POLICY BOUND KEY CREATION AND RE-WRAP SERVICE
    1.
    发明申请
    POLICY BOUND KEY CREATION AND RE-WRAP SERVICE 有权
    政策关键创新和重覆服务

    公开(公告)号:US20120297200A1

    公开(公告)日:2012-11-22

    申请号:US13109685

    申请日:2011-05-17

    IPC分类号: G06F12/14

    摘要: One or more techniques and/or systems are provided for provisioning encrypted key blobs and client certificates. That is, a trusted execution environment on a first machine may provide a key service provider with a cryptographic encryption key. The key service provider may encrypt a key blob using the cryptographic encryption key and/or wrap the encrypted key blob with one or more policies, such as a platform policy. The key service provider may provision the encrypted key blob to a client on the first machine. The client may submit the encrypted key blob to the trusted execution environment for validation so that the client may perform key actions, such as sign an email or encrypt data. Because the key blob may be specific to a particular trusted execution environment and/or machine, the key service provider may re-wrap the key blob if the client “roams” to a second machine.

    摘要翻译: 提供一个或多个技术和/或系统用于供应加密的密钥块和客户端证书。 也就是说,第一机器上的受信任执行环境可以向密钥服务提供商提供密码加密密钥。 密钥服务提供商可以使用密码加密密钥来加密密钥块,和/或使用一个或多个策略(例如平台策略)来包裹加密的密钥块。 密钥服务提供商可以将加密的密钥blob提供给第一台机器上的客户端。 客户端可以将加密的密钥blob提交到可信执行环境进行验证,以便客户端可以执行关键操作,例如签署电子邮件或加密数据。 由于密钥blob可能是特定的可信任的执行环境和/或机器,所以如果客户端漫游到第二台机器,则密钥服务提供商可以重新包装密钥块。

    Globally valid measured operating system launch with hibernation support
    3.
    发明授权
    Globally valid measured operating system launch with hibernation support 有权
    全球有效的测量操作系统启动与冬眠支持

    公开(公告)号:US08627464B2

    公开(公告)日:2014-01-07

    申请号:US12938363

    申请日:2010-11-02

    IPC分类号: G06F12/14

    摘要: An event log can comprise, not only entries associated with components instantiated since a most recent power on of a computing device, but also entries of components instantiated prior to that power on, such as components that were instantiated, and represent, a state of the computing device prior to hibernation that has now been resumed. Upon hibernation, the current values of the Platform Configuration Registers (PCRs) of a Trusted Platform Module (trusted execution environment), as well as a quote of those current values, and a current value of a monotonic counter of the trusted execution environment can be logged. The monotonic counter can be incremented at each power on to track successive generations of the computing device and to guard against an intervening, not-logged generation. A subsequent parsing of the event log can verify the prior generational entries with reference to the PCR values in the log that are associated with those generations.

    摘要翻译: 事件日志不仅可以包括与计算设备的最近上电后实例化的组件相关联的条目,而且还可以包括在该上电之前实例化的组件的条目,诸如被实例化的组件,并且表示 休眠前的计算设备现在已经恢复。 休眠后,可信平台模块(可信执行环境)的平台配置寄存器(PCR)的当前值以及当前值的引用以及可信执行环境的单调计数器的当前值可以是 记录。 在每次打开电源时,单调计数器可以递增,以跟踪计算设备的连续几代,并防止中间,未记录的一代。 事件日志的后续解析可以参考日志中与这些世代相关联的PCR值来验证先前的生成条目。

    DEVICE BOOTING WITH AN INITIAL PROTECTION COMPONENT
    5.
    发明申请
    DEVICE BOOTING WITH AN INITIAL PROTECTION COMPONENT 有权
    具有初始保护组件的设备启动

    公开(公告)号:US20110307711A1

    公开(公告)日:2011-12-15

    申请号:US12813955

    申请日:2010-06-11

    CPC分类号: G06F21/575

    摘要: Booting a computing device includes executing one or more firmware components followed by a boot loader component. A protection component for the computing device, such as an anti-malware program, is identified and executed as an initial component after executing the boot loader component. One or more boot components are also executed, these one or more boot components including only boot components that have been approved by the protection component. A list of boot components that have been previously approved by the protection component can also be maintained in a tamper-proof manner.

    摘要翻译: 启动计算设备包括执行一个或多个固件组件,后跟引导加载程序组件。 在执行引导加载程序组件之后,识别并执行诸如反恶意软件程序之类的计算设备的保护组件作为初始组件。 还执行一个或多个引导组件,这些一个或多个引导组件仅包括被保护组件批准的引导组件。 先前已被保护组件批准的引导组件列表也可以以防篡改的方式进行维护。

    GLOBALLY VALID MEASURED OPERATING SYSTEM LAUNCH WITH HIBERNATION SUPPORT
    8.
    发明申请
    GLOBALLY VALID MEASURED OPERATING SYSTEM LAUNCH WITH HIBERNATION SUPPORT 有权
    全球有效的测量操作系统启动与HIBERNATION支持

    公开(公告)号:US20120110644A1

    公开(公告)日:2012-05-03

    申请号:US12938363

    申请日:2010-11-02

    IPC分类号: H04L9/32 G06F15/16 G06F21/00

    摘要: An event log can comprise, not only entries associated with components instantiated since a most recent power on of a computing device, but also entries of components instantiated prior to that power on, such as components that were instantiated, and represent, a state of the computing device prior to hibernation that has now been resumed. Upon hibernation, the current values of the Platform Configuration Registers (PCRs) of a Trusted Platform Module (trusted execution environment), as well as a quote of those current values, and a current value of a monotonic counter of the trusted execution environment can be logged. The monotonic counter can be incremented at each power on to track successive generations of the computing device and to guard against an intervening, not-logged generation. A subsequent parsing of the event log can verify the prior generational entries with reference to the PCR values in the log that are associated with those generations.

    摘要翻译: 事件日志不仅可以包括与计算设备的最近上电后实例化的组件相关联的条目,而且还可以包括在该上电之前实例化的组件的条目,诸如被实例化的组件,并且表示 休眠前的计算设备现在已经恢复。 休眠后,可信平台模块(可信执行环境)的平台配置寄存器(PCR)的当前值以及当前值的引用以及可信执行环境的单调计数器的当前值可以是 记录。 在每次打开电源时,单调计数器可以递增,以跟踪计算设备的连续几代,并防止中间,未记录的一代。 事件日志的后续解析可以参考日志中与这些世代相关联的PCR值来验证先前的生成条目。

    PROTECTING OPERATING SYSTEM CONFIGURATION VALUES
    10.
    发明申请
    PROTECTING OPERATING SYSTEM CONFIGURATION VALUES 有权
    保护操作系统配置值

    公开(公告)号:US20120226895A1

    公开(公告)日:2012-09-06

    申请号:US13037962

    申请日:2011-03-01

    IPC分类号: G06F9/00

    CPC分类号: G06F21/575

    摘要: In a pre-operating system environment on a device prior to loading and running an operating system on the device, a policy identifying configuration settings for the operating system is obtained. The operating system itself is prevented from changing this policy, but the policy can be changed under certain circumstances by components of the pre-operating system environment. The policy is compared to configuration values used by the operating system, and the operating system is allowed to boot with the configuration values if the configuration values satisfy the policy. However, if the configuration values do not satisfy the policy, then a responsive action is taken.

    摘要翻译: 在装置上装载和运行操作系统之前的设备上的预操作系统环境中,获得识别操作系统的配置设置的策略。 操作系统本身被阻止更改此策略,但在特定情况下可以通过操作前系统环境的组件来更改策略。 该策略与操作系统使用的配置值进行比较,如果配置值满足策略,则允许操作系统使用配置值进行引导。 但是,如果配置值不符合策略,则执行响应动作。