Abstract:
Dynamic Root of Trust for Measurement (DRTM) mechanisms can be initiated, not by CPU-manufacturer-specific instructions, but by the execution of code in System Management Mode (SMM) that can modify the values stored in specific Platform Configuration Registers (PCRs) of a Trusted Platform Module (TPM). The SMM code can be verified prior to execution and it can be trusted based on the secure mechanisms used to update such code. The SMM code can restore a known, trusted state of the computing device and can initiate the measuring of subsequently executed code. In such a manner the Trusted Computing Base (TCB) can be limited.
Abstract:
A system for addressing bus components comprises a bus controller component that controls access between a CPU and a memory address space. A plurality of bus components connected to said bus controller over a bus are addressable via a memory mapped address within the address space. An address translation table is stored on at least one of the plurality of bus components. The bus translation table stores a translation between a virtual address and a real address.
Abstract:
Hardware encrypting storage devices can provide for hardware encryption of data being written to the storage media of such storage devices, and hardware decryption of data being read from that storage media. To utilize existing key management resources, which can be more flexible and accommodating, mechanisms for storing keys protected by the existing resources, but not the hardware encryption of the storage device, can be developed. Dedicated partitions that do not have corresponding encryption bands can be utilized to store keys in a non-hardware-encrypted manner. Likewise, partitions can be defined larger than their associated encryption bands, leaving room near the beginning and end for non-hardware-encrypted storage. Or a separate bit can be used to individually specify which data should be hardware encrypted. Additionally, automated processes can maintain synchronization between a partition table of the computing device and a band table of the hardware encrypting storage device.
Abstract:
A computing system has a resource for providing resource services, where each resource service is accessed by way of a system address (SA). A device requests the resource services of the resource by way of requests, where each request includes a remote address (RA) corresponding to an SA of the resource. A centralized address translator (CAT) has a database of RA/SA translations for the resource and the device, where each RA/SA translation in the database corresponds to a respective RA and SA. The device has a remote address translator (RAT) with a cache for storing priority RA/SA translations as obtained from the CAT. Each priority RA/SA translation in the cache of the RAT includes a validity flag set to indicate whether the priority translation is valid based on whether the SA has changed at the CAT.
Abstract:
A security device watches over the secure functionality in a computer system. This “watcher” security device may be integrated within the computer system or may be separate from it. The security device queries the secure functionality to determine whether the state of the secure functionality is acceptable. If no satisfactory state exists, or if no response is received, then a signal is transmitted. The signal may be auditory (a buzzer) or visual (a flashing light) in order to signal to any user that the secure functionality has been compromised. Optionally, human input devices may be disabled, or a monitoring service notified, in conjunction with or in lieu of the signal. If the secure functionality includes a secret shared between the secure functionality and the user, then the security device may signal the secret. For example, where the secret is visual, the security device may display the secret. Where there is more than one element of secure functionality in the computer system, the security device may separately watch and report on more than one element of secure functionality. The security device may also display status information regarding the computer system. Some or all of the security device may be distributed via a trusted distribution infrastructure.