Abstract: A system and method of enhancing the mitigation of side channel attacks on platform interconnects using endpoint HW based detection, synchronization, and re-keying include generating a set of keys for link encryption based on a high entropy seed, storing the set of keys in a deterministic order in a register, detecting that a re-key programmable threshold is met during link encryption with a device, identifying a synchronization point associated with the device, where the synchronization point indicates the device is ready to switch a current key used for link encryption, and synchronizing a rekeying event with the device.

Abstract: An integrated circuit includes a region of configurable logic circuits and a configuration controller circuit that generates a first health condition report indicating a first health condition of the region before configuring the configurable logic circuits according to a circuit design. The configuration controller circuit generates a second health condition report indicating a second health condition of the region after configuring the configurable logic circuits according to the circuit design.

Abstract: A host Virtual Machine Monitor (VMM) operates “blindly,” without the host VMM having the ability to access data within a guest virtual machine (VM) or the ability to access directly control structures that control execution flow of the guest VM. Guest VMs execute within a protected region of memory (called a key domain) that even the host VMM cannot access. Virtualization data structures that pertain to the execution state (e.g., a Virtual Machine Control Structure (VMCS)) and memory mappings (e.g., Extended Page Tables (EPTs)) of the guest VM are also located in the protected memory region and are also encrypted with the key domain key. The host VMM and other guest VMs, which do not possess the key domain key for other key domains, cannot directly modify these control structures nor access the protected memory region. The host VMM, however, using VMPageIn and VMPageOut instructions, can build virtual machines in key domains and page VM pages in and out of key domains.

Abstract: A security processor includes a scheduler to read input data blocks from an input buffer, send the input data blocks to one or more cryptographic circuits in a first random order; and send data blocks having random values in a second random order to one or more of the cryptographic circuits that did not receive the input data blocks.

Abstract: A method includes receiving, by a processor from a virtual machine (VM) executed by the processor, an indication that a proper subset of a plurality of virtual memory pages of the VM are secure memory pages. The method further includes, responsive to determining the VM is attempting to access a first memory page, determining whether the proper subset comprises the first memory page. The method further includes, responsive to determining the proper subset comprises the first memory page: using first attributes specified by the VM for the first memory page; and ignoring second attributes specified by a virtual machine monitor (VMM) for the first memory page. The VMM is executed by the processor to manage the VM.

Abstract: A host Virtual Machine Monitor (VMM) operates “blindly,” without the host VMM having the ability to access data within a guest virtual machine (VM) or the ability to access directly control structures that control execution flow of the guest VM. Guest VMs execute within a protected region of memory (called a key domain) that even the host VMM cannot access. Virtualization data structures that pertain to the execution state (e.g., a Virtual Machine Control Structure (VMCS)) and memory mappings (e.g., Extended Page Tables (EPTs)) of the guest VM are also located in the protected memory region and are also encrypted with the key domain key. The host VMM and other guest VMs, which do not possess the key domain key for other key domains, cannot directly modify these control structures nor access the protected memory region. The host VMM, however, using VMPageIn and VMPageOut instructions, can build virtual machines in key domains and page VM pages in and out of key domains.

Abstract: A method includes receiving, by a processor from a virtual machine (VM) executed by the processor, an indication that a proper subset of a plurality of virtual memory pages of the VM are secure memory pages. The method further includes, responsive to determining the VM is attempting to access a first memory page, determining whether the proper subset comprises the first memory page. The method further includes, responsive to determining the proper subset comprises the first memory page: using first attributes specified by the VM for the first memory page; and ignoring second attributes specified by a virtual machine monitor (VMM) for the first memory page. The VMM is executed by the processor to manage the VM.

Abstract: Sensor data may be filtered in a secure environment. The filtering may limit distribution of the sensor data. Filtering may modify the sensor data, for example, to prevent identification of a person depicted in a captured image or to prevent acquiring a user's precise location. Filtering may also add or require other data use controls to access the data. Attestation that a filter policy is being applied and working properly or not may be provided as well.

Abstract: Methods, apparatuses and storage medium associated with providing enhanced privacy during usage of computer vision are disclosed. In embodiments, an apparatus may include one or more privacy indicators to indicate one or more privacy conditions of the apparatus in association with provision of computer vision on the apparatus. The apparatus may further include a privacy engine coupled with the one or more privacy indicators, and configured to pre-process images from an image source of the apparatus associated with the provision of computer vision to the apparatus, to increase privacy for a user of the apparatus, and to control the one or more privacy indicators. In embodiments, the apparatus may include means for blanking out one or more pixels with depth values identified as greater than a threshold. Other embodiments may be described and claimed.

Abstract: Methods, apparatuses and storage medium associated with providing enhanced privacy during usage of computer vision are disclosed. In embodiments, an apparatus may include one or more privacy indicators to indicate one or more privacy conditions of the apparatus in association with provision of computer vision on the apparatus. The apparatus may further include a privacy engine coupled with the one or more privacy indicators, and configured to pre-process images from an image source of the apparatus associated with the provision of computer vision to the apparatus, to increase privacy for a user of the apparatus, and to control the one or more privacy indicators. In embodiments, the apparatus may include means for blanking out one or more pixels with depth values identified as greater than a threshold. Other embodiments may be described and claimed.

Abstract: Methods, apparatuses and storage medium associated with providing enhanced privacy during usage of computer vision are disclosed. In embodiments, an apparatus may include one or more privacy indicators to indicate one or more privacy conditions of the apparatus in association with provision of computer vision on the apparatus. The apparatus may further include a privacy engine coupled with the one or more privacy indicators, and configured to pre-process images from an image source of the apparatus associated with the provision of computer vision to the apparatus, to increase privacy for a user of the apparatus, and to control the one or more privacy indicators. In embodiments, the apparatus may include means for blanking out one or more pixels with depth values identified as greater than a threshold. Other embodiments may be described and claimed.

Abstract: Sensor data may be filtered in a secure environment. The filtering may limit distribution of the sensor data. Filtering may modify the sensor data, for example, to prevent identification of a person depicted in a captured image or to prevent acquiring a user's precise location. Filtering may also add or require other data use controls to access the data. Attestation that a filter policy is being applied and working properly or not may be provided as well.

Abstract: Sensor data may be filtered in a secure environment. The filtering may limit distribution of the sensor data. Filtering may modify the sensor data, for example, to prevent identification of a person depicted in a captured image or to prevent acquiring a user's precise location. Filtering may also add or require other data use controls to access the data. Attestation that a filter policy is being applied and working properly or not may be provided as well.

Abstract: Methods, apparatuses and storage medium associated with providing enhanced privacy during usage of computer vision are disclosed. In embodiments, an apparatus may include one or more privacy indicators to indicate one or more privacy conditions of the apparatus in association with provision of computer vision on the apparatus. The apparatus may further include a privacy engine coupled with the one or more privacy indicators, and configured to pre-process images from an image source of the apparatus associated with the provision of computer vision to the apparatus, to increase privacy for a user of the apparatus, and to control the one or more privacy indicators. In embodiments, the apparatus may include means for blanking out one or more pixels with depth values identified as greater than a threshold. Other embodiments may be described and claimed.

Abstract: Methods, apparatuses and storage medium associated with providing enhanced privacy during usage of computer vision are disclosed. In embodiments, an apparatus may include one or more privacy indicators to indicate one or more privacy conditions of the apparatus in association with provision of computer vision on the apparatus. The apparatus may further include a privacy engine coupled with the one or more privacy indicators, and configured to pre-process images from an image source of the apparatus associated with the provision of computer vision to the apparatus, to increase privacy for a user of the apparatus, and to control the one or more privacy indicators. In embodiments, the apparatus may include means for blanking out one or more pixels with depth values identified as greater than a threshold. Other embodiments may be described and claimed.

Abstract: Sensor data may be filtered in a secure environment. The filtering may limit distribution of the sensor data. Filtering may modify the sensor data, for example, to prevent identification of a person depicted in a captured image or to prevent acquiring a user's precise location. Filtering may also add or require other data use controls to access the data. Attestation that a filter policy is being applied and working properly or not may be provided as well.

Abstract: Methods, apparatuses and storage medium associated with providing enhanced privacy during usage of computer vision are disclosed. In embodiments, an apparatus may include one or more privacy indicators to indicate one or more privacy conditions of the apparatus in association with provision of computer vision on the apparatus. The apparatus may further include a privacy engine coupled with the one or more privacy indicators, and configured to pre-process images from an image source of the apparatus associated with the provision of computer vision to the apparatus, to increase privacy for a user of the apparatus, and to control the one or more privacy indicators. In embodiments, the apparatus may include means for blanking out one or more pixels with depth values identified as greater than a threshold. Other embodiments may be described and claimed.

Abstract: In one embodiment, a processor comprises a programmable map and a circuit. The programmable map is configured to store data that identifies at least one instruction for which an architectural modification of an instruction set architecture implemented by the processor has been defined, wherein the processor does not implement the modification. The circuitry is configured to detect the instruction or its memory operands and cause a transition to Known Good Code (KGC), wherein the KGC is protected from unauthorized modification and is provided from an authenticated entity. The KGC comprises code that, when executed, emulates the modification. In another embodiment, an integrated circuit comprises at least one processor core; at least one other circuit; and a KGC source configured to supply KGC to the processor core for execution. The KGC comprises interface code for the other circuit whereby an application executing on the processor core interfaces to the other circuit through the KGC.

Abstract: A virtualized computer system includes at least one guest environment (guest), a service guest environment (SG) and trusted software. The at least one guest includes at least one driver having a first private message interface. The SG includes a first USB host controller (HC) driver, which is in communication with a USB HC. The first USB HC driver includes a second private message interface. The trusted software is in communication with the guest and the SG. The trusted software includes a data intercept/routing mechanism that facilitates secure communication between at least one USB device coupled to the USB HC and the guest using the first and second private message interfaces.

Abstract: In one embodiment, a processor comprises a programmable map and a circuit. The programmable map is configured to store data that identifies at least one instruction for which an architectural modification of an instruction set architecture implemented by the processor has been defined, wherein the processor does not implement the modification. The circuitry is configured to detect the instruction or its memory operands and cause a transition to Known Good Code (KGC), wherein the KGC is protected from unauthorized modification and is provided from an authenticated entity. The KGC comprises code that, when executed, emulates the modification. In another embodiment, an integrated circuit comprises at least one processor core; at least one other circuit; and a KGC source configured to supply KGC to the processor core for execution. The KGC comprises interface code for the other circuit whereby an application executing on the processor core interfaces to the other circuit through the KGC.