Providing isolation in virtualized systems using trust domains
US-2023315857-A1 · Oct 5, 2023 · US
US12135801B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12135801-B2 |
| Application number | US-202217820628-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 18, 2022 |
| Priority date | Jun 20, 2016 |
| Publication date | Nov 5, 2024 |
| Grant date | Nov 5, 2024 |
Abstract
Technologies for trusted I/O include a computing device having a hardware cryptographic agent, a cryptographic engine, and an I/O controller. The hardware cryptographic agent intercepts a message from the I/O controller and identifies boundaries of the message. The message may include multiple DMA transactions, and the start of message is the start of the first DMA transaction. The cryptographic engine encrypts the message and stores the encrypted data in a memory buffer. The cryptographic engine may skip and not encrypt header data starting at the start of message or may read a value from the header to determine the skip length. In some embodiments, the cryptographic agent and the cryptographic engine may be an inline cryptographic engine. In some embodiments, the cryptographic agent may be a channel identifier filter, and the cryptographic engine may be processor-based. Other embodiments are described and claimed.
Claims
The invention claimed is:

1. An apparatus comprising: processor circuitry coupled to a memory; an input/output (IO) controller to receive a plurality of IO messages from one or more IO devices; a cryptographic engine configured to perform encryption operations on the plurality of IO messages to generate a respective plurality of encrypted messages and a corresponding plurality of authentication tags (ATs), the cryptographic engine to store the respective plurality of encrypted messages in an encrypted message buffer and to store the corresponding plurality of ATs in an authentication tag queue; the processor circuitry to execute instructions to: operate a trusted execution environment (TEE), the TEE to authenticate a next encrypted message of the plurality of encrypted messages based on a comparison with a corresponding AT in the authentication tag queue and, in response to a successful authentication, to decrypt the next encrypted message to generate a decrypted message to be accessible within the TEE; determine whether the authentication tag queue and the encrypted message buffer are synchronized; and drop one or more of the encrypted messages from the encrypted message buffer when the authentication tag queue and the encrypted message buffer are not synchronized, wherein each AT stored in the authentication tag queue comprises one or more of a hash, a message length, or an authentication tag.

2. The apparatus of claim 1, wherein to determine whether the authentication tag queue and the encrypted message buffer are synchronized comprises to determine whether an un-consumed entry of the authentication tag queue has been overwritten, wherein the hash comprises a predetermined number of bytes from a start of the encrypted message of the one or more encrypted messages.

3. The apparatus of claim 1, wherein the processor circuitry is to host a hardware cryptographic agent having the cryptographic engine, and wherein the processor circuitry is in communication with the trusted execution environment having an application enclave established by secure enclave support for the processor circuitry.

4. A method comprising: receiving, by an input/output (IO) controller of a computing device, a plurality of IO messages from one or more IO devices; performing, by a cryptographic engine of the computing device, encryption operations on the plurality of IO messages to generate a respective plurality of encrypted messages and a corresponding plurality of authentication tags (ATs), the cryptographic engine to store the respective plurality of encrypted messages in an encrypted message buffer and to store the corresponding plurality of ATs in an authentication tag queue; authenticating, by a trusted execution environment (TEE) executed by a processor of the computing device, a next encrypted message of the plurality of encrypted messages based on a comparison with a corresponding AT in the authentication tag queue; decrypting the next encrypted message in response to a successful authentication to generate a decrypted message to be accessible within the TEE; determining, by the processor of the computing device, whether the authentication tag queue and the encrypted message buffer are synchronized; and dropping one or more of the encrypted messages from the encrypted message buffer when the authentication tag queue and the encrypted message buffer are not synchronized, wherein each AT stored in the authentication tag queue comprises one or more of a hash, a message length, or an authentication tag.

5. The method of claim 4, wherein determining whether the authentication tag queue and the encrypted message buffer are synchronized comprises determining whether an un-consumed entry of the authentication tag queue has been overwritten, wherein the hash comprises a predetermined number of bytes from a start of the encrypted message of the one or more encrypted messages.

6. The method of claim 4, wherein the processor comprises a hardware cryptographic agent having the cryptographic engine, and wherein the processor circuitry is in communication with the trusted execution environment having an application enclave established by secure enclave support for the processor circuitry.

7. At least one computer-readable medium having stored thereon instructions which, when executed, cause a computing device to perform operations comprising: receiving, by an input/output (IO) controller of a computing device, a plurality of IO messages from one or more IO devices; performing, by a cryptographic engine of the computing device, encryption operations on the plurality of IO messages to generate a respective plurality of encrypted messages and a corresponding plurality of authentication tags (ATs), the cryptographic engine to store the respective plurality of encrypted messages in an encrypted message buffer and to store the corresponding plurality of ATs in an authentication tag queue; authenticating, by a trusted execution environment (TEE) executed by a processor of the computing device, a next encrypted message of the plurality of encrypted messages based on a comparison with a corresponding AT in the authentication tag queue; decrypting the next encrypted message in response to a successful authentication to generate a decrypted message to be accessible within the TEE; determining, by the processor of the computing device, whether the authentication tag queue and the encrypted message buffer are synchronized; and dropping one or more of the encrypted messages from the encrypted message buffer when the authentication tag queue and the encrypted message buffer are not synchronized, wherein each AT stored in the authentication tag queue comprises one or more of a hash, a message length, or an authentication tag.

8. The computer-readable medium of claim 7, wherein determining whether the authentication tag queue and the encrypted message buffer are synchronized comprises determining whether an un-consumed entry of the authentication tag queue has been overwritten, wherein the hash comprises a predetermined number of bytes from a start of the encrypted message of the one or more encrypted messages.

9. The computer-readable medium of claim 7, wherein the computing device comprises a processor coupled to a memory, wherein the processor comprises a hardware cryptographic agent having the cryptographic engine, and wherein the processor circuitry is in communication with the trusted execution environment having an application enclave established by secure enclave support for the processor circuitry.
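The claims describe two structures that can drift apart: an encrypted message buffer filled by the cryptographic engine and a separate authentication tag (AT) queue, each AT holding a hash of the first bytes of the ciphertext, the message length, and a tag. The TEE authenticates the next message against its AT, and if an un-consumed AT entry has been overwritten (claims 2, 5, 8) it drops the messages that no longer have a usable AT. The following Python model, written for this page and not taken from the patent or any Intel implementation, shows that producer/consumer flow. Everything beyond the claim text is assumed: the AT queue as a fixed-depth ring buffer that the engine writes without waiting for the consumer, a per-message sequence number used to notice a lapped entry, a toy SHA-256 keystream cipher with an HMAC-SHA256 tag standing in for the engine's real cipher and tag, and the ring depth of 4.

```python
import hashlib
import hmac
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional, Tuple

HASH_PREFIX_LEN = 8   # "predetermined number of bytes from a start of the encrypted message"
QUEUE_DEPTH = 4       # assumed ring depth; the patent does not fix a value


@dataclass(frozen=True)
class AuthTagEntry:
    seq: int            # assumed sequence number, lets the TEE detect an overwritten slot
    hash_prefix: bytes  # the hash field, read literally as the first ciphertext bytes
    length: int         # message length
    tag: bytes          # authentication tag


class AuthTagQueue:
    """Fixed-depth ring. The engine overwrites slots freely, so a slow TEE can
    find an un-consumed entry replaced by a newer one (the desync case)."""

    def __init__(self, depth: int) -> None:
        self.depth = depth
        self.slots: List[Optional[AuthTagEntry]] = [None] * depth
        self.produced = 0

    def push(self, entry: AuthTagEntry) -> None:
        self.slots[self.produced % self.depth] = entry
        self.produced += 1

    def entry_for(self, seq: int) -> Optional[AuthTagEntry]:
        return self.slots[seq % self.depth]


def _keystream(key: bytes, seq: int, n: int) -> bytes:
    # Toy stream cipher (assumed): SHA-256 counter mode, never reuses (seq, ctr).
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + seq.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def _tag(key: bytes, seq: int, ciphertext: bytes) -> bytes:
    # HMAC over seq || ciphertext so a replayed or reordered message fails the check.
    return hmac.new(key, seq.to_bytes(8, "big") + ciphertext, hashlib.sha256).digest()[:16]


class CryptoEngine:
    """Encrypts each IO message, appends ciphertext to the buffer, pushes its AT."""

    def __init__(self, key: bytes, queue: AuthTagQueue, buffer: Deque[Tuple[int, bytes]]) -> None:
        self.key, self.queue, self.buffer = key, queue, buffer
        self.seq = 0

    def process(self, plaintext: bytes) -> int:
        seq = self.seq
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(self.key, seq, len(plaintext))))
        self.buffer.append((seq, ct))
        self.queue.push(AuthTagEntry(seq, ct[:HASH_PREFIX_LEN], len(ct), _tag(self.key, seq, ct)))
        self.seq += 1
        return seq


class TeeConsumer:
    """The TEE side: sync check, drop on desync, authenticate, then decrypt."""

    def __init__(self, key: bytes, queue: AuthTagQueue, buffer: Deque[Tuple[int, bytes]]) -> None:
        self.key, self.queue, self.buffer = key, queue, buffer
        self.consumed = 0          # seq of the next message we expect to authenticate
        self.dropped: List[int] = []

    def synchronized(self) -> bool:
        entry = self.queue.entry_for(self.consumed)
        return entry is not None and entry.seq == self.consumed

    def next_message(self) -> Optional[bytes]:
        """Returns the decrypted message, or None if nothing usable or auth failed."""
        if not self.buffer:
            return None
        if not self.synchronized():
            # Our AT was overwritten: drop every buffered message older than the
            # oldest AT still in the ring, then resume from there.
            oldest_surviving = self.queue.produced - self.queue.depth
            while self.buffer and self.buffer[0][0] < oldest_surviving:
                self.dropped.append(self.buffer.popleft()[0])
            self.consumed = oldest_surviving
            if not self.buffer or not self.synchronized():
                return None
        seq, ct = self.buffer.popleft()
        entry = self.queue.entry_for(seq)
        self.consumed = seq + 1
        if entry is None or entry.seq != seq:
            return None
        ok = (entry.length == len(ct)
              and hmac.compare_digest(entry.hash_prefix, ct[:HASH_PREFIX_LEN])
              and hmac.compare_digest(entry.tag, _tag(self.key, seq, ct)))
        if not ok:
            return None
        return bytes(c ^ k for c, k in zip(ct, _keystream(self.key, seq, len(ct))))


if __name__ == "__main__":
    key = b"k" * 32                     # constructed demo key
    q, buf = AuthTagQueue(QUEUE_DEPTH), deque()
    eng, tee = CryptoEngine(key, q, buf), TeeConsumer(key, q, buf)
    for i in range(6):                  # 6 messages into a 4-deep AT ring before the TEE reads
        eng.process(b"msg%d" % i)
    print(tee.next_message(), "dropped:", tee.dropped)   # b'msg2' dropped: [0, 1]
```

With six messages produced before the TEE reads any, the ATs for messages 0 and 1 have been overwritten by 4 and 5; the consumer notices that slot 0 now carries seq 4, drops messages 0 and 1, and resumes at message 2. A ciphertext modified in the buffer after the AT was written fails the tag comparison and is not decrypted, which is the authenticate-then-decrypt ordering the claims require.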
CPC classification titles:

- involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
- at program execution time, where the protection is within the operating system
- at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
- for access to input/output bus
- Modes of operation, e.g. cipher block chaining [CBC], electronic codebook [ECB] or Galois/counter mode [GCM]