Recovery agents and recovery plans over networks

    Publication No.: US10326599B2

    Publication date: 2019-06-18

    Application No.: US15149870

    Filing date: 2016-05-09

    Inventor: Thomas M. Laffey

    Abstract: Examples include sending and receiving recovery agents and recovery plans over networks. Some examples include receiving a recovery request over a network from a requestor, sending a response to the requestor over the network, sending an executable copy of a recovery agent with a validation measure to the requestor, establishing an encrypted connection with the requestor, receiving a second request from the requestor over the encrypted connection, determining a recovery plan that includes a command executable by the recovery agent, and sending the recovery plan to the requestor over the encrypted connection. In some examples, the recovery request includes data that identifies the requestor, and the response and the recovery plan are based on the data identifying the requestor.

    BINDING A VIRTUAL SECURITY PROCESSOR TO A PHYSICAL SECURITY PROCESSOR

    Publication No.: US20240348457A1

    Publication date: 2024-10-17

    Application No.: US18583323

    Filing date: 2024-02-21

    Inventor: Thomas M. Laffey

    CPC classification number: H04L9/3263 H04L9/0869

    Abstract: In some examples, a virtual manager in an electronic device generates a seed based on a first key stored in a physical security processor of the electronic device. The virtual manager initializes a virtual security processor by providing the seed to the virtual security processor. The electronic device creates, in the virtual security processor, a virtual security processor key based on the seed, and a virtual security processor certificate based on the virtual security processor key. The virtual security processor key is bound to the physical security processor based on the virtual security processor key being generated from the first key stored in the physical security processor. An identity of a virtual entity in the electronic device is included in the virtual security processor certificate.

    UNAUTHORIZED DEVICE DETECTION IN A COMPUTING ENVIRONMENT

    Publication No.: US20240137363A1

    Publication date: 2024-04-25

    Application No.: US18047785

    Filing date: 2022-10-18

    CPC classification number: H04L63/0876 H04L63/0209

    Abstract: In some examples, a system receives information from electronic devices comprising network devices and computing devices in a computing environment that are subject to attestations of interfaces of the network devices and the computing devices. For each interface of a given computing device being attested, the system verifies that the interface of the given computing device is connected to an interface of a corresponding network device that is being attested. For each interface of a given network device being attested, the system verifies that the interface of the given network device is connected to an interface of a corresponding computing device that is being attested or an interface of another network device that is being attested. The system detects a presence of an unauthorized electronic device in the computing environment in response to determining that an interface of a computing device being attested or an interface of a network device being attested is not connected to a corresponding interface of an electronic device being attested.

    Integrity manifest certificate

    Status: Granted patent

    Publication No.: US11360784B2

    Publication date: 2022-06-14

    Application No.: US16565915

    Filing date: 2019-09-10

    Abstract: Examples disclosed herein relate to using an integrity manifest certificate to verify the state of a platform. A device uses a device identity, provisioned and stored in a security co-processor, to retrieve an integrity proof from the security co-processor. The device includes at least one processing element, at least one memory device, and a bus including at least one bus device, and the device identity is associated with a device identity certificate signed by a first authority. The integrity proof includes a representation of each of a plurality of hardware components, including the at least one processing element, the at least one memory device, the at least one bus device, and a system board, and a representation of a plurality of firmware components included in the device. The integrity proof is provided to a certification station. The certification station determines that the integrity proof is an expected value based on an expected provisioning state of the device and the device identity. The certification station signs, using a second authority, an integrity manifest certificate based on the integrity proof and the device identity. The integrity manifest certificate is stored.

    SECURE MANAGEMENT AND EXECUTION OF COMPUTING CODE INCLUDING FIRMWARE

    Publication No.: US20200117804A1

    Publication date: 2020-04-16

    Application No.: US16159365

    Filing date: 2018-10-12

    Abstract: Secure management of computing code is provided herein. The computing code corresponds to computing programs, including firmware and software, that are stored in the memory of a computing device. When a processor attempts to read or execute computing code, a security controller measures that code and/or the corresponding program, thereby generating a security measurement value. The security controller uses the security measurement value to manage access to the memory. The security measurement value can be analyzed together with integrity values of the computing programs, which are calculated while the processor is held in reset. The integrity values indicate the validity or identity of the stored computing programs and provide a reference point against which computing programs being read or executed can be compared. The security controller can manage access to memory based on the security measurement value by hiding or exposing portions of the memory to the processor.

    SECRET SHARING-BASED ONBOARDING AUTHENTICATION

    Publication No.: US20200059469A1

    Publication date: 2020-02-20

    Application No.: US16200134

    Filing date: 2018-11-26

    Abstract: A technique includes receiving a request from a first electronic device to connect to a network and receiving a first secret part from the first electronic device. The technique includes regulating onboarding of the first electronic device. Regulating the onboarding includes authenticating the first electronic device. Authenticating the first electronic device includes communicating with a plurality of electronic devices that are connected to the network to receive a set of second secret parts; constructing a first secret from the first secret part and the set of second secret parts; and comparing the first secret to a second secret. Regulating the onboarding of the first electronic device includes allowing the first electronic device to connect to the network based on a result of the comparison.

    Methods and systems for enrolling Device Identifiers (DevIDs) on redundant hardware

    Publication No.: US12113907B2

    Publication date: 2024-10-08

    Application No.: US17808411

    Filing date: 2022-06-23

    Inventor: Thomas M. Laffey

    Abstract: Methods and systems for implementing DevID enrollment for hardware-redundant Trusted Platform Modules (TPMs) are described. A system can include hardware redundancy for management modules, and for the TPMs that correspond to each management module. Accordingly, a product can have a dual-TPM configuration, where both modules are associated with the same product. Further, a process that specifically accounts for the presence of dual TPMs when creating, issuing, and enrolling DevID certificates is described. The process issues and maintains DevID certificates for each TPM by synchronizing dual sessions that correspond to each TPM. The process also accounts for duplicate identification data, for example allowing the certificate authority (CA) to sign certificates for dual TPMs linked to the same chassis number. The process can include performing validation checks, rendezvous points, and locks to ensure that DevID certificates are successfully issued for each of the dual TPMs, respectively.

    Executing protected code

    Status: Granted patent

    Publication No.: US10885196B2

    Publication date: 2021-01-05

    Application No.: US16061814

    Filing date: 2016-04-29

    Inventor: Thomas M. Laffey

    Abstract: In some examples, in response to a reset of an electronic device, a method disables hardware write locking of a first region in a non-volatile memory, and executes a first boot code portion from the first region to begin a boot procedure. The executed first boot code portion checks whether an update code for the first boot code portion exists. In response to determining that no update code for the first boot code portion exists, the executed first boot code portion causes hardware write locking of the first region. After causing the hardware write locking of the first region, the boot procedure continues, the boot procedure comprising verifying an integrity of a second boot code portion.

    Secure management and execution of computing code including firmware

    Publication No.: US10776493B2

    Publication date: 2020-09-15

    Application No.: US16159365

    Filing date: 2018-10-12

    Abstract: Secure management of computing code is provided herein. The computing code corresponds to computing programs, including firmware and software, that are stored in the memory of a computing device. When a processor attempts to read or execute computing code, a security controller measures that code and/or the corresponding program, thereby generating a security measurement value. The security controller uses the security measurement value to manage access to the memory. The security measurement value can be analyzed together with integrity values of the computing programs, which are calculated while the processor is held in reset. The integrity values indicate the validity or identity of the stored computing programs and provide a reference point against which computing programs being read or executed can be compared. The security controller can manage access to memory based on the security measurement value by hiding or exposing portions of the memory to the processor.