公开(公告)号：US20220214879A1

公开(公告)日：2022-07-07

申请号：US17703121

申请日：2022-03-24

Applicant: Intel Corporation

Inventor： Michael Lemay ,  David M. Durham

IPC: G06F9/30 ,  G06F9/50 ,  G06F21/60

Abstract: Systems, methods, and apparatuses for generating a protected stack allocation pointer. In certain examples, a hardware processor core comprises a decoder circuit to decode a single instruction into a decoded single instruction, the single instruction comprising one or more fields to indicate a stack allocation index as an operand, and an opcode to indicate that an execution circuit is to generate a stack allocation pointer to reference an address in a stack and an address in a shadow stack; and an execution circuit to execute the decoded single instruction according to the opcode.

公开(公告)号：US20220156180A1

公开(公告)日：2022-05-19

申请号：US17539933

申请日：2021-12-01

Applicant: Intel Corporation

Inventor： David M. Durham ,  Michael LeMay

IPC: G06F12/02 ,  G06F12/0853 ,  G06F11/10 ,  G06F9/50 ,  G06F21/60 ,  G06F12/0871

Abstract: A memory controller is to store a unique tag at the mid-point address within each of allocated memory portions. In addition to the tag data, additional metadata may be stored at the mid-point address of the memory allocation. For each memory access operation, an encoded pointer contains information indicative of a size of the memory allocation as well as its own tag data. The processor circuitry compares the tag data included in the encoded pointer with the tag data stored in the memory allocation. If the tag data included in the encoded pointer matches the tag data stored in the memory allocation, the memory operation proceeds. If the tag data included in the encoded pointer fails to match the tag data stored in the memory allocation, an error or exception is generated.

公开(公告)号：US20220147453A1

公开(公告)日：2022-05-12

申请号：US17096274

申请日：2020-11-12

Applicant: Intel Corporation

Inventor： Michael Kounavis ,  Siddhartha Chhabra ,  David M. Durham

IPC: G06F12/0802 ,  H04L9/32

Abstract: Techniques and mechanisms for metadata, which corresponds to cached data, to be selectively stored to a sequestered memory region. In an embodiment, integrated circuitry evaluates whether a line of a cache can accommodate a first representation of both the data and some corresponding metadata. Where the cache line can accommodate the first representation, said first representation is generated and stored to the line. Otherwise, a second representation of the data is generated and stored to a cache line, and the metadata is stored to a sequestered memory region that is external to the cache. The cache line include an indication as to whether the metadata is represented in the cache line, or is stored in the sequestered memory region. In another embodiment, a metric of utilization of the sequestered memory region is provided to software which determines whether a capacity of the sequestered memory region is to be modified.

公开(公告)号：US20220123930A1

公开(公告)日：2022-04-21

申请号：US17561828

申请日：2021-12-24

Applicant: Intel Corporation

Inventor： Salmin Sultana ,  David M. Durham ,  Michael LeMay ,  Karanvir Grewal ,  Sergej Deutsch

IPC: H04L9/08 ,  G06F21/60

Abstract: A method comprises detecting execution of a fork( ) operation in a cryptographic computing system that generates a parent process and a child process, assigning a parent kernel data structure to the parent process and a child kernel data structure to the child process, detecting, in the child process, a write operation comprising write data and a cryptographic target address, and in response to the write operation blocking access to a corresponding page in the parent process, allocating a new physical page in memory for the child process, encrypting the write data with a cryptographic key unique to the child process, and filling the new physical page in memory with magic marker data.

公开(公告)号：US11308225B2

公开(公告)日：2022-04-19

申请号：US16723927

申请日：2019-12-20

Applicant: Intel Corporation

Inventor： Michael E. Kounavis ,  Santosh Ghosh ,  Sergej Deutsch ,  David M. Durham

IPC: H04L9/08 ,  G06F9/30 ,  G06F21/60 ,  G06F12/0897 ,  G06F9/48 ,  G06F21/72 ,  H04L9/06 ,  G06F12/06 ,  G06F12/0875 ,  G06F21/79 ,  G06F9/455 ,  G06F12/0811 ,  G06F21/12 ,  G06F12/14 ,  G06F9/32 ,  G06F9/50 ,  G06F12/02 ,  H04L9/14 ,  G06F21/62

Abstract: A method comprising executing, by a core of a processor, a first instruction requesting access to a parameter associated with data for storage in a main memory coupled to the processor, the first instruction including a reference to the parameter, a reference to a wrapping key, and a reference to an encrypted encryption key, wherein execution of the first instruction comprises decrypting the encrypted encryption key using the wrapping key to generate a decrypted encryption key; requesting transfer of the data between the main memory and the processor core; and performing a cryptographic operation on the parameter using the decrypted encryption key.

公开(公告)号：US11196565B2

公开(公告)日：2021-12-07

申请号：US16689575

申请日：2019-11-20

Applicant: INTEL CORPORATION

Inventor： David M. Durham ,  Rajat Agarwal ,  Siddhartha Chhabra ,  Sergej Deutsch ,  Karanvir S. Grewal ,  Ioannis T. Schoinas

IPC: H04L9/32 ,  G06F3/06 ,  G06F11/10 ,  G06F12/14 ,  G06F12/0886 ,  G06F21/78 ,  H04L9/06 ,  H04L9/08 ,  H04L9/30 ,  G06F21/14 ,  G11C29/52 ,  G06F21/79 ,  G11C29/44

Abstract: In one example, a system for managing encrypted memory comprises a processor to store a first MAC based on data stored in system memory in response to a write operation to the system memory. The processor can also detect a read operation corresponding to the data stored in the system memory, calculate a second MAC based on the data retrieved from the system memory, determine that the second MAC does not match the first MAC, and recalculate the second MAC with a correction operation, wherein the correction operation comprises an XOR operation based on the data retrieved from the system memory and a replacement value for a device of the system memory. Furthermore, the processor can decrypt the data stored in the system memory in response to detecting the recalculated second MAC matches the first MAC and transmit the decrypted data to cache thereby correcting memory errors.

公开(公告)号：US11163911B2

公开(公告)日：2021-11-02

申请号：US16792941

申请日：2020-02-18

Applicant: Intel Corporation

Inventor： David M. Durham ,  Gilbert Neiger ,  Barry E. Huntley ,  Ravi L. Sahita ,  Baiju V. Patel

IPC: H04L9/00 ,  G06F21/71 ,  G06F9/455 ,  G06F21/53 ,  G06F21/57 ,  G06F21/78 ,  G06F8/61 ,  H04L9/08

Abstract: According to one embodiment, a method comprises executing an untrusted host virtual machine monitor (VMM) to manage execution of at least one guest virtual machine (VM). The VMM receives an encrypted key domain key, an encrypted guest code image, and an encrypted guest control structure. The VM also issues a create command. In response, a processor creates a first key domain comprising a region of memory to be encrypted by a key domain key. The encrypted key domain key is decrypted to produce the key domain key, which is inaccessible to the VMM. The VMM issues a launch command. In response, a first guest VM is launched within the first key domain. In response to a second launch command, a second guest VM is launched within the first key domain. The second guest VM provides an agent to act on behalf of the VMM. Other embodiments are described and claimed.

公开(公告)号：US11163569B2

公开(公告)日：2021-11-02

申请号：US16729358

申请日：2019-12-28

Applicant: Intel Corporation

Inventor： Michael Lemay ,  Vedvyas Shanbhogue ,  Deepak Gupta ,  Ravi Sahita ,  David M. Durham ,  Willem Pinckaers ,  Enrico Perla

IPC: G06F16/90 ,  G06F12/14 ,  G06F12/1009 ,  G06F9/30 ,  G06F9/38 ,  G06F16/901 ,  G06F9/46 ,  G06F9/448

Abstract: Systems, methods, and apparatuses relating to circuitry to implement individually revocable capabilities for enforcing temporal memory safety are described. In one embodiment, a hardware processor comprises an execution unit to execute an instruction to request access to a block of memory through a pointer to the block of memory, and a memory controller circuit to allow access to the block of memory when an allocated object tag in the pointer is validated with an allocated object tag in an entry of a capability table in memory that is indexed by an index value in the pointer, wherein the memory controller circuit is to clear the allocated object tag in the capability table when a corresponding object is deallocated.

公开(公告)号：US11088846B2

公开(公告)日：2021-08-10

申请号：US16368810

申请日：2019-03-28

Applicant: Intel Corporation

Inventor： Siddhartha Chhabra ,  Rajat Agarwal ,  David M. Durham

IPC: H04L29/06 ,  H04L9/32 ,  H04L9/00 ,  H04L9/08 ,  H04L9/06 ,  H04L9/16

Abstract: In one example a computer implemented method comprises encrypting data to be stored in a protected region of a memory using a message authentication code (MAC) having a first value determined using a first key during a first period of time, generating a replay integrity tree structure comprising security metadata for the data stored in the protected region of the memory using the first value of the MAC, and at the end of the first period of time, re-keying the MAC to have a second value determined using a second key at the end of the first period of time, decrypting the data stored in the protected region using the first value for the MAC, re-encrypting the data stored in the protected region using the second value for the MAC, and updating the replay integrity tree using the second value for the MAC. Other examples may be described.

公开(公告)号：US11042652B2

公开(公告)日：2021-06-22

申请号：US16558705

申请日：2019-09-03

Applicant: INTEL CORPORATION

Inventor： Siddhartha Chhabra ,  David M. Durham

IPC: G06F21/60 ,  G06F21/57 ,  H04L9/08 ,  H04L9/32 ,  G06F12/14

Abstract: Various embodiments are generally directed to techniques for multi-domain memory encryption, such as with a plurality of cryptographically isolated domains, for instance. Some embodiments are particularly directed to a multi-domain encryption system that provides one or more of memory encryption, integrity, and replay protection services to a plurality of cryptographic domains. In one embodiment, for example, an apparatus may comprise a memory and logic for an encryption engine, at least a portion of the logic implemented in circuitry coupled to the memory. In various embodiments, the logic may receive a memory operation request associated with a data line of a set of data lines stored in a protected memory separate from the memory.