Securing non-volatile memory regions

US 8,516,271 B2
Filed: 03/11/2011
Issued: 08/20/2013
Est. Priority Date: 03/11/2011
Status: Active Grant

First Claim

Patent Images

1. A method to secure non-volatile memory regions, the method comprising:

associating a first key pair and a second key pair different than the first key pair with a process;

using the first key pair to secure a first region of a non-volatile memory for storing first data accessible by the process; and

using the second key pair to secure a second region of the non-volatile memory for storing second data accessible by the same process, the second region being different than the first region.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatus and articles of manufacture to secure non-volatile memory regions are disclosed. An example method disclosed herein comprises associating a first key pair and a second key pair different than the first key pair with a process, using the first key pair to secure a first region of a non-volatile memory for the process, and using the second key pair to secure a second region of the non-volatile memory for the same process, the second region being different than the first region.

33 Citations

View as Search Results

15 Claims

1. A method to secure non-volatile memory regions, the method comprising:
- associating a first key pair and a second key pair different than the first key pair with a process;
  
  using the first key pair to secure a first region of a non-volatile memory for storing first data accessible by the process; and
  
  using the second key pair to secure a second region of the non-volatile memory for storing second data accessible by the same process, the second region being different than the first region.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method as defined in claim 1 wherein the first data stored in the first region is retrievable using only a first decryption key included in the first key pair, and the second data stored in the second region is retrievable using either a second decryption key included in the second key pair or a third decryption key different from the second decryption key.
  - 3. A method as defined in claim 1 wherein the first key pair includes a first encryption key and a first decryption key, the second key pair includes a second encryption key and a second decryption key, and further comprising:
    - generating a first private key and a first public key, the first public key to be the first encryption key and the first private key to be the first decryption key and the second decryption key; and
      
      generating the second encryption key based on the first public key and a second public key.
  - 4. A method as defined in claim 3 further comprising storing the first key pair and the second key pair in volatile memory, the first key pair and the second key pair to be unrecoverable after power is removed from the volatile memory, and the second data stored in the second region, but not the first data stored in the first region, of the non-volatile memory to be recoverable after power is removed from the volatile memory using a second private key associated with the second public key.
  - 5. A method as defined in claim 1 wherein the first key pair includes a first encryption key and a first decryption key, the second key pair includes a second encryption key and a second decryption key, and further comprising:
    - encrypting data to be written from a cache to the first region of the non-volatile memory for the process using the first encryption key and decrypting data to be read from the first region of the non-volatile memory using the first decryption key to secure the first region of the non-volatile memory for the process; and
      
      encrypting data to be written from the cache to the second region of the non-volatile memory for the process using the second encryption key and decrypting data to be read from the second region of the non-volatile memory using the second decryption key to secure the second region of the non-volatile memory for the process.
  - 6. A method as defined in claim 1 further comprising:
    - storing the first key pair and the second key pair in a key table associated with the process;
      
      generating a pointer to an entry of the key table to select a key from one of the first key pair or the second key pair to securely exchange data for the process between a cache and the non-volatile memory, the pointer generated based on whether the data is to be exchanged between the cache and the first region of the non-volatile memory, or between the cache and the second region of the non-volatile memory.
  - 7. A method as defined in claim 6 wherein the pointer is a first pointer, and generating the pointer comprises:
    - determining a second pointer to the key table using a process identifier of the process; and
      
      combining the second pointer with address bits from a tag of a cache line of the cache to determine the first pointer, the cache line to contain the data exchanged between the cache and the non-volatile memory.
  - 8. A method as defined in claim 7 further comprising storing the second pointer in a tag extension of the cache line.

9. A cache controller comprising:
- a key retriever comprising executable instructions to;
  
  retrieve a first key associated with a process in response to determining that first process data is to be written from a cache line of a cache to an ephemeral region of a non-volatile memory; and
  
  retrieve a different second key associated with the same process in response to determining that second process data is to be written from the cache line of the cache to a persistent region of the non-volatile memory, the persistent region being different than the ephemeral region; and
  
  a processor comprising executable instructions to;
  
  use the first key retrieved by the key retriever to encrypt the first process data in the cache line of the cache before the first process data is to be written to the non-volatile memory; and
  
  use the second key retrieved by the key retriever to encrypt the second process data in the cache line of the cache before the second process data is to be written to the non-volatile memory.
- View Dependent Claims (10, 11, 12)
- - 10. A cache controller as defined in claim 9 wherein the key retriever comprises executable instructions to retrieve a third key associated with the process when third process data is to be read from one of the first region or the second region of the non-volatile, and the processor comprises executable instructions to use the third key retrieved by the key retriever to decrypt the third process data read from the non-volatile memory before the third process data is to be written to the cache line.
  - 11. A cache controller as defined in claim 9 wherein the first key is included in a first key pair stored in a key table in memory, the second key is included in a second key pair stored in the key table, the key retriever comprises executable instructions to combine a first pointer to the key table with addresses bits from a tag of the cache line to determine a second pointer to one of the first key pair or the second key pair, and the key retriever comprises executable instructions to retrieve one of the first key or the second key from the key table based on the second pointer.
  - 12. A cache controller as defined in claim 11 wherein the key retriever comprises executable instructions to store the first pointer in a tag extension of the cache line.

13. A system comprising:
- a non-volatile memory;
  
  a cache including a cache line to store data for a process;
  
  a volatile memory to store a key table associated with the process, the key table to store a plurality of different key pairs associated with respective different regions of the non-volatile memory, the different key pairs to be used to securely exchange the data between the cache line and the respective different regions of the non-volatile memory; and
  
  a cache controller to;
  
  combine a key table pointer pointing to the key table and address bits from a tag of the cache line to determine a key pointer pointing to one of the plurality of different key pairs stored in the key table;
  
  retrieve an encryption key included in the one of the plurality of different key pairs pointed to by the key pointer to encrypt the data when the data is to be written from the cache line to the non-volatile memory; and
  
  retrieve a decryption key included in the one of the plurality of different key pairs pointed to by the key pointer to decrypt the data when the data is to be read from the non-volatile memory and written to the cache line.
- View Dependent Claims (14, 15)
- - 14. A system as defined in claim 13 wherein the plurality of different key pairs include a first key pair associated with a first region of the non-volatile memory and a second key pair associated with a second region of the non-volatile memory, and the system further comprises a key generator to:
    - generate a first private key and a first public key, the first public key to be a first encryption key included in the first key pair, and the first private key to be a first decryption key included in the first key pair and a second decryption key included in the second key pair; and
      
      generate a second encryption key included in the second key pair based on the first public key and a second public key received from a recovery service.
  - 15. A system as defined in claim 14 wherein the first key pair and the second key pair are unrecoverable after power is removed from the volatile memory, and data stored in the second region, but not the first region, of the non-volatile memory is recoverable after power is removed from the volatile memory by the recovery service using a second private key associated with the second public key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Faraboschi, Paolo, Ranganathan, Parthasarathy, Muralimanohar, Naveen
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US13/046,381
Publication Number

US 20120233472A1
Time in Patent Office

893 Days
Field of Search

None
US Class Current

713/190
CPC Class Codes

G06F 12/0246   in block erasable memory, e...

G06F 12/1441   for a range

G06F 12/1466   Key-lock mechanism

G06F 2212/225   Hybrid cache memory, e.g. h...

Securing non-volatile memory regions

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Securing non-volatile memory regions

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links