公开(公告)号：US11436318B2

公开(公告)日：2022-09-06

申请号：US16905652

申请日：2020-06-18

Applicant: VMware, Inc.

Inventor： Ye Li ,  David Ott ,  Cyprien Laplace ,  Alexander Fainkichen ,  Shruthi Hiriyuru

IPC: G06F9/455 ,  G06F21/53 ,  G06F21/57 ,  G06F21/60 ,  H04L9/08 ,  H04L9/32

Abstract: System and method for performing a remote attestation for creation of a trusted execution environment (TEE) using a virtual secure enclave device running in a virtualized environment utilizes a trusted bootloader appliance in a TEE virtual computing instance, which is created in response to a request for a TEE from a software process running in the system. The trusted bootloader appliance manages the provisioning of a TEE in the TEE virtual computing instance for the software process. The remote attestation includes performing a first stage attestation on the trusted bootloader appliance by a hardware platform of the computer system and performing a second stage attestation on the provisioned TEE by the trusted bootloader appliance.

公开(公告)号：US12147530B2

公开(公告)日：2024-11-19

申请号：US17960738

申请日：2022-10-05

Applicant: VMware, Inc.

Inventor： Ye Li ,  Anoop Jaishankar ,  John Manferdelli ,  David Ott ,  Andrei Warkentin

IPC: G06F21/53 ,  G06F21/12 ,  G06F21/54

Abstract: The disclosure herein describes deploying a Virtual Secure Enclave (VSE) using a universal enclave binary and a Trusted Runtime (TR). A universal enclave binary is generated that includes a set of binaries of Instruction Set Architectures (ISAs) associated with Trusted Execution Environment (TEE) hardware backends. A TEE hardware backend is identified in association with a VSE-compatible device. A VSE that is compatible with the identified TEE hardware backend is generated on the VSE-compatible device and an ISA binary that matches the TEE hardware backend is selected from the universal enclave binary. The selected binary is linked to a runtime library of the TR and loads the linked binary into memory of the generated VSE. The execution of a trusted application is initiated in the generated VSE using a set of interfaces of the TR. The trusted application depends on the TR interfaces rather than the selected ISA binary.

公开(公告)号：US11513825B2

公开(公告)日：2022-11-29

申请号：US16671086

申请日：2019-10-31

Applicant: VMware, Inc.

Inventor： Ye Li ,  David Ott ,  Cyprien Laplace ,  Andrei Warkentin ,  Alexander Fainkichen

IPC: G06F9/54 ,  G06F9/455 ,  G06F9/30 ,  G06F13/42

Abstract: System and method for providing trusted execution environments uses a peripheral component interconnect (PCI) device of a computer system to receive and process commands to create and manage a trusted execution environment for a software process running in the computer system. The trusted execution environment created in the PCI device is then used to execute operations for the software process.

公开(公告)号：US11316879B2

公开(公告)日：2022-04-26

申请号：US16255551

申请日：2019-01-23

Applicant: VMware, Inc.

Inventor： David Ott ,  Lei Xu ,  Ruimin Sun ,  Vijay Ganti ,  Dennis R. Moreau

IPC: G06F9/455 ,  H04L29/06

Abstract: A computer-implemented method and system for protecting a host computer in a computer network from security threats uses local security-relevant data for the host computer, as well as global security-relevant data for other components in the computer network downloaded from a security information plane system to the host computer, to determine a security threat to the host computer. When a security threat is determined to be a legitimate threat, a security alert is issued, and then an action is initiated in response to the security alert.

公开(公告)号：US20240235846A1

公开(公告)日：2024-07-11

申请号：US18094431

申请日：2023-01-09

Applicant: VMware, Inc.

Inventor： Sean James Huntley ,  David Ott ,  Daniel Beveridge

IPC: H04L9/32

CPC classification number: H04L9/3247 ,  H04L9/3221

Abstract: Disclosed are various embodiments for binding the configuration state of client devices to the blockchain and utilizing the binding for managing cryptographic compliance. A management agent can send a request to a smart contract hosted by a blockchain network for a zero-knowledge proof (ZKP) of a configuration state for a computing device, the state including cryptographic policies. Cryptographic operations performed by the client device can be performed by complying with the policies stored on the blockchain network.

公开(公告)号：US11818278B2

公开(公告)日：2023-11-14

申请号：US17385633

申请日：2021-07-26

Applicant: VMware, Inc.

Inventor： Marc Wayne Brotherson ,  Mark Benson ,  Daniel James Beveridge ,  Sean Huntley ,  Akeem Jenkins ,  David Ott

IPC: H04L9/32 ,  H04L9/08 ,  H04L9/00

CPC classification number: H04L9/3268 ,  H04L9/0819 ,  H04L9/3236 ,  H04L9/50

Abstract: The disclosure provides an approach for certificate management for cryptographic agility. Embodiments include receiving, by a cryptographic agility system, a cryptographic request related to an application. Embodiments include selecting, by the cryptographic agility system, a cryptographic technique based on contextual information associated with the cryptographic request. Embodiments include determining, by the cryptographic agility system, based on the cryptographic request, a certificate for authenticating a key related to the cryptographic technique. Embodiments include providing, by the cryptographic agility system, the certificate to an endpoint related to the cryptographic request for use in authenticating the key.

公开(公告)号：US11178181B2

公开(公告)日：2021-11-16

申请号：US16228681

申请日：2018-12-20

Applicant: VMware, Inc.

Inventor： David Ott ,  Lei Xu ,  Dennis R. Moreau

IPC: H04L29/06 ,  H04L29/08 ,  H04L12/26 ,  G06N20/00 ,  G06F9/455

Abstract: System and method for managing security-relevant information in a computer network uses a security information plane (SIP) manager to which different types of security-relevant data are uploaded from components in the computer network and from which networkwide aggregated security information produced from the security-relevant data is download to a global security controller. The downloaded networkwide aggregated security information is used by the global security controller to control security applications running in the computer network.

公开(公告)号：US12166907B2

公开(公告)日：2024-12-10

申请号：US18360019

申请日：2023-07-27

Applicant: VMware, Inc.

Inventor： Marc Wayne Brotherson ,  Mark Benson ,  Daniel James Beveridge ,  Sean Huntley ,  Akeem Jenkins ,  David Ott

IPC: H04L9/32 ,  H04L9/08 ,  H04L9/00

Abstract: The disclosure provides an approach for certificate management for cryptographic agility. Embodiments include receiving, by a cryptographic agility system, a cryptographic request related to an application. Embodiments include selecting, by the cryptographic agility system, a cryptographic technique based on contextual information associated with the cryptographic request. Embodiments include determining, by the cryptographic agility system, based on the cryptographic request, a certificate for authenticating a key related to the cryptographic technique. Embodiments include providing, by the cryptographic agility system, the certificate to an endpoint related to the cryptographic request for use in authenticating the key.

公开(公告)号：US20240259391A1

公开(公告)日：2024-08-01

申请号：US18101616

申请日：2023-01-26

Applicant: VMware, Inc.

Inventor： Daniel Beveridge ,  Sean James Huntley ,  David Ott

IPC: H04L9/40 ,  H04L9/32

CPC classification number: H04L63/107 ,  H04L9/3218 ,  H04L63/20

Abstract: Disclosed are various embodiments for binding the configuration state of client devices to the blockchain and utilizing the binding for managing compliance. A management agent can send a request to a smart contract hosted by a blockchain network for a configuration state for a computing device, the state including data sovereignty and governance policies of the computing device. The management agent can update the configuration of the computing device based upon the configuration state obtained from the blockchain network.

公开(公告)号：US11954198B2

公开(公告)日：2024-04-09

申请号：US16671106

申请日：2019-10-31

Applicant: VMware, Inc.

Inventor： Ye Li ,  David Ott ,  Cyprien Laplace ,  Andrei Warkentin ,  Regis Duchesne

IPC: G06F21/53 ,  G06F9/455 ,  G06F21/60

CPC classification number: G06F21/53 ,  G06F9/45558 ,  G06F21/604 ,  G06F2009/45591 ,  G06F2221/033

Abstract: System and method for creating and managing trusted execution environments (TEEs) using different underlying hardware TEE mechanisms use a virtual secure enclave device which runs in a virtualized environment in a computer system. The device enables an enclave command transmitted to the virtual secure enclave device to be retrieved and parsed to extract an enclave operation to be executed. A TEE backend module is used to interact with a particular hardware TEE mechanism among those available in the computer system. The module ensures the enclave operation for the software process is executed by the particular hardware TEE mechanism, or the TEE scheme based on a particular hardware TEE mechanism.