Patents by Inventor Pradeep M. Pappachan
Pradeep M. Pappachan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20220366081Abstract: Embodiments are directed to protection of privacy and data on smart edge devices. An embodiment of an apparatus includes a sensor to produce a stream of sensor data; an analytics mechanism; and a trusted execution environment (TEE) including multiple keys for data security, the apparatus to exchange keys with a host server to establish one or more secure communication channels between the apparatus and a TEE on a host server, process the stream of sensor data utilizing the analytics mechanism to generate metadata, perform encryption and integrity protection of the metadata utilizing a key from the TEE for the sensor, sign the metadata utilizing a private key for the analytics mechanism, and transfer the encrypted and integrity protected metadata and the signature to the host server via the one or more secure communication channels in a manner that prevents privileged users on the host from accessing the data.Type: ApplicationFiled: July 28, 2022Publication date: November 17, 2022Applicant: Intel CorporationInventors: Lawrence A. Booth, JR., Salessawi Ferede Yitbarek, Reshma Lal, Pradeep M. Pappachan, Brent D. Thomas
-
Patent number: 11496314Abstract: Embodiments are directed to providing integrity-protected command buffer execution. An embodiment of an apparatus includes a computer-readable memory comprising one or more command buffers and a processing device communicatively coupled to the computer-readable memory to read, from a command buffer of the computer-readable memory, a first command received from a host device, the first command executable by one or more processing elements on the processing device, the first command comprising an instruction and associated parameter data, compute a first authentication tag using a cryptographic key associated with the host device, the instruction and at least a portion of the parameter data, and authenticate the first command by comparing the first authentication tag with a second authentication tag computed by the host device and associated with the command.Type: GrantFiled: December 18, 2019Date of Patent: November 8, 2022Assignee: INTEL CORPORATIONInventors: Pradeep M. Pappachan, Reshma Lal
-
Patent number: 11461483Abstract: Embodiments are directed to protection of communications between a trusted execution environment and a hardware accelerator utilizing enhanced end-to-end encryption and inter-context security. An embodiment of an apparatus includes one or more processors having one or more trusted execution environments (TEEs) including a first TEE to include a first trusted application; an interface with a hardware accelerator, the hardware accelerator including trusted embedded software or firmware; and a computer memory to store an untrusted kernel mode driver for the hardware accelerator, the one or more processors to establish an encrypted tunnel between the first trusted application in the first TEE and the trusted software or firmware, generate a call for a first command from the first trusted application, generate an integrity tag for the first command, and transfer command parameters for the first command and the integrity tag to the kernel mode driver to generate the first command.Type: GrantFiled: January 28, 2020Date of Patent: October 4, 2022Assignee: Intel CorporationInventors: Salessawi Ferede Yitbarek, Lawrence A. Booth, Jr., Brent D. Thomas, Reshma Lal, Pradeep M. Pappachan, Akshay Kadam
-
Publication number: 20220272076Abstract: Embodiments are directed to a session management framework for secure communications between host systems and trusted devices. An embodiment of computer-readable storage mediums includes instructions for establishing a security agreement between a host system and a trusted device, the host device including a trusted execution environment (TEE); initiating a key exchange between the host system and the trusted device, including sending a key agreement message from the host system to the trusted device; sending an initialization message to the trusted device; validating capabilities of the trusted device for a secure communication session between the host system and the trusted device; provisioning secrets to the trusted device and initializing cryptographic parameters with the trusted device; and sending an activate session message to the trusted device to activate the secure communication session over a secure communication channel.Type: ApplicationFiled: May 13, 2022Publication date: August 25, 2022Applicant: Intel CorporationInventors: Pradeep M. Pappachan, Reshma Lal
-
Patent number: 11423171Abstract: Embodiments are directed to protection of privacy and data on smart edge devices. An embodiment of an apparatus includes a sensor to produce a stream of sensor data; an analytics mechanism; and a trusted execution environment (TEE) including multiple keys for data security, the apparatus to exchange keys with a host server to establish one or more secure communication channels between the apparatus and a TEE on a host server, process the stream of sensor data utilizing the analytics mechanism to generate metadata, perform encryption and integrity protection of the metadata utilizing a key from the TEE for the sensor, sign the metadata utilizing a private key for the analytics mechanism, and transfer the encrypted and integrity protected metadata and the signature to the host server via the one or more secure communication channels in a manner that prevents privileged users on the host from accessing the data.Type: GrantFiled: December 23, 2019Date of Patent: August 23, 2022Assignee: Intel CorporationInventors: Lawrence A. Booth, Jr., Salessawi Ferede Yitbarek, Reshma Lal, Pradeep M. Pappachan, Brent D. Thomas
-
Patent number: 11423159Abstract: Technologies for trusted I/O include a computing device having a hardware cryptographic agent, a cryptographic engine, and an I/O controller. The hardware cryptographic agent intercepts a message from the I/O controller and identifies boundaries of the message. The message may include multiple DMA transactions, and the start of message is the start of the first DMA transaction. The cryptographic engine encrypts the message and stores the encrypted data in a memory buffer. The cryptographic engine may skip and not encrypt header data starting at the start of message or may read a value from the header to determine the skip length. In some embodiments, the cryptographic agent and the cryptographic engine may be an inline cryptographic engine. In some embodiments, the cryptographic agent may be a channel identifier filter, and the cryptographic engine may be processor-based. Other embodiments are described and claimed.Type: GrantFiled: December 5, 2019Date of Patent: August 23, 2022Assignee: INTEL CORPORATIONInventors: Soham Jayesh Desai, Siddhartha Chhabra, Bin Xing, Pradeep M. Pappachan, Reshma Lal
-
Patent number: 11416415Abstract: Technologies for secure device configuration and management include a computing device having an I/O device. A trusted agent of the computing device is trusted by a virtual machine monitor of the computing device. The trusted agent securely commands the I/O device to enter a trusted I/O mode, securely commands the I/O device to set a global lock on configuration registers, receives configuration data from the I/O device, and provides the configuration data to a trusted execution environment. In the trusted I/O mode, the I/O device rejects a configuration command if a configuration register associated with the configuration command is locked and the configuration command is not received from the trusted agent. The trusted agent may provide attestation information to the trusted execution environment. The trusted execution environment may verify the configuration data and the attestation information. Other embodiments are described and claimed.Type: GrantFiled: June 18, 2019Date of Patent: August 16, 2022Assignee: INTEL CORPORATIONInventors: Reshma Lal, Pradeep M. Pappachan, Luis Kida, Krystof Zmudzinski, Siddhartha Chhabra, Abhishek Basak, Alpa Narendra Trivedi, Anna Trikalinou, David M. Lee, Vedvyas Shanbhogue, Utkarsh Y. Kakaiya
-
Patent number: 11349817Abstract: Embodiments are directed to a session management framework for secure communications between host systems and trusted devices. An embodiment of computer-readable storage mediums includes instructions for establishing a security agreement between a host system and a trusted device, the host device including a trusted execution environment (TEE); initiating a key exchange between the host system and the trusted device, including sending a key agreement message from the host system to the trusted device; sending an initialization message to the trusted device; validating capabilities of the trusted device for a secure communication session between the host system and the trusted device; provisioning secrets to the trusted device and initializing cryptographic parameters with the trusted device; and sending an activate session message to the trusted device to activate the secure communication session over a secure communication channel.Type: GrantFiled: December 23, 2019Date of Patent: May 31, 2022Assignee: Intel CorporationInventors: Pradeep M. Pappachan, Reshma Lal
-
Publication number: 20220140993Abstract: Systems and methods include establishing a cryptographically secure communication between an application module and an audio module. The application module is configured to execute on an information-handling machine, and the audio module is coupled to the information-handling machine. The establishment of the cryptographically secure communication may be at least partially facilitated by a mutually trusted module.Type: ApplicationFiled: January 11, 2022Publication date: May 5, 2022Applicant: Intel CorporationInventors: Pradeep M. Pappachan, Reshma Lal, Rakesh A. Ughreja, Kumar N. Dwarakanath, Victoria C. Moore
-
Publication number: 20220091998Abstract: Technologies for secure device configuration and management include a computing device having an I/O device. A trusted agent of the computing device is trusted by a virtual machine monitor of the computing device. The trusted agent securely commands the I/O device to enter a trusted I/O mode, securely commands the I/O device to set a global lock on configuration registers, receives configuration data from the I/O device, and provides the configuration data to a trusted execution environment. In the trusted I/O mode, the I/O device rejects a configuration command if a configuration register associated with the configuration command is locked and the configuration command is not received from the trusted agent. The trusted agent may provide attestation information to the trusted execution environment. The trusted execution environment may verify the configuration data and the attestation information. Other embodiments are described and claimed.Type: ApplicationFiled: December 6, 2021Publication date: March 24, 2022Applicant: Intel CorporationInventors: Reshma Lal, Pradeep M. Pappachan, Luis Kida, Krystof Zmudzinski, Siddhartha Chhabra, Abhishek Basak, Alpa Narendra Trivedi, Anna Trikalinou, David M. Lee, Vedvyas Shanbhogue, Utkarsh Y. Kakaiya
-
Publication number: 20220035923Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information.Type: ApplicationFiled: October 22, 2021Publication date: February 3, 2022Applicant: Intel CorporationInventors: Pradeep M. Pappachan, Reshma Lal, Bin Xing, Siddhartha Chhabra, Vincent R. Scarlata, Steven B. McGowan
-
Patent number: 11228420Abstract: Systems and methods include establishing a cryptographically secure communication between an application module and an audio module. The application module is configured to execute on an information-handling machine, and the audio module is coupled to the information-handling machine. The establishment of the cryptographically secure communication may be at least partially facilitated by a mutually trusted module.Type: GrantFiled: December 6, 2019Date of Patent: January 18, 2022Assignee: INTEL CORPORATIONInventors: Pradeep M. Pappachan, Reshma Lal, Rakesh A. Ughreja, Kumar N. Dwarakanath, Victoria C. Moore
-
Publication number: 20210390063Abstract: Technologies for secure I/O data transfer with an accelerator device include a computing device having a processor and an accelerator. The processor establishes a trusted execution environment. The trusted execution environment may generate an authentication tag based on a memory-mapped I/O transaction, write the authentication tag to a register of the accelerator, and dispatch the transaction to the accelerator. The accelerator performs a cryptographic operation associated with the transaction, generates an authentication tag based on the transaction, and compares the generated authentication tag to the authentication tag received from the trusted execution environment. The accelerator device may initialize an authentication tag in response to a command from the trusted execution environment, transfer data between host memory and accelerator memory, perform a cryptographic operation in response to transferring the data, and update the authentication tag in response to transferrin the data.Type: ApplicationFiled: August 27, 2021Publication date: December 16, 2021Applicant: Intel CorporationInventors: Reshma Lal, Alpa Narendra Trivedi, Luis Kida, Pradeep M. Pappachan, Soham Jayesh Desai, Nanda Kumar Unnikrishnan
-
Patent number: 11157623Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information.Type: GrantFiled: February 20, 2019Date of Patent: October 26, 2021Assignee: INTEL CORPORATIONInventors: Pradeep M. Pappachan, Reshma Lal, Bin Xing, Siddhartha Chhabra, Vincent R. Scarlata, Steven B. McGowan
-
Publication number: 20210319118Abstract: In one embodiment, an apparatus includes a channel filter and a security processor. The security processor is to: receive a plurality of device access control policies from a protected non-volatile storage of a platform; determine whether the plurality of device access control policies are verified; program the channel filter with a plurality of filter entries each associated with one of the plurality of device access control policies based on the determination; and remove a security attribute of the security processor from a policy register of the channel filter, to lock the channel filter for a boot cycle of the platform. Other embodiments are described and claimed.Type: ApplicationFiled: June 21, 2021Publication date: October 14, 2021Inventors: Pradeep M. Pappachan, Siddhartha Chhabra, Bin Xing, Reshma Lal, Baruch Chaikin
-
Patent number: 11138132Abstract: Technologies for secure I/O data transfer with an accelerator device include a computing device having a processor and an accelerator. The processor establishes a trusted execution environment. The trusted execution environment may generate an authentication tag based on a memory-mapped I/O transaction, write the authentication tag to a register of the accelerator, and dispatch the transaction to the accelerator. The accelerator performs a cryptographic operation associated with the transaction, generates an authentication tag based on the transaction, and compares the generated authentication tag to the authentication tag received from the trusted execution environment. The accelerator device may initialize an authentication tag in response to a command from the trusted execution environment, transfer data between host memory and accelerator memory, perform a cryptographic operation in response to transferring the data, and update the authentication tag in response to transferrin the data.Type: GrantFiled: December 26, 2018Date of Patent: October 5, 2021Assignee: INTEL CORPORATIONInventors: Reshma Lal, Alpa Narendra Trivedi, Luis Kida, Pradeep M. Pappachan, Soham Jayesh Desai, Nanda Kumar Unnikrishnan
-
Patent number: 11126733Abstract: In one embodiment, an apparatus includes: a memory encryption circuit to encrypt data from a protected device, the data to be stored to a memory; and a filter circuit coupled to the memory encryption circuit, the filter circuit including a plurality of filter entries, each filter entry to store a channel identifier corresponding to a protected device, an access control policy for the protected device, and a session encryption key provided by an enclave, the enclave permitted to access the data according to the access control policy, where the filter circuit is to receive the session encryption key from the enclave in response to validation of the enclave. Other embodiments are described and claimed.Type: GrantFiled: August 27, 2018Date of Patent: September 21, 2021Assignee: Intel CorporationInventors: Pradeep M. Pappachan, Siddhartha Chhabra, Bin Xing, Reshma Lal, Baruch Chaikin
-
Publication number: 20210117576Abstract: Technologies for secure I/O include a compute device, which further includes a processor, a memory, a trusted execution environment (TEE), one or more input/output (I/O) devices, and an I/O subsystem. The I/O subsystem includes a device memory access table (DMAT) programmed by the TEE to establish bindings between the TEE and one or more I/O devices that the TEE trusts and a memory ownership table (MOT) programmed by the TEE when a memory page is allocated to the TEE.Type: ApplicationFiled: December 2, 2020Publication date: April 22, 2021Applicant: Intel CorporationInventors: Krystof Zmudzinski, Siddhartha Chhabra, Reshma Lal, Alpa Narendra Trivedi, Luis S. Kida, Pradeep M. Pappachan, Abhishek Basak, Anna Trikalinou
-
Patent number: 10943012Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information.Type: GrantFiled: January 29, 2019Date of Patent: March 9, 2021Assignee: INTEL CORPORATIONInventors: Pradeep M. Pappachan, Reshma Lal, Bin Xing, Siddhartha Chhabra, Vincent R. Scarlata, Steven B. McGowan
-
Patent number: 10878134Abstract: Technologies for secure I/O include a compute device, which further includes a processor, a memory, a trusted execution environment (TEE), one or more input/output (I/O) devices, and an I/O subsystem. The I/O subsystem includes a device memory access table (DMAT) programmed by the TEE to establish bindings between the TEE and one or more I/O devices that the TEE trusts and a memory ownership table (MOT) programmed by the TEE when a memory page is allocated to the TEE.Type: GrantFiled: March 29, 2019Date of Patent: December 29, 2020Assignee: INTEL CORPORATIONInventors: Krystof Zmudzinski, Siddhartha Chhabra, Reshma Lal, Alpa Narendra Trivedi, Luis S. Kida, Pradeep M. Pappachan, Abhishek Basak, Anna Trikalinou