Patent classifications
G06F12/1466
Field-replaceable unit (FRU) secure component binding
Systems and methods are provided for binding one or more components to an identification component of a hardware module. Each of the serial numbers for the one or more components is included within a module-specific authentication certificate that is stored within the identification component of the hardware module. When connected to a computing platform, an authentication system of the computing platform is capable of retrieving the module-specific authentication certificate. The authentication system can compare the list of serial numbers included in the module-specific authentication certificate with one or more serial numbers read over a first interface. If the two lists of serial numbers match, the authentication system can flag the hardware module as authentic, having authenticated all components of the hardware module.
Protecting memory regions based on occurrence of an event
Memory regions may be protected based on occurrence of an event in a computing device. Subsystems of the computing device may store information in a memory controller identifying memory regions to be erased upon occurrence of an event, such as a system or subsystem crash. The memory controller may control erasing the memory regions in response to an indication associated with the event. A memory dump may be performed after the memory regions have been erased.
System and Method for Shared Memory Ownership Using Context
It is possible to reduce the latency attributable to memory protection in shared memory systems by performing access protection at a central Data Ownership Manager (DOM), rather than at distributed memory management units in the central processing unit (CPU) elements (CEs) responsible for parallel thread processing. In particular, the DOM may monitor read requests communicated over a data plane between the CEs and a memory controller, and perform access protection verification in parallel with the memory controller's generation of the data response. The DOM may be separate and distinct from both the CEs and the memory controller, and therefore may generally be able to make the access determination without interfering with data plane processing/generation of the read requests and data responses exchanged between the memory controller and the CEs.
DIRECT MEMORY ACCESS ENCRYPTION WITH APPLICATION PROVIDED KEYS
In one example in accordance with the present disclosure, a method may include retrieving, at a memory management unit (MMU), encrypted data from a memory via direct memory access and determining, at the MMU, a peripheral that is the intended recipient of the encrypted data. The method may also include accessing an application key used for transmission between an application and the peripheral, wherein the application key originates from the application and decrypting, at the MMU, the encrypted data using the application key and transmitting the decrypted data to the peripheral.
Multi-tenant cryptographic memory isolation
Systems and techniques for multi-tenant cryptographic memory isolation are described herein. A multiple key total memory encryption (MKTME) circuitry may receive a read request for encrypted memory. Here, the read request may include an encrypted memory address that itself includes a sequence of keyid bits and physical address bits. The MKTME circuitry may retrieve a keyid-nonce from a key table using the keyid bits. The MKTME circuitry may construct a tweak from the keyid-nonce, the keyid bits, and the physical address bits. The MKTME circuitry may then decrypt data specified by the read request using the tweak and a common key.
Loading control method and system storage device
A loading control method and system for a storage device are disclosed. The method comprises: judging whether a storage controller is valid through a first bus, and acquiring a key of the storage controller if a positive judgement is made; judging whether the key is valid, and commanding the storage controller to turn on a power supply of a storage device if a positive judgement is made; and loading the storage device through a second bus. According to the method, storage devices based on Windows and Android are allowed to be loaded only after the storage device verification is successful, and by means of the method, data security of a user can be effectively protected, which provides reliable and effective protection for future private cloud service data.
TIMELY RANDOMIZED MEMORY PROTECTION
In a system executing a program, a method comprises detecting one or more input/output calls associated with the program and re-randomizing memory associated with the program in response to the one or more input/output calls. A related system is also described.
Secure Removal of Sensitive Data
Representative embodiments disclose how to remove spilled data from an unauthorized system and/or service in a cloud service. Some embodiments allow a user to remove spilled data in a secure fashion without involving an administrator. Spilled data resides in a data structure backed by allocated storage locations. The system presents a user interface allowing a user to enter information that allows identification of the allocated storage locations. The spilled data is removed from the data structure leaving whitespace in the allocated storage locations where remnants of the spilled data can reside. The system creates a copy of the data structure, removing the whitespace. The system connects the copy of the data structure in place of the original data structure. The original allocated storage locations are then overwritten in a secure manner to remove any remnants of the spilled data.
SECURE COMMUNICATION OF VIRTUAL MACHINE ENCRYPTED MEMORY
An apparatus, a method, and a computer program product are provided that provide confidential computing on virtual machines by securing input/output operations between a virtual machine and a device. The method includes receiving an input/output (I/O) transaction from an I/O device requesting data stored in memory of a virtual machine. The I/O transaction includes a virtual memory address and a bus device function. The method also includes associating the I/O transaction with a key slot associated with the virtual machine and retrieving, using the key slot, an encryption key used to encrypt and decrypt the data. The method further includes retrieving the data located at a physical memory address in physical memory corresponding to the virtual memory address of the data being requested and decrypting, during a read operation, the data using the encryption key for I/O transmission. The method also includes transmitting the decrypted data to the I/O device.
Memory controller, storage device including the same, and operating method of the memory controller
A memory controller for controlling a non-volatile memory device includes a key management unit configured to control an access right to a secure key based on a biometric authentication message and a unique value, which are received from an external device; and a data processing unit configured to encrypt data received from a host and decrypt data stored in the non-volatile memory device based on the secure key.