Patent classifications
G06F12/1425
CONFIDENTIAL COMPUTING MECHANISM
According to a first aspect, execution logic is configured to perform a linear capability transfer operation which transfers a physical capability from a partition of a first software module to a partition of a second software module without retaining it in the partition of the first. According to a second, alternative or additional aspect, the execution logic is configured to perform a sharding operation whereby a physical capability is divided into at least two instances, which may later be combined.
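The two operations in that abstract, transfer without retention and sharding with later recombination, can be made concrete with a small model. The following Python is an added illustration, not the patent's own mechanism: a capability is a record held in exactly one partition's table, a transfer removes it from the source before the destination receives it, and each shard carries a fractional share so that the shares of one capability always sum to 1 across all partitions. The `Partition`, `CapUnit` and `scenario` names and the fractional-share representation are assumptions made for the example.

```python
from dataclasses import dataclass, field
from fractions import Fraction
import itertools

_uid = itertools.count(1)


@dataclass(frozen=True)
class PhysCap:
    """Capability over a physical address range. `share` is the fraction of the
    original capability this instance carries: 1 for a whole capability, 1/n
    for one of n shards. `origin` identifies the capability a shard came from;
    `uid` keeps otherwise identical shards distinct inside a set."""
    base: int
    length: int
    perms: str
    share: Fraction = Fraction(1)
    origin: int = 0
    uid: int = field(default_factory=lambda: next(_uid))

    def covers(self, addr, perm):
        return self.base <= addr < self.base + self.length and perm in self.perms


class Partition:
    """One software module's capability table (assumed structure)."""
    def __init__(self, name):
        self.name = name
        self.caps = set()

    def can_access(self, addr, perm):
        return any(c.covers(addr, perm) for c in self.caps)


class CapUnit:
    """The execution logic: every operation removes a capability from its
    holder before creating or inserting anything, so no copy ever exists."""

    @staticmethod
    def mint(part, base, length, perms):
        cap = PhysCap(base, length, perms, origin=next(_uid))
        part.caps.add(cap)
        return cap

    @staticmethod
    def transfer(cap, src, dst):
        # Linear transfer: fault if src does not hold it; otherwise src loses
        # the capability before dst gains it.
        if cap not in src.caps:
            raise PermissionError(f"{src.name} does not hold that capability")
        src.caps.remove(cap)
        dst.caps.add(cap)
        return cap

    @staticmethod
    def shard(cap, holder, n):
        if n < 2 or cap not in holder.caps:
            raise PermissionError("cannot shard a capability the partition does not hold")
        holder.caps.remove(cap)
        pieces = [PhysCap(cap.base, cap.length, cap.perms, cap.share / n, cap.origin)
                  for _ in range(n)]
        holder.caps.update(pieces)
        return pieces

    @staticmethod
    def combine(shards, holder):
        shards = list(shards)
        if not shards or any(s not in holder.caps for s in shards):
            raise PermissionError("holder lacks one of the shards")
        if len({(s.base, s.length, s.perms, s.origin) for s in shards}) != 1:
            raise ValueError("shards belong to different capabilities")
        total = sum(s.share for s in shards)
        if total > 1:
            raise ValueError("share total exceeds 1: a shard was duplicated")
        for s in shards:
            holder.caps.remove(s)
        merged = PhysCap(shards[0].base, shards[0].length, shards[0].perms,
                         total, shards[0].origin)
        holder.caps.add(merged)
        return merged


def total_share(partitions, origin):
    """Linearity invariant: across all partitions the shares of one capability sum to 1."""
    return sum(c.share for p in partitions for c in p.caps if c.origin == origin)


def scenario():
    """Constructed walk-through: transfer, failed replay, shard, recombine."""
    a, b = Partition("A"), Partition("B")
    cap = CapUnit.mint(a, 0x1000, 0x1000, "rw")
    CapUnit.transfer(cap, a, b)
    a_after = a.can_access(0x1800, "w")          # False: A gave the capability away
    b_after = b.can_access(0x1800, "w")          # True
    try:
        CapUnit.transfer(cap, a, b)              # A cannot transfer what it no longer holds
        replay_blocked = False
    except PermissionError:
        replay_blocked = True
    s1, s2 = CapUnit.shard(cap, b, 2)
    CapUnit.transfer(s1, b, a)                   # one shard per partition
    shares = total_share([a, b], cap.origin)     # still exactly 1
    CapUnit.transfer(s1, a, b)
    merged = CapUnit.combine([s1, s2], b)
    return dict(a_after=a_after, b_after=b_after, replay_blocked=replay_blocked,
                shares=shares, merged_share=merged.share, b_caps=len(b.caps))
```

The invariant checked by `total_share` is the property hardware enforcement would guarantee: no sequence of transfers and shards creates a second copy of a physical capability.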
Control method, information processing device, management system, and recording medium
Provided is a control method of controlling locking or unlocking of storage using a blockchain. The control method includes: determining, when first request information indicating a lock/unlock request (that is, a lock request or an unlock request) is received from a terminal, whether a keyholder identified by reading keyholder information stored in the blockchain matches an owner of the terminal that has transmitted the first request information, the keyholder information indicating a person having the authority to lock or unlock the storage; performing lock/unlock processing when the keyholder is determined to match the owner, the lock/unlock processing being processing for causing the storage to lock or unlock in accordance with the first request information; and performing first storage processing after the lock/unlock processing is performed, the first storage processing being processing of storing, in the blockchain, transaction data indicating that the lock/unlock processing has been performed.
System and method for protecting memory encryption against template attacks
A method for protecting data includes encrypting information to generate a first tweak, combining a data block with the first tweak, encrypting the tweaked data block to form encrypted data, combining the encrypted data with the first tweak, and providing the combined encrypted data for storage in a memory address. Storing the combined encrypted data at the memory address generates a first stimulus different from a second stimulus generated by storing same encrypted data combined with a second tweak at the memory address. The first stimulus is generated based on the first tweak and the second stimulus is generated based on the second tweak.
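The construction in that abstract is XOR-encrypt-XOR with a tweak that is itself the encryption of per-location information. The Python below is an added example, not the patent's implementation. It uses a constructed Feistel cipher built on SHA-256 purely so that it runs offline (a real design would use AES-128), derives the tweak from the line address plus an assumed epoch counter, and shows that re-tweaking the same plaintext at the same address changes the stored bit pattern, which is the "stimulus" the abstract refers to. The `EncryptedMemory` class, the epoch field and the `demo` function are assumptions made for the example.

```python
import hashlib
import os

BLOCK = 16  # 128-bit data blocks, one per memory line in this toy


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    # Round function of the constructed Feistel cipher: SHA-256 used as a PRF.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt(key, block):
    """Constructed 8-round balanced Feistel permutation on 16-byte blocks.
    Stands in for the block cipher of a real design (AES-128). A Feistel
    network is a permutation for any round count, so decryption is exact."""
    l, r = block[:8], block[8:]
    for i in range(8):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r


def toy_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(8)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r


def make_tweak(tweak_key, address, epoch):
    """Step 1 of the abstract: the tweak is the encryption of per-location
    information. Here (assumed) that information is the line address plus an
    epoch counter, so the same address can be given a fresh tweak over time."""
    info = address.to_bytes(8, "little") + epoch.to_bytes(8, "little")
    return toy_encrypt(tweak_key, info)


def encrypt_line(data_key, tweak, plaintext):
    """Combine with the tweak, encrypt, combine with the tweak again."""
    return _xor(toy_encrypt(data_key, _xor(plaintext, tweak)), tweak)


def decrypt_line(data_key, tweak, stored):
    return _xor(toy_decrypt(data_key, _xor(stored, tweak)), tweak)


class EncryptedMemory:
    """Memory whose stored bit pattern is what a template attack would
    observe. A per-address epoch lets the controller re-tweak a location."""
    def __init__(self, data_key, tweak_key):
        self.data_key, self.tweak_key = data_key, tweak_key
        self.cells = {}    # address -> stored ciphertext
        self.epoch = {}    # address -> epoch used for the current tweak

    def store(self, address, plaintext, new_epoch=False):
        ep = self.epoch.get(address, 0) + (1 if new_epoch else 0)
        self.epoch[address] = ep
        tweak = make_tweak(self.tweak_key, address, ep)
        self.cells[address] = encrypt_line(self.data_key, tweak, plaintext)
        return self.cells[address]

    def load(self, address):
        tweak = make_tweak(self.tweak_key, address, self.epoch[address])
        return decrypt_line(self.data_key, tweak, self.cells[address])


def hamming(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def demo():
    data_key, tweak_key = os.urandom(16), os.urandom(16)
    mem = EncryptedMemory(data_key, tweak_key)
    line = b"secret line 0001"                       # constructed 16-byte plaintext
    addr = 0x4000
    first = mem.store(addr, line)                    # epoch 0
    second = mem.store(addr, line, new_epoch=True)   # same data, same address, epoch 1
    return {
        "roundtrip": mem.load(addr) == line,
        "different_stimulus": first != second,
        "flipped_bits": hamming(first, second),
    }
```

Without the tweak (or with a tweak fixed per address), writing the same plaintext to the same address always produces the same stored bits, which is exactly the repeatable signal a template attack trains on; the epoch in the tweak input is what breaks that repetition here.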
Memory access control
Apparatus comprises a multi-threaded processing element to execute processing threads as one or more process groups each of one or more processing threads, each process group having a process group identifier unique amongst the one or more process groups and being associated by capability data with a respective memory address range in a virtual memory address space; and memory address translation circuitry to translate a virtual memory address accessed by a processing thread of one of the process groups to a physical memory address; the memory address translation circuitry being configured to associate, with a translation of a given virtual memory address to a corresponding physical memory address, permission data defining one or more process group identifiers representing respective process groups permitted to access the given virtual memory address, and to inhibit access to the given virtual memory address in dependence on the capability data associated with the process group of the processing thread requesting the memory access and a detection of whether the permission data defines the process group identifier of the process group of the processing thread requesting the memory access.
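The two gates in that claim, the group's capability range and the per-translation list of permitted group identifiers, are easiest to see side by side. The Python below is an added example, not the patent's circuitry: an `MMU` table keyed by virtual page number carries the permitted identifiers next to the physical page, and `translate` refuses the access if either gate fails. The page size, the `ProcessGroup` layout and the `build_demo` addresses are assumptions made for the example.

```python
from dataclasses import dataclass

PAGE_SHIFT = 12  # assumed 4 KiB pages


@dataclass(frozen=True)
class ProcessGroup:
    pgid: int
    cap_base: int      # capability data: start of the VA range this group may touch
    cap_len: int


@dataclass(frozen=True)
class Translation:
    ppn: int                 # physical page number
    permitted: frozenset     # permission data: pgids allowed on this virtual page


class AccessViolation(Exception):
    pass


class MMU:
    def __init__(self):
        self.table = {}      # virtual page number -> Translation

    def map_page(self, vpn, ppn, pgids):
        self.table[vpn] = Translation(ppn, frozenset(pgids))

    def translate(self, va, group):
        """Two independent gates; both must pass:
        1) the requesting thread's process group holds capability data covering va;
        2) the translation's permission data names that group's identifier."""
        if not (group.cap_base <= va < group.cap_base + group.cap_len):
            raise AccessViolation(f"pgid {group.pgid}: va {va:#x} outside capability range")
        entry = self.table.get(va >> PAGE_SHIFT)
        if entry is None:
            raise AccessViolation(f"va {va:#x}: no translation")
        if group.pgid not in entry.permitted:
            raise AccessViolation(f"pgid {group.pgid} not permitted on va {va:#x}")
        return (entry.ppn << PAGE_SHIFT) | (va & ((1 << PAGE_SHIFT) - 1))


def try_translate(mmu, va, group):
    """Return the physical address, or the reason the access was inhibited."""
    try:
        return mmu.translate(va, group)
    except AccessViolation as e:
        return str(e)


def build_demo():
    """Constructed layout: one page at VPN 0x10 whose permission data names groups 1 and 2."""
    mmu = MMU()
    mmu.map_page(0x10, 0x8ab, pgids={1, 2})
    g1 = ProcessGroup(pgid=1, cap_base=0x10000, cap_len=0x2000)  # both gates pass
    g2 = ProcessGroup(pgid=2, cap_base=0x00000, cap_len=0x1000)  # named in permission data, capability does not cover 0x10xxx
    g3 = ProcessGroup(pgid=3, cap_base=0x10000, cap_len=0x2000)  # capability covers it, not named in permission data
    return mmu, g1, g2, g3
```

The point of keeping the gates separate is that neither side can grant access alone: a group whose identifier appears in a translation's permission data still cannot reach a page outside its own capability range, and a group with a wide capability range still cannot reach a page whose permission data does not name it.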
MEMORY ASSISTED INLINE ENCRYPTION/DECRYPTION
Techniques for memory assisted inline encryption/decryption are described. An example includes an encryption data structure engine to provide a key, data, and a tweak to the encryption/decryption engine, wherein the encryption data structure engine is to: read an index value from an encryption data structure lookup data structure entry using an address, the entry to include the index value and a guest page physical address (GPPA); retrieve, based on the index value, an entry from the encryption data structure, the entry to include a logical block address (LBA) base, a key identifier, and at least one GPPA in a sequence of GPPAs; generate an LBA using the position, in the sequence of GPPAs, of the GPPA from the encryption data structure lookup data structure entry; and retrieve a key based on the key identifier, wherein the encryption/decryption engine is to encrypt data using the retrieved key and the generated LBA.
DEVICE AND METHOD OF SECURE DECRYPTION BY VIRTUALIZATION AND TRANSLATION OF PHYSICAL ENCRYPTION KEYS
Example implementations include a system of secure decryption by virtualization and translation of physical encryption keys, the system having a key translation memory operable to store at least one physical mapping address corresponding to at least one virtual key address; a physical key memory operable to store at least one physical encryption key at a physical memory address thereof; and a key security engine operable to generate at least one key address translation index, obtain, from the key translation memory, the physical mapping address based on the key address translation index and the virtual key address, and retrieve, from the physical key memory, the physical encryption key stored at the physical memory address.
Hardware control system and hardware control method
A hardware control system and a hardware control method are provided. The hardware control system is for controlling a function circuit, and includes a first transformation circuit, a second transformation circuit and an analysis circuit. The first transformation circuit transforms a command from an operating system to an intermediate address. The second transformation circuit transforms the intermediate address to a permission physical address according to an identifier of the operating system, wherein the permission physical address consists of a hardware physical address and a permission value. The analysis circuit analyzes the permission physical address to generate the hardware physical address and the permission value, and determines a control value corresponding to the hardware physical address according to the permission value. The control value is for permitting the operating system to control the function circuit.
METHOD FOR EVOLVING ROOT OF TRUST AND ELECTRONIC DEVICE USING THE SAME
The embodiment of the present disclosure provides a method for evolving a root of trust and an electronic device using the method. Through the present disclosure, the root of trust can be evolved several times to strengthen the security verification capability for secure boot. Different from the conventional method of burning the root of trust into read-only memory, the present disclosure uses a block protection storage device and writes a verification firmware to be added to the root of trust into an unprotected block of the block protection storage device. After the writing is completed, the unprotected block in which the verification firmware was written is made a protected block, so that the evolvable root of trust remains secure and reliable and each evolution of the root of trust can be trusted.
RELIABILITY OF COMPUTER MEMORY WITH DATA MOVEMENT AND ADDRESS RE-MAPPING
Aspects of the present disclosure relate to techniques for minimizing the effects of RowHammer and induced charge leakage. In examples, systems and methods for preventing access pattern attacks in random-access memory (RAM) are provided. In aspects, a data request associated with a page table may be determined to be a potential security risk, and that risk may be mitigated by randomly selecting a second memory region from a subset of memory regions, copying the data stored in the memory region associated with a page table entry in the page table to the second memory region, disassociating the second memory region from the subset of memory regions and associating the vacated memory region with the subset in its place, and updating the page table entry in the page table to refer to the second memory region.
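The mitigation in that abstract is a page migration driven by an access-rate trigger. The Python below is an added example, not the patent's implementation: it keeps a spare subset of physical regions, counts accesses per region within a window, and on crossing an assumed threshold copies the page to a randomly chosen spare region, swaps the old region into the spare subset, and repoints the page table entry. The threshold, the window handling and the `RemappingMemory` / `demo` names are assumptions made for the example.

```python
import random


class RemappingMemory:
    """Page-table-level RowHammer mitigation: when a physical region draws an
    anomalous access rate, its contents move to a randomly chosen spare region
    and the PTE is repointed, so an attacker cannot keep hammering a known
    neighbour of the victim."""

    def __init__(self, spare_regions, threshold, seed=None):
        self.spare = set(spare_regions)   # subset of regions reserved as migration targets
        self.threshold = threshold        # accesses per window treated as a potential risk (assumed policy)
        self.rng = random.Random(seed)    # seeded only so the demo is reproducible; hardware would use a TRNG
        self.page_table = {}              # vpn -> physical region
        self.contents = {}                # region -> bytes
        self.hits = {}                    # region -> accesses in the current window
        self.migrations = []              # (vpn, old_region, new_region)

    def map_page(self, vpn, region, data):
        self.page_table[vpn] = region
        self.contents[region] = data

    def is_risky(self, region):
        return self.hits.get(region, 0) >= self.threshold

    def access(self, vpn):
        region = self.page_table[vpn]
        self.hits[region] = self.hits.get(region, 0) + 1
        if self.is_risky(region):
            self.migrate(vpn)
        return self.contents[self.page_table[vpn]]

    def migrate(self, vpn):
        old = self.page_table[vpn]
        new = self.rng.choice(sorted(self.spare))     # random target: new neighbours are unpredictable
        self.contents[new] = self.contents.pop(old)   # copy the data to the chosen region
        self.spare.remove(new)                        # target leaves the spare subset
        self.spare.add(old)                           # vacated region joins it
        self.page_table[vpn] = new                    # update the page table entry
        self.hits.pop(old, None)                      # fresh window for the moved page
        self.migrations.append((vpn, old, new))
        return new

    def end_window(self):
        """Called by a periodic timer in a real design; resets the rate counters."""
        self.hits.clear()


def demo(hammer_count=2000, threshold=500):
    """Constructed hammering run against one mapped page."""
    mem = RemappingMemory(spare_regions=range(100, 110), threshold=threshold, seed=7)
    mem.map_page(0x20, 5, b"page table contents")
    for _ in range(hammer_count):
        mem.access(0x20)
    return mem
```

The size of the spare subset never changes: each migration removes one region and returns one, so the randomly chosen destination is always drawn from a pool the attacker cannot predict, and the vacated region becomes a candidate target for a later move.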
Unchangeable physical unclonable function in non-volatile memory
A device which can be implemented on a single packaged integrated circuit or a multichip module comprises a plurality of non-volatile memory cells, and logic to use a physical unclonable function to produce a key and to store the key in a set of non-volatile memory cells in the plurality of non-volatile memory cells. The physical unclonable function can use entropy derived from non-volatile memory cells in the plurality of non-volatile memory cells to produce a key. Logic is described to disable changes to data in the set of non-volatile memory cells, and thereby freeze the key after it is stored in the set.