Current processors may provide support for a trusted execution environment such as a secure enclave. Secure enclaves include segments of memory (including code and/or data) protected by the processor from unauthorized access including unauthorized reads and writes. In particular, certain processors may include Intel® Software Guard Extensions (SGX) to provide secure enclave support. In particular, SGX provides confidentiality, integrity, and replay-protection to the secure enclave data while the data is resident in the platform memory and thus provides protection against both software and hardware attacks. The on-chip boundary forms a natural security boundary, where data and code may be stored in plaintext and assumed to be secure. Intel® SGX does not protect I/O data that moves across the on-chip boundary.
Trusted I/O (TIO) technology enables an application to send and/or receive I/O data securely to/from a device. In addition to the hardware that produces or consumes the I/O data, several software and firmware components in the I/O pipeline might also process the data. HCTIO (Hardware Cryptography-based Trusted I/O) is a technology that provides cryptographic protection of DMA data via an inline Crypto Engine (CE) in the system-on-a-chip (SoC). Channel ID, an identifier, uniquely identifies a DMA channel on the platform, and the CE filters DMA traffic and encrypts select I/O transactions upon a match with the Channel ID programmed in the CE.
Computing devices using TIO technology may securely discover devices and controllers using a platform manifest. As described in U.S. Patent Application Publication No. 2017/0024570, a platform manifest may be bound to a computing device by including a unique identifier in the manifest while also permanently storing the identifier on the computing device, for example using a field programmable fuse (FPF) of the computing device.