Abstract:
A method and apparatus for providing, in a processor, a shift operation on a packed data element having multiple values. The apparatus has multiple muxes, each having a first input, a second input, a select input and an output. Each of the multiple bits that represent a shifted packed intermediate result on a first bus is coupled to the corresponding first input. Each of the multiple bits representing a replacement bit for one of the multiple values is coupled to a corresponding second input. Each of the multiple bits driven by a correction circuit is coupled to a corresponding select input. Each output corresponds to a bit of a shifted packed result.
Abstract:
In an embodiment of the present invention, a technique is provided for remote attestation. An interface maps a device via a bus to an address space of a chipset in a secure environment for an isolated execution mode. The secure environment is associated with an isolated memory area accessible by at least one processor. The at least one processor operates in one of a normal execution mode and the isolated execution mode. A communication storage corresponding to the address space allows the device to exchange security information with the at least one processor in the isolated execution mode in a remote attestation.
Abstract:
The present invention is a method and apparatus to protect a subset of a software environment. A key generator generates an operating system nub key (OSNK). The OSNK is unique to an operating system (OS) nub. The OS nub is part of an operating system in a secure platform. A usage protector uses the OSNK to protect usage of a subset of the software environment.
Abstract:
A processor capable of secure execution. The processor contains an execution unit and secure partition logic that secures a partition in memory. The processor also contains cryptographic logic coupled to the execution unit that encrypts and decrypts secure data and code.
Abstract:
In one embodiment, a method of remote attestation for a special mode of operation. The method comprises storing an audit log within protected memory of a platform. The audit log is a listing of data representing each of a plurality of IsoX software modules loaded into the platform. The audit log is retrieved from the protected memory in response to receiving a remote attestation request from a remotely located platform. Then, the retrieved audit log is digitally signed to produce a digital signature for transfer to the remotely located platform.
Abstract:
A method and apparatus for enabling hardware platform identification while ensuring privacy protection. The apparatus comprises a computer-readable medium that stores computer-executable instructions. Those instructions, when executed by a microprocessor, cause an expected hash value, which is derived from a key and a first identifier for a computer system, to be compared with a hash value, which is derived from the key and a second identifier for a computer system. A microprocessor for executing those instructions may comprise an identifier that identifies the microprocessor, and embedded instructions for comparing a hash value, derived from the identifier and a key, to an expected hash value.
Abstract:
The present invention provides a method, apparatus, and system for controlling memory accesses to multiple isolated memory areas in an isolated execution environment. A page manager is used to distribute a plurality of pages to a plurality of different areas of a memory, respectively. The memory is divided into non-isolated areas and isolated areas. The page manager is located in an isolated area of memory. Further, a memory ownership page table describes each page of memory and is also located in an isolated area of memory. The page manager assigns an isolated attribute to a page if the page is distributed to an isolated area of memory. On the other hand, the page manager assigns a non-isolated attribute to a page if the page is distributed to a non-isolated area of memory. The memory ownership page table records the attribute for each page. In one embodiment, a processor having a normal execution mode and an isolated execution mode generates an access transaction. The access transaction is configured using a configuration storage that contains configuration settings related to a page and access information. An access checking circuit coupled to the configuration storage checks the access transaction using at least one of the configuration settings and the access information and generates an access grant signal if the access transaction is valid.
Abstract:
An apparatus for performing a shift operation on a packed data element having multiple values. The apparatus has multiple muxes, each having a first input, a second input, a select input and an output. Each of the multiple bits that represent a shifted packed intermediate result on a first bus is coupled to the corresponding first input. Each of the multiple bits representing a replacement bit for one of the multiple values is coupled to a corresponding second input. Each of the multiple bits driven by a correction circuit is coupled to a corresponding select input. Each output corresponds to a bit of a shifted packed result.
Abstract:
A branch operation is processed using a branch predict instruction and an associated branch instruction. The branch predict instruction indicates a predicted direction, a target address, and an instruction address for the associated branch instruction. When the branch predict instruction is detected, the target address is stored at an entry indicated by the associated branch instruction address and a prefetch request is triggered to the target address. The branch predict instruction may also include hint information for managing the storage and use of the branch prediction information.
Abstract:
Atomic memory operations are provided by using exportable "fetch and add" instructions and by emulating IA-32 instructions prepended with a lock prefix. In accordance with the present invention, a CPU includes a default control register that includes an IA-32 lock check enable (LC) bit that, when set to "1", causes an IA-32 atomic memory reference to raise an IA-32 intercept lock fault. An IA-32 intercept lock fault handler branches to appropriate code to atomically emulate the instruction. Furthermore, the present invention defines an exportable fetch and add (FETCHADD) instruction that reads a memory location indexed by a first register, places the contents read from the memory location into a second register, increments the value read from the memory location, and stores the sum back to the memory location. Associated with each virtual memory page is a memory attribute that can assume a state of "cacheable using a write-back policy" (WB), "uncacheable" (UC), or "uncacheable and exportable" (UCE). When a FETCHADD instruction is executed and the memory location accessed is in a page having an attribute set to WB, the FETCHADD is atomically executed by the CPU by obtaining exclusive use of the cache line containing the memory location. However, when a FETCHADD instruction is executed and the memory location accessed is in a page having an attribute set to UCE, the FETCHADD is atomically executed by exporting the FETCHADD instruction to a centralized location, such as a memory controller.