Abstract: Various embodiments for providing datalink security in a datalink between a first hardware device (e.g., a system-on-a-chip (SoC) device) and a second hardware device (e.g., an encrypted storage device) are described. Various embodiments using differing types of keys and setups are described and claimed.

Abstract: Various configurations and methods for securing and validating trusted input output (IO) data communications within fabric interconnects of processing circuitry are disclosed herein. As an example, a technique for secure routing of trusted software transactions includes operations of a crypto engine and an IO hub to validate trusted transactions such as DMA read and write transactions received from a trusted IO controller, and configuring the fabrics of the circuitry to prevent re-routing or tampering of data from the trusted transactions. In an example, hardware-based identification and verification of the trusted transactions may be performed with use of content addressable memory at the crypto engine and the respective unsecure fabrics, to identify and enforce the trusted transactions that cannot be re-routed. As a result, rogue agents or entities connected to the unsecure fabrics cannot interfere with or intercept data for trusted transactions.

Abstract: Technologies for cryptographic protection of I/O data include a computing device with one or more I/O controllers. Each I/O controller may be coupled to one or more I/O devices. Each I/O controller may generate a direct memory access (DMA) transaction that includes a channel identifier that is indicative of the I/O controller and that is indicative of an I/O device coupled to the I/O controller. The computing device intercepts the DMA transaction and determines whether to protect the DMA transaction as a function of the channel identifier. If so, the computing device performs a cryptographic operation using an encryption key associated with the channel identifier. The computing device may include a cryptographic engine that intercepts the DMA transaction and determines whether to protect the DMA transaction by determining whether the channel identifier matches an entry in a channel identifier table of the cryptographic engine. Other embodiments are described and claimed.

Abstract: Technologies for secure programming of a cryptographic engine include a computing device with a cryptographic engine and one or more I/O controllers. The computing device establishes one or more trusted execution environments (TEEs). A TEE generates a request to program the cryptographic engine with respect to a DMA channel. The computing device may verify a signed manifest that indicates the TEEs permitted to program DMA channels and, if verified, determine whether the TEE is permitted to program the requested DMA channel. The computing device may record the TEE for a request to protect the DMA channel and may determine whether the programming TEE matches the recorded TEE for a request to unprotect a DMA channel. The computing device may allow the request to unprotect the DMA channel if the programming TEE matches the recorded TEE. Other embodiments are described and claimed.

Abstract: Technologies for authenticity assurance for I/O data include a computing device with a cryptographic engine and one or more I/O controllers. A metadata producer of the computing device performs an authenticated encryption operation on I/O data to generate encrypted I/O data and an authentication tag. The metadata producer stores the encrypted I/O data in a DMA buffer and the authentication tag in an authentication tag queue. A metadata consumer decrypts the encrypted I/O data from the DMA buffer and determines whether the encrypted I/0 data is authentic using the authentication tag from the authentication tag queue. For input, the metadata producer may be embodied as the cryptographic engine and the metadata consumer may be embodied as a trusted software component. For output, the metadata producer may be embodied as the trusted software component and the metadata consumer may be embodied as the cryptographic engine. Other embodiments are described and claimed.

Abstract: A method and device for encrypting and/or decrypting binary data blocks protecting both confidentiality and integrity of data sent to or received from a memory. The encryption method comprises steps of: applying to the input data block a reversible scrambling process, the scrambling process providing a scrambled data block in which the bits of the input data block are mixed so that a modification of one bit in the scrambled data block impacts on every bit of the input data block, and applying to the scrambled data block a stream cipher encryption algorithm providing an encrypted data block. Application can be made to secured integrated circuits requiring to securely store data in an external memory.

Abstract: A method and device for encrypting and/or decrypting binary data blocks protecting both confidentiality and integrity of data sent to or received from a memory. The encryption method comprises steps of: applying to the input data block a reversible scrambling process, the scrambling process providing a scrambled data block in which the bits of the input data block are mixed so that a modification of one bit in the scrambled data block impacts on every bit of the input data block, and applying to the scrambled data block a stream cipher encryption algorithm providing an encrypted data block. Application can be made to secured integrated circuits requiring to securely store data in an external memory.