Patents by Inventor Nitin Sarangdhar

Nitin Sarangdhar has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10146962
    Abstract: A technique allows for protecting a PCI device controller from a PCI BDF masquerade attack from Ring-0 and Ring-3 malware. The technique may use Virtualization technologies to create guest virtual machines that can use a hypervisor to allocate ACPI information from ACPI tables to a secure VM and using extended page tables (EPT) and VT-d policies to protect the MMIO memory range during illegal runtime events.
    Type: Grant
    Filed: December 17, 2015
    Date of Patent: December 4, 2018
    Assignee: McAfee, LLC
    Inventors: Nitin Sarangdhar, Jonathan Edwards, Scott Robinson, Karanvir Grewal
  • Publication number: 20170177909
    Abstract: A technique allows for protecting a PCI device controller from a PCI BDF masquerade attack from Ring-0 and Ring-3 malware. The technique may use Virtualization technologies to create guest virtual machines that can use a hypervisor to allocate ACPI information from ACPI tables to a secure VM and using extended page tables (EPT) and VT-d policies to protect the MMIO memory range during illegal runtime events.
    Type: Application
    Filed: December 17, 2015
    Publication date: June 22, 2017
    Inventors: Nitin Sarangdhar, Jonathan Edwards, Scott Robinson, Karanvir Grewal
  • Patent number: 9619628
    Abstract: Systems and methods may provide for securely transferring data from a flash component. In one example, the method may include receiving a download request from an embedded controller chip, obtaining information from the flash component in response to the download request, and transferring the information to the embedded controller chip.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: April 11, 2017
    Assignee: Intel Corporation
    Inventors: Hung Huynh, Nitin Sarangdhar, Mikal Hunsaker
  • Publication number: 20160119144
    Abstract: In an embodiment, an apparatus is provided that may include an integrated circuit to be removably communicatively coupled to at least one storage device. The integrated circuit of this embodiment may be capable of encrypting and/or decrypting, based at least in part upon a first key, data to be, at least in part, stored in and/or retrieved from, respectively, at least one region of the at least one storage device. The at least one region and a second key may be associated with at least one access privilege authorized, at least in part, by an administrator. The second key may be stored, at least in part, externally to the at least one storage device. The first key may be obtainable, at least in part, based, at least in part, upon at least one operation involving the second key. Of course, many alternatives, modifications, and variations are possible without departing from this embodiment.
    Type: Application
    Filed: May 22, 2014
    Publication date: April 28, 2016
    Inventors: Nitin Sarangdhar, Ned Smith, Vincent Von Bokern
  • Patent number: 9031238
    Abstract: In an embodiment, an apparatus is provided that may include an integrated circuit to be removably communicatively coupled to at least one storage device. The integrated circuit of this embodiment may be capable of encrypting and/or decrypting, based at least in part upon a first key, data to be, at least in part, stored in and/or retrieved from, respectively, at least one region of the at least one storage device. The at least one region and a second key may be associated with at least one access privilege authorized, at least in part, by an administrator. The second key may be stored, at least in part, externally to the at least one storage device. The first key may be obtainable, at least in part, based, at least in part, upon at least one operation involving the second key. Of course, many alternatives, modifications, and variations are possible without departing from this embodiment.
    Type: Grant
    Filed: October 26, 2012
    Date of Patent: May 12, 2015
    Assignee: Intel Corporation
    Inventors: Nitin Sarangdhar, Ned Smith, Vincent Von Bokern
  • Publication number: 20140095855
    Abstract: Systems and methods may provide for securely transferring data from a flash component. In one example, the method may include receiving a download request from an embedded controller chip, obtaining information from the flash component in response to the download request, and transferring the information to the embedded controller chip.
    Type: Application
    Filed: September 28, 2012
    Publication date: April 3, 2014
    Inventors: Hung Huynh, Nitin Sarangdhar, Mikal Hunsaker
  • Patent number: 8646052
    Abstract: In some embodiments, the invention involves securing sensitive data from malware on a computing platform and, more specifically, to utilizing virtualization technology and protected audio video path technologies to prohibit a user environment from directly accessing unencrypted sensitive data. In an embodiment a service operating system (SOS) accesses sensitive data requested by an application running in a user environment virtual machine, or a capability operating system (COS). The SOS application encrypts the sensitive data before passing the data to the COS. The COS makes requests directly to a graphics engine which decrypts the data before displaying the sensitive data on a display monitor. Other embodiments are described and claimed.
    Type: Grant
    Filed: March 31, 2008
    Date of Patent: February 4, 2014
    Assignee: Intel Corporation
    Inventors: Balaji Vembu, Nitin Sarangdhar, Vedvyas Shanbhogue
  • Publication number: 20130124876
    Abstract: In an embodiment, an apparatus is provided that may include an integrated circuit to be removably communicatively coupled to at least one storage device. The integrated circuit of this embodiment may be capable of encrypting and/or decrypting, based at least in part upon a first key, data to be, at least in part, stored in and/or retrieved from, respectively, at least one region of the at least one storage device. The at least one region and a second key may be associated with at least one access privilege authorized, at least in part, by an administrator. The second key may be stored, at least in part, externally to the at least one storage device. The first key may be obtainable, at least in part, based, at least in part, upon at least one operation involving the second key. Of course, many alternatives, modifications, and variations are possible without departing from this embodiment.
    Type: Application
    Filed: October 26, 2012
    Publication date: May 16, 2013
    Inventors: Nitin Sarangdhar, Ned Smith, Vincent Von Bokern
  • Patent number: 8300825
    Abstract: In an embodiment, an apparatus is provided that may include an integrated circuit to be removably communicatively coupled to at least one storage device. The integrated circuit of this embodiment may be capable of encrypting and/or decrypting, based at least in part upon a first key, data to be, at least in part, stored in and/or retrieved from, respectively, at least one region of the at least one storage device. The at least one region and a second key may be associated with at least one access privilege authorized, at least in part, by an administrator. The second key may be stored, at least in part, externally to the at least one storage device. The first key may be obtainable, at least in part, based, at least in part, upon at least one operation involving the second key. Of course, many alternatives, modifications, and variations are possible without departing from this embodiment.
    Type: Grant
    Filed: June 30, 2008
    Date of Patent: October 30, 2012
    Assignee: Intel Corporation
    Inventors: Nitin Sarangdhar, Ned Smith, Vincent Von Bokern
  • Publication number: 20090323961
    Abstract: In an embodiment, an apparatus is provided that may include an integrated circuit to be removably communicatively coupled to at least one storage device. The integrated circuit of this embodiment may be capable of encrypting and/or decrypting, based at least in part upon a first key, data to be, at least in part, stored in and/or retrieved from, respectively, at least one region of the at least one storage device. The at least one region and a second key may be associated with at least one access privilege authorized, at least in part, by an administrator. The second key may be stored, at least in part, externally to the at least one storage device. The first key may be obtainable, at least in part, based, at least in part, upon at least one operation involving the second key. Of course, many alternatives, modifications, and variations are possible without departing from this embodiment.
    Type: Application
    Filed: June 30, 2008
    Publication date: December 31, 2009
    Inventors: Nitin Sarangdhar, Ned Smith, Vincent Von Bokern
  • Publication number: 20090245521
    Abstract: In some embodiments, the invention involves securing sensitive data from malware on a computing platform and, more specifically, to utilizing virtualization technology and protected audio video path technologies to prohibit a user environment from directly accessing unencrypted sensitive data. In an embodiment a service operating system (SOS) accesses sensitive data requested by an application running in a user environment virtual machine, or a capability operating system (COS). The SOS application encrypts the sensitive data before passing the data to the COS. The COS makes requests directly to a graphics engine which decrypts the data before displaying the sensitive data on a display monitor. Other embodiments are described and claimed.
    Type: Application
    Filed: March 31, 2008
    Publication date: October 1, 2009
    Inventors: Balaji Vembu, Nitin Sarangdhar, Vedvyas Shanbhogue
  • Publication number: 20090006690
    Abstract: An apparatus, system, and method are disclosed. In one embodiment, the apparatus includes a virtualization engine on a computer platform. The virtualization engine can intercept multiple data transfer schedules from multiple virtual machines fetched from a memory by a physical Universal Serial Bus (USB) host controller on the computer platform. The virtualization engine also can merge the multiple fetched data transfer schedules into a merged data transfer schedule. The virtualization engine also can send the merged data transfer schedule to the physical USB host controller.
    Type: Application
    Filed: June 27, 2007
    Publication date: January 1, 2009
    Inventors: Balaji Vembu, Nitin Sarangdhar, Rajeev Nalawadi
  • Publication number: 20090006702
    Abstract: A method and computer readable medium are disclosed. In one embodiment, the method includes enumerating multiple Universal Serial Bus (USB) devices on a computer platform running multiple virtual machines (VMs). The method also includes assigning each of the USB devices to a VM, wherein each USB device may be assigned to a different VM. The method also includes making each USB device visible only to the VM it is assigned to. The method also includes limiting the bandwidth each of the VMs can schedule its assigned devices within a USB data transfer frame. This will allow all of the VMs to have access to the bandwidth of the frame by avoiding the problem of over-subscription when the schedule is merged.
    Type: Application
    Filed: June 26, 2007
    Publication date: January 1, 2009
    Inventors: Nitin Sarangdhar, Balaji Vembu
  • Patent number: 6009477
    Abstract: Each of a plurality of devices or agents connected to a computer system bus is provided with a mechanism for unilaterally and dynamically limiting the depth of a pipeline of the bus. Each agent includes a state machine which indicates whether the bus is in a throttled state, a stalled state or a free state. When in a free state, an agent having control of the bus may transmit any number of bus transactions and the depth of the pipeline may therefore increase. In the throttled state, the agent may transmit only a single bus transaction. From the throttled state, the state machine always transitions either to the stalled state or to the free state. In the stalled state, no agents may transmit transactions onto the bus and the depth of the pipeline therefore cannot increase and instead may decrease with time as previously issued transactions are drained from the bus.
    Type: Grant
    Filed: December 17, 1998
    Date of Patent: December 28, 1999
    Assignee: Intel Corporation
    Inventors: Nitin Sarangdhar, Michael Rhodehamel, Matthew Fisch
  • Patent number: 5948088
    Abstract: Each of a plurality of devices or agents connected to a computer system bus is provided with a mechanism for unilaterally and dynamically limiting the depth of a pipeline of the bus. Each agent includes a state machine which indicates whether the bus is in a throttled state, a stalled state or a free state. When in a free state, an agent having control of the bus may transmit any number of bus transactions and the depth of the pipeline may therefore increase. In the throttled state, the agent may transmit only a single bus transaction. From the throttled state, the state machine always transitions either to the stalled state or to the free state. In the stalled state, no agents may transmit transactions onto the bus and the depth of the pipeline therefore cannot increase and instead may decrease with time as previously issued transactions are drained from the bus.
    Type: Grant
    Filed: November 26, 1997
    Date of Patent: September 7, 1999
    Assignee: Intel Corporation
    Inventors: Nitin Sarangdhar, Michael Rhodehamel, Matthew Fisch
  • Patent number: 5901297
    Abstract: An initialization mechanism for symmetric arbitration agents ensures that multiple agents on a bus are each initialized with a different arbitration counter value. The arbitration counter of each bus agent is used to keep track of which agent was the last or current owner of the bus and which agent will be the next owner of the bus. All bus agents agree on which agent will be the priority agent at system reset and thus be allowed first ownership of the bus. Each agent's arbitration counter is initialized according to each agent's own agent identification. The arbitration pins of the bus agents are interconnected such that each agent determines for itself a unique agent identification based on which pin of its arbitration pins is active at system reset and the maximum number of bus agents allowed on the bus. After determining its agent identification, each bus agent initializes its arbitration counter such that every agent agrees which agent is the priority agent.
    Type: Grant
    Filed: November 19, 1997
    Date of Patent: May 4, 1999
    Assignee: Intel Corporation
    Inventors: Matthew A. Fisch, Michael W. Rhodehamel, Nitin Sarangdhar
  • Patent number: 5761449
    Abstract: A bus system for a computer having multiple agents provides a mechanism for unilaterally and dynamically limiting the pipelining depth. Each agent includes a state machine which indicates whether the bus is in a throttled state, a stalled state or a free state. When in a free state, an agent having control of the bus may transmit any number of bus transactions and the depth of the pipeline may therefore increase. In the throttled state, the agent may transmit only a single bus transaction. From the throttled state, the state machine always transitions either to the stalled state or to the free state. In the stalled state, no agents may transmit transactions onto the bus and the depth of the pipeline therefore cannot increase and instead may decrease with time as previously issued transactions are drained from the bus.
    Type: Grant
    Filed: June 6, 1997
    Date of Patent: June 2, 1998
    Assignee: Intel Corporation
    Inventors: Nitin Sarangdhar, Michael Rhodehamel, Matthew Fisch
  • Patent number: 5724527
    Abstract: A multiprocessor computing system includes a serial bus and implements a boot protocol in which each processor compares a vector field of a boot message issued on the serial bus by a first processor with an ID of the processor; a match indicating that the first processor is a bootstrap processor (BSP). The non-BSPs are halted and, after issuing a final message on the bus, the BSP fetches code to start a reset sequence. The BSP then sends a message to wake the non-BSPs, after which time the operating system software is given control. Faulty processors that fail to participate in the boot protocol do not stop the selection of a BSP as long as one processor in the system is functional.
    Type: Grant
    Filed: December 28, 1995
    Date of Patent: March 3, 1998
    Assignee: Intel Corporation
    Inventors: Milind Karnik, Joseph Batz, Keshavan Tiruvallur, Andrew Glew, Frank Binns, Shreekant Thakkar, Nitin Sarangdhar
  • Patent number: 5659689
    Abstract: A method and apparatus for use in transmitting information on a wired-OR signal line is described which employs a data transfer protocol exploiting the generally shorter signal settling time occurring following high to low signal voltage transitions than occurs following low to high signal voltage transitions. In accordance with the protocol, the transmission of meaningful information on multiple-driver signal lines is restricted to the assertion of high to low signal voltage transitions. By asserting meaningful information only on high to low transitions, the clock period for the bus may be set based on the voltage settling time resulting from only high to low transitions rather than from arbitrary transitions. As a result, the transmission of meaningful signals are all within the limits of incident wave switching and a high overall information transmission rate is achieved.
    Type: Grant
    Filed: March 1, 1994
    Date of Patent: August 19, 1997
    Assignee: Intel Corporation
    Inventors: Nitin Sarangdhar, Samuel E. Calvin
  • Patent number: 5561780
    Abstract: The write-combining buffer combines data from separate data write operations into cache-line-sized buffer units for uncacheable types of data, such as frame buffer data. The write-combining buffer is implemented within a microprocessor having a data cache unit storing cacheable data within cache-lines. The data cache unit includes components and circuitry provided for efficiently inputting and outputting cache-line-sized units of data. By combining many uncacheable data write operations within a single cache-line-sized buffer, the circuitry and techniques employed for processing cache-lines are exploited in the processing of uncacheable data as well. A particular implementation is described wherein uncacheable data units corresponding to graphics write operations within an out-of-order microprocessor are combined into cache-line-sized buffers, then transmitted to a frame buffer using a burst mode eviction.
    Type: Grant
    Filed: December 30, 1993
    Date of Patent: October 1, 1996
    Assignee: Intel Corporation
    Inventors: Andy Glew, Nitin Sarangdhar, Mandar Joshi