公开(公告)号：US11989595B2

公开(公告)日：2024-05-21

申请号：US17526097

申请日：2021-11-15

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Pradeep Pappachan ,  Luis Kida ,  Soham Jayesh Desai ,  Sujoy Sen ,  Selvakumar Panneer ,  Robert Sharp

IPC: G06F9/50 ,  G06F9/38 ,  G06T1/20 ,  G06T1/60

CPC classification number: G06F9/5083 ,  G06F9/3814 ,  G06F9/5027 ,  G06T1/20 ,  G06T1/60

Abstract: An apparatus to facilitate disaggregated computing for a distributed confidential computing environment is disclosed. The apparatus includes one or more processors to: provide a remote GPU middleware layer to act as a proxy for an application stack on a client platform separate from the apparatus; communicate, by the remote GPU middleware layer, with a kernel mode driver of the one or more processors to cause the host memory to be allocated for command buffers and data structures received from the client platform for consumption by a command streamer of a remote GPU of the apparatus; and invoke, by the remote GPU middleware layer, the kernel mode driver to submit a workload generated by the application stack, the workload submitted for processing by the remote GPU using the command buffers and the data structures allocated in the host memory as directed by the command streamer.

公开(公告)号：US11784990B2

公开(公告)日：2023-10-10

申请号：US17549014

申请日：2021-12-13

Applicant: Intel Corporation

Inventor： Luis Kida ,  Reshma Lal

IPC: H04L29/06 ,  H04L9/40 ,  G06F13/28 ,  H04L9/08 ,  G06F9/50 ,  H04L9/32

CPC classification number: H04L63/0485 ,  G06F9/5044 ,  G06F9/5083 ,  G06F13/28 ,  H04L9/085 ,  H04L9/0825 ,  H04L9/3242 ,  H04L63/0435 ,  H04L63/061 ,  H04L63/123

Abstract: An apparatus to facilitate protecting data transfer between a secure application and networked devices is disclosed. The apparatus includes a source network interface controller (NIC); and a processor to provide a trusted execution environment (TEE) to run an application, wherein the source NIC operates outside of a trust boundary of the TEE, and wherein the processor is to utilize the application in the TEE to: generate encrypted data of the application; copy the encrypted data to a local shared buffer; interface with the source NIC to initiate a copy, over a network, of the encrypted data from the local shared buffer to a remote buffer of a remote platform; and communicate at least one message with the remote platform to indicate that the encrypted data is available and to enable the remote platform to verify integrity of the encrypted data, wherein the one least one message comprises an authentication tag.

公开(公告)号：US11373013B2

公开(公告)日：2022-06-28

申请号：US16234871

申请日：2018-12-28

Applicant: Intel Corporation

Inventor： Luis Kida ,  Krystof Zmudzinski ,  Reshma Lal ,  Pradeep Pappachan ,  Abhishek Basak ,  Anna Trikalinou

IPC: G06F21/78 ,  G06F21/44 ,  G06F21/85

Abstract: Technologies for secure I/O include a compute device having a processor, a memory, an input/output (I/O) device, and a filter logic. The filter logic is configured to receive a first key identifier from the processor, wherein the first key identifier is indicative of a shared memory range includes a shared key identifier range to be used for untrusted I/O devices and receive a transaction from the I/O device, wherein the transaction includes a second key identifier and a trust device ID indicator associated with the I/O device. The filter logic is further configured to determine whether the transaction is asserted with the trust device ID indicator indicative of whether the I/O device is assigned to a trust domain and determine, in response to a determination that the transaction is not asserted with the trust device ID indicator, whether the second key identifier matches the first key identifier.

公开(公告)号：US20220100580A1

公开(公告)日：2022-03-31

申请号：US17526097

申请日：2021-11-15

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Pradeep Pappachan ,  Luis Kida ,  Soham Jayesh Desai ,  Sujoy Sen ,  Selvakumar Panneer ,  Robert Sharp

IPC: G06F9/50 ,  G06T1/60 ,  G06T1/20 ,  G06F9/38

Abstract: An apparatus to facilitate disaggregated computing for a distributed confidential computing environment is disclosed. The apparatus includes one or more processors to: provide a remote GPU middleware layer to act as a proxy for an application stack on a client platform separate from the apparatus; communicate, by the remote GPU middleware layer, with a kernel mode driver of the one or more processors to cause the host memory to be allocated for command buffers and data structures received from the client platform for consumption by a command streamer of a remote GPU of the apparatus; and invoke, by the remote GPU middleware layer, the kernel mode driver to submit a workload generated by the application stack, the workload submitted for processing by the remote GPU using the command buffers and the data structures allocated in the host memory as directed by the command streamer.

公开(公告)号：US12189542B2

公开(公告)日：2025-01-07

申请号：US17543267

申请日：2021-12-06

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Pradeep M. Pappachan ,  Luis Kida ,  Krystof Zmudzinski ,  Siddhartha Chhabra ,  Abhishek Basak ,  Alpa Narendra Trivedi ,  Anna Trikalinou ,  David M. Lee ,  Vedvyas Shanbhogue ,  Utkarsh Y. Kakaiya

IPC: G06F12/14 ,  G06F9/38 ,  G06F9/455 ,  G06F12/0802 ,  G06F21/57 ,  G06F21/60 ,  G06F21/64 ,  G06F21/76 ,  G06F21/79 ,  H04L9/06 ,  H04L9/08 ,  H04L9/32 ,  H04L41/046 ,  H04L41/28

Abstract: Technologies for secure device configuration and management include a computing device having an I/O device. A trusted agent of the computing device is trusted by a virtual machine monitor of the computing device. The trusted agent securely commands the I/O device to enter a trusted I/O mode, securely commands the I/O device to set a global lock on configuration registers, receives configuration data from the I/O device, and provides the configuration data to a trusted execution environment. In the trusted I/O mode, the I/O device rejects a configuration command if a configuration register associated with the configuration command is locked and the configuration command is not received from the trusted agent. The trusted agent may provide attestation information to the trusted execution environment. The trusted execution environment may verify the configuration data and the attestation information. Other embodiments are described and claimed.

公开(公告)号：US12149513B2

公开(公告)日：2024-11-19

申请号：US18453970

申请日：2023-08-22

Applicant: Intel Corporation

Inventor： Luis Kida ,  Reshma Lal

IPC: H04L29/06 ,  G06F9/50 ,  G06F13/28 ,  H04L9/08 ,  H04L9/32 ,  H04L9/40

Abstract: An apparatus to facilitate protecting data transfer between a secure application and networked devices is disclosed. The apparatus includes a processor to provide a trusted execution environment (TEE) to run an application, wherein the processor is to utilize the application in the TEE to: generate encrypted data of the application; copy the encrypted data to a local shared buffer; interface with a source network interface controller (NIC) to initiate a copy over a network of the encrypted data from the local shared buffer to a remote buffer of a remote platform, wherein the source NIC operates outside of a trust boundary of the TEE; and communicate at least one message with the remote platform to indicate that the encrypted data is available and to enable the remote platform to verify integrity of the encrypted data, wherein the one least one message comprises an authentication tag.

公开(公告)号：US20240236058A1

公开(公告)日：2024-07-11

申请号：US18416569

申请日：2024-01-18

Applicant: Intel Corporation

Inventor： Luis Kida ,  Reshma Lal

IPC: H04L9/40 ,  G06F9/50 ,  G06F13/28 ,  H04L9/08 ,  H04L9/32

CPC classification number: H04L63/0485 ,  G06F9/5044 ,  G06F9/5083 ,  G06F13/28 ,  H04L9/0825 ,  H04L9/085 ,  H04L9/3242 ,  H04L63/0435 ,  H04L63/061 ,  H04L63/123

Abstract: An apparatus to facilitate protecting data transfer between a secure application and networked devices is disclosed. The apparatus includes a processor to provide a trusted execution environment (TEE) to run an application, wherein the processor is to: generate, via the application in the TEE, encrypted data, wherein the encrypted data comprises a payload; copy, via the application in the TEE, the encrypted data to a local buffer; interface, using the application in the TEE, with a source network interface controller (NIC) to initiate a copy over a network of the encrypted data from the local buffer to a remote buffer of a remote platform; and communicate, after completing the copy of the network of the encrypted data, at least one message with the remote platform to indicate that the encrypted data is available and to enable the remote platform to verify integrity of the encrypted data.

公开(公告)号：US12033005B2

公开(公告)日：2024-07-09

申请号：US17532562

申请日：2021-11-22

Applicant: Intel Corporation

Inventor： Reshma Lal ,  Pradeep Pappachan ,  Luis Kida ,  Soham Jayesh Desai ,  Sujoy Sen ,  Selvakumar Panneer ,  Robert Sharp

IPC: G06F9/50 ,  G06F9/38 ,  G06T1/20 ,  G06T1/60

CPC classification number: G06F9/5083 ,  G06F9/3814 ,  G06F9/5027 ,  G06T1/20 ,  G06T1/60

Abstract: An apparatus to facilitate disaggregated computing for a distributed confidential computing environment is disclosed. The apparatus includes a programmable integrated circuit (IC) comprising secure device manager (SDM) hardware circuitry to: receive a tenant bitstream of a tenant and a tenant use policy for utilization of the programmable IC via the tenant bitstream, wherein the tenant use policy is cryptographically bound to the tenant bitstream by a cloud service provider (CSP) authorizing entity and signed with a signature of the CSP authorizing entity; in response to successfully verifying the signature, extract the tenant use policy to provide to a policy manager of the programmable IC for verification; in response to the policy manager verifying the tenant bitstream based on the tenant use policy, configure a partial reconfiguration (PR) region of the programmable IC using the tenant bitstream; and associate a slot ID of the PR region with the tenant use policy.

公开(公告)号：US20230297725A1

公开(公告)日：2023-09-21

申请号：US18200543

申请日：2023-05-22

Applicant: Intel Corporation

Inventor： Luis Kida ,  Krystof Zmudzinski ,  Reshma Lal ,  Pradeep Pappachan ,  Abhishek Basak ,  Anna Trikalinou

IPC: G06F21/78 ,  G06F21/44 ,  G06F21/85

CPC classification number: G06F21/78 ,  G06F21/44 ,  G06F21/85

Abstract: Technologies for secure I/O include a compute device having a processor, a memory, an input/output (I/O) device, and a filter logic. The filter logic is configured to receive a first key identifier from the processor, wherein the first key identifier is indicative of a shared memory range includes a shared key identifier range to be used for untrusted I/O devices and receive a transaction from the I/O device, wherein the transaction includes a second key identifier and a trust device ID indicator associated with the I/O device. The filter logic is further configured to determine whether the transaction is asserted with the trust device ID indicator indicative of whether the I/O device is assigned to a trust domain and determine, in response to a determination that the transaction is not asserted with the trust device ID indicator, whether the second key identifier matches the first key identifier.

公开(公告)号：US11522678B2

公开(公告)日：2022-12-06

申请号：US17342271

申请日：2021-06-08

Applicant: Intel Corporation

Inventor： Santosh Ghosh ,  Luis Kida ,  Reshma Lal

IPC: H04L29/06 ,  G06F21/00 ,  H04L9/06 ,  H04L9/08

Abstract: Technologies for secure data transfer of MMIO data between a processor and an accelerator. A MIMO security engine includes a first block cipher pipeline to encrypt a count using a key; a first exclusive-OR (XOR) to generate a first XOR result of the encrypted count and a length multiplied by an authentication key; a second block cipher pipeline to encrypt (count+1) using the key; a second XOR to generate a second XOR result of plaintext data and the encrypted (count+1); a plurality of Galois field multipliers (GFMs) to perform Galois field multiplication on additional authenticated data (AAD), powers of the authentication key, and ciphertext data; and a plurality of exclusive-ORs (XORs) to combine results of the GFMs and the first XOR result to generate an authentication tag. Other embodiments are described and claimed.