-
11.发明授权公开(公告)号:US10657071B2
公开(公告)日:2020-05-19
申请号:US15714217
申请日:2017-09-25
Applicant: Intel Corporation
Inventor: David M. Durham , Siddhartha Chhabra , Amy L. Santoni , Gilbert Neiger , Barry E. Huntley , Hormuzd M. Khosravi , Baiju V. Patel , Ravi L. Sahita , Gideon Gerzon , Ido Ouziel , Ioannis T. Schoinas , Rajesh M. Sankaran
Abstract: In one embodiment, a cryptographic circuit is adapted to receive a data line including at least an encrypted portion from a memory in response to a read request having a memory address from a first agent, obtain a key identifier for a key of the first agent from the data line, obtain the key using the key identifier, decrypt the at least encrypted portion of the data line using the key and send decrypted data of the at least encrypted portion of the data line to the first agent. Other embodiments are described and claimed.
-
公开(公告)号:US10331564B2
公开(公告)日:2019-06-25
申请号:US15825730
申请日:2017-11-29
Applicant: Intel Corporation
Inventor: Gideon Gerzon , Pradeep Pappachan , Reshma Lal , Siddhartha Chhabra , Bin Xing
IPC: G06T7/00 , H04L9/32 , G06F13/28 , H04L29/06 , G06F12/0831 , G06F12/1081
Abstract: Technologies for secure I/O with MIPI camera devices include a computing device having a camera controller coupled to a camera and a channel identifier filter. The channel identifier filter detects DMA transactions issued by the camera controller and related to the camera. The channel identifier filter determines whether a DMA transaction includes a secure channel identifier or a non-secure channel identifier. If the DMA transaction includes the non-secure channel identifier, the channel identifier filter allows the DMA transaction. If the DMA transaction includes the secure channel identifier, the channel identifier filter determines whether the DMA transaction is targeted to a memory address in a protected memory range associated with the secure channel identifier. If so, the channel identifier filter allows the DMA transaction. If not, the channel identifier filter blocks the DMA transaction. Other embodiments are described and claimed.
-
公开(公告)号:US20190042431A1
公开(公告)日:2019-02-07
申请号:US15825730
申请日:2017-11-29
Applicant: Intel Corporation
Inventor: Gideon Gerzon , Pradeep Pappachan , Reshma Lal , Siddhartha Chhabra , Bin Xing
IPC: G06F12/0831 , H04L9/32 , G06F13/28 , H04L29/06 , G06F12/1081
CPC classification number: G06F12/0835 , G06F12/1081 , G06F13/28 , G06T7/00 , H04L9/3242 , H04L63/126
Abstract: Technologies for secure I/O with MIPI camera devices include a computing device having a camera controller coupled to a camera and a channel identifier filter. The channel identifier filter detects DMA transactions issued by the camera controller and related to the camera. The channel identifier filter determines whether a DMA transaction includes a secure channel identifier or a non-secure channel identifier. If the DMA transaction includes the non-secure channel identifier, the channel identifier filter allows the DMA transaction. If the DMA transaction includes the secure channel identifier, the channel identifier filter determines whether the DMA transaction is targeted to a memory address in a protected memory range associated with the secure channel identifier. If so, the channel identifier filter allows the DMA transaction. If not, the channel identifier filter blocks the DMA transaction. Other embodiments are described and claimed.
-
14.发明授权公开(公告)号:US09183161B2
公开(公告)日:2015-11-10
申请号:US13730563
申请日:2012-12-28
Applicant: Intel Corporation
Inventor: Gur Hildesheim , Ittai Anati , Hisham Shafi , Shlomo Raikin , Gideon Gerzon , Uday R Savagaonkar , Carlos V Rozas , Francis X McKeen , Michael A Goldsmith , Dewan Prashant
CPC classification number: G06F12/145 , G06F12/084 , G06F12/1027 , G06F12/1483 , G06F21/53
Abstract: An apparatus and method for managing a protection table by a processor. For example, a processor according to one embodiment of the invention comprises: protection table management logic to manage a protection table, the protection table having an entry for each protected page or each group of protected pages in memory; wherein the protection table management logic prevents direct access to the protection table by user application program code and operating system program code but permits direct access by the processor.
Abstract translation: 一种用于由处理器管理保护表的装置和方法。 例如,根据本发明的一个实施例的处理器包括:保护表管理逻辑以管理保护表,所述保护表具有用于每个受保护页面的条目或存储器中每组受保护页面; 其中保护表管理逻辑防止用户应用程序代码和操作系统程序代码直接访问保护表,但允许处理器直接访问。
-
公开(公告)号:US20230315857A1
公开(公告)日:2023-10-05
申请号:US18131199
申请日:2023-04-05
Applicant: Intel Corporation
Inventor: Ravi L. Sahita , Baiju V. Patel , Barry E. Huntley , Gilbert Neiger , Hormuzd M. Khosravi , Ido Ouziel , David M. Durham , Ioannis T. Schoinas , Siddhartha Chhabra , Carlos V. Rozas , Gideon Gerzon
CPC classification number: G06F21/57 , G06F21/6218 , G06F12/1408 , H04L9/0618 , H04L63/061 , G06F21/53 , G06F21/71 , G06F21/79 , G06F2009/45587
Abstract: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, a processing device includes a memory ownership table (MOT) that is access-controlled against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to manage a trust domain (TD), maintain a trust domain control structure (TDCS) for managing global metadata for each TD, maintain an execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is access-controlled against software accesses, and reference the MOT to obtain at least one key identifier (key ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key.
-
Patent Agency Ranking
公开(公告)号:US11651085B2
公开(公告)日:2023-05-16
申请号:US16934089
申请日:2020-07-21
Applicant: Intel Corporation
Inventor: David M. Durham , Siddhartha Chhabra , Ravi L. Sahita , Barry E. Huntley , Gilbert Neiger , Gideon Gerzon , Baiju V. Patel
IPC: G06F21/60 , G06F3/06 , G06F12/1009 , G06F21/57 , G06F21/53
CPC classification number: G06F21/602 , G06F3/067 , G06F3/0623 , G06F3/0661 , G06F12/1009 , G06F21/53 , G06F21/57 , G06F2212/1052
Abstract: A processor executes an untrusted VMM that manages execution of a guest workload. The processor also populates an entry in a memory ownership table for the guest workload. The memory ownership table is indexed by an original hardware physical address, the entry comprises an expected guest address that corresponds to the original hardware physical address, and the entry is encrypted with a key domain key. In response to receiving a request from the guest workload to access memory using a requested guest address, the processor (a) obtains, from the untrusted VMM, a hardware physical address that corresponds to the requested guest address; (b) uses that physical address as an index to find an entry in the memory ownership table; and (c) verifies whether the expected guest address from the found entry matches the requested guest address. Other embodiments are described and claimed.
-
17.发明授权公开(公告)号:US11176059B2
公开(公告)日:2021-11-16
申请号:US16831976
申请日:2020-03-27
Applicant: Intel Corporation
Inventor: David M. Durham , Siddhartha Chhabra , Amy L. Santoni , Gilbert Neiger , Barry E. Huntley , Hormuzd M. Khosravi , Baiju V. Patel , Ravi L. Sahita , Gideon Gerzon , Ido Ouziel , Ioannis T. Schoinas , Rajesh M. Sankaran
Abstract: In one embodiment, an apparatus comprises a processor to read a data line from memory in response to a read request from a VM. The data line comprises encrypted memory data. The apparatus also comprises a memory encryption circuit in the processor. The memory encryption circuit is to use an address of the read request to select an entry from a P2K table; obtain a key identifier from the selected entry of the P2K table; use the key identifier to select a key for the read request; and use the selected key to decrypt the encrypted memory data into decrypted memory data. The processor is further to make the decrypted memory data available to the VM. The P2K table comprises multiple entries, each comprising (a) a key identifier for a page of memory and (b) an encrypted address for that page of memory. Other embodiments are described and claimed.
-
公开(公告)号:US20210064254A1
公开(公告)日:2021-03-04
申请号:US16643836
申请日:2017-09-29
Applicant: Intel Corporation
Inventor: David M. Durham , Ravi L. Sahita , Vedvyas Shanbhogue , Barry E. Huntley , Baiju Patel , Gideon Gerzon , Ioannis T. Schoinas , Hormuzd M. Khosravi , Siddhartha Chhabra , Carlos V. Rozas
Abstract: There is disclosed a microprocessor, including: a processing core; and a total memory encryption (TME) engine to provide TME for a first trust domain (TD), and further to: allocate a block of physical memory to the first TD and a first cryptographic key to the first TD; map within an extended page table (EPT) a host physical address (HPA) space to a guest physical address (GPA) space of the TD; create a memory ownership table (MOT) entry for a memory page within the block of physical memory, wherein the MOT table comprises a GPA reverse mapping; encrypt the MOT entry using the first cryptographic key; and append to the MOT entry verification data, wherein the MOT entry verification data enables detection of an attack on the MOT entry.
-
19.发明申请公开(公告)号:US20200226074A1
公开(公告)日:2020-07-16
申请号:US16831976
申请日:2020-03-27
Applicant: Intel Corporation
Inventor: David M. Durham , Siddhartha Chhabra , Amy L. Santoni , Gilbert Neiger , Barry E. Huntley , Hormuzd M. Khosravi , Baiju V. Patel , Ravi L. Sahita , Gideon Gerzon , Ido Ouziel , Ioannis T. Schoinas , Rajesh M. Sankaran
Abstract: In one embodiment, an apparatus comprises a processor to read a data line from memory in response to a read request from a VM. The data line comprises encrypted memory data. The apparatus also comprises a memory encryption circuit in the processor. The memory encryption circuit is to use an address of the read request to select an entry from a P2K table; obtain a key identifier from the selected entry of the P2K table; use the key identifier to select a key for the read request; and use the selected key to decrypt the encrypted memory data into decrypted memory data. The processor is further to make the decrypted memory data available to the VM. The P2K table comprises multiple entries, each comprising (a) a key identifier for a page of memory and (b) an encrypted address for that page of memory. Other embodiments are described and claimed.
-
公开(公告)号:US20190042764A1
公开(公告)日:2019-02-07
申请号:US15808986
申请日:2017-11-10
Applicant: Intel Corporation
Inventor: David M. Durham , Siddhartha Chhabra , Ravi L. Sahita , Barry E. Huntley , Gilbert Neiger , Gideon Gerzon , Baiju V. Patel
IPC: G06F21/60 , G06F3/06 , G06F12/1009
Abstract: In a public cloud environment, each consumer's/guest's workload is encrypted in a cloud service provider's (CSP's) server memory using a consumer-provided key unknown to the CSP's workload management software. An encrypted consumer/guest workload image is loaded into the CSP's server memory at a memory location specified by the CSP's workload management software. Based upon the CSP-designated memory location, the guest workload determines expected hardware physical addresses into which memory mapping structures and other types of consumer data should be loaded. These expected hardware physical addresses are specified by the guest workload in a memory ownership table (MOT), which is used to check that subsequently CSP-designated memory mappings are as expected. Memory ownership table entries also may be encrypted by the consumer-provided key unknown to the CSP.
-
-
-
-
-
-
-
-
-
Search Results
50
records
(took 0.015 seconds)
