阅读说明：本技术 平台安全机制 (Platform security mechanism ) 是由 B·帕特尔 P·德万 于 2020-12-07 设计创作，主要内容包括：本申请涉及平台安全机制。公开了一种促进计算系统内的安全性的设备。该设备包括存储驱动器、控制器和加密引擎,该控制器包括具有一个或多个密钥槽的受信任端口以对一个或多个密码密钥进行编程,该加密引擎经由一个或多个密钥槽接收密码密钥,使用密码密钥对写入存储驱动器的数据进行加密,并使用密码密钥对从存储驱动器读取的数据进行解密。(The application relates to a platform security mechanism. An apparatus to facilitate security within a computing system is disclosed. The apparatus includes a storage drive, a controller including a trusted port with one or more key slots to program one or more cryptographic keys, and an encryption engine to receive the cryptographic keys via the one or more key slots, encrypt data written to the storage drive using the cryptographic keys, and decrypt data read from the storage drive using the cryptographic keys.)

1. An apparatus that facilitates security within a computing system, comprising:

a non-volatile memory, the non-volatile memory comprising:

a storage drive;

a controller comprising a trusted port with one or more key slots to program one or more cryptographic keys; and

an encryption engine to receive the cryptographic key via the one or more key slots, encrypt data written to the storage drive using the cryptographic key, and decrypt data read from the storage drive using the cryptographic key.

2. The device of claim 1, wherein the one or more cryptographic keys are programmed into the controller during manufacture of the non-volatile memory.

3. The apparatus of claim 2, further comprising a security controller to generate the cryptographic key.

4. The device of claim 3, wherein the security controller receives the cryptographic key from a Physically Unclonable Function (PUF) engine.

5. The apparatus of claim 3, wherein the security controller receives the cryptographic key from a fuse controller.

6. The apparatus of claim 1, wherein the non-volatile memory further comprises basic input/output system (BIOS) firmware to provision an operating system image into the non-volatile memory during a boot process.

7. The apparatus of claim 1, wherein the BIOS firmware reads a security header included in the operating system image.

8. The apparatus of claim 7, wherein the security header provides an indication of a storage block in the storage drive that stores the operating system image as plaintext.

9. The apparatus of claim 8, wherein the BIOS firmware configures the controller not to decrypt a memory block in the storage drive indicated in the security header.

10. The apparatus of claim 9, wherein the BIOS reads the operating system image from the memory block.

11. The apparatus of claim 10, wherein the controller encrypts the operating system image with the cryptographic key and stores the encrypted operating system image to the storage drive.

12. A method of facilitating security for non-volatile memory, comprising:

receiving a write request to write data to the non-volatile memory;

encrypting, at an encryption engine included in the non-volatile memory, write data with one or more cryptographic keys; and

storing the encrypted write data at a storage drive within the non-volatile memory.

13. The method of claim 12, further comprising:

receiving a read request to read data from the non-volatile memory;

retrieving encrypted data from the storage drive within the non-volatile memory; and

decrypting data at the encryption engine using the one or more cryptographic keys.

14. The method of claim 13, further comprising transmitting the data.

15. A computing device, comprising:

a processor;

a memory device;

an architectural interface coupled between the processor and the memory device; and

a non-volatile memory coupled to the architecture interface, the non-volatile memory comprising:

a storage drive;

a controller comprising a trusted port with one or more key slots to program one or more cryptographic keys; and

an encryption engine to receive the cryptographic key via the one or more key slots, encrypt data written to the storage drive using the cryptographic key, and decrypt data read from the storage drive using the cryptographic key.

16. The computing device of claim 15, wherein the one or more cryptographic keys are programmed into the controller during manufacture of the non-volatile memory.

17. The computing device of claim 16, further comprising a security controller coupled to the architecture interface to generate the cryptographic key.

18. The computing device of claim 17, wherein the security controller receives the cryptographic key from a Physically Unclonable Function (PUF) engine.

19. The computing device of claim 17, wherein the security controller receives the cryptographic key from a fuse controller.

20. The apparatus of claim 15, wherein the non-volatile memory further comprises basic input/output system (BIOS) firmware to provision an operating system image into the non-volatile memory during a boot process.

Technical Field

The present application relates to security of systems on chip, and more particularly to mechanisms for protecting the security of data written to non-volatile memory.

Background

A system on a chip (SOC) is an integrated circuit that integrates all of the components of a computer or other electronic system. These components include a Central Processing Unit (CPU), memory, input/output (IO) ports, and secondary storage devices, all included on a single substrate or microchip. Furthermore, SOCs enable integration of third party components via standardized on-die interconnect protocols. However, adding such components may result in security breaches.

Disclosure of Invention

In view of the foregoing, the present application provides a platform security mechanism capable of protecting the security of data written to a non-volatile memory.

A first aspect of the present application provides an apparatus for facilitating security within a computing system, comprising: a non-volatile memory, the non-volatile memory comprising: a storage drive; a controller comprising a trusted port with one or more key slots to program one or more cryptographic keys; and an encryption engine to receive the cryptographic key via the one or more key slots, encrypt data written to the storage drive using the cryptographic key, and decrypt data read from the storage drive using the cryptographic key.

A second aspect of the present application provides a method of facilitating security for a non-volatile memory, comprising: receiving a write request to write data to a non-volatile memory; encrypting, at an encryption engine included in the non-volatile memory, the write data with one or more cryptographic keys; and storing the encrypted write data at a storage drive within the non-volatile memory.

A third aspect of the present application provides a computing device comprising: a processor; a memory device; an architectural interface coupled between the processor and the memory device; and a non-volatile memory coupled to the fabric interface, the non-volatile memory comprising: a storage drive; a controller comprising a trusted port with one or more key slots to program one or more cryptographic keys; and an encryption engine to receive the cryptographic key via the one or more key slots, encrypt data written to the storage drive using the cryptographic key, and decrypt data read from the storage drive using the cryptographic key.

Drawings

So that the manner in which the above recited features can be understood in detail, a more particular description, briefly summarized above, may be had by reference to embodiments, some of which are illustrated in the appended drawings. It is to be noted, however, that the appended drawings illustrate only typical embodiments and are therefore not to be considered limiting of its scope, for the invention may admit to other equally effective embodiments.

FIG. 1 illustrates one embodiment of a computing device.

FIG. 2 illustrates one embodiment of a platform.

FIG. 3 illustrates one embodiment of a non-volatile memory device coupled to a security controller.

FIG. 4 is a flow chart illustrating one embodiment of a process for programming a key at a non-volatile memory device.

FIG. 5 is a flow chart illustrating one embodiment of a process for performing a read operation at a non-volatile memory device.

FIG. 6A is a flow chart illustrating one embodiment of a process for performing a write operation at a non-volatile memory device.

FIG. 6B is a sequence diagram showing another embodiment of a process for programming a key and performing read and write operations at a non-volatile memory device.

FIG. 7A is a flow diagram illustrating one embodiment of a process for provisioning an operating system image.

FIG. 7B is a sequence diagram illustrating another embodiment of a process for provisioning an operating system image.

Fig. 8A and 8B illustrate embodiments of operating system image provisioning.

FIG. 9 is a schematic diagram of an exemplary electronic computing device.

Detailed Description

In the following description, numerous specific details are set forth in order to provide a more thorough understanding. It will be apparent, however, to one skilled in the art, that embodiments may be practiced without one or more of these specific details. In other instances, well-known features have not been described in order to avoid obscuring the embodiments.

In an embodiment, a mechanism is provided to protect the security of data written to non-volatile memory. In this embodiment, the encryption engine encrypts all data written to the non-volatile memory and decrypts all data read from the non-volatile memory. In further embodiments, the controller includes a trusted port with one or more slots to program the encryption key into the encryption engine.

References to "one embodiment," "an embodiment," "example embodiment," "various embodiments," etc., indicate that the embodiment(s) so described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. In addition, some embodiments may have some, all, or none of the features described for other embodiments.

In the following description and appended claims, the term "coupled" may be used along with its derivatives. "coupled" is used to indicate that two or more elements co-operate or interact with each other, but may or may not have intervening physical or electrical components between them.

As used in the claims, unless otherwise specified the use of the ordinal adjectives "first", "second", "third", etc., to describe a common element, merely indicate that different instances of like elements are being referred to, and are not intended to imply that the elements so described must be in a given sequence, either temporally, spatially, in ranking, or in any other manner.

FIG. 1 illustrates one embodiment of a computing device 100. According to one embodiment, the computing device 100 includes a computer platform, such as a system on a chip ("SoC" or "SoC"), that carries integrated circuits ("ICs") that integrate various hardware and/or software components of the computing device 100 on a single chip. As shown, in one embodiment, computing device 100 may include any number and type of hardware and/or software components, such as, but not limited to, a graphics processing unit 114 ("GPU" or simply "graphics processor"), a graphics driver 116 (also referred to as a "GPU driver," "graphics driver logic," "driver logic," User Mode Driver (UMD), UMD, User Mode Driver Framework (UMDF), UMDF, or simply "driver"), a central processing unit 112 ("CPU" or simply "application processor"), a memory 108, a network device, a driver, etc., and an input/output (I/O) source 104, such as a touchscreen, touch panel, touchpad, virtual or conventional keyboard, virtual or conventional mouse, port, connector, etc. The computing device 100 may include an Operating System (OS)106 that serves as an interface between hardware and/or physical resources of the computing device 100 and a user.

It should be appreciated that for some embodiments, a less or more equipped system than the above example may be preferred. Thus, the configuration of the computing device 100 may vary from implementation to implementation depending on a number of factors, such as price constraints, performance requirements, technological improvements, or other circumstances.

Embodiments may be implemented as any one or combination of the following: one or more microchips or integrated circuits interconnected using a motherboard, hardwired logic, software stored by a memory device and executed by a microprocessor, firmware, an Application Specific Integrated Circuit (ASIC), and/or a Field Programmable Gate Array (FPGA). The terms "logic," "module," "component," "engine," and "mechanism" may include, for example, software or hardware and/or combinations thereof, such as firmware.

Embodiments may be implemented using one or more memory chips, controllers, CPUs (central processing units), microchips or integrated circuits interconnected using a motherboard, Application Specific Integrated Circuits (ASICs), and/or Field Programmable Gate Arrays (FPGAs). The term "logic" may include, by way of example, software or hardware and/or combinations of software and hardware.

FIG. 2 illustrates one embodiment of a platform 200, the platform 200 including an SOC 210 similar to the computing device 100 described above. As shown in FIG. 2, platform 200 includes SOC 210 communicatively coupled to one or more software components 280 via CPU 112. Further, SOC 210 includes other computing device components (e.g., memory 108) coupled via system architecture 205. In one embodiment, system architecture 205 includes an integrated system-on-chip architecture (IOSF) to provide a standardized on-die interconnect protocol for coupling Interconnect Protocol (IP) agents 230 (e.g., IP blocks 230A and 230B) within SOC 210. In this embodiment, the interconnect protocol provides a standardized interface to enable third parties to design logic, such as IP agents 130, to be incorporated into SOC 210.

According to an embodiment, the IP agent 230 may include a general purpose processor (e.g., an in-order or out-of-order core), a fixed function unit, a graphics processor, an I/O controller, a display controller, and the like. In this embodiment, each IP agent 230 includes a hardware interface 235 to provide standardization to enable the IP agent 230 to communicate with SOC 210 components. For example, in embodiments where IPA agent 230 is a third party Visual Processing Unit (VPU), interface 235 provides standardization to enable the VPU to access memory 108 via fabric 205.

The SOC 210 also includes a security controller 240 that operates as a security engine to perform various security operations (e.g., security processes, cryptographic functions, etc.) on the SOC 210. In one embodiment, the security controller 240 includes an IPA agent 230 that is implemented to perform security operations. Further, the SOC 210 includes a nonvolatile memory 250. The non-volatile memory 250 may be implemented as a peripheral component interconnect express (PCIe) storage drive, such as a Solid State Drive (SSD) or a non-volatile memory express (NVMe) drive.

Many available PCIe drives may be vulnerable (or malicious), which may result in the impairment of user data stored on the drive. Currently, many such drives are sold with vulnerable firmware. As a result, the drive cannot be trusted. Many self-encrypting drives perform encrypting user data (sometimes using firmware, and sometimes in hardware encryption) in the drive itself. In addition, a malicious PCIe driver may perform Direct Memory Access (DMA) operations into the memory 108 to steal data.

According to one embodiment, the non-volatile memory 250 includes an encryption engine to encrypt all data written to the non-volatile memory 250 and decrypt all read requests. In another embodiment, the PCIe controller within the non-volatile memory 250 includes a trusted port and key slot configured such that the cryptographic key (or keys) is programmed into the encryption engine at provisioning time. In this embodiment, each key is retained in the encryption engine. In yet another embodiment, only write transactions are allowed at the key slot, while read transactions are blocked.

FIG. 3 illustrates one embodiment of a non-volatile memory device 250 coupled to the security controller 230. As shown in FIG. 3, the non-volatile memory device 250 includes a storage drive 310, a host PCIe controller 320, and basic input/output system (BIOS) firmware 330 implemented to perform hardware initialization during power-on startup (or boot process). In one embodiment, storage drive 310 comprises a flash memory device. However, other embodiments may implement different types of drivers.

The cryptographic key includes a string of characters that is used to lock or unlock cryptographic functions, including authentication, and encryption. Thus, a key is a piece of information (parameter) that determines the functional output of a cryptographic algorithm. For an encryption algorithm, the key specifies the transformation from plaintext to ciphertext, and for a decryption algorithm, vice versa.

The controller 320 includes an encryption engine 322 and a trusted port 325. According to one embodiment, the encryption engine 322 utilizes ciphertext stealing (XTS) to implement Advanced Encryption Standard (AES) and/or an XEX-based adjusted codebook mode to encrypt all data received at the non-volatile memory device 250. Therefore, any device that attempts to perform malicious DMA into the system memory cannot read the plaintext because the received data is encrypted. Trusted port 325 is implemented to program keys via security controller 230 and provide keys to encryption engine 322 via one or more key slots.

According to one embodiment, the key is programmed using a manufacturing key. In this embodiment, the key is generated during the manufacture of the non-volatile memory device 250. As a result, the trusted port 325 is not accessible in post-production. In another embodiment, the security controller 230 is implemented to generate a key. In another embodiment, the security controller 230 may receive a key from a Physical Unclonable Function (PUF) engine. In this embodiment, the controller 320 may pull the cryptographic key from the PUF engine and write the key to the key slot in the trusted port 325. All encryption operations are then performed using the keys in the key slot. In this embodiment, an out-of-band mechanism (e.g., a strap (strap) or programmable fuse) may be provided to force the controller 320 to re-key itself.

In yet another embodiment, security controller 230 may receive the key from a fuse controller that pushes the key into trusted port 325. Alternatively, the trusted port 325 may pull the key from the fuse controller and write the key to the storage drive 310. In this embodiment, one operation may be reinitiated using an out-of-band mechanism. In yet another embodiment, security controller 230 may be a manageability engine that may be used to write keys at platform initialization.

FIG. 4 is a flow chart illustrating one embodiment of a process for programming a cryptographic key at non-volatile memory device 220. At processing block 410, a boot process is performed. At processing block 420, security controller 230 receives the key (e.g., via a PUF, fuse, debug port, or out-of-band). At process block 430, a cryptographic key is generated at the security controller 230. At processing block 440, the key is programmed into PCIe controller 320 via trusted port 325.

FIG. 5 is a flow chart illustrating one embodiment of a process for performing a read operation at non-volatile memory device 220. At processing block 510, a read request is received at the encryption engine 322. At process block 520, encryption engine 322 retrieves encrypted (or cryptographic) data from storage drive 310. At processing block 530, the encryption engine 322 decrypts the cryptographic data. At processing block 540, the encryption engine 322 transmits the decrypted data as read data to the requesting entity.

FIG. 6A is a flow chart illustrating one embodiment of a process for performing a write operation at non-volatile memory device 220. At processing block 610, a write request is received at encryption engine 322. At process block 620, encryption engine 322 encrypts the write data. At process block 630, encryption engine 322 stores the encrypted text to storage drive 310. FIG. 6B is a sequence diagram illustrating another embodiment of a process for performing programming of keys and read and write operations at a non-volatile storage.

In further embodiments, the non-volatile memory device 220 may also receive and store encrypted data. In such embodiments, the data may be encrypted before being received at the non-volatile memory device 220 via the system fabric 205. In another embodiment, all SOC data (e.g., data generated within SOC 210) is encrypted within SOC 210 before being stored in non-volatile memory device 220.

According to one embodiment, the OS image is generated offline at the provisioning station using the security header. In such embodiments, the OS image is written to storage drive 310 at the start and end block addresses of the storage block provided in the header. In another embodiment, the programmer writes the clear image on the storage drive 310. Subsequently, non-volatile memory device 220 is connected into a platform (e.g., platform 200) and shipped (e.g., not booted). Once booted, the OS image is provisioned at the non-volatile memory device 220.

FIG. 7A is a flow diagram illustrating one embodiment of a process for provisioning an OS image during a boot process. At processing block 710, once the non-volatile memory device 220 is booted, the BIOS 330 reads a security header in the image. At processing block 720, BIOS 330 configures PCIe controller 320 so that the blocks in the storage device indicated in the security header (e.g., between the starting address and the ending address) will not be decrypted since the data is stored as plaintext. At process block 730, the BIOS 330 reads each block from the storage device 310 as plaintext. At processing block 740, the block is encrypted by PCIe controller 320 using the key in the key slot. At process block 750, the encrypted block is written back to storage 310. FIG. 7B is a sequence diagram illustrating another embodiment of a process for provisioning an operating system image.

Fig. 8A and 8B illustrate embodiments of operating system image provisioning. Fig. 8A shows an OS image before provisioning in a memory block. As shown in FIG. 8A, the OS image includes a header that indicates a start block, an end block, and status bits. FIG. 8B shows the OS image after it has been provisioned in storage. As shown in fig. 8B, the header shows the actual start block and end block.

The above-described mechanism protects user data on a non-volatile storage device without involving the user or software (e.g., OS). Thus, user data is protected in drives that are stolen, discarded, or refurbished. In addition, flash programmers can use this mechanism to provision the OS on the drive during manufacturing.

Fig. 9 is a schematic diagram of an exemplary electronic computing device implementing enhanced protection against attacks, in accordance with some embodiments. In some embodiments, computing device 900 includes one or more processors 910 including one or more processor cores 918 and a TEE 964 including a Machine Learning Service Enclave (MLSE) 980. In some embodiments, computing device 900 includes a hardware accelerator 968 that includes a cryptographic engine 982 and a machine learning model 984. In some embodiments, the computing device will provide enhanced protection against ML attacks, as provided by fig. 1-8.

Computing device 900 may additionally include one or more of the following: cache 962, a Graphics Processing Unit (GPU)912 (which may be a hardware accelerator in some embodiments), a wireless input/output (I/O) interface 920, wired I/O interfaces 930, memory circuitry 940, power management circuitry 950, non-transitory storage 960, and a network interface 970 for connecting to a network 972. The following discussion provides a brief, general description of the components that form the exemplary computing device 900. Example non-limiting computing device 900 may include a desktop computing device, a blade server device, a workstation, or similar device or system.

In an embodiment, the processor core 918 is capable of executing the set of machine-readable instructions 914, reading data and/or the set of instructions 914 from the one or more storage devices 960, and writing data to the one or more storage devices 960. One skilled in the relevant art will appreciate that the illustrated embodiments, as well as other embodiments, may be practiced with other processor-based device configurations, including portable electronic or handheld electronic devices, such as smart phones, portable computers, wearable computers, consumer electronics, personal computers ("PCs"), network PCs, minicomputers, blade servers, mainframe computers, and the like.

Processor core 918 may include any number of hardwired or configurable circuits, some or all of which may include a programmable and/or configurable combination of electronic components, semiconductor devices, and/or logic elements, partially or wholly disposed in a PC, server, or other computing system capable of executing processor-readable instructions.

Computing device 900 includes a bus or similar communication link 916 that communicatively couples and facilitates the exchange of information and/or data between various system components including a processor core 918, a cache 962, graphics processor circuitry 912, one or more wireless I/O interfaces 920, one or more wired I/O interfaces 930, one or more storage devices 960, and/or one or more network interfaces 970. Computing device 900 may be referred to herein in the singular, but this is not intended to limit embodiments to a single computing device 900, as in some embodiments there may be more than one computing device 900 incorporating, including, or containing any number of communicatively coupled, collocated, or remotely networked circuits or devices.

Processor core 918 may include any number, type, currently available or future developed device or combination of devices capable of executing a set of machine-readable instructions.

The processor core 918 may include (or be coupled to) but is not limited to any currently or future developed single or multi-core processor or microprocessor, such as: one or more system on a chip (SOC); a Central Processing Unit (CPU); a Digital Signal Processor (DSP); a Graphics Processing Unit (GPU); application Specific Integrated Circuits (ASICs), programmable logic units, Field Programmable Gate Arrays (FPGAs), and the like. The construction and operation of the various blocks shown in fig. 9 are of conventional design unless otherwise described. Accordingly, as will be understood by those skilled in the relevant art, such blocks need not be described in further detail herein. The bus 916 interconnecting at least some of the components of the computing device 900 may employ any currently available or future developed serial or parallel bus architecture or architecture.

The system memory 940 may include read only memory ("ROM") 942 and random access memory ("RAM") 946. A portion of the ROM 942 may be used to store or otherwise maintain a basic input/output system ("BIOS") 944. The BIOS 944 provides basic functionality to the computing device 900, for example, by causing the processor core 918 to load and/or execute one or more sets of machine-readable instructions 914. In an embodiment, at least some of the one or more sets of machine-readable instructions 914 cause at least a portion of the processor core 918 to provide, create, generate, transform and/or operate as a special purpose, specific and particular machine, such as a word processor, digital image capture machine, media player, gaming system, communication device, smart phone, or the like.

Computing device 900 may include at least one wireless input/output (I/O) interface 920. The at least one wireless I/O interface 920 may be communicatively coupled to one or more physical output devices 922 (haptic devices, video displays, audio output devices, hardcopy output devices, etc.). The at least one wireless I/O interface 920 may be communicatively coupled to one or more physical input devices 924 (pointing device, touch screen, keyboard, haptic device, etc.). The at least one wireless I/O interface 920 may include any currently available or future developed wireless I/O interface. Example wireless I/O interfaces include, but are not limited to:(bluetooth), Near Field Communication (NFC), etc.

Computing device 900 may include one or more wired input/output (I/O) interfaces 930. The at least one wired I/O interface 930 may be communicatively coupled to one or more physical output devices 922 (haptic devices, video displays, audio output devices, hardcopy output devices, etc.). The at least one wired I/O interface 930 may be communicatively coupled to one or more physical input devices 924 (pointing device, touch screen, keyboard, haptic device, etc.). The wired I/O interface 930 may include any currently available or future developed I/O interface. Example wired I/O interfaces include, but are not limited to: universal Serial Bus (USB), IEEE 1394 ("firewire"), etc.

Computing device 900 may include one or more communicatively coupled non-transitory data storage devices 960. Data storage 960 may include one or more Hard Disk Drives (HDDs) and/or one or more solid State Storage Devices (SSDs). The one or more data stores 960 may include any currently or later-developed storage devices, network storage, and/or systems. Non-limiting examples of such data storage 960 may include, but are not limited to, any current or future developed non-transitory storage device or means, such as one or more magnetic storage devices, one or more optical storage devices, one or more resistive storage devices, one or more molecular storage devices, one or more quantum storage devices, or various combinations thereof. In some embodiments, one or more data storage devices 960 may include one or more removable storage devices, such as one or more flash drives, flash memory storage units, or similar devices or apparatuses capable of being communicatively coupled to computing device 900 or decoupled from computing device 900.

One or more data storage devices 960 may include an interface or controller (not shown) that communicatively couples the respective storage device or system to bus 916. One or more data storage devices 960 may store, retain, or otherwise contain a set of machine-readable instructions, data structures, program modules, data stores, databases, logic structures, and/or other data useful to processor core 918 and/or graphics processor circuitry 912, and/or one or more applications executing on or by processor core 918 and/or graphics processor circuitry 912. In some cases, one or more data stores 960 may be communicatively coupled to the processor core 918, such as via the bus 916 or via one or more wired communication interfaces 930 (e.g., a universal serial bus or USB); one or more wireless communication interfaces 920 (e.g., bluetooth, near field communication, or NFC); and/or one or more network interfaces 970(IEEE 802.3 or Ethernet, IEEE 802.11 orEtc.).

The set of processor-readable instructions 914 and other programs, applications, logic sets, and/or modules may be stored in whole or in part in the system memory 940. Such instruction set 914 may be transferred, in whole or in part, from one or more data storage devices 960. Instruction set 914 may be loaded, stored, or otherwise retained in system memory 940, in whole or in part, during execution by processor core 918 and/or graphics processor circuitry 912.

The computing device 900 may include power management circuitry 950 to control one or more operational aspects of the energy storage device 952. In embodiments, the energy storage device 952 may include one or more primary (i.e., non-rechargeable) or secondary (i.e., rechargeable) batteries or similar energy storage devices. In an embodiment, the energy storage device 952 may include one or more ultracapacitors or ultracapacitors. In embodiments, the power management circuitry 950 may alter, regulate, or control the flow of energy from the external power source 954 to the energy storage device 952 and/or to the computing device 900. The power source 954 may include, but is not limited to, a solar energy system, a commercial power grid, a portable generator, an external energy storage device, or any combination thereof.

For convenience, the processor core 918, the graphics processor circuitry 912, the wireless I/O interface 920, the wired I/O interface 930, the storage 960, and the network interface 970 are shown communicatively coupled to each other via the bus 916 to provide connections between the aforementioned components. In alternative embodiments, the above components may be communicatively coupled in a different manner than shown in FIG. 9. For example, one or more of the above components may be directly coupled to the other components, or may be coupled to each other via one or more intermediate components (not shown). In another example, one or more of the above components may be integrated into processor core 918 and/or graphics processor circuitry 912. In some embodiments, all or a portion of bus 916 may be omitted, and these components are directly coupled to each other using a suitable wired or wireless connection.

For example, embodiments may be provided as a computer program product that may include one or more machine-readable media having stored thereon machine-executable instructions that, when executed by one or more machines such as a computer, network of computers, or other electronic devices, may cause the one or more machines to perform operations according to embodiments described herein. The machine-readable medium may include, but is not limited to, floppy diskettes, optical disks, CD-ROMs (compact disc read-only memories), and magneto-optical disks, ROMs, RAMs, EPROMs (erasable programmable read-only memories), EEPROMs (electrically erasable programmable read-only memories), magnetic or optical cards, flash memory, or other type of media/machine-readable medium suitable for storing machine-executable instructions.

Moreover, embodiments may be downloaded as a computer program product, wherein the program may be transferred from a remote computer (e.g., a server) to a requesting computer (e.g., a client) by way of one or more data signals embodied in and/or modulated by a carrier wave or other propagation medium via a communication link (e.g., a modem and/or network connection).

Throughout the document, the term "user" may be interchangeably referred to as "viewer," "observer," "speaker," "person," "individual," "end user," and the like. It should be noted that throughout this document, terms such as "graphics domain" may be referred to interchangeably with "graphics processing unit," graphics processor, "or simply" GPU, "and similarly," CPU domain "or" host domain "may be referred to interchangeably with" computer processing unit, "" application processor, "or simply" CPU.

It should be noted that terms such as "node," "computing node," "server appliance," "cloud computer," "cloud server computer," "machine," "host machine," "appliance," "computing device," "computer," "computing system," and the like may be used interchangeably throughout this document. It should also be noted that terms such as "application," "software application," "program," "software program," "package," "software package," and the like may be used interchangeably throughout this document. Also, terms such as "job," "input," "request," "message," and the like may be used interchangeably throughout this document.

In various implementations, the computing device may be a laptop computer, a netbook, a notebook computer, an ultrabook, a smartphone, a tablet computer, a Personal Digital Assistant (PDA), an ultra mobile PC, a mobile phone, a desktop computer, a server, a set-top box, an entertainment control unit, a digital camera, a portable music player, or a digital video recorder. The computing device may be stationary, portable, or wearable. In further embodiments, the computing device may be any other electronic device that processes data or records data for processing elsewhere.

The figures and the foregoing description give examples of embodiments. Those skilled in the art will appreciate that one or more of the described elements may well be combined into a single functional element. Alternatively, some elements may be divided into a plurality of functional elements. Elements from one embodiment may be added to another embodiment. For example, the order of the processes described herein may be changed and is not limited to the manner described herein. Moreover, the actions of any flow diagram need not be performed in the order shown; nor does it necessarily require all actions to be performed. Also, those acts that are not dependent on other acts may be performed in parallel with the other acts. The scope of embodiments is in no way limited by these specific examples. Numerous variations, whether explicitly given in the specification or not, such as differences in structure, dimension, and use of material, are possible. The scope of the embodiments is at least as broad as given by the appended claims.

For example, embodiments may be provided as a computer program product that may include one or more transitory or non-transitory machine-readable storage media having stored thereon machine-executable instructions that, when executed by one or more machines such as a computer, network of computers, or other electronic devices, may cause the one or more machines to perform operations according to embodiments described herein. The machine-readable medium may include, but is not limited to, floppy diskettes, optical disks, CD-ROMs (compact disc read-only memories), and magneto-optical disks, ROMs, RAMs, EPROMs (erasable programmable read-only memories), EEPROMs (electrically erasable programmable read-only memories), magnetic or optical cards, flash memory, or other type of media/machine-readable medium suitable for storing machine-executable instructions.

Some embodiments are directed to example 1, which includes an apparatus to facilitate security within a computing system, the apparatus including a non-volatile memory including a storage drive, a controller including a trusted port with one or more key slots to program one or more cryptographic keys, and an encryption engine to receive the cryptographic keys via the one or more key slots, encrypt data written to the storage drive using the cryptographic keys, and decrypt data read from the storage drive using the cryptographic keys.

Example 2 includes the subject matter of example 1, wherein the one or more cryptographic keys are programmed into the controller during manufacture of the non-volatile memory.

Example 3 includes the subject matter of examples 1 and 2, wherein the non-volatile memory further comprises a security controller to generate the cryptographic key.

Example 4 includes the subject matter of examples 1 to 3, wherein the security controller receives the cryptographic key from a Physical Unclonable Function (PUF) engine.

Example 5 includes the subject matter of examples 1 to 4, wherein the security controller receives the cryptographic key from the fuse controller.

Example 6 includes the subject matter of examples 1 to 5, wherein the non-volatile memory further comprises basic input/output system (BIOS) firmware to supply the operating system image into the non-volatile memory during a boot process.

Example 7 includes the subject matter of examples 1 to 6, wherein the BIOS firmware reads a security header included in the operating system image.

Example 8 includes the subject matter of examples 1 to 7, wherein the security header provides an indication of a storage block in the storage drive that stores the operating system image as plaintext.

Example 9 includes the subject matter of examples 1 to 8, wherein the BIOS firmware configures the controller not to decrypt the memory blocks in the storage device indicated in the security header.

Example 10 includes the subject matter of examples 1 to 9, wherein the BIOS reads the operating system image from the memory block.

Example 11 includes the subject matter of examples 1 to 10, wherein the controller is to encrypt the operating system image with a cryptographic key and store the encrypted operating system image to the storage drive.

Some embodiments are directed to example 12, which includes a method of facilitating security of a non-volatile memory, the method including receiving a write request to write data to the non-volatile memory, encrypting, at an encryption engine included in the non-volatile memory, the write data with one or more cryptographic keys, and storing the encrypted write data at a storage drive within the non-volatile memory.

Example 13 includes the subject matter of example 12, further comprising receiving a read request to read data from the non-volatile memory, retrieving encrypted data from a storage drive within the non-volatile memory, and decrypting the data at the encryption engine using one or more cryptographic keys.

Example 14 includes the subject matter of examples 12 and 13, further comprising transmitting the data.

Some embodiments relate to example 15, which includes a computing device comprising a processor, a memory device, an architectural interface coupled between the processor and the memory device, and a non-volatile memory coupled to the architectural interface, the non-volatile memory comprising a storage drive, a controller, and an encryption engine, the controller comprising a trusted port with one or more key slots to program one or more cryptographic keys, the encryption engine to receive the cryptographic keys via the one or more key slots, encrypt data written to the storage drive using the cryptographic keys, and decrypt data read from the storage drive using the cryptographic keys.

Example 16 includes the subject matter of example 15, wherein the one or more cryptographic keys are programmed into the controller during manufacture of the non-volatile memory.

Example 17 includes the subject matter of examples 15 and 16, further comprising a security controller coupled to the architecture interface to generate the cryptographic key.

Example 18 includes the subject matter of examples 15 to 17, wherein the security controller is to receive a cryptographic key from a Physical Unclonable Function (PUF) engine.

Example 19 includes the subject matter of examples 15 to 18, wherein the security controller receives the cryptographic key from the fuse controller.

Example 20 includes the subject matter of examples 15 to 19, wherein the non-volatile memory further comprises basic input/output system (BIOS) firmware to supply the operating system image into the non-volatile memory during a boot process.

Example embodiments have been described above with reference to specific embodiments. However, those skilled in the art will appreciate that various modifications and changes may be made to the embodiments without departing from the broader spirit and scope as set forth in the appended claims. The foregoing description and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.