Techniques for data storage protection and integrity checking

US 10,310,774 B2
Filed: 12/24/2015
Issued: 06/04/2019
Est. Priority Date: 12/24/2015
Status: Active Grant

First Claim

Patent Images

1. An apparatus to support secure processing comprising:

a processor component comprising a cache, the cache comprising a cache line to store a first block of data that is to correspond to a second block of encrypted data stored within a storage by the processor component;

a compressor to compress the data within the first block to generate compressed data within the first block to clear sufficient storage space within the first block to store a first metadata associated with generation of the second block of encrypted data from the first block of data in response to eviction of the first block of data from the cache line; and

an encrypter to;

encrypt the compressed data and the first metadata within the first block to generate the encrypted data within the second block within the storage;

generate a cryptographic hash of the encrypted data andstore, within the second block within the storage;

(i) encryption metadata associated with the encryption of the compressed data and the encryption of the first metadata, and (ii) integrity metadata indicative of the cryptographic hash of the encrypted data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments are generally directed to techniques for encrypting stored data. An apparatus includes a processor component comprising a cache that comprises a cache line to store a first block of data corresponding to a second block of encrypted data stored within a storage; a compressor to compress the data within the first block to generate compressed data within the first block to clear sufficient storage space within the first block to store metadata associated with generation of the second block of encrypted data from the first block in response to eviction of the first block from the cache line; and an encrypter to encrypt the compressed data within the first block to generate the encrypted data within the second block and to store encryption metadata associated with encrypting the compressed data within the second block as a portion of the metadata associated with the generation of the second block.

Citations

25 Claims

1. An apparatus to support secure processing comprising:
- a processor component comprising a cache, the cache comprising a cache line to store a first block of data that is to correspond to a second block of encrypted data stored within a storage by the processor component;
  
  a compressor to compress the data within the first block to generate compressed data within the first block to clear sufficient storage space within the first block to store a first metadata associated with generation of the second block of encrypted data from the first block of data in response to eviction of the first block of data from the cache line; and
  
  an encrypter to;
  
  encrypt the compressed data and the first metadata within the first block to generate the encrypted data within the second block within the storage;
  
  generate a cryptographic hash of the encrypted data andstore, within the second block within the storage;
  
  (i) encryption metadata associated with the encryption of the compressed data and the encryption of the first metadata, and (ii) integrity metadata indicative of the cryptographic hash of the encrypted data.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1, comprising a measurer to take a first measure of the data within the first block prior to the compression of the data within the first block, and to store integrity metadata indicative of the first measure within the second block.
  - 3. The apparatus of claim 1, the compressor to determine whether the data within the first block is able to be compressed sufficiently to clear sufficient storage space within the first block to store at least the first metadata, the compressor to condition compression of the data within the first block on a determination that the data is able to be compressed sufficiently, and the encrypter to condition storage of at least the first metadata within the second block in lieu of a third block on a determination that the data is able to be compressed sufficiently.
  - 4. The apparatus of claim 3, in response to a determination that the data within the first block is not able to be compressed sufficiently, the compressor to refrain from compressing the data within the first block, the encrypter to store the encryption metadata and the integrity metadata within the third block, and the processor component to store the second and third blocks within the storage.
  - 5. The apparatus of claim 1, the encrypter comprising a counter to provide a unique counter value as an input to encrypting data within each block of data of multiple blocks of data evicted by the cache line, the encrypter to store the encryption metadata in a metadata store accessible by a security subsystem of the processor component, and the encrypter to include in encryption metadata associated with each block of the multiple blocks an indication of the corresponding counter value.
  - 6. The apparatus of claim 1, a size of the first block and a size of the second block to correspond to a size of the cache line, the first block of data evicted from the cache line to store the second block of encrypted data at a location within the storage associated with a physical address, and the encrypter to employ the physical address as an input to the encryption of the compressed data within the first block.
  - 7. The apparatus of claim 6, comprising a decrypter to employ the physical address to decrypt the encrypted data within the second block to recreate the first block and the compressed data within the first block, the encrypter to encrypt the integrity metadata, the storage comprising at least one of a volatile memory and a non-volatile memory of the apparatus.

8. An apparatus to support secure processing comprising:
- a processor component comprising a cache, the cache comprising a cache line to store a recreation of a first block of data that is to correspond to a second block of encrypted data stored within a storage of the apparatus by the processor component, the encrypted data comprising a compression indicator indicating whether the data within the first block was compressed to generate the encrypted data within the second block, the encrypted data comprising metadata associated with generation of the second block from the first block;
  
  a verifier to, in response to retrieval of the second block of encrypted data from the storage, retrieve integrity metadata from the second block to verify preservation of integrity of the encrypted data, the integrity metadata including a cryptographic hash of the encrypted data;
  
  a decrypter to, in response to retrieval of the second block of encrypted data from the storage, decrypt the encrypted data within the second block to recreate the data or to recreate compressed data within the recreation of the first block based on the compression indicator; and
  
  a decompressor to decompress the recreated compressed data within the recreation of the first block to recreate the data within the recreation of the first block based on the compression indicator.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The apparatus of claim 8, the verifier to retrieve integrity metadata from the second block to obtain a first measure taken of the data within the first block prior to encryption of the data within the first block to generate the encrypted data within the second block, to take a second measure of the recreated data within the recreation of the first block, and to compare the second measure to the first measure to verify preservation of integrity of the data during storage as the encrypted data, a size of the first block and a size of the second block to correspond to a size of the cache line.
  - 10. The apparatus of claim 9, comprising:
    - a compressor to compress the data within the first block to generate the compressed data within the first block to clear sufficient storage space within the first block to store the compression indicator and a first metadata associated with generation of the second block of encrypted data from the first block of data in response to eviction of the first block of data from the cache line; and
      
      an encrypter to encrypt the compressed data and the first metadata within the first block to generate the encrypted data within the second block.
  - 11. The apparatus of claim 10, comprising a measurer to take the first measure of the data within the first block prior to the compression of the data within the first block, and to store the integrity metadata indicative of the first measure within the second block.
  - 12. The apparatus of claim 8, the decrypter to retrieve a portion of the encrypted data from a third block and to decrypt portions of the encrypted data from the second and third blocks to recreate the data within the recreation of the first block in response to an indication by the compression indicator that the data within the first block was not compressed to generate the encrypted data within the second block.
  - 13. The apparatus of claim 12, comprising a compressor to determine whether the data within the first block is able to be compressed sufficiently to clear sufficient storage space within the first block to store at least the compression indicator and the first, compress the data within the first block to generate the compressed data in response to a determination that the data within the first block is able to be compressed sufficiently, and to refrain from compressing the data within the first block in response to a determination that the data within the first block is not able to be compressed sufficiently, the storage comprising at least one of a volatile memory and a non-volatile memory of the apparatus.

14. A computer-implemented method for supporting secure processing comprising:
- storing, within a cache line of a cache of a processor component, a first block of data that is to correspond to a second block of encrypted data stored within a storage by the processor component;
  
  compressing the data within the first block to generate compressed data within the first block to clear sufficient storage space within the first block to store a first metadata associated with generation of the second block of encrypted data from the first block of data in response to eviction of the first block of data from the cache line;
  
  encrypting the compressed data and the first metadata within the first block to generate the encrypted data within the second block within the storage;
  
  generating a cryptographic hash of the encrypted data; and
  
  storing, within the second block within the storage;
  
  (i) encryption metadata associated with the encryption of the compressed data and the encryption of the first metadata, and (ii) integrity metadata indicative of the cryptographic hash of the encrypted data.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The computer-implemented method of claim 14, comprising:
    - taking a first measure of the data within the first block prior to compressing the data within the first block; and
      
      storing integrity metadata indicative of the first measure within the second block as a portion of the metadata associated with the generation of the second block.
  - 16. The computer-implemented method of claim 15, comprising:
    - retrieving the second block from the storage;
      
      employing the encryption metadata within the second block to decrypt the encrypted data to recreate the first block and the compressed data within the first block; and
      
      decompressing the recreated compressed data within the recreated first block to recreate the data within the recreated first block in uncompressed form.
  - 17. The computer-implemented method of claim 16, comprising:
    - taking a second measure of the recreated data within the recreated first block; and
      
      comparing the second measure to the first measure indicated by the integrity metadata to verify preservation of integrity of the data during storage as the encrypted data.
  - 18. The computer-implemented method of claim 14, comprising:
    - determining whether the data within the first block is able to be compressed sufficiently to clear sufficient storage space within the first block to store the first metadata; and
      
      conditioning, on a determination that the data is able to be compressed sufficiently, compressing the data within the first block and storing the first metadata within the second block in lieu of a third block.
  - 19. The computer-implemented method of claim 14, a size of the first block and a size of the second block to correspond to a size of the cache line, the encrypter to encrypt the integrity metadata, the storage comprising at least one of a volatile memory and a non-volatile memory, the first block of data evicted from the cache line to store the second block of encrypted data at a location within the storage associated with a physical address, the method comprising:
    - employing at least one uppermost bit of the physical address to select an encryption value to employ as an input to the encryption of the compressed data within the first block; and
      
      including an indication of the at least one uppermost bit in the encryption metadata.

20. At least one non-transitory machine-readable storage medium comprising instructions that when executed by a processing device, cause the processing device to:
- store, within a cache line of a cache of a processor component, a first block of data that is to correspond to a second block of encrypted data stored within a storage by the processor component;
  
  compress the data within the first block to generate compressed data within the first block to clear sufficient storage space within the first block to store a first metadata associated with generation of the second block of encrypted data from the first block of data in response to eviction of the first block of data from the cache line;
  
  encrypt the compressed data and the first metadata within the first block to generate the encrypted data within the second block within the storage;
  
  generate a cryptographic hash of the encrypted data; and
  
  store, within the second block within the storage;
  
  (i) encryption metadata associated with the encryption of the compressed data and the encryption of the first metadata, and (ii) integrity metadata indicative of the cryptographic hash of the encrypted data.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. The at least one non-transitory machine-readable storage medium of claim 20, a size of the first block and a size of the second block to correspond to a size of the cache line, integrity metadata encrypted, the storage comprising at least one of a volatile memory and a non-volatile memory, the processing device caused to:
    - determine whether the data within the first block is able to be compressed sufficiently to clear sufficient storage space within the first block to store the first metadata; and
      
      condition, on a determination that the data is able to be compressed sufficiently, compressing the data within the first block and storing the first metadata within the second block in lieu of a third block.
  - 22. The at least one non-transitory machine-readable storage medium of claim 21, the processing device caused to:
    - refrain from compressing the data within the first block;
      
      store the first metadata within the third block; and
      
      transmit the second and third blocks to a storage controller coupled to the processor component to store the second and third blocks within the storage.
  - 23. The at least one non-transitory machine-readable storage medium of claim 22, the processing device caused to store in the second block a first compression indicator indicative of the data within the first block as having been compressed in response to a determination that the data within the first block is able to be sufficiently compressed.
  - 24. The at least one non-transitory machine-readable storage medium of claim 23, the processing device caused, in response to a determination that the data within the first block is not able to be sufficiently compressed and in response to the portion of the encrypted data providing a value that matches the first compression indicator, to:
    - store at a location occupied by a portion of the encrypted data in the second block a second compression indicator indicative of the data within the first block as having not been compressed; and
      
      store the portion of the encrypted data within the third block.
  - 25. The at least one non-transitory machine-readable storage medium of claim 24, the processing device caused, in response to storage of the second compression indicator in the second block, to:
    - retrieve portions of the encrypted data from the second and third blocks; and
      
      decrypt the encrypted data to recreate the first block and the data within the first block.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Chhabra, Siddhartha, Durham, David M.
Primary Examiner(s)
Feild, Lynn D
Assistant Examiner(s)
Savenkov, Vadim

Application Number

US14/998,323
Publication Number

US 20170185529A1
Time in Patent Office

1,258 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 12/023   Free address space management

G06F 12/1408   by using cryptography for d...

G06F 12/145   the protection being virtua...

G06F 21/602   Providing cryptographic fac...

G06F 21/82   Protecting input, output or...

G06F 2212/1052   Security improvement

G06F 2212/401   Compressed data

G06F 2212/402   Encrypted data

G06F 2212/60   Details of cache memory

G06F 3/0623   in relation to content

G06F 3/0661   Format or protocol conversi...

G06F 3/0685   Hybrid storage combining he...

Techniques for data storage protection and integrity checking

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for data storage protection and integrity checking

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links