Technologies for trusted I/O protection of I/O data with header information

US11423159B2 · US · B2

Patent metadata

Publication number: US-11423159-B2
Application number: US-201916704168-A
Country: US
Kind code: B2
Filing date: Dec 5, 2019
Priority date: Jun 20, 2016
Publication date: Aug 23, 2022
Grant date: Aug 23, 2022


Abstract

Official abstract text for this publication.

Technologies for trusted I/O include a computing device having a hardware cryptographic agent, a cryptographic engine, and an I/O controller. The hardware cryptographic agent intercepts a message from the I/O controller and identifies boundaries of the message. The message may include multiple DMA transactions, and the start of message is the start of the first DMA transaction. The cryptographic engine encrypts the message and stores the encrypted data in a memory buffer. The cryptographic engine may skip and not encrypt header data starting at the start of message or may read a value from the header to determine the skip length. In some embodiments, the cryptographic agent and the cryptographic engine may be an inline cryptographic engine. In some embodiments, the cryptographic agent may be a channel identifier filter, and the cryptographic engine may be processor-based. Other embodiments are described and claimed.

First claim

Opening claim text (preview).

The invention claimed is:

1. A computing device comprising: one or more processors coupled to a physical memory, the one or more processors to: perform an authenticated encryption operation on an input/output (I/O) message to generate an authentication tag and an encrypted message; and store an authentication tag queue entry in an authentication tag queue in response to performance of the authenticated encryption operation, wherein the authentication tag queue entry comprises a hash, a message length, and the authentication tag, and wherein the hash comprises a predetermined number of bytes from the start of the encrypted message.

2. The computing device of claim 1, wherein the one or more processors are further to: concatenate a plurality of encrypted messages in an encrypted message buffer; and facilitate a trusted execution environment to: determine whether a first hash of a first authentication tag queue entry of the authentication tag queue matches a second hash of a first encrypted message of the encrypted message buffer, wherein the second hash comprises the predetermined number of bytes from the start of the first encrypted message; perform an authenticated decryption operation on the first encrypted message with a first authentication tag of the first authentication tag queue entry in response to a determination that the first hash matches the second hash; and increment an index in the authentication tag queue in response to a determination that the first hash does not match the second hash.

3. The computing device of claim 2, wherein to determine whether the first hash of the first authentication tag queue entry matches the second hash of the first encrypted message comprises to identify the first authentication tag queue entry based on the index in the authentication tag queue.

4. The computing device of claim 2, wherein the trusted execution environment comprises an application enclave established by secure enclave support of a processor of the computing device.

5. The computing device of claim 2, wherein the one or more processors are further to facilitate the trusted execution environment to: determine whether the authentication tag queue and the encrypted message buffer are synchronized; and drop one or more encrypted messages from the encrypted message buffer in response to a determination that the authentication tag queue and the encrypted message buffer are not synchronized, wherein to determine whether the first hash matches the second hash comprises to determine whether the first hash matches the second hash in response to a determination that the authentication tag queue and the encrypted message buffer are synchronized or in response to dropping of the one or more encrypted messages.

6. The computing device of claim 5, wherein to determine whether the authentication tag queue and the encrypted message buffer are synchronized comprises to determine whether an un-consumed entry of the authentication tag queue has been overwritten.

7. A method comprising: performing, by one or more processors of a computing device, an authenticated encryption operation on an input/output (I/O) message to generate an authentication tag and an encrypted message; and storing, by the one or more processors, an authentication tag queue entry in an authentication tag queue in response to performing the authenticated encryption operation, wherein the authentication tag queue entry comprises a hash, a message length, and the authentication tag, and wherein the hash comprises a predetermined number of bytes from the start of the encrypted message.

8. The method of claim 7, further comprising: concatenating, by the one or more processors, a plurality of encrypted messages in an encrypted message buffer; determining, by a trusted execution environment as facilitated by the one or more processors, whether a first hash of a first authentication tag queue entry of the authentication tag queue matches a second hash of a first encrypted message of the encrypted message buffer, wherein the second hash comprises the predetermined number of bytes from the start of the first encrypted message; performing, by the trusted execution environment as facilitated by the one or more processors, an authenticated decryption operation on the first encrypted message with a first authentication tag of the first authentication tag queue entry in response to determining that the first hash matches the second hash; and incrementing, by the trusted execution environment as facilitated by the one or more processors, an index in the authentication tag queue in response to determining that the first hash does not match the second hash.

9. The method of claim 8, wherein determining whether the first hash of the first authentication tag queue entry matches the second hash of the first encrypted message comprises identifying the first authentication tag queue entry based on the index in the authentication tag queue.

10. The method of claim 8, wherein the trusted execution environment comprises an application enclave established by secure enclave support of a processor of the computing device.

11. The method of claim 8, further comprising: determining, by the trusted execution environment as facilitated by the one or more processors, whether the authentication tag queue and the encrypted message buffer are synchronized; and dropping, by the trusted execution environment as facilitated by the one or more processors, one or more encrypted messages from the encrypted message buffer in response to determining that the authentication tag queue and the encrypted message buffer are not synchronized, wherein determining whether the first hash matches the second hash comprises determining whether the first hash matches the second hash in response to determining that the authentication tag queue and the encrypted message buffer are synchronized or in response to dropping the one or more encrypted messages.

12. The method of claim 11, wherein determining whether the authentication tag queue and the encrypted message buffer are synchronized comprises determining whether an un-consumed entry of the authentication tag queue has been overwritten.

13. At least one non-transitory computer-readable medium having stored thereon instructions which, when executed, cause a computing device to perform operations comprising: performing an authenticated encryption operation on an I/O message to generate an authentication tag and an encrypted message; and storing an authentication tag queue entry in an authentication tag queue in response to performing the authenticated encryption operation, wherein the authentication tag queue entry comprises a hash, a message length, and the authentication tag, and wherein the hash comprises a predetermined number of bytes from the start of the encrypted message.

14. The non-transitory computer-readable medium of claim 13, wherein the operations further comprise: concatenating a plurality of encrypted messages in an encrypted message buffer; determining, by a trusted execution environment of the computing device, whether a first hash of a first authentication tag queue entry of the authentication tag queue matches a second hash of a first encrypted message of the encrypted message buffer, wherein the second hash comprises the predetermined number of bytes from the start of the first encrypted message; performing, by the trusted execution environment, an authenticated decryption operation on the first encrypted message with a first authentication tag of the first authentication tag queue entry in response to determining that the first
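The tag-queue mechanism of claims 1 through 6, worked through as an added example that is not part of the patent or of any Intel implementation: a constructed encrypt-then-MAC toy stands in for the engine's authenticated encryption, the encrypted message buffer is modelled as a list of message-sized chunks, and HASH_BYTES, IV_LEN, TAG_LEN and every function name are assumptions. The TEE side checks for overwritten un-consumed entries (claim 6), drops orphaned messages to resynchronize (claim 5), then matches the leading bytes of each ciphertext against the queue entry and advances the index on mismatch (claim 2).

```python
import hashlib, hmac, os
HASH_BYTES = 8           # assumed "predetermined number of bytes" taken from the start of a ciphertext
IV_LEN, TAG_LEN = 8, 16  # assumed sizes for the toy construction below

def _stream(key, iv, n):
    blocks = (hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def aead_encrypt(key, msg):
    """Constructed toy AEAD (IV || msg XOR keystream, HMAC tag); a real engine would use e.g. AES-GCM."""
    iv = os.urandom(IV_LEN)
    ct = iv + bytes(a ^ b for a, b in zip(msg, _stream(key, iv, len(msg))))
    return ct, hmac.new(key, ct, hashlib.sha256).digest()[:TAG_LEN]

def aead_decrypt(key, ct, tag):
    """Returns the plaintext, or None when the tag does not authenticate the ciphertext."""
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest()[:TAG_LEN], tag):
        return None
    body = ct[IV_LEN:]
    return bytes(a ^ b for a, b in zip(body, _stream(key, ct[:IV_LEN], len(body))))

class TagQueue:
    """Fixed-size ring of (hash, message length, tag) entries written by the cryptographic engine."""
    def __init__(self, capacity):
        self.capacity, self.produced, self.slots = capacity, 0, [None] * capacity
    def push(self, ct, tag):
        self.slots[self.produced % self.capacity] = (ct[:HASH_BYTES], len(ct), tag)
        self.produced += 1

def engine_encrypt(key, queue, buffer, msg):
    """Engine side (claim 1): encrypt, append the ciphertext to the shared buffer, record a queue entry."""
    ct, tag = aead_encrypt(key, msg)
    queue.push(ct, tag)
    buffer.append(ct)

def tee_consume(key, queue, buffer, index):
    """TEE side (claims 2, 5, 6). Returns (plaintexts, next queue index, number of messages dropped)."""
    out, dropped = [], 0
    if queue.produced - index > queue.capacity:       # claim 6: an un-consumed entry was overwritten
        index = queue.produced - queue.capacity       # resume at the oldest entry still in the ring
        live = {queue.slots[i % queue.capacity][0] for i in range(index, queue.produced)}
        while buffer and buffer[0][:HASH_BYTES] not in live:   # claim 5: drop messages with no entry
            buffer.pop(0)
            dropped += 1
    while buffer and index < queue.produced:
        h, length, tag = queue.slots[index % queue.capacity]
        if h == buffer[0][:HASH_BYTES] and length == len(buffer[0]):   # claim 2: match -> decrypt
            out.append(aead_decrypt(key, buffer.pop(0), tag))
        index += 1                                    # mismatch: skip the stale entry, keep the message
    return out, index, dropped
```

A decrypt result of None marks a message whose tag failed to verify; the queue index still advances so one bad message cannot stall the consumer.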

Assignees

Intel Corp

Classifications

  • involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC · CPC title

  • at program execution time, where the protection is within the operating system · CPC title

  • Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system (cryptographic typewriters G09C3/00) · CPC title

  • to a system of files or objects, e.g. local or distributed file system or database · CPC title

  • at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Intel Corp
What technology area does this patent fall under?
Primary CPC classification G06F21/602. Mapped technology areas include Physics.
When was this patent published?
Publication date Aug 23, 2022 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).