公开(公告)号：US20120297200A1

公开(公告)日：2012-11-22

申请号：US13109685

申请日：2011-05-17

申请人： Stefan Thom ,  Robert Karl Spiger ,  Valerie Kathleen Bays ,  Bo Gustaf Magnus Nyström

发明人： Stefan Thom ,  Robert Karl Spiger ,  Valerie Kathleen Bays ,  Bo Gustaf Magnus Nyström

IPC分类号： G06F12/14

CPC分类号： G06F21/57 ,  G06F21/602 ,  G06F21/6209 ,  H04L2209/127

摘要： One or more techniques and/or systems are provided for provisioning encrypted key blobs and client certificates. That is, a trusted execution environment on a first machine may provide a key service provider with a cryptographic encryption key. The key service provider may encrypt a key blob using the cryptographic encryption key and/or wrap the encrypted key blob with one or more policies, such as a platform policy. The key service provider may provision the encrypted key blob to a client on the first machine. The client may submit the encrypted key blob to the trusted execution environment for validation so that the client may perform key actions, such as sign an email or encrypt data. Because the key blob may be specific to a particular trusted execution environment and/or machine, the key service provider may re-wrap the key blob if the client “roams” to a second machine.

摘要翻译： 提供一个或多个技术和/或系统用于供应加密的密钥块和客户端证书。 也就是说，第一机器上的受信任执行环境可以向密钥服务提供商提供密码加密密钥。 密钥服务提供商可以使用密码加密密钥来加密密钥块，和/或使用一个或多个策略（例如平台策略）来包裹加密的密钥块。 密钥服务提供商可以将加密的密钥blob提供给第一台机器上的客户端。 客户端可以将加密的密钥blob提交到可信执行环境进行验证，以便客户端可以执行关键操作，例如签署电子邮件或加密数据。 由于密钥blob可能是特定的可信任的执行环境和/或机器，所以如果客户端漫游到第二台机器，则密钥服务提供商可以重新包装密钥块。

公开(公告)号：US09690941B2

公开(公告)日：2017-06-27

申请号：US13109685

申请日：2011-05-17

申请人： Stefan Thom ,  Robert Karl Spiger ,  Valerie Kathleen Bays ,  Bo Gustaf Magnus Nyström

发明人： Stefan Thom ,  Robert Karl Spiger ,  Valerie Kathleen Bays ,  Bo Gustaf Magnus Nyström

IPC分类号： G06F21/57 ,  G06F21/62 ,  G06F21/60

CPC分类号： G06F21/57 ,  G06F21/602 ,  G06F21/6209 ,  H04L2209/127

摘要： One or more techniques and/or systems are provided for provisioning encrypted key blobs and client certificates. That is, a trusted execution environment on a first machine may provide a key service provider with a cryptographic encryption key. The key service provider may encrypt a key blob using the cryptographic encryption key and/or wrap the encrypted key blob with one or more policies, such as a platform policy. The key service provider may provision the encrypted key blob to a client on the first machine. The client may submit the encrypted key blob to the trusted execution environment for validation so that the client may perform key actions, such as sign an email or encrypt data. Because the key blob may be specific to a particular trusted execution environment and/or machine, the key service provider may re-wrap the key blob if the client “roams” to a second machine.

公开(公告)号：US08627464B2

公开(公告)日：2014-01-07

申请号：US12938363

申请日：2010-11-02

申请人： Stefan Thom ,  Nathan Ide ,  Scott Danie Anderson ,  Robert Karl Spiger ,  David J. Linsley ,  Mark Fishel Novak ,  Magnus Nyström

发明人： Stefan Thom ,  Nathan Ide ,  Scott Danie Anderson ,  Robert Karl Spiger ,  David J. Linsley ,  Mark Fishel Novak ,  Magnus Nyström

IPC分类号： G06F12/14

CPC分类号： G06F21/57 ,  G06F2221/2101 ,  H04L9/0897

摘要： An event log can comprise, not only entries associated with components instantiated since a most recent power on of a computing device, but also entries of components instantiated prior to that power on, such as components that were instantiated, and represent, a state of the computing device prior to hibernation that has now been resumed. Upon hibernation, the current values of the Platform Configuration Registers (PCRs) of a Trusted Platform Module (trusted execution environment), as well as a quote of those current values, and a current value of a monotonic counter of the trusted execution environment can be logged. The monotonic counter can be incremented at each power on to track successive generations of the computing device and to guard against an intervening, not-logged generation. A subsequent parsing of the event log can verify the prior generational entries with reference to the PCR values in the log that are associated with those generations.

摘要翻译： 事件日志不仅可以包括与计算设备的最近上电后实例化的组件相关联的条目，而且还可以包括在该上电之前实例化的组件的条目，诸如被实例化的组件，并且表示 休眠前的计算设备现在已经恢复。 休眠后，可信平台模块（可信执行环境）的平台配置寄存器（PCR）的当前值以及当前值的引用以及可信执行环境的单调计数器的当前值可以是 记录。 在每次打开电源时，单调计数器可以递增，以跟踪计算设备的连续几代，并防止中间，未记录的一代。 事件日志的后续解析可以参考日志中与这些世代相关联的PCR值来验证先前的生成条目。

公开(公告)号：US08417962B2

公开(公告)日：2013-04-09

申请号：US12813955

申请日：2010-06-11

申请人： Mark F. Novak ,  Robert Karl Spiger ,  Stefan Thom ,  David J. Linsley ,  Scott A. Field ,  Anil Francis Thomas

发明人： Mark F. Novak ,  Robert Karl Spiger ,  Stefan Thom ,  David J. Linsley ,  Scott A. Field ,  Anil Francis Thomas

IPC分类号： G06F11/30 ,  G06F12/14

CPC分类号： G06F21/575

摘要： Booting a computing device includes executing one or more firmware components followed by a boot loader component. A protection component for the computing device, such as an anti-malware program, is identified and executed as an initial component after executing the boot loader component. One or more boot components are also executed, these one or more boot components including only boot components that have been approved by the protection component. A list of boot components that have been previously approved by the protection component can also be maintained in a tamper-proof manner.

公开(公告)号：US20110307711A1

公开(公告)日：2011-12-15

申请号：US12813955

申请日：2010-06-11

申请人： Mark F. Novak ,  Robert Karl Spiger ,  Stefan Thom ,  David J. Linsley ,  Scott A. Field ,  Anil Francis Thomas

发明人： Mark F. Novak ,  Robert Karl Spiger ,  Stefan Thom ,  David J. Linsley ,  Scott A. Field ,  Anil Francis Thomas

IPC分类号： G06F21/00 ,  G06F12/14 ,  G06F15/177

CPC分类号： G06F21/575

摘要： Booting a computing device includes executing one or more firmware components followed by a boot loader component. A protection component for the computing device, such as an anti-malware program, is identified and executed as an initial component after executing the boot loader component. One or more boot components are also executed, these one or more boot components including only boot components that have been approved by the protection component. A list of boot components that have been previously approved by the protection component can also be maintained in a tamper-proof manner.

摘要翻译： 启动计算设备包括执行一个或多个固件组件，后跟引导加载程序组件。 在执行引导加载程序组件之后，识别并执行诸如反恶意软件程序之类的计算设备的保护组件作为初始组件。 还执行一个或多个引导组件，这些一个或多个引导组件仅包括被保护组件批准的引导组件。 先前已被保护组件批准的引导组件列表也可以以防篡改的方式进行维护。

公开(公告)号：US08924737B2

公开(公告)日：2014-12-30

申请号：US13218029

申请日：2011-08-25

申请人： Stefan Thom ,  Robert Karl Spiger ,  Magnus Bo Gustaf Nyström ,  David R. Wooten

发明人： Stefan Thom ,  Robert Karl Spiger ,  Magnus Bo Gustaf Nyström ,  David R. Wooten

IPC分类号： G06F21/60 ,  G06F21/62 ,  G06F21/57

CPC分类号： G06F21/575 ,  G06F21/602 ,  G06F21/73

摘要： In accordance with one or more aspects, a representation of a configuration of a firmware environment of a device is generated. A secret of the device is obtained, and a platform secret is generated based on both the firmware environment configuration representation and the secret of the device. One or more keys can be generated based on the platform secret.

摘要翻译： 根据一个或多个方面，生成设备的固件环境的配置的表示。 获得设备的秘密，并且基于固件环境配置表示和设备的秘密生成平台秘密。 可以基于平台秘密生成一个或多个密钥。

公开(公告)号：US20130054946A1

公开(公告)日：2013-02-28

申请号：US13218029

申请日：2011-08-25

申请人： Stefan Thom ,  Robert Karl Spiger ,  Magnus Bo Gustaf Nyström ,  David R. Wooten

发明人： Stefan Thom ,  Robert Karl Spiger ,  Magnus Bo Gustaf Nyström ,  David R. Wooten

IPC分类号： G06F21/22 ,  G06F9/06

CPC分类号： G06F21/575 ,  G06F21/602 ,  G06F21/73

摘要： In accordance with one or more aspects, a representation of a configuration of a firmware environment of a device is generated. A secret of the device is obtained, and a platform secret is generated based on both the firmware environment configuration representation and the secret of the device. One or more keys can be generated based on the platform secret.

摘要翻译： 根据一个或多个方面，生成设备的固件环境的配置的表示。 获得设备的秘密，并且基于固件环境配置表示和设备的秘密生成平台秘密。 可以基于平台秘密生成一个或多个密钥。

公开(公告)号：US20120110644A1

公开(公告)日：2012-05-03

申请号：US12938363

申请日：2010-11-02

申请人： Stefan Thom ,  Nathan Ide ,  Scott Daniel Anderson ,  Robert Karl Spiger ,  David J. Linsley ,  Mark Fishel Novak ,  Magnus Nyström

发明人： Stefan Thom ,  Nathan Ide ,  Scott Daniel Anderson ,  Robert Karl Spiger ,  David J. Linsley ,  Mark Fishel Novak ,  Magnus Nyström

IPC分类号： H04L9/32 ,  G06F15/16 ,  G06F21/00

CPC分类号： G06F21/57 ,  G06F2221/2101 ,  H04L9/0897

摘要： An event log can comprise, not only entries associated with components instantiated since a most recent power on of a computing device, but also entries of components instantiated prior to that power on, such as components that were instantiated, and represent, a state of the computing device prior to hibernation that has now been resumed. Upon hibernation, the current values of the Platform Configuration Registers (PCRs) of a Trusted Platform Module (trusted execution environment), as well as a quote of those current values, and a current value of a monotonic counter of the trusted execution environment can be logged. The monotonic counter can be incremented at each power on to track successive generations of the computing device and to guard against an intervening, not-logged generation. A subsequent parsing of the event log can verify the prior generational entries with reference to the PCR values in the log that are associated with those generations.

摘要翻译： 事件日志不仅可以包括与计算设备的最近上电后实例化的组件相关联的条目，而且还可以包括在该上电之前实例化的组件的条目，诸如被实例化的组件，并且表示 休眠前的计算设备现在已经恢复。 休眠后，可信平台模块（可信执行环境）的平台配置寄存器（PCR）的当前值以及当前值的引用以及可信执行环境的单调计数器的当前值可以是 记录。 在每次打开电源时，单调计数器可以递增，以跟踪计算设备的连续几代，并防止中间，未记录的一代。 事件日志的后续解析可以参考日志中与这些世代相关联的PCR值来验证先前的生成条目。

公开(公告)号：US09256745B2

公开(公告)日：2016-02-09

申请号：US13037962

申请日：2011-03-01

申请人： Scott D. Anderson ,  David J. Linsley ,  Magnus Bo Gustaf Nyström ,  Douglas M. MacIver ,  Robert Karl Spiger

发明人： Scott D. Anderson ,  David J. Linsley ,  Magnus Bo Gustaf Nyström ,  Douglas M. MacIver ,  Robert Karl Spiger

IPC分类号： G06F9/00 ,  G06F15/177 ,  G06F21/57

CPC分类号： G06F21/575

摘要： In a pre-operating system environment on a device prior to loading and running an operating system on the device, a policy identifying configuration settings for the operating system is obtained. The operating system itself is prevented from changing this policy, but the policy can be changed under certain circumstances by components of the pre-operating system environment. The policy is compared to configuration values used by the operating system, and the operating system is allowed to boot with the configuration values if the configuration values satisfy the policy. However, if the configuration values do not satisfy the policy, then a responsive action is taken.

公开(公告)号：US20120226895A1

公开(公告)日：2012-09-06

申请号：US13037962

申请日：2011-03-01

申请人： Scott D. Anderson ,  David J. Linsley ,  Magnus Bo Gustaf Nyström ,  Douglas M. MacIver ,  Robert Karl Spiger

发明人： Scott D. Anderson ,  David J. Linsley ,  Magnus Bo Gustaf Nyström ,  Douglas M. MacIver ,  Robert Karl Spiger

IPC分类号： G06F9/00

CPC分类号： G06F21/575

摘要： In a pre-operating system environment on a device prior to loading and running an operating system on the device, a policy identifying configuration settings for the operating system is obtained. The operating system itself is prevented from changing this policy, but the policy can be changed under certain circumstances by components of the pre-operating system environment. The policy is compared to configuration values used by the operating system, and the operating system is allowed to boot with the configuration values if the configuration values satisfy the policy. However, if the configuration values do not satisfy the policy, then a responsive action is taken.

摘要翻译： 在装置上装载和运行操作系统之前的设备上的预操作系统环境中，获得识别操作系统的配置设置的策略。 操作系统本身被阻止更改此策略，但在特定情况下可以通过操作前系统环境的组件来更改策略。 该策略与操作系统使用的配置值进行比较，如果配置值满足策略，则允许操作系统使用配置值进行引导。 但是，如果配置值不符合策略，则执行响应动作。