Abstract:
Techniques for tenant management of virtualized computing resources are described. Virtualized computing resources are allocated to a tenant who is allowed to request access to the allocated virtualized computing resources. A request is received for launch of a virtual machine instance based on the allocated virtualized computing resources. In response to the request, a secure enclave is instantiated and information is obtained that is indicative of the host computing environment and the secure enclave. The information is sent to the tenant, and an indication is received from the tenant to launch the virtual machine based on an independent attestation by the tenant based on the sent information. The virtual machine is launched in response to the indication.
Abstract:
A virtual secure mode is enabled for a virtual machine operating in a computing environment that is associated with a plurality of different trust levels. First, a virtual secure mode image is loaded into one or more memory pages of a virtual memory space of the virtual machine. Then, the one or more memory pages of the virtual memory space are made inaccessible to one or more trust levels having a relatively lower trust level than a launching trust level that is used by a virtual secure mode loader to load the virtual secure mode image. A target virtual trust level is also enabled on a launching virtual processor for the virtual machine that is higher than the launching trust level.
Abstract:
A facility for booting a virtual machine hosted on a host is described. In one example facility, the facility boots the virtual machine in accordance with a policy instance associated with the virtual machine. As part of the booting, the facility extracts information needed to complete the booting from a virtual trusted platform module associated with the virtual machine, the extraction based upon the policy instance associated with the virtual machine. At the completion of the booting, the facility copies contents of a policy instance associated with the host into the policy instance associated with the virtual machine.
Abstract:
Deploying an encrypted entity on a trusted entity is illustrated herein. A method includes, at a trusted entity, wherein the trusted entity is trusted by an authority as a result of providing a verifiable indication of certain characteristics of the trusted entity meeting certain requirements, receiving an encrypted entity from an untrusted entity. The untrusted entity is not trusted by the authority. At the trusted entity, a trust credential from the authority is used to obtain a key from a key distribution service. The key distribution service is trusted by the authority. The key is used to decrypt the encrypted entity to allow the encrypted entity to be deployed at the trusted entity.