公开(公告)号：US11966742B2

公开(公告)日：2024-04-23

申请号：US18311810

申请日：2023-05-03

Applicant: Intel Corporation

Inventor： Eliezer Weissmann ,  Mark Charney ,  Michael Mishaeli ,  Robert Valentine ,  Itai Ravid ,  Jason W. Brandt ,  Gilbert Neiger ,  Baruch Chaikin ,  Efraim Rotem

IPC: G06F9/38 ,  G06F9/30

CPC classification number: G06F9/3851 ,  G06F9/30043 ,  G06F9/30076 ,  G06F9/30101 ,  G06F9/3836 ,  G06F9/3842

Abstract: Systems, methods, and apparatuses relating to instructions to reset software thread runtime property histories in a hardware processor are described. In one embodiment, a hardware processor includes a hardware guide scheduler comprising a plurality of software thread runtime property histories; a decoder to decode a single instruction into a decoded single instruction, the single instruction having a field that identifies a model-specific register; and an execution circuit to execute the decoded single instruction to check that an enable bit of the model-specific register is set, and when the enable bit is set, to reset the plurality of software thread runtime property histories of the hardware guide scheduler.

公开(公告)号：US20210319118A1

公开(公告)日：2021-10-14

申请号：US17304391

申请日：2021-06-21

Applicant: Intel Corporation

Inventor： Pradeep M. Pappachan ,  Siddhartha Chhabra ,  Bin Xing ,  Reshma Lal ,  Baruch Chaikin

IPC: G06F21/60 ,  G06F21/62 ,  H04L9/08 ,  H04L9/32 ,  G06F21/53 ,  G06F21/57 ,  G06F21/82

Abstract: In one embodiment, an apparatus includes a channel filter and a security processor. The security processor is to: receive a plurality of device access control policies from a protected non-volatile storage of a platform; determine whether the plurality of device access control policies are verified; program the channel filter with a plurality of filter entries each associated with one of the plurality of device access control policies based on the determination; and remove a security attribute of the security processor from a policy register of the channel filter, to lock the channel filter for a boot cycle of the platform. Other embodiments are described and claimed.

公开(公告)号：US20170364707A1

公开(公告)日：2017-12-21

申请号：US15628008

申请日：2017-06-20

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Gideon Gerzon ,  Baruch Chaikin ,  Siddhartha Chhabra ,  Pradeep M. Pappachan ,  Bin Xing

IPC: G06F21/62 ,  G06F21/57 ,  G06F21/60 ,  G06F13/20 ,  G06F21/51

Abstract: Technologies for trusted I/O include a computing device having a processor, a channel identifier filter, and an I/O controller. The I/O controller may generate an I/O transaction that includes a channel identifier and a memory address. The channel identifier filter verifies that the memory address of the I/O transaction is within a processor reserved memory region associated with the channel identifier. The processor reserved memory region is not accessible to software executed by the computing device. The processor encrypts I/O data at the memory address in response to invocation of a processor feature and copies the encrypted data to a memory buffer outside of the processor reserved memory region. The processor may securely clean the processor reserved memory region before encrypting and copying the data. The processor may wrap and unwrap programming information for the channel identifier filter. Other embodiments are described and claimed.

公开(公告)号：US20160171248A1

公开(公告)日：2016-06-16

申请号：US14572060

申请日：2014-12-16

Applicant: Intel Corporation

Inventor： Nadav Nesher ,  Alex Berenzon ,  Baruch Chaikin

IPC: G06F21/71 ,  G06F21/60

CPC classification number: G06F21/53 ,  G06F21/57 ,  G06F21/71 ,  H04L2209/127

Abstract: An embodiment includes a processor coupled to memory to perform operations comprising: creating a first trusted execution environment (TXE), in protected non-privileged user address space of the memory, which makes a first measurement for at least one of first data and first executable code and which encrypts the first measurement with a persistent first hardware based encryption key while the first measurement is within the first TXE; creating a second TXE, in the non-privileged user address space, which makes a second measurement for at least one of second data and second executable code; creating a third TXE in the non-privileged user address space; creating a first secure communication channel between the first and third TXEs and a second secure communication channel between the second and third TXEs; and communicating the first measurement between the first and third TXEs via the first secure communication channel. Other embodiments are described herein.

Abstract translation: 实施例包括耦合到存储器以执行操作的处理器，其包括：在存储器的受保护非特权用户地址空间中创建第一可信执行环境（TXE），其对第一数据和第一可执行文件中的至少一个进行第一测量 代码，并且其在第一测量在第一TXE内时利用持久的基于硬件的第一硬件加密密钥对第一测量进行加密; 在非特权用户地址空间中创建第二TXE，其为第二数据和第二可执行代码中的至少一个进行第二测量; 在非特权用户地址空间中创建第三个TXE; 在第一和第三TXE之间创建第一安全通信信道，以及第二和第三TXE之间的第二安全通信信道; 以及经由所述第一安全通信信道在所述第一和第三TXE之间传送所述第一测量。 本文描述了其它实施例。

公开(公告)号：US20230128711A1

公开(公告)日：2023-04-27

申请号：US18062957

申请日：2022-12-07

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Gideon Gerzon ,  Baruch Chaikin ,  Siddhartha Chhabra ,  Pradeep M. Pappachan ,  Bin Xing

IPC: G06F21/60 ,  H04L9/40 ,  G06F21/57 ,  G06F13/28 ,  H04L9/32 ,  G06F21/62 ,  G06F21/85 ,  G09C1/00 ,  G06F13/20

Abstract: Technologies for trusted I/O include a computing device having a processor, a channel identifier filter, and an I/O controller. The I/O controller may generate an I/O transaction that includes a channel identifier and a memory address. The channel identifier filter verifies that the memory address of the I/O transaction is within a processor reserved memory region associated with the channel identifier. The processor reserved memory region is not accessible to software executed by the computing device. The processor encrypts I/O data at the memory address in response to invocation of a processor feature and copies the encrypted data to a memory buffer outside of the processor reserved memory region. The processor may securely clean the processor reserved memory region before encrypting and copying the data. The processor may wrap and unwrap programming information for the channel identifier filter. Other embodiments are described and claimed.

公开(公告)号：US11630904B2

公开(公告)日：2023-04-18

申请号：US17304391

申请日：2021-06-21

Applicant: Intel Corporation

Inventor： Pradeep M. Pappachan ,  Siddhartha Chhabra ,  Bin Xing ,  Reshma Lal ,  Baruch Chaikin

IPC: G06F21/00 ,  G06F21/60 ,  G06F21/62 ,  H04L9/08 ,  H04L9/32 ,  G06F21/53 ,  G06F21/57 ,  G06F21/82

Abstract: In one embodiment, an apparatus includes a channel filter and a security processor. The security processor is to: receive a plurality of device access control policies from a protected non-volatile storage of a platform; determine whether the plurality of device access control policies are verified; program the channel filter with a plurality of filter entries each associated with one of the plurality of device access control policies based on the determination; and remove a security attribute of the security processor from a policy register of the channel filter, to lock the channel filter for a boot cycle of the platform. Other embodiments are described and claimed.

公开(公告)号：US11126733B2

公开(公告)日：2021-09-21

申请号：US16113013

申请日：2018-08-27

Applicant: Intel Corporation

Inventor： Pradeep M. Pappachan ,  Siddhartha Chhabra ,  Bin Xing ,  Reshma Lal ,  Baruch Chaikin

IPC: G06F21/00 ,  G06F21/60 ,  G06F21/62 ,  H04L9/08 ,  H04L9/32 ,  G06F21/53 ,  G06F21/57 ,  G06F21/82

Abstract: In one embodiment, an apparatus includes: a memory encryption circuit to encrypt data from a protected device, the data to be stored to a memory; and a filter circuit coupled to the memory encryption circuit, the filter circuit including a plurality of filter entries, each filter entry to store a channel identifier corresponding to a protected device, an access control policy for the protected device, and a session encryption key provided by an enclave, the enclave permitted to access the data according to the access control policy, where the filter circuit is to receive the session encryption key from the enclave in response to validation of the enclave. Other embodiments are described and claimed.

公开(公告)号：US10789371B2

公开(公告)日：2020-09-29

申请号：US15628008

申请日：2017-06-20

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Gideon Gerzon ,  Baruch Chaikin ,  Siddhartha Chhabra ,  Pradeep M. Pappachan ,  Bin Xing

IPC: G06F21/00 ,  G06F21/60 ,  H04L29/06 ,  G06F21/57 ,  G06F13/28 ,  H04L9/32 ,  G06F21/62 ,  G06F21/85 ,  G09C1/00 ,  G06F13/20 ,  H04L9/06 ,  G06F21/51

Abstract: Technologies for trusted I/O include a computing device having a processor, a channel identifier filter, and an I/O controller. The I/O controller may generate an I/O transaction that includes a channel identifier and a memory address. The channel identifier filter verifies that the memory address of the I/O transaction is within a processor reserved memory region associated with the channel identifier. The processor reserved memory region is not accessible to software executed by the computing device. The processor encrypts I/O data at the memory address in response to invocation of a processor feature and copies the encrypted data to a memory buffer outside of the processor reserved memory region. The processor may securely clean the processor reserved memory region before encrypting and copying the data. The processor may wrap and unwrap programming information for the channel identifier filter. Other embodiments are described and claimed.

公开(公告)号：US20170364689A1

公开(公告)日：2017-12-21

申请号：US15628012

申请日：2017-06-20

Applicant: Intel Corporation

Inventor： Pradeep M. Pappachan ,  Reshma Lal ,  Siddhartha Chhabra ,  Gideon Gerzon ,  Baruch Chaikin ,  Bin Xing ,  William A. Stevens, JR.

IPC: G06F21/60 ,  G06F21/57 ,  H04L9/32

CPC classification number: G06F21/602 ,  G06F13/20 ,  G06F13/28 ,  G06F21/51 ,  G06F21/57 ,  G06F21/6218 ,  G06F21/6281 ,  G06F21/85 ,  G09C1/00 ,  H04L9/0637 ,  H04L9/32 ,  H04L9/3242 ,  H04L63/12 ,  H04L63/126

Abstract: Technologies for securely binding a manifest to a platform include a computing device having a security engine and a field-programmable fuse. The computing device receives a platform manifest indicative of a hardware configuration of the computing device and a manifest hash. The security engine of the computing device blows a bit of a field programmable fuse and then stores the manifest hash and a counter value of the field-programmable fuse in integrity-protected non-volatile storage. In response to a platform reset, the security engine verifies the stored manifest hash and counter value and then determines whether the stored counter value matches the field-programmable fuse. If verified and current, trusted software may calculate a hash of the platform manifest and compare the calculated hash to the stored manifest hash. If matching, the platform manifest may be used to discover platform hardware. Other embodiments are described and claimed.

公开(公告)号：US12153665B2

公开(公告)日：2024-11-26

申请号：US17133455

申请日：2020-12-23

Applicant: Intel Corporation

Inventor： Vedvyas Shanbhogue ,  Baruch Chaikin

IPC: G06F21/53 ,  G06F9/30 ,  G06F9/38 ,  G06F9/445 ,  G06F9/455 ,  G06F9/52

Abstract: Techniques and mechanisms to efficiently provide features of a secure authentication mode (SEAM) by a processor. In an embodiment, cores of the processor support an instruction set which comprises instructions to invoke the SEAM. One such core installs an authenticated code module (ACM), which is executed to load a persistent SEAM loader module (P-SEAMLDR) in a reserved region of a system memory. In turn, the P-SEAMLDR loads into the reserved region a SEAM module which facilitates trust domain extension (TDX) protections for a given trusted domain. In another embodiment, the instruction set supports a SEAM call instruction with which either of the P-SEAMLDR or the SEAM module is accessed in the reserved region.