Patents by Inventor Uria Basher
Uria Basher has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20260119233
Abstract: An apparatus includes one or more processor cores, a memory associated with the one or more processing cores, a scheduler, and an activation accelerator. The scheduler is to select a processor core from the one or more processor cores for executing a program thread. The activation accelerator is to send information relating to the program thread to the memory, and to notify the selected processor core to start executing the program thread using the information in the memory.
Type: Application
Filed: October 29, 2024
Publication date: April 30, 2026
Inventors: Doron Haim, Evgeny Pimenov, Gabi Liron, Gal Barzilai, Hagai David, Parav Pandit, Sagi Farjun, Salvatore Di Girolamo, Sayantan Sur, Tzur Raanan, Uria Basher
-
Publication number: 20260006010
Abstract: A network device includes a hardware pipeline to process a network packet to be encrypted for transmission, the hardware pipeline includes a steering engine to retrieve, from the network packet, information including a packet header, a parsed header structure, or steering metadata associated with processing the network packet. The steering engine generates, based on the information, steering action(s) to be taken using a match-action pipeline of the hardware pipeline. The steering engine generates command(s) based on the steering action(s). A set of hardware engines, of the hardware pipeline, are to be triggered, by the one the command(s), to parse and execute the command(s) to determine a set of inputs and facilitate performance of a cryptographic operation on a payload data of the network packet based on the set of inputs.
Type: Application
Filed: September 8, 2025
Publication date: January 1, 2026
Inventors: Yuval Shicht, Miriam Menes, Ariel Shahar, Uria Basher, Boris Pismenny
-
Patent number: 12498879
Abstract: A computer system includes a processor and a Duplicate Write Circuit (DWC). The DWC is to hold a definition that specifies an address range and a plurality of additional address ranges, and to receive, from the processor, a write command that specifies a write-data and a write-address. When the write-address falls outside the address range, the DWC is to generate a write cycle that writes the write-data to the address. When the write-address falls in the address range, the DWC is to generate (i) the write cycle that writes the write-data to the address, and (ii) a sequence of additional write cycles that write the write-data to corresponding addresses in the additional address ranges.
Type: Grant
Filed: March 21, 2024
Date of Patent: December 16, 2025
Assignee: Mellanox Technologies, Ltd
Inventors: Alon Singer, Uria Basher
-
Publication number: 20250363203
Abstract: The technology disclosed herein enables selective clearing of memory regions upon a context switch. An example method includes the operations of: determining an identifier of a current execution context associated with a memory region; determining an identifier of a previous execution context specified by metadata associated with the memory region; responsive to determining that the identifier of the current execution context does not match the identifier of the previous execution context, associating the memory region with the current execution context; and clearing at least a part of the memory region.
Type: Application
Filed: August 6, 2025
Publication date: November 27, 2025
Inventors: Ahmad Atamli, Ilan Pardo, Miriam Menes, Shahaf Shuler, Meni Orenbach, Uria Basher, Gabi Liron
-
Patent number: 12452219
Abstract: In one embodiment, a system includes a networking device including a network interface to receive network packets having headers including datagram transport layer security (DTLS) headers from a remote device over a packet data network, packet processing circuitry to identify first packets of the received packets for DTLS processing in the packet processing circuitry, identify second packets of the received packets to bypass DTLS processing in the packet processing circuitry and to be provided to software to perform DTLS processing on the second packets, and perform DTLS processing on the first packets, and a host interface to provide the DTLS processed first packets to the software, and provide the second packets to the software to perform DTLS processing on the second packets.
Type: Grant
Filed: April 4, 2024
Date of Patent: October 21, 2025
Assignee: Mellanox Technologies, Ltd
Inventors: Uria Basher, Michael Tahar, Amir Modan, Ben Witulski, Miriam Menes, Miri Shtaif
-
Patent number: 12438859
Abstract: A network device includes a hardware pipeline to process a network packet to be encrypted. A portion of the hardware pipeline retrieves information from the network packet and generates a command based on the information. A block cipher circuit is coupled inline within the hardware pipeline. The hardware pipeline includes hardware engines coupled between the portion of the hardware pipeline and the block cipher circuit. The hardware engines parse and execute the command to determine a set of inputs and input the set of inputs and portions of the network packet to the block cipher circuit. The block cipher circuit encrypts a payload data of the network packet based on the set of inputs.
Type: Grant
Filed: May 10, 2023
Date of Patent: October 7, 2025
Assignee: Mellanox Technologies, Ltd.
Inventors: Yuval Shicht, Miriam Menes, Ariel Shahar, Uria Basher, Boris Pismenny
-
Publication number: 20250298537
Abstract: A computer system includes a processor and a Duplicate Write Circuit (DWC). The DWC is to hold a definition that specifies an address range and a plurality of additional address ranges, and to receive, from the processor, a write command that specifies a write-data and a write-address. When the write-address falls outside the address range, the DWC is to generate a write cycle that writes the write-data to the address. When the write-address falls in the address range, the DWC is to generate (i) the write cycle that writes the write-data to the address, and (ii) a sequence of additional write cycles that write the write-data to corresponding addresses in the additional address ranges.
Type: Application
Filed: March 21, 2024
Publication date: September 25, 2025
Inventors: Alon Singer, Uria Basher
-
Patent number: 12417278
Abstract: The technology disclosed herein enables selective clearing of memory regions upon a context switch. An example method includes the operations of: receiving a memory access request referencing a memory region; determining an identifier of a current execution context associated with the memory region; determining an identifier of a previous execution context specified by metadata associated with the memory region; responsive to determining that the identifier of the current execution context does not match the identifier of the previous execution context, updating the metadata associated with the memory region to store the identifier of the current execution context; clearing at least a part of the memory region; and processing the memory access request with respect to the memory region.
Type: Grant
Filed: December 20, 2022
Date of Patent: September 16, 2025
Assignee: Mellanox Technologies Ltd.
Inventors: Ahmad Atamli, Ilan Pardo, Miriam Menes, Shahaf Shuler, Meni Orenbach, Uria Basher, Gabi Liron
-
Publication number: 20250217148
Abstract: A device includes one or more ports, match-action circuitry, and an action processor. The one or more ports are to exchange packets between the device and a network. The match-action circuitry is to match at least some of the packets to one or more rules so as to set respective actions to be performed, at least one of the actions including a programmable action. The instruction processor is to perform the programmable action by running user-programmable software code. The match-action circuitry is to provide the instruction processor information for performing the programmable action.
Type: Application
Filed: March 20, 2025
Publication date: July 3, 2025
Inventors: Ariel Shahar, Avi Urman, Omri Kahalon, Uria Basher, Doron Haim, Sagi Farjun
-
Publication number: 20250190544
Abstract: A confidential computing (CC) apparatus, including a CPU, to run a hypervisor that hosts one or more Trusted Virtual Machines (TVMs). The CC apparatus provides inter-TVM isolation and hardware isolation between the one or more TVMs and the hypervisor. The CPU is further to run a Device TVM (DTVM) including an interface to the network device; and a hypervisor interface which presents the DTVM to the hypervisor as a TVM, in a manner that the CC provides inter-TVM isolation and hardware isolation between the DTVM and the one or more TVMs and the hypervisor, as if the DTVM is a TVM. The DTVM is to receive from the hypervisor allocations of memory space in the external memory for a network device; and allocate the memory space in the external memory to the network device, in response to the hypervisor allocations.
Type: Application
Filed: February 19, 2025
Publication date: June 12, 2025
Inventors: Boris Pismenny, Miriam Menes, Ahmad Atamli, Ilan Pardo, Ariel Shahar, Uria Basher
-
Patent number: 12282775
Abstract: A network device includes one or more ports, match-action circuitry, and an action processor. The one or more ports are to exchange packets between the network device and a network. The match-action circuitry is to match at least some of the packets to one or more rules so as to set respective actions to be performed, at least one of the actions including a programmable action. The instruction processor is to perform the programmable action by running user-programmable software code. The instruction processor includes architectural registers, one or more of the architectural registers being accessible by the match-action circuitry, and the match-action circuitry is to write into the architectural registers information for performing the programmable action.
Type: Grant
Filed: May 22, 2023
Date of Patent: April 22, 2025
Assignee: Mellanox Technologies, Ltd
Inventors: Ariel Shahar, Avi Urman, Omri Kahalon, Uria Basher, Doron Haim, Sagi Farjun
-
Patent number: 12259963
Abstract: A confidential computing (CC) apparatus includes a CPU and a peripheral device. The CPU is to run a hypervisor that hosts one or more Trusted Virtual Machines (TVMs). The peripheral device is coupled to the CPU and to an external memory. The CPU includes a TVM-Monitor (TVMM), to perform management operations on the one or more TVMs, to track memory space that is allocated by the hypervisor to the peripheral device in the external memory, to monitor memory-access requests issued by the hypervisor to the memory space allocated to the peripheral device in the external memory, and to permit or deny the memory-access requests, according to a criterion.
Type: Grant
Filed: February 22, 2022
Date of Patent: March 25, 2025
Assignee: Mellanox Technologies, Ltd
Inventors: Boris Pismenny, Miriam Menes, Ahmad Atamli, Ilan Pardo, Ariel Shahar, Uria Basher
-
Publication number: 20240406148
Abstract: In one embodiment, a system includes a networking device including a network interface to receive network packets having headers including datagram transport layer security (DTLS) headers from a remote device over a packet data network, packet processing circuitry to identify first packets of the received packets for DTLS processing in the packet processing circuitry, identify second packets of the received packets to bypass DTLS processing in the packet processing circuitry and to be provided to software to perform DTLS processing on the second packets, and perform DTLS processing on the first packets, and a host interface to provide the DTLS processed first packets to the software, and provide the second packets to the software to perform DTLS processing on the second packets.
Type: Application
Filed: April 4, 2024
Publication date: December 5, 2024
Inventors: Uria Basher, Michael Tahar, Amir Modan, Ben Witulski, Miriam Menes, Miri Shtaif
-
Publication number: 20240406154
Abstract: Technologies for encrypting communication links between devices are described. A method includes generating a first initialization vector (IV), from a first subspace of IVs, for a first cryptographic ordered flow, and a second IV, from a second subspace of IVs that are mutually exclusive from the first subspace. The first and second cryptographic ordered flows share a key to secure multipath routing in a fabric between devices. The method sends, to the second device, a first packet for the first cryptographic ordered flow and a second packet for the second cryptographic ordered flow. The first packet includes a first security tag with the first IV and a first payload encrypted using the first IV and a first key. The second packet includes a second security tag with the second IV and a second payload encrypted using the second IV and a second key.
Type: Application
Filed: December 4, 2023
Publication date: December 5, 2024
Inventors: Miriam Menes, Naveen Cherukuri, Ahmad Atamli, Uria Basher, Mike Osborn, Mark Hummel, Liron Mula
-
Publication number: 20240394060
Abstract: A network device includes one or more ports, match-action circuitry, and an action processor. The one or more ports are to exchange packets between the network device and a network. The match-action circuitry is to match at least some of the packets to one or more rules so as to set respective actions to be performed, at least one of the actions including a programmable action. The instruction processor is to perform the programmable action by running user-programmable software code. The instruction processor includes architectural registers, one or more of the architectural registers being accessible by the match-action circuitry, and the match-action circuitry is to write into the architectural registers information for performing the programmable action.
Type: Application
Filed: May 22, 2023
Publication date: November 28, 2024
Inventors: Ariel Shahar, Avi Urman, Omri Kahalon, Uria Basher, Doron Haim, Sagi Farjun
-
Patent number: 12131132
Abstract: An Integrated Montgomery Calculation Engine (IMCE), for multiplying two multiplicands modulo a predefined number, includes a Carry Save Adder (CSA) circuit and control circuitry. The CSA circuit has multiple inputs, and has outputs including a sum output and a carry output. The control circuitry is coupled to the inputs and the outputs of the CSA circuit and is configured to operate the CSA circuit in at least (i) a first setting that calculates a Montgomery precompute value and (ii) a second setting that calculates a Montgomery multiplication of the two multiplicands.
Type: Grant
Filed: February 22, 2021
Date of Patent: October 29, 2024
Assignee: MELLANOX TECHNOLOGIES, LTD.
Inventors: Adir Zevulun, Uria Basher, Nir Shmuel, Ben Witulski
-
Patent number: 12079594
Abstract: A Montgomery multiplication apparatus (MMA), for multiplying two multiplicands modulo a predefined number, includes a pre-compute circuit and a Montgomery multiplication circuit. The pre-compute circuit is configured to compute a Montgomery pre-compute value by performing a series of iterations. In a given iteration, the pre-compute circuit is configured to modify one or more intermediate values by performing bit-wise operations on the intermediate values calculated in a preceding iteration. The Montgomery multiplication circuit is configured to multiply the two multiplicands, modulo the predefined number, by performing a plurality of Montgomery reduction operations using the Montgomery pre-compute value computed by the pre-compute circuit.
Type: Grant
Filed: February 22, 2021
Date of Patent: September 3, 2024
Assignee: MELLANOX TECHNOLOGIES, LTD.
Inventors: Adir Zevulun, Uria Basher, Nir Shmuel, Ben Witulski
-
Publication number: 20240202315
Abstract: The technology disclosed herein enables selective clearing of memory regions upon a context switch. An example method includes the operations of: receiving a memory access request referencing a memory region; determining an identifier of a current execution context associated with the memory region; determining an identifier of a previous execution context specified by metadata associated with the memory region; responsive to determining that the identifier of the current execution context does not match the identifier of the previous execution context, updating the metadata associated with the memory region to store the identifier of the current execution context; clearing at least a part of the memory region; and processing the memory access request with respect to the memory region.
Type: Application
Filed: December 20, 2022
Publication date: June 20, 2024
Inventors: Ahmad Atamli, Ilan Pardo, Miriam Menes, Shahaf Shuler, Meni Orenbach, Uria Basher
-
Publication number: 20240146703
Abstract: A network device includes a hardware pipeline to process a network packet to be encrypted. A portion of the hardware pipeline retrieves information from the network packet and generates a command based on the information. A block cipher circuit is coupled inline within the hardware pipeline. The hardware pipeline includes hardware engines coupled between the portion of the hardware pipeline and the block cipher circuit. The hardware engines parse and execute the command to determine a set of inputs and input the set of inputs and portions of the network packet to the block cipher circuit. The block cipher circuit encrypts a payload data of the network packet based on the set of inputs.
Type: Application
Filed: May 10, 2023
Publication date: May 2, 2024
Inventors: Yuval Shicht, Miriam Menes, Ariel Shahar, Uria Basher, Boris Pismenny
-
Publication number: 20230267196
Abstract: A confidential computing (CC) apparatus includes a CPU and a peripheral device. The CPU is to run a hypervisor that hosts one or more Trusted Virtual Machines (TVMs). The peripheral device is coupled to the CPU and to an external memory. The CPU includes a TVM-Monitor (TVMM), to perform management operations on the one or more TVMs, to track memory space that is allocated by the hypervisor to the peripheral device in the external memory, to monitor memory-access requests issued by the hypervisor to the memory space allocated to the peripheral device in the external memory, and to permit or deny the memory-access requests, according to a criterion.
Type: Application
Filed: February 22, 2022
Publication date: August 24, 2023
Inventors: Boris Pismenny, Miriam Menes, Ahmad Atamli, Ilan Pardo, Ariel Shahar, Uria Basher