公开(公告)号：US11816040B2

公开(公告)日：2023-11-14

申请号：US17712109

申请日：2022-04-02

Applicant: Intel Corporation

Inventor： Vidhya Krishnan ,  Siddhartha Chhabra ,  David Puffer ,  Ankur Shah ,  Daniel Nemiroff ,  Utkarsh Y. Kakaiya

IPC: G06F12/00 ,  G06F12/14 ,  G06F11/10 ,  G06F12/02

CPC classification number: G06F12/1433 ,  G06F11/1004 ,  G06F12/0292 ,  G06F12/1408 ,  G06F12/1466 ,  G06F12/1483

Abstract: Device memory protection for supporting trust domains is described. An example of a computer-readable storage medium includes instructions for allocating device memory for one or more trust domains (TDs) in a system including one or more processors and a graphics processing unit (GPU); allocating a trusted key ID for a TD of the one or more TDs; creating LMTT (Local Memory Translation Table) mapping for address translation tables, the address translation tables being stored in a device memory of the GPU; transitioning the TD to a secure state; and receiving and processing a memory access request associated with the TD, processing the memory access request including accessing a secure version of the address translation tables.

公开(公告)号：US20230289433A1

公开(公告)日：2023-09-14

申请号：US18154334

申请日：2023-01-13

Applicant: Intel Corporation

Inventor： Utkarsh Y. Kakaiya ,  Jiewen Yao

IPC: G06F21/53

CPC classification number: G06F21/53 ,  G06F2221/033

Abstract: Systems, methods, and apparatuses for implementing device security manager architecture for trusted execution environment input/output (TEE-IO) capable system-on-a-chip integrated devices are described. In one example, a system includes a hardware processor core configurable to implement a trust domain manager to manage one or more virtual machines as a respective trust domain isolated from a virtual machine monitor, and an input/output device coupled to the hardware processor core and comprising a device security manager circuit, wherein the device security manager circuit is to, in response to an trusted request from the trust domain manager to a control interface of the device security manager circuit, access a state of a trusted device interface of the input/output device for a trust domain of the trust domain manager, and provide a corresponding response to the trust domain manager.

公开(公告)号：US11734209B2

公开(公告)日：2023-08-22

申请号：US17550977

申请日：2021-12-14

Applicant: Intel Corporation

Inventor： Sanjay Kumar ,  Rajesh M. Sankaran ,  Philip R. Lantz ,  Utkarsh Y. Kakaiya ,  Kun Tian

IPC: G06F13/28 ,  G06F13/24 ,  G06F9/455 ,  G06F9/48

CPC classification number: G06F13/24 ,  G06F9/45558 ,  G06F9/4812 ,  G06F2009/45579

Abstract: Implementations of the disclosure provide processing device comprising: an interrupt managing circuit to receive an interrupt message directed to an application container from an assignable interface (AI) of an input/output (I/O) device. The interrupt message comprises an address space identifier (ASID), an interrupt handle and a flag to distinguish the interrupt message from a direct memory access (DMA) message. Responsive to receiving the interrupt message, a data structure associated with the interrupt managing circuit is identified. An interrupt entry from the data structure is selected based on the interrupt handle. It is determined that the ASID associated with the interrupt message matches an ASID in the interrupt entry. Thereupon, an interrupt in the interrupt entry is forwarded to the application container.

公开(公告)号：US20230032236A1

公开(公告)日：2023-02-02

申请号：US17875198

申请日：2022-07-27

Applicant: Intel Corporation

Inventor： Rajesh M. Sankaran ,  Philip R. Lantz ,  Narayan Ranganathan ,  Saurabh Gayen ,  Sanjay Kumar ,  Nikhil Rao ,  Dhananjay A. Joshi ,  Hai Ming Khor ,  Utkarsh Y. Kakaiya

IPC: G06F3/06

Abstract: Methods and apparatus relating to data streaming accelerators are described. In an embodiment, a hardware accelerator such as a Data Streaming Accelerator (DSA) logic circuitry provides high-performance data movement and/or data transformation for data to be transferred between a processor (having one or more processor cores) and a storage device. Other embodiments are also disclosed and claimed.

公开(公告)号：US11556436B2

公开(公告)日：2023-01-17

申请号：US16211930

申请日：2018-12-06

Applicant: Intel Corporation

Inventor： Manasi Deval ,  Nrupal Jani ,  Parthasarathy Sarangam ,  Mitu Aggarwal ,  Kiran Patil ,  Rajesh M. Sankaran ,  Sanjay K. Kumar ,  Utkarsh Y. Kakaiya ,  Philip Lantz ,  Kun Tian

IPC: G06F11/20 ,  G06F3/06 ,  G06F13/16 ,  G06F13/42 ,  G06F13/40 ,  G06F15/173 ,  G06F9/455 ,  G06F9/48

Abstract: Examples may include a method of protecting memory and I/O transactions. The method includes allocating memory for an application, assigning a resource of a physical device to the application, assigning a process address space identifier to the assigned resource, creating a security enclave to protect the allocated memory of the application, and associating the security enclave with the process address space identifier to protect the allocated memory and the assigned resource.

公开(公告)号：US11556363B2

公开(公告)日：2023-01-17

申请号：US16479395

申请日：2017-03-31

Applicant: Intel Corporation

Inventor： Sanjay Kumar ,  Philip R. Lantz ,  Kun Tian ,  Utkarsh Y. Kakaiya ,  Rajesh M. Sankaran

IPC: G06F9/455 ,  G06F9/30 ,  G06F12/1009

Abstract: Techniques for transferring virtual machines and resource management in a virtualized computing environment are described. In one embodiment, for example, an apparatus may include at least one memory, at least one processor, and logic for transferring a virtual machine (VM), at least a portion of the logic comprised in hardware coupled to the at least one memory and the at least one processor, the logic to generate a plurality of virtualized capability registers for a virtual device (VDEV) by virtualizing a plurality of device-specific capability registers of a physical device to be virtualized by the VM, the plurality of virtualized capability registers comprising a plurality of device-specific capabilities of the physical device, determine a version of the physical device to support via a virtual machine monitor (VMM), and expose a subset of the virtualized capability registers associated with the version to the VM. Other embodiments are described and claimed.

公开(公告)号：US11550746B2

公开(公告)日：2023-01-10

申请号：US16727466

申请日：2019-12-26

Applicant: Intel Corporation

Inventor： Vinay Raghav ,  David J. Harriman ,  Utkarsh Y. Kakaiya

IPC: G06F13/12 ,  G06F13/40 ,  G06F9/30 ,  G06F12/06 ,  G06F13/42

Abstract: A device includes a plurality of ports and a plurality of capability registers that correspond to a respective one of the plurality of ports. The device is to connect to one or more processors of a host device through the plurality of ports, and each of the plurality of ports comprises a respective protocol stack to support a respective link between the corresponding port and the host device according to a particular interconnect protocol. Each of the plurality of capability registers comprises a respective set of fields for use in configuration of the link between its corresponding port and one of the one or more processors of the host device. The fields include a field to indicate an association between the port and a particular processor, a field to indicate a port identifier for the port, and a field to indicate a total number of ports of the device.

公开(公告)号：US11416415B2

公开(公告)日：2022-08-16

申请号：US16444053

申请日：2019-06-18

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Pradeep M. Pappachan ,  Luis Kida ,  Krystof Zmudzinski ,  Siddhartha Chhabra ,  Abhishek Basak ,  Alpa Narendra Trivedi ,  Anna Trikalinou ,  David M. Lee ,  Vedvyas Shanbhogue ,  Utkarsh Y. Kakaiya

IPC: G06F12/14 ,  H04L9/32 ,  G06F21/76 ,  G06F21/60 ,  H04L9/08 ,  G06F9/455 ,  G06F21/57 ,  G06F21/64 ,  H04L41/28 ,  G06F21/79 ,  H04L41/046 ,  H04L9/06 ,  G06F9/38 ,  G06F12/0802

Abstract: Technologies for secure device configuration and management include a computing device having an I/O device. A trusted agent of the computing device is trusted by a virtual machine monitor of the computing device. The trusted agent securely commands the I/O device to enter a trusted I/O mode, securely commands the I/O device to set a global lock on configuration registers, receives configuration data from the I/O device, and provides the configuration data to a trusted execution environment. In the trusted I/O mode, the I/O device rejects a configuration command if a configuration register associated with the configuration command is locked and the configuration command is not received from the trusted agent. The trusted agent may provide attestation information to the trusted execution environment. The trusted execution environment may verify the configuration data and the attestation information. Other embodiments are described and claimed.

公开(公告)号：US20220222340A1

公开(公告)日：2022-07-14

申请号：US17711883

申请日：2022-04-01

Applicant: Intel Corporation

Inventor： Vidhya Krishnan ,  Ankur Shah ,  Bryan White ,  Daniel Nemiroff ,  David Puffer ,  Julien Carreno ,  Scott Janus ,  Ravi Sahita ,  Hema Nalluri ,  Utkarsh Y. Kakaiya

IPC: G06F21/55 ,  G06F21/54 ,  G06F21/60 ,  G06F9/50

Abstract: Security and support for trust domain operation is described. An example of a method includes processing, at an accelerator, one or more compute workloads received from a host system; upon receiving a notification that a trust domain has transitioned to a secure state, transition an original set of privileges for the accelerator to a downgraded set of privileges; upon receiving a command from the host system for the trust domain, processing the command in accordance with the trust domain; and upon receiving a request from the host system to access a register, for a register included in an allowed list of registers for access, allow access to the register, and, for a register that is not within the allowed list of registers for access, disallowing access to the register.

公开(公告)号：US20220100911A1

公开(公告)日：2022-03-31

申请号：US17548170

申请日：2021-12-10

Applicant: Intel Corporation

Inventor： Anna Trikalinou ,  Abhishek Basak ,  Rupin H. Vakharwala ,  Utkarsh Y. Kakaiya

IPC: G06F21/83 ,  G06F21/62 ,  G06F21/78

Abstract: In one embodiment, a read request is received from a peripheral device across an interconnect, with the read request including a process identifier and an encrypted virtual address. One or more keys are obtained based on the process identifier of the read request, and the encrypted virtual address of the read request is decrypted based on the one or more keys to obtain an unencrypted virtual address. Encrypted data is retrieved from memory based on the unencrypted virtual address, and the encrypted data is decrypted based on the one or more keys to obtain plaintext data. The plaintext data is transmitted to the peripheral device across the interconnect.