-
公开(公告)号:US11777717B2
公开(公告)日:2023-10-03
申请号:US17425896
申请日:2019-01-25
Applicant: Huawei Technologies Co., Ltd.
Inventor: Sampo Sovio , Jan-Erik Ekberg
CPC classification number: H04L9/0825 , H04L9/302 , H04L9/3242 , H04L9/3252 , H04L9/3268
Abstract: A method for attestation of Control Flow Integrity (CFI) of an application running on an end entity whereby an asymmetric key pair is generated by a Key Management Module (KMM) comprising a private key and a public key, then the public key is signed with a device key unique to the end entity thereby generating a public key certificate which attests to the private key being in possession of the end entity. The asymmetric key pair is based on the executing code of the application and the device key. The attestation claims regarding CFI of the application are signed by the private key in a dedicated signature module.
-
公开(公告)号:US11126706B2
公开(公告)日:2021-09-21
申请号:US16491319
申请日:2017-03-07
Applicant: HUAWEI TECHNOLOGIES CO., LTD.
Inventor: Sampo Sovio , Martti Takala , Valentin Manea , Parvez Shaik , Liming Wu
Abstract: An apparatus including a processor and a memory configured to provide an SEE and an REE. The processor is configured to provide a client application configured to execute at a user privilege level and a hypervisor configured to execute at a hypervisor privilege level. The user privilege level is more restrictive than the hypervisor privilege level. The processor is further configured to provide a trusted application configured to execute within the SEE. The trusted application provides secure services to the client application. The processor is configured to send a request for secure services from the client application to the trusted application, send a measurement request to the hypervisor, generate within the hypervisor a measured value based on the client application, return the measured value to the trusted application, and determine whether the client application is authorized to access the secure services. The authorization determination is based on the measured value.
-
公开(公告)号:US20200186357A1
公开(公告)日:2020-06-11
申请号:US16638291
申请日:2017-08-11
Applicant: Pekka LAITINEN , Huawei Technologies Co., Ltd.
Inventor: Pekka Laitinen , Qiming Li , Sampo Sovio , Gang Lian , Zhihua Shan
Abstract: A device with key attestation features comprises an operating system stored in its memory, the operating system comprising a secure environment including a trusted application, and two or more device certificates, each associated with a device key pair, stored in the memory of the device. The trusted application is configured to handle key pair generation requests and key pair attestation requests to read an indication of a preferred device certificate. An attestation certificate that is generated in response to the key pair attestation request is then signed using one of the two or more device certificates with its associated device key pair based on the indication of a preferred device certificate.
-
公开(公告)号:US20230058046A1
公开(公告)日:2023-02-23
申请号:US17792292
申请日:2020-01-29
Applicant: Sampo SOVIO , Huawei Technologies Co., Ltd.
Inventor: Sampo Sovio , Qiming Li , Gang Lian , Kui Wang , Santeri Salko , Vladimir Ushakov
IPC: G06F21/53
Abstract: An apparatus is configured to protect the privacy of shared objects by loading shared object into a user memory of a rich execution environment. The shared object has an encrypted segment and metadata. A request for decryption is sent to a trusted execution environment and the encrypted segment is decrypted based on the metadata and a predetermined platform key to produce a decrypted segment. The decrypted segment is written into the shared object. A request to lock the shared object is sent and a memory occupied by the shared object is locked or set to execute only. The lock of the memory region occupied by the decrypted shared object maps the memory region to be non-readable and non-writable to applications executing at a first privilege level and to the operating system kernel executing at a second privilege level.
-
公开(公告)号:US11374766B2
公开(公告)日:2022-06-28
申请号:US16638291
申请日:2017-08-11
Applicant: Huawei Technologies Co., Ltd.
Inventor: Pekka Laitinen , Qiming Li , Sampo Sovio , Gang Lian , Zhihua Shan
Abstract: A device with key attestation features comprises an operating system stored in its memory, the operating system comprising a secure environment including a trusted application, and two or more device certificates, each associated with a device key pair, stored in the memory of the device. The trusted application is configured to handle key pair generation requests and key pair attestation requests to read an indication of a preferred device certificate. An attestation certificate that is generated in response to the key pair attestation request is then signed using one of the two or more device certificates with its associated device key pair based on the indication of a preferred device certificate.
-
Patent Agency Ranking
公开(公告)号:US11283626B2
公开(公告)日:2022-03-22
申请号:US16331055
申请日:2016-09-06
Applicant: Huawei Technologies Co., Ltd.
Inventor: Gang Lian , Sampo Sovio , Taisheng Deng , Xiaopu Wang , Zongbo Ye
Abstract: An apparatus including a processor and a memory, where the processor and the memory are configured to provide a secure execution environment and the memory stores a hardware unique key and a class key. The processor is configured to recover, in the secure execution environment, a certificate signing key based on the class key, where the certificate signing key is associated with a certificate authority. The processor is further configured to derive a device key pair based on the hardware unique key, where the device key pair includes a device public key and a device private key, and generate a device certificate based on the device public key and the certificate signing key. The generated device certificate is configured to be validated based on a public key associated with the certificate authority.
-
公开(公告)号:US20200374112A1
公开(公告)日:2020-11-26
申请号:US16768501
申请日:2017-12-01
Applicant: Huawei Technologies Co., Ltd.
Inventor: Sampo Sovio , Qiming Li , Pekka Laitinen , Gang Lian , Meilun Xie , Xiwen Fang , Zhihua Shan
Abstract: In a method for secure provisioning of data to a client device, a non-trusted manufacturing facility is equipped with a secure server device to establish a secure data provisioning channel from the secure server device to trusted hardware in client devices without the secure server device and the client devices needing to have a shared secret.
-
公开(公告)号:US12197563B2
公开(公告)日:2025-01-14
申请号:US17792292
申请日:2020-01-29
Applicant: Huawei Technologies Co., Ltd. , Sampo Sovio
Inventor: Sampo Sovio , Qiming Li , Gang Lian , Kui Wang , Santeri Salko , Vladimir Ushakov
IPC: G06F21/53
Abstract: An apparatus is configured to protect the privacy of shared objects by loading shared object into a user memory of a rich execution environment. The shared object has an encrypted segment and metadata. A request for decryption is sent to a trusted execution environment and the encrypted segment is decrypted based on the metadata and a predetermined platform key to produce a decrypted segment. The decrypted segment is written into the shared object. A request to lock the shared object is sent and a memory occupied by the shared object is locked or set to execute only. The lock of the memory region occupied by the decrypted shared object maps the memory region to be non-readable and non-writable to applications executing at a first privilege level and to the operating system kernel executing at a second privilege level.
-
公开(公告)号:US11455399B2
公开(公告)日:2022-09-27
申请号:US16415939
申请日:2019-05-17
Applicant: Huawei Technologies Co., Ltd.
Inventor: Janne Hirvimies , Sampo Sovio
Abstract: An electronic device and a software provisioning server are provided. The electronic device is configured to obey an Anti-Roll Back (ARB) enforcement policy, obtain an ARB exception associated with a software, wherein the ARB exception comprises a signature of the ARB exception and a revision number of the software, check the validity of the signature of the ARB exception, and execute the software having the revision number so as to overrun the ARB enforcement policy if the signature of the ARB exception is valid. The software provisioning server is configured to determine an ARB exception associated with a software for overrunning an ARB enforcement policy in an electronic device, wherein the ARB exception comprises a signature of the ARB exception and a revision number of the software, provide the ARB exception to the electronic device.
-
公开(公告)号:US20190238342A1
公开(公告)日:2019-08-01
申请号:US16331055
申请日:2016-09-06
Applicant: Huawei Technologies Co., Ltd.
Inventor: Gang Lian , Sampo Sovio , Taisheng Deng , Xiaopu Wang , Zongbo Ye
CPC classification number: H04L9/3263 , H04L9/0894 , H04L9/321 , H04L63/0823 , H04L2209/64 , H04L2209/80 , H04L2463/061
Abstract: An apparatus including a processor and a memory, where the processor and the memory are configured to provide a secure execution environment and the memory stores a hardware unique key and a class key. The processor is configured to recover, in the secure execution environment, a certificate signing key based on the class key, where the certificate signing key is associated with a certificate authority. The processor is further configured to derive a device key pair based on the hardware unique key, where the device key pair includes a device public key and a device private key, and generate a device certificate based on the device public key and the certificate signing key. The generated device certificate is configured to be validated based on a public key associated with the certificate authority.
-
-
-
-
-
-
-
-
-
Search Results
10
records
(took 0.016 seconds)
