Patents by Inventor Barry E. Huntley

Barry E. Huntley has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20220100871
    Abstract: Embodiments of apparatuses, methods, and systems for scalable multi-key memory encryption are disclosed. In an embodiment, an apparatus includes a core, an encryption unit, and key identification hardware. The core is to write data to and read data from memory regions, each to be identified by a corresponding address. The encryption unit to encrypt data to be written and decrypt data to be read. The key identification hardware is to use a portion of the corresponding address to look up a corresponding key identifier in a key information data structure. The corresponding key identifier is one multiple key identifiers. The corresponding key identifier is to identify which one of multiple encryption keys is to be used to encrypt and decrypt the data.
    Type: Application
    Filed: September 26, 2020
    Publication date: March 31, 2022
    Applicant: Intel Corporation
    Inventors: Barry E. Huntley, Hormuzd M. Khosravi, Thomas Toll, Ramya Jayaram Masti, Siddhartha Chhabra, Vincent Von Bokern
  • Publication number: 20220091995
    Abstract: An apparatus and method for managing different page tables for different privilege levels. For example, one embodiment of a processor comprises: a first control register to store a first base address associated with program code executed at a first privilege level; a second control register to store a second base address associated with program code executed at a second privilege level lower than the first privilege level; and address translation circuitry to identify a first base translation table using the first base address responsive to a first address translation request originating from the program code executed at the first privilege level and to identify a second base translation table using the second base address responsive to a second address translation request originating from the program code executed at the second privilege level.
    Type: Application
    Filed: October 11, 2021
    Publication date: March 24, 2022
    Inventors: Scott Dion RODGERS, Robert S. CHAPPELL, Barry E. HUNTLEY
  • Publication number: 20220083647
    Abstract: Technologies for memory management with memory protection extension include a computing device having a processor with one or more protection extensions. The processor may load a logical address including a segment base, effective limit, and effective address and generate a linear address as a function of the logical address with the effective limit as a mask. The processor may switch to a new task described by a task state segment extension. The task state extension may specify a low-latency segmentation mode. The processor may prohibit access to a descriptor in a local descriptor table with a descriptor privilege level lower than the current privilege level of the processor. The computing device may load a secure enclave using secure enclave support of the processor. The secure enclave may load an unsandbox and a sandboxed application in a user privilege level of the processor. Other embodiments are described and claimed.
    Type: Application
    Filed: November 29, 2021
    Publication date: March 17, 2022
    Applicant: Intel Corporation
    Inventors: Michael LeMay, Barry E. Huntley, Ravi Sahita
  • Publication number: 20220083649
    Abstract: Technologies for memory management with memory protection extension include a computing device having a processor with one or more protection extensions. The processor may load a logical address including a segment base, effective limit, and effective address and generate a linear address as a function of the logical address with the effective limit as a mask. The processor may switch to a new task described by a task state segment extension. The task state extension may specify a low-latency segmentation mode. The processor may prohibit access to a descriptor in a local descriptor table with a descriptor privilege level lower than the current privilege level of the processor. The computing device may load a secure enclave using secure enclave support of the processor. The secure enclave may load an unsandbox and a sandboxed application in a user privilege level of the processor. Other embodiments are described and claimed.
    Type: Application
    Filed: November 29, 2021
    Publication date: March 17, 2022
    Applicant: Intel Corporation
    Inventors: Michael LeMay, Barry E. Huntley, Ravi Sahita
  • Publication number: 20220083648
    Abstract: Technologies for memory management with memory protection extension include a computing device having a processor with one or more protection extensions. The processor may load a logical address including a segment base, effective limit, and effective address and generate a linear address as a function of the logical address with the effective limit as a mask. The processor may switch to a new task described by a task state segment extension. The task state extension may specify a low-latency segmentation mode. The processor may prohibit access to a descriptor in a local descriptor table with a descriptor privilege level lower than the current privilege level of the processor. The computing device may load a secure enclave using secure enclave support of the processor. The secure enclave may load an unsandbox and a sandboxed application in a user privilege level of the processor. Other embodiments are described and claimed.
    Type: Application
    Filed: November 29, 2021
    Publication date: March 17, 2022
    Applicant: Intel Corporation
    Inventors: Michael LeMay, Barry E. Huntley, Ravi Sahita
  • Publication number: 20220043757
    Abstract: In one embodiment, an apparatus comprises a processor to read a data line from memory in response to a read request from a VM. The data line comprises encrypted memory data. The apparatus also comprises a memory encryption circuit in the processor. The memory encryption circuit is to use an address of the read request to select an entry from a P2K table; obtain a key identifier from the selected entry of the P2K table; use the key identifier to select a key for the read request; and use the selected key to decrypt the encrypted memory data into decrypted memory data. The processor is further to make the decrypted memory data available to the VM. The P2K table comprises multiple entries, each comprising (a) a key identifier for a page of memory and (b) an encrypted address for that page of memory. Other embodiments are described and claimed.
    Type: Application
    Filed: October 12, 2021
    Publication date: February 10, 2022
    Inventors: David M. Durham, Siddhartha Chhabra, Amy L. Santoni, Gilbert Neiger, Barry E. Huntley, Hormuzd M. Khosravi, Baiju V. Patel, Ravi L. Sahita, Gideon Gerzon, Ido Ouziel, Ioannis T. Schoinas, Rajesh M. Sankaran
  • Publication number: 20220027287
    Abstract: This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.
    Type: Application
    Filed: October 7, 2021
    Publication date: January 27, 2022
    Applicant: Intel Corporation
    Inventors: Ravi L. SAHITA, Gilbert NEIGER, Vedvyas SHANBHOGUE, David M. DURHAM, Andrew V. ANDERSON, David A. KOUFATY, Asit K. MALLICK, Arumugam THIYAGARAJAH, Barry E. HUNTLEY, Deepak K. GUPTA, Michael LEMAY, Joseph F. CIHULA, Baiju V. PATEL
  • Publication number: 20220019698
    Abstract: According to one embodiment, a method comprises executing an untrusted host virtual machine monitor (VMM) to manage execution of at least one guest virtual machine (VM). The VMM receives an encrypted key domain key, an encrypted guest code image, and an encrypted guest control structure. The VM also issues a create command. In response, a processor creates a first key domain comprising a region of memory to be encrypted by a key domain key. The encrypted key domain key is decrypted to produce the key domain key, which is inaccessible to the VMM. The VMM issues a launch command. In response, a first guest VM is launched within the first key domain. In response to a second launch command, a second guest VM is launched within the first key domain. The second guest VM provides an agent to act on behalf of the VMM. Other embodiments are described and claimed.
    Type: Application
    Filed: September 29, 2021
    Publication date: January 20, 2022
    Inventors: David M. Durham, Gilbert Neiger, Barry E. Huntley, Ravi L. Sahita, Baiju V. Patel
  • Publication number: 20210406019
    Abstract: Systems, methods, and apparatuses relating to an instruction for operating system transparent instruction state management of new instructions for application threads are described. In one embodiment, a hardware processor includes a decoder to decode a single instruction into a decoded single instruction, and an execution circuit to execute the decoded single instruction to cause a context switch from a current state to a state comprising additional state data that is not supported by an execution environment of an operating system that executes on the hardware processor.
    Type: Application
    Filed: June 27, 2020
    Publication date: December 30, 2021
    Inventors: TOBY OPFERMAN, PRASHANT SETHI, ABHIMANYU K. VARDE, BARRY E. HUNTLEY, MICHAEL W. Chynoweth, JASON W. BRANDT
  • Publication number: 20210399882
    Abstract: A processor includes a processor core. A register of the core is to store: a bit range for a number of address bits of physical memory addresses used for key identifiers (IDs), and a first key ID to identify a boundary between non-restricted key IDs and restricted key IDs of the key identifiers. A memory controller is to: determine, via access to bit range and the first key ID in the register, a key ID range of the restricted key IDs within the physical memory addresses; access a processor state that a first logical processor of the processor core executes in an untrusted domain mode; receive a memory transaction, from the first logical processor, including an address associated with a second key ID; and generate a fault in response to a determination that the second key ID is within a key ID range of the restricted key IDs.
    Type: Application
    Filed: September 2, 2021
    Publication date: December 23, 2021
    Inventors: Ido OUZIEL, Arie AHARON, Dror CASPI, Baruch CHAIKIN, Jacob DOWECK, Gideon GERZON, Barry E. HUNTLEY, Francis X. MCKEEN, Gilbert NEIGER, Carlos V. ROZAS, Ravi L. SAHITA, Vedvyas SHANBHOGUE, Assaf ZALTSMAN
  • Patent number: 11199980
    Abstract: Various embodiments are generally directed to an apparatus, method and other techniques for determining a region of the memory for which to store information, inserting the information into the region of the memory, and applying one or more characteristics to the region of the memory via an instruction set architecture (ISA) operation, the one or more characteristics comprising an immutable characteristic to prevent modification of the information in the region of the memory.
    Type: Grant
    Filed: August 6, 2018
    Date of Patent: December 14, 2021
    Assignee: INTEL CORPORATION
    Inventors: Kirk D. Brannock, Barry E. Huntley
  • Publication number: 20210382987
    Abstract: A processor implementing techniques for processor extensions to protect stacks during ring transitions is provided. In one embodiment, the processor includes a plurality of registers and a processor core, operatively coupled to the plurality of registers. The plurality of registers is used to store data used in privilege level transitions. Each register of the plurality of registers is associated with a privilege level. An indicator to change a first privilege level of a currently active application to a second privilege level is received. In view of the second privilege level, a shadow stack pointer (SSP) stored in a register of the plurality of registers is selected. The register is associated with the second privilege level. By using the SSP, a shadow stack for use by the processor at the second privilege level is identified.
    Type: Application
    Filed: August 19, 2021
    Publication date: December 9, 2021
    Inventors: Vedvyas Shanbhogue, Jason W. Brandt, Ravi L. Sahita, Barry E. Huntley, Baiju V. Patel, Deepak K. Gupta
  • Publication number: 20210373933
    Abstract: Implementations describe a computing system that implements a plurality of virtual machines inside a trust domain (TD), enabled via a secure arbitration mode (SEAM) of the processor. A processor includes one or more registers to store a SEAM range of memory, a TD key identifier of a TD private encryption key. The processor is capable of initializing a trust domain resource manager (TDRM) to manage the TD, and a virtual machine monitor within the TD to manage the plurality of virtual machines therein. The processor is further capable of exclusively associating a plurality of memory pages with the TD, wherein the plurality of memory pages associated with the TD is encrypted with a TD private encryption key inaccessible to the TDRM. The processor is further capable of using the SEAM range of memory, inaccessible to the TDRM, to provide isolation between the TDRM and the plurality of virtual machines.
    Type: Application
    Filed: August 17, 2021
    Publication date: December 2, 2021
    Applicant: Intel Corporation
    Inventors: Ravi L. Sahita, Tin-Cheung Kung, Vedvyas Shanbhogue, Barry E. Huntley, Arie Aharon
  • Publication number: 20210357213
    Abstract: Methods and apparatuses relating to switching of a shadow stack pointer are described. In one embodiment, a hardware processor includes a hardware decode unit to decode an instruction, and a hardware execution unit to execute the instruction to: pop a token for a thread from a shadow stack, wherein the token includes a shadow stack pointer for the thread with at least one least significant bit (LSB) of the shadow stack pointer overwritten with a bit value of an operating mode of the hardware processor for the thread, remove the bit value in the at least one LSB from the token to generate the shadow stack pointer, and set a current shadow stack pointer to the shadow stack pointer from the token when the operating mode from the token matches a current operating mode of the hardware processor.
    Type: Application
    Filed: June 7, 2021
    Publication date: November 18, 2021
    Inventors: Vedvyas Shanbhogue, Jason W. Brandt, Ravi L. Sahita, Barry E. Huntley, Baiju V. Patel, Deepak K. Gupta
  • Patent number: 11176059
    Abstract: In one embodiment, an apparatus comprises a processor to read a data line from memory in response to a read request from a VM. The data line comprises encrypted memory data. The apparatus also comprises a memory encryption circuit in the processor. The memory encryption circuit is to use an address of the read request to select an entry from a P2K table; obtain a key identifier from the selected entry of the P2K table; use the key identifier to select a key for the read request; and use the selected key to decrypt the encrypted memory data into decrypted memory data. The processor is further to make the decrypted memory data available to the VM. The P2K table comprises multiple entries, each comprising (a) a key identifier for a page of memory and (b) an encrypted address for that page of memory. Other embodiments are described and claimed.
    Type: Grant
    Filed: March 27, 2020
    Date of Patent: November 16, 2021
    Assignee: Intel Corporation
    Inventors: David M. Durham, Siddhartha Chhabra, Amy L. Santoni, Gilbert Neiger, Barry E. Huntley, Hormuzd M. Khosravi, Baiju V. Patel, Ravi L. Sahita, Gideon Gerzon, Ido Ouziel, Ioannis T. Schoinas, Rajesh M. Sankaran
  • Patent number: 11176243
    Abstract: A processor implementing techniques for processor extensions to protect stacks during ring transitions is provided. In one embodiment, the processor includes a plurality of registers and a processor core, operatively coupled to the plurality of registers. The plurality of registers is used to store data used in privilege level transitions. Each register of the plurality of registers is associated with a privilege level. An indicator to change a first privilege level of a currently active application to a second privilege level is received. In view of the second privilege level, a shadow stack pointer (SSP) stored in a register of the plurality of registers is selected. The register is associated with the second privilege level. By using the SSP, a shadow stack for use by the processor at the second privilege level is identified.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: November 16, 2021
    Assignee: Intel Corporation
    Inventors: Vedvyas Shanbhogue, Jason W. Brandt, Ravi L. Sahita, Barry E. Huntley, Baiju V. Patel, Deepak K. Gupta
  • Patent number: 11163911
    Abstract: According to one embodiment, a method comprises executing an untrusted host virtual machine monitor (VMM) to manage execution of at least one guest virtual machine (VM). The VMM receives an encrypted key domain key, an encrypted guest code image, and an encrypted guest control structure. The VM also issues a create command. In response, a processor creates a first key domain comprising a region of memory to be encrypted by a key domain key. The encrypted key domain key is decrypted to produce the key domain key, which is inaccessible to the VMM. The VMM issues a launch command. In response, a first guest VM is launched within the first key domain. In response to a second launch command, a second guest VM is launched within the first key domain. The second guest VM provides an agent to act on behalf of the VMM. Other embodiments are described and claimed.
    Type: Grant
    Filed: February 18, 2020
    Date of Patent: November 2, 2021
    Assignee: Intel Corporation
    Inventors: David M. Durham, Gilbert Neiger, Barry E. Huntley, Ravi L. Sahita, Baiju V. Patel
  • Patent number: 11144479
    Abstract: This disclosure is directed to a system for address mapping and translation protection. In one embodiment, processing circuitry may include a virtual machine manager (VMM) to control specific guest linear address (GLA) translations. Control may be implemented in a performance sensitive and secure manner, and may be capable of improving performance for critical linear address page walks over legacy operation by removing some or all of the cost of page walking extended page tables (EPTs) for critical mappings. Alone or in combination with the above, certain portions of a page table structure may be selectively made immutable by a VMM or early boot process using a sub-page policy (SPP). For example, SPP may enable non-volatile kernel and/or user space code and data virtual-to-physical memory mappings to be made immutable (e.g., non-writable) while allowing for modifications to non-protected portions of the OS paging structures and particularly the user space.
    Type: Grant
    Filed: November 18, 2019
    Date of Patent: October 12, 2021
    Assignee: Intel Corporation
    Inventors: Ravi L. Sahita, Gilbert Neiger, Vedvyas Shanbhogue, David M. Durham, Andrew V. Anderson, David A. Koufaty, Asit K. Mallick, Arumugam Thiyagarajah, Barry E. Huntley, Deepak K. Gupta, Michael Lemay, Joseph F. Cihula, Baiju V. Patel
  • Patent number: 11144472
    Abstract: An apparatus and method for managing different page tables for different privilege levels. For example, one embodiment of a processor comprises: a first control register to store a first base address associated with program code executed at a first privilege level; a second control register to store a second base address associated with program code executed at a second privilege level lower than the first privilege level; and address translation circuitry to identify a first base translation table using the first base address responsive to a first address translation request originating from the program code executed at the first privilege level and to identify a second base translation table using the second base address responsive to a second address translation request originating from the program code executed at the second privilege level.
    Type: Grant
    Filed: March 27, 2019
    Date of Patent: October 12, 2021
    Assignee: INTEL CORPORATION
    Inventors: Scott Dion Rodgers, Robert S. Chappell, Barry E. Huntley
  • Publication number: 20210312038
    Abstract: Technologies for memory management with memory protection extension include a computing device having a processor with one or more protection extensions. The processor may load a logical address including a segment base, effective limit, and effective address and generate a linear address as a function of the logical address with the effective limit as a mask. The processor may switch to a new task described by a task state segment extension. The task state extension may specify a low-latency segmentation mode. The processor may prohibit access to a descriptor in a local descriptor table with a descriptor privilege level lower than the current privilege level of the processor. The computing device may load a secure enclave using secure enclave support of the processor. The secure enclave may load an unsandbox and a sandboxed application in a user privilege level of the processor. Other embodiments are described and claimed.
    Type: Application
    Filed: June 14, 2021
    Publication date: October 7, 2021
    Applicant: Intel Corporation
    Inventors: Michael LeMay, Barry E. Huntley, Ravi Sahita