Abstract: A coherent connection and a non-coherent connection are provided between system-on-chips (SoCs). The coherent connection can be coupled to coherent interconnects on the SoCs, and the non-coherent connection can be coupled to non-coherent interconnects on the SoCs. An input/output (I/O) transaction from an I/O device on a first SoC that is targeted to a second SoC can be transmitted via the non-coherent connection, and a processor transaction from the first SoC that is targeted to the second SoC can be transmitted via the coherent connection.

Abstract: Approaches in accordance with various embodiments can be used to provide bootstrap data for a computing device, such as a system on chip (SoC). In particular, various embodiments can use one or more shift registers to receive bits of a sequence of bootstrap data in parallel. Individual bits of this bootstrap data sequence can then be provided to the SoC, from the shift register(s), serially and using a single input. Such an approach prevents the need for multiple bootstrap pins on the SoC, as well as the need to multiplex those pins for use with other external devices.

Abstract: A modified measured boot approach is utilized for establishing a secure communication link between two devices. Each device may execute a respective boot process until the device reaches the stage responsible for establishing the communication link with the other device. Each device may exchange its respective self-signed certificate and extend its certificate chain with the self-signed certificate received from the other device. Each device can then generate a new pair of keys based on its extended certificate chain that includes the identity of the other device, and exchange the public key of the new key pair with the other device. A secure link can be established using the public key of the other device as a based key for a key exchange protocol. A central management entity can attest the measurements of the boot stages for each device using the corresponding public key.

Abstract: A system-on-chip (SoC) can include a processor, a network controller configured to provide a network interface, and a memory controller configured to perform memory scrubbing. A memory patrol driver executing on the processor can initiate direct memory access (DMA) transfers to read successive portions of the memory by configuring corresponding DMA descriptors at a certain time interval. The network controller can perform each DMA transfer to read a corresponding portion of the memory, which can cause the memory controller to scrub the corresponding portion of the memory. The scrubbed data is sent to the network controller, which is discarded by the network controller.

Abstract: Multiple independent endpoint devices can be emulated using a single system on chip (SoC) device. Such a SoC can have multiple cores that can emulate ports according to a specified protocol, such as the peripheral component interconnect express (PCIe) protocol useful for data communications. An emulation agent can manage various aspects of these emulated endpoint devices in software, including serving interrupts for relevant emulated devices according to a determined priority scheme. Interrupts can be registered for each device, and data structures allocated dynamically for a determined number and type(s) of PCIe endpoint devices to be emulated. Each PCIe core on the SoC can function as a separate PCIe endpoint device endpoint for communicating with one or more hosts or other such devices.

Abstract: Multiple independent endpoint devices can be emulated using a single system on chip (SoC) device. Such a SoC can have multiple cores that can emulate ports according to a specified protocol, such as the peripheral component interconnect express (PCIe) protocol useful for data communications. An emulation agent can manage various aspects of these emulated endpoint devices in software, including serving interrupts for relevant emulated devices according to a determined priority scheme. Interrupts can be registered for each device, and data structures allocated dynamically for a determined number and type(s) of PCIe endpoint devices to be emulated. Each PCIe core on the SoC can function as a separate PCIe endpoint device endpoint for communicating with one or more hosts or other such devices.

Abstract: Execution flows of a program can be characterized by a series of execution events. The rates at which these execution events occur for a particular program can be collected periodically, and the execution events statistics can be utilized for both training a machine learning model, and later on for making classification inferences to determine whether a program run contains any abnormality. When an abnormality is encountered, an alert can be generated and provided to supervisory logic of a computing system to indicate that an abnormal program flow has been detected.

Abstract: A one-time programmable (OTP) memory can be programmed over a number of programming sessions in which each programming session writes a different portion of the memory. To provide the OTP memory with data integrity check capability, the OTP memory stores multiple error detection code entries. With each programming session, a new error detection code is stored in a previously unused entry. When the OTP memory is read, the error detection code corresponding to the latest programming session is used to verify the content of the OTP memory.

Abstract: A multi-phase boot operation of a virtualization manager at a virtualization host is initiated at an offload card. In a first phase of the boot, a security key stored in a tamper-resistant location of the offload card is used. In a second phase, firmware programs are measured using a security module, and a first version of a virtualization coordinator is instantiated at the offload card. The first version of the virtualization coordinator obtains a different version of the virtualization coordinator and launches the different version at the offload card. Other components of the virtualization manager (such as various hypervisor components that do not run at the offload card) are launched by the different version of the virtualization controller.

Abstract: Disclosed herein are techniques for enabling device communication in a secure environment. In one example, a system comprises a storage in a server, a first component in the server, the first component being isolated in a secure environment in the server, and an entry point device authorized to access the first component via the secure environment. The entry point device may receive a request to access the first component. The entry point device may store a notification in a region of the storage accessible by the first component, wherein the notification is to be read by the first component from the storage to set the first component to an operation mode. The entry point device may store operation data in the storage, wherein the operation data is to be acquired by the first component from the storage to control an operation of the first component in the operation mode.

Abstract: Disclosed is a network device, comprising a first network interface port, a second network interface port, and a processor coupled to the first network interface port and the second network interface port. The processor can be configured to operate in a first switching mode to receive network control packets via the first network interface port and transmit the received network control packets via the second network interface port. The processor can also be configured operate in a second communications mode to receive and transmit network communication packets using the first network interface independently of the operation in the first switching mode.

Abstract: Configuration snapshots can be obtained from various connected devices, such as network interface cards or hardware offload devices, to determine whether the configuration matches expected values. If discrepancies are determined then the appropriate values can be automatically applied to those devices. For each type and version of device, there can be a set of expected configuration values, or a golden model of configuration, that is determined and stored. The models can also be used to test updated configuration values, as the new values can be pushed to a subset of devices and the impact on performance determined. If acceptable performance improvement is detected, or another such target achieved, then the golden model can be updated with the new values and those values can be pushed out to the remainder of the devices.

Abstract: A multi-phase boot operation of a virtualization manager at a virtualization host is initiated at an offload card. In a first phase of the boot, a security key stored in a tamper-resistant location of the offload card is used. In a second phase, firmware programs are measured using a security module, and a first version of a virtualization coordinator is instantiated at the offload card. The first version of the virtualization coordinator obtains a different version of the virtualization coordinator and launches the different version at the offload card. Other components of the virtualization manager (such as various hypervisor components that do not run at the offload card) are launched by the different version of the virtualization controller.

Abstract: A multi-phase boot operation of a virtualization manager at a virtualization host is initiated at an offload card. In a first phase of the boot, a security key stored in a tamper-resistant location of the offload card is used. In a second phase, firmware programs are measured using a security module, and a first version of a virtualization coordinator is instantiated at the offload card. The first version of the virtualization coordinator obtains a different version of the virtualization coordinator and launches the different version at the offload card. Other components of the virtualization manager (such as various hypervisor components that do not run at the offload card) are launched by the different version of the virtualization controller.

Abstract: An electronic system includes a secret value (e.g., an encryption key) which is used for its intended purpose after which the address translations in the system's memory management unit are modified to prevent further access to the secret value. The address translation modifications also include modification of a translation for the memory management unit itself thereby preventing further modification of the address translations. The secret value cannot again be accessed until the system is reinitialized, but the address translations are modified during each system initialization so that the secret value is only usable for its intended purpose during the initialization process. In other implementations, the system modifies mappings between physical addresses and hardware components to preclude further access to the secret value.

Abstract: Techniques for updating code of a device may be described. In an example, bus may connect the device to a management entity. The device may run a first version of the code. A second version of the code may be available from memory. The device may access the second version from the memory, stop running the first version of the code, and start running the second version of the code without restarting the management entity or the device.

Abstract: An apparatus such as a system-on-a-chip includes memory that is distributed through one or more functional hardware circuits. Each functional hardware circuit includes memory, and each functional hardware circuit can be configured to have its memory used either by the respective functional hardware circuit or by the apparatus' master device (e.g., main processor). For those functional hardware circuits that are not needed for a given application, their memories can be repurposed for use by the master device. Related methods are also disclosed.

Abstract: In a system having a first clock domain with a first clock and a second clock domain with a second clock, the first and second clocks are monitored to determine whether one or both clocks are active. The first clock is selected to be an output clock if the first clock is active and the second clock is disabled irrespective of the clock selection signal. The second clock is selected to be the output clock if the second clock is active and the first clock is disabled irrespective of the clock selection signal. If both the first clock and the second clock are active, either the first clock or the second clock is selected according to a received clock selection signal.

Abstract: Disclosed is a network device, comprising a first network interface port, a second network interface port, and a processor coupled to the first network interface port and the second network interface port. The processor can be configured to operate in a first switching mode to receive network control packets via the first network interface port and transmit the received network control packets via the second network interface port. The processor can also be configured operate in a second communications mode to receive and transmit network communication packets using the first network interface independently of the operation in the first switching mode.

Abstract: Techniques for updating code of a device may be described. In an example, bus may connect the device to a management entity. The device may run a first version of the code. A second version of the code may be available from memory. The device may access the second version from the memory, stop running the first version of the code, and start running the second version of the code without restarting the management entity or the device.