21. Protocol for trusted platform module recovery through context checkpointing
    Type: invention application
    Status: granted (in force)

    Publication No.: US20070192597A1

    Publication date: 2007-08-16

    Application No.: US11352762

    Filing date: 2006-02-13

    IPC classification: H04L9/00

    CPC classification: G06F21/57

    Abstract: A computer implemented method for recovering a partition context in the event of a system or hardware device failure. Upon receiving a command from a partition to modify context data in a trusted platform module (TPM) hardware device, a trusted platform module input/output host partition (TMPIOP) provides an encrypted copy of the context data and the command to the TPM hardware device, which processes the command and updates the context data. If the TPM hardware device successfully processes the command, the TMPIOP receives the updated context data from the TPM hardware device and stores the updated context data, received in encrypted form, in a context data cache or in non-volatile storage off-board the TPM hardware device. If the TPM hardware device fails to successfully process the command, the TMPIOP uses the last valid copy of the context data to retry processing of the command on a different TPM hardware device.


22. Sealing of data for applications
    Type: invention application
    Status: granted (in force)

    Publication No.: US20070136577A1

    Publication date: 2007-06-14

    Application No.: US11301803

    Filing date: 2005-12-13

    IPC classification: H04L9/00

    CPC classification: G06F21/57

    Abstract: A method, system and computer program product for implementing general purpose PCRs with extended semantics (referred to herein as "ePCRs") in a trusted, measured software module. The module is designed to run in a hypervisor context, in an isolated partition, or under other isolated configurations. Because the software module is provided as trusted (measured) code, the software implementing the PCRs is able to run as a simple software process in the operating system (OS), as long as the software is first measured and logged. The software-implemented ePCRs are generated as needed to record specific measurements of the software and hardware elements on which an application depends, and the ePCRs are able to ignore other non-dependencies.


23. Dynamic creation and hierarchical organization of trusted platform modules
    Type: invention application
    Status: pending (published)

    Publication No.: US20070079120A1

    Publication date: 2007-04-05

    Application No.: US11242673

    Filing date: 2005-10-03

    IPC classification: H04L9/00

    CPC classification: G06F21/57

    Abstract: A trusted platform module is presented that is capable of dynamically creating multiple virtual trusted platform modules in a hierarchical organization. A trusted platform module domain is created. The trusted platform module creates virtual trusted platform modules, as needed, in the trusted platform module domain. The virtual trusted platform modules can inherit the permissions of a parent trusted platform module, giving them the ability to create virtual trusted platform modules themselves. Each virtual trusted platform module is associated with a specific partition. Each partition is associated with an individual operating system. The hierarchy of created operating systems, and their privilege of spawning new operating systems, is reflected in the hierarchy of trusted platform modules and the privileges each of the trusted platform modules has.


24. Method and system for backup and restore of a context encryption key for a trusted device within a secured processing system
    Type: invention application
    Status: granted (in force)

    Publication No.: US20060088167A1

    Publication date: 2006-04-27

    Application No.: US10970459

    Filing date: 2004-10-21

    IPC classification: H04L9/00

    Abstract: A method and system for backup and restore of a context encryption key (CEK) for a trusted device within a secured processing system maintains the security of virtualized trusted device contexts while providing for replacement of a trusted device in the field. The CEK is encrypted along with a system identifier by a random number to yield a first result. The first result is again encrypted with a manufacturer public key. The resulting blob is stored along with the random number. To restore, the system sends the blob and the device ID to a server. The server obtains the first result by decrypting with the manufacturer private key, re-encrypts it with the device public key, and sends the new result back. The system sends the new result to the device along with the associated random number. The device decrypts the new result using its private key and then decrypts the CEK using the random number.


25. Method and system for virtualization of trusted platform modules
    Type: invention application
    Status: granted (in force)

    Publication No.: US20050246552A1

    Publication date: 2005-11-03

    Application No.: US10835330

    Filing date: 2004-04-29

    Abstract: A method, an apparatus, a system, and a computer program product are presented for virtualizing trusted platform modules within a data processing system. A virtual trusted platform module, along with a virtual endorsement key, is created within a physical trusted platform module within the data processing system using a platform signing key of the physical trusted platform module, thereby providing a transitive trust relationship between the virtual trusted platform module and the core root of trust for the trusted platform. The virtual trusted platform module can be uniquely associated with a partition in a partitionable runtime environment within the data processing system.
