Technologies for secure device configuration and management
US-2022091998-A1 · Mar 24, 2022 · US
US12430473B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12430473-B2 |
| Application number | US-202318493709-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 24, 2023 |
| Priority date | Dec 20, 2018 |
| Publication date | Sep 30, 2025 |
| Grant date | Sep 30, 2025 |
Abstract
A method of creating a trusted execution domain includes initializing, by a processing device executing a trust domain resource manager (TDRM), a trust domain control structure (TDCS) and a trust domain protected memory (TDPM) associated with a trust domain (TD). The method further includes generating a one-time cryptographic key, assigning the one-time cryptographic key to an available host key id (HKID) in a multi-key total memory encryption (MK-TME) engine, and storing the HKID in the TDCS. The method further includes associating a logical processor to the TD, adding a memory page from an address space of the logical processor to the TDPM, and transferring execution control to the logical processor to execute the TD.
Claims (preview)
What is claimed is:

1. A system-on-chip (SoC) comprising: a memory to store a key ownership table, the key ownership table to store a first plurality of key identifiers and a first plurality of corresponding indicators to indicate that the first plurality of key identifiers are assigned to a first plurality of cryptographic keys, and the key ownership table to store a second plurality of key identifiers and a second plurality of corresponding indicators to indicate that the second plurality of key identifiers are available to be assigned to other cryptographic keys; an encryption circuit to encrypt data stored to memory from a plurality of trust domains using the first plurality of cryptographic keys, wherein each of the first plurality of cryptographic keys is to be assigned to a different corresponding one of the plurality of trust domains, wherein a first cryptographic key of the first plurality of cryptographic keys is to be assigned to a first trust domain of the plurality of trust domains; decode circuitry to decode an instruction for a virtual machine monitor (VMM); and execution circuitry to perform operations corresponding to the instruction, including to: determine whether data corresponding to the first trust domain has been flushed from entries of a cache; and if the data has been flushed from the entries of the cache, modify a first indicator of the first plurality of indicators to indicate that a corresponding first key identifier of the first plurality of key identifiers is no longer assigned to the first cryptographic key and is available to be assigned to one of the other cryptographic keys.
2. The SoC of claim 1, wherein the operations further include to determine whether the data corresponding to the first trust domain has been flushed from entries of a translation lookaside buffer (TLB).
3. The SoC of claim 2, wherein the first indicator is to be modified if the data has been flushed from the entries of the TLB.
4. The SoC of claim 1, further comprising a memory to store a trust domain control structure corresponding to the first trust domain, the trust domain control structure to store the first cryptographic key and an identifier of the first trust domain.
5. The SoC of claim 4, wherein the trust domain control structure is also to store the first key identifier.
6. The SoC of claim 1, wherein the key ownership table is not visible to software operating on processor.
7. The SoC of claim 1, wherein the encryption circuit is a multi-key total memory encryption (MK-TME) circuit.
8. The SoC of claim 1, wherein the operations further include to determine whether the data corresponding to the first trust domain has been flushed from entries of a translation lookaside buffer (TLB), wherein the first indicator is to be modified if the data has been flushed from the entries of the TLB, and further comprising a memory to store a trust domain control structure corresponding to the first trust domain, the trust domain control structure to store the first cryptographic key and an identifier of the first trust domain.
9. The SoC of claim 1, wherein the key ownership table is not visible to software operating on processor, wherein the encryption circuit is a multi-key total memory encryption (MK-TME) circuit.
10. A method comprising: storing, in a key ownership table, a first plurality of key identifiers and a first plurality of corresponding indicators indicating that the first plurality of key identifiers are assigned to a first plurality of cryptographic keys; storing, in the key ownership table, a second plurality of key identifiers and a second plurality of corresponding indicators indicating that the second plurality of key identifiers are available to be assigned to other cryptographic keys; encrypting data stored to memory from a plurality of trust domains using the first plurality of cryptographic keys, wherein each of the first plurality of cryptographic keys is assigned to a different corresponding one of the plurality of trust domains, wherein a first cryptographic key of the first plurality of cryptographic keys is assigned to a first trust domain of the plurality of trust domains; decoding an instruction for a virtual machine monitor (VMM); and performing operations corresponding to the instruction, including: determining that data corresponding to the first trust domain has been flushed from entries of a cache; and after said determining that the data has been flushed from the entries of the cache, modifying a first indicator of the first plurality of indicators to indicate that a corresponding first key identifier of the first plurality of key identifiers is no longer assigned to the first cryptographic key and is available to be assigned to one of the other cryptographic keys.
11. The method of claim 10, wherein the operations further include determining whether the data corresponding to the first trust domain has been flushed from entries of a translation lookaside buffer (TLB).
12. The method of claim 11, wherein said modifying the first indicator occurs after said determining that the data has been flushed from the entries of the TLB.
13. The method of claim 10, further comprising storing the first cryptographic key and an identifier of the first trust domain in a trust domain control structure corresponding to the first trust domain.
14. The method of claim 13, further comprising storing the first key identifier in the trust domain control structure.
15. The method of claim 10, wherein the operations further include determining whether the data corresponding to the first trust domain has been flushed from entries of a translation lookaside buffer (TLB), wherein said modifying the first indicator occurs after said determining that the data has been flushed from the entries of the TLB, and further comprising storing the first cryptographic key and an identifier of the first trust domain in a trust domain control structure corresponding to the first trust domain.
16. An apparatus comprising: a memory to store a key ownership table, the key ownership table to store a first plurality of key identifiers and a first plurality of corresponding indicators to indicate that the first plurality of key identifiers are assigned to a first plurality of cryptographic keys, and the key ownership table to store a second plurality of key identifiers and a second plurality of corresponding indicators to indicate that the second plurality of key identifiers are available to be assigned to other cryptographic keys; an encryption circuit to encrypt data stored to memory from a plurality of trust domains using the first plurality of cryptographic keys, wherein each of the first plurality of cryptographic keys is to be assigned to a different corresponding one of the plurality of trust domains, wherein a first cryptographic key of the first plurality of cryptographic keys is to be assigned to a first trust domain of the plurality of trust domains; and circuitry to perform operations corresponding to an instruction for a virtual machine monitor (VMM), including to: determine whether data corresponding to the first trust domain has been flushed from entries of a cache; determine whether the data corresponding to the first trust domain has been flushed from entries of a translation lookaside buffer (TLB); and if the data has been flushed from the entries of the cache, and the data has been flushed from the entries of the TLB, modify a first indicator of the first plurality of indicators to indicate that a corresponding first key identifier of the first plurality of key identi
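The key ownership table lifecycle that claims 1, 10 and 16 describe, as an added C model written for this page (not Intel's TDX code): an HKID is bound to a trust domain at creation and is only returned to the available pool once both the cache and the TLB are confirmed flushed of data tagged with it. The function names, the 4-entry pool size and the integer TD identifiers are assumptions.

```c
/* Added model of the key ownership table (KOT) from claims 1, 10 and 16: a
 * fixed pool of host key IDs (HKIDs), each marked assigned or available, and
 * a reclaim step gated on cache and TLB flushes. Illustrative code written
 * for this page, not Intel's TDX code; names and pool size are assumptions. */
#include <stdbool.h>

#define KOT_ENTRIES 4      /* assumed pool size; real MK-TME engines have more */
#define TD_NONE (-1)
enum hkid_state { HKID_AVAILABLE = 0, HKID_ASSIGNED = 1 };
struct kot_entry {
    enum hkid_state state; /* the per-HKID "indicator" of the claims */
    int owner_td;          /* owning TD identifier, TD_NONE when available */
};
struct kot { struct kot_entry e[KOT_ENTRIES]; };

/* Every HKID starts available (the "second plurality" of claim 1). */
void kot_init(struct kot *k) {
    for (int i = 0; i < KOT_ENTRIES; i++) {
        k->e[i].state = HKID_AVAILABLE;
        k->e[i].owner_td = TD_NONE;
    }
}

/* TD creation step: bind td_id to the first free HKID.
 * Returns the HKID, or -1 when no key ID is available. */
int kot_assign(struct kot *k, int td_id) {
    for (int i = 0; i < KOT_ENTRIES; i++) {
        if (k->e[i].state == HKID_AVAILABLE) {
            k->e[i].state = HKID_ASSIGNED;
            k->e[i].owner_td = td_id;
            return i;
        }
    }
    return -1;
}

/* VMM reclaim instruction (claim 16): release the HKID only after both the
 * cache and the TLB are confirmed free of data tagged with it. Returns 0 on
 * success, -1 if flushes are incomplete or td_id does not own hkid. */
int kot_reclaim(struct kot *k, int hkid, int td_id,
                bool cache_flushed, bool tlb_flushed) {
    if (hkid < 0 || hkid >= KOT_ENTRIES) return -1;
    struct kot_entry *ent = &k->e[hkid];
    if (ent->state != HKID_ASSIGNED || ent->owner_td != td_id) return -1;
    if (!cache_flushed || !tlb_flushed) return -1; /* stale ciphertext risk */
    ent->state = HKID_AVAILABLE;
    ent->owner_td = TD_NONE;
    return 0;
}
```

The guard in kot_reclaim is the point of the claims: an HKID handed to a new TD while the old TD's lines are still cached under it would let encrypted data from one domain reach another.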
CPC classification titles:
- Secure boot
- Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
- Hypervisor-specific management and integration aspects
- Isolation or security of virtual machine instances
- the resource being the memory