-
Publication number: US20200250319A1
Publication date: 2020-08-06
Application number: US16737974
Filing date: 2020-01-09
Abstract: A computer-implemented method for creating a secure software container. The method comprises providing a first layered software container image; transforming all files, except the corresponding metadata, of each layer of the first layered software container image into a volume, the volume comprising a set of blocks, wherein each layer comprises an incremental difference to the next lower layer; encrypting each block of the set of blocks of a portion of the layers; and storing each encrypted set of blocks as a layer of an encrypted container image, along with unencrypted metadata for rebuilding an order of the set of blocks equal to the order of the first layered software container image, so that a secure encrypted software container is created.
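Added example (not code from the patent or from IBM): a Go sketch of the scheme in the abstract. It assumes a 16-byte block size so that short sample layers split into several blocks, AES-256-GCM for the encrypted blocks, SHA-256 digests as the keys of a content-addressed blob store standing in for a registry, and layers handed in as raw byte slices with their metadata already stripped. The only cleartext kept per block is its layer number, position, an encrypted flag and the digest of the stored block; the sample layer contents are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// blockSize is a demo assumption: tiny, so the short sample layers split into several blocks.
const blockSize = 16

// BlockMeta is the unencrypted per-block metadata: enough to restore the order of the
// original layered image, nothing about the content (Digest covers the stored block).
type BlockMeta struct {
	Layer, Index int    // layer index (0 = lowest layer) and block position within it
	Encrypted    bool   // true if the stored block is AES-GCM ciphertext
	Digest       string // hex SHA-256 of the stored block; key into Blobs
}

// EncryptedImage: content-addressed blob store (as a registry keeps layers) plus clear metadata.
type EncryptedImage struct {
	Blobs map[string][]byte
	Meta  []BlockMeta
}

// splitIntoBlocks turns one layer's file data (metadata already removed) into a volume of blocks.
func splitIntoBlocks(data []byte) (blocks [][]byte) {
	for len(data) > blockSize {
		blocks, data = append(blocks, data[:blockSize]), data[blockSize:]
	}
	return append(blocks, data)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(c)
}

func digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// EncryptImage encrypts every block of layers[encryptFrom:] (the "portion of the layers");
// lower layers, e.g. a public base image, are stored in the clear.
func EncryptImage(layers [][]byte, encryptFrom int, key []byte) (*EncryptedImage, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	img := &EncryptedImage{Blobs: map[string][]byte{}}
	for li, layer := range layers {
		for bi, blk := range splitIntoBlocks(layer) {
			stored, enc := blk, li >= encryptFrom
			if enc {
				nonce := make([]byte, gcm.NonceSize())
				if _, err := rand.Read(nonce); err != nil {
					return nil, err
				}
				// Layer and block index are bound as associated data, so a ciphertext
				// block cannot be moved to another slot without failing authentication.
				stored = gcm.Seal(nonce, nonce, blk, []byte(fmt.Sprintf("%d/%d", li, bi)))
			}
			d := digest(stored)
			img.Blobs[d] = stored
			img.Meta = append(img.Meta, BlockMeta{Layer: li, Index: bi, Encrypted: enc, Digest: d})
		}
	}
	return img, nil
}

// RebuildImage walks the clear metadata in order, fetches each blob by digest, verifies
// the digest, decrypts where flagged and reassembles the layers in their original order.
func RebuildImage(img *EncryptedImage, key []byte) ([][]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	var layers [][]byte
	for _, m := range img.Meta {
		plain, ok := img.Blobs[m.Digest]
		if !ok || digest(plain) != m.Digest {
			return nil, fmt.Errorf("layer %d block %d: blob missing or digest mismatch", m.Layer, m.Index)
		}
		if ns := gcm.NonceSize(); m.Encrypted {
			if len(plain) < ns {
				return nil, fmt.Errorf("layer %d block %d: ciphertext too short", m.Layer, m.Index)
			}
			aad := []byte(fmt.Sprintf("%d/%d", m.Layer, m.Index))
			if plain, err = gcm.Open(nil, plain[:ns], plain[ns:], aad); err != nil {
				return nil, fmt.Errorf("layer %d block %d: %w", m.Layer, m.Index, err)
			}
		}
		for len(layers) <= m.Layer {
			layers = append(layers, nil)
		}
		layers[m.Layer] = append(layers[m.Layer], plain...)
	}
	return layers, nil
}

func main() {
	key := make([]byte, 32)
	rand.Read(key)
	// Constructed sample layers; real layers would be tar streams of files.
	layers := [][]byte{[]byte("base layer: /bin/sh, /lib/libc.so"), []byte("app layer: /app/server, /app/license.key")}
	img, _ := EncryptImage(layers, 1, key) // layer 0 stays clear, layer 1 is encrypted
	rebuilt, err := RebuildImage(img, key)
	fmt.Println(len(img.Meta), "blocks stored,", len(rebuilt), "layers rebuilt, error:", err)
}
```

Two points the abstract leaves open and the example settles one way: the per-block nonce is random and stored in front of each ciphertext, and the layer/block position is fed into GCM as associated data, so a registry that still serves valid blobs cannot reorder them. The per-block overhead (12-byte nonce plus 16-byte tag) is what argues for large real-world blocks.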
-
Publication number: US12130953B2
Publication date: 2024-10-29
Application number: US17395089
Filing date: 2021-08-05
CPC classification: G06F21/71, G06F21/572, G06F21/64, H04L9/0819, H04L9/3271, G06F9/45558, G06F2009/45575, G06F2221/033
Abstract: A secure guest generates an updated image for the secure guest and computes one or more measurements for the updated image. The secure guest provides the one or more measurements to a trusted execution environment and obtains from the trusted execution environment metadata for the updated image. The metadata is generated based on the metadata of the secure guest and the one or more measurements obtained.
-
Publication number: US20240176885A1
Publication date: 2024-05-30
Application number: US18159698
Filing date: 2023-01-26
CPC classification: G06F21/572, G06F9/45545, G06F9/45558, G06F21/575, G06F21/64, G06F2009/45575, G06F2221/033
Abstract: A method for securely modifying the metadata of a secure guest instance that is personalized by an initialization code, using firmware that maintains the metadata of the secure guest, is disclosed. The method comprises starting a secure guest instance using a hypervisor, receiving, by the secure guest instance, user-specific data, and personalizing, by the secure guest instance, the secure guest instance using the user-specific data. The method also comprises receiving, by the secure guest instance, a request structure for modifying the metadata of the secure guest instance; verifying the request structure partially, by the secure guest instance, using the user-specific data and, upon successful verification, passing the request structure to the trusted firmware for modifying the metadata of the secure guest instance; and verifying, by the trusted firmware, the request structure and, upon success, modifying the metadata as specified by the request structure.
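Added example in Go, not the patent's own code, of the two-stage check described above. The trust split is an assumption: the guest owner holds the user-specific secret that was delivered to the guest during personalization and a second secret known only to the trusted firmware; the request body is authenticated with HMAC-SHA256 under each of them, and a generation counter stands in for whatever replay protection the real request structure carries. ModifyRequest, Firmware, Guest and the sample secrets are invented for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// GuestMetadata is the slice of the guest's metadata the trusted firmware maintains (demo fields).
type GuestMetadata struct {
	Generation int  // bumped by every accepted modification, so a request cannot be replayed
	AllowDump  bool // example attribute a request may change
}

// ModifyRequest is the request structure. Its body is authenticated twice: UserTag with
// the user-specific data the guest received at personalization, FirmwareTag with a
// secret that only the trusted firmware holds for this guest.
type ModifyRequest struct {
	Generation  int
	AllowDump   bool
	UserTag     []byte
	FirmwareTag []byte
}

func (r ModifyRequest) body() []byte {
	return []byte(fmt.Sprintf("gen=%d;allow-dump=%t", r.Generation, r.AllowDump))
}

func tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// NewModifyRequest is run by the guest owner, who knows both secrets.
func NewModifyRequest(userSecret, fwSecret []byte, gen int, allowDump bool) ModifyRequest {
	r := ModifyRequest{Generation: gen, AllowDump: allowDump}
	r.UserTag = tag(userSecret, r.body())
	r.FirmwareTag = tag(fwSecret, append(r.body(), r.UserTag...)) // covers body and user tag
	return r
}

// Firmware stands in for the trusted firmware that owns the metadata.
type Firmware struct {
	secret []byte
	Meta   GuestMetadata
}

func NewFirmware(secret []byte) *Firmware { return &Firmware{secret: secret} }

// Modify is the firmware's own, complete verification; it does not rely on the guest's check.
func (fw *Firmware) Modify(r ModifyRequest) error {
	if !hmac.Equal(r.FirmwareTag, tag(fw.secret, append(r.body(), r.UserTag...))) {
		return errors.New("firmware: request not authorized")
	}
	if r.Generation != fw.Meta.Generation+1 {
		return errors.New("firmware: stale or out-of-order request")
	}
	fw.Meta = GuestMetadata{Generation: r.Generation, AllowDump: r.AllowDump}
	return nil
}

// Guest is the personalized secure guest instance.
type Guest struct {
	userSecret []byte // the user-specific data received during personalization
	fw         *Firmware
}

func NewGuest(userSecret []byte, fw *Firmware) *Guest { return &Guest{userSecret: userSecret, fw: fw} }

// HandleModify does the partial verification the guest is able to do (it has no
// firmware secret) and only then passes the request structure on to the firmware.
func (g *Guest) HandleModify(r ModifyRequest) error {
	if !hmac.Equal(r.UserTag, tag(g.userSecret, r.body())) {
		return errors.New("guest: request not authenticated by the guest owner")
	}
	return g.fw.Modify(r)
}

func main() {
	user, fwSecret := []byte("user-specific data"), []byte("firmware-held secret") // constructed
	fw := NewFirmware(fwSecret)
	g := NewGuest(user, fw)
	fmt.Println("valid:", g.HandleModify(NewModifyRequest(user, fwSecret, 1, true)), fw.Meta)
	fmt.Println("replay:", g.HandleModify(NewModifyRequest(user, fwSecret, 1, true)))
	fmt.Println("wrong user secret:", g.HandleModify(NewModifyRequest([]byte("x"), fwSecret, 2, false)))
	// A compromised guest that skips its own check still cannot get past the firmware.
	fmt.Println("wrong firmware secret:", fw.Modify(NewModifyRequest(user, []byte("x"), 2, false)), fw.Meta)
}
```

The point of the split is visible in the last call: the guest's check only filters requests that do not come from its owner, while the firmware's check is what actually protects the metadata, so a guest that has been taken over cannot push a modification through on its own.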
-
Publication number: US11985230B2
Publication date: 2024-05-14
Application number: US17655055
Filing date: 2022-03-16
IPC classification: H04L9/08
CPC classification: H04L9/0825, H04L9/0877, H04L9/0891
Abstract: A method for updating a current master key (MK) with a new MK, protected by an HSM, while a software component using a key is active, is disclosed. The method comprises signaling that a new master key has been loaded to the HSMs; re-encrypting the key that is encrypted with the current MK; storing the re-encrypted key as the newKey component of a key object, wherein the current key is stored in the curKey component of the key object; setting the new MK in a first HSM; and signaling to the active software component that the new MK is set in at least one of the HSMs. Upon determining that the new MK is set in the HSM, usage of the HSMs is restricted to the selected HSM, and upon determining that the new MK is set in all HSMs, the value of the newKey component is moved to the curKey component.
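Added example in Go, not the patent's or any HSM vendor's code, of the curKey/newKey hand-over across several HSMs. Simplifying assumptions: master keys and the working key are 16-byte AES keys; a key token is one AES block of the key under the master key followed by a 4-byte verification pattern of that master key, which is what lets an HSM reject a token wrapped under a master key it does not hold (a real HSM uses an authenticated wrap and richer tokens); the operation the component keeps issuing is an HMAC-SHA256; and the component itself tracks which HSMs it may use once it has been signaled. The master keys and the working key are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

func mustAES(mk []byte) cipher.Block { // master keys are assumed to be valid AES keys
	c, err := aes.NewCipher(mk)
	if err != nil {
		panic(err)
	}
	return c
}

// mkvp is a master key verification pattern: a short hash of the MK stored with each
// wrapped key so that an HSM can tell which master key a key token belongs to.
func mkvp(mk []byte) []byte { s := sha256.Sum256(mk); return s[:4] }

// wrap/unwrap are a deliberately simplified wrapping (one AES block for a 16-byte key,
// plus the MKVP of the wrapping MK); a real HSM uses an authenticated wrapping scheme.
func wrap(mk, key []byte) []byte {
	out := make([]byte, 16)
	mustAES(mk).Encrypt(out, key)
	return append(out, mkvp(mk)...)
}

func unwrap(mk, wrapped []byte) ([]byte, error) {
	if len(wrapped) != 20 || !bytes.Equal(wrapped[16:], mkvp(mk)) {
		return nil, errors.New("key is wrapped under a different master key")
	}
	key := make([]byte, 16)
	mustAES(mk).Decrypt(key, wrapped[:16])
	return key, nil
}

// HSM holds its active master key and, during a rotation, the loaded new one.
type HSM struct{ cur, loaded []byte }

func NewHSM(mk []byte) *HSM { return &HSM{cur: mk} }

// SetNewMK activates the loaded MK; keys wrapped under the old MK stop working on this HSM.
func (h *HSM) SetNewMK() error {
	if h.loaded == nil {
		return errors.New("no new master key loaded")
	}
	h.cur, h.loaded = h.loaded, nil
	return nil
}

// ReEncrypt re-wraps a key from the current to the loaded master key.
func (h *HSM) ReEncrypt(wrapped []byte) ([]byte, error) {
	key, err := unwrap(h.cur, wrapped)
	if err != nil {
		return nil, err
	}
	return wrap(h.loaded, key), nil
}

// MAC stands for the operation the component keeps using: HMAC-SHA256 with the unwrapped key.
func (h *HSM) MAC(wrapped, data []byte) ([]byte, error) {
	key, err := unwrap(h.cur, wrapped)
	if err != nil {
		return nil, err
	}
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil), nil
}

// KeyObject: CurKey works on HSMs still on the old MK, NewKey on HSMs already switched.
type KeyObject struct{ CurKey, NewKey []byte }

// Component is the active software component that must keep working throughout.
type Component struct {
	HSMs    []*HSM
	allowed []*HSM // during a rotation: only the HSMs already set to the new MK
	useNew  bool   // use NewKey, i.e. the allowed HSMs carry the new MK
	Key     KeyObject
	rr      int
}

// MAC round-robins over the usable HSMs with the key component matching their MK.
func (c *Component) MAC(data []byte) ([]byte, error) {
	pool, k := c.HSMs, c.Key.CurKey
	if c.useNew {
		pool, k = c.allowed, c.Key.NewKey
	}
	c.rr++
	return pool[c.rr%len(pool)].MAC(k, data)
}

// StartRotation: the new MK is loaded into every HSM and the key is re-encrypted into
// NewKey, while CurKey keeps serving on every HSM.
func (c *Component) StartRotation(newMK []byte) (err error) {
	for _, h := range c.HSMs {
		h.loaded = newMK
	}
	c.Key.NewKey, err = c.HSMs[0].ReEncrypt(c.Key.CurKey)
	return err
}

// SwitchHSM sets the new MK in HSM i; from the first switch on, usage is restricted
// to the switched HSMs, which are used with NewKey.
func (c *Component) SwitchHSM(i int) error {
	if err := c.HSMs[i].SetNewMK(); err != nil {
		return err
	}
	c.allowed, c.useNew = append(c.allowed, c.HSMs[i]), true
	return nil
}

// FinishRotation: all HSMs carry the new MK, NewKey moves to CurKey, restriction lifted.
func (c *Component) FinishRotation() {
	c.Key, c.allowed, c.useNew = KeyObject{CurKey: c.Key.NewKey}, nil, false
}

func main() {
	mk1, mk2 := bytes.Repeat([]byte{1}, 16), bytes.Repeat([]byte{2}, 16) // constructed master keys
	c := &Component{HSMs: []*HSM{NewHSM(mk1), NewHSM(mk1)}, Key: KeyObject{CurKey: wrap(mk1, bytes.Repeat([]byte{7}, 16))}}
	before, _ := c.MAC([]byte("payload"))
	c.StartRotation(mk2)
	c.SwitchHSM(0)
	mid, err := c.MAC([]byte("payload")) // HSM 1 is still on mk1; HSM 0 serves with NewKey
	c.SwitchHSM(1)
	c.FinishRotation()
	after, _ := c.MAC([]byte("payload"))
	fmt.Println("no interruption, same key throughout:", err == nil && bytes.Equal(before, mid) && bytes.Equal(mid, after))
}
```

The restriction step is the part that is easy to get wrong: between the first and the last SetNewMK the pool is mixed, and a component that kept spreading requests across all HSMs would see every request that lands on a switched HSM with curKey (or on an unswitched one with newKey) fail. Pinning to the switched subset with newKey keeps every request valid, and the final move of newKey into curKey lets the component forget the rotation ever happened.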
-
Publication number: US11635991B2
Publication date: 2023-04-25
Application number: US17321869
Filing date: 2021-05-17
Inventors: Utz Bacher, Reinhard Theodor Buendgen, Jonathan D. Bradbury, Lisa Cranton Heller, Fadi Y. Busaba
Abstract: According to one or more embodiments of the present invention, a computer-implemented method includes receiving a query for an amount of storage in the memory of a computer system to be donated to a secure interface control of the computer system. The secure interface control can determine the amount of storage to be donated based on a plurality of secure entities supported by the secure interface control, as a plurality of predetermined values. The secure interface control can return a response to the query indicating the amount of storage. A donation of storage, to be secured for use by the secure interface control, can then be received based on the response to the query.
-
Publication number: US20230037746A1
Publication date: 2023-02-09
Application number: US17395006
Filing date: 2021-08-05
Abstract: A trusted execution environment obtains a secure guest image and metadata to be used to start a secure guest. The metadata includes multiple parts and a plurality of integrity measures. A first part of the metadata includes one or more integrity measures of the plurality of integrity measures, and a second part of the metadata includes customized confidential data of the secure guest and one or more other integrity measures of the plurality of integrity measures. The trusted execution environment is used to verify at least one selected part of the metadata using at least one integrity measure of the plurality of integrity measures of the metadata. Based on successful verification of the at least one selected part of the metadata, the trusted execution environment starts the secure guest using the secure guest image and at least a portion of the metadata.
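Added example (not the patents' code) in Go covering both the two-part metadata above and the updated-image flow of US12130953B2 earlier in this list. Assumptions: the integrity measures are SHA-256 over the image, over the kernel command line and over the JSON encoding of part 2; part 2 holds a single confidential string standing in for the guest's volume key; the TEE recognizes a guest by an ID it assigned when it started that guest; and nothing here models the encryption of part 2 or the signature that a real metadata format would also carry. The image bytes, command line and volume key are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

func measure(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// measureJSON measures a metadata part over its canonical JSON encoding.
func measureJSON(v interface{}) string { b, _ := json.Marshal(v); return measure(b) }

// Part1 is the first part of the metadata: integrity measures only, nothing confidential.
type Part1 struct {
	ImageMeasure string `json:"image"` // measure of the guest image
	Part2Measure string `json:"part2"` // measure binding the confidential part to this part
}

// Part2 carries the guest's customized confidential data plus further measures.
type Part2 struct {
	Confidential   string `json:"confidential"` // e.g. the key of the guest's encrypted volume
	CmdlineMeasure string `json:"cmdline"`      // measure of the kernel command line the guest must boot with
}

type Metadata struct {
	Part1 Part1 `json:"part1"`
	Part2 Part2 `json:"part2"`
}

// NewMetadata is what the image owner runs once when preparing the initial image.
func NewMetadata(image, cmdline []byte, confidential string) Metadata {
	p2 := Part2{Confidential: confidential, CmdlineMeasure: measure(cmdline)}
	return Metadata{Part1{measure(image), measureJSON(p2)}, p2}
}

type Guest struct {
	ID           int
	Confidential string // released into the guest only after verification
}

// TEE models the trusted execution environment that verifies and starts guests.
type TEE struct {
	guests map[int]*Guest
	nextID int
}

func NewTEE() *TEE { return &TEE{guests: map[int]*Guest{}} }

// Verify checks the selected parts against the integrity measures carried in the metadata.
func (t *TEE) Verify(image, cmdline []byte, md Metadata) error {
	switch {
	case measureJSON(md.Part2) != md.Part1.Part2Measure:
		return errors.New("metadata part 2 does not match its integrity measure")
	case measure(image) != md.Part1.ImageMeasure:
		return errors.New("guest image does not match its integrity measure")
	case measure(cmdline) != md.Part2.CmdlineMeasure:
		return errors.New("command line does not match its integrity measure")
	}
	return nil
}

// StartGuest starts the guest only after successful verification.
func (t *TEE) StartGuest(image, cmdline []byte, md Metadata) (*Guest, error) {
	if err := t.Verify(image, cmdline, md); err != nil {
		return nil, err
	}
	g := &Guest{ID: t.nextID, Confidential: md.Part2.Confidential}
	t.nextID++
	t.guests[g.ID] = g
	return g, nil
}

// MeasureUpdate runs inside the secure guest after it has generated its updated image.
func (g *Guest) MeasureUpdate(newImage, newCmdline []byte) (imageMeasure, cmdlineMeasure string) {
	return measure(newImage), measure(newCmdline)
}

// UpdatedMetadata is the TEE side: it accepts measurements only from a secure guest it
// started and derives the new metadata from that guest's existing metadata, so the
// confidential data is carried over without ever leaving the TEE.
func (t *TEE) UpdatedMetadata(guestID int, imageMeasure, cmdlineMeasure string) (Metadata, error) {
	g, ok := t.guests[guestID]
	if !ok {
		return Metadata{}, errors.New("measurements did not come from a secure guest of this TEE")
	}
	p2 := Part2{Confidential: g.Confidential, CmdlineMeasure: cmdlineMeasure}
	return Metadata{Part1{imageMeasure, measureJSON(p2)}, p2}, nil
}

func main() {
	tee := NewTEE()
	v1, cmd := []byte("guest image v1"), []byte("root=/dev/vda1 quiet") // constructed
	md1 := NewMetadata(v1, cmd, "volume-key-0001")
	g, err := tee.StartGuest(v1, cmd, md1)
	if err != nil {
		panic(err)
	}
	v2 := []byte("guest image v2, built inside the secure guest")
	im, cm := g.MeasureUpdate(v2, cmd)
	md2, _ := tee.UpdatedMetadata(g.ID, im, cm)
	_, errOld := tee.StartGuest(v2, cmd, md1)
	_, errNew := tee.StartGuest(v2, cmd, md2)
	fmt.Println("v2 with old metadata:", errOld, "| v2 with updated metadata:", errNew)
}
```

Verify is ordered so that the cheap part-2 binding is checked first; if that fails, the image and command-line measures inside part 2 are not trusted at all. In the update flow the guest never sees or re-sends its confidential data: it sends only measurements, and the TEE copies the confidential part from the metadata it already holds for that guest.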
-
Publication number: US11533174B2
Publication date: 2022-12-20
Application number: US16775851
Filing date: 2020-01-29
Abstract: At least one secure object of a security module is bound to a secure guest. A trusted component determines whether the metadata of the secure guest includes a confidential binding attribute for the security module. Based on determining that the metadata includes the confidential binding attribute, the trusted component configures the security module for the secure guest in a select mode. The select mode prevents certain operations from being intercepted by a hypervisor associated with the secure guest. The trusted component intercepts a security module communication and performs a cryptographic operation on one or more secure objects of the security module communication using the confidential binding attribute to provide a cryptographic result. An outcome of the security module communication, which includes the cryptographic result, is provided to a receiver.
-
Publication number: US12019772B2
Publication date: 2024-06-25
Application number: US17474220
Filing date: 2021-09-14
Inventors: Jonathan D. Bradbury, Torsten Hendel, Reinhard Theodor Buendgen, Claudio Imbrenda, Christian Borntraeger, Janosch Andreas Frank
IPC classification: G06F21/62
CPC classification: G06F21/6209
Abstract: At least one request to store diagnostic state of a virtual machine is obtained. Based on obtaining the at least one request, a store of the diagnostic state of the virtual machine is performed to provide stored diagnostic state of the virtual machine. Performing the store includes encrypting the diagnostic state of the virtual machine, which is unencrypted while being stored, so that an untrusted entity cannot read the diagnostic state before it has been encrypted.
-
Publication number: US20230040468A1
Publication date: 2023-02-09
Application number: US17393449
Filing date: 2021-08-04
Abstract: A computer-implemented method for providing a system-specific secret to a computing system having a plurality of computing components is disclosed. The method includes permanently storing a component-specific import key as part of a computing component and storing the component-specific import key in a manufacturing-side storage system. Upon a request for the system-specific secret for a computing system, the method includes identifying the computing component comprised in the computing system, retrieving a record relating to the identified computing component, determining the system-specific secret, which is protected by a hardware security module, and determining a system-specific auxiliary key. Furthermore, the method includes encrypting the system-specific auxiliary key with the retrieved component-specific import key, thereby creating an auxiliary key bundle, encrypting the system-specific secret, and storing the auxiliary key bundle and a system record in a storage medium of the computing system.
-
Publication number: US11475167B2
Publication date: 2022-10-18
Application number: US16775887
Filing date: 2020-01-29
Inventors: Reinhard Theodor Buendgen, Volker Urban, Richard Victor Kisley, Jonathan D. Bradbury, Torsten Hendel, Harald Freudenberger, Benedikt Klotz, Klaus Werner, Markus Selve
Abstract: A security module, such as a cryptographic adapter, is reserved for a secure guest of a computing environment. The reserving includes binding one or more queues of the security module to the secure guest. The one or more queues are then managed based on one or more actions relating to the reservation.