公开(公告)号：US11599621B2

公开(公告)日：2023-03-07

申请号：US16370921

申请日：2019-03-30

Applicant: Intel Corporation

Inventor： Vedvyas Shanbhogue ,  Rajesh Sankaran ,  Abhishek Basak ,  Pradeep Pappachan ,  Utkarsh Y. Kakaiya ,  Ravi Sahita ,  Rupin Vakharwala

IPC: G06F21/44 ,  G06F13/16 ,  G06F3/06 ,  G06F21/79

Abstract: Systems, methods, and apparatuses relating to performing an attachment of an input-output memory management unit (IOMMU) to a device, and a verification of the attachment. In one embodiment, a protocol and IOMMU extensions are used by a secure arbitration mode (SEAM) module and/or circuitry to determine if the IOMMU that is attached to the device requested to be mapped to a trusted domain.

公开(公告)号：US20220309008A1

公开(公告)日：2022-09-29

申请号：US17842094

申请日：2022-06-16

Applicant: Intel Corporation

Inventor： David Koufaty ,  Rajesh Sankaran ,  Anna Trikalinou ,  Rupin Vakharwala

IPC: G06F12/14 ,  G06F12/0862 ,  G06F12/1009 ,  G06F13/16 ,  G06F13/42

Abstract: Embodiments are directed to providing a secure address translation service. An embodiment of a system includes memory for storage of data, an IOMMU coupled to the memory, and a host-to-device link to couple the IOMMU with one or more devices and to operate as a translation agent on behalf of one or more devices in connection with memory operations relating to the memory, including receiving a translated request from a discrete device via the host-to-device link specifying a memory operation and a physical address within the memory pertaining to the memory operation, determining page access permissions assigned to a context of the discrete device for a physical page of the memory within which the physical address resides, allowing the memory operation to proceed when the page access permissions permit the memory operation, and blocking the memory operation when the page access permissions do not permit the memory operation.

公开(公告)号：US20230409493A1

公开(公告)日：2023-12-21

申请号：US17836468

申请日：2022-06-09

Applicant: Intel Corporation

Inventor： Rupin Vakharwala ,  Garrett Drown

IPC: G06F12/14 ,  G06F12/02

CPC classification number: G06F12/1491 ,  G06F12/1433 ,  G06F2212/7201 ,  G06F12/0292 ,  G06F12/0246

Abstract: Embodiments described herein may include apparatus, systems, techniques, or processes that are directed to optimizing memory access and minimizing performance degradation due to faulty or malicious devices attempting to access improper memory locations. Faulty/malicious devices' memory accesses are quickly blocked reducing performance degradation due to the avoidance of costly memory lookups and fault generation/processing. Other embodiments may be described and/or claimed.

公开(公告)号：US11614939B2

公开(公告)日：2023-03-28

申请号：US17359337

申请日：2021-06-25

Applicant: Intel Corporation

Inventor： Ashok Raj ,  Andreas Kleen ,  Gilbert Neiger ,  Beeman Strong ,  Jason Brandt ,  Rupin Vakharwala ,  Jeff Huxel ,  Larisa Novakovsky ,  Ido Ouziel ,  Sarathy Jayakumar

IPC: G06F9/30 ,  G06F15/80 ,  G06F9/50 ,  G06F9/48

Abstract: An apparatus and method for processing non-maskable interrupt source information. For example, one embodiment of a processor comprises: a plurality of cores comprising execution circuitry to execute instructions and process data; local interrupt circuitry comprising a plurality of registers to store interrupt-related data including non-maskable interrupt (NMI) data related to a first NMI; and non-maskable interrupt (NMI) processing mode selection circuitry, responsive to a request, to select between at least two NMI processing modes to process the first NMI including: a first NMI processing mode in which the plurality of registers are to store first data related to a first NMI, wherein no NMI source information related to a source of the NMI is included in the first data, and a second NMI processing mode in which the plurality of registers are to store both the first data related to the first NMI and second data comprising NMI source information indicating the NMI source.

公开(公告)号：US10761996B2

公开(公告)日：2020-09-01

申请号：US16147191

申请日：2018-09-28

Applicant: Intel Corporation

Inventor： Vedvyas Shanbhogue ,  Ravi Sahita ,  Rajesh Sankaran ,  Siddhartha Chhabra ,  Abhishek Basak ,  Krystof Zmudzinski ,  Rupin Vakharwala

IPC: G06F12/00 ,  G06F12/1009 ,  G06F12/14 ,  G06F9/30 ,  G06F9/455 ,  G06F21/57 ,  G06F21/53

Abstract: Examples include an apparatus which accesses secure pages in a trust domain using secure lookups in first and second sets of page tables. For example, one embodiment of the processor comprises: a decoder to decode a plurality of instructions including instructions related to a trusted domain; execution circuitry to execute a first one or more of the instructions to establish a first trusted domain using a first trusted domain key, the trusted domain key to be used to encrypt memory pages within the first trusted domain; and the execution circuitry to execute a second one or more of the instructions to associate a first process address space identifier (PASID) with the first trusted domain, the first PASID to uniquely identify a first execution context associated with the first trusted domain.

公开(公告)号：US12164444B2

公开(公告)日：2024-12-10

申请号：US17357829

申请日：2021-06-24

Applicant: Intel Corporation

Inventor： Ashok Raj ,  Rajesh Sankaran ,  Rupin Vakharwala ,  Utkarsh Y. Kakaiya

IPC: G06F13/16 ,  G06F13/42 ,  G06F9/455

Abstract: Techniques and mechanisms for an input-output memory management module (IOMMU) to indicate to software whether a page request by an endpoint device is to be serviced. In an embodiment, the IOMMU receives from the endpoint device a response to an invalidation wait message. Based on the response, the IOMMU provides first information which indicates to software that page requests have been flushed from the endpoint device. Page request message from the endpoint device are compatible with an interface standard which also comprises a stop marker message type. The first information is provided independent of the endpoint device providing any message which is of the stop marker message type. In another embodiment, the first information includes a drain marker generated by the IOMMU, or a snapshot of an address corresponding to an end of a page request queue.

公开(公告)号：US20220414029A1

公开(公告)日：2022-12-29

申请号：US17357829

申请日：2021-06-24

Applicant: Intel Corporation

Inventor： Ashok Raj ,  Rajesh Sankaran ,  Rupin Vakharwala ,  Utkarsh Y. Kakaiya

IPC: G06F13/16 ,  G06F13/42

Abstract: Techniques and mechanisms for an input-output memory management module (IOMMU) to indicate to software whether a page request by an endpoint device is to be serviced. In an embodiment, the IOMMU receives from the endpoint device a response to an invalidation wait message. Based on the response, the IOMMU provides first information which indicates to software that page requests have been flushed from the endpoint device. Page request message from the endpoint device are compatible with an interface standard which also comprises a stop marker message type. The first information is provided independent of the endpoint device providing any message which is of the stop marker message type. In another embodiment, the first information includes a drain marker generated by the IOMMU, or a snapshot of an address corresponding to an end of a page request queue.

公开(公告)号：US11526290B2

公开(公告)日：2022-12-13

申请号：US16458013

申请日：2019-06-29

Applicant: Intel Corporation

Inventor： David Koufaty ,  Rajesh Sankaran ,  Rupin Vakharwala

IPC: G06F3/06 ,  G06F12/0882 ,  G06F12/1009

Abstract: A system for tracking memory access patterns to be used in making data placement and migration policies. The system includes a processing unit and a system memory. The system memory includes a local memory and a remote memory, each of which having mapped thereon, a plurality of memory pages. Each of the plurality of memory pages corresponds to one or more physical addresses. A set of attributes for each memory page is stored in a physical attribute table (PAT). The PAT is looked up and the attributes updated when a memory access is detected. Attributes stored in the PAT are used to control the movement of memory pages between the local memory and the remote memory. When the attributes in the PAT indicate a remote memory page is being accessed frequently by the processing unit, the remote memory page is moved from the remote memory to the local memory.

公开(公告)号：US10949358B2

公开(公告)日：2021-03-16

申请号：US16582919

申请日：2019-09-25

Applicant: Intel Corporation

Inventor： Michael Kounavis ,  David Koufaty ,  Anna Trikalinou ,  Rupin Vakharwala

IPC: G06F12/14 ,  G06F12/1081 ,  G06F12/1027 ,  G06F12/0831 ,  G11C15/04 ,  G06F12/0868

Abstract: Embodiments are directed to providing a secure address translation service. An embodiment of a system includes a memory for storage of data, an Input/Output Memory Management Unit (IOMMU) coupled to the memory via a host-to-device link the IOMMU to perform operations, comprising receiving a memory access request from a remote device via a host-to-device link, wherein the memory access request comprises a host physical address (HPA) that identifies a physical address within the memory pertaining to the memory access request and a first message authentication code (MAC), generating a second message authentication code (MAC) using the host physical address received with the memory access request and a private key associated with the remote device, and performing at least one of allowing the memory access to proceed when the first MAC and the second MAC match and the HPA is not in an invalidation tracking table (ITT) maintained by the IOMMU; or blocking the memory operation when the first MAC and the second MAC do not match.

公开(公告)号：US12248561B2

公开(公告)日：2025-03-11

申请号：US17485421

申请日：2021-09-25

Applicant: Intel Corporation

Inventor： Vedvyas Shanbhogue ,  Ravi Sahita ,  Utkarsh Y KAKAIYA ,  Abhishek Basak ,  Lee Albion ,  Filip Schmole ,  Rupin Vakharwala ,  Vinit M Abraham ,  Raghunandan Makaram

IPC: G06F21/54 ,  G06F9/455 ,  G06F13/40 ,  G06F21/56

Abstract: Apparatus and method for role-based register protection. For example, one embodiment of an apparatus comprises: one or more processor cores to execute instructions and process data, the one or more processor cores to execute one or more security instructions to protect a virtual machine or trusted application from a virtual machine monitor (VMM) or operating system (OS); an interconnect fabric to couple the one or more processor cores to a device; and security hardware logic to determine whether to allow a read or write transaction directed to a protected register to proceed over the interconnect fabric, the security hardware logic to evaluate one or more security attributes associated with an initiator of the transaction to make the determination.