公开(公告)号：US09461994B2

公开(公告)日：2016-10-04

申请号：US14554467

申请日：2014-11-26

Applicant: Intel Corporation

Inventor： Mark E. Scott-Nash ,  Annapurna Dasari ,  Willard M. Wiseman

IPC: H04L9/32 ,  H04L29/06

CPC classification number: H04L63/0876 ,  G06F21/57 ,  H04L63/0457 ,  H04L63/0853

Abstract: In an embodiment, at least one computer readable medium has instructions stored thereon for causing a system to cryptographically sign, at a secure platform services enclave (PSE) of a computing system and using a secure attestation key (SGX AK), a public portion of a trusted platform module attestation key (TPM AK) associated with a trusted computing base of a physical platform, to form a certified TPM AK public portion. Also included are instructions to store the certified TPM AK public portion in the PSE, and instructions to, responsive to an attestation request received from a requester at a virtual trusted platform module (vTPM) associated with a virtual machine (VM) that has migrated onto the physical platform, provide to the requester the certified TPM AK public portion stored in the PSE. Other embodiments are described and claimed.

Abstract translation: 在一个实施例中，至少一个计算机可读介质具有存储在其上的指令，用于使系统在计算系统的安全平台服务飞地（PSE）处进行密码地签名，并使用安全认证密钥（SGX AK），公共部分 与物理平台的可信计算基础相关联的可信平台模块认证密钥（TPM AK），以形成认证的TPM AK公共部分。 还包括用于将经认证的TPM AK公共部分存储在PSE中的指令，以及响应于从虚拟机（VM）相关联的虚拟可信平台模块（vTPM）处从请求者接收到的认证请求的指令，所述虚拟可信平台模块（vTPM）已迁移到 物理平台，向请求者提供存储在PSE中的认证TPM AK公共部分。 描述和要求保护其他实施例。

公开(公告)号：US20160085969A1

公开(公告)日：2016-03-24

申请号：US14956817

申请日：2015-12-02

Applicant: Intel Corporation

Inventor： Willard M. Wiseman

IPC: G06F21/57 ,  G06F21/60 ,  G06F9/44

CPC classification number: G06F21/572 ,  G06F9/4401 ,  G06F11/1417 ,  G06F12/0246 ,  G06F13/14 ,  G06F21/60 ,  G06F2221/033

Abstract: Embodiments of apparatuses and methods for using a trusted platform module for boot policy and secure firmware are disclosed. In one embodiment, a trusted platform module includes a non-volatile memory, a port, and a mapping structure. The port is to receive an input/output transaction from a serial bus. The transaction includes a system memory address in the address space of a processor. The mapping structure is to map the system memory address to a first location in non-volatile memory.

Abstract translation: 公开了用于使用信任平台模块进行引导策略和安全固件的装置和方法的实施例。 在一个实施例中，可信平台模块包括非易失性存储器，端口和映射结构。 端口是从串行总线接收输入/输出事务。 交易包括处理器的地址空间中的系统存储器地址。 映射结构将系统内存地址映射到非易失性存储器中的第一个位置。

公开(公告)号：US09059855B2

公开(公告)日：2015-06-16

申请号：US13843954

申请日：2013-03-15

Applicant: Intel Corporation

Inventor： Simon P. Johnson ,  Vincent R. Scarlata ,  Willard M. Wiseman

IPC: G06F21/00 ,  H04L9/32 ,  G06F21/10 ,  G06F21/57

CPC classification number: G06F21/71 ,  G06F21/10 ,  G06F21/57 ,  G06F2221/0748 ,  G06F2221/0797 ,  H04L9/3234

Abstract: An apparatus and method are described for implementing a trusted dynamic launch and trusted platform module (TPM) using a secure enclave. For example, a computer-implemented method according to one embodiment of the invention comprises: initializing a secure enclave in response to a first command, the secure enclave comprising a trusted software execution environment which prevents software executing outside the enclave from having access to software and data inside the enclave; and executing a trusted platform module (TPM) from within the secure enclave, the trusted platform module securely reading data from a set of platform control registers (PCR) in a processor or chipset component into a memory region allocated to the secure enclave.

Abstract translation: 描述了使用安全飞地实现可信的动态发射和可信平台模块（TPM）的装置和方法。 例如，根据本发明的一个实施例的计算机实现的方法包括：响应于第一命令初始化安全飞地，所述安全飞地包括可信软件执行环境，其防止在飞地之外执行的软件访问软件，以及 飞地内的数据; 以及从所述安全飞地内执行可信平台模块（TPM），所述可信平台模块将处理器或芯片组组件中的一组平台控制寄存器（PCR）中的数据安全地读取到分配给所述安全飞地的存储器区域中。

公开(公告)号：US10693851B2

公开(公告)日：2020-06-23

申请号：US16036579

申请日：2018-07-16

Applicant: Intel Corporation

Inventor： Willard M. Wiseman ,  Philip B. Tricca

IPC: H04L29/06 ,  G06F21/57 ,  H04L9/32

Abstract: One embodiment provides a client device. The client device includes a Trusted Platform Module (TPM). The TPM includes a secure controller to extend a secure hash digest with at least a portion of a data stream or a hash of the at least a portion of the data stream.Another embodiment provides a server system. The server system includes verifier logic. The verifier logic is to verify that an attestation identity key (AIK) public key associated with a received Trusted Platform Module (TPM) quote corresponds to an authenticated client device.

公开(公告)号：US10218711B2

公开(公告)日：2019-02-26

申请号：US15152755

申请日：2016-05-12

Applicant: Intel Corporation

Inventor： Ned M. Smith ,  Simon P. Johnson ,  Steve Orrin ,  Willard M. Wiseman

IPC: H04L29/06 ,  G06F21/57 ,  H04W4/021 ,  H04W12/06 ,  H04W12/08

Abstract: In one embodiment, a method includes determining a location of a system responsive to location information received from at least one of a location sensor and a wireless device of the system, associating the location with a key present in the system to generate an authenticated location of the system, and determining whether the authenticated location is within a geofence boundary indicated in a location portion of a launch control policy (LCP) that provides a geographic-specific policy. Other embodiments are described and claimed.

公开(公告)号：US20180343237A1

公开(公告)日：2018-11-29

申请号：US16036579

申请日：2018-07-16

Applicant: Intel Corporation

Inventor： Willard M. Wiseman ,  Philip B. Tricca

IPC: H04L29/06 ,  G06F21/57 ,  H04L9/32

CPC classification number: H04L63/045 ,  G06F21/57 ,  H04L9/3247 ,  H04L63/0853 ,  H04L63/126 ,  H04L2209/127

Abstract: One embodiment provides a client device. The client device includes a Trusted Platform Module (TPM). The TPM includes a secure controller to extend a secure hash digest with at least a portion of a data stream or a hash of the at least a portion of the data stream.Another embodiment provides a server system. The server system includes verifier logic. The verifier logic is to verify that an attestation identity key (AIK) public key associated with a received Trusted Platform Module (TPM) quote corresponds to an authenticated client device.

公开(公告)号：US09846787B2

公开(公告)日：2017-12-19

申请号：US14633701

申请日：2015-02-27

Applicant: INTEL CORPORATION

Inventor： Simon P. Johnson ,  Vincent R. Scarlata ,  Willard M. Wiseman

IPC: G06F21/00 ,  G06F21/71 ,  G06F21/10 ,  G06F21/57 ,  H04L9/32

CPC classification number: G06F21/71 ,  G06F21/10 ,  G06F21/57 ,  G06F2221/0748 ,  G06F2221/0797 ,  H04L9/3234

Abstract: An apparatus and method are described for implementing a trusted dynamic launch and trusted platform module (TPM) using a secure enclave. For example, a computer-implemented method according to one embodiment of the invention comprises: initializing a secure enclave in response to a first command, the secure enclave comprising a trusted software execution environment which prevents software executing outside the enclave from having access to software and data inside the enclave; and executing a trusted platform module (TPM) from within the secure enclave, the trusted platform module securely reading data from a set of platform control registers (PCR) in a processor or chipset component into a memory region allocated to the secure enclave.

公开(公告)号：US09779249B2

公开(公告)日：2017-10-03

申请号：US15292301

申请日：2016-10-13

Applicant: Intel Corporation

Inventor： John H. Wilson ,  Ioannis T. Schoinas ,  Mazin S. Yousif ,  Linda J. Rankin ,  David W. Grawrock ,  Robert J. Greiner ,  James A. Sutton ,  Kushagra Vaid ,  Willard M. Wiseman

IPC: G06F21/00 ,  G06F21/57 ,  G06F21/44 ,  G06F21/50 ,  G06F21/71

CPC classification number: G06F21/575 ,  G06F21/44 ,  G06F21/445 ,  G06F21/50 ,  G06F21/606 ,  G06F21/64 ,  G06F21/71 ,  G06F2221/034

Abstract: In one embodiment of the present invention, a method includes verifying a master processor of a system; validating a trusted agent with the master processor if the master processor is verified; and launching the trusted agent on a plurality of processors of the system if the trusted agent is validated. After execution of such a trusted agent, a secure kernel may then be launched, in certain embodiments. The system may be a multiprocessor server system having a partially or fully connected topology with arbitrary point-to-point interconnects, for example.

公开(公告)号：US20170098085A1

公开(公告)日：2017-04-06

申请号：US15292301

申请日：2016-10-13

Applicant: Intel Corporation

Inventor： John H. Wilson ,  Ioannis T. Schoinas ,  Mazin S. Yousif ,  Linda J. Rankin ,  David W. Grawrock ,  Robert J. Greiner ,  James A. Sutton ,  Kushagra Vaid ,  Willard M. Wiseman

IPC: G06F21/57 ,  G06F21/44

CPC classification number: G06F21/575 ,  G06F21/44 ,  G06F21/445 ,  G06F21/50 ,  G06F21/606 ,  G06F21/64 ,  G06F21/71 ,  G06F2221/034

Abstract: In one embodiment of the present invention, a method includes verifying a master processor of a system; validating a trusted agent with the master processor if the master processor is verified; and launching the trusted agent on a plurality of processors of the system if the trusted agent is validated. After execution of such a trusted agent, a secure kernel may then be launched, in certain embodiments. The system may be a multiprocessor server system having a partially or fully connected topology with arbitrary point-to-point interconnects, for example.

公开(公告)号：US09384352B2

公开(公告)日：2016-07-05

申请号：US14127211

申请日：2013-10-02

Applicant: Intel Corporation

Inventor： Jiewen Yao ,  Vincent J. Zimmer ,  Nicholas J. Adams ,  Willard M. Wiseman ,  Qin Long ,  Shihui Li

IPC: G06F9/00 ,  G06F21/57 ,  G06F21/72 ,  G06F9/44

CPC classification number: G06F21/575 ,  G06F9/4403 ,  G06F21/72

Abstract: An embodiment includes an apparatus comprising: an out-of-band cryptoprocessor including secure non-volatile storage that couples to a root index, having a fixed address, and comprises first and second variables referenced by the root index; and semiconductor integrated code (SIC) including embedded processor logic to initialize a processor and embedded memory logic to initialize a memory coupled to the processor; wherein (a) the SIC is to be executed responsive to resetting the processor and prior to providing control to boot code, and (b) the SIC is to perform pre-boot operations in response to accessing at least one of the first and second variables. Other embodiments are described herein.

Abstract translation: 实施例包括一种装置，包括：带外密码处理器，包括耦合到具有固定地址的根索引的安全非易失性存储器，并且包括由根索引引用的第一和第二变量; 以及包括用于初始化处理器和嵌入式存储器逻辑的嵌入式处理器逻辑以初始化耦合到所述处理器的存储器的半导体集成代码（SIC）; 其中（a）响应于重置所述处理器并且在向引导代码提供控制之前响应于所述SIC执行所述SIC，以及（b）所述SIC响应于访问所述第一和第二变量中的至少一个来执行预引导操作 。 本文描述了其它实施例。