GLOBALLY VALID MEASURED OPERATING SYSTEM LAUNCH WITH HIBERNATION SUPPORT
    1.
    Invention application
    GLOBALLY VALID MEASURED OPERATING SYSTEM LAUNCH WITH HIBERNATION SUPPORT (in force)

    Publication number: US20120110644A1

    Publication date: 2012-05-03

    Application number: US12938363

    Filing date: 2010-11-02

    IPC classification: H04L9/32 G06F15/16 G06F21/00

    Abstract: An event log can comprise, not only entries associated with components instantiated since a most recent power on of a computing device, but also entries of components instantiated prior to that power on, such as components that were instantiated, and represent, a state of the computing device prior to hibernation that has now been resumed. Upon hibernation, the current values of the Platform Configuration Registers (PCRs) of a Trusted Platform Module (trusted execution environment), as well as a quote of those current values, and a current value of a monotonic counter of the trusted execution environment can be logged. The monotonic counter can be incremented at each power on to track successive generations of the computing device and to guard against an intervening, not-logged generation. A subsequent parsing of the event log can verify the prior generational entries with reference to the PCR values in the log that are associated with those generations.


    Globally valid measured operating system launch with hibernation support
    2.
    Granted patent
    Globally valid measured operating system launch with hibernation support (in force)

    Publication number: US08627464B2

    Publication date: 2014-01-07

    Application number: US12938363

    Filing date: 2010-11-02

    IPC classification: G06F12/14

    Abstract: An event log can comprise, not only entries associated with components instantiated since a most recent power on of a computing device, but also entries of components instantiated prior to that power on, such as components that were instantiated, and represent, a state of the computing device prior to hibernation that has now been resumed. Upon hibernation, the current values of the Platform Configuration Registers (PCRs) of a Trusted Platform Module (trusted execution environment), as well as a quote of those current values, and a current value of a monotonic counter of the trusted execution environment can be logged. The monotonic counter can be incremented at each power on to track successive generations of the computing device and to guard against an intervening, not-logged generation. A subsequent parsing of the event log can verify the prior generational entries with reference to the PCR values in the log that are associated with those generations.


    POLICY BOUND KEY CREATION AND RE-WRAP SERVICE
    4.
    Invention application
    POLICY BOUND KEY CREATION AND RE-WRAP SERVICE (in force)

    Publication number: US20120297200A1

    Publication date: 2012-11-22

    Application number: US13109685

    Filing date: 2011-05-17

    IPC classification: G06F12/14

    Abstract: One or more techniques and/or systems are provided for provisioning encrypted key blobs and client certificates. That is, a trusted execution environment on a first machine may provide a key service provider with a cryptographic encryption key. The key service provider may encrypt a key blob using the cryptographic encryption key and/or wrap the encrypted key blob with one or more policies, such as a platform policy. The key service provider may provision the encrypted key blob to a client on the first machine. The client may submit the encrypted key blob to the trusted execution environment for validation so that the client may perform key actions, such as signing an email or encrypting data. Because the key blob may be specific to a particular trusted execution environment and/or machine, the key service provider may re-wrap the key blob if the client "roams" to a second machine.


    DEVICE BOOTING WITH AN INITIAL PROTECTION COMPONENT
    6.
    Invention application
    DEVICE BOOTING WITH AN INITIAL PROTECTION COMPONENT (in force)

    Publication number: US20110307711A1

    Publication date: 2011-12-15

    Application number: US12813955

    Filing date: 2010-06-11

    CPC classification: G06F21/575

    Abstract: Booting a computing device includes executing one or more firmware components followed by a boot loader component. A protection component for the computing device, such as an anti-malware program, is identified and executed as the initial component after the boot loader component. One or more boot components are also executed, these boot components including only boot components that have been approved by the protection component. A list of boot components that have previously been approved by the protection component can also be maintained in a tamper-proof manner.


    TRUSTED EXECUTION ENVIRONMENT VIRTUAL MACHINE CLONING
    9.
    Invention application
    TRUSTED EXECUTION ENVIRONMENT VIRTUAL MACHINE CLONING (in force)

    Publication number: US20140040890A1

    Publication date: 2014-02-06

    Application number: US13566250

    Filing date: 2012-08-03

    IPC classification: G06F9/455

    CPC classification: G06F21/53

    Abstract: Cloning of a virtual machine having a trusted execution environment such as a software-based trusted platform module. In order to clone the virtual machine, the virtual machine state of the source virtual machine is copied to formulate a target virtual machine state that is to be associated with a target virtual machine. The target virtual machine is a clone of the source virtual machine state, and thus the storage hierarchy of the trusted execution environment may be the same for the trusted execution environment in the source and target virtual machine states. However, because the identity of the target virtual machine is different from that of the source virtual machine, the endorsement hierarchy of the target virtual machine state is altered such that it is based on the identity of the target virtual machine, rather than the source virtual machine.


    Trusted execution environment virtual machine cloning
    10.
    Granted patent
    Trusted execution environment virtual machine cloning (in force)

    Publication number: US08954965B2

    Publication date: 2015-02-10

    Application number: US13566250

    Filing date: 2012-08-03

    IPC classification: G06F9/455

    CPC classification: G06F21/53

    Abstract: Cloning of a virtual machine having a trusted execution environment such as a software-based trusted platform module. In order to clone the virtual machine, the virtual machine state of the source virtual machine is copied to formulate a target virtual machine state that is to be associated with a target virtual machine. The target virtual machine is a clone of the source virtual machine state, and thus the storage hierarchy of the trusted execution environment may be the same for the trusted execution environment in the source and target virtual machine states. However, because the identity of the target virtual machine is different from that of the source virtual machine, the endorsement hierarchy of the target virtual machine state is altered such that it is based on the identity of the target virtual machine, rather than the source virtual machine.
