Abstract: Technologies disclosed herein provide cryptographic computing. An example method comprises storing, in a register, an encoded pointer to a memory location, where first context information is stored in first bits of the encoded pointer and a slice of a memory address of the memory location is encrypted and stored in second bits of the encoded pointer. The method further includes decoding the encoded pointer to obtain the memory address of the memory location, using the memory address obtained by decoding the encoded pointer to access encrypted data at the memory location, and decrypting the encrypted data based on a first key and a first tweak value. The first tweak value includes one or more bits derived, at least in part, from the encoded pointer.

Abstract: In one embodiment, a processor of a cryptographic computing system includes data cache units storing encrypted data and circuitry coupled to the data cache units. The circuitry accesses a sequence of cryptographic-based instructions to execute based on the encrypted data, decrypts the encrypted data based on a first pointer value, executes the cryptographic-based instruction using the decrypted data, encrypts a result of the execution of the cryptographic-based instruction based on a second pointer value, and stores the encrypted result in the data cache units. In some embodiments, the circuitry generates, for each cryptographic-based instruction, at least one encryption-based microoperation and at least one non-encryption-based microoperation. The circuitry also schedules the at least one encryption-based microoperation and the at least one non-encryption-based microoperation for execution based on timings of the encryption-based microoperation.

Abstract: Technologies disclosed herein provide cryptographic computing. An example method comprises executing a first instruction of a first software entity to receive a first input operand indicating a first key associated with a first memory compartment of a plurality of memory compartments stored in a first memory unit, and execute a cryptographic algorithm in a core of a processor to compute first encrypted contents based at least in part on the first key. Subsequent to computing the first encrypted contents in the core, the first encrypted contents are stored at a memory location in the first memory compartment of the first memory unit. More specific embodiments include, prior to storing the first encrypted contents at the memory location in the first memory compartment and subsequent to computing the first encrypted contents in the core, moving the first encrypted contents into a level one (L1) cache outside a boundary of the core.

Abstract: Technologies disclosed herein provide cryptographic computing. An example processor includes a core to execute an instruction, where the core includes a register to store a pointer to a memory location and a tag associated with the pointer. The tag indicates whether the pointer is at least partially immutable. The core also includes circuitry to access the pointer and the tag associated with the pointer, determine whether the tag indicates that the pointer is at least partially immutable. The circuitry is further, based on a determination that the tag indicates the pointer is at least partially immutable, to obtain a memory address of the memory location based on the pointer, use the memory address to access encrypted data at the memory location, and decrypt the encrypted data based on a key and a tweak, where the tweak including one or more bits based, at least in part, on the pointer.

Abstract: Generally, this disclosure provides systems, devices, methods and computer readable media for secure memory page mapping in a virtual machine (VM) environment. The system may include a processor configured to execute a virtual machine monitor (VMM). The VMM may be configured to maintain a table of cryptographic keys and associate a token with one of the memory pages to be mapped from a guest linear address (GLA) to a guest physical address (GPA). The token may include a key identifier (key ID) associated with one of the cryptographic keys, and an authentication code based on the GLA, the GPA, and one of the cryptographic keys. The system may also include a page walk processor configured to validate the token to indicate that the memory page associated with the token is authorized to be mapped from the GLA to the GPA.

Abstract: A microcoded processor instruction may invoke a number of microinstructions to perform a round of a SHA3 operation using a circuit that includes a first stage circuit to perform a set of first bitwise XOR operations on a set of five input blocks to yield first intermediate output blocks; perform a set of second bitwise XOR operations on a first intermediate block and a rotation of another first intermediate block to yield second intermediate blocks; and perform a set of third bitwise XOR operations on a second intermediate block and an input block to yield third intermediate blocks. The circuit further includes a second stage circuit to rotate bits within each of the third intermediate blocks to yield a set of fourth intermediate blocks, and a third stage circuit to perform an affine mapping on bits within each of the fourth intermediate blocks to yield a set of output blocks.

Abstract: Memory scanning methods and apparatus are disclosed. An example apparatus includes an address identifier to, when an entry of a paging structure has been accessed, determine a first address corresponding to a page of physical memory when the entry of the paging structure maps to the page of the physical memory; and a scanner to: scan a threshold amount of memory beginning at a physical memory address corresponding to the first address; and determine whether the threshold amount of memory includes a pattern indicative of malware.

Abstract: Technologies for execute only transactional memory include a computing device with a processor and a memory. The processor includes an instruction translation lookaside buffer (iTLB) and a data translation lookaside buffer (dTLB). In response to a page miss, the processor determines whether a page physical address is within an execute only transactional (XOT) range of the memory. If within the XOT range, the processor may populate the iTLB with the page physical address and prevent the dTLB from being populated with the page physical address. In response to an asynchronous change of control flow such as an interrupt, the processor determines whether a last iTLB translation is within the XOT range. If within the XOT range, the processor clears or otherwise secures the processor register state. The processor ensures that an XOT range starts execution at an authorized entry point. Other embodiments are described and claimed.

Abstract: Disclosed embodiments relate to encoded inline capabilities. In one example, a system includes a trusted execution environment (TEE) to partition an address space within a memory into a plurality of compartments each associated with code to execute a function, the TEE further to assign a message object in a heap to each compartment, receive a request from a first compartment to send a message block to a specified destination compartment, respond to the request by authenticating the request, generating a corresponding encoded capability, conveying the encoded capability to the destination compartment, and scheduling the destination compartment to respond to the request, and subsequently, respond to a check capability request from the destination compartment by checking the encoded capability and, when the check passes, providing a memory address to access the message block, and, otherwise, generating a fault, wherein each compartment is isolated from other compartments.

Abstract: A processor core that includes a token generator circuit is to execute a first instruction in response to initialization of a software program that requests access to protected data output by a cryptographic operation. To execute the first instruction, the processor core is to: retrieve a key that is to be used by the cryptographic operation; trigger the token generator circuit to generate an authorization token; cryptographically encode the key and the authorization token within a key handle; store the key handle in memory; and embed the authorization token within a cryptographic instruction that is to perform the cryptographic operation. The cryptographic instruction may be associated with a first logical compartment of the software program that is authorized access to the protected data.

Abstract: This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.

Abstract: This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.

Abstract: Memory scanning methods and apparatus are disclosed. An example apparatus includes scan manager to identify a physical memory address that has recently been accessed. The physical memory address is identified as having been recently accessed when an access has occurred within a threshold of a current time. The apparatus also includes a scanner to scan a threshold amount of memory beginning at the physical memory address, and determine whether the memory included in the threshold amount of memory includes a pattern indicative of malware.

Abstract: Selective/controlled disclosure of user information to private workspaces of other users/invitees based on context/contextual relations, and a shared workspace or market to collaborate amongst the other users (e.g., to crowd-source gifts of interest to the recipient). Contextual disclosure may be based on common context or commonality under a set of conditions, such as a topic, which may include known topics of relationships amongst the users and/or undiscovered contexts. As an example, items of interest to each user are identified and clustered, keywords are assigned to the clusters indicative of topics/subjects of interests to the respective users, recipient keywords are compared to keywords of an invitee to identify common keywords as shared interests, and items of interest to the recipient that relate to the common keywords are disclosed to the invitee as a personalized wish-list. Keyword weighting and/or keyword/item level privacy designations may be provided to further control disclosure.

Abstract: Processor trace systems and methods are described. For example, one embodiment comprises executing instrumented code by a compiler, the instrumented code including at least one call to un-instrumented code. The compiler can determine the at least one call to un-instrumented code is a next call to be executed. A resume tracing instruction can be inserted into the instrumented code prior to the at least one call to the un-instrumented code. The resume tracing instruction can be executed to selectively add processor tracing to the at least one call to the un-instrumented code, and the at least one call to the un-instrumented code can be executed.

Abstract: Generally, this disclosure provides systems, methods and computer readable media for a protected memory view in a virtual machine (VM) environment enabling nested page table access by trusted guest software outside of VMX root mode. The system may include an editor module configured to provide access to a nested page table structure, by operating system (OS) kernel components and by user space applications within a guest of the VM, wherein the nested page table structure is associated with one of the protected memory views. The system may also include a page handling processor configured to secure that access by maintaining security information in the nested page table structure.

Abstract: Various embodiments are generally directed to techniques for detecting malware in a manner that mitigates the consumption of processing and/or storage resources of a processing device. An apparatus may include a first processor component of a processing device to generate entries in a chronological order within a first page modification log maintained within a first storage divided into multiple pages, each entry to indicate a write access made by the first processor component to a page of the multiple pages; a retrieval component of a graphics controller of the processing device to recurringly retrieve indications from the first page modification log of at least one recently written page of the multiple pages; and a scan component of the graphics controller to recurringly scan the at least one recently written page to detect malware within the at least one recently written page.

Abstract: Technologies for memory management with memory protection extension include a computing device having a processor with one or more protection extensions. The processor may load a logical address including a segment base, effective limit, and effective address and generate a linear address as a function of the logical address with the effective limit as a mask. The processor may switch to a new task described by a task state segment extension. The task state extension may specify a low-latency segmentation mode. The processor may prohibit access to a descriptor in a local descriptor table with a descriptor privilege level lower than the current privilege level of the processor. The computing device may load a secure enclave using secure enclave support of the processor. The secure enclave may load an unsandbox and a sandboxed application in a user privilege level of the processor. Other embodiments are described and claimed.

Abstract: Apparatuses for computing are disclosed herein. In embodiments, an apparatus may include one or more processors, a memory, and a compiler to be operated by the one or more processors to compile a computer program. The compiler may include one or more analyzers to parse and analyze source code of the computer program that generates pointers or de-references pointers. The compiler may also include a code generator coupled to the one or more analyzers to generate executable instructions for the source code of the computer program including insertion of additional encryption or decryption executable instructions into the computer program, based at least in part on a result of the analysis, to authenticate memory access operations of the source code.

Abstract: Systems, apparatuses and methods may provide for technology that associates a key domain of a plurality of key domains with a customer boot image, receives the customer boot image from the customer, and verifies the integrity of the customer boot image that is to be securely installed at memory locations determined from an untrusted privileged entity (e.g., a virtual machine manager).