Technologies for implementing mutually distrusting domains

US 10,686,605 B2
Filed: 09/29/2017
Issued: 06/16/2020
Est. Priority Date: 09/29/2017
Status: Active Grant

First Claim

Patent Images

1. A platform for cloud computing, comprising:

one or more hardware processors arranged to host a plurality of virtual machines (VMs), wherein individual VMs of the plurality of VMs are arranged into a plurality of mutually untrusting domains associated with individual cloud computing clients of a plurality of cloud computing clients;

a single immutable shared virtual machine manager (sVMM) operated by the one or more hardware processors, the sVMM arranged to manage operations of the individual VMs of each domain of the plurality of mutually untrusting domains, wherein the sVMM is shared among the plurality of mutually untrusting domains without replicating the sVMM across each of the plurality of mutually untrusting domains and integrity protected with respective integrity values associated with individual domains of the plurality of mutually untrusting domains but not encrypted, and the respective integrity values being stored in a reserved memory space; and

a cryptographic engine (CE) coupled with the one or more hardware processors, the CE arranged to;

provide separated encryption services for the plurality of mutually untrusting domains, andprovide integrity protection services for individual ones of the plurality of mutually untrusting domains when accessing the sVMM, wherein, to provide integrity protection services, the CE is arranged to;

obtain a read request indicating a requested memory location from which to read data, the read request including an immutable-bit (I-bit) and a domain identifier (DID) of a requesting domain of the plurality of mutually untrusting domains that issued the request;

issue a read command to the requested memory location;

issue another read command to another memory location in the reserved memory space associated with the requested memory location, the other memory location storing a first integrity value of the respective integrity values;

generate a second integrity value using a domain key associated with the DID;

send data read from the requested memory location to the one or more hardware processors when the first integrity value matches the second integrity value; and

issue a security exception to the one or more hardware processors when the first integrity value does not match the second integrity value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technologies for providing shared immutable code among untrusting domains are provided. The untrusting domains may be cryptographically separated within a cloud computing service or environment. The shared immutable code may be a shared virtual machine monitor (sVMM) that is setup by system software to indicate that the sVMM code pages need integrity alone and should be protected with an integrity key associated with individual domains. This indication may be stored in page tables and carried over the memory bus to a cryptographic engine. The cryptographic engine may use this indication to protect the integrity of data before storing the data to memory. In order to ensure cryptographic isolation, integrity values may be generated using a domain-specific key ensuring that an attempt to modify the code by one domain is detected by a different domain. Other embodiments are described herein and claimed.

47 Citations

View as Search Results

24 Claims

1. A platform for cloud computing, comprising:
- one or more hardware processors arranged to host a plurality of virtual machines (VMs), wherein individual VMs of the plurality of VMs are arranged into a plurality of mutually untrusting domains associated with individual cloud computing clients of a plurality of cloud computing clients;
  
  a single immutable shared virtual machine manager (sVMM) operated by the one or more hardware processors, the sVMM arranged to manage operations of the individual VMs of each domain of the plurality of mutually untrusting domains, wherein the sVMM is shared among the plurality of mutually untrusting domains without replicating the sVMM across each of the plurality of mutually untrusting domains and integrity protected with respective integrity values associated with individual domains of the plurality of mutually untrusting domains but not encrypted, and the respective integrity values being stored in a reserved memory space; and
  
  a cryptographic engine (CE) coupled with the one or more hardware processors, the CE arranged to;
  
  provide separated encryption services for the plurality of mutually untrusting domains, andprovide integrity protection services for individual ones of the plurality of mutually untrusting domains when accessing the sVMM, wherein, to provide integrity protection services, the CE is arranged to;
  
  obtain a read request indicating a requested memory location from which to read data, the read request including an immutable-bit (I-bit) and a domain identifier (DID) of a requesting domain of the plurality of mutually untrusting domains that issued the request;
  
  issue a read command to the requested memory location;
  
  issue another read command to another memory location in the reserved memory space associated with the requested memory location, the other memory location storing a first integrity value of the respective integrity values;
  
  generate a second integrity value using a domain key associated with the DID;
  
  send data read from the requested memory location to the one or more hardware processors when the first integrity value matches the second integrity value; and
  
  issue a security exception to the one or more hardware processors when the first integrity value does not match the second integrity value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 22)
- - 2. The platform of claim 1, wherein the CE comprises:
    - a key table arranged to store a plurality of domain keys including the domain key associated with the DID, each of the plurality of domain keys including at least one encryption key and at least one integrity key, and each of the plurality of domain keys being stored in association with corresponding DIDs of a plurality of DIDs, wherein individual DIDs of the plurality of DIDs identify the individual domains; and
      
      a cryptographic pipeline (crypto-pipeline) arranged to encrypt and decrypt domain-specific data associated with the individual domains using corresponding encryption keys, andwherein, to provide integrity protection services, the CE is arranged to;
      
      decrypt, via the crypto-pipeline and using an encryption key associated with the requesting domain, the data read from the requested memory location before the data is sent to the requesting domain, andgenerate the second integrity value using an integrity key associated with the requesting domain.
  - 3. The platform of claim 2, wherein, to provide integrity protection services, the CE is arranged to:
    - obtain a write request indicating a requested memory location in which to write data, the write request comprising an I-bit along with the DID of the requesting domain;
      
      encrypt, using the encryption key associated with the requesting domain, the requested data via the crypto-pipeline and using the DID of the requesting domain; and
      
      issue a write command to write the encrypted data to the other requested memory location.
  - 4. The platform of claim 2, wherein the CE is arranged to:
    - perform a lookup operation on the key table using the I-bit or the DID to obtain the integrity key of the requesting domain.
  - 5. The platform of claim 1, wherein the data read from the requested memory location includes shared immutable program code of the sVMM, and wherein the other memory location including the first integrity value is within the reserved memory space.
  - 6. The platform of claim 5, wherein a portion of the DID comprises a physical address space of a physical memory associated with the reserved memory space.
  - 7. The platform of claim 5, wherein the shared immutable program code of the sVMM is mapped to one or more page table entries (PTEs), wherein the PTEs of the shared immutable program code includes an I-bit for each of the plurality of mutually untrusting domains.
  - 8. The platform of claim 1, wherein the one or more hardware processors include one or more processor cores, and the platform further comprises:
    - data access circuitry to provide the request to the CE, wherein the data access circuitry is to obtain the request from the one or more hardware processors;
      
      a memory controller to obtain the read command and the other read command from the CE, and provide, to the CE, the data and the first integrity value of the requested memory location and the other memory location, respectively, and wherein the memory controller is communicatively coupled with the CE via a memory bus.
  - 9. The platform of claim 8, wherein:
    - the first integrity value is a first Message Authentication Code (MAC) and the second integrity value is a second MAC;
      
      the data access circuitry is implemented by microprocessor circuitry, image processing unit (IPU) circuitry, graphics processing unit (GPU), or display engine circuitry;
      
      the CE is implemented by the microprocessor circuitry or other microprocessor circuitry; and
      
      the one or more processor cores, the data access circuitry, and the CE are communicatively coupled to one another via an in-die interconnect (IDI).
  - 22. The platform of claim 1, wherein the integrity protection services involve integrity verification of a data line loaded from memory using the respective integrity values for requesting domains of the plurality of mutually untrusting domains.

10. One or more non-transitory computer-readable storage media (NTCRSM) comprising program code, wherein execution of the program code by one or more processors is to cause a computer system to:
- host a plurality of virtual machines (VMs), wherein individual VMs of the plurality of VMs are arranged into a plurality of mutually untrusting domains associated with individual cloud computing clients of a plurality of cloud computing clients;
  
  operate a single immutable shared virtual machine manager (sVMM) to manage operations of the individual VMs of each domain of the plurality of mutually untrusting domains, wherein the sVMM is shared among the plurality of mutually untrusting domains without replicating the sVMM across each of the plurality of mutually untrusting domains and is integrity protected with respective domain keys associated with individual domains of the untrusting domains, but not encrypted, the respective domain keys being stored in a reserved memory space; and
  
  operate a cryptographic engine (CE) to provide separated encryption services for the plurality of mutually untrusting domains, and provide integrity protection services for individual ones of the plurality of mutually untrusting domains when accessing the sVMM, wherein, to provide integrity protection services, execution of the program code is to cause the computer system to;
  
  obtain a read request from a requesting domain of the plurality of mutually untrusting domains indicating a requested memory location from which to read data, the read request comprising an immutable-bit (I-bit) along with a domain identifier (DID) of the requesting domain;
  
  issue a read command to the requested memory location;
  
  issue a read command to another memory location in the reserved memory space associated with the requesting domain, the other memory location including a first Message Authentication Code (MAC);
  
  generate a second MAC using a domain key associated with the DID;
  
  send data read from the requested memory location to the requesting domain when the first MAC matches the second MAC; and
  
  issue a security exception to the one or more processors when the first MAC does not match the second MAC.
- View Dependent Claims (11, 12, 13, 14, 15, 23)
- - 11. The one or more NTCRSM of claim 10, wherein execution of the program code is to cause the computer system to operate the CE to:
    - perform a lookup operation on a key table to obtain the domain key associated with the DID associated with the requesting domain; and
      
      perform one or more stages of a cryptographic pipeline to generate the second MAC using the domain key or another domain key associated with the DID of the requesting domain.
  - 12. The one or more NTCRSM of claim 11, wherein execution of program code is to cause the computer system to operate the CE to:
    - obtain a write request from the requesting domain indicating a requested memory location in which to write data, the write request comprising an I-bit along with the DID of the requesting domain;
      
      perform a lookup operation on the key table using at least the DID of the requesting domain to obtain an encryption key associated with the requesting domain;
      
      perform one or more stages of a cryptographic pipeline to encrypt the requested data and use a DID of the plurality of DIDs associated with an entity that issued the request; and
      
      write the encrypted data to the other requested memory location.
  - 13. The one or more NTCRSM of claim 11, wherein execution of the program code is to cause the computer system to operate the CE to:
    - perform a lookup operation on the key table using at least the DID of the requesting domain to obtain an encryption key associated with the requesting domain; and
      
      perform one or more stages of a cryptographic pipeline to decrypt, using the obtained encryption key, the data read from the requested memory location before the data is sent to the requesting domain.
  - 14. The one or more NTCRSM of claim 12, wherein the data read from the requested memory location includes program code for the sVMM, and wherein the other memory location including the first MAC is within a reserved memory area associated with the requesting domain.
  - 15. The one or more NTCRSM of claim 14, wherein a portion of the DID comprises a physical address space of a physical memory associated with the reserved memory area, and wherein the program code of the sVMM is mapped to one or more page table entries (PTEs), wherein the PTEs of the program code of the sVMM includes an I-bit for each of the plurality of mutually untrusting domains.
  - 23. The one or more NTCRSM of claim 10, wherein the integrity protection services involve integrity verification of a data line loaded from memory using the respective domain keys for requesting domains of the plurality of mutually untrusting domains.

16. A computer-implemented method for sharing shared immutable code of a single immutable shared virtual machine manager (sVMM) among a plurality of mutually untrusting domains without replicating the sVMM across each of the plurality of mutually untrusting domains, each of the mutually untrusting domains are associated with individual cloud computing clients of a plurality of cloud computing clients, the sVMM is arranged to manage operations of the individual VMs of each domain of the plurality of mutually untrusting domains, the sVMM is respectively integrity protected with integrity keys associated with individual domains of the plurality of mutually untrusting domains, but not encrypted, and the method comprising:
- obtaining, by a cryptographic engine (CE), a read request from a requesting domain of the plurality of mutually untrusting domains indicating a requested memory location from which to read data, the read request comprising an immutable-bit (I-bit) along with a domain identifier (DID) of the requesting domain, wherein a plurality of virtual machines (VMs) are hosted by a platform that implements the CE, and individual VMs of the plurality of VMs are arranged into corresponding ones of the plurality of mutually untrusting domains;
  
  issuing, by the CE, a read command to a requested memory location, the data read from the requested memory location including program code for the sVMM;
  
  issuing, by the CE, a read command to another memory location in a reserved memory space associated with the requesting domain, the other memory location storing a first Message Authentication Code (MAC) associated with the requesting domain, and the reserved memory space to store MACs for each of the plurality of mutually untrusting domains;
  
  generating, by the CE, a second MAC using a domain key associated with the DID;
  
  sending, by the CE, data read from the requested memory location to the requesting domain when the first MAC matches the second MAC; and
  
  issuing, by the CE, a security exception to the one or more processors when the first MAC does not match the second MAC.
- View Dependent Claims (17, 18, 19, 20, 21, 24)
- - 17. The method of claim 16, wherein the method comprises:
    - performing, by the CE, a lookup operation on a key table to obtain the domain key associated with the DID of the requesting domain; and
      
      performing, by the CE, one or more stages of a cryptographic pipeline to generate the second MAC using the domain key or another domain key associated with the DID of the requesting domain.
  - 18. The method of claim 17, further comprising:
    - obtaining, by the CE, a write request from the requesting domain indicating a requested memory location in which to write data, the write request comprising an I-bit along with the DID of the requesting domain;
      
      performing, by the CE, a lookup operation on the key table using at least the DID of the requesting domain to obtain an encryption key associated with the requesting domain;
      
      performing, by the CE, one or more stages of a cryptographic pipeline to encrypt the requested data and use a DID of the plurality of DIDs associated with an entity that issued the request; and
      
      writing, by the CE, the encrypted data to the other requested memory location.
  - 19. The method of claim 18, further comprising:
    - performing, by the CE, a lookup operation on the key table using at least the DID of the requesting domain to obtain the encryption key associated with the requesting domain; and
      
      performing, by the CE, one or more stages of a cryptographic pipeline to decrypt, using the obtained encryption key, the data read from the requested memory location before the data is sent to the requesting domain.
  - 20. The method of claim 16, further comprising:
    - tagging, by the CE, each memory access with the DID of the requesting domain.
  - 21. The method of claim 16, wherein one or more bits of the DID comprise a physical address space of a physical memory associated with the reserved memory area, and wherein the program code of the shared immutable code is mapped to one or more page table entries (PTEs), wherein the PTEs of the program code of the sVMM includes an I-bit for each of the plurality of mutually untrusting domains.
  - 24. The computer-implemented method of claim 16, further comprising:
    - providing integrity protection services for individual ones of the plurality of mutually untrusting domains when accessing the sVMM, wherein providing the integrity protection services comprises verifying integrity of a data line loaded from memory using respective ones of the integrity keys associated with the individual domains for requesting domains of the plurality of mutually untrusting domains.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Chhabra, Siddhartha, Durham, David M.
Primary Examiner(s)
Duffield, Jeremy S

Application Number

US15/721,124
Publication Number

US 20190103976A1
Time in Patent Office

991 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/1009   using page tables, e.g. pag...

G06F 12/1408   by using cryptography for d...

G06F 12/1425   the protection being physic...

G06F 12/1441   for a range

G06F 2009/45583   Memory management, e.g. acc...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 2009/45595   Network integration; Enabli...

G06F 21/00   Security arrangements for p...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 21/74   operating in dual or compar...

G06F 2212/1052   Security improvement

G06F 2212/402   Encrypted data

G06F 2212/65   Details of virtual memory a...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/3242   involving keyed hash functi...

Technologies for implementing mutually distrusting domains

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

47 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Technologies for implementing mutually distrusting domains

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links