公开(公告)号：US07478246B2

公开(公告)日：2009-01-13

申请号：US10902670

申请日：2004-07-29

申请人： Richard Louis Arndt ,  Steven A. Bade ,  Thomas J. Dewkett ,  Charles W. Gainey, Jr. ,  Nia Letise Kelley ,  Siegfried Sutter ,  Helmut H. Weber

发明人： Richard Louis Arndt ,  Steven A. Bade ,  Thomas J. Dewkett ,  Charles W. Gainey, Jr. ,  Nia Letise Kelley ,  Siegfried Sutter ,  Helmut H. Weber

IPC分类号： G06F11/30 ,  H04K1/10

CPC分类号： H04L63/20 ,  G06F21/57 ,  H04L63/0876 ,  H04L63/102

摘要： A method is described for implementing a trusted computing environment within a data processing system where the data processing system includes a single hardware trusted platform module (TPM). Multiple logical partitions are provided in the data processing system. A unique context is generated for each one of the logical partitions. When one of the logical partitions requires access to the hardware TPM, that partition's context is required to be stored in the hardware TPM. The hardware TPM includes a finite number of storage locations, called context slots, for storing contexts. Each context slot can store one partition's context. Each one of the partitions is associated with one of the limited number of context storage slots in the hardware TPM. At least one of the context slots is simultaneously associated with more than one of the logical partitions. Contexts are swapped into and out of the hardware TPM during runtime of the data processing system so that when ones of the partitions require access to the hardware TPM, their required contexts are currently stored in the hardware TPM.

摘要翻译： 描述了一种在数据处理系统内实现可信计算环境的方法，其中数据处理系统包括单个硬件可信平台模块（TPM）。 在数据处理系统中提供了多个逻辑分区。 为每个逻辑分区生成唯一的上下文。 当其中一个逻辑分区需要访问硬件TPM时，该分区的上下文需要存储在硬件TPM中。 硬件TPM包括有限数量的存储位置，称为上下文时隙，用于存储上下文。 每个上下文时隙都可以存储一个分区的上下文。 每个分区与硬件TPM中的有限数量的上下文存储时隙中的一个相关联。 至少一个上下文时隙同时与多于一个的逻辑分区相关联。 在数据处理系统的运行期间，上下文交换进出硬件TPM，以便当这些分区中的一个需要访问硬件TPM时，其所需的上下文当前存储在硬件TPM中。

公开(公告)号：US07996687B2

公开(公告)日：2011-08-09

申请号：US12262445

申请日：2008-10-31

申请人： Richard Louis Arndt ,  Steven A. Bade ,  Thomas J. Dewkett ,  Charles W. Gainey, Jr. ,  Nia Letise Kelley ,  Siegfried Sutter ,  Helmut H. Weber

发明人： Richard Louis Arndt ,  Steven A. Bade ,  Thomas J. Dewkett ,  Charles W. Gainey, Jr. ,  Nia Letise Kelley ,  Siegfried Sutter ,  Helmut H. Weber

IPC分类号： G06F11/30 ,  H04K1/10

CPC分类号： H04L63/20 ,  G06F21/57 ,  H04L63/0876 ,  H04L63/102

摘要： Multiple logical partitions are provided in a data processing system. A unique context is generated for each one of the logical partitions. When one of the logical partitions requires access to the hardware TPM, that partition's context is required to be stored in the hardware TPM. The hardware TPM includes a finite number of storage locations, called context slots, for storing contexts. Each context slot can store one partition's context. Each one of the partitions is associated with one of the limited number of context storage slots in the hardware TPM. At least one of the context slots is simultaneously associated with more than one of the logical partitions. Contexts are swapped into and out of the hardware TPM during runtime of the data processing system so that when ones of the partitions require access to the hardware TPM, their required contexts are currently stored in the hardware TPM.

摘要翻译： 在数据处理系统中提供了多个逻辑分区。 为每个逻辑分区生成唯一的上下文。 当其中一个逻辑分区需要访问硬件TPM时，该分区的上下文需要存储在硬件TPM中。 硬件TPM包括有限数量的存储位置，称为上下文时隙，用于存储上下文。 每个上下文时隙都可以存储一个分区的上下文。 每个分区与硬件TPM中的有限数量的上下文存储时隙中的一个相关联。 至少一个上下文时隙同时与多于一个的逻辑分区相关联。 在数据处理系统的运行期间，上下文交换进出硬件TPM，以便当这些分区中的一个需要访问硬件TPM时，其所需的上下文当前存储在硬件TPM中。

公开(公告)号：US20100042823A1

公开(公告)日：2010-02-18

申请号：US12262445

申请日：2008-10-31

申请人： Richard Louis Arndt ,  Steven A. Bade ,  Thomas J. Dewkett ,  Charles W. Gainey, JR. ,  Nia Letise Kelley ,  Siegfried Sutter ,  Helmut H. Weber

发明人： Richard Louis Arndt ,  Steven A. Bade ,  Thomas J. Dewkett ,  Charles W. Gainey, JR. ,  Nia Letise Kelley ,  Siegfried Sutter ,  Helmut H. Weber

IPC分类号： G06F12/14 ,  G06F9/24 ,  G06F9/455

CPC分类号： H04L63/20 ,  G06F21/57 ,  H04L63/0876 ,  H04L63/102

摘要： A method, apparatus, and computer program product are described for implementing a trusted computing environment within a data processing system where the data processing system includes a single hardware trusted platform module (TPM). Multiple logical partitions are provided in the data processing system. A unique context is generated for each one of the logical partitions. When one of the logical partitions requires access to the hardware TPM, that partition's context is required to be stored in the hardware TPM. The hardware TPM includes a finite number of storage locations, called context slots, for storing contexts. Each context slot can store one partition's context. Each one of the partitions is associated with one of the limited number of context storage slots in the hardware TPM. At least one of the context slots is simultaneously associated with more than one of the logical partitions. Contexts are swapped into and out of the hardware TPM during runtime of the data processing system so that when ones of the partitions require access to the hardware TPM, their required contexts are currently stored in the hardware TPM.

摘要翻译： 描述了一种在数据处理系统内实现可信计算环境的方法，装置和计算机程序产品，其中数据处理系统包括单个硬件可信平台模块（TPM）。 在数据处理系统中提供了多个逻辑分区。 为每个逻辑分区生成唯一的上下文。 当其中一个逻辑分区需要访问硬件TPM时，该分区的上下文需要存储在硬件TPM中。 硬件TPM包括有限数量的存储位置，称为上下文时隙，用于存储上下文。 每个上下文时隙都可以存储一个分区的上下文。 每个分区与硬件TPM中的有限数量的上下文存储时隙中的一个相关联。 至少一个上下文时隙同时与多于一个的逻辑分区相关联。 在数据处理系统的运行期间，上下文交换进出硬件TPM，以便当这些分区中的一个需要访问硬件TPM时，其所需的上下文当前存储在硬件TPM中。

公开(公告)号：US08707383B2

公开(公告)日：2014-04-22

申请号：US11464929

申请日：2006-08-16

申请人： Steven A. Bade ,  Andrew Gregory Kegel ,  Ronald Perez ,  Brian D. You

发明人： Steven A. Bade ,  Andrew Gregory Kegel ,  Ronald Perez ,  Brian D. You

IPC分类号： H04L29/00

CPC分类号： G06F9/4856 ,  G06F9/5027 ,  G06F21/53

摘要： A computer implemented method, data processing system, and computer program product for managing computer workloads with security policy enforcement. When a determination is made that a component in a data processing system has failed to meet processing requirements, a candidate host to where the component may be migrated based on performance considerations is identified. A first security policy associated with the component is compared to a second security policy associated with the candidate host to determine if the first security policy is equivalent to or stronger than the second security policy. Responsive to a determination that the first security policy is equivalent to or stronger than the second security policy, the component is migrated to the candidate host.

摘要翻译： 一种计算机实现的方法，数据处理系统和用于通过安全策略实施管理计算机工作负载的计算机程序产品。 当确定数据处理系统中的组件不能满足处理要求时，识别基于性能考虑可以迁移组件的候选主机。 将与组件相关联的第一安全策略与与候选主机相关联的第二安全策略进行比较，以确定第一安全策略是否等于或强于第二安全策略。 响应于确定第一安全策略等于或强于第二安全策略，组件将迁移到候选主机。

公开(公告)号：US20080046960A1

公开(公告)日：2008-02-21

申请号：US11464929

申请日：2006-08-16

申请人： Steven A. Bade ,  Andrew Gregory Kegel ,  Ronald Perez ,  Brian D. You

发明人： Steven A. Bade ,  Andrew Gregory Kegel ,  Ronald Perez ,  Brian D. You

IPC分类号： H04L9/00

CPC分类号： G06F9/4856 ,  G06F9/5027 ,  G06F21/53

摘要： A computer implemented method, data processing system, and computer program product for managing computer workloads with security policy enforcement. When a determination is made that a component in a data processing system has failed to meet processing requirements, a candidate host to where the component may be migrated based on performance considerations is identified. A first security policy associated with the component is compared to a second security policy associated with the candidate host to determine if the first security policy is equivalent to or stronger than the second security policy. Responsive to a determination that the first security policy is equivalent to or stronger than the second security policy, the component is migrated to the candidate host.

摘要翻译： 一种计算机实现的方法，数据处理系统和用于通过安全策略实施管理计算机工作负载的计算机程序产品。 当确定数据处理系统中的组件不能满足处理要求时，识别基于性能考虑可以迁移组件的候选主机。 将与组件相关联的第一安全策略与与候选主机相关联的第二安全策略进行比较，以确定第一安全策略是否等于或强于第二安全策略。 响应于确定第一安全策略等于或强于第二安全策略，组件将迁移到候选主机。

公开(公告)号：US20090063857A1

公开(公告)日：2009-03-05

申请号：US12261060

申请日：2008-10-30

申请人： Steven A. Bade ,  Ryan Charles Catherman ,  James Patrick Hoff ,  Nia Letise Kelley ,  Emily Jane Ratliff

发明人： Steven A. Bade ,  Ryan Charles Catherman ,  James Patrick Hoff ,  Nia Letise Kelley ,  Emily Jane Ratliff

IPC分类号： G06F21/00

CPC分类号： G06F21/53

摘要： A method is presented for implementing a trusted computing environment within a data processing system. A hypervisor is initialized within the data processing system, and the hypervisor supervises a plurality of logical, partitionable, runtime environments within the data processing system. The hypervisor reserves a logical partition for a hypervisor-based trusted platform module (TPM) and presents the hypervisor-based trusted platform module to other logical partitions as a virtual device via a device interface. Each time that the hypervisor creates a logical partition within the data processing system, the hypervisor also instantiates a logical TPM within the reserved partition such that the logical TPM is anchored to the hypervisor-based TPM. The hypervisor manages multiple logical TPM's within the reserved partition such that each logical TPM is uniquely associated with a logical partition.

公开(公告)号：US06778837B2

公开(公告)日：2004-08-17

申请号：US09815542

申请日：2001-03-22

申请人： Steven A. Bade ,  Robert H. LeGrand, III ,  Mark-David J. McLaughlin

发明人： Steven A. Bade ,  Robert H. LeGrand, III ,  Mark-David J. McLaughlin

IPC分类号： H04Q720

CPC分类号： H04W12/08 ,  H04W88/02

摘要： The present invention includes as one embodiment a method for automatically controlling access to a mobile computing device with pertinent data. The method includes predefining access parameters of the mobile computing device, determining an actual location of the mobile computing device and using the actual location of the mobile computing device to automatically control access to the mobile computing device based on the predefined access parameters. Also, the method includes storing the predefined access parameters in a private Internet networked location, accessing and updating the predefined access parameters and sending the updated access parameters to the mobile computing device.

摘要翻译： 本发明包括作为一个实施例的用于使用相关数据自动控制对移动计算设备的访问的方法。 该方法包括预定义移动计算设备的接入参数，确定移动计算设备的实际位置并使用移动计算设备的实际位置来基于预定义的接入参数来自动控制对移动计算设备的接入。 此外，该方法包括将预定义的访问参数存储在专用因特网联网位置，访问和更新预定义的访问参数并将更新的访问参数发送到移动计算设备。

公开(公告)号：US08065522B2

公开(公告)日：2011-11-22

申请号：US12125871

申请日：2008-05-22

申请人： Steven A. Bade ,  Linda Nancy Betz ,  Andrew Gregory Kegel ,  Michael J. Kelly ,  William Lee Terrell

发明人： Steven A. Bade ,  Linda Nancy Betz ,  Andrew Gregory Kegel ,  Michael J. Kelly ,  William Lee Terrell

IPC分类号： H04L29/00 ,  H04L9/00

CPC分类号： G06F21/57 ,  G06F21/53 ,  H04L9/0897

摘要： A method, an apparatus, a system, and a computer program product is presented for virtualizing trusted platform modules within a data processing system. A virtual trusted platform module along with a virtual endorsement key is created within a physical trusted platform module within the data processing system using a platform signing key of the physical trusted platform module, thereby providing a transitive trust relationship between the virtual trusted platform module and the core root of trust for the trusted platform. The virtual trusted platform module can be uniquely associated with a partition in a partitionable runtime environment within the data processing system.

摘要翻译： 提出了一种方法，装置，系统和计算机程序产品，用于虚拟化数据处理系统内的可信平台模块。 使用物理可信平台模块的平台签名密钥在数据处理系统内的物理可信平台模块内创建虚拟可信平台模块以及虚拟认证密钥，从而在虚拟可信平台模块和虚拟可信平台模块之间提供传递信任关系 信任平台的核心信任根源。 虚拟可信平台模块可以与数据处理系统内的可分区运行时环境中的分区唯一关联。

公开(公告)号：US07809821B2

公开(公告)日：2010-10-05

申请号：US11913193

申请日：2007-02-16

申请人： Steven A. Bade ,  Andrew G. Kegel ,  Leendert P. Van Doorn

发明人： Steven A. Bade ,  Andrew G. Kegel ,  Leendert P. Van Doorn

IPC分类号： G06F15/173 ,  G06F15/16 ,  G06F11/30 ,  G21C17/00

CPC分类号： G06F21/577 ,  G06F11/3409 ,  G06F2201/81

摘要： A solution for evaluating trust in a computer infrastructure is provided. In particular, a plurality of computing devices in the computer infrastructure evaluate one or more other computing devices in the computer infrastructure based on a set of device measurements for the other computing device(s) and a set of reference measurements. To this extent, each of the plurality of computing devices also provides a set of device measurements for processing by the other computing device(s) in the computer infrastructure.

摘要翻译： 提供了一种评估计算机基础设施信任的解决方案。 特别地，计算机基础设施中的多个计算设备基于用于其他计算设备的一组设备测量值和一组参考测量结果来评估计算机基础结构中的一个或多个其他计算设备。 在这种程度上，多个计算设备中的每一个还提供一组设备测量值以供计算机基础设施中的其他计算设备处理。

公开(公告)号：US07653819B2

公开(公告)日：2010-01-26

申请号：US10957545

申请日：2004-10-01

申请人： Steven A. Bade ,  Charles Douglas Ball ,  Ryan Charles Catherman ,  James Patrick Hoff ,  James Peter Ward

发明人： Steven A. Bade ,  Charles Douglas Ball ,  Ryan Charles Catherman ,  James Patrick Hoff ,  James Peter Ward

IPC分类号： G06F21/00

CPC分类号： G06F21/57

摘要： A method, computer program, and system for paging platform configuration registers in and out of a trusted platform module. In a trusted computing platform, an unlimited number of platform configuration registers can be obtained through paging. The trust platform module encrypts and decrypts platform configuration registers for storage outside the trusted platform module.

摘要翻译： 用于寻呼平台配置的方法，计算机程序和系统在可信平台模块内进出。 在可信赖的计算平台中，可以通过寻呼获得无限数量的平台配置寄存器。 信任平台模块对平台配置寄存器进行加密和解密，以便在可信平台模块之外进行存储。