System, apparatus and method for configurable trusted input/output access from authorized software

US11630904B2 · US · B2

Patent metadata

Publication number: US-11630904-B2
Application number: US-202117304391-A
Country: US
Kind code: B2
Filing date: Jun 21, 2021
Priority date: Aug 27, 2018
Publication date: Apr 18, 2023
Grant date: Apr 18, 2023

Abstract

Official abstract text for this publication.

In one embodiment, an apparatus includes a channel filter and a security processor. The security processor is to: receive a plurality of device access control policies from a protected non-volatile storage of a platform; determine whether the plurality of device access control policies are verified; program the channel filter with a plurality of filter entries each associated with one of the plurality of device access control policies based on the determination; and remove a security attribute of the security processor from a policy register of the channel filter, to lock the channel filter for a boot cycle of the platform. Other embodiments are described and claimed.

First claim

Opening claim text (preview).

What is claimed is:

1. An apparatus comprising: a channel filter; memory; and a security processor coupled to the memory, the security processor to: receive a plurality of device access control policies from a protected non-volatile storage of a platform; determine whether the plurality of device access control policies are verified; program the channel filter with a plurality of filter entries each associated with one of the plurality of device access control policies based on the determination; and remove a security attribute of the security processor from a policy register of the channel filter, to lock the channel filter for a boot cycle of the platform.

2. The apparatus of claim 1, wherein in response to a first request from a first enclave, the channel filter is to unlock a first filter entry and store a first session encryption key in the first filter entry to enable the first enclave to access data from a first device associated with the first filter entry.

3. The apparatus of claim 2, further comprising a memory encryption circuit coupled to the channel filter to: receive first data from the first device; identify a first access control policy in the first filter entry; encrypt the first data with the first session encryption key stored in the first filter entry; and send the first encrypted data to the memory for storage.

4. The apparatus of claim 3, further comprising a memory controller to: in response to a read request for the first encrypted data from the first enclave, obtain the first encrypted data from the memory; and send the first encrypted data to the first enclave, wherein the first enclave is to decrypt the first encrypted data with the first session encryption key.

5. The apparatus of claim 3, wherein in response to an access request to the first device from a second enclave, the channel filter is to: determine whether the second enclave is identified in the first access control policy; and in response to determining that the second enclave is not identified in the first access control policy, prevent the second enclave from access to the first device.

6. The apparatus of claim 1, wherein the security processor is to further: receive the plurality of device access control policies from a firmware of the platform on an initial boot of the platform; and store the plurality of device access control policies in the protected non-volatile storage in response to verification of the plurality of device access control policies.

7. At least one non-transitory computer readable storage medium having stored thereon instructions, which if performed by a machine cause the machine to perform a method comprising: receiving, in a security processor of a platform, a plurality of device access control policies from a protected non-volatile storage of the platform; in response to determining that the plurality of device access control policies are verified, programming a channel filter with a plurality of filter entries each associated with one of the plurality of device access control policies; and removing a security attribute of the security processor from a policy register of the channel filter, to lock the channel filter for a boot cycle of the platform.

8. The at least one non-transitory computer readable storage medium of claim 7, wherein the method further comprises in response to a first request from a first enclave, unlocking a first filter entry and storing a first session encryption key in the first filter entry to enable the first enclave to access data from a first device associated with the first filter entry.

9. The at least one non-transitory computer readable storage medium of claim 8, wherein the method further comprises: receiving first data from the first device; identifying a first access control policy in the first filter entry and encrypting the first data with the first session encryption key stored in the first filter entry; and sending the first encrypted data to a memory for storage.

10. The at least one non-transitory computer readable storage medium of claim 9, wherein the method further comprises: in response to a read request for the first encrypted data from the first enclave, obtaining the first encrypted data from the memory; and sending the first encrypted data to the first enclave, wherein the first enclave is to decrypt the first encrypted data with the first session encryption key.

11. The at least one non-transitory computer readable storage medium of claim 9, wherein the method further comprises: in response to an access request to the first device from a second enclave, determining whether the second enclave is identified in the first access control policy; and in response to determining that the second enclave is not identified in the first access control policy, preventing the second enclave from access to the first device.

12. The at least non-transitory one computer readable storage medium of claim 7, wherein the method further comprises: receiving, in the security processor, the plurality of device access control policies from a firmware of the platform on an initial boot of the platform; and storing the plurality of device access control policies in the protected non-volatile storage in response to verification of the plurality of device access control policies.

13. A system comprising: a first device to receive data from a user and send the data to a destination; a memory to store the data from the first device; and a system on chip comprising: at least one core; a memory execution circuit coupled between the first device and the memory; a channel filter; and a security processor coupled to the at least one core, the security processor to: receive a plurality of device access control policies from a protected non-volatile storage of a platform; determine whether the plurality of device access control policies are verified; program the channel filter with a plurality of filter entries each associated with one of the plurality of device access control policies based on the determination; and remove a security attribute of the security processor from a policy register of the channel filter, to lock the channel filter for a boot cycle of the platform.

14. The system of claim 13, wherein in response to a first request from a first enclave, the channel filter is to unlock a first filter entry and store a first session encryption key in the first filter entry to enable the first enclave to access data from the first device associated with the first filter entry.

15. The system of claim 14, further comprising a memory encryption circuit coupled to the channel filter to: receive first data from the first device; identify a first access control policy in the first filter entry; encrypt the first data with the first session encryption key stored in the first filter entry; and send the first encrypted data to the memory for storage.

16. The system of claim 15, further comprising a memory controller to: in response to a read request for the first encrypted data from the first enclave, obtain the first encrypted data from the memory; and send the first encrypted data to the first enclave, wherein the first enclave is to decrypt the first encrypted data with the first session encryption key.

17. The system of claim 15, wherein in response to an access request to the first device from a second enclave, the channel filter is to: determine whether the second enclave is identified in the first access control policy; and in response to determining tha
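
The control flow of claims 1, 2 and 5 can be followed in a small software model. This is an added example, not code from the patent or from any Intel implementation: every name in it (`channel_filter`, `policy_reg`, `SP_ATTR`, `cf_open_session` and so on) is hypothetical, the `verified` flag stands in for whatever policy verification the platform performs, and checking the enclave identity when a session is opened is an assumption of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_ENTRIES 4
#define SP_ATTR 0x1u /* assumed encoding of the security processor's attribute */
typedef struct { uint32_t device, enclave; int verified; } policy; /* verified: stand-in for the real check */
typedef struct { uint32_t device, enclave; int unlocked; uint8_t key[16]; } filter_entry;
typedef struct { uint32_t policy_reg; int count; filter_entry e[MAX_ENTRIES]; } channel_filter;

/* Platform reset: empty filter, policy register admits the security processor. */
void cf_reset(channel_filter *cf) { memset(cf, 0, sizeof *cf); cf->policy_reg = SP_ATTR; }
/* An entry is written only while the caller's attribute is in the policy register. */
int cf_program(channel_filter *cf, uint32_t attr, const policy *p) {
    if (!(cf->policy_reg & attr) || cf->count == MAX_ENTRIES) return -1;
    filter_entry *fe = &cf->e[cf->count++];
    fe->device = p->device; fe->enclave = p->enclave;
    return 0;
}
/* Boot: program entries only if every policy verified, then lock for the boot cycle. */
int sp_boot(channel_filter *cf, const policy *pol, int n) {
    int ok = 1, programmed = 0;
    for (int i = 0; i < n; i++) ok = ok && pol[i].verified;
    for (int i = 0; ok && i < n; i++) programmed += (cf_program(cf, SP_ATTR, &pol[i]) == 0);
    cf->policy_reg &= ~SP_ATTR; /* lock: even the security processor is now refused */
    return programmed;
}
static filter_entry *find(channel_filter *cf, uint32_t device) {
    for (int i = 0; i < cf->count; i++) if (cf->e[i].device == device) return &cf->e[i];
    return NULL;
}
/* Enclave request: unlock the entry and store the session key (policy check here is assumed). */
int cf_open_session(channel_filter *cf, uint32_t enclave, uint32_t device, const uint8_t key[16]) {
    filter_entry *fe = find(cf, device);
    if (!fe || fe->enclave != enclave) return -1;
    memcpy(fe->key, key, 16); fe->unlocked = 1;
    return 0;
}
/* 1 only if a session is open and the enclave is identified in the entry's policy. */
int cf_access(channel_filter *cf, uint32_t enclave, uint32_t device) {
    filter_entry *fe = find(cf, device);
    return fe && fe->unlocked && fe->enclave == enclave;
}
int main(void) {
    channel_filter cf; uint8_t key[16] = {0};
    policy pol[] = {{10, 100, 1}}; /* constructed: device 10 is bound to enclave 100 */
    cf_reset(&cf); sp_boot(&cf, pol, 1); cf_open_session(&cf, 100, 10, key);
    printf("enclave 100: %d, enclave 200: %d\n", cf_access(&cf, 100, 10), cf_access(&cf, 200, 10));
    return 0;
}
```

The model locks the filter even when verification fails, so an unverified policy set leaves the filter empty and unprogrammable until the next reset.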

Classifications

  • Secure boot · CPC title

  • involving digital signatures · CPC title

  • Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage · CPC title

  • by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title

  • H04L9/088 · Primary

    Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms (network architectures or network communication protocols for using time-dependent keys in a packet data network H04L63/068) · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11630904B2 cover?
In one embodiment, an apparatus includes a channel filter and a security processor. The security processor is to: receive a plurality of device access control policies from a protected non-volatile storage of a platform; determine whether the plurality of device access control policies are verified; program the channel filter with a plurality of filter entries each associated with one of the pl…
Who is the assignee on this patent?
Intel Corp
What technology area does this patent fall under?
Primary CPC classification H04L9/088. Mapped technology areas include Electricity.
When was this patent published?
Publication date Apr 18, 2023 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).