Shared memory inter-enclave communication
First Claim
1. A computer-implemented method for inter-enclave communication, comprising:
- receiving a shared memory request for establishing a shared memory region between a plurality of enclaves including at least a first enclave and a second enclave;
- in response to receiving the shared memory request, allocating the shared memory region;
- generating shared memory key data for the shared memory region;
- encrypting the shared memory key data with a first public key corresponding to a first private key stored in the first enclave;
- encrypting the shared memory key data with a second public key corresponding to a second private key stored in the second enclave;
- sending the shared memory key data encrypted with the first public key to the first enclave; and
- sending the shared memory key data encrypted with the second public key to the second enclave.
Abstract
Disclosed embodiments provide techniques for inter-enclave communication through shared memory. Enclaves (containers) operate in a protected memory space that inhibits the use of shared memory. Disclosed embodiments enable enclaves to use shared memory, eliminating the communication bottlenecks associated with networking. A memory cryptography coprocessor implemented in hardware generates shared memory key data for a shared memory region that is to be used by two or more enclaves. The shared memory key data is sent to the enclaves that require a shared memory interface. The enclaves access the shared memory securely utilizing the shared memory key data. The memory cryptography coprocessor facilitates shared memory key generation and exchange. The memory cryptography coprocessor data is not directly accessible by the processes executing on the main processor. This enables secure cloud hosting on untrusted environments, since the hosting entity cannot directly access the internal data of the memory cryptography coprocessor.
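The key distribution recited in claim 1 and summarized in the abstract, sketched in Go as an added example (not code from the patent). It assumes RSA-OAEP for encrypting the key data and AES-256-GCM for the shared region, neither of which the text above specifies; `WrapForEnclaves`, `RegionCipher` and `newKey` are hypothetical names, and the key pairs are constructed in software rather than held in hardware.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// WrapForEnclaves models the coprocessor: one region key, released only as RSA-OAEP copies (assumed scheme), one per enclave.
func WrapForEnclaves(pubs ...*rsa.PublicKey) ([][]byte, error) {
	key := make([]byte, 32) // the plaintext key never leaves this function
	_, err := rand.Read(key)
	wrapped := make([][]byte, len(pubs))
	for i := 0; err == nil && i < len(pubs); i++ {
		wrapped[i], err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pubs[i], key, nil)
	}
	return wrapped, err // callers must discard wrapped when err != nil
}

// RegionCipher runs inside an enclave: unwrap with its private key, then build AES-256-GCM (assumed) for the region.
func RegionCipher(priv *rsa.PrivateKey, wrapped []byte) (cipher.AEAD, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func newKey() *rsa.PrivateKey { // constructed enclave key pair for the demo
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

func main() {
	a, b := newKey(), newKey()
	w, _ := WrapForEnclaves(&a.PublicKey, &b.PublicKey)
	ga, _ := RegionCipher(a, w[0]) // first enclave
	gb, _ := RegionCipher(b, w[1]) // second enclave
	nonce := make([]byte, ga.NonceSize()) // write counter 0; every later write needs a new nonce
	region := ga.Seal(nil, nonce, []byte("hello from enclave A"), nil)
	msg, err := gb.Open(nil, nonce, region, nil)
	fmt.Printf("%s %v\n", msg, err)
}
```

Anything outside the two enclaves that reads the region sees only ciphertext, and GCM makes the reading enclave reject a region modified after it was written.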
20 Claims
8. An electronic computation device comprising:
- a processor;
- a first memory coupled to the processor, the first memory comprising a first enclave and a second enclave;
- a memory cryptography coprocessor coupled to the processor;
- a second memory coupled to the memory cryptography coprocessor, the second memory containing instructions, that when executed by the memory cryptography coprocessor, perform the steps of;
  - receiving a shared memory request for establishing a shared memory region between the first enclave and the second enclave;
  - in response to receiving the shared memory request, allocating the shared memory region;
  - generating shared memory key data for the shared memory region;
  - encrypting the shared memory key data with a first public key corresponding to a first private key stored in the first enclave;
  - encrypting the shared memory key data with a second public key corresponding to a second private key stored in the second enclave;
  - sending the shared memory key data encrypted with the first public key to the first enclave; and
  - sending the shared memory key data encrypted with the second public key to the second enclave.
15. A computer program product for an electronic computation device comprising a non-transitory computer readable storage medium having program instructions embodied therewith, the program instructions executable by a processor to cause the electronic computation device to:
- receive a shared memory request for establishing a shared memory region between a plurality of enclaves including at least a first enclave and a second enclave;
- in response to receiving the shared memory request, allocate the shared memory region;
- generate shared memory key data for the shared memory region;
- encrypt the shared memory key data with a first public key corresponding to a first private key stored in the first enclave;
- encrypt the shared memory key data with a second public key corresponding to a second private key stored in the second enclave;
- send the shared memory key data encrypted with the first public key to the first enclave; and
- send the shared memory key data encrypted with the second public key to the second enclave.
Specification