A method of protecting confidentiality of air-gapped logs comprises: generating, during a first log processing cycle, a data processor key and a drive encryption key, wherein the data processor key and the drive encryption key are unique to a log drive mounted to at least one computer processor; wrapping the drive encryption key with the computer processor key; storing the drive encryption key wrapped by the computer processor key in a database, where the database is mapped to data uniquely identifying the log drive; wrapping the drive encryption key with a default key that is known to at least one originator device; wiping the log drive; and writing the drive encryption key wrapped by the default key to the log drive. Some methods described also include a method of processing logs by an originator. Systems and computer program products are also provided.

A host may use address translation to convert virtual addresses to physical addresses for endpoints, which may then submit memory access requests for physical addresses. The host may incorporate the physical address and a signature of the physical address generated using a private key into a translated address field of a response to a translation request. An endpoint may treat the combination as a translated address by storing it in an entry of a translation cache, and accessing the entry for inclusion in a memory access request. The host may generate a signature of the translated address from the request using the private key, with the result being compared to the signature from the request. The memory access request may be verified when the compared values match, and the memory access may be performed using the translated address.

Methods, systems, and devices for authenticated reading of memory system data are described. In some examples, a host system and a memory system may exchange keys used to grant the host system access to one or more protected regions of the memory system. The keys may be symmetric or asymmetric. In some cases, the host system may transmit a read command to access data stored at a protected region of the memory system, along with a signature generated using the key associated with the protected region. The memory system may verify the signature to determine whether the host is authorized to access the protected region, and may transmit the requested data to the host system. In some examples, the memory system may sign the returned data, so that the host system may verify the source of the data.

A memory system includes a memory controller, a plurality of serial data buffers, and a plurality of memory devices. The memory controller issues packetized commands and data to the serial data buffers. The serial data buffers each apply a different remapping function to remap an input command address in the packetized commands to respective remapped memory addresses that are different for each serial data buffer. The serial data buffers then issue commands to the memory devices using the remapped addresses. The remapping functions may be designed to mitigate row hammer effects. The serial data buffers may furthermore apply transformations to read and write data to facilitate encryption and decryption.

In a method of operating a storage device including a plurality of storage regions, a first request is received. The first request is for a cryptographic erasure with respect to a first storage region. During a first time interval, a first encryption key corresponding to the first storage region is changed based on the first request. A second request is received. In response to receiving the second request within the first time interval, a region access signal is outputted. In response to determining, based on the region access signal, that the second request is associated with the first storage region, an execution of the second request is held. In response to determining, based on the region access signal, that the second request is associated with a second storage region among the plurality of storage regions, the second request is executed.

According to one embodiment, a key search circuit includes a hit determination circuit that determines whether a key search request hits a content stored in a search result buffer, and an update determination circuit that determines whether to update the content stored in the search result buffer. When the hit determination circuit determines that the key search request hits the search result buffer, the key search circuit outputs the search result stored in the search result buffer to an encryption/decryption circuit. When the update determination circuit determines to update the search result buffer, the key search circuit updates the content stored in the search result buffer with the key search request and a search result obtained from a range table.

A cache unit that is configured to retain: a plurality of cache blocks; a plurality of owner indicators, and a plurality of validity marks. For each cache block of the plurality of cache blocks exists a corresponding owner indicator in the plurality of owner indicators. An owner indicator corresponding to a cache block is capable of identifying an entity that caused the cache block to be fetched to the cache unit. For each cache block of the plurality of cache blocks exists a corresponding validity mark in the plurality of validity marks. A validity mark corresponding to the cache block indicates whether a validation process performed on the cache block upon fetching thereof was successful. The cache unit may be useful for secure execution.

A method includes receiving, for metadata processing, a current instruction with associated metadata tags. The metadata processing is performed in a metadata processing domain isolated from a code execution domain including the current instruction. Each respective associated metadata tag represents a respective policy of the composite policy. For each respective metadata tag, the method includes determining, in the metadata processing domain and in accordance with the metadata tag and the current instruction, whether a rule exists for the current instruction in a rules cache. The rules cache may include rules on metadata used by the metadata processing to define allowed instructions. The determination of whether a rule exists results in a respective output, which may include generating a new rule and inserting the new rule in the rules cache. Control Status Registers, and associated tags, may be used to accomplish the metadata processing.

A device which can be implemented on a single packaged integrated circuit or a multichip module comprises a plurality of non-volatile memory cells, and logic to use a physical unclonable function to produce a key and to store the key in a set of non-volatile memory cells in the plurality of non-volatile memory cells. The physical unclonable function can use entropy derived from non-volatile memory cells in the plurality of non-volatile memory cells to produce a key. Logic is described to disable changes to data in the set of non-volatile memory cells, and thereby freeze the key after it is stored in the set.

A self-encrypting drive (SED) comprises an SED controller and a nonvolatile storage medium (NVSM) responsive to the SED controller. The SED controller enables the SED to perform operations comprising: (a) receiving an encrypted media encryption key (eMEK) for a client; (b) decrypting the eMEK into an unencrypted media encryption key (MEK); (c) receiving a write request from the client, wherein the write request includes data to be stored and a key tag value associated with the MEK; (d) using the key tag value to select the MEK for the write request; (e) using the MEK for the write request to encrypt the data from the client; and (f) storing the encrypted data in a region of the NVSM allocated to the client. Other embodiments are described and claimed.