Abstract: Various examples of device and system implementations and methods for performing attestation delegation operations are disclosed. In an example, attestation operations are performed by a verifier, including: obtaining endorsement information for attestation of an entity; obtaining an appraisal policy for evaluation of attestation evidence for the attestation of the entity; determining, based on the endorsement information and the appraisal policy, that delegation to a delegate verifier entity is permitted to perform the attestation of the entity; and providing, to the delegate verifier entity, a delegation command to perform the attestation of the entity, wherein the delegation command authorizes the delegate verifier entity to perform attestation operations (e.g., verifier operations) for a domain of entities including the entity.

Abstract: Techniques and mechanisms for determining an operation to be performed with a direct memory access (DMA) request. An inspection unit (105) is coupled between an input-output memory management unit (IOMMU) (120) and an endpoint device (118). The inspection unit (105) stores a registry (330) comprising entries (332) which each correspond to a respective address, and a respective one or more resources of the endpoint device (118). A given entry (332) of the registry (330) is created based on a message from the IOM MU (120) which indicates the successful completion of an address translation to facilitate a DMA request. The endpoint device (118) performs a search, based on a DMA request, to determine if any registry (330) entry (332) indicates a combination of an address and an endpoint resource, where said combination matches a corresponding combination indicated by the DMA request. Communication of the DMA request to the IOMMU (120) is contingent on a result of the search.

Abstract: Systems, methods, and apparatuses to support a device translation lookaside buffer pre-translation instruction are described. A hardware system includes an input/output device, an input/output memory controller to perform a direct memory access of a memory for the input/output device, and a processor core separate from the input/output device and comprising a decoder circuit to decode a single instruction into a decoded single instruction, the single instruction including one or more fields to identify a virtual address to physical address mapping for the input/output device in the memory, and an opcode to indicate an execution circuit is to store the virtual address to physical address mapping into a translation lookaside buffer within the input/output device, and the execution circuit to execute the decoded single instruction according to the opcode.

Abstract: Methods and apparatus for customers key protection for cloud native deployments. Compute resources for a compute platform comprising platform hardware including one or more processors are allocated to one or more customers that use the compute resources to execute applications and/or services used to perform customer workloads. The compute platform includes a per-part device key that is used to generate hardware protected key used by the applications and services. Mechanisms are provided to ensure hardware protected keys can only be accessed by associated customers and/or customer applications and services, while preventing other customers and/or applications and services from accessing the hardware protected keys. The hardware protected keys include keys employing various forms of RSA and ECC Wrapped Private Keys (WPKs) including RSA WPKs, RSA Chinese Remainder Theorem CRT WPK and ECC WPKs.

Abstract: Techniques to reduce data processing latency for a device. Circuitry at a device coupled with a host processor can facilitate execution of parallel tasks associated with processing data for a service offloaded to the device from the host processor. The parallel tasks can include prefetching information for address translations related to a shared virtual memory (SVM) space that is shared between the device and the host processor and prefetching data to be processed by device in relation to the offloaded service.

Abstract: Apparatus and method for performing address pre-translation to enhance direct memory access by hardware subsystems is described herein. An apparatus embodiment includes a processor to execute an enqueue instruction to submit, to a hardware subsystem, a job descriptor describing a job to be performed. The job descriptor includes virtual addresses of memory locations in which data required to perform the job are stored. An input-output memory management unit (IOMMU) is to obtain the address translations for the virtual addresses responsive to a pre-translation request from the processor. The address translations is obtained by the IOMMU prior to receiving a memory access request from the hardware subsystem. The IOMMU is to retrieve the data from the memory location using the address translations and to provide the retrieved data to the hardware subsystem to fulfill the request.

Abstract: Techniques and mechanisms for determining an operation to be performed with a direct memory access (DMA) request. An inspection unit (105) is coupled between an input-output memory management unit (IOMMU) (120) and an endpoint device (118). The inspection unit (105) stores a registry (330) comprising entries (332) which each correspond to a respective address, and a respective one or more resources of the endpoint device (118). A given entry (332) of the registry (330) is created based on a message from the IOM MU (120) which indicates the successful completion of an address translation to facilitate a DMA request. The endpoint device (118) performs a search, based on a DMA request, to determine if any registry (330) entry (332) indicates a combination of an address and an endpoint resource, where said combination matches a corresponding combination indicated by the DMA request. Communication of the DMA request to the IOMMU (120) is contingent on a result of the search.

Abstract: An embodiment of an integrated circuit may comprise memory to store respective resource control descriptors in correspondence with respective identifiers, and an input/output (JO) memory management unit (IOMMU) communicatively coupled to the memory, the IOMMU including circuitry to determine resource control information for an IO transaction based on a resource control descriptor stored in the memory that corresponds to an identifier associated with the IO transaction, and control utilization of one or more resources of the IOMMU based on the determined resource control information. Other embodiments are disclosed and claimed.

Abstract: Various examples of device and system implementations and methods for performing attestation delegation operations are disclosed. In an example, attestation operations are performed by a verifier, including: obtaining endorsement information for attestation of an entity; obtaining an appraisal policy for evaluation of attestation evidence for the attestation of the entity; determining, based on the endorsement information and the appraisal policy, that delegation to a delegate verifier entity is permitted to perform the attestation of the entity; and providing, to the delegate verifier entity, a delegation command to perform the attestation of the entity, wherein the delegation command authorizes the delegate verifier entity to perform attestation operations (e.g., verifier operations) for a domain of entities including the entity.

Abstract: Examples described herein relate to circuitry to provide telemetry data of first circuitry based on a power state of the first circuitry and provide telemetry data of second circuitry based on a power state of the second circuitry.