Patents by Inventor Carlos Rozas

Carlos Rozas has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20150186659
    Abstract: Embodiments of an invention for modifying memory permissions in a secure processing environment are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to modify access permissions for a page in a secure enclave. The execution unit is to execute the instruction. Execution of the instruction includes setting new access permissions in an enclave page cache map entry. Furthermore, the page is immediately accessible from inside the secure enclave according to the new access permissions.
    Type: Application
    Filed: December 27, 2013
    Publication date: July 2, 2015
    Inventors: Rebekah Leslie-Hurd, Ilya Alexandrovich, Ittai Anati, Alex Berenzon, Michael Goldsmith, Simon Johnson, Francis McKeen, Carlos Rozas, Uday Savagaonkar, Vincent Scarlata, Vedvyas Shanbhogue, Wesley Smith
  • Publication number: 20150188710
    Abstract: Embodiments of an invention for offloading functionality from a secure processing environment are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to initialize a secure enclave. The execution unit is to execute the instruction. Execution of the instruction includes verifying that a signature structure key matches a hardware key that permits functionality to be offloaded.
    Type: Application
    Filed: December 28, 2013
    Publication date: July 2, 2015
    Inventors: Simon Johnson, Francis McKeen, Vincent Scarlata, Carlos Rozas, Uday Savagaonkar, Michael Goldsmith, Ernie Brickell
  • Publication number: 20150186272
    Abstract: Embodiments of an invention for sharing memory in a secure processing environment are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to match an offer to make a page in an enclave page cache shareable to a bid to make the page shareable. The execution unit is to execute the instruction. Execution of the instruction includes making the page shareable.
    Type: Application
    Filed: December 28, 2013
    Publication date: July 2, 2015
    Inventors: Michael Goldsmith, Carlos Rozas, Vincent Scarlata
  • Publication number: 20150033316
    Abstract: Embodiments of an invention for feature licensing in a secure processing environment are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to initialize a secure enclave. The execution unit is to execute the instruction. Execution of the instruction includes determining whether a requested feature is licensed for use in the secure enclave.
    Type: Application
    Filed: July 23, 2013
    Publication date: January 29, 2015
    Inventors: Vincent Scarlata, Carlos Rozas, Simon Johnson, Uday Savagaonkar, Ittai Anati, Francis McKeen, Michael Goldsmith
  • Publication number: 20150033012
    Abstract: Embodiments of an invention for secure processing environment measurement and attestation are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive a first instruction associated with a build or a rebuild of a secure enclave. The execution unit is to execute the first instruction. Execution of the first instruction, when associated with the build, includes calculation of a first measurement and a second measurement of the secure enclave. Execution of the first instruction, when associated with the rebuild, includes calculation of the second measurement without calculation of the first measurement.
    Type: Application
    Filed: July 23, 2013
    Publication date: January 29, 2015
    Inventors: Vincent R. Scarlata, Carlos Rozas, Simon Johnson, Uday Savagaonkar, Rebekah Leslie-Hurd, Barry Huntley, Vedvyas Shanbhogue, Ittai Anati, Francis McKeen, Michael Goldsmith, William Wood, Shay Gueron
  • Publication number: 20140283098
    Abstract: An apparatus for sharing information between entities includes a processor and a trusted execution module executing on the processor. The trusted execution module is configured to receive first confidential information from a first client device associated with a first entity, seal the first confidential information within a trusted execution environment, receive second confidential information from a second client device associated with a second entity, seal the second confidential information within the trusted execution environment, and execute code within the trusted execution environment. The code is configured to compute a confidential result based upon the first confidential information and the second confidential information.
    Type: Application
    Filed: March 15, 2013
    Publication date: September 18, 2014
    Inventors: Vinay Phegade, Anand Rajan, Simon Johnson, Vincent Scarlata, Carlos Rozas, Nikhil Deshpande
  • Publication number: 20140173275
    Abstract: Embodiments of an invention for securing transmissions between processor packages are disclosed. In one embodiment, an apparatus includes an encryption unit to encrypt first content to be transmitted from the apparatus to a processor package directly through a point-to-point link.
    Type: Application
    Filed: December 19, 2012
    Publication date: June 19, 2014
    Inventors: Simon Johnson, Abhishek Das, Carlos Rozas, Uday Savagaonkar, Robert Blankenship, Kiran Padwekar
  • Publication number: 20140157410
    Abstract: In accordance with some embodiments, a protected execution environment may be defined for a graphics processing unit. This framework not only protects the workloads from malware running on the graphics processing unit but also protects those workloads from malware running on the central processing unit. In addition, the trust framework may facilitate proof of secure execution by measuring the code and data structures used to execute the workload. If a part of the trusted computing base of this framework or protected execution environment is compromised, that part can be patched remotely and the patching can be proven remotely throughout attestation in some embodiments.
    Type: Application
    Filed: November 30, 2012
    Publication date: June 5, 2014
    Inventors: Prashant Dewan, Uday R. Savagaonkar, David M. Durham, Paul S. Schmitz, Jason Martin, Michael Goldsmith, Ravi L. Sahita, Frank X McKeen, Carlos Rozas, Vembu Balaji, Scott Janus, Geoffrey S. Strongin, Xiaozhu Kang, Karanvir S. Grewal, Siddhartha Chhabra, Alpha T. Narendra Trivedi
  • Publication number: 20140006746
    Abstract: Embodiments of apparatuses and methods including virtual address memory range registers are disclosed. In one embodiment, a processor includes a memory interface, address translation hardware, and virtual memory address comparison hardware. The memory interface is to access a system memory using a physical memory address. The address translation hardware is to support translation of a virtual memory address to the physical memory address. The virtual memory address is used by software to access a virtual memory location in the virtual memory address space of the processor. The virtual memory address comparison hardware is to determine whether the virtual memory address is within a virtual memory address range.
    Type: Application
    Filed: June 29, 2012
    Publication date: January 2, 2014
    Inventors: Gur Hildesheim, Shlomo Raikin, Ittai Anati, Gideon Gerzon, Uday Savagaonkar, Francis McKeen, Carlos Rozas, Michael Goldsmith, Prashant Dewan
  • Patent number: 7827550
    Abstract: Executing a monitor, in a memory region of a platform protected from access by programs executing in a partition provided on the platform, and the monitor executing an agent to measure a program executing in the partition to obtain a measurement.
    Type: Grant
    Filed: August 17, 2005
    Date of Patent: November 2, 2010
    Assignee: Intel Corporation
    Inventors: Burzin Daruwala, Carlos Rozas, Mona Vij
  • Patent number: 7739466
    Abstract: A method for managing a memory in a computer system is disclosed. A mapping of a virtual page to physical page is locked in response to receiving a request to make the page immutable. According to an aspect of an embodiment of the invention, locking the mapping of the virtual page to the physical page includes preventing mapping of the virtual page to another physical page. Other embodiments are described and claimed.
    Type: Grant
    Filed: August 11, 2006
    Date of Patent: June 15, 2010
    Assignee: Intel Corporation
    Inventors: Carlos Rozas, Mona Vij, David Bowler, Christopher Clark
  • Patent number: 7472285
    Abstract: A method and apparatus for memory encryption with reduced decryption latency. In one embodiment, the method includes reading an encrypted data block from memory. During reading of the encrypted data block, a keystream used to encrypt the data block is regenerated according to one or more stored criteria of the encrypted data block. Once the encrypted data block is read, the encrypted data block is decrypted using the regenerated keystream. Accordingly, in one embodiment, encryption of either random access memory (RAM) or disk memory is performed. A keystream is regenerated during data retrieval such that once the data is received, the data may be decrypted using a single clock operation. As a result, memory encryption is performed without exacerbating memory latency between the processor and memory.
    Type: Grant
    Filed: June 25, 2003
    Date of Patent: December 30, 2008
    Assignee: Intel Corporation
    Inventors: Gary L. Graunke, Carlos Rozas
  • Patent number: 7380049
    Abstract: The present disclosure relates to attempting to monitor and control memory access and, more specifically, to attempting to limit memory access to a specific registered software agent.
    Type: Grant
    Filed: September 6, 2005
    Date of Patent: May 27, 2008
    Assignee: Intel Corporation
    Inventors: Priya Rajagopal, Carlos Rozas
  • Publication number: 20080059726
    Abstract: Systems, methods, and media for dynamic measurement of operating systems in a virtualized system are disclosed. Some embodiments may include accessing a dirty bitmap associated with an operating system executing in a virtualized system where the dirty bitmap may include an indication of memory locations that have been modified since a previous access. Embodiments may also include analyzing the dirty bitmap to determine one or more memory locations associated with the operating system to measure and measuring the determined memory locations to produce measurements of the memory locations. Embodiments may also include performing an action based on the measurements of the memory locations. Other embodiments are disclosed and claimed.
    Type: Application
    Filed: August 31, 2006
    Publication date: March 6, 2008
    Inventors: Carlos Rozas, Rolf Neugebauer
  • Publication number: 20080040565
    Abstract: A method for managing a memory in a computer system is disclosed. A mapping of a virtual page to physical page is locked in response to receiving a request to make the page immutable. According to an aspect of an embodiment of the invention, locking the mapping of the virtual page to the physical page includes preventing mapping of the virtual page to another physical page. Other embodiments are described and claimed.
    Type: Application
    Filed: August 11, 2006
    Publication date: February 14, 2008
    Inventors: Carlos Rozas, Mona Vij, David Bowler, Christopher Clark
  • Publication number: 20070055837
    Abstract: The present disclosure relates to attempting to monitor and control memory access and, more specifically, to attempting to limit memory access to a specific registered software agent.
    Type: Application
    Filed: September 6, 2005
    Publication date: March 8, 2007
    Inventors: Priya Rajagopal, Carlos Rozas
  • Publication number: 20070043896
    Abstract: Executing a monitor, in a memory region of a platform protected from access by programs executing in a partition provided on the platform, and the monitor executing an agent to measure a program executing in the partition to obtain a measurement.
    Type: Application
    Filed: August 17, 2005
    Publication date: February 22, 2007
    Inventors: Burzin Daruwala, Carlos Rozas, Mona Vij
  • Publication number: 20070006169
    Abstract: A method and apparatus for binding trusted platform module (TPM) keys to execution entities are described. In one embodiment, the method includes the receipt of an authorization request issued by an execution entity for authorization data. According to the authorization request, the execution entity may be measured to generate an entity digest value. Once the entity digest value is generated, a platform reference module may grant the authorization request if the entity digest value verifies that the execution entity is an owner of the key held by the TPM. Accordingly, in one embodiment, a platform reference module, rather than an execution entity, holds the authorization data required by a TPM to use a key owned by the execution entity and held within sealed storage by the TPM. Other embodiments are described and claimed.
    Type: Application
    Filed: June 30, 2005
    Publication date: January 4, 2007
    Inventors: Alexander Iliev, Vincent Scarlata, Carlos Rozas
  • Publication number: 20060256105
    Abstract: A virtual security coprocessor framework supports creation of at least one device model to emulate a predetermined cryptographic coprocessor. In one embodiment, the virtual security coprocessor framework uses a cryptographic coprocessor in a processing system to create an instance of the device model (DM) in the processing system. The DM may be based at least in part on a predetermined device model design. The DM may emulate the predetermined cryptographic coprocessor in accordance with the control logic of the device model design. In one embodiment, the virtual security coprocessor framework uses a physical trusted platform module (TPM) in a processing system to support one or more virtual TPMs (vTPMs) for one or more virtual machines (VMs) in the processing system. Other embodiments are described and claimed.
    Type: Application
    Filed: June 29, 2005
    Publication date: November 16, 2006
    Inventors: Vincent Scarlata, Carlos Rozas
  • Publication number: 20060256106
    Abstract: A first processing system determines whether a second processing system provides a trustworthy state for supporting a virtual security coprocessor. In response to determining that the second processing system provides a trustworthy state for supporting the virtual security coprocessor, the first processing system transfers the virtual security coprocessor to the second processing system. In one embodiment, the first processing system receives a key and proof of bindings of the key from the second processing system. The first processing system may determine whether the second processing system provides a trustworthy state for migration of the virtual security coprocessor, based at least in part on the proof of bindings received from the second processing system. After the second processing system receives the virtual security coprocessor, the virtual security coprocessor may be removed from the first processing system. Other embodiments are described and claimed.
    Type: Application
    Filed: June 29, 2005
    Publication date: November 16, 2006
    Inventors: Vincent Scarlata, Carlos Rozas