Patents by Inventor Vincent R. Scarlata

Vincent R. Scarlata has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10708067
    Abstract: Embodiments include systems, methods, computer readable media, and devices configured to, for a first processor of a platform, generate a platform root key; create a data structure to encapsulate the platform root key, the data structure comprising a platform provisioning key and an identification of a registration service; and transmit, on a secure connection, the data structure to the registration service to register the platform root key for the first processor of the platform. Embodiments include systems, methods, computer readable media, and devices configured to store a device certificate received from a key generation facility; receive a manifest from a platform, the manifest comprising an identification of a processor associated with the platform; and validate the processor using a stored device certificate.
    Type: Grant
    Filed: July 2, 2016
    Date of Patent: July 7, 2020
    Assignee: Intel Corporation
    Inventors: Vincent R. Scarlata, Francis X. McKeen, Carlos V. Rozas, Simon P. Johnson, Bo Zhang, James D. Beaney, Jr., Piotr Zmijewski, Wesley Hamilton Smith, Eduardo Cabre, Uday R. Savagaonkar
  • Patent number: 10664179
    Abstract: An integrated circuit includes protected container access control logic to perform a set of access control checks and to determine whether to allow a device protected container module (DPCM) and an input and/or output (I/O) device to communicate securely through one of direct memory access (DMA) and memory-mapped input/output (MMIO). The DPCM and the I/O device are allowed to communicate securely if it is determined that at least the DPCM and the I/O device are mapped to one another, an access address associated with the communication resolves into a protected container memory, and a page of the protected container memory into which the access address resolves allows for the aforementioned one of DMA and MMIO. In some cases, a Security Attributes of Initiator (SAI) or security identifier may be used to obtain a DPCM identifier or attest that access is from a DPCM mapped to the I/O device.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: May 26, 2020
    Assignee: Intel Corporation
    Inventors: Ilya Alexandrovich, Vladimir Beker, Gideon Gerzon, Vincent R. Scarlata
  • Publication number: 20200142838
    Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.
    Type: Application
    Filed: December 27, 2019
    Publication date: May 7, 2020
    Inventors: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. Mckeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich, Gilbert Neiger, Vedvyas Shanbhogue, Ittai Anati
  • Patent number: 10642972
    Abstract: Methods and apparatus for extending packet processing to trusted programmable and fixed-function accelerators. Secure enclaves are created in system memory of a compute platform, wherein software code external from a secure enclave cannot access code or data within a secure enclave, and software code in a secure enclave can access code and data both within the secure enclave and external to the secure enclave. Software code for implementing packet processing operations is installed in the secure enclaves. The compute platform further includes one or more hardware-based accelerators that are used by the software to offload packet processing operations. The accelerators are configured to read packet data from input queues, process the data, and output processed data to output queues, wherein the input and output queues are located in encrypted portions of memory that may be in a secure enclave or external to the secure enclaves.
    Type: Grant
    Filed: October 20, 2016
    Date of Patent: May 5, 2020
    Assignee: Intel Corporation
    Inventors: Kapil Sood, Somnath Chakrabarti, Wei Shen, Carlos V. Rozas, Mona Vij, Vincent R. Scarlata
  • Patent number: 10592421
    Abstract: Instructions and logic provide advanced paging capabilities for secure enclave page caches. Embodiments include multiple hardware threads or processing cores, a cache to store secure data for a shared page address allocated to a secure enclave accessible by the hardware threads. A decode stage decodes a first instruction specifying said shared page address as an operand, and execution units mark an entry corresponding to an enclave page cache mapping for the shared page address to block creation of a new translation for either of said first or second hardware threads to access the shared page. A second instruction is decoded for execution, the second instruction specifying said secure enclave as an operand, and execution units record hardware threads currently accessing secure data in the enclave page cache corresponding to the secure enclave, and decrement the recorded number of hardware threads when any of the hardware threads exits the secure enclave.
    Type: Grant
    Filed: August 29, 2016
    Date of Patent: March 17, 2020
    Assignee: Intel Corporation
    Inventors: Carlos V. Rozas, Ilya Alexandrovich, Ittai Anati, Alex Berenzon, Michael A. Goldsmith, Barry E. Huntley, Anton Ivanov, Simon P. Johnson, Rebekah M. Leslie-Hurd, Francis X. McKeen, Gilbert Neiger, Rinat Rappoport, Scott D. Rodgers, Uday R. Savagaonkar, Vincent R. Scarlata, Vedvyas Shanbhogue, Wesley H. Smith, William C. Wood
  • Patent number: 10558588
    Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.
    Type: Grant
    Filed: July 17, 2017
    Date of Patent: February 11, 2020
    Assignee: Intel Corporation
    Inventors: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. Mckeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich, Gilbert Neiger, Vedvyas Shanbhogue, Ittai Anati
  • Patent number: 10534724
    Abstract: Instructions and logic support suspending and resuming migration of enclaves in a secure enclave page cache (EPC). An EPC stores a secure domain control structure (SDCS) in storage accessible by an enclave for a management process, and by a domain of enclaves. A second processor checks if a corresponding version array (VA) page is bound to the SDCS, and if so: increments a version counter in the SDCS for the page, performs an authenticated encryption of the page from the EPC using the version counter in the SDCS, and writes the encrypted page to external memory. A second processor checks if a corresponding VA page is bound to a second SDCS of the second processor, and if so: performs an authenticated decryption of the page using a version counter in the second SDCS, and loads the decrypted page to the EPC in the second processor if authentication passes.
    Type: Grant
    Filed: December 24, 2015
    Date of Patent: January 14, 2020
    Assignee: Intel Corporation
    Inventors: Carlos V. Rozas, Ilya Alexandrovich, Gilbert Neiger, Francis X. McKeen, Ittai Anati, Vedvyas Shanbhogue, Mona Vij, Rebekah Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Vincent R. Scarlata, Simon P. Johnson
  • Patent number: 10528721
    Abstract: Methods and apparatus for implemented trusted packet processing for multi-domain separatization and security. Secure enclaves are created in system memory of a compute platform configured to support a virtualized execution environment including a plurality of virtual machines (VMs) or containers, each secure enclave occupying a respective protected portion of the system memory, wherein software code external from a secure enclave cannot access code or data within a secure enclave, and software code in a secure enclave can access code and data both within the secure enclave and external to the secure enclave. Software code for implementing packet processing operations is installed in the secure enclaves. The software in the secure enclaves is then executed to perform the packet processing operations.
    Type: Grant
    Filed: October 20, 2016
    Date of Patent: January 7, 2020
    Assignee: Intel Corporation
    Inventors: Kapil Sood, Somnath Chakrabarti, Wei Shen, Carlos V. Rozas, Mona Vij, Vincent R. Scarlata
  • Publication number: 20190324918
    Abstract: A processor for supporting secure memory intent is disclosed. The processor of the disclosure includes a memory execution unit to access memory and a processor core coupled to the memory execution unit. The processor core is to receive a request to access a convertible page of the memory. In response to the request, the processor core to determine an intent for the convertible page in view of a page table entry (PTE) corresponding to the convertible page. The intent indicates whether the convertible page is to be accessed as at least one of a secure page or a non-secure page.
    Type: Application
    Filed: May 3, 2019
    Publication date: October 24, 2019
    Inventors: Krystof C. Zmudzinski, Siddhartha Chhabra, Uday R. Savagaonkar, Simon P. Johnson, Rebekah M. Leslie-Hurd, Francis X. McKeen, Gilbert Neiger, Raghunandan Makaram, Carlos V. Rozas, Amy L. Santoni, Vincent R. Scarlata, Vedvyas Shanbhogue, Ilya Alexandrovich, Ittai Anati, Wesley H. Smith, Michael Goldsmith
  • Publication number: 20190278911
    Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information.
    Type: Application
    Filed: February 20, 2019
    Publication date: September 12, 2019
    Applicant: Intel Corporation
    Inventors: Pradeep M. Pappachan, Reshma Lal, Bin Xing, Siddhartha Chhabra, Vincent R. Scarlata, Steven B. McGowan
  • Patent number: 10409597
    Abstract: Embodiments of an invention for memory management in secure enclaves are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive a first instruction and a second instruction. The execution unit is to execute the first instruction, wherein execution of the first instruction includes allocating a page in an enclave page cache to a secure enclave. The execution unit is also to execute the second instruction, wherein execution of the second instruction includes confirming the allocation of the page.
    Type: Grant
    Filed: May 7, 2018
    Date of Patent: September 10, 2019
    Assignee: Intel Corporation
    Inventors: Rebekah Leslie-Hurd, Carlos V. Rozas, Vincent R. Scarlata, Simon P. Johnson, Uday R. Savagaonkar, Barry E. Huntley, Vedvyas Shanbhogue, Ittai Anati, Francis X. Mckeen, Michael A. Goldsmith, Ilya Alexandrovich, Alex Berenzon, Wesley H. Smith, Gilbert Neiger
  • Publication number: 20190228159
    Abstract: Technologies for filtering transactions includes a compute device, which further includes an accelerator device and an I/O subsystem having an accelerator port. The I/O subsystem is configured to determine whether to enable a global attestation during a boot process of the compute device, receive a transaction from the accelerator device connected to the accelerator port via a coherent accelerator link, and filter the transaction based on a determination of whether to enable the global attestation.
    Type: Application
    Filed: March 29, 2019
    Publication date: July 25, 2019
    Inventors: Anna Trikalinou, Krystof Zmudzinski, Reshma Lal, Luis S. Kida, Pradeep M. Pappachan, Raghunandan Makaram, Siddhartha Chhabra, Vincent R. Scarlata
  • Patent number: 10338957
    Abstract: A secure migration enclave is provided to identify a launch of a particular virtual machine on a host computing system, where the particular virtual machine is launched to include a secure quoting enclave to perform an attestation of one or more aspects of the virtual machine. A root key for the particular virtual machine is generated using the secure migration enclave hosted on the host computing system for use in association with provisioning the secure quoting enclave with an attestation key to be used in the attestation. The migration enclave registers the root key with a virtual machine registration service.
    Type: Grant
    Filed: December 27, 2016
    Date of Patent: July 2, 2019
    Assignee: Intel Corporation
    Inventors: Vincent R. Scarlata, Carlos V. Rozas, Simon P. Johnson, Francis X. McKeen, Mona Vij, Somnath Chakrabarti, Brandon Baker, Ittai Anati, Ilya Alexandrovich
  • Publication number: 20190156038
    Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information.
    Type: Application
    Filed: January 29, 2019
    Publication date: May 23, 2019
    Inventors: Pradeep M. Pappachan, Reshma Lal, Bin Xing, Siddhartha Chhabra, Vincent R. Scarlata, Steven B. McGowan
  • Patent number: 10282306
    Abstract: A processor for supporting secure memory intent is disclosed. The processor of the disclosure includes a memory execution unit to access memory and a processor core coupled to the memory execution unit. The processor core is to receive a request to access a convertible page of the memory. In response to the request, the processor core to determine an intent for the convertible page in view of a page table entry (PTE) corresponding to the convertible page. The intent indicates whether the convertible page is to be accessed as at least one of a secure page or a non-secure page.
    Type: Grant
    Filed: January 3, 2018
    Date of Patent: May 7, 2019
    Assignee: Intel Corporation
    Inventors: Krystof C. Zmudzinski, Siddhartha Chhabra, Uday R. Savagaonkar, Simon P. Johnson, Rebekah M. Leslie-Hurd, Francis X. McKeen, Gilbert Neiger, Raghunandan Makaram, Carlos V. Rozas, Amy L. Santoni, Vincent R. Scarlata, Vedvyas Shanbhogue, Ilya Alexandrovich, Ittai Anati, Wesley H. Smith, Michael Goldsmith
  • Patent number: 10248791
    Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: April 2, 2019
    Assignee: Intel Corporation
    Inventors: Pradeep M. Pappachan, Reshma Lal, Bin Xing, Siddhartha Chhabra, Vincent R. Scarlata, Steven B. McGowan
  • Patent number: 10216648
    Abstract: Embodiments of an invention for maintaining a secure processing environment across power cycles are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to evict a root version array page entry from a secure cache. The execution unit is to execute the instruction. Execution of the instruction includes generating a blob to contain information to maintain a secure processing environment across a power cycle and storing the blob in a non-volatile memory.
    Type: Grant
    Filed: June 2, 2017
    Date of Patent: February 26, 2019
    Assignee: Intel Corporation
    Inventors: Francis X. McKeen, Vincent R. Scarlata, Carlos V. Rozas, Ittai Anati, Vedvyas Shanbhogue
  • Publication number: 20190052469
    Abstract: A computing platform implements one or more secure enclaves including a first provisioning enclave to interface with a first provisioning service to obtain a first attestation key from the first provisioning service, a second provisioning enclave to interface with a different, second provisioning service to obtain a second attestation key from the second provisioning service, and a provisioning certification enclave to sign first data from the first provisioning enclave and second data from the second provisioning enclave using a hardware-based provisioning attestation key. The signed first data is used by the first provisioning enclave to authenticate to the first provisioning service to obtain the first attestation key and the signed second data is used by the second provisioning enclave to authenticate to the second provisioning service to obtain the second attestation key.
    Type: Application
    Filed: October 17, 2018
    Publication date: February 14, 2019
    Applicant: Intel Corporation
    Inventors: Vincent R. Scarlata, Francis X. McKeen, Carlos V. Rozas, Simon P. Johnson, Bo Zhang, James D. Beaney, JR., Piotr Zmijewski, Wesley H. Smith, Eduardo Cabre
  • Publication number: 20190034617
    Abstract: Data integrity logic is executable by a processor to generate a data integrity code using a hardware-based secret. A container manager, executable by the processor, creates a secured container including report generation logic that determines measurements of the secured container, generates a report according to a defined report format, and sends a quote request including the report. The defined report format includes a field to include the measurements and a field to include the data integrity code, and the report format is compatible for consumption by any one of a plurality of different quote creator types.
    Type: Application
    Filed: July 31, 2017
    Publication date: January 31, 2019
    Inventors: Vincent R. Scarlata, Carlos V. Rozas, Baiju Patel, Barry Huntley, Ravi L. Sahita, Hormuzd M. Khosravi
  • Patent number: 10152350
    Abstract: Particular embodiments described herein provide for an electronic device that can be configured to determine that a secure domain has been created on a device, where keys are required to access the secure domain, obtain the keys that are required to access the secure domain from a network element, and encrypt the keys and store the encrypted keys on the device. In an example, only the secure domain can decrypt the encrypted keys and the device is a virtual machine.
    Type: Grant
    Filed: July 1, 2016
    Date of Patent: December 11, 2018
    Assignee: Intel Corporation
    Inventors: Somnath Chakrabarti, Mona Vij, Carlos V. Rozas, Brandon Baker, Vincent R. Scarlata, Francis X. McKeen, Simon P. Johnson