Invoking externally assisted calls from an isolated environment
    11.
    Granted patent, in force

    Publication number: US07934063B2

    Publication date: 2011-04-26

    Application number: US11693406

    Filing date: 2007-03-29

    IPC classification: G06F13/28

    CPC classification: G06F9/544

    Abstract: A method of invoking Power processor element (PPE)-serviced C library functions on a synergistic processing element (SPE) running in isolated mode. When the SPE initiates a PPE-serviced function, an SPE stub routine allocates a parameter buffer in the open area of the local store (LS) memory within the SPE. The LS memory includes an open area accessible to the PPE and an isolated area inaccessible to the PPE. The SPE stub routine copies the parameters of the PPE-serviced function into the buffer in the open area and writes a message word, containing an identifier of the PPE-serviced function and the location of the parameters, to the open area. When execution on the SPE is temporarily suspended, the PPE reads the message word from the open area of the LS memory and executes the PPE-serviced function.


    System and method for protecting data in a secure system
    12.
    Granted patent, in force

    Publication number: US07860246B2

    Publication date: 2010-12-28

    Application number: US11555605

    Filing date: 2006-11-01

    IPC classification: H04L9/00 H04N7/167

    Abstract: A system for protecting data in a secure system generates and encodes a backup key that is used to encode long-lived secrets. The system generates a distribution plan for handing cryptographic splits of the encoded backup key to selected persons chosen for geographic and organizational diversity. The distribution plan specifies the number M of cryptographic splits to be generated and the number N of splits required to recover the backup key. System processes use an init file, which holds system parameters, and state files, each of which holds parameters reflecting the state of the secure system after a transaction. Any of the state files may be used by any of the system processes. The state files and the init file are encoded with the backup key, which protects the long-lived secrets.


    Support for Multiple Security Policies on a Unified Authentication Architecture
    13.
    Patent application, in force

    Publication number: US20090086974A1

    Publication date: 2009-04-02

    Application number: US11866020

    Filing date: 2007-10-02

    IPC classification: H04L9/30 H04L9/32

    Abstract: A method, computer program product, and data processing system are disclosed for ensuring that applications executed in the data processing system originate only from trusted sources. In a preferred embodiment, a secure operating kernel maintains a "key ring" containing keys that correspond to trusted software vendors. The secure kernel uses the vendor keys to verify that a given application was signed by an approved vendor. So that independent developers can develop software for the platform described, a "global key pair" is provided in which both the public and the private key are publicly known, so that anyone may sign an application with the global key. Such an application may be allowed to execute by including the global key pair's public key in the key ring as a "vendor key" or, conversely, disallowed by excluding the global public key from the key ring.


    Updateable secure kernel extensions
    14.
    Granted patent, in force

    Publication number: US08332635B2

    Publication date: 2012-12-11

    Application number: US11754658

    Filing date: 2007-05-29

    Abstract: A method, computer program product, and data processing system provide an updateable encrypted operating kernel. Secure initialization hardware decrypts a minimal secure kernel, containing the sensitive portions of data and/or code, into a portion of the processor-accessible memory space, from which the kernel executes. Most system software functions are not supported directly by the secure kernel but are provided by dynamically loaded kernel extensions, which are encrypted with a public key so that they can be decrypted only with the private key held by the secure kernel. The public/private key pair is processor-specific. Before passing control to a kernel extension, the secure kernel deletes a subset of its sensitive portions, retaining only those needed to perform the task(s) delegated to the extension. Which sensitive portions are retained is determined by the cryptographic key with which the kernel extension is signed.
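The hand-off the abstract describes, modelled as an added example (not code from the patent): before control passes to a kernel extension, the secure kernel keeps only the sensitive portions that the extension's signing key entitles it to and wipes the rest. The portion names, the two signing-key identifiers, the retention table and the two extensions are assumptions made here; verification of the extension's signature and its decryption under the processor-specific private key are taken as already done and are not modelled.

```python
"""Least-privilege hand-off from a secure kernel to a signed kernel extension.

Added example; not the patent's code. Portion names, signer ids, the RETAIN
table and the sample extensions are assumptions. Signature verification and
decryption of the extension under the processor-specific key are assumed to
have succeeded before delegate() is called.
"""
import hashlib
import hmac

RETAIN = {  # signing key id -> sensitive portions that stay resident for extensions it signs
    "storage-vendor-key": {"disk_key"},
    "network-vendor-key": {"tls_key", "device_cert"},
}


class SecureKernel:
    def __init__(self, sensitive):
        # bytearrays so that each portion can be overwritten in place before it is dropped
        self.sensitive = {name: bytearray(v) for name, v in sensitive.items()}
        self.audit = []

    def delegate(self, extension, signer_id):
        """Drop everything the signer is not entitled to, then run the extension on the rest.
        The retained set is chosen by the signing key, never by a request inside the extension."""
        keep = RETAIN.get(signer_id, set())      # unknown signer: nothing is retained
        for name in list(self.sensitive):
            if name not in keep:
                buf = self.sensitive.pop(name)
                buf[:] = bytes(len(buf))         # zeroise (best effort; CPython may hold copies)
                self.audit.append(("dropped", name))
        view = {name: bytes(v) for name, v in self.sensitive.items()}   # read-only snapshot
        return extension(view)


def storage_extension(view):
    """Needs only disk_key: derives a per-volume key from it."""
    if "disk_key" not in view:
        return None
    return hmac.new(view["disk_key"], b"volume-0", hashlib.sha256).hexdigest()[:16]


def network_extension(view):
    """Needs tls_key and device_cert and must never be able to see disk_key."""
    if "tls_key" not in view or "device_cert" not in view:
        return None
    return ("has_disk_key", "disk_key" in view)


# constructed sample of the kernel's sensitive portions
SAMPLE = {"disk_key": b"\x11" * 32, "tls_key": b"\x22" * 32, "device_cert": b"constructed cert"}


def run(signer_id, extension, sensitive=SAMPLE):
    """Fresh kernel image per run; returns the extension's result and what stayed resident."""
    kernel = SecureKernel(sensitive)
    result = kernel.delegate(extension, signer_id)
    return result, sorted(kernel.sensitive)
```

The point worth keeping from this model is that the decision is keyed on the signer, so an extension cannot widen its own view by asking for more, and an extension signed by an unknown key runs with nothing. The abstract does not say how the dropped portions come back after the extension returns; in this model they do not, and the kernel would have to be re-entered through secure initialization.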


    Support for multiple security policies on a unified authentication architecture
    15.
    Granted patent, in force

    Publication number: US08166304B2

    Publication date: 2012-04-24

    Application number: US11866020

    Filing date: 2007-10-02

    IPC classification: G06F21/00

    Abstract: A method, computer program product, and data processing system are disclosed for ensuring that applications executed in the data processing system originate only from trusted sources. In a preferred embodiment, a secure operating kernel maintains a "key ring" containing keys that correspond to trusted software vendors. The secure kernel uses the vendor keys to verify that a given application was signed by an approved vendor. So that independent developers can develop software for the platform described, a "global key pair" is provided in which both the public and the private key are publicly known, so that anyone may sign an application with the global key. Such an application may be allowed to execute by including the global key pair's public key in the key ring as a "vendor key" or, conversely, disallowed by excluding the global public key from the key ring.


    SYSTEM AND METHOD FOR PROTECTING DATA IN A SECURE SYSTEM
    16.
    Patent application, in force

    Publication number: US20090323970A1

    Publication date: 2009-12-31

    Application number: US12133658

    Filing date: 2008-06-05

    IPC classification: H04L9/08 H04L9/14 G06F11/07

    Abstract: A system for protecting data in a secure system generates and encodes a backup key that is used to encode long-lived secrets. The system generates a distribution plan for handing cryptographic splits of the encoded backup key to selected persons chosen for geographic and organizational diversity. The distribution plan specifies the number M of cryptographic splits to be generated and the number N of splits required to recover the backup key. System processes use an init file, which holds system parameters, and state files, each of which holds parameters reflecting the state of the secure system after a transaction. Any of the state files may be used by any of the system processes. The state files and the init file are encoded with the backup key, which protects the long-lived secrets.
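The M-of-N custody scheme in this abstract and in entry 12 (the granted version of the same idea), as an added example that is not the patents' code. The splitting is Shamir secret sharing over GF(2^8), which the abstracts do not specify, and the custodians, sites and organisations are constructed sample data; the diversity rule enforced by plan_distribution (no single site or organisation may hold N or more splits) is this example's reading of "geographic and organizational diversity".

```python
"""M-of-N custody of a backup key: M splits are issued, any N of them recover it.

Added example, not the patents' code. Shamir secret sharing over GF(2^8) is
used (the patents name no scheme); holders, sites and organisations below are
constructed sample data.
"""
import os
from collections import Counter


def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p


def gf_inv(a):
    """a^254 == a^-1 in GF(2^8), by square-and-multiply."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def split(secret, m, n, rand=os.urandom):
    """Issue m shares (x, ys) of `secret`; any n reconstruct it. `rand` must be a
    CSPRNG: the random coefficients are what keeps the key from any N-1 holders."""
    if not 1 <= n <= m <= 255:
        raise ValueError("need 1 <= N <= M <= 255")
    coeffs = [rand(n - 1) for _ in secret]      # a_1..a_{n-1} of each byte's polynomial
    shares = []
    for x in range(1, m + 1):
        ys = bytearray()
        for s, c in zip(secret, coeffs):
            y, xp = s, 1
            for a in c:
                xp = gf_mul(xp, x)
                y ^= gf_mul(a, xp)
            ys.append(y)
        shares.append((x, bytes(ys)))
    return shares


def recover(shares):
    """Lagrange interpolation at x = 0. Fewer than N shares yield an unrelated value, not an error."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    out = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for xj, yj in shares:
            num = den = 1
            for xk, _ in shares:
                if xk != xj:
                    num = gf_mul(num, xk)        # (0 - x_k) is x_k in characteristic 2
                    den = gf_mul(den, xj ^ xk)   # (x_j - x_k)
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


def plan_distribution(holders, shares, n):
    """One share per holder, under the diversity rule: no single site and no single
    organisation may hold N or more shares, so recovery always needs cooperation
    across locations and organisations."""
    if len(holders) != len(shares):
        raise ValueError("one share per holder")
    for key in ("site", "org"):
        group, count = Counter(h[key] for h in holders).most_common(1)[0]
        if count >= n:
            raise ValueError(f"{key} {group!r} would hold {count} shares; threshold is {n}")
    return {h["name"]: s for h, s in zip(holders, shares)}


HOLDERS = [  # constructed plan: M = 5 custodians, N = 3 needed to recover
    {"name": "holder-1", "site": "Dublin", "org": "operations"},
    {"name": "holder-2", "site": "Dublin", "org": "security"},
    {"name": "holder-3", "site": "Singapore", "org": "operations"},
    {"name": "holder-4", "site": "Singapore", "org": "security"},
    {"name": "holder-5", "site": "Denver", "org": "finance"},
]


def demo(secret=b"constructed 256-bit backup key!!"):
    plan = plan_distribution(HOLDERS, split(secret, m=5, n=3), n=3)
    s = [plan[h["name"]] for h in HOLDERS]
    return {
        "any_three": recover(s[:3]) == secret and recover([s[0], s[2], s[4]]) == secret,
        "all_five": recover(s) == secret,
        "two_is_not_enough": recover(s[:2]) != secret,
    }
```

Two operational points follow from the code: recover() cannot tell whether it was given enough shares, so the threshold N must be recorded alongside the plan rather than inferred at recovery time, and the diversity check has to be re-run whenever custodians change site or organisation, since the abstract's plan is only as good as the data it was generated from.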


    Secure Policy Differentiation by Secure Kernel Design
    17.
    Patent application, lapsed

    Publication number: US20090089579A1

    Publication date: 2009-04-02

    Application number: US11866001

    Filing date: 2007-10-02

    IPC classification: H04L9/00

    CPC classification: G06F21/575

    Abstract: A method, computer program product, and data processing system are disclosed for ensuring that applications executed in the data processing system originate only from trusted sources. In a preferred embodiment, a secure operating kernel maintains a "key ring" containing keys that correspond to trusted software vendors. The secure kernel uses the vendor keys to verify that a given application was signed by an approved vendor. So that users can run software from independent software developers, an administrative user may, as an option, disable the vendor-key checking described above.
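The key-ring policy shared by this entry and entries 13 and 15, as one added example that is not the patents' code: the secure kernel runs an application only if its signature verifies under a key in the ring; the global key pair of entries 13 and 15, whose private half is public, lets anyone sign; and the administrative switch of this entry turns vendor-key checking off. The signature scheme is a Lamport one-time signature over SHA-256, chosen so that the example needs only the standard library (the abstracts name no scheme), and the vendor, application images and the public seed for the global pair are constructed.

```python
"""Key-ring policy in a secure kernel: vendor keys, a global key pair, an admin switch.

Added example, not the patents' code. Lamport one-time signatures over SHA-256
stand in for whatever scheme a real platform uses; each Lamport private key may
sign only one image. Vendor, image contents and the global seed are constructed.
"""
import hashlib
import os


def H(b):
    return hashlib.sha256(b).digest()


def keygen(rand=os.urandom):
    """Lamport key pair for 256-bit digests (one-time use per private key)."""
    sk = [(rand(32), rand(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def sign(sk, image):
    d = int.from_bytes(H(image), "big")
    return [sk[i][(d >> (255 - i)) & 1] for i in range(256)]


def verify(pk, image, sig):
    d = int.from_bytes(H(image), "big")
    return len(sig) == 256 and all(H(sig[i]) == pk[i][(d >> (255 - i)) & 1] for i in range(256))


def key_id(pk):
    """Identifier under which a public key is stored in the ring."""
    return H(b"".join(a + b for a, b in pk))[:8]


def published_rand(seed=b"constructed GLOBAL KEY PAIR seed: both halves are public"):
    """Deterministic byte source: regenerating the global pair from a public seed is
    how 'the private key is publicly known' is modelled here."""
    ctr = 0

    def rand(n):
        nonlocal ctr
        out = b""
        while len(out) < n:
            out += H(seed + ctr.to_bytes(4, "big"))
            ctr += 1
        return out[:n]
    return rand


GLOBAL_SK, GLOBAL_PK = keygen(published_rand())   # anyone can recompute both halves


class SecureKernel:
    def __init__(self, ring_keys, vendor_checking=True):
        self.key_ring = {key_id(pk): pk for pk in ring_keys}   # the "key ring"
        self.vendor_checking = vendor_checking                 # the administrative switch

    def may_execute(self, image, signer_id, sig):
        if not self.vendor_checking:
            return True          # vendor-key checking disabled by an administrator
        pk = self.key_ring.get(signer_id)
        return pk is not None and verify(pk, image, sig)


def policy_demo():
    """Verdicts for the situations the abstracts describe."""
    vendor_sk, vendor_pk = keygen()
    vendor_app = b"constructed image signed by an approved vendor"
    indie_app = b"constructed image from an independent developer"
    vendor_sig = sign(vendor_sk, vendor_app)
    indie_sig = sign(GLOBAL_SK, indie_app)              # anyone can produce this
    strict = SecureKernel([vendor_pk])                  # global public key excluded
    open_ring = SecureKernel([vendor_pk, GLOBAL_PK])    # global public key admitted as a "vendor key"
    unchecked = SecureKernel([vendor_pk], vendor_checking=False)
    return {
        "vendor_app_strict": strict.may_execute(vendor_app, key_id(vendor_pk), vendor_sig),
        "indie_app_strict": strict.may_execute(indie_app, key_id(GLOBAL_PK), indie_sig),
        "indie_app_open_ring": open_ring.may_execute(indie_app, key_id(GLOBAL_PK), indie_sig),
        "tampered_app_open_ring": open_ring.may_execute(indie_app + b"!", key_id(GLOBAL_PK), indie_sig),
        "indie_app_unchecked": unchecked.may_execute(indie_app, key_id(GLOBAL_PK), indie_sig),
    }
```

The verdicts make the policy trade-off concrete: admitting the global public key and disabling vendor-key checking let the same set of images run, because a signature under a published private key says nothing about who produced the image. The one difference is that the open-ring configuration still detects an image altered after it was signed, which the disabled-check configuration does not.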


    Cryptographic Secure Program Overlays
    18.
    Patent application, in force

    Publication number: US20080301468A1

    Publication date: 2008-12-04

    Application number: US11754649

    Filing date: 2007-05-29

    IPC classification: G06F12/14

    Abstract: A method, computer program product, and data processing system are disclosed for executing applications larger than physical memory while protecting sensitive program code (and data) from unauthorized access in a memory space that is not subject to protection-fault or page-fault detection. Large applications are accommodated by a mechanism for secure program overlays, in which a single large application is broken into two or more smaller applications (overlays) that execute from the same memory space: one overlay is overwritten with another when the latter needs to run. So that data may be shared among these overlays, each of them contains embedded cryptographic keys, which are used to encrypt or decrypt information stored persistently while control is transferred from one overlay to another.
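The overlay hand-off described in the abstract, as an added example that is not the patent's code: two overlays share one memory region; the outgoing overlay seals the state the next one needs with a key embedded in both, parks it in unprotected storage, and the incoming overlay unseals it. The cipher is a standard-library stand-in (SHA-256 in counter mode for the keystream, HMAC-SHA256 as the tag, encrypt-then-MAC with separate subkeys); a real build would use an AEAD such as AES-GCM. The region size, the overlay names, the embedded key, the state layout and the use of the transition name as associated data are assumptions made here.

```python
"""Secure program overlays: sealed state handed between overlays sharing one region.

Added example, not the patent's code. The cipher is a stand-in built from the
standard library; region size, overlay names, embedded key and state layout are
assumptions.
"""
import hashlib
import hmac
import os
import struct

REGION = bytearray(256)                       # the one execution region both overlays load into
PERSIST = {}                                  # unprotected store outside the region
EMBEDDED_KEY = hashlib.sha256(b"constructed key linked into every overlay").digest()


def _subkeys(key):
    return hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest()


def _keystream(enc_key, nonce, n):
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(enc_key + nonce + struct.pack("<I", ctr)).digest()
    return out[:n]


def seal(key, aad, plaintext, rand=os.urandom):
    """nonce || ciphertext || tag. `aad` names the transition this state is valid for,
    so state sealed for A->B cannot be presented to a different overlay."""
    enc_key, mac_key = _subkeys(key)
    nonce = rand(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, aad, blob):
    if len(blob) < 48:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()):
        return None                               # tampered, or sealed for another transition
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def overlay_a():
    """Stage 1 occupies the region, does its work and parks sealed state for stage 2."""
    REGION[:] = b"A" * len(REGION)                # overlay A's code and data
    state = struct.pack("<I", 7) + b"partial result from stage 1"
    PERSIST["A->B"] = seal(EMBEDDED_KEY, b"A->B", state)
    REGION[:] = bytes(len(REGION))                # leave no plaintext behind for the next overlay


def overlay_b():
    """Stage 2 is loaded over the same region and continues from the sealed state."""
    REGION[:] = b"B" * len(REGION)
    state = unseal(EMBEDDED_KEY, b"A->B", PERSIST.get("A->B", b""))
    if state is None:
        return None
    counter, = struct.unpack("<I", state[:4])
    return counter, state[4:]


def run_overlays(tamper=False):
    overlay_a()
    if tamper:                                    # flip one ciphertext byte in the parked state
        blob = bytearray(PERSIST["A->B"])
        blob[20] ^= 0x01
        PERSIST["A->B"] = bytes(blob)
    return overlay_b()
```

Two limits of this construction are worth stating. The tag stops modification and cross-transition substitution but not replay: an old, validly sealed A->B state can be presented again, so a real design adds a counter or epoch that both overlays track. And the embedded key is only as secret as the overlay images that carry it, which is why the abstract ties overlays to a memory space protected from unauthorized access in the first place.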


    METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR INVOKING EXTERNALLY ASSISTED CALLS FROM AN ISOLATED ENVIRONMENT
    19.
    Patent application, in force

    Publication number: US20080244612A1

    Publication date: 2008-10-02

    Application number: US11693406

    Filing date: 2007-03-29

    IPC classification: G06F3/00

    CPC classification: G06F9/544

    Abstract: A method of invoking Power processor element (PPE)-serviced C library functions on a synergistic processing element (SPE) running in isolated mode. When the SPE initiates a PPE-serviced function, an SPE stub routine allocates a parameter buffer in the open area of the local store (LS) memory within the SPE. The LS memory includes an open area accessible to the PPE and an isolated area inaccessible to the PPE. The SPE stub routine copies the parameters of the PPE-serviced function into the buffer in the open area and writes a message word, containing an identifier of the PPE-serviced function and the location of the parameters, to the open area. When execution on the SPE is temporarily suspended, the PPE reads the message word from the open area of the LS memory and executes the PPE-serviced function.
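The call path described in this abstract and in entry 11 (the granted version of the same application), modelled as one added example that is not code from the patent or from the Cell SDK. The local store is a byte array split into an isolated area, which is never handed to the PPE side, and an open area, which is the only part the PPE receives. The LS layout, the message-word format, the function ids and the two service functions are assumptions; the bounds check that the PPE applies to the location variable is this example's addition, since the abstract says only that the PPE reads the message word and executes the function.

```python
"""Model of the SPE -> PPE assisted-call path.

Added example; not code from the patent or the Cell SDK. LS layout, message
word format, function ids and the two service functions are assumptions.
"""
import struct

LS_SIZE = 4096
OPEN_BASE = 3072             # assumed: the last 1 KiB of the LS is the open area
MSG_OFF = OPEN_BASE          # assumed: the message word is the first 8 bytes of it
BUF_BASE = OPEN_BASE + 16    # assumed: parameter buffers start after the message word
MSG_FMT = "<HHHH"            # assumed: function id, parameter address, parameter length, status
ST_PENDING, ST_DONE, ST_REJECTED = 0, 1, 2
FN_STRLEN, FN_TOUPPER = 1, 2  # assumed ids of two PPE-serviced C library functions

local_store = bytearray(LS_SIZE)
local_store[:OPEN_BASE] = b"\x5a" * OPEN_BASE    # stand-in for isolated-area code and data

SERVICES = {
    FN_STRLEN: lambda p: struct.pack("<I", len(p.split(b"\0", 1)[0])),
    FN_TOUPPER: lambda p: p.upper(),
}


class SPEStub:
    """Runs inside the isolated SPE: exposes only the parameters, then posts a message word."""

    def __init__(self, ls):
        self.ls = ls

    def call(self, fn_id, params):
        if BUF_BASE + len(params) > LS_SIZE:
            raise ValueError("parameters do not fit in the open area")
        self.ls[BUF_BASE:BUF_BASE + len(params)] = params    # copied out; nothing else is exposed
        self.ls[MSG_OFF:MSG_OFF + 8] = struct.pack(MSG_FMT, fn_id, BUF_BASE, len(params), ST_PENDING)
        # Execution would now be suspended so that the PPE can service the request.

    def result(self):
        _, addr, length, status = struct.unpack(MSG_FMT, self.ls[MSG_OFF:MSG_OFF + 8])
        if status != ST_DONE:
            return None
        return bytes(self.ls[addr:addr + length])            # copied back into the isolated area


def ppe_service(open_area):
    """PPE side. `open_area` is a memoryview of the open area only. The address in the
    message word was written by the SPE and is untrusted input here: it is translated
    to an offset and bounds-checked before anything is read or written."""
    fn_id, addr, length, _ = struct.unpack(MSG_FMT, open_area[0:8])
    rel = addr - OPEN_BASE
    if fn_id not in SERVICES or rel < 16 or rel + length > len(open_area):
        open_area[0:8] = struct.pack(MSG_FMT, fn_id, addr, 0, ST_REJECTED)
        return False
    out = SERVICES[fn_id](bytes(open_area[rel:rel + length]))
    if rel + len(out) > len(open_area):                       # the result must fit as well
        open_area[0:8] = struct.pack(MSG_FMT, fn_id, addr, 0, ST_REJECTED)
        return False
    open_area[rel:rel + len(out)] = out
    open_area[0:8] = struct.pack(MSG_FMT, fn_id, addr, len(out), ST_DONE)
    return True


def assisted_call(fn_id, params):
    """One round trip: the stub posts the call, the PPE services it, the stub collects the result."""
    stub = SPEStub(local_store)
    stub.call(fn_id, params)
    ppe_service(memoryview(local_store)[OPEN_BASE:])
    return stub.result()


def forged_location():
    """A message word whose parameter address lies in the isolated area is refused."""
    local_store[MSG_OFF:MSG_OFF + 8] = struct.pack(MSG_FMT, FN_TOUPPER, 0x100, 16, ST_PENDING)
    return ppe_service(memoryview(local_store)[OPEN_BASE:])
```

Two properties of the abstract's design show up in the model. Confidentiality rests entirely on the stub copying only the parameters into the open area, so a stub that hands over a pointer into the isolated area, or leaves results there, defeats the isolation regardless of what the PPE does. And the PPE must treat every field of the message word as attacker-controlled, since an SPE running arbitrary code can post any function id, address or length it likes.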
