chaikin ,  Bin Xing ,  William A. Stevens, JR.

IPC: G06F21/60 ,  G06F21/57 ,  H04L9/32

CPC classification number: G06F21/602 ,  G06F13/20 ,  G06F13/28 ,  G06F21/51 ,  G06F21/57 ,  G06F21/6218 ,  G06F21/6281 ,  G06F21/85 ,  G09C1/00 ,  H04L9/0637 ,  H04L9/32 ,  H04L9/3242 ,  H04L63/12 ,  H04L63/126

Abstract: Technologies for securely binding a manifest to a platform include a computing device having a security engine and a field-programmable fuse. The computing device receives a platform manifest indicative of a hardware configuration of the computing device and a manifest hash. The security engine of the computing device blows a bit of a field programmable fuse and then stores the manifest hash and a counter value of the field-programmable fuse in integrity-protected non-volatile storage. In response to a platform reset, the security engine verifies the stored manifest hash and counter value and then determines whether the stored counter value matches the field-programmable fuse. If verified and current, trusted software may calculate a hash of the platform manifest and compare the calculated hash to the stored manifest hash. If matching, the platform manifest may be used to discover platform hardware. Other embodiments are described and claimed.

公开(公告)号：US20170026171A1

公开(公告)日：2017-01-26

申请号：US14974956

申请日：2015-12-18

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Steven B. McGowan ,  Siddhartha Chhabra ,  Gideon Gerzon ,  Bin Xing ,  Pradeep M. Pappachan ,  Reouven Elbaz

IPC: H04L9/06 ,  G06F13/28 ,  H04L9/08

CPC classification number: H04L9/0631 ,  G06F13/28 ,  H04L9/0618 ,  H04L9/0822 ,  H04L9/3242

Abstract: Technologies for cryptographic protection of I/O data include a computing device with one or more I/O controllers. Each I/O controller may be coupled to one or more I/O devices. Each I/O controller may generate a direct memory access (DMA) transaction that includes a channel identifier that is indicative of the I/O controller and that is indicative of an I/O device coupled to the I/O controller. The computing device intercepts the DMA transaction and determines whether to protect the DMA transaction as a function of the channel identifier. If so, the computing device performs a cryptographic operation using an encryption key associated with the channel identifier. The computing device may include a cryptographic engine that intercepts the DMA transaction and determines whether to protect the DMA transaction by determining whether the channel identifier matches an entry in a channel identifier table of the cryptographic engine. Other embodiments are described and claimed.

Abstract translation: 用于I / O数据加密保护的技术包括具有一个或多个I / O控制器的计算设备。 每个I / O控制器可以耦合到一个或多个I / O设备。 每个I / O控制器可以生成包括指示I / O控制器并且指示耦合到I / O控制器的I / O设备的信道标识符的直接存储器访问（DMA）事务。 计算设备拦截DMA事务，并根据信道标识确定是否保护DMA事务。 如果是这样，则计算设备使用与该信道标识符相关联的加密密钥来执行密码操作。 计算设备可以包括密码引擎，其拦截DMA事务并且通过确定信道标识符是否匹配密码引擎的信道标识符表中的条目来确定是否保护DMA事务。 描述和要求保护其他实施例。

公开(公告)号：US20160054945A1

公开(公告)日：2016-02-25

申请号：US14701228

申请日：2015-04-30

Applicant: INTEL CORPORATION

Inventor： Bin Xing

IPC: G06F3/06 ,  G06F21/53

CPC classification number: G06F3/0634 ,  G06F3/0623 ,  G06F3/0644 ,  G06F3/0664 ,  G06F3/0673 ,  G06F12/0223 ,  G06F12/08 ,  G06F12/0802 ,  G06F12/0866 ,  G06F12/10 ,  G06F21/53 ,  G06F21/74 ,  G06F2212/1041 ,  G06F2212/1056 ,  G06F2221/033

Abstract: A system and method for adapting a secure application execution environment to support multiple configurations includes determining a maximum configuration for the secure application execution environment, determining an optimal configuration for the secure application environment, and, at load time, configuring the secure application execution environment for the optimal configuration.

Abstract translation: 用于调整安全应用执行环境以支持多个配置的系统和方法包括确定用于安全应用执行环境的最大配置，确定用于安全应用环境的最佳配置，以及在加载时配置安全应用执行环境 最佳配置。

公开(公告)号：US09058494B2

公开(公告)日：2015-06-16

申请号：US13838038

申请日：2013-03-15

Applicant: Intel Corporation

Inventor： Bin Xing

IPC: G06F21/00 ,  G06F21/60 ,  G06F21/62 ,  G06F21/72 ,  G06F21/74

CPC classification number: G06F21/60 ,  G06F21/53 ,  G06F21/6218 ,  G06F21/72 ,  G06F21/74

Abstract: Technologies are provided in embodiments for receiving an enclave program for operation in an enclave, identifying at least one shared object dependency of the enclave program, determining whether the shared object dependency corresponds to at least one enclave shared object, causing association between the shared object dependency and the enclave shared object in circumstances where the shared object dependency corresponds to the enclave shared object, and causing association between the shared object dependency and an enclave-loadable non-enclave shared object in circumstances where the shared object dependency fails to correspond to the enclave shared object.

Abstract translation: 技术在实施例中提供用于接收用于在飞地中操作的飞地程序，识别飞地程序的至少一个共享对象依赖性，确定共享对象依赖关系是否对应于至少一个飞地共享对象，从而引起共享对象依赖关系 以及在共享对象依赖关系对应于包围共享对象的情况下的包围共享对象，并且在共享对象依赖关系不能对应于飞地的情况下引起共享对象依赖关系和可扩展可加载非共享共享对象之间的关联 共享对象。

公开(公告)号：US20220083347A1

公开(公告)日：2022-03-17

申请号：US17019880

申请日：2020-09-14

Applicant: Intel Corporation

Inventor： Scott Constable ,  Bin Xing ,  Fangfei Liu ,  Thomas Unterluggauer ,  Krystof Zmudzinski

IPC: G06F9/4401 ,  G06F9/30

Abstract: A method comprises receiving an instruction to resume operations of an enclave in a cloud computing environment and generating a pseud-random time delay before resuming operations of the enclave in the cloud computing environment.

公开(公告)号：US20220035923A1

公开(公告)日：2022-02-03

申请号：US17451922

申请日：2021-10-22

Applicant: Intel Corporation

Inventor： Pradeep M. Pappachan ,  Reshma Lal ,  Bin Xing ,  Siddhartha Chhabra ,  Vincent R. Scarlata ,  Steven B. McGowan

IPC: G06F21/57 ,  G06F21/60

Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information. The computing device may collect application attestation information for a trusted application that uses the trusted I/O usage and verify the application attestation information. Other embodiments are described and claimed.