Shared memory inter-enclave communication

US 10,635,605 B2
Filed: 03/13/2018
Issued: 04/28/2020
Est. Priority Date: 03/13/2018
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for inter-enclave communication, comprising:

receiving a shared memory request for establishing a shared memory region between a plurality of enclaves including at least a first enclave and a second enclave;

in response to receiving the shared memory request, allocating the shared memory region;

generating shared memory key data for the shared memory region;

encrypting the shared memory key data with a first public key corresponding to a first private key stored in the first enclave;

encrypting the shared memory key data with a second public key corresponding to a second private key stored in the second enclave;

sending the shared memory key data encrypted with the first public key to the first enclave; and

sending the shared memory key data encrypted with the second public key to the second enclave.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed embodiments provide techniques for inter-enclave communication through shared memory. Enclaves (containers) operate in a protected memory space that inhibits the use of shared memory. Disclosed embodiments enable enclaves to use shared memory, eliminating the communication bottlenecks associated with networking. A memory cryptography coprocessor implemented in hardware generates shared memory key data for a shared memory region that is to be used by two or more enclaves. The shared memory key data is sent to the enclaves that require a shared memory interface. The enclaves access the shared memory securely utilizing the shared memory key data. The memory cryptography coprocessor facilitates shared memory key generation and exchange. The memory cryptography coprocessor data is not directly accessible by the processes executing on the main processor. This enables secure cloud hosting on untrusted environments, since the hosting entity cannot directly access the internal data of the memory cryptography coprocessor.

23 Citations

20 Claims

1. A computer-implemented method for inter-enclave communication, comprising:
- receiving a shared memory request for establishing a shared memory region between a plurality of enclaves including at least a first enclave and a second enclave;
  
  in response to receiving the shared memory request, allocating the shared memory region;
  
  generating shared memory key data for the shared memory region;
  
  encrypting the shared memory key data with a first public key corresponding to a first private key stored in the first enclave;
  
  encrypting the shared memory key data with a second public key corresponding to a second private key stored in the second enclave;
  
  sending the shared memory key data encrypted with the first public key to the first enclave; and
  
  sending the shared memory key data encrypted with the second public key to the second enclave.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein generating shared memory key data comprises generating an asymmetric encryption keypair comprising a shared memory public key and a shared memory private key.
  - 3. The method of claim 2, wherein sending shared memory key data comprises sending the shared memory public key and the shared memory private key to the first enclave and the second enclave.
  - 4. The method of claim 2, wherein sending shared memory key data comprises sending the shared memory public key to the first enclave and sending the shared memory private key to the second enclave.
  - 5. The method of claim 1, wherein generating shared memory key data comprises generating a symmetric encryption key.
  - 6. The method of claim 1, wherein allocating a shared memory region comprises creating a third enclave.
  - 7. The method of claim 1, wherein allocating a shared memory region comprises allocating a non-enclave memory region.

8. An electronic computation device comprising:
- a processor;
  
  a first memory coupled to the processor, the first memory comprising a first enclave and a second enclave;
  
  a memory cryptography coprocessor coupled to the processor;
  
  a second memory coupled to the memory cryptography coprocessor, the second memory containing instructions, that when executed by the memory cryptography coprocessor, perform the steps of;
  
  receiving a shared memory request for establishing a shared memory region between the first enclave and the second enclave;
  
  in response to receiving the shared memory request, allocating the shared memory region;
  
  generating shared memory key data for the shared memory region;
  
  encrypting the shared memory key data with a first public key corresponding to a first private key stored in the first enclave;
  
  encrypting the shared memory key data with a second public key corresponding to a second private key stored in the second enclave;
  
  sending the shared memory key data encrypted with the first public key to the first enclave; and
  
  sending the shared memory key data encrypted with the second public key to the second enclave.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The electronic computation device of claim 8, wherein the second memory further comprises instructions, that when executed by the memory cryptography coprocessor, perform the step of generating an asymmetric encryption keypair comprising a shared memory public key and a shared memory private key.
  - 10. The electronic computation device of claim 9, wherein the second memory further comprises instructions, that when executed by the memory cryptography coprocessor, perform the steps of sending the shared memory public key and the shared memory private key to the first enclave and the second enclave.
  - 11. The electronic computation device of claim 9, wherein the second memory further comprises instructions, that when executed by the memory cryptography coprocessor, perform the steps of sending the shared memory public key to the first enclave and sending the shared memory private key to the second enclave.
  - 12. The electronic computation device of claim 8, wherein the second memory further comprises instructions, that when executed by the memory cryptography coprocessor, perform the step of generating a symmetric encryption key.
  - 13. The electronic computation device of claim 8, wherein the second memory further comprises instructions, that when executed by the memory cryptography coprocessor, perform the step of creating a third enclave to serve as the shared memory region.
  - 14. The electronic computation device of claim 8, wherein the second memory further comprises instructions, that when executed by the memory cryptography coprocessor, perform the step of allocating a non-enclave memory region to serve as the shared memory region.

15. A computer program product for an electronic computation device comprising a non-transitory computer readable storage medium having program instructions embodied therewith, the program instructions executable by a processor to cause the electronic computation device to:
- receive a shared memory request for establishing a shared memory region between a plurality of enclaves including at least a first enclave and a second enclave;
  
  in response to receiving the shared memory request, allocate the shared memory region;
  
  generate shared memory key data for the shared memory region;
  
  encrypt the shared memory key data with a first public key corresponding to a first private key stored in the first enclave;
  
  encrypt the shared memory key data with a second public key corresponding to a second private key stored in the second enclave;
  
  send the shared memory key data encrypted with the first public key to the first enclave; and
  
  send the shared memory key data encrypted with the second public key to the second enclave.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer program product of claim 15, wherein the computer readable storage medium includes program instructions executable by the processor to cause the electronic computation device to generate shared memory key data comprising an asymmetric encryption keypair that includes a shared memory public key and a shared memory private key.
  - 17. The computer program product of claim 16, wherein the computer readable storage medium includes program instructions executable by the processor to cause the electronic computation device to send the shared memory public key and the shared memory private key to the first enclave and the second enclave.
  - 18. The computer program product of claim 16, wherein the computer readable storage medium includes program instructions executable by the processor to cause the electronic computation device to send the shared memory public key to the first enclave and send the shared memory private key to the second enclave.
  - 19. The computer program product of claim 15, wherein the computer readable storage medium includes program instructions executable by the processor to cause the electronic computation device to generate shared memory key data comprising a symmetric encryption key.
  - 20. The computer program product of claim 15, wherein the computer readable storage medium includes program instructions executable by the processor to cause the electronic computation device to compute a checksum for the shared memory key data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Leitao, Breno H., Martins Rodrigues, Mauro Sergio, Camarda Silva Folco, Rafael, Battaiola Kreling, Daniel
Primary Examiner(s)
Patel, Haresh N

Application Number

US15/919,319
Publication Number

US 20190286577A1
Time in Patent Office

777 Days
Field of Search

713193
US Class Current
CPC Class Codes

G06F 12/023   Free address space management

G06F 12/109   for multiple virtual addres...

G06F 12/1408   by using cryptography for d...

G06F 12/1441   for a range

G06F 12/1466   Key-lock mechanism

G06F 12/1475   in a virtual system, e.g. w...

G06F 2009/45583   Memory management, e.g. acc...

G06F 21/53   by executing in a restricte...

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 2212/1016   Performance improvement

G06F 2212/152   Virtualized environment, e....

G06F 2212/656   Address space sharing

G06F 2212/657   Virtual address space manag...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/5016   the resource being the memory

G06F 9/544   Buffers; Shared memory; Pipes

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0861   Generation of secret inform...

H04L 9/0894   Escrow, recovery or storing...

Shared memory inter-enclave communication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Shared memory inter-enclave communication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links