A memory system, comprising: i) a first electronic device comprising a processor, ii) a second electronic device being external to the first electronic device and comprising a memory, wherein the memory stores a memory image over at least a part of a data set stored on the memory, and iii) a hash value related to the memory image. The first electronic device and the second electronic device are coupled such that the processor has at least partial control over the second electronic device. The processor is configured to, when updating the data set stored on the memory of the second electronic device, also update the hash value related to the memory image using an incremental hashing operation so that only those parts of the memory image are processed that have changed.

A host Virtual Machine Monitor (VMM) operates “blindly,” without the host VMM having the ability to access data within a guest virtual machine (VM) or the ability to access directly control structures that control execution flow of the guest VM. Guest VMs execute within a protected region of memory (called a key domain) that even the host VMM cannot access. Virtualization data structures that pertain to the execution state (e.g., a Virtual Machine Control Structure (VMCS)) and memory mappings (e.g., Extended Page Tables (EPTs)) of the guest VM are also located in the protected memory region and are also encrypted with the key domain key. The host VMM and other guest VMs, which do not possess the key domain key for other key domains, cannot directly modify these control structures nor access the protected memory region. The host VMM, however, using VMPageIn and VMPageOut instructions, can build virtual machines in key domains and page VM pages in and out of key domains.

A memory chip comprises a first memory controller, a first data storage zone, a security unit and an address configuration unit. The first data storage zone is coupled to the first memory controller, and represented by a first physical address range. The security unit is coupled to the first memory controller. The address configuration unit is coupled to the first memory controller. The memory chip is configured to be coupled between a host controller and another memory chip. The another memory chip comprises a second data storage zone represented by a second physical address range. The address configuration unit records one or more relationships of a logical address range corresponding to the first physical address range and the second physical address range. The security unit is configured to encrypt and decrypt data in the first data storage zone and the second data storage zone.

Memory devices, systems including memory devices, and methods of operating memory devices are described, in which security measures may be implemented to control access to a fuse array (or other secure features) of the memory devices based on a secure access key. In some cases, a customer may define and store a user-defined access key in the fuse array. In other cases, a manufacturer of the memory device may define a manufacturer-defined access key (e.g., an access key based on fuse identification (FID), a secret access key), where a host device coupled with the memory device may obtain the manufacturer-defined access key according to certain protocols. The memory device may compare an access key included in a command directed to the memory device with either the user-defined access key or the manufacturer-defined access key to determine whether to permit or prohibit execution of the command based on the comparison.

This disclosure describes system on a chip (SOC) communications that prevent direct memory access (DMA) attacks. An example SoC includes an encryption engine and a security processor. The encryption engine is configured to encrypt raw input data using a cipher key to form an encrypted payload. The security processor is configured to select the cipher key from a key store holding a plurality of cipher keys based on a channel ID describing a {source subsystem, destination subsystem} tuple for the encrypted payload, to form an encryption header that includes the channel ID, to encapsulate the encrypted payload with the encryption header that includes the channel ID to form a crypto packet, and to transmit the crypto packet to a destination SoC that is external to the SoC.

The technology disclosed herein provides a proof-of-work key wrapping system for verifying device capabilities. An example method may include: accessing a wrapped key and a cryptographic attribute for the wrapped key from an encrypted memory region, wherein the wrapped key encodes a cryptographic key; deriving, by a processing device, the cryptographic key in view of the wrapped key and the cryptographic attribute, wherein the deriving consumes computing resources for a duration of time; using the cryptographic key to access program data; and executing, by the processing device, the program data, wherein the executed program data evaluates a condition related to the duration of time.

Embodiments herein describe a memory controller that has an encryption path and a bypass path. Using an indicator (e.g., a dedicated address range), an outside entity can inform the memory controller whether to use the encryption path or the bypass path. For example, using the encryption path when performing a write request means the memory controller encrypts the data before it was stored, while using the bypass path means the data is written into memory without be encrypted. Similarly, using the encryption path when performing a read request means the controller decrypts the data before it is delivered to the requesting entity, while using the bypass path means the data is delivered without being decrypted.

Technologies disclosed herein provide cryptographic computing with cryptographically encoded pointers in multi-tenant environments. An example method comprises executing, by a trusted runtime, first instructions to generate a first address key for a private memory region in the memory and generate a first cryptographically encoded pointer to the private memory region in the memory. Generating the first cryptographically encoded pointer includes storing first context information associated with the private memory region in first bits of the first cryptographically encoded pointer and performing a cryptographic algorithm on a slice of a first linear address of the private memory region based, at least in part, on the first address key and a first tweak, the first tweak including the first context information. The method further includes permitting a first tenant in the multi-tenant environment to access the first address key and the first cryptographically encoded pointer to the private memory region.

Computer-readable media, methods, and systems are disclosed for encrypting and decrypting data pages in connection with a database employing group-level encryption. A request to load a group-level encrypted logical data page into main memory is received, the data page being identified by a logical page number. A block of group-level encrypted data is loaded into the main memory of the database system from an address corresponding to the physical block number. A block of group-level encrypted data is loaded into the main memory of the database system. A header associated with the block of group-level encrypted data is decrypted using a data-volume encryption key, and an encryption-group identifier is accessed from the decrypted header. A group-level encryption key is retrieved from a key manager, and the remainder of the block of group-level encrypted data is decrypted using the group-level encryption key.

Technology for performing data duplication on data that was previously consolidated (e.g., deduplicated or merged). An example method may involve receiving a request to modify a memory page; causing the data at a first storage location to be decrypted using location dependent cryptographic input and then encrypted using a location independent cryptographic input; copying the encrypted data of the memory page from the first storage location to a second storage location; causing the encrypted data at the first and second storage locations to be decrypted using location independent cryptographic input and to each be encrypted using a different location dependent cryptographic input; updating, by the supervisor, one of the references of the plurality of memory pages from pointing to the first storage location in the physical memory to pointing to the second storage location; and modifying the memory page by altering data in the physical memory.