The present disclosure includes systems and methods for securing data direct I/O (DDIO) for a secure accelerator interface, in accordance with various embodiments. Historically, DDIO has enabled performance advantages that have outweighed its security risks. DDIO circuitry may be configured to secure DDIO data by using encryption circuitry that is manufactured for use in communications with main memory along the direct memory access (DMA) path. DDIO circuitry may be configured to secure DDIO data by using DDIO encryption circuitry manufactured for use by or manufactured within the DDIO circuitry. Enabling encryption and decryption in the DDIO path by the DDIO circuitry has the potential to close a security gap in modem data central processor units (CPUs).

A processing device is configured to process an initial set of command types. A command extension module and a digital signature are received. The digital signature is generated based on the command extension module using a private key of a key pair. The command extension module, once installed by the processing device, enables the processing device to process a new command type that is not included in the initial set of command types. The digital signature is verified using a public key of the key pair. Based on a successful verification of the digital signature, the command extension module is temporarily installed by loading the command extension module in a volatile memory device.

Described apparatuses and methods balance memory-portion accessing. Some memory architectures are designed to accelerate memory accesses using schemes that may be at least partially dependent on memory access requests being distributed roughly equally across multiple memory portions of a memory. Examples of such memory portions include cache sets of cache memories and memory banks of multibank memories. Some code, however, may execute in a manner that concentrates memory accesses in a subset of the total memory portions, which can reduce memory responsiveness in these memory types. To account for such behaviors, described techniques can shuffle memory addresses based on a shuffle map to produce shuffled memory addresses. The shuffle map can be determined based on a count of the occurrences of a reference bit value at bit positions of the memory addresses. Using the shuffled memory address for memory requests can substantially balance the accesses across the memory portions.

Systems and methods are presented for creating encrypted containers in cloud computing environments. In one embodiment, a method is provided that includes receiving a request to create a virtual machine at an application node. The request may contain encryption parameters for use in encrypting the virtual machine. The virtual machine may be created at the application node and may include an associated memory for use during execution of the virtual machine. An encryption key may be received and the memory may be encrypted. An encrypted container image and may be mounted within the virtual machine. The encrypted container image may be executed within the virtual machine.

A cloud data encryption and security system includes a central computing authority and a network of computing devices. At least some of the computing devices are pod computing devices physically hosted by an operator. The pod computing devices include a central processing unit and a computer readable storage media in data communication with the central processing unit. Data is encrypted in the computer readable storage media so that the owner can access the data but the operator cannot access the data.

According to one or more embodiments of the present invention, a computer implemented method includes enabling, by a secure interface control of a computer system, a non-secure entity of the computer system to access a page of memory shared between the non-secure entity and a secure domain of the computer system based on the page being marked as non-secure with a secure storage protection indicator of the page being clear. The secure interface control can verify that the secure storage protection indicator of the page is clear prior to allowing the non-secure entity to access the page. The secure interface control can provide a secure entity of the secure domain with access to the page absent a check of the secure storage protection indicator of the page.

Systems and methods are provided for storing data blocks in distributed storage. One exemplary computer-implemented method includes, in response to receipt of a data block comprising data, generating a value N for the data block, wherein the value N includes a variable integer greater than one and dividing the data block into N segments, wherein each segment includes a portion of the data. The method also includes generating a value M for the data block, wherein the value M includes a variable integer greater than or equal to one, and adding M segments of chaff to the N segments. The method then includes encrypting the N segments and the M segments of chaff and distributing the M segments and the N segments in distributed storage, wherein the N segments and the M segments of chaff are stored in multiple different storage devices included in the distributed storage.

Example implementations include a system of secure decryption by virtualization and translation of physical encryption keys, the system having a key translation memory operable to store at least one physical mapping address corresponding to at least one virtual key address, a physical key memory operable to store at least one physical encryption key at a physical memory address thereof; and a key security engine operable generate at least one key address translation index, obtain, from the key translation memory, the physical mapping address based on the key address translation index and the virtual key address, and retrieve, from the physical key memory, the physical encryption key stored at the physical memory address.

Various embodiments relate to a memory controller, including: a memory interface connected to a memory; an address and control logic connected to the memory interface and a command interface, wherein the address and control logic is configured to receive a memory read request; a read inline encryption engine (IEE) connected to the memory interface, wherein the read IEE is configured to decrypt encrypted data read from the memory; a key selector configured to determine a read memory region associated with the memory read request based upon a read address where the data to be read is stored, wherein the read address is received from the address and control logic; and a key logic configured to select a first key associated with the determined read memory region and provide the selected key to the read IEE.

A data storage device includes a nonvolatile memory device, a volatile memory device, a data encryption circuit configured to encrypt data outputted from the nonvolatile memory device, a data decryption circuit configured to decrypt encrypted data output from the data encryption circuit and configured to provide the decrypted data to the volatile memory device, and a processor configured to perform a first process that controls installation of a first in-storage program in the data storage device, a second process configured to manage a mapping table storing a relation between a logical address and a physical address of the nonvolatile memory device, and a third process configured to execute the first in-storage program.