Abstract: The present disclosure includes systems and methods for securing data direct I/O (DDIO) for a secure accelerator interface, in accordance with various embodiments. Historically, DDIO has enabled performance advantages that have outweighed its security risks. DDIO circuitry may be configured to secure DDIO data by using encryption circuitry that is manufactured for use in communications with main memory along the direct memory access (DMA) path. DDIO circuitry may be configured to secure DDIO data by using DDIO encryption circuitry manufactured for use by or manufactured within the DDIO circuitry. Enabling encryption and decryption in the DDIO path by the DDIO circuitry has the potential to close a security gap in modern data central processor units (CPUs).

Abstract: A system on a chip (SoC) includes memory, a processor coupled to the memory, and link protection circuitry coupled to the memory and the processor. The link protection circuitry includes an SoC encryption engine to receive first data from the memory and a first key, generate, by an SoC encryption counter of the SoC encryption engine, an SoC encryption counter value, encrypt the first data using the SoC encryption counter value and the first key to generate first encrypted data, and cause the first encrypted data to be transmitted to a device including a device decryption counter synchronized with the SoC encryption counter.

Abstract: A computer-readable medium comprises instructions that, when executed, cause a processor to execute an untrusted workload manager to manage execution of at least one guest workload.

Abstract: System and techniques for multi-tenant cryptographic memory isolation are described herein. A multiple key total memory encryption (MKTME) circuitry may receive a read request for encrypted memory. Here, the read request may include an encrypted memory address that itself includes a sequence of keyid bits and physical address bits. The MKTME circuitry may retrieve a keyid-nonce from a key table using the keyid bits. The MKTME circuitry may construct a tweak from the keyid-nonce, the keyid bits, and the physical address bits. The MKTME circuitry may then decrypt data specified by the read request using the tweak and a common key.

Abstract: Apparatus, systems, computer readable storage mediums and/or methods may provide memory integrity by using unused physical address bits (or other metadata passed through cache) to manipulate cryptographic memory integrity values, allowing software memory allocation routines to control the assignment of pointers (e.g., implement one or more access control policies). Unused address bits (e.g., because of insufficient external memory) passed through cache, may encode key domain information in the address so that different key domain addresses alias to the same physical memory location. Accordingly, by mixing virtual memory mappings and cache line granularity aliasing, any page in memory may contain a different set of aliases at the cache line level and be non-deterministic to an adversary.

Abstract: Examples include an apparatus which accesses secure pages in a trust domain using secure lookups in first and second sets of page tables. For example, one embodiment of the processor comprises: a decoder to decode a plurality of instructions including instructions related to a trusted domain; execution circuitry to execute a first one or more of the instructions to establish a first trusted domain using a first trusted domain key, the trusted domain key to be used to encrypt memory pages within the first trusted domain; and the execution circuitry to execute a second one or more of the instructions to associate a first process address space identifier (PASID) with the first trusted domain, the first PASID to uniquely identify a first execution context associated with the first trusted domain.

Abstract: Systems, methods, and apparatuses associated with data exchanged between a processor and a hardware accelerator are disclosed. In various embodiments, a method comprises receiving, at a first endpoint, a first request to change a current tag frequency used to generate a first authentication tag for one or more transactions of a first transaction window sent over a data link to a second endpoint coupled to a processor core. The method further includes sending a message to the second endpoint that the current tag frequency is to change to a new tag frequency, where a second authentication tag for one or more transactions in a second transaction window is to be generated based on the new tag frequency. The method also includes changing the current tag frequency to the new tag frequency based, at least in part, on receiving an acknowledgement that the second endpoint received the message.

Abstract: A server includes a processor core including system memory, and a cryptographic engine storing a key data structure. The data structure is to store multiple keys for multiple secure domains. The core receives a request to program a first secure domain into the cryptographic engine. The request includes first domain information within a first wrapped binary large object (blob). In response a determination that there is no available entry in the data structure, the core selects a second secure domain within the data structure to de-schedule and issues a read key command to read second domain information from a target entry of the data structure. The core encrypts the second domain information to generate a second wrapped blob and stores the second wrapped blob in a determined region of the system memory, which frees up the target entry for use to program the first secure domain.

Abstract: Encryption interface technologies are described. A processor can include a system agent, an encryption interface, and a memory controller. The system agent can communicate data with a hardware functional block. The encryption interface can be coupled between the system agent and a memory controller. The encryption interface can receive a plaintext request from the system agent, encrypt the plaintext request to obtain an encrypted request, and communicate the encrypted request to the memory controller. The memory controller can communicate the encrypted request to a main memory of the computing device.

Abstract: Technologies for USB controller state integrity protection with trusted I/O are disclosed. A computing device includes an I/O controller, a channel identifier filter, and a memory. The I/O controller generates a memory access to controller state data in a scratchpad buffer in the memory. The memory access includes a channel identifier associated with the I/O controller. The channel identifier filter determines whether a memory address of the memory access is included in a range of a processor reserved memory region associated with the channel identifier. A processor of the computing device may copy the controller state data to a memory buffer outside of the processor reserved memory region. The computing device may reserve an isolated memory region in the memory that includes the processor reserved memory region. Secure routing hardware of the computing device may control access to the isolated memory region. Other embodiments are described and claimed.

Abstract: An embodiment of a semiconductor package apparatus may include technology to determine if an access request (e.g., a read or write request) to a memory location would result in an integrity failure and, if so determined, read previous data from the memory location, set an indicator to indicate the integrity failure, and store the previous data together with the indicator and previous authentication information. Other embodiments are disclosed and claimed.

Abstract: In one embodiment, an apparatus comprises a processor to read a data line from memory in response to a read request from a VM. The data line comprises encrypted memory data. The apparatus also comprises a memory encryption circuit in the processor. The memory encryption circuit is to use an address of the read request to select an entry from a P2K table; obtain a key identifier from the selected entry of the P2K table; use the key identifier to select a key for the read request; and use the selected key to decrypt the encrypted memory data into decrypted memory data. The processor is further to make the decrypted memory data available to the VM. The P2K table comprises multiple entries, each comprising (a) a key identifier for a page of memory and (b) an encrypted address for that page of memory. Other embodiments are described and claimed.

Abstract: Techniques for secure-chip memory for trusted execution environments are described. A processor may include a memory configured to interface with a trusted execution environment. The processor may be configured to indicate to a trusted execution environment that the memory supports dedicated access to the trusted execution environment. The processor may receive an instruction from the trusted execution environment. The processor may enforce an access control policy of an interface plugin to limit access of the memory by the trusted execution environment to a partition of the memory associated with the trusted execution environment. Other embodiments are described and claimed.

Abstract: Technologies for dynamically protecting memory of the mobile compute device include a main memory, a location sensor that produces sensor data indicative of a present location of the mobile compute device, a sensor hub communicatively coupled to the location sensor, and a security engine communicatively coupled to the sensor hub. The sensor hub determines a present location security zone of the mobile compute device based on the present location of the mobile compute device and a geofence policy, which maps locations to location security zones. The security engine encrypts the main memory of the mobile compute device and determines whether the present location security zone has changed relative to a most-previous location security zone of the mobile compute device. If the present location security zone has changed to a safe zone, the security engine decrypts the main memory.

Abstract: An integrated circuit includes a core and memory controller coupled to a last level cache (LLC). A first key identifier for a first program is associated with physical addresses of memory that store data of the first program. To flush and invalidate cache lines associated with the first key identifier, the core is to execute an instruction (having the first key identifier) to generate a transaction with the first key identifier. In response to the transaction, a cache controller of the LLC is to: identify matching entries in the LLC by comparison of first key identifier with at least part of an address tag of a plurality of entries in a tag storage structure of the LLC, the matching entries associated with cache lines of the LLC; write back, to the memory, data stored in the cache lines; and mark the matching entries of the tag storage structure as invalid.

Abstract: A processor includes a processor core to execute an application; a key attribute table (KAT) register to store a plurality of key identifiers (KeyIDs) associated with the application, wherein a KeyID identifies an encryption key; a selection circuit coupled to the KAT register to select the KeyID from the KAT register based on a KeyID selector (KSEL), wherein the KSEL is associated with a page of memory to which access is performed; a cache coupled to the processor core, the cache to store a physical address, data, and the KeyID of the page of memory, wherein the KeyID is an attribute associated with the page of memory; and a memory controller coupled to the cache to encrypt, based on the encryption key identified by the KeyID, the data of the page of memory stored in the cache as it is evicted from the cache to main memory.

Abstract: Various embodiments are generally directed to techniques for enclave confidentiality management, such as for protecting cross enclave confidentiality on servers, for instance. Some embodiments are particularly directed to a computing platform including hardware and/or instruction set architecture (ISA) extensions that ensure enclaves cannot access confidential data of other enclaves. For example, key programming ISA extensions and/or hardware changes to the page miss handler (PMH) may ensure that the key uniquely associated with an enclave is used for its memory accesses.

Abstract: This disclosure is directed to avoiding redundant memory encryption in a cryptographic protection system. Data stored in a device may be protected using different encryption systems. Data associated with at least one trusted execution environment (TEE) may be encrypted using a first encryption system. Main memory in the device may comprise data important to maintaining the integrity of an operating system (OS), etc. and may be encrypted using a second encryption system. Data may also be placed into a memory location via direct memory access (DMA) and may be protected utilizing a third encryption system. Redundant encryption may be avoided by encryption circuitry capable of determining when data is already protected by encryption provided by another system. For example, the encryption circuitry may comprise encryption control circuitry that monitors indicators set at different points during data handling, and may bypass certain data encryption or decryption operations based on the indicator settings.

Abstract: Technologies for providing shared immutable code among untrusting domains are provided. The untrusting domains may be cryptographically separated within a cloud computing service or environment. The shared immutable code may be a shared virtual machine monitor (sVMM) that is setup by system software to indicate that the sVMM code pages need integrity alone and should be protected with an integrity key associated with individual domains. This indication may be stored in page tables and carried over the memory bus to a cryptographic engine. The cryptographic engine may use this indication to protect the integrity of data before storing the data to memory. In order to ensure cryptographic isolation, integrity values may be generated using a domain-specific key ensuring that an attempt to modify the code by one domain is detected by a different domain. Other embodiments are described herein and claimed.

Abstract: In one embodiment, an apparatus includes a page miss handler to receive a full address including a linear address portion having a linear address and a key identifier portion having a key identifier for a key. The page miss handler may insert an entry including this key identifier in a translation storage. The apparatus further may include a remapping table having a plurality of entries each to store information regarding a key identifier. Other embodiments are described and claimed.