公开(公告)号：US09654464B2

公开(公告)日：2017-05-16

申请号：US14746469

申请日：2015-06-22

Applicant: Intel Corporation

Inventor： Vincent J. Zimmer ,  Michael A. Rothman

IPC: H04L29/06 ,  G06F21/57 ,  G06F21/71 ,  G06F21/72 ,  G06F21/80 ,  G06F13/40 ,  H04L9/32

CPC classification number: H04L63/0823 ,  G06F13/4068 ,  G06F21/575 ,  G06F21/71 ,  G06F21/72 ,  G06F21/80 ,  G06F2221/2107 ,  G06F2221/2115 ,  H04L9/3268 ,  H04L63/0435 ,  H04L63/061 ,  H04L63/08

Abstract: In one embodiment, a method is provided that may include one or more operations. One of these operations may include, in response, at least in part, to a request to store input data in storage, encrypting, based least in part upon one or more keys, the input data to generate output data to store in the storage. The one or more keys may be authorized by a remote authority. Alternatively or additionally, another of these operations may include, in response, at least in part, to a request to retrieve the input data from the storage, decrypting, based at least in part upon the at least one key, the output data. Many modifications, variations, and alternatives are possible without departing from this embodiment.

公开(公告)号：US09589155B2

公开(公告)日：2017-03-07

申请号：US14493786

申请日：2014-09-23

Applicant: Intel Corporation

Inventor： Rajesh Poornachandran ,  Vincent J. Zimmer ,  Shahrokh Shahidzadeh ,  Gopinatth Selvaraje

IPC: G06F21/73 ,  G06F21/55

CPC classification number: G06F21/73 ,  G06F21/55 ,  G06F21/575 ,  G06F21/74

Abstract: Technologies for verifying hardware components of a computing device include retrieving platform identification data of the computing device, wherein the platform identification data is indicative of one or more reference hardware components of the computing device, accessing hardware component identification data from one or more dual-headed identification devices of the computing device, and comparing the platform identification data to the hardware component identification data to determine whether a hardware component of the computing device has been modified. Each of the one or more dual-headed identification devices is secured to a corresponding hardware component of the computing device, includes identification data indicative of an identity of the corresponding hardware component of the computing device, and is capable of wired and wireless communication.

Abstract translation: 用于验证计算设备的硬件组件的技术包括检索所述计算设备的平台识别数据，其中所述平台标识数据指示所述计算设备的一个或多个参考硬件组件，从一个或多个双头 计算装置的识别装置，以及将平台识别数据与硬件部件识别数据进行比较，以确定计算装置的硬件部件是否已被修改。 一个或多个双头识别装置中的每一个被固定到计算装置的对应的硬件部件，包括指示计算装置的对应硬件部件的身份的识别数据，并且能够进行有线和无线通信。

公开(公告)号：US09589138B2

公开(公告)日：2017-03-07

申请号：US14860640

申请日：2015-09-21

Applicant: Intel Corporation

Inventor： Jiewen Yao ,  Vincent J. Zimmer

IPC: G06F9/24 ,  G06F9/00 ,  G06F15/177 ,  H04L29/06 ,  H04L9/32 ,  G06F12/14 ,  G06F7/04 ,  G06F17/30 ,  G06F21/57 ,  H04L9/30 ,  G06F21/79 ,  G06F9/44 ,  G06F21/60 ,  G06F21/51 ,  G06F21/64 ,  G06F21/44

CPC classification number: G06F21/572 ,  G06F9/24 ,  G06F9/4401 ,  G06F9/4416 ,  G06F21/44 ,  G06F21/51 ,  G06F21/575 ,  G06F21/60 ,  G06F21/64 ,  G06F21/79 ,  H04L9/30 ,  H04L9/3247 ,  H04L63/0442 ,  H04L63/0853

Abstract: Various embodiments are generally directed to authenticating a chain of components of boot software of a computing device. An apparatus comprises a processor circuit and storage storing an initial boot software component comprising instructions operative on the processor circuit to select a first set of boot software components of multiple sets of boot software components, each set of boot software components defines a pathway that branches from the initial boot software component and that rejoins at a latter boot software component; authenticate a first boot software component of the first set of boot software components; and execute a sequence of instructions of the first boot software component to authenticate a second boot software component of the first set of boot software components to form a chain of authentication through a first pathway defined by the first set of boot software components. Other embodiments are described and claimed herein.

Abstract translation: 各种实施例通常涉及认证计算设备的引导软件的组件链。 一种装置包括处理器电路和存储存储包括在处理器电路上操作的指令的初始引导软件组件的存储器，以选择多组引导软件组件的第一组引导软件组件，每组引导软件组件定义了从 初始引导软件组件，并在后一个引导软件组件中重新加入; 验证第一组引导软件组件的第一引导软件组件; 以及执行所述第一引导软件组件的指令序列以验证所述第一组引导软件组件的第二引导软件组件，以通过由所述第一组引导软件组件定义的第一路径形成认证链。 在此描述和要求保护的其它实施例。

公开(公告)号：US20160378976A1

公开(公告)日：2016-12-29

申请号：US14749856

申请日：2015-06-25

Applicant: Intel Corporation

Inventor： Karunakara Kotary ,  Rajesh Poornachandran ,  Scott D. Brenden ,  Vincent J. Zimmer

IPC: G06F21/53 ,  G06F21/57 ,  G06F12/14 ,  G06F3/06

CPC classification number: G06F21/53 ,  G06F3/0623 ,  G06F3/0655 ,  G06F3/0679 ,  G06F12/1408 ,  G06F21/572 ,  G06F2212/1052 ,  G06F2221/2111

Abstract: Systems, apparatuses and methods may provide for receiving, from a host driver, factory data including one or more of calibration data, platform identifier data, manufacturer data or wireless carrier data, and verifying integrity of the factory data. Additionally, the factory data may be provisioned into non-volatile memory (NVM) in accordance with an operating system independent format managed by a platform root-of-trust such as a Trusted Execution Environment (TEE). In one example, provisioning the factory data includes defining one or more partitions in the NVM, initiating storage of the factory data to the NVM along the one or more partitions, and specifying a restriction profile for the one or more partitions, wherein the restriction profile includes one or more of read restrictions, write restrictions, time bound restrictions or location bound restrictions.

Abstract translation: 系统，装置和方法可以提供从主机驱动器接收包括校准数据，平台标识符数据，制造商数据或无线载体数据中的一个或多个的工厂数据，以及验证工厂数据的完整性。 此外，工厂数据可以根据由诸如可信执行环境（TEE）的平台信任根目录管理的操作系统独立格式而被提供给非易失性存储器（NVM）。 在一个示例中，提供工厂数据包括定义NVM中的一个或多个分区，沿着一个或多个分区启动工厂数据到NVM的存储，以及指定一个或多个分区的限制简档，其中限制简档 包括读取限制，写入限制，时间限制限制或位置绑定限制中的一个或多个。

公开(公告)号：US09465623B2

公开(公告)日：2016-10-11

申请号：US14478603

申请日：2014-09-05

Applicant: Intel Corporation

Inventor： Vincent J. Zimmer ,  Michael A. Rothman

IPC: G06F9/44 ,  H04L29/08 ,  H04L12/24

CPC classification number: G06F9/4408 ,  G06F9/4401 ,  H04L41/0803 ,  H04L69/32

Abstract: A computer system is partitioned during a pre-boot phase of the computer system between a first partition and a second partition, wherein the first partition to include a first processing unit and the second partition to include a second processing unit. An Input/Output (I/O) operating system is booted on the first partition. A general purpose operating system is booted on the second partition. Network transactions are issued by the general purpose operating system to be performed by the I/O operating system. The network transactions are performed by the I/O operating system.

Abstract translation: 计算机系统在计算机系统的预引导阶段在第一分区和第二分区之间进行分区，其中第一分区包括第一处理单元，第二分区包括第二处理单元。 在第一个分区上引导输入/输出（I / O）操作系统。 通用操作系统在第二个分区上启动。 网络事务由通用操作系统由I / O操作系统执行。 网络事务由I / O操作系统执行。

公开(公告)号：US09262178B2

公开(公告)日：2016-02-16

申请号：US13718060

申请日：2012-12-18

Applicant: Intel Corporation

Inventor： Michael A. Rothman ,  Vincent J. Zimmer ,  Mark S. Doran ,  Michael D. Kinney

IPC: G06F9/44

CPC classification number: G06F9/4406

Abstract: Methods, systems and computer program products are disclosed for enhanced system boot processing that is faster to launch an operating system, as certain devices such as user input hardware devices may not be initialized unless it is determined that a user-interruption to the boot process is likely. That is, although an interface for the devices is exposed, no initialization occurs unless a call to the interface occurs. Other embodiments are described and claimed.

Abstract translation: 公开了用于增强系统启动处理的方法，系统和计算机程序产品，其更快地启动操作系统，因为某些设备（例如用户输入硬件设备）可能不被初始化，除非确定用户中断引导过程是 很可能 也就是说，虽然暴露了设备的接口，但是除非发生对接口的调用，否则不会进行初始化。 描述和要求保护其他实施例。

公开(公告)号：US20150213269A1

公开(公告)日：2015-07-30

申请号：US14679145

申请日：2015-04-06

Applicant: Intel Corporation

Inventor： Vincent J. Zimmer ,  Bryant E. Bigbee ,  Andrew J. Fish ,  Mark S. Doran

IPC: G06F21/57 ,  G06F9/44

CPC classification number: G06F21/57 ,  G06F9/4401 ,  G06F9/4406 ,  G06F9/4416 ,  G06F21/575 ,  G06F2221/034

Abstract: In one embodiment, the present invention includes a method to establish a secure pre-boot environment in a computer system and performs at least one secure operation in the secure environment. In one embodiment, the secure operation may be storage of a secret in the secure pre-boot environment.

Abstract translation: 在一个实施例中，本发明包括在计算机系统中建立安全预引导环境并在安全环境中执行至少一个安全操作的方法。 在一个实施例中，安全操作可以是安全预引导环境中的秘密的存储。

公开(公告)号：US11907704B2

公开(公告)日：2024-02-20

申请号：US17734669

申请日：2022-05-02

Applicant: Intel Corporation

Inventor： Ned M. Smith ,  Kshitij Arun Doshi ,  John J. Browne ,  Vincent J. Zimmer ,  Francesc Guim Bernat ,  Kapil Sood

IPC: G06F8/65 ,  G06F21/44 ,  G06F21/64 ,  H04L9/12 ,  H04L9/14 ,  H04L9/40 ,  H04L9/32 ,  H04L9/08

CPC classification number: G06F8/65 ,  G06F21/44 ,  G06F21/64 ,  H04L9/0861 ,  H04L9/0891 ,  H04L9/0894 ,  H04L9/12 ,  H04L9/14 ,  H04L9/3213 ,  H04L9/3228 ,  H04L9/3236 ,  H04L9/3247 ,  H04L9/3263 ,  H04L9/3273 ,  H04L63/0876 ,  H04L63/12

Abstract: Various systems and methods for enabling derivation and distribution of an attestation manifest for a software update image are described. In an example, these systems and methods include orchestration functions and communications, providing functionality and components for a software update process which also provides verification and attestation among multiple devices and operators.

公开(公告)号：US11182172B2

公开(公告)日：2021-11-23

申请号：US15589467

申请日：2017-05-08

Applicant: Intel Corporation

Inventor： Michael A. Rothman ,  Vincent J. Zimmer ,  Zijian You

IPC: G06F9/4401 ,  G06F9/54 ,  G06F9/48

Abstract: Technologies for transitioning between operating systems include a computing device having a main memory and a data storage device. The computing device executes a first operating system and monitors for an operating system toggle event. The toggle event may be a software command, a hardware buttonpress, or other user command. In response to the toggle event, the computing device copies state data of the first operating system to a reserved memory area. After copying the state data, the computing device executes a second operating system. While the second operating system is executing, the computing device copies the state data of the first operating system from the reserved memory area to the data storage device. The computing device monitors for operating system toggle events during execution of the second operating system and may similarly toggle execution back to the first operating system. Other embodiments are described and claimed.

公开(公告)号：US10776524B2

公开(公告)日：2020-09-15

申请号：US15773262

申请日：2016-01-14

Applicant: Intel Corporation

Inventor： Jiewen Jacques Yao ,  Vincent J. Zimmer ,  Bassam N. Coury

IPC: H04L29/06 ,  G06F21/74 ,  G06F9/455 ,  G06F21/44 ,  H04L9/32

Abstract: Embodiments are directed to securing system management mode (SMM) in a computer system. A CPU is configurable to execute first code in a normal mode, and second code in a SMM. A SMM control engine is operative to transition the CPU from the normal mode to the SMM in response to a SMM transition call, and to control access by the CPU in the SMM to data from an originator of the SMM transition call. The access is controlled based on an authorization state assigned to the SMM transition call. An authorization engine is operative to perform authentication of the originator of the SMM transition call and to assign the authorization state based on an authentication result. The CPU in the SMM is prevented from accessing the data in response to the authentication result being a failure of authentication.