Abstract:
A processing system includes a first register to store an invalidation mode flag associated with a virtual processor identifier (VPID), and a processing core communicatively coupled to the first register. The processing core comprises a logic circuit to execute a virtual machine monitor (VMM) environment, the VMM environment comprising a root mode VMM supporting a non-root mode VMM, the non-root mode VMM to execute a virtual machine (VM) identified by the VPID. The logic circuit further comprises an invalidation circuit to execute a virtual processor invalidation (INVVPID) instruction issued by the non-root mode VMM, the INVVPID instruction comprising a reference to an INVVPID descriptor that specifies a linear address and the VPID, and, responsive to determining that the invalidation mode flag is set, to invalidate, without triggering a VM exit event, a memory address mapping associated with the linear address.
Abstract:
Systems and methods for enabling a lightweight VMM to efficiently interrupt virtual machines are provided. In some examples, the lightweight VMM is configured to utilize a self IPI to deliver external interrupts to the virtual machines. The self IPI may be generated by writing one or more values, including an identifier of the external interrupt, to an ICR of a programmable interrupt controller. The programmable interrupt controller may retrieve the one or more values from the ICR, identify the external interrupt, and process the external interrupt, which culminates in the external interrupt being written to an IDT of a virtual machine targeted for interrupt delivery by the lightweight VMM.
Abstract:
Technologies for hybrid virtualization and secure enclave include a computing device and an edge orchestrator. The edge orchestrator securely provisions a container-enclave policy to the computing device. A VMM of the computing device constructs a platform services enclave that includes the container-enclave policy. The platform services enclave requests a local attestation report from an application enclave, and the application enclave generates the attestation report using secure enclave support of a compute engine of the computing device. The attestation report is indicative of a virtualization context of the application enclave, and may include a VM flag, a VMM flag, and a source address of the application enclave. The platform services enclave enforces the container-enclave policy based on the virtualization context of the application enclave. The platform services enclave may control access to functions of the computing device based on the virtualization context. Other embodiments are described and claimed.
Abstract:
Methods, apparatus, systems and machine-readable storage media to enable fast boot of secure and unsecure environments in a computing system are disclosed. Root of trust hardware is used to provide dynamic root of trust measurements of various virtual machines, operating systems, and application environments within the computing system. In an example, a trusted application for a trusted environment is initiated with a fast boot process, with use of a secure enclave accessed by an operating system and virtual machine. The root of trust hardware is used to perform dynamic integrity measurements of a second virtual machine and an untrusted application, to later initiate this untrusted application securely after verification of the integrity measurements. Further uses and coordination of dynamic root of trust measurements and application execution, booting, and security verification processes are also described.
Abstract:
A method of an aspect includes receiving an indication of an attempt by a virtual machine to modify a paging structure identification storage location to have a given value. It is determined that the given value matches at least one of a set of one or more blacklist values. The attempt by the virtual machine to modify the paging structure identification storage location to have the given value is trapped to a virtual machine monitor. Other methods, apparatus, and systems are also disclosed.
Abstract:
Multi-mode protected memory in accordance with the present description includes a permanent mode and a transient mode of operation. In one embodiment of the permanent mode, an authentication key is programmable once and a write counter is not decrementable or resettable. In one embodiment of the transient mode, an authentication key may be programmed many times and a write counter may be reset many times. Other features and advantages may be realized, depending upon the particular application.