Patents by Inventor Jiewen Yao

Jiewen Yao has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240320322
    Abstract: Systems, methods, and apparatuses for implementing a trusted execution environment security manager are described. In one example, hardware processor includes a hardware processor core comprising a trust domain manager to manage one or more hardware isolated virtual machines as a respective trust domain, a coupling between the hardware processor core and an input/output device, and a secure startup service circuit separate from the trust domain manager to, in response to a request from the trust domain manager, generate a secure communication session between the trust domain manager and the input/output device.
    Type: Application
    Filed: December 20, 2021
    Publication date: September 26, 2024
    Inventors: Jiewen Yao, Vedvyas Shanbhogue, Ravi Sahita
  • Publication number: 20240168754
    Abstract: An embodiment of a semiconductor package apparatus may include technology to determine version information for a new firmware component, read dependency information corresponding to the firmware component, and determine if dependency is satisfied between the new firmware component and one or more other firmware components based on the version information and the dependency information of the new firmware component. Other embodiments are disclosed and claimed.
    Type: Application
    Filed: November 29, 2023
    Publication date: May 23, 2024
    Applicant: Intel Corporation
    Inventors: Vincent Zimmer, Jiewen Yao
  • Patent number: 11875147
    Abstract: An embodiment of a semiconductor package apparatus may include technology to determine version information for a new firmware component, read dependency information corresponding to the firmware component, and determine if dependency is satisfied between the new firmware component and one or more other firmware components based on the version information and the dependency information of the new firmware component. Other embodiments are disclosed and claimed.
    Type: Grant
    Filed: August 26, 2021
    Date of Patent: January 16, 2024
    Assignee: Intel Corporation
    Inventors: Vincent Zimmer, Jiewen Yao
  • Publication number: 20230289433
    Abstract: Systems, methods, and apparatuses for implementing device security manager architecture for trusted execution environment input/output (TEE-IO) capable system-on-a-chip integrated devices are described. In one example, a system includes a hardware processor core configurable to implement a trust domain manager to manage one or more virtual machines as a respective trust domain isolated from a virtual machine monitor, and an input/output device coupled to the hardware processor core and comprising a device security manager circuit, wherein the device security manager circuit is to, in response to an trusted request from the trust domain manager to a control interface of the device security manager circuit, access a state of a trusted device interface of the input/output device for a trust domain of the trust domain manager, and provide a corresponding response to the trust domain manager.
    Type: Application
    Filed: January 13, 2023
    Publication date: September 14, 2023
    Inventors: Utkarsh Y. Kakaiya, Jiewen Yao
  • Publication number: 20230013235
    Abstract: A system management mode (SMM) runtime resiliency manager (SRM) augments computing resource protection policies provided by an SMM policy shim The SMM shim protects system resources by deprivileging system management interrupt (SMI) handlers to a lower level of privilege (e.g., ring 3 privilege) and by configuring page tables and register bitmaps (e.g., I/O, MSR, and Save State register bitmaps). SRM capabilities include protecting the SMM shim, updating the SMM shim, protecting a computing system during SMM shim update, detecting SMM attacks, and recovering attacked or faulty SMM components.
    Type: Application
    Filed: March 24, 2022
    Publication date: January 19, 2023
    Applicant: Intel Corporation
    Inventors: Jiewen Yao, Vincent Zimmer
  • Publication number: 20220179961
    Abstract: Various embodiments provide apparatuses, systems, and methods for establishing, by a data object exchange (DOE entity) of a peripheral component interconnect express (PCIe) device, a first session for communication between a first host entity of a host device and a first PCIe entity of the PCIe device, and a second session for communication between a second host entity of the host device and a second PCIe entity of the PCIe device. The first session may have a first security policy and be a session of a first connection between the PCIe device and the host device. The second session may have a second security policy and be a session of a second connection between the PCIe device and the host device. Other embodiments may be described and claimed.
    Type: Application
    Filed: January 14, 2022
    Publication date: June 9, 2022
    Inventors: Jiewen YAO, David HARRIMAN, Xiaoyu RUAN, Mahesh NATU
  • Patent number: 11354417
    Abstract: A disclosed example apparatus includes memory; and at least one processor to execute first instructions, the first instructions obtained from first encrypted firmware, the at least one processor to: encrypt handoff data with an original equipment manufacturer key to generate encrypted handoff data; decrypt second encrypted firmware based on the original equipment manufacturer key to generate second instructions; and provide access to the encrypted handoff data to the second instructions, the second instructions to perform initialization of a computer based on the handoff data obtained from the encrypted handoff data.
    Type: Grant
    Filed: January 4, 2021
    Date of Patent: June 7, 2022
    Assignee: McAfee, LLC
    Inventors: Jiewen Yao, Rangasai V. Chaganty, Xiang Ma, Ravi Poovalur Rangarajan, Rajesh Poornachandran, Nivedita Aggarwal, Giri P. Mudusuru, Vincent J. Zimmer, Satya P. Yarlagadda, Amy Chan, Sudeep Das
  • Patent number: 11249748
    Abstract: An embodiment of a semiconductor package apparatus may include technology to determine version information for a new firmware component, read dependency information corresponding to the firmware component, and determine if dependency is satisfied between the new firmware component and one or more other firmware components based on the version information and the dependency information of the new firmware component. Other embodiments are disclosed and claimed.
    Type: Grant
    Filed: September 27, 2017
    Date of Patent: February 15, 2022
    Assignee: Intel Corporation
    Inventors: Vincent Zimmer, Jiewen Yao
  • Publication number: 20210389944
    Abstract: An embodiment of a semiconductor package apparatus may include technology to determine version information for a new firmware component, read dependency information corresponding to the firmware component, and determine if dependency is satisfied between the new firmware component and one or more other firmware components based on the version information and the dependency information of the new firmware component. Other embodiments are disclosed and claimed.
    Type: Application
    Filed: August 26, 2021
    Publication date: December 16, 2021
    Applicant: Intel Corporation
    Inventors: Vincent Zimmer, Jiewen Yao
  • Publication number: 20210365559
    Abstract: Methods and apparatus for seamless system management mode (SMM) code injection. A code injection listener is installed in BIOS during booting of the computer system or platform. During operating system (OS) runtime operation a secure execution mode code injection image comprising injected code is received and delivered to the BIOS. The processor execution mode is switched to a secure execution mode such as SMM, and while in the secure execution mode the injected code is accessed and executed on the processor to effect one or more changes such as patching processor microcode, a profile or policy reconfiguration, and a security fix. The solution enables platform changes to be effected during OS runtime without having to reboot the system.
    Type: Application
    Filed: August 2, 2021
    Publication date: November 25, 2021
    Inventors: Sarathy Jayakumar, Jiewen Yao, Murugasamy Nachimuthu, Ruixia Li, Siyuan Fu, Chuan SONG, Wei Xu
  • Patent number: 11068276
    Abstract: The present disclosure is directed to controlled customization of silicon initialization. A device may comprise, for example, a boot module including a memory on which boot code is stored, the boot code including at least an initial boot block (IBB) module that is not customizable and a global platform database (GPD) module including customizable data. The IBB module may include a pointer indicating GPD module location. The customizable data may comprise configurable parameters and simple configuration language (SCL) to cause the device to execute at least one logical operation during execution of the boot code. The GPD module may further comprise a pointer indicating SCL location. The boot code may be executed upon activation of the device, which may cause the IBB module to load an interpreter for executing the SCL. The interpreter may also verify access request operations in the SCL are valid before executing the access request operations.
    Type: Grant
    Filed: June 4, 2019
    Date of Patent: July 20, 2021
    Assignee: Intel Corporation
    Inventors: Jiewen Yao, Vincent Zimmer, Nicholas Adams, Willard Wiseman, Giri Mudusuru, Nuo Zhang
  • Publication number: 20210208869
    Abstract: System, method, and instructions for providing system management mode (SMM) runtime telemetry support. An SMM Telemetry Service component is responsible for collecting telemetry information from other SMM components, as well as exposing the information to non-firmware component on request. The SMM Telemetry Service collects telemetry information produced by an SMM Runtime Update handler and other SMM drivers and exposes the telemetry information at runtime to an upper layer OS consumer or management unit (e.g., BMC, CSME, etc.). Since the SMM Telemetry Service is a standalone module and independent of other SMM service(s), the service is available even during a runtime SMM Driver Update. The embodiments also disclose a mechanism for managing a shared telemetry data region that can be accessed by the data producer (SMM components) and consumer (non-SMM components), without introducing additional SMI that affects system performance.
    Type: Application
    Filed: March 23, 2021
    Publication date: July 8, 2021
    Inventors: Murugasamy K. NACHIMUTHU, Ruixia LI, Siyuan FU, Jiewen YAO, Wei XU
  • Publication number: 20210124829
    Abstract: A disclosed example apparatus includes memory; and at least one processor to execute first instructions, the first instructions obtained from first encrypted firmware, the at least one processor to: encrypt handoff data with an original equipment manufacturer key to generate encrypted handoff data; decrypt second encrypted firmware based on the original equipment manufacturer key to generate second instructions; and provide access to the encrypted handoff data to the second instructions, the second instructions to perform initialization of a computer based on the handoff data obtained from the encrypted handoff data.
    Type: Application
    Filed: January 4, 2021
    Publication date: April 29, 2021
    Inventors: Jiewen Yao, Rangasai V. Chaganty, Xiang Ma, Ravi Poovalur Rangarajan, Rajesh Poornachandran, Nivedita Aggarwal, Giri P. Mudusuru, Vincent J. Zimmer, Satya P. Yarlagadda, Amy Chan, Sudeep Das
  • Patent number: 10885199
    Abstract: A pre-boot initialization technique for a computing system allows for encrypting both a manufacturer and original equipment manufacturer firmware routines, as well as handing off data between the manufacturer and original equipment manufacturer firmware routines encrypted with a key provisioned in field programmable fuses with an original equipment manufacturer key. By encrypting the firmware routines and handoff data, security of the pre-boot initialization process is enhanced. Original equipment manufacturer updatable product data may also be encrypted with the original equipment manufacturer key. Additional security may be provided by using trusted input/output capabilities of a trusted execution environment to display information to and receive information from a user. Furthermore, multiple secure phases of configuration may be achieved using wireless credentials exchange components.
    Type: Grant
    Filed: September 26, 2016
    Date of Patent: January 5, 2021
    Assignee: McAfee, LLC
    Inventors: Jiewen Yao, Rangasai V. Chaganty, Xiang Ma, Ravi Poovalur Rangarajan, Rajesh Poornachandran, Nivedita Aggarwal, Giri P. Mudusuru, Vincent J. Zimmer, Satya P. Yarlagadda, Amy Chan, Sudeep Das
  • Publication number: 20200387611
    Abstract: Malicious attacks have moved from higher level virus attacks on software and data files operating on a device, to subverting the firmware underlying the device, where the firmware will compromise operation of the device even after attempts to remove the virus, unwanted programs, or other activity due to the subversion. If the firmware is compromised then even a clean reinstall of all software and/or services on the device may only result in a clean device that is then subsequently compromised again. Although device manufacturers may update a firmware to remove the vulnerability, there remains a problem in getting users to actually perform the update. To facilitate device security, a database or databases of firmware may be maintained where their status of vulnerable (bad) or not (good) is maintained and various options are presented for scanning firmware for vulnerabilities, out of band or manually, and pulling/pushing updates as desired to automatically update a device or prompt a user for updating.
    Type: Application
    Filed: December 22, 2017
    Publication date: December 10, 2020
    Inventors: Jiewen YAO, Vincent J. ZIMMER
  • Publication number: 20200310788
    Abstract: An embodiment of a semiconductor package apparatus may include technology to determine version information for a new firmware component, read dependency information corresponding to the firmware component, and determine if dependency is satisfied between the new firmware component and one or more other firmware components based on the version information and the dependency information of the new firmware component. Other embodiments are disclosed and claimed.
    Type: Application
    Filed: September 27, 2017
    Publication date: October 1, 2020
    Applicant: Intel Corporation
    Inventors: Vincent Zimmer, Jiewen Yao
  • Patent number: 10747884
    Abstract: Techniques for providing and maintaining protection of firmware routines that form part of a chain of trust through successive processing environments. An apparatus may include a first processor component (550); a volatile storage (562) coupled to the first processor component; an enclave component to, in a pre-OS operating environment, generate a secure enclave within a portion of the volatile storage to restrict access to a secured firmware loaded into the secure enclave; a first firmware driver (646) to, in the pre-OS operating environment, provide a first API to enable unsecured firmware to call a support routine of the secured firmware from outside the secure enclave; and a second firmware driver (647) to, in an OS operating environment that replaces the pre-OS operating environment, provide a second API to enable an OS of the OS operating environment to call the support routine from outside the secure enclave.
    Type: Grant
    Filed: December 24, 2015
    Date of Patent: August 18, 2020
    Assignee: INTEL CORPORATION
    Inventors: Jiewen Yao, Vincent J. Zimmer, Wei Li, Rajesh Poornachandran, Giri P. Mudusuru
  • Patent number: 10664573
    Abstract: Apparatuses, methods and storage media associated with managing a computing platform in view of an expiration date are described herein. In embodiments, an apparatus may include a computing platform that includes one or more processors to execute applications; and a trusted execution environment that includes a tamper-proof storage to store an expiration date of the computing platform, and a firmware module to be operated in a secure system management mode to regulate operation of the computing platform in view of at least whether a current date is earlier than the expiration date. Other embodiments may be described or claimed.
    Type: Grant
    Filed: June 17, 2015
    Date of Patent: May 26, 2020
    Assignee: Intel Corporation
    Inventors: Jiewen Yao, Vincent J. Zimmer, Rajesh Poornachandran
  • Patent number: 10635607
    Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to improve boot efficiency. An example apparatus includes a firmware support package (FSP) configuration engine to retrieve an FSP reset (FSP-R) component from a platform memory, a firmware interface table (FIT) manager to assign an entry to a FIT for the FSP-R component and assign respective entries to the FIT for auxiliary FSP components, and an FSP configuration engine to transfer platform control to the FSP-R component to control execution of the auxiliary FSP components in response to a platform reset vector.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: April 28, 2020
    Assignee: Intel Corporation
    Inventors: Rangasai V. Chaganty, Vincent Zimmer, Satya P. Yarlagadda, Giri P. Mudusuru, Jiewen Yao, Xiang Ma, Ravi Rangarajan
  • Publication number: 20190370470
    Abstract: A pre-boot initialization technique for a computing system allows for encrypting both a manufacturer and original equipment manufacturer firmware routines, as well as handing off data between the manufacturer and original equipment manufacturer firmware routines encrypted with a key provisioned in field programmable fuses with an original equipment manufacturer key. By encrypting the firmware routines and handoff data, security of the pre-boot initialization process is enhanced. Original equipment manufacturer updatable product data may also be encrypted with the original equipment manufacturer key. Additional security may be provided by using trusted input/output capabilities of a trusted execution environment to display information to and receive information from a user. Furthermore, multiple secure phases of configuration may be achieved using wireless credentials exchange components.
    Type: Application
    Filed: September 26, 2016
    Publication date: December 5, 2019
    Inventors: Jiewen Yao, Rangasai V. Chaganty, Xiang Ma, Ravi Poovalur Rangarajan, Rajesh Poornachandran, Nivedita Aggarwal, Giri P. Mudusuru, Vincent J. Zimmer, Satya P. Yarlagadda, Amy Chan, Sudeep Das