公开(公告)号：US08086839B2

公开(公告)日：2011-12-27

申请号：US12346532

申请日：2008-12-30

Applicant: Jiewen Yao ,  Ned McArthur Smith ,  Vincent J. Zimmer ,  Qin Long

Inventor： Jiewen Yao ,  Ned McArthur Smith ,  Vincent J. Zimmer ,  Qin Long

IPC: G06F9/00 ,  G06F21/00 ,  G06F1/26 ,  H04L9/32

CPC classification number: G06F9/4418 ,  G06F9/44 ,  G06F21/575

Abstract: Methods and systems to perform an authentication operation after resuming from a sleep state are presented. In one embodiment, a method includes starting a boot process from a sleep state. The method further includes providing platform services to support an authentication operation as part of the boot process and determining whether to complete the boot process based at least on results of the authentication operation.

Abstract translation: 呈现从休眠状态恢复后执行认证操作的方法和系统。 在一个实施例中，一种方法包括从睡眠状态开始引导过程。 该方法还包括提供平台服务以支持作为引导过程的一部分的认证操作，并且至少基于认证操作的结果来确定是否完成引导过程。

公开(公告)号：US07827371B2

公开(公告)日：2010-11-02

申请号：US11897355

申请日：2007-08-30

Applicant: Jiewen Yao ,  Vincent J. Zimmer ,  Qin Long ,  Liang Cui

Inventor： Jiewen Yao ,  Vincent J. Zimmer ,  Qin Long ,  Liang Cui

IPC: G06F12/00

CPC classification number: G06F21/54 ,  G06F9/45558 ,  G06F12/1491 ,  G06F2009/45583 ,  G06F2221/2141 ,  G06F2221/2149

Abstract: In one embodiment, the present invention includes a method for determining if an isolation driver is present and a processor supports virtualization, launching the isolation driver in a first privilege level different than a system privilege level and user privilege level, creating a 1:1 virtual mapping between a virtual address and a physical address, using the isolation driver, and controlling access to a memory page using the isolation driver. Other embodiments are described and claimed.

Abstract translation: 在一个实施例中，本发明包括一种用于确定是否存在隔离驱动器并且处理器支持虚拟化的方法，以与系统特权级别和用户权限级别不同的第一特权级别启动隔离驱动程序，创建1：1虚拟 使用隔离驱动程序在虚拟地址和物理地址之间进行映射，并使用隔离驱动程序控制对内存页的访问。 描述和要求保护其他实施例。

公开(公告)号：US20100083002A1

公开(公告)日：2010-04-01

申请号：US12242655

申请日：2008-09-30

Applicant: Liang Cui ,  Qin LONG ,  Vincent J. Zimmer ,  Jiewen Yao

Inventor： Liang Cui ,  Qin LONG ,  Vincent J. Zimmer ,  Jiewen Yao

IPC: G06F21/22

CPC classification number: G06F21/575

Abstract: A method and computing device for secure booting of unified extensible firmware interface executables includes generating a platform private key, signing a third party credential, storing the signed third party credential in a database located in a trusted platform module, and executing a unified extensible firmware interface executable only if an associated signed third party credential is stored in the trusted platform module.

Abstract translation: 用于安全引导统一的可扩展固件接口可执行程序的方法和计算设备包括生成平台私钥，签名第三方凭证，将签名的第三方凭证存储在位于可信平台模块中的数据库中，以及执行统一的可扩展固件接口 只有在相关的签名的第三方凭据存储在可信平台模块中才可执行。

公开(公告)号：US08694761B2

公开(公告)日：2014-04-08

申请号：US12347834

申请日：2008-12-31

Applicant: Vincent Zimmer ,  Mohan Kumar ,  Mahesh Natu ,  Jiewen Yao ,  Qin Long ,  Liang Cui

Inventor： Vincent Zimmer ,  Mohan Kumar ,  Mahesh Natu ,  Jiewen Yao ,  Qin Long ,  Liang Cui

IPC: G06F9/00

CPC classification number: G06F21/575

Abstract: In some embodiments, the invention involves using a policy engine during boot, in the driver execution environment (DXE) phases to authenticate that drivers and executable images to be loaded are authenticated. Images to be authenticated include the operating system (OS) loader. The policy engine utilizes a certificate database to hold valid certificates for third party images, according to platform policy. Images that are not authenticated are not loaded at boot time. Other embodiments are described and claimed.

Abstract translation: 在一些实施例中，本发明涉及在引导期间在驱动程序执行环境（DXE）阶段中使用策略引擎来认证要加载的驱动程序和可执行映像被认证。 要认证的图像包括操作系统（OS）加载程序。 根据平台策略，策略引擎使用证书数据库来保存第三方映像的有效证书。 未通过身份验证的图像在引导时未加载。 描述和要求保护其他实施例。

公开(公告)号：US20100169633A1

公开(公告)日：2010-07-01

申请号：US12347834

申请日：2008-12-31

Applicant: Vincent Zimmer ,  Mohan Kumar ,  Mahesh Natu ,  Jiewen Yao ,  Qin Long ,  Liang Cui

Inventor： Vincent Zimmer ,  Mohan Kumar ,  Mahesh Natu ,  Jiewen Yao ,  Qin Long ,  Liang Cui

IPC: G06F9/00 ,  G06F12/14

CPC classification number: G06F21/575

Abstract: In some embodiments, the invention involves using a policy engine during boot, in the driver execution environment (DXE) phases to authenticate that drivers and executable images to be loaded are authenticated. Images to be authenticated include the operating system (OS) loader. The policy engine utilizes a certificate database to hold valid certificates for third party images, according to platform policy. Images that are not authenticated are not loaded at boot time. Other embodiments are described and claimed.

Abstract translation: 在一些实施例中，本发明涉及在引导期间在驱动程序执行环境（DXE）阶段中使用策略引擎来认证要加载的驱动程序和可执行映像被认证。 要认证的图像包括操作系统（OS）加载程序。 根据平台策略，策略引擎使用证书数据库来保存第三方映像的有效证书。 未通过身份验证的图像在引导时未加载。 描述和要求保护其他实施例。

公开(公告)号：US20100169631A1

公开(公告)日：2010-07-01

申请号：US12346532

申请日：2008-12-30

Applicant: Jiewen Yao ,  Ned McArthur Smith ,  Vincent J. Zimmer ,  Qin Long

Inventor： Jiewen Yao ,  Ned McArthur Smith ,  Vincent J. Zimmer ,  Qin Long

IPC: G06F15/177 ,  G06F1/32

CPC classification number: G06F9/4418 ,  G06F9/44 ,  G06F21/575

Abstract: Methods and systems to perform an authentication operation after resuming from a sleep state are presented. In one embodiment, a method includes starting a boot process from a sleep state. The method further includes providing platform services to support an authentication operation as part of the boot process and determining whether to complete the boot process based at least on results of the authentication operation.

Abstract translation: 呈现从休眠状态恢复后执行认证操作的方法和系统。 在一个实施例中，一种方法包括从睡眠状态开始引导过程。 该方法还包括提供平台服务以支持作为引导过程的一部分的认证操作，并且至少基于认证操作的结果来确定是否完成引导过程。

公开(公告)号：US20090063835A1

公开(公告)日：2009-03-05

申请号：US11897355

申请日：2007-08-30

Applicant: Jiewen Yao ,  Vincent J. Zimmer ,  Qin Long ,  Liang Cui

Inventor： Jiewen Yao ,  Vincent J. Zimmer ,  Qin Long ,  Liang Cui

IPC: G06F15/177

CPC classification number: G06F21/54 ,  G06F9/45558 ,  G06F12/1491 ,  G06F2009/45583 ,  G06F2221/2141 ,  G06F2221/2149

Abstract: In one embodiment, the present invention includes a method for determining if an isolation driver is present and a processor supports virtualization, launching the isolation driver in a first privilege level different than a system privilege level and user privilege level, creating a 1:1 virtual mapping between a virtual address and a physical address, using the isolation driver, and controlling access to a memory page using the isolation driver. Other embodiments are described and claimed.

Abstract translation: 在一个实施例中，本发明包括一种用于确定是否存在隔离驱动器并且处理器支持虚拟化的方法，以与系统特权级别和用户权限级别不同的第一特权级别启动隔离驱动程序，创建1：1虚拟 使用隔离驱动程序在虚拟地址和物理地址之间进行映射，并使用隔离驱动程序控制对内存页的访问。 描述和要求保护其他实施例。

公开(公告)号：US20080120499A1

公开(公告)日：2008-05-22

申请号：US11601321

申请日：2006-11-16

Applicant: Vincent J. Zimmer ,  Qin Long

Inventor： Vincent J. Zimmer ,  Qin Long

IPC: G06F21/22 ,  G06F9/00

CPC classification number: G06F21/575 ,  G06F21/52

Abstract: A data processing system supports a virtualization enabled (VE) operating mode. An operating system (OS) is launched during a boot process. However, a trap agent is launched before the OS is launched. The trap agent may intercept an attempt to transition the data processing system to virtual machine (VM) operating mode. In response to intercepting the attempt to transition the data processing system to VM operating mode, the trap agent may automatically determine whether the program that requested the transition is an authorized program. If the program is not authorized, the trap agent may prevent the program from transitioning the data processing system to VM operating mode. In one embodiment, the trap agent is launched before the data processing system selects a boot device. In another embodiment, the trap agent is launched before executing any code from any third-party option ROMs. Other embodiments are described and claimed.

Abstract translation: 数据处理系统支持虚拟化使能（VE）操作模式。 在启动过程中启动操作系统（OS）。 但是，在启动操作系统之前启动了陷阱代理。 陷阱代理可以拦截将数据处理系统转换到虚拟机（VM）操作模式的尝试。 响应于拦截将数据处理系统转换到VM操作模式的尝试，陷阱代理可以自动确定请求转换的程序是否是授权程序。 如果程序未被授权，则陷阱代理可能会阻止程序将数据处理系统转换到VM操作模式。 在一个实施例中，在数据处理系统选择引导设备之前启动陷阱代理。 在另一个实施例中，在从任何第三方选项ROM执行任何代码之前启动陷阱代理。 描述和要求保护其他实施例。