-
Publication No.: US11461244B2
Publication Date: 2022-10-04
Application No.: US16227386
Filing Date: 2018-12-20
Applicant: Intel Corporation
Inventors: Ido Ouziel, Arie Aharon, Dror Caspi, Baruch Chaikin, Jacob Doweck, Gideon Gerzon, Barry E. Huntley, Francis X. McKeen, Gilbert Neiger, Carlos V. Rozas, Ravi L. Sahita, Vedvyas Shanbhogue, Assaf Zaltsman, Hormuzd M. Khosravi
IPC Classification: G06F11/30, G06F12/14, G06F9/455, G06F11/07, G06F12/02, G06F12/0817, G06F21/53, G06F21/57, G06F21/60, G06F21/79
Abstract: Implementations described herein provide hardware support for the co-existence of restricted and non-restricted encryption keys on a computing system. Such hardware support may comprise a processor having a core and a hardware register that stores a bit range identifying the number of physical-memory-address bits that define key identifiers (IDs), together with a partition key ID identifying the boundary between non-restricted and restricted key IDs. The core may allocate at least one of the non-restricted key IDs to a software program, such as a hypervisor. The core may further allocate a restricted key ID to a trust domain whose trusted computing base does not comprise the software program. A memory controller coupled to the core may allocate a physical page of a memory to the trust domain, wherein data of the physical page is to be encrypted with an encryption key associated with the restricted key ID.
-
Publication No.: US11204874B2
Publication Date: 2021-12-21
Application No.: US16838418
Filing Date: 2020-04-02
Applicant: Intel Corporation
Inventors: Vedvyas Shanbhogue, Krystof C. Zmudzinski, Carlos V. Rozas, Francis X. McKeen, Raghunandan Makaram, Ilya Alexandrovich, Ittai Anati, Meltem Ozsoy
IPC Classification: G06F12/0862, G06F12/0846, G06F12/1027, G06F12/14, G06F12/1009
Abstract: Secure memory repartitioning technologies are described. Embodiments of the disclosure may include a processing device including a processor core and a memory controller coupled between the processor core and a memory device. The memory device includes a memory range containing a section of convertible pages that can be converted to secure pages or non-secure pages. The processor core is to receive a non-secure access request to a page in the memory device; responsive to a determination, based on one or more secure state bits in one or more secure state bit arrays, that the page is a secure page, insert an abort page address into a translation lookaside buffer; and responsive to a determination, based on the same secure state bits, that the page is a non-secure page, insert the page into the translation lookaside buffer.
-
Publication No.: US11030120B2
Publication Date: 2021-06-08
Application No.: US16454481
Filing Date: 2019-06-27
Applicant: Intel Corporation
Inventors: Krystof C. Zmudzinski, Simon P. Johnson, Raghunandan Makaram, Francis X. McKeen, Carlos V. Rozas, Meltem Ozsoy, Ilya Alexandrovich, Siddhartha Chhabra
IPC Classification: G06F12/14, G06F12/1045, G06F12/0882, G06F11/30, G06F12/0871, G06F9/4401, G06F11/07, G06F12/0891
Abstract: A processor includes a cryptographic engine to control access, using a secure region key identifier (ID), to one or more memory ranges that are allocable for flexible conversion to secure pages of architecturally protected memory regions, and a processor core. The processor core is to, responsive to receipt of a request to access the memory, perform a walk of page tables and extended page tables to translate a linear address of the request to a physical address of the memory. The processor core is further to determine that the physical address corresponds to a secure page within the one or more memory ranges and that a first key ID located within the physical address does not match the secure region key ID, and in response issue a page fault and deny access to the secure page.
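The two abstracts above (US11461244B2 and US11030120B2) describe the same address-tagging idea from two sides: a key ID is carried in the high bits of a physical address, a partition value splits the key-ID space into non-restricted IDs (usable by the hypervisor) and restricted IDs (reserved for trust domains), and an access to a secure page whose key ID does not match the secure-region key ID is refused with a page fault. The following C model is an added illustration written for this page, not Intel's code, and it describes no real register layout: the 52-bit address width, the 6-bit key-ID field and the partition value 32 are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added illustration of the key-ID partition scheme in the two abstracts
 * above. Not Intel's code; the widths and partition value are assumed. */

enum access_result { ACCESS_ALLOWED = 0, ACCESS_PAGE_FAULT = 1 };

struct keyid_config {
    unsigned phys_addr_bits;  /* width of a physical address (assumed 52) */
    unsigned keyid_bits;      /* top address bits that carry the key ID: the
                                 "bit range" held in the hardware register */
    uint32_t partition_keyid; /* boundary: IDs below it are non-restricted,
                                 IDs at or above it are restricted */
};

/* Assumed configuration: 64 key IDs, of which 32..63 are restricted. */
static const struct keyid_config example_cfg = { 52, 6, 32 };

static unsigned keyid_shift(const struct keyid_config *c)
{
    return c->phys_addr_bits - c->keyid_bits;
}

static uint64_t keyid_mask(const struct keyid_config *c)
{
    return (c->keyid_bits >= 64) ? ~0ull : ((1ull << c->keyid_bits) - 1);
}

/* Extract the key ID carried in the high bits of a physical address. */
uint32_t keyid_of(const struct keyid_config *c, uint64_t pa)
{
    return (uint32_t)((pa >> keyid_shift(c)) & keyid_mask(c));
}

/* Tag a page address with a key ID, replacing any key ID already present. */
uint64_t make_pa(const struct keyid_config *c, uint32_t keyid, uint64_t page_pa)
{
    uint64_t mask = keyid_mask(c);
    page_pa &= ~(mask << keyid_shift(c));
    return page_pa | (((uint64_t)keyid & mask) << keyid_shift(c));
}

bool keyid_is_restricted(const struct keyid_config *c, uint32_t keyid)
{
    return keyid >= c->partition_keyid;
}

/* First abstract: software outside a trust domain's TCB (the hypervisor) may
 * only be allocated key IDs that exist and lie below the partition. */
bool hypervisor_may_use_keyid(const struct keyid_config *c, uint32_t keyid)
{
    return keyid <= keyid_mask(c) && !keyid_is_restricted(c, keyid);
}

/* Second abstract: once the page walk has produced a physical address, an
 * access to a secure page whose key ID differs from the secure-region key ID
 * is denied with a page fault. Non-secure pages are not subject to the check. */
enum access_result check_secure_page_access(const struct keyid_config *c,
                                            uint64_t translated_pa,
                                            bool page_is_secure,
                                            uint32_t secure_region_keyid)
{
    if (page_is_secure && keyid_of(c, translated_pa) != secure_region_keyid)
        return ACCESS_PAGE_FAULT;
    return ACCESS_ALLOWED;
}

int main(void)
{
    uint64_t hv_pa = make_pa(&example_cfg, 5, 0x1000);  /* non-restricted key */
    uint64_t td_pa = make_pa(&example_cfg, 40, 0x2000); /* restricted key */

    printf("key ID %u restricted=%d, key ID %u restricted=%d\n",
           keyid_of(&example_cfg, hv_pa),
           keyid_is_restricted(&example_cfg, keyid_of(&example_cfg, hv_pa)),
           keyid_of(&example_cfg, td_pa),
           keyid_is_restricted(&example_cfg, keyid_of(&example_cfg, td_pa)));
    printf("hypervisor may use key ID 40: %d\n",
           hypervisor_may_use_keyid(&example_cfg, 40));
    printf("secure page accessed with key ID 5, region key 40: %s\n",
           check_secure_page_access(&example_cfg, hv_pa, true, 40) == ACCESS_PAGE_FAULT
               ? "page fault" : "allowed");
    return 0;
}
```

The point of the model is that the key ID is part of the physical address the hardware sees, so a hypervisor that can forge page-table entries still cannot name a restricted key ID (the allocation check) and cannot read a secure page through an address tagged with its own key (the page-fault check); the two checks are independent and both are needed.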
-
Publication No.: US20200310990A1
Publication Date: 2020-10-01
Application No.: US16807872
Filing Date: 2020-03-03
Applicant: Intel Corporation
Abstract: Secure memory allocation technologies are described. A processor includes a processor core and a memory controller coupled between the processor core and main memory. The main memory comprises a protected region including secured pages. In response to a content copy instruction, the processor is to initialize a target page in the protected region of an application address space, select content of a source page in the protected region to be copied, and copy the selected content to the target page in the protected region of the application address space.
-
Publication No.: US10671740B2
Publication Date: 2020-06-02
Application No.: US15946401
Filing Date: 2018-04-05
Applicant: Intel Corporation
Inventors: Binata Bhattacharyya, Raghunandan Makaram, Amy L. Santoni, George Z. Chrysos, Simon P. Johnson, Brian S. Morris, Francis X. McKeen
Abstract: A processor implementing techniques for supporting configurable security levels for memory address ranges is disclosed. In one embodiment, the processor includes a processing core, a memory controller operatively coupled to the processing core to access data in an off-chip memory, and a memory encryption engine (MEE) operatively coupled to the memory controller. The MEE is to, responsive to detecting a memory access operation on a memory location identified by a memory address within a memory address range of the off-chip memory, identify a security level indicator associated with the memory location based on a value stored in a security range register. The MEE is further to access at least a portion of a data item associated with the memory address range in view of the security level indicator.
-
Publication No.: US10592436B2
Publication Date: 2020-03-17
Application No.: US16036654
Filing Date: 2018-07-16
Applicant: Intel Corporation
Abstract: Secure memory allocation technologies are described. A processor includes a processor core and a memory controller coupled between the processor core and main memory. The main memory comprises a protected region including secured pages. In response to a content copy instruction, the processor is to initialize a target page in the protected region of an application address space, select content of a source page in the protected region to be copied, and copy the selected content to the target page in the protected region of the application address space.
-
Publication No.: US10135622B2
Publication Date: 2018-11-20
Application No.: US15279527
Filing Date: 2016-09-29
Applicant: Intel Corporation
Inventors: Vincent R. Scarlata, Francis X. McKeen, Carlos V. Rozas, Simon P. Johnson, Bo Zhang, James D. Beaney, Jr., Piotr Zmijewski, Wesley H. Smith, Eduardo Cabre
Abstract: A computing platform implements one or more secure enclaves, including a first provisioning enclave that interfaces with a first provisioning service to obtain a first attestation key, a second provisioning enclave that interfaces with a different, second provisioning service to obtain a second attestation key, and a provisioning certification enclave that signs first data from the first provisioning enclave and second data from the second provisioning enclave using a hardware-based provisioning attestation key. The signed first data is used by the first provisioning enclave to authenticate to the first provisioning service and obtain the first attestation key; the signed second data is used by the second provisioning enclave to authenticate to the second provisioning service and obtain the second attestation key.
-
Publication No.: US20180183580A1
Publication Date: 2018-06-28
Application No.: US15391208
Filing Date: 2016-12-27
Applicant: Intel Corporation
Inventors: Vincent R. Scarlata, Carlos V. Rozas, Simon P. Johnson, Francis X. McKeen, Mona Vij, Somnath Chakrabarti, Brandon Baker, Ittai Anati, Ilya Alexandrovich
CPC Classification: G06F9/4856, G06F21/53, G06F21/602, H04L9/0861, H04L9/0897, H04L9/3247, H04L9/3268
Abstract: A secure migration enclave is provided to identify the launch of a particular virtual machine on a host computing system, where the virtual machine is launched to include a secure quoting enclave that performs an attestation of one or more aspects of the virtual machine. A root key for the virtual machine is generated using the secure migration enclave hosted on the host computing system, for use in provisioning the secure quoting enclave with the attestation key to be used in the attestation. The migration enclave registers the root key with a virtual machine registration service.
-
Publication No.: US20170366359A1
Publication Date: 2017-12-21
Application No.: US15201400
Filing Date: 2016-07-02
Applicant: Intel Corporation
Inventors: Vincent R. Scarlata, Francis X. McKeen, Carlos V. Rozas, Simon P. Johnson, Bo Zhang, James D. Beaney, Jr., Piotr Zmijewski, Wesley Hamilton Smith, Eduardo Cabre, Uday R. Savagaonkar
CPC Classification: H04L9/3263, G09C1/00, H04L9/0816, H04L9/0822, H04L9/14, H04L9/3268, H04L63/06, H04L63/0823, H04L63/12
Abstract: Embodiments include systems, methods, computer-readable media, and devices configured to, for a first processor of a platform, generate a platform root key; create a data structure encapsulating the platform root key, the data structure comprising a platform provisioning key and an identification of a registration service; and transmit the data structure over a secure connection to the registration service to register the platform root key for the first processor of the platform. Embodiments also include systems, methods, computer-readable media, and devices configured to store a device certificate received from a key generation facility; receive a manifest from a platform, the manifest comprising an identification of a processor associated with the platform; and validate the processor using the stored device certificate.
-
Publication No.: US20170337145A1
Publication Date: 2017-11-23
Application No.: US15612845
Filing Date: 2017-06-02
Applicant: Intel Corporation
Inventors: Carlos V. Rozas, Ilya Alexandrovich, Gilbert Neiger, Francis X. McKeen, Ittai Anati, Vedvyas Shanbhogue, Shay Gueron
IPC Classification: G06F13/24, G06F12/0806, G06F21/00, G06F21/85, G06F12/08, G06F21/71, G06F12/0875
CPC Classification: G06F13/24, G06F12/08, G06F12/0806, G06F12/0875, G06F21/00, G06F21/71, G06F21/85, G06F2212/1024, G06F2212/1052, G06F2212/62
Abstract: Instructions and logic to interrupt and resume paging in secure enclaves are described. Embodiments include instructions that specify page addresses allocated to a secure enclave; the instructions are decoded for execution by a processor. The processor includes an enclave page cache that stores secure data in a first cache line and a last cache line for the page corresponding to the page address. A page state is read from the first or last cache line of the page when the entry for the page in an enclave page cache mapping indicates that only a partial page is stored in the enclave page cache. When the instruction's execution is interrupted, the partial-page entry may be set and a new page state recorded in the first cache line (when writing back) or in the last cache line (when loading the page). The write-back or load can thus be resumed.