Abstract: Various embodiments are generally directed to an apparatus, method, and other techniques to provide direct-memory access, memory-mapped input-output, and/or other memory transactions between devices designated for use by an enclave and the enclave itself. A secure device address map may be configured to map addresses for the enslave device and the enclave, and a register filter component may grant access to the enclave device to the enclave.

Abstract: Technologies for secure device configuration and management include a computing device having an I/O device. A trusted agent of the computing device is trusted by a virtual machine monitor of the computing device. The trusted agent securely commands the I/O device to enter a trusted I/O mode, securely commands the I/O device to set a global lock on configuration registers, receives configuration data from the I/O device, and provides the configuration data to a trusted execution environment. In the trusted I/O mode, the I/O device rejects a configuration command if a configuration register associated with the configuration command is locked and the configuration command is not received from the trusted agent. The trusted agent may provide attestation information to the trusted execution environment. The trusted execution environment may verify the configuration data and the attestation information. Other embodiments are described and claimed.

Abstract: Generally, this disclosure provides systems, devices, methods and computer readable media for virtualization-based intra-block workload isolation. The system may include a virtual machine manager (VMM) module to create a secure virtualization environment or sandbox. The system may also include a processor block to load data into a first region of the sandbox and to generate a workload package based on the data. The workload package is stored in a second region of the sandbox. The system may further include an operational block to fetch and execute instructions from the workload package.

Abstract: Technologies for secure I/O include a compute device, which further includes a processor, a memory, a trusted execution environment (TEE), one or more input/output (I/O) devices, and an I/O subsystem. The I/O subsystem includes a device memory access table (DMAT) programmed by the TEE to establish bindings between the TEE and one or more I/O devices that the TEE trusts and a memory ownership table (MOT) programmed by the TEE when a memory page is allocated to the TEE.

Abstract: Technologies for secure I/O data transfer with an accelerator device include a computing device having a processor and an accelerator. The processor establishes a trusted execution environment. The trusted execution environment may generate an authentication tag based on a memory-mapped I/O transaction, write the authentication tag to a register of the accelerator, and dispatch the transaction to the accelerator. The accelerator performs a cryptographic operation associated with the transaction, generates an authentication tag based on the transaction, and compares the generated authentication tag to the authentication tag received from the trusted execution environment. The accelerator device may initialize an authentication tag in response to a command from the trusted execution environment, transfer data between host memory and accelerator memory, perform a cryptographic operation in response to transferring the data, and update the authentication tag in response to transferrin the data.

Abstract: Technologies for secure authentication and programming of an accelerator device include a computing device having a processor and an accelerator. The processor establishes a trusted execution environment, which receives a unique device identifier from the accelerator, validates a device certificate for the device identifier, authenticates the accelerator in response to validating the accelerator, validates attestation information of the accelerator, and establishes a secure channel with the accelerator. The trusted execution environment may securely program a data key and a bitstream key to the accelerator, and may encrypt a bitstream image and securely program the bitstream image to the accelerator. The accelerator and a tenant may securely exchange data protected by the data key. The trusted execution environment may be a secure enclave, and the accelerator may be a field programmable gate array (FPGA). Other embodiments are described and claimed.

Abstract: Embodiments of an invention for an interface between a device and a secure processing environment are disclosed. In one embodiment, a system includes a processor, a device, and an interface plug-in. The processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to create a secure processing environment. The execution unit is to execute an application in the secure processing environment. The device is to execute a workload for the application. The interface plug-in is to provide an interface for the device to enter the secure processing environment to execute the workload.

Abstract: Techniques to enable scalable cryptographically protected memory using on-chip memory are described. In one embodiment, an apparatus may comprise a processor component implemented on a first integrated circuit, an on-chip memory component implemented on the first integrated circuit, the on-chip memory component to include a memory page handler to manage memory pages stored on the on-chip memory component, and a cryptographic engine to encrypt and decrypt memory pages for the memory page handler, and an off-chip memory component implemented on a second integrated circuit coupled to the first integrated circuit, the off-chip memory component to store encrypted memory pages evicted from the on-chip memory component. Other embodiments are described and claimed.

Abstract: Generally, this disclosure provides systems, devices, methods and computer readable media for virtualization-based intra-block workload isolation. The system may include a virtual machine manager (VMM) module to create a secure virtualization environment or sandbox. The system may also include a processor block to load data into a first region of the sandbox and to generate a workload package based on the data. The workload package is stored in a second region of the sandbox. The system may further include an operational block to fetch and execute instructions from the workload package.

Abstract: Embodiments of an invention for establishing secure channels between a protected execution environment and fixed-function endpoints are disclosed. In one embodiment, and system includes an architecturally protected memory, a processing core communicatively coupled to the architecturally protected memory, and a key distribution engine. The processing core is to implement an architecturally-protected execution environment by performing at least one of executing instructions residing in the architecturally protected memory and preventing an unauthorized access to the architecturally protected memory.

Abstract: Various embodiments are generally directed to an apparatus, method, and other techniques to provide direct-memory access, memory-mapped input-output, and/or other memory transactions between devices designated for use by an enclave and the enclave itself. A secure device address map may be configured to map addresses for the enslave device and the enclave, and a register filter component may grant access to the enclave device to the enclave.

Abstract: Techniques to enable scalable cryptographically protected memory using on-chip memory are described. In one embodiment, an apparatus may comprise a processor component implemented on a first integrated circuit, an on-chip memory component implemented on the first integrated circuit, the on-chip memory component to include a memory page handler to manage memory pages stored on the on-chip memory component, and a cryptographic engine to encrypt and decrypt memory pages for the memory page handler, and an off-chip memory component implemented on a second integrated circuit coupled to the first integrated circuit, the off-chip memory component to store encrypted memory pages evicted from the on-chip memory component. Other embodiments are described and claimed.

Abstract: Embodiments of an invention for establishing secure channels between a protected execution environment and fixed-function endpoints are disclosed. In one embodiment, and system includes an architecturally protected memory, a processing core communicatively coupled to the architecturally protected memory, and a key distribution engine. The processing core is to implement an architecturally-protected execution environment by performing at least one of executing instructions residing in the architecturally protected memory and preventing an unauthorized access to the architecturally protected memory.

Abstract: Systems and techniques for a System-on-a-Chip (SoC) security plugin are described herein. A component message may be received at an interconnect endpoint from an SoC component. The interconnect endpoint may pass the component message to a security component via a security interlink. The security component may secure the component message, using a cryptographic engine, to create a secured message. The secured message is delivered back to the interconnect endpoint via the security interlink and transmitted across the interconnect by the interconnect endpoint.

Abstract: Embodiments of an invention for an interface between a device and a secure processing environment are disclosed. In one embodiment, a system includes a processor, a device, and an interface plug-in. The processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to create a secure processing environment. The execution unit is to execute an application in the secure processing environment. The device is to execute a workload for the application. The interface plug-in is to provide an interface for the device to enter the secure processing environment to execute the workload.