G06F12/1408

INCREASED EFFICIENCY OBFUSCATED LOGICAL-TO-PHYSICAL MAP MANAGEMENT
20230214332 · 2023-07-06

Devices and techniques for efficient obfuscated logical-to-physical mapping are described herein. For example, activity corresponding to obfuscated regions of an L2P map for a memory device can be tracked. A record of discontinuity between the obfuscated regions and L2P mappings resulting from the activity can be updated. The obfuscated regions can be ordered based on a level of discontinuity from the record of discontinuity. When an idle period is identified, an obfuscated region from the obfuscated regions is selected and refreshed based on the ordering.

MICRO-CONTROLLER CHIP AND ACCESS METHOD THEREOF
20230214331 · 2023-07-06

A micro-controller chip is coupled to an external memory and includes a central processing unit (CPU), an address reorder circuit, and an address bus. The CPU is configured to provide a first internal address. The address reorder circuit calculates a unique identifier and a seed code to generate a base parameter and performs a reorder operation for the first internal address according to the base parameter to generate a first encryption address. The address bus is coupled between the address reorder circuit and the external memory to provide the first encryption address to the external memory. The external memory stores specific data according to the first encryption address.

Storage system with separated RPMB sub-systems and method of operating the same

A storage system includes a host device including a host processor and a secure element distinguished from the host processor, and a storage device that includes a first memory area accessed by the host processor, and a second memory area distinguished from the first memory area and accessed by the secure element. The host processor includes a first replay protected memory block (RPMB) key and a first RPMB counter for a first RPMB sub-system of the host processor. The secure element includes a second RPMB key and a second RPMB counter for a second RPMB sub-system of the secure element. The first memory area includes a third RPMB key, a third RPMB counter and a first data space of the first RPMB sub-system. The second memory area includes a fourth RPMB key, a fourth RPMB counter and a second data space of the second RPMB sub-system.

Technologies for assigning workloads to balance multiple resource allocation objectives

Technologies for allocating resources of managed nodes to workloads to balance multiple resource allocation objectives include an orchestrator server to receive resource allocation objective data indicative of multiple resource allocation objectives to be satisfied. The orchestrator server is additionally to determine an initial assignment of a set of workloads among the managed nodes and receive telemetry data from the managed nodes. The orchestrator server is further to determine, as a function of the telemetry data and the resource allocation objective data, an adjustment to the assignment of the workloads to increase an achievement of at least one of the resource allocation objectives without decreasing an achievement of another of the resource allocation objectives, and apply the adjustments to the assignments of the workloads among the managed nodes as the workloads are performed. Other embodiments are also described and claimed.

Method of secure communication among protected containers and system thereof

There is provided a method of communication among at least two processes running on the same computer. The method comprises: generating, by at least one process of the at least two processes, a group key usable for encrypting/decrypting a data unit retrieved from/stored to shared access memory, wherein the generating utilizes, at least, a nonce provided by each of the at least two processes, and wherein the nonces are provided as encrypted integrity-protected data according to, at least, a platform-provided hiding function, wherein each process executes in a protected container, the processes are signed by a single signing authority, and the protected container infrastructure enables use of encrypted, integrity-protected data according to a platform-provided hiding function and a platform-provided revealing function; and verifying, by at least one process of the at least two processes, that a data unit read from shared access memory is successfully decrypted using the group key.

Internal storage in cloud disk to support encrypted hard drive and other stateful features
11693792 · 2023-07-04

A cloud implementation of a persisted storage device, such as a disk, is provided. The implementation supports a variety of features and protocols, in full analogy with a physical storage device such as a disk drive. The present disclosure provides for implementing standard eDrive protocols in the cloud by designing internal disk storage, referred to as a “system area,” in a virtual disk instance that the virtual disk can potentially utilize for a multitude of disk features. This internal storage can be used to implement eDrive protocols, which use the system area to maintain the necessary internal virtual disk state.

Contribution signatures for tagging

A request to add tags (e.g., labels, key-value pairs, or metadata) to resources can be digitally signed by the entity making the request, such that the source can be verified and an authorization determination made for each tag. For a request involving multiple services (or entities) that can each add tags, any tag added by a service can be included in the request and digitally signed by that service. Each service processing the request can also digitally sign the request before forwarding, so that each service signs a version of the request, which includes elements signed by other services earlier in the request chain. When the request is received by a tagging service, the service ensures that every tag was digitally signed by the appropriate authorized entity or service, and validates the signatures to ensure that no data was modified or omitted, before adding the tags to the designated resource(s).

Semiconductor memory device with mapping factor generating unit for improving reliability

A semiconductor memory is provided. The memory includes: a memory array; a row address processing unit configured to output a row address; a bank address processing unit configured to output a bank address; a column address processing unit configured to output a column address; and a mapping factor generating unit, configured to generate a mapping factor, wherein an output of the mapping factor generating unit is coupled to at least one of an output of the row address processing unit, an output of the bank address processing unit, and an output of the column address processing unit, and the output of the mapping factor generating unit is further coupled to the memory array, and wherein the memory array receives a result from logical processing performed on the mapping factor and at least one of the row address, the bank address, and the column address. The technical solutions of the embodiments of the present invention can improve the security, service life and reliability of the semiconductor memory.

Aggregate GHASH-based message authentication code (MAC) over multiple cachelines with incremental updates

Embodiments are directed to aggregate GHASH-based message authentication code (MAC) over multiple cachelines with incremental updates. An embodiment of a system includes a controller comprising circuitry, the controller to generate an error correction code for a memory line, the memory line comprising a plurality of first data blocks, generate a metadata block corresponding to the memory line, the metadata block comprising the error correction code for the memory line and at least one metadata bit, generate an aggregate GHASH corresponding to a region of memory comprising a cacheline set comprising at least the memory line, encode the first data blocks and the metadata block, encrypt the aggregate GHASH as an aggregate message authentication code (AMAC), provide the encoded first data blocks and the encoded metadata block for storage on a memory module comprising the memory line, and provide the AMAC for storage on a device separate from the memory module.

Cryptographic data integrity protection

A storage device includes a memory storage region and a controller having a processor. The processor retrieves user data from the memory storage region using a physical block address corresponding to a logical block address (LBA), in response to a read command. The retrieved user data includes a first hash received through a host interface in a prior host data transmission. The processor further performs error correction on the user data to generate error-corrected user data. The processor further causes a cryptographic engine to produce a second hash of the error-corrected user data. The first hash is compared to the second hash associated with the error-corrected user data to determine a match result. A notification is generated in response to the match result.