Patents by Inventor Ravi Sahita
Ravi Sahita has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20220222340Abstract: Security and support for trust domain operation is described. An example of a method includes processing, at an accelerator, one or more compute workloads received from a host system; upon receiving a notification that a trust domain has transitioned to a secure state, transition an original set of privileges for the accelerator to a downgraded set of privileges; upon receiving a command from the host system for the trust domain, processing the command in accordance with the trust domain; and upon receiving a request from the host system to access a register, for a register included in an allowed list of registers for access, allow access to the register, and, for a register that is not within the allowed list of registers for access, disallowing access to the register.Type: ApplicationFiled: April 1, 2022Publication date: July 14, 2022Applicant: Intel CorporationInventors: Vidhya Krishnan, Ankur Shah, Bryan White, Daniel Nemiroff, David Puffer, Julien Carreno, Scott Janus, Ravi Sahita, Hema Nalluri, Utkarsh Y. Kakaiya
-
Publication number: 20220222358Abstract: Scalable cloning and replication for trusted execution environments is described. An example of a computer-readable storage medium includes instructions for receiving a selection of a point to capture a snapshot of a baseline trust domain (TD) or secure enclave, the TD or secure enclave being associated with a trusted execution environment (TEE) of a processor utilized for processing of a workload; initiating cloning of the TD or secure enclave from a source platform to an escrow platform; generating an escrow key to export the snapshot to the escrow platform; and exporting a state of the TD or secure enclave to the escrow platform, the state being sealed with a sealing key.Type: ApplicationFiled: March 31, 2022Publication date: July 14, 2022Applicant: Intel CorporationInventors: Ravi Sahita, Dror Caspi, Vedvyas Shanbhogue, Vincent Scarlata, Anjo Lucas Vahldiek-Oberwagner, Haidong Xia, Mona Vij
-
Publication number: 20220214976Abstract: Embodiment of this disclosure provide techniques to support memory paging between trust domains (TDs) in computer systems. In one embodiment, a processing device including a memory controller and a memory paging circuit is provided. The memory paging circuit is to insert a transportable page into a memory location associated with a trust domain (TD), the transportable page comprises encrypted contents of a first memory page of the TD. The memory paging circuit is further to create a third memory page associated with the TD by binding the transportable page to the TD, binding the transportable page to the TD comprises re-encrypting contents of the transportable page based on a key associated with the TD and a physical address of the memory location. The memory paging circuit is further to access contents of the third memory page by decrypting the contents of the third memory page using the key associated with the TD.Type: ApplicationFiled: March 28, 2022Publication date: July 7, 2022Inventors: Hormuzd M. Khosravi, Baiju Patel, Ravi Sahita, Barry Huntley
-
Publication number: 20220206842Abstract: Techniques for migration of a source protected virtual machine from a source platform to a destination platform are descried. A method of an aspect includes enforcing that bundles of state, of a first protected virtual machine (VM), received at a second platform over a stream, during an in-order phase of a migration of the first protected VM from a first platform to the second platform, are imported to a second protected VM of the second platform, in a same order that they were exported from the first protected VM. Receiving a marker over the stream marking an end of the in-order phase. Determining that all bundles of state exported from the first protected VM prior to export of the marker have been imported to the second protected VM. Starting an out-of-order phase of the migration based on the determination that said all bundles of the state exported have been imported.Type: ApplicationFiled: December 26, 2020Publication date: June 30, 2022Inventors: Ravi SAHITA, Dror CASPI, Vincent SCARLATA, Sharon YANIV, Baruch CHAIKIN, Vedvyas SHANBHOGUE, Jun NAKAJIMA, Arumugam THIYAGARAJAH, Sean CHRISTOPHERSON, Haidong XIA, Vinay AWASTHI, Isaku YAMAHATA, Wei WANG, Thomas ADELMEYER
-
Patent number: 11366895Abstract: Embodiments include side channel defender circuitry to protect shared code pages in executable only memory (XOM) from side-channel exploits. The side channel defender circuitry receives system calls and determines whether code pages include executable code, whether the code pages include writeable code, and whether the code pages include instructions capable of altering or modifying one or more protection keys associated with code pages stored in XOM. If the code pages contain executable code that is writeable or executable code that includes instructions capable of altering or modifying one or more protection keys associated with code pages stored in XOM the side channel defender circuitry, the side channel defender circuitry aborts the system call.Type: GrantFiled: September 28, 2018Date of Patent: June 21, 2022Assignee: Intel CorporationInventors: Ravi Sahita, Mingwei Zhang
-
Patent number: 11288206Abstract: Embodiment of this disclosure provide techniques to support memory paging between trust domains (TDs) in computer systems. In one embodiment, a processing device including a memory controller and a memory paging circuit is provided. The memory paging circuit is to insert a transportable page into a memory location associated with a trust domain (TD), the transportable page comprises encrypted contents of a first memory page of the TD. The memory paging circuit is further to create a third memory page associated with the TD by binding the transportable page to the TD, binding the transportable page to the TD comprises re-encrypting contents of the transportable page based on a key associated with the TD and a physical address of the memory location. The memory paging circuit is further to access contents of the third memory page by decrypting the contents of the third memory page using the key associated with the TD.Type: GrantFiled: March 26, 2020Date of Patent: March 29, 2022Assignee: Intel CorporationInventors: Hormuzd M. Khosravi, Baiju Patel, Ravi Sahita, Barry Huntley
-
Publication number: 20220083647Abstract: Technologies for memory management with memory protection extension include a computing device having a processor with one or more protection extensions. The processor may load a logical address including a segment base, effective limit, and effective address and generate a linear address as a function of the logical address with the effective limit as a mask. The processor may switch to a new task described by a task state segment extension. The task state extension may specify a low-latency segmentation mode. The processor may prohibit access to a descriptor in a local descriptor table with a descriptor privilege level lower than the current privilege level of the processor. The computing device may load a secure enclave using secure enclave support of the processor. The secure enclave may load an unsandbox and a sandboxed application in a user privilege level of the processor. Other embodiments are described and claimed.Type: ApplicationFiled: November 29, 2021Publication date: March 17, 2022Applicant: Intel CorporationInventors: Michael LeMay, Barry E. Huntley, Ravi Sahita
-
Publication number: 20220083649Abstract: Technologies for memory management with memory protection extension include a computing device having a processor with one or more protection extensions. The processor may load a logical address including a segment base, effective limit, and effective address and generate a linear address as a function of the logical address with the effective limit as a mask. The processor may switch to a new task described by a task state segment extension. The task state extension may specify a low-latency segmentation mode. The processor may prohibit access to a descriptor in a local descriptor table with a descriptor privilege level lower than the current privilege level of the processor. The computing device may load a secure enclave using secure enclave support of the processor. The secure enclave may load an unsandbox and a sandboxed application in a user privilege level of the processor. Other embodiments are described and claimed.Type: ApplicationFiled: November 29, 2021Publication date: March 17, 2022Applicant: Intel CorporationInventors: Michael LeMay, Barry E. Huntley, Ravi Sahita
-
Publication number: 20220083648Abstract: Technologies for memory management with memory protection extension include a computing device having a processor with one or more protection extensions. The processor may load a logical address including a segment base, effective limit, and effective address and generate a linear address as a function of the logical address with the effective limit as a mask. The processor may switch to a new task described by a task state segment extension. The task state extension may specify a low-latency segmentation mode. The processor may prohibit access to a descriptor in a local descriptor table with a descriptor privilege level lower than the current privilege level of the processor. The computing device may load a secure enclave using secure enclave support of the processor. The secure enclave may load an unsandbox and a sandboxed application in a user privilege level of the processor. Other embodiments are described and claimed.Type: ApplicationFiled: November 29, 2021Publication date: March 17, 2022Applicant: Intel CorporationInventors: Michael LeMay, Barry E. Huntley, Ravi Sahita
-
Publication number: 20220058023Abstract: Systems, methods, and apparatuses relating to circuitry to implement individually revocable capabilities for enforcing temporal memory safety are described. In one embodiment, a hardware processor comprises an execution unit to execute an instruction to request access to a block of memory through a pointer to the block of memory, and a memory controller circuit to allow access to the block of memory when an allocated object tag in the pointer is validated with an allocated object tag in an entry of a capability table in memory that is indexed by an index value in the pointer, wherein the memory controller circuit is to clear the allocated object tag in the capability table when a corresponding object is deallocated.Type: ApplicationFiled: November 2, 2021Publication date: February 24, 2022Inventors: Michael LEMAY, Vedvyas SHANBHOGUE, Deepak GUPTA, Ravi SAHITA, David M. DURHAM, Willem PINCKAERS, Enrico PERLA
-
Publication number: 20220012059Abstract: Systems, methods, and apparatuses relating to instructions to compartmentalize memory accesses and execution (e.g., non-speculative and speculative) are described.Type: ApplicationFiled: June 7, 2021Publication date: January 13, 2022Inventors: Ravi Sahita, Deepak Gupta, Vedvyas Shanbhogue, David Hansen, Jason W. Brandt, Joseph Nuzman, Mingwei Zhang
-
Patent number: 11216556Abstract: The present disclosure is directed to systems and methods that maintain consistency between a system architectural state and a microarchitectural state in the system cache circuitry to prevent a side-channel attack from accessing secret information. Speculative execution of one or more instructions by the processor circuitry causes memory management circuitry to transition the cache circuitry from a first microarchitectural state to a second microarchitectural state. The memory management circuitry maintains the cache circuitry in the second microarchitectural state in response to a successful completion and/or retirement of the speculatively executed instruction. The memory management circuitry reverts the cache circuitry from the second microarchitectural state to the first microarchitectural state in response to an unsuccessful completion, flushing, and/or retirement of the speculatively executed instruction.Type: GrantFiled: December 17, 2018Date of Patent: January 4, 2022Assignee: Intel CorporationInventors: Ken Grewal, Ravi Sahita, David Durham, Erdem Aktas, Sergej Deutsch, Abhishek Basak
-
Patent number: 11163569Abstract: Systems, methods, and apparatuses relating to circuitry to implement individually revocable capabilities for enforcing temporal memory safety are described. In one embodiment, a hardware processor comprises an execution unit to execute an instruction to request access to a block of memory through a pointer to the block of memory, and a memory controller circuit to allow access to the block of memory when an allocated object tag in the pointer is validated with an allocated object tag in an entry of a capability table in memory that is indexed by an index value in the pointer, wherein the memory controller circuit is to clear the allocated object tag in the capability table when a corresponding object is deallocated.Type: GrantFiled: December 28, 2019Date of Patent: November 2, 2021Assignee: Intel CorporationInventors: Michael Lemay, Vedvyas Shanbhogue, Deepak Gupta, Ravi Sahita, David M. Durham, Willem Pinckaers, Enrico Perla
-
Publication number: 20210312038Abstract: Technologies for memory management with memory protection extension include a computing device having a processor with one or more protection extensions. The processor may load a logical address including a segment base, effective limit, and effective address and generate a linear address as a function of the logical address with the effective limit as a mask. The processor may switch to a new task described by a task state segment extension. The task state extension may specify a low-latency segmentation mode. The processor may prohibit access to a descriptor in a local descriptor table with a descriptor privilege level lower than the current privilege level of the processor. The computing device may load a secure enclave using secure enclave support of the processor. The secure enclave may load an unsandbox and a sandboxed application in a user privilege level of the processor. Other embodiments are described and claimed.Type: ApplicationFiled: June 14, 2021Publication date: October 7, 2021Applicant: Intel CorporationInventors: Michael LeMay, Barry E. Huntley, Ravi Sahita
-
Publication number: 20210303677Abstract: Technologies for memory management with memory protection extension include a computing device having a processor with one or more protection extensions. The processor may load a logical address including a segment base, effective limit, and effective address and generate a linear address as a function of the logical address with the effective limit as a mask. The processor may switch to a new task described by a task state segment extension. The task state extension may specify a low-latency segmentation mode. The processor may prohibit access to a descriptor in a local descriptor table with a descriptor privilege level lower than the current privilege level of the processor. The computing device may load a secure enclave using secure enclave support of the processor. The secure enclave may load an unsandbox and a sandboxed application in a user privilege level of the processor. Other embodiments are described and claimed.Type: ApplicationFiled: June 14, 2021Publication date: September 30, 2021Applicant: Intel CorporationInventors: Michael LeMay, Barry E. Huntley, Ravi Sahita
-
Publication number: 20210303678Abstract: Technologies for memory management with memory protection extension include a computing device having a processor with one or more protection extensions. The processor may load a logical address including a segment base, effective limit, and effective address and generate a linear address as a function of the logical address with the effective limit as a mask. The processor may switch to a new task described by a task state segment extension. The task state extension may specify a low-latency segmentation mode. The processor may prohibit access to a descriptor in a local descriptor table with a descriptor privilege level lower than the current privilege level of the processor. The computing device may load a secure enclave using secure enclave support of the processor. The secure enclave may load an unsandbox and a sandboxed application in a user privilege level of the processor. Other embodiments are described and claimed.Type: ApplicationFiled: June 14, 2021Publication date: September 30, 2021Applicant: Intel CorporationInventors: Michael LeMay, Barry E. Huntley, Ravi Sahita
-
Publication number: 20210263779Abstract: Embodiments of systems, apparatuses and methods provide enhanced function as a service (FaaS) to users, e.g., computer developers and cloud service providers (CSPs). A computing system configured to provide such enhanced FaaS service include one or more controls architectural subsystems, software and orchestration subsystems, network and storage subsystems, and security subsystems. The computing system executes functions in response to events triggered by the users in an execution environment provided by the architectural subsystems, which represent an abstraction of execution management and shield the users from the burden of managing the execution. The software and orchestration subsystems allocate computing resources for the function execution by intelligently spinning up and down containers for function code with decreased instantiation latency and increased execution scalability while maintaining secured execution.Type: ApplicationFiled: April 16, 2019Publication date: August 26, 2021Applicant: Intel CorporationInventors: Mohammad R. Haghighat, Kshitij Doshi, Andrew J. Herdrich, Anup Mohan, Ravishankar R. Iyer, Mingqiu Sun, Krishna Bhuyan, Teck Joo Goh, Mohan J. Kumar, Michael Prinke, Michael Lemay, Leeor Peled, Jr-Shian Tsai, David M. Durham, Jeffrey D. Chamberlain, Vadim A. Sukhomlinov, Eric J. Dahlen, Sara Baghsorkhi, Harshad Sane, Areg Melik-Adamyan, Ravi Sahita, Dmitry Yurievich Babokin, Ian M. Steiner, Alexander Bachmutsky, Anil Rao, Mingwei Zhang, Nilesh K. Jain, Amin Firoozshahian, Baiju V. Patel, Wenyong Huang, Yeluri Raghuram
-
Publication number: 20210200673Abstract: An apparatus and method for memory management using compartmentalization. For example, one embodiment of a processor comprises: execution circuitry to execute instructions and process data, at least one instruction to generate a system memory access request using a first linear address; and address translation circuitry to perform a first walk operation through a set of one or more address translation tables to translate the first linear address to a first physical address, the address translation circuitry to concurrently perform a second walk operation through a set of one or more linear address metadata tables to identify metadata associated with the linear address, and to use one or more portions of the metadata to validate access by the at least one instruction to the first physical address.Type: ApplicationFiled: December 27, 2019Publication date: July 1, 2021Inventors: DEEPAK GUPTA, MINGWEI ZHANG, RAVI SAHITA, VEDVYAS SHANBHOGUE, MICHAEL LEMAY, DAVID M. DURHAM
-
Publication number: 20210200546Abstract: Systems, methods, and apparatuses relating to circuitry to implement individually revocable capabilities for enforcing temporal memory safety are described. In one embodiment, a hardware processor comprises an execution unit to execute an instruction to request access to a block of memory through a pointer to the block of memory, and a memory controller circuit to allow access to the block of memory when an allocated object tag in the pointer is validated with an allocated object tag in an entry of a capability table in memory that is indexed by an index value in the pointer, wherein the memory controller circuit is to clear the allocated object tag in the capability table when a corresponding object is deallocated.Type: ApplicationFiled: December 28, 2019Publication date: July 1, 2021Inventors: Michael LEMAY, Vedvyas SHANBHOGUE, Deepak GUPTA, Ravi SAHITA, David M. DURHAM, Willem PINCKAERS, Enrico PERLA
-
Patent number: 11036850Abstract: Technologies for memory management with memory protection extension include a computing device having a processor with one or more protection extensions. The processor may load a logical address including a segment base, effective limit, and effective address and generate a linear address as a function of the logical address with the effective limit as a mask. The processor may switch to a new task described by a task state segment extension. The task state extension may specify a low-latency segmentation mode. The processor may prohibit access to a descriptor in a local descriptor table with a descriptor privilege level lower than the current privilege level of the processor. The computing device may load a secure enclave using secure enclave support of the processor. The secure enclave may load an unsandbox and a sandboxed application in a user privilege level of the processor. Other embodiments are described and claimed.Type: GrantFiled: December 13, 2018Date of Patent: June 15, 2021Assignee: Intel CorporationInventors: Michael LeMay, Barry E. Huntley, Ravi Sahita