Patents by Inventor David M. Durham
David M. Durham has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12135643
Abstract: Techniques and mechanisms for metadata, which corresponds to cached data, to be selectively stored to a sequestered memory region. In an embodiment, integrated circuitry evaluates whether a line of a cache can accommodate a first representation of both the data and some corresponding metadata. Where the cache line can accommodate the first representation, said first representation is generated and stored to the line. Otherwise, a second representation of the data is generated and stored to a cache line, and the metadata is stored to a sequestered memory region that is external to the cache. The cache line include an indication as to whether the metadata is represented in the cache line, or is stored in the sequestered memory region. In another embodiment, a metric of utilization of the sequestered memory region is provided to software which determines whether a capacity of the sequestered memory region is to be modified.
Type: Grant
Filed: November 12, 2020
Date of Patent: November 5, 2024
Assignee: Intel Corporation
Inventors: Michael Kounavis, Siddhartha Chhabra, David M. Durham
-
Publication number: 20240354108
Abstract: Techniques for implementing instructions and modified instruction encodings for checking tags and for interspersing islands of tags in line with bucketed data for locality by a processor are described. In an example, an apparatus includes decoder circuitry and execution circuitry. The decoder circuitry is to decode an instruction into a decoded instruction. The instruction has an opcode to indicate that the execution circuitry is to use metadata and instruction encodings to selectively perform a memory safety check. The execution circuitry is to execute the decoded instruction according to the opcode.
Type: Application
Filed: September 29, 2023
Publication date: October 24, 2024
Applicant: Intel Corporation
Inventors: Michael LeMay, David M. Durham, Joseph Cihula, Joseph Nuzman, Dan Baum, Jonathan Combs
-
Publication number: 20240333501
Abstract: In a technique of hardware thread isolation, a processor comprises a first core including a first hardware thread register. The core is to select a first key identifier stored in the first hardware thread register in response to receiving a first memory access request associated with a first hardware thread of a process. Memory controller circuitry coupled to the first core is to obtain a first encryption key associated with the first key identifier. The first key identifier may be selected from the first hardware thread register based, at least in part, on a first portion of a pointer of the first memory access request. The first key identifier selected from the first hardware thread register is to be appended to a physical address translated from a linear address at least partially included in the pointer.
Type: Application
Filed: March 31, 2023
Publication date: October 3, 2024
Applicant: Intel Corporation
Inventors: David M. Durham, Michael LeMay, Salmin Sultana, Karanvir S. Grewal, Sergej Deutsch
-
Publication number: 20240329861
Abstract: An apparatus includes circuitry to receive a memory access request based on a memory address in a memory allocation of a program. The memory allocation is assigned to a slot of memory apportioned into a plurality of slots. The circuitry is to calculate an index based, at least in part, on whether a size of the slot exceeds a slot threshold size, and determine whether a buffer communicatively coupled to the circuitry includes a buffer entry corresponding to the index and containing a set of metadata associated with the memory allocation. Based on the slot size, the circuitry is to calculate the index by either determining a metadata virtual address or by determining a virtual address of a midpoint of the slot. The indexed data may include bounds and tag information for the circuitry to determine if a memory access is within the bounds and matches the tag value.
Type: Application
Filed: March 31, 2023
Publication date: October 3, 2024
Applicant: Intel Corporation
Inventors: Yonghae Kim, David M. Durham, Michael LeMay
-
SECURE ERROR CORRECTING CODE (ECC) TRUST EXECUTION ENVIRONMENT (TEE) CONFIGURATION METADATA ENCODING
Publication number: 20240311234
Abstract: The technology disclosed herein includes a memory to store a plurality of pages, a page of the plurality of pages configured as one of a trusted execution environment (TEE) configuration and a non-TEE configuration, and a memory controller to attempt to access the page using a memory address and the TEE configuration and generate a first error correcting code (ECC); and when data for the first ECC is at least one of correct and correctable by ECC for the attempt to access the page using the TEE configuration, attempt to access the page using the memory address and the non-TEE configuration and generate a second ECC, and when data the second ECC is at least one of correct and correctable by ECC for the attempt to access the page using the non-TEE configuration, store the memory address as an unknown cacheline address.
Type: Application
Filed: May 29, 2024
Publication date: September 19, 2024
Applicant: Intel Corporation
Inventors: David M. Durham, Sergej Deutsch, Karanvir Grewal
-
Publication number: 20240289438
Abstract: It is provided an apparatus comprising interface circuitry, machine-readable instructions, and processing circuitry to execute the machine-readable instructions. The machine-readable instructions comprise instructions to obtain a read request for reading data from an address in volatile memory. The machine-readable instructions further comprise instructions to determine whether the address in volatile memory is associated with a trusted domain. The machine-readable instructions further comprise instructions to set, if the address is associated with a trusted domain and the read request is obtained from outside the trusted domain, an identification tag for the trusted domain. The machine-readable instructions further comprise instructions to return, for the read request and subsequent read requests for one or more addresses associated with the trusted domain, poisoned data if the flag is set for the trusted domain.
Type: Application
Filed: May 7, 2024
Publication date: August 29, 2024
Inventors: Sergej DEUTSCH, David M. DURHAM, Karanvir GREWAL
-
Patent number: 12066888
Abstract: The technology disclosed herein comprises a processor; a memory to store data and a plurality of error correcting code (ECC) bits associated with the data; and a memory controller coupled to the memory, the memory controller to receive a write request from the processor and, when an access control field is selected in the write request, perform an exclusive OR (XOR) operation on the plurality of ECC bits and a fixed encoding pattern to generate a plurality of encoded ECC bits and store the data and the plurality of encoded ECC bits in the memory.
Type: Grant
Filed: September 14, 2022
Date of Patent: August 20, 2024
Assignee: Intel Corporation
Inventors: Sergej Deutsch, David M. Durham, Karanvir Grewal, Rajat Agarwal
-
Patent number: 12050701
Abstract: Technologies disclosed herein provide cryptographic computing. An example method comprises executing a first instruction of a first software entity to receive a first input operand indicating a first key associated with a first memory compartment of a plurality of memory compartments stored in a first memory unit, and execute a cryptographic algorithm in a core of a processor to compute first encrypted contents based at least in part on the first key. Subsequent to computing the first encrypted contents in the core, the first encrypted contents are stored at a memory location in the first memory compartment of the first memory unit. More specific embodiments include, prior to storing the first encrypted contents at the memory location in the first memory compartment and subsequent to computing the first encrypted contents in the core, moving the first encrypted contents into a level one (L1) cache outside a boundary of the core.
Type: Grant
Filed: June 6, 2022
Date of Patent: July 30, 2024
Assignee: Intel Corporation
Inventors: Michael E. Kounavis, Santosh Ghosh, Sergej Deutsch, Michael LeMay, David M. Durham
-
Patent number: 12045176
Abstract: Embodiments are directed to memory protection with hidden inline metadata. An embodiment of an apparatus includes processor cores; a computer memory for the storage of data; and cache memory communicatively coupled with one or more of the processor cores, wherein one or more processor cores of the plurality of processor cores are to implant hidden inline metadata in one or more cachelines for the cache memory, the hidden inline metadata being hidden at a linear address level.
Type: Grant
Filed: April 18, 2023
Date of Patent: July 23, 2024
Assignee: Intel Corporation
Inventors: David M. Durham, Ron Gabor
-
Secure error correcting code (ECC) trust execution environment (TEE) configuration metadata encoding
Patent number: 12045128
Abstract: The technology disclosed herein includes a memory to store a plurality of pages, a page of the plurality of pages configured as one of a trusted execution environment (TEE) configuration and a non-TEE configuration, and a memory controller to attempt to access the page using a memory address and the TEE configuration and generate a first error correcting code (ECC); and when data for the first ECC is at least one of correct and correctable by ECC for the attempt to access the page using the TEE configuration, attempt to access the page using the memory address and the non-TEE configuration and generate a second ECC, and when data the second ECC is at least one of correct and correctable by ECC for the attempt to access the page using the non-TEE configuration, store the memory address as an unknown cacheline address.
Type: Grant
Filed: December 28, 2022
Date of Patent: July 23, 2024
Assignee: Intel Corporation
Inventors: David M. Durham, Sergej Deutsch, Karanvir Grewal
-
Patent number: 12045174
Abstract: Embodiments are directed to tagless implicit integrity with multi-perspective pattern search for memory safety. An embodiment of an apparatus includes one or more processors comprising hardware circuitry to: access encrypted data stored in a memory hierarchy using a pointer; decrypt the encrypted data using a current version of a pointer tag of the pointer to yield first decrypted data; perform an entropy test on the first decrypted data; responsive to the entropy test failing to detect patterns in the first decrypted data, re-decrypt the encrypted data using one or more different versions of the pointer tag of the pointer to yield one or more other decrypted data; perform the entropy test on the one or more other decrypted versions; and responsive to the entropy test detecting the patterns in the one or more other decrypted data, signal an exception to the one or more processors with respect to the encrypted data.
Type: Grant
Filed: March 25, 2022
Date of Patent: July 23, 2024
Assignee: INTEL CORPORATION
Inventors: David M. Durham, Michael Lemay
-
Patent number: 12032486
Abstract: In one embodiment, a processor includes circuitry to decode an instruction referencing an encoded data pointer that includes a set of plaintext linear address bits and a set of encrypted linear address bits. The processor also includes circuitry to perform a speculative lookup in a translation lookaside buffer (TLB) using the plaintext linear address bits to obtain physical address, buffer a set of architectural predictor state values based on the speculative TLB lookup, and speculatively execute the instruction using the physical address obtained from the speculative TLB lookup. The processor also includes circuitry to determine whether the speculative TLB lookup was correct and update a set of architectural predictor state values of the core using the buffered architectural predictor state values based on a determination that the speculative TLB lookup was correct.
Type: Grant
Filed: December 23, 2021
Date of Patent: July 9, 2024
Assignee: Intel Corporation
Inventors: Abhishek Basak, Santosh Ghosh, Michael D. LeMay, David M. Durham
-
SECURE ERROR CORRECTING CODE (ECC) TRUST EXECUTION ENVIRONMENT (TEE) CONFIGURATION METADATA ENCODING
Publication number: 20240220357
Abstract: The technology disclosed herein includes a memory to store a plurality of pages, a page of the plurality of pages configured as one of a trusted execution environment (TEE) configuration and a non-TEE configuration, and a memory controller to attempt to access the page using a memory address and the TEE configuration and generate a first error correcting code (ECC); and when data for the first ECC is at least one of correct and correctable by ECC for the attempt to access the page using the TEE configuration, attempt to access the page using the memory address and the non-TEE configuration and generate a second ECC, and when data the second ECC is at least one of correct and correctable by ECC for the attempt to access the page using the non-TEE configuration, store the memory address as an unknown cacheline address.
Type: Application
Filed: December 28, 2022
Publication date: July 4, 2024
Applicant: Intel Corporation
Inventors: David M. Durham, Sergej Deutsch, Karanvir Grewal
-
Publication number: 20240220423
Abstract: Techniques disclosed include selecting a first key identifier (ID) for a first compartment of a compartmentalized process of a computing system, the first compartment including first private data; assigning a first extended page table (EPT) having at least one memory address including the first key ID; encrypting the first private data with a first key associated with the first key ID; and storing the encrypted first private data in a memory starting at the at least one memory address of the first EPT.
Type: Application
Filed: December 28, 2022
Publication date: July 4, 2024
Applicant: Intel Corporation
Inventors: Michael LeMay, David M. Durham, Salmin Sultana, Andrew V. Anderson, Hans Goran Liljestrand
-
Patent number: 12019562
Abstract: An apparatus comprising a processor unit comprising circuitry to generate, for a first network host, a request for an object of a second network host, wherein the request comprises an address comprising a routable host ID of the second network host and an at least partially encrypted object ID, wherein the address uniquely identifies the object within a distributed computing domain; and a memory element to store at least a portion of the object.
Type: Grant
Filed: September 22, 2021
Date of Patent: June 25, 2024
Assignee: Intel Corporation
Inventors: Michael D. LeMay, David M. Durham, Anjo Lucas Vahldiek-Oberwagner, Anna Trikalinou
-
Patent number: 12008374
Abstract: The technology includes allocating an object in a memory and setting an ownership identifier (ID) in the allocated object, the allocated object being associated with a first variable in a program and setting a matching ownership ID in a pointer to the allocated object. When the allocated object is accessed during execution of the program by a processor, an exception is generated when the ownership ID in the allocated object does not match the ownership ID in the pointer, and execution of the program is continued when the ownership ID in the allocated object does match the ownership ID in the pointer.
Type: Grant
Filed: March 16, 2022
Date of Patent: June 11, 2024
Assignee: INTEL CORPORATION
Inventors: Michael LeMay, Peiming Liu, David M. Durham, Scott Constable, Kshitij Arun Doshi
-
Publication number: 20240176749
Abstract: In one embodiment, a multi-tenant computing system includes a processor including a plurality of cores on which agents of tenants of the multi-tenant computing system are to execute, a configuration storage, and a memory execution circuit. The configuration storage includes a first configuration register to store configuration information associated with the memory execution circuit. The first configuration register is to store a mode identifier to identify a mode of operation of the memory execution circuit. The memory execution circuit, in a first mode of operation, is to receive encrypted data of a first tenant, the encrypted data encrypted by the first tenant, generate an integrity value for the encrypted data, and send the encrypted data and the integrity value to a memory, the integrity value not visible to the software of the multi-tenant computing system. Other embodiments are described and claimed.
Type: Application
Filed: December 4, 2023
Publication date: May 30, 2024
Inventors: Siddhartha Chhabra, David M. Durham
-
Patent number: 11995006
Abstract: A method comprises generating, for a cacheline, a first tag and a second tag, the first tag and the second tag generated as a function of user data stored and metadata in the cacheline stored in a first memory device, and a multiplication parameter derived from a secret key, storing the user data, the metadata, the first tag and the second tag in the first cacheline of the first memory device; generating, for the cacheline, a third tag and a fourth tag, the third tag and the fourth tag generated as a function of the user data stored and metadata in the cacheline stored in a second memory device, and the multiplication parameter; storing the user data, the metadata, the third tag and the fourth tag in the corresponding cache line of the second memory device; receiving, from a requesting device, a read operation directed to the cacheline; and using the first tag, the second tag, the third tag, and the fourth tag to determine whether a read error occurred during the read operation.
Type: Grant
Filed: December 22, 2021
Date of Patent: May 28, 2024
Assignee: Intel Corporation
Inventors: Sergej Deutsch, Karanvir Grewal, David M. Durham, Rajat Agarwal
-
Patent number: 11989332
Abstract: According to one embodiment, a method comprises executing an untrusted host virtual machine monitor (VMM) to manage execution of at least one guest virtual machine (VM). The VMM receives an encrypted key domain key, an encrypted guest code image, and an encrypted guest control structure. The VM also issues a create command. In response, a processor creates a first key domain comprising a region of memory to be encrypted by a key domain key. The encrypted key domain key is decrypted to produce the key domain key, which is inaccessible to the VMM. The VMM issues a launch command. In response, a first guest VM is launched within the first key domain. In response to a second launch command, a second guest VM is launched within the first key domain. The second guest VM provides an agent to act on behalf of the VMM. Other embodiments are described and claimed.
Type: Grant
Filed: September 29, 2021
Date of Patent: May 21, 2024
Assignee: INTEL CORPORATION
Inventors: David M. Durham, Gilbert Neiger, Barry E. Huntley, Ravi L. Sahita, Baiju V. Patel
-
Patent number: 11972126
Abstract: Technologies disclosed herein provide one example of a system that includes processor circuitry to be communicatively coupled to a memory circuitry. The processor circuitry is to receive a memory access request corresponding to an application for access to an address range in a memory allocation of the memory circuitry and to locate a metadata region within the memory allocation. The processor circuitry is also to, in response to a determination that the address range includes at least a portion of the metadata region, obtain first metadata stored in the metadata region, use the first metadata to determine an alternate memory address in a relocation region, and read, at the alternate memory address, displaced data from the portion of the metadata region included in the address range of the memory allocation. The address range includes one or more bytes of an expected allocation region of the memory allocation.
Type: Grant
Filed: September 10, 2021
Date of Patent: April 30, 2024
Assignee: Intel Corporation
Inventors: David M. Durham, Michael D. LeMay, Sergej Deutsch, Joydeep Rakshit, Anant Vithal Nori, Jayesh Gaur, Sreenivas Subramoney