-
Publication number: US12001346B2
Publication date: 2024-06-04
Application number: US17127786
Filing date: 2020-12-18
Applicant: Intel Corporation
Inventor: Thomas Unterluggauer , Alaa Alameldeen , Scott Constable , Fangfei Liu , Francis McKeen , Carlos Rozas , Anna Trikalinou
IPC: G06F12/10 , G06F12/121 , G06F12/14
CPC classification number: G06F12/14 , G06F12/121 , G06F2212/1052
Abstract: Techniques and mechanisms for a victim cache to operate in conjunction with a skewed cache to help mitigate the risk of a side-channel attack. In an embodiment, a first line is evicted from a skewed cache, and moved to a victim cache, based on a message indicating that a second line is to be stored to the skewed cache. Subsequently, a request to access the first line results in a search of both the victim cache and sets of the skewed cache which have been mapped to an address corresponding to the first line. Based on the search, the first line is evicted from the victim cache, and reinserted in the skewed cache. In another embodiment, reinsertion of the first line in the skewed cache includes the first line and a third line being swapped between the skewed cache and the victim cache.
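The eviction and reinsertion path described in this abstract, as an added example that is not code from the patent or from Intel: a toy 2-way skewed cache (each way has its own index function) backed by a small victim cache. A lookup searches the set the line maps to in every way and then the victim cache; a victim-cache hit evicts the line from the victim cache and reinserts it, and the line it displaces is swapped into the victim cache. The two index functions, the way chosen when no candidate slot is free, and FIFO replacement inside the victim cache are assumptions; the abstract does not fix them.

```python
from collections import OrderedDict


class SkewedCacheWithVictim:
    """Toy 2-way skewed cache plus a bounded victim cache (assumed policies, see comments)."""

    def __init__(self, sets=4, victim_entries=2):
        self.sets = sets
        self.ways = [[None] * sets, [None] * sets]
        self.victim = OrderedDict()          # line -> None, oldest entry first
        self.victim_entries = victim_entries
        self.stats = {"hit": 0, "victim_hit": 0, "miss": 0}

    def _index(self, way, line):
        # The skew: way 0 indexes on the low bits, way 1 on the next bits up (assumption).
        return line % self.sets if way == 0 else (line >> 2) % self.sets

    def _to_victim(self, line):
        # Bounded victim cache: drop the oldest entry when it is full (assumption).
        if len(self.victim) >= self.victim_entries:
            self.victim.popitem(last=False)
        self.victim[line] = None

    def insert(self, line):
        """Store `line` in the skewed cache; a displaced line moves to the victim cache.
        Returns the displaced line, or None."""
        self.victim.pop(line, None)          # a line lives in at most one of the two caches
        for w in range(2):                   # prefer a candidate slot that is empty
            idx = self._index(w, line)
            if self.ways[w][idx] is None:
                self.ways[w][idx] = line
                return None
        w = line % 2                         # otherwise pick a way (assumed policy)
        idx = self._index(w, line)
        evicted, self.ways[w][idx] = self.ways[w][idx], line
        self._to_victim(evicted)
        return evicted

    def lookup(self, line):
        """Search the mapped set in each way, then the victim cache.
        Returns ('hit', way, set), ('victim', way, set) after reinsertion, or None."""
        for w in range(2):
            idx = self._index(w, line)
            if self.ways[w][idx] == line:
                self.stats["hit"] += 1
                return ("hit", w, idx)
        if line in self.victim:
            self.stats["victim_hit"] += 1
            del self.victim[line]            # evict from the victim cache ...
            self.insert(line)                # ... reinsert; the displaced line swaps into it
            w = next(w for w in range(2) if self.ways[w][self._index(w, line)] == line)
            return ("victim", w, self._index(w, line))
        self.stats["miss"] += 1
        return None


def demo():
    """Constructed trace: five inserts that overflow one set, then lookups that bounce
    two lines between the skewed cache and the victim cache."""
    c = SkewedCacheWithVictim()
    inserts = [c.insert(x) for x in (5, 9, 13, 1, 17)]      # 17 displaces 1 into the victim cache
    lookups = [c.lookup(x) for x in (5, 1, 17, 99)]         # 1 and 17 swap places twice
    return inserts, lookups, list(c.victim), dict(c.stats)


if __name__ == "__main__":
    print(demo())
```

The point the trace makes visible is that a victim-cache hit is not free: it reinserts the line into one of its skewed candidate sets and pushes another line out, so the victim cache shifts which set the eviction lands in rather than removing the contention.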
-
Publication number: US11921646B2
Publication date: 2024-03-05
Application number: US17842094
Filing date: 2022-06-16
Applicant: Intel Corporation
Inventor: David Koufaty , Rajesh Sankaran , Anna Trikalinou , Rupin Vakharwala
IPC: G06F12/14 , G06F12/0862 , G06F12/1009 , G06F13/16 , G06F13/42
CPC classification number: G06F12/1483 , G06F12/0862 , G06F12/1009 , G06F13/1668 , G06F13/4282 , G06F2212/1052 , G06F2212/305 , G06F2212/6028 , G06F2213/0026
Abstract: Embodiments are directed to providing a secure address translation service. An embodiment of a system includes memory for storage of data, an IOMMU coupled to the memory, and a host-to-device link to couple the IOMMU with one or more devices and to operate as a translation agent on behalf of one or more devices in connection with memory operations relating to the memory, including receiving a translated request from a discrete device via the host-to-device link specifying a memory operation and a physical address within the memory pertaining to the memory operation, determining page access permissions assigned to a context of the discrete device for a physical page of the memory within which the physical address resides, allowing the memory operation to proceed when the page access permissions permit the memory operation, and blocking the memory operation when the page access permissions do not permit the memory operation.
-
Publication number: US11373013B2
Publication date: 2022-06-28
Application number: US16234871
Filing date: 2018-12-28
Applicant: Intel Corporation
Inventor: Luis Kida , Krystof Zmudzinski , Reshma Lal , Pradeep Pappachan , Abhishek Basak , Anna Trikalinou
Abstract: Technologies for secure I/O include a compute device having a processor, a memory, an input/output (I/O) device, and a filter logic. The filter logic is configured to receive a first key identifier from the processor, wherein the first key identifier is indicative of a shared memory range that includes a shared key identifier range to be used for untrusted I/O devices, and to receive a transaction from the I/O device, wherein the transaction includes a second key identifier and a trust device ID indicator associated with the I/O device. The filter logic is further configured to determine whether the transaction is asserted with the trust device ID indicator indicative of whether the I/O device is assigned to a trust domain and to determine, in response to a determination that the transaction is not asserted with the trust device ID indicator, whether the second key identifier matches the first key identifier.
-
Publication number: US20210173794A1
Publication date: 2021-06-10
Application number: US17131974
Filing date: 2020-12-23
Applicant: Intel Corporation
Inventor: David Koufaty , Anna Trikalinou , Utkarsh Y. Kakaiya , Ravi Sahita , Ramya Jayaram Masti
IPC: G06F12/14 , G06F12/1009 , G06F12/1045
Abstract: Embodiments are directed to providing a secure address translation service. An embodiment of a system includes a memory device to store memory data in a plurality of physical pages shared by a plurality of devices, a first table to map each page of memory to an associated bundle identifier (ID) that identifies one or more devices having access to a page of memory, a second table to map each bundle ID to page access permissions that define access to one or more pages associated with a bundle ID, and a translation agent to receive requests from the plurality of devices to perform memory operations on the memory and determine page access permissions for requests received from the plurality of devices using the first table and the second table.
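The two-table permission check in this abstract, and the per-device-context check on translated requests in the US11921646B2 abstract above, as one added example that is not code from the patents or from Intel. A translation agent keeps a first table from physical page number to bundle ID and a second table from bundle ID to the permissions each device context holds; a translated request carrying a physical address is allowed only if the page's bundle grants the requesting context the operation. The `DeviceContext` fields (device identifier plus PASID), the 4 KiB page size, and denying requests to pages not assigned to any bundle are assumptions.

```python
from dataclasses import dataclass
from enum import Flag, auto

PAGE_SIZE = 4096  # assumption: 4 KiB pages


class Perm(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()


@dataclass(frozen=True)
class DeviceContext:
    """Requester identity as the translation agent sees it (assumed fields)."""
    device: str     # e.g. PCIe bus:device.function
    pasid: int = 0  # process address space ID carried in the request


class TranslationAgent:
    def __init__(self):
        self.page_to_bundle = {}  # first table: physical page number -> bundle ID
        self.bundle_perms = {}    # second table: bundle ID -> {DeviceContext: Perm}

    def assign_page(self, phys_addr, bundle_id):
        self.page_to_bundle[phys_addr // PAGE_SIZE] = bundle_id

    def grant(self, bundle_id, ctx, perm):
        self.bundle_perms.setdefault(bundle_id, {})[ctx] = perm

    def check(self, ctx, phys_addr, op):
        """Decide a translated request (physical address already known) from the two tables.
        Returns (allowed, reason)."""
        bundle = self.page_to_bundle.get(phys_addr // PAGE_SIZE)
        if bundle is None:
            return False, "page not assigned to any bundle"  # fail closed (assumption)
        allowed = self.bundle_perms.get(bundle, {}).get(ctx, Perm.NONE)
        if op in allowed:
            return True, f"bundle {bundle} grants {allowed} to {ctx.device}/{ctx.pasid}"
        return False, f"bundle {bundle} grants {allowed} to {ctx.device}/{ctx.pasid}, request needs {op}"


def demo():
    """Constructed scenario: a NIC and a GPU share a ring buffer; the GPU also owns private pages."""
    agent = TranslationAgent()
    nic = DeviceContext("02:00.0", pasid=7)
    gpu = DeviceContext("03:00.0")
    for addr in (0x10000, 0x11000):
        agent.assign_page(addr, "ringbuf")
    agent.assign_page(0x20000, "gpu_private")
    agent.grant("ringbuf", nic, Perm.READ | Perm.WRITE)
    agent.grant("ringbuf", gpu, Perm.READ)
    agent.grant("gpu_private", gpu, Perm.READ | Perm.WRITE)
    requests = [
        (nic, 0x10010, Perm.WRITE),                   # producer writes the ring: allowed
        (gpu, 0x11FF0, Perm.READ),                    # consumer reads the ring: allowed
        (gpu, 0x11FF0, Perm.WRITE),                   # consumer tries to write: blocked
        (nic, 0x20000, Perm.READ),                    # NIC touches GPU-private page: blocked
        (DeviceContext("02:00.0", pasid=8), 0x10000, Perm.READ),  # same NIC, other PASID: blocked
        (nic, 0x30000, Perm.READ),                    # page in no bundle: blocked
    ]
    return [agent.check(ctx, addr, op)[0] for ctx, addr, op in requests]


if __name__ == "__main__":
    print(demo())
```

Because the check runs on the physical address of an already translated request, a device that obtained a translation through ATS still cannot use it to reach a page whose bundle does not include its context; that is the property a translated request otherwise bypasses.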
-
Publication number: US20200327072A1
Publication date: 2020-10-15
Application number: US16912251
Filing date: 2020-06-25
Applicant: Intel Corporation
Inventor: Michael Kounavis , Anna Trikalinou
IPC: G06F12/14 , G06F12/1081 , G06F12/0882 , G06F21/79 , H04L9/06 , H04L9/32
Abstract: Methods and apparatus relating to secure-ATS (or secure Address Translation Services) using a version tree for replay protection are described. In an embodiment, memory stores data for a secured device. The stored data comprises information for one or more intermediate nodes and one or more leaf nodes. Logic circuitry allows/disallows access to contents of a memory region associated with a first leaf node from the one or more leaf nodes by a memory access request based at least in part on whether the memory access request is associated with a permission authenticated by the MAC of the first leaf node. Other embodiments are also disclosed and claimed.
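A version tree with MAC-authenticated leaf permissions, as an added example that is not code from the patent or from Intel. Each leaf holds a region's permission and a version under an HMAC; each intermediate node holds its children's current versions under its own HMAC; only the root version is kept in trusted storage. An access is allowed only if the leaf MAC verifies and the version chain from leaf to root matches the trusted root version, so an attacker who writes back an older (validly MACed) leaf or an older copy of the whole tree is caught. The binary layout, HMAC-SHA256 as the MAC, the record encoding, and a root version held "on-chip" are assumptions; the abstract does not specify them.

```python
import hmac
import hashlib
from copy import deepcopy

READ, WRITE = 1, 2


class VersionTree:
    """Leaves and intermediate nodes live in (untrusted) memory; the root version is trusted."""

    def __init__(self, key: bytes, num_regions: int):
        assert num_regions >= 2
        self.key = key
        self.leaves = {}               # region -> {"version", "perm", "mac"}
        self.nodes = {}                # node id -> {"version", "children", "mac"}
        self.parent = {}
        self.trusted_root_version = 0  # assumption: kept on-chip, not replayable
        for r in range(num_regions):
            self.leaves[r] = self._leaf(r, 0, 0)
        ids, level = [("L", r) for r in range(num_regions)], 0
        while len(ids) > 1:            # build a binary tree over the leaves (assumed layout)
            parents = []
            for i in range(0, len(ids), 2):
                pid, kids = ("N", level, i // 2), ids[i:i + 2]
                for k in kids:
                    self.parent[k] = pid
                self.nodes[pid] = self._node(pid, 0, {k: 0 for k in kids})
                parents.append(pid)
            ids, level = parents, level + 1
        self.root = ids[0]

    def _mac(self, *fields):
        msg = "|".join(repr(f) for f in fields).encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def _leaf(self, region, version, perm):
        return {"version": version, "perm": perm,
                "mac": self._mac("leaf", region, version, perm)}

    def _node(self, pid, version, children):
        return {"version": version, "children": dict(children),
                "mac": self._mac("node", pid, version, sorted(children.items()))}

    def set_permission(self, region, perm):
        """Owner updates a region's permission: bump the leaf version and every ancestor."""
        v = self.leaves[region]["version"] + 1
        self.leaves[region] = self._leaf(region, v, perm)
        child, cv = ("L", region), v
        while child in self.parent:
            pid, node = self.parent[child], self.nodes[self.parent[child]]
            kids = dict(node["children"])
            kids[child] = cv
            self.nodes[pid] = self._node(pid, node["version"] + 1, kids)
            child, cv = pid, node["version"] + 1
        self.trusted_root_version = cv

    def access(self, region, op):
        """Allow `op` only if the leaf MAC and the version chain up to the trusted root hold."""
        leaf = self.leaves[region]
        if not hmac.compare_digest(leaf["mac"], self._mac("leaf", region, leaf["version"], leaf["perm"])):
            return False                                   # leaf forged or tampered
        child, cv = ("L", region), leaf["version"]
        while child in self.parent:
            pid, node = self.parent[child], self.nodes[self.parent[child]]
            if not hmac.compare_digest(node["mac"], self._mac("node", pid, node["version"],
                                                              sorted(node["children"].items()))):
                return False                               # node forged or tampered
            if node["children"].get(child) != cv:
                return False                               # stale child: replayed leaf/subtree
            child, cv = pid, node["version"]
        if cv != self.trusted_root_version:
            return False                                   # whole tree replayed
        return (leaf["perm"] & op) == op


def replay_stale_leaf(tree, region):
    """Attacker saves a leaf while permission is granted, waits for revocation, writes it back."""
    saved = deepcopy(tree.leaves[region])
    tree.set_permission(region, 0)
    tree.leaves[region] = saved
    return tree.access(region, READ)


def replay_whole_tree(tree, region):
    """Attacker restores every leaf and node from before revocation; only the root version differs."""
    saved = deepcopy((tree.leaves, tree.nodes))
    tree.set_permission(region, 0)
    tree.leaves, tree.nodes = saved
    return tree.access(region, READ)


if __name__ == "__main__":
    t = VersionTree(b"constructed-device-key", 4)
    t.set_permission(0, READ)
    print(t.access(0, READ), replay_stale_leaf(t, 0), replay_whole_tree(t, 0))  # True False False
```

The version chain is what turns a per-leaf MAC (which alone only proves a record was once valid) into freshness: a replayed leaf carries a version its parent no longer records, and a replayed tree carries a root version the trusted register has moved past.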
-
Publication number: US10474814B2
Publication date: 2019-11-12
Application number: US15278250
Filing date: 2016-09-28
Applicant: Intel Corporation
Inventor: Anna Trikalinou
Abstract: In an embodiment, an apparatus includes: an interface circuit to receive thermal information from a system memory; a calculation circuit to determine a rate of thermal change of the system memory based on a current temperature of the system memory, a prior temperature of the system memory and a time duration; and a policy enforcement circuit, in response to a result of a comparison of the rate of thermal change to a threshold, to perform at least one protection measure on the system memory. Other embodiments are described and claimed.
-
Publication number: US12210660B2
Publication date: 2025-01-28
Application number: US17548170
Filing date: 2021-12-10
Applicant: Intel Corporation
Inventor: Anna Trikalinou , Abhishek Basak , Rupin H. Vakharwala , Utkarsh Y. Kakaiya
Abstract: In one embodiment, a read request is received from a peripheral device across an interconnect, with the read request including a process identifier and an encrypted virtual address. One or more keys are obtained based on the process identifier of the read request, and the encrypted virtual address of the read request is decrypted based on the one or more keys to obtain an unencrypted virtual address. Encrypted data is retrieved from memory based on the unencrypted virtual address, and the encrypted data is decrypted based on the one or more keys to obtain plaintext data. The plaintext data is transmitted to the peripheral device across the interconnect.
-
Publication number: US12189542B2
Publication date: 2025-01-07
Application number: US17543267
Filing date: 2021-12-06
Applicant: Intel Corporation
Inventor: Reshma Lal , Pradeep M. Pappachan , Luis Kida , Krystof Zmudzinski , Siddhartha Chhabra , Abhishek Basak , Alpa Narendra Trivedi , Anna Trikalinou , David M. Lee , Vedvyas Shanbhogue , Utkarsh Y. Kakaiya
IPC: G06F12/14 , G06F9/38 , G06F9/455 , G06F12/0802 , G06F21/57 , G06F21/60 , G06F21/64 , G06F21/76 , G06F21/79 , H04L9/06 , H04L9/08 , H04L9/32 , H04L41/046 , H04L41/28
Abstract: Technologies for secure device configuration and management include a computing device having an I/O device. A trusted agent of the computing device is trusted by a virtual machine monitor of the computing device. The trusted agent securely commands the I/O device to enter a trusted I/O mode, securely commands the I/O device to set a global lock on configuration registers, receives configuration data from the I/O device, and provides the configuration data to a trusted execution environment. In the trusted I/O mode, the I/O device rejects a configuration command if a configuration register associated with the configuration command is locked and the configuration command is not received from the trusted agent. The trusted agent may provide attestation information to the trusted execution environment. The trusted execution environment may verify the configuration data and the attestation information. Other embodiments are described and claimed.
-
Publication number: US20230297725A1
Publication date: 2023-09-21
Application number: US18200543
Filing date: 2023-05-22
Applicant: Intel Corporation
Inventor: Luis Kida , Krystof Zmudzinski , Reshma Lal , Pradeep Pappachan , Abhishek Basak , Anna Trikalinou
Abstract: Technologies for secure I/O include a compute device having a processor, a memory, an input/output (I/O) device, and a filter logic. The filter logic is configured to receive a first key identifier from the processor, wherein the first key identifier is indicative of a shared memory range that includes a shared key identifier range to be used for untrusted I/O devices, and to receive a transaction from the I/O device, wherein the transaction includes a second key identifier and a trust device ID indicator associated with the I/O device. The filter logic is further configured to determine whether the transaction is asserted with the trust device ID indicator indicative of whether the I/O device is assigned to a trust domain and to determine, in response to a determination that the transaction is not asserted with the trust device ID indicator, whether the second key identifier matches the first key identifier.
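The filter-logic decision from this abstract and from the US11373013B2 abstract above (the same disclosure), as one added example that is not code from the patents or from Intel. The filter receives the shared key-identifier range from the processor, and for each transaction without the trust device ID indicator it checks that the key identifier the transaction carries falls in that range; a transaction with the indicator asserted is a trust-domain device and is not confined to the shared range here. Encoding the key identifier in the upper physical-address bits (MKTME-style, with `keyid_shift` and `keyid_bits`), and passing trusted-device transactions without further checks, are assumptions the abstract does not state.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    device: str
    phys_addr: int          # address carrying the second key identifier in its upper bits (assumption)
    trust_device_id: bool   # trust device ID indicator: device is assigned to a trust domain


class TrustedIOFilter:
    def __init__(self, shared_key_ids: range, keyid_shift=46, keyid_bits=6):
        self.shared_key_ids = shared_key_ids     # first key identifier(s) from the processor
        self.shift, self.mask = keyid_shift, (1 << keyid_bits) - 1

    def key_id_of(self, txn):
        return (txn.phys_addr >> self.shift) & self.mask   # second key identifier

    def check(self, txn):
        """Returns (allowed, reason) for one transaction from an I/O device."""
        kid = self.key_id_of(txn)
        if txn.trust_device_id:
            # Assumption: trust-domain devices are not confined to the shared range by this filter.
            return True, f"{txn.device}: trusted device, key id {kid}"
        if kid in self.shared_key_ids:
            return True, f"{txn.device}: untrusted device on shared key id {kid}"
        return False, f"{txn.device}: untrusted device targeting key id {kid} outside shared range"


def make_addr(key_id, offset, keyid_shift=46):
    """Build a physical address with `key_id` in the upper bits (constructed encoding)."""
    return (key_id << keyid_shift) | offset


def demo():
    """Constructed traffic: untrusted NIC and trust-domain GPU, shared key ids 1..3."""
    flt = TrustedIOFilter(range(1, 4))
    txns = [
        Transaction("nic", make_addr(2, 0x1000), False),   # shared key id: allowed
        Transaction("nic", make_addr(9, 0x1000), False),   # private key id from untrusted device: blocked
        Transaction("nic", make_addr(0, 0x1000), False),   # key id 0 not in shared range: blocked
        Transaction("gpu", make_addr(9, 0x2000), True),    # trust-domain device: allowed
    ]
    return [flt.check(t)[0] for t in txns]


if __name__ == "__main__":
    print(demo())
```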
-
Publication number: US20220309008A1
Publication date: 2022-09-29
Application number: US17842094
Filing date: 2022-06-16
Applicant: Intel Corporation
Inventor: David Koufaty , Rajesh Sankaran , Anna Trikalinou , Rupin Vakharwala
IPC: G06F12/14 , G06F12/0862 , G06F12/1009 , G06F13/16 , G06F13/42
Abstract: Embodiments are directed to providing a secure address translation service. An embodiment of a system includes memory for storage of data, an IOMMU coupled to the memory, and a host-to-device link to couple the IOMMU with one or more devices and to operate as a translation agent on behalf of one or more devices in connection with memory operations relating to the memory, including receiving a translated request from a discrete device via the host-to-device link specifying a memory operation and a physical address within the memory pertaining to the memory operation, determining page access permissions assigned to a context of the discrete device for a physical page of the memory within which the physical address resides, allowing the memory operation to proceed when the page access permissions permit the memory operation, and blocking the memory operation when the page access permissions do not permit the memory operation.
-