FLEXIBLE PROVISIONING OF ATTESTATION KEYS IN SECURE ENCLAVES
    1.
    Invention application
    Status: Under examination - published

    Publication number: WO2017210145A1

    Publication date: 2017-12-07

    Application number: PCT/US2017/034897

    Filing date: 2017-05-28

    Abstract: A computing platform implements one or more secure enclaves including a first provisioning enclave to interface with a first provisioning service to obtain a first attestation key from the first provisioning service, a second provisioning enclave to interface with a different, second provisioning service to obtain a second attestation key from the second provisioning service, and a provisioning certification enclave to sign first data from the first provisioning enclave and second data from the second provisioning enclave using a hardware-based provisioning attestation key. The signed first data is used by the first provisioning enclave to authenticate to the first provisioning service to obtain the first attestation key and the signed second data is used by the second provisioning enclave to authenticate to the second provisioning service to obtain the second attestation key.

    TECHNOLOGIES FOR VIRTUALIZED ACCESS TO SECURITY SERVICES PROVIDED BY A CONVERGED MANAGEABILITY AND SECURITY ENGINE
    2.
    Invention application
    Status: Under examination - published

    Publication number: WO2016209526A1

    Publication date: 2016-12-29

    Application number: PCT/US2016/034333

    Filing date: 2016-05-26

    Abstract: Technologies for secure access to platform security services include a computing device having a processor and a security engine. The computing device establishes a platform services enclave in a virtual machine of the computing device using secure enclave support of the processor. The platform services enclave receives a platform services request from an application enclave via a first authenticated session and transmits the platform services request to a virtual security engine established by a host environment via a second authenticated session. The first and second authenticated sessions may be authenticated by report-based attestation and quote-based attestation, respectively. The virtual security engine transmits the platform services request to the security engine via a long-term pairing session established by the virtual security engine with the security engine. The security engine performs the platform services request using hardware resources shared with other platform services enclaves. Other embodiments are described and claimed.

    INSTRUCTIONS AND LOGIC TO SUSPEND/RESUME MIGRATION OF ENCLAVES IN A SECURE ENCLAVE PAGE CACHE
    4.
    Invention application
    Status: Under examination - published

    Publication number: WO2017112908A1

    Publication date: 2017-06-29

    Application number: PCT/US2016/068447

    Filing date: 2016-12-22

    Abstract: Instructions and logic support suspending and resuming migration of enclaves in a secure enclave page cache (EPC). An EPC stores a secure domain control structure (SDCS) in storage accessible by an enclave for a management process, and by a domain of enclaves. A first processor checks if a corresponding version array (VA) page is bound to the SDCS, and if so: increments a version counter in the SDCS for the page, performs an authenticated encryption of the page from the EPC using the version counter in the SDCS, and writes the encrypted page to external memory. A second processor checks if a corresponding VA page is bound to a second SDCS of the second processor, and if so: performs an authenticated decryption of the page using a version counter in the second SDCS, and loads the decrypted page to the EPC in the second processor if authentication passes.

    PLATFORM MIGRATION OF SECURE ENCLAVES
    5.
    Invention application
    Status: Under examination - published

    Publication number: WO2017030822A1

    Publication date: 2017-02-23

    Application number: PCT/US2016/046062

    Filing date: 2016-08-08

    Abstract: A processor to support platform migration of secure enclaves is disclosed. In one embodiment, the processor includes a memory controller unit to access secure enclaves and a processor core coupled to the memory controller unit. The processor core identifies a control structure associated with a secure enclave. The control structure comprises a plurality of data slots and keys associated with a first platform comprising the memory controller unit and the processor core. A version of data from the secure enclave is associated with the plurality of data slots. Migratable keys are generated as a replacement for the keys associated with the control structure. The migratable keys control access to the secure enclave. Thereafter, the control structure is migrated to a second platform to enable access to the secure enclave on the second platform.

    PROCESSORS, METHODS, SYSTEMS, AND INSTRUCTIONS TO ALLOW SECURE COMMUNICATIONS BETWEEN PROTECTED CONTAINER MEMORY AND INPUT/OUTPUT DEVICES
    9.
    Invention application
    Status: Under examination - published

    Publication number: WO2017052916A1

    Publication date: 2017-03-30

    Application number: PCT/US2016/048361

    Filing date: 2016-08-24

    Abstract: An integrated circuit of an aspect includes protected container access control logic to perform a set of access control checks and to determine to allow a device protected container module (DPCM) and an input and/or output (I/O) device to communicate securely through one of direct memory access (DMA) and memory-mapped input/output (MMIO). This is done after it has been determined that at least the DPCM and the I/O device are mapped to one another, an access address associated with the communication resolves into a protected container memory, and a page of the protected container memory into which the access address resolves allows for said one of DMA and MMIO.

    SYSTEM FOR ESTABLISHING OWNERSHIP OF A SECURE WORKSPACE
    10.
    Invention application
    Status: Under examination - published

    Publication number: WO2016073114A1

    Publication date: 2016-05-12

    Application number: PCT/US2015/054186

    Filing date: 2015-10-06

    Abstract: The present application is directed to establishing ownership of a secure workspace (SW). A client device may provide a SW data structure (SWDS) to a SW configurator. A SWDS may comprise a hash of an original SW and a public key, and may be signed by a private key corresponding to the public key. The SW configurator may cause an execution container (EC) to be generated including a SW initiated using the SWDS. The client device may claim SW ownership using a request (signed by the private key) transmitted along with a copy of the public key. SW ownership may be determined by an ownership determination module that verifies the signature of the request using the public key received with the request, determines a hash of the received public key and compares the hash of the received public key to a hash of the public key in the SWDS.