公开(公告)号：US08032942B2

公开(公告)日：2011-10-04

申请号：US11967300

申请日：2007-12-31

申请人： Ned Smith ,  Willard Wiseman ,  Alok Kumar ,  Tasneem Brutch ,  Vincent Scarlata ,  Faraz Siddiqi

发明人： Ned Smith ,  Willard Wiseman ,  Alok Kumar ,  Tasneem Brutch ,  Vincent Scarlata ,  Faraz Siddiqi

IPC分类号： H04L9/00 ,  H04L9/32 ,  G06F7/04

CPC分类号： G06F21/572 ,  G06F21/57 ,  G06F2221/2101

摘要： Systems, methods and machine readable media for configuring virtual platform modules are disclosed. One method includes launching a virtual machine monitor, and determining, with the virtual machine monitor, whether a configuration policy that defines a configuration for a virtual trusted platform module is trusted. The method further includes configuring the virtual trusted platform module per the configuration policy in response to the virtual machine monitor determining that the configuration policy is trusted. The method also includes launching, via the virtual machine monitor, a virtual machine associated with the virtual trusted platform module.

摘要翻译： 公开了用于配置虚拟平台模块的系统，方法和机器可读介质。 一种方法包括启动虚拟机监视器，并且利用虚拟机监视器确定定义虚拟可信平台模块的配置的配置策略是否被信任。 该方法还包括根据虚拟机监视器确定配置策略被信任来配置每个配置策略的虚拟可信平台模块。 该方法还包括通过虚拟机监视器启动与虚拟可信平台模块相关联的虚拟机。

公开(公告)号：US20090169017A1

公开(公告)日：2009-07-02

申请号：US11967300

申请日：2007-12-31

申请人： Ned Smith ,  Willard M. Wiseman ,  Alok Kumar ,  Tasneem Brutch ,  Vincent Scarlata ,  Faraz Siddiqi

发明人： Ned Smith ,  Willard M. Wiseman ,  Alok Kumar ,  Tasneem Brutch ,  Vincent Scarlata ,  Faraz Siddiqi

IPC分类号： G06F21/00 ,  H04L9/14

CPC分类号： G06F21/572 ,  G06F21/57 ,  G06F2221/2101

摘要： Systems, methods and machine readable media for configuring virtual platform modules are disclosed. One method includes launching a virtual machine monitor, and determining, with the virtual machine monitor, whether a configuration policy that defines a configuration for a virtual trusted platform module is trusted. The method further includes configuring the virtual trusted platform module per the configuration policy in response to the virtual machine monitor determining that the configuration policy is trusted. The method also includes launching, via the virtual machine monitor, a virtual machine associated with the virtual trusted platform module.

摘要翻译： 公开了用于配置虚拟平台模块的系统，方法和机器可读介质。 一种方法包括启动虚拟机监视器，并且利用虚拟机监视器确定定义虚拟可信平台模块的配置的配置策略是否被信任。 该方法还包括根据虚拟机监视器确定配置策略被信任来配置每个配置策略的虚拟可信平台模块。 该方法还包括通过虚拟机监视器启动与虚拟可信平台模块相关联的虚拟机。

公开(公告)号：US20090133097A1

公开(公告)日：2009-05-21

申请号：US11984321

申请日：2007-11-15

申请人： Ned Smith ,  Willard M. Wiseman ,  Alok Kumar ,  Vincent R. Scarlata ,  Faraz Siddiqi ,  Tasneem Brutch

发明人： Ned Smith ,  Willard M. Wiseman ,  Alok Kumar ,  Vincent R. Scarlata ,  Faraz Siddiqi ,  Tasneem Brutch

IPC分类号： H04L9/00

CPC分类号： G06F21/57 ,  G06F21/53

摘要： A method, apparatus and system for a trusted platform module accepting a customized integrity policy provisioned to a virtual machine monitor, verifying the security of a first policy object, for example, including the customized integrity policy, by comparing a counter associated with the first policy object with a counter associated with a second policy object, and customizing a virtual trusted platform module of the virtual machine monitor according to the first policy object, for example, when the first policy object is verified. The customized integrity policy may include user specified configurations for implementing a customized virtual environment. Other embodiments are described and claimed.

摘要翻译： 一种可信平台模块的方法，装置和系统，其接受提供给虚拟机监视器的定制完整性策略，通过比较与第一策略相关联的计数器来验证第一策略对象的安全性，例如包括定制完整性策略 对象与与第二策略对象相关联的计数器，以及根据第一策略对象，例如当第一策略对象被验证时，自定义虚拟机监视器的虚拟可信平台模块。 定制的完整性策略可以包括用于实现定制的虚拟环境的用户指定的配置。 描述和要求保护其他实施例。

公开(公告)号：US20170185814A1

公开(公告)日：2017-06-29

申请号：US14757398

申请日：2015-12-23

申请人： Ned Smith ,  Sven Schrecker ,  Willard Wiseman ,  David Clark ,  Jennifer Gilburg De Magnin ,  Howard Herbert

发明人： Ned Smith ,  Sven Schrecker ,  Willard Wiseman ,  David Clark ,  Jennifer Gilburg De Magnin ,  Howard Herbert

IPC分类号： G06K7/10

CPC分类号： G06F21/00 ,  G06K7/10257 ,  G06Q10/10 ,  G06Q50/10 ,  G06Q2220/00 ,  H04L9/0819

摘要： Technologies for verification include storage with private keys, wherein each private key is associated with a group affiliation. The storage also includes characteristic information about an apparatus. The technologies also include a wireless interface configured to receive a request from a reader for verification of membership of the apparatus within a group affiliation. The technologies further include a controller with programmable logic for configuring the controller to determine whether to verify membership of the apparatus within a given group affiliation. The controller is also configured to verify membership of the apparatus within the given group affiliation by signing data with a private key associated with the given group affiliation. The signed data is sent to the reader. Membership within the given group affiliation conveys a subset of the characteristic information.

公开(公告)号：US20140095876A1

公开(公告)日：2014-04-03

申请号：US13629887

申请日：2012-09-28

申请人： Ned Smith ,  Sharon Smith ,  Willard Wiseman

发明人： Ned Smith ,  Sharon Smith ,  Willard Wiseman

IPC分类号： H04L9/32

CPC分类号： G06F21/57 ,  H04L9/32 ,  H04L9/3265 ,  H04L9/3271

摘要： Systems and methods may provide introducing a first root of trust on a platform to a second root of trust on the same platform. In one example, the method may include using an authenticated code module to transfer a first encryption key from a first root of trust on a platform to a second root of trust on the platform, receiving a challenge response from the first root of trust at the second root of trust, and using the first encryption key to verify the challenge response

摘要翻译： 系统和方法可以提供将平台上的第一信任根引入同一平台上的第二信任根。 在一个示例中，该方法可以包括使用经认证的代码模块将第一加密密钥从平台上的第一信任根传递到平台上的第二信任根，在第一根信任根源处接收挑战响应 第二个信任根，并使用第一个加密密钥验证挑战响应

公开(公告)号：US20060020785A1

公开(公告)日：2006-01-26

申请号：US10883264

申请日：2004-06-30

申请人： David Grawrock ,  Willard Wiseman ,  James Sutton ,  Clifford Hall ,  Ned Smith

发明人： David Grawrock ,  Willard Wiseman ,  James Sutton ,  Clifford Hall ,  Ned Smith

IPC分类号： H04L9/00

CPC分类号： G06F21/84 ,  G06F21/57

摘要： A system and method for secure distribution of a video card public key. The method provides for loading an authentication code module into a processor, authenticating the authentication code module, and executing the authentication code module. Executing the authentication module causes the authentication code module to assert a hardware indicator to access at least one address in a special protected page on a chipset. Receipt of the hardware indicator by the chipset causes a specific reference to be sent via a dedicated port to a circuit card to retrieve a public key from the circuit card.

摘要翻译： 一种用于安全分发视频卡公钥的系统和方法。 该方法提供将认证码模块加载到处理器中，认证认证码模块和执行认证码模块。 执行认证模块使认证码模块断言硬件指示符访问芯片组中特殊保护页面中的至少一个地址。 通过芯片组接收硬件指示符，将特定的参考信号通过专用端口发送到电路卡以从电路卡中取回公钥。

公开(公告)号：US20100107224A1

公开(公告)日：2010-04-29

申请号：US12655024

申请日：2009-12-22

申请人： David Durham ,  Ravi Sahita ,  Karanvir Grewal ,  Ned Smith ,  Kapil Sood

发明人： David Durham ,  Ravi Sahita ,  Karanvir Grewal ,  Ned Smith ,  Kapil Sood

IPC分类号： G06F17/00

CPC分类号： H04L63/10 ,  G06F2221/2141 ,  H04L9/3234 ,  H04L9/3247 ,  H04L9/3263 ,  H04L63/0209 ,  H04L63/08 ,  H04L63/20

摘要： Architectures and techniques that allow a firmware agent to operate as a tamper-resistant agent on a host platform that may be used as a trusted policy enforcement point (PEP) on the host platform to enforce policies even when the host operating system is compromised. The PEP may be used to open access control and/or remediation channels on the host platform. The firmware agent may also act as a local policy decision point (PDP) on the host platform in accordance with an authorized enterprise PDP entity by providing policies if a host trust agent is non-responsive and may function as a passive agent when the host trust agent is functional.

摘要翻译： 允许固件代理在主机平台上作为防篡改代理操作的体系结构和技术，可在主机平台上用作受信任的策略执行点（PEP），即使主机操作系统受到威胁也可执行策略。 PEP可用于在主机平台上打开访问控制和/或修复通道。 固件代理还可以根据授权的企业PDP实体在主机平台上作为本地策略决策点（PDP），通过在主机信任代理不响应时提供策略，并且当主机信任时可以用作被动代理 代理功能。

公开(公告)号：US20090319806A1

公开(公告)日：2009-12-24

申请号：US12214830

申请日：2008-06-23

申请人： Ned Smith ,  Vincent J. Zimmer

发明人： Ned Smith ,  Vincent J. Zimmer

IPC分类号： H04L9/32 ,  G06F12/14

CPC分类号： G06F21/575

摘要： In one embodiment, the present invention includes a method for obtaining a pre-boot authentication (PBA) image from a full disk encryption disk in a pre-boot environment, executing the PBA using a chipset to obtain user credential information, authorizing the user based on the user credential information and stored credential information, and storing the user credential information in a PBA metadata region of the disk. Other embodiments are described and claimed.

摘要翻译： 在一个实施例中，本发明包括一种用于在预引导环境中从全盘加密盘获得预引导认证（PBA）图像的方法，使用芯片组执行PBA以获得用户凭证信息，授权用户 关于用户凭证信息和存储的凭证信息，以及将用户凭证信息存储在盘的PBA元数据区域中。 描述和要求保护其他实施例。

公开(公告)号：US20070110244A1

公开(公告)日：2007-05-17

申请号：US11281713

申请日：2005-11-16

申请人： Kapil Sood ,  Jesse Walker ,  Ned Smith

发明人： Kapil Sood ,  Jesse Walker ,  Ned Smith

IPC分类号： H04K1/00

CPC分类号： H04L9/0822 ,  G06F9/45558 ,  G06F2009/45587 ,  H04L9/0897 ,  H04L63/0428 ,  H04L63/06 ,  H04L2209/80 ,  H04W12/04 ,  H04W76/10 ,  H04W80/04

摘要： A method, apparatus and system enable a secure wireless platform. Specifically, embodiments of the present invention may utilize a secure processing area to enforce security mechanisms on the wireless platform, thus isolating the security measures (e.g., security keys) from the host operating system on the wireless node.

摘要翻译： 一种方法，装置和系统能够实现安全的无线平台。 具体地，本发明的实施例可以利用安全处理区域来在无线平台上实施安全机制，从而将安全措施（例如，安全密钥）与主机操作系统隔离在无线节点上。

公开(公告)号：US20160092700A1

公开(公告)日：2016-03-31

申请号：US14496056

申请日：2014-09-25

申请人： Ned Smith ,  Esteban Gutierrez ,  Andrew Woodruff ,  Aditya Kapoor

发明人： Ned Smith ,  Esteban Gutierrez ,  Andrew Woodruff ,  Aditya Kapoor

IPC分类号： G06F21/64 ,  G06F21/56 ,  G06F21/62

CPC分类号： G06F21/64 ,  G06F21/51 ,  G06F21/52 ,  G06F21/566 ,  G06F21/6281 ,  G06F2221/032 ,  G06F2221/2115

摘要： Particular embodiments described herein provide for an electronic device that can be configured to receive untrusted input data at an enclave in an electronic device, isolate the untrusted input data from at least a portion of the enclave, communicate at least a portion of the untrusted data to an integrity verification module using an attestation channel, and receive data integrity verification of the untrusted input data from the integrity verification module. The integrity verification module can perform data integrity attestation functions to verify the untrusted data and the data integrity attestation functions include a data attestation policy and a whitelist.

摘要翻译： 本文所述的特定实施例提供了一种电子设备，其可以被配置为在电子设备中的飞地处接收不受信任的输入数据，将不受信任的输入数据与飞地的至少一部分隔离，将不可信数据的至少一部分传达到 使用认证通道的完整性验证模块，以及从完整性验证模块接收不可信输入数据的数据完整性验证。 完整性验证模块可以执行数据完整性认证功能，以验证不可信数据，数据完整性认证功能包括数据认证策略和白名单。