Abstract: A processor includes a register to store an encoded pointer to a memory location in memory and the encoded pointer is to include an encrypted portion. The processor further includes circuitry to determine a first data encryption factor based on a first data access instruction, decode the encoded pointer to obtain a memory address of the memory location, use the memory address to access an encrypted first data element, and decrypt the encrypted first data element using a cryptographic algorithm with first inputs to generate a decrypted first data element. The first inputs include the first data encryption factor based on the first data access instruction and a second data encryption factor from the encoded pointer.

Abstract: A processor executes an untrusted VMM that manages execution of a guest workload. The processor also populates an entry in a memory ownership table for the guest workload. The memory ownership table is indexed by an original hardware physical address, the entry comprises an expected guest address that corresponds to the original hardware physical address, and the entry is encrypted with a key domain key. In response to receiving a request from the guest workload to access memory using a requested guest address, the processor (a) obtains, from the untrusted VMM, a hardware physical address that corresponds to the requested guest address; (b) uses that physical address as an index to find an entry in the memory ownership table; and (c) verifies whether the expected guest address from the found entry matches the requested guest address. Other embodiments are described and claimed.

Abstract: An apparatus including a processor comprising at least one core to execute instructions of a plurality of virtual machines and a virtual machine monitor; and a cryptographic engine comprising circuitry to protect data associated with the plurality of virtual machines through use of a plurality of private keys and an accessor key, wherein each of the plurality of private keys are to protect a respective virtual machine and the accessor key is to protect management structures of the plurality of virtual machines; and wherein the processor is to provide, to the virtual machine monitor, direct read access to the management structures of the plurality of virtual machines through the accessor key and indirect write access to the management structures of the plurality of virtual machines through a secure software module.

Abstract: Embodiments are directed to memory protection with hidden inline metadata. An embodiment of an apparatus includes processor cores; a computer memory for the storage of data; and cache memory communicatively coupled with one or more of the processor cores, wherein one or more processor cores of the plurality of processor cores are to implant hidden inline metadata in one or more cachelines for the cache memory, the hidden inline metadata being hidden at a linear address level.

Abstract: A system may use memory tagging for side-channel defense, memory safety, and sandboxing to reduce the likelihood of successful attacks. The system may include memory tagging circuitry to address existing and potential hardware and software architectures security vulnerabilities. The memory tagging circuitry may prevent memory pointers from being overwritten, prevent memory pointer manipulation (e.g., by adding values), and increase the granularity of memory tagging to include byte-level tagging in cache. The memory tagging circuitry may sandbox untrusted code by tagging portions of memory to indicate when the tagged portions of memory include contain a protected pointer. The memory tagging circuitry provides security features while enabling CPUs to continue using and benefiting from speculatively performing operations.

Abstract: Technologies disclosed herein provide cryptographic computing. An example method comprises storing, in a register, an encoded pointer to a memory location, wherein the encoded pointer comprises first context information and a slice of a memory address of the memory location, wherein the first context information includes an identification of a data key; decoding the encoded pointer to obtain the memory address of the memory location; using the memory address obtained by decoding the encoded pointer to access encrypted data at the memory location; and decrypting the encrypted data based on the data key.

Abstract: Technologies disclosed herein provide cryptographic computing. An example processor includes a core to execute an instruction, where the core includes a register to store a pointer to a memory location and a tag associated with the pointer. The tag indicates whether the pointer is at least partially immutable. The core also includes circuitry to access the pointer and the tag associated with the pointer, determine whether the tag indicates that the pointer is at least partially immutable. The circuitry is further, based on a determination that the tag indicates the pointer is at least partially immutable, to obtain a memory address of the memory location based on the pointer, use the memory address to access encrypted data at the memory location, and decrypt the encrypted data based on a key and a tweak, where the tweak including one or more bits based, at least in part, on the pointer.

Abstract: Embodiments are generally directed to message authentication code (MAC) based compression and decompression. An embodiment of an apparatus includes one or processors to process data; and a computer memory; wherein the one or more processors are to perform compression of a fixed transmission or storage unit, the transmission or storage unit including multiple slots, the compression of the transmission or storage unit including the one or more processors to calculate a MAC for data in the transmission or storage unit, determine whether a special value is present in any slot of the transmission or storage unit, and upon determining that the special value is present in a respective slot of the transmission or storage unit, remove the special value from the transmission or storage unit, shift remaining data of the transmission or storage unit to provide room in a first slot the transmission or storage unit, and insert the MAC in the first slot to generate a compressed transmission or storage unit.

Abstract: In one embodiment, a processor includes a memory hierarchy and a core coupled to the memory hierarchy. The memory hierarchy stores encrypted data, and the core includes circuitry to access the encrypted data stored in the memory hierarchy, decrypt the encrypted data to yield decrypted data, perform an entropy test on the decrypted data, and update a processor state based on a result of the entropy test. The entropy test may include determining a number of data entities in the decrypted data whose values are equal to one another, determining a number of adjacent data entities in the decrypted data whose values are equal to one another, determining a number of data entities in the decrypted data whose values are equal to at least one special value from a set of special values, or determining a sum of n highest data entity value frequencies.

Abstract: A processor includes a register to store an encoded pointer to a variable in stack memory. The encoded pointer includes an encrypted portion and a fixed plaintext portion of a memory address corresponding to the variable. The processor further includes circuitry to, in response to a memory access request for associated with the variable, decrypt the encrypted portion of the encoded pointer to obtain first upper address bits of the memory address and a memory allocation size for a variable, decode the encoded pointer to obtain the memory address, verify the memory address is valid based, at least in part on the memory allocation size, and in response to determining that the memory address is valid, allow the memory access request.

Abstract: An apparatus and method for efficient process-based compartmentalization.

Abstract: A processor comprises a first register to store an encoded pointer to a memory location. First context information is stored in first bits of the encoded pointer and a slice of a linear address of the memory location is stored in second bits of the encoded pointer. The processor also includes circuitry to execute a memory access instruction to obtain a physical address of the memory location, access encrypted data at the memory location, derive a first tweak based at least in part on the encoded pointer, and generate a keystream based on the first tweak and a key. The circuitry is to further execute the memory access instruction to store state information associated with memory access instruction in a first buffer, and to decrypt the encrypted data based on the keystream. The keystream is to be generated at least partly in parallel with accessing the encrypted data.

Abstract: Embodiments are directed to security optimizing compute distribution in a hybrid deep learning environment. An embodiment of an apparatus includes one or more processors to determine security capabilities and compute capabilities of a client machine requesting to use a machine learning (ML) model hosted by the apparatus; determine, based on the security capabilities and based on exposure criteria of the ML model, that one or more layers of the ML model can be offloaded to the client machine for processing; define, based on the compute capabilities of the client machine, a split level of the one or more layers of the ML model for partition of the ML model, the partition comprising offload layers of the one or more layers of the ML model to be processed at the client machine; and cause the offload layers of the ML model to be downloaded to the client machine.

Abstract: The present disclosure includes systems and methods for securing data direct I/O (DDIO) for a secure accelerator interface, in accordance with various embodiments. Historically, DDIO has enabled performance advantages that have outweighed its security risks. DDIO circuitry may be configured to secure DDIO data by using encryption circuitry that is manufactured for use in communications with main memory along the direct memory access (DMA) path. DDIO circuitry may be configured to secure DDIO data by using DDIO encryption circuitry manufactured for use by or manufactured within the DDIO circuitry. Enabling encryption and decryption in the DDIO path by the DDIO circuitry has the potential to close a security gap in modem data central processor units (CPUs).

Abstract: A processor, a system, a machine readable medium, and a method.

Abstract: Disclosed embodiments relate to encoded inline capabilities. In one example, a system includes a trusted execution environment (TEE) to partition an address space within a memory into a plurality of compartments each associated with code to execute a function, the TEE further to assign a message object in a heap to each compartment, receive a request from a first compartment to send a message block to a specified destination compartment, respond to the request by authenticating the request, generating a corresponding encoded capability, conveying the encoded capability to the destination compartment, and scheduling the destination compartment to respond to the request, and subsequently, respond to a check capability request from the destination compartment by checking the encoded capability and, when the check passes, providing a memory address to access the message block, and, otherwise, generating a fault, wherein each compartment is isolated from other compartments.

Abstract: A processor is to execute a first instruction to perform a simulated return in a program from a callee function to a caller function based on a first input stack pointer encoded with a first security context of a first callee stack frame. To perform the simulated return is to include generating a first simulated stack pointer to the caller stack frame. The processor is further to, in response to identifying an exception handler in the first caller function, execute a second instruction to perform a simulated call based on a second input stack pointer encoded with a second security context of the caller stack frame. To perform the simulated call is to include generating a second simulated stack pointer to a new stack frame containing an encrypted instruction pointer associated with the exception handler. The second simulated stack pointer is to be encoded with a new security context.

Abstract: Methods and apparatus relating to zero-redundancy tag storage for bucketed allocators are described. In some embodiments, memory stores a memory page. The memory page includes a metadata page and a plurality of slots. The metadata page includes information corresponding to the plurality of slots. Decode circuitry decodes an instruction that includes a source operand. Execution circuitry executes the decoded instruction according to the source operand to load a first tag for a first slot of the plurality of slots in response to a memory access request directed at the first slot of the plurality of slots. The memory access request is allowed to proceed in response to a match between the first tag and a second tag of a pointer of the memory access request. The memory page stores a separate tag in proximity to each of the plurality of slots. Other embodiments are also disclosed and claimed.

Abstract: A server includes a processor core including system memory, and a cryptographic engine storing a key data structure. The data structure is to store multiple keys for multiple secure domains. The core receives a request to program a first secure domain into the cryptographic engine. The request includes first domain information within a first wrapped binary large object (blob). In response a determination that there is no available entry in the data structure, the core selects a second secure domain within the data structure to de-schedule and issues a read key command to read second domain information from a target entry of the data structure. The core encrypts the second domain information to generate a second wrapped blob and stores the second wrapped blob in a determined region of the system memory, which frees up the target entry for use to program the first secure domain.

Abstract: Systems, apparatuses and methods may provide for technology that associates a key domain of a plurality of key domains with a customer boot image, receives the customer boot image from the customer, and verifies the integrity of the customer boot image that is to be securely installed at memory locations determined from an untrusted privileged entity (e.g., a virtual machine manager).