-
Publication number: US20200167294A1
Publication date: 2020-05-28
Application number: US16777956
Filing date: 2020-01-31
Applicant: Intel Corporation
Inventor: Prashant Dewan, Siddhartha Chhabra, David M. Durham, Karanvir S. Grewal, Alpa T. Narendra Trivedi
Abstract: In one embodiment, an apparatus includes: at least one core to execute instructions, the at least one core formed on a semiconductor die; a first memory formed on the semiconductor die, the first memory comprising a non-volatile random access memory, the first memory to store a first entry to be a monotonic counter, the first entry including a value field and a status field; and a control circuit, wherein the control circuit is to enable access to the first entry if the apparatus is in a secure mode and otherwise prevent the access to the first entry. Other embodiments are described and claimed.
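A software model of the counter entry this abstract describes, added here as an illustration and not taken from the patent or from any Intel implementation. It assumes the status field serves as a two-phase commit flag so that an increment survives a power loss between two NVRAM writes (the abstract does not say what the status field encodes), and all names (mc_*) are invented for the example.

```c
/* Added illustration: software model of a monotonic counter entry held in
 * on-die NVRAM, gated by a secure-mode bit. Not Intel's design; the use of
 * the status field as a two-phase commit flag is an assumption. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum mc_status { MC_VALID = 0x5A, MC_UPDATING = 0xA5 };

struct mc_entry {
    uint64_t value;    /* value field: the committed counter */
    uint64_t pending;  /* staging slot for the next value (assumed) */
    uint8_t  status;   /* status field: MC_VALID or MC_UPDATING */
};

struct mc_device {
    struct mc_entry entry;   /* the "first entry" of the abstract */
    bool secure_mode;        /* set by the control circuit */
};

void mc_init(struct mc_device *d, bool secure_mode)
{
    d->entry.value = 0;
    d->entry.pending = 0;
    d->entry.status = MC_VALID;
    d->secure_mode = secure_mode;
}

/* Control-circuit gate: the entry is unreachable outside secure mode. */
static bool mc_gate(const struct mc_device *d) { return d->secure_mode; }

/* Read the counter. Returns 0 on success, -1 if access is refused. A
 * half-finished increment reports its target, so readers never observe the
 * counter moving backwards. */
int mc_read(const struct mc_device *d, uint64_t *out)
{
    if (!mc_gate(d)) return -1;
    *out = (d->entry.status == MC_UPDATING) ? d->entry.pending : d->entry.value;
    return 0;
}

/* Phase 1 of an increment: stage the target, then flag the entry as updating.
 * Returns 0, -1 if access is refused, -2 if the counter is exhausted. */
static int mc_prepare(struct mc_device *d)
{
    if (!mc_gate(d)) return -1;
    if (d->entry.value == UINT64_MAX) return -2;  /* never wrap a monotonic counter */
    d->entry.pending = d->entry.value + 1;        /* first NVRAM write */
    d->entry.status = MC_UPDATING;                /* second NVRAM write */
    return 0;
}

/* Phase 2: copy the staged value into the value field and clear the flag. */
static void mc_commit(struct mc_device *d)
{
    d->entry.value = d->entry.pending;
    d->entry.status = MC_VALID;
}

int mc_increment(struct mc_device *d)
{
    int rc = mc_prepare(d);
    if (rc) return rc;
    mc_commit(d);
    return 0;
}

/* Models power loss after phase 1 completed. */
int mc_increment_interrupted(struct mc_device *d) { return mc_prepare(d); }

/* Power-up recovery: finish any interrupted increment. */
void mc_recover(struct mc_device *d)
{
    if (d->entry.status == MC_UPDATING) mc_commit(d);
}

/* Scenario: two increments, one interrupted increment plus recovery, then an
 * access attempt outside secure mode. Returns the final counter value
 * (expected 3), or 0 if any step misbehaves. */
uint64_t mc_scenario(void)
{
    struct mc_device d;
    uint64_t v = 0;
    mc_init(&d, true);
    if (mc_increment(&d) || mc_increment(&d)) return 0;
    if (mc_increment_interrupted(&d)) return 0;
    mc_recover(&d);
    if (d.entry.status != MC_VALID) return 0;
    if (mc_read(&d, &v) || v != 3) return 0;
    d.secure_mode = false;                        /* leave secure mode */
    if (mc_read(&d, &v) != -1 || mc_increment(&d) != -1) return 0;
    return v;
}

int main(void)
{
    printf("final counter value: %llu\n", (unsigned long long)mc_scenario());
    return 0;
}
```

The point of the staging slot is that every step leaves the entry either at the old value or at the new one; there is no ordering of the two NVRAM writes under which a crash lets the counter be read as a smaller value later, which is the property software relies on when it uses such a counter against rollback.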
-
Publication number: US20200159675A1
Publication date: 2020-05-21
Application number: US16717374
Filing date: 2019-12-17
Applicant: Intel Corporation
Inventor: David M. Durham, Baiju Patel
Abstract: A computing device includes technologies for securing indirect addresses (e.g., pointers) that are used by a processor to perform memory access (e.g., read/write/execute) operations. The computing device encodes the indirect address using metadata and a cryptographic algorithm. The metadata may be stored in an unused portion of the indirect address.
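One way to realise "encode the indirect address using metadata and a cryptographic algorithm, with the metadata stored in an unused portion of the address", as an added example and not the patent's own algorithm. It assumes 48-bit canonical user-space addresses whose top 16 bits are clear (that is where the 16-bit metadata goes), that address bits 47..16 are encrypted with the metadata as tweak, and that the low 16 bits stay in clear so in-object pointer arithmetic still works on the encoded pointer. The Feistel network is a toy stand-in for a real block cipher; the key, pointer and metadata values are constructed.

```c
/* Added example, not the patent's algorithm: a 64-bit pointer carries 16 bits
 * of metadata in its unused top bits, bits 47..16 of the address are
 * encrypted with the metadata as tweak, and the low 16 bits stay in clear.
 * The Feistel network below is a toy stand-in for a real block cipher. */
#include <stdint.h>
#include <stdio.h>

#define META_SHIFT 48                /* metadata lives in bits 63..48 (assumed) */
#define ENC_SHIFT  16                /* encrypted field is bits 47..16 (assumed) */
#define LOW_MASK   0xFFFFULL         /* bits 15..0 stay plaintext */
#define ROUNDS     8

/* Round function: splitmix64-style mixing of one 16-bit half with the key,
 * the tweak (metadata) and the round index, truncated to 16 bits. */
static uint32_t round_fn(uint32_t half, uint64_t key, uint32_t tweak, int r)
{
    uint64_t x = half ^ key ^ ((uint64_t)tweak << 32) ^ ((uint64_t)r << 56);
    x ^= x >> 30; x *= 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 27; x *= 0x94D049BB133111EBULL;
    x ^= x >> 31;
    return (uint32_t)x & 0xFFFFu;
}

static uint32_t feistel_encrypt(uint32_t v, uint64_t key, uint32_t tweak)
{
    uint32_t l = v >> 16, r = v & 0xFFFFu;
    for (int i = 0; i < ROUNDS; i++) {
        uint32_t t = r;
        r = l ^ round_fn(r, key, tweak, i);
        l = t;
    }
    return (l << 16) | r;
}

static uint32_t feistel_decrypt(uint32_t v, uint64_t key, uint32_t tweak)
{
    uint32_t l = v >> 16, r = v & 0xFFFFu;
    for (int i = ROUNDS - 1; i >= 0; i--) {
        uint32_t t = l;
        l = r ^ round_fn(l, key, tweak, i);
        r = t;
    }
    return (l << 16) | r;
}

/* Encode a plain pointer with metadata. Returns 0 (an invalid encoding) when
 * the pointer already uses the bits reserved for metadata. */
uint64_t ptr_encode(uint64_t ptr, uint16_t meta, uint64_t key)
{
    if (ptr >> META_SHIFT) return 0;
    uint32_t upper = (uint32_t)(ptr >> ENC_SHIFT);        /* bits 47..16 */
    uint32_t enc = feistel_encrypt(upper, key, meta);
    return ((uint64_t)meta << META_SHIFT) | ((uint64_t)enc << ENC_SHIFT) | (ptr & LOW_MASK);
}

/* Decode before dereference. Because the metadata is the tweak, a pointer
 * whose metadata was altered decrypts to a different (garbage) address. */
uint64_t ptr_decode(uint64_t encoded, uint64_t key)
{
    uint16_t meta = (uint16_t)(encoded >> META_SHIFT);
    uint32_t enc = (uint32_t)(encoded >> ENC_SHIFT);      /* cast drops the metadata bits */
    uint32_t upper = feistel_decrypt(enc, key, meta);
    return ((uint64_t)upper << ENC_SHIFT) | (encoded & LOW_MASK);
}

uint16_t ptr_metadata(uint64_t encoded) { return (uint16_t)(encoded >> META_SHIFT); }

int main(void)
{
    const uint64_t key = 0x0123456789ABCDEFULL;           /* per-context key (constructed) */
    const uint64_t p = 0x00007F3A1C2D4E60ULL;              /* constructed user pointer */
    uint64_t e = ptr_encode(p, 0x0C07, key);               /* 0x0C07: e.g. size class + version */
    printf("plain            %016llx\n", (unsigned long long)p);
    printf("encoded          %016llx\n", (unsigned long long)e);
    printf("decoded          %016llx\n", (unsigned long long)ptr_decode(e, key));
    printf("decoded (e + 8)  %016llx\n", (unsigned long long)ptr_decode(e + 8, key));
    printf("tampered tag     %016llx\n", (unsigned long long)ptr_decode(e ^ (1ULL << META_SHIFT), key));
    return 0;
}
```

Two properties are worth checking against this model: arithmetic confined to the plaintext low bits carries through encode/decode unchanged, while any change to the metadata, to the encrypted field, or to the key decodes to an address the attacker did not choose. The model carries no redundancy, so a corrupted pointer is detected only when the garbage address faults; a deployed scheme would pair this with page-level protection or an integrity check.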
-
Publication number: US10546157B2
Publication date: 2020-01-28
Application number: US15792350
Filing date: 2017-10-24
Applicant: INTEL CORPORATION
Inventor: Jungju Oh, Siddhartha Chhabra, David M. Durham
Abstract: The present disclosure is directed to a flexible counter system for memory protection. In general, a counter system for supporting memory protection operations in a device may be made more efficient utilizing flexible counter structures. A device may comprise a processing module and a memory module. A flexible counter system in the memory module may comprise at least one data line including a plurality of counters. The bit-size of the counters may be reduced and/or varied from existing implementations through an overflow counter that may account for smaller counters entering an overflow state. Counters that utilize the overflow counter may be identified using a bit indicator. In at least one embodiment selectors corresponding to each of the plurality of counters may be able to map particular memory locations to particular counters.
-
Publication number: US10540198B2
Publication date: 2020-01-21
Application number: US15640478
Filing date: 2017-07-01
Applicant: Intel Corporation
Inventor: David M. Durham, Siddhartha Chhabra, Michael E. Kounavis
IPC: G06F21/78, G06F9/455, G06F12/0891, G06F12/14, G06F21/53, H04L29/06, G06F21/62, G06F21/64
Abstract: Systems and methods for memory isolation are provided. The methods include receiving a request to write a data line to a physical memory address, where the physical memory address includes a key identifier, selecting an encryption key from a key table based on the key identifier of the physical memory address, determining whether the data line is compressible, compressing the data line to generate a compressed line in response to determining that the data line is compressible, where the compressed line includes compression metadata and compressed data, adding encryption metadata to the compressed line, where the encryption metadata is indicative of the encryption key, encrypting a part of the compressed line with the encryption key to generate an encrypted line in response to adding the encryption metadata, and writing the encrypted line to a memory device at the physical memory address. Other embodiments are described and claimed.
-
Publication number: US10372628B2
Publication date: 2019-08-06
Application number: US15720521
Filing date: 2017-09-29
Applicant: Intel Corporation
Inventor: Siddhartha Chhabra, David M. Durham
IPC: G06F12/14, H04L9/14, H04L9/08, G06F12/0811
Abstract: Solutions for secure memory access in a computing platform include a multi-key encryption (MKE) engine as part of the memory interface between the processor core(s) and the memory of the computing platform. The processor core(s) perform workloads, each utilizing allocated portions of memory. The MKE engine performs key-based cryptography operations on data to isolate portions of the memory from workloads to which those portions of the memory are not allocated. A key-mapping data store is accessible to the MKE engine and contains associations between identifiers of portions of the memory and corresponding key identification data from which cryptographic keys are obtained. A key tracking log is maintained by the MKE engine; the MKE engine temporarily stores entries in the key tracking log containing the identifiers of the portions of the memory and the key identification data for those portions during memory-access operations on them.
-
Publication number: US10341087B2
Publication date: 2019-07-02
Application number: US15394516
Filing date: 2016-12-29
Applicant: INTEL CORPORATION
Inventor: Siddhartha Chhabra, David M. Durham
Abstract: Various embodiments are generally directed to techniques for converting between different cipher systems, for instance between a cipher system used for a first encryption environment and a different cipher system used for a second encryption environment. Some embodiments are particularly directed to an encryption engine that supports memory operations between two or more encryption environments. Each encryption environment can use a different cipher system, while the encryption engine translates ciphertext between the different cipher systems. In various embodiments, the first encryption environment may include a main memory that uses a position-dependent cipher system and the second encryption environment may include a secondary memory that uses a position-independent cipher system.
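A single model that serves two of the abstracts on this page, added as an example and not taken from Intel's MKTME/TME implementation or from either patent: the key identifier carried in the upper physical-address bits selecting a key from a key table (the memory isolation abstract of US10540198B2, whose key table plays the role of the key-mapping data store of US10372628B2), and the engine-side translation between a position-dependent main-memory cipher and a position-independent secondary-memory cipher described in this abstract. Everything specific is an assumption: the key ID occupies physical-address bits 51..48, a line is eight 64-bit words, the keystream generator is a toy stand-in for a real cipher, and the keys, addresses and data are constructed.

```c
/* Added example, not Intel's implementation: a memory encryption engine model
 * that (1) takes the key ID from the upper physical address bits and selects
 * the key from a key table, (2) encrypts main-memory lines with a
 * position-dependent cipher (tweak = address), and (3) translates a line to a
 * position-independent cipher (tweak = stored nonce, separate key) when it is
 * moved to secondary memory, and back. Keystream generator is a toy stand-in. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define KEYID_SHIFT 48                          /* key ID in PA bits 51..48 (assumed) */
#define KEYID_BITS  4
#define KEYID_MASK  (((uint64_t)1 << KEYID_BITS) - 1)
#define ADDR_MASK   (((uint64_t)1 << KEYID_SHIFT) - 1)
#define LINE_WORDS  8                           /* 64-byte line as 8 x 64-bit words */
#define LINE_BYTES  (LINE_WORDS * sizeof(uint64_t))

static uint64_t key_table[1u << KEYID_BITS];    /* one key per key ID */

struct sec_line {                               /* line as held in secondary memory */
    uint64_t nonce;                             /* position-independent tweak */
    uint64_t words[LINE_WORDS];
};

uint64_t keyid_of(uint64_t pa) { return (pa >> KEYID_SHIFT) & KEYID_MASK; }
uint64_t addr_of(uint64_t pa)  { return pa & ADDR_MASK; }

/* Toy keystream word: splitmix64 finalizer over key, tweak and word index. */
static uint64_t ks(uint64_t key, uint64_t tweak, unsigned i)
{
    uint64_t x = key ^ (tweak * 0x9E3779B97F4A7C15ULL) ^ ((uint64_t)i << 58);
    x ^= x >> 30; x *= 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 27; x *= 0x94D049BB133111EBULL;
    return x ^ (x >> 31);
}

/* XOR the keystream in place; the same call encrypts and decrypts. */
static void xor_line(uint64_t *line, uint64_t key, uint64_t tweak)
{
    for (unsigned i = 0; i < LINE_WORDS; i++) line[i] ^= ks(key, tweak, i);
}

/* Main memory, position-dependent: tweak = address without its key ID bits,
 * so a line copied to another address does not decrypt there. */
void main_mem_write(uint64_t pa, const uint64_t *plain, uint64_t *dram_line)
{
    memcpy(dram_line, plain, LINE_BYTES);
    xor_line(dram_line, key_table[keyid_of(pa)], addr_of(pa));
}
void main_mem_read(uint64_t pa, const uint64_t *dram_line, uint64_t *plain)
{
    memcpy(plain, dram_line, LINE_BYTES);
    xor_line(plain, key_table[keyid_of(pa)], addr_of(pa));
}

/* Cipher-system conversion: decrypt under the main-memory system, re-encrypt
 * under the secondary-memory one; plaintext exists only inside the engine. */
void engine_to_secondary(uint64_t pa, const uint64_t *dram_line,
                         uint64_t sec_key, uint64_t nonce, struct sec_line *out)
{
    main_mem_read(pa, dram_line, out->words);
    out->nonce = nonce;
    xor_line(out->words, sec_key, nonce);
}

/* Reverse direction; new_pa may differ from the original address. */
void engine_from_secondary(uint64_t new_pa, const struct sec_line *in,
                           uint64_t sec_key, uint64_t *dram_line)
{
    uint64_t tmp[LINE_WORDS];
    memcpy(tmp, in->words, LINE_BYTES);
    xor_line(tmp, sec_key, in->nonce);
    main_mem_write(new_pa, tmp, dram_line);
}

/* Scenario: write a line under key ID 3, show key ID 5 cannot read it, move
 * it to secondary memory and restore it at a different address.
 * Returns 0 on success or the number of the failed check. */
int mke_scenario(void)
{
    const uint64_t sec_key = 0x5EC0DEC0DE5EC0DEULL;          /* constructed */
    uint64_t plain[LINE_WORDS], dram[LINE_WORDS], dram2[LINE_WORDS], back[LINE_WORDS];
    struct sec_line s;
    for (unsigned i = 0; i < LINE_WORDS; i++) plain[i] = 0x1111111111111111ULL * (i + 1);
    key_table[3] = 0xA11CE0000000C0DEULL;                    /* constructed keys */
    key_table[5] = 0xB0B00000000000DAULL;
    uint64_t pa  = (3ULL << KEYID_SHIFT) | 0x12345000ULL;   /* key ID 3 */
    uint64_t pa2 = (3ULL << KEYID_SHIFT) | 0x77700000ULL;   /* same key ID, other address */

    main_mem_write(pa, plain, dram);
    main_mem_read(pa, dram, back);
    if (memcmp(plain, back, LINE_BYTES) != 0) return 1;
    main_mem_read((5ULL << KEYID_SHIFT) | 0x12345000ULL, dram, back);  /* wrong key ID */
    if (memcmp(plain, back, LINE_BYTES) == 0) return 2;
    engine_to_secondary(pa, dram, sec_key, 0xABCDEF01ULL, &s);
    if (memcmp(s.words, plain, LINE_BYTES) == 0) return 3;             /* still encrypted */
    engine_from_secondary(pa2, &s, sec_key, dram2);
    main_mem_read(pa2, dram2, back);
    if (memcmp(plain, back, LINE_BYTES) != 0) return 4;
    if (memcmp(dram, dram2, LINE_BYTES) == 0) return 5;                /* ciphertext is address-bound */
    return 0;
}

int main(void) { printf("scenario result: %d\n", mke_scenario()); return 0; }
```

The two cipher systems differ only in what the tweak is bound to: the physical address for main memory, so that relocating ciphertext within DRAM is useless to an attacker, and a nonce stored with the line for secondary memory, so that the same ciphertext can come back at whatever address the manager assigns. The model provides confidentiality only; the engines described elsewhere on this page add counters and integrity metadata, which this example deliberately leaves out.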
-
Publication number: US20190102539A1
Publication date: 2019-04-04
Application number: US15721553
Filing date: 2017-09-29
Applicant: Intel Corporation
Inventor: David M. Durham, Karanvir S. Grewal, Sergej Deutsch, Michael Lemay
CPC classification number: G06F21/53, G06F9/45554, G06F9/45558, G06F21/57, G06F2009/45562, G06F2009/4557, H04L63/062
Abstract: Systems, apparatuses and methods may provide for technology that associates a key domain of a plurality of key domains with a customer boot image, receives the customer boot image from the customer, and verifies the integrity of the customer boot image that is to be securely installed at memory locations determined from an untrusted privileged entity (e.g., a virtual machine manager).
-
Publication number: US20190102323A1
Publication date: 2019-04-04
Application number: US15720799
Filing date: 2017-09-29
Applicant: Intel Corporation
Inventor: David M. Durham, Kai Cong, Vedvyas Shanbhogue, Barry E. Huntley, Jason W. Brandt, Siddhartha Chhabra, Ravi L. Sahita
IPC: G06F12/14, G06F9/455, G06F12/1009
Abstract: An embodiment of a semiconductor package apparatus may include technology to identify a first encrypted memory alias corresponding to a first portion of memory based on a verification indicator, where the first portion is decryptable and readable by both a privileged component and an unprivileged component, and identify a second encrypted memory alias corresponding to a second portion of memory based on the verification indicator, where the second portion is accessible by only the unprivileged component. Other embodiments are disclosed and claimed.
-
Publication number: US20190095351A1
Publication date: 2019-03-28
Application number: US15714323
Filing date: 2017-09-25
Applicant: Intel Corporation
Inventor: Siddhartha Chhabra, Reouven Elbaz, Krishnakumar Narasimhan, Prashant Dewan, David M. Durham
Abstract: Technologies for secure memory usage include a computing device having a processor that includes a memory encryption engine and a memory device coupled to the processor. The processor supports multiple processor usages, such as secure enclaves, system management firmware, and a virtual machine monitor. The memory encryption engine is configured to protect a memory region stored in the memory device for a processor usage. The memory encryption engine restricts access to one or more configuration registers to a trusted code base of the processor usage. The processor executes the processor usage and the memory encryption engine protects contents of the memory region during execution. The memory encryption engine may access integrity metadata based on the address of the protected memory region. The memory encryption engine may prepare top-level counter metadata for entering a low-power state. Other embodiments are described and claimed.
-
Publication number: US20190087575A1
Publication date: 2019-03-21
Application number: US15705562
Filing date: 2017-09-15
Applicant: Intel Corporation
Inventor: Ravi L. Sahita, Baiju V. Patel, Barry E. Huntley, Gilbert Neiger, Hormuzd M. Khosravi, Ido Ouziel, David M. Durham, Ioannis T. Schoinas, Siddhartha Chhabra, Carlos V. Rozas, Gideon Gerzon
Abstract: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, a processing device includes a memory ownership table (MOT) that is access-controlled against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to manage a trust domain (TD), maintain a trust domain control structure (TDCS) for managing global metadata for each TD, maintain an execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is access-controlled against software accesses, and reference the MOT to obtain at least one key identifier (key ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key.
-