-
Publication No.: US20220188224A1
Publication Date: 2022-06-16
Application No.: US17686854
Filing Date: 2022-03-04
Applicant: Intel Corporation
Inventor: Luis S. Kida , Reshma Lal , Soham Jayesh Desai
IPC: G06F12/06 , G06F12/14 , G06F21/76 , G06F9/48 , G06F12/0895
Abstract: Technologies for cryptographic separation of MMIO operations with an accelerator device include a computing device having a processor and an accelerator. The processor establishes a trusted execution environment. The accelerator determines, based on a target memory address, a first memory address range associated with the memory-mapped I/O transaction, generates a second authentication tag using a first cryptographic key from a set of cryptographic keys, wherein the first key is uniquely associated with the first memory address range. An accelerator validator determines whether the first authentication tag matches the second authentication tag, and a memory mapper commits the memory-mapped I/O transaction in response to a determination that the first authentication tag matches the second authentication tag. Other embodiments are described and claimed.
-
Publication No.: US20220100582A1
Publication Date: 2022-03-31
Application No.: US17531005
Filing Date: 2021-11-19
Applicant: Intel Corporation
Inventor: Reshma Lal , Pradeep Pappachan , Luis Kida , Soham Jayesh Desai , Sujoy Sen , Selvakumar Panneer , Robert Sharp
Abstract: An apparatus to facilitate disaggregated computing for a distributed confidential computing environment is disclosed. The apparatus includes a processor executing a trusted execution environment (TEE) comprising a field-programmable gate array (FPGA) driver to interface with an FPGA device that is remote to the apparatus; and a remote memory-mapped input/output (MMIO) driver to expose the FPGA device as a legacy device to the FPGA driver, wherein the processor to utilize the remote MMIO driver to: enumerate the FPGA device using FPGA enumeration data provided by a remote management controller of the FPGA device, the FPGA enumeration data comprising a configuration space and device details; load function drivers for the FPGA device in the TEE; create corresponding device files in the TEE based on the FPGA enumeration data; and handle remote MMIO reads and writes to the FPGA device via a network transport protocol.
-
Publication No.: US20220012095A1
Publication Date: 2022-01-13
Application No.: US17482155
Filing Date: 2021-09-22
Applicant: Intel Corporation
Inventor: Mikko Ylinen , Ismo Puustinen , Reshma Lal , Soham Jayesh Desai
Abstract: An apparatus to facilitate metrics and security-based accelerator service rescheduling and auto-scaling using a programmable network device is disclosed. The apparatus includes processors to collect metrics corresponding to communication links between microservices of a service managed by a service mesh; determine, based on analysis of the metrics, that a workload of the service can be accelerated by offload to a hardware accelerator device; generate a scaling request to cause the hardware accelerator device to be allocated to a cluster of hardware devices configured for the service; cause the scaling request to be transmitted to a programmable network device managing the hardware accelerator device, the programmable network device to allocate the hardware accelerator device to the cluster and to register the hardware accelerator device with the service mesh; and schedule the workload of the service to the hardware accelerator device.
-
Publication No.: US20210390063A1
Publication Date: 2021-12-16
Application No.: US17446194
Filing Date: 2021-08-27
Applicant: Intel Corporation
Inventor: Reshma Lal , Alpa Narendra Trivedi , Luis Kida , Pradeep M. Pappachan , Soham Jayesh Desai , Nanda Kumar Unnikrishnan
IPC: G06F12/14 , H04L9/32 , G06F21/76 , G06F21/60 , H04L9/08 , G06F9/455 , G06F21/57 , G06F21/64 , H04L12/24 , G06F21/79 , H04L9/06 , G06F9/38 , G06F12/0802
Abstract: Technologies for secure I/O data transfer with an accelerator device include a computing device having a processor and an accelerator. The processor establishes a trusted execution environment. The trusted execution environment may generate an authentication tag based on a memory-mapped I/O transaction, write the authentication tag to a register of the accelerator, and dispatch the transaction to the accelerator. The accelerator performs a cryptographic operation associated with the transaction, generates an authentication tag based on the transaction, and compares the generated authentication tag to the authentication tag received from the trusted execution environment. The accelerator device may initialize an authentication tag in response to a command from the trusted execution environment, transfer data between host memory and accelerator memory, perform a cryptographic operation in response to transferring the data, and update the authentication tag in response to transferring the data. Other embodiments are described and claimed.
-
Publication No.: US20210365591A1
Publication Date: 2021-11-25
Application No.: US16881584
Filing Date: 2020-05-22
Applicant: Intel Corporation
Inventor: Soham Jayesh Desai , Reshma Lal
Abstract: Technologies to perform a secure debug of a FPGA are described. In some examples an apparatus comprises an accelerator device comprising processing circuitry to facilitate acceleration of a processing workload executable on a remote processing device, a computer-readable memory to store logic operations executable on the accelerator device, and a debug module. The debug module comprises one or more debug registers to store debug data for the logic operations executable on the accelerator device and processing circuitry to receive, from a debug application on the remote processing device, a memory access request directed to a target debug register of the one or more debug registers, encrypt the debug data in the target debug register to generate encrypted debug data, and return the encrypted debug data to the debug application. Other embodiments are described and claimed.
-
Publication No.: US20210117246A1
Publication Date: 2021-04-22
Application No.: US17133066
Filing Date: 2020-12-23
Applicant: Intel Corporation
Inventor: Reshma Lal , Pradeep Pappachan , Luis Kida , Soham Jayesh Desai , Sujoy Sen , Selvakumar Panneer , Robert Sharp
Abstract: An apparatus to facilitate disaggregated computing for a distributed confidential computing environment is disclosed. The apparatus includes one or more processors to facilitate receiving a manifest corresponding to graph nodes representing regions of memory of a remote client machine, the graph nodes corresponding to a command buffer and to associated data structures and kernels of the command buffer used to initialize a hardware accelerator and execute the kernels, and the manifest indicating a destination memory location of each of the graph nodes and dependencies of each of the graph nodes; identifying, based on the manifest, the command buffer and the associated data structures to copy to the host memory; identifying, based on the manifest, the kernels to copy to local memory of the hardware accelerator; and patching addresses in the command buffer copied to the host memory with updated addresses of corresponding locations in the host memory.
-
Publication No.: US10824766B2
Publication Date: 2020-11-03
Application No.: US15833298
Filing Date: 2017-12-06
Applicant: Intel Corporation
Inventor: Soham Jayesh Desai , Reshma Lal , Pradeep Pappachan , David Hines
Abstract: Technologies for USB device policy enforcement include a computing device having a USB controller and secure enclave support. On boot, a firmware enclave randomly generates a binding identity and then securely provisions the binding identity to the USB controller. The firmware enclave also seals the binding identity to a policy enforcement enclave. At runtime, the policy enforcement enclave unseals the binding identity and includes the binding identity in a policy enforcement command sent to the USB controller. The USB controller verifies that the binding identity included in the command matches the binding identity that was previously provisioned. If the binding identities are successfully verified, the USB controller enforces the command. The USB controller may block data transfers or device configuration changes for one or more specified devices. Each of the firmware enclave and the policy enforcement enclave are trusted execution environments. Other embodiments are described and claimed.
-
Publication No.: US20200159657A1
Publication Date: 2020-05-21
Application No.: US16774293
Filing Date: 2020-01-28
Applicant: Intel Corporation
Inventor: Luis S. Kida , Reshma Lal , Soham Jayesh Desai
IPC: G06F12/06 , G06F12/14 , G06F12/0895 , G06F9/48 , G06F21/76
Abstract: Technologies for cryptographic separation of MMIO operations with an accelerator device include a computing device having a processor and an accelerator. The processor establishes a trusted execution environment. The accelerator determines, based on a target memory address, a first memory address range associated with the memory-mapped I/O transaction, generates a second authentication tag using a first cryptographic key from a set of cryptographic keys, wherein the first key is uniquely associated with the first memory address range. An accelerator validator determines whether the first authentication tag matches the second authentication tag, and a memory mapper commits the memory-mapped I/O transaction in response to a determination that the first authentication tag matches the second authentication tag. Other embodiments are described and claimed.
-
Publication No.: US20190230067A1
Publication Date: 2019-07-25
Application No.: US16369303
Filing Date: 2019-03-29
Applicant: Intel Corporation
Inventor: Reshma Lal , Luis S. Kida , Soham Jayesh Desai
Abstract: Technologies for secure I/O data transfer include a compute device, which includes a processor to execute a trusted application, an input/output (I/O) device, and an I/O subsystem. The I/O subsystem is configured to establish a secured channel between the I/O subsystem and a trusted application running on the compute device, and receive, in response to an establishment of the secured channel, I/O data from the I/O device via an unsecured channel. The I/O subsystem is further configured to encrypt, in response to a receipt of the I/O data, the I/O data using a security key associated with the trusted application that is to process the I/O data and transmit the encrypted I/O data to the trusted application via the secured channel, wherein the secured channel has a data transfer rate that is higher than a data transfer rate of the unsecured channel between the I/O device and the I/O subsystem.
-
Publication No.: US10296766B2
Publication Date: 2019-05-21
Application No.: US15868634
Filing Date: 2018-01-11
Applicant: Intel Corporation
Inventor: Soham Jayesh Desai , Reshma Lal , Pradeep Pappachan , Bin Xing
Abstract: Technologies for secure enumeration of USB devices include a computing device having a USB controller and a trusted execution environment (TEE). The TEE may be a secure enclave protected by the secure enclave support of the processor. In response to a USB device connecting to the USB controller, the TEE sends a secure command to the USB controller to protect a device descriptor for the USB device. The secure command may be sent over a secure channel to a static USB device. A driver sends a get device descriptor request to the USB device, and the USB device responds with the device descriptor. The USB controller redirects the device descriptor to a secure memory buffer, which may be located in a trusted I/O processor reserved memory region. The TEE retrieves and validates the device descriptor. If validated, the TEE may enable the USB device for use. Other embodiments are described and claimed.
-