US 11,841,985 B2
Method and system for implementing security operations in an input/output device
Enrico Schiattarella, Los Altos, CA (US); David Antony Clear, San Jose, CA (US); and Vipin Jain, San Jose, CA (US)
Assigned to Pensando Systems Inc., Milpitas, CA (US)
Filed by Pensando Systems Inc., Milpitas, CA (US)
Filed on Sep. 3, 2020, as Appl. No. 17/011,884.
Prior Publication US 2022/0067221 A1, Mar. 3, 2022
Int. Cl. G06F 21/85 (2013.01); G06F 21/60 (2013.01); H04L 9/08 (2006.01); G06F 1/00 (2006.01); H04L 9/32 (2006.01); H04L 9/40 (2022.01); G06F 21/31 (2013.01); G06F 13/42 (2006.01); G06F 9/455 (2018.01)
CPC G06F 21/85 (2013.01) [G06F 9/45533 (2013.01); G06F 13/4221 (2013.01); G06F 21/31 (2013.01); G06F 21/602 (2013.01); H04L 9/088 (2013.01); H04L 9/0897 (2013.01); H04L 9/3278 (2013.01); H04L 63/20 (2013.01); G06F 2213/0026 (2013.01)] 23 Claims
OG exemplary drawing
 
1. An integrated circuit device comprising:
an I/O port;
a host interface configured to be connected to a host, wherein the host interface comprises a Peripheral Component Interface express (PCIe) interface;
a data processing pipeline within the integrated circuit device coupled to the I/O port and to the PCIe interface to process and forward data between the I/O port and the PCIe interface; and
a hardware security module (HSM) within the integrated circuit device coupled to the PCIe interface and to the data processing pipeline, the HSM comprising a crypto engine configured to encrypt and decrypt data of the data processing pipeline, and a secure key storage coupled to the crypto engine and configured to contain encryption keys for use in encrypting and decrypting packets, wherein the secure key storage is configured to contain keys that are encrypted by the HSM and that are accessible through the HSM;
wherein the HSM further comprises a key usage interface coupled to the data processing pipeline, wherein the key usage interface is configured to be accessed by key users of the host through the PCIe interface to encrypt and decrypt data in the data processing pipeline and wherein the key usage interface is configured to authenticate and identify the key users based on functions of the PCIe interface that are invoked by the key users to access the data processing pipeline; and
wherein the key users are virtual machines and wherein the functions are virtual functions of the PCIe interface and wherein the virtual machines are authenticated based on presence on the PCIe interface and identified based on virtual functions invoked by the respective virtual machine.