-
Publication No.: US20190044729A1
Publication Date: 2019-02-07
Application No.: US15859295
Filing Date: 2017-12-29
Applicant: Intel Corporation
Inventor: Siddhartha Chhabra , Vedvyas Shanbhogue
Abstract: A processor is provided that includes on-die memory, a protected memory region, and a memory encryption engine (MEE). The MEE includes logic to: receive a request for data in a particular page in the protected region of memory, and access a pointer in an indirection directory, where the pointer is to point to a particular metadata page stored outside the protected region of memory. The particular metadata page includes a first portion of security metadata for use in securing the data of the particular page. The MEE logic is further to access a second portion of the security metadata associated with the particular page from the protected region of memory, and determine authenticity of the data of the particular page based on the first and second portions of the security metadata.
-
Publication No.: US20190044710A1
Publication Date: 2019-02-07
Application No.: US15856568
Filing Date: 2017-12-28
Applicant: Intel Corporation
Inventor: Bo Zhang , Siddhartha Chhabra , William A. Stevens , Reshma Lal
Abstract: Technologies for establishing device locality are disclosed. A processor in a computing device generates an identifier distinct to the computing device. The processor transmits the identifier to a management controller via a hardware bus in the computing device. The processor generates a key and encrypts the key with the identifier to generate a wrapped key. The processor transmits the wrapped key to the management controller. In turn, the management controller unwraps the key using the identifier. Other embodiments are described and claimed.
-
Publication No.: US20190042764A1
Publication Date: 2019-02-07
Application No.: US15808986
Filing Date: 2017-11-10
Applicant: Intel Corporation
Inventor: David M. Durham , Siddhartha Chhabra , Ravi L. Sahita , Barry E. Huntley , Gilbert Neiger , Gideon Gerzon , Baiju V. Patel
IPC: G06F21/60 , G06F3/06 , G06F12/1009
Abstract: In a public cloud environment, each consumer's/guest's workload is encrypted in a cloud service provider's (CSP's) server memory using a consumer-provided key unknown to the CSP's workload management software. An encrypted consumer/guest workload image is loaded into the CSP's server memory at a memory location specified by the CSP's workload management software. Based upon the CSP-designated memory location, the guest workload determines the expected hardware physical addresses into which memory mapping structures and other types of consumer data should be loaded. These expected hardware physical addresses are specified by the guest workload in a memory ownership table (MOT), which is used to check that subsequent CSP-designated memory mappings are as expected. Memory ownership table entries may also be encrypted by the consumer-provided key unknown to the CSP.
-
Publication No.: US20190042485A1
Publication Date: 2019-02-07
Application No.: US15857803
Filing Date: 2017-12-29
Applicant: Intel Corporation
Inventor: Reshma Lal , Siddhartha Chhabra
Abstract: Technologies for secure I/O with an external peripheral device link controller include a computing device coupled to an external dock device by an external peripheral link, such as a Thunderbolt link. The external dock device includes an I/O controller that receives device data from an I/O device, generates a channel identifier associated with the I/O device, and transmits I/O data that includes the channel identifier to a dock controller. The dock controller encapsulates the I/O data to generate peripheral link protocol data and transmits the peripheral link protocol data to a host controller of the computing device over the external peripheral link. The host controller de-encapsulates the peripheral link protocol data and forwards the I/O data to memory. The channel identifier may be a predetermined value associated with the I/O controller, or may include a controller identifier associated with the host controller. Other embodiments are described and claimed.
-
Publication No.: US20190042475A1
Publication Date: 2019-02-07
Application No.: US16021496
Filing Date: 2018-06-28
Applicant: Intel Corporation
Inventor: Santosh Ghosh , Kirk Yap , Siddhartha Chhabra
Abstract: The disclosed embodiments generally relate to methods, systems and apparatuses to authenticate instructions on memory circuitry. In an exemplary embodiment, the disclosure relates to a computing device (e.g., a memory protection engine) to protect the integrity of one or more memory circuits. The computing device may include: a key-hash operator configured to provide a Message Authentication Code (MAC) for a Secure Hash Algorithm (SHA) as a function of a hash-key, MAC-key, metadata and data; multi-round (MR) circuitry configured to receive the MAC from the key-hash operator and to compute substantially all SHA round-functions during each clock cycle, the multi-round circuitry further comprising combination logic to process all sub-round functions of the SHA function substantially simultaneously; and a Memory Integrity Pipeline (MIP) engine to compute a hash digest, the hash digest further comprising a MAC key, metadata and the cache line data; the MIP further comprising input prep logic, SHA pipeline logic and MAC validation logic.
-
Publication No.: US10185842B2
Publication Date: 2019-01-22
Application No.: US14661044
Filing Date: 2015-03-18
Applicant: Intel Corporation
Inventor: Siddhartha Chhabra , Raghunandan Makaram , Jim McCormick , Binata Bhattacharyya
Abstract: This disclosure is directed to cache and data organization for memory protection. Memory protection operations in a device may be expedited by organizing the cache and/or data structures while providing memory protection for encrypted data. An example device may comprise a processing module and a memory module. The processing module may include a memory encryption engine (MEE) to decrypt encrypted data loaded from the memory module, or to encrypt plaintext data prior to storage in the memory module, using security metadata also stored in the memory module. Example security metadata may include version (VER) data, memory authentication code (MAC) data and counter data. Consistent with the present disclosure, a cache associated with the MEE may be partitioned to separate the VER and MAC data from the counter data. Data organization may comprise placing the VER and MAC data corresponding to particular data in the same data line.
-
Publication No.: US20190004843A1
Publication Date: 2019-01-03
Application No.: US15640478
Filing Date: 2017-07-01
Applicant: Intel Corporation
Inventor: David M. Durham , Siddhartha Chhabra , Michael E. Kounavis
IPC: G06F9/455 , G06F12/14 , H04L29/06 , G06F12/0891 , G06F21/53
CPC classification number: G06F9/45558 , G06F12/0891 , G06F12/1408 , G06F21/53 , G06F21/79 , H04L63/0227 , H04L63/0428 , H04L63/0435 , H04L63/0471 , H04L63/123 , H04L69/04
Abstract: Systems and methods for memory isolation are provided. The methods include receiving a request to write a data line to a physical memory address, where the physical memory address includes a key identifier, selecting an encryption key from a key table based on the key identifier of the physical memory address, determining whether the data line is compressible, compressing the data line to generate a compressed line in response to determining that the data line is compressible, where the compressed line includes compression metadata and compressed data, adding encryption metadata to the compressed line, where the encryption metadata is indicative of the encryption key, encrypting a part of the compressed line with the encryption key to generate an encrypted line in response to adding the encryption metadata, and writing the encrypted line to a memory device at the physical memory address. Other embodiments are described and claimed.
-
Publication No.: US10108557B2
Publication Date: 2018-10-23
Application No.: US14750664
Filing Date: 2015-06-25
Applicant: Intel Corporation
Inventor: David M. Durham , Siddhartha Chhabra , Men Long , Eugene M. Kishinevsky
IPC: G06F11/30 , G06F12/14 , G06F12/0864 , H04L9/32
Abstract: Technologies for memory encryption include a computing device to generate a keyed hash of a data line based on a statistical counter value and a memory address to which to write the data line and to store the keyed hash to a cache line. The statistical counter value has a reference probability of incrementing at each write operation. The cache line includes a plurality of keyed hashes and each of the keyed hashes corresponds with a different data line. The computing device further encrypts the data line based on the keyed hash, the memory address, and the statistical counter value.
-
Publication No.: US10102370B2
Publication Date: 2018-10-16
Application No.: US14977391
Filing Date: 2015-12-21
Applicant: Intel Corporation
Inventor: Alpa Narendra Trivedi , Siddhartha Chhabra , David Durham
IPC: G06F3/06 , G06F21/55 , G06F12/0891 , G06F12/0893 , G06F12/14 , G06F21/60 , G06F12/1009 , G06F21/78
Abstract: Techniques to enable scalable cryptographically protected memory using on-chip memory are described. In one embodiment, an apparatus may comprise a processor component implemented on a first integrated circuit, an on-chip memory component implemented on the first integrated circuit, the on-chip memory component to include a memory page handler to manage memory pages stored on the on-chip memory component, and a cryptographic engine to encrypt and decrypt memory pages for the memory page handler, and an off-chip memory component implemented on a second integrated circuit coupled to the first integrated circuit, the off-chip memory component to store encrypted memory pages evicted from the on-chip memory component. Other embodiments are described and claimed.
-
Publication No.: US10068068B2
Publication Date: 2018-09-04
Application No.: US15395399
Filing Date: 2016-12-30
Applicant: Intel Corporation
Inventor: Alpa T. Narendra Trivedi , Siddhartha Chhabra , Karanvir S. Grewal , David M. Durham
IPC: G06F21/12
CPC classification number: G06F21/126 , G06F21/725 , G06F2221/0735
Abstract: A trusted time service is provided that can detect resets of a real-time clock and re-initialize the real-time clock with the correct time. The trusted time service provides a secure communication channel from an application requesting a timestamp to the real-time clock, so that malicious code (such as a compromised operating system) cannot intercept a timestamp as it is communicated from the real-time clock to the application. The trusted time service synchronizes wall-clock time with a trusted time server, as well as protects against replay attacks, where a valid data transmission (such as transmission of a valid timestamp) is maliciously or fraudulently repeated or delayed.
-