Abstract: Example methods and systems are directed to reducing latency in providing trusted execution environments (TEEs). Initializing a TEE includes multiple steps before the TEE starts executing. Besides workload-specific initialization, workload-independent initialization is performed, such as adding memory to the TEE. In function-as-a-service (FaaS) environments, a large portion of the TEE initialization is workload-independent, and thus can be performed prior to receiving the workload. Certain steps performed during TEE initialization are identical for certain classes of workloads. Thus, the common parts of the TEE initialization sequence may be performed before the TEE is requested. When a TEE is requested for a workload in the class and the parts to specialize the TEE for its particular purpose are known, the final steps to initialize the TEE are performed.
Description:
RELATED APPLICATION
[0001] This patent application is related to India Patent Application No. 202144042915, filed on September 22, 2021, entitled “REDUCING LATENCY OF HARDWARE TRUSTED EXECUTION ENVIRONMENTS”.
[0002] The present application claims priority to U.S. Non-Provisional Patent Application No. 17/131,716, filed December 22, 2020 and titled “REDUCING LATENCY OF HARDWARE TRUSTED EXECUTION ENVIRONMENTS”, the entire disclosure of which is hereby incorporated by reference.
TECHNICAL FIELD
[0003] The subject matter disclosed herein generally relates to hardware trusted execution environments (TEEs). Specifically, the present disclosure addresses systems and methods for reducing latency of hardware TEEs.
BACKGROUND
[0004] Hardware privilege levels may be used by a processor to limit memory access by applications running on a device. An operating system runs at a higher privilege level and can access all memory of the device and define memory ranges for other applications. The applications, running at a lower privilege level, are restricted to accessing memory within the range defined by the operating system and are not able to access the memory of other applications or the operating system. However, an application has no protection from a malicious or compromised operating system.
[0005] A TEE is enabled by processor protections that guarantee that code and data loaded inside the TEE are protected from access by code executing outside of the TEE. Thus, the TEE provides an isolated execution environment that prevents, at the hardware level, access to the data and code contained in the TEE by malicious software, including the operating system.
BRIEF DESCRIPTION OF THE DRAWINGS
[0006] Some embodiments are illustrated by way of example and not limitation in the figures of the accompanying drawings.
[0007] FIG. 1 is a network diagram illustrating a network environment suitable for servers providing functions as a service using TEEs, according to some example embodiments.
[0008] FIG. 2 is a block diagram of a function-as-a-service server, suitable for reducing latency of TEEs, according to some example embodiments.
[0009] FIG. 3 is a block diagram of prior art ring-based memory protection.
[0010] FIG. 4 is a block diagram of enclave-based memory protection, suitable for reducing latency of TEEs according to some example embodiments.
[0011] FIG. 5 is a block diagram of a database schema, according to some example embodiments, suitable for use in reducing latency of TEEs.
[0012] FIG. 6 is a block diagram of a sequence of operations performed in building a TEE, according to some example embodiments.
[0013] FIG. 7 is a flowchart illustrating operations of a method suitable for initializing and providing access to TEEs, according to some example embodiments.
[0014] FIG. 8 is a flowchart illustrating operations of a method suitable for initializing and providing access to TEEs, according to some example embodiments.
[0015] FIG. 9 is a flowchart illustrating operations of a method suitable for initializing and providing access to TEEs, according to some example embodiments.
[0016] FIG. 10 is a block diagram showing one example of a software architecture for a computing device.
[0017] FIG. 11 is a block diagram of a machine in the example form of a computer system within which instructions may be executed for causing the machine to perform any one or more of the methodologies discussed herein.
DETAILED DESCRIPTION
[0018] Example methods and systems are directed to reducing latency in providing TEEs. In the most general sense, a TEE is any trusted execution environment, regardless of how that trust is obtained. However, as used herein, TEEs are provided by executing code within a portion of memory protected from access by processes outside of the TEE, even if those processes are running at an elevated privilege level. Example TEEs include enclaves created by Intel® Software Guard Extensions (SGX) and trust domains created by Intel® Trust Domain Extensions (TDX).
Claims:
1. A processing system, comprising:
memory circuitry; and
processing circuitry configured to:
allocate resources of the processing circuitry to create a plurality of trusted execution environments (TEEs);
initialize each respective TEE in the plurality of TEEs by allocating an isolated memory space to the respective TEE in the memory circuitry and enabling the respective TEE to execute workloads on the processing circuitry, wherein each respective TEE in the plurality of TEEs is initialized to support independent scheduling and execution of a plurality of different types of workloads;
after each respective TEE in the plurality of TEEs is initialized, receive a request to execute a workload; and
cause a TEE of the initialized plurality of TEEs to execute the workload in response to the request.
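The split described in the abstract and in claim 1 (class-common initialization done ahead of the request, workload-specific steps done when the request arrives) can be modelled as below. This is an added example, not code from the patent: the step names, the `WarmPool` class and the running SHA-256 digest that stands in for a launch measurement are assumptions made for illustration.

```python
import hashlib
from collections import deque

def extend(measurement: bytes, step: str) -> bytes:
    # Simplified model: each build step is folded into a running digest.
    return hashlib.sha256(measurement + step.encode()).digest()

class Tee:
    def __init__(self):
        self.measurement, self.finalized, self.steps_run = b"\x00" * 32, False, 0

    def apply(self, steps):
        if self.finalized:
            raise RuntimeError("TEE already finalized; contents are locked")
        for s in steps:
            self.measurement = extend(self.measurement, s)
            self.steps_run += 1

    def finalize(self) -> str:
        self.finalized = True
        return self.measurement.hex()

class WarmPool:
    """Holds TEEs that have completed only the class-common steps."""
    def __init__(self, common_steps, size):
        self.common = list(common_steps)
        self.ready = deque(self._prebuild() for _ in range(size))

    def _prebuild(self) -> Tee:
        tee = Tee()
        tee.apply(self.common)
        return tee

    def launch(self, workload_steps):
        """Return (measurement, number of steps run on the request path)."""
        warm = bool(self.ready)
        # Each pooled TEE is handed out once; an empty pool falls back to a cold build.
        tee = self.ready.popleft() if warm else self._prebuild()
        before = tee.steps_run if warm else 0
        tee.apply(workload_steps)
        return tee.finalize(), tee.steps_run - before

# Constructed sample steps for one workload class (hypothetical names).
COMMON = ["create", "add_heap_pages:4096", "load_runtime:faas-base"]
WORKLOAD = ["load_function:resize-image", "set_entry:handler"]

def cold_build(common, workload) -> str:
    tee = Tee()
    tee.apply(list(common) + list(workload))
    return tee.finalize()
```

In this model a warm launch yields the same digest as a cold build of the same step sequence, so a verifier comparing against an expected value does not need to know whether the TEE came from the pool.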
| # | Name | Date |
|---|---|---|
| 1 | 202245071010-FORM 1 [09-12-2022(online)].pdf | 2022-12-09 |
| 2 | 202245071010-DRAWINGS [09-12-2022(online)].pdf | 2022-12-09 |
| 3 | 202245071010-DECLARATION OF INVENTORSHIP (FORM 5) [09-12-2022(online)].pdf | 2022-12-09 |
| 4 | 202245071010-COMPLETE SPECIFICATION [09-12-2022(online)].pdf | 2022-12-09 |
| 5 | 202245071010-FORM 3 [07-06-2023(online)].pdf | 2023-06-07 |
| 6 | 202245071010-FORM-26 [04-10-2023(online)].pdf | 2023-10-04 |
| 7 | 202245071010-FORM 3 [07-12-2023(online)].pdf | 2023-12-07 |
| 8 | 202245071010-FORM 18 [23-02-2024(online)].pdf | 2024-02-23 |
| 9 | 202245071010-FORM 3 [08-05-2024(online)].pdf | 2024-05-08 |