Abstract: Technologies for execute only transactional memory include a computing device with a processor and a memory. The processor includes an instruction translation lookaside buffer (iTLB) and a data translation lookaside buffer (dTLB). In response to a page miss, the processor determines whether a page physical address is within an execute only transactional (XOT) range of the memory. If within the XOT range, the processor may populate the iTLB with the page physical address and prevent the dTLB from being populated with the page physical address. In response to an asynchronous change of control flow such as an interrupt, the processor determines whether a last iTLB translation is within the XOT range. If within the XOT range, the processor clears or otherwise secures the processor register state. The processor ensures that an XOT range starts execution at an authorized entry point. Other embodiments are described and claimed.

Abstract: Encryption interface technologies are described. A processor can include a system agent, an encryption interface, and a memory controller. The system agent can communicate data with a hardware functional block. The encryption interface can be coupled between the system agent and a memory controller. The encryption interface can receive a plaintext request from the system agent, encrypt the plaintext request to obtain an encrypted request, and communicate the encrypted request to the memory controller. The memory controller can communicate the encrypted request to a main memory of the computing device.

Abstract: Memory scanning methods and apparatus are disclosed. An example apparatus includes scan manager to identify a physical memory address that has recently been accessed. The physical memory address is identified as having been recently accessed when an access has occurred within a threshold of a current time. The apparatus also includes a scanner to scan a threshold amount of memory beginning at the physical memory address, and determine whether the memory included in the threshold amount of memory includes a pattern indicative of malware.

Abstract: Embodiments of the invention include a machine-readable medium having stored thereon instructions, which if performed by a machine causes the machine to perform a method that includes assigning an urgency of requests based on a priority level for incoming requests and associated entries in at least one priority queue, assigning an urgency delta for anti-starvation that indicates urgency promotion to prevent starvation for the incoming requests in the at least one priority queue, determining conflict information including whether an incoming request is dependent on any request already present in the at least one queue, determining all contending requests within the at least one priority queue during a cycle, and sending a selected contending request to a memory controller for accessing memory.

Abstract: Technologies for memory encryption include a computing device to generate a keyed hash of a data line based on a statistical counter value and a memory address to which to write the data line and to store the keyed hash to a cache line. The statistical counter value has a reference probability of incrementing at each write operation. The cache line includes a plurality of keyed hashes and each of the keyed hashes corresponds with a different data line. The computing device further encrypts the data line based on the keyed hash, the memory address, and the statistical counter value.

Abstract: Methods and apparatus are disclosed to provide for security within a network enclave. In one embodiment authentication logic initiates authentication with a central network authority. Packet processing logic receives a key and an identifier from the central network authority. Security protocol logic then establishes a client-server security association through a communication that includes a client identifier and an encrypted portion and/or an authorization signature, wherein a client authorization key allocated by the central network authority can be reproduced by a server, other than said central network authority, from the client identifier and a derivation key provided to the server by the central network authority to decrypt the encrypted portion and/or to validate the communication using the authorization signature.

Abstract: Embodiments of the invention include a machine-readable medium having stored thereon instructions, which if performed by a machine causes the machine to perform a method that includes assigning an urgency of requests based on a priority level for incoming requests and associated entries in at least one priority queue, assigning an urgency delta for anti-starvation that indicates urgency promotion to prevent starvation for the incoming requests in the at least one priority queue, determining conflict information including whether an incoming request is dependent on any request already present in the at least one queue, determining all contending requests within the at least one priority queue during a cycle, and sending a selected contending request to a memory controller for accessing memory.

Abstract: Apparatus, systems, and/or methods may provide for identifying unencrypted data including a plurality of bits, wherein the unencrypted data may be encrypted and stored in memory. In addition, a determination may be made as to whether the unencrypted data includes a random distribution of the plurality of bits, for example based on a compressibility function. An integrity action may be implemented when the unencrypted data includes a random distribution of the plurality of bits, which may include error correction including a modification to ciphertext of the unencrypted data. Independently of error correction, a diffuser may generate intermediate and final ciphertext. In addition, a key and/or a tweak may be derived for a location in the memory. Moreover, an integrity value may be generated (e.g., as a copy) from a portion of the unencrypted data, and/or stored in a slot of an integrity check line based on the location.

Abstract: Memory encryption engine (MEE) integration technologies are described. A MEE system may include a MEE interface and a MEE core. The MEE interface may receive a data from an arbiter, where the data is selected by the arbiter from data at memory link queues. The MEE interface may adjust a timing rate to send the data to match a timing of a MEE core. The MEE core may be coupled to the MEE interface and may receive the data from the MEE interface.

Abstract: Memory scanning methods and apparatus are disclosed. An example apparatus includes scan manager to identify a physical memory address that has recently been accessed. The physical memory address is identified as having been recently accessed when an access has occurred within a threshold of a current time. The apparatus also includes a scanner to scan a threshold amount of memory beginning at the physical memory address, and determine whether the memory included in the threshold amount of memory includes a pattern indicative of malware.

Abstract: A processing or memory device may include a first encryption pipeline to encrypt and decrypt data with a first encryption mode and a second encryption pipeline to encrypt and decrypt data with a second encryption mode, wherein the first encryption pipeline and the second encryption pipeline share a single, shared pipeline for a majority of encryption and decryption operations performed by the first encryption pipeline and by the second encryption pipeline. A controller (and/or other logic) may direct selection of encrypted (or decrypted) data from the first and second encryption pipelines responsive to a region of memory to which a physical address of a memory request is directed. The result of the selection may result in bypassing encryption/decryption or encrypting/decrypting the data according to the first encryption mode or the second encryption mode. More than two encryption modes are envisioned.

Abstract: Embodiments of an invention for establishing secure channels between a protected execution environment and fixed-function endpoints are disclosed. In one embodiment, and system includes an architecturally protected memory, a processing core communicatively coupled to the architecturally protected memory, and a key distribution engine. The processing core is to implement an architecturally-protected execution environment by performing at least one of executing instructions residing in the architecturally protected memory and preventing an unauthorized access to the architecturally protected memory.

Abstract: Systems and methods may provide for identifying unencrypted data including a plurality of bits, wherein the unencrypted data may be encrypted and stored in memory. In addition, a determination may be made as to whether the unencrypted data includes a random distribution of the plurality of bits. An integrity action may be implemented, for example, when the unencrypted data includes a random distribution of the plurality of bits.

Abstract: Both end-to-end security and traffic visibility may be achieved by a system using a controller that derives a cryptographic key that is different for each client based on a derivation key and a client identifier that is conveyed in each data packet. The controller distributes the derivation key to information technology monitoring devices and a server to provide traffic visibility. For large key sizes, the key may be derived using a derivation formula as follows: client_key_MSB=AES128(base_key_1, client_ID),??(1) client_key_LSB=AES128(base_key_2, client_ID+pad), and??(2) client_key=client_key_MSB?client_key_LSB, where (1) and (2) are executed in parallel. The client key and a client identifier may be used so that end-to-end security may be achieved.

Abstract: Memory scanning methods and apparatus are disclosed. An example apparatus includes a walker to traverse a paging structure of an address translation system; a bit analyzer to determine whether a bit associated with an entry of the paging structure is indicative of the entry being recently accessed; an address identifier to, when the bit analyzer determines that the bit associated with the entry of the paging structure is indicative of the entry being recently accessed, determine an address associated with the entry; and an outputter to provide the determined address to a memory scanner.

Abstract: In one embodiment, the present invention includes a system on a chip (SoC) that has a first agent with an intellectual property (IP) logic, an interface to a fabric including a target interface, a master interface and a sideband interface, and an access control plug-in unit to handle access control policy for the first agent with respect to incoming and outgoing transactions. This access control plug-in unit can be incorporated into the SoC at integration time and without any modification to the IP logic. Other embodiments are described and claimed.

Abstract: In an embodiment, a processor includes: at least one core to execute instructions; and a memory protection logic to encrypt data to be stored to a memory coupled to the processor, generate a message authentication code (MAC) based on the encrypted data, the MAC to have a first value according to a first key, obtain the encrypted data from the memory and validate the encrypted data using the MAC, where the MAC is to be re-keyed to have a second value according to a second key and without the encrypted data. Other embodiments are described and claimed.

Abstract: In an embodiment, a processor includes: at least one core to execute instructions; a cache memory coupled to the at least one core to store data; and a tracker cache memory coupled to the at least one core. The tracker cache memory includes entries to store an integrity value associated with a data block to be written to a memory coupled to the processor. Other embodiments are described and claimed.

Abstract: Apparatus, systems, and/or methods may provide for identifying unencrypted data including a plurality of bits, wherein the unencrypted data may be encrypted and stored in memory. In addition, a determination may be made as to whether the unencrypted data includes a random distribution of the plurality of bits, for example based on a compressibility function. An integrity action may be implemented when the unencrypted data includes a random distribution of the plurality of bits, which may include error correction including a modification to ciphertext of the unencrypted data. Independently of error correction, a diffuser may generate intermediate and final ciphertext. In addition, a key and/or a tweak may be derived for a location in the memory. Moreover, an integrity value may be generated (e.g., as a copy) from a portion of the unencrypted data, and/or stored in a slot of an integrity check line based on the location.

Abstract: Encryption interface technologies are described. A processor can include a system agent, an encryption interface, and a memory controller. The system agent can communicate data with a hardware functional block. The encryption interface can be coupled between the system agent and a memory controller. The encryption interface can receive a plaintext request from the system agent, encrypt the plaintext request to obtain an encrypted request, and communicate the encrypted request to the memory controller. The memory controller can communicate the encrypted request to a main memory of the computing device.