-
Publication number: US12120222B2
Publication date: 2024-10-15
Application number: US17393449
Filing date: 2021-08-04
CPC classification: H04L9/085 , G06F21/72 , H04L9/0822 , H04L9/0825 , H04L9/0891 , H04L9/14 , H04L9/3247
Abstract: A computer-implemented method for providing a system-specific secret to a computing system having a plurality of computing components is disclosed. The method includes storing permanently a component-specific import key as part of a computing component and storing the component-specific import key in a manufacturing-side storage system. Upon a request for the system-specific secret for a computing system, the method includes identifying the computing component comprised in the computing system, retrieving a record relating to the identified computing component, determining the system-specific secret protected by a hardware security module and determining a system-specific auxiliary key. Furthermore, the method includes encrypting the system-specific auxiliary key with the retrieved component-specific import key, thereby creating an auxiliary key bundle, encrypting the system-specific secret and storing the auxiliary key bundle and a system record in a storage medium of the computing system.
-
Publication number: US11829495B2
Publication date: 2023-11-28
Application number: US17394963
Filing date: 2021-08-05
Inventors: Jonathan D. Bradbury , Reinhard Theodor Buendgen , Janosch Andreas Frank , Marc Hartmayer , Viktor Mihajlovski
CPC classification: G06F21/62 , G06F9/45558 , G06F21/64 , H04L9/088 , H04L9/0861 , H04L63/04 , G06F2009/45575 , G06F2009/45587
Abstract: A secure guest of a computing environment requests confidential data. The confidential data is included in metadata of the secure guest, which is stored in a trusted execution environment of the computing environment. Based on the request, the confidential data is obtained from the metadata of the secure guest that is stored in the trusted execution environment.
-
Publication number: US20210232709A1
Publication date: 2021-07-29
Application number: US16775887
Filing date: 2020-01-29
Inventors: Reinhard Theodor Buendgen , Volker Urban , Richard Victor Kisley , Jonathan D. Bradbury , Torsten Hendel , Harald Freudenberger , Benedikt Klotz , Klaus Werner , Markus Selve
Abstract: A security module, such as a cryptographic adapter, is reserved for a secure guest of a computing environment. The reserving includes binding one or more queues of the security module to the secure guest. The one or more queues are then managed based on one or more actions relating to the reservation.
-
Publication number: US11068310B2
Publication date: 2021-07-20
Application number: US16296311
Filing date: 2019-03-08
Inventors: Utz Bacher , Reinhard Theodor Buendgen , Jonathan D. Bradbury , Lisa Cranton Heller , Fadi Y. Busaba
Abstract: According to one or more embodiments of the present invention, a computer-implemented method includes receiving a query for an amount of storage in memory of a computer system to be donated to a secure interface control of the computer system. The secure interface control can determine the amount of storage to be donated based on a plurality of secure entities supported by the secure interface control as a plurality of predetermined values. The secure interface control can return a response to the query indicative of the amount of storage. A donation of storage to be secured for use by the secure interface control can be received based on the response to the query.
-
Publication number: US20200287709A1
Publication date: 2020-09-10
Application number: US16296303
Filing date: 2019-03-08
Inventors: Jonathan D. Bradbury , Christian Borntraeger , Heiko Carstens , Martin Schwidefsky , Reinhard Theodor Buendgen
Abstract: According to one or more embodiments of the present invention, a computer-implemented method includes computing a hash value of a page of memory of a computer system and comparing the hash value with a previously computed hash value of the page. A per-encryption value per page can be used in encrypting the page based on determining that the hash value matches the previously computed hash value. A modified value of the per-encryption value per page can be used in encrypting the page based on determining that the hash value mismatches the previously computed hash value.
-
Publication number: US20240176913A1
Publication date: 2024-05-30
Application number: US18159376
Filing date: 2023-01-25
Inventors: Reinhard Theodor Buendgen , Viktor Mihajlovski , Jonathan D. Bradbury , Harald Freudenberger , Steffen Eiden , Volker Urban , Eric David Rossman
IPC classification: G06F21/72
CPC classification: G06F21/72
Abstract: A method for a policy-based association of a hardware security module to a secure guest is disclosed. The method comprises maintaining a binding between a secure guest and an HSM. Thereby, the binding enables the trusted guest to send only non-sensitive requests to the HSM. The method further comprises maintaining, for a secure guest, a pair of a secret and a secret name, submitting a query to the bound HSM for obtaining HSM configuration data, and upon determining that the obtained HSM configuration data match a rule available to the secure guest, wherein the rule associates the HSM to a secret name, requesting to associate the secret from the pair of secret and secret name to the bound HSM, thereby triggering that the trusted firmware allows the secure guest to submit a sensitive crypto-request to the bound and associated HSM.
-
Publication number: US20240176634A1
Publication date: 2024-05-30
Application number: US18162734
Filing date: 2023-02-01
CPC classification: G06F9/4555 , G06F21/572
Abstract: A computer-implemented method for personalizing a secure guest instance from a generic boot image using trusted firmware that maintains metadata of the secure guest instance is disclosed. The method comprises passing a request structure from the secure guest instance to the trusted firmware for modifying the metadata of the secure guest instance and to establish at least one retrievable secret in the metadata of the secure guest instance that is specific to the secure guest instance, verifying, by the trusted firmware, the request structure and upon success modifying the metadata as specified by the request structure, retrieving, by the secure guest instance, a secret object derived from the retrievable secret from the trusted firmware, and using, by the secure guest instance, the retrieved secret object to personalize the secure guest instance.
-
Publication number: US11809607B2
Publication date: 2023-11-07
Application number: US17395006
Filing date: 2021-08-05
CPC classification: G06F21/64 , G06F9/45545 , G06F9/45558 , G06F21/44 , G06F21/53 , G06F21/602 , G06F21/71 , G06F2009/45587
Abstract: A trusted execution environment obtains a secure guest image and metadata to be used to start a secure guest. The metadata includes multiple parts and a plurality of integrity measures. A first part of the metadata includes one or more integrity measures of the plurality of integrity measures, and a second part of the metadata includes customized confidential data of the secure guest and one or more other integrity measures of the plurality of integrity measures. The trusted execution environment is used to verify at least one select part of the metadata using at least one integrity measure of the plurality of integrity measures of the metadata. Based on successful verification of the at least one select part of the metadata, the trusted execution environment starts the secure guest using the secure guest image and at least a portion of the metadata.
-
Publication number: US20230043503A1
Publication date: 2023-02-09
Application number: US17394963
Filing date: 2021-08-05
Inventors: Jonathan D. Bradbury , Reinhard Theodor Buendgen , Janosch Andreas Frank , Marc Hartmayer , Viktor Mihajlovski
Abstract: A secure guest of a computing environment requests confidential data. The confidential data is included in metadata of the secure guest, which is stored in a trusted execution environment of the computing environment. Based on the request, the confidential data is obtained from the metadata of the secure guest that is stored in the trusted execution environment.
-
Publication number: US11475138B2
Publication date: 2022-10-18
Application number: US16737974
Filing date: 2020-01-09
Abstract: A computer-implemented method for creating a secure software container. The method comprises providing a first layered software container image, transforming all files, except corresponding metadata, of each layer of the first layered software container image into a volume, the volume comprising a set of blocks, wherein each layer comprises an incremental difference to a next lower layer, encrypting each block of the set of blocks of a portion of the layers, and storing each encrypted set of the blocks as a layer of an encrypted container image along with unencrypted metadata for rebuilding an order of the set of blocks equal to an order of the first layered software container image, so that a secure encrypted software container is created.