Patents by Inventor Siddhartha Chhabra

Siddhartha Chhabra has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11392506
    Abstract: Examples include an apparatus which accesses secure pages in a trust domain using secure lookups in first and second sets of page tables. For example, one embodiment of the processor comprises: a decoder to decode a plurality of instructions including instructions related to a trusted domain; execution circuitry to execute a first one or more of the instructions to establish a first trusted domain using a first trusted domain key, the trusted domain key to be used to encrypt memory pages within the first trusted domain; and the execution circuitry to execute a second one or more of the instructions to associate a first process address space identifier (PASID) with the first trusted domain, the first PASID to uniquely identify a first execution context associated with the first trusted domain.
    Type: Grant
    Filed: August 5, 2020
    Date of Patent: July 19, 2022
    Assignee: INTEL CORPORATION
    Inventors: Vedvyas Shanbhogue, Ravi Sahita, Rajesh Sankaran, Siddhartha Chhabra, Abhishek Basak, Krystof Zmudzinski, Rupin Vakharwala
  • Publication number: 20220222185
    Abstract: Device memory protection for supporting trust domains is described. An example of a computer-readable storage medium includes instructions for allocating device memory for one or more trust domains (TDs) in a system including one or more processors and a graphics processing unit (GPU); allocating a trusted key ID for a TD of the one or more TDs; creating LMTT (Local Memory Translation Table) mapping for address translation tables, the address translation tables being stored in a device memory of the GPU; transitioning the TD to a secure state; and receiving and processing a memory access request associated with the TD, processing the memory access request including accessing a secure version of the address translation tables.
    Type: Application
    Filed: April 2, 2022
    Publication date: July 14, 2022
    Applicant: Intel Corporation
    Inventors: Vidhya Krishnan, Siddhartha Chhabra, David Puffer, Ankur Shah, Daniel Nemiroff, Utkarsh Y. Kakaiya
  • Publication number: 20220222143
    Abstract: A write request causes controller circuitry to write an encrypted data line and First Tier metadata portion including MAC data and a first portion of ECC data to a first memory circuitry portion and a second portion of ECC data to a sequestered, second memory circuitry portion. A read request causes the controller circuitry to read the encrypted data line and the First Tier metadata portion from the first memory circuitry portion. Using the first portion of the ECC data included in the First Tier metadata portion, the controller circuitry determines if an error exists in the encrypted data line. If no error is detected, the controller circuitry decrypts and verifies the data line using the MAC data included in the First Tier metadata portion. If an error in the data line is detected by the controller circuitry, the Second Tier metadata portion, containing the second portion of the ECC data is fetched from the sequestered, second memory circuitry portion and the error corrected.
    Type: Application
    Filed: March 30, 2022
    Publication date: July 14, 2022
    Applicant: Intel Corporation
    Inventors: Siddhartha Chhabra, Ronald Perez, Hsing-Min Chen, Manjula Peddireddy
  • Publication number: 20220224510
    Abstract: Encryption interface technologies are described. A processor can include a system agent, an encryption interface, and a memory controller. The system agent can communicate data with a hardware functional block. The encryption interface can be coupled between the system agent and a memory controller. The encryption interface can receive a plaintext request from the system agent, encrypt the plaintext request to obtain an encrypted request, and communicate the encrypted request to the memory controller. The memory controller can communicate the encrypted request to a main memory of the computing device.
    Type: Application
    Filed: March 28, 2022
    Publication date: July 14, 2022
    Inventors: Eugene M. Kishinevsky, Uday Savagaonkar, Alpa T. Narendra Trivedi, Siddhartha Chhabra, Baiju V. Patel, Men Long, Kirk S. Yap, David M. Durham
  • Patent number: 11379592
    Abstract: An integrated circuit includes a core and memory controller coupled to a last level cache (LLC). A first key identifier for a first program is associated with physical addresses of memory that store data of the first program. To flush and invalidate cache lines associated with the first key identifier, the core is to execute an instruction (having the first key identifier) to generate a transaction with the first key identifier. In response to the transaction, a cache controller of the LLC is to: identify matching entries in the LLC by comparison of first key identifier with at least part of an address tag of a plurality of entries in a tag storage structure of the LLC, the matching entries associated with cache lines of the LLC; write back, to the memory, data stored in the cache lines; and mark the matching entries of the tag storage structure as invalid.
    Type: Grant
    Filed: December 20, 2018
    Date of Patent: July 5, 2022
    Assignee: Intel Corporation
    Inventors: Vedvyas Shanbhogue, Stephen Van Doren, Gilbert Neiger, Barry E. Huntley, Amy L. Santoni, Raghunandan Makaram, Hormuzd Khosravi, Siddhartha Chhabra
  • Publication number: 20220209959
    Abstract: Embodiments detailed herein describe an encryption architecture with fast zero support (e.g., FZ-MKTME) to allow memory encryption and integrity architecture to work efficiently with 3DXP or other far memory memories. In particular, an encryption engine for the purpose of fast zeroing in the far memory controller is detailed along with mechanisms for consistent key programming of this engine. For example, an instruction is detailed which allows software to send keys protected even when the controller is located outside of a system on a chip (SoC), etc.
    Type: Application
    Filed: December 26, 2020
    Publication date: June 30, 2022
    Inventors: Siddhartha CHHABRA, Manjula PEDDIREDDY, Hormuzd KHOSRAVI
  • Publication number: 20220209933
    Abstract: Detailed herein are embodiments which allow for integrity protected access control to provide defense against deterministic software attacks. Software attacks such as rowhammer attacks which target the TD bit itself are defended against using cryptographic integrity which the data itself is protected by the TD-bit alone. As such, software is reduced to performing only non-deterministic attacks (e.g., random corruption), but all the deterministic attacks are defended against. Additionally, integrity-protected access control bits are protected against simple hardware attacks where the adversary with physical access to the machine can flip TD bits to get ciphertext access in software which can break confidentiality.
    Type: Application
    Filed: December 26, 2020
    Publication date: June 30, 2022
    Inventors: Siddhartha CHHABRA, John Sell
  • Publication number: 20220206951
    Abstract: A method is described. The method includes executing a memory access instruction for a software process or thread. The method includes creating a memory access request for the memory access instruction having a physical memory address and a first identifier of a realm that the software process or thread execute from. The method includes receiving the memory access request and determining a second identifier of a realm from the physical memory address. The method also includes servicing the memory access request because the first identifier matches the second identifier.
    Type: Application
    Filed: December 24, 2020
    Publication date: June 30, 2022
    Inventors: Thomas TOLL, Ramya JAYARAM MASTI, Barry E. HUNTLEY, Vincent VON BOKERN, Siddhartha CHHABRA, Hormuzd M. KHOSRAVI, Vedvyas SHANBHOGUE, Gideon GERZON
  • Publication number: 20220207194
    Abstract: Detailed herein are embodiments utilizing a cryptographically authenticated address bus (CAAB) protection that uses an intelligent memory design to prevent attacks on the address bus without detection and eliminate the memory bus as an observability surface for an attacker to do access pattern analysis. Embodiments detailed herein describe an intelligent memory module which has cryptographic capabilities. In some embodiments, a memory controller and an intelligent memory module exchange a key and using this key, the address (on the address bus) is encrypted and integrity protected using authenticated counter mode encryption. The memory controller on receiving a read or a write request encrypts the address (e.g., using pre-generated encrypted counters to minimize cryptographic overheads). A message authentication code (MAC) also gets generated along with the encrypted address to be able to detect modification to the encrypted address.
    Type: Application
    Filed: December 26, 2020
    Publication date: June 30, 2022
    Inventors: Siddhartha CHHABRA, Abhishek BASAK
  • Publication number: 20220209967
    Abstract: Techniques for encrypting data using a key generated by a physical unclonable function (PUF) are described. An apparatus according to the present disclosure may include decoder circuitry to decode an instruction and generate a decoded instruction. The decoded instruction includes operands and an opcode. The opcode indicates that execution circuitry is to encrypt data using a key generated by a PUF. The apparatus may further include execution circuitry to execute the decoded instruction according to the opcode to encrypt the data to generate encrypted data using the key generated by the PUF.
    Type: Application
    Filed: December 26, 2020
    Publication date: June 30, 2022
    Inventors: Siddhartha CHHABRA, Prashant DEWAN, Baiju PATEL
  • Publication number: 20220209968
    Abstract: Techniques for encrypting data using a key generated by a physical unclonable function (PUF) are described. An apparatus according to the present disclosure may include decoder circuitry to decode an instruction and generate a decoded instruction. The decoded instruction includes operands and an opcode. The opcode indicates that execution circuitry is to encrypt data using a key generated by a PUF. The apparatus may further include execution circuitry to execute the decoded instruction according to the opcode to encrypt the data to generate encrypted data using the key generated by the PUF.
    Type: Application
    Filed: December 26, 2020
    Publication date: June 30, 2022
    Inventors: Siddhartha CHHABRA, Prashant DEWAN, Baiju PATEL
  • Publication number: 20220207190
    Abstract: Techniques for Scalable Memory Integrity and Enhanced Reliability, Availability, and Serviceability (SMIRAS) based systems are described. A SMIRAS based system may be enabled to use an integrity-based metadata organization that stores data, metadata, and a first portion of ECC data together in memory and a second portion of ECC data in sequestered memory; or using a compression based organization that stores compressed data, compression metadata, and a second portion of ECC data as a cacheline.
    Type: Application
    Filed: December 26, 2020
    Publication date: June 30, 2022
    Inventors: Siddhartha CHHABRA, Manjula PEDDIREDDY, Rajat AGARWAL
  • Publication number: 20220209966
    Abstract: Techniques for encrypting data using a key generated by a physical unclonable function (PUF) are described. An apparatus according to the present disclosure may include decoder circuitry to decode an instruction and generate a decoded instruction. The decoded instruction includes operands and an opcode. The opcode indicates that execution circuitry is to encrypt data using a key generated by a PUF. The apparatus may further include execution circuitry to execute the decoded instruction according to the opcode to encrypt the data to generate encrypted data using the key generated by the PUF.
    Type: Application
    Filed: December 26, 2020
    Publication date: June 30, 2022
    Inventors: Siddhartha CHHABRA, Prashant DEWAN, Baiju PATEL, Vedvyas SHANBHOGUE
  • Publication number: 20220207155
    Abstract: Detailed herein is instruction level support to allow untrusted software to save/restore key state from the memory encryption engine to support S3/S4 flows on clients. In a first embodiment, the save/restore is done by the untrusted software and encryption hardware alone. In another embodiment, a security engine (which forms the root of trust on the platform) is involved to protect the keys before handing over to untrusted software. Either embodiment uses the instructions introduced herein which may work differently underneath depending on the implementation option chosen.
    Type: Application
    Filed: December 26, 2020
    Publication date: June 30, 2022
    Inventors: Siddhartha CHHABRA, Thripthi HEGDE, Reouven ELBAZ
  • Publication number: 20220209969
    Abstract: Techniques for encrypting data using a key generated by a physical unclonable function (PUF) are described. An apparatus according to the present disclosure may include decoder circuitry to decode an instruction and generate a decoded instruction. The decoded instruction includes operands and an opcode. The opcode indicates that execution circuitry is to encrypt data using a key generated by a PUF. The apparatus may further include execution circuitry to execute the decoded instruction according to the opcode to encrypt the data to generate encrypted data using the key generated by the PUF.
    Type: Application
    Filed: December 26, 2020
    Publication date: June 30, 2022
    Inventors: Siddhartha CHHABRA, Prashant DEWAN, Baiju PATEL
  • Publication number: 20220198027
    Abstract: Methods and apparatus relating to a Converged Cryptographic Engine (CCE) for storage encryption are described. In an embodiment, decode circuitry decodes an instruction to determine whether Converged Cryptographic Engine (CCE) circuitry is enabled. Execution circuitry executes the instruction to program a plurality of keys in response to the CCE circuitry being enabled. The CCE circuitry performs all encryption and all decryption of data to be transferred between a memory and a storage device based at least in part on at least one of the plurality of keys. Other embodiments are also disclosed and claimed.
    Type: Application
    Filed: December 23, 2020
    Publication date: June 23, 2022
    Applicant: Intel Corporation
    Inventors: Siddhartha Chhabra, Prashant Dewan, Baiju Patel
  • Patent number: 11360910
    Abstract: A processor includes a processor core and a memory controller coupled to the processor core. The memory controller comprising a cryptographic engine to: detect, in a write request for a cache line, a key identifier (ID) within a physical address of a location in memory; determine that the key ID is a trust domain key ID of a plurality of key IDs; responsive to a determination that the key ID is the trust domain key ID, set an ownership bit of the cache line to indicate the cache line belongs to a trust domain; encrypt the cache line to generate encrypted data; determine a message authentication code (MAC) associated with the cache line; and write the encrypted data, the ownership bit, and the MAC of the cache line to the memory.
    Type: Grant
    Filed: June 28, 2019
    Date of Patent: June 14, 2022
    Assignee: INTEL CORPORATION
    Inventors: Siddhartha Chhabra, Vedvyas Shanbhogue, Ravi L. Sahita
  • Patent number: 11343090
    Abstract: There is disclosed in one example a computing system, including: a processor; a memory; and a memory encryption engine (MEE) including circuitry and logic to: allocate a protected isolated memory region (IMR); encrypt the protected IMR; set an access control policy to allow access to the IMR by a device identified by a device identifier; and upon receiving a memory access request directed to the IMR, enforce the access control policy.
    Type: Grant
    Filed: June 27, 2019
    Date of Patent: May 24, 2022
    Assignee: Intel Corporation
    Inventors: Siddhartha Chhabra, Prashant Dewan
  • Publication number: 20220159081
    Abstract: Technologies disclosed herein provide a method for receiving at a device from a remote server, a request for state information from a first processor of the device, obtaining the state information from one or more registers of the first processor based on a request structure indicated by a first instruction of a software program executing on the device, and generating a response structure based, at least in part, on the obtained state information. The method further includes using a cryptographic algorithm and a shared key established between the device and the remote server to generate a signature based, at least in part, on the response structure, and communicating the response structure and the signature to the remote server. In more specific embodiments, both the response structure and the request structure each include a same nonce value.
    Type: Application
    Filed: February 2, 2022
    Publication date: May 19, 2022
    Applicant: Intel Corporation
    Inventors: Prashant Dewan, Siddhartha Chhabra, Uttam K. Sengupta, Howard C. Herbert
  • Publication number: 20220147453
    Abstract: Techniques and mechanisms for metadata, which corresponds to cached data, to be selectively stored to a sequestered memory region. In an embodiment, integrated circuitry evaluates whether a line of a cache can accommodate a first representation of both the data and some corresponding metadata. Where the cache line can accommodate the first representation, said first representation is generated and stored to the line. Otherwise, a second representation of the data is generated and stored to a cache line, and the metadata is stored to a sequestered memory region that is external to the cache. The cache line includes an indication as to whether the metadata is represented in the cache line, or is stored in the sequestered memory region. In another embodiment, a metric of utilization of the sequestered memory region is provided to software which determines whether a capacity of the sequestered memory region is to be modified.
    Type: Application
    Filed: November 12, 2020
    Publication date: May 12, 2022
    Applicant: Intel Corporation
    Inventors: Michael Kounavis, Siddhartha Chhabra, David M. Durham