Patents by Inventor Reouven Elbaz
Reouven Elbaz has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11658947Abstract: A protected link between a first computing device and a second computing device is set up, wherein communication over the protected link is to comply with a communication protocol that allows packets to be reordered during transit. A plurality of packets are generated according to a packet format that ensures the plurality of packets will not be reordered during transmission over the protected link, the plurality of packets comprising a first packet and a second packet. Data of the plurality of packets are encrypted for transmission over the protected link, wherein data of the first packet is encrypted based on the cryptographic key and a first value of a counter and data of the second packet is encrypted based on the cryptographic key and a second value of the counter.Type: GrantFiled: July 7, 2021Date of Patent: May 23, 2023Assignee: Intel CorporationInventors: David J. Harriman, Raghunandan Makaram, Ioannis T. Schoinas, Kapil Sood, Yu-Yuan Chen, Vedvyas Shanbhogue, Siddhartha Chhabra, Reshma Lal, Reouven Elbaz
-
Patent number: 11533170Abstract: Methods, systems, and apparatuses associated with hardware mechanisms for link encryption are disclosed. In various embodiments, an interconnect interface is coupled to a processor core to interconnect a peripheral device to the processor core via a link established between the peripheral device and the interconnect interface. The interconnect interface is to select a cryptographic engine of a plurality of cryptographic engines instantiated in the interconnect interface for the link. The cryptographic engine is to symmetrically encrypt data to be transmitted through the link. In more specific embodiments, each of the plurality of cryptographic engines is instantiated for one of a request type on the link, a virtual channel on the link, or a request type within a virtual channel on the link.Type: GrantFiled: March 28, 2019Date of Patent: December 20, 2022Assignee: Intel CorporationInventors: Reouven Elbaz, Hooi Kar Loo, Poh Thiam Teoh, Su Wei Lim, Patrick D. Maloney, Santosh Ghosh
-
Publication number: 20220335109Abstract: On-demand paging support for confidential computing is described. An example of an apparatus includes circuitry including one or more processors including a first processor, the first processor including a TEE and registers, wherein the one or more processors are to: receive a memory access request associated with a trust domain (TD), wherein one or more direct memory access payloads associated with the request being generated by a protocol engine (PE) of a peripheral device and written to a host interface (HIF), the HIF including an address translation engine (ATE); and, in response to a page fault being identified for a payload, divert the payload and forward a payload fault to one or more TD fault buffers in a set of registers, and resolve the page fault by an ATE driver and a virtual machine manager using the TEE.Type: ApplicationFiled: June 30, 2022Publication date: October 20, 2022Applicant: Intel CorporationInventors: Ravi Sahita, Anjali Jain, Reouven Elbaz
-
Publication number: 20220207155Abstract: Detailed herein is instruction level support to allow untrusted software to save/restore key state from the memory encryption engine to support S3/S4 flows on clients. In a first embodiment, the save/restore is done by the untrusted software and encryption hardware alone. In another embodiment, a security engine (which forms the root of trust on the platform) is involved to protect the keys before handing over to untrusted software. Either embodiment uses the instructions introduced herein which may work differently underneath depending on the implementation option chosen.Type: ApplicationFiled: December 26, 2020Publication date: June 30, 2022Inventors: Siddhartha CHHABRA, Thripthi HEGDE, Reouven ELBAZ
-
Publication number: 20220103516Abstract: An apparatus comprising a first computing platform including a processor to execute a first trusted executed environment (TEE) to host a first plurality of virtual machines and a first network interface controller to establish a trusted communication channel with a second computing platform via an orchestration controller.Type: ApplicationFiled: December 10, 2021Publication date: March 31, 2022Applicant: Intel CorporationInventors: Pradeep Pappachan, Luis Kida, Donald E. Wood, Tony Hurson, Reouven Elbaz, Reshma Lal
-
Patent number: 11243893Abstract: A processor or system includes a processor core to execute a set of instructions to determine that a memory encryption mode is enabled. The memory encryption mode is to cause data stored to memory to be encrypted and data retrieved from the memory to be decrypted. The processor core is further to determine that a debug mode has been enabled and, responsive to a determination that the debug mode has been enabled, generate a second encryption key different than a first encryption key employed before reboot of a computing system. The processor core is further to transmit the second encryption key to a cryptographic engine for use in encryption and decryption of the data according to the memory encryption mode.Type: GrantFiled: May 11, 2018Date of Patent: February 8, 2022Assignee: Intel CorporationInventors: Jonathan Lutz, Reouven Elbaz, Jason W. Brandt, Hisham Shafi, Ittai Anati, Vedvyas Shanbhogue
-
Publication number: 20210344653Abstract: A protected link between a first computing device and a second computing device is set up, wherein communication over the protected link is to comply with a communication protocol that allows packets to be reordered during transit. A plurality of packets are generated according to a packet format that ensures the plurality of packets will not be reordered during transmission over the protected link, the plurality of packets comprising a first packet and a second packet. Data of the plurality of packets are encrypted for transmission over the protected link, wherein data of the first packet is encrypted based on the cryptographic key and a first value of a counter and data of the second packet is encrypted based on the cryptographic key and a second value of the counter.Type: ApplicationFiled: July 7, 2021Publication date: November 4, 2021Applicant: Intel CorporationInventors: David J. Harriman, Raghunandan Makaram, Ioannis T. Schoinas, Kapil Sood, Yu-Yuan Chen, Vedvyas Shanbhogue, Siddhartha Chhabra, Reshma Lal, Reouven Elbaz
-
Patent number: 11070527Abstract: A protected link between a first computing device and a second computing device is set up, wherein communication over the protected link is to comply with a communication protocol that allows packets to be reordered during transit. A plurality of packets are generated according to a packet format that ensures the plurality of packets will not be reordered during transmission over the protected link, the plurality of packets comprising a first packet and a second packet. Data of the plurality of packets are encrypted for transmission over the protected link, wherein data of the first packet is encrypted based on the cryptographic key and a first value of a counter and data of the second packet is encrypted based on the cryptographic key and a second value of the counter.Type: GrantFiled: April 1, 2019Date of Patent: July 20, 2021Assignee: Intel CorporationInventors: David J. Harriman, Raghunandan Makaram, Ioannis T. Schoinas, Kapil Sood, Yu-Yuan Chen, Vedvyas Shanbhogue, Siddhartha Chhabra, Reshma Lal, Reouven Elbaz
-
Patent number: 10755156Abstract: Systems, methods, and apparatuses associated with data exchanged between a processor and a hardware accelerator are disclosed. In various embodiments, a method comprises receiving, at a first endpoint, a first request to change a current tag frequency used to generate a first authentication tag for one or more transactions of a first transaction window sent over a data link to a second endpoint coupled to a processor core. The method further includes sending a message to the second endpoint that the current tag frequency is to change to a new tag frequency, where a second authentication tag for one or more transactions in a second transaction window is to be generated based on the new tag frequency. The method also includes changing the current tag frequency to the new tag frequency based, at least in part, on receiving an acknowledgement that the second endpoint received the message.Type: GrantFiled: March 27, 2019Date of Patent: August 25, 2020Assignee: Intel CorporationInventors: Siddhartha Chhabra, Reouven Elbaz
-
Patent number: 10565130Abstract: Technologies for secure memory usage include a computing device having a processor that includes a memory encryption engine and a memory device coupled to the processor. The processor supports multiple processor usages, such as secure enclaves, system management firmware, and a virtual machine monitor. The memory encryption engine is configured to protect a memory region stored in the memory device for a processor usage. The memory encryption engine restricts access to one or more configuration registers to a trusted code base of the processor usage. The processor executes the processor usage and the memory encryption engine protects contents of the memory region during execution. The memory encryption engine may access integrity metadata based on the address of the protected memory region. The memory encryption engine may prepare top-level counter metadata for entering a low-power state. Other embodiments are described and claimed.Type: GrantFiled: September 25, 2017Date of Patent: February 18, 2020Assignee: Intel CorporationInventors: Siddhartha Chhabra, Reouven Elbaz, Krishnakumar Narasimhan, Prashant Dewan, David M. Durham
-
Publication number: 20190347213Abstract: A processor or system includes a processor core to execute a set of instructions to determine that a memory encryption mode is enabled. The memory encryption mode is to cause data stored to memory to be encrypted and data retrieved from the memory to be decrypted. The processor core is further to determine that a debug mode has been enabled and, responsive to a determination that the debug mode has been enabled, generate a second encryption key different than a first encryption key employed before reboot of a computing system. The processor core is further to transmit the second encryption key to a cryptographic engine for use in encryption and decryption of the data according to the memory encryption mode.Type: ApplicationFiled: May 11, 2018Publication date: November 14, 2019Inventors: Jonathan LUTZ, Reouven ELBAZ, Jason W. BRANDT, Hisham SHAFI, Ittai ANATI, Vedvyas SHANBHOGUE
-
Publication number: 20190281025Abstract: A protected link between a first computing device and a second computing device is set up, wherein communication over the protected link is to comply with a communication protocol that allows packets to be reordered during transit. A plurality of packets are generated according to a packet format that ensures the plurality of packets will not be reordered during transmission over the protected link, the plurality of packets comprising a first packet and a second packet. Data of the plurality of packets are encrypted for transmission over the protected link, wherein data of the first packet is encrypted based on the cryptographic key and a first value of a counter and data of the second packet is encrypted based on the cryptographic key and a second value of the counter.Type: ApplicationFiled: April 1, 2019Publication date: September 12, 2019Applicant: Intel CorporationInventors: David J. Harriman, Raghunandan Makaram, Ioannis T. Schoinas, Kapil Sood, Yu-Yuan Chen, Vedvyas Shanbhogue, Siddhartha Chhabra, Reshma Lal, Reouven Elbaz
-
Patent number: 10374805Abstract: Technologies for secure programming of a cryptographic engine include a computing device with a cryptographic engine and one or more I/O controllers. The computing device establishes one or more trusted execution environments (TEEs). A TEE generates a request to program the cryptographic engine with respect to a DMA channel. The computing device may verify a signed manifest that indicates the TEEs permitted to program DMA channels and, if verified, determine whether the TEE is permitted to program the requested DMA channel. The computing device may record the TEE for a request to protect the DMA channel and may determine whether the programming TEE matches the recorded TEE for a request to unprotect a DMA channel. The computing device may allow the request to unprotect the DMA channel if the programming TEE matches the recorded TEE. Other embodiments are described and claimed.Type: GrantFiled: December 18, 2015Date of Patent: August 6, 2019Assignee: Intel CorporationInventors: Siddhartha Chhabra, Reshma Lal, Ravi L. Sahita, Reouven Elbaz, Bin Xing
-
Publication number: 20190229901Abstract: Methods, systems, and apparatuses associated with hardware mechanisms for link encryption are disclosed. In various embodiments, an interconnect interface is coupled to a processor core to interconnect a peripheral device to the processor core via a link established between the peripheral device and the interconnect interface. The interconnect interface is to select a cryptographic engine of a plurality of cryptographic engines instantiated in the interconnect interface for the link. The cryptographic engine is to symmetrically encrypt data to be transmitted through the link. In more specific embodiments, each of the plurality of cryptographic engines is instantiated for one of a request type on the link, a virtual channel on the link, or a request type within a virtual channel on the link.Type: ApplicationFiled: March 28, 2019Publication date: July 25, 2019Applicant: Intel CorporationInventors: Reouven Elbaz, Hooi Kar Loo, Poh Thiam Teoh, Su Wei Lim, Patrick D. Maloney, Santosh Ghosh
-
Publication number: 20190220721Abstract: Systems, methods, and apparatuses associated with data exchanged between a processor and a hardware accelerator are disclosed. In various embodiments, a method comprises receiving, at a first endpoint, a first request to change a current tag frequency used to generate a first authentication tag for one or more transactions of a first transaction window sent over a data link to a second endpoint coupled to a processor core. The method further includes sending a message to the second endpoint that the current tag frequency is to change to a new tag frequency, where a second authentication tag for one or more transactions in a second transaction window is to be generated based on the new tag frequency. The method also includes changing the current tag frequency to the new tag frequency based, at least in part, on receiving an acknowledgement that the second endpoint received the message.Type: ApplicationFiled: March 27, 2019Publication date: July 18, 2019Applicant: Intel CorporationInventors: Siddhartha Chhabra, Reouven Elbaz
-
Publication number: 20190095351Abstract: Technologies for secure memory usage include a computing device having a processor that includes a memory encryption engine and a memory device coupled to the processor. The processor supports multiple processor usages, such as secure enclaves, system management firmware, and a virtual machine monitor. The memory encryption engine is configured to protect a memory region stored in the memory device for a processor usage. The memory encryption engine restricts access to one or more configuration registers to a trusted code base of the processor usage. The processor executes the processor usage and the memory encryption engine protects contents of the memory region during execution. The memory encryption engine may access integrity metadata based on the address of the protected memory region. The memory encryption engine may prepare top-level counter metadata for entering a low-power state. Other embodiments are described and claimed.Type: ApplicationFiled: September 25, 2017Publication date: March 28, 2019Inventors: Siddhartha Chhabra, Reouven Elbaz, Krishnakumar Narasimhan, Prashant Dewan, David M. Durham
-
Patent number: 10181946Abstract: Technologies for cryptographic protection of I/O data include a computing device with one or more I/O controllers. Each I/O controller may generate a direct memory access (DMA) transaction that includes a channel identifier that is indicative of the I/O controller and that is indicative of an I/O device coupled to the I/O controller. The computing device intercepts the DMA transaction and determines whether to protect the DMA transaction as a function of the channel identifier. If so, the computing device performs a cryptographic operation using an encryption key associated with the channel identifier. The computing device may include a cryptographic engine that intercepts the DMA transaction and determines whether to protect the DMA transaction by determining whether the channel identifier matches an entry in a channel identifier table of the cryptographic engine. Other embodiments are described and claimed.Type: GrantFiled: December 18, 2015Date of Patent: January 15, 2019Assignee: Intel CorporationInventors: Reshma Lal, Steven B. McGowan, Siddhartha Chhabra, Gideon Gerzon, Bin Xing, Pradeep M. Pappachan, Reouven Elbaz
-
Publication number: 20190004978Abstract: Various systems and methods for Security Attributes of Initiator (SAI) pools allocation are described herein. A system for security attribute pool allocation includes an integrated circuit to: access a hardware block and store a security identifier in the hardware block, the security identifier being from a pool of security identifiers, the pool being one of a plurality of pools of security identifiers with each of the plurality of pools having mutually exclusive sets of security identifiers.Type: ApplicationFiled: June 30, 2017Publication date: January 3, 2019Inventors: Michael C. Neve De Mevergnies, Reouven Elbaz
-
Patent number: 10073977Abstract: Technologies for authenticity assurance for I/O data include a computing device with a cryptographic engine and one or more I/O controllers. A metadata producer of the computing device performs an authenticated encryption operation on I/O data to generate encrypted I/O data and an authentication tag. The metadata producer stores the encrypted I/O data in a DMA buffer and the authentication tag in an authentication tag queue. A metadata consumer decrypts the encrypted I/O data from the DMA buffer and determines whether the encrypted I/O data is authentic using the authentication tag from the authentication tag queue. For input, the metadata producer may be embodied as the cryptographic engine and the metadata consumer may be embodied as a trusted software component. For output, the metadata producer may be embodied as the trusted software component and the metadata consumer may be embodied as the cryptographic engine. Other embodiments are described and claimed.Type: GrantFiled: December 18, 2015Date of Patent: September 11, 2018Assignee: Intel CorporationInventors: Pradeep M. Pappachan, Reshma Lal, Bin Xing, Steven B. McGowan, Siddhartha Chhabra, Reouven Elbaz
-
Patent number: 10013579Abstract: Various configurations and methods for securing and validating trusted input output (IO) data communications within fabric interconnects of processing circuitry are disclosed herein. As an example, a technique for secure routing of trusted software transactions includes operations of a crypto engine and an IO hub to validate trusted transactions such as DMA read and write transactions received from a trusted IO controller, and configuring the fabrics of the circuitry to prevent re-routing or tampering of data from the trusted transactions. In an example, hardware-based identification and verification of the trusted transactions may be performed with use of content addressable memory at the crypto engine and the respective unsecure fabrics, to identify and enforce the trusted transactions that cannot be re-routed. As a result, rogue agents or entities connected to the unsecure fabrics cannot interfere with or intercept data for trusted transactions.Type: GrantFiled: December 23, 2015Date of Patent: July 3, 2018Assignee: Intel CorporationInventors: Reouven Elbaz, Siddhartha Chhabra, Steven B. McGowan