Technologies for memory replay prevention using compressive encryption

US11775332B2 · US · B2

Patent metadata
Publication number: US-11775332-B2
Application number: US-202117532886-A
Country: US
Kind code: B2
Filing date: Nov 22, 2021
Priority date: Jul 1, 2017
Publication date: Oct 3, 2023
Grant date: Oct 3, 2023

Abstract

Official abstract text for this publication.

Systems and methods for memory isolation are provided. The methods include receiving a request to write a data line to a physical memory address, where the physical memory address includes a key identifier, selecting an encryption key from a key table based on the key identifier of the physical memory address, determining whether the data line is compressible, compressing the data line to generate a compressed line in response to determining that the data line is compressible, where the compressed line includes compression metadata and compressed data, adding encryption metadata to the compressed line, where the encryption metadata is indicative of the encryption key, encrypting a part of the compressed line with the encryption key to generate an encrypted line in response to adding the encryption metadata, and writing the encrypted line to a memory device at the physical memory address. Other embodiments are described and claimed.

First claim

Opening claim text (preview).

The invention claimed is:

1. An apparatus comprising: first processor circuitry coupled to memory, the first processor circuitry to facilitate memory isolation, the first processor circuitry to: select a decryption key from a key table based on a start of an encrypted line if the start of the encrypted line fails to match a conflict indicator, wherein a part of the encrypted line is used to generate a compressed line having one or more of compression metadata, integrity metadata, and compressed data; verify the integrity metadata against the compressed data and, if the integrity metadata is verified, decompress the compressed data to generate a data line; and forward the data line to a second processor circuitry.

2. The apparatus of claim 1, wherein the first processor circuitry is further to: receive a request to read the encrypted line from a physical memory address of the apparatus, wherein the physical memory address comprises a key identifier; determine the start of the encrypted line matching the conflict indicator, wherein the conflict indicator comprises a predetermined bit pattern; (i) decrypt the part of the encrypted line with the decryption key to generate the compressed line, and (ii) determine whether the integrity metadata is verified against the compressed data; determine whether the start of the encrypted line matches the key identifier of the physical memory address in response to the determination that the integrity metadata is verified against the compressed data; and generate a verification error in response to a determination that the start of the encrypted line does not match the key identifier of the physical memory address; wherein to decompress the compressed data further comprises to decompress the compressed data in response to a determination that the start of the encrypted line matches the key identifier of the physical memory address.

3. The apparatus of claim 1, wherein the first processor circuitry is further to: select a second decryption key from the key table based on the key identifier of the physical memory address in response to a determination that the integrity metadata is not verified against the compressed data; and decrypt the entire encrypted line with the second decryption key to generate the data line in response to selection of the second decryption key; wherein to forward the data line further comprises to forward the data line in response to decryption of the entire encrypted line.

4. The apparatus of claim 3, wherein the first processor circuitry is further to: replace the start of the encrypted line with a value from a conflict table that corresponds to the physical memory address of the encrypted line in response to a determination that the start of the encrypted line matches the conflict indicator; wherein to decrypt the entire encrypted line further comprises to decrypt the entire encrypted line in response to replacement of the start of the encrypted line.

5. A method comprising: selecting, by a first computing device, a decryption key from a key table based on a start of an encrypted line failing to match a conflict indicator, wherein a part of the encrypted line is used to generate a compressed line having one or more of compression metadata, integrity metadata, and compressed data; verifying integrity metadata against compressed data and, if the integrity metadata is verified, decompressing, by the first computing device, the compressed data to generate a data line; and forwarding, by the first computing device, the data line to a second computing device.

6. The method of claim 5, further comprising: receiving, by the first computing device, a request to read the encrypted line from a physical memory address of the apparatus, wherein the physical memory address comprises a key identifier; determining the start of the encrypted line matching the conflict indicator, wherein the conflict indicator comprises a predetermined bit pattern; (i) decrypting the part of the encrypted line with the decryption key to generate the compressed line, and (ii) determining whether the integrity metadata is verified against the compressed data; determining whether the start of the encrypted line matches the key identifier of the physical memory address in response to the determination that the integrity metadata is verified against the compressed data; and generating a verification error in response to a determination that the start of the encrypted line does not match the key identifier of the physical memory address; wherein to decompress the compressed data further comprises to decompress the compressed data in response to a determination that the start of the encrypted line matches the key identifier of the physical memory address.

7. The method of claim 5, further comprising: selecting a second decryption key from the key table based on the key identifier of the physical memory address in response to a determination that the integrity metadata is not verified against the compressed data; and decrypting the entire encrypted line with the second decryption key to generate the data line in response to selection of the second decryption key; wherein to forward the data line further comprises to forward the data line in response to decryption of the entire encrypted line.

8. The method of claim 7, further comprising: replacing the start of the encrypted line with a value from a conflict table that corresponds to the physical memory address of the encrypted line in response to a determination that the start of the encrypted line matches the conflict indicator; wherein to decrypt the entire encrypted line further comprises to decrypt the entire encrypted line in response to replacement of the start of the encrypted line.

9. A non-transitory computer-readable medium having stored thereon instructions which, when executed, cause a first computing device to perform operations comprising: selecting a decryption key from a key table based on a start of an encrypted line if the encrypted line fails to match the conflict indicator, wherein a part of the encrypted line is used to generate a compressed line having one or more of compression metadata, integrity metadata, and compressed data; verifying integrity metadata against compressed data and, if the integrity metadata is verified, decompressing the compressed data to generate a data line; forwarding the data line to a second computing device.

10. The non-transitory computer-readable medium of claim 9, wherein the operations further comprise: receiving a request to read the encrypted line from a physical memory address of the apparatus, wherein the physical memory address comprises a key identifier; determining the start of the encrypted line matching the conflict indicator, wherein the conflict indicator comprises a predetermined bit pattern; (i) decrypting the part of the encrypted line with the decryption key to generate the compressed line, and (ii) determining whether the integrity metadata is verified against the compressed data; determining whether the start of the encrypted line matches the key identifier of the physical memory address in response to the determination that the integrity metadata is verified against the compressed data; and generating a verification error in response to a determination that the start of the encrypted line does not match the key identifier of the physical memory address; wherein to decompress the compressed data further comprises to decompress the compressed data in response to a determination that the start of the encrypted line matches the key identifier of the physical memory address.

11. The non-transitory computer-read
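The write path in the abstract and the read path in claims 1 to 4 can be modelled in software; the sketch below is an added example, not code from the patent or its assignee. Its assumptions: a 64-byte line, the key identifier held above address bit 40, 0xFF as the conflict indicator, zlib as the compressor, a SHAKE-256 XOR stream standing in for the hardware cipher, a truncated HMAC as integrity metadata, and a writer that displaces the first ciphertext byte of an incompressible line whenever it would be misread.

```python
import hashlib, hmac, zlib

LINE, KEYID_SHIFT = 64, 40          # line size; key id sits above address bit 40 (assumed)
CONFLICT = 0xFF                     # predetermined conflict-indicator byte (assumed value)
KEY_TABLE = {1: b"constructed-key-1", 2: b"constructed-key-2"}  # constructed keys
conflict_table = {}                 # memory location -> displaced first ciphertext byte

def _split(addr):                   # -> (key identifier, memory location)
    return addr >> KEYID_SHIFT, addr & ((1 << KEYID_SHIFT) - 1)

def _xor(key, loc, data):           # toy location-tweaked stream cipher, not the real one
    ks = hashlib.shake_256(key + loc.to_bytes(8, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def _tag(key, body):                # 4-byte integrity metadata over the compressed data
    return hmac.new(key, body, hashlib.sha256).digest()[:4]

def write_line(mem, addr, line):
    kid, loc = _split(addr)
    key = KEY_TABLE[kid]
    conflict_table.pop(loc, None)   # drop any stale entry for this location
    comp = zlib.compress(line, 9)
    if len(comp) <= LINE - 6:       # compressible: room for key id, length and tag
        body = comp.ljust(LINE - 6, b"\0")
        clear = bytes([len(comp)]) + _tag(key, body) + body
        mem[loc] = bytes([kid]) + _xor(key, loc, clear)   # key id stays in the clear
    else:                           # incompressible: encrypt the entire line
        enc = _xor(key, loc, line)
        if enc[0] == CONFLICT or enc[0] in KEY_TABLE:     # start would be misread
            conflict_table[loc] = enc[0]
            enc = bytes([CONFLICT]) + enc[1:]
        mem[loc] = enc

def read_line(mem, addr):
    kid, loc = _split(addr)
    enc = mem[loc]
    if enc[0] == CONFLICT:          # restore displaced start, then whole-line path
        enc = bytes([conflict_table[loc]]) + enc[1:]
    elif enc[0] in KEY_TABLE:       # start selects the key for the compressed layout
        key = KEY_TABLE[enc[0]]
        clear = _xor(key, loc, enc[1:])
        n, tag, body = clear[0], clear[1:5], clear[5:]
        if hmac.compare_digest(tag, _tag(key, body)):
            if enc[0] != kid:       # line belongs to another key domain
                raise PermissionError("verification error: key id mismatch")
            return zlib.decompress(body[:n])
    return _xor(KEY_TABLE[kid], loc, enc)   # second key: chosen by the address
```

Reading a compressed line through an address that carries a different key identifier raises the verification error of claim 2, which is the isolation property the stored key identifier provides.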

Classifications

  • Hypervisor-specific management and integration aspects

  • using clearing, invalidating or resetting means

  • by using cryptography (for digital transmission H04L9/00)

  • by executing in a restricted environment, e.g. sandbox or secure virtual machine

  • in semiconductor storage media, e.g. directly-addressable memories

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11775332B2 cover?
Systems and methods for memory isolation are provided. The methods include receiving a request to write a data line to a physical memory address, where the physical memory address includes a key identifier, selecting an encryption key from a key table based on the key identifier of the physical memory address, determining whether the data line is compressible, compressing the data line to gener…

Who is the assignee on this patent?
Intel Corp

What technology area does this patent fall under?
Primary CPC classification G06F9/45558. Mapped technology areas include Physics.

When was this patent published?
Publication date Oct 3, 2023 (B2). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?
We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).