-
Publication No.: US20170213054A1
Publication date: 2017-07-27
Application No.: US15328408
Filing date: 2014-10-30
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Liqun Chen , Chris I. Dalton , Fraser John Dickin , Nigel Edwards , Simon Kai-Ying Shiu
CPC classification number: G06F21/79 , G06F21/606 , G06F21/64 , H04L9/0822 , H04L9/083 , H04L2463/061
Abstract: In an example, transactions are secured between electronic circuits in a memory fabric. An electronic circuit may receive a transaction integrity key. The electronic circuit may compute a truncated message authentication code (MAC) using the received transaction integrity key and attach the truncated MAC to a security message header (SMH) of the transaction.
-
Publication No.: US20160232379A1
Publication date: 2016-08-11
Application No.: US15021022
Filing date: 2013-10-31
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Nigel Edwards , Chris Dalton , Paolo Faraboschi
CPC classification number: G06F21/64 , G06F12/1416 , G06F21/52 , G06F21/566 , G06F21/6218 , G06F21/79 , G06F2212/1052
Abstract: According to an example, memory integrity checking may include receiving computer program code, and using a loader to load the computer program code in memory. Memory integrity checking may further include verifying the integrity of the computer program code by selectively implementing synchronous verification and/or asynchronous verification. The synchronous verification may be based on loader security features associated with the loading of the computer program code. Further, the asynchronous verification may be based on a media controller associated with the memory containing the computer program code.
-
Publication No.: US11868474B2
Publication date: 2024-01-09
Application No.: US17280507
Filing date: 2019-01-08
Applicant: Hewlett Packard Enterprise Development LP
Inventor: Nigel Edwards , Michael R. Krause , Melvin Benedict , Ludovic Emmanuel Paul Noel Jacquin , Luis Luciani , Thomas Laffey , Theofrastos Koulouris , Shiva Dasari
CPC classification number: G06F21/57 , G06F21/32 , H04L9/0816 , H04L9/3226
Abstract: A method for securing a plurality of compute nodes includes authenticating a hardware architecture of each of a plurality of components of the compute nodes. The method also includes authenticating a firmware of each of the plurality of components. Further, the method includes generating an authentication database comprising a plurality of authentication descriptions that are based on the authenticated hardware architecture and the authenticated firmware. Additionally, a policy for securing a specified subset of the plurality of compute nodes is implemented by using the authentication database.
-
Publication No.: US11714910B2
Publication date: 2023-08-01
Application No.: US16007722
Filing date: 2018-06-13
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Geoffrey Ndu , David Altobelli , Nigel Edwards , Luis Luciani, Jr.
CPC classification number: G06F21/577 , G06F21/554 , G06F21/575 , G06F2221/033
Abstract: Examples disclosed herein relate to integrity monitoring of a computing system. Trust of state information is verified. Kernel code and module code are loaded into memory that is accessible to a device separate from a processor that loads the kernel code and module code. A measurement module is verified and loaded into memory. The state information can correspond to multiple symbols. The measurement module can measure the state information corresponding to each of the respective symbols to generate a set of initial measurements. The set of initial measurements can be provided to a device for integrity monitoring.
-
Publication No.: US11372970B2
Publication date: 2022-06-28
Application No.: US16299258
Filing date: 2019-03-12
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Yongqi Wang , Ludovic Emmanuel Paul Noel Jacquin , Nigel Edwards
Abstract: Systems and methods for multi-dimensional attestation are provided. One method for multi-dimensional attestation includes upon occurrence of a triggering event, taking triggered measurements of a platform, the platform including a security co-processor and a volatile memory; extending a platform configuration register of the volatile memory to include the triggered measurements; taking snapshots of the platform configuration register over time; storing the snapshots in a snapshot memory; and upon request, sending the triggered measurements and the snapshots to a verifier for detection of potential attacks.
-
Publication No.: US11360784B2
Publication date: 2022-06-14
Application No.: US16565915
Filing date: 2019-09-10
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Ludovic Emmanuel Paul Noel Jacquin , Nigel Edwards , Thomas M. Laffey
Abstract: Examples disclosed herein relate to using an integrity manifest certificate to verify the state of a platform. A device uses a device identity, provisioned and stored in a security co-processor, to retrieve an integrity proof from the security co-processor. The device includes at least one processing element, at least one memory device, and a bus including at least one bus device, and the device identity is associated with a device identity certificate signed by a first authority. The integrity proof includes a representation of each of a plurality of hardware components, including the at least one processing element, the at least one memory device, the at least one bus device, and a system board, and a representation of a plurality of firmware components included in the device. The integrity proof is provided to a certification station. The certification station determines that the integrity proof is an expected value based on an expected provisioning state of the device and the device identity. The certification station signs, using a second authority, an integrity manifest certificate based on the integrity proof and the device identity. The integrity manifest certificate is stored.
-
Publication No.: US11017090B2
Publication date: 2021-05-25
Application No.: US16222293
Filing date: 2018-12-17
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Ludovic Emmanuel Paul Noel Jacquin , Hamza Attak , Nigel Edwards
Abstract: A method of certifying a state of a platform includes receiving one or more software elements of a software stack of the platform by an authentication module and performing a hash algorithm on the software stack to generate one or more hash values. The software stack uniquely determines a software state of the platform. The method includes generating creation data, a creation hash, and a creation ticket, corresponding to the hash values and sending the creation ticket to the platform. The method also includes receiving the creation ticket by the authentication module and certifying the creation data and the creation hash based on the creation ticket. The method further includes generating a certified structure based on the creation data and performing the hash algorithm on the certified structure to generate a hash of the certified structure. The certified structure uniquely determines the software state of the platform.
-
Publication No.: US20210026948A1
Publication date: 2021-01-28
Application No.: US16523085
Filing date: 2019-07-26
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Geoffrey Ndu , Nigel Edwards
Abstract: In some examples, a system executes a monitor separate from an operating system (OS) that uses mapping information in accessing data in a physical memory. The monitor identifies, using the mapping information, invariant information of the OS (comprising program code) without suspending execution of the OS; the identifying comprises the monitor accessing the physical memory independently of the OS. The monitor determines, based on monitoring the invariant information of the OS, whether a security issue is present.
-
Publication No.: US10783246B2
Publication date: 2020-09-22
Application No.: US15420404
Filing date: 2017-01-31
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Nigel Edwards , Michael John Wray
IPC: G06F21/56
Abstract: Examples relate to snapshots of system memory. In an example implementation, structural information of a process in a snapshot of system memory is compared with hashes or fuzzy hashes of executable regions of the same process in a previous snapshot of system memory to determine whether there is a structural anomaly.
-
Publication No.: US10771264B2
Publication date: 2020-09-08
Application No.: US16155983
Filing date: 2018-10-10
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Nigel Edwards , Ludovic Emmanuel Paul Noel Jacquin , Thomas Laffey , Theofrastos Koulouris
Abstract: A method for secure data protection includes generating a firmware digital certificate for a layer of firmware. The firmware operates a hardware component of a compute node. The firmware digital certificate is an attribute certificate. The firmware digital certificate includes a cumulative hash of the layer of firmware and a nonce. The cumulative hash includes a concatenation of a hash of the layer of firmware and a hash of each of one or more lower layers of the firmware. The method includes authenticating the layer of firmware using a trusted data store. The trusted data store includes a binary image of an expected layer of firmware and a certificate chain comprising the hardware digital certificate and the firmware digital certificate.