Abstract: A method comprising executing, by a core of a processor, a first instruction requesting access to a parameter associated with data for storage in a main memory coupled to the processor, the first instruction including a reference to the parameter, a reference to a wrapping key, and a reference to an encrypted encryption key, wherein execution of the first instruction comprises decrypting the encrypted encryption key using the wrapping key to generate a decrypted encryption key; requesting transfer of the data between the main memory and the processor core; and performing a cryptographic operation on the parameter using the decrypted encryption key.

Abstract: Embodiments are directed to aggregate GHASH-based message authentication code (MAC) over multiple cachelines with incremental updates. An embodiment of a system includes a controller comprising circuitry, the controller to generate an error correction code for a memory line, the memory line comprising a plurality of first data blocks, generate a metadata block corresponding to the memory line, the metadata block comprising the error correction code for the memory line and at least one metadata bit, generate an aggregate GHASH corresponding to a region of memory comprising a cacheline set comprising at least the memory line, encode the first data blocks and the metadata block, encrypt the aggregate GHASH as an aggregate message authentication code (AMAC), provide the encoded first data blocks and the encoded metadata block for storage on a memory module comprising the memory line, and provide the AMAC for storage on a device separate from the memory module.

Abstract: In one embodiment, the present invention includes a method for receiving incoming data in a processor and performing a checksum operation on the incoming data in the processor pursuant to a user-level instruction for the checksum operation. For example, a cyclic redundancy checksum may be computed in the processor itself responsive to the user-level instruction. Other embodiments are described and claimed.

Abstract: Systems and methods for memory isolation are provided. The methods include receiving a request to write a data line to a physical memory address, where the physical memory address includes a key identifier, selecting an encryption key from a key table based on the key identifier of the physical memory address, determining whether the data line is compressible, compressing the data line to generate a compressed line in response to determining that the data line is compressible, where the compressed line includes compression metadata and compressed data, adding encryption metadata to the compressed line, where the encryption metadata is indicative of the encryption key, encrypting a part of the compressed line with the encryption key to generate an encrypted line in response to adding the encryption metadata, and writing the encrypted line to a memory device at the physical memory address. Other embodiments are described and claimed.

Abstract: Systems and methods for memory isolation are provided. The methods include receiving a request to write a data line to a physical memory address, where the physical memory address includes a key identifier, selecting an encryption key from a key table based on the key identifier of the physical memory address, determining whether the data line is compressible, compressing the data line to generate a compressed line in response to determining that the data line is compressible, where the compressed line includes compression metadata and compressed data, adding encryption metadata to the compressed line, where the encryption metadata is indicative of the encryption key, encrypting a part of the compressed line with the encryption key to generate an encrypted line in response to adding the encryption metadata, and writing the encrypted line to a memory device at the physical memory address. Other embodiments are described and claimed.

Abstract: In one embodiment, an apparatus comprises an antenna to receive one or more radio signals, wherein the antenna is associated with a proximity-based access portal. The apparatus further comprises a processor to: detect, based on the one or more radio signals, an access request from a first device, wherein the access request comprises a request to access the proximity-based access portal using an access token associated with an authorized device; determine, based on the one or more radio signals, that the first device is within a particular proximity of the proximity-based access portal; obtain a first motion history associated with movement detected near the proximity-based access portal; obtain a second motion history associated with movement detected by the authorized device; and determine, based on the first motion history and the second motion history, whether the movement detected near the proximity-based access portal matches the movement detected by the authorized device.

Abstract: Embodiments are directed to security optimizing compute distribution in a hybrid deep learning environment. An embodiment of an apparatus includes one or more processors to determine security capabilities and compute capabilities of a client machine requesting to use a machine learning (ML) model hosted by the apparatus; determine, based on the security capabilities and based on exposure criteria of the ML model, that one or more layers of the ML model can be offloaded to the client machine for processing; define, based on the compute capabilities of the client machine, a split level of the one or more layers of the ML model for partition of the ML model, the partition comprising offload layers of the one or more layers of the ML model to be processed at the client machine; and cause the offload layers of the ML model to be downloaded to the client machine.

Abstract: Embodiments are directed to collision-free hashing for accessing cryptographic computing metadata and for cache expansion. An embodiment of an apparatus includes one or more processors to compute a plurality of hash functions that combine additions, bit-level reordering, bit-linear mixing, and wide substitutions, wherein each of the plurality of hash functions differs in one of the additions, the bit-level reordering, the wide substitutions, or the bit-linear mixing; and access a hash table utilizing results of the plurality of hash functions.

Abstract: Embodiments are directed to aggregate GHASH-based message authentication code (MAC) over multiple cachelines with incremental updates. An embodiment of a system includes a controller comprising circuitry, the controller to generate an error correction code for a memory line, the memory line comprising a plurality of first data blocks, generate a metadata block corresponding to the memory line, the metadata block comprising the error correction code for the memory line and at least one metadata bit, generate an aggregate GHASH corresponding to a region of memory comprising a cacheline set comprising at least the memory line, encode the first data blocks and the metadata block, encrypt the aggregate GHASH as an aggregate message authentication code (AMAC), provide the encoded first data blocks and the encoded metadata block for storage on a memory module comprising the memory line, and provide the AMAC for storage on a device separate from the memory module.

Abstract: Technologies disclosed herein provide one example of a processor that includes a register to store a first encoded pointer for a first memory allocation for an application and circuitry coupled to memory. Size metadata is stored in first bits of the first encoded pointer and first memory address data associated with the first memory allocation is stored in second bits of the first encoded pointer. The circuitry is configured to determine a first memory address of a first marker region in the first memory allocation, obtain current data from the first marker region at the first memory address, compare the current data to a reference marker stored separately from the first memory allocation, and determine that the first memory allocation is in a first state in response to a determination that the current data corresponds to the reference marker.

Abstract: In one embodiment, an encoded pointer is constructed from a stack pointer that includes offset. The encoded pointer includes the offset value and ciphertext that is based on encrypting a portion of a decorated pointer that includes a maximum offset value. Stack data is encrypted based on the encoded pointer, and the encoded pointer is stored in a stack pointer register of a processor. To access memory, a decoded pointer is constructed based on decrypting the ciphertext of the encoded pointer and the offset value. Encrypted stack data is accessed based on the decoded pointer, and the encrypted stack is decrypted based on the encoded pointer.

Abstract: In one embodiment, the present invention includes a method for receiving incoming data in a processor and performing a checksum operation on the incoming data in the processor pursuant to a user-level instruction for the checksum operation. For example, a cyclic redundancy checksum may be computed in the processor itself responsive to the user-level instruction. Other embodiments are described and claimed.

Abstract: Apparatus, systems, computer readable storage mediums and/or methods may provide memory integrity by using unused physical address bits (or other metadata passed through cache) to manipulate cryptographic memory integrity values, allowing software memory allocation routines to control the assignment of pointers (e.g., implement one or more access control policies). Unused address bits (e.g., because of insufficient external memory) passed through cache, may encode key domain information in the address so that different key domain addresses alias to the same physical memory location. Accordingly, by mixing virtual memory mappings and cache line granularity aliasing, any page in memory may contain a different set of aliases at the cache line level and be non-deterministic to an adversary.

Abstract: Disclosed embodiments relate to encoded inline capabilities. In one example, a system includes a trusted execution environment (TEE) to partition an address space within a memory into a plurality of compartments each associated with code to execute a function, the TEE further to assign a message object in a heap to each compartment, receive a request from a first compartment to send a message block to a specified destination compartment, respond to the request by authenticating the request, generating a corresponding encoded capability, conveying the encoded capability to the destination compartment, and scheduling the destination compartment to respond to the request, and subsequently, respond to a check capability request from the destination compartment by checking the encoded capability and, when the check passes, providing a memory address to access the message block, and, otherwise, generating a fault, wherein each compartment is isolated from other compartments.

Abstract: In one embodiment, a heterogeneous multicore processor is described that is optimized to execute multi-stage computer vision algorithms such as cascade classifier workloads. In such embodiment the heterogeneous processor includes at least one SIMD core, such as a vector processor core, coupled with one or more scalar cores. In one embodiment the heterogeneous multiprocessor executes multi-stage compute operations, where the SIMD core computes a first set of stages and the one or more scalar cores compute the second set of stages. In one embodiment, a process for designing a heterogeneous multicore processor is disclosed which optimizes the ratio of scalar to SIMD cores based on execution time of the multi-stage compute operation in relation to processor die area consumed by a processor configuration having the ratio.

Abstract: Disclosed embodiments relate to encoded inline capabilities. In one example, a system includes a trusted execution environment (TEE) to partition an address space within a memory into a plurality of compartments each associated with code to execute a function, the TEE further to assign a message object in a heap to each compartment, receive a request from a first compartment to send a message block to a specified destination compartment, respond to the request by authenticating the request, generating a corresponding encoded capability, conveying the encoded capability to the destination compartment, and scheduling the destination compartment to respond to the request, and subsequently, respond to a check capability request from the destination compartment by checking the encoded capability and, when the check passes, providing a memory address to access the message block, and, otherwise, generating a fault, wherein each compartment is isolated from other compartments.

Abstract: Apparatus, systems, computer readable storage mediums and/or methods may provide memory integrity by using unused physical address bits (or other metadata passed through cache) to manipulate cryptographic memory integrity values, allowing software memory allocation routines to control the assignment of pointers (e.g., implement one or more access control policies). Unused address bits (e.g., because of insufficient external memory) passed through cache, may encode key domain information in the address so that different key domain addresses alias to the same physical memory location. Accordingly, by mixing virtual memory mappings and cache line granularity aliasing, any page in memory may contain a different set of aliases at the cache line level and be non-deterministic to an adversary.

Abstract: Technologies disclosed herein provide cryptographic computing with memory write access in the core. An example method comprises executing a first instruction of a software entity. The first instruction comprises a first operand comprising a certificate for a memory region in memory. Executing the first instruction includes computing encrypted first data based, at least in part, on a cryptographic algorithm and a first data parameter, determining whether the certificate authorizes the software entity to access the memory region of the memory, and based on determining the certificate in the first operand authorizes the software entity to access the memory region, performing a write operation to store the encrypted first data in the memory region. More specific embodiments include performing the write operation without performing a preceding read operation on the memory region, which may be called a write for ownership.

Abstract: Systems and methods for memory isolation are provided. The methods include receiving a request to write a data line to a physical memory address, where the physical memory address includes a key identifier, selecting an encryption key from a key table based on the key identifier of the physical memory address, determining whether the data line is compressible, compressing the data line to generate a compressed line in response to determining that the data line is compressible, where the compressed line includes compression metadata and compressed data, adding encryption metadata to the compressed line, where the encryption metadata is indicative of the encryption key, encrypting a part of the compressed line with the encryption key to generate an encrypted line in response to adding the encryption metadata, and writing the encrypted line to a memory device at the physical memory address. Other embodiments are described and claimed.

Abstract: A processor comprises a first register to store an encoded pointer to a memory location. First context information is stored in first bits of the encoded pointer and a slice of a linear address of the memory location is stored in second bits of the encoded pointer. The processor also includes circuitry to execute a memory access instruction to obtain a physical address of the memory location, access encrypted data at the memory location, derive a first tweak based at least in part on the encoded pointer, and generate a keystream based on the first tweak and a key. The circuitry is to further execute the memory access instruction to store state information associated with memory access instruction in a first buffer, and to decrypt the encrypted data based on the keystream. The keystream is to be generated at least partly in parallel with accessing the encrypted data.