Patents by Inventor Steven B. McGowan

Steven B. McGowan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10140457
    Abstract: Embodiments of apparatus and methods for secure I/O device management are disclosed. In an embodiment, an apparatus includes a processor and an I/O controller. The processor has secure execution environment support, wherein the processor is to establish a secure execution environment using the secure execution environment support.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: November 27, 2018
    Assignee: Intel Corporation
    Inventor: Steven B. McGowan
  • Patent number: 10127012
    Abstract: An apparatus for managing input/output (I/O) data may include a streaming I/O controller to receive data from a load/store domain component and output the data as first streaming data of a first data type comprising a first data movement type and first data format type. The apparatus may also include at least one accelerator coupled to the streaming I/O controller to receive the first streaming data, transform the first streaming data to second streaming data having a second data type different than the first data type, and output the second streaming data. In addition, the apparatus may include a streaming interconnect to conduct the second data to a peer device configured to receive data of the second data type.
    Type: Grant
    Filed: December 27, 2013
    Date of Patent: November 13, 2018
    Assignee: INTEL CORPORATION
    Inventors: John Howard, Steven B. McGowan, Krzysztof Perycz
  • Patent number: 10095653
    Abstract: Methods and apparatuses relating to measuring propagation delays through USB retimers are described. In one embodiment, a retimer apparatus includes a receiver to receive a data block and a timestamp for the data block from an upstream device, a buffer to store the data block and the timestamp for transmittal, a controller to modify the timestamp to generate a modified timestamp that includes a time from a receipt of a first portion of the data block in the buffer until a transmittal of the first portion of the data block from the buffer, and a transmitter to transmit the data block and the modified timestamp to a downstream device.
    Type: Grant
    Filed: April 2, 2016
    Date of Patent: October 9, 2018
    Assignee: Intel Corporation
    Inventor: Steven B. McGowan
  • Patent number: 10073977
    Abstract: Technologies for authenticity assurance for I/O data include a computing device with a cryptographic engine and one or more I/O controllers. A metadata producer of the computing device performs an authenticated encryption operation on I/O data to generate encrypted I/O data and an authentication tag. The metadata producer stores the encrypted I/O data in a DMA buffer and the authentication tag in an authentication tag queue. A metadata consumer decrypts the encrypted I/O data from the DMA buffer and determines whether the encrypted I/O data is authentic using the authentication tag from the authentication tag queue. For input, the metadata producer may be embodied as the cryptographic engine and the metadata consumer may be embodied as a trusted software component. For output, the metadata producer may be embodied as the trusted software component and the metadata consumer may be embodied as the cryptographic engine. Other embodiments are described and claimed.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: September 11, 2018
    Assignee: Intel Corporation
    Inventors: Pradeep M. Pappachan, Reshma Lal, Bin Xing, Steven B. McGowan, Siddhartha Chhabra, Reouven Elbaz
  • Patent number: 10061726
    Abstract: A system and method of conducting precision time management in a universal serial bus system with a retimer. The method includes initiating, from the retimer, a link delay management request on an upstream-facing port of the retimer. The method further includes receiving, at a downstream-facing port of the retimer, a link delay management request and responding to the request received on the downstream-facing port.
    Type: Grant
    Filed: December 23, 2015
    Date of Patent: August 28, 2018
    Assignee: INTEL CORPORATION
    Inventors: Steven B. McGowan, Huimin Chen
  • Patent number: 10019400
    Abstract: An apparatus is described herein. The apparatus includes a Universal Serial Bus (USB) component and a controller interface. The controller interface is to allocate register space for interfacing with the USB component and the USB component is virtualized into multiple instantiations. The apparatus also includes a secure environment, and the secure environment further virtualizes the multiple instantiations such that the multiple instantiations are owned by the secure environment.
    Type: Grant
    Filed: March 27, 2015
    Date of Patent: July 10, 2018
    Assignee: Intel Corporation
    Inventors: Nitin V. Sarangdhar, Steven B. McGowan, Raul Gutierrez, Karthi R. Vadivelu
  • Patent number: 10013579
    Abstract: Various configurations and methods for securing and validating trusted input output (IO) data communications within fabric interconnects of processing circuitry are disclosed herein. As an example, a technique for secure routing of trusted software transactions includes operations of a crypto engine and an IO hub to validate trusted transactions such as DMA read and write transactions received from a trusted IO controller, and configuring the fabrics of the circuitry to prevent re-routing or tampering of data from the trusted transactions. In an example, hardware-based identification and verification of the trusted transactions may be performed with use of content addressable memory at the crypto engine and the respective unsecure fabrics, to identify and enforce the trusted transactions that cannot be re-routed. As a result, rogue agents or entities connected to the unsecure fabrics cannot interfere with or intercept data for trusted transactions.
    Type: Grant
    Filed: December 23, 2015
    Date of Patent: July 3, 2018
    Assignee: Intel Corporation
    Inventors: Reouven Elbaz, Siddhartha Chhabra, Steven B. McGowan
  • Publication number: 20180145951
    Abstract: In one embodiment, an apparatus includes a wireless controller, which may include a byte stream parser to receive a stream of data from one or more wireless devices and parse the stream of data to identify a first data packet associated with a first channel identifier associated with a trusted application, and a cryptographic engine coupled to the byte stream parser to encrypt a payload portion of the first data packet in response to the identification of the first data packet associated with the first channel identifier. Other embodiments are described and claimed.
    Type: Application
    Filed: November 21, 2016
    Publication date: May 24, 2018
    Inventors: Srikanth Varadarajan, Reshma Lal, Steven B. McGowan, Hakan Magnus Eriksson, Travis W. Peters
  • Patent number: 9864711
    Abstract: Examples are disclosed for automatic downstream to upstream mode switching at a universal serial bus (USB) physical (PHY) layer including activating a switching structure to switch a USB port operating in a downstream mode to an upstream mode based on an attempted attachment by another USB port also operating in a downstream mode. The examples may also include facilitating attachment of the switched USB port now operating in the upstream mode to the other USB port operating in the downstream mode.
    Type: Grant
    Filed: December 16, 2011
    Date of Patent: January 9, 2018
    Assignee: INTEL CORPORATION
    Inventors: Jennifer C. Wang, Alejandro Lenero Beracoechea, Nai-Chih Chang, Steven B. McGowan
  • Publication number: 20170286359
    Abstract: Methods and apparatuses relating to measuring propagation delays through USB retimers are described. In one embodiment, a retimer apparatus includes a receiver to receive a data block and a timestamp for the data block from an upstream device, a buffer to store the data block and the timestamp for transmittal, a controller to modify the timestamp to generate a modified timestamp that includes a time from a receipt of a first portion of the data block in the buffer until a transmittal of the first portion of the data block from the buffer, and a transmitter to transmit the data block and the modified timestamp to a downstream device.
    Type: Application
    Filed: April 2, 2016
    Publication date: October 5, 2017
    Inventor: Steven B. McGowan
  • Publication number: 20170212724
    Abstract: An apparatus for managing input/output (I/O) data may include a streaming I/O controller to receive data from a load/store domain component and output the data as first streaming data of a first data type comprising a first data movement type and first data format type. The apparatus may also include at least one accelerator coupled to the streaming I/O controller to receive the first streaming data, transform the first streaming data to second streaming data having a second data type different than the first data type, and output the second streaming data. In addition, the apparatus may include a streaming interconnect to conduct the second data to a peer device configured to receive data of the second data type.
    Type: Application
    Filed: December 27, 2013
    Publication date: July 27, 2017
    Inventors: John Howard, Steven B. McGowan, Krzysztof Perycz
  • Publication number: 20170185547
    Abstract: A system and method of conducting precision time management in a universal serial bus system with a retimer. The method includes initiating, from the retimer, a link delay management request on an upstream-facing port of the retimer. The method further includes receiving, at a downstream-facing port of the retimer, a link delay management request and responding to the request received on the downstream-facing port.
    Type: Application
    Filed: December 23, 2015
    Publication date: June 29, 2017
    Inventors: Steven B. McGowan, Huimin Chen
  • Publication number: 20170185804
    Abstract: Various configurations and methods for securing and validating trusted input output (IO) data communications within fabric interconnects of processing circuitry are disclosed herein. As an example, a technique for secure routing of trusted software transactions includes operations of a crypto engine and an IO hub to validate trusted transactions such as DMA read and write transactions received from a trusted IO controller, and configuring the fabrics of the circuitry to prevent re-routing or tampering of data from the trusted transactions. In an example, hardware-based identification and verification of the trusted transactions may be performed with use of content addressable memory at the crypto engine and the respective unsecure fabrics, to identify and enforce the trusted transactions that cannot be re-routed. As a result, rogue agents or entities connected to the unsecure fabrics cannot interfere with or intercept data for trusted transactions.
    Type: Application
    Filed: December 23, 2015
    Publication date: June 29, 2017
    Inventors: Reouven Elbaz, Siddhartha Chhabra, Steven B. McGowan
  • Publication number: 20170177293
    Abstract: Technologies for cryptographic protection of I/O audio data include a computing device with a cryptographic engine and an audio controller. A trusted software component may request an untrusted audio driver to establish an audio session with the audio controller that is associated with an audio codec. The trusted software component may verify that a stream identifier associated with the audio session received from the audio driver matches a stream identifier received from the codec. The trusted software may program the cryptographic engine with a DMA channel identifier associated with the codec, and the audio controller may assert the channel identifier in each DMA transaction associated with the audio session. The cryptographic engine cryptographically protects audio data associated with the audio session. The audio controller may lock the controller topology after establishing the audio session, to prevent re-routing of audio during a trusted audio session. Other embodiments are described and claimed.
    Type: Application
    Filed: December 18, 2015
    Publication date: June 22, 2017
    Inventors: Sudha Krishnakumar, Reshma Lal, Pradeep M. Pappachan, Kar Leong Wong, Steven B. McGowan, Adeel A. Aslam
  • Publication number: 20170032132
    Abstract: Embodiments of apparatus and methods for secure I/O device management are disclosed. In an embodiment, an apparatus includes a processor and an I/O controller. The processor has secure execution environment support, wherein the processor is to establish a secure execution environment using the secure execution environment support.
    Type: Application
    Filed: January 29, 2016
    Publication date: February 2, 2017
    Inventor: Steven B. McGowan
  • Publication number: 20170024570
    Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information.
    Type: Application
    Filed: December 18, 2015
    Publication date: January 26, 2017
    Inventors: Pradeep M. Pappachan, Reshma Lal, Bin Xing, Siddhartha Chhabra, Vincent R. Scarlata, Steven B. McGowan
  • Publication number: 20170026171
    Abstract: Technologies for cryptographic protection of I/O data include a computing device with one or more I/O controllers. Each I/O controller may be coupled to one or more I/O devices. Each I/O controller may generate a direct memory access (DMA) transaction that includes a channel identifier that is indicative of the I/O controller and that is indicative of an I/O device coupled to the I/O controller. The computing device intercepts the DMA transaction and determines whether to protect the DMA transaction as a function of the channel identifier. If so, the computing device performs a cryptographic operation using an encryption key associated with the channel identifier. The computing device may include a cryptographic engine that intercepts the DMA transaction and determines whether to protect the DMA transaction by determining whether the channel identifier matches an entry in a channel identifier table of the cryptographic engine. Other embodiments are described and claimed.
    Type: Application
    Filed: December 18, 2015
    Publication date: January 26, 2017
    Inventors: Reshma Lal, Steven B. McGowan, Siddhartha Chhabra, Gideon Gerzon, Bin Xing, Pradeep M. Pappachan, Reouven Elbaz
  • Publication number: 20170024569
    Abstract: Technologies for trusted I/O (TIO) include a computing device with a cryptographic engine and one or more I/O controllers. The computing device executes a TIO core service that has a cryptographic engine programming privilege granted by an operating system. The TIO core service receives a request from an application to protect a DMA channel. The TIO core service requests the operating system to protect the DMA channel, and the operating system verifies the cryptographic engine programming privilege of the TIO core service in response. The operating system programs the cryptographic engine to protect the DMA channel in response to verifying the cryptographic engine programming privilege of the TIO core service. If a privileged delegate determines that a user has confirmed termination of protection of the DMA channel, the TIO core service may unprotect the DMA channel. Other embodiments are described and claimed.
    Type: Application
    Filed: December 18, 2015
    Publication date: January 26, 2017
    Inventors: Bin Xing, Pradeep M. Pappachan, Siddhartha Chhabra, Reshma Lal, Steven B. McGowan
  • Publication number: 20170024584
    Abstract: Technologies for secure programming of a cryptographic engine include a computing device with a cryptographic engine and one or more I/O controllers. The computing device establishes an invoking secure enclave using secure enclave support of a processor. The invoking enclave configures channel programming information, including a channel key, and invokes a processor instruction with the channel programming information as a parameter. The processor generates wrapped programming information including an encrypted channel key and a message authentication code. The encrypted channel key is protected with a key known only to the processor. The invoking enclave provides the wrapped programming information to untrusted software, which invokes a processor instruction with the wrapped programming information as a parameter. The processor unwraps and verifies the wrapped programming information and then programs the cryptographic engine.
    Type: Application
    Filed: December 22, 2015
    Publication date: January 26, 2017
    Inventors: Siddhartha Chhabra, Gideon Gerzon, Reshma Lal, Bin Xing, Pradeep M. Pappachan, Steven B. McGowan
  • Publication number: 20170024568
    Abstract: Technologies for authenticity assurance for I/O data include a computing device with a cryptographic engine and one or more I/O controllers. A metadata producer of the computing device performs an authenticated encryption operation on I/O data to generate encrypted I/O data and an authentication tag. The metadata producer stores the encrypted I/O data in a DMA buffer and the authentication tag in an authentication tag queue. A metadata consumer decrypts the encrypted I/O data from the DMA buffer and determines whether the encrypted I/O data is authentic using the authentication tag from the authentication tag queue. For input, the metadata producer may be embodied as the cryptographic engine and the metadata consumer may be embodied as a trusted software component. For output, the metadata producer may be embodied as the trusted software component and the metadata consumer may be embodied as the cryptographic engine. Other embodiments are described and claimed.
    Type: Application
    Filed: December 18, 2015
    Publication date: January 26, 2017
    Inventors: Pradeep M. Pappachan, Reshma Lal, Bin Xing, Steven B. McGowan, Siddhartha Chhabra, Reouven Elbaz