Methods, systems, and apparatus, including computer programs encoded on computer storage media, for generating signed addresses. One of the methods includes receiving, by a component from a device, a plurality of first requests, each first request for a physical address and including a virtual address, determining, by the component, a first physical address using the virtual address, generating a first signature for the first physical address, and providing, to the device, a response that includes the first signature, receiving, from the device, a plurality of second requests, each second request for access to a second physical address and including a second signature, determining, by the component for each of the plurality of second requests, whether the second physical address is valid using the second signature, and for each second request for which the second physical address is determined to be valid, servicing the corresponding second request.

The present disclosure is related to encryption of executables in computational memory. Computational memory can traverse an operating system page table in the computational memory for a page marked as executable. In response to finding a page marked as executable, the computational memory can determine whether the page marked as executable has been encrypted. In response to determining that the page marked as executable is not encrypted, the computational memory can generate a key for the page marked as executable. The computational memory can encrypt the page marked as executable using the key.

Technologies for secure I/O include a compute device, which further includes a processor, a memory, a trusted execution environment (TEE), one or more input/output (I/O) devices, and an I/O subsystem. The I/O subsystem includes a device memory access table (DMAT) programmed by the TEE to establish bindings between the TEE and one or more I/O devices that the TEE trusts and a memory ownership table (MOT) programmed by the TEE when a memory page is allocated to the TEE.

Systems and methods for encryption support for virtual machines. An example method may comprise initializing, by a firmware module associated with a virtual machine running on a host computer system, an exclusion range register associated with the virtual machine with a value specifying a first portion of guest memory, wherein the first portion of the guest memory comprises an exclusion range marked as reserved; encrypting, by the firmware using an ephemeral encryption key, a second portion of the guest memory; booting, by a hypervisor of the host computer system, the virtual machine; and responsive to intercepting, by the hypervisor, a privileged instruction executed by the virtual machine, performing at least one of: copying data for performing the privileged instruction to the first portion of the guest memory or copying data for performing the privileged instruction from the first portion of the guest memory.

Methods and systems disclosed herein describe obfuscating plaintext cryptographic material stored in memory. A random location in an obfuscation buffer may be selected for each byte of the plaintext cryptographic material. The location of each byte of the plaintext cryptographic material may be stored in a position tracking buffer. To recover the scrambled plaintext cryptographic material, the location of each byte of the plaintext cryptographic material may be read from the position tracking buffer. Each byte of the plaintext cryptographic material may then be read from the obfuscation buffer and written to a temporary buffer. When each byte of the plaintext cryptographic material is recovered, the plaintext cryptographic material may be used to perform one or more cryptographic operations. The scrambling techniques described herein reduce the likelihood of a malicious user recovering plaintext cryptographic material while stored in memory.

Aspects of a storage device are provided that allow a controller to leverage cache to minimize occurrence of HMB address overlaps between different HMB requests. The storage device may include a cache and a controller coupled to the cache. The controller may store in the cache, in response to a HMB read request, first data from a HMB at a first HMB address. The controller may also store in the cache, in response to an HMB write request, second data from the HMB at a second HMB address. The controller may refrain from processing subsequent HMB requests in response to an overlap of the first HMB address with an address range including the second HMB address, and the controller may resume processing the subsequent HMB requests after the first data is stored. As a result, turnaround time delays for HMB requests may be reduced and performance may be improved.

An example method for restricting read access to content in the component circuitry and securing data in the supply item is disclosed. The method identifies the status of a read command, and depending upon whether the status disabled or enabled, either blocks the accessing of encrypted data stored in the supply chip, or allows the accessing of the encrypted data stored in the supply chip.

Technologies disclosed herein provide cryptographic computing. An example method comprises storing, in a register, an encoded pointer to a memory location, wherein the encoded pointer comprises first context information and a slice of a memory address of the memory location, wherein the first context information includes an identification of a data key; decoding the encoded pointer to obtain the memory address of the memory location; using the memory address obtained by decoding the encoded pointer to access encrypted data at the memory location; and decrypting the encrypted data based on the data key.

A data cache memory mitigates side channel attacks in a processor that comprises the data cache memory and that includes a translation context (TC). A first input receives a virtual memory address. A second input receives the TC. Control logic, with each allocation of an entry of the data cache memory, uses the received virtual memory address and the received TC to perform the allocation of the entry. The control logic also, with each access of the data cache memory, uses the received virtual memory address and the received TC in a correct determination of whether the access hits in the data cache memory. The TC includes a virtual machine identifier (VMID), or a privilege mode (PM) or a translation regime (TR), or both the VMID and the PM or the TR.

A system is provided for the storage of data, the system having: an encrypted host platform upon which regulatory controlled data is stored; a controller configured to allow a primary user to set permission settings and identify authorized end users and degrees of access granted to each the authorized end user, the authorized end user being pre-cleared for compliance with regulatory controls pertaining to the regulatory controlled data; the controller configured to permit access to the encrypted host platform only if the hosting platform is in compliance with predefined data security protocols the controller configured to allow the authorized end user access to the regulatory controlled data, and the controller configured to exclude access to both a provider of the system for storage and a system host platform provider; at least one individual computing device accessible by at least one the authorized end user, the individual computing device configured to provide authorized end user identification data to the controller and receive permissions from the controller for access to the host platform; and the host platform only communicates with individual user devices if the devices have received permission from the controller.