Abstract: A network device includes one or more ports, match-action circuitry, and an action processor. The one or more ports are to exchange packets between the network device and a network. The match-action circuitry is to match at least some of the packets to one or more rules so as to set respective actions to be performed, at least one of the actions including a programmable action. The instruction processor is to perform the programmable action by running user-programmable software code. The instruction processor includes architectural registers, one or more of the architectural registers being accessible by the match-action circuitry, and the match-action circuitry is to write into the architectural registers information for performing the programmable action.

Abstract: A confidential computing (CC) apparatus includes a CPU and a peripheral device. The CPU is to run a hypervisor that hosts one or more Trusted Virtual Machines (TVMs). The peripheral device is coupled to the CPU and to an external memory. The CPU includes a TVM-Monitor (TVMM), to perform management operations on the one or more TVMs, to track memory space that is allocated by the hypervisor to the peripheral device in the external memory, to monitor memory-access requests issued by the hypervisor to the memory space allocated to the peripheral device in the external memory, and to permit or deny the memory-access requests, according to a criterion.

Abstract: In one embodiment, a system includes a networking device including a network interface to receive network packets having headers including datagram transport layer security (DTLS) headers from a remote device over a packet data network, packet processing circuitry to identify first packets of the received packets for DTLS processing in the packet processing circuitry, identify second packets of the received packets to bypass DTLS processing in the packet processing circuitry and to be provided to software to perform DTLS processing on the second packets, and perform DTLS processing on the first packets, and a host interface to provide the DTLS processed first packets to the software, and provide the second packets to the software to perform DTLS processing on the second packets.

Abstract: Technologies for encrypting communication links between devices are described. A method includes generating a first initialization vector (IV), from a first subspace of IVs, for a first cryptographic ordered flow, and a second IV, from a second subspace of IVs that are mutually exclusive from the first subspace. The first and second cryptographic ordered flows share a key to secure multipath routing in a fabric between devices. The method sends, to the second device, a first packet for the first cryptographic ordered flow and a second packet for the second cryptographic ordered flow. The first packet includes a first security tag with the first IV and a first payload encrypted using the first IV and a first key. The second packet includes a second security tag with the second IV and a second payload encrypted using the second IV and a second key.

Abstract: A network device includes one or more ports, match-action circuitry, and an action processor. The one or more ports are to exchange packets between the network device and a network. The match-action circuitry is to match at least some of the packets to one or more rules so as to set respective actions to be performed, at least one of the actions including a programmable action. The instruction processor is to perform the programmable action by running user-programmable software code. The instruction processor includes architectural registers, one or more of the architectural registers being accessible by the match-action circuitry, and the match-action circuitry is to write into the architectural registers information for performing the programmable action.

Abstract: An Integrated Montgomery Calculation Engine (IMCE), for multiplying two multiplicands modulo a predefined number, includes a Carry Save Adder (CSA) circuit and control circuitry. The CSA circuit has multiple inputs, and has outputs including a sum output and a carry output. The control circuitry is coupled to the inputs and the outputs of the CSA circuit and is configured to operate the CSA circuit in at least (i) a first setting that calculates a Montgomery precompute value and (ii) a second setting that calculates a Montgomery multiplication of the two multiplicands.

Abstract: A Montgomery multiplication apparatus (MMA), for multiplying two multiplicands modulo a predefined number, includes a pre-compute circuit and a Montgomery multiplication circuit. The pre-compute circuit is configured to compute a Montgomery pre-compute value by performing a series of iterations. In a given iteration, the pre-compute circuit is configured to modify one or more intermediate values by performing bit-wise operations on the intermediate values calculated in a preceding iteration. The Montgomery multiplication circuit is configured to multiply the two multiplicands, modulo the predefined number, by performing a plurality of Montgomery reduction operations using the Montgomery pre-compute value computed by the pre-compute circuit.

Abstract: The technology disclosed herein enables selective clearing of memory regions upon a context switch. An example method includes the operations of: receiving a memory access request referencing a memory region; determining an identifier of a current execution context associated with the memory region; determining an identifier of a previous execution context specified by metadata associated with the memory region; responsive to determining that the identifier of the current execution context does not match the identifier of the previous execution context, updating the metadata associated with the memory region to store the identifier of the current execution context; clearing at least a part of the memory region; and processing the memory access request with respect to the memory region.

Abstract: A network device includes a hardware pipeline to process a network packet to be encrypted. A portion of the hardware pipeline retrieves information from the network packet and generates a command based on the information. A block cipher circuit is coupled inline within the hardware pipeline. The hardware pipeline includes hardware engines coupled between the portion of the hardware pipeline and the block cipher circuit. The hardware engines parse and execute the command to determine a set of inputs and input the set of inputs and portions of the network packet to the block cipher circuit. The block cipher circuit encrypts a payload data of the network packet based on the set of inputs.

Abstract: A confidential computing (CC) apparatus includes a CPU and a peripheral device. The CPU is to run a hypervisor that hosts one or more Trusted Virtual Machines (TVMs). The peripheral device is coupled to the CPU and to an external memory. The CPU includes a TVM-Monitor (TVMM), to perform management operations on the one or more TVMs, to track memory space that is allocated by the hypervisor to the peripheral device in the external memory, to monitor memory-access requests issued by the hypervisor to the memory space allocated to the peripheral device in the external memory, and to permit or deny the memory-access requests, according to a criterion.

Abstract: A network adapter includes a network interface controller and a processor. The network interface controller is to communicate over a peripheral bus with a host, and over a network with a remote storage device. The processor is to expose on the peripheral bus a peripheral-bus device that communicates with the host using a bus storage protocol, to receive first I/O transactions of the bus storage protocol from the host, via the exposed peripheral-bus device, and to complete the first I/O transactions in the remote storage device by (i) translating between the first I/O transactions and second I/O transactions of a network storage protocol, and (ii) executing the second I/O transactions in the remote storage device. For receiving and completing the first I/O transactions, the processor is to cause the network interface controller to transfer data directly between the remote storage device and a memory of the host using zero-copy.

Abstract: A network adapter includes a network interface controller and a processor. The network interface controller is to communicate over a peripheral bus with a host, and over a network with a remote storage device. The processor is to expose on the peripheral bus a peripheral-bus device that communicates with the host using a bus storage protocol, to receive first I/O transactions of the bus storage protocol from the host, via the exposed peripheral-bus device, and to complete the first I/O transactions in the remote storage device by (i) translating between the first I/O transactions and second I/O transactions of a network storage protocol, and (ii) executing the second I/O transactions in the remote storage device. For receiving and completing the first I/O transactions, the processor is to cause the network interface controller to transfer data directly between the remote storage device and a memory of the host using zero-copy.

Abstract: An Integrated Montgomery Calculation Engine (IMCE), for multiplying two multiplicands modulo a predefined number, includes a Carry Save Adder (CSA) circuit and control circuitry. The CSA circuit has multiple inputs, and has outputs including a sum output and a carry output. The control circuitry is coupled to the inputs and the outputs of the CSA circuit and is configured to operate the CSA circuit in at least (i) a first setting that calculates a Montgomery precompute value and (ii) a second setting that calculates a Montgomery multiplication of the two multiplicands.

Abstract: A Montgomery multiplication apparatus (MMA), for multiplying two multiplicands modulo a predefined number, includes a pre-compute circuit and a Montgomery multiplication circuit. The pre-compute circuit is configured to compute a Montgomery pre-compute value by performing a series of iterations. In a given iteration, the pre-compute circuit is configured to modify one or more intermediate values by performing bit-wise operations on the intermediate values calculated in a preceding iteration. The Montgomery multiplication circuit is configured to multiply the two multiplicands, modulo the predefined number, by performing a plurality of Montgomery reduction operations using the Montgomery pre-compute value computed by the pre-compute circuit.

Abstract: Instruction code is executed in a central processing unit of a network computing device. Besides the central processing unit the device is provided with a code sequencer operative to execute predefined instruction sequences. The code sequencer is invoked by a trigger instruction in the instruction code, which is encountered by the central processing unit. Responsively to its invocations the code sequencer executes the predefined instruction sequences.

Abstract: A method for designing a logic circuit includes providing an initial design of the logic circuit, including at least first and second logic stages, and a sequential component, which is inserted between the first and second logic stages and comprises a flip-flop or a latch. Timing delays of multiple paths in the initial design, including at least one path in which the sequential component is bypassed, are estimated. Based on the timing delays, a decision is made whether the paths in which the sequential component is bypassed meet a timing constraint set for the logic circuit. A final design of the logic circuit is then generated, in which the sequential component is either bypassed or not bypassed, depending on the decision.

Abstract: A method for designing a logic circuit includes providing an initial design of the logic circuit, including at least first and second logic stages, and a sequential component, which is inserted between the first and second logic stages and comprises a flip-flop or a latch. Timing delays of multiple paths in the initial design, including at least one path in which the sequential component is bypassed, are estimated. Based on the timing delays, a decision is made whether the paths in which the sequential component is bypassed meet a timing constraint set for the logic circuit. A final design of the logic circuit is then generated, in which the sequential component is either bypassed or not bypassed, depending on the decision.

Abstract: Instruction code is executed in a central processing unit of a network computing device. Besides the central processing unit the device is provided with a code sequencer operative to execute predefined instruction sequences. The code sequencer is invoked by a trigger instruction in the instruction code, which is encountered by the central processing unit. Responsively to its invocations the code sequencer executes the predefined instruction sequences.