-
Publication number: US20240137210A1
Publication date: 2024-04-25
Application number: US18066383
Application date: 2022-12-15
Applicant: Microsoft Technology Licensing, LLC
Inventor: Kapil VASWANI , Siddharth JAYASHANKAR , Antoine DELIGNAT-LAVAUD , Cedric Alain Marie Christophe FOURNET
CPC classification number: H04L9/0825 , H04L9/0861 , H04L9/3247
Abstract: A computer device instantiates a first Transport Layer Security (TLS) endpoint having access to a trusted execution environment (TEE) of the processor; generates in the TEE an endpoint-specific public-private key pair bound to the first TLS endpoint; generates attestation data verifying that the endpoint-specific public-private key pair was generated in the TEE and is bound to the first TLS endpoint; and signs the attestation data in the TEE using a TEE private key securely embedded in the processor. The device generates a TEE signature using an endpoint-specific private key of the endpoint-specific public-private key pair; and indicates the attestation data, an endpoint-specific public key of the endpoint-specific public-private key pair and the TEE signature to a second TLS endpoint within a TLS handshake message exchange between the first TLS endpoint and the second TLS endpoint.
-
Publication number: US20190236179A1
Publication date: 2019-08-01
Application number: US15955681
Application date: 2018-04-17
Applicant: Microsoft Technology Licensing, LLC
Inventor: Christian PRIEBE , Kapil VASWANI , Manuel Silverio da Silva COSTA
CPC classification number: G06F16/2379 , G06F11/1469 , G06F16/2358 , G06F16/2365 , G06F21/602 , G06F2201/87
Abstract: In various examples, there is provided a computer-implemented method for writing transaction log entries to a transaction log for a database system. At least part of the database system is configured to be executed within a trusted execution environment. The transaction log is stored outside of the trusted execution environment. The method maintains a first secure count representing the number of transaction log entries which have been written to the transaction log for transactions which have been committed to the database, and writes a transaction log entry to the transaction log. In other examples, there is also provided a computer-implemented method for restoring a database system using transaction log entries received from the transaction log and a current value of the first secure count.
-
Publication number: US20240104193A1
Publication date: 2024-03-28
Application number: US17953169
Application date: 2022-09-26
Applicant: Microsoft Technology Licensing, LLC
Inventor: Jin LIN , Jason Stewart WOHLGEMUTH , Michael Bishop EBERSOL , Aditya BHANDARI , Steven Adrian WEST , Emily Cara CLEMENS , Michael Halstead KELLEY , Dexuan CUI , Attilio MAINETTI , Sarah Elizabeth STEPHENSON , Carolina Cecilia PEREZ-VARGAS , Antoine Jean Denis DELIGNAT-LAVAUD , Kapil VASWANI , Alexander Daniel GREST , Steve Michel PRONOVOST , David Alan HEPKIN
CPC classification number: G06F21/53 , G06F21/602 , G06F21/79
Abstract: Methods, systems, and computer program products for direct assignment of physical devices to confidential virtual machines (VMs). At a first guest privilege context of a guest partition, a direct assignment of a physical device associated with a host computer system to the guest partition is identified. The guest partition includes the first guest privilege context and a second guest privilege context, which is restricted from accessing memory associated with the first guest privilege context. The guest partition corresponds to a confidential VM, such that a memory region associated with the guest partition is inaccessible to a host operating system. It is determined, based on a policy, that the physical device is allowed to be directly assigned to the guest partition. Communication between the physical device and the second guest privilege context is permitted, such as by exposing the physical device on a virtual bus and/or forwarding an interrupt.
-
Publication number: US20190236168A1
Publication date: 2019-08-01
Application number: US15955682
Application date: 2018-04-17
Applicant: Microsoft Technology Licensing, LLC
Inventor: Kapil VASWANI , Manuel Silverio da Silva COSTA
CPC classification number: G06F16/21 , G06F9/466 , G06F16/2272 , G06F16/2282 , G06F16/2358 , G06F16/2453 , G06F16/2455 , G06F21/6218
Abstract: In various examples, there is a database system which comprises an operating system, a query engine, a transaction manager and components implementing database administration functionality. The query engine and the transaction manager are configured to be executed within one or more memory enclaves of a host computer system separately from the operating system and the components implementing database administration functionality.
-
Publication number: US20240235819A9
Publication date: 2024-07-11
Application number: US18066383
Application date: 2022-12-15
Applicant: Microsoft Technology Licensing, LLC
Inventor: Kapil VASWANI , Siddharth JAYASHANKAR , Antoine DELIGNAT-LAVAUD , Cedric Alain Marie Christophe FOURNET
CPC classification number: H04L9/0825 , H04L9/0861 , H04L9/3247
Abstract: A computer device instantiates a first Transport Layer Security (TLS) endpoint having access to a trusted execution environment (TEE) of the processor; generates in the TEE an endpoint-specific public-private key pair bound to the first TLS endpoint; generates attestation data verifying that the endpoint-specific public-private key pair was generated in the TEE and is bound to the first TLS endpoint; and signs the attestation data in the TEE using a TEE private key securely embedded in the processor. The device generates a TEE signature using an endpoint-specific private key of the endpoint-specific public-private key pair; and indicates the attestation data, an endpoint-specific public key of the endpoint-specific public-private key pair and the TEE signature to a second TLS endpoint within a TLS handshake message exchange between the first TLS endpoint and the second TLS endpoint.
-
Publication number: US20240160795A1
Publication date: 2024-05-16
Application number: US18419359
Application date: 2024-01-22
Applicant: Microsoft Technology Licensing, LLC
Inventor: Stavros VOLOS , David Thomas CHISNALL , Saurabh Mohan KULKARNI , Kapil VASWANI , Manuel COSTA , Samuel Alexander WEBSTER , Cédric Alain Marie FOURNET , Richard OSBORNE , Daniel John Pelham WILKINSON , Graham Bernard CUNNINGHAM
CPC classification number: G06F21/85 , G06F21/602 , H04L9/30 , H04L9/3265
Abstract: A peripheral device, for use with a host, comprises one or more compute elements, a security module and at least one encryption unit. The security module is configured to form a trusted execution environment on the peripheral device for processing sensitive data using sensitive code. The sensitive data and sensitive code are provided by a trusted computing entity which is in communication with the host computing device. The at least one encryption unit is configured to encrypt and decrypt data transferred between the trusted execution environment and the trusted computing entity via the host computing device. The security module is configured to compute and send an attestation to the trusted computing entity to attest that the sensitive code is in the trusted execution environment.
-
Publication number: US20230342121A1
Publication date: 2023-10-26
Application number: US18005246
Application date: 2021-07-13
Applicant: Microsoft Technology Licensing, LLC
Inventor: Daniel John Pelham WILKINSON , Richard OSBORNE , Graham Bernard CUNNINGHAM , Kenneth GORDON , Samuel Alexander WEBSTER , Stavros VOLOS , Kapil VASWANI , Balaji VEMBU , Cédric Alain Marie FOURNET
IPC: G06F8/41
CPC classification number: G06F8/41
Abstract: A processing system comprising one or more chips, each comprising a plurality of tiles is described. Each tile comprises a respective processing unit and memory, the memory storing a codelet. The processing system has at least one encryption unit configured to encrypt and decrypt data transferred between the tiles and a trusted computing entity via an external computing device. The codelets are configured to instruct the tiles to transfer the encrypted data by reading from and writing to a plurality of memory regions at the external memory such that a plurality of streams of encrypted data are formed, each stream using an individual one of the memory regions at the external computing device.
-
Publication number: US20180253311A1
Publication date: 2018-09-06
Application number: US15615757
Application date: 2017-06-06
Applicant: Microsoft Technology Licensing, LLC
Inventor: Matthew John PARKINSON , Manuel Silverio da Silva COSTA , Dimitrios VYTINIOTIS , Kapil VASWANI
CPC classification number: G06F9/30123 , G06F9/30116
Abstract: A method of manual memory management is described which comprises enabling one or more threads to access an object created in a manual heap by storing a reference to the object in thread-local state and subsequently deleting the stored reference after accessing the object. In response to abandonment of the object, an identifier for the object and a current value of either a local counter of a thread or a global counter are stored in a delete queue and all threads are prevented from storing any further references to the object in thread-local state. Deallocation of the object only occurs when all references to the object stored in thread-local state for any threads have been deleted and a current value of the local counter for the thread or the global counter has incremented to a value that is at least a pre-defined amount more than the stored value, wherein the global counter is updated using one or more local counters.
-
Publication number: US20240086542A1
Publication date: 2024-03-14
Application number: US18508208
Application date: 2023-11-13
Applicant: Microsoft Technology Licensing, LLC
Inventor: Stavros VOLOS , Colin DOAK , Simon Douglas CHAMBERS , David RUGGLES , Richard NEAL , Cedric Alain Marie FOURNET , Kapil VASWANI , Balaji VEMBU
IPC: G06F21/57 , G06F9/4401
CPC classification number: G06F21/572 , G06F9/4405 , G06F2221/033
Abstract: In various examples there is a computing device comprising: a first microcontroller comprising a first immutable bootloader and first mutable firmware. The first immutable bootloader uses a unique device secret burnt into hardware of the computing device in order to generate an attestation of the first mutable firmware. The computing device has a second microcontroller. There is second mutable firmware at the second microcontroller. There is a second immutable bootloader at the second microcontroller which sends a measurement of the second mutable firmware to the first immutable bootloader whenever the second microcontroller restarts, such that the first microcontroller is able to include the measurement in the attestation.
-
Publication number: US20210382876A1
Publication date: 2021-12-09
Application number: US17412165
Application date: 2021-08-25
Applicant: Microsoft Technology Licensing, LLC
Inventor: Christian PRIEBE , Kapil VASWANI , Manuel Silverio da Silva COSTA
Abstract: In various examples, there is provided a computer-implemented method for writing transaction log entries to a transaction log for a database system. At least part of the database system is configured to be executed within a trusted execution environment. The transaction log is stored outside of the trusted execution environment. The method maintains a first secure count representing the number of transaction log entries which have been written to the transaction log for transactions which have been committed to the database, and writes a transaction log entry to the transaction log. In other examples, there is also provided a computer-implemented method for restoring a database system using transaction log entries received from the transaction log and a current value of the first secure count.