Patents by Inventor Ido Ouziel

Ido Ouziel has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20200226074
    Abstract: In one embodiment, an apparatus comprises a processor to read a data line from memory in response to a read request from a VM. The data line comprises encrypted memory data. The apparatus also comprises a memory encryption circuit in the processor. The memory encryption circuit is to use an address of the read request to select an entry from a P2K table; obtain a key identifier from the selected entry of the P2K table; use the key identifier to select a key for the read request; and use the selected key to decrypt the encrypted memory data into decrypted memory data. The processor is further to make the decrypted memory data available to the VM. The P2K table comprises multiple entries, each comprising (a) a key identifier for a page of memory and (b) an encrypted address for that page of memory. Other embodiments are described and claimed.
    Type: Application
    Filed: March 27, 2020
    Publication date: July 16, 2020
    Inventors: David M. Durham, Siddhartha Chhabra, Amy L. Santoni, Gilbert Neiger, Barry E. Huntley, Hormuzd M. Khosravi, Baiju V. Patel, Ravi L. Sahita, Gideon Gerzon, Ido Ouziel, Ioannis T. Schoinas, Rajesh M. Sankaran
  • Publication number: 20200204356
    Abstract: A processor includes a processor core. A register of the core is to store: a bit range for a number of address bits of physical memory addresses used for key identifiers (IDs), and a first key ID to identify a boundary between non-restricted key IDs and restricted key IDs of the key identifiers. A memory controller is to: determine, via access to bit range and the first key ID in the register, a key ID range of the restricted key IDs within the physical memory addresses; access a processor state that a first logical processor of the processor core executes in an untrusted domain mode; receive a memory transaction, from the first logical processor, including an address associated with a second key ID; and generate a fault in response to a determination that the second key ID is within a key ID range of the restricted key IDs.
    Type: Application
    Filed: December 20, 2018
    Publication date: June 25, 2020
    Inventors: Ido OUZIEL, Arie AHARON, Dror CASPI, Baruch CHAIKIN, Jacob DOWECK, Gideon GERZON, Barry E. HUNTLEY, Francis X. MCKEEN, Gilbert NEIGER, Carlos V. ROZAS, Ravi L. SAHITA, Vedvyas SHANBHOGUE, Assaf ZALTSMAN
  • Publication number: 20200201638
    Abstract: A processor includes a global register to store a value of an interrupted block count. A processor core, communicably coupled to the global register, may, upon execution of an instruction to flush blocks of a cache that are associated with a security domain: flush the blocks of the cache sequentially according to a flush loop of the cache; and in response to detection of a system interrupt: store a value of a current cache block count to the global register as the interrupted block count; and stop execution of the instruction to pause the flush of the blocks of the cache. After handling of the interrupt, the instruction may be called again to restart the flush of the cache.
    Type: Application
    Filed: December 20, 2018
    Publication date: June 25, 2020
    Inventors: Gideon GERZON, Dror CASPI, Arie AHARON, Ido OUZIEL
  • Publication number: 20200201786
    Abstract: Implementations described provide hardware support for the co-existence of restricted and non-restricted encryption keys on a computing system. Such hardware support may comprise a processor having a core, a hardware register to store a bit range to identify a number of bits, of physical memory addresses, that define key identifiers (IDs) and a partition key ID identifying a boundary between non-restricted and restricted key IDs. The core may allocate at least one of the non-restricted key IDs to a software program, such as a hypervisor. The core may further allocate a restricted key ID to a trust domain whose trust computing base does not comprise the software program. A memory controller coupled to the core may allocate a physical page of a memory to the trust domain, wherein data of the physical page of the memory is to be encrypted with an encryption key associated with the restricted key ID.
    Type: Application
    Filed: December 20, 2018
    Publication date: June 25, 2020
    Inventors: Ido OUZIEL, Arie AHARON, Dror CASPI, Baruch CHAIKIN, Jacob DOWECK, Gideon GERZON, Barry E. HUNTLEY, Francis X. MCKEEN, Gilbert NEIGER, Carlos V. ROZAS, Ravi L. SAHITA, Vedvyas SHANBHOGUE, Assaf ZALTSMAN, Hormuzd M. KHOSRAVI
  • Patent number: 10657071
    Abstract: In one embodiment, a cryptographic circuit is adapted to receive a data line including at least an encrypted portion from a memory in response to a read request having a memory address from a first agent, obtain a key identifier for a key of the first agent from the data line, obtain the key using the key identifier, decrypt the at least encrypted portion of the data line using the key and send decrypted data of the at least encrypted portion of the data line to the first agent. Other embodiments are described and claimed.
    Type: Grant
    Filed: September 25, 2017
    Date of Patent: May 19, 2020
    Assignee: Intel Corporation
    Inventors: David M. Durham, Siddhartha Chhabra, Amy L. Santoni, Gilbert Neiger, Barry E. Huntley, Hormuzd M. Khosravi, Baiju V. Patel, Ravi L. Sahita, Gideon Gerzon, Ido Ouziel, Ioannis T. Schoinas, Rajesh M. Sankaran
  • Patent number: 10649783
    Abstract: A technique to enable efficient instruction fusion within a computer system is disclosed. In one embodiment, a processor includes multiple cores, each including a first-level cache, a fetch circuit to fetch instructions, an instruction buffer (IBUF) to store instructions, a decode circuit to decode instructions, an execution circuit to execute decoded instructions, and an instruction fusion circuit to fuse a first instruction and a second instruction to form a fused instruction to be processed by the execution circuit as a single instruction, the instruction fusion occurring when both the first and second instructions have been stored in the IBUF prior to issuance to the decode circuit, and wherein the first instruction was the last instruction to be stored in the IBUF prior to the second instruction being stored in the IBUF, such that the first and second instructions are stored adjacently in the IBUF.
    Type: Grant
    Filed: April 30, 2016
    Date of Patent: May 12, 2020
    Assignee: Intel Corporation
    Inventors: Ido Ouziel, Lihu Rappoport, Robert Valentine, Ron Gabor, Pankaj Raghuvanshi
  • Publication number: 20190095350
    Abstract: In one embodiment, a cryptographic circuit is adapted to receive a data line including at least an encrypted portion from a memory in response to a read request having a memory address from a first agent, obtain a key identifier for a key of the first agent from the data line, obtain the key using the key identifier, decrypt the at least encrypted portion of the data line using the key and send decrypted data of the at least encrypted portion of the data line to the first agent. Other embodiments are described and claimed.
    Type: Application
    Filed: September 25, 2017
    Publication date: March 28, 2019
    Inventors: David M. Durham, Siddhartha Chhabra, Amy L. Santoni, Gilbert Neiger, Barry E. Huntley, Hormuzd M. Khosravi, Baiju V. Patel, Ravi L. Sahita, Gideon Gerzon, Ido Ouziel, Ioannis T. Schoinas, Rajesh M. Sankaran
  • Publication number: 20190087575
    Abstract: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, a processing device includes a memory ownership table (MOT) that is access-controlled against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to manage a trust domain (TD), maintain a trust domain control structure (TDCS) for managing global metadata for each TD, maintain an execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is access-controlled against software accesses, and reference the MOT to obtain at least one key identifier (key ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key.
    Type: Application
    Filed: September 15, 2017
    Publication date: March 21, 2019
    Inventors: Ravi L. Sahita, Baiju V. Patel, Barry E. Huntley, Gilbert Neiger, Hormuzd M. Khosravi, Ido Ouziel, David M. Durham, Ioannis T. Schoinas, Siddhartha Chhabra, Carlos V. Rozas, Gideon Gerzon
  • Patent number: 10223121
    Abstract: A processor includes a decoder, a data return buffer, and an execution unit. The decoder is to decode an instruction for a non-posted load into a decoded instruction for loading data from memory mapped input/output. The execution unit is for executing the decoded instruction. The execution is to start a timer, determine whether the timer exceeds a timeout threshold, allocate an entry in the data return buffer for the load, and determine whether an event arrived. The timer is to measure an amount of time taken to return the non-posted load instruction. The determination whether an event arrived is made in response to at least one of the allocation of the entry for the load, or a determination that the timer exceeds the timeout threshold.
    Type: Grant
    Filed: December 22, 2016
    Date of Patent: March 5, 2019
    Assignee: Intel Corporation
    Inventors: Ido Ouziel, Raanan Sade, Jacob Doweck
  • Patent number: 10216662
    Abstract: Embodiments of systems, apparatuses, and methods for remote action handling are describe. In an embodiment, a hardware apparatus comprises: a first register to store a memory address of a payload corresponding to an action to be performed associated with a remote action request (RAR) interrupt, a second register to store a memory address of an action list accessible by a plurality of processors, and a remote action handler circuit to identify a received RAR interrupt, perform an action of the received RAR interrupt, and signal acknowledgment to an initiating processor upon completion of the action.
    Type: Grant
    Filed: September 26, 2015
    Date of Patent: February 26, 2019
    Assignee: Intel Corporation
    Inventors: Michael Mishaeli, Ido Ouziel, Baruch Chaikin, Yoav Zach
  • Publication number: 20190042671
    Abstract: Technologies are provided in embodiments including a memory element to store a payload indicating an action to be performed associated with a remote action request (RAR) and a remote action handler circuit to identify the action to be performed, where the action includes invalidating one or more entries of a translation lookaside buffer (TLB), determine that the logical processor entered an enclave mode during a prior epoch, perform one or more condition checks on control and state pages of the enclave mode, and based on results of the one or more condition checks, adjust one or more variables associated with the logical processor to simulate the logical processor re-entering the enclave mode. Specific embodiments include the remote action handler circuit to invalidate an entry of the TLB based, at least in part, on the results of the one or more condition checks.
    Type: Application
    Filed: December 16, 2017
    Publication date: February 7, 2019
    Applicant: Intel Corporation
    Inventors: Dror Caspi, Ido Ouziel
  • Publication number: 20190004973
    Abstract: In one embodiment, an apparatus comprises a processor to execute instruction(s), wherein the instructions comprise a memory access operation associated with a memory location of a memory. The apparatus further comprises a memory encryption controller to: identify the memory access operation; determine that the memory location is associated with a protected domain, wherein the protected domain is associated with a protected memory region of the memory, and wherein the protected domain is identified from a plurality of protected domains associated with a plurality of protected memory regions of the memory; identify an encryption key associated with the protected domain; perform a cryptography operation on data associated with the memory access operation, wherein the cryptography operation is performed based on the encryption key associated with the protected domain; and return a result of the cryptography operation, wherein the result is to be used for the memory access operation.
    Type: Application
    Filed: June 28, 2017
    Publication date: January 3, 2019
    Applicant: Intel Corporation
    Inventors: Siddhartha Chhabra, Hormuzd M. Khosravi, Gideon Gerzon, Barry E. Huntley, Gilbert Neiger, Ido Ouziel, Baiju Patel, Ravi L. Sahita, Amy L. Santoni, Ioannis T. Schoinas
  • Publication number: 20180181393
    Abstract: A processor includes a decoder, a data return buffer, and an execution unit. The decoder is to decode an instruction for a non-posted load into a decoded instruction for loading data from memory mapped input/output. The execution unit is for executing the decoded instruction. The execution is to start a timer, determine whether the timer exceeds a timeout threshold, allocate an entry in the data return buffer for the load, and determine whether an event arrived. The timer is to measure an amount of time taken to return the non-posted load instruction. The determination whether an event arrived is made in response to at least one of the allocation of the entry for the load, or a determination that the timer exceeds the timeout threshold.
    Type: Application
    Filed: December 22, 2016
    Publication date: June 28, 2018
    Inventors: Ido Ouziel, Raanan Sade, Jacob Doweck
  • Patent number: 9858411
    Abstract: A method comprises filtering branch trap events at a branch event filter, monitoring a branch event filter to capture indirect branch trap events that cause a control flow trap exception, receiving the indirect branch trap events at a handler and the handler processing the indirect branch trap events.
    Type: Grant
    Filed: December 19, 2014
    Date of Patent: January 2, 2018
    Assignee: INTEL CORPORATION
    Inventors: Ravi Sahita, Xiaoning Li, Barry E. Huntley, Ofer Levy, Vedvyas Shanbhogue, Yuriy Bulygin, Ido Ouziel, Michael Lemay, John M. Esper
  • Patent number: 9792222
    Abstract: Systems and methods for validating virtual address translation. An example processing system comprises: a processing core to execute a first application associated with a first privilege level and a second application associated with a second privilege level, wherein a first set of privileges associated with the first privilege level includes a second set of privileges associated with the second privilege level; and an address validation component to validate, in view of an address translation data structure maintained by the first application, a mapping of a first address defined in a first address space of the second application to a second address defined in a second address space of the second application.
    Type: Grant
    Filed: June 27, 2014
    Date of Patent: October 17, 2017
    Assignee: Intel Corporation
    Inventors: Ravi L. Sahita, Gilbert Neiger, David M. Durham, Vedvyas Shanbhogue, Michael Lemay, Ido Ouziel, Stanislav Shwartsman, Barry Huntley, Andrew V. Anderson
  • Patent number: 9690591
    Abstract: A technique to enable efficient instruction fusion within a computer system is disclosed. In one embodiment, processor logic delays the processing of a first instruction for a threshold amount of time if the first instruction within an instruction queue is fusible with a second instruction.
    Type: Grant
    Filed: October 30, 2008
    Date of Patent: June 27, 2017
    Assignee: Intel Corporation
    Inventors: Ido Ouziel, Lihu Rappoport, Robert Valentine, Ron Gabor, Pankaj Raghuvanshi
  • Publication number: 20170091128
    Abstract: Embodiments of systems, apparatuses, and methods for remote action handling are describe. In an embodiment, a hardware apparatus comprises: a first register to store a memory address of a payload corresponding to an action to be performed associated with a remote action request (RAR) interrupt, a second register to store a memory address of an action list accessible by a plurality of processors, and a remote action handler circuit to identify a received RAR interrupt, perform an action of the received RAR interrupt, and signal acknowledgment to an initiating processor upon completion of the action.
    Type: Application
    Filed: September 26, 2015
    Publication date: March 30, 2017
    Inventors: Michael Mishaeli, Ido Ouziel, Baruch Chaikin, Yoav Zach
  • Publication number: 20170003965
    Abstract: A technique to enable efficient instruction fusion within a computer system. In one embodiment, a processor logic delays the processing of a second instruction for a threshold amount of time if a first instruction within an instruction queue is fusible with the second instruction.
    Type: Application
    Filed: April 30, 2016
    Publication date: January 5, 2017
    Inventors: Ido Ouziel, Lihu Rappoport, Robert Valentine, Ron Gabor, Pankaj Raghuvanshi
  • Publication number: 20160378487
    Abstract: A technique to enable efficient instruction fusion within a computer system. In one embodiment, a processor logic delays the processing of a second instruction for a threshold amount of time if a first instruction within an instruction queue is fusible with the second instruction.
    Type: Application
    Filed: April 30, 2016
    Publication date: December 29, 2016
    Inventors: Ido Ouziel, Lihu Rappoport, Robert Valentine, Ron Gabor, Pankaj Raghuvanshi
  • Publication number: 20160246600
    Abstract: A technique to enable efficient instruction fusion within a computer system. In one embodiment, a processor logic delays the processing of a second instruction for a threshold amount of time if a first instruction within an instruction queue is fusible with the second instruction.
    Type: Application
    Filed: April 30, 2016
    Publication date: August 25, 2016
    Inventors: Ido Ouziel, Lihu Rappoport, Robert Valentine, Ron Gabor, Pankaj Raghuvanshi