公开(公告)号：US20250004879A1

公开(公告)日：2025-01-02

申请号：US18346034

申请日：2023-06-30

Applicant: Intel Corporation

Inventor： David M. Durham ,  Sergej Deutsch ,  Salmin Sultana ,  Karanvir Grewal

IPC: G06F11/10 ,  G06F9/30 ,  G06F21/60

Abstract: Techniques for error correction with memory safety and compartmentalization are described. In an embodiment, an apparatus includes a processor to provide a first set of data bits and a first tag in connection with a store operation, and an error correcting code (ECC) generation circuit to generate a first set of ECC bits based on a first set of data bits and a first tag.

公开(公告)号：US12045174B2

公开(公告)日：2024-07-23

申请号：US17704771

申请日：2022-03-25

Applicant: Intel Corporation

Inventor： David M. Durham ,  Michael Lemay

IPC: G06F12/14 ,  G06F9/30

CPC classification number: G06F12/1408 ,  G06F9/30043 ,  G06F12/1441 ,  G06F12/1458

Abstract: Embodiments are directed to tagless implicit integrity with multi-perspective pattern search for memory safety. An embodiment of an apparatus includes one or more processors comprising hardware circuitry to: access encrypted data stored in a memory hierarchy using a pointer; decrypt the encrypted data using a current version of a pointer tag of the pointer to yield first decrypted data; perform an entropy test on the first decrypted data; responsive to the entropy test failing to detect patterns in the first decrypted data, re-decrypt the encrypted data using one or more different versions of the pointer tag of the pointer to yield one or more other decrypted data; perform the entropy test on the one or more other decrypted versions; and responsive to the entropy test detecting the patterns in the one or more other decrypted data, signal an exception to the one or more processors with respect to the encrypted data.

公开(公告)号：US20240176749A1

公开(公告)日：2024-05-30

申请号：US18528124

申请日：2023-12-04

Applicant: Intel Corporation

Inventor： Siddhartha Chhabra ,  David M. Durham

IPC: G06F12/14 ,  G06F21/52 ,  G06F21/53 ,  G06F21/60 ,  G06F21/64 ,  G06F21/71 ,  G06F21/72 ,  H04L9/06 ,  H04L9/08 ,  H04L9/14 ,  H04L9/32 ,  H04L9/40

CPC classification number: G06F12/1408 ,  G06F21/52 ,  G06F21/53 ,  G06F21/602 ,  G06F21/64 ,  G06F21/71 ,  G06F21/72 ,  H04L9/0631 ,  H04L9/0637 ,  H04L9/0894 ,  H04L9/14 ,  H04L9/3273 ,  H04L63/0428 ,  H04L63/061 ,  H04L63/126 ,  H04L63/1466 ,  H04L2463/062

Abstract: In one embodiment, a multi-tenant computing system includes a processor including a plurality of cores on which agents of tenants of the multi-tenant computing system are to execute, a configuration storage, and a memory execution circuit. The configuration storage includes a first configuration register to store configuration information associated with the memory execution circuit. The first configuration register is to store a mode identifier to identify a mode of operation of the memory execution circuit. The memory execution circuit, in a first mode of operation, is to receive encrypted data of a first tenant, the encrypted data encrypted by the first tenant, generate an integrity value for the encrypted data, and send the encrypted data and the integrity value to a memory, the integrity value not visible to the software of the multi-tenant computing system. Other embodiments are described and claimed.

公开(公告)号：US11954045B2

公开(公告)日：2024-04-09

申请号：US17485213

申请日：2021-09-24

Applicant: Intel Corporation

Inventor： David M. Durham ,  Michael LeMay ,  Santosh Ghosh ,  Sergej Deutsch

IPC: G06F12/14 ,  G06F12/0802 ,  G06F21/55 ,  G06F21/56 ,  G06F21/79

CPC classification number: G06F12/1408 ,  G06F12/0802 ,  G06F21/554 ,  G06F2212/466

Abstract: Technologies disclosed herein provide one example of a system that includes processor circuitry and integrity circuitry. The processor circuitry is to receive a first request associated with an application to perform a memory access operation for an address range in a memory allocation of memory circuitry. The integrity circuitry is to determine a location of a metadata region within a cacheline that includes at least some of the address range, identify a first portion of the cacheline based at least in part on a first data bounds value stored in the metadata region, generate a first integrity value based on the first portion of the cacheline, and prevent the memory access operation in response to determining that the first integrity value does not correspond to a second integrity value stored in the metadata region.

公开(公告)号：US11940927B2

公开(公告)日：2024-03-26

申请号：US17839877

申请日：2022-06-14

Applicant: Intel Corporation

Inventor： David M. Durham ,  Michael D. LeMay

IPC: G06F12/00 ,  G06F12/02 ,  G06F12/1009 ,  G06F12/1045 ,  G06F12/14

CPC classification number: G06F12/1009 ,  G06F12/0238 ,  G06F12/1063 ,  G06F12/1408

Abstract: Techniques for memory tagging are disclosed. In the illustrative embodiment, 16 bits of a virtual memory address are used as memory tag bits. In a page table entry corresponding to the virtual memory address, page tag bits indicate which of the 16 bits of the virtual memory address are to be sent to the memory as memory tag bits when a memory operation is requested on the virtual memory address. The memory can then compare the memory tag bits sent with the physical memory address to memory tag bits stored on the memory that correspond to the physical memory address. If the memory tag bits match, then the operation is allowed to proceed.

公开(公告)号：US20240053904A1

公开(公告)日：2024-02-15

申请号：US17944352

申请日：2022-09-14

Applicant: Intel Corporation

Inventor： Sergej Deutsch ,  David M. Durham ,  Karanvir Grewal ,  Rajat Agarwal

IPC: G06F3/06

CPC classification number: G06F3/0622 ,  G06F3/0673 ,  G06F3/0629

Abstract: The technology disclosed herein comprises a processor; a memory to store data and a plurality of error correcting code (ECC) bits associated with the data; and a memory controller coupled to the memory, the memory controller to receive a write request from the processor and, when an access control field is selected in the write request, perform an exclusive OR (XOR) operation on the plurality of ECC bits and a fixed encoding pattern to generate a plurality of encoded ECC bits and store the data and the plurality of encoded ECC bits in the memory.

公开(公告)号：US20240004659A1

公开(公告)日：2024-01-04

申请号：US17853087

申请日：2022-06-29

Applicant: Intel Corporation

Inventor： Michael LeMay ,  Dan Baum ,  Joseph Cihula ,  Joao Batista Correa Gomes Moreira ,  Anjo Lucas Vahldiek-Oberwagner ,  Scott Constable ,  Andreas Kleen ,  Konrad Lai ,  Henrique de Medeiros Kawakami ,  David M. Durham

IPC: G06F9/30

CPC classification number: G06F9/3016

Abstract: Techniques for an instruction for a Runtime Call operation are described. An example apparatus comprises decoder circuitry to decode a single instruction, the single instruction to include a field for an identifier of an opcode, the opcode to indicate execution circuitry is to execute a no operation when a runtime call destination equals a predetermined value; and execute an indirect call with the runtime call destination as a destination address when the runtime call destination does not equal the predetermined value. Other examples are described and claimed.

公开(公告)号：US11783081B2

公开(公告)日：2023-10-10

申请号：US17022177

申请日：2020-09-16

Applicant: Intel Corporation

Inventor： David M. Durham ,  Ravi L. Sahita ,  Barry E. Huntley ,  Nikhil M. Deshpande

IPC: G06F21/62 ,  H04L9/08 ,  H04L9/32 ,  G06F21/53 ,  H04L29/06 ,  H04L9/40

CPC classification number: G06F21/6245 ,  G06F21/53 ,  H04L9/08 ,  H04L9/0894 ,  H04L9/3236 ,  H04L63/06

Abstract: In a method to utilize a secure public cloud, a computer receives a domain manager image and memory position-dependent address information in response to requesting a service from a cloud services provider. The computer also verifies the domain manager image and identifies a key domain key to be used to encrypt data stored in a key domain of a key domain-capable server. The computer also uses the key domain key and the memory-position dependent address information to encrypt a domain launch image such that the encrypted domain launch image is cryptographically bound to at least one memory location of the key domain. The computer also encrypts the key domain key and sends the encrypted domain launch image and the encrypted key domain key to the key domain-capable server, to cause a processor of the key domain-capable server to create the key domain. Other embodiments are described and claimed.

公开(公告)号：US11775332B2

公开(公告)日：2023-10-03

申请号：US17532886

申请日：2021-11-22

Applicant: Intel Corporation

Inventor： David M. Durham ,  Siddhartha Chhabra ,  Michael E. Kounavis

IPC: G06F12/14 ,  G06F21/64 ,  G06F21/79 ,  G06F9/455 ,  H04L9/40 ,  H04L69/04 ,  G06F12/0891 ,  G06F21/53 ,  G06F12/16 ,  G06F21/80

CPC classification number: G06F9/45558 ,  G06F12/0891 ,  G06F12/1408 ,  G06F21/53 ,  G06F21/79 ,  H04L63/0227 ,  H04L63/0428 ,  H04L63/0435 ,  H04L63/0471 ,  H04L69/04 ,  H04L63/123

Abstract: Systems and methods for memory isolation are provided. The methods include receiving a request to write a data line to a physical memory address, where the physical memory address includes a key identifier, selecting an encryption key from a key table based on the key identifier of the physical memory address, determining whether the data line is compressible, compressing the data line to generate a compressed line in response to determining that the data line is compressible, where the compressed line includes compression metadata and compressed data, adding encryption metadata to the compressed line, where the encryption metadata is indicative of the encryption key, encrypting a part of the compressed line with the encryption key to generate an encrypted line in response to adding the encryption metadata, and writing the encrypted line to a memory device at the physical memory address. Other embodiments are described and claimed.

公开(公告)号：US11687654B2

公开(公告)日：2023-06-27

申请号：US15705562

申请日：2017-09-15

Applicant: Intel Corporation

Inventor： Ravi L. Sahita ,  Baiju V. Patel ,  Barry E. Huntley ,  Gilbert Neiger ,  Hormuzd M. Khosravi ,  Ido Ouziel ,  David M. Durham ,  Ioannis T. Schoinas ,  Siddhartha Chhabra ,  Carlos V. Rozas ,  Gideon Gerzon

IPC: G06F21/57 ,  G06F21/62 ,  G06F12/14 ,  H04L9/06 ,  H04L9/40 ,  G06F21/53 ,  G06F21/71 ,  G06F21/79 ,  G06F9/455

CPC classification number: G06F21/57 ,  G06F12/1408 ,  G06F21/53 ,  G06F21/6218 ,  G06F21/71 ,  G06F21/79 ,  H04L9/0618 ,  H04L63/061 ,  G06F9/45558 ,  G06F2009/45587 ,  G06F2212/1052 ,  G06F2221/2107 ,  G06F2221/2149

Abstract: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, a processing device includes a memory ownership table (MOT) that is access-controlled against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to manage a trust domain (TD), maintain a trust domain control structure (TDCS) for managing global metadata for each TD, maintain an execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is access-controlled against software accesses, and reference the MOT to obtain at least one key identifier (key ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key.