公开(公告)号：US20230315857A1

公开(公告)日：2023-10-05

申请号：US18131199

申请日：2023-04-05

Applicant: Intel Corporation

Inventor： Ravi L. Sahita ,  Baiju V. Patel ,  Barry E. Huntley ,  Gilbert Neiger ,  Hormuzd M. Khosravi ,  Ido Ouziel ,  David M. Durham ,  Ioannis T. Schoinas ,  Siddhartha Chhabra ,  Carlos V. Rozas ,  Gideon Gerzon

IPC: G06F21/57 ,  G06F21/62 ,  G06F12/14 ,  H04L9/06 ,  H04L9/40 ,  G06F21/53 ,  G06F21/71 ,  G06F21/79

CPC classification number: G06F21/57 ,  G06F21/6218 ,  G06F12/1408 ,  H04L9/0618 ,  H04L63/061 ,  G06F21/53 ,  G06F21/71 ,  G06F21/79 ,  G06F2009/45587

Abstract: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, a processing device includes a memory ownership table (MOT) that is access-controlled against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to manage a trust domain (TD), maintain a trust domain control structure (TDCS) for managing global metadata for each TD, maintain an execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is access-controlled against software accesses, and reference the MOT to obtain at least one key identifier (key ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key.

公开(公告)号：US11651085B2

公开(公告)日：2023-05-16

申请号：US16934089

申请日：2020-07-21

Applicant: Intel Corporation

Inventor： David M. Durham ,  Siddhartha Chhabra ,  Ravi L. Sahita ,  Barry E. Huntley ,  Gilbert Neiger ,  Gideon Gerzon ,  Baiju V. Patel

IPC: G06F21/60 ,  G06F3/06 ,  G06F12/1009 ,  G06F21/57 ,  G06F21/53

CPC classification number: G06F21/602 ,  G06F3/067 ,  G06F3/0623 ,  G06F3/0661 ,  G06F12/1009 ,  G06F21/53 ,  G06F21/57 ,  G06F2212/1052

Abstract: A processor executes an untrusted VMM that manages execution of a guest workload. The processor also populates an entry in a memory ownership table for the guest workload. The memory ownership table is indexed by an original hardware physical address, the entry comprises an expected guest address that corresponds to the original hardware physical address, and the entry is encrypted with a key domain key. In response to receiving a request from the guest workload to access memory using a requested guest address, the processor (a) obtains, from the untrusted VMM, a hardware physical address that corresponds to the requested guest address; (b) uses that physical address as an index to find an entry in the memory ownership table; and (c) verifies whether the expected guest address from the found entry matches the requested guest address. Other embodiments are described and claimed.

公开(公告)号：US20220413859A1

公开(公告)日：2022-12-29

申请号：US17358082

申请日：2021-06-25

Applicant: Intel Corporation

Inventor： Kameswar Subramaniam ,  Jason W. Brandt ,  H. Peter Anvin ,  Christopher M. Russell ,  Gilbert Neiger

IPC: G06F9/30 ,  G06F9/455 ,  G06F9/48

Abstract: In one embodiment, a processor includes: a front end circuit to fetch and decode a read list instruction, the read list instruction to cause storage to a memory of a software-provided list of processor state information; and an execution circuit coupled to the front end circuit. The execution circuit, in response to the decoded read list instruction, is to read the processor state information stored in the processor and store each datum of the processor state information into an entry of a data table in the memory. Other embodiments are described and claimed.

公开(公告)号：US11416624B2

公开(公告)日：2022-08-16

申请号：US16722707

申请日：2019-12-20

Applicant: Intel Corporation

Inventor： David M. Durham ,  Michael LeMay ,  Ramya Jayaram Masti ,  Gilbert Neiger ,  Jason W. Brandt

IPC: G06F21/60 ,  G06F9/30 ,  G06F21/72 ,  G06F21/79 ,  G06F21/12 ,  H04L9/08 ,  G06F12/14 ,  H04L9/14 ,  G06F21/62 ,  G06F12/0897 ,  G06F9/48 ,  H04L9/06 ,  G06F12/06 ,  G06F12/0875 ,  G06F12/0811 ,  G06F9/32 ,  G06F9/50 ,  G06F12/02 ,  G06F9/455

Abstract: Technologies disclosed herein provide cryptographic computing with cryptographically encoded pointers in multi-tenant environments. An example method comprises executing, by a trusted runtime, first instructions to generate a first address key for a private memory region in the memory and generate a first cryptographically encoded pointer to the private memory region in the memory. Generating the first cryptographically encoded pointer includes storing first context information associated with the private memory region in first bits of the first cryptographically encoded pointer and performing a cryptographic algorithm on a slice of a first linear address of the private memory region based, at least in part, on the first address key and a first tweak, the first tweak including the first context information. The method further includes permitting a first tenant in the multi-tenant environment to access the first address key and the first cryptographically encoded pointer to the private memory region.

公开(公告)号：US11416281B2

公开(公告)日：2022-08-16

申请号：US16474978

申请日：2016-12-31

Applicant: Intel Corporation

Inventor： Rajesh M. Sankaran ,  Gilbert Neiger ,  Narayan Ranganathan ,  Stephen R. Van Doren ,  Joseph Nuzman ,  Niall D. McDonnell ,  Michael A. O'Hanlon ,  Lokpraveen B. Mosur ,  Tracy Garrett Drysdale ,  Eriko Nurvitadhi ,  Asit K. Mishra ,  Ganesh Venkatesh ,  Deborah T. Marr ,  Nicholas P. Carter ,  Jonathan D. Pearce ,  Edward T. Grochowski ,  Richard J. Greco ,  Robert Valentine ,  Jesus Corbal ,  Thomas D. Fletcher ,  Dennis R. Bradford ,  Dwight P. Manley ,  Mark J. Charney ,  Jeffrey J. Cook ,  Paul Caprioli ,  Koichi Yamada ,  Kent D. Glossop ,  David B. Sheffield

IPC: G06F9/48 ,  G06F9/30 ,  G06F9/38

Abstract: Embodiments of systems, methods, and apparatuses for heterogeneous computing are described. In some embodiments, a hardware heterogeneous scheduler dispatches instructions for execution on one or more plurality of heterogeneous processing elements, the instructions corresponding to a code fragment to be processed by the one or more of the plurality of heterogeneous processing elements, wherein the instructions are native instructions to at least one of the one or more of the plurality of heterogeneous processing elements.

公开(公告)号：US11301309B2

公开(公告)日：2022-04-12

申请号：US16586028

申请日：2019-09-27

Applicant: Intel Corporation

Inventor： Hisham Shafi ,  Vedvyas Shanbhogue ,  Gilbert Neiger ,  James A. Coleman

IPC: G06F9/52 ,  G06F9/30 ,  G06F12/084 ,  G06F12/1009 ,  G06F13/16 ,  G06F12/0804 ,  G06F12/0868 ,  G06F9/22 ,  G06F9/38

Abstract: Systems, methods, and apparatuses relating to processor non-write-back capabilities are described. In one embodiment, a processor includes a plurality of logical processors, a control register comprising a non-write-back lock disable bit, a cache shared by the plurality of logical processors, a bus to couple the cache to a memory to service a memory request for the memory from the plurality of logical processors, and a memory controller to disable a non-write-back lock access of the bus for a read-modify-write type of the memory request issued by a logical processor of the plurality of logical processors when the non-write-back lock disable bit is set to a first value, and implement the non-write-back lock access of the bus for the read-modify-write type of the memory request when the non-write-back lock disable bit is set to a second value.

公开(公告)号：US20220019698A1

公开(公告)日：2022-01-20

申请号：US17449343

申请日：2021-09-29

Applicant: Intel Corporation

Inventor： David M. Durham ,  Gilbert Neiger ,  Barry E. Huntley ,  Ravi L. Sahita ,  Baiju V. Patel

IPC: G06F21/71 ,  G06F9/455 ,  G06F21/53 ,  G06F21/57 ,  G06F21/78 ,  G06F8/61 ,  H04L9/08

Abstract: According to one embodiment, a method comprises executing an untrusted host virtual machine monitor (VMM) to manage execution of at least one guest virtual machine (VM). The VMM receives an encrypted key domain key, an encrypted guest code image, and an encrypted guest control structure. The VM also issues a create command. In response, a processor creates a first key domain comprising a region of memory to be encrypted by a key domain key. The encrypted key domain key is decrypted to produce the key domain key, which is inaccessible to the VMM. The VMM issues a launch command. In response, a first guest VM is launched within the first key domain. In response to a second launch command, a second guest VM is launched within the first key domain. The second guest VM provides an agent to act on behalf of the VMM. Other embodiments are described and claimed.

公开(公告)号：US11176059B2

公开(公告)日：2021-11-16

申请号：US16831976

申请日：2020-03-27

Applicant: Intel Corporation

Inventor： David M. Durham ,  Siddhartha Chhabra ,  Amy L. Santoni ,  Gilbert Neiger ,  Barry E. Huntley ,  Hormuzd M. Khosravi ,  Baiju V. Patel ,  Ravi L. Sahita ,  Gideon Gerzon ,  Ido Ouziel ,  Ioannis T. Schoinas ,  Rajesh M. Sankaran

IPC: G06F12/14 ,  G06F21/53 ,  G06F21/78 ,  G06F21/60 ,  G06F21/82 ,  G06F3/06

Abstract: In one embodiment, an apparatus comprises a processor to read a data line from memory in response to a read request from a VM. The data line comprises encrypted memory data. The apparatus also comprises a memory encryption circuit in the processor. The memory encryption circuit is to use an address of the read request to select an entry from a P2K table; obtain a key identifier from the selected entry of the P2K table; use the key identifier to select a key for the read request; and use the selected key to decrypt the encrypted memory data into decrypted memory data. The processor is further to make the decrypted memory data available to the VM. The P2K table comprises multiple entries, each comprising (a) a key identifier for a page of memory and (b) an encrypted address for that page of memory. Other embodiments are described and claimed.

公开(公告)号：US11157303B2

公开(公告)日：2021-10-26

申请号：US16554885

申请日：2019-08-29

Applicant: Intel Corporation

Inventor： Vedvyas Shanbhogue ,  Gilbert Neiger ,  Arumugam Thiyagarajah

IPC: G06F11/30 ,  G06F9/455 ,  G06F11/22 ,  G06F12/1045 ,  G06F12/14

Abstract: A processor may include a register to store a bus-lock-disable bit and an execution unit to execute instructions. The execution unit may receive an instruction that includes a memory access request. The execution may further determine that the memory access request requires acquiring a bus lock, and, responsive to detecting that the bus-lock-disable bit indicates that bus locks are disabled, signal a fault to an operating system.

公开(公告)号：US20210096930A1

公开(公告)日：2021-04-01

申请号：US16586028

申请日：2019-09-27

Applicant: Intel Corporation

Inventor： Hisham Shafi ,  Vedvyas Shanbhogue ,  Gilbert Neiger ,  James A. Coleman

IPC: G06F9/52 ,  G06F12/1009 ,  G06F12/084 ,  G06F13/16 ,  G06F9/30

Abstract: Systems, methods, and apparatuses relating to processor non-write-back capabilities are described. In one embodiment, a processor includes a plurality of logical processors, a control register comprising a non-write-back lock disable bit, a cache shared by the plurality of logical processors, a bus to couple the cache to a memory to service a memory request for the memory from the plurality of logical processors, and a memory controller to disable a non-write-back lock access of the bus for a read-modify-write type of the memory request issued by a logical processor of the plurality of logical processors when the non-write-back lock disable bit is set to a first value, and implement the non-write-back lock access of the bus for the read-modify-write type of the memory request when the non-write-back lock disable bit is set to a second value.