INFRARED LIGHT EMITTING DIODE CONTROL CIRCUIT

    Publication number: WO2017105800A3

    Publication date: 2017-06-22

    Application number: PCT/US2016/063357

    Filing date: 2016-11-22

    Abstract: Disclosed in some examples are devices, methods, and machine-readable mediums for reliable control of IR LEDs. In some examples, a microcontroller running firmware controls whether the LED is activated or not by use of a disable signal. The microcontroller enables or disables the operation of the LED based upon a user's proximity to the LED, a watchdog timer, and a confirmation that only trusted software is executing.

    2. INFRARED LIGHT EMITTING DIODE CONTROL CIRCUIT
    Type: Invention application
    Status: Pending, published

    Publication number: WO2017105800A2

    Publication date: 2017-06-22

    Application number: PCT/US2016/063357

    Filing date: 2016-11-22

    Abstract: Disclosed in some examples are devices, methods, and machine-readable mediums for reliable control of IR LEDs. In some examples, a microcontroller running firmware controls whether the LED is activated or not by use of a disable signal. The microcontroller enables or disables the operation of the LED based upon a user's proximity to the LED, a watchdog timer, and a confirmation that only trusted software is executing.
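    The gating logic described in this abstract (the same application, published as WO2017105800A2 and A3), as an added simulation written for this page rather than the application's firmware. It models the three inputs the abstract names: a trusted-software confirmation, a watchdog that the firmware must kick, and a proximity reading. The timing constant, the proximity threshold and the digest comparison are assumptions; the controller fails closed whenever any input is missing or failing.

```python
# Added simulation of the LED gating in the abstract (WO2017105800A2/A3). Illustrative
# code written for this page, not the application's firmware; the timing constant, the
# proximity threshold and the digest check are assumptions.
from typing import Optional

WATCHDOG_TIMEOUT_MS = 100   # assumed: firmware must kick the watchdog within this window
PROXIMITY_LIMIT_MM = 200    # assumed: emitter stays off while a user is closer than this


class IrLedController:
    """Models the microcontroller driving the LED's disable line.

    The disable signal is asserted (LED off) unless all three conditions hold:
    verified firmware is running, the watchdog was kicked recently, and the
    proximity sensor reports nobody too close. Any unknown state fails closed.
    """

    def __init__(self) -> None:
        self.now_ms = 0
        self.last_kick_ms: Optional[int] = None     # None until the first kick
        self.trusted_firmware = False               # latched by verification at boot
        self.distance_mm: Optional[int] = None      # None until the sensor reports

    def confirm_trusted_firmware(self, measured: bytes, expected: bytes) -> bool:
        """Record whether the running firmware image matches the expected digest."""
        self.trusted_firmware = measured == expected
        return self.trusted_firmware

    def kick_watchdog(self) -> None:
        """Called from the firmware main loop to prove it is still running."""
        self.last_kick_ms = self.now_ms

    def tick(self, elapsed_ms: int, distance_mm: Optional[int]) -> None:
        """Advance simulated time and feed the latest proximity reading."""
        self.now_ms += elapsed_ms
        self.distance_mm = distance_mm

    def watchdog_ok(self) -> bool:
        return (self.last_kick_ms is not None
                and self.now_ms - self.last_kick_ms <= WATCHDOG_TIMEOUT_MS)

    def proximity_ok(self) -> bool:
        return self.distance_mm is not None and self.distance_mm > PROXIMITY_LIMIT_MM

    def disable_signal(self) -> bool:
        """True = disable line asserted, LED off. Fails closed on any failing input."""
        return not (self.trusted_firmware and self.watchdog_ok() and self.proximity_ok())


def run_scenario() -> list:
    """Drive the controller through boot, normal use, a user approaching, and a firmware hang."""
    c = IrLedController()
    trace = [("power-on", c.disable_signal())]              # nothing verified yet: LED off
    c.confirm_trusted_firmware(b"\x01" * 32, b"\x01" * 32)  # constructed digests, assumed to match
    c.kick_watchdog()
    c.tick(10, distance_mm=500)
    trace.append(("verified, user far", c.disable_signal()))
    c.tick(10, distance_mm=120)
    trace.append(("user close", c.disable_signal()))
    c.tick(10, distance_mm=500)
    trace.append(("user moved away", c.disable_signal()))
    c.tick(200, distance_mm=500)                             # firmware stopped kicking the watchdog
    trace.append(("watchdog expired", c.disable_signal()))
    return trace


if __name__ == "__main__":
    for label, disabled in run_scenario():
        print(f"{label:22s} LED {'OFF' if disabled else 'ON'}")
```

    The point of the watchdog branch is that a hung or hijacked firmware loop cannot leave the emitter on: once the kick stops, the disable line is asserted without any further software action, and the emitter can only come back on after the firmware resumes kicking while the other two conditions still hold.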


    3. USING COUNTERS AND A TABLE TO PROTECT DATA IN A STORAGE DEVICE
    Type: Invention application
    Status: Pending, published

    Publication number: WO2016077031A1

    Publication date: 2016-05-19

    Application number: PCT/US2015/056083

    Filing date: 2015-10-16

    Abstract: Provided are a system, memory controller, and method for using counters and a table to protect data in a storage device. Upon initiating operations to modify a file in the storage device, a storage write counter is incremented. In response to incrementing the storage write counter, write table operations are initiated, including setting a table write counter to the storage write counter and setting a table commit counter to the storage commit counter plus a value. The operation to modify the file is performed in response to completing the write table operations. The storage commit counter is incremented by the value in response to completing the operation to modify the file.
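    The four-step sequence in this abstract, as an added simulation written for this page (not the application's code). The two storage counters are modelled as state held by the memory controller that survives a reset, the table and the file as contents of the storage device, and the "value" as 1. A crash-injection hook interrupts the sequence after each step so the counter comparison can be seen classifying each outcome; these hooks and the table layout are assumptions.

```python
# Added simulation of the counter/table protocol in the abstract above (WO2016077031A1).
# Written for this page, not taken from the application; the crash-injection hooks,
# the table layout and the increment "value" (1) are assumptions.
import copy
from typing import Optional

COMMIT_VALUE = 1   # the "value" the abstract adds to the commit counter; assumed to be 1


class CrashInjected(Exception):
    """Models power loss or a reset at a chosen point in the update sequence."""


class ProtectedStorage:
    def __init__(self) -> None:
        # Counters kept by the memory controller (assumed: not writable by the host, survive resets).
        self.storage_write_counter = 0
        self.storage_commit_counter = 0
        # The table and the file both live in the storage device itself.
        self.table = {"write_counter": 0, "commit_counter": 0}
        self.file = b""

    def modify_file(self, new_contents: bytes, crash_after: Optional[str] = None) -> None:
        # 1. Initiating the modification increments the storage write counter.
        self.storage_write_counter += 1
        if crash_after == "write_counter":
            raise CrashInjected(crash_after)
        # 2. Write-table operations: the table records which write is in flight
        #    and what the commit counter will be once that write completes.
        self.table["write_counter"] = self.storage_write_counter
        self.table["commit_counter"] = self.storage_commit_counter + COMMIT_VALUE
        if crash_after == "write_table":
            raise CrashInjected(crash_after)
        # 3. Only after the table is written is the file itself modified.
        self.file = new_contents
        if crash_after == "modify_file":
            raise CrashInjected(crash_after)
        # 4. Completing the modification commits it.
        self.storage_commit_counter += COMMIT_VALUE

    def check(self) -> str:
        """Classify the stored state from the counters alone (run at power-up or before a read)."""
        if self.table["write_counter"] != self.storage_write_counter:
            # A write began but the table never caught up, or an old table/file
            # image was put back in place of the current one.
            return "stale-table"
        if self.table["commit_counter"] != self.storage_commit_counter:
            # Table written, but the file modification is not known to have completed.
            return "uncommitted"
        return "consistent"


def scenario(crash_after: Optional[str]) -> str:
    """Apply one update to fresh storage, crashing at the given step, and report the verdict."""
    s = ProtectedStorage()
    s.modify_file(b"v1")
    try:
        s.modify_file(b"v2", crash_after=crash_after)
    except CrashInjected:
        pass
    return s.check()


def rollback_scenario() -> str:
    """An attacker restores the device's old table and file after a later update committed."""
    s = ProtectedStorage()
    s.modify_file(b"v1")
    snapshot = (copy.deepcopy(s.table), s.file)   # attacker images the device here
    s.modify_file(b"v2")
    s.table, s.file = snapshot                      # ...and writes the image back later
    return s.check()


if __name__ == "__main__":
    for step in (None, "write_counter", "write_table", "modify_file"):
        print(f"crash after {step!s:14s}: {scenario(step)}")
    print(f"rollback of device image: {rollback_scenario()}")
```

    Two practical caveats follow from the model. The verdict depends entirely on the controller's counters being kept out of the host's and the attacker's reach; if they can be rewritten alongside the table, the comparison proves nothing. And the scheme detects a torn or replayed update, not silent corruption of the file contents alone: a file altered while the table and counters stay untouched still reads as "consistent", so integrity of the contents themselves needs a separate mechanism (the abstract does not specify one).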


    4. SECURE REPLAY PROTECTED STORAGE
    Type: Invention application
    Status: Pending, published

    Publication number: WO2013095387A1

    Publication date: 2013-06-27

    Application number: PCT/US2011/066188

    Filing date: 2011-12-20

    Abstract: Embodiments of the invention create an underlying infrastructure in a flash memory device (e.g., a serial peripheral interface (SPI) flash memory device) such that it may be protected against user attacks, e.g., replacing the SPI flash memory device or a man-in-the-middle (MITM) attack that modifies the SPI flash memory contents on the fly. In the prior art, monotonic counters cannot be stored in SPI flash memory devices because those devices do not provide replay protection for the counters. A user may also remove the flash memory device and reprogram it. Host platforms alone cannot protect against such hardware attacks. Embodiments of the invention enable standard storage flash memory devices such as SPI flash memory devices to achieve replay protection for securely stored data. Embodiments of the invention utilize flash memory controllers, flash memory devices, unique device keys and HMAC key logic to create secure execution environments for various components.
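    An added model of the kind of replay protection this abstract describes: a flash device with a unique key and HMAC logic, a controller that shares the key, a monotonic counter bound into every authenticated write, and a nonce bound into every authenticated read. It is illustrative code written for this page, not the application's design; the message layouts, the per-block counter records and how the key is provisioned are assumptions, and Python's stdlib HMAC stands in for the device's HMAC key logic. The demo walks through the three attacks the abstract lists (MITM on the bus, a replaced chip, an offline reprogram/rollback of the array) and shows each being rejected.

```python
# Added model of HMAC-based replay protection for an SPI-flash region, in the spirit of the
# abstract above (WO2013095387A1). Illustrative code written for this page, not the
# application's design: message layouts, per-block counters and key provisioning are
# assumptions, and Python's stdlib HMAC stands in for the device's HMAC key logic.
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional, Tuple

def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def hdr(block: int, counter: int) -> bytes:
    return struct.pack(">II", block, counter)

class ReplayProtectedFlash:
    """Device side. Key and counters sit in protected logic (assumed: fuses / monotonic NV that a
    chip programmer cannot rewrite); the data array can be rewritten by anyone holding the chip."""

    def __init__(self, device_key: bytes) -> None:
        self._key = device_key
        self.write_counter = 0                             # monotonic, never decremented
        self.block_counter: Dict[int, int] = {}            # counter value at each block's last write
        self.array: Dict[int, Tuple[bytes, bytes]] = {}    # block -> (data, write tag)

    def authenticated_write(self, block: int, data: bytes, counter: int, tag: bytes) -> bool:
        if counter != self.write_counter + 1:              # replayed or out-of-order command
            return False
        if not hmac.compare_digest(tag, mac(self._key, b"W", hdr(block, counter), data)):
            return False                                   # forged: sender lacks the device key
        self.array[block] = (data, tag)
        self.block_counter[block] = counter
        self.write_counter = counter
        return True

    def authenticated_read(self, block: int, nonce: bytes) -> Optional[Tuple[bytes, int, bytes]]:
        data, stored_tag = self.array.get(block, (b"", b""))
        if not hmac.compare_digest(stored_tag, mac(self._key, b"W", hdr(block, self.block_counter.get(block, 0)), data)):
            return None                                    # array reprogrammed or rolled back offline
        return data, self.write_counter, mac(self._key, b"R", nonce, hdr(block, self.write_counter), data)

class TamperingBus:
    """MITM on the SPI lines: passes commands through, flips one byte in every read reply."""

    def __init__(self, flash: ReplayProtectedFlash) -> None:
        self.flash = flash

    def authenticated_write(self, *args):
        return self.flash.authenticated_write(*args)

    def authenticated_read(self, block: int, nonce: bytes):
        reply = self.flash.authenticated_read(block, nonce)
        if reply is None:
            return None
        data, counter, tag = reply
        return bytes([data[0] ^ 0xFF]) + data[1:], counter, tag

class FlashController:
    """Host side. Holds the device key and the last counter it saw (assumed: persisted in the
    controller's own protected storage across resets, so a stale device is noticed)."""

    def __init__(self, device_key: bytes, flash, expected_counter: int = 0) -> None:
        self._key, self.flash, self.expected_counter = device_key, flash, expected_counter

    def write(self, block: int, data: bytes) -> bool:
        counter = self.expected_counter + 1
        if not self.flash.authenticated_write(block, data, counter, mac(self._key, b"W", hdr(block, counter), data)):
            return False
        self.expected_counter = counter
        return True

    def read(self, block: int) -> Optional[bytes]:
        """Block contents, or None when the device, the bus or the counter fails to verify."""
        nonce = secrets.token_bytes(16)                    # fresh per read: a recorded reply cannot be replayed
        reply = self.flash.authenticated_read(block, nonce)
        if reply is None:
            return None
        data, counter, tag = reply
        if not hmac.compare_digest(tag, mac(self._key, b"R", nonce, hdr(block, counter), data)):
            return None                                    # wrong key (swapped chip) or altered in transit
        if counter != self.expected_counter:
            return None                                    # device is in an older or unexpected state
        return data

def demo() -> Dict[str, bool]:
    key = secrets.token_bytes(32)                          # unique per-device key; provisioning assumed
    flash = ReplayProtectedFlash(key)
    ctl = FlashController(key, flash)
    ctl.write(7, b"boot-policy-v1")
    old_image = dict(flash.array)                          # attacker dumps the array at this point
    ctl.write(7, b"boot-policy-v2")
    results = {"honest read": ctl.read(7) == b"boot-policy-v2"}
    results["mitm on bus"] = FlashController(key, TamperingBus(flash), ctl.expected_counter).read(7) is None
    clone = ReplayProtectedFlash(secrets.token_bytes(32))  # replacement chip: contents copied, key not
    clone.array, clone.block_counter, clone.write_counter = dict(flash.array), dict(flash.block_counter), flash.write_counter
    results["swapped chip"] = FlashController(key, clone, ctl.expected_counter).read(7) is None
    flash.array[7] = (b"boot-policy-evil", flash.array[7][1])   # reprogram the data, keep the old tag
    results["reprogrammed array"] = ctl.read(7) is None
    flash.array.update(old_image)                          # write the dumped v1 image back
    results["rolled-back image"] = ctl.read(7) is None
    return results
```

    Each check has a distinct job: the device-side tag over (block, counter, data) catches anything done to the array with a programmer, the per-read nonce stops a recorded reply from being replayed on the bus, and the controller's counter check catches a device whose state is older than the last write it acknowledged. The last of these only works if the controller keeps its expected counter somewhere the attacker cannot reset, which is exactly the storage problem the abstract says plain SPI flash cannot solve by itself.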


    5. PRIVACY PROTECTED INPUT-OUTPUT PORT CONTROL
    Type: Invention application
    Status: Pending, published

    Publication number: WO2017112258A1

    Publication date: 2017-06-29

    Application number: PCT/US2016/063336

    Filing date: 2016-11-22

    CPC classification number: G06F21/32 G06F21/62

    Abstract: Systems and techniques for privacy protected input-output port control are described herein. In an example, an indication may be obtained that a protected port is disabled. A set of application attributes stored in a secure memory location may be compared to a set of attested application attributes to create a verification flag. At least one port attribute of the protected port may be obtained based on the verification flag. The protected port may be enabled using the at least one port attribute. Other examples for controlling an input-output port using computer firmware and trusted execution techniques are further disclosed.


    6. SYSTEM, APPARATUS AND METHOD FOR CONTROLLING MULTIPLE TRUSTED EXECUTION ENVIRONMENTS IN A SYSTEM
    Type: Invention application
    Status: Pending, published

    Publication number: WO2016195880A1

    Publication date: 2016-12-08

    Application number: PCT/US2016/030356

    Filing date: 2016-05-02

    CPC classification number: G06F21/57 G06F2221/034

    Abstract: In an embodiment, a system is adapted to: record at least one measurement of a virtual trusted execution environment in a storage of the system and generate a secret sealed to a state of this measurement; create, using the virtual trusted execution environment, an isolated environment including a secure enclave and an application, the virtual trusted execution environment to protect the isolated environment; receive, in the application, a first measurement quote associated with the virtual trusted execution environment and a second measurement quote associated with the secure enclave; and communicate quote information regarding the first and second measurement quotes to a remote attestation service to enable the remote attestation service to verify the virtual trusted execution environment and the secure enclave, and responsive to the verification the secret is to be provided to the virtual trusted execution environment and the isolated environment. Other embodiments are described and claimed.
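    The flow in this abstract, as an added walk-through written for this page (not the application's code): a platform records the measurement of a virtual TEE, the application collects one quote for the virtual TEE and one for the enclave inside it, a remote attestation service verifies both against expected values and a fresh challenge before releasing the secret, and the secret is then sealed to the virtual TEE's measured state so only that state can recover it. Assumptions: an HMAC key shared between the platform's quoting logic and the service stands in for the asymmetric quoting key, sealing derives its key from a platform root key plus the measurement, and the secret is held by the service until attestation succeeds.

```python
# Added walk-through of the flow in the abstract above (WO2016195880A1): measure a virtual TEE,
# seal a secret to that measurement, quote both the virtual TEE and the enclave it hosts, and
# have a remote attestation service verify both quotes before the secret is released. Written
# for this page, not the application's code. Assumptions: an HMAC key shared between the
# platform's quoting logic and the service stands in for the asymmetric quoting key, sealing
# uses a key derived from a platform root key and the measurement, and the secret is held by
# the service until attestation succeeds.
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

Quote = Tuple[bytes, bytes, bytes]   # (measurement, nonce, signature)

def measure(image: bytes) -> bytes:
    """Measurement of an environment = hash of the code image loaded into it (assumed)."""
    return hashlib.sha256(image).digest()

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + bytes([i])).digest() for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

class Platform:
    """Hardware/firmware side: records measurements, seals data to them and signs quotes."""

    def __init__(self) -> None:
        self._root_key = secrets.token_bytes(32)        # per-platform sealing root (assumed fused)
        self.quoting_key = secrets.token_bytes(32)      # shared with the attestation service (assumed)
        self.measurements: Dict[str, bytes] = {}

    def record(self, name: str, image: bytes) -> bytes:
        self.measurements[name] = measure(image)
        return self.measurements[name]

    def _seal_key(self, measurement: bytes) -> bytes:
        return hmac.new(self._root_key, b"seal|" + measurement, hashlib.sha256).digest()

    def seal(self, secret: bytes, measurement: bytes) -> bytes:
        """Encrypt-then-MAC under a key that only the same measured state can re-derive."""
        k, nonce = self._seal_key(measurement), secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(secret, keystream(k, nonce, len(secret))))
        return nonce + ct + hmac.new(k, nonce + ct, hashlib.sha256).digest()

    def unseal(self, blob: bytes, measurement: bytes) -> Optional[bytes]:
        k, nonce, ct, tag = self._seal_key(measurement), blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(k, nonce + ct, hashlib.sha256).digest()):
            return None                                  # sealed under a different measured state
        return bytes(a ^ b for a, b in zip(ct, keystream(k, nonce, len(ct))))

    def quote(self, name: str, nonce: bytes) -> Quote:
        m = self.measurements[name]
        return m, nonce, hmac.new(self.quoting_key, name.encode() + m + nonce, hashlib.sha256).digest()

class AttestationService:
    """Remote verifier: knows the quoting key and the expected measurements, holds the secret."""

    def __init__(self, quoting_key: bytes, expected: Dict[str, bytes], secret: bytes) -> None:
        self._quoting_key, self._expected, self._secret = quoting_key, expected, secret
        self._open_nonces = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._open_nonces.add(nonce)
        return nonce

    def _verify(self, name: str, q: Quote, nonce: bytes) -> bool:
        m, q_nonce, sig = q
        expected_sig = hmac.new(self._quoting_key, name.encode() + m + q_nonce, hashlib.sha256).digest()
        return q_nonce == nonce and hmac.compare_digest(sig, expected_sig) and m == self._expected[name]

    def release(self, quotes: Dict[str, Quote], nonce: bytes) -> Optional[bytes]:
        if nonce not in self._open_nonces:               # unknown or already-used challenge
            return None
        self._open_nonces.discard(nonce)
        if not all(self._verify(n, quotes[n], nonce) for n in ("vtee", "enclave")):
            return None                                  # either layer unverified: nothing is released
        return self._secret

def run_flow(tamper: Optional[str] = None) -> Dict[str, bool]:
    vtee_image, enclave_image = b"vtee-firmware-1.0", b"enclave-code-1.0"       # constructed images
    plat = Platform()
    service = AttestationService(plat.quoting_key,
                                 {"vtee": measure(vtee_image), "enclave": measure(enclave_image)},
                                 secrets.token_bytes(48))                        # constructed secret
    plat.record("vtee", b"vtee-firmware-0.9" if tamper == "vtee" else vtee_image)
    plat.record("enclave", b"enclave-backdoored" if tamper == "enclave" else enclave_image)
    nonce = service.challenge()
    quotes = {n: plat.quote(n, nonce) for n in ("vtee", "enclave")}            # the app forwards both
    secret = service.release(quotes, nonce)
    result = {"released": secret is not None}
    if secret is not None:
        blob = plat.seal(secret, plat.measurements["vtee"])
        result["unseal same state"] = plat.unseal(blob, plat.measurements["vtee"]) == secret
        result["unseal other state"] = plat.unseal(blob, measure(b"vtee-firmware-0.9")) is None
    result["replayed quotes"] = service.release(quotes, nonce) is None
    return result
```

    Two properties of the abstract's design show up in `run_flow`: a mismatch in either quote, whether the virtual TEE or the enclave it hosts was altered, blocks release, and a pair of quotes captured once cannot be presented again because the service retires its challenge nonce. The HMAC stand-in for the quoting key means this model's service could forge quotes itself; with an asymmetric quoting key, as real attestation schemes use, the verifier holds only the public half and gains no such ability.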


    7. TRUSTED PLATFORM MODULE CERTIFICATION AND ATTESTATION UTILIZING AN ANONYMOUS KEY SYSTEM
    Type: Invention application
    Status: Pending, published

    Publication number: WO2016077017A2

    Publication date: 2016-05-19

    Application number: PCT/US2015/055508

    Filing date: 2015-10-14

    Abstract: This application is directed to trusted platform module certification and attestation utilizing an anonymous key system. In general, TPM certification and TPM attestation may be supported in a device utilizing an integrated TPM through the use of anonymous key system (AKS) certification. An example device may comprise at least combined AKS and TPM resources that load AKS and TPM firmware (FW) into a runtime environment that may further include at least an operating system (OS) encryption module, an AKS service module and a TPM Certification and Attestation (CA) module. For TPM certification, the CA module may interact with the other modules in the runtime environment to generate a TPM certificate, signed by an AKS certificate, that may be transmitted to a certification platform for validation. For TPM attestation, the CA module may cause TPM credentials to be provided to the attestation platform for validation along with the TPM and/or AKS certificates.


    9. TECHNOLOGIES FOR END-TO-END BIOMETRIC-BASED AUTHENTICATION AND PLATFORM LOCALITY ASSERTION
    Type: Invention application
    Status: Pending, published

    Publication number: WO2017062128A2

    Publication date: 2017-04-13

    Application number: PCT/US2016/050762

    Filing date: 2016-09-08

    CPC classification number: H04L9/3231 H04L9/0816 H04L9/0825

    Abstract: Technologies for end-to-end biometric-based authentication and locality assertion include a computing device with one or more biometric devices. The computing device may securely exchange a key between a driver and a secure enclave. The driver may receive biometric data from the biometric sensor in a virtualization-protected memory buffer and encrypt the biometric data with the shared key. The secure enclave may decrypt the biometric data and perform a biometric authentication operation. The computing device may measure a virtual machine monitor (VMM) to generate attestation information for the VMM. A secure enclave may execute a virtualization report instruction to request the attestation information. The processor may copy the attestation information into the secure enclave memory. The secure enclave may verify the attestation information with a remote attestation server. If verified, the secure enclave may provide a shared secret to the VMM. Other embodiments are described and claimed.


    10. ADDITIONAL SECURED EXECUTION ENVIRONMENT WITH SR-IOV AND XHCI-IOV
    Type: Invention application
    Status: Pending, published

    Publication number: WO2016160147A1

    Publication date: 2016-10-06

    Application number: PCT/US2016/017948

    Filing date: 2016-02-15

    CPC classification number: G06F13/362 G06F13/4068 G06F13/4282

    Abstract: An apparatus is described herein. The apparatus includes a Universal Serial Bus (USB) component and a controller interface. The controller interface is to allocate register space for interfacing with the USB component and the USB component is virtualized into multiple instantiations. The apparatus also includes a secure environment, and the secure environment further virtualizes the multiple instantiations such that the multiple instantiations are owned by the secure environment.

