Patents by Inventor Carlos V Rozas

Carlos V Rozas has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20210406201
    Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.
    Type: Application
    Filed: July 3, 2021
    Publication date: December 30, 2021
    Inventors: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. Mckeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich, Gilbert Neiger, Vedvyas Shanbhogue, Ittai Anati
  • Publication number: 20210399882
    Abstract: A processor includes a processor core. A register of the core is to store: a bit range for a number of address bits of physical memory addresses used for key identifiers (IDs), and a first key ID to identify a boundary between non-restricted key IDs and restricted key IDs of the key identifiers. A memory controller is to: determine, via access to bit range and the first key ID in the register, a key ID range of the restricted key IDs within the physical memory addresses; access a processor state that a first logical processor of the processor core executes in an untrusted domain mode; receive a memory transaction, from the first logical processor, including an address associated with a second key ID; and generate a fault in response to a determination that the second key ID is within a key ID range of the restricted key IDs.
    Type: Application
    Filed: September 2, 2021
    Publication date: December 23, 2021
    Inventors: Ido OUZIEL, Arie AHARON, Dror CASPI, Baruch CHAIKIN, Jacob DOWECK, Gideon GERZON, Barry E. HUNTLEY, Francis X. MCKEEN, Gilbert NEIGER, Carlos V. ROZAS, Ravi L. SAHITA, Vedvyas SHANBHOGUE, Assaf ZALTSMAN
  • Patent number: 11204874
    Abstract: Secure memory repartitioning technologies are described. Embodiments of the disclosure may include a processing device including a processor core and a memory controller coupled between the processor core and a memory device. The memory device includes a memory range including a section of convertible pages that are convertible to secure pages or non-secure pages. The processor core is to receive a non-secure access request to a page in the memory device, responsive to a determination, based on one or more secure state bits in one or more secure state bit arrays, that the page is a secure page, insert an abort page address into a translation lookaside buffer, and responsive to a determination, based on the one or more secure state bits in the one or more secure state bit arrays, that the page is a non-secure page, insert the page into the translation lookaside buffer.
    Type: Grant
    Filed: April 2, 2020
    Date of Patent: December 21, 2021
    Assignee: Intel Corporation
    Inventors: Vedvyas Shanbhogue, Krystof C. Zmudzinski, Carlos V. Rozas, Francis X. McKeen, Raghunandan Makaram, Ilya Alexandrovich, Ittai Anati, Meltem Ozsoy
  • Patent number: 11139967
    Abstract: A processor includes a processor core. A register of the core is to store: a bit range for a number of address bits of physical memory addresses used for key identifiers (IDs), and a first key ID to identify a boundary between non-restricted key IDs and restricted key IDs of the key identifiers. A memory controller is to: determine, via access to bit range and the first key ID in the register, a key ID range of the restricted key IDs within the physical memory addresses; access a processor state that a first logical processor of the processor core executes in an untrusted domain mode; receive a memory transaction, from the first logical processor, including an address associated with a second key ID; and generate a fault in response to a determination that the second key ID is within a key ID range of the restricted key IDs.
    Type: Grant
    Filed: December 20, 2018
    Date of Patent: October 5, 2021
    Assignee: Intel Corporation
    Inventors: Ido Ouziel, Arie Aharon, Dror Caspi, Baruch Chaikin, Jacob Doweck, Gideon Gerzon, Barry E. Huntley, Francis X. Mckeen, Gilbert Neiger, Carlos V. Rozas, Ravi L. Sahita, Vedvyas Shanbhogue, Assaf Zaltsman
  • Publication number: 20210255962
    Abstract: A processor for supporting secure memory intent is disclosed. The processor of the disclosure includes a memory execution unit to access memory and a processor core coupled to the memory execution unit. The processor core is to receive a request to access a convertible page of the memory. In response to the request, the processor core to determine an intent for the convertible page in view of a page table entry (PTE) corresponding to the convertible page. The intent indicates whether the convertible page is to be accessed as at least one of a secure page or a non-secure page.
    Type: Application
    Filed: January 22, 2021
    Publication date: August 19, 2021
    Applicant: Intel Corporation
    Inventors: Krystof C. Zmudzinski, Siddhartha Chhabra, Uday R. Savagaonkar, Simon P. Johnson, Rebekah M. Leslie-Hurd, Francis X. McKeen, Gilbert Neiger, Raghunandan Makaram, Carlos V. Rozas, Amy L. Santoni, Vincent R. Scarlata, Vedvyas Shanbhogue, Ilya Alexandrovich, Ittai Anati, Wesley H. Smith, Michael Goldsmith
  • Patent number: 11055236
    Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.
    Type: Grant
    Filed: December 27, 2019
    Date of Patent: July 6, 2021
    Assignee: Intel Corporation
    Inventors: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. Mckeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich, Gilbert Neiger, Vedvyas Shanbhogue, Ittai Anati
  • Publication number: 20210200858
    Abstract: Embodiments of processors, methods, and systems for executing code in a protected memory container by a trust domain are disclosed. In an embodiment, a processor includes a memory controller to enable creation of a trust domain and a core to enable the trust domain to execute code in a protected memory container.
    Type: Application
    Filed: December 28, 2019
    Publication date: July 1, 2021
    Applicant: Intel Corporation
    Inventors: Dror Caspi, Vedvyas Shanbhogue, Ido Ouziel, Francis McKeen, Baruch Chaikin, Carlos V. Rozas
  • Patent number: 11030120
    Abstract: A processor includes a cryptographic engine to control access, using an secure region key identifier (ID), to one or more memory range of memory allocable for flexible conversion to secure pages of architecturally-protected memory regions, and a processor core. The processor core is to, responsive to receipt of a request to access the memory, perform a walk of page tables and extended page tables to translate a linear address of the request to a physical address of the memory. The processor core is further to determine that the physical address corresponds to an secure page within the one or more memory range of the memory, that a first key ID located within the physical address does not match the secure region key ID, and issue a page fault and deny access to the secure page in the memory.
    Type: Grant
    Filed: June 27, 2019
    Date of Patent: June 8, 2021
    Assignee: Intel Corporation
    Inventors: Krystof C. Zmudzinski, Simon P. Johnson, Raghunandan Makaram, Francis X. McKeen, Carlos V. Rozas, Meltem Ozsoy, Ilya Alexandrovich, Siddhartha Chhabra
  • Patent number: 11023622
    Abstract: A method performed by a processor of an aspect includes accessing an encrypted copy of a protected container page stored in a regular memory. A determination is made whether the protected container page was live stored out, while able to remain useable in, protected container memory. The method also includes either performing a given security check, before determining to store the protected container page to a destination page in a first protected container memory, if it was determined that the protected container page was live stored out, or not performing the given security check, if it was determined that the protected container page was not live stored out. Other methods, as well as processors, computer systems, and machine-readable medium providing instructions are also disclosed.
    Type: Grant
    Filed: June 29, 2019
    Date of Patent: June 1, 2021
    Assignee: Intel Corporation
    Inventors: Carlos V. Rozas, Mona Vij, Somnath Chakrabarti
  • Publication number: 20210064254
    Abstract: There is disclosed a microprocessor, including: a processing core; and a total memory encryption (TME) engine to provide TME for a first trust domain (TD), and further to: allocate a block of physical memory to the first TD and a first cryptographic key to the first TD; map within an extended page table (EPT) a host physical address (HPA) space to a guest physical address (GPA) space of the TD; create a memory ownership table (MOT) entry for a memory page within the block of physical memory, wherein the MOT table comprises a GPA reverse mapping; encrypt the MOT entry using the first cryptographic key; and append to the MOT entry verification data, wherein the MOT entry verification data enables detection of an attack on the MOT entry.
    Type: Application
    Filed: September 29, 2017
    Publication date: March 4, 2021
    Applicant: Intel Corporation
    Inventors: David M. Durham, Ravi L. Sahita, Vedvyas Shanbhogue, Barry E. Huntley, Baiju Patel, Gideon Gerzon, Ioannis T. Schoinas, Hormuzd M. Khosravi, Siddhartha Chhabra, Carlos V. Rozas
  • Publication number: 20210064546
    Abstract: A processor includes a cryptographic engine to control access, using an secure region key identifier (ID), to one or more memory range of memory allocable for flexible conversion to secure pages of architecturally-protected memory regions, and a processor core. The processor core is to, responsive to receipt of a request to access the memory, perform a walk of page tables and extended page tables to translate a linear address of the request to a physical address of the memory. The processor core is further to determine that the physical address corresponds to an secure page within the one or more memory range of the memory, that a first key ID located within the physical address does not match the secure region key ID, and issue a page fault and deny access to the secure page in the memory.
    Type: Application
    Filed: June 27, 2019
    Publication date: March 4, 2021
    Inventors: Krystof C. Zmudzinski, Simon P. Johnson, Raghunandan Makaram, Francis X. McKeen, Carlos V. Rozas, Meltem Ozsoy, Ilya Alexandrovich, Siddhartha Chhabra
  • Patent number: 10922241
    Abstract: A processor for supporting secure memory intent is disclosed. The processor of the disclosure includes a memory execution unit to access memory and a processor core coupled to the memory execution unit. The processor core is to receive a request to access a convertible page of the memory. In response to the request, the processor core to determine an intent for the convertible page in view of a page table entry (PTE) corresponding to the convertible page. The intent indicates whether the convertible page is to be accessed as at least one of a secure page or a non-secure page.
    Type: Grant
    Filed: May 3, 2019
    Date of Patent: February 16, 2021
    Assignee: Intel Corporation
    Inventors: Krystof C. Zmudzinski, Siddhartha Chhabra, Uday R. Savagaonkar, Simon P. Johnson, Rebekah M. Leslie-Hurd, Francis X. McKeen, Gilbert Neiger, Raghunandan Makaram, Carlos V. Rozas, Amy L. Santoni, Vincent R. Scarlata, Vedvyas Shanbhogue, Ilya Alexandrovich, Ittai Anati, Wesley H. Smith, Michael Goldsmith
  • Publication number: 20210006416
    Abstract: Embodiments include systems, methods, computer readable media, and devices configured to, for a first processor of a platform, generate a platform root key; create a data structure to encapsulate the platform root key, the data structure comprising a platform provisioning key and an identification of a registration service; and transmit, on a secure connection, the data structure to the registration service to register the platform root key for the first processor of the platform. Embodiments include systems, methods, computer readable media, and devices configured to store a device certificate received from a key generation facility; receive a manifest from a platform, the manifest comprising an identification of a processor associated with the platform; and validate the processor using a stored device certificate.
    Type: Application
    Filed: April 23, 2020
    Publication date: January 7, 2021
    Applicant: Intel Corporation
    Inventors: Vincent R. Scarlata, Francis X. McKeen, Carlos V. Rozas, Simon P. Johnson, Bo Zhang, James D. Beaney, JR., Piotr Zmijewski, Wesley Hamilton Smith, Eduardo Cabre, Uday R. Savagaonkar
  • Patent number: 10885202
    Abstract: A technique to enable secure application and data integrity within a computer system. In one embodiment, one or more secure enclaves are established in which an application and data may be stored and executed.
    Type: Grant
    Filed: September 6, 2018
    Date of Patent: January 5, 2021
    Assignee: Intel Corporation
    Inventors: Francis X. McKeen, Carlos V. Rozas, Uday R. Savagaonkar, Simon P. Johnson, Vincent Scarlata, Michael A. Goldsmith, Ernie Brickell, Jiang Tao Li, Howard C. Herbert, Prashant Dewan, Stephen J. Tolopka, Gilbert Neiger, David Durham, Gary Graunke, Bernard Lint, Don A. Van Dyke, Joseph Cihula, Stalinselvaraj Jeyasingh, Stephen R. Van Doren, Dion Rodgers, John Garney, Asher Altman
  • Patent number: 10880097
    Abstract: A computing platform implements one or more secure enclaves including a first provisioning enclave to interface with a first provisioning service to obtain a first attestation key from the first provisioning service, a second provisioning enclave to interface with a different, second provisioning service to obtain a second attestation key from the second provisioning service, and a provisioning certification enclave to sign first data from the first provisioning enclave and second data from the second provisioning enclave using a hardware-based provisioning attestation key. The signed first data is used by the first provisioning enclave to authenticate to the first provisioning service to obtain the first attestation key and the signed second data is used by the second provisioning enclave to authenticate to the second provisioning service to obtain the second attestation key.
    Type: Grant
    Filed: October 17, 2018
    Date of Patent: December 29, 2020
    Assignee: Intel Corporation
    Inventors: Vincent R. Scarlata, Francis X. McKeen, Carlos V. Rozas, Simon P. Johnson, Bo Zhang, James D. Beaney, Jr., Piotr Zmijewski, Wesley H. Smith, Eduardo Cabre
  • Publication number: 20200310990
    Abstract: Secure memory allocation technologies are described. A processor includes a processor core and a memory controller that is coupled between the processor core and main memory. The main memory comprises a protected region including secured pages. The processor, in response to a content copy instruction, is to initialize a target page in the protected region of an application address space. The processor, in response to the content copy instruction, is also to select content of a source page in the protected region to be copied. The processor, in response to the content copy instruction, is also to copy the selected content to the target page in the protected region of the application address space.
    Type: Application
    Filed: March 3, 2020
    Publication date: October 1, 2020
    Inventors: Rebekah M. Leslie-Hurd, Francis X. McKeen, Carlos V. Rozas, Krystof C. Zmudzinski
  • Publication number: 20200233807
    Abstract: Secure memory repartitioning technologies are described. Embodiments of the disclosure may include a processing device including a processor core and a memory controller coupled between the processor core and a memory device. The memory device includes a memory range including a section of convertible pages that are convertible to secure pages or non-secure pages. The processor core is to receive a non-secure access request to a page in the memory device, responsive to a determination, based on one or more secure state bits in one or more secure state bit arrays, that the page is a secure page, insert an abort page address into a translation lookaside buffer, and responsive to a determination, based on the one or more secure state bits in the one or more secure state bit arrays, that the page is a non-secure page, insert the page into the translation lookaside buffer.
    Type: Application
    Filed: April 2, 2020
    Publication date: July 23, 2020
    Inventors: Vedvyas Shanbhogue, Krystof C. Zmudzinski, Carlos V. Rozas, Francis X. McKeen, Raghunandan Makaram, Ilya Alexandrovich, Ittai Anati, Meltem Ozsoy
  • Patent number: 10708067
    Abstract: Embodiments include systems, methods, computer readable media, and devices configured to, for a first processor of a platform, generate a platform root key; create a data structure to encapsulate the platform root key, the data structure comprising a platform provisioning key and an identification of a registration service; and transmit, on a secure connection, the data structure to the registration service to register the platform root key for the first processor of the platform. Embodiments include systems, methods, computer readable media, and devices configured to store a device certificate received from a key generation facility; receive a manifest from a platform, the manifest comprising an identification of a processor associated with the platform; and validate the processor using a stored device certificate.
    Type: Grant
    Filed: July 2, 2016
    Date of Patent: July 7, 2020
    Assignee: Intel Corporation
    Inventors: Vincent R. Scarlata, Francis X. McKeen, Carlos V. Rozas, Simon P. Johnson, Bo Zhang, James D. Beaney, Jr., Piotr Zmijewski, Wesley Hamilton Smith, Eduardo Cabre, Uday R. Savagaonkar
  • Publication number: 20200201786
    Abstract: Implementations described provide hardware support for the co-existence of restricted and non-restricted encryption keys on a computing system. Such hardware support may comprise a processor having a core, a hardware register to store a bit range to identify a number of bits, of physical memory addresses, that define key identifiers (IDs) and a partition key ID identifying a boundary between non-restricted and restricted key IDs. The core may allocate at least one of the non-restricted key IDs to a software program, such as a hypervisor. The core may further allocate a restricted key ID to a trust domain whose trust computing base does not comprise the software program. A memory controller coupled to the core may allocate a physical page of a memory to the trust domain, wherein data of the physical page of the memory is to be encrypted with an encryption key associated with the restricted key ID.
    Type: Application
    Filed: December 20, 2018
    Publication date: June 25, 2020
    Inventors: Ido OUZIEL, Arie AHARON, Dror CASPI, Baruch CHAIKIN, Jacob DOWECK, Gideon GERZON, Barry E. HUNTLEY, Francis X. MCKEEN, Gilbert NEIGER, Carlos V. ROZAS, Ravi L. SAHITA, Vedvyas SHANBHOGUE, Assaf ZALTSMAN, Hormuzd M. KHOSRAVI
  • Publication number: 20200204356
    Abstract: A processor includes a processor core. A register of the core is to store: a bit range for a number of address bits of physical memory addresses used for key identifiers (IDs), and a first key ID to identify a boundary between non-restricted key IDs and restricted key IDs of the key identifiers. A memory controller is to: determine, via access to bit range and the first key ID in the register, a key ID range of the restricted key IDs within the physical memory addresses; access a processor state that a first logical processor of the processor core executes in an untrusted domain mode; receive a memory transaction, from the first logical processor, including an address associated with a second key ID; and generate a fault in response to a determination that the second key ID is within a key ID range of the restricted key IDs.
    Type: Application
    Filed: December 20, 2018
    Publication date: June 25, 2020
    Inventors: Ido OUZIEL, Arie AHARON, Dror CASPI, Baruch CHAIKIN, Jacob DOWECK, Gideon GERZON, Barry E. HUNTLEY, Francis X. MCKEEN, Gilbert NEIGER, Carlos V. ROZAS, Ravi L. SAHITA, Vedvyas SHANBHOGUE, Assaf ZALTSMAN