1.
Publication number: US11966742B2
Publication date: 2024-04-23
Application number: US18311810
Filing date: 2023-05-03
Applicant: Intel Corporation
Inventors: Eliezer Weissmann, Mark Charney, Michael Mishaeli, Robert Valentine, Itai Ravid, Jason W. Brandt, Gilbert Neiger, Baruch Chaikin, Efraim Rotem
CPC classification: G06F9/3851, G06F9/30043, G06F9/30076, G06F9/30101, G06F9/3836, G06F9/3842
Abstract: Systems, methods, and apparatuses relating to instructions to reset software thread runtime property histories in a hardware processor are described. In one embodiment, a hardware processor includes a hardware guide scheduler comprising a plurality of software thread runtime property histories; a decoder to decode a single instruction into a decoded single instruction, the single instruction having a field that identifies a model-specific register; and an execution circuit to execute the decoded single instruction to check that an enable bit of the model-specific register is set, and when the enable bit is set, to reset the plurality of software thread runtime property histories of the hardware guide scheduler.
2.
Publication number: US20210319118A1
Publication date: 2021-10-14
Application number: US17304391
Filing date: 2021-06-21
Applicant: Intel Corporation
Abstract: In one embodiment, an apparatus includes a channel filter and a security processor. The security processor is to: receive a plurality of device access control policies from a protected non-volatile storage of a platform; determine whether the plurality of device access control policies are verified; program the channel filter with a plurality of filter entries each associated with one of the plurality of device access control policies based on the determination; and remove a security attribute of the security processor from a policy register of the channel filter, to lock the channel filter for a boot cycle of the platform. Other embodiments are described and claimed.
3.
Publication number: US20170364707A1
Publication date: 2017-12-21
Application number: US15628008
Filing date: 2017-06-20
Applicant: Intel Corporation
Inventors: Reshma Lal, Gideon Gerzon, Baruch Chaikin, Siddhartha Chhabra, Pradeep M. Pappachan, Bin Xing
Abstract: Technologies for trusted I/O include a computing device having a processor, a channel identifier filter, and an I/O controller. The I/O controller may generate an I/O transaction that includes a channel identifier and a memory address. The channel identifier filter verifies that the memory address of the I/O transaction is within a processor reserved memory region associated with the channel identifier. The processor reserved memory region is not accessible to software executed by the computing device. The processor encrypts I/O data at the memory address in response to invocation of a processor feature and copies the encrypted data to a memory buffer outside of the processor reserved memory region. The processor may securely clean the processor reserved memory region before encrypting and copying the data. The processor may wrap and unwrap programming information for the channel identifier filter. Other embodiments are described and claimed.
4.
Publication number: US20160171248A1
Publication date: 2016-06-16
Application number: US14572060
Filing date: 2014-12-16
Applicant: Intel Corporation
Inventors: Nadav Nesher, Alex Berenzon, Baruch Chaikin
CPC classification: G06F21/53, G06F21/57, G06F21/71, H04L2209/127
Abstract: An embodiment includes a processor coupled to memory to perform operations comprising: creating a first trusted execution environment (TXE), in protected non-privileged user address space of the memory, which makes a first measurement for at least one of first data and first executable code and which encrypts the first measurement with a persistent first hardware based encryption key while the first measurement is within the first TXE; creating a second TXE, in the non-privileged user address space, which makes a second measurement for at least one of second data and second executable code; creating a third TXE in the non-privileged user address space; creating a first secure communication channel between the first and third TXEs and a second secure communication channel between the second and third TXEs; and communicating the first measurement between the first and third TXEs via the first secure communication channel. Other embodiments are described herein.
5.
Publication number: US20240220388A1
Publication date: 2024-07-04
Application number: US18091975
Filing date: 2022-12-30
Applicant: Intel Corporation
Inventors: Baruch Chaikin, Ahmad Yasin
CPC classification: G06F11/3466, G06F9/45533, G06F9/5011, G06F2201/88
Abstract: Techniques for flexible virtualization of performance monitoring are described. In an embodiment, an apparatus includes a plurality of performance monitoring hardware resources and an instruction decoder to decode a first instruction to access a first performance monitoring hardware resource of the plurality of performance monitoring hardware resources. In response to the first instruction being received by a virtual machine, the apparatus is to determine whether the first performance monitoring hardware resource is allocated to the virtual machine based on an allocation model that allows any set of the performance monitoring hardware resources to be allocated to the virtual machine, execute the first instruction within the virtual machine in response to a determination that the first performance monitoring hardware resource is allocated to the virtual machine, and raise an exception within the virtual machine in response to a determination that the first performance monitoring hardware resource is not allocated to the virtual machine.
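The allocation check in the abstract above, as an added illustrative model (not Intel's code and not the behaviour of any real hypervisor): a guest may be handed any subset of the PMU resources, an access to an allocated resource executes inside the VM, and an access to anything else raises an exception inside the VM. The resource names GP0..GP3 and FIXED0..FIXED2, the VmException type and the rigid "prefix" model used for contrast are assumptions made for the example.

```python
"""Illustrative model of per-VM allocation of performance-monitoring (PMU)
hardware resources. Added example, not Intel's code: the resource names,
VmException and the prefix model are assumptions."""
from dataclasses import dataclass, field


class VmException(Exception):
    """Stands in for the exception raised inside the guest when it touches a
    PMU resource the hypervisor did not allocate to it."""


# Assumed resource names: four general-purpose and three fixed counters.
PMU_RESOURCES = ("GP0", "GP1", "GP2", "GP3", "FIXED0", "FIXED1", "FIXED2")


@dataclass
class Vm:
    name: str
    allocated: frozenset                 # any subset of PMU_RESOURCES
    counters: dict = field(default_factory=dict)


def prefix_model(n_gp: int, n_fixed: int) -> frozenset:
    """A rigid allocation model for contrast: a guest can only receive the
    first n_gp general-purpose and the first n_fixed fixed counters."""
    gp = frozenset(f"GP{i}" for i in range(n_gp))
    fixed = frozenset(f"FIXED{i}" for i in range(n_fixed))
    return gp | fixed


def allocate(name: str, resources) -> Vm:
    """Hypervisor side: bind an arbitrary set of PMU resources to a VM."""
    unknown = set(resources) - set(PMU_RESOURCES)
    if unknown:
        raise ValueError(f"unknown PMU resources: {sorted(unknown)}")
    return Vm(name, frozenset(resources))


def guest_access(vm: Vm, resource: str, write=None) -> int:
    """A guest instruction touching `resource` (think of RDPMC or a counter
    MSR). Allocated resources are executed inside the VM; anything else
    raises inside the VM rather than reading zero or exposing a counter that
    belongs to another tenant."""
    if resource not in vm.allocated:
        raise VmException(f"{vm.name}: {resource} is not allocated to this VM")
    if write is not None:
        vm.counters[resource] = write
    return vm.counters.get(resource, 0)


def expressible_by_prefix_model(allocated: frozenset) -> bool:
    """True if some prefix model yields exactly `allocated`. The flexible
    model exists for the sets where this is False."""
    return any(prefix_model(g, f) == allocated
               for g in range(len(PMU_RESOURCES)) for f in range(4))


if __name__ == "__main__":
    guest = allocate("guest0", {"GP0", "GP3", "FIXED1"})
    print("prefix model can express it:", expressible_by_prefix_model(guest.allocated))
    print("GP3 ->", guest_access(guest, "GP3", write=42))
    try:
        guest_access(guest, "GP1")
    except VmException as exc:
        print("exception in VM:", exc)
```

The sample allocation {GP0, GP3, FIXED1} is the kind of set a first-N model cannot express, which is the point of the flexible allocation model.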
6.
Publication number: US10705976B2
Publication date: 2020-07-07
Application number: US16023537
Filing date: 2018-06-29
Applicant: Intel Corporation
Inventors: Ravi Sahita, Barry E. Huntley, Vedvyas Shanbhogue, Dror Caspi, Baruch Chaikin, Gilbert Neiger, Arie Aharon, Arumugam Thiyagarajah
IPC classification: G06F12/1036, G06F12/14, G06F9/455, G06F12/109, G06F21/53, G06F21/78, G06F12/1009, G06F12/02
Abstract: Examples include a processor including at least one untrusted extended page table (EPT), circuitry to execute a set of instructions of the instruction set architecture (ISA) of the processor to manage at least one secure extended page table (SEPT), and a physical address translation component to translate a guest physical address of a guest physical memory to a host physical address of a host physical memory using one of the at least one untrusted EPT and the at least one SEPT.
7.
Publication number: US10339327B2
Publication date: 2019-07-02
Application number: US15628012
Filing date: 2017-06-20
Applicant: Intel Corporation
Inventors: Pradeep M. Pappachan, Reshma Lal, Siddhartha Chhabra, Gideon Gerzon, Baruch Chaikin, Bin Xing, William A. Stevens, Jr.
IPC classification: G06F21/76, G06F21/60, H04L29/06, G06F21/57, G06F13/28, H04L9/32, G06F13/20, G06F21/62, G06F21/85, G09C1/00, G06F21/70, G06F21/51, H04L9/06
Abstract: Technologies for securely binding a manifest to a platform include a computing device having a security engine and a field-programmable fuse. The computing device receives a platform manifest indicative of a hardware configuration of the computing device and a manifest hash. The security engine of the computing device blows a bit of the field-programmable fuse and then stores the manifest hash and a counter value of the field-programmable fuse in integrity-protected non-volatile storage. In response to a platform reset, the security engine verifies the stored manifest hash and counter value and then determines whether the stored counter value matches the field-programmable fuse. If verified and current, trusted software may calculate a hash of the platform manifest and compare the calculated hash to the stored manifest hash. If matching, the platform manifest may be used to discover platform hardware. Other embodiments are described and claimed.
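The bind-then-verify sequence of the abstract above, as an added illustrative model (not Intel's code): a fuse array whose blown-bit count can only grow, a record of (manifest hash, fuse counter) stored under a MAC, and the reset-time checks that reject a tampered record, a stale record (rollback to an earlier manifest after the fuse has advanced) and a manifest whose hash no longer matches. The HMAC key standing in for the security engine's integrity protection, the Fuse class and the manifest bytes are assumptions made for the example; a real security engine would use its own integrity mechanism.

```python
"""Illustrative model of binding a platform manifest to a field-programmable
fuse counter. Added example, not Intel's code: ENGINE_KEY, the Fuse class
and the manifest bytes are assumptions."""
import hashlib
import hmac


class Fuse:
    """Field-programmable fuse array: bits can be blown but never cleared,
    so the number of blown bits is a monotonic counter."""

    def __init__(self, bits: int = 32):
        self.bits = bits
        self.blown = 0

    def blow(self) -> int:
        if self.blown >= self.bits:
            raise RuntimeError("fuse array exhausted")
        self.blown += 1
        return self.blown

    def counter(self) -> int:
        return self.blown


# Assumed: a key known only to the security engine. It stands in for the
# integrity protection of the non-volatile record.
ENGINE_KEY = b"\x11" * 32


def manifest_hash(manifest: bytes) -> bytes:
    return hashlib.sha256(manifest).digest()


def _record_mac(h: bytes, counter: int) -> bytes:
    return hmac.new(ENGINE_KEY, h + counter.to_bytes(4, "big"), hashlib.sha256).digest()


def bind_manifest(fuse: Fuse, manifest: bytes) -> dict:
    """Security engine: blow one fuse bit, then store the manifest hash and
    the new fuse counter as an integrity-protected record."""
    h = manifest_hash(manifest)
    ctr = fuse.blow()
    return {"hash": h, "counter": ctr, "mac": _record_mac(h, ctr)}


def verify_record(record: dict, fuse: Fuse) -> bool:
    """Security engine at platform reset: the record must be intact (MAC) and
    current (its counter equals the fuse's blown-bit count)."""
    if not hmac.compare_digest(_record_mac(record["hash"], record["counter"]), record["mac"]):
        return False                       # tampered record
    return record["counter"] == fuse.counter()   # False means a rolled-back record


def check_manifest(record: dict, fuse: Fuse, manifest: bytes) -> bool:
    """Trusted software: only after the engine's check, hash the manifest it
    was handed and compare with the stored hash before using it to discover
    platform hardware."""
    if not verify_record(record, fuse):
        return False
    return hmac.compare_digest(manifest_hash(manifest), record["hash"])


if __name__ == "__main__":
    fuse = Fuse()
    v1 = b"constructed manifest v1: 2 x NIC, 1 x TPM"      # constructed sample
    rec1 = bind_manifest(fuse, v1)
    print("v1 accepted:", check_manifest(rec1, fuse, v1))
    v2 = b"constructed manifest v2: 2 x NIC, 1 x TPM, 1 x GPU"
    rec2 = bind_manifest(fuse, v2)
    print("v2 accepted:", check_manifest(rec2, fuse, v2))
    print("rollback to v1 accepted:", check_manifest(rec1, fuse, v1))
```

Each rebind consumes one fuse bit, so the number of manifest updates a platform can accept over its life is bounded by the size of the fuse array; that is the price of an anti-rollback counter that software cannot reset.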
8.
Publication number: US20230128711A1
Publication date: 2023-04-27
Application number: US18062957
Filing date: 2022-12-07
Applicant: Intel Corporation
Inventors: Reshma Lal, Gideon Gerzon, Baruch Chaikin, Siddhartha Chhabra, Pradeep M. Pappachan, Bin Xing
IPC classification: G06F21/60, H04L9/40, G06F21/57, G06F13/28, H04L9/32, G06F21/62, G06F21/85, G09C1/00, G06F13/20
Abstract: Technologies for trusted I/O include a computing device having a processor, a channel identifier filter, and an I/O controller. The I/O controller may generate an I/O transaction that includes a channel identifier and a memory address. The channel identifier filter verifies that the memory address of the I/O transaction is within a processor reserved memory region associated with the channel identifier. The processor reserved memory region is not accessible to software executed by the computing device. The processor encrypts I/O data at the memory address in response to invocation of a processor feature and copies the encrypted data to a memory buffer outside of the processor reserved memory region. The processor may securely clean the processor reserved memory region before encrypting and copying the data. The processor may wrap and unwrap programming information for the channel identifier filter. Other embodiments are described and claimed.
9.
Publication number: US11630904B2
Publication date: 2023-04-18
Application number: US17304391
Filing date: 2021-06-21
Applicant: Intel Corporation
Abstract: In one embodiment, an apparatus includes a channel filter and a security processor. The security processor is to: receive a plurality of device access control policies from a protected non-volatile storage of a platform; determine whether the plurality of device access control policies are verified; program the channel filter with a plurality of filter entries each associated with one of the plurality of device access control policies based on the determination; and remove a security attribute of the security processor from a policy register of the channel filter, to lock the channel filter for a boot cycle of the platform. Other embodiments are described and claimed.
10.
Publication number: US11126733B2
Publication date: 2021-09-21
Application number: US16113013
Filing date: 2018-08-27
Applicant: Intel Corporation
Abstract: In one embodiment, an apparatus includes: a memory encryption circuit to encrypt data from a protected device, the data to be stored to a memory; and a filter circuit coupled to the memory encryption circuit, the filter circuit including a plurality of filter entries, each filter entry to store a channel identifier corresponding to a protected device, an access control policy for the protected device, and a session encryption key provided by an enclave, the enclave permitted to access the data according to the access control policy, where the filter circuit is to receive the session encryption key from the enclave in response to validation of the enclave. Other embodiments are described and claimed.
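One added illustrative model of the channel filter that entries 2, 3, 8, 9 and 10 above describe from different angles (not Intel's code, and not a description of any real part): the security processor verifies the device access-control policies from protected storage, programs one filter entry per policy and then removes its own attribute from the policy register so the filter stays locked for the boot cycle (entries 2 and 9); a DMA transaction carrying a channel identifier passes only if the whole transfer lies inside the processor reserved memory (PRM) region bound to that channel (entries 3 and 8); and a session key is accepted into the entry only after the enclave presenting it validates (entry 10). The policy encoding, the HMAC key standing in for the protected storage's integrity protection, the "r"/"w" direction strings and the enclave measurement values are assumptions made for the example.

```python
"""Illustrative model of a trusted-I/O channel filter. Added example, not
Intel's code: POLICY_KEY, the Policy/FilterEntry encoding, the direction
strings and the measurement values are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

POLICY_KEY = b"\x22" * 32      # assumed: key held by the security processor
SECURITY_PROCESSOR = "SP"      # security attribute initially in the policy register


@dataclass
class Policy:
    channel_id: int
    prm_base: int              # PRM region bound to this channel
    prm_size: int
    allowed: str               # assumed encoding: "r", "w" or "rw" (device DMA direction)

    def encode(self) -> bytes:
        return f"{self.channel_id},{self.prm_base},{self.prm_size},{self.allowed}".encode()


def sign_policies(policies) -> bytes:
    """Protected non-volatile storage: the policy set carries an integrity tag."""
    blob = b"|".join(p.encode() for p in policies)
    return hmac.new(POLICY_KEY, blob, hashlib.sha256).digest()


@dataclass
class FilterEntry:
    policy: Policy
    session_key: Optional[bytes] = None


class ChannelFilter:
    def __init__(self):
        self.entries = {}
        self.policy_register = {SECURITY_PROCESSOR}   # agents allowed to program the filter

    def program(self, agent: str, policies, tag: bytes) -> bool:
        """Security processor: verify the policies, program one entry per
        policy, then drop its own attribute from the policy register so
        nothing can reprogram the filter until the next boot cycle."""
        if agent not in self.policy_register:
            return False                                   # locked, or wrong agent
        if not hmac.compare_digest(sign_policies(policies), tag):
            return False                                   # policies not verified
        self.entries = {p.channel_id: FilterEntry(p) for p in policies}
        self.policy_register.discard(agent)                # lock for this boot cycle
        return True

    def check_transaction(self, channel_id: int, addr: int, length: int, direction: str) -> bool:
        """Pass only if the whole transfer [addr, addr+length) lies inside the
        PRM region bound to the channel and the direction is permitted."""
        entry = self.entries.get(channel_id)
        if entry is None or length <= 0 or direction not in entry.policy.allowed:
            return False
        p = entry.policy
        return p.prm_base <= addr and addr + length <= p.prm_base + p.prm_size

    def install_session_key(self, channel_id: int, key: bytes,
                            measurement: bytes, expected: bytes) -> bool:
        """Accept an enclave's session key only when the enclave validates
        (here: its measurement equals the expected value)."""
        entry = self.entries.get(channel_id)
        if entry is None or not hmac.compare_digest(measurement, expected):
            return False
        entry.session_key = key
        return True


if __name__ == "__main__":
    # Constructed sample policies: channel 7 may write into one 4 KiB PRM page,
    # channel 9 may read and write a 2 KiB region.
    policies = [Policy(7, 0x1000, 0x1000, "w"), Policy(9, 0x3000, 0x800, "rw")]
    tag = sign_policies(policies)
    flt = ChannelFilter()
    print("programmed:", flt.program("SP", policies, tag))
    print("reprogram after lock:", flt.program("SP", policies, tag))
    print("in-region write:", flt.check_transaction(7, 0x1000, 0x100, "w"))
    print("write crossing region end:", flt.check_transaction(7, 0x1F80, 0x100, "w"))
```

The boundary check uses `addr + length <= base + size` rather than testing only the start address; a filter that checks the first byte only would let a transfer that begins inside the region spill into memory the channel is not bound to.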