Abstract: Rolling encryption within a memory region. A method includes storing data in a first encrypted memory portion in the memory region. The data in the first encrypted memory portion is encrypted to a first runtime encryption key. Data is stored in a second encrypted memory portion in the memory region. The data in the second encrypted memory portion is encrypted to a second runtime encryption key. A pointer is stored. The pointer defines a boundary between the first encrypted memory portion and the second encrypted memory portion. The first encrypted memory portion and second encrypted memory portion are both configured to be accessible together to entities external to the memory to provide data stored in the first encrypted memory portion and second encrypted memory portion.

Abstract: Hardware enforced CPU core protection by identification of digital blocks as instructions or data. A method includes, at a memory controller shim, receiving, from a CPU core, a memory read request. The memory read request comprises an address for a block. The block at the address is requested from a memory. The block is received from the memory. At least one of a decryption key or an authentication key is accessed. At least one of a decryption transformation or an authentication transformation is performed on the block using the decryption key or the authentication key. When the decryption transformation or authentication transformation is deemed valid, a plain text version of the block is returned to the CPU core for consumption. When the decryption transformation or authentication transformation is deemed invalid, the CPU core is prevented from consuming the plain text version of the block.

Abstract: Securely loading digital blocks into memory for consumption by a processor. A method includes, at a memory protection shim, receiving a digital block and a manifest for the digital block. The manifest includes a transformation key for the digital block. The transformation key is configured to be used for at least one of validating the digital block or decrypting the digital block. The manifest is encrypted. The method further includes decrypting the manifest to obtain the transformation keys. The method further includes using the transformation keys to perform at least one of validating or decrypting the digital block. The method further includes retransforming the digital block using a memory protection shim ephemeral key to perform at least one of creating an authentication tag or encrypting the digital block. The method further includes storing the retransformed digital block in memory.

Abstract: An apparatus comprising a CPU core configured to execute instructions and consume data. The apparatus includes a memory configured to store the instructions and the data. A memory protection shim is coupled to the CPU core and the memory. The memory protection shim is configured to perform transformations over digital blocks to perform at least one of authentication or decryption of the digital blocks received from the memory. The memory protection shim is coupled to the CPU core in a fashion that prevents egress of the digital blocks or ingress of other external digital blocks between the memory protection shim and the CPU core.

Abstract: An apparatus comprising a CPU core configured to execute instructions and consume data. The apparatus includes a memory configured to store the instructions and the data. A memory protection shim is coupled to the CPU core and the memory. The memory protection shim is configured to perform transformations over digital blocks to perform at least one of authentication or decryption of the digital blocks received from the memory. The memory protection shim is coupled to the CPU core in a fashion that prevents egress of the digital blocks or ingress of other external digital blocks between the memory protection shim and the CPU core.

Abstract: An apparatus comprising a CPU core configured to execute instructions and consume data. The apparatus includes a memory configured to store the instructions and the data. A memory protection shim is coupled to the CPU core and the memory. The memory protection shim is configured to perform transformations over digital blocks to perform at least one of authentication or decryption of the digital blocks received from the memory. The memory protection shim is coupled to the CPU core in a fashion that prevents egress of the digital blocks or ingress of other external digital blocks between the memory protection shim and the CPU core.

Abstract: An apparatus comprising a CPU core configured to execute instructions and consume data. The apparatus includes a memory configured to store the instructions and the data. A memory protection shim is coupled to the CPU core and the memory. The memory protection shim is configured to perform transformations over digital blocks to perform at least one of authentication or decryption of the digital blocks received from the memory. The memory protection shim is coupled to the CPU core in a fashion that prevents egress of the digital blocks or ingress of other external digital blocks between the memory protection shim and the CPU core.

Abstract: Hardware enforced CPU core protection by identification of digital blocks as instructions or data. A method includes, at a memory controller shim, receiving, from a CPU core, a memory read request. The memory read request comprises an address for a block. The block at the address is requested from a memory. The block is received from the memory. At least one of a decryption key or an authentication key is accessed. At least one of a decryption transformation or an authentication transformation is performed on the block using the decryption key or the authentication key. When the decryption transformation or authentication transformation is deemed valid, a plain text version of the block is returned to the CPU core for consumption. When the decryption transformation or authentication transformation is deemed invalid, the CPU core is prevented from consuming the plain text version of the block.

Abstract: Hardware enforced CPU core protection by identification of digital blocks as instructions or data. A method includes, at a memory controller shim, receiving, from a CPU core, a memory read request. The memory read request comprises an address for a block. The block at the address is requested from a memory. The block is received from the memory. At least one of a decryption key or an authentication key is accessed. At least one of a decryption transformation or an authentication transformation is performed on the block using the decryption key or the authentication key. When the decryption transformation or authentication transformation is deemed valid, a plain text version of the block is returned to the CPU core for consumption. When the decryption transformation or authentication transformation is deemed invalid, the CPU core is prevented from consuming the plain text version of the block.