Securing data transmission between processor packages
First Claim
1. A first processor package comprising:
first encryption proxy agent hardware including a first key storage in which secure software is to store a key, encryption circuitry to generate encrypted data by using the key to encrypt unencrypted data, and replay protection circuitry to append an anti-replay value to the encrypted data;
a cache;
a caching agent including processor circuitry to determine whether a memory address is within the cache, to determine whether the memory address is within a secure memory address range, and, if the memory address is not within the cache or the secure memory address range, to route the unencrypted data to a first link unit, and, if the memory address is not within the cache but is within the secure memory address range, to route the unencrypted data to the first encryption proxy agent hardware; and
the first link unit including link circuitry to, if the memory address is not within the cache or the secure memory address range, receive the unencrypted data from the caching unit and generate a first plurality of packets to be transmitted directly to a second link unit of a second processor package through a point-to-point link, and to, if the memory address is not within the cache but is within the secure memory address range, receive the encrypted data from the first encryption proxy agent hardware and generate a second plurality of packets to be transmitted directly to the second link unit of the second processor package through the point-to-point link and to be decrypted by second encryption proxy agent hardware in the second processor package, wherein the second encryption proxy agent hardware includes a second key storage in which the secure software is to store the key.
Abstract
Embodiments of an invention for securing transmissions between processor packages are disclosed. In one embodiment, an apparatus includes an encryption unit to encrypt first content to be transmitted from the apparatus to a processor package directly through a point-to-point link.
11 Claims
7. A method comprising:
storing, by secure software, a key in a first key storage in a first encryption proxy agent in a first processor package;
storing, by the secure software, the key in a second key storage in the second encryption proxy agent in a second processor package;
determining whether a memory address is within a cache in the first processor package;
determining whether the memory address is within a secure memory address range;
if the memory address is not within the cache or the secure memory address range, routing the unencrypted data to a first link unit in the first processor package;
if the memory address is not within the cache but is within the secure memory address range, routing the unencrypted data to the first encryption proxy agent;
if the memory address is not within the cache but is within the secure memory address range, generating, by the first encryption proxy agent, encrypted data by using the key to encrypt the unencrypted data;
if the memory address is not within the cache but is within the secure memory address range, appending an anti-replay value to the encrypted data;
if the memory address is not within the cache or the secure memory address range, generating, by the first link unit, a first plurality of packets including the unencrypted data;
if the memory address is not within the cache or the secure memory address range, transmitting, by the first link unit, the first plurality of packets directly to a second link unit in the second processor through a point-to-point link;
if the memory address is not within the cache but is within the secure memory address range, generating, by the first link unit, a second plurality of packets including the encrypted data and the anti-replay value;
if the memory address is not within the cache but is within the secure memory address range, transmitting, by the first link unit, the second plurality of packets directly to the second link unit the second processor through the point-to-point link;
if the memory address is not within the cache but is within the secure memory address range, receiving, by the second link unit, the second plurality of packets directly from the first link unit through the point-to-point link;
if the memory address is not within the cache but is within the secure memory address range, using, within the second processor package, the anti-replay value to verify that receiving the encrypted data is not associated with a replay attack;
if the memory address is not within the cache but is within the secure memory address range, using, by the second encryption proxy agent, the key to decrypt the encrypted data.
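The routing decision and anti-replay check of claim 7, modelled in software as an added example (not code from the patent). The claims name no cipher or anti-replay format, so the monotonic counter, the SHAKE-256 keystream, the HMAC tag that binds the counter to the ciphertext, the address range and all identifiers are assumptions.

```python
import hashlib
import hmac

SECURE_RANGE = range(0x8000_0000, 0x9000_0000)  # constructed secure address range


def _keystream(key: bytes, counter: int, n: int) -> bytes:
    # Stand-in cipher (assumption): SHAKE-256 keyed by key and counter.
    return hashlib.shake_256(b"enc" + key + counter.to_bytes(8, "big")).digest(n)


class EncryptionProxyAgent:
    """One per package; secure software stores the same key in both."""

    def __init__(self, key: bytes):
        self.key = key
        self.tx_counter = 0  # anti-replay value of the last outgoing transfer
        self.rx_highest = 0  # highest anti-replay value accepted so far

    def seal(self, data: bytes) -> bytes:
        self.tx_counter += 1
        ctr = self.tx_counter.to_bytes(8, "big")
        ct = bytes(a ^ b for a, b in zip(data, _keystream(self.key, self.tx_counter, len(data))))
        tag = hmac.new(self.key, b"mac" + ctr + ct, hashlib.sha256).digest()
        return ct + ctr + tag  # encrypted data, appended anti-replay value, tag

    def open(self, packet: bytes) -> bytes:
        ct, ctr, tag = packet[:-40], packet[-40:-32], packet[-32:]
        expected = hmac.new(self.key, b"mac" + ctr + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("tampered packet")
        counter = int.from_bytes(ctr, "big")
        if counter <= self.rx_highest:  # value already seen: replay
            raise ValueError("replayed packet")
        self.rx_highest = counter
        return bytes(a ^ b for a, b in zip(ct, _keystream(self.key, counter, len(ct))))


def caching_agent_route(addr: int, cache: dict, data: bytes, proxy: EncryptionProxyAgent):
    """Return (path, payload handed to the link unit); ("cache", None) on a hit."""
    if addr in cache:
        return "cache", None
    if addr in SECURE_RANGE:
        return "encrypted", proxy.seal(data)
    return "plain", data
```

Without the tag, an observer on the link could rewrite the appended counter and replay an old ciphertext, which is why the sketch authenticates the anti-replay value together with the encrypted data.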
10. A system comprising:
a first processor package;
a second processor package;
a point-to-point link between the first processor package and the second processor package;
wherein the first processor package includes first encryption proxy agent hardware including a first key storage in which secure software is to store a key, first encryption circuitry to generate encrypted data by using the key to encrypt unencrypted data, and replay protection circuitry to append an anti-replay value to the encrypted data;
a cache;
a caching agent including processor circuitry to determine whether a memory address is within the cache, to determine whether the memory address is within a secure memory address range, and, if the memory address is not within the cache or the secure memory address range, to route the unencrypted data to a first link unit, and, if the memory address is not within the cache but is within the secure memory address range, to route the unencrypted data to the first encryption proxy agent hardware; and
the first link unit including link circuitry to, if the memory address is not within the cache or the secure memory address range, receive the unencrypted data from the caching unit and generate a first plurality of packets to be transmitted directly to a second link unit of the second processor package through the point-to-point link, and to, if the memory address is not within the cache but is within the secure memory address range, receive the encrypted data from the first encryption proxy agent hardware and generate a second plurality of packets to be transmitted directly to the second link unit of the second processor package through the point-to-point link; and
wherein the second processor package includes second encryption proxy agent hardware including a first key storage in which secure software is to store a key and second encryption circuitry to decrypt the encrypted data using the key.
Specification