Multi-tenant encryption for storage class memory

US10255202B2 · US · B2

Patent metadata
Publication number: US-10255202-B2
Application number: US-201615283104-A
Country: US
Kind code: B2
Filing date: Sep 30, 2016
Priority date: Sep 30, 2016
Publication date: Apr 9, 2019
Grant date: Apr 9, 2019

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Various embodiments are generally directed to providing for mutual authentication and secure distributed processing of multi-party data. In particular, an experiment may be submitted to include the distributed processing of private data owned by multiple distrustful entities. Private data providers may authorize the experiment and securely transfer the private data for processing by trusted computing nodes in a pool of trusted computing nodes.

First claim

Opening claim text (preview).

What is claimed is:

  1. An apparatus comprising: a memory controller communicatively coupled to a processor element, the memory controller to: add a tenant encryption key to a key table of the processor element, the tenant encryption key corresponding to a tenant of a plurality of tenants; add a unique tenant identification to the key table to identify the tenant encryption key; and configure a physical address comprising a set of bits in a page table for at least one memory page of a storage class memory (SCM) to include an indication of the unique tenant identification and an SCM physical address, wherein the indication of the unique tenant identification includes a first subset of the set of bits and the SCM physical address includes a second subset of the set of bits.

  2. The apparatus of claim 1, comprising the processor element, the processor element implemented to provide a computing environment for the plurality of tenants.

  3. The apparatus of claim 1, the memory controller to add the indication of the unique tenant identification to a portion of the physical address.

  4. The apparatus of claim 1, wherein the set of bits of the physical address comprises 52 bits, the unique tenant identification comprises 6 bits, and the first subset of the set of bits comprises the 6 most significant bits of the physical address, the memory controller to add the indication of the unique tenant identification to the 6 most significant bits of the physical address.

  5. The apparatus of claim 1, the memory controller to encrypt the SCM corresponding to the at least one memory page based in part on the tenant encryption key.

  6. The apparatus of claim 1, the memory controller to: receive a memory access request including an indication of the physical address, the physical address to include the indication of the unique tenant identification and the SCM physical address; and access the SCM based on the SCM physical address and the tenant encryption key corresponding to the unique tenant identification.

  7. The apparatus of claim 1, the memory controller to encrypt or decrypt the at least one memory page of the SCM using the tenant encryption key.

  8. The apparatus of claim 1, the memory controller to: receive a memory access request including an indication of the physical address, the physical address to include the indication of the unique tenant identification and the SCM physical address; translate the SCM physical address from a first domain to a second domain; add the translated SCM physical address to a context table for an input output (I/O) memory access; and add an indication of a second unique tenant identification to the context table.

  9. The apparatus of claim 8, the memory controller to: retrieve an information element from the SCM based on a memory access to the SCM physical address and the tenant encryption key corresponding to the unique tenant identification; and encrypt the information element based on a tenant key corresponding to the second unique tenant identification.

  10. The apparatus of claim 9, the memory controller to add the encrypted information element to a direct memory access (DMA) buffer of an I/O device, the I/O device corresponding to the second unique tenant identification.

  11. The apparatus of claim 10, the memory controller to: generate an initial encryption key; and wrap the initial encryption key to generate the tenant encryption key.

  12. At least one non-transitory machine-readable storage medium comprising instructions that when executed by a processor element, cause the processor element to: add a tenant encryption key to a key table of the processor element, the tenant encryption key corresponding to a tenant of a plurality of tenants; add a tenant identification to the key table to identify the tenant encryption key; and configure a physical address comprising a set of bits in a page table for at least one memory page of a storage class memory (SCM) to include an indication of the tenant identification and an SCM physical address, wherein the indication of the tenant identification includes a first subset of the set of bits and the SCM physical address includes a second subset of the set of bits.

  13. The at least one non-transitory machine-readable storage medium of claim 12, the medium comprising instructions that further cause the processor element to add the indication of the tenant identification to a portion of the physical address.

  14. The at least one non-transitory machine-readable storage medium of claim 12, wherein the set of bits of the physical address comprises 52 bits, the tenant identification comprises 6 bits, and the first subset of the set of bits comprises the 6 most significant bits of the physical address, the medium comprising instructions that further cause the processor element to add the indication of the tenant identification to the 6 most significant bits of the physical address.

  15. The at least one non-transitory machine-readable storage medium of claim 12, comprising instructions that further cause the processor element to encrypt the SCM corresponding to the at least one memory page based in part on the tenant encryption key.

  16. The at least one non-transitory machine-readable storage medium of claim 12, comprising instructions that further cause the processor element to: receive a memory access request including an indication of the physical address, the physical address to include the indication of the tenant identification and the SCM physical address; and access the SCM based on the SCM physical address and the tenant encryption key corresponding to the tenant identification.

  17. The at least one non-transitory machine-readable storage medium of claim 16, comprising instructions that further cause the processor element to access the SCM comprising encrypting or decrypting a memory page of the SCM using the tenant encryption key.

  18. The at least one non-transitory machine-readable storage medium of claim 12, comprising instructions that further cause the processor element to: receive a memory access request including an indication of the physical address, the physical address to include the indication of the tenant identification and the SCM physical address; translate the SCM physical address from a first domain to a second domain; add the translated SCM physical address to a context table for an input output (I/O) memory access; and add an indication of a second tenant identification to the context table.

  19. The at least one non-transitory machine-readable storage medium of claim 18, comprising instructions that further cause the processor element to: retrieve an information element from the SCM based on a memory access to the SCM physical address and the tenant encryption key corresponding to the tenant identification; and encrypt the information element based on a tenant key corresponding to the second tenant identification.

  20. The at least one non-transitory machine-readable storage medium of claim 19, comprising instructions that further cause the processor element to add the encrypted information element to a direct memory access (DMA) buffer of an I/O device, the I/O device corresponding to the second tenant identification.

  21. A system comprising: a storage class memory (SCM); a memory controller coupled to the storage class memory to access the SCM; and logic, at least a portion of which is implemented in hardware, the logic to: add a tenant encryption key to a key table of a pr
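
The mechanism in claims 1, 4 and 6 is concrete enough to model: a 52-bit physical address whose 6 most significant bits name the tenant and whose low 46 bits name the SCM location, a key table indexed by that tenant id, and a memory controller that selects the key from the address on every access. The following C model is an added example written for this page; it is not code from the patent or from Intel. Everything beyond the bit split and the key-table lookup is an assumption: the simulated SCM of two 4 KiB pages, the error codes, and in particular the address-tweaked XOR transform, which is a deliberately weak placeholder for whatever memory cipher a real controller would use (the claims do not name one). The DMA re-encryption path of claims 8 to 10 is not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Address layout from claim 4: 52-bit PA, 6 most significant bits = tenant id,
 * remaining 46 bits = SCM physical address. */
#define PA_BITS         52u
#define TENANT_ID_BITS  6u
#define SCM_ADDR_BITS   (PA_BITS - TENANT_ID_BITS)            /* 46 */
#define SCM_ADDR_MASK   ((1ULL << SCM_ADDR_BITS) - 1)
#define TENANT_ID_MASK  ((1ULL << TENANT_ID_BITS) - 1)
#define MAX_TENANTS     (1u << TENANT_ID_BITS)                /* 64 key-table slots */
#define PA_INVALID      UINT64_MAX                            /* never a valid 52-bit PA */
#define PAGE_SIZE       4096u                                 /* assumption */
#define KEY_BYTES       16u                                   /* assumption */
#define SCM_SIM_BYTES   (2u * PAGE_SIZE)                      /* simulated SCM: two pages */

/* Pack tenant id and SCM address into one PA (claim 1); PA_INVALID if a field overflows. */
uint64_t pa_compose(unsigned tenant_id, uint64_t scm_addr)
{
    if (tenant_id > TENANT_ID_MASK || scm_addr > SCM_ADDR_MASK) return PA_INVALID;
    return ((uint64_t)tenant_id << SCM_ADDR_BITS) | scm_addr;
}
unsigned pa_tenant_id(uint64_t pa) { return (unsigned)((pa >> SCM_ADDR_BITS) & TENANT_ID_MASK); }
uint64_t pa_scm_addr(uint64_t pa)  { return pa & SCM_ADDR_MASK; }

/* Key table indexed by tenant id (claim 1): one slot per tenant, no silent overwrite. */
typedef struct { int valid; uint8_t key[KEY_BYTES]; } key_slot_t;
typedef struct { key_slot_t slot[MAX_TENANTS]; } key_table_t;

int key_table_add(key_table_t *kt, unsigned tenant_id, const uint8_t key[KEY_BYTES])
{
    if (tenant_id >= MAX_TENANTS || kt->slot[tenant_id].valid) return -1;
    memcpy(kt->slot[tenant_id].key, key, KEY_BYTES);
    kt->slot[tenant_id].valid = 1;
    return 0;
}

/* Memory controller model; the scm[] array holds data at rest in encrypted form. */
typedef struct { key_table_t keys; uint8_t scm[SCM_SIM_BYTES]; } memory_controller_t;

/* Toy placeholder for the memory cipher: XOR with the tenant key, tweaked by page
 * number and offset. It is an involution (encrypts and decrypts) and is NOT secure;
 * it exists only to make the per-tenant key selection observable. */
static void page_transform(const uint8_t key[KEY_BYTES], uint64_t scm_addr, uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        uint64_t a = scm_addr + i;
        uint8_t tweak = (uint8_t)(a / PAGE_SIZE) ^ (uint8_t)(a % PAGE_SIZE);
        buf[i] ^= key[i % KEY_BYTES] ^ tweak;
    }
}

/* Resolve an access (claim 6): the tenant field selects the key, the SCM field the location.
 * Returns 0, -1 for an out-of-range access, -2 when the tenant has no key-table entry. */
static int mc_resolve(memory_controller_t *mc, uint64_t pa, size_t len, const uint8_t **key, uint64_t *addr)
{
    if (pa == PA_INVALID) return -1;
    *addr = pa_scm_addr(pa);
    if (len == 0 || *addr + len > SCM_SIM_BYTES) return -1;
    key_slot_t *s = &mc->keys.slot[pa_tenant_id(pa)];
    if (!s->valid) return -2;
    *key = s->key;
    return 0;
}

int mc_write(memory_controller_t *mc, uint64_t pa, const uint8_t *data, size_t len)
{
    const uint8_t *key; uint64_t addr;
    int rc = mc_resolve(mc, pa, len, &key, &addr);
    if (rc) return rc;
    memcpy(&mc->scm[addr], data, len);
    page_transform(key, addr, &mc->scm[addr], len);   /* encrypt on the way in (claim 7) */
    return 0;
}

int mc_read(memory_controller_t *mc, uint64_t pa, uint8_t *out, size_t len)
{
    const uint8_t *key; uint64_t addr;
    int rc = mc_resolve(mc, pa, len, &key, &addr);
    if (rc) return rc;
    memcpy(out, &mc->scm[addr], len);
    page_transform(key, addr, out, len);              /* decrypt on the way out (claim 7) */
    return 0;
}

/* Constructed scenario: tenants 1 and 2 address the same SCM bytes with different keys.
 * Returns 0 if the controller behaves as claimed, a negative code naming the failed step. */
int scenario_tenant_isolation(void)
{
    static memory_controller_t mc;
    static const uint8_t key_a[KEY_BYTES] = {0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff,0x00};
    static const uint8_t key_b[KEY_BYTES] = {0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a};
    static const uint8_t secret[8] = "tenantA";      /* constructed plaintext */
    uint8_t out[8];

    memset(&mc, 0, sizeof mc);
    if (key_table_add(&mc.keys, 1, key_a) || key_table_add(&mc.keys, 2, key_b)) return -1;
    if (key_table_add(&mc.keys, 1, key_b) == 0) return -2;          /* re-keying a live slot is refused */
    if (mc_write(&mc, pa_compose(1, 0x1000), secret, sizeof secret)) return -3;
    if (mc_read(&mc, pa_compose(1, 0x1000), out, sizeof out) || memcmp(out, secret, 8)) return -4;
    if (memcmp(&mc.scm[0x1000], secret, 8) == 0) return -5;         /* data at rest is not plaintext */
    if (mc_read(&mc, pa_compose(2, 0x1000), out, sizeof out) || memcmp(out, secret, 8) == 0) return -6;
    if (mc_read(&mc, pa_compose(5, 0x1000), out, sizeof out) != -2) return -7;  /* no key: refused */
    return 0;
}

int main(void)
{
    printf("PA for tenant 3 @ 0x1000: 0x%llx\n", (unsigned long long)pa_compose(3, 0x1000));
    printf("isolation scenario: %d\n", scenario_tenant_isolation());
    return 0;
}
```

Two design points are worth noting for anyone building on this layout. First, because the tenant id travels inside the page-table physical address, whoever controls the page tables (the hypervisor in the claims' setting) decides which key a page is read with; the key table only enforces that the id resolves to exactly one key, and an id with no entry is refused rather than served with a default. Second, a cross-tenant read does not fault in this model: tenant 2 receives bytes decrypted under its own key, which are unrelated to tenant 1's plaintext. Detecting such accesses therefore needs monitoring at the page-table or controller level, not at the SCM array.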

Assignees

Inventors

Classifications

  • Network integration; Enabling network access in virtual machine instances · CPC title

  • in a virtual system, e.g. with translation means · CPC title

  • File encryption · CPC title

  • Hypervisor-specific management and integration aspects · CPC title

  • in semiconductor storage media, e.g. directly-addressable memories · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10255202B2 cover?
Various embodiments are generally directed to providing for mutual authentication and secure distributed processing of multi-party data. In particular, an experiment may be submitted to include the distributed processing of private data owned by multiple distrustful entities. Private data providers may authorize the experiment and securely transfer the private data for processing by trusted…
Who is the assignee on this patent?
Intel Corp
What technology area does this patent fall under?
Primary CPC classification G06F12/1408. Mapped technology areas include Physics.
When was this patent published?
Publication date: Apr 9, 2019 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 7 related publications on this page (citations in our corpus or others sharing the same primary CPC).