Patents by Inventor Vincent R. Scarlata
Vincent R. Scarlata has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20250094594Abstract: It is provided an apparatus comprising interface circuitry, machine-readable instructions, and processing circuitry to execute the machine-readable instructions. The machine-readable instructions include instructions to obtain a request for a seamless update of at least a part of a confidential computing environment, while the confidential computing environment is handling a workload. The machine-readable instructions further include instructions to generate first attestation evidence for verifying the integrity of the confidential computing environment before updating the confidential computing environment. The machine-readable instructions further include instructions to generate second attestation evidence for verifying the integrity of the confidential computing environment after updating the confidential computing environment.Type: ApplicationFiled: September 25, 2024Publication date: March 20, 2025Inventors: Ned M. SMITH, Vincent R. SCARLATA, James BEANEY, JR.
-
Publication number: 20250094593Abstract: It is provided an apparatus comprising interface circuitry, machine-readable instructions, and processing circuitry to execute the machine-readable instructions. The machine-readable instructions include instructions to generate an attestation evidence for verifying the integrity of a first confidential computing environment, the first confidential computing environment executing a workload. The machine-readable instructions further include instructions to obtain a collection of attestation evidence associated with the workload, the collection of attestation evidence comprising attestation evidence for verifying the integrity of each confidential computing environment that the workload was deployed to during its lifecycle. The machine-readable instructions further include instructions to generate a migration image comprising the workload, the generated attestation evidence and the collection of attestation evidence.Type: ApplicationFiled: September 25, 2024Publication date: March 20, 2025Inventors: Ned M. SMITH, Vincent R. SCARLATA, James BEANEY, JR.
-
Patent number: 12242391Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.Type: GrantFiled: October 9, 2023Date of Patent: March 4, 2025Assignee: Intel CorporationInventors: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. McKeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich, Gilbert Neiger, Vedvyas Shanbhogue, Ittai Anati
-
Publication number: 20250068722Abstract: It is provided an apparatus comprising interface circuitry, machine-readable instructions, and processing circuitry to execute the machine-readable instructions. The machine-readable instructions include instructions to obtain a migration history log from a first confidential computing environment executing a workload. The migration history log comprising data about one or more performed migrations of the workload. The machine-readable instructions further include instructions to obtain an attestation evidence collection associated with the workload. The attestation evidence collection associated with the workload comprising one or more attestation evidence associated with the workload. The machine-readable instructions further include instructions to obtain a migration image of the workload from the first confidential computing environment.Type: ApplicationFiled: September 25, 2024Publication date: February 27, 2025Inventors: Ned M. SMITH, Vincent R. SCARLATA, James BEANEY, JR.
-
Publication number: 20250068738Abstract: It is provided an apparatus comprising interface circuitry, machine-readable instructions, and processing circuitry to execute the machine-readable instructions. The machine-readable instructions include instructions to generate a first attestation measurement of a runtime image executed in a confidential computing environment at a first point in time. The machine-readable instructions further include instructions to store the first attestation measurement as baseline attestation measurement in a storage circuitry. The machine-readable instructions further include instructions to generate a second attestation measurement of the runtime image executed in confidential computing environment at a second point in time. The machine-readable instructions further include instructions to generate an attestation evidence report based on the baseline attestation measurement and the second attestation measurement.Type: ApplicationFiled: September 25, 2024Publication date: February 27, 2025Inventors: Ned M. SMITH, Bin XING, Vincent R. SCARLATA
-
Publication number: 20250060987Abstract: A method and system for implementing software trusted platform module (swTPM) for a virtual machine (VM). A guest VM is set up in the system. A tenant trust domain (TTD) or a Software Guard Extension (SGX) enclave is also set up in the system, and a swTPM for the guest VM is executed within the TTD or the SGX enclave. The tenant workload and the guest VM may be measured, and the measurements may be extended into Platform Configuration Registers (PCRs) in the swTPM via a swTPM interface in the guest VM. TPM secrets may be stored in a secure storage in the SGX enclave. The TTD may take runtime measurements of the tenant workload, the guest VM, and/or the swTPM.Type: ApplicationFiled: September 26, 2024Publication date: February 20, 2025Inventors: Ned M. SMITH, Vincent R. SCARLATA, James BEANEY, JR., Jiewen YAO
-
Publication number: 20250028455Abstract: An integrated circuit includes protected container access control logic to perform a set of access control checks and to determine whether to allow a device protected container module (DPCM) and an input and/or output (I/O) device to communicate securely through one of direct memory access (DMA) and memory-mapped input/output (MMIO). The DPCM and the I/O device are allowed to communicate securely if it is determined that at least the DPCM and the I/O device are mapped to one another, an access address associated with the communication resolves into a protected container memory, and a page of the protected container memory into which the access address resolves allows for the aforementioned one of DMA and MMIO. In some cases, a Security Attributes of Initiator (SAI) or security identifier may be used to obtain a DPCM identifier or attest that access is from a DPCM mapped to the I/O device.Type: ApplicationFiled: October 8, 2024Publication date: January 23, 2025Applicant: Intel CorporationInventors: Ilya Alexandrovich, Vladimir Beker, Gideon Gerzon, Vincent R. Scarlata
-
Publication number: 20250013760Abstract: It is provided an apparatus comprising interface circuitry, machine-readable instructions, and processing circuitry to execute the machine-readable instructions. The machine-readable instructions include instructions to obtain a first set of data formats. The first set of data formats comprises data formats that are available to an attestation environment of a confidential computing environment for generation of attestation evidence of a confidential computing environment. The machine-readable instructions further comprise instructions to obtain a second set of data formats. The second set of data formats comprises data formats of attestation evidence that are available to an attestation verifier.Type: ApplicationFiled: September 25, 2024Publication date: January 9, 2025Inventors: Ned M. SMITH, Vincent R. SCARLATA, James BEANEY, JR.
-
Patent number: 12141450Abstract: An integrated circuit includes protected container access control logic to perform a set of access control checks and to determine whether to allow a device protected container module (DPCM) and an input and/or output (I/O) device to communicate securely through one of direct memory access (DMA) and memory-mapped input/output (MMIO). The DPCM and the I/O device are allowed to communicate securely if it is determined that at least the DPCM and the I/O device are mapped to one another, an access address associated with the communication resolves into a protected container memory, and a page of the protected container memory into which the access address resolves allows for the aforementioned one of DMA and MMIO. In some cases, a Security Attributes of Initiator (SAI) or security identifier may be used to obtain a DPCM identifier or attest that access is from a DPCM mapped to the I/O device.Type: GrantFiled: December 16, 2022Date of Patent: November 12, 2024Assignee: Intel CorporationInventors: Ilya Alexandrovich, Vladimir Beker, Gideon Gerzon, Vincent R. Scarlata
-
Publication number: 20240184717Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.Type: ApplicationFiled: October 9, 2023Publication date: June 6, 2024Inventors: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. Mckeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich, Gilbert Neiger, Vedvyas Shanbhogue, Ittai Anati
-
Publication number: 20240176861Abstract: Data integrity logic is executable by a processor to generate a data integrity code using a hardware-based secret. A container manager, executable by the processor, creates a secured container including report generation logic that determines measurements of the secured container, generates a report according to a defined report format, and sends a quote request including the report. The defined report format includes a field to include the measurements and a field to include the data integrity code, and the report format is compatible for consumption by any one of a plurality of different quote creator types.Type: ApplicationFiled: November 6, 2023Publication date: May 30, 2024Inventors: Vincent R. Scarlata, Carlos V. Rozas, Baiju Patel, Barry E. Huntley, Ravi L. Sahita, Hormuzd M. Khosravi
-
Patent number: 11995001Abstract: A processor for supporting secure memory intent is disclosed. The processor of the disclosure includes a memory execution unit to access memory and a processor core coupled to the memory execution unit. The processor core is to receive a request to access a convertible page of the memory. In response to the request, the processor core to determine an intent for the convertible page in view of a page table entry (PTE) corresponding to the convertible page. The intent indicates whether the convertible page is to be accessed as at least one of a secure page or a non-secure page.Type: GrantFiled: July 18, 2022Date of Patent: May 28, 2024Assignee: Intel CorporationInventors: Krystof C. Zmudzinski, Siddhartha Chhabra, Uday R. Savagaonkar, Simon P. Johnson, Rebekah M. Leslie-Hurd, Francis X. McKeen, Gilbert Neiger, Raghunandan Makaram, Carlos V. Rozas, Amy L. Santoni, Vincent R. Scarlata, Vedvyas Shanbhogue, Ilya Alexandrovich, Ittai Anati, Wesley H. Smith, Michael Goldsmith
-
Patent number: 11809545Abstract: Data integrity logic is executable by a processor to generate a data integrity code using a hardware-based secret. A container manager, executable by the processor, creates a secured container including report generation logic that determines measurements of the secured container, generates a report according to a defined report format, and sends a quote request including the report. The defined report format includes a field to include the measurements and a field to include the data integrity code, and the report format is compatible for consumption by any one of a plurality of different quote creator types.Type: GrantFiled: July 1, 2022Date of Patent: November 7, 2023Assignee: Intel Corporation, Inc.Inventors: Vincent R. Scarlata, Carlos V. Rozas, Baiju Patel, Barry E. Huntley, Ravi L. Sahita, Hormuzd M. Khosravi
-
Patent number: 11782849Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.Type: GrantFiled: July 3, 2021Date of Patent: October 10, 2023Assignee: Intel CorporationInventors: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. Mckeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich, Gilbert Neiger, Vedvyas Shanbhogue, Ittai Anati
-
Patent number: 11741230Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information.Type: GrantFiled: October 22, 2021Date of Patent: August 29, 2023Assignee: INTEL CORPORATIONInventors: Pradeep M. Pappachan, Reshma Lal, Bin Xing, Siddhartha Chhabra, Vincent R. Scarlata, Steven B. McGowan
-
Publication number: 20230266888Abstract: An integrated circuit includes protected container access control logic to perform a set of access control checks and to determine whether to allow a device protected container module (DPCM) and an input and/or output (I/O) device to communicate securely through one of direct memory access (DMA) and memory-mapped input/output (MMIO). The DPCM and the I/O device are allowed to communicate securely if it is determined that at least the DPCM and the I/O device are mapped to one another, an access address associated with the communication resolves into a protected container memory, and a page of the protected container memory into which the access address resolves allows for the aforementioned one of DMA and MMIO. In some cases, a Security Attributes of Initiator (SAI) or security identifier may be used to obtain a DPCM identifier or attest that access is from a DPCM mapped to the I/O device.Type: ApplicationFiled: December 16, 2022Publication date: August 24, 2023Inventors: Ilya Alexandrovich, Vladimir Beker, Gideon Gerzon, Vincent R. Scarlata
-
Publication number: 20230042288Abstract: A processor for supporting secure memory intent is disclosed. The processor of the disclosure includes a memory execution unit to access memory and a processor core coupled to the memory execution unit. The processor core is to receive a request to access a convertible page of the memory. In response to the request, the processor core to determine an intent for the convertible page in view of a page table entry (PTE) corresponding to the convertible page. The intent indicates whether the convertible page is to be accessed as at least one of a secure page or a non-secure page.Type: ApplicationFiled: July 18, 2022Publication date: February 9, 2023Applicant: Intel CorporationInventors: Krystof C. Zmudzinski, Siddhartha Chhabra, Uday R. Savagaonkar, Simon P. Johnson, Rebekah M. Leslie-Hurd, Francis X. McKeen, Gilbert Neiger, Raghunandan Makaram, Carlos V. Rozas, Amy L. Santoni, Vincent R. Scarlata, Vedvyas Shanbhogue, Ilya Alexandrovich, Ittai Anati, Wesley H. Smith, Michael Goldsmith
-
Patent number: 11531475Abstract: An integrated circuit includes protected container access control logic to perform a set of access control checks and to determine whether to allow a device protected container module (DPCM) and an input and/or output (I/O) device to communicate securely through one of direct memory access (DMA) and memory-mapped input/output (MMIO). The DPCM and the I/O device are allowed to communicate securely if it is determined that at least the DPCM and the I/O device are mapped to one another, an access address associated with the communication resolves into a protected container memory, and a page of the protected container memory into which the access address resolves allows for the aforementioned one of DMA and MMIO. In some cases, a Security Attributes of Initiator (SAI) or security identifier may be used to obtain a DPCM identifier or attest that access is from a DPCM mapped to the I/O device.Type: GrantFiled: May 25, 2020Date of Patent: December 20, 2022Assignee: Intel CorporationInventors: Ilya Alexandrovich, Vladimir Beker, Gideon Gerzon, Vincent R. Scarlata
-
Patent number: 11489678Abstract: Embodiments include systems, methods, computer readable media, and devices configured to, for a first processor of a platform, generate a platform root key; create a data structure to encapsulate the platform root key, the data structure comprising a platform provisioning key and an identification of a registration service; and transmit, on a secure connection, the data structure to the registration service to register the platform root key for the first processor of the platform. Embodiments include systems, methods, computer readable media, and devices configured to store a device certificate received from a key generation facility; receive a manifest from a platform, the manifest comprising an identification of a processor associated with the platform; and validate the processor using a stored device certificate.Type: GrantFiled: April 23, 2020Date of Patent: November 1, 2022Assignee: Intel CorporationInventors: Vincent R. Scarlata, Francis X. McKeen, Carlos V. Rozas, Simon P. Johnson, Bo Zhang, James D. Beaney, Jr., Piotr Zmijewski, Wesley Hamilton Smith, Eduardo Cabre, Uday R. Savagaonkar
-
Publication number: 20220335117Abstract: Data integrity logic is executable by a processor to generate a data integrity code using a hardware-based secret. A container manager, executable by the processor, creates a secured container including report generation logic that determines measurements of the secured container, generates a report according to a defined report format, and sends a quote request including the report. The defined report format includes a field to include the measurements and a field to include the data integrity code, and the report format is compatible for consumption by any one of a plurality of different quote creator types.Type: ApplicationFiled: July 1, 2022Publication date: October 20, 2022Applicant: Intel CorporationInventors: Vincent R. Scarlata, Carlos V. Rozas, Baiju Patel, Barry E. Huntley, Ravi L. Sahita, Hormuzd M. Khosravi