Abstract: A mechanism is provided, in a data processing system, for accessing memory based on an effective address submitted by a process of a partition. The mechanism may translate the effective address into a virtual address using a segment look-aside buffer. The mechanism may further translate the virtual address into a partition real address using a page table. Moreover, the mechanism may translate the partition real address into a system real address using a logical partition real memory map for the partition. The system real address may then be used to access the memory.

Abstract: A bottle packaging for shipment includes a bottom tray, and a top tray made of molded pulp fiber, such as newspaper pulp, and a cardboard partition support structure disposed between the trays. Cavities formed in the bottom and top trays are arranged to engage both ends of a bottle and include crushable elements that can axially engage each bottle. The support partition may be made of corrugated cardboard material and be arranged such that the cardboard flutes provide support for loads imparted to the sides of the carton when the carton is laying on its side. The partition forms a void surrounding each bottle in the area of its labels. In this way, structural support and cushioning can be provided to the packaged bottles from all directions.

Abstract: Electronic devices and methods are disclosed to provide and to test a physically unclonable function (PUF) based on relative threshold voltages of one or more pairs of transistors. In a particular embodiment, an electronic device is operable to generate a response to a challenge. The electronic device includes a plurality of transistors, with each of the plurality of transistors having a threshold voltage substantially equal to an intended threshold voltage. The electronic device includes a challenge input configured to receive the challenge. The challenge input includes one or more bits that are used to individually select each of a pair of transistors of the plurality of transistors. The electronic device also includes a comparator to receive an output voltage from each of the pair of transistors and to generate a response indicating which of the pair of transistors has the higher output voltage.

Abstract: Methods and apparatus for reducing the impact of latency associated with decrypting encrypted data are provided. Rather than wait until an entire packet of encrypted data is validated (e.g., by checking for data transfer errors), the encrypted data may be pipelined to a decryption engine as it is received, thus allowing decryption to begin prior to validation. In some cases, the decryption engine may be notified of data transfer errors detected during the validation process, in order to prevent reporting false security violations.

Abstract: A mechanism is provided for performing secure recursive virtualization of a computer system. A portion of memory is allocated by a virtual machine monitor (VMM) or an operating system (OS) to a new domain. An initial program for the new domain is loaded into the portion of memory. Secure recursive virtualization firmware (SVF) in the data processing system is called to request that the new domain be generated. A determination is made as to whether the call is from a privileged domain or a non-privileged domain. Responsive to the request being from a privileged domain, all access to the new domain is removed from any other domain in the data processing system. Responsive to receiving an indication that the new domain has been generated, an execution of the initial program is scheduled.

Abstract: A computing environment maintains the confidentiality of data stored in system memory. The computing environment has an encryption circuit in communication with a CPU. The system memory is also in communication with the encryption circuit. An address bus having a plurality of address lines forms part of the system and a value of at least one of the address lines determines a key selected from a plurality of keys to use in the encryption circuit to encrypt data being transferred by the CPU to the memory.

Abstract: A circuit arrangement, method, and design structure for controlling access to master secret data disposed in at least a portion of at least one persistent region of an integrated circuit device is disclosed. The circuit arrangement includes a clock circuit responsive to an external clock signal, a security state machine configured to control a security state of the integrated circuit device, and a master secret circuit in communication with the security state machine and configured to control access to the master secret data. The security state machine and master secret circuit are isolated from the clock circuit, and the master secret circuit is responsive to the security state machine to selectively erase at least a portion of the master secret data. The master secret circuit may be configured to erase the portion of the master secret data in response to a null or triggered security state.

Abstract: A method and eFuse circuit for implementing enhanced security features using eFuses, such as disabling selected predefined test, debug, and mission security functions used in application-specific integrated circuits (ASICs), and a design structure on which the subject circuit resides are provided. The eFuse circuit includes a plurality of eFuses, a sense amplifier coupled to the plurality of eFuses, and a plurality of sense output latches coupled to the sense amplifier. The plurality of sense output latches is arranged to have a bias to power up to a known value. Control logic coupled to the plurality of sense output latches provides at least one predefined control signal responsive to the known value of the plurality of sense output latches, which enables a selected predefined security function. The plurality of eFuses is sensed and the ASIC is configured to a predefined state responsive to an applied POR/Sense control signal.

Abstract: A mechanism is provided, in a data processing system, for accessing memory based on an effective address submitted by a process of a partition. The mechanism may translate the effective address into a virtual address using a segment look-aside buffer. The mechanism may further translate the virtual address into a partition real address using a page table. Moreover, the mechanism may translate the partition real address into a system real address using a logical partition real memory map for the partition. The system real address may then be used to access the memory.

Abstract: A secure computer architecture is provided. With this architecture, data is received, in a component of an integrated circuit chip implementing the secure computer architecture, for transmission across a data communication link. The data is converted, by the component, to one or more first fixed length frames. The one or more first fixed length frames are then transmitted, by the component, on the data communication link in a continuous stream of frames. The continuous stream of frames includes one or more second fixed length frames generated when no data is available for inclusion in the frames of the continuous stream.

Abstract: A recursive logical partition real memory map mechanism is provided for use in address translation. The mechanism, which is provided in a data processing system, receives a first address based on an address submitted from a process of a currently active logical partition. The first address is translated into a second address using a recursive logical partition real memory (RLPRM) map data structure for the currently active logical partition. The memory is accessed using the second address. The RLPRM map data structure provides a plurality of translation table pointers, each translation table pointer pointing to a separate page table for a separate level of virtualization in the data processing system with the data processing system supporting multiple levels of virtualization.

Abstract: Hardware mechanisms are provided for performing hardware based access control of instructions to data. These hardware mechanisms associate an instruction access policy label with an instruction to be processed by a processor and associate an operand access policy label with data to be processed by the processor. The instruction access policy label is passed along with the instruction through one or more hardware functional units of the processor. The operand access policy label is passed along with the data through the one or more hardware functional units of the processor. One or more hardware implemented policy engines associated with the one or more hardware functional units of the processor are utilized to control access by the instruction to the data based on the instruction access policy label and the operand access policy label.

Abstract: Methods and apparatus that may be utilized to reduce latency associated with encryption based on externally stored security metadata are provided. When encrypted data is accessed for the first time, a cache line containing corresponding metadata used for decryption may be placed in an internal security metadata cache. If that data is accessed again, it may be retrieved without accessing external memory, thus reducing latency. Further, if adjacent data is accessed, the cached line may contain sufficient metadata to decrypt the adjacent data. As a result, a separate operation to access metadata for the adjacent data may be avoided, thus reducing latency.

Abstract: Methods and devices that may be utilized in systems to dynamically update a security version parameter used to encrypt secure data are provided. The version may be maintained in persistent storage located on a device implementing the encryption, such as a system on a chip (SOC). The persistent storage does not require battery backing and, thus, the cost and complexity associated with conventional systems utilizing battery backed storage may be reduced.

Abstract: Methods and devices that may be utilized in systems to dynamically update a security version parameter used to encrypt secure data are provided. The version may be maintained in persistent storage located on a device implementing the encryption, such as a system on a chip (SOC). The persistent storage does not require battery backing and, thus, the cost and complexity associated with conventional systems utilizing battery backed storage may be reduced.

Abstract: Methods and apparatus for reducing the impact of latency associated with decrypting encrypted data are provided. Rather than wait until an entire packet of encrypted data is validated (e.g., by checking for data transfer errors), the encrypted data may be pipelined to a decryption engine as it is received, thus allowing decryption to begin prior to validation. In some cases, the decryption engine may be notified of data transfer errors detected during the validation process, in order to prevent reporting false security violations.

Abstract: This invention relates to a method and apparatus for generating a cryptographic authentication code of a set of plaintext blocks, while allowing incremental updates to the set of plaintext blocks. Additionally, an aspect of the invention, allows the updated authentication code to be computed in a highly parallelizable manner. Another embodiment of the present invention defines a new class of authentication trees in which the updated authentication tree, although requiring log(n) block cryptographic operations, allows for the log(n) block cryptographic operations to be computed in parallel. Another embodiment of the present invention provides encryption and verification authentication tree schemes, as well as, an apparatus that generates, updates, and verifies such authentication trees. Another embodiment of the present invention provides authentication tree schemes in which the individual cryptographic operations are block cipher invocations as opposed to hash function invocations.

Abstract: A system and method for packaging consumer products that include a number of individual pieces is provided. A pulp insert tray that includes a number of form fitting receiving locations to receive the individual pieces of the set separates and protects the individual pieces from damage resulting from uncontained packaging. A retainer may be used in association with the insert tray to provide additional support of the individual pieces, and assist in the final assembly of the packaged set. The use of pulp as the insert tray material provides significant ecological benefit.

Abstract: Methods and apparatus for reducing the impact of latency associated with decrypting encrypted data are provided. Rather than wait until an entire packet of encrypted data is validated (e.g., by checking for data transfer errors), the encrypted data may be pipelined to a decryption engine as it is received, thus allowing decryption to begin prior to validation. In some cases, the decryption engine may be notified of data transfer errors detected during the validation process, in order to prevent reporting false security violations.

Abstract: Methods and devices that may be utilized in systems to dynamically update a security version parameter used to encrypt secure data are provided. The version may be maintained in persistent storage located on a device implementing the encryption, such as a system on a chip (SOC). The persistent storage does not require battery backing and, thus, the cost and complexity associated with conventional systems utilizing battery backed storage may be reduced.