Patents by Inventor Vincent R. Scarlata
Vincent R. Scarlata has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20160371191Abstract: Instructions and logic provide advanced paging capabilities for secure enclave page caches. Embodiments include multiple hardware threads or processing cores, a cache to store secure data for a shared page address allocated to a secure enclave accessible by the hardware threads. A decode stage decodes a first instruction specifying said shared page address as an operand, and execution units mark an entry corresponding to an enclave page cache mapping for the shared page address to block creation of a new translation for either of said first or second hardware threads to access the shared page. A second instruction is decoded for execution, the second instruction specifying said secure enclave as an operand, and execution units record hardware threads currently accessing secure data in the enclave page cache corresponding to the secure enclave, and decrement the recorded number of hardware threads when any of the hardware threads exits the secure enclave.Type: ApplicationFiled: August 29, 2016Publication date: December 22, 2016Inventors: CARLOS V. ROZAS, ILYA ALEXANDROVICH, ITTAI ANATI, ALEX BERENZON, MICHAEL A. GOLDSMITH, BARRY E. HUNTLEY, ANTON IVANOV, SIMON P. JOHNSON, REBEKAH M. LESLIE-HURD, FRANCIS X. MCKEEN, GILBERT NEIGER, RINAT RAPPOPORT, SCOTT D. RODGERS, UDAY R. SAVAGAONKAR, VINCENT R. SCARLATA, VEDVYAS SHANBHOGUE, WESLEY H. SMITH, WILLIAM C. WOOD
-
Patent number: 9524400Abstract: A virtual security coprocessor is created in a first processing system. The virtual security coprocessor is then transferred to a second processing system, for use by the second processing system. For instance, the second processing system may use the virtual security coprocessor to provide attestation for the second processing system. In an alternative embodiment, a virtual security coprocessor from a first processing system is received at a second processing system. After receiving the virtual security coprocessor from the first processing system, the second processing system uses the virtual security coprocessor. Other embodiments are described and claimed.Type: GrantFiled: May 28, 2015Date of Patent: December 20, 2016Assignee: Intel CorporationInventor: Vincent R. Scarlata
-
Publication number: 20160364338Abstract: A processor for supporting secure memory intent is disclosed. The processor of the disclosure includes a memory execution unit to access memory and a processor core coupled to the memory execution unit. The processor core is to receive a request to access a convertible page of the memory. In response to the request, the processor core to determine an intent for the convertible page in view of a page table entry (PTE) corresponding to the convertible page. The intent indicates whether the convertible page is to be accessed as at least one of a secure page or a non-secure page.Type: ApplicationFiled: June 12, 2015Publication date: December 15, 2016Inventors: Krystof C. Zmudzinski, Siddhartha Chhabra, Uday R. Savagaonkar, Simon P. Johnson, Rebekah M. Leslie-Hurd, Francis X. McKeen, Gilbert Neiger, Raghunandan Makaram, Carlos V. Rozas, Amy L. Santoni, Vincent R. Scarlata, Vedvyas Shanbhogue, Ilya Alexandrovich, Ittai Anati, Wesley H. Smith, Michael Goldsmith
-
Patent number: 9501668Abstract: Systems and methods for secure delivery of output surface bitmaps to a display engine. An example processing system comprises: an architecturally protected memory; and a processing core communicatively coupled to the architecturally protected memory, the processing core comprising a processing logic configured to implement an architecturally-protected execution environment by performing at least one of: executing instructions residing in the architecturally protected memory and preventing an unauthorized access to the architecturally protected memory; wherein the processing logic is further configured to provide a secure video output path by generating an output surface bitmap encrypted with a first encryption key and storing an encrypted first encryption key in an external memory, wherein the encrypted first encryption key is produced by encrypting the first encryption key with a second encryption key.Type: GrantFiled: September 25, 2013Date of Patent: November 22, 2016Assignee: Intel CorporationInventors: Siddhartha Chhabra, Uday R. Savagaonkar, Prashant Dewan, David M. Durham, Balaji Vembu, Xiaozhu Kang, Scott Janus, Jason Martin, Vincent R. Scarlata
-
Patent number: 9501665Abstract: A virtual security coprocessor is created in a first processing system. The virtual security coprocessor is then transferred to a second processing system, for use by the second processing system. For instance, the second processing system may use the virtual security coprocessor to provide attestation for the second processing system. In an alternative embodiment, a virtual security coprocessor from a first processing system is received at a second processing system. After receiving the virtual security coprocessor from the first processing system, the second processing system uses the virtual security coprocessor. Other embodiments are described and claimed.Type: GrantFiled: May 28, 2015Date of Patent: November 22, 2016Assignee: Intel CorporationInventor: Vincent R. Scarlata
-
Patent number: 9483662Abstract: A virtual security coprocessor is created in a first processing system. The virtual security coprocessor is then transferred to a second processing system, for use by the second processing system. For instance, the second processing system may use the virtual security coprocessor to provide attestation for the second processing system. In an alternative embodiment, a virtual security coprocessor from a first processing system is received at a second processing system. After receiving the virtual security coprocessor from the first processing system, the second processing system uses the virtual security coprocessor. Other embodiments are described and claimed.Type: GrantFiled: May 28, 2015Date of Patent: November 1, 2016Assignee: Intel CorporationInventor: Vincent R. Scarlata
-
Publication number: 20160283411Abstract: An embodiment includes at least one machine readable medium on which is stored code that, when executed enables a system to initialize a trusted loader enclave (TL) and a measurement and storage manager enclave (MSM) within a memory of the system, to receive by the MSM a TL measurement of the TL from a trusted processor of the system, to determine whether to establish a secure channel between the MSM and the TL based at least in part on the TL measurement, and responsive to a determination to establish the secure channel, to establish the secure channel and store particular code in the TL. Additional embodiments are described and claimed.Type: ApplicationFiled: March 27, 2015Publication date: September 29, 2016Inventors: Micah J. Sheller, Bin Xing, Vincent R. Scarlata
-
Patent number: 9448950Abstract: Systems and methods for secure delivery of output surface bitmaps to a display engine. An example processing system comprises: an architecturally protected memory; and a plurality of processing devices communicatively coupled to the architecturally protected memory, each processing device comprising a first processing logic to implement an architecturally-protected execution environment by performing at least one of: executing instructions residing in the architecturally protected memory, or preventing an unauthorized access to the architecturally protected memory; wherein each processing device further comprises a second processing logic to establish a secure communication channel with a second processing device of the processing system, employ the secure communication channel to synchronize a platform identity key representing the processing system, and transmit a platform manifest comprising the platform identity key to a certification system.Type: GrantFiled: December 24, 2013Date of Patent: September 20, 2016Assignee: Intel CorporationInventors: Vincent R. Scarlata, Simon P. Johnson, Vladimir Beker, Jesse Walker, Carlos V. Rozas, Amy L. Santoni, Ittai Anati, Raghunandan Makaram, Francis X. McKeen, Uday R. Savagaonkar
-
Patent number: 9430384Abstract: Instructions and logic provide advanced paging capabilities for secure enclave page caches. Embodiments include multiple hardware threads or processing cores, a cache to store secure data for a shared page address allocated to a secure enclave accessible by the hardware threads. A decode stage decodes a first instruction specifying said shared page address as an operand, and execution units mark an entry corresponding to an enclave page cache mapping for the shared page address to block creation of a new translation for either of said first or second hardware threads to access the shared page. A second instruction is decoded for execution, the second instruction specifying said secure enclave as an operand, and execution units record hardware threads currently accessing secure data in the enclave page cache corresponding to the secure enclave, and decrement the recorded number of hardware threads when any of the hardware threads exits the secure enclave.Type: GrantFiled: March 31, 2013Date of Patent: August 30, 2016Assignee: Intel CorporationInventors: Carlos V Rozas, Ilya Alexandrovich, Ittai Anati, Alex Berenzon, Michael A Goldsmith, Barry E Huntley, Anton Ivanov, Simon P Johnson, Rebekah M. Leslie-Hurd, Francis X. McKeen, Gilbert Neiger, Rinat Rappoport, Scott Dion Rodgers, Uday R. Savagaonkar, Vincent R. Scarlata, Vedvyas Shanbhogue, Wesley H Smith, William Colin Wood
-
Publication number: 20160203340Abstract: An apparatus and method for securely suspending and resuming the state of a processor. For example, one embodiment of a method comprises: generating a data structure including at least the monotonic counter value; generating a message authentication code (MAC) over the data structure using a first key; securely providing the data structure and the MAC to a module executed on the processor; the module verifying the MAC, comparing the monotonic counter value with a counter value stored during a previous suspend operation and, if the counter values match, then loading processor state required for the resume operation to complete. Another embodiment of a method comprises: generating a first key by a processor; securely sharing the first key with an off-processor component; and using the first key to generate a pairing ID usable to identify a pairing between the processor and the off-processor component.Type: ApplicationFiled: March 24, 2016Publication date: July 14, 2016Inventors: VINCENT R. SCARLATA, SIMON P. JOHNSON, CARLOS V. ROZAS, FRANCIS X. MCKEEN, ITTAI ANATII, ILYA ALEXANDROVICH, REBEKAH M. LESLIE-HURD
-
Publication number: 20160202976Abstract: Embodiments of an invention for memory management in secure enclaves are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive a first instruction and a second instruction. The execution unit is to execute the first instruction, wherein execution of the first instruction includes allocating a page in an enclave page cache to a secure enclave. The execution unit is also to execute the second instruction, wherein execution of the second instruction includes confirming the allocation of the page.Type: ApplicationFiled: March 18, 2016Publication date: July 14, 2016Applicant: Intel CorporationInventors: Rebekah Leslie-Hurd, Carlos V. Rozas, Vincent R. Scarlata, Simon P. Johnson, Uday R. Savagaonkar, Barry E. Huntley, Vedvyas Shanbhogue, Ittai Anati, Francis X. Mckeen, Michael A. Goldsmith, Ilya Alexandrovich, Alex Berenzon, Wesley H. Smith, Gilbert Neiger
-
Publication number: 20160134627Abstract: The present application is directed to establishing ownership of a secure workspace (SW). A client device may provide a SW data structure (SWDS) to a SW configurator. A SWDS may comprise a hash of an original SW and a public key, and may be signed by a private key corresponding to the public key. The SW configurator may cause an execution container (EC) to be generated including a SW initiated using the SWDS. The client device may claim SW ownership using a request (signed by the private key) transmitted along with a copy of the public key. SW ownership may be determined by an ownership determination module that verifies the signature of the request using the public key received with the request, determines a hash of the received public key and compares the hash of the received public key to a hash of the public key in the SWDS.Type: ApplicationFiled: November 6, 2014Publication date: May 12, 2016Applicant: Intel CorporationInventors: SIMON P. JOHNSON, ASHER M. ALTMAN, ABHISHEK DAS, VINCENT R. SCARLATA
-
Patent number: 9323686Abstract: Embodiments of an invention for paging in secure enclaves are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive a first instruction. The execution unit is to execute the first instruction, wherein execution of the first instruction includes evicting a first page from an enclave page cache.Type: GrantFiled: December 28, 2012Date of Patent: April 26, 2016Assignee: Intel CorporationInventors: Francis X. Mckeen, Michael A. Goldsmith, Barry E. Huntley, Simon P. Johnson, Rebekah Leslie, Carlos V. Rozas, Uday R. Savagaonkar, Vincent R. Scarlata, Vedvyas Shanbhogue, Wesley H. Smith, Ittai Anati, Ilya Alexandrovich, Alex Berenzon, Gilbert Neiger
-
Patent number: 9311507Abstract: A virtual security coprocessor is created in a first processing system. The virtual security coprocessor is then transferred to a second processing system, for use by the second processing system. For instance, the second processing system may use the virtual security coprocessor to provide attestation for the second processing system. In an alternative embodiment, a virtual security coprocessor from a first processing system is received at a second processing system. After receiving the virtual security coprocessor from the first processing system, the second processing system uses the virtual security coprocessor. Other embodiments are described and claimed.Type: GrantFiled: March 27, 2015Date of Patent: April 12, 2016Assignee: Intel CorporationInventor: Vincent R. Scarlata
-
Patent number: 9298948Abstract: A virtual security coprocessor is created in a first processing system. The virtual security coprocessor is then transferred to a second processing system, for use by the second processing system. For instance, the second processing system may use the virtual security coprocessor to provide attestation for the second processing system. In an alternative embodiment, a virtual security coprocessor from a first processing system is received at a second processing system. After receiving the virtual security coprocessor from the first processing system, the second processing system uses the virtual security coprocessor. Other embodiments are described and claimed.Type: GrantFiled: January 20, 2015Date of Patent: March 29, 2016Assignee: Intel CorporationInventor: Vincent R. Scarlata
-
Patent number: 9280659Abstract: A data processing system supports remeasurement of a virtual machine monitor (VMM). In one example process, the VMM may obtain a secret value from a trusted platform module (TPM) of the processing system. The VMM may provide the secret value from the VMM to a measurement agent executing in system management mode (SMM) of the processing system. The measurement agent may be a system management interrupt (SMI) transfer monitor (STM) that can create virtual machines to execute in SMM, for example. However, the VMM may verify the measurement agent before providing the secret value to the measurement agent. The measurement agent may generate a remeasurement value for the VMM, use the secret value that was obtained from the TPM to certify the remeasurement value, and communicate the remeasurement value to a requesting program, via the VMM. Other embodiments are described and claimed.Type: GrantFiled: December 29, 2006Date of Patent: March 8, 2016Assignee: Intel CorporationInventors: Carlos V. Rozas, Vincent R. Scarlata
-
Patent number: 9276750Abstract: Embodiments of an invention for secure processing environment measurement and attestation are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive a first instruction associated with a build or a rebuild of a secure enclave. The execution unit is to execute the first instruction. Execution of the first instruction, when associated with the build, includes calculation of a first measurement and a second measurement of the secure enclave. Execution of the first instruction, when associated with the rebuild, includes calculation of the second measurement without calculation of the first measurement.Type: GrantFiled: July 23, 2013Date of Patent: March 1, 2016Assignee: Intel CorporationInventors: Vincent R. Scarlata, Carlos Rozas, Simon Johnson, Uday Savagaonkar, Rebekah Leslie-Hurd, Barry Huntley, Vedvyas Shanbhogue, Ittai Anati, Francis McKeen, Michael Goldsmith, William Wood, Shay Gueron
-
Publication number: 20160042184Abstract: Embodiments of an invention for logging in secure enclaves are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction having an associated enclave page cache address. The execution unit is to execute the instruction without causing a virtual machine exit, wherein execution of the instruction includes logging the instruction and the associated enclave page cache address.Type: ApplicationFiled: October 21, 2015Publication date: February 11, 2016Applicant: Intel CorporationInventors: Francis X. Mckeen, Michael A. Goldsmith, Barrey E. Huntley, Simon P. Johnson, Rebekah M. Leslie-Hurd, Carlos V. Rozas, Uday R. Savagaonkar, Vincent R. Scarlata, Vedvyas Shanbhogue, Wesley H. Smith, Gilbert Neiger
-
Patent number: 9189411Abstract: Embodiments of an invention for logging in secure enclaves are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction having an associated enclave page cache address. The execution unit is to execute the instruction without causing a virtual machine exit, wherein execution of the instruction includes logging the instruction and the associated enclave page cache address.Type: GrantFiled: December 28, 2012Date of Patent: November 17, 2015Assignee: Intel CorporationInventors: Francis X. Mckeen, Michael A. Goldsmith, Barrey E. Huntley, Simon P. Johnson, Rebekah Leslie, Carlos V. Rozas, Uday R. Savagaonkar, Vincent R. Scarlata, Vedvyas Shanbhogue, Wesley H. Smith
-
Publication number: 20150261977Abstract: A virtual security coprocessor is created in a first processing system. The virtual security coprocessor is then transferred to a second processing system, for use by the second processing system. For instance, the second processing system may use the virtual security coprocessor to provide attestation for the second processing system. In an alternative embodiment, a virtual security coprocessor from a first processing system is received at a second processing system. After receiving the virtual security coprocessor from the first processing system, the second processing system uses the virtual security coprocessor. Other embodiments are described and claimed.Type: ApplicationFiled: May 28, 2015Publication date: September 17, 2015Inventor: Vincent R. Scarlata