-
Publication No.: US11048588B2
Publication Date: 2021-06-29
Application No.: US16787333
Filing Date: 2020-02-11
Applicant: Intel Corporation
Inventor: Gilbert Neiger , Andrew V. Anderson , Richard A. Uhlig , David M. Durham , Ronak Singhal , Xiangbin Wu , Sailesh Kottapalli
Abstract: Embodiments of an invention for monitoring the operation of a processor are disclosed. In one embodiment, a system includes a processor and a hardware agent external to the processor. The processor includes virtualization logic to provide for the processor to operate in a root mode and in a non-root mode. The hardware agent is to verify operation of the processor in the non-root mode based on tracing information to be collected by a software agent to be executed by the processor in the root mode.
-
Publication No.: US11030113B1
Publication Date: 2021-06-08
Application No.: US16728928
Filing Date: 2019-12-27
Applicant: Intel Corporation
Inventor: David M. Durham , Jacob Doweck , Michael Lemay , Deepak Gupta
IPC: G06F12/10 , G06F12/1027
Abstract: An apparatus and method for efficient process-based compartmentalization. For example, one embodiment of a processor comprises: execution circuitry to execute instructions and process data; memory management circuitry coupled to the execution circuitry, the memory management circuitry to manage access to a system memory by a plurality of related processes using one or more process-specific translation structures and one or more shared translation structures to be shared by the related processes; and one or more control registers to store a process-specific base address pointer associated with a first process of the plurality of related processes and to store a shared base address pointer to identify the shared translation structures; wherein the memory management circuitry is to use the process-specific base address pointer in combination with a first linear address provided by the first process to walk the process-specific translation structures to identify any permissions and/or physical address associated with the first linear address, wherein if permissions are identified, the memory management circuitry is to use the permissions in place of any permissions specified in the shared translation structures.
-
Publication No.: US20210073145A1
Publication Date: 2021-03-11
Application No.: US17022029
Filing Date: 2020-09-15
Applicant: Intel Corporation
Inventor: Siddhartha Chhabra , Prashant Dewan , Abhishek Basak , David M. Durham
Abstract: The present disclosure includes systems and methods for securing data direct I/O (DDIO) for a secure accelerator interface, in accordance with various embodiments. Historically, DDIO has enabled performance advantages that have outweighed its security risks. DDIO circuitry may be configured to secure DDIO data by using encryption circuitry that is manufactured for use in communications with main memory along the direct memory access (DMA) path. DDIO circuitry may be configured to secure DDIO data by using DDIO encryption circuitry manufactured for use by or manufactured within the DDIO circuitry. Enabling encryption and decryption in the DDIO path by the DDIO circuitry has the potential to close a security gap in modern data central processor units (CPUs).
-
Publication No.: US10810321B2
Publication Date: 2020-10-20
Application No.: US15293967
Filing Date: 2016-10-14
Applicant: Intel Corporation
Inventor: David M. Durham , Ravi L. Sahita , Barry E. Huntley , Nikhil M. Deshpande
Abstract: A method, system, computer-readable media, and apparatus for ensuring a secure cloud environment is provided, where public cloud services providers can remove their code from the Trusted Computing Base (TCB) of their cloud services consumers. The method for ensuring a secure cloud environment keeps the Virtual Machine Monitor (VMM), devices, firmware and the physical adversary (where a bad administrator/technician attempts to directly access the cloud host hardware) outside of a consumer's Virtual Machine (VM) TCB. Only the consumer that owns this secure VM can modify the VM or access contents of the VM (as determined by the consumer).
-
Publication No.: US20200327241A1
Publication Date: 2020-10-15
Application No.: US16913224
Filing Date: 2020-06-26
Applicant: Intel Corporation
Inventor: Siddhartha Chhabra , David M. Durham
Abstract: A server includes a processor core including system memory, and a cryptographic engine storing a key data structure. The data structure is to store multiple keys for multiple secure domains. The core receives a request to program a first secure domain into the cryptographic engine. The request includes first domain information within a first wrapped binary large object (blob). In response to a determination that there is no available entry in the data structure, the core selects a second secure domain within the data structure to de-schedule and issues a read key command to read second domain information from a target entry of the data structure. The core encrypts the second domain information to generate a second wrapped blob and stores the second wrapped blob in a determined region of the system memory, which frees up the target entry for use to program the first secure domain.
-
Publication No.: US10783089B2
Publication Date: 2020-09-22
Application No.: US16023661
Filing Date: 2018-06-29
Applicant: Intel Corporation
Inventor: Siddhartha Chhabra , Prashant Dewan , Abhishek Basak , David M. Durham
Abstract: The present disclosure includes systems and methods for securing data direct I/O (DDIO) for a secure accelerator interface, in accordance with various embodiments. Historically, DDIO has enabled performance advantages that have outweighed its security risks. DDIO circuitry may be configured to secure DDIO data by using encryption circuitry that is manufactured for use in communications with main memory along the direct memory access (DMA) path. DDIO circuitry may be configured to secure DDIO data by using DDIO encryption circuitry manufactured for use by or manufactured within the DDIO circuitry. Enabling encryption and decryption in the DDIO path by the DDIO circuitry has the potential to close a security gap in modern data central processor units (CPUs).
-
Publication No.: US20200257827A1
Publication Date: 2020-08-13
Application No.: US16862022
Filing Date: 2020-04-29
Applicant: Intel Corporation
Inventor: Michael E. Kounavis , Santosh Ghosh , Sergej Deutsch , Michael LeMay , David M. Durham
Abstract: Technologies disclosed herein provide cryptographic computing with memory write access in the core. An example method comprises executing a first instruction of a software entity. The first instruction comprises a first operand comprising a certificate for a memory region in memory. Executing the first instruction includes computing encrypted first data based, at least in part, on a cryptographic algorithm and a first data parameter, determining whether the certificate authorizes the software entity to access the memory region of the memory, and based on determining the certificate in the first operand authorizes the software entity to access the memory region, performing a write operation to store the encrypted first data in the memory region. More specific embodiments include performing the write operation without performing a preceding read operation on the memory region, which may be called a write for ownership.
-
Publication No.: US10691813B2
Publication Date: 2020-06-23
Application No.: US15942122
Filing Date: 2018-03-30
Applicant: INTEL CORPORATION
Inventor: Siddhartha Chhabra , David M. Durham
IPC: G06F21/60 , H04L9/08 , H04L9/06 , G06F21/79 , G06F12/1009 , G06F12/14 , G06F12/1027
Abstract: Various embodiments are generally directed to techniques for enclave confidentiality management, such as for protecting cross enclave confidentiality on servers, for instance. Some embodiments are particularly directed to a computing platform including hardware and/or instruction set architecture (ISA) extensions that ensure enclaves cannot access confidential data of other enclaves. For example, key programming ISA extensions and/or hardware changes to the page miss handler (PMH) may ensure that the key uniquely associated with an enclave is used for its memory accesses.
-
Publication No.: US10691482B2
Publication Date: 2020-06-23
Application No.: US16108395
Filing Date: 2018-08-22
Applicant: Intel Corporation
Inventor: Kai Cong , Karanvir Grewal , David M. Durham
Abstract: A data processing system with technology to secure a VMCS comprises random access memory (RAM) and a processor in communication with the RAM. The processor comprises virtualization technology that enables the processor to (a) execute host software in root mode and (b) execute guest software from the RAM in non-root mode in a virtual machine (VM) that is based at least in part on a virtual machine control data structure (VMCDS) for the VM. The processor also comprises a root security profile to specify access restrictions to be imposed when the host software attempts to read the VMCDS in root mode. Other embodiments are described and claimed.
-
Publication No.: US20200183730A1
Publication Date: 2020-06-11
Application No.: US16748176
Filing Date: 2020-01-21
Applicant: Intel Corporation
Inventor: David M. Durham , Siddhartha Chhabra , Michael E. Kounavis
Abstract: Systems and methods for memory isolation are provided. The methods include receiving a request to write a data line to a physical memory address, where the physical memory address includes a key identifier, selecting an encryption key from a key table based on the key identifier of the physical memory address, determining whether the data line is compressible, compressing the data line to generate a compressed line in response to determining that the data line is compressible, where the compressed line includes compression metadata and compressed data, adding encryption metadata to the compressed line, where the encryption metadata is indicative of the encryption key, encrypting a part of the compressed line with the encryption key to generate an encrypted line in response to adding the encryption metadata, and writing the encrypted line to a memory device at the physical memory address. Other embodiments are described and claimed.