Security for network computing environment using centralized security system
US-10419931-B1 · Sep 17, 2019 · US
US11386017B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11386017-B2 |
| Application number | US-201816232143-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 26, 2018 |
| Priority date | Jun 20, 2018 |
| Publication date | Jul 12, 2022 |
| Grant date | Jul 12, 2022 |
Official abstract text for this publication.
Technologies for secure authentication and programming of an accelerator device include a computing device having a processor and an accelerator. The processor establishes a trusted execution environment, which receives a unique device identifier from the accelerator, validates a device certificate for the device identifier, authenticates the accelerator in response to validating the accelerator, validates attestation information of the accelerator, and establishes a secure channel with the accelerator. The trusted execution environment may securely program a data key and a bitstream key to the accelerator, and may encrypt a bitstream image and securely program the bitstream image to the accelerator. The accelerator and a tenant may securely exchange data protected by the data key. The trusted execution environment may be a secure enclave, and the accelerator may be a field programmable gate array (FPGA). Other embodiments are described and claimed.
Opening claim text (preview).
The invention claimed is:

1. A computing device comprising: a processor communicably coupled to an accelerator device, the processor to host an accelerator services enclave comprising a first trusted execution environment and utilize the accelerator services enclave to: receive a unique device identifier from the accelerator device; validate a device certificate for the unique device identifier in response to receipt of the unique device identifier; authenticate the accelerator device in response to validation of the device certificate, wherein to authenticate the accelerator device comprises to receive attestation information indicative of a device configuration of the accelerator device; validate the attestation information based on the device certificate; establish a secure channel with the accelerator device in response to validation of the attestation information; authenticate a tenant enclave comprising a second trusted execution environment hosted by the processor, wherein the tenant enclave is hosted by the processor and comprises a tenant application; in response to authentication of the tenant enclave, receive a bitstream image key and a data key from the tenant enclave; securely communicate, via the secure channel, encrypted versions of the bitstream image key and of the data key to the accelerator device; and program the accelerator device via the secure channel using the bitstream image key; wherein code and data comprised in the accelerator services enclave is protected by hardware protection circuitry of the processor while being executed or while being stored in a protected cache memory of the processor.

2. The computing device of claim 1, wherein the accelerator services enclave is further to request the device certificate for the unique device identifier from a certificate service.

3. The computing device of claim 1, wherein: to authenticate the accelerator device comprises to perform a secure key exchange with the accelerator device to establish a shared secret key; and to establish the secure channel comprises to complete the secure key exchange to establish the secure channel protected by the shared secret key.

4. The computing device of claim 1, wherein to validate the attestation information comprises to compare the attestation information indicative of the device configuration to device configuration data of the device certificate.

5. The computing device of claim 1, wherein to validate the attestation information comprises to validate a testable attribute of the attestation information, wherein the testable attribute is indicative of the device configuration.

6. The computing device of claim 1, wherein to receive the unique device identifier comprises to receive a device identifier based on a physical unclonable function (PUF) of the accelerator device.

7. The computing device of claim 1, wherein the accelerator services enclave is further to: establish the data key; securely communicate the data key to the accelerator device via the secure channel; and securely exchange data between the accelerator services enclave and the accelerator device protected by the data key in response to communication of the data key to the accelerator device.

8. The computing device of claim 7, wherein the tenant enclave is to securely exchange the data between the tenant application and the accelerator device using the data key.

9. The computing device of claim 7, wherein: the accelerator device comprises a field-programmable gate array (FPGA); and the accelerator services enclave is further to: establish the bitstream image key; and program the accelerator device with an encrypted bitstream image in response to secure communication of the bitstream image key to the accelerator device, wherein the encrypted bitstream image is encrypted by the bitstream image key.

10. The computing device of claim 9, wherein the accelerator services enclave is further to: receive the encrypted bitstream image from the tenant enclave in response to authentication of the tenant enclave.

11. The computing device of claim 1, wherein the accelerator services enclave is further to: receive an encrypted bitstream image and a bitstream image key from the tenant enclave in response to authentication of the tenant enclave; decrypt the encrypted bitstream image with the bitstream image key to recover a bitstream image; determine whether the bitstream image satisfies an owner policy; and program the accelerator device with the encrypted bitstream image in response to a determination that the bitstream image satisfies the owner policy.

12. The computing device of claim 11, wherein the computing device comprises the accelerator device, wherein the accelerator device comprises a field-programmable gate array (FPGA), and wherein the owner policy comprises a hardware safety policy.

13. The computing device of claim 1, wherein the trusted execution environment comprises a secure enclave established with secure enclave support of a processor of the computing device.

14. A method comprising: receiving, by a first trusted execution environment of a computing device, a unique device identifier from an accelerator device of the computing device; validating, by the first trusted execution environment, a device certificate for the unique device identifier in response to receiving the unique device identifier; authenticating, by the first trusted execution environment, the accelerator device in response to validating the device certificate, wherein authenticating the accelerator device comprises receiving attestation information indicative of a device configuration of the accelerator device; validating, by the first trusted execution environment, the attestation information based on the device certificate; establishing, by the first trusted execution environment, a secure channel with the accelerator device in response to validating the attestation information; authenticating a tenant enclave comprising a second trusted execution environment hosted by a processor of the computing device, wherein the tenant enclave is hosted by the processor and comprises a tenant application; in response to authentication of the tenant enclave, receiving a bitstream image key and a data key from the tenant enclave; securely communicating, via the secure channel, encrypted versions of the bitstream image key and of the data key to the accelerator device; and programming the accelerator device via the secure channel using the bitstream image key; wherein code and data comprised in the first trusted execution environment is protected by hardware protection circuitry of a processor of the computing device while being executed or while being stored in a protected cache memory of the processor.

15. The method of claim 14, further comprising requesting, by the first trusted execution environment, the device certificate for the unique device identifier from a certificate service.

16. The method of claim 14, wherein receiving the unique device identifier comprises receiving a device identifier based on a physical unclonable function (PUF) of the accelerator device.

17. The method of claim 14, further comprising: establishing, by the first trusted execution environment, the data key; securely communicating, by the first trusted execution environment, the data key to the accelerator device via the secure channel; and securely exchanging data between the first trusted execution environment and the accelerator device protected by the data key in response to communicating the data ke
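The ordering that claims 1 to 4 impose (device identifier, then certificate, then attestation checked against the certified configuration, then secure channel, then tenant authentication, and only then key release) can be modelled in a few dozen lines. The following is an added example and not code from the patent or any Intel product: the certificate service is stood in by an HMAC key (`CA_KEY`), the key exchange by a caller-supplied `shared_secret`, and the channel encryption by an HMAC-based encrypt-then-MAC in place of a real AEAD; all names and values are constructed.

```python
import hmac, hashlib, secrets  # stdlib only

CA_KEY = b"constructed-cert-service-key"  # stand-in for the certificate service's signing key

def issue_device_cert(device_id: bytes, config: bytes) -> dict:
    """Certificate service binds a (e.g. PUF-derived) device id to its expected configuration."""
    sig = hmac.new(CA_KEY, device_id + config, hashlib.sha256).digest()
    return {"id": device_id, "config": config, "sig": sig}

def validate_device_cert(cert: dict, device_id: bytes) -> bool:
    """Claim 1: the certificate must be genuine and must have been issued for this device id."""
    expected = hmac.new(CA_KEY, cert["id"] + cert["config"], hashlib.sha256).digest()
    return cert["id"] == device_id and hmac.compare_digest(cert["sig"], expected)

def wrap(channel_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with an HMAC-derived keystream: a stand-in for a real AEAD on the channel.
    Keystream is one SHA-256 block, so this toy handles key material of at most 32 bytes."""
    assert len(plaintext) <= 32
    nonce = secrets.token_bytes(16)
    stream = hmac.new(channel_key, b"enc" + nonce, hashlib.sha256).digest()[: len(plaintext)]
    body = nonce + bytes(p ^ s for p, s in zip(plaintext, stream))
    return body + hmac.new(channel_key, b"mac" + body, hashlib.sha256).digest()

class AcceleratorServicesEnclave:
    """Hypothetical model of the first trusted execution environment in the claims."""
    def __init__(self, cert_service):
        self.cert_service, self.channel_key, self.tenant_ok = cert_service, None, False

    def authenticate_accelerator(self, device_id: bytes, attestation: bytes, shared_secret: bytes) -> bool:
        """Claims 1-4: id -> certificate -> attestation vs. certified config -> secure channel."""
        cert = self.cert_service(device_id)  # claim 2: request the certificate for this id
        if cert is None or not validate_device_cert(cert, device_id):
            return False
        if not hmac.compare_digest(cert["config"], attestation):  # claim 4: config mismatch rejects
            return False
        # claim 3: channel key derived from the key-exchange shared secret (exchange itself omitted)
        self.channel_key = hashlib.sha256(b"channel" + shared_secret).digest()
        return True

    def authenticate_tenant(self, tenant_report: bytes, expected_measurement: bytes) -> bool:
        """Tenant enclave is authenticated by comparing its report to the expected measurement."""
        self.tenant_ok = hmac.compare_digest(tenant_report, expected_measurement)
        return self.tenant_ok

    def provision_keys(self, bitstream_key: bytes, data_key: bytes) -> dict:
        """Keys reach the accelerator only after both authentications have succeeded."""
        if self.channel_key is None or not self.tenant_ok:
            raise PermissionError("keys withheld: accelerator or tenant not authenticated")
        return {"bitstream_key": wrap(self.channel_key, bitstream_key),
                "data_key": wrap(self.channel_key, data_key)}
```

The security-relevant property is that `provision_keys` has no path that releases material without a validated certificate, a matching attestation and an authenticated tenant; a forged certificate, a device whose measured configuration differs from the certified one, or an unauthenticated tenant all stop before any key is wrapped.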
comprising network management agents or mobile agents therefor · CPC title
using a predetermined code, e.g. password, passphrase or PIN (network architectures or network communication protocols for supporting authentication of entities using passwords in a packet data network H04L63/083) · CPC title
Network integration; Enabling network access in virtual machine instances · CPC title
Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these (network architectures or network communication protocols for key exchange in a packet data network H04L63/061) · CPC title
in application-specific integrated circuits [ASIC] or field-programmable devices, e.g. field-programmable gate arrays [FPGA] or programmable logic devices [PLD] · CPC title