Patents by Inventor Vincent R. Scarlata
Vincent R. Scarlata has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20220035923Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information.Type: ApplicationFiled: October 22, 2021Publication date: February 3, 2022Applicant: Intel CorporationInventors: Pradeep M. Pappachan, Reshma Lal, Bin Xing, Siddhartha Chhabra, Vincent R. Scarlata, Steven B. McGowan
-
Publication number: 20210406201Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.Type: ApplicationFiled: July 3, 2021Publication date: December 30, 2021Inventors: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. Mckeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich, Gilbert Neiger, Vedvyas Shanbhogue, Ittai Anati
-
Patent number: 11157623Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information.Type: GrantFiled: February 20, 2019Date of Patent: October 26, 2021Assignee: INTEL CORPORATIONInventors: Pradeep M. Pappachan, Reshma Lal, Bin Xing, Siddhartha Chhabra, Vincent R. Scarlata, Steven B. McGowan
-
Publication number: 20210255962Abstract: A processor for supporting secure memory intent is disclosed. The processor of the disclosure includes a memory execution unit to access memory and a processor core coupled to the memory execution unit. The processor core is to receive a request to access a convertible page of the memory. In response to the request, the processor core to determine an intent for the convertible page in view of a page table entry (PTE) corresponding to the convertible page. The intent indicates whether the convertible page is to be accessed as at least one of a secure page or a non-secure page.Type: ApplicationFiled: January 22, 2021Publication date: August 19, 2021Applicant: Intel CorporationInventors: Krystof C. Zmudzinski, Siddhartha Chhabra, Uday R. Savagaonkar, Simon P. Johnson, Rebekah M. Leslie-Hurd, Francis X. McKeen, Gilbert Neiger, Raghunandan Makaram, Carlos V. Rozas, Amy L. Santoni, Vincent R. Scarlata, Vedvyas Shanbhogue, Ilya Alexandrovich, Ittai Anati, Wesley H. Smith, Michael Goldsmith
-
Patent number: 11055236Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.Type: GrantFiled: December 27, 2019Date of Patent: July 6, 2021Assignee: Intel CorporationInventors: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. Mckeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich, Gilbert Neiger, Vedvyas Shanbhogue, Ittai Anati
-
Patent number: 10943012Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information.Type: GrantFiled: January 29, 2019Date of Patent: March 9, 2021Assignee: INTEL CORPORATIONInventors: Pradeep M. Pappachan, Reshma Lal, Bin Xing, Siddhartha Chhabra, Vincent R. Scarlata, Steven B. McGowan
-
Patent number: 10922241Abstract: A processor for supporting secure memory intent is disclosed. The processor of the disclosure includes a memory execution unit to access memory and a processor core coupled to the memory execution unit. The processor core is to receive a request to access a convertible page of the memory. In response to the request, the processor core to determine an intent for the convertible page in view of a page table entry (PTE) corresponding to the convertible page. The intent indicates whether the convertible page is to be accessed as at least one of a secure page or a non-secure page.Type: GrantFiled: May 3, 2019Date of Patent: February 16, 2021Assignee: Intel CorporationInventors: Krystof C. Zmudzinski, Siddhartha Chhabra, Uday R. Savagaonkar, Simon P. Johnson, Rebekah M. Leslie-Hurd, Francis X. McKeen, Gilbert Neiger, Raghunandan Makaram, Carlos V. Rozas, Amy L. Santoni, Vincent R. Scarlata, Vedvyas Shanbhogue, Ilya Alexandrovich, Ittai Anati, Wesley H. Smith, Michael Goldsmith
-
Publication number: 20210006416Abstract: Embodiments include systems, methods, computer readable media, and devices configured to, for a first processor of a platform, generate a platform root key; create a data structure to encapsulate the platform root key, the data structure comprising a platform provisioning key and an identification of a registration service; and transmit, on a secure connection, the data structure to the registration service to register the platform root key for the first processor of the platform. Embodiments include systems, methods, computer readable media, and devices configured to store a device certificate received from a key generation facility; receive a manifest from a platform, the manifest comprising an identification of a processor associated with the platform; and validate the processor using a stored device certificate.Type: ApplicationFiled: April 23, 2020Publication date: January 7, 2021Applicant: Intel CorporationInventors: Vincent R. Scarlata, Francis X. McKeen, Carlos V. Rozas, Simon P. Johnson, Bo Zhang, James D. Beaney, JR., Piotr Zmijewski, Wesley Hamilton Smith, Eduardo Cabre, Uday R. Savagaonkar
-
Patent number: 10880097Abstract: A computing platform implements one or more secure enclaves including a first provisioning enclave to interface with a first provisioning service to obtain a first attestation key from the first provisioning service, a second provisioning enclave to interface with a different, second provisioning service to obtain a second attestation key from the second provisioning service, and a provisioning certification enclave to sign first data from the first provisioning enclave and second data from the second provisioning enclave using a hardware-based provisioning attestation key. The signed first data is used by the first provisioning enclave to authenticate to the first provisioning service to obtain the first attestation key and the signed second data is used by the second provisioning enclave to authenticate to the second provisioning service to obtain the second attestation key.Type: GrantFiled: October 17, 2018Date of Patent: December 29, 2020Assignee: Intel CorporationInventors: Vincent R. Scarlata, Francis X. McKeen, Carlos V. Rozas, Simon P. Johnson, Bo Zhang, James D. Beaney, Jr., Piotr Zmijewski, Wesley H. Smith, Eduardo Cabre
-
Publication number: 20200393977Abstract: An integrated circuit includes protected container access control logic to perform a set of access control checks and to determine whether to allow a device protected container module (DPCM) and an input and/or output (I/O) device to communicate securely through one of direct memory access (DMA) and memory-mapped input/output (MMIO). The DPCM and the I/O device are allowed to communicate securely if it is determined that at least the DPCM and the I/O device are mapped to one another, an access address associated with the communication resolves into a protected container memory, and a page of the protected container memory into which the access address resolves allows for the aforementioned one of DMA and MMIO. In some cases, a Security Attributes of Initiator (SAI) or security identifier may be used to obtain a DPCM identifier or attest that access is from a DPCM mapped to the I/O device.Type: ApplicationFiled: May 25, 2020Publication date: December 17, 2020Inventors: Ilya Alexandrovich, Vladimir Beker, Gideon Gerzon, Vincent R. Scarlata
-
Patent number: 10708067Abstract: Embodiments include systems, methods, computer readable media, and devices configured to, for a first processor of a platform, generate a platform root key; create a data structure to encapsulate the platform root key, the data structure comprising a platform provisioning key and an identification of a registration service; and transmit, on a secure connection, the data structure to the registration service to register the platform root key for the first processor of the platform. Embodiments include systems, methods, computer readable media, and devices configured to store a device certificate received from a key generation facility; receive a manifest from a platform, the manifest comprising an identification of a processor associated with the platform; and validate the processor using a stored device certificate.Type: GrantFiled: July 2, 2016Date of Patent: July 7, 2020Assignee: Intel CorporationInventors: Vincent R. Scarlata, Francis X. McKeen, Carlos V. Rozas, Simon P. Johnson, Bo Zhang, James D. Beaney, Jr., Piotr Zmijewski, Wesley Hamilton Smith, Eduardo Cabre, Uday R. Savagaonkar
-
Patent number: 10664179Abstract: An integrated circuit includes protected container access control logic to perform a set of access control checks and to determine whether to allow a device protected container module (DPCM) and an input and/or output (I/O) device to communicate securely through one of direct memory access (DMA) and memory-mapped input/output (MMIO). The DPCM and the I/O device are allowed to communicate securely if it is determined that at least the DPCM and the I/O device are mapped to one another, an access address associated with the communication resolves into a protected container memory, and a page of the protected container memory into which the access address resolves allows for the aforementioned one of DMA and MMIO. In some cases, a Security Attributes of Initiator (SAI) or security identifier may be used to obtain a DPCM identifier or attest that access is from a DPCM mapped to the I/O device.Type: GrantFiled: September 25, 2015Date of Patent: May 26, 2020Assignee: Intel CorporationInventors: Ilya Alexandrovich, Vladimir Beker, Gideon Gerzon, Vincent R. Scarlata
-
Publication number: 20200142838Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.Type: ApplicationFiled: December 27, 2019Publication date: May 7, 2020Inventors: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. Mckeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich, Gilbert Neiger, Vedvyas Shanbhogue, Ittai Anati
-
Patent number: 10642972Abstract: Methods and apparatus for extending packet processing to trusted programmable and fixed-function accelerators. Secure enclaves are created in system memory of a compute platform, wherein software code external from a secure enclave cannot access code or data within a secure enclave, and software code in a secure enclave can access code and data both within the secure enclave and external to the secure enclave. Software code for implementing packet processing operations is installed in the secure enclaves. The compute platform further includes one or more hardware-based accelerators that are used by the software to offload packet processing operations. The accelerators are configured to read packet data from input queues, process the data, and output processed data to output queues, wherein the input and output queues are located in encrypted portions of memory that may be in a secure enclave or external to the secure enclaves.Type: GrantFiled: October 20, 2016Date of Patent: May 5, 2020Assignee: Intel CorporationInventors: Kapil Sood, Somnath Chakrabarti, Wei Shen, Carlos V. Rozas, Mona Vij, Vincent R. Scarlata
-
Patent number: 10592421Abstract: Instructions and logic provide advanced paging capabilities for secure enclave page caches. Embodiments include multiple hardware threads or processing cores, a cache to store secure data for a shared page address allocated to a secure enclave accessible by the hardware threads. A decode stage decodes a first instruction specifying said shared page address as an operand, and execution units mark an entry corresponding to an enclave page cache mapping for the shared page address to block creation of a new translation for either of said first or second hardware threads to access the shared page. A second instruction is decoded for execution, the second instruction specifying said secure enclave as an operand, and execution units record hardware threads currently accessing secure data in the enclave page cache corresponding to the secure enclave, and decrement the recorded number of hardware threads when any of the hardware threads exits the secure enclave.Type: GrantFiled: August 29, 2016Date of Patent: March 17, 2020Assignee: Intel CorporationInventors: Carlos V. Rozas, Ilya Alexandrovich, Ittai Anati, Alex Berenzon, Michael A. Goldsmith, Barry E. Huntley, Anton Ivanov, Simon P. Johnson, Rebekah M. Leslie-Hurd, Francis X. McKeen, Gilbert Neiger, Rinat Rappoport, Scott D. Rodgers, Uday R. Savagaonkar, Vincent R. Scarlata, Vedvyas Shanbhogue, Wesley H. Smith, William C. Wood
-
Patent number: 10558588Abstract: A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.Type: GrantFiled: July 17, 2017Date of Patent: February 11, 2020Assignee: Intel CorporationInventors: Carlos V. Rozas, Mona Vij, Rebekah M. Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Francis X. Mckeen, Vincent R. Scarlata, Simon P. Johnson, Ilya Alexandrovich, Gilbert Neiger, Vedvyas Shanbhogue, Ittai Anati
-
Patent number: 10534724Abstract: Instructions and logic support suspending and resuming migration of enclaves in a secure enclave page cache (EPC). An EPC stores a secure domain control structure (SDCS) in storage accessible by an enclave for a management process, and by a domain of enclaves. A second processor checks if a corresponding version array (VA) page is bound to the SDCS, and if so: increments a version counter in the SDCS for the page, performs an authenticated encryption of the page from the EPC using the version counter in the SDCS, and writes the encrypted page to external memory. A second processor checks if a corresponding VA page is bound to a second SDCS of the second processor, and if so: performs an authenticated decryption of the page using a version counter in the second SDCS, and loads the decrypted page to the EPC in the second processor if authentication passes.Type: GrantFiled: December 24, 2015Date of Patent: January 14, 2020Assignee: Intel CorporationInventors: Carlos V. Rozas, Ilya Alexandrovich, Gilbert Neiger, Francis X. McKeen, Ittai Anati, Vedvyas Shanbhogue, Mona Vij, Rebekah Leslie-Hurd, Krystof C. Zmudzinski, Somnath Chakrabarti, Vincent R. Scarlata, Simon P. Johnson
-
Patent number: 10528721Abstract: Methods and apparatus for implemented trusted packet processing for multi-domain separatization and security. Secure enclaves are created in system memory of a compute platform configured to support a virtualized execution environment including a plurality of virtual machines (VMs) or containers, each secure enclave occupying a respective protected portion of the system memory, wherein software code external from a secure enclave cannot access code or data within a secure enclave, and software code in a secure enclave can access code and data both within the secure enclave and external to the secure enclave. Software code for implementing packet processing operations is installed in the secure enclaves. The software in the secure enclaves is then executed to perform the packet processing operations.Type: GrantFiled: October 20, 2016Date of Patent: January 7, 2020Assignee: Intel CorporationInventors: Kapil Sood, Somnath Chakrabarti, Wei Shen, Carlos V. Rozas, Mona Vij, Vincent R. Scarlata
-
Publication number: 20190324918Abstract: A processor for supporting secure memory intent is disclosed. The processor of the disclosure includes a memory execution unit to access memory and a processor core coupled to the memory execution unit. The processor core is to receive a request to access a convertible page of the memory. In response to the request, the processor core to determine an intent for the convertible page in view of a page table entry (PTE) corresponding to the convertible page. The intent indicates whether the convertible page is to be accessed as at least one of a secure page or a non-secure page.Type: ApplicationFiled: May 3, 2019Publication date: October 24, 2019Inventors: Krystof C. Zmudzinski, Siddhartha Chhabra, Uday R. Savagaonkar, Simon P. Johnson, Rebekah M. Leslie-Hurd, Francis X. McKeen, Gilbert Neiger, Raghunandan Makaram, Carlos V. Rozas, Amy L. Santoni, Vincent R. Scarlata, Vedvyas Shanbhogue, Ilya Alexandrovich, Ittai Anati, Wesley H. Smith, Michael Goldsmith
-
Publication number: 20190278911Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information.Type: ApplicationFiled: February 20, 2019Publication date: September 12, 2019Applicant: Intel CorporationInventors: Pradeep M. Pappachan, Reshma Lal, Bin Xing, Siddhartha Chhabra, Vincent R. Scarlata, Steven B. McGowan