Patents by Inventor Jonathan D. Bradbury
Jonathan D. Bradbury has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12079658Abstract: A conversion operation is performed which includes a plurality of conversion actions. A conversion action includes processing an instruction to convert selected data from a source data type to a target data type. The processing includes determining whether a data type indicated using the instruction is a valid data type for a select machine. The data type is a selected data type selected from the source data type or the target data type. The selected data is converted from the source data type to the target data type, based on determining that the data type is a valid data type for the select machine. An indicator is set to a select value to indicate the data type is an invalid data type, based on determining that the data type is an invalid data type for the select machine. The indicator is checked at an end of the conversion operation.Type: GrantFiled: June 17, 2021Date of Patent: September 3, 2024Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Jonathan D. Bradbury, Laith M. AlBarakat, Timothy Slegel, Andrew M. Sica
-
Patent number: 12050700Abstract: A method, computer program product, and a system where a secure interface control determines functionality of a secure guest based on metadata. The secure interface control (“SC”) obtains metadata linked to an image of a secure guest to be started by an owner and managed by the hypervisor, where the metadata comprises control(s) that indicate whether a secure guest generated with the image is permitted to obtain a response to a particular request. The SC intercepts, from the secure guest generated with the image, during runtime, a request. The SC determines, based on the control(s), if the secure guest is permitted to obtain a response to the request. If permitted, the SC commences fulfillment of the request, within the computing system. If not permitted, the SC ignores the request.Type: GrantFiled: March 30, 2022Date of Patent: July 30, 2024Assignee: International Business Machines CorporationInventors: Reinhard T. Buendgen, Jonathan D. Bradbury
-
Patent number: 12019772Abstract: At least one request to store diagnostic state of a virtual machine is obtained. Based on obtaining the at least one request, a store of diagnostic state of the virtual machine is performed to provide stored diagnostic state of the virtual machine. The performing the store includes encrypting the diagnostic state of the virtual machine that is unencrypted and being stored to prevent a reading of the diagnostic state of the virtual machine by an untrusted entity prior to encrypting the diagnostic state of the virtual machine that is unencrypted and being stored.Type: GrantFiled: September 14, 2021Date of Patent: June 25, 2024Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Jonathan D. Bradbury, Torsten Hendel, Reinhard Theodor Buendgen, Claudio Imbrenda, Christian Borntraeger, Janosch Andreas Frank
-
Patent number: 12020059Abstract: A virtual machine is dispatched and based on the dispatch, a determination is made as to whether a select area of memory expected to be accessible to the virtual machine and used in communication between the virtual machine and an operating system is accessible to the virtual machine. Based on determining that the select area of memory is inaccessible to the virtual machine, virtual machine execution is exited with a select interception code.Type: GrantFiled: August 30, 2021Date of Patent: June 25, 2024Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Fadi Y. Busaba, Lisa Cranton Heller, Janosch Andreas Frank, Christian Borntraeger, Jonathan D. Bradbury
-
Publication number: 20240176634Abstract: A computer-implemented method for personalizing a secure guest instance from a generic boot image using trusted firmware that maintains metadata of the secure guest instance is disclosed. The method comprises passing a request structure from the secure guest instance to the trusted firmware for modifying the metadata of the secure guest instance and to establish at least one retrievable secret in the metadata of the secure guest instance that is specific to the secure guest instance, verifying, by the trusted firmware, the request structure and upon success modifying the metadata as specified by the request structure, retrieving, by the secure guest instance, a secret object derived from the retrievable secret from the trusted firmware, and using, by the secure guest instance, the retrieved secret object to personalize the secure guest instance.Type: ApplicationFiled: February 1, 2023Publication date: May 30, 2024Inventors: Reinhard Theodor Buendgen, Viktor Mihajlovski, Jonathan D. Bradbury
-
Publication number: 20240176870Abstract: A method, system, and computer program product implement a three-factor authorization in a trusted computing environment. The method includes triggering, by a hypervisor, a start of a secure guest by passing control regarding an image of the secure guest and metadata of the secure guest to a trusted firmware, where the secure guest is designed to access a hardware security module (HSM). Upon a successful integrity check of the metadata of the secure guest by the trusted firmware, the secure guest is started using the hypervisor and any sensitive request from the secure guest to the HSM is blocked. The secure guest submits a request with a request structure including a third authorization secret and a characterization of a requested HSM to the trusted firmware. The method also includes binding each HSM protected key generated in the requested HSM in response to the request to the third authorization secret.Type: ApplicationFiled: January 25, 2023Publication date: May 30, 2024Inventors: Reinhard Theodor Buendgen, Jonathan D. Bradbury
-
Publication number: 20240176913Abstract: A method for a policy-based association of a hardware security module to a secure guest is disclosed. The method comprises maintaining a binding between a secure guest and an HSM. Thereby, the binding enables the trusted guest to send only non-sensitive request to the HSM. The method comprises further maintaining, for a secure guest, a pair of a secret and a secret name, submitting a query to the bound HSM for obtaining HSM configuration data, and upon determining that the obtained HSM configuration data match a rule available to the secure guest, wherein the rule associates the HSM to a secret name, requesting to associate the secret from the pair of secret and the secret name to the bound HSM, thereby triggering that the trusted firmware allows the secure guest to submit a sensitive crypto-request to the bound and associated HSM.Type: ApplicationFiled: January 25, 2023Publication date: May 30, 2024Inventors: Reinhard Theodor Buendgen, Viktor Mihajlovski, Jonathan D. Bradbury, Harald Freudenberger, Steffen Eiden, Volker Urban, Eric David Rossman
-
Patent number: 11829495Abstract: A secure guest of a computing environment requests confidential data. The confidential data is included in metadata of the secure guest, which is stored in a trusted execution environment of the computing environment. Based on the request, the confidential data is obtained from the metadata of the secure guest that is stored in the trusted execution environment.Type: GrantFiled: August 5, 2021Date of Patent: November 28, 2023Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Jonathan D. Bradbury, Reinhard Theodor Buendgen, Janosch Andreas Frank, Marc Hartmayer, Viktor Mihajlovski
-
Patent number: 11809607Abstract: A trusted execution environment obtains a secure guest image and metadata to be used to start a secure guest. The metadata includes multiple parts and a plurality of integrity measures. A first part of the metadata includes one or more integrity measures of the plurality of integrity measures, and a second part of the metadata includes customized confidential data of the secure guest and one or more other integrity measures of the plurality of integrity measures. The trusted execution environment is used to verify at least one select part of the metadata using at least one integrity measure of the plurality of integrity measures of the metadata. Based on successful verification of the at least one select part of the metadata, the trusted execution environment starts the secure guest using the secure guest image and at least a portion of the metadata.Type: GrantFiled: August 5, 2021Date of Patent: November 7, 2023Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Reinhard Theodor Buendgen, Jonathan D. Bradbury
-
Patent number: 11797270Abstract: An indication of a function to be executed is obtained, in which the function is one function of an instruction and configured to perform multiple operations. A determination is made of an operation of the multiple operations to be performed, and a set of function-specific parameters is validated using a set of values and a corresponding set of relationships. The set of values and corresponding set of relationships are based on the operation to be performed. One set of values and corresponding set of relationships are to be used for the operation to be performed, and another set of values and corresponding set of relationships are to be used for another operation of the multiple operations.Type: GrantFiled: June 17, 2021Date of Patent: October 24, 2023Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Cedric Lichtenau, Jonathan D. Bradbury, Laith M. AlBarakat
-
Patent number: 11762659Abstract: An input/output store instruction is handled. A data processing system includes a system nest communicatively coupled to at least one input/output bus by an input/output bus controller. The data processing system further includes at least a data processing unit including a core, system firmware and an asynchronous core-nest interface. The data processing unit is communicatively coupled to the system nest via an aggregation buffer. The system nest is configured to asynchronously load from and/or store data to an external device which is communicatively coupled to the input/output bus. The data processing unit is configured to complete the input/output store instruction before an execution of the input/output store instruction in the system nest is completed.Type: GrantFiled: September 21, 2021Date of Patent: September 19, 2023Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Christoph Raisch, Marco Kraemer, Frank Siegfried Lehnert, Matthias Klein, Jonathan D. Bradbury, Christian Jacobi, Brenton Belmar, Peter Dana Driever
-
Patent number: 11734013Abstract: An exception summary is provided for an invalid value detected during instruction execution. An indication that a value determined to be invalid was included in input data to a computation of one or more computations or in output data resulting from the one or more computations is obtained. The value is determined to be invalid due to one exception of a plurality of exceptions. Based on obtaining the indication that the value is determined to be invalid, a summary indicator is set. The summary indicator represents the plurality of exceptions collectively.Type: GrantFiled: June 17, 2021Date of Patent: August 22, 2023Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Laith M. AlBarakat, Jonathan D. Bradbury, Timothy Slegel, Cedric Lichtenau, Joachim von Buttlar
-
Patent number: 11687655Abstract: A method, computer program product, and a system where a secure interface control determines whether an instance of a secure guest image can execute based on metadata. The secure interface control (“SC”) obtains metadata linked to an image of a secure guest of an owner and managed by the hypervisor that includes control(s) that indicates whether the hypervisor is permitted to execute an instance of a secure guest generated with the image in the computing system based on system setting(s) in the computing system. The SC intercepts a command by the hypervisor to initiate the instance. The SC determines the presence or the absence of system setting(s) in the computing system. The SC determines if the hypervisor is permitted to execute the instance. If so, the SC enables initiation of the instance by the hypervisor. If not, the SC ignores the command.Type: GrantFiled: August 4, 2022Date of Patent: June 27, 2023Assignee: International Business Machines CorporationInventors: Reinhard T. Buendgen, Jonathan D. Bradbury, Lisa Cranton Heller
-
Patent number: 11675899Abstract: Aspects include circuitry that includes a first global generation counter (GGC) that is increased upon decoding of a branch instruction and a second GGC that is increased upon a completion of the branch instruction. Upon a triggered rollback, the first GGC is reset. The circuitry also includes a generation tag memory associated with a register that receives loads during a side-channel attacks which is set to the first GGC upon a first load, and a determination unit to determine, for a second load from an address depending on the register of the first load, a generation tag value associated with the register of the second load as a function of the first GGC, the second GGC, and the generation tag value associated with the register of the first load. A wait queue is configured to block the second load, if the generation tag is larger than the second GGC.Type: GrantFiled: December 15, 2020Date of Patent: June 13, 2023Assignee: International Business Machines CorporationInventors: Christian Borntraeger, Jonathan D. Bradbury, Martin Recktenwald, Anthony Saporito
-
Patent number: 11675592Abstract: An instruction is executed to perform a query function. The executing includes obtaining information relating to a selected model of a processor. The information includes at least one model-dependent data attribute of the selected model of the processor. The information is placed in a selected location for use by at least one application in performing one or more functions.Type: GrantFiled: June 17, 2021Date of Patent: June 13, 2023Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Timothy Slegel, Laith M. AlBarakat, Jonathan D. Bradbury, Cedric Lichtenau, Simon Weishaupt
-
Patent number: 11669462Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving, at a secure interface control of a computer system, an access request for a data structure related to a secure entity in a secure domain of the computer system. The secure interface control can check for a virtual storage address associated with a location of the data structure. The secure interface control can request an address translation using a virtual address space of a non-secure entity of the computer system based on determining that the location of the data structure is associated with the virtual storage address. The secure interface control can access the data structure based on a result of the address translation.Type: GrantFiled: September 15, 2021Date of Patent: June 6, 2023Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Claudio Imbrenda, Christian Borntraeger, Lisa Cranton Heller, Fadi Y. Busaba, Jonathan D. Bradbury
-
Patent number: 11669331Abstract: A first processor processes an instruction configured to perform a plurality of functions. The plurality of functions includes one or more functions to operate on one or more tensors. A determination is made of a function of the plurality of functions to be performed. The first processor provides to a second processor information related to the function. The second processor is to perform the function. The first processor and the second processor share memory providing memory coherence.Type: GrantFiled: June 17, 2021Date of Patent: June 6, 2023Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Laith M. AlBarakat, Jonathan D. Bradbury, Timothy Slegel, Cedric Lichtenau, Simon Weishaupt, Anthony Saporito
-
Patent number: 11663270Abstract: An instruction is provided for performing a vector string search. The instruction to be processed is obtained, with the instruction being defined to be a string search instruction to locate occurrence of a substring within a string. The instruction is processed, with the processing including searching the string specified in one operand of the instruction using the substring specified in another operand of the instruction. Based on the searching locating a first full match of the substring within the string, a full match condition indication is returned with position of the first full match in the string, and based on the searching locating only a partial match of the substring at a termination of the string, a partial match condition indication is returned, with the position of the partial match in the string.Type: GrantFiled: March 22, 2021Date of Patent: May 30, 2023Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Cedric Lichtenau, Jonathan D. Bradbury, Eric M. Schwarz, Razvan Peter Figuli, Stefan Payer
-
Patent number: 11656871Abstract: An input/output store instruction is handled. A data processing system includes a system nest communicatively coupled to at least one input/output bus by an input/output bus controller. The data processing system further includes at least a data processing unit including a core, system firmware and an asynchronous core-nest interface. The data processing unit is communicatively coupled to the system nest via an aggregation buffer. The system nest is configured to asynchronously load from and/or store data to an external device which is communicatively coupled to the input/output bus. The data processing unit is configured to complete the input/output store instruction before an execution of the input/output store instruction in the system nest is completed.Type: GrantFiled: September 21, 2021Date of Patent: May 23, 2023Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Christoph Raisch, Marco Kraemer, Frank Siegfried Lehnert, Matthias Klein, Jonathan D. Bradbury, Christian Jacobi, Brenton Belmar, Peter Dana Driever
-
Patent number: 11640361Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving a secure access request for a secure page of memory at a secure interface control of a computer system. The secure interface control can check a disable virtual address compare state associated with the secure page. The secure interface control can disable a virtual address check in accessing the secure page to support mapping of a plurality of virtual addresses to a same absolute address to the secure page based on the disable virtual address compare state being set and/or to support secure pages that are accessed using an absolute address and do not have an associated virtual address.Type: GrantFiled: March 8, 2019Date of Patent: May 2, 2023Assignee: International Business Machines CorporationInventors: Fadi Y. Busaba, Lisa Cranton Heller, Jonathan D. Bradbury