公开(公告)号：US20170024569A1

公开(公告)日：2017-01-26

申请号：US14974944

申请日：2015-12-18

Applicant: Intel Corporation

Inventor： Bin Xing ,  Pradeep M. Pappachan ,  Siddhartha Chhabra ,  Reshma Lal ,  Steven B. McGowan

IPC: G06F21/60 ,  G06F13/28

Abstract: Technologies for trusted I/O (TIO) include a computing device with a cryptographic engine and one or more I/O controllers. The computing device executes a TIO core service that has a cryptographic engine programming privileged granted by an operating system. The TIO core service receives a request from an application to protect a DMA channel. The TIO core service requests the operating system to protect the DMA channel, and the operating system verifies the cryptographic engine programming privilege of the TIO core service in response. The operating system programs the cryptographic engine to protect the DMA channel in response to verifying the cryptographic engine programming privilege of the TIO core service. If a privileged delegate determines that a user has confirmed termination of protection of the DMA channel, the TIO core service may unprotect the DMA channel. Other embodiments are described and claimed.

Abstract translation: 可信任I / O（TIO）技术包括具有加密引擎和一个或多个I / O控制器的计算设备。 计算设备执行具有由操作系统许可的加密引擎编程的TIO核心服务。 TIO核心服务接收来自应用程序的请求以保护DMA通道。 TIO核心服务请求操作系统保护DMA通道，操作系统会对TIO核心服务的加密引擎编程权限进行验证。 响应于验证TIO核心服务的加密引擎编程权限，操作系统对加密引擎进行编程以保护DMA通道。 如果特权代表确定用户已经确认终止对DMA通道的保护，TIO核心服务可能会取消保护DMA通道。 描述和要求保护其他实施例。

公开(公告)号：US20160283411A1

公开(公告)日：2016-09-29

申请号：US14671222

申请日：2015-03-27

Applicant: Intel Corporation

Inventor： Micah J. Sheller ,  Bin Xing ,  Vincent R. Scarlata

IPC: G06F12/14 ,  G06F21/62

CPC classification number: G06F12/1458 ,  G06F21/51 ,  G06F21/57 ,  G06F21/6218 ,  G06F2212/1052

Abstract: An embodiment includes at least one machine readable medium on which is stored code that, when executed enables a system to initialize a trusted loader enclave (TL) and a measurement and storage manager enclave (MSM) within a memory of the system, to receive by the MSM a TL measurement of the TL from a trusted processor of the system, to determine whether to establish a secure channel between the MSM and the TL based at least in part on the TL measurement, and responsive to a determination to establish the secure channel, to establish the secure channel and store particular code in the TL. Additional embodiments are described and claimed.

Abstract translation: 一个实施例包括至少一个机器可读介质，其上存储有代码，当被执行时，系统能够使系统初始化系统的存储器内的受信任加载器飞地（TL）和测量和存储管理器飞地（MSM），以便通过 MSM是来自系统的可信处理器的TL的TL测量，以至少部分地基于TL测量来确定是否在MSM和TL之间建立安全信道，并且响应于建立安全信道的确定 ，以建立安全通道并将特定代码存储在TL中。 描述和要求保护附加的实施例。

公开(公告)号：US12093432B2

公开(公告)日：2024-09-17

申请号：US17485077

申请日：2021-09-24

Applicant: Intel Corporation

Inventor： Scott Constable ,  Yuan Xiao ,  Bin Xing ,  Mona Vij ,  Mark Shanahan

IPC: H04L29/06 ,  G06F12/0862 ,  G06F12/14 ,  G06F21/52 ,  G06F21/55 ,  G06F21/57 ,  G06F21/74

CPC classification number: G06F21/74 ,  G06F12/0862 ,  G06F12/1416 ,  G06F21/52 ,  G06F21/554 ,  G06F21/577 ,  G06F2201/88

Abstract: In one embodiment, an apparatus comprises a processing circuitry to detect an occurrence of at least one of a single-stepping event or a zero-stepping event in an execution thread on an architecturally protected enclave and in response to the occurrence, implement at least one mitigation process to inhibit further occurrences of the at least one of a single-stepping event or a zero-stepping event in the architecturally protected enclave.

公开(公告)号：US20230205869A1

公开(公告)日：2023-06-29

申请号：US17561412

申请日：2021-12-23

Applicant: Intel Corporation

Inventor： Scott Constable ,  Bin Xing ,  Yuan Xiao ,  Krystof Zmudzinski ,  Mona Vij ,  Mark Shanahan ,  Francis McKeen ,  Ittai Anati

IPC: G06F21/53 ,  G06F9/30

CPC classification number: G06F21/53 ,  G06F9/30145 ,  G06F9/30105

Abstract: Systems, methods, and apparatuses relating efficient exception handling in trusted execution environments are described. In an embodiment, a hardware processor includes a register, a decoder, and execution circuitry. The register has a field to be set to enable an architecturally protected execution environment at one of a plurality of contexts for code in an architecturally protected enclave in memory. The decoder is to decode an instruction having a format including a field for an opcode, the opcode to indicate that the execution circuitry is to perform a context change. The execution circuitry is to perform one or more operations corresponding to the instruction, the one or more operations including changing, within the architecturally protected enclave, from a first context to a second context.

公开(公告)号：US20230128711A1

公开(公告)日：2023-04-27

申请号：US18062957

申请日：2022-12-07

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Gideon Gerzon ,  Baruch Chaikin ,  Siddhartha Chhabra ,  Pradeep M. Pappachan ,  Bin Xing

IPC: G06F21/60 ,  H04L9/40 ,  G06F21/57 ,  G06F13/28 ,  H04L9/32 ,  G06F21/62 ,  G06F21/85 ,  G09C1/00 ,  G06F13/20

Abstract: Technologies for trusted I/O include a computing device having a processor, a channel identifier filter, and an I/O controller. The I/O controller may generate an I/O transaction that includes a channel identifier and a memory address. The channel identifier filter verifies that the memory address of the I/O transaction is within a processor reserved memory region associated with the channel identifier. The processor reserved memory region is not accessible to software executed by the computing device. The processor encrypts I/O data at the memory address in response to invocation of a processor feature and copies the encrypted data to a memory buffer outside of the processor reserved memory region. The processor may securely clean the processor reserved memory region before encrypting and copying the data. The processor may wrap and unwrap programming information for the channel identifier filter. Other embodiments are described and claimed.

公开(公告)号：US11630904B2

公开(公告)日：2023-04-18

申请号：US17304391

申请日：2021-06-21

Applicant: Intel Corporation

Inventor： Pradeep M. Pappachan ,  Siddhartha Chhabra ,  Bin Xing ,  Reshma Lal ,  Baruch Chaikin

IPC: G06F21/00 ,  G06F21/60 ,  G06F21/62 ,  H04L9/08 ,  H04L9/32 ,  G06F21/53 ,  G06F21/57 ,  G06F21/82

Abstract: In one embodiment, an apparatus includes a channel filter and a security processor. The security processor is to: receive a plurality of device access control policies from a protected non-volatile storage of a platform; determine whether the plurality of device access control policies are verified; program the channel filter with a plurality of filter entries each associated with one of the plurality of device access control policies based on the determination; and remove a security attribute of the security processor from a policy register of the channel filter, to lock the channel filter for a boot cycle of the platform. Other embodiments are described and claimed.

公开(公告)号：US20220012369A1

公开(公告)日：2022-01-13

申请号：US17485077

申请日：2021-09-24

Applicant: Intel Corporation

Inventor： Scott Constable ,  Yuan Xiao ,  Bin Xing ,  Mona Vij ,  Mark Shanahan

IPC: G06F21/74 ,  G06F12/0862 ,  G06F12/14 ,  G06F9/38 ,  G06F21/57

Abstract: In one embodiment, an apparatus comprises a processing circuitry to detect an occurrence of at least one of a single-stepping event or a zero-stepping event in an execution thread on an architecturally protected enclave and in response to the occurrence, implement at least one mitigation process to inhibit further occurrences of the at least one of a single-stepping event or a zero-stepping event in the architecturally protected enclave.

公开(公告)号：US11126733B2

公开(公告)日：2021-09-21

申请号：US16113013

申请日：2018-08-27

Applicant: Intel Corporation

Inventor： Pradeep M. Pappachan ,  Siddhartha Chhabra ,  Bin Xing ,  Reshma Lal ,  Baruch Chaikin

IPC: G06F21/00 ,  G06F21/60 ,  G06F21/62 ,  H04L9/08 ,  H04L9/32 ,  G06F21/53 ,  G06F21/57 ,  G06F21/82

Abstract: In one embodiment, an apparatus includes: a memory encryption circuit to encrypt data from a protected device, the data to be stored to a memory; and a filter circuit coupled to the memory encryption circuit, the filter circuit including a plurality of filter entries, each filter entry to store a channel identifier corresponding to a protected device, an access control policy for the protected device, and a session encryption key provided by an enclave, the enclave permitted to access the data according to the access control policy, where the filter circuit is to receive the session encryption key from the enclave in response to validation of the enclave. Other embodiments are described and claimed.

公开(公告)号：US10789371B2

公开(公告)日：2020-09-29

申请号：US15628008

申请日：2017-06-20

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Gideon Gerzon ,  Baruch Chaikin ,  Siddhartha Chhabra ,  Pradeep M. Pappachan ,  Bin Xing

IPC: G06F21/00 ,  G06F21/60 ,  H04L29/06 ,  G06F21/57 ,  G06F13/28 ,  H04L9/32 ,  G06F21/62 ,  G06F21/85 ,  G09C1/00 ,  G06F13/20 ,  H04L9/06 ,  G06F21/51

Abstract: Technologies for trusted I/O include a computing device having a processor, a channel identifier filter, and an I/O controller. The I/O controller may generate an I/O transaction that includes a channel identifier and a memory address. The channel identifier filter verifies that the memory address of the I/O transaction is within a processor reserved memory region associated with the channel identifier. The processor reserved memory region is not accessible to software executed by the computing device. The processor encrypts I/O data at the memory address in response to invocation of a processor feature and copies the encrypted data to a memory buffer outside of the processor reserved memory region. The processor may securely clean the processor reserved memory region before encrypting and copying the data. The processor may wrap and unwrap programming information for the channel identifier filter. Other embodiments are described and claimed.

公开(公告)号：US20190278911A1

公开(公告)日：2019-09-12

申请号：US16280351

申请日：2019-02-20

Applicant: Intel Corporation

Inventor： Pradeep M. Pappachan ,  Reshma Lal ,  Bin Xing ,  Siddhartha Chhabra ,  Vincent R. Scarlata ,  Steven B. McGowan

IPC: G06F21/57 ,  G06F13/28 ,  G06F21/60

Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information. The computing device may collect application attestation information for a trusted application that uses the trusted I/O usage and verify the application attestation information. Other embodiments are described and claimed.