Abstract: Disclosed embodiments relate to encoded inline capabilities. In one example, a system includes a trusted execution environment (TEE) to partition an address space within a memory into a plurality of compartments each associated with code to execute a function, the TEE further to assign a message object in a heap to each compartment, receive a request from a first compartment to send a message block to a specified destination compartment, respond to the request by authenticating the request, generating a corresponding encoded capability, conveying the encoded capability to the destination compartment, and scheduling the destination compartment to respond to the request, and subsequently, respond to a check capability request from the destination compartment by checking the encoded capability and, when the check passes, providing a memory address to access the message block, and, otherwise, generating a fault, wherein each compartment is isolated from other compartments.

Abstract: Methods, apparatus, systems and articles of manufacture to securely handle chip card data are disclosed. An example method includes providing, by executing an instruction with a first processor of a client device, an application programming interface (API) in a web client of the client device, in response to detecting, in the web client at the client device, a query from a server for card data, operating, by executing an instruction with the first processor of the client device, the API in the web client at the client device to obtain the card data stored on a chip of a chip card communicatively coupled to the client device, and sending, by executing an instruction with the first processor of the client device, the card data to the server.

Abstract: Methods, apparatus, systems and articles of manufacture to securely handle chip card data are disclosed. An example method includes providing, by executing an instruction with a first processor of a client device, an application programming interface (API) in a web client of the client device, in response to detecting, in the web client at the client device, a query from a server for card data, operating, by executing an instruction with the first processor of the client device, the API in the web client at the client device to obtain the card data stored on a chip of a chip card communicatively coupled to the client device, and sending, by executing an instruction with the first processor of the client device, the card data to the server.

Abstract: Disclosed embodiments relate to encoded inline capabilities. In one example, a system includes a trusted execution environment (TEE) to partition an address space within a memory into a plurality of compartments each associated with code to execute a function, the TEE further to assign a message object in a heap to each compartment, receive a request from a first compartment to send a message block to a specified destination compartment, respond to the request by authenticating the request, generating a corresponding encoded capability, conveying the encoded capability to the destination compartment, and scheduling the destination compartment to respond to the request, and subsequently, respond to a check capability request from the destination compartment by checking the encoded capability and, when the check passes, providing a memory address to access the message block, and, otherwise, generating a fault, wherein each compartment is isolated from other compartments.

Abstract: A processor to facilitate acceleration of instruction execution is disclosed. The processor includes a plurality of execution units (EUs), each including an instruction decode unit to decode an instruction into one or more operands and opcode defining an operation to be performed at an accelerator, a register file having a plurality of registers to store the one or more operands and an accelerator having programmable hardware to retrieve the one or more operands from the register file and perform the operation on the one or more operands.

Abstract: Technologies for duplicating virtual machines (VMs) are described. A virtual machine monitor (VMM) may operate a parent virtual machine (VM), which may include a parent virtual memory and a parent virtual central processing unit (VCPU). The VMM or a host platform may obtain a command to duplicate the parent VM to create a child VM. In response to the command, the VMM or host may obtain a VCPU state of the parent VCPU, and generate the child VM including a child VCPU based on a state of the parent VCPU and a child virtual memory based on the parent virtual memory. Other embodiments are described herein and claimed.

Abstract: A processor to facilitate acceleration of instruction execution is disclosed. The processor includes a plurality of execution units (EUs), each including an instruction decode unit to decode an instruction into one or more operands and opcode defining an operation to be performed at an accelerator, a register file having a plurality of registers to store the one or more operands and an accelerator having programmable hardware to retrieve the one or more operands from the register file and perform the operation on the one or more operands.

Abstract: Disclosed embodiments relate to encoded inline capabilities. In one example, a system includes a trusted execution environment (TEE) to partition an address space within a memory into a plurality of compartments each associated with code to execute a function, the TEE further to assign a message object in a heap to each compartment, receive a request from a first compartment to send a message block to a specified destination compartment, respond to the request by authenticating the request, generating a corresponding encoded capability, conveying the encoded capability to the destination compartment, and scheduling the destination compartment to respond to the request, and subsequently, respond to a check capability request from the destination compartment by checking the encoded capability and, when the check passes, providing a memory address to access the message block, and, otherwise, generating a fault, wherein each compartment is isolated from other compartments.

Abstract: A system-on-chip (SoC) includes a host CPU on a CPU fabric, the host CPU including multiple processor cores, each associated with multiple security attributes. The SoC includes a secure asset on a network-on-chip and a security co-processor. The security co-processor includes circuitry to detect requests from the processor cores targeting the secure asset and security function processing requests, to determine, based on associated security attributes, whether the core or function is authorized to access the secure asset, to allow the request to be issued, if the core or function is so authorized, and to prevent its issuance, if not. The determination may be dependent on a signal from the CPU fabric indicating whether the host CPU can modify its security attributes or they are locked down. The security co-processor may have the highest security level and may be the only master on the SoC that can access the secure asset.

Abstract: A system-on-chip (SoC) includes a host CPU on a CPU fabric, the host CPU including multiple processor cores, each associated with multiple security attributes. The SoC includes a secure asset on a network-on-chip and a security co-processor. The security co-processor includes circuitry to detect requests from the processor cores targeting the secure asset and security function processing requests, to determine, based on associated security attributes, whether the core or function is authorized to access the secure asset, to allow the request to be issued, if the core or function is so authorized, and to prevent its issuance, if not. The determination may be dependent on a signal from the CPU fabric indicating whether the host CPU can modify its security attributes or they are locked down. The security co-processor may have the highest security level and may be the only master on the SoC that can access the secure asset.

Abstract: Disclosed embodiments relate to encoded inline capabilities. In one example, a system includes a trusted execution environment (TEE) to partition an address space within a memory into a plurality of compartments each associated with code to execute a function, the TEE further to assign a message object in a heap to each compartment, receive a request from a first compartment to send a message block to a specified destination compartment, respond to the request by authenticating the request, generating a corresponding encoded capability, conveying the encoded capability to the destination compartment, and scheduling the destination compartment to respond to the request, and subsequently, respond to a check capability request from the destination compartment by checking the encoded capability and, when the check passes, providing a memory address to access the message block, and, otherwise, generating a fault, wherein each compartment is isolated from other compartments.

Abstract: Various system configurations and methods for maintaining, accessing, and utilizing secure data of a web browser in a hardware-managed secure data store are disclosed herein. In an example, operations for management of sensitive data such as passwords may be provided with the use of secure enclaves operating in a trusted execution environment. For example, such secure enclaves may be used for sealing and persisting sensitive data associated with a remote service, and transmitting the sensitive data to the remote service, while an unsealed form of the sensitive data is not accessible outside of the trusted execution environment. In further examples, operations for generating a password, storing or updating existing passwords, and replacing web browser input fields with secure data are disclosed.

Abstract: The present disclosure provides RNG states. Generating the RNG states can include creating a first VM with a first RNG state and a second VM with a second RNG state and generating a plurality of interrupts for the first VM and the second VM. Generating the RNG states can also include providing the plurality of interrupts to the first VM with a first plurality of time intervals between the plurality of interrupts to configure the first RNG state and providing the plurality of interrupts to the second VM with a second plurality of time intervals, between the plurality of interrupts, that are different from the first plurality of time intervals to configure the second RNG state to be different from the first RNG state.

Abstract: Methods, apparatus, systems and articles of manufacture to securely handle chip card data are disclosed. An example method includes providing, by executing an instruction with a first processor of a client device, an application programming interface (API) in a web client of the client device, in response to detecting, in the web client at the client device, a query from a server for card data, operating, by executing an instruction with the first processor of the client device, the API in the web client at the client device to obtain the card data stored on a chip of a chip card communicatively coupled to the client device, and sending, by executing an instruction with the first processor of the client device, the card data to the server.

Abstract: Technologies for duplicating virtual machines (VMs) are described. A virtual machine monitor (VMM) may operate a parent virtual machine (VM), which may include a parent virtual memory and a parent virtual central processing unit (VCPU). The VMM or a host platform may obtain a command to duplicate the parent VM to create a child VM. In response to the command, the VMM or host may obtain a VCPU state of the parent VCPU, and generate the child VM including a child VCPU based on a state of the parent VCPU and a child virtual memory based on the parent virtual memory. Other embodiments are described herein and claimed.

Abstract: The present disclosure provides RNG states. Generating the RNG states can include creating a first VM with a first RNG state and a second VM with a second RNG state and generating a plurality of interrupts for the first VM and the second VM.

Abstract: A system-on-chip (SoC) includes a host CPU on a CPU fabric, the host CPU including multiple processor cores, each associated with multiple security attributes. The SoC includes a secure asset on a network-on-chip and a security co-processor. The security co-processor includes circuitry to detect requests from the processor cores targeting the secure asset and security function processing requests, to determine, based on associated security attributes, whether the core or function is authorized to access the secure asset, to allow the request to be issued, if the core or function is so authorized, and to prevent its issuance, if not. The determination may be dependent on a signal from the CPU fabric indicating whether the host CPU can modify its security attributes or they are locked down. The security co-processor may have the highest security level and may be the only master on the SoC that can access the secure asset.

Abstract: Various system configurations and methods for maintaining, accessing, and utilizing secure data of a web browser in a hardware-managed secure data store are disclosed herein. In an example, operations for management of sensitive data such as passwords may be provided with the use of secure enclaves operating in a trusted execution environment. For example, such secure enclaves may be used for sealing and persisting sensitive data associated with a remote service, and transmitting the sensitive data to the remote service, while an unsealed form of the sensitive data is not accessible outside of the trusted execution environment. In further examples, operations for generating a password, storing or updating existing passwords, and replacing web browser input fields with secure data are disclosed.