Patents by Inventor Ioannis T. Schoinas
Ioannis T. Schoinas has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11907389Abstract: First data is stored. A request for the first data is received from a communication device over a link established with a communication device. An access control engine comprising circuitry is to control access to the first data to the communication device based on an authentication state of the communication device and a protection state of the link.Type: GrantFiled: May 16, 2022Date of Patent: February 20, 2024Assignee: Intel CorporationInventors: David J. Harriman, Ioannis T. Schoinas, Kapil Sood, Raghunandan Makaram, Yu-Yuan Chen
-
Publication number: 20240045968Abstract: In one embodiment, an apparatus comprises a processor to: receive a request to configure a secure execution environment for a first workload; configure a first set of secure execution enclaves for execution of the first workload, wherein the first set of secure execution enclaves is configured on a first set of processing resources, wherein the first set of processing resources comprises one or more central processing units and one or more accelerators; configure a first set of secure datapaths for communication among the first set of secure execution enclaves during execution of the first workload, wherein the first set of secure datapaths is configured over a first set of interconnect resources; configure the secure execution environment for the first workload, wherein the secure execution environment comprises the first set of secure execution enclaves and the first set of secure datapaths.Type: ApplicationFiled: October 23, 2023Publication date: February 8, 2024Applicant: Intel CorporationInventors: Kapil Sood, Ioannis T. Schoinas, Yu-Yuan Chen, Raghunandan Makaram, David J. Harriman, Baiju Patel, Ronald Perez, Matthew E. Hoekstra, Reshma Lal
-
Publication number: 20230421545Abstract: Methods, systems, and apparatuses associated with a secure stream protocol for a serial interconnect are disclosed. An apparatus comprises a first device comprising circuitry to, using an end-to-end protocol, secure a transaction in a first secure stream based at least in part on a transaction type of the transaction, where the first secure stream is separate from a second secure stream. The first device is further to send the transaction secured in the first secure stream to a second device over a link established between the first device and the second device, where the transaction is to traverse one or more intermediate devices from the first device to the second device. In more specific embodiments, the first secure stream is based on one of a posted transaction type, a non-posted transaction type, or completion transaction type.Type: ApplicationFiled: June 30, 2023Publication date: December 28, 2023Applicant: Intel CorporationInventors: Vedvyas Shanbhogue, Siddhartha Chhabra, David J. Harriman, Raghunandan Makaram, Ioannis T. Schoinas
-
Publication number: 20230315857Abstract: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, a processing device includes a memory ownership table (MOT) that is access-controlled against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to manage a trust domain (TD), maintain a trust domain control structure (TDCS) for managing global metadata for each TD, maintain an execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is access-controlled against software accesses, and reference the MOT to obtain at least one key identifier (key ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key.Type: ApplicationFiled: April 5, 2023Publication date: October 5, 2023Inventors: Ravi L. Sahita, Baiju V. Patel, Barry E. Huntley, Gilbert Neiger, Hormuzd M. Khosravi, Ido Ouziel, David M. Durham, Ioannis T. Schoinas, Siddhartha Chhabra, Carlos V. Rozas, Gideon Gerzon
-
Patent number: 11775447Abstract: In one embodiment, an apparatus comprises a processor to read a data line from memory in response to a read request from a VM. The data line comprises encrypted memory data. The apparatus also comprises a memory encryption circuit in the processor. The memory encryption circuit is to use an address of the read request to select an entry from a P2K table; obtain a key identifier from the selected entry of the P2K table; use the key identifier to select a key for the read request; and use the selected key to decrypt the encrypted memory data into decrypted memory data. The processor is further to make the decrypted memory data available to the VM. The P2K table comprises multiple entries, each comprising (a) a key identifier for a page of memory and (b) an encrypted address for that page of memory. Other embodiments are described and claimed.Type: GrantFiled: October 12, 2021Date of Patent: October 3, 2023Assignee: Intel CorporationInventors: David M. Durham, Siddhartha Chhabra, Amy L. Santoni, Gilbert Neiger, Barry E. Huntley, Hormuzd M. Khosravi, Baiju V. Patel, Ravi L. Sahita, Gideon Gerzon, Ido Ouziel, Ioannis T. Schoinas, Rajesh M. Sankaran
-
Patent number: 11743240Abstract: Methods, systems, and apparatuses associated with a secure stream protocol for a serial interconnect are disclosed. An apparatus comprises a first device comprising circuitry to, using an end-to-end protocol, secure a transaction in a first secure stream based at least in part on a transaction type of the transaction, where the first secure stream is separate from a second secure stream. The first device is further to send the transaction secured in the first secure stream to a second device over a link established between the first device and the second device, where the transaction is to traverse one or more intermediate devices from the first device to the second device. In more specific embodiments, the first secure stream is based on one of a posted transaction type, a non-posted transaction type, or completion transaction type.Type: GrantFiled: June 18, 2019Date of Patent: August 29, 2023Assignee: Intel CorporationInventors: Vedvyas Shanbhogue, Siddhartha Chhabra, David J. Harriman, Raghunandan Makaram, Ioannis T. Schoinas
-
Patent number: 11687654Abstract: Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, a processing device includes a memory ownership table (MOT) that is access-controlled against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to manage a trust domain (TD), maintain a trust domain control structure (TDCS) for managing global metadata for each TD, maintain an execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is access-controlled against software accesses, and reference the MOT to obtain at least one key identifier (key ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key.Type: GrantFiled: September 15, 2017Date of Patent: June 27, 2023Assignee: Intel CorporationInventors: Ravi L. Sahita, Baiju V. Patel, Barry E. Huntley, Gilbert Neiger, Hormuzd M. Khosravi, Ido Ouziel, David M. Durham, Ioannis T. Schoinas, Siddhartha Chhabra, Carlos V. Rozas, Gideon Gerzon
-
Patent number: 11658947Abstract: A protected link between a first computing device and a second computing device is set up, wherein communication over the protected link is to comply with a communication protocol that allows packets to be reordered during transit. A plurality of packets are generated according to a packet format that ensures the plurality of packets will not be reordered during transmission over the protected link, the plurality of packets comprising a first packet and a second packet. Data of the plurality of packets are encrypted for transmission over the protected link, wherein data of the first packet is encrypted based on the cryptographic key and a first value of a counter and data of the second packet is encrypted based on the cryptographic key and a second value of the counter.Type: GrantFiled: July 7, 2021Date of Patent: May 23, 2023Assignee: Intel CorporationInventors: David J. Harriman, Raghunandan Makaram, Ioannis T. Schoinas, Kapil Sood, Yu-Yuan Chen, Vedvyas Shanbhogue, Siddhartha Chhabra, Reshma Lal, Reouven Elbaz
-
Publication number: 20220350912Abstract: First data is stored. A request for the first data is received from a communication device over a link established with a communication device. An access control engine comprising circuitry is to control access to the first data to the communication device based on an authentication state of the communication device and a protection state of the link.Type: ApplicationFiled: May 16, 2022Publication date: November 3, 2022Applicant: Intel CorporationInventors: David J. Harriman, Ioannis T. Schoinas, Kapil Sood, Raghunandan Makaram, Yu-Yuan Chen
-
Patent number: 11403005Abstract: There is disclosed a microprocessor, including: a processing core; and a total memory encryption (TME) engine to provide TME for a first trust domain (TD), and further to: allocate a block of physical memory to the first TD and a first cryptographic key to the first TD; map within an extended page table (EPT) a host physical address (HPA) space to a guest physical address (GPA) space of the TD; create a memory ownership table (MOT) entry for a memory page within the block of physical memory, wherein the MOT table comprises a GPA reverse mapping; encrypt the MOT entry using the first cryptographic key; and append to the MOT entry verification data, wherein the MOT entry verification data enables detection of an attack on the MOT entry.Type: GrantFiled: September 29, 2017Date of Patent: August 2, 2022Assignee: Intel CorporationInventors: David M. Durham, Ravi L. Sahita, Vedvyas Shanbhogue, Barry E. Huntley, Baiju Patel, Gideon Gerzon, Ioannis T. Schoinas, Hormuzd M. Khosravi, Siddhartha Chhabra, Carlos V. Rozas
-
Patent number: 11361093Abstract: First data is stored. A request for the first data is received from a communication device over a link established with a communication device. An access control engine comprising circuitry is to control access to the first data to the communication device based on an authentication state of the communication device and a protection state of the link.Type: GrantFiled: March 27, 2019Date of Patent: June 14, 2022Assignee: Intel CorporationInventors: David J. Harriman, Ioannis T. Schoinas, Kapil Sood, Raghunandan Makaram, Yu-Yuan Chen
-
Publication number: 20220094553Abstract: In one example, a system for managing encrypted memory comprises a processor to store a first MAC based on data stored in system memory in response to a write operation to the system memory. The processor can also detect a read operation corresponding to the data stored in the system memory, calculate a second MAC based on the data retrieved from the system memory, determine that the second MAC does not match the first MAC, and recalculate the second MAC with a correction operation, wherein the correction operation comprises an XOR operation based on the data retrieved from the system memory and a replacement value for a device of the system memory. Furthermore, the processor can decrypt the data stored in the system memory in response to detecting the recalculated second MAC matches the first MAC and transmit the decrypted data to cache thereby correcting memory errors.Type: ApplicationFiled: December 6, 2021Publication date: March 24, 2022Applicant: Intel CorporationInventors: David M. Durham, Rajat Agarwal, Siddhartha Chhabra, Sergej Deutsch, Karanvir S. Grewal, Ioannis T. Schoinas
-
Publication number: 20220043757Abstract: In one embodiment, an apparatus comprises a processor to read a data line from memory in response to a read request from a VM. The data line comprises encrypted memory data. The apparatus also comprises a memory encryption circuit in the processor. The memory encryption circuit is to use an address of the read request to select an entry from a P2K table; obtain a key identifier from the selected entry of the P2K table; use the key identifier to select a key for the read request; and use the selected key to decrypt the encrypted memory data into decrypted memory data. The processor is further to make the decrypted memory data available to the VM. The P2K table comprises multiple entries, each comprising (a) a key identifier for a page of memory and (b) an encrypted address for that page of memory. Other embodiments are described and claimed.Type: ApplicationFiled: October 12, 2021Publication date: February 10, 2022Inventors: David M. Durham, Siddhartha Chhabra, Amy L. Santoni, Gilbert Neiger, Barry E. Huntley, Hormuzd M. Khosravi, Baiju V. Patel, Ravi L. Sahita, Gideon Gerzon, Ido Ouziel, Ioannis T. Schoinas, Rajesh M. Sankaran
-
Publication number: 20220019667Abstract: In one embodiment, an apparatus comprises a processor to: receive a request to configure a secure execution environment for a first workload; configure a first set of secure execution enclaves for execution of the first workload, wherein the first set of secure execution enclaves is configured on a first set of processing resources, wherein the first set of processing resources comprises one or more central processing units and one or more accelerators; configure a first set of secure datapaths for communication among the first set of secure execution enclaves during execution of the first workload, wherein the first set of secure datapaths is configured over a first set of interconnect resources; configure the secure execution environment for the first workload, wherein the secure execution environment comprises the first set of secure execution enclaves and the first set of secure datapaths.Type: ApplicationFiled: June 22, 2021Publication date: January 20, 2022Applicant: Intel CorporationInventors: Kapil Sood, Ioannis T. Schoinas, Yu-Yuan Chen, Raghunandan Makaram, David J. Harriman, Baiju Patel, Ronald Perez, Matthew E. Hoekstra, Reshma Lal
-
Patent number: 11196565Abstract: In one example, a system for managing encrypted memory comprises a processor to store a first MAC based on data stored in system memory in response to a write operation to the system memory. The processor can also detect a read operation corresponding to the data stored in the system memory, calculate a second MAC based on the data retrieved from the system memory, determine that the second MAC does not match the first MAC, and recalculate the second MAC with a correction operation, wherein the correction operation comprises an XOR operation based on the data retrieved from the system memory and a replacement value for a device of the system memory. Furthermore, the processor can decrypt the data stored in the system memory in response to detecting the recalculated second MAC matches the first MAC and transmit the decrypted data to cache thereby correcting memory errors.Type: GrantFiled: November 20, 2019Date of Patent: December 7, 2021Assignee: INTEL CORPORATIONInventors: David M. Durham, Rajat Agarwal, Siddhartha Chhabra, Sergej Deutsch, Karanvir S. Grewal, Ioannis T. Schoinas
-
Patent number: 11176059Abstract: In one embodiment, an apparatus comprises a processor to read a data line from memory in response to a read request from a VM. The data line comprises encrypted memory data. The apparatus also comprises a memory encryption circuit in the processor. The memory encryption circuit is to use an address of the read request to select an entry from a P2K table; obtain a key identifier from the selected entry of the P2K table; use the key identifier to select a key for the read request; and use the selected key to decrypt the encrypted memory data into decrypted memory data. The processor is further to make the decrypted memory data available to the VM. The P2K table comprises multiple entries, each comprising (a) a key identifier for a page of memory and (b) an encrypted address for that page of memory. Other embodiments are described and claimed.Type: GrantFiled: March 27, 2020Date of Patent: November 16, 2021Assignee: Intel CorporationInventors: David M. Durham, Siddhartha Chhabra, Amy L. Santoni, Gilbert Neiger, Barry E. Huntley, Hormuzd M. Khosravi, Baiju V. Patel, Ravi L. Sahita, Gideon Gerzon, Ido Ouziel, Ioannis T. Schoinas, Rajesh M. Sankaran
-
Publication number: 20210344653Abstract: A protected link between a first computing device and a second computing device is set up, wherein communication over the protected link is to comply with a communication protocol that allows packets to be reordered during transit. A plurality of packets are generated according to a packet format that ensures the plurality of packets will not be reordered during transmission over the protected link, the plurality of packets comprising a first packet and a second packet. Data of the plurality of packets are encrypted for transmission over the protected link, wherein data of the first packet is encrypted based on the cryptographic key and a first value of a counter and data of the second packet is encrypted based on the cryptographic key and a second value of the counter.Type: ApplicationFiled: July 7, 2021Publication date: November 4, 2021Applicant: Intel CorporationInventors: David J. Harriman, Raghunandan Makaram, Ioannis T. Schoinas, Kapil Sood, Yu-Yuan Chen, Vedvyas Shanbhogue, Siddhartha Chhabra, Reshma Lal, Reouven Elbaz
-
Patent number: 11100023Abstract: In one example, a semiconductor die includes a plurality of agents and a fabric coupled to at least some of the plurality of agents. The fabric may include at least one router to provide communication between two or more of the plurality of agents, the at least one router coupled to a first agent of the plurality of agents, where the first agent is to send a first message to the at least one router, the first message comprising a first header including a first source identifier, and the at least one router is to validate that the first source identifier is associated with the first agent and if so to direct the first message towards a destination agent, and otherwise to prevent the first message from being directed towards the destination agent. Other embodiments are described and claimed.Type: GrantFiled: September 28, 2017Date of Patent: August 24, 2021Assignee: Intel CorporationInventors: Ruirui Huang, Nilanjan Palit, Robert P. Adler, Ioannis T. Schoinas, Avishay Snir, Boris Dolgunov
-
Publication number: 20210224202Abstract: In one embodiment, an apparatus comprises a processor to execute instruction(s), wherein the instructions comprise a memory access operation associated with a memory location of a memory. The apparatus further comprises a memory encryption controller to: identify the memory access operation; determine that the memory location is associated with a protected domain, wherein the protected domain is associated with a protected memory region of the memory, and wherein the protected domain is identified from a plurality of protected domains associated with a plurality of protected memory regions of the memory; identify an encryption key associated with the protected domain; perform a cryptography operation on data associated with the memory access operation, wherein the cryptography operation is performed based on the encryption key associated with the protected domain; and return a result of the cryptography operation, wherein the result is to be used for the memory access operation.Type: ApplicationFiled: April 5, 2021Publication date: July 22, 2021Inventors: Siddhartha Chhabra, Hormuzd M. Khosravi, Gideon Gerzon, Barry E. Huntley, Gilbert Neiger, Ido Ouziel, Baiju Patel, Ravi L. Sahita, Amy L. Santoni, Ioannis T. Schoinas
-
Patent number: 11070527Abstract: A protected link between a first computing device and a second computing device is set up, wherein communication over the protected link is to comply with a communication protocol that allows packets to be reordered during transit. A plurality of packets are generated according to a packet format that ensures the plurality of packets will not be reordered during transmission over the protected link, the plurality of packets comprising a first packet and a second packet. Data of the plurality of packets are encrypted for transmission over the protected link, wherein data of the first packet is encrypted based on the cryptographic key and a first value of a counter and data of the second packet is encrypted based on the cryptographic key and a second value of the counter.Type: GrantFiled: April 1, 2019Date of Patent: July 20, 2021Assignee: Intel CorporationInventors: David J. Harriman, Raghunandan Makaram, Ioannis T. Schoinas, Kapil Sood, Yu-Yuan Chen, Vedvyas Shanbhogue, Siddhartha Chhabra, Reshma Lal, Reouven Elbaz