-
Publication No.: US11989332B2
Publication date: 2024-05-21
Application No.: US17449343
Filing date: 2021-09-29
Applicant: Intel Corporation
CPC classification: G06F21/71 , G06F8/63 , G06F9/45533 , G06F9/45558 , G06F21/53 , G06F21/57 , G06F21/78 , H04L9/0822 , G06F2009/45579 , G06F2009/45587 , G06F2212/402 , G06F2221/2149
Abstract: According to one embodiment, a method comprises executing an untrusted host virtual machine monitor (VMM) to manage execution of at least one guest virtual machine (VM). The VMM receives an encrypted key domain key, an encrypted guest code image, and an encrypted guest control structure. The VMM also issues a create command. In response, a processor creates a first key domain comprising a region of memory to be encrypted by a key domain key. The encrypted key domain key is decrypted to produce the key domain key, which is inaccessible to the VMM. The VMM issues a launch command. In response, a first guest VM is launched within the first key domain. In response to a second launch command, a second guest VM is launched within the first key domain. The second guest VM provides an agent to act on behalf of the VMM. Other embodiments are described and claimed.
-
Publication No.: US11934843B2
Publication date: 2024-03-19
Application No.: US18307650
Filing date: 2023-04-26
Applicant: Intel Corporation
IPC classification: G06F9/44 , G06F9/4401 , G06F9/455 , G06F12/1009 , G06F21/78 , H04L9/30 , H04L9/32
CPC classification: G06F9/4403 , G06F9/45558 , G06F12/1009 , G06F21/78 , H04L9/30 , H04L9/32 , G06F2009/45579 , G06F2009/45583 , G06F2009/45591 , G06F2009/45595
Abstract: A processor includes a range register to store information that identifies a reserved range of memory associated with a secure arbitration mode (SEAM) and a core coupled to the range register. The core includes security logic to unlock the range register on a logical processor, of the processor core, that is to initiate the SEAM. The logical processor is to, via execution of the security logic, store, in the reserved range, a SEAM module and a manifest associated with the SEAM module, wherein the SEAM module supports execution of one or more trust domains; initialize a SEAM virtual machine control structure (VMCS) within the reserved range of the memory that is to control state transitions between a virtual machine monitor (VMM) and the SEAM module; and authenticate the SEAM module using a manifest signature of the manifest.
-
Publication No.: US20240078111A1
Publication date: 2024-03-07
Application No.: US18324788
Filing date: 2023-05-26
Applicant: Intel Corporation
Inventors: Vedvyas Shanbhogue , Jason W. Brandt , Ravi L. Sahita , Barry E. Huntley , Baiju V. Patel , Deepak K. Gupta
CPC classification: G06F9/3004 , G06F9/30134 , G06F9/461 , G06F21/52
Abstract: Methods and apparatuses relating to switching of a shadow stack pointer are described. In one embodiment, a hardware processor includes a hardware decode unit to decode an instruction, and a hardware execution unit to execute the instruction to: pop a token for a thread from a shadow stack, wherein the token includes a shadow stack pointer for the thread with at least one least significant bit (LSB) of the shadow stack pointer overwritten with a bit value of an operating mode of the hardware processor for the thread; remove the bit value in the at least one LSB from the token to generate the shadow stack pointer; and set a current shadow stack pointer to the shadow stack pointer from the token when the operating mode from the token matches a current operating mode of the hardware processor.
-
Publication No.: US11822644B2
Publication date: 2023-11-21
Application No.: US17346860
Filing date: 2021-06-14
Applicant: Intel Corporation
Inventors: Michael LeMay , Barry E. Huntley , Ravi Sahita
CPC classification: G06F21/53 , G06F9/5016 , G06F12/00 , G06F21/121 , G06F21/74 , G06F2221/033 , G06F2221/0713 , G06F2221/2113
Abstract: Technologies for memory management with memory protection extension include a computing device having a processor with one or more protection extensions. The processor may load a logical address including a segment base, effective limit, and effective address and generate a linear address as a function of the logical address with the effective limit as a mask. The processor may switch to a new task described by a task state segment extension. The task state extension may specify a low-latency segmentation mode. The processor may prohibit access to a descriptor in a local descriptor table with a descriptor privilege level lower than the current privilege level of the processor. The computing device may load a secure enclave using secure enclave support of the processor. The secure enclave may load an unsandbox and a sandboxed application in a user privilege level of the processor. Other embodiments are described and claimed.
-
Publication No.: US11783064B2
Publication date: 2023-10-10
Application No.: US15941992
Filing date: 2018-03-30
Applicant: INTEL CORPORATION
Inventors: Kirk D. Brannock , Barry E. Huntley
CPC classification: G06F21/6218 , G06F21/64 , G06F21/74
Abstract: Various embodiments are generally directed to an apparatus, method and other techniques to detect an access request to access a computing resource while in a system management mode (SMM), determine that a bit of a lock register is set to enable access to a bitmap associated with the computing resource, the bitmap indicating an access policy for the computing resource, and determine whether the access request violates the access policy set in the bitmap. Embodiments may also include performing the access request if the access request does not violate the access policy, and causing a fault if the access request does violate the access policy.
-
Publication No.: US11775447B2
Publication date: 2023-10-03
Application No.: US17450597
Filing date: 2021-10-12
Applicant: Intel Corporation
Inventors: David M. Durham , Siddhartha Chhabra , Amy L. Santoni , Gilbert Neiger , Barry E. Huntley , Hormuzd M. Khosravi , Baiju V. Patel , Ravi L. Sahita , Gideon Gerzon , Ido Ouziel , Ioannis T. Schoinas , Rajesh M. Sankaran
CPC classification: G06F12/1408 , G06F3/0623 , G06F12/145 , G06F21/53 , G06F21/602 , G06F21/78 , G06F21/82 , G06F2212/1052 , G06F2212/401 , G06F2212/402
Abstract: In one embodiment, an apparatus comprises a processor to read a data line from memory in response to a read request from a VM. The data line comprises encrypted memory data. The apparatus also comprises a memory encryption circuit in the processor. The memory encryption circuit is to use an address of the read request to select an entry from a P2K table; obtain a key identifier from the selected entry of the P2K table; use the key identifier to select a key for the read request; and use the selected key to decrypt the encrypted memory data into decrypted memory data. The processor is further to make the decrypted memory data available to the VM. The P2K table comprises multiple entries, each comprising (a) a key identifier for a page of memory and (b) an encrypted address for that page of memory. Other embodiments are described and claimed.
-
Publication No.: US11669335B2
Publication date: 2023-06-06
Application No.: US16367527
Filing date: 2019-03-28
Applicant: Intel Corporation
IPC classification: G06F9/44 , G06F9/4401 , G06F9/455 , G06F12/1009 , H04L9/30 , H04L9/32 , G06F21/78
CPC classification: G06F9/4403 , G06F9/45558 , G06F12/1009 , G06F21/78 , H04L9/30 , H04L9/32 , G06F2009/45579 , G06F2009/45583 , G06F2009/45591 , G06F2009/45595
Abstract: A processor includes a range register to store information that identifies a reserved range of memory associated with a secure arbitration mode (SEAM) and a core coupled to the range register. The core includes security logic to unlock the range register on a logical processor, of the processor core, that is to initiate the SEAM. The logical processor is to, via execution of the security logic, store, in the reserved range, a SEAM module and a manifest associated with the SEAM module, wherein the SEAM module supports execution of one or more trust domains; initialize a SEAM virtual machine control structure (VMCS) within the reserved range of the memory that is to control state transitions between a virtual machine monitor (VMM) and the SEAM module; and authenticate the SEAM module using a manifest signature of the manifest.
-
Publication No.: US11520906B2
Publication date: 2022-12-06
Application No.: US16830379
Filing date: 2020-03-26
Applicant: Intel Corporation
Inventors: David M. Durham , Siddhartha Chhabra , Ravi L. Sahita , Barry E. Huntley , Gilbert Neiger , Gideon Gerzon , Baiju V. Patel
IPC classification: G06F21/60 , G06F3/06 , G06F12/1009 , G06F21/57 , G06F21/53
Abstract: A computer-readable medium comprises instructions that, when executed, cause a processor to execute an untrusted workload manager to manage execution of at least one guest workload. The instructions, when executed, also cause the processor to (i) receive a request from a guest workload managed by the untrusted workload manager to access a memory using a requested guest address; (ii) obtain, from the untrusted workload manager, a translated workload manager-provided hardware physical address to correspond to the requested guest address; (iii) determine whether a stored mapping exists for the translated workload manager-provided hardware physical address; (iv) in response to finding the stored mapping, determine whether a stored expected guest address from the stored mapping matches the requested guest address; and (v) if the stored expected guest address from the stored mapping matches the requested guest address, enable the guest workload to access contents of the translated workload manager-provided hardware physical address.
-
Publication No.: US11461098B2
Publication date: 2022-10-04
Application No.: US16914343
Filing date: 2020-06-27
Applicant: Intel Corporation
Inventors: Toby Opferman , Prashant Sethi , Abhimanyu K. Varde , Barry E. Huntley , Michael W. Chynoweth , Jason W. Brandt
Abstract: Systems, methods, and apparatuses relating to an instruction for operating-system-transparent instruction state management of new instructions for application threads are described. In one embodiment, a hardware processor includes a decoder to decode a single instruction into a decoded single instruction, and an execution circuit to execute the decoded single instruction to cause a context switch from a current state to a state comprising additional state data that is not supported by an execution environment of an operating system that executes on the hardware processor.
-
Publication No.: US11436342B2
Publication date: 2022-09-06
Application No.: US16727608
Filing date: 2019-12-26
Applicant: Intel Corporation
Abstract: Disclosed embodiments relate to trust domain islands with self-contained scope. In one example, a system includes multiple sockets, each including multiple cores, multiple multi-key total memory encryption (MK-TME) circuits, multiple memory controllers, and a trust domain island resource manager (TDIRM) to: initialize a trust domain island (TDI) control structure (TDICS) associated with a TD island, initialize a trust domain island protected memory (TDIPM) associated with the TD island, identify a host key identifier (HKID) in a key ownership table (KOT), assign the HKID to a cryptographic key and store the HKID in the TDICS, associate one of the plurality of cores (a first core) with the TD island, add a memory page from an address space of the first core to the TDIPM, and transfer execution control to the first core to execute the TDI, wherein the number of HKIDs available in the system increases as the memory mapped to the TD island decreases.
-