-
公开(公告)号:US20080184040A1
公开(公告)日:2008-07-31
申请号:US12059274
申请日:2008-03-31
IPC分类号: H04L9/06
CPC分类号: G06F21/572
摘要: A method, system and computer program product for enhancing the functionality of the existing core root of trust measurement (CRTM). The CRTM is extended to allow platform manufacturer controlled and certified code to be incorporated into the function of the CRTM, wherein the manufacturer may define the policy for accepting a new function into the CRTM. When a firmware or software module image is compiled, the build process generates a hash value of the compiled firmware or software image, wherein the hash value reflects a fingerprint (or short hand) representation of the compiled image. A determination is made as to whether the hash value of the firmware or software image is to be a CRTM extension. If so, a digital signature of the module is created using the CRTM extension private key. This signature value is added to the firmware or software module.
摘要翻译: 一种用于增强现有核心信任度量(CRTM)功能的方法,系统和计算机程序产品。 CRTM被扩展为允许平台制造商控制和认证的代码被并入CRTM的功能,其中制造商可以将接受新功能的策略定义到CRTM中。 当编译固件或软件模块图像时,构建过程产生编译的固件或软件映像的哈希值,其中散列值反映编译图像的指纹(或短手)表示。 确定固件或软件映像的哈希值是否为CRTM扩展。 如果是这样,使用CRTM扩展专用密钥创建模块的数字签名。 该签名值被添加到固件或软件模块。
-
公开(公告)号:US08185750B2
公开(公告)日:2012-05-22
申请号:US12059274
申请日:2008-03-31
CPC分类号: G06F21/572
摘要: A method, system and computer program product for enhancing the functionality of the existing core root of trust measurement (CRTM). The CRTM is extended to allow platform manufacturer controlled and certified code to be incorporated into the function of the CRTM, wherein the manufacturer may define the policy for accepting a new function into the CRTM. When a firmware or software module image is compiled, the build process generates a hash value of the compiled firmware or software image, wherein the hash value reflects a fingerprint (or short hand) representation of the compiled image. A determination is made as to whether the hash value of the firmware or software image is to be a CRTM extension. If so, a digital signature of the module is created using the CRTM extension private key. This signature value is added to the firmware or software module.
摘要翻译: 一种用于增强现有核心信任度量(CRTM)功能的方法,系统和计算机程序产品。 CRTM被扩展为允许平台制造商控制和认证的代码被并入CRTM的功能,其中制造商可以将接受新功能的策略定义到CRTM中。 当编译固件或软件模块图像时,构建过程产生编译的固件或软件映像的哈希值,其中散列值反映编译图像的指纹(或短手)表示。 确定固件或软件映像的哈希值是否为CRTM扩展。 如果是这样,使用CRTM扩展专用密钥创建模块的数字签名。 该签名值被添加到固件或软件模块。
-
3.发明授权公开(公告)号:US08549288B2
公开(公告)日:2013-10-01
申请号:US12128952
申请日:2008-05-29
申请人: Steven A. Bade , Stefan Berger , Kenneth Alan Goldman , Ronald Perez , Reiner Sailer , Leendert Peter Van Doorn
发明人: Steven A. Bade , Stefan Berger , Kenneth Alan Goldman , Ronald Perez , Reiner Sailer , Leendert Peter Van Doorn
IPC分类号: H04L29/06
CPC分类号: G06F21/57
摘要: A trusted platform module is presented that is capable of creating, dynamically, multiple virtual trusted platform modules in a hierarchical organization. A trusted platform module domain is created. The trusted platform module creates virtual trusted platform modules, as needed, in the trusted platform module domain. The virtual trusted platform modules can inherit the permissions of a parent trusted platform module to have the ability to create virtual trusted platform modules themselves. Each virtual trusted platform module is associated with a specific partition. Each partition is associated with an individual operating system. The hierarchy of created operating systems and their privilege of spawning new operating systems is reflected in the hierarchy of trusted platform modules and the privileges each of the trusted platform modules has.
摘要翻译: 提出了一种可信任的平台模块,能够在层次结构中动态创建多个虚拟可信平台模块。 创建可信平台模块域。 可信平台模块根据需要在可信平台模块域中创建虚拟可信平台模块。 虚拟可信平台模块可以继承父信任平台模块的权限,以便能够自己创建虚拟可信平台模块。 每个虚拟可信平台模块与特定分区关联。 每个分区与单个操作系统相关联。 创建的操作系统的层次结构及其产生新操作系统的特权体现在可信平台模块的层次结构和每个可信平台模块所具有的特权上。
-
4.发明申请公开(公告)号:US20080235804A1
公开(公告)日:2008-09-25
申请号:US12128952
申请日:2008-05-29
申请人: Steven A. Bade , Stefan Berger , Kenneth Alan Goldman , Ronald Perez , Reiner Sailer , Leendert Peter Van Doorn
发明人: Steven A. Bade , Stefan Berger , Kenneth Alan Goldman , Ronald Perez , Reiner Sailer , Leendert Peter Van Doorn
IPC分类号: G06F21/00
CPC分类号: G06F21/57
摘要: A trusted platform module is presented that is capable of creating, dynamically, multiple virtual trusted platform modules in a hierarchical organization. A trusted platform module domain is created. The trusted platform module creates virtual trusted platform modules, as needed, in the trusted platform module domain. The virtual trusted platform modules can inherit the permissions of a parent trusted platform module to have the ability to create virtual trusted platform modules themselves. Each virtual trusted platform module is associated with a specific partition. Each partition is associated with an individual operating system. The hierarchy of created operating systems and their privilege of spawning new operating systems is reflected in the hierarchy of trusted platform modules and the privileges each of the trusted platform modules has.
摘要翻译: 提出了一种可信任的平台模块,能够在层次结构中动态创建多个虚拟可信平台模块。 创建可信平台模块域。 可信平台模块根据需要在可信平台模块域中创建虚拟可信平台模块。 虚拟可信平台模块可以继承父信任平台模块的权限,以便能够自己创建虚拟可信平台模块。 每个虚拟可信平台模块与特定分区关联。 每个分区与单个操作系统相关联。 创建的操作系统的层次结构及其产生新操作系统的特权体现在可信平台模块的层次结构和每个可信平台模块所具有的特权上。
-
5.发明授权Method and system for bootstrapping a trusted server having redundant trusted platform modules 有权用于引导具有冗余可信平台模块的可信服务器的方法和系统公开(公告)号:US08055912B2
公开(公告)日:2011-11-08
申请号:US12621524
申请日:2009-11-19
申请人: Steven A. Bade , Linda Nancy Betz , Andrew Gregory Kegel , David R. Safford , Leendert Peter Van Doorn
发明人: Steven A. Bade , Linda Nancy Betz , Andrew Gregory Kegel , David R. Safford , Leendert Peter Van Doorn
IPC分类号: G06F11/30
CPC分类号: G06F21/575
摘要: Multiple trusted platform modules within a data processing system are used in a redundant manner that provides a reliable mechanism for securely storing secret data at rest that is used to bootstrap a system trusted platform module. A hypervisor requests each trusted platform module to encrypt a copy of the secret data, thereby generating multiple versions of encrypted secret data values, which are then stored within a non-volatile memory within the trusted platform. At some later point in time, the encrypted secret data values are retrieved, decrypted by the trusted platform module that performed the previous encryption, and then compared to each other. If any of the decrypted values do not match a quorum of values from the comparison operation, then a corresponding trusted platform module for a non-matching decrypted value is designated as defective because it has not been able to correctly decrypt a value that it previously encrypted.
摘要翻译: 以冗余的方式使用数据处理系统内的多个可信任的平台模块,其提供用于安全地存储用于引导系统可信平台模块的休息处的秘密数据的可靠机制。 管理程序请求每个可信平台模块加密秘密数据的副本,从而生成加密的秘密数据值的多个版本,然后存储在可信平台内的非易失性存储器中。 在稍后的时间点,加密的秘密数据值由执行先前加密的可信任平台模块进行解密,然后进行比较。 如果解密值中的任何一个与比较操作中的值的数量不匹配,则用于非匹配解密值的相应的可信平台模块被指定为有缺陷的,因为它不能正确解密之前加密的值 。
-
6.发明申请METHOD AND SYSTEM FOR BOOTSTRAPPING A TRUSTED SERVER HAVING REDUNDANT TRUSTED PLATFORM MODULES 有权用于引导具有冗余引导平台模块的有效服务器的方法和系统公开(公告)号:US20100070781A1
公开(公告)日:2010-03-18
申请号:US12621524
申请日:2009-11-19
申请人: Steven A. Bade , Linda Nancy Betz , Andrew Gregory Kegel , David R. Safford , Leendert Peter Van Doorn
发明人: Steven A. Bade , Linda Nancy Betz , Andrew Gregory Kegel , David R. Safford , Leendert Peter Van Doorn
IPC分类号: G06F11/30
CPC分类号: G06F21/575
摘要: Multiple trusted platform modules within a data processing system are used in a redundant manner that provides a reliable mechanism for securely storing secret data at rest that is used to bootstrap a system trusted platform module. A hypervisor requests each trusted platform module to encrypt a copy of the secret data, thereby generating multiple versions of encrypted secret data values, which are then stored within a non-volatile memory within the trusted platform. At some later point in time, the encrypted secret data values are retrieved, decrypted by the trusted platform module that performed the previous encryption, and then compared to each other. If any of the decrypted values do not match a quorum of values from the comparison operation, then a corresponding trusted platform module for a non-matching decrypted value is designated as defective because it has not been able to correctly decrypt a value that it previously encrypted.
摘要翻译: 以冗余的方式使用数据处理系统内的多个可信任的平台模块,其提供用于安全地存储用于引导系统可信平台模块的休息处的秘密数据的可靠机制。 管理程序请求每个可信平台模块加密秘密数据的副本,从而生成加密的秘密数据值的多个版本,然后存储在可信平台内的非易失性存储器中。 在稍后的时间点,加密的秘密数据值由执行先前加密的可信任平台模块进行解密,然后进行比较。 如果解密值中的任何一个与比较操作中的值的数量不匹配,则用于非匹配解密值的相应的可信平台模块被指定为有缺陷的,因为它不能正确解密其先前加密的值 。
-
7.发明授权Method and system for bootstrapping a trusted server having redundant trusted platform modules 失效用于引导具有冗余可信平台模块的可信服务器的方法和系统公开(公告)号:US07664965B2
公开(公告)日:2010-02-16
申请号:US10835498
申请日:2004-04-29
申请人: Steven A. Bade , Linda Nancy Betz , Andrew Gregory Kegel , David R. Safford , Leendert Peter Van Doorn
发明人: Steven A. Bade , Linda Nancy Betz , Andrew Gregory Kegel , David R. Safford , Leendert Peter Van Doorn
IPC分类号: G06F11/30
CPC分类号: G06F21/575
摘要: Multiple trusted platform modules within a data processing system are used in a redundant manner that provides a reliable mechanism for securely storing secret data at rest that is used to bootstrap a system trusted platform module. A hypervisor requests each trusted platform module to encrypt a copy of the secret data, thereby generating multiple versions of encrypted secret data values, which are then stored within a non-volatile memory within the trusted platform. At some later point in time, the encrypted secret data values are retrieved, decrypted by the trusted platform module that performed the previous encryption, and then compared to each other. If any of the decrypted values do not match a quorum of values from the comparison operation, then a corresponding trusted platform module for a non-matching decrypted value is designated as defective because it has not been able to correctly decrypt a value that it previously encrypted.
摘要翻译: 以冗余的方式使用数据处理系统内的多个可信任的平台模块,其提供用于安全地存储用于引导系统可信平台模块的休息处的秘密数据的可靠机制。 管理程序请求每个可信平台模块加密秘密数据的副本,从而生成加密的秘密数据值的多个版本,然后存储在可信平台内的非易失性存储器中。 在稍后的时间点,加密的秘密数据值由执行先前加密的可信任平台模块进行解密,然后进行比较。 如果解密值中的任何一个与比较操作中的值的数量不匹配,则用于非匹配解密值的相应的可信平台模块被指定为有缺陷的,因为它不能正确解密其先前加密的值 。
-
公开(公告)号:US07900059B2
公开(公告)日:2011-03-01
申请号:US11301803
申请日:2005-12-13
CPC分类号: G06F21/57
摘要: A method, system and computer program product for implementing general purpose PCRs with extended semantics (referred to herein as “ePCRs”) in a trusted, measured software module. The module is designed to run in one of a hypervisor context, an isolated partition, or under other isolated configurations. Because the software module is provided using trusted (measured) code, the software implementing the PCRs is able to run as a simple software process in the operating system (OS), as long as the software is first measured and logged. The software-implemented ePCRs are generated as needed to record specific measurements of the software and hardware elements on which an application depends, and the ePCRs are able to ignore other non-dependencies.
摘要翻译: 一种用于在可信测量的软件模块中实现具有扩展语义(在本文中称为“ePCR”)的通用PCR的方法,系统和计算机程序产品。 该模块设计为在虚拟机管理程序上下文,隔离分区或其他隔离配置之一下运行。 由于使用可信(测量)代码提供软件模块,所以实施PCR的软件只要首先测量和记录软件,就可以在操作系统(OS)中作为简单的软件过程运行。 根据需要生成软件实现的ePCR,以记录应用程序所依赖的软件和硬件元素的特定测量,ePCR可以忽略其他不依赖性。
-
9.发明授权Establishing virtual endorsement credentials for dynamically generated endorsement keys in a trusted computing platform 有权在可信计算平台中为动态生成的认可密钥建立虚拟认可凭据公开(公告)号:US08549592B2
公开(公告)日:2013-10-01
申请号:US11179238
申请日:2005-07-12
IPC分类号: H04L29/06
CPC分类号: G06F21/57 , H04L9/0877 , H04L9/321 , H04L9/3234 , H04L9/3263
摘要: A method and apparatus are disclosed in a data processing system for establishing virtual endorsement credentials. The data processing system includes a hardware trusted platform module (TPM). Logical partitions are generated in the system. A different virtual TPM is generated for each one of the logical partitions. For each one of the logical partitions, the virtual TPM that was generated for the logical partition then dynamically generates a virtual endorsement key, which is stored only within a corresponding virtual TPM. Using the virtual endorsement key, each virtual TPM also generates a virtual endorsement credential for use by the logical partition that includes the virtual TPM. The virtual endorsement credential is generated within the data processing system without the data processing system or its devices accessing a trusted third party that is external to the data processing system.
摘要翻译: 在用于建立虚拟背书凭证的数据处理系统中公开了一种方法和装置。 数据处理系统包括硬件可信平台模块(TPM)。 逻辑分区在系统中生成。 为每个逻辑分区生成不同的虚拟TPM。 对于逻辑分区中的每一个,为逻辑分区生成的虚拟TPM然后动态地生成仅存储在相应虚拟TPM内的虚拟签名密钥。 使用虚拟认可密钥,每个虚拟TPM还生成供包括虚拟TPM的逻辑分区使用的虚拟签注凭证。 在数据处理系统内生成虚拟签注凭证,而数据处理系统或其设备访问数据处理系统外部的受信任的第三方。
-
10.发明授权Protocol for trusted platform module recovery through context checkpointing 有权通过上下文检查点对可信平台模块进行恢复的协议公开(公告)号:US07624283B2
公开(公告)日:2009-11-24
申请号:US11352762
申请日:2006-02-13
CPC分类号: G06F21/57
摘要: A computer implemented method for recovering a partition context in the event of a system or hardware device failure. Upon receiving a command from a partition to modify context data in a trusted platform module (TPM) hardware device, a trusted platform module input/output host partition (TMPIOP) provides an encrypted copy of the context data and the command to the TPM hardware device, which processes the command and updates the context data. If the TPM hardware device successfully processes the command, the TMPIOP receives the updated context data from the TPM hardware device and stores the updated context data received in encrypted form in a context data cache or a non-volatile storage off-board the TPM hardware device. If the TPM hardware device fails to successfully process the command, the TMPIOP uses a last valid copy of the context data to retry processing of the command on a different TPM hardware device.
摘要翻译: 一种用于在系统或硬件设备故障的情况下恢复分区上下文的计算机实现的方法。 信任平台模块输入/输出主机分区(TMPIOP)在接收到来自分区的命令以修改可信平台模块(TPM)硬件设备中的上下文数据时,将上下文数据的加密副本提供给TPM硬件设备 ,它处理命令并更新上下文数据。 如果TPM硬件设备成功地处理该命令,则TMPIOP从TPM硬件设备接收更新的上下文数据,并将以加密形式接收到的更新的上下文数据存储在上行数据高速缓存或TPM硬件设备的非易失性存储器 。 如果TPM硬件设备无法成功处理该命令,则TMPIOP将使用上一个上下文数据的最后一个有效副本来重试不同TPM硬件设备上的命令处理。
-
-
-
-
-
-
-
-
-
搜索结果
51 条记录 (耗时 0.026 秒)
