-
1.
Publication number: US20240184717A1
Publication date: 2024-06-06
Application number: US18378124
Application date: 2023-10-09
Applicant: Intel Corporation
Inventor: Carlos V. Rozas , Mona Vij , Rebekah M. Leslie-Hurd , Krystof C. Zmudzinski , Somnath Chakrabarti , Francis X. McKeen , Vincent R. Scarlata , Simon P. Johnson , Ilya Alexandrovich , Gilbert Neiger , Vedvyas Shanbhogue , Ittai Anati
CPC classification number: G06F12/1408 , G06F8/41 , G06F9/30145 , G06F9/45558 , G06F12/1441 , G06F12/1483 , G06F21/53 , G06F21/602 , G06F2009/4557 , G06F2009/45587 , G06F2212/1052
Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.
-
2.
Publication number: US20190042478A1
Publication date: 2019-02-07
Application number: US16114241
Application date: 2018-08-28
Applicant: Intel Corporation
Inventor: Somnath Chakrabarti , Mona Vij , Matthew Hoekstra
Abstract: A computer system for executing one or more software applications includes a host computer device configured to execute the one or more software applications. The computer system further includes one or more memory devices configured to cryptographically protect volatile memory of the one or more memory devices. The one more memory devices are configured to provide access to the cryptographically protected volatile memory for the one or more software applications. The host computer device is configured to execute the one or more software applications by executing a portion of the one or more software applications associated with the cryptographically protected volatile memory using a processor of the one or more memory devices.
-
3.
Publication number: US20180183580A1
Publication date: 2018-06-28
Application number: US15391208
Application date: 2016-12-27
Applicant: Intel Corporation
Inventor: Vincent R. Scarlata , Carlos V. Rozas , Simon P. Johnson , Francis X. McKeen , Mona Vij , Somnath Chakrabarti , Brandon Baker , Ittai Anati , Ilya Alexandrovich
CPC classification number: G06F9/4856 , G06F21/53 , G06F21/602 , H04L9/0861 , H04L9/0897 , H04L9/3247 , H04L9/3268
Abstract: A secure migration enclave is provided to identify a launch of a particular virtual machine on a host computing system, where the particular virtual machine is launched to include a secure quoting enclave to perform an attestation of one or more aspects of the virtual machine. A root key for the particular virtual machine is generated using the secure migration enclave hosted on the host computing system for use in association with provisioning the secure quoting enclave with an attestation key to be used in the attestation. The migration enclave registers the root key with a virtual machine registration service.
-
4.
Publication number: US20180089468A1
Publication date: 2018-03-29
Application number: US15274217
Application date: 2016-09-23
Applicant: Intel Corporation
Inventor: Carlos V. Rozas , Mona Vij , Somnath Chakrabarti
CPC classification number: G06F21/78 , G06F9/30145 , G06F21/57 , G06F21/6245
Abstract: A method performed by a processor of an aspect includes accessing an encrypted copy of a protected container page stored in a regular memory. A determination is made whether the protected container page was live stored out, while able to remain useable in, protected container memory. The method also includes either performing a given security check, before determining to store the protected container page to a destination page in a first protected container memory, if it was determined that the protected container page was live stored out, or not performing the given security check, if it was determined that the protected container page was not live stored out. Other methods, as well as processors, computer systems, and machine-readable medium providing instructions are also disclosed.
-
5.
Publication number: US09870467B2
Publication date: 2018-01-16
Application number: US14671346
Application date: 2015-03-27
Applicant: Intel Corporation
Inventor: Prashant Pandey , Mona Vij , Somnath Chakrabarti , Krystof C. Zmudzinski
Abstract: In an embodiment, at least one machine-readable storage medium includes instructions that when executed enable a system to receive, at a special library of a parent process located outside of a parent protected region of the parent process, from the parent protected region of the parent process, a call to create a child process and responsive to the call received at the special library, issue by the special library a first request and a second request. The first request is to execute, by a processor, a non-secure instruction to create the child process. The second request is to execute, by the processor, a first secure instruction to create a child protected region within the child process. Responsive to the first request the child process is to be created and responsive to the second request the child protected region is to be created. Other embodiments are described and claimed.
-
6.
Publication number: US11782849B2
Publication date: 2023-10-10
Application number: US17367349
Application date: 2021-07-03
Applicant: Intel Corporation
Inventor: Carlos V. Rozas , Mona Vij , Rebekah M. Leslie-Hurd , Krystof C. Zmudzinski , Somnath Chakrabarti , Francis X. McKeen , Vincent R. Scarlata , Simon P. Johnson , Ilya Alexandrovich , Gilbert Neiger , Vedvyas Shanbhogue , Ittai Anati
CPC classification number: G06F12/1408 , G06F8/41 , G06F9/30145 , G06F9/45558 , G06F12/1441 , G06F12/1483 , G06F21/53 , G06F21/602 , G06F2009/4557 , G06F2009/45587 , G06F2212/1052
Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.
-
7.
Publication number: US10528721B2
Publication date: 2020-01-07
Application number: US15298416
Application date: 2016-10-20
Applicant: INTEL CORPORATION
Inventor: Kapil Sood , Somnath Chakrabarti , Wei Shen , Carlos V. Rozas , Mona Vij , Vincent R. Scarlata
IPC: G06F21/53 , G06F9/4401 , G06F9/455 , G06F21/79 , G06F12/1036 , G06F12/109 , G06F12/14 , G06F21/57 , G06F8/61 , H04L12/24
Abstract: Methods and apparatus for implementing trusted packet processing for multi-domain separation and security. Secure enclaves are created in system memory of a compute platform configured to support a virtualized execution environment including a plurality of virtual machines (VMs) or containers, each secure enclave occupying a respective protected portion of the system memory, wherein software code external to a secure enclave cannot access code or data within the secure enclave, while software code in a secure enclave can access code and data both within the secure enclave and external to it. Software code for implementing packet processing operations is installed in the secure enclaves. The software in the secure enclaves is then executed to perform the packet processing operations. Various configurations of secure enclaves and software code may be implemented, including configurations supporting service chains both within a VM or container and across multiple VMs or containers, as well as parallel packet processing operations.
-
8.
Publication number: US20180095894A1
Publication date: 2018-04-05
Application number: US15282300
Application date: 2016-09-30
Applicant: Intel Corporation
Inventor: Rebekah M. Leslie-Hurd , Francis X. McKeen , Carlos V. Rozas , Gilbert Neiger , Asit K. Mallick , Ittai Anati , Ilya Alexandrovich , Vedvyas Shanbhogue , Somnath Chakrabarti
IPC: G06F12/12 , G06F3/06 , G06F12/0875 , G06F9/455
CPC classification number: G06F12/12 , G06F3/0604 , G06F3/0631 , G06F3/064 , G06F3/0664 , G06F3/0665 , G06F3/0673 , G06F9/45558 , G06F12/0875 , G06F2009/45583 , G06F2212/1016 , G06F2212/151 , G06F2212/152 , G06F2212/402 , G06F2212/604
Abstract: Implementations of the disclosure provide for supporting oversubscription of guest enclave memory pages. In one implementation, a processing device comprises a memory controller unit to access a secure enclave and a processor core operatively coupled to the memory controller unit. The processing device is to identify a target memory page in memory. The target memory page is associated with a secure enclave of a virtual machine (VM). A data structure comprising context information corresponding to the target memory page is received. A state of the target memory page is determined based on the received data structure. The state indicates whether the target memory page is associated with at least one of a child memory page or a parent memory page of the VM. Thereupon, an instruction to evict the target memory page from the secure enclave is generated based on the determined state.
-
9.
Publication number: US20170286645A1
Publication date: 2017-10-05
Application number: US15621864
Application date: 2017-06-13
Applicant: Intel Corporation
Inventor: Prashant Pandey , Mona Vij , Somnath Chakrabarti , Krystof C. Zmudzinski
IPC: G06F21/12 , G06F12/0875 , G06F13/24 , G06F12/0811 , G06F12/0817 , G06F12/14
CPC classification number: G06F21/12 , G06F12/0811 , G06F12/0822 , G06F12/0875 , G06F12/14 , G06F12/1425 , G06F13/24 , G06F2212/1052 , G06F2212/283 , G06F2212/452
Abstract: Instructions and logic fork processes and establish child enclaves in a secure enclave page cache (EPC). Instructions specify addresses for secure storage allocated to enclaves of a parent and a child process to store secure enclave control structure (SECS) data, application data, code, etc. The processor includes an EPC to store enclave data of the parent and child processes. Embodiments of the parent may execute, or a system may execute an instruction to copy parent SECS to secure storage for the child, initialize a unique child ID and link to the parent's SECS/ID. Embodiments of the child may execute, or the system may execute an instruction to copy pages from the parent enclave to the enclave of the child where both have the same key, set an entry for EPC mapping to partial completion, and record a page state in the child enclave, if interrupted. Thus copying can be resumed.
-
10.
Publication number: US09710622B2
Publication date: 2017-07-18
Application number: US14629132
Application date: 2015-02-23
Applicant: INTEL CORPORATION
Inventor: Prashant Pandey , Mona Vij , Somnath Chakrabarti , Krystof C. Zmudzinski
IPC: G06F21/12 , G06F12/0817 , G06F12/14 , G06F13/24 , G06F12/0875 , G06F12/0811
CPC classification number: G06F21/12 , G06F12/0811 , G06F12/0822 , G06F12/0875 , G06F12/14 , G06F12/1425 , G06F13/24 , G06F2212/1052 , G06F2212/283 , G06F2212/452
Abstract: Instructions and logic fork processes and establish child enclaves in a secure enclave page cache (EPC). Instructions specify addresses for secure storage allocated to enclaves of a parent and a child process to store secure enclave control structure (SECS) data, application data, code, etc. The processor includes an EPC to store enclave data of the parent and child processes. Embodiments of the parent may execute, or a system may execute an instruction to copy parent SECS to secure storage for the child, initialize a unique child ID and link to the parent's SECS/ID. Embodiments of the child may execute, or the system may execute an instruction to copy pages from the parent enclave to the enclave of the child where both have the same key, set an entry for EPC mapping to partial completion, and record a page state in the child enclave, if interrupted. Thus copying can be resumed.