Patents by Inventor Miriam Menes
Miriam Menes has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 12348608
  Abstract: In one embodiment, a secure distributed processing system includes nodes connected over a network, and configured to process tasks, each respective one of the nodes including a respective processor to process data of respective ones of the tasks, and a respective network interface controller to connect to other nodes over the network, store task master keys for use in computing communication keys for securing data transfer over the network for respective ones of the tasks, compute respective task and node-pair specific communication keys for securing communication with respective ones of the nodes over the network for respective ones of the tasks responsively to respective ones of the task master keys and node-specific data of respective node pairs, and securely communicate the processed data of the respective ones of the tasks with the respective ones of the nodes over the network responsively to the respective task and node-pair specific communication keys.
  Type: Grant
  Filed: August 31, 2022
  Date of Patent: July 1, 2025
  Assignee: Mellanox Technologies, Ltd.
  Inventors: Miriam Menes, Liran Liss, Noam Bloch, Idan Burstein, Boris Pismenny, Ariel Shahar
- Publication number: 20250190544
  Abstract: A confidential computing (CC) apparatus, including a CPU, to run a hypervisor that hosts one or more Trusted Virtual Machines (TVMs). The CC apparatus provides inter-TVM isolation and hardware isolation between the one or more TVMs and the hypervisor. The CPU is further to run a Device TVM (DTVM) including an interface to the network device; and a hypervisor interface which presents the DTVM to the hypervisor as a TVM, in a manner that the CC provides inter-TVM isolation and hardware isolation between the DTVM and the one or more TVMs and the hypervisor, as if the DTVM is a TVM. The DTVM is to receive from the hypervisor allocations of memory space in the external memory for a network device; and allocate the memory space in the external memory to the network device, in response to the hypervisor allocations.
  Type: Application
  Filed: February 19, 2025
  Publication date: June 12, 2025
  Inventors: Boris Pismenny, Miriam Menes, Ahmad Atamli, Ilan Pardo, Ariel Shahar, Uria Basher
- Publication number: 20250193163
  Abstract: In one embodiment, a network device includes a network interface to receive secured packets from a remote device over a packet data network, each of the secured packets being secured according to a security protocol and including a respective security protocol header and a Transmission Control Protocol (TCP) packet, which is encrypted according to the security protocol, a host device interface to connect the network device to a host device, and packet processing circuitry to decrypt each of the secured packets based on the respective security protocol header yielding multiple decrypted packets including decrypted TCP packets, aggregate the decrypted TCP packets into a single aggregated packet, and provide the single aggregated packet to software running on a processor of the host device via the host device interface.
  Type: Application
  Filed: June 13, 2024
  Publication date: June 12, 2025
  Inventors: Boris Pismenny, Miriam Menes
- Publication number: 20250148103
  Abstract: In one embodiment, a secure distributed processing system includes a plurality of nodes connected over a network, and configured to process a plurality of tasks, each one of the nodes including a processor to process task-specific data, and a network interface controller (NIC) to connect to other ones of the nodes over the network, compute task-and-node-specific communication keys for securing communication with ones of the nodes over the network based on task-specific master keys and node-specific data, and securely communicate the processed task-specific data with the ones of the nodes over the network based on the task-and-node-specific communication keys.
  Type: Application
  Filed: January 12, 2025
  Publication date: May 8, 2025
  Inventors: Miriam Menes, Liran Liss, Noam Bloch, Idan Borshteen, Boris Pismenny, Ariel Shahar
- Patent number: 12259963
  Abstract: A confidential computing (CC) apparatus includes a CPU and a peripheral device. The CPU is to run a hypervisor that hosts one or more Trusted Virtual Machines (TVMs). The peripheral device is coupled to the CPU and to an external memory. The CPU includes a TVM-Monitor (TVMM), to perform management operations on the one or more TVMs, to track memory space that is allocated by the hypervisor to the peripheral device in the external memory, to monitor memory-access requests issued by the hypervisor to the memory space allocated to the peripheral device in the external memory, and to permit or deny the memory-access requests, according to a criterion.
  Type: Grant
  Filed: February 22, 2022
  Date of Patent: March 25, 2025
  Assignee: Mellanox Technologies, Ltd
  Inventors: Boris Pismenny, Miriam Menes, Ahmad Atamli, Ilan Pardo, Ariel Shahar, Uria Basher
- Publication number: 20240406148
  Abstract: In one embodiment, a system includes a networking device including a network interface to receive network packets having headers including datagram transport layer security (DTLS) headers from a remote device over a packet data network, packet processing circuitry to identify first packets of the received packets for DTLS processing in the packet processing circuitry, identify second packets of the received packets to bypass DTLS processing in the packet processing circuitry and to be provided to software to perform DTLS processing on the second packets, and perform DTLS processing on the first packets, and a host interface to provide the DTLS processed first packets to the software, and provide the second packets to the software to perform DTLS processing on the second packets.
  Type: Application
  Filed: April 4, 2024
  Publication date: December 5, 2024
  Inventors: Uria Basher, Michael Tahar, Amir Modan, Ben Witulski, Miriam Menes, Miri Shtaif
- Publication number: 20240406212
  Abstract: In one embodiment, a local networking device includes a host interface to receive packets from a local host device, packet processing hardware to receive cryptographic material offloaded from the local host device over the host interface, perform cryptographic operations on the packets based on the cryptographic material, generate datagram transport layer security (DTLS) headers including respective DTLS sequence numbers in hardware, and encapsulate the packets with the DTLS headers in hardware, and a network interface to send the packets with the DTLS headers to a remote networking device over a packet data network.
  Type: Application
  Filed: March 5, 2024
  Publication date: December 5, 2024
  Inventors: Boris Pismenny, Miriam Menes, Liran Liss
- Publication number: 20240406154
  Abstract: Technologies for encrypting communication links between devices are described. A method includes generating a first initialization vector (IV), from a first subspace of IVs, for a first cryptographic ordered flow, and a second IV, from a second subspace of IVs that are mutually exclusive from the first subspace. The first and second cryptographic ordered flows share a key to secure multipath routing in a fabric between devices. The method sends, to the second device, a first packet for the first cryptographic ordered flow and a second packet for the second cryptographic ordered flow. The first packet includes a first security tag with the first IV and a first payload encrypted using the first IV and a first key. The second packet includes a second security tag with the second IV and a second payload encrypted using the second IV and a second key.
  Type: Application
  Filed: December 4, 2023
  Publication date: December 5, 2024
  Inventors: Miriam Menes, Naveen Cherukuri, Ahmad Atamli, Uria Basher, Mike Osborn, Mark Hummel, Liron Mula
- Patent number: 12088712
  Abstract: A method of encrypting a memory transaction includes, using a computing device operating a processor, encrypting a set of buffers to be transmitted, each buffer encrypted using an encryption key of a set of encryption keys.
  Type: Grant
  Filed: March 21, 2022
  Date of Patent: September 10, 2024
  Assignee: Mellanox Technologies Ltd.
  Inventors: Eitan Hirshberg, Boris Pismenny, Miriam Menes, Eilon Greenstein
- Publication number: 20240202315
  Abstract: The technology disclosed herein enables selective clearing of memory regions upon a context switch. An example method includes the operations of: receiving a memory access request referencing a memory region; determining an identifier of a current execution context associated with the memory region; determining an identifier of a previous execution context specified by metadata associated with the memory region; responsive to determining that the identifier of the current execution context does not match the identifier of the previous execution context, updating the metadata associated with the memory region to store the identifier of the current execution context; clearing at least a part of the memory region; and processing the memory access request with respect to the memory region.
  Type: Application
  Filed: December 20, 2022
  Publication date: June 20, 2024
  Inventors: Ahmad Atamli, Ilan Pardo, Miriam Menes, Shahaf Shuler, Meni Orenbach, Uria Basher
- Publication number: 20240146703
  Abstract: A network device includes a hardware pipeline to process a network packet to be encrypted. A portion of the hardware pipeline retrieves information from the network packet and generates a command based on the information. A block cipher circuit is coupled inline within the hardware pipeline. The hardware pipeline includes hardware engines coupled between the portion of the hardware pipeline and the block cipher circuit. The hardware engines parse and execute the command to determine a set of inputs and input the set of inputs and portions of the network packet to the block cipher circuit. The block cipher circuit encrypts a payload data of the network packet based on the set of inputs.
  Type: Application
  Filed: May 10, 2023
  Publication date: May 2, 2024
  Inventors: Yuval Shicht, Miriam Menes, Ariel Shahar, Uria Basher, Boris Pismenny
- Patent number: 11909855
  Abstract: In one embodiment, data communication apparatus includes packet processing circuitry to receive data from a memory responsively to a data transfer request, and cryptographically process the received data in units of data blocks using a block cipher so as to add corresponding cryptographically processed data blocks to a sequence of data packets, the sequence including respective ones of the cryptographically processed data blocks having block boundaries that are not aligned with payload boundaries of respective ones of the packets, such that respective ones of the cryptographically processed data blocks are divided into two respective segments, which are contained in successive respective ones of the packets in the sequence, and a network interface which includes one or more ports for connection to a packet data network and is configured to send the sequence of data packets to a remote device over the packet data network via the one or more ports.
  Type: Grant
  Filed: December 6, 2022
  Date of Patent: February 20, 2024
  Assignee: MELLANOX TECHNOLOGIES, LTD.
  Inventors: Miriam Menes, Noam Bloch, Adi Menachem, Idan Burstein, Ariel Shahar, Maxim Fudim
- Patent number: 11909710
  Abstract: A method for communication includes provisioning each node in a network with a respective set of two or more network addresses. Each node in succession is assigned a respective network address from the respective provisioned set that has not been assigned for use by any preceding node. Upon finding for a given node that all the network addresses in the respective provisioned set were assigned to preceding nodes, the preceding nodes are searched to identify a candidate node having an additional network address in the respective provisioned set, other than the assigned respective network address, that was not yet assigned to any of the nodes. The additional network address is assigned to the candidate node instead of the respective network address that was previously assigned to the candidate node, and the assigning of the network addresses to the nodes in the succession resumes following the candidate node.
  Type: Grant
  Filed: July 7, 2022
  Date of Patent: February 20, 2024
  Assignee: MELLANOX TECHNOLOGIES, LTD.
  Inventors: Eitan Zahavi, Guy Rozenberg, Matty Kadosh, Lion Levi, Boris Pismenny, Alex Netes, Miriam Menes, Lior Hodaya Bezen, Michael Tahar
- Patent number: 11909856
  Abstract: In one embodiment, an apparatus includes a network interface to receive a sequence of data packets from a remote device responsively to a data transfer request, the received sequence including received data blocks, and packet processing circuitry to read cryptographic parameters from a memory in which the parameters were registered by a processing unit, the cryptographic parameters including an initial cryptographic key and initial value, compute a first cryptographic key responsively to the initial cryptographic key and initial value, cryptographically process a first block responsively to the first cryptographic key, compute an updated value responsively to the initial value and a size of the first block, compute a second cryptographic key responsively to the initial cryptographic key and the updated value, cryptographically process a second block of the received data blocks responsively to the second cryptographic key, and write the cryptographically processed first and second block to the memory.
  Type: Grant
  Filed: December 7, 2022
  Date of Patent: February 20, 2024
  Assignee: MELLANOX TECHNOLOGIES, LTD.
  Inventors: Miriam Menes, Noam Bloch, Adi Menachem, Idan Burstein, Ariel Shahar, Maxim Fudim
- Publication number: 20240015130
  Abstract: A method for communication includes provisioning each node in a network with a respective set of two or more network addresses. Each node in succession is assigned a respective network address from the respective provisioned set that has not been assigned for use by any preceding node. Upon finding for a given node that all the network addresses in the respective provisioned set were assigned to preceding nodes, the preceding nodes are searched to identify a candidate node having an additional network address in the respective provisioned set, other than the assigned respective network address, that was not yet assigned to any of the nodes. The additional network address is assigned to the candidate node instead of the respective network address that was previously assigned to the candidate node, and the assigning of the network addresses to the nodes in the succession resumes following the candidate node.
  Type: Application
  Filed: July 7, 2022
  Publication date: January 11, 2024
  Inventors: Eitan Zahavi, Guy Rozenberg, Matty Kadosh, Lion Levi, Boris Pismenny, Alex Netes, Miriam Menes, Lior Hodaya Bezen, Michael Tahar
- Patent number: 11863390
  Abstract: Apparatuses, systems, and techniques are presented to configure computing resources to perform various tasks. In at least one embodiment, an approach presented herein can be used to verify whether a network of computing nodes is properly configured based, at least in part, on one or more expected data strings generated by the network of computing nodes.
  Type: Grant
  Filed: August 16, 2022
  Date of Patent: January 2, 2024
  Assignee: Nvidia Corporation
  Inventors: Miriam Menes, Eitan Zahavi, Gil Bloch, Ahmad Atamli, Meni Orenbach, Mark Hummel, Glenn Dearth
- Patent number: 11765079
  Abstract: A method includes detecting, by an accelerator of a networking device, a serial number of a first data packet is out of order with respect to a previous data packet within a first flow of data packets associated with a packet communication network, wherein the serial number is assigned to the first data packet according to a transport protocol. The method includes reconstructing context data associated with the first flow of data packets, wherein the context data comprises encoding information for encoding of data records containing data conveyed in payloads of data packets in the first flow of data packets according to a storage protocol. The method includes using, by the accelerator, the reconstructed context data in processing a data record associated with a second data packet within the first flow, wherein the second data packet is subsequent to the first data packet in the first flow of data packets.
  Type: Grant
  Filed: October 26, 2022
  Date of Patent: September 19, 2023
  Assignee: Mellanox Technologies, Ltd.
  Inventors: Boris Pismenny, Miriam Menes, Idan Burstein, Liran Liss, Noam Bloch, Arie Shahar
- Publication number: 20230273808
  Abstract: The technology disclosed herein enables a Trusted Execution Environment (TEE) to be extended to an auxiliary device that handles persistently storing data in a security enhanced manner. Extending the trusted computing base to the auxiliary device may involve establishing an auxiliary TEE in the auxiliary device and a trusted communication link between the primary and auxiliary TEEs. The primary TEE may include the computing resources of the primary devices (e.g., CPU and host memory) and the auxiliary TEE may include the computing resources of the auxiliary devices (e.g., hardware accelerators and auxiliary memory). The trusted communication link may enable the auxiliary TEE to access data of the primary TEE that is otherwise inaccessible to all software executing external to the primary TEE (e.g., host operating system and hypervisor). The auxiliary device may use the auxiliary TEE to process the data to avoid compromising the security enhancements provided by the primary TEE.
  Type: Application
  Filed: January 31, 2023
  Publication date: August 31, 2023
  Inventors: Ahmad Atamli, Meni Orenbach, Miriam Menes, Shahaf Shuler
- Publication number: 20230267196
  Abstract: A confidential computing (CC) apparatus includes a CPU and a peripheral device. The CPU is to run a hypervisor that hosts one or more Trusted Virtual Machines (TVMs). The peripheral device is coupled to the CPU and to an external memory. The CPU includes a TVM-Monitor (TVMM), to perform management operations on the one or more TVMs, to track memory space that is allocated by the hypervisor to the peripheral device in the external memory, to monitor memory-access requests issued by the hypervisor to the memory space allocated to the peripheral device in the external memory, and to permit or deny the memory-access requests, according to a criterion.
  Type: Application
  Filed: February 22, 2022
  Publication date: August 24, 2023
  Inventors: Boris Pismenny, Miriam Menes, Ahmad Atamli, Ilan Pardo, Ariel Shahar, Uria Basher
- Patent number: 11726666
  Abstract: A network adapter includes a network interface controller and a processor. The network interface controller is to communicate over a peripheral bus with a host, and over a network with a remote storage device. The processor is to expose on the peripheral bus a peripheral-bus device that communicates with the host using a bus storage protocol, to receive first I/O transactions of the bus storage protocol from the host, via the exposed peripheral-bus device, and to complete the first I/O transactions in the remote storage device by (i) translating between the first I/O transactions and second I/O transactions of a network storage protocol, and (ii) executing the second I/O transactions in the remote storage device. For receiving and completing the first I/O transactions, the processor is to cause the network interface controller to transfer data directly between the remote storage device and a memory of the host using zero-copy.
  Type: Grant
  Filed: July 11, 2021
  Date of Patent: August 15, 2023
  Assignee: MELLANOX TECHNOLOGIES, LTD.
  Inventors: Ben Ben-Ishay, Boris Pismenny, Yorai Itzhak Zack, Khalid Manaa, Liran Liss, Uria Basher, Or Gerlitz, Miriam Menes