Patent classifications
G06F3/062
SECURE MEMORY ISOLATION FOR SECURE ENDPOINTS
A single input/output (I/O) controller for both secure partitionable endpoints (PEs) and non-secure PEs is enabled in a trusted execution environment (TEE) where secure memory portions are isolated from non-secure PEs. Security attributes for certain endpoints indicate secure memory access privilege of owning entities of the certain endpoints. A security monitor has exclusive access to the address translation control tables (TCE) stored in secure memory associated with a secure endpoint. When owning entity reassignment occurs, the endpoints are reinitialized to support a change in ownership from an outgoing owning entity having secure memory access to an incoming owning entity not having secure memory access.
Determining a storage location according to data retention policies
A method for determining a storage location includes one or more processing modules of one or more computing devices of a storage network (SN) receiving a data object to store in a storage network (SN) and determining whether the data object is subject to a legal restriction, where a data object is subject to a legal restriction based on the data object requiring storage in a jurisdiction that subjects the data object to a retention policy. The method continues by determining one or more attributes of a first storage location of a plurality of storage locations and based on a determination that the data object is subject to a legal restriction and at least one attribute of the one or more attributes of the first storage location, transmitting a write threshold number of write requests to a plurality of SUs at the first storage location.
Secrecy System And Decryption Method Of On-Chip Data Stream Of Nonvolatile FPGA
A secrecy system and a decryption method for the on-chip data stream of a nonvolatile FPGA are provided in the present invention. The nonvolatile memory module of the system is configured to allow only the full erase operation. After the full erase operation is finished, the nonvolatile memory module enters the initial state. Only an operation on the nonvolatile memory module in the initial state is effective, and the encryption region unit is therefore arranged in the nonvolatile memory module. Only decryption data written into the encryption region unit in the initial state can make the nonvolatile memory module readable, so that the decryption of the system is finished, which greatly improves the secrecy precision.
SYSTEMS AND METHODS FOR BREACH-PROOF, RESILIENT, COMPLIANT DATA IN A MULTI-VENDOR CLOUD ENVIRONMENT AND AUTOMATICALLY SELF HEALS IN THE EVENT OF A RANSOMWARE ATTACK
A cloud-based system for securely storing data, the system having a processor which obtains a source data file; splits it into at least three fragments; uses an encryption key associated with the fragments to encrypt the fragments; distributes the encrypted fragments among at least three cloud storage providers; and creates a pointer file containing information for retrieving the encrypted fragments. When a system user requests access to the data, the system uses the information stored in the pointer file to retrieve the stored encrypted fragments from the plurality of clouds, decrypts the fragments, reconstructs the data, and provides data access to the system user.
SECURELY ARMING A MEMORY DEVICE FOR SELF-DESTRUCTION BY IMPLEMENTING A SELF-DESTRUCTION COUNTDOWN TIMER USING A BATTERY BACKED REAL-TIME CLOCK
A processing device receives a command to arm a memory device for self-destruction. In response to the command, a self-destruction countdown timer is commenced. An expiry of the self-destruction countdown timer is detected and, based on detecting the expiry of the self-destruction countdown timer, data stored by the memory device is destructed.
EXPANDING RAID SYSTEMS
Physical storage devices (PSDs) of a protection group cluster (PGC) may be represented by a protection group matrix (PGM) having a plurality of rows and a plurality of columns, where each row corresponds to a PSD of the PGC, and each column corresponds to a partition of each PSD. The value specified in each cell at an intersection of a row and column specifies the protection group of the PGC to which the partition of the PSD represented by the column and row, respectively, is (or will be) assigned. In response to one or more PSDs being added to a PGC, the PGM may be reconfigured, including adding new rows, and transposing portions of columns to the new rows, or transposing portions of rows to portions of columns of the new rows. Protection members of the PGC may be re-assigned based on the reconfiguration.
AUTONOMOUS STORAGE PROVISIONING
Techniques for provisioning storage may include: initially provisioning storage for a storage group of logical devices; tagging the storage group to enable autonomous storage provisioning; receiving a plurality of parameters used in connection with performing autonomous storage provisioning for the storage group, wherein the plurality of parameters includes a first parameter denoting a threshold amount of consumed storage of the storage group, a second parameter denoting a storage capacity expansion amount by which to expand the storage capacity of the storage group, and a third parameter denoting a system-wide threshold of consumed backend non-volatile storage; determining, in accordance with the plurality of parameters, whether to expand a current storage capacity of the storage group; and responsive to determining to expand the current storage capacity of the storage group, performing first processing to automatically expand the current storage capacity of the storage group in accordance with the second parameter.
Address expansion
Apparatuses for address expansion and methods of address expansion are disclosed. Memory region definitions are stored, each comprising attribute data relevant to a respective memory region. In response to reception of a first address, a region identifier indicative of a memory region to which the first address belongs is provided. Cache storage stores data in association with an address tag, and in response to a cache miss a data retrieval request is generated. Address expansion circuitry is responsive to the data retrieval request to initiate a lookup for attribute data relevant to the memory region to which the first address belongs. The address expansion circuitry expands the first address in dependence on a base address forming part of the attribute data to generate an expanded second address, wherein the expanded second address is part of a greater address space than the first address.
EFFECTIVE KEY MANAGEMENT FOR DATA ENCRYPTION AND DECRYPTION
The present disclosure generally relates to modifying support security parameters without stalling data transfer. Rather than stalling the data transfer when support security modification requests are received, the disclosure proposes incorporating multiple security partition slots in the device controller. Each slot holds security parameters and an IO counter that holds the current number of pending commands in the device that are going to use that slot. The security partition slots are used as ping-pong buffers, allowing the device to modify a second slot while freezing the values on a first slot until the previously queued commands that are still under execution complete. The slots allow on-the-fly modification of support security parameters without stalling any IO traffic. The slots feature is very important for QoS and system performance.
Cross-partition calls in partitioned, tamper-evident data stores
Provided is a process that includes: obtaining a first request by a first program associated with a first sub-partition of a first partition of a tamper-evident data store of a decentralized computing platform to read data stored in either (i) a second sub-partition of the first partition of the tamper-evident data store of the decentralized computing platform, or (ii) a second partition of the tamper-evident data store of the decentralized computing platform; determining with a subset of peer computing nodes of a set of peer computing nodes that the first program is authorized to read from the second sub-partition or the second partition; and in response to the determination, causing the requested data to be read from the second sub-partition or the second partition.