Patents by Inventor Krystof Zmudzinski
Krystof Zmudzinski has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20240070091Abstract: An apparatus comprises a hardware processor to program a memory table for a trusted domain with a first device identifier associated with a device, a guest physical address (GPA) range associated with the device, and a guest physical address offset, receive a memory access request from the device, the memory access request comprising a second device identifier and a guest physical address, and validate the memory access request using the memory table.Type: ApplicationFiled: August 29, 2022Publication date: February 29, 2024Applicant: Intel CorporationInventors: Pradeep Pappachan, Krystof Zmudzinski, Reshma Lal
-
Publication number: 20240073013Abstract: An apparatus comprises a hardware processor to perform an attestation procedure to attest a remote device, establish a session key for a communication session with the remote device, define a linear address (LA) region outside an established address range for a secure enclave, generate, for the linear address (LA) region, a unique encryption key accessible only to the enclave, assign a key identifier to the unique encryption key, store the linear address (LA) region and the unique encryption key in an enclave control structure, set a pending bit in the enclave control structure to a value to indicate that contents of the linear address region cannot be changed without approval from the secure enclave, clear the pending bit to indicate that the linear address range is available for use by the enclave, wrap the key identifier and the unique encryption key with the session key, and send the key identifier and the unique encryption key to the remote device.Type: ApplicationFiled: August 30, 2022Publication date: February 29, 2024Applicant: Intel CorporationInventors: Reshma Lal, Krystof Zmudzinski
-
Publication number: 20240061697Abstract: An apparatus comprises a hardware processor to create an input/output control data structure (IOCS) for a trusted execution environment (TEE), allocate an input/output (I/O) address range comprising a host physical address (HPA) and a plurality of input/output (IO) pages to the input/output control structure, create an entry in the input/output control structure (IOCS) for a set of input/output (IO) pages and a device identifier for a remote device, set a pending bit to a first value which indicates that the remote device is authorized to access the input/output (I/O) address range, and grant the remote device access to the set of input/output pages in the input/output control structure upon verification of an input/output (IO) address range for the remote device.Type: ApplicationFiled: August 19, 2022Publication date: February 22, 2024Applicant: Intel CorporationInventors: RESHMA LAL, KRYSTOF ZMUDZINSKI, PRADEEP PAPPACHAN
-
Publication number: 20240054071Abstract: An apparatus comprises a hardware processor to define a linear address (LA) region outside an established address range for a secure enclave, generate, for the linear address (LA) region, a unique encryption key accessible only to the enclave, assign a key identifier to the unique encryption key, store the linear address (LA) region and the unique encryption key in an enclave control structure, and program the key identifier and the unique encryption key into a memory encryption circuitry.Type: ApplicationFiled: August 15, 2022Publication date: February 15, 2024Applicant: Intel CorporationInventor: KRYSTOF ZMUDZINSKI
-
Publication number: 20230297725Abstract: Technologies for secure I/O include a compute device having a processor, a memory, an input/output (I/O) device, and a filter logic. The filter logic is configured to receive a first key identifier from the processor, wherein the first key identifier is indicative of a shared memory range includes a shared key identifier range to be used for untrusted I/O devices and receive a transaction from the I/O device, wherein the transaction includes a second key identifier and a trust device ID indicator associated with the I/O device. The filter logic is further configured to determine whether the transaction is asserted with the trust device ID indicator indicative of whether the I/O device is assigned to a trust domain and determine, in response to a determination that the transaction is not asserted with the trust device ID indicator, whether the second key identifier matches the first key identifier.Type: ApplicationFiled: May 22, 2023Publication date: September 21, 2023Inventors: Luis Kida, Krystof Zmudzinski, Reshma Lal, Pradeep Pappachan, Abhishek Basak, Anna Trikalinou
-
Publication number: 20230205869Abstract: Systems, methods, and apparatuses relating efficient exception handling in trusted execution environments are described. In an embodiment, a hardware processor includes a register, a decoder, and execution circuitry. The register has a field to be set to enable an architecturally protected execution environment at one of a plurality of contexts for code in an architecturally protected enclave in memory. The decoder is to decode an instruction having a format including a field for an opcode, the opcode to indicate that the execution circuitry is to perform a context change. The execution circuitry is to perform one or more operations corresponding to the instruction, the one or more operations including changing, within the architecturally protected enclave, from a first context to a second context.Type: ApplicationFiled: December 23, 2021Publication date: June 29, 2023Applicant: Intel CorporationInventors: Scott Constable, Bin Xing, Yuan Xiao, Krystof Zmudzinski, Mona Vij, Mark Shanahan, Francis McKeen, Ittai Anati
-
Patent number: 11625275Abstract: Technologies for secure I/O include a compute device, which further includes a processor, a memory, a trusted execution environment (TEE), one or more input/output (I/O) devices, and an I/O subsystem. The I/O subsystem includes a device memory access table (DMAT) programmed by the TEE to establish bindings between the TEE and one or more I/O devices that the TEE trusts and a memory ownership table (MOT) programmed by the TEE when a memory page is allocated to the TEE.Type: GrantFiled: December 2, 2020Date of Patent: April 11, 2023Assignee: INTEL CORPORATIONInventors: Krystof Zmudzinski, Siddhartha Chhabra, Reshma Lal, Alpa Narendra Trivedi, Luis S. Kida, Pradeep M. Pappachan, Abhishek Basak, Anna Trikalinou
-
Patent number: 11416415Abstract: Technologies for secure device configuration and management include a computing device having an I/O device. A trusted agent of the computing device is trusted by a virtual machine monitor of the computing device. The trusted agent securely commands the I/O device to enter a trusted I/O mode, securely commands the I/O device to set a global lock on configuration registers, receives configuration data from the I/O device, and provides the configuration data to a trusted execution environment. In the trusted I/O mode, the I/O device rejects a configuration command if a configuration register associated with the configuration command is locked and the configuration command is not received from the trusted agent. The trusted agent may provide attestation information to the trusted execution environment. The trusted execution environment may verify the configuration data and the attestation information. Other embodiments are described and claimed.Type: GrantFiled: June 18, 2019Date of Patent: August 16, 2022Assignee: INTEL CORPORATIONInventors: Reshma Lal, Pradeep M. Pappachan, Luis Kida, Krystof Zmudzinski, Siddhartha Chhabra, Abhishek Basak, Alpa Narendra Trivedi, Anna Trikalinou, David M. Lee, Vedvyas Shanbhogue, Utkarsh Y. Kakaiya
-
Patent number: 11392506Abstract: Examples include an apparatus which accesses secure pages in a trust domain using secure lookups in first and second sets of page tables. For example, one embodiment of the processor comprises: a decoder to decode a plurality of instructions including instructions related to a trusted domain; execution circuitry to execute a first one or more of the instructions to establish a first trusted domain using a first trusted domain key, the trusted domain key to be used to encrypt memory pages within the first trusted domain; and the execution circuitry to execute a second one or more of the instructions to associate a first process address space identifier (PASID) with the first trusted domain, the first PASID to uniquely identify a first execution context associated with the first trusted domain.Type: GrantFiled: August 5, 2020Date of Patent: July 19, 2022Assignee: INTEL CORPORATIONInventors: Vedvyas Shanbhogue, Ravi Sahita, Rajesh Sankaran, Siddhartha Chhabra, Abhishek Basak, Krystof Zmudzinski, Rupin Vakharwala
-
Publication number: 20220207187Abstract: Systems, methods, and apparatuses relating to an instruction that allows a trusted execution environment to react to an asynchronous exit are described. In one embodiment, a hardware processor includes a register comprising a field, that when set, is to enable an architecturally protected execution environment for code in an architecturally protected enclave in memory, a decoder circuit to decode a single instruction comprising an opcode into a decoded instruction, the opcode to indicate an execution circuit is to invoke a handler to handle an asynchronous exit from execution of the code in the architecturally protected enclave and then resume execution of the code in the architecturally protected enclave from where the asynchronous exit occurred, and the execution circuit to respond to the decoded instruction as specified by the opcode.Type: ApplicationFiled: December 26, 2020Publication date: June 30, 2022Inventors: SCOTT CONSTABLE, MARK SHANAHAN, MONA VIJ, BIN XING, KRYSTOF ZMUDZINSKI
-
Patent number: 11373013Abstract: Technologies for secure I/O include a compute device having a processor, a memory, an input/output (I/O) device, and a filter logic. The filter logic is configured to receive a first key identifier from the processor, wherein the first key identifier is indicative of a shared memory range includes a shared key identifier range to be used for untrusted I/O devices and receive a transaction from the I/O device, wherein the transaction includes a second key identifier and a trust device ID indicator associated with the I/O device. The filter logic is further configured to determine whether the transaction is asserted with the trust device ID indicator indicative of whether the I/O device is assigned to a trust domain and determine, in response to a determination that the transaction is not asserted with the trust device ID indicator, whether the second key identifier matches the first key identifier.Type: GrantFiled: December 28, 2018Date of Patent: June 28, 2022Assignee: INTEL CORPORATIONInventors: Luis Kida, Krystof Zmudzinski, Reshma Lal, Pradeep Pappachan, Abhishek Basak, Anna Trikalinou
-
Publication number: 20220092223Abstract: Technologies for secure I/O include a compute device having a processor, a memory, an input/output (I/O) device, and a filter logic. The filter logic is configured to receive a first key identifier from the processor, wherein the first key identifier is indicative of a shared memory range includes a shared key identifier range to be used for untrusted I/O devices and receive a transaction from the I/O device, wherein the transaction includes a second key identifier and a trust device ID indicator associated with the I/O device. The filter logic is further configured to determine whether the transaction is asserted with the trust device ID indicator indicative of whether the I/O device is assigned to a trust domain and determine, in response to a determination that the transaction is not asserted with the trust device ID indicator, whether the second key identifier matches the first key identifier.Type: ApplicationFiled: October 29, 2021Publication date: March 24, 2022Applicant: Intel CorporationInventors: Luis Kida, Krystof Zmudzinski, Reshma Lal, Pradeep Pappachan, Abhishek Basak, Anna Trikalinou
-
Publication number: 20220091998Abstract: Technologies for secure device configuration and management include a computing device having an I/O device. A trusted agent of the computing device is trusted by a virtual machine monitor of the computing device. The trusted agent securely commands the I/O device to enter a trusted I/O mode, securely commands the I/O device to set a global lock on configuration registers, receives configuration data from the I/O device, and provides the configuration data to a trusted execution environment. In the trusted I/O mode, the I/O device rejects a configuration command if a configuration register associated with the configuration command is locked and the configuration command is not received from the trusted agent. The trusted agent may provide attestation information to the trusted execution environment. The trusted execution environment may verify the configuration data and the attestation information. Other embodiments are described and claimed.Type: ApplicationFiled: December 6, 2021Publication date: March 24, 2022Applicant: Intel CorporationInventors: Reshma Lal, Pradeep M. Pappachan, Luis Kida, Krystof Zmudzinski, Siddhartha Chhabra, Abhishek Basak, Alpa Narendra Trivedi, Anna Trikalinou, David M. Lee, Vedvyas Shanbhogue, Utkarsh Y. Kakaiya
-
Publication number: 20220083347Abstract: A method comprises receiving an instruction to resume operations of an enclave in a cloud computing environment and generating a pseud-random time delay before resuming operations of the enclave in the cloud computing environment.Type: ApplicationFiled: September 14, 2020Publication date: March 17, 2022Applicant: Intel CorporationInventors: Scott Constable, Bin Xing, Fangfei Liu, Thomas Unterluggauer, Krystof Zmudzinski
-
Patent number: 11163913Abstract: Technologies for secure I/O include a compute device having a processor, a memory, an input/output (I/O) device, and a filter logic. The filter logic is configured to receive a first key identifier from the processor, wherein the first key identifier is indicative of a shared memory range includes a shared key identifier range to be used for untrusted I/O devices and receive a transaction from the I/O device, wherein the transaction includes a second key identifier and a trust device ID indicator associated with the I/O device. The filter logic is further configured to determine whether the transaction is asserted with the trust device ID indicator indicative of whether the I/O device is assigned to a trust domain and determine, in response to a determination that the transaction is not asserted with the trust device ID indicator, whether the second key identifier matches the first key identifier.Type: GrantFiled: December 28, 2018Date of Patent: November 2, 2021Assignee: INTEL CORPORATIONInventors: Luis Kida, Krystof Zmudzinski, Reshma Lal, Pradeep Pappachan, Abhishek Basak, Anna Trikalinou
-
Publication number: 20210117576Abstract: Technologies for secure I/O include a compute device, which further includes a processor, a memory, a trusted execution environment (TEE), one or more input/output (I/O) devices, and an I/O subsystem. The I/O subsystem includes a device memory access table (DMAT) programmed by the TEE to establish bindings between the TEE and one or more I/O devices that the TEE trusts and a memory ownership table (MOT) programmed by the TEE when a memory page is allocated to the TEE.Type: ApplicationFiled: December 2, 2020Publication date: April 22, 2021Applicant: Intel CorporationInventors: Krystof Zmudzinski, Siddhartha Chhabra, Reshma Lal, Alpa Narendra Trivedi, Luis S. Kida, Pradeep M. Pappachan, Abhishek Basak, Anna Trikalinou
-
Patent number: 10970390Abstract: A processor includes a processing core to identify a code comprising a plurality of instructions to be executed in the architecturally-protected environment, determine that a first physical memory page stored in the architecturally-protected memory matches a first virtual memory page referenced by a first instruction of the plurality of instructions, generate a first address mapping between a first address of the first virtual memory page and a second address of the first physical memory page, store, in the cache memory, the address translation data structure comprising the first address mapping, and execute the code by retrieving the first address mapping in the address translation data structures to be executed in the architecturally-protected environment, determine that a first physical memory page stored in the architecturally-protected memory matches a first virtual memory page referenced by a first instruction of the plurality of instructions, generate a first address mapping between a first address ofType: GrantFiled: February 15, 2018Date of Patent: April 6, 2021Assignee: Intel CorporationInventors: Francis McKeen, Bin Xing, Krystof Zmudzinski, Carlos Rozas, Mona Vij
-
Publication number: 20210089466Abstract: Examples include an apparatus which accesses secure pages in a trust domain using secure lookups in first and second sets of page tables. For example, one embodiment of the processor comprises: a decoder to decode a plurality of instructions including instructions related to a trusted domain; execution circuitry to execute a first one or more of the instructions to establish a first trusted domain using a first trusted domain key, the trusted domain key to be used to encrypt memory pages within the first trusted domain; and the execution circuitry to execute a second one or more of the instructions to associate a first process address space identifier (PASID) with the first trusted domain, the first PASID to uniquely identify a first execution context associated with the first trusted domain.Type: ApplicationFiled: August 5, 2020Publication date: March 25, 2021Inventors: Vedvyas SHANBHOGUE, Ravi SAHITA, Rajesh SANKARAN, Siddhartha CHHABRA, Abhishek BASAK, Krystof ZMUDZINSKI, Rupin VAKHARWALA
-
Patent number: 10922088Abstract: Detailed herein are systems, apparatuses, and methods for a computer architecture with instruction set support to mitigate against page fault- and/or cache-based side-channel attacks. In an embodiment, an apparatus includes a decoder to decode a first instruction, the first instruction having a first field for a first opcode that indicates that execution circuitry is to set a first flag in a first register that indicates a mode of operation that redirects program flow to an exception handler upon the occurrence of an event. The apparatus further includes execution circuitry to execute the decoded first instruction to set the first flag in the first register that indicates the mode of operation and to store an address of an exception handler in a second register.Type: GrantFiled: June 29, 2018Date of Patent: February 16, 2021Assignee: Intel CorporationInventors: Fangfei Liu, Bin Xing, Michael Steiner, Mona Vij, Carlos Rozas, Francis McKeen, Meltem Ozsoy, Matthew Fernandez, Krystof Zmudzinski, Mark Shanahan
-
PROCESSOR INSTRUCTION SUPPORT FOR MITIGATING CONTROLLED-CHANNEL AND CACHE-BASED SIDE-CHANNEL ATTACKS
Publication number: 20200409711Abstract: Detailed herein are systems, apparatuses, and methods for a computer architecture with instruction set support to mitigate against page fault and/or cache-based side-channel attacks. In an embodiment, a processor includes a decoder to decode an instruction into a decoded instruction, the instruction comprising a first field that indicates an instruction pointer to a user-level event handler; and an execution unit to execute the decoded instruction to, after a swap of an instruction pointer that indicates where an event occurred from a current instruction pointer register into a user-level event handler pointer register, push the instruction pointer that indicates where the event occurred onto call stack storage, and change a current instruction pointer in the current instruction pointer register to the instruction pointer to the user-level event handler.Type: ApplicationFiled: June 29, 2019Publication date: December 31, 2020Inventors: Scott Constable, Fangfei Liu, Bin Xing, Michael Steiner, Mona Vij, Carlos Rozas, Francis X. McKeen, Meltem Ozsoy, Matthew Fernandez, Krystof Zmudzinski, Mark Shanahan