Technologies disclosed herein provide cryptographic computing. An example processor includes a core to execute an instruction, where the core includes a register to store a pointer to a memory location and a tag associated with the pointer. The tag indicates whether the pointer is at least partially immutable. The core also includes circuitry to access the pointer and the tag associated with the pointer, determine whether the tag indicates that the pointer is at least partially immutable. The circuitry is further, based on a determination that the tag indicates the pointer is at least partially immutable, to obtain a memory address of the memory location based on the pointer, use the memory address to access encrypted data at the memory location, and decrypt the encrypted data based on a key and a tweak, where the tweak including one or more bits based, at least in part, on the pointer.

Technologies for secure key provisioning include a computing device having a processor with secure enclave support and a manageability controller. The manageability controller receives a secret key from a network source via a network interface that is isolated from untrusted software of the computing device. The manageability controller authenticates a secure enclave of the computing device and, if successful, securely provisions a session key derived from the secret key to the secure enclave. The manageability controller may provision additional session keys after expiration of the session key. The manageability controller may monitor for revocation of the secret key by the network source. If revoked, the manageability controller does not provision additional session keys to the secure enclave. The manageability controller may also provision the session key to a sensor device protected by the secret key, which is pre-provisioned to the sensor device. Other embodiments are described and claimed.

A device-capability-based locking key management system includes a key management system coupled to a server device via a network. The server device includes storage devices coupled to a remote access controller device. The remote access controller device identifies each of the storage devices, and then identifies a key management profile for each of the storage devices. A first key management profile identified for at least one first storage device is different from a second key management profile identified for at least one second storage device. The remote access controller device then uses the respective key management profile identified for each of the storage devices to create a respective key management sub-client for each of the storage devices, and each respective key management sub-client communicates with the key management system to provide a locking key for its respective storage device.

The invention introduces an apparatus for encrypting and decrypting user data, including a memory, a bypass-flag writing circuit and a flash interface controller. The bypass-flag writing circuit writes a bypass flag in a remaining bit of space of the memory that is originally allocated for storing an End-to-End Data Path Protection (E2E DPP), where the bypass flag indicates whether user data has been encrypted. The flash interface controller reads the user data, the E2E DPP and the bypass flag from the memory and programs the user data, the E2E DPP and the bypass flag into the flash device.

A memory controller and a storage device including the same are disclosed. A memory controller for controlling a nonvolatile memory includes: a security access control module configured to convert biometric authentication data received from a biometric module into security configuration data having a data format according to a security standard protocol and perform, based on the security configuration data, at least one of authority registration and authority authentication of a user authority set for an access control of a secure area of the nonvolatile memory, encrypted user data being stored in the secure area; and a data processing unit configured to, based on an access to the secure area being permitted, encrypt user data received from a host device or decrypt the encrypted user data read from the secure area.

An example computing device includes a memory accessible at startup of the computing device, a buffer, and a set of instructions. The memory stores a configuration setting that is configurable by the application of a change request. The memory also stores a first public key and a second public key. The buffer stores change requests submitted by a remote entity, including a first change request to make a first setting change and a second change request to make a second setting change. The first change request is signed by a first private key corresponding to the first public key, and the second change request is signed by a second private key corresponding to the second public key. The set of instructions retrieves a change request from the buffer, determines whether the change request is authenticated by a public key, and if authenticated, applies the change request.

In a method of allocating and protecting a memory in a computational storage device including a first computing engine and a buffer memory, a memory allocation request is received from a host device that is disposed outside the computational storage device. Based on the memory allocation request, a memory allocation operation in which a first memory region is generated in the buffer memory and a first key associated with the first memory region is generated is performed. A program execution request is received from the host device. Based on the program execution request, a program execution operation is performed in which a first program is executed by the first computing engine by accessing the first memory region based on an encryption or a decryption using the first key.

An operating method of a data storge device including a buffer memory, a non-volatile memory, and a controller, includes receiving, from a host, an encryption request for data stored in the buffer memory, and performing an encryption operation in response to the encryption request, wherein the performing of the encryption operation comprises performing a program operation, the performing of the program operation comprises receiving a physical address of a buffer region of the non-volatile memory, generating encrypted data by causing an encryption module included in the controller to be in an on state to encrypt the data stored in the buffer memory, and programming the encrypted data in the buffer region of the non-volatile memory based on the physical address.

A program execution device capable of protecting a program against unauthorized analysis and alteration is provided. The program execution device includes an execution unit, a first protection unit, and a second protection unit. The execution unit executes a first program and a second program, and is connected with an external device that is capable of controlling the execution. The first protection unit disconnects the execution unit from the external device while the execution unit is executing the first program. The second protection unit protects the first program while the execution unit is executing the second program.

Various embodiments relate to an inline encryption engine in a memory controller configured to process data read from a memory, including: a first data pipeline configured to receive data that is plaintext data and a first validity flag; a second data pipeline having the same length as the first data pipeline configured to: receive data that is encrypted data and a second validity flag; decrypt the encrypted data from the memory and output decrypted plaintext data; an output multiplexer configured to select and output data from either the first pipeline or the second pipeline; and control logic configured to control the output multiplexer, wherein the control logic is configured to output valid data from the first pipeline when the second pipeline does not have valid output decrypted plaintext data available.