公开(公告)号：US20200250003A1

公开(公告)日：2020-08-06

申请号：US16652038

申请日：2018-06-29

Applicant: Intel Corporation

Inventor： Shao-Wen Yang ,  Yen-Kuang Chen ,  Ragaad Mohammed Irsehid Altarawneh ,  Juan Pablo Munoz Chiabrando ,  Siew Wen Chin ,  Kushal Datta ,  Subramanya R. Dulloor ,  Julio C. Zamora Esquivel ,  Omar Ulises Florez Choque ,  Vishakha Gupta ,  Scott D. Hahn ,  Rameshkumar Illikkal ,  Nilesh Kumar Jain ,  Siti Khairuni Amalina Kamarol ,  Anil S. Keshavamurthy ,  Heng Kar Lau ,  Jonathan A. Lefman ,  Yiting Liao ,  Michael G. Millsap ,  Ibrahima J. Ndiour ,  Luis Carlos Maria Remis ,  Addicam V. Sanjay ,  Usman Sarwar ,  Eve M. Schooler ,  Ned M. Smith ,  Vallabhajosyula S. Somayazulu ,  Christina R. Strong ,  Omesh Tickoo ,  Srenivas Varadarajan ,  Jesús A. Cruz Vargas ,  Hassnaa Moustafa ,  Arun Raghunath ,  Katalin Klara Bartfai-Walcott ,  Maruti Gupta Hyde ,  Deepak S. Vembar ,  Jessica McCarthy

IPC: G06F9/50 ,  G06K9/00 ,  G06N3/04 ,  G06N3/063

Abstract: In one embodiment, an apparatus comprises a processor to: identify a workload comprising a plurality of tasks; generate a workload graph based on the workload, wherein the workload graph comprises information associated with the plurality of tasks; identify a device connectivity graph, wherein the device connectivity graph comprises device connectivity information associated with a plurality of processing devices; identify a privacy policy associated with the workload; identify privacy level information associated with the plurality of processing devices; identify a privacy constraint based on the privacy policy and the privacy level information; and determine a workload schedule, wherein the workload schedule comprises a mapping of the workload onto the plurality of processing devices, and wherein the workload schedule is determined based on the privacy constraint, the workload graph, and the device connectivity graph. The apparatus further comprises a communication interface to send the workload schedule to the plurality of processing devices.

公开(公告)号：US20150220745A1

公开(公告)日：2015-08-06

申请号：US14358789

申请日：2013-09-27

Applicant: INTEL CORPORATION

Inventor： Hariprasad Nellitheertha ,  Deepak S. ,  Thanunathan Rangarajan ,  Anil S. Keshavamurthy

IPC: G06F21/60 ,  G06F9/455

CPC classification number: G06F21/602 ,  G06F9/45558 ,  G06F15/16 ,  G06F21/53 ,  G06F21/60 ,  G06F21/6218 ,  G06F2009/45587

Abstract: The present disclosure is directed to a protection scheme for remotely-stored data. A system may comprise, for example, at least one device including at least one virtual machine (VM) and a trusted execution environment (TEE). The TEE may include an encryption service to encrypt or decrypt data received from the at least one VM. In one embodiment, the at least one VM may include an encryption agent to interact with interfaces in the encryption service. For example, the encryption agent may register with the encryption service, at which time an encryption key corresponding to the at least one VM may be generated. After verifying the registration of the encryption agent, the encryption service may utilize the encryption key corresponding to the at least one VM to encrypt or decrypt data received from the encryption agent. The encryption service may then return the encrypted or decrypted data to the encryption agent.

Abstract translation: 本公开涉及用于远程存储的数据的保护方案。 系统可以包括例如至少一个包括至少一个虚拟机（VM）和可信执行环境（TEE）的设备。 TEE可以包括加密或加密从至少一个VM接收的数据的加密服务。 在一个实施例中，所述至少一个VM可以包括与加密服务中的接口交互的加密代理。 例如，加密代理可以向加密服务注册，此时可以生成与至少一个VM相对应的加密密钥。 在验证加密代理的注册之后，加密服务可以利用与至少一个VM相对应的加密密钥来加密或解密从加密代理接收的数据。 加密服务然后可以将加密或解密的数据返回给加密代理。

公开(公告)号：US10146571B2

公开(公告)日：2018-12-04

申请号：US15175874

申请日：2016-06-07

Applicant: Intel Corporation

Inventor： Radhakrishna R K Hiremane ,  Anil S. Keshavamurthy

IPC: G06F3/06 ,  G06F9/455 ,  G06F11/07 ,  G06F21/54

Abstract: Techniques are described for providing processor-based dedicated fixed function hardware to perform runtime integrity measurements for detecting attacks on system supervisory software, such as a hypervisor or native Operating System (OS). The dedicated fixed function hardware is provided with memory addresses of the system supervisory software for monitoring. After obtaining the memory addresses and other information required to facilitate integrity monitoring, the dedicated fixed function hardware activates a lock-out to prevent reception of any additional information, such as information from a corrupted version of the system supervisory software. The dedicated fixed function hardware then automatically performs periodic integrity measurements of the system supervisory software. Upon detection of an integrity failure, the dedicated fixed function hardware uses out-of-band signaling to report that an integrity failure has occurred.The dedicated fixed function hardware provides for runtime integrity verification of a platform in a secure manner without impacting the performance of the platform.

公开(公告)号：US09852299B2

公开(公告)日：2017-12-26

申请号：US14358789

申请日：2013-09-27

Applicant: INTEL CORPORATION

Inventor： Hariprasad Nellitheertha ,  Deepak S. ,  Thanunathan Rangarajan ,  Anil S. Keshavamurthy

IPC: G06F21/60 ,  G06F15/16 ,  G06F21/62 ,  G06F9/455 ,  G06F21/53

CPC classification number: G06F21/602 ,  G06F9/45558 ,  G06F15/16 ,  G06F21/53 ,  G06F21/60 ,  G06F21/6218 ,  G06F2009/45587

Abstract: The present disclosure is directed to a protection scheme for remotely-stored data. A system may comprise, for example, at least one device including at least one virtual machine (VM) and a trusted execution environment (TEE). The TEE may include an encryption service to encrypt or decrypt data received from the at least one VM. In one embodiment, the at least one VM may include an encryption agent to interact with interfaces in the encryption service. For example, the encryption agent may register with the encryption service, at which time an encryption key corresponding to the at least one VM may be generated. After verifying the registration of the encryption agent, the encryption service may utilize the encryption key corresponding to the at least one VM to encrypt or decrypt data received from the encryption agent. The encryption service may then return the encrypted or decrypted data to the encryption agent.

公开(公告)号：US20170024238A1

公开(公告)日：2017-01-26

申请号：US15175874

申请日：2016-06-07

Applicant: Intel Corporation

Inventor： Radhakrishna RK Hiremane ,  Anil S. Keshavamurthy

IPC: G06F9/455 ,  G06F3/06

CPC classification number: G06F9/45558 ,  G06F9/45541 ,  G06F11/07 ,  G06F11/0712 ,  G06F11/0766 ,  G06F21/54 ,  G06F2009/45583 ,  G06F2009/45591

Abstract: Techniques are described for providing processor-based dedicated fixed function hardware to perform runtime integrity measurements for detecting attacks on system supervisory software, such as a hypervisor or native Operating System (OS). The dedicated fixed function hardware is provided with memory addresses of the system supervisory software for monitoring. After obtaining the memory addresses and other information required to facilitate integrity monitoring, the dedicated fixed function hardware activates a lock-out to prevent reception of any additional information, such as information from a corrupted version of the system supervisory software. The dedicated fixed function hardware then automatically performs periodic integrity measurements of the system supervisory software. Upon detection of an integrity failure, the dedicated fixed function hardware uses out-of-band signaling to report that an integrity failure has occurred.The dedicated fixed function hardware provides for runtime integrity verification of a platform in a secure manner without impacting the performance of the platform.

Abstract translation: 专用固定功能硬件以安全的方式提供平台的运行时完整性验证，而不会影响平台的性能。

公开(公告)号：US09323539B2

公开(公告)日：2016-04-26

申请号：US13928875

申请日：2013-06-27

Applicant: Intel Corporation

Inventor： Anil S. Keshavamurthy ,  Murugasamy K. Nachimuthu ,  Mohan J. Kumar

IPC: G06F9/44 ,  G06F12/02 ,  G06F17/30

CPC classification number: G06F9/44 ,  G06F12/0238 ,  G06F12/0246 ,  G06F17/30 ,  Y02D10/13

Abstract: Methods and apparatus related to constructing a persistent file system from scattered persistent regions are described. In one embodiment, stored information in a storage unit corresponds to one or more persistent memory regions that are scattered amongst one or more non-volatile memory devices. The one or more persistent memory regions are byte addressable. Also, the one or more persistent memory regions are used to form a virtual contiguous region. Other embodiments are also disclosed and claimed.

Abstract translation: 描述了从分散的持续区域构建持久性文件系统的方法和装置。 在一个实施例中，存储单元中存储的信息对应于分散在一个或多个非易失性存储器件中的一个或多个持久性存储器区域。 一个或多个持久性存储器区域是字节可寻址的。 此外，一个或多个持久性存储器区域用于形成虚拟连续区域。 还公开并要求保护其他实施例。

公开(公告)号：US08751864B2

公开(公告)日：2014-06-10

申请号：US13848830

申请日：2013-03-22

Applicant: Intel Corporation

Inventor： Robert C. Swanson ,  Mahesh S. Natu ,  Rahul Khanna ,  Murugasamy K. Nachimuthu ,  Sarathy Jayakumar ,  Anil S. Keshavamurthy ,  Narayan Ranganathan

IPC: G06F11/00

CPC classification number: G06F11/203 ,  G06F11/1666 ,  G06F11/20

Abstract: In one embodiment, the present invention provides an ability to handle an error occurring during a memory migration operation in a high availability system. In addition, a method can be used to dynamically remap a memory page stored in a non-mirrored memory region of memory to a mirrored memory region. This dynamic remapping may be responsive to a determination that the memory page has been accessed more than a threshold number of times, indicating a criticality of information on the page. Other embodiments are described and claimed.

Abstract translation: 在一个实施例中，本发明提供了处理在高可用性系统中的存储器迁移操作期间发生的错误的能力。 此外，可以使用一种方法来将存储在存储器的非镜像存储器区域中的存储器页面动态重映射到镜像存储器区域。 该动态重新映射可以响应于确定存储器页已经被访问多于阈值次数，指示页面上的信息的关键性。 描述和要求保护其他实施例。