Protect non-memory encryption engine (non-mee) metadata in trusted execution environment
US-2017091119-A1 · Mar 30, 2017 · US
Technologies for secure inter-enclave communications
US10469265B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10469265-B2 |
| Application number | US-201615087254-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 31, 2016 |
| Priority date | Mar 31, 2016 |
| Publication date | Nov 5, 2019 |
| Grant date | Nov 5, 2019 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Technologies for secure inter-enclave communication include a computing device having a processor with secure enclave support. The computing device establishes a first secure enclave and a second secure enclave with the secure enclave support of the processor. The first secure enclave invokes a report instruction to cause the processor to generate a report targeted to the second secure enclave. The report includes a report body and a message authentication code generated using a report key associated with the second secure enclave. The second secure enclave invokes a get key instruction to cause the processor to generate the report key associated with the second secure enclave and generates the message authentication code over the report body using the report key. The first secure enclave and second secure enclave each perform a cryptographic operation on a message using the message authentication code as a cryptographic key. Other embodiments are described and claimed.
First claim
Opening claim text (preview).
The invention claimed is: 1. A computing device for secure communication, the computing device comprising: a processor having secure enclave support; a report generator module to (i) invoke, by a first secure enclave established with the secure enclave support of the processor, a first processor instruction to cause the processor to generate a report targeted to a second secure enclave, wherein the report includes a report body and a message authentication code, and wherein the message authentication code is generated as a function of the report body and a report key associated with the second secure enclave, and (ii) perform, by the first secure enclave, a cryptographic operation on a message with the message authentication code of the report as a cryptographic key; and a report target module to (i) invoke, by the second secure enclave established with the secure enclave support of the processor, a second processor instruction to cause the processor to generate the report key associated with the second secure enclave, (ii) generate, by the second secure enclave, the message authentication code over the report body with the report key, and (iii) perform, by the second secure enclave, a cryptographic operation on the message with the message authentication code of the report as the cryptographic key. 2. The computing device of claim 1 , wherein: to invoke the first processor instruction further comprises to cause the processor to derive the report key as a function of a secret device key of the processor; and to invoke the second processor instruction further comprises to cause the processor to derive the report key as a function of the secret device key of the processor. 3. The computing device of claim 1 , wherein: the report target module is further to verify, by the second secure enclave, a measurement of the first secure enclave, wherein the report body includes the measurement; and to invoke the first processor instruction to cause the processor to generate the report targeted to the second secure enclave further causes the processor to include the measurement of the first secure enclave in the report body. 4. The computing device of claim 1 , further comprising: a secure initialization module to (i) initialize the first secure enclave with the secure enclave support of the processor and (ii) initialize the second secure enclave with the secure enclave support of the processor; wherein to invoke the first processor instruction comprises to invoke the first processor instruction in response to initialization of the first secure enclave; and wherein to invoke the second processor instruction comprises to invoke the second processor instruction in response to initialization of the second secure enclave. 5. The computing device of claim 1 , wherein: to perform, by the first secure enclave, the cryptographic operation on the message comprises to protect an interactive secure messaging session with the second secure enclave using the message authentication code of the report as the cryptographic key; and to perform, by the second secure enclave, the cryptographic operation on the message comprises to protect the interactive secure messaging session with the first secure enclave using the message authentication code of the report as the cryptographic key. 6. The computing device of claim 5 , wherein to protect the interactive secure messaging session comprises to derive a session key as a function of the message authentication code of the report. 7. The computing device of claim 5 , wherein: the report target module is further to (i) generate, by the second secure enclave, a first random nonce and (ii) transmit the first nonce from the second secure enclave to the first secure enclave; the report generator module is further to (i) generate, by the first secure enclave, a second random nonce and (ii) generate, by the first secure enclave, report data as a function of the first random nonce, the second random nonce, and a domain separation constant; and to invoke the first processor instruction comprises to invoke the first processor instruction with the report data to cause the processor to generate the report, wherein the report body includes the report data. 8. The computing device of claim 1 , wherein: to perform, by the first secure enclave, the cryptographic operation on the message comprises to seal the message to generate an encrypted message with the message authentication code of the report as the cryptographic key; and to perform, by the second secure enclave, the cryptographic operation on the message comprises to unseal the encrypted message to recover the message with the message authentication code of the report as the cryptographic key. 9. The computing device of claim 8 , wherein: the report generator module is further to (i) generate, by the first secure enclave, a random nonce and (ii) generate, by the first secure enclave, report data as a function of the random nonce and a domain separation constant; wherein to invoke the first processor instruction comprises to invoke the first processor instruction with the report data to generate the report, wherein the report body includes the report data. 10. The computing device of claim 9 , wherein the report generator module is further to store, by the first secure enclave, the report body, the random nonce, and the encrypted message. 11. The computing device of claim 1 , wherein: to perform, by the second secure enclave, the cryptographic operation on the message comprises to seal the message to generate an encrypted message with the message authentication code of the report as the cryptographic key; and to perform, by the first secure enclave, the cryptographic operation on the message comprises to unseal the encrypted message to recover the message with the message authentication code of the report as the cryptographic key. 12. A method for secure communication, the method comprising: invoking, by a first secure enclave established using secure enclave support of a processor of a computing device, a first processor instruction to cause the processor to generate a report targeted to a second secure enclave, wherein the report includes a report body and a message authentication code, and wherein the message authentication code is generated as a function of the report body and a report key associated with the second secure enclave; performing, by the first secure enclave, a cryptographic operation on a message using the message authentication code of the report as a cryptographic key; invoking, by the second secure enclave established using the secure enclave support of the processor, a second processor instruction to cause the processor to generate the report key associated with the second secure enclave; generating, by the second secure enclave, the message authentication code over the report body using the report key; and performing, by the second secure enclave, a cryptographic operation on the message using the message authentication code of the report as the cryptographic key. 13. The method of claim 12 , wherein: invoking the first processor instruction further comprises causing the processor to derive the report key as a function of a secret device key of the processor; and invoking the second processor instruction further comprises causing the processor to derive the report key as a function of the secret device key of the processor. 14. The method of claim 12 , wherein: performing, by the first secure enclave, the cryptographic operation on the message comprises protecting an interactive secure messaging session with the second secur
Assignees
Inventors
Classifications
Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these (network architectures or network communication protocols for key exchange in a packet data network H04L63/061) · CPC title
- H04L9/3242Primary
involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC · CPC title
in cryptographic circuits · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US10469265B2 cover?
- Technologies for secure inter-enclave communication include a computing device having a processor with secure enclave support. The computing device establishes a first secure enclave and a second secure enclave with the secure enclave support of the processor. The first secure enclave invokes a report instruction to cause the processor to generate a report targeted to the second secure enclave.…
- Who is the assignee on this patent?
- Intel Corp
- What technology area does this patent fall under?
- Primary CPC classification H04L9/3242. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Nov 05 2019 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 7 related publications on this page (citations in our corpus or others sharing the same primary CPC).