公开(公告)号：US09904632B2

公开(公告)日：2018-02-27

申请号：US13838237

申请日：2013-03-15

Applicant: Intel Corporation

Inventor： Simon P. Johnson ,  Uday R. Savagaonkar ,  Vincent R. Scarlata ,  Francis X. McKeen ,  Carlos V. Rozas

IPC: G06F12/14 ,  G06F21/62

CPC classification number: G06F12/1466 ,  G06F21/53 ,  G06F21/6218 ,  G06F21/64 ,  G06F21/645

Abstract: A technique to enable secure application and data integrity within a computer system. In one embodiment, one or more secure enclaves are established in which an application and data may be stored and executed.

公开(公告)号：US20170353319A1

公开(公告)日：2017-12-07

申请号：US15279527

申请日：2016-09-29

Applicant: Intel Corporation

Inventor： Vincent R. Scarlata ,  Francis X. McKeen ,  Carlos V. Rozas ,  Simon P. Johnson ,  Bo Zhang ,  James D. Beaney, JR. ,  Piotr Zmijewski ,  Wesley H. Smith ,  Eduardo Cabre

IPC: H04L9/32 ,  H04L9/14 ,  H04L9/30 ,  H04L29/06 ,  H04L9/08

CPC classification number: H04L9/3252 ,  G06F21/44 ,  G06F21/53 ,  G09C1/00 ,  H04L9/0866 ,  H04L9/14 ,  H04L9/302 ,  H04L9/3066 ,  H04L9/3234 ,  H04L9/3247 ,  H04L9/3249 ,  H04L63/06 ,  H04L63/062 ,  H04L63/0823 ,  H04L63/12 ,  H04L2209/127

Abstract: A computing platform implements one or more secure enclaves including a first provisioning enclave to interface with a first provisioning service to obtain a first attestation key from the first provisioning service, a second provisioning enclave to interface with a different, second provisioning service to obtain a second attestation key from the second provisioning service, and a provisioning certification enclave to sign first data from the first provisioning enclave and second data from the second provisioning enclave using a hardware-based provisioning attestation key. The signed first data is used by the first provisioning enclave to authenticate to the first provisioning service to obtain the first attestation key and the signed second data is used by the second provisioning enclave to authenticate to the second provisioning service to obtain the second attestation key.

公开(公告)号：US20170270058A1

公开(公告)日：2017-09-21

申请号：US15612837

申请日：2017-06-02

Applicant: Intel Corporation

Inventor： Francis X. McKeen ,  Vincent R. Scarlata ,  Carlos V. Rozas ,  Ittai Anati ,  Vedvyas Shanbhogue

IPC: G06F12/14 ,  G06F12/0875

CPC classification number: G06F12/1416 ,  G06F9/4418 ,  G06F12/0804 ,  G06F12/0875 ,  G06F12/1408 ,  G06F12/1441 ,  G06F21/53 ,  G06F2212/1016 ,  G06F2212/1028 ,  G06F2212/1052 ,  G06F2212/152 ,  G06F2212/452 ,  Y02D10/13

Abstract: Embodiments of an invention for maintaining a secure processing environment across power cycles are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to evict a root version array page entry from a secure cache. The execution unit is to execute the instruction. Execution of the instruction includes generating a blob to contain information to maintain a secure processing environment across a power cycle and storing the blob in a non-volatile memory.

公开(公告)号：US09716710B2

公开(公告)日：2017-07-25

申请号：US14752259

申请日：2015-06-26

Applicant: Intel Corporation

Inventor： Mona Vij ,  Carlos V. Rozas ,  Vincent R. Scarlata ,  Francis X. McKeen ,  Bo Zhang

IPC: G06F7/04 ,  H04L29/06

CPC classification number: H04L63/0823 ,  G06F9/45558 ,  G06F2009/45587 ,  H04L63/0281 ,  H04L63/10

Abstract: Technologies for secure access to platform security services include a computing device having a processor and a security engine. The computing device establishes a platform services enclave in a virtual machine of the computing device using secure enclave support of the processor. The platform services enclave receives a platform services request from an application enclave via a first authenticated session and transmits the platform services request to a virtual security engine established by a host environment via a second authenticated session. The first and second authenticated sessions may be authenticated by report-based attestation and quote-based attestation, respectively. The virtual security engine transmits the platform services request to the security engine via a long-term pairing session established by the virtual security engine with the security engine. The security engine performs the platform services request using hardware resources shared with other platform services enclaves. Other embodiments are described and claimed.

公开(公告)号：US09703715B2

公开(公告)日：2017-07-11

申请号：US14142838

申请日：2013-12-28

Applicant: Intel Corporation

Inventor： Michael A. Goldsmith ,  Simon P. Johnson ,  Carlos V. Rozas ,  Vincent R. Scarlata

IPC: G06F12/00 ,  G06F12/084 ,  G06F12/14 ,  G06F9/46 ,  G06F21/60 ,  G06F21/71 ,  G06F21/79

CPC classification number: G06F12/084 ,  G06F9/468 ,  G06F12/1483 ,  G06F21/606 ,  G06F21/71 ,  G06F21/79 ,  G06F2212/608 ,  G06F2221/2141

Abstract: Embodiments of an invention for sharing memory in a secure processing environment are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to match an offer to make a page in an enclave page cache shareable to a bid to make the page shareable. The execution unit is to execute the instruction. Execution of the instruction includes making the page shareable.

公开(公告)号：US09665724B2

公开(公告)日：2017-05-30

申请号：US14919350

申请日：2015-10-21

Applicant: Intel Corporation

Inventor： Francis X. McKeen ,  Michael A. Goldsmith ,  Barrey E. Huntley ,  Simon P. Johnson ,  Rebekah M. Leslie-Hurd ,  Carlos V. Rozas ,  Uday R. Savagaonkar ,  Vincent R. Scarlata ,  Vedvyas Shanbhogue ,  Wesley H. Smith ,  Gilbert Neiger

IPC: G06F12/00 ,  G06F21/60 ,  G06F12/0875 ,  G06F12/14 ,  G06F21/72

CPC classification number: G06F21/60 ,  G06F12/0875 ,  G06F12/14 ,  G06F12/145 ,  G06F21/72 ,  G06F2212/1052 ,  G06F2212/152 ,  G06F2212/452

Abstract: Embodiments of an invention for logging in secure enclaves are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction having an associated enclave page cache address. The execution unit is to execute the instruction without causing a virtual machine exit, wherein execution of the instruction includes logging the instruction and the associated enclave page cache address.

公开(公告)号：US09606940B2

公开(公告)日：2017-03-28

申请号：US14671222

申请日：2015-03-27

Applicant: Intel Corporation

Inventor： Micah J. Sheller ,  Bin Xing ,  Vincent R. Scarlata

IPC: G06F7/04 ,  G06F12/14 ,  G06F21/62

CPC classification number: G06F12/1458 ,  G06F21/51 ,  G06F21/57 ,  G06F21/6218 ,  G06F2212/1052

Abstract: An embodiment includes at least one machine readable medium on which is stored code that, when executed enables a system to initialize a trusted loader enclave (TL) and a measurement and storage manager enclave (MSM) within a memory of the system, to receive by the MSM a TL measurement of the TL from a trusted processor of the system, to determine whether to establish a secure channel between the MSM and the TL based at least in part on the TL measurement, and responsive to a determination to establish the secure channel, to establish the secure channel and store particular code in the TL. Additional embodiments are described and claimed.

公开(公告)号：US20170024317A1

公开(公告)日：2017-01-26

申请号：US15091926

申请日：2016-04-06

Applicant: Intel Corporation

Inventor： Francis X. Mckeen ,  Michael A. Goldsmith ,  Barry E. Huntley ,  Simon P. Johnson ,  Rebekah Leslie-Hurd ,  Carlos V. Rozas ,  Uday R. Savagaonkar ,  Vincent R. Scarlata ,  Vedvyas Shanbhogue ,  Wesley H. Smith ,  Ittai Anati ,  Ilya Alexandrovich ,  Alex Berenzon ,  Gilbert Neiger

IPC: G06F12/0804 ,  G06F12/14 ,  G06F12/0875

CPC classification number: G06F12/0804 ,  G06F9/30047 ,  G06F12/0875 ,  G06F12/1408 ,  G06F2212/1052 ,  G06F2212/402

Abstract: Embodiments of an invention for paging in secure enclaves are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive a first instruction. The execution unit is to execute the first instruction, wherein execution of the first instruction includes evicting a first page from an enclave page cache.

Abstract translation: 公开了用于在安全飞行器中寻呼的发明的实施例。 在一个实施例中，处理器包括指令单元和执行单元。 指令单元接收第一条指令。 执行单元执行第一指令，其中第一指令的执行包括从飞地页面缓存中逐出第一页。

公开(公告)号：US20160364338A1

公开(公告)日：2016-12-15

申请号：US14738037

申请日：2015-06-12

Applicant: INTEL CORPORATION

Inventor： Krystof C. Zmudzinski ,  Siddhartha Chhabra ,  Uday R. Savagaonkar ,  Simon P. Johnson ,  Rebekah M. Leslie-Hurd ,  Francis X. McKeen ,  Gilbert Neiger ,  Raghunandan Makaram ,  Carlos V. Rozas ,  Amy L. Santoni ,  Vincent R. Scarlata ,  Vedvyas Shanbhogue ,  Ilya Alexandrovich ,  Ittai Anati ,  Wesley H. Smith ,  Michael Goldsmith

IPC: G06F12/10

CPC classification number: G06F12/1009 ,  G06F9/455 ,  G06F9/45558 ,  G06F12/1027 ,  G06F12/1036 ,  G06F12/1045 ,  G06F12/109 ,  G06F12/1441 ,  G06F2009/45583 ,  G06F2212/1016 ,  G06F2212/1052 ,  G06F2212/151 ,  G06F2212/657 ,  G06F2212/684

Abstract: A processor for supporting secure memory intent is disclosed. The processor of the disclosure includes a memory execution unit to access memory and a processor core coupled to the memory execution unit. The processor core is to receive a request to access a convertible page of the memory. In response to the request, the processor core to determine an intent for the convertible page in view of a page table entry (PTE) corresponding to the convertible page. The intent indicates whether the convertible page is to be accessed as at least one of a secure page or a non-secure page.

Abstract translation: 公开了一种用于支持安全存储器意图的处理器。 本公开的处理器包括存储器存储器执行单元和耦合到存储器执行单元的处理器核心。 处理器核心是接收访问存储器可转换页面的请求。 响应于该请求，处理器核心鉴于对应于可转换页面的页表项目（PTE）来确定可转换页面的意图。 意图表示可转换页面是作为安全页面还是非安全页面中的至少一个访问。

公开(公告)号：US09448950B2

公开(公告)日：2016-09-20

申请号：US14140254

申请日：2013-12-24

Applicant: Intel Corporation

Inventor： Vincent R. Scarlata ,  Simon P. Johnson ,  Vladimir Beker ,  Jesse Walker ,  Carlos V. Rozas ,  Amy L. Santoni ,  Ittai Anati ,  Raghunandan Makaram ,  Francis X. McKeen ,  Uday R. Savagaonkar

IPC: G06F21/00 ,  H04L29/06 ,  G06F12/14 ,  G06F21/74 ,  H04L9/32 ,  H04L12/24 ,  G06F21/62 ,  G06F21/57

CPC classification number: G06F12/1466 ,  G06F21/74 ,  G06F2212/1052

Abstract: Systems and methods for secure delivery of output surface bitmaps to a display engine. An example processing system comprises: an architecturally protected memory; and a plurality of processing devices communicatively coupled to the architecturally protected memory, each processing device comprising a first processing logic to implement an architecturally-protected execution environment by performing at least one of: executing instructions residing in the architecturally protected memory, or preventing an unauthorized access to the architecturally protected memory; wherein each processing device further comprises a second processing logic to establish a secure communication channel with a second processing device of the processing system, employ the secure communication channel to synchronize a platform identity key representing the processing system, and transmit a platform manifest comprising the platform identity key to a certification system.

Abstract translation: 用于将输出表面位图安全传递到显示引擎的系统和方法。 一个示例处理系统包括：架构受保护的存储器; 以及多个处理设备，通信地耦合到架构保护的存储器，每个处理设备包括第一处理逻辑，以通过执行以下至少一个来实现架构保护的执行环境：执行驻留在架构保护的存储器中的指令，或者防止未授权的 访问架构受保护的内存; 其中每个处理设备还包括第二处理逻辑，用于与所述处理系统的第二处理设备建立安全通信信道，采用所述安全通信信道来同步代表所述处理系统的平台标识密钥，并发送包括所述平台的平台清单 认证系统的身份密钥。