公开(公告)号：US20220206842A1

公开(公告)日：2022-06-30

申请号：US17134339

申请日：2020-12-26

Applicant: INTEL CORPORATION

Inventor： Ravi SAHITA ,  Dror CASPI ,  Vincent SCARLATA ,  Sharon YANIV ,  Baruch CHAIKIN ,  Vedvyas SHANBHOGUE ,  Jun NAKAJIMA ,  Arumugam THIYAGARAJAH ,  Sean CHRISTOPHERSON ,  Haidong XIA ,  Vinay AWASTHI ,  Isaku YAMAHATA ,  Wei WANG ,  Thomas ADELMEYER

IPC: G06F9/48 ,  G06F9/455 ,  G06F9/38 ,  G06F21/60

Abstract: Techniques for migration of a source protected virtual machine from a source platform to a destination platform are descried. A method of an aspect includes enforcing that bundles of state, of a first protected virtual machine (VM), received at a second platform over a stream, during an in-order phase of a migration of the first protected VM from a first platform to the second platform, are imported to a second protected VM of the second platform, in a same order that they were exported from the first protected VM. Receiving a marker over the stream marking an end of the in-order phase. Determining that all bundles of state exported from the first protected VM prior to export of the marker have been imported to the second protected VM. Starting an out-of-order phase of the migration based on the determination that said all bundles of the state exported have been imported.

公开(公告)号：US20230195652A1

公开(公告)日：2023-06-22

申请号：US17554190

申请日：2021-12-17

Applicant: Intel Corporation

Inventor： Dror CASPI ,  Ravi SAHITA ,  Kunal MEHTA ,  Tin-Cheung KUNG ,  Hormuzd KHOSRAVI

IPC: G06F12/14 ,  G06F12/06 ,  G06F9/455

CPC classification number: G06F12/1408 ,  G06F12/0646 ,  G06F9/45558 ,  G06F2212/1052 ,  G06F2009/45583

Abstract: Methods and apparatus to set guest physical address mapping attributes for a trusted domain In one embodiment, the method includes executing a first one or more of instructions to establish a trusted domain and executing a second one or more of the instructions to add a first memory page to the trusted domain, where the first memory page is private to the trusted domain and a first set of page attributes is set for the first memory page based on the second one or more of the instructions, where the first set of page attributes indicates how the first memory page is mapped in a secure extended page table. The method further includes storing the first set of page attributes for the first memory page in the secure extended page table at a storage location responsive to executing the second one or more of the instructions.

公开(公告)号：US20210200879A1

公开(公告)日：2021-07-01

申请号：US16727608

申请日：2019-12-26

Applicant: Intel Corporation

Inventor： Gideon GERZON ,  Hormuzd M. KHOSRAVI ,  Vincent VON BOKERN ,  Barry E. HUNTLEY ,  Dror CASPI

IPC: G06F21/60 ,  G06F9/455 ,  H04L9/06 ,  G06F21/72

Abstract: Disclosed embodiments relate to trust domain islands with self-contained scope. In one example, a system includes multiple sockets, each including multiple cores, multiple multi-key total memory encryption (MK-TME) circuits, multiple memory controllers, and a trust domain island resource manager (TDIRM) to: initialize a trust domain island (TDI) island control structure (TDICS) associated with a TD island, initialize a trust domain island protected memory (TDIPM) associated with the TD island, identify a host key identifier (HKID) in a key ownership table (KOT), assign the HKID to a cryptographic key and store the HKID in the TDICS, associate one of the plurality of cores with the TD island, add a memory page from an address space of the first core to the TDIPM, and transfer execution control to the first core to execute the TDI, and wherein a number of HKIDs available in the system is increased as the memory mapped to the TD island is decreased.

公开(公告)号：US20210064375A1

公开(公告)日：2021-03-04

申请号：US17098129

申请日：2020-11-13

Applicant: Intel Corporation

Inventor： Gideon GERZON ,  Dror CASPI ,  Arie AHARON ,  Ido OUZIEL

IPC: G06F9/30 ,  G06F9/455 ,  G06F12/0804

Abstract: A processor includes a global register to store a value of an interrupted block count. A processor core, communicably coupled to the global register, may, upon execution of an instruction to flush blocks of a cache that are associated with a security domain: flush the blocks of the cache sequentially according to a flush loop of the cache; and in response to detection of a system interrupt: store a value of a current cache block count to the global register as the interrupted block count; and stop execution of the instruction to pause the flush of the blocks of the cache. After handling of the interrupt, the instruction may be called again to restart the flush of the cache.

公开(公告)号：US20210399882A1

公开(公告)日：2021-12-23

申请号：US17465311

申请日：2021-09-02

Applicant: Intel Corporation

Inventor： Ido OUZIEL ,  Arie AHARON ,  Dror CASPI ,  Baruch CHAIKIN ,  Jacob DOWECK ,  Gideon GERZON ,  Barry E. HUNTLEY ,  Francis X. MCKEEN ,  Gilbert NEIGER ,  Carlos V. ROZAS ,  Ravi L. SAHITA ,  Vedvyas SHANBHOGUE ,  Assaf ZALTSMAN

IPC: H04L9/08 ,  G06F9/455 ,  G06F12/1009 ,  G06F21/60 ,  G06F21/62

Abstract: A processor includes a processor core. A register of the core is to store: a bit range for a number of address bits of physical memory addresses used for key identifiers (IDs), and a first key ID to identify a boundary between non-restricted key IDs and restricted key IDs of the key identifiers. A memory controller is to: determine, via access to bit range and the first key ID in the register, a key ID range of the restricted key IDs within the physical memory addresses; access a processor state that a first logical processor of the processor core executes in an untrusted domain mode; receive a memory transaction, from the first logical processor, including an address associated with a second key ID; and generate a fault in response to a determination that the second key ID is within a key ID range of the restricted key IDs.

公开(公告)号：US20190095357A1

公开(公告)日：2019-03-28

申请号：US15719222

申请日：2017-09-28

Applicant: Intel Corporation

Inventor： Meltem OZSOY ,  Vedvyas SHANBHOGUE ,  Krystof C. ZMUDZINSKI ,  Francis X. MCKEEN ,  Carlos V. ROZAS ,  Ilya ALEXANDROVICH ,  Ittai ANATI ,  Raghunandan MAKARAM ,  Dror CASPI ,  Hisham SHAFI

IPC: G06F12/14 ,  G06F9/44

Abstract: A system includes a processor core and main memory. The processor core is to, in response to execution of a patch-load instruction, retrieve, from a predetermined area of the main memory, memory protection metadata and a memory range of reserved memory, wherein the reserved memory is not flexibly convertible to enclave pages. The processor core is further to retrieve a bit from an architectural control register, wherein a value of the bit is to indicate whether an operating system is capable of management of flexibly-convertible enclave pages. The processor core is further to activate, using the memory protection metadata and one of the first information or the second information, a mode of protected memory management for the processor core in response to the value of the bit in the architectural control register.

公开(公告)号：US20240169099A1

公开(公告)日：2024-05-23

申请号：US18493709

申请日：2023-10-24

Applicant: Intel Corporation

Inventor： Hormuzd KHOSRAVI ,  Dror CASPI ,  Arie AHARON

IPC: G06F21/72 ,  G06F9/455 ,  G06F9/50 ,  G06F21/57 ,  H04L9/08

CPC classification number: G06F21/72 ,  G06F9/45558 ,  G06F9/5016 ,  G06F21/575 ,  H04L9/088 ,  H04L9/0894 ,  H04L9/0897 ,  G06F2009/45583 ,  G06F2009/45587

Abstract: A method of creating a trusted execution domain includes initializing, by a processing device executing a trust domain resource manager (TDRM), a trust domain control structure (TDCS) and a trust domain protected memory (TDPM) associated with a trust domain (TD). The method further includes generating a one-time cryptographic key, assigning the one-time cryptographic key to an available host key id (HKID) in a multi-key total memory encryption (MK-TME) engine, and storing the HKID in the TDCS. The method further includes associating a logical processor to the TD, adding a memory page from an address space of the logical processor to the TDPM, and transferring execution control to the logical processor to execute the TD.

公开(公告)号：US20210397721A1

公开(公告)日：2021-12-23

申请号：US17464163

申请日：2021-09-01

Applicant: Intel Corporation

Inventor： Dror CASPI ,  Arie AHARON ,  Gideon GERZON ,  Hormuzd KHOSRAVI

IPC: G06F21/60 ,  H04L9/08 ,  H04L9/14

Abstract: Implementations describe providing secure encryption key management in trust domains. In one implementation, a processing device includes a key ownership table (KOT) that is protected against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to create a trust domain (TD) and a randomly-generated encryption key corresponding to the TD, the randomly-generated encryption key identified by a guest key identifier (GKID) and protected against software access from at least one of the TDRM or other TDs, the TDRM is to reference the KOT to obtain at least one unassigned host key identifier (HKID) utilized to encrypt a TD memory, the TDRM is to assign the HKID to the TD by marking the HKID in the KOT as assigned, and configure the randomly-generated encryption key on the processing device by associating the randomly-generated encryption key with the HKID.

公开(公告)号：US20190196982A1

公开(公告)日：2019-06-27

申请号：US15854278

申请日：2017-12-26

Applicant: Intel Corporation

Inventor： Carlos V. ROZAS ,  Ittai ANATI ,  Francis X. MCKEEN ,  Krystof ZMUDZINSKI ,  Ilya ALEXANDROVICH ,  Somnath CHAKRABARTI ,  Dror CASPI ,  Meltem OZSOY

IPC: G06F12/14 ,  G06F12/128 ,  G06F3/06 ,  G06F12/0806 ,  G06F12/0868 ,  G06F12/1009 ,  G06F12/1027

Abstract: A secure enclave circuit stores an enclave page cache map to track contents of a secure enclave in system memory that stores secure data containing a page having a virtual address. An execution unit is to, in response to a request to evict the page from the secure enclave: block creation of translations of the virtual address; record one or more hardware threads currently accessing the secure data in the secure enclave; send an inter-processor interrupt to one or more cores associated with the one or more hardware threads, to cause the one or more hardware threads to exit the secure enclave and to flush translation lookaside buffers of the one or more cores; and in response to detection of a page fault associated with the virtual address for the page in the secure enclave, unblock the creation of translations of the virtual address.

公开(公告)号：US20190042467A1

公开(公告)日：2019-02-07

申请号：US16023537

申请日：2018-06-29

Applicant: Intel Corporation

Inventor： Ravi SAHITA ,  Barry E. HUNTLEY ,  Vedvyas SHANBHOGUE ,  Dror CASPI ,  Baruch CHAIKIN ,  Gilbert NEIGER ,  Arie AHARON ,  Arumugam THIYAGARAJAH

IPC: G06F12/1036 ,  G06F12/1009 ,  G06F12/14 ,  G06F12/02 ,  G06F9/455

Abstract: Examples include a processor including at least one untrusted extended page table (EPT), circuitry to execute a set of instructions of the instruction set architecture (ISA) of the processor to manage at least one secure extended page table (SEPT), and a physical address translation component to translate a guest physical address of a guest physical memory to a host physical address of a host physical memory using one of the at least one untrusted EPT and the at least one SEPT.