Abstract: An apparatus to facilitate protecting data transfer between a secure application and networked devices is disclosed. The apparatus includes a processor to provide a trusted execution environment (TEE) to run an application, wherein the processor is to: generate, via the application in the TEE, encrypted data, wherein the encrypted data comprises a payload; copy, via the application in the TEE, the encrypted data to a local buffer; interface, using the application in the TEE, with a source network interface controller (NIC) to initiate a copy over a network of the encrypted data from the local buffer to a remote buffer of a remote platform; and communicate, after completing the copy of the network of the encrypted data, at least one message with the remote platform to indicate that the encrypted data is available and to enable the remote platform to verify integrity of the encrypted data.

Abstract: An apparatus comprising translator circuitry to receive a plurality of physical addresses of memory data, determine an offset associated with each of the physical page addresses and apply a tweak seed to each offset to generate a plurality of tweaks.

Abstract: An apparatus to facilitate disaggregated computing for a distributed confidential computing environment is disclosed. The apparatus includes a programmable integrated circuit (IC) comprising secure device manager (SDM) hardware circuitry to: receive a tenant bitstream of a tenant and a tenant use policy for utilization of the programmable IC via the tenant bitstream, wherein the tenant use policy is cryptographically bound to the tenant bitstream by a cloud service provider (CSP) authorizing entity and signed with a signature of the CSP authorizing entity; in response to successfully verifying the signature, extract the tenant use policy to provide to a policy manager of the programmable IC for verification; in response to the policy manager verifying the tenant bitstream based on the tenant use policy, configure a partial reconfiguration (PR) region of the programmable IC using the tenant bitstream; and associate a slot ID of the PR region with the tenant use policy.

Abstract: An apparatus comprises a compute complex comprising one or more processing resources to execute a software process identified by a software identifier (SWID), at least one hardware module, a communication fabric to provide a communication pathway between the compute complex, the at least one hardware module, and at least one memory device, and at least one memory management unit to provide access control to the memory device based at least in part on the software identifier.

Abstract: An apparatus comprises a compute complex comprising one or more processing resources to execute a software process, a hardware processor to initiate an authentication request to at least one adjunct processing hardware device communicatively coupled to the compute complex, establish a session key with the at least one adjunct processing hardware device, negotiate, with a hypervisor, a virtual function allocation for at least one virtual adjunct processing device to be implemented by the at least one adjunct processing hardware device to define a configuration in a trusted page table, verify the configuration with the at least one adjunct processing hardware device using the session key, and lock the configuration in the trusted table.

Abstract: An apparatus to facilitate in-place memory copy during remote data transfer in a heterogeneous compute environment is disclosed. The apparatus includes a processor to receive data via a network interface card (NIC) of a hardware accelerator device; identify a destination address of memory of the hardware accelerator device to write the data; determine that access control bits of the destination address in page tables maintained by a memory management unit (MMU) indicate that memory pages of the destination address are both registered and free; write the data to the memory pages of the destination address; and update the access control bits for memory pages of the destination address to indicate that the memory pages are restricted, wherein setting the access control bits to restricted prevents the NIC and a compute kernel of the hardware accelerator device from accessing the memory pages.

Abstract: An apparatus comprises a local computer readable memory, a compute processor comprising one or more processing resources to execute a compute process, and a cryptographic processor to prefetch encrypted compute data for the compute processor and decrypt the compute data prior to making the compute data accessible to the compute processor.

Abstract: An apparatus to facilitate disaggregated computing for a distributed confidential computing environment is disclosed. The apparatus includes one or more processors to facilitate receiving a manifest corresponding to graph nodes representing regions of memory of a remote client machine, the graph nodes corresponding to a command buffer and to associated data structures and kernels of the command buffer used to initialize a hardware accelerator and execute the kernels, and the manifest indicating a destination memory location of each of the graph nodes and dependencies of each of the graph nodes; identifying, based on the manifest, the command buffer and the associated data structures to copy to the host memory; identifying, based on the manifest, the kernels to copy to local memory of the hardware accelerator; and patching addresses in the command buffer copied to the host memory with updated addresses of corresponding locations in the host memory.

Abstract: One or more machine readable storage media, an apparatus, and a method. The apparatus provides a mechanism to implement a trusted telemetry governor (TTG) inside a trusted execution environment. The TTG is to determine a security policy to be applied to telemetry data corresponding to component of a computing infrastructure, receive the telemetry data in encrypted format and, based on the security policy: process the telemetry data including at least one of generating transformed telemetry data or analyzing the telemetry data to generate a report therefrom, and generating telemetry information from the telemetry data. The telemetry information includes at least one of processed telemetry data, a report, or a recommendation based on an analysis of the telemetry data. The TTG is to send the telemetry information outside of the trusted execution environment to a consumer of the telemetry data.

Abstract: Technologies for establishing device locality are disclosed. A processor in a computing device generates an identifier distinct to the computing device. The processor transmits the identifier to a management controller via a hardware bus in the computing device. The processor generates a key and encrypts the key with the identifier to generate a wrapped key. The processor transmits the wrapped key to the management controller. In turn, the management controller unwraps the key using the identifier. Other embodiments are described and claimed.

Abstract: An apparatus to facilitate disaggregated computing for a distributed confidential computing environment is disclosed. The apparatus includes one or more processors to: provide a remote GPU middleware layer to act as a proxy for an application stack on a client platform separate from the apparatus; communicate, by the remote GPU middleware layer, with a kernel mode driver of the one or more processors to cause the host memory to be allocated for command buffers and data structures received from the client platform for consumption by a command streamer of a remote GPU of the apparatus; and invoke, by the remote GPU middleware layer, the kernel mode driver to submit a workload generated by the application stack, the workload submitted for processing by the remote GPU using the command buffers and the data structures allocated in the host memory as directed by the command streamer.

Abstract: A computing platform comprising a plurality of disaggregated data center resources and an infrastructure processing unit (IPU), communicatively coupled to the plurality of resources, to compose a platform of the plurality of disaggregated data center resources for allocation of micro service s cluster.

Abstract: An apparatus includes a central processing unit (CPU), including a plurality of processing cores, each having a cache memory, a fabric interconnect coupled to the plurality of processing cores and cryptographic circuitry, coupled to the fabric interconnect including mesh stop station to receive memory data and determine a destination of the memory data and encryption circuitry to encrypt/decrypt the memory data based on a destination of the memory data.

Abstract: Embodiments are directed to protection of communications between a trusted execution environment and a hardware accelerator utilizing enhanced end-to-end encryption and inter-context security. An embodiment of an apparatus includes one or more processors having one or more trusted execution environments (TEEs) including a first TEE to include a first trusted application; an interface with a hardware accelerator, the hardware accelerator including trusted embedded software or firmware; and a computer memory to store an untrusted kernel mode driver for the hardware accelerator, the one or more processors to establish an encrypted tunnel between the first trusted application in the first TEE and the trusted software or firmware, generate a call for a first command from the first trusted application, generate an integrity tag for the first command, and transfer command parameters for the first command and the integrity tag to the kernel mode driver to generate the first command.

Abstract: An apparatus comprising a memory device, a system on chip (SoC), including a central processing unit (CPU) to execute a virtual machine to retrieve data from the memory device and transmit the data to a remote input/output (I/O) device coupled to a remote computing platform as memory transaction data; and a port to transmit the memory transaction data as transaction layer packets (TLPs) and a network interface card (NIC) to receive the TLPs, including an interface to receive the TLPs and packet conversion hardware to convert the TLPs to network protocol packets and transmit the network protocol packets to the remote I/O memory device.

Abstract: An apparatus comprising translator circuitry to receive a plurality of physical addresses of memory data, determine an offset associated with each of the physical page addresses and apply a tweak seed to each offset to generate a plurality of tweaks.

Abstract: Technologies for cryptographic separation of MMIO operations with an accelerator device include a computing device having a processor and an accelerator. The processor establishes a trusted execution environment. The accelerator determines, based on a target memory address, a first memory address range associated with the memory-mapped I/O transaction, generates a second authentication tag using a first cryptographic key from a set of cryptographic keys, wherein the first key is uniquely associated with the first memory address range. An accelerator validator determines whether the first authentication tag matches the second authentication tag, and a memory mapper commits the memory-mapped I/O transaction in response to a determination that the first authentication tag matches the second authentication tag. Other embodiments are described and claimed.

Abstract: Embodiments are directed to providing integrity-protected command buffer execution. An embodiment of an apparatus includes a computer-readable memory comprising one or more command buffers and a processing device communicatively coupled to the computer-readable memory to read, from a command buffer of the computer-readable memory, a first command received from a host device, the first command executable by one or more processing elements on the processing device, the first command comprising an instruction and associated parameter data, compute a first authentication tag using a cryptographic key associated with the host device, the instruction and at least a portion of the parameter data, and authenticate the first command by comparing the first authentication tag with a second authentication tag computed by the host device and associated with the command.

Abstract: An apparatus to facilitate in-place memory copy during remote data transfer in a heterogeneous compute environment is disclosed. The apparatus includes a processor to receive data via a network interface card (NIC) of a hardware accelerator device; identify a destination address of memory of the hardware accelerator device to write the data; determine that access control bits of the destination address in page tables maintained by a memory management unit (MMU) indicate that memory pages of the destination address are both registered and free; write the data to the memory pages of the destination address; and update the access control bits for memory pages of the destination address to indicate that the memory pages are restricted, wherein setting the access control bits to restricted prevents the NIC and a compute kernel of the hardware accelerator device from accessing the memory pages.

Abstract: Systems and methods include establishing a cryptographically secure communication between an application module and an audio module. The application module is configured to execute on an information-handling machine, and the audio module is coupled to the information-handling machine. The establishment of the cryptographically secure communication may be at least partially facilitated by a mutually trusted module.