-
Publication No.: US11775332B2
Publication date: 2023-10-03
Application No.: US17532886
Application date: 2021-11-22
Applicant: Intel Corporation
Inventor: David M. Durham, Siddhartha Chhabra, Michael E. Kounavis
IPC: G06F12/14, G06F21/64, G06F21/79, G06F9/455, H04L9/40, H04L69/04, G06F12/0891, G06F21/53, G06F12/16, G06F21/80
CPC classification number: G06F9/45558, G06F12/0891, G06F12/1408, G06F21/53, G06F21/79, H04L63/0227, H04L63/0428, H04L63/0435, H04L63/0471, H04L69/04, H04L63/123
Abstract: Systems and methods for memory isolation are provided. The methods include receiving a request to write a data line to a physical memory address, where the physical memory address includes a key identifier, selecting an encryption key from a key table based on the key identifier of the physical memory address, determining whether the data line is compressible, compressing the data line to generate a compressed line in response to determining that the data line is compressible, where the compressed line includes compression metadata and compressed data, adding encryption metadata to the compressed line, where the encryption metadata is indicative of the encryption key, encrypting a part of the compressed line with the encryption key to generate an encrypted line in response to adding the encryption metadata, and writing the encrypted line to a memory device at the physical memory address. Other embodiments are described and claimed.
-
Publication No.: US11687654B2
Publication date: 2023-06-27
Application No.: US15705562
Application date: 2017-09-15
Applicant: Intel Corporation
Inventor: Ravi L. Sahita, Baiju V. Patel, Barry E. Huntley, Gilbert Neiger, Hormuzd M. Khosravi, Ido Ouziel, David M. Durham, Ioannis T. Schoinas, Siddhartha Chhabra, Carlos V. Rozas, Gideon Gerzon
IPC: G06F21/57, G06F21/62, G06F12/14, H04L9/06, H04L9/40, G06F21/53, G06F21/71, G06F21/79, G06F9/455
CPC classification number: G06F21/57, G06F12/1408, G06F21/53, G06F21/6218, G06F21/71, G06F21/79, H04L9/0618, H04L63/061, G06F9/45558, G06F2009/45587, G06F2212/1052, G06F2221/2107, G06F2221/2149
Abstract: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, a processing device includes a memory ownership table (MOT) that is access-controlled against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to manage a trust domain (TD), maintain a trust domain control structure (TDCS) for managing global metadata for each TD, maintain an execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is access-controlled against software accesses, and reference the MOT to obtain at least one key identifier (key ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key.
-
Publication No.: US11641272B2
Publication date: 2023-05-02
Application No.: US16948460
Application date: 2020-09-18
Applicant: Intel Corporation
Inventor: David M. Durham, Siddhartha Chhabra
IPC: H04L9/08, G06F9/455, G06F12/0882
Abstract: An apparatus including a processor comprising at least one core to execute instructions of a plurality of virtual machines and a virtual machine monitor; and a cryptographic engine comprising circuitry to protect data associated with the plurality of virtual machines through use of a plurality of private keys and an accessor key, wherein each of the plurality of private keys are to protect a respective virtual machine and the accessor key is to protect management structures of the plurality of virtual machines; and wherein the processor is to provide, to the virtual machine monitor, direct read access to the management structures of the plurality of virtual machines through the accessor key and indirect write access to the management structures of the plurality of virtual machines through a secure software module.
-
Publication No.: US11630920B2
Publication date: 2023-04-18
Application No.: US16024257
Application date: 2018-06-29
Applicant: Intel Corporation
Inventor: David M. Durham, Michael Lemay, Siddhartha Chhabra, Kai Cong
IPC: G06F21/72, G06F21/73, G06F21/64, G06F21/53, G06F12/0895, H04L9/06, H04L9/00, H04L9/32, G06F21/75
Abstract: A system may use memory tagging for side-channel defense, memory safety, and sandboxing to reduce the likelihood of successful attacks. The system may include memory tagging circuitry to address existing and potential hardware and software architecture security vulnerabilities. The memory tagging circuitry may prevent memory pointers from being overwritten, prevent memory pointer manipulation (e.g., by adding values), and increase the granularity of memory tagging to include byte-level tagging in cache. The memory tagging circuitry may sandbox untrusted code by tagging portions of memory to indicate when the tagged portions of memory contain a protected pointer. The memory tagging circuitry provides security features while enabling CPUs to continue using and benefiting from speculatively performing operations. By co-locating all tagging information at a cacheline granularity with its associated data, the processor has all the information needed to perform access control decisions immediately and non-speculatively, while maintaining high performance and cache coherency.
-
Publication No.: US11625337B2
Publication date: 2023-04-11
Application No.: US17134355
Application date: 2020-12-26
Applicant: Intel Corporation
Inventor: David M. Durham
Abstract: Technologies disclosed herein provide cryptographic computing. An example method comprises storing, in a register, an encoded pointer to a memory location, wherein the encoded pointer comprises first context information and a slice of a memory address of the memory location, wherein the first context information includes an identification of a data key; decoding the encoded pointer to obtain the memory address of the memory location; using the memory address obtained by decoding the encoded pointer to access encrypted data at the memory location; and decrypting the encrypted data based on the data key.
-
Publication No.: US11601283B2
Publication date: 2023-03-07
Application No.: US17493171
Application date: 2021-10-04
Applicant: Intel Corporation
Inventor: David M. Durham
Abstract: Embodiments are generally directed to message authentication code (MAC) based compression and decompression. An embodiment of an apparatus includes one or more processors to process data; and a computer memory; wherein the one or more processors are to perform compression of a fixed transmission or storage unit, the transmission or storage unit including multiple slots, the compression of the transmission or storage unit including the one or more processors to calculate a MAC for data in the transmission or storage unit, determine whether a special value is present in any slot of the transmission or storage unit, and upon determining that the special value is present in a respective slot of the transmission or storage unit, remove the special value from the transmission or storage unit, shift remaining data of the transmission or storage unit to provide room in a first slot of the transmission or storage unit, and insert the MAC in the first slot to generate a compressed transmission or storage unit.
-
Publication No.: US11575504B2
Publication date: 2023-02-07
Application No.: US16776467
Application date: 2020-01-29
Applicant: Intel Corporation
Inventor: David M. Durham, Michael LeMay, Michael E. Kounavis, Santosh Ghosh, Sergej Deutsch, Anant Vithal Nori, Jayesh Gaur, Sreenivas Subramoney, Karanvir S. Grewal
IPC: H04L9/06, G06F9/30, G06F12/1027
Abstract: A processor comprises a first register to store an encoded pointer to a memory location. First context information is stored in first bits of the encoded pointer and a slice of a linear address of the memory location is stored in second bits of the encoded pointer. The processor also includes circuitry to execute a memory access instruction to obtain a physical address of the memory location, access encrypted data at the memory location, derive a first tweak based at least in part on the encoded pointer, and generate a keystream based on the first tweak and a key. The circuitry is to further execute the memory access instruction to store state information associated with memory access instruction in a first buffer, and to decrypt the encrypted data based on the keystream. The keystream is to be generated at least partly in parallel with accessing the encrypted data.
-
Publication No.: US20220350785A1
Publication date: 2022-11-03
Application No.: US17868467
Application date: 2022-07-19
Applicant: Intel Corporation
Inventor: Michael E. Kounavis, Santosh Ghosh, Sergej Deutsch, Michael LeMay, David M. Durham
IPC: G06F16/22, G06F16/2457, G06F16/2455, G06F9/38, G06F21/60, G06F21/62, H03M13/00
Abstract: Embodiments are directed to collision-free hashing for accessing cryptographic computing metadata and for cache expansion. An embodiment of an apparatus includes one or more processors to: receive a physical address; compute a set of hash functions using a set of different indexes corresponding to the set of hash functions, wherein the set of hash functions combine additions, bit-level reordering, bit-linear mixing, and wide substitutions, wherein the plurality of hash functions differ in the bit-linear mixing; access a plurality of cache units utilizing the set of hash functions; read different sets of the plurality of cache units in parallel, where a set of the different sets is obtained from each cache unit of the plurality of cache units; and responsive to the physical address being located in one of the different sets, return cache line data of the set corresponding to the set of the cache unit having the physical address.
-
Publication No.: US20220300626A1
Publication date: 2022-09-22
Application No.: US17833515
Application date: 2022-06-06
Applicant: Intel Corporation
Inventor: Michael E. Kounavis, Santosh Ghosh, Sergej Deutsch, Michael LeMay, David M. Durham
IPC: G06F21/60, G06F12/0897, G06F9/30, G06F9/48, G06F21/72, H04L9/06, G06F12/06, G06F12/0875, G06F21/79, G06F9/455, G06F12/0811, G06F21/12, H04L9/08, G06F12/14, G06F9/32, G06F9/50, G06F12/02, H04L9/14, G06F21/62
Abstract: Technologies disclosed herein provide cryptographic computing. An example method comprises executing a first instruction of a first software entity to receive a first input operand indicating a first key associated with a first memory compartment of a plurality of memory compartments stored in a first memory unit, and execute a cryptographic algorithm in a core of a processor to compute first encrypted contents based at least in part on the first key. Subsequent to computing the first encrypted contents in the core, the first encrypted contents are stored at a memory location in the first memory compartment of the first memory unit. More specific embodiments include, prior to storing the first encrypted contents at the memory location in the first memory compartment and subsequent to computing the first encrypted contents in the core, moving the first encrypted contents into a level one (L1) cache outside a boundary of the core.
-
Publication No.: US20220206960A1
Publication date: 2022-06-30
Application No.: US17699593
Application date: 2022-03-21
Applicant: Intel Corporation
Inventor: David M. Durham, Anna Trikalinou, Michael LeMay
IPC: G06F12/14, G06F12/1009, G06F12/02
Abstract: A method comprises identifying a first page in a computer readable memory communicatively coupled to the apparatus that has been marked as being stored in memory as plaintext even if accessed using cryptographic addresses, the first page in the computer readable memory comprising at least one encrypted data object, and setting a page table entry bit for the first page to a first value which indicates that at least one memory allocation in the first page has been marked as being stored in memory as plaintext even if accessed using cryptographic addresses.