Abstract:
In one embodiment, a method of remote attestation for a special mode of operation is described. The method comprises storing an audit log within protected memory of a platform. The audit log is a listing of data representing each of a plurality of IsoX software modules loaded into the platform. The audit log is retrieved from the protected memory in response to receiving a remote attestation request from a remotely located platform. Then, the retrieved audit log is digitally signed to produce a digital signature for transfer to the remotely located platform.
Abstract:
Delivering a Direct Proof private key to a device installed in a client computer system in the field may be accomplished in a secure manner without requiring significant non-volatile storage in the device. A unique pseudo-random value is generated and stored in the device at manufacturing time. The pseudo-random value is used to generate a symmetric key for encrypting a data structure holding a Direct Proof private key and a private key digest associated with the device. The resulting encrypted data structure is stored on a removable storage medium (such as a CD), and distributed to the owner of the client computer system. When the device is initialized on the client computer system, the system checks if a localized encrypted data structure is present in the system. If not, the system obtains the associated encrypted data structure from the removable storage medium. The device decrypts the encrypted data structure using a symmetric key regenerated from its stored pseudo-random value to obtain the Direct Proof private key. If the private key is valid, it may be used for subsequent authentication processing by the device in the client computer system.
Abstract:
In one embodiment of the present invention, a method includes verifying an initiating logical processor of a system; validating a trusted agent with the initiating logical processor if the initiating logical processor is verified; and launching the trusted agent on a plurality of processors of the system if the trusted agent is validated. After execution of such a trusted agent, a secure kernel may then be launched, in certain embodiments. The system may be a multiprocessor server system having a partially or fully connected topology with arbitrary point-to-point interconnects, for example.
Abstract:
Delivering a Direct Proof private key in a signed group of keys to a device installed in a client computer system in the field may be accomplished in a secure manner without requiring significant non-volatile storage in the device. A unique pseudo-random value is generated and stored along with a group number in the device at manufacturing time. The pseudo-random value is used to generate a symmetric key for encrypting a data structure holding a Direct Proof private key and a private key digest associated with the device. The resulting encrypted data structure is stored in a signed group of keys (e.g., a signed group record) on a removable storage medium (such as a CD or DVD), and distributed to the owner of the client computer system. When the device is initialized on the client computer system, the system checks if a localized encrypted data structure is present in the system. If not, the system obtains the associated signed group record of encrypted data structures from the removable storage medium, and verifies the signed group record. The device decrypts the encrypted data structure using a symmetric key regenerated from its stored pseudo-random value to obtain the Direct Proof private key, when the group record is valid. If the private key is valid, it may be used for subsequent authentication processing by the device in the client computer system.
Abstract:
A method and apparatus for initiating secure operations in a microprocessor system is described. In one embodiment, one initiating logical processor initiates the process by halting the execution of the other logical processors, and then loading initialization and secure virtual machine monitor software into memory. The initiating processor then loads the initialization software into secure memory for authentication and execution. The initialization software then authenticates and registers the secure virtual machine monitor software prior to secure system operations.
Abstract:
A system and method for secure distribution of a video card public key. The method provides for loading an authentication code module into a processor, authenticating the authentication code module, and executing the authentication code module. Executing the authentication module causes the authentication code module to assert a hardware indicator to access at least one address in a special protected page on a chipset. Receipt of the hardware indicator by the chipset causes a specific reference to be sent via a dedicated port to a circuit card to retrieve a public key from the circuit card.
Abstract:
Secure storage and retrieval of a unique value associated with a device to/from a memory of a processing system. In at least one embodiment, the device needs to be able to access the unique value across processing system resets, and the device does not have sufficient non-volatile storage to store the unique value itself. Instead, the unique value is stored in the processing system memory in such a way that the stored unique value does not create a unique identifier for the processing system or the device. A pseudo-randomly or randomly generated initialization vector may be used to vary an encrypted data structure used to store the unique value in the memory.