Securing data transmission between processor packages

US 9,729,309 B2
Filed: 12/19/2012
Issued: 08/08/2017
Est. Priority Date: 12/19/2012
Status: Active Grant

First Claim

Patent Images

1. A first processor package comprising:

first encryption proxy agent hardware including a first key storage in which secure software is to store a key, encryption circuitry to generate encrypted data by using the key to encrypt unencrypted data, and replay protection circuitry to append an anti-replay value to the encrypted data;

a cache;

a caching agent including processor circuitry to determine whether a memory address is within the cache, to determine whether the memory address is within a secure memory address range, and, if the memory address is not within the cache or the secure memory address range, to route the unencrypted data to a first link unit, and, if the memory address is not within the cache but is within the secure memory address range, to route the unencrypted data to the first encryption proxy agent hardware; and

the first link unit including link circuitry to, if the memory address is not within the cache or the secure memory address range, receive the unencrypted data from the caching unit and generate a first plurality of packets to be transmitted directly to a second link unit of a second processor package through a point-to-point link, and to, if the memory address is not within the cache but is within the secure memory address range, receive the encrypted data from the first encryption proxy agent hardware and generate a second plurality of packets to be transmitted directly to the second link unit of the second processor package through the point-to-point link and to be decrypted by second encryption proxy agent hardware in the second processor package, wherein the second encryption proxy agent hardware includes a second key storage in which the secure software is to store the key.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of an invention for securing transmissions between processor packages are disclosed. In one embodiment, an apparatus includes an encryption unit to encrypt first content to be transmitted from the apparatus to a processor package directly through a point-to-point link.

Citations

11 Claims

1. A first processor package comprising:
- first encryption proxy agent hardware including a first key storage in which secure software is to store a key, encryption circuitry to generate encrypted data by using the key to encrypt unencrypted data, and replay protection circuitry to append an anti-replay value to the encrypted data;
  
  a cache;
  
  a caching agent including processor circuitry to determine whether a memory address is within the cache, to determine whether the memory address is within a secure memory address range, and, if the memory address is not within the cache or the secure memory address range, to route the unencrypted data to a first link unit, and, if the memory address is not within the cache but is within the secure memory address range, to route the unencrypted data to the first encryption proxy agent hardware; and
  
  the first link unit including link circuitry to, if the memory address is not within the cache or the secure memory address range, receive the unencrypted data from the caching unit and generate a first plurality of packets to be transmitted directly to a second link unit of a second processor package through a point-to-point link, and to, if the memory address is not within the cache but is within the secure memory address range, receive the encrypted data from the first encryption proxy agent hardware and generate a second plurality of packets to be transmitted directly to the second link unit of the second processor package through the point-to-point link and to be decrypted by second encryption proxy agent hardware in the second processor package, wherein the second encryption proxy agent hardware includes a second key storage in which the secure software is to store the key.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The processor package of claim 1, wherein the encryption proxy agent hardware also comprises authentication circuitry to append authentication metadata to the encrypted data.
  - 3. The processor package of claim 1, wherein the encryption circuitry is also to decrypt content received from the second processor package directly through the point-to-point link.
  - 4. The processor package of claim 2, wherein the authentication circuitry is also to verify the authenticity of the content received from the second processor package.
  - 5. The processor package of claim 1, wherein the replay protection circuitry is also to protect the content received from the second processor package from a replay attack.
  - 6. The processor package of claim 1, further comprising a range register to be used to determine whether the memory address is within the secure memory address range.

7. A method comprising:
- storing, by secure software, a key in a first key storage in a first encryption proxy agent in a first processor package;
  
  storing, by the secure software, the key in a second key storage in the second encryption proxy agent in a second processor package;
  
  determining whether a memory address is within a cache in the first processor package;
  
  determining whether the memory address is within a secure memory address range;
  
  if the memory address is not within the cache or the secure memory address range, routing the unencrypted data to a first link unit in the first processor package;
  
  if the memory address is not within the cache but is within the secure memory address range, routing the unencrypted data to the first encryption proxy agent;
  
  if the memory address is not within the cache but is within the secure memory address range, generating, by the first encryption proxy agent, encrypted data by using the key to encrypt the unencrypted data;
  
  if the memory address is not within the cache but is within the secure memory address range, appending an anti-replay value to the encrypted data;
  
  if the memory address is not within the cache or the secure memory address range, generating, by the first link unit, a first plurality of packets including the unencrypted data;
  
  if the memory address is not within the cache or the secure memory address range, transmitting, by the first link unit, the first plurality of packets directly to a second link unit in the second processor through a point-to-point link;
  
  if the memory address is not within the cache but is within the secure memory address range, generating, by the first link unit, a second plurality of packets including the encrypted data and the anti-replay value;
  
  if the memory address is not within the cache but is within the secure memory address range, transmitting, by the first link unit, the second plurality of packets directly to the second link unit the second processor through the point-to-point link;
  
  if the memory address is not within the cache but is within the secure memory address range, receiving, by the second link unit, the second plurality of packets directly from the first link unit through the point-to-point link;
  
  if the memory address is not within the cache but is within the secure memory address range, using, within the second processor package, the anti-replay value to verify that receiving the encrypted data is not associated with a replay attack;
  
  if the memory address is not within the cache but is within the secure memory address range, using, by the second encryption proxy agent, the key to decrypt the encrypted data.
- View Dependent Claims (8, 9)
- - 8. The method of claim 7, further comprising appending authentication metadata to the encrypted data.
  - 9. The method of claim 7, further comprising using, within the second processor package, the authentication metadata to verify the authenticity of the encrypted data.

10. A system comprising:
- a first processor package;
  
  a second processor package;
  
  a point-to-point link between the first processor package and the second processor package;
  
  wherein the first processor package includesfirst encryption proxy agent hardware including a first key storage in which secure software is to store a key, first encryption circuitry to generate encrypted data by using the key to encrypt unencrypted data, and replay protection circuitry to append an anti-replay value to the encrypted data;
  
  a cache;
  
  a caching agent including processor circuitry to determine whether a memory address is within the cache, to determine whether the memory address is within a secure memory address range, and, if the memory address is not within the cache or the secure memory address range, to route the unencrypted data to a first link unit, and, if the memory address is not within the cache but is within the secure memory address range, to route the unencrypted data to the first encryption proxy agent hardware; and
  
  the first link unit including link circuitry to, if the memory address is not within the cache or the secure memory address range, receive the unencrypted data from the caching unit and generate a first plurality of packets to be transmitted directly to a second link unit of the Second processor package through the point-to-point link, and to, if the memory address is not within the cache but is within the secure memory address range, receive the encrypted data from the first encryption proxy agent hardware and generate a second plurality of packets to be transmitted directly to the second link unit of the second processor package through the point-to-point link; and
  
  wherein the second processor package includes second encryption proxy agent hardware including a first key storage in which secure software is to store a key and second encryption circuitry to decrypt the encrypted data using the key.
- View Dependent Claims (11)
- - 11. The system of claim 10 wherein the second processor package also includes:
    - a home agent; and
      
      logic to determine that the second plurality of packets is associated with a secure memory request to the home agent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Blankenship, Robert, Padwekar, Kiran, Savagaonkar, Uday, Das, Abhishek, Johnson, Simon, Rozas, Carlos
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Zarrineh, Shahriar

Application Number

US13/719,939
Publication Number

US 20140173275A1
Time in Patent Office

1,693 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/556   involving covert channels, ...

G06F 21/606   by securing the transmissio...

H04L 63/0428   wherein the data content is...

H04L 63/0471   applying encryption by an i...

H04L 63/123   received data contents, e.g...

H04L 9/00   Cryptographic mechanisms or...

H04L 9/32   including means for verifyi...

Securing data transmission between processor packages

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Securing data transmission between processor packages

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links