公开(公告)号：US20190052469A1

公开(公告)日：2019-02-14

申请号：US16162776

申请日：2018-10-17

Applicant: Intel Corporation

Inventor： Vincent R. Scarlata ,  Francis X. McKeen ,  Carlos V. Rozas ,  Simon P. Johnson ,  Bo Zhang ,  James D. Beaney, JR. ,  Piotr Zmijewski ,  Wesley H. Smith ,  Eduardo Cabre

IPC: H04L9/32 ,  G06F21/53 ,  G09C1/00 ,  H04L29/06 ,  G06F21/44 ,  H04L9/30 ,  H04L9/14 ,  H04L9/08

Abstract: A computing platform implements one or more secure enclaves including a first provisioning enclave to interface with a first provisioning service to obtain a first attestation key from the first provisioning service, a second provisioning enclave to interface with a different, second provisioning service to obtain a second attestation key from the second provisioning service, and a provisioning certification enclave to sign first data from the first provisioning enclave and second data from the second provisioning enclave using a hardware-based provisioning attestation key. The signed first data is used by the first provisioning enclave to authenticate to the first provisioning service to obtain the first attestation key and the signed second data is used by the second provisioning enclave to authenticate to the second provisioning service to obtain the second attestation key.

公开(公告)号：US20180329707A1

公开(公告)日：2018-11-15

申请号：US15972573

申请日：2018-05-07

Applicant: Intel Corporation

Inventor： Rebekah Leslie-Hurd ,  Carlos V. Rozas ,  Vincent R. Scarlata ,  Simon P. Johnson ,  Uday R. Savagaonkar ,  Barry E. Huntley ,  Vedvyas Shanbhogue ,  Ittai Anati ,  Francis X. Mckeen ,  Michael A. Goldsmith ,  Ilya Alexandrovich ,  Alex Berenzon ,  Wesley H. Smith ,  Gilbert Neiger

IPC: G06F9/30 ,  G06F12/084 ,  G06F12/14 ,  G06F12/0875 ,  G06F9/44

CPC classification number: G06F9/3004 ,  G06F9/30047 ,  G06F9/30076 ,  G06F9/44 ,  G06F12/084 ,  G06F12/0875 ,  G06F12/1483 ,  G06F2212/452

Abstract: Embodiments of an invention for memory management in secure enclaves are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive a first instruction and a second instruction. The execution unit is to execute the first instruction, wherein execution of the first instruction includes allocating a page in an enclave page cache to a secure enclave. The execution unit is also to execute the second instruction, wherein execution of the second instruction includes confirming the allocation of the page.

公开(公告)号：US20180183578A1

公开(公告)日：2018-06-28

申请号：US15391268

申请日：2016-12-27

Applicant: Intel Corporation

Inventor： Somnath Chakrabarti ,  Vincent R. Scarlata ,  Mona Vij ,  Carlos V. Rozas ,  Ilya Alexandrovich ,  Simon P. Johnson

IPC: H04L9/08 ,  H04L9/32

CPC classification number: H04L9/3247 ,  G06F21/53 ,  G06F21/602 ,  H04L9/0861 ,  H04L9/0897

Abstract: A secure key manager enclave is provided on a host computing system to send an attestation quote to a secure key store system identifying attributes of the key manager enclave and signed by a hardware-based key of the host computing system to attest to trustworthiness of the secure key manager enclave. The secure key manager enclave receives a request to provide a root key for a particular virtual machine to be run on the host computing system, generates a secure data structure in secure memory of the host computing system to be associated with the particular virtual machine, and provisions the root key in the secure data structure using the key manager enclave, where the key manager enclave is to have privileged access to the secure data structure.

公开(公告)号：US09990197B2

公开(公告)日：2018-06-05

申请号：US15683331

申请日：2017-08-22

Applicant: Intel Corporation

Inventor： Rebekah Leslie-Hurd ,  Carlos V. Rozas ,  Vincent R. Scarlata ,  Simon P. Johnson ,  Uday R. Savagaonkar ,  Barry E. Huntley ,  Vedvyas Shanbhogue ,  Ittai Anati ,  Francis X. Mckeen ,  Michael A. Goldsmith ,  Ilya Alexandrovich ,  Alex Berenzon ,  Wesley H. Smith ,  Gilbert Neiger

IPC: G06F12/00 ,  G06F9/30 ,  G06F12/14 ,  G06F12/084 ,  G06F9/44 ,  G06F12/0875

CPC classification number: G06F9/3004 ,  G06F9/30047 ,  G06F9/30076 ,  G06F9/44 ,  G06F12/084 ,  G06F12/0875 ,  G06F12/1483 ,  G06F2212/452

Abstract: Embodiments of an invention for memory management in secure enclaves are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive a first instruction and a second instruction. The execution unit is to execute the first instruction, wherein execution of the first instruction includes allocating a page in an enclave page cache to a secure enclave. The execution unit is also to execute the second instruction, wherein execution of the second instruction includes confirming the allocation of the page.

公开(公告)号：US09942035B2

公开(公告)日：2018-04-10

申请号：US14829340

申请日：2015-08-18

Applicant: INTEL CORPORATION

Inventor： Carlos V. Rozas ,  Mona Vij ,  Rebekah M. Leslie-Hurd ,  Krystof C. Zmudzinski ,  Somnath Chakrabarti ,  Francis X. McKeen ,  Vincent R. Scarlata ,  Simon P. Johnson ,  Ilya Alexandrovich

IPC: H04L9/08 ,  G06F9/455 ,  H04L29/08 ,  H04L29/06

CPC classification number: H04L9/0891 ,  G06F9/45558 ,  G06F2009/45575 ,  G06F2009/45587 ,  H04L63/061 ,  H04L63/10 ,  H04L67/34

Abstract: A processor to support platform migration of secure enclaves is disclosed. In one embodiment, the processor includes a memory controller unit to access secure enclaves and a processor core coupled to the memory controller unit. The processor core to identify a control structure associated with a secure enclave. The control structure comprises a plurality of data slots and keys associated with a first platform comprising the memory controller unit and the processor core. A version of data from the secure enclave is associated with the plurality of data slots. Migratable keys are generated as a replacement for the keys associated with the control structure. The migratable keys control access to the secure enclave. Thereafter, the control structure is migrated to a second platform to enable access to the secure enclave on the second platform.

公开(公告)号：US20170351515A1

公开(公告)日：2017-12-07

申请号：US15683331

申请日：2017-08-22

Applicant: Intel Corporation

Inventor： Rebekah Leslie-Hurd ,  Carlos V. Rozas ,  Vincent R. Scarlata ,  Simon P. Johnson ,  Uday R. Savagaonkar ,  Barry E. Huntley ,  Vedvyas Shanbhogue ,  Ittai Anati ,  Francis X. Mckeen ,  Michael A. Goldsmith ,  Ilya Alexandrovich ,  Alex Berenzon ,  Wesley H. Smith ,  Gilbert Neiger

IPC: G06F9/30 ,  G06F9/44 ,  G06F12/0875 ,  G06F12/084 ,  G06F12/14

CPC classification number: G06F9/3004 ,  G06F9/30047 ,  G06F9/30076 ,  G06F9/44 ,  G06F12/084 ,  G06F12/0875 ,  G06F12/1483 ,  G06F2212/452

Abstract: Embodiments of an invention for memory management in secure enclaves are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive a first instruction and a second instruction. The execution unit is to execute the first instruction, wherein execution of the first instruction includes allocating a page in an enclave page cache to a secure enclave. The execution unit is also to execute the second instruction, wherein execution of the second instruction includes confirming the allocation of the page.

公开(公告)号：US09710401B2

公开(公告)日：2017-07-18

申请号：US14752227

申请日：2015-06-26

Applicant: Intel Corporation

Inventor： Carlos V. Rozas ,  Mona Vij ,  Rebekah M. Leslie-Hurd ,  Krystof C. Zmudzinski ,  Somnath Chakrabarti ,  Francis X. McKeen ,  Vincent R. Scarlata ,  Simon P. Johnson ,  Ilya Alexandrovich ,  Gilbert Neiger ,  Vedvyas Shanbhogue ,  Ittai Anati

IPC: G06F11/30 ,  G06F12/14 ,  G06F21/60 ,  G06F9/30 ,  G06F21/53

CPC classification number: G06F12/1408 ,  G06F8/41 ,  G06F9/30145 ,  G06F9/45558 ,  G06F21/53 ,  G06F21/602 ,  G06F2009/4557 ,  G06F2009/45587 ,  G06F2212/1052

Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.

公开(公告)号：US09690704B2

公开(公告)日：2017-06-27

申请号：US15091926

申请日：2016-04-06

Applicant: Intel Corporation

Inventor： Francis X. Mckeen ,  Michael A. Goldsmith ,  Barry E. Huntley ,  Simon P. Johnson ,  Rebekah Leslie-Hurd ,  Carlos V. Rozas ,  Uday R. Savagaonkar ,  Vincent R. Scarlata ,  Vedvyas Shanbhogue ,  Wesley H. Smith ,  Ittai Anati ,  Ilya Alexandrovich ,  Alex Berenzon ,  Gilbert Neiger

IPC: G06F12/00 ,  G06F12/0804 ,  G06F9/30 ,  G06F12/0875 ,  G06F12/14

CPC classification number: G06F12/0804 ,  G06F9/30047 ,  G06F12/0875 ,  G06F12/1408 ,  G06F2212/1052 ,  G06F2212/402

Abstract: Embodiments of an invention for paging in secure enclaves are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive a first instruction. The execution unit is to execute the first instruction, wherein execution of the first instruction includes evicting a first page from an enclave page cache.

公开(公告)号：US20160381005A1

公开(公告)日：2016-12-29

申请号：US14752259

申请日：2015-06-26

Applicant: Intel Corporation

Inventor： Mona Vij ,  Carlos V. Rozas ,  Vincent R. Scarlata ,  Francis X. McKeen ,  Bo Zhang

IPC: H04L29/06

CPC classification number: H04L63/0823 ,  G06F9/45558 ,  G06F2009/45587 ,  H04L63/0281 ,  H04L63/10

Abstract: Technologies for secure access to platform security services include a computing device having a processor and a security engine. The computing device establishes a platform services enclave in a virtual machine of the computing device using secure enclave support of the processor. The platform services enclave receives a platform services request from an application enclave via a first authenticated session and transmits the platform services request to a virtual security engine established by a host environment via a second authenticated session. The first and second authenticated sessions may be authenticated by report-based attestation and quote-based attestation, respectively. The virtual security engine transmits the platform services request to the security engine via a long-term pairing session established by the virtual security engine with the security engine. The security engine performs the platform services request using hardware resources shared with other platform services enclaves. Other embodiments are described and claimed.

Abstract translation: 用于安全访问平台安全服务的技术包括具有处理器和安全引擎的计算设备。 计算设备使用处理器的安全飞行支持在计算设备的虚拟机中建立平台服务飞地。 平台服务飞地通过第一认证会话从应用飞地接收平台服务请求，并通过第二认证会话将平台服务请求发送到由主机环境建立的虚拟安全引擎。 第一次和第二次认证会话可以分别通过基于报告的认证和基于报价的认证进行认证。 虚拟安全引擎通过虚拟安全引擎与安全引擎建立的长期配对会话将平台服务请求发送到安全引擎。 安全引擎使用与其他平台服务飞地共享的硬件资源来执行平台服务请求。 描述和要求保护其他实施例。

公开(公告)号：US09524400B2

公开(公告)日：2016-12-20

申请号：US14723937

申请日：2015-05-28

Applicant: INTEL CORPORATION

Inventor： Vincent R. Scarlata

IPC: G06F21/72 ,  G06F21/57 ,  H04L29/06 ,  G06F9/455 ,  G06F21/00 ,  H04L9/08 ,  G06F21/60 ,  H04L29/08

CPC classification number: G06F21/72 ,  G06F9/45533 ,  G06F9/45558 ,  G06F21/00 ,  G06F21/57 ,  G06F21/602 ,  G06F2009/4557 ,  G06F2009/45583 ,  G06F2009/45595 ,  H04L9/08 ,  H04L9/0825 ,  H04L9/0897 ,  H04L63/0428 ,  H04L67/10

Abstract: A virtual security coprocessor is created in a first processing system. The virtual security coprocessor is then transferred to a second processing system, for use by the second processing system. For instance, the second processing system may use the virtual security coprocessor to provide attestation for the second processing system. In an alternative embodiment, a virtual security coprocessor from a first processing system is received at a second processing system. After receiving the virtual security coprocessor from the first processing system, the second processing system uses the virtual security coprocessor. Other embodiments are described and claimed.