Securing communications with security processors using platform keys

    Publication number: US12105806B2

    Publication date: 2024-10-01

    Application number: US17585646

    Filing date: 2022-01-27

    CPC classification number: G06F21/572 G06F21/575 G06F21/72 H04L9/0825

    Abstract: A computer platform includes a security processor; at least one hardware processor; and a memory. The security processor stores data representing a private platform key. The private platform key is part of an asymmetric pair of keys, and the asymmetric pair of keys includes a public platform key. The memory stores a firmware image. The firmware image includes data representing a root certificate of a public key infrastructure that signs a second certificate that is associated with the computer platform. The second certificate includes the public platform key and binding information binding the second certificate to the computer platform. The firmware image includes instructions that, when executed by the hardware processor(s), cause the hardware processor(s) to access data representing the second certificate and determine whether the second certificate is valid based on the root certificate and the binding information. The instructions, when executed by the hardware processor(s), further cause the hardware processor(s) to, responsive to determining that the second certificate is valid, use the public platform key to secure communication with the security processor.

    Implicit attestation for network access

    Publication number: US11438161B2

    Publication date: 2022-09-06

    Application number: US16671088

    Filing date: 2019-10-31

    Abstract: A method and apparatus for use in a trusted network environment together or separately employ an implicit attestation that a requesting computing resource is in a trusted state before access to a network resource is granted. The method includes: verifying that a requesting computing resource is in a trusted state; accessing the private key using the released key authorization value; and creating a digital signature for the requesting device from the accessed private key. The apparatus may implement the method.

    IMPLICIT ATTESTATION FOR NETWORK ACCESS

    Publication number: US20210135872A1

    Publication date: 2021-05-06

    Application number: US16671088

    Filing date: 2019-10-31

    Abstract: A method and apparatus for use in a trusted network environment together or separately employ an implicit attestation that a requesting computing resource is in a trusted state before access to a network resource is granted. The method includes: verifying that a requesting computing resource is in a trusted state; accessing the private key using the released key authorization value; and creating a digital signature for the requesting device from the accessed private key. The apparatus may implement the method.

    INTEGRITY MANIFEST CERTIFICATE
    Patent application

    Publication number: US20210073003A1

    Publication date: 2021-03-11

    Application number: US16565915

    Filing date: 2019-09-10

    Abstract: Examples disclosed herein relate to using an integrity manifest certificate to verify the state of a platform. A device uses a device identity, provisioned and stored in a security co-processor, to retrieve an integrity proof from the security co-processor. The device includes at least one processing element, at least one memory device, and a bus including at least one bus device, and the device identity is associated with a device identity certificate signed by a first authority. The integrity proof includes a representation of each of a plurality of hardware components, including the at least one processing element, the at least one memory device, the at least one bus device, and a system board, and a representation of a plurality of firmware components included in the device. The integrity proof is provided to a certification station. The certification station determines that the integrity proof is an expected value based on an expected provisioning state of the device and the device identity. The certification station signs, using a second authority, an integrity manifest certificate based on the integrity proof and the device identity. The integrity manifest certificate is stored.

    Integrity values for beginning booting instructions

    Publication number: US10242195B2

    Publication date: 2019-03-26

    Application number: US15217583

    Filing date: 2016-07-22

    Abstract: Examples described herein include a computing device with a processing resource to execute beginning booting instructions of the computing device. The beginning booting instructions may include a first booting instruction. The computing device also includes an access line to access the first booting instruction, a measuring engine to duplicate the first booting instruction and to generate a first integrity value associated with the first booting instruction, and a measurement register to store the first integrity value. The measuring engine may be operationally screened from the processing resource and the measurement register may be inaccessible to the processing resource.

    EXECUTING PROTECTED CODE
    Patent application

    Publication number: US20190005245A1

    Publication date: 2019-01-03

    Application number: US16061814

    Filing date: 2016-04-29

    Inventor: Thomas M. Laffey

    Abstract: In some examples, in response to a reset of an electronic device, a method disables hardware write locking of a first region in a non-volatile memory, and executes a first boot code portion from the first region to begin a boot procedure. The executed first boot code portion checks whether an update code for the first boot code portion exists. In response to determining that no update code for the first boot code portion exists, the executed first boot code portion causes hardware write locking of the first region. After causing the hardware write locking of the first region, the boot procedure continues, the boot procedure comprising verifying an integrity of a second boot code portion.

    Multiple physical request interfaces for security processors

    Publication number: US12072990B2

    Publication date: 2024-08-27

    Application number: US17451829

    Filing date: 2021-10-22

    CPC classification number: G06F21/606 G06F21/572 G06F21/85

    Abstract: A process includes a first tenant of a plurality of tenants communicating with a security processor of a computer platform, via a first physical request interface of the security processor, to acquire ownership of a first command execution engine of the security processor associated with the first physical request interface. The process includes a second tenant of the plurality of tenants communicating with the security processor, via a second physical request interface of the security processor, to acquire ownership of a second command execution engine of the security processor associated with the second physical request interface. The process includes the security processor receiving a first request from the first tenant via the first physical request interface, and the security processor receiving a second request from the second tenant via the second physical request interface. The process includes the first command execution engine processing the first request and the second command execution engine processing the second request to perform corresponding trusted computing operations.

    UNAUTHORIZED DEVICE DETECTION IN A COMPUTING ENVIRONMENT

    Publication number: US20240236089A9

    Publication date: 2024-07-11

    Application number: US18047785

    Filing date: 2022-10-19

    CPC classification number: H04L63/0876 H04L63/0209

    Abstract: In some examples, a system receives information from electronic devices comprising network devices and computing devices in a computing environment that are subject to attestations of interfaces of the network devices and the computing devices. For each interface of a given computing device being attested, the system verifies that the interface of the given computing device is connected to an interface of a corresponding network device that is being attested. For each interface of a given network device being attested, the system verifies that the interface of the given network device is connected to an interface of a corresponding computing device that is being attested or an interface of another network device that is being attested. The system detects a presence of an unauthorized electronic device in the computing environment in response to determining that an interface of a computing device being attested or an interface of a network device being attested is not connected to a corresponding interface of an electronic device being attested.
