公开(公告)号：US08549288B2

公开(公告)日：2013-10-01

申请号：US12128952

申请日：2008-05-29

申请人： Steven A. Bade ,  Stefan Berger ,  Kenneth Alan Goldman ,  Ronald Perez ,  Reiner Sailer ,  Leendert Peter Van Doorn

发明人： Steven A. Bade ,  Stefan Berger ,  Kenneth Alan Goldman ,  Ronald Perez ,  Reiner Sailer ,  Leendert Peter Van Doorn

IPC分类号： H04L29/06

CPC分类号： G06F21/57

摘要： A trusted platform module is presented that is capable of creating, dynamically, multiple virtual trusted platform modules in a hierarchical organization. A trusted platform module domain is created. The trusted platform module creates virtual trusted platform modules, as needed, in the trusted platform module domain. The virtual trusted platform modules can inherit the permissions of a parent trusted platform module to have the ability to create virtual trusted platform modules themselves. Each virtual trusted platform module is associated with a specific partition. Each partition is associated with an individual operating system. The hierarchy of created operating systems and their privilege of spawning new operating systems is reflected in the hierarchy of trusted platform modules and the privileges each of the trusted platform modules has.

摘要翻译： 提出了一种可信任的平台模块，能够在层次结构中动态创建多个虚拟可信平台模块。 创建可信平台模块域。 可信平台模块根据需要在可信平台模块域中创建虚拟可信平台模块。 虚拟可信平台模块可以继承父信任平台模块的权限，以便能够自己创建虚拟可信平台模块。 每个虚拟可信平台模块与特定分区关联。 每个分区与单个操作系统相关联。 创建的操作系统的层次结构及其产生新操作系统的特权体现在可信平台模块的层次结构和每个可信平台模块所具有的特权上。

公开(公告)号：US20080235804A1

公开(公告)日：2008-09-25

申请号：US12128952

申请日：2008-05-29

申请人： Steven A. Bade ,  Stefan Berger ,  Kenneth Alan Goldman ,  Ronald Perez ,  Reiner Sailer ,  Leendert Peter Van Doorn

发明人： Steven A. Bade ,  Stefan Berger ,  Kenneth Alan Goldman ,  Ronald Perez ,  Reiner Sailer ,  Leendert Peter Van Doorn

IPC分类号： G06F21/00

CPC分类号： G06F21/57

摘要： A trusted platform module is presented that is capable of creating, dynamically, multiple virtual trusted platform modules in a hierarchical organization. A trusted platform module domain is created. The trusted platform module creates virtual trusted platform modules, as needed, in the trusted platform module domain. The virtual trusted platform modules can inherit the permissions of a parent trusted platform module to have the ability to create virtual trusted platform modules themselves. Each virtual trusted platform module is associated with a specific partition. Each partition is associated with an individual operating system. The hierarchy of created operating systems and their privilege of spawning new operating systems is reflected in the hierarchy of trusted platform modules and the privileges each of the trusted platform modules has.

摘要翻译： 提出了一种可信任的平台模块，能够在层次结构中动态创建多个虚拟可信平台模块。 创建可信平台模块域。 可信平台模块根据需要在可信平台模块域中创建虚拟可信平台模块。 虚拟可信平台模块可以继承父信任平台模块的权限，以便能够自己创建虚拟可信平台模块。 每个虚拟可信平台模块与特定分区关联。 每个分区与单个操作系统相关联。 创建的操作系统的层次结构及其产生新操作系统的特权体现在可信平台模块的层次结构和每个可信平台模块所具有的特权上。

公开(公告)号：US08615788B2

公开(公告)日：2013-12-24

申请号：US12539912

申请日：2009-08-12

申请人： Stefan Berger ,  Ramon Caceres ,  Kenneth Alan Goldman ,  Ronald Perez ,  Reiner Sailer ,  Deepa Srinivasan

发明人： Stefan Berger ,  Ramon Caceres ,  Kenneth Alan Goldman ,  Ronald Perez ,  Reiner Sailer ,  Deepa Srinivasan

IPC分类号： G06F7/04 ,  G06F9/00 ,  G06F12/14 ,  G06F15/177 ,  G06F17/30 ,  H04L9/32

CPC分类号： G06F21/57 ,  G06F9/45558 ,  G06F21/53 ,  G06F2009/4557 ,  G06F2009/45587 ,  G06F2221/2101

摘要： A computer implemented method for logging extensions to platform configuration registers inside a trusted platform module instance is provided. A request to extend the current state of at least one of a plurality of platform configuration register is received. At least one platform configuration register within the trusted platform module instance is extended. The extension of the at least one platform configuration register is logged inside the trusted platform module instance as a logged entry by storing at least a tuple of platform configuration register indexes and hash values used for extending the platform configuration register. Information about new entries in the consolidated logs can be retrieved by polling or by subscribing to events that are automatically generated. A report of an extend operation and its logged hash value is sent to subscribers interested in receiving notifications of extend operations on a set of PCR registers.

摘要翻译： 提供了一种用于在可信平台模块实例内记录扩展到平台配置寄存器的计算机实现的方法。 接收到扩展多个平台配置寄存器中的至少一个的当前状态的请求。 可信平台模块实例中至少有一个平台配置寄存器被扩展。 至少一个平台配置寄存器的扩展通过存储用于扩展平台配置寄存器的平台配置寄存器索引和散列值的至少一个元组来记录在可信平台模块实例内作为记录条目。 可以通过轮询或订阅自动生成的事件来检索关于合并日志中的新条目的信息。 扩展操作的报告及其记录的哈希值被发送给有兴趣接收一组PCR寄存器的扩展操作通知的用户。

公开(公告)号：US20110040957A1

公开(公告)日：2011-02-17

申请号：US12539912

申请日：2009-08-12

申请人： Stefan Berger ,  Ramon Caceres ,  Kenneth Alan Goldman ,  Ronald Perez ,  Reiner Sailer ,  Deepa Srinivasan

发明人： Stefan Berger ,  Ramon Caceres ,  Kenneth Alan Goldman ,  Ronald Perez ,  Reiner Sailer ,  Deepa Srinivasan

IPC分类号： G06F9/00

CPC分类号： G06F21/57 ,  G06F9/45558 ,  G06F21/53 ,  G06F2009/4557 ,  G06F2009/45587 ,  G06F2221/2101

摘要： A computer implemented method for logging extensions to platform configuration registers inside a trusted platform module instance is provided. A request to extend the current state of at least one of a plurality of platform configuration register is received. At least one platform configuration register within the trusted platform module instance is extended. The extension of the at least one platform configuration register is logged inside the trusted platform module instance as a logged entry by storing at least a tuple of platform configuration register indexes and hash values used for extending the platform configuration register. Information about new entries in the consolidated logs can be retrieved by polling or by subscribing to events that are automatically generated. A report of an extend operation and its logged hash value is sent to subscribers interested in receiving notifications of extend operations on a set of PCR registers.

摘要翻译： 提供了一种用于在可信平台模块实例内记录扩展到平台配置寄存器的计算机实现的方法。 接收到扩展多个平台配置寄存器中的至少一个的当前状态的请求。 可信平台模块实例中至少有一个平台配置寄存器被扩展。 至少一个平台配置寄存器的扩展通过存储用于扩展平台配置寄存器的平台配置寄存器索引和散列值的至少一个元组来记录在可信平台模块实例内作为记录条目。 可以通过轮询或订阅自动生成的事件来检索关于合并日志中的新条目的信息。 扩展操作的报告及其记录的哈希值被发送给有兴趣接收一组PCR寄存器的扩展操作通知的用户。

公开(公告)号：US20080235372A1

公开(公告)日：2008-09-25

申请号：US12131184

申请日：2008-06-02

申请人： Reiner Sailer ,  Leendert Peter van Doorn ,  Xiaolan Zhang

发明人： Reiner Sailer ,  Leendert Peter van Doorn ,  Xiaolan Zhang

IPC分类号： G06F15/173

CPC分类号： G06F21/577

摘要： A system and method for providing attestation and/or integrity of a server execution environment are described. One or more parts of a server environment are selected for measurement. The one or more parts in a server execution environment are measured, and the measurements result in a unique fingerprint for each respective selected part. The unique fingerprints are aggregated by an aggregation function to create an aggregated value, which is determinative of running programs in the server environment. A measurement parameter may include the unique fingerprints, the aggregated value or a base system value and may be sent over a network interface to indicate the server environment status or state.

摘要翻译： 描述了用于提供服务器执行环境的证明和/或完整性的系统和方法。 选择服务器环境的一个或多个部分进行测量。 测量服务器执行环境中的一个或多个部分，并且测量结果为每个相应的选定部分产生唯一的指纹。 唯一的指纹通过聚合功能进行聚合，以创建聚合值，这决定了在服务器环境中运行的程序。 测量参数可以包括唯一指纹，聚合值或基本系统值，并且可以通过网络接口发送以指示服务器环境状态或状态。

公开(公告)号：US07882221B2

公开(公告)日：2011-02-01

申请号：US12131184

申请日：2008-06-02

申请人： Reiner Sailer ,  Leendert Peter van Doorn ,  Xiaolan Zhang

发明人： Reiner Sailer ,  Leendert Peter van Doorn ,  Xiaolan Zhang

IPC分类号： G06F15/173

CPC分类号： G06F21/577

摘要： A system and method for providing attestation and/or integrity of a server execution environment are described. One or more parts of a server environment are selected for measurement. The one or more parts in a server execution environment are measured, and the measurements result in a unique fingerprint for each respective selected part. The unique fingerprints are aggregated by an aggregation function to create an aggregated value, which is determinative of running programs in the server environment. A measurement parameter may include the unique fingerprints, the aggregated value or a base system value and may be sent over a network interface to indicate the server environment status or state.

摘要翻译： 描述了用于提供服务器执行环境的证明和/或完整性的系统和方法。 选择服务器环境的一个或多个部分进行测量。 测量服务器执行环境中的一个或多个部分，并且测量结果为每个相应的选定部分产生唯一的指纹。 唯一的指纹通过聚合功能进行聚合，以创建聚合值，这决定了在服务器环境中运行的程序。 测量参数可以包括唯一指纹，聚合值或基本系统值，并且可以通过网络接口发送以指示服务器环境状态或状态。

公开(公告)号：US09298922B2

公开(公告)日：2016-03-29

申请号：US12170504

申请日：2008-07-10

申请人： Stefan Berger ,  Kenneth Goldman ,  Trenton R. Jaeger ,  Ronald Perez ,  Reiner Sailer ,  Enriquillo Valdez

发明人： Stefan Berger ,  Kenneth Goldman ,  Trenton R. Jaeger ,  Ronald Perez ,  Reiner Sailer ,  Enriquillo Valdez

IPC分类号： G06F21/57 ,  H04L9/32 ,  H04L29/06

CPC分类号： G06F21/57 ,  H04L9/3271 ,  H04L63/0428 ,  H04L63/06 ,  H04L63/0823 ,  H04L63/0853 ,  H04L63/1433 ,  H04L63/164 ,  H04L63/166 ,  H04L2209/127

摘要： A method, system, and program product for remotely attesting to a state of computing system is provided. Specifically, the present invention allows a remote system to establish trust in the properties of the computer system. The properties to be trusted are expanded from the usual system software layers and related configuration files to novel types of data such as static data specific to the computer system, dynamic data determined at system startup, or dynamic data created as the computer system runs applications.

摘要翻译： 提供了一种用于远程验证计算系统状态的方法，系统和程序产品。 具体地，本发明允许远程系统建立对计算机系统的属性的信任。 要被信任的属性从通常的系统软件层和相关的配置文件扩展到新的类型的数据，例如计算机系统特有的静态数据，在系统启动时确定的动态数据，或者作为计算机系统运行应用程序创建的动态数据。

公开(公告)号：US20080178176A1

公开(公告)日：2008-07-24

申请号：US11624911

申请日：2007-01-19

申请人： Stefan Berger ,  Kenneth A. Goldman ,  Ronald Perez ,  Reiner Sailer

发明人： Stefan Berger ,  Kenneth A. Goldman ,  Ronald Perez ,  Reiner Sailer

IPC分类号： G06F9/00 ,  G06F9/455

CPC分类号： G06F9/45558 ,  G06F2009/45566 ,  G06F2009/45587

摘要： The presented method allows a virtual TRUSTED PLATFORM MODULE (TPM) instance to map the Platform Configuration Registers (PCR) register state of a parent virtual TPM instance into its own register space and export the state of those registers to applications inside the virtual machine associated with the virtual TPM instance. Through the mapping of PCR registers, the procedure of attesting to the overall state of a virtual machine can be accelerated, since the state of all measurements relevant to the trustworthiness of a virtual machine are all visible in the combined view of mapped and non-mapped PCR registers. Registers that are mapped into the register space of a virtual TPM instance reflect the state of trustworthiness of those virtual machines that were involved in the creation of the virtual machine that is being challenged.

摘要翻译： 所提出的方法允许虚拟TRUSTED PLATFORM MODULE（TPM）实例将父虚拟TPM实例的平台配置寄存器（PCR）寄存器状态映射到其自己的寄存器空间中，并将这些寄存器的状态导出到与虚拟机相关联的虚拟机内的应用 虚拟TPM实例。 通过PCR寄存器的映射，可以加速验证虚拟机的整体状态的过程，因为与虚拟机的可信赖度相关的所有测量的状态在映射和未映射的组合视图中都是可见的 PCR寄存器。 映射到虚拟TPM实例的寄存器空间的寄存器反映了参与创建正在受到挑战的虚拟机的虚拟机的可信赖状态。

公开(公告)号：US07840801B2

公开(公告)日：2010-11-23

申请号：US11624911

申请日：2007-01-19

申请人： Stefan Berger ,  Kenneth A. Goldman ,  Ronald Perez ,  Reiner Sailer

发明人： Stefan Berger ,  Kenneth A. Goldman ,  Ronald Perez ,  Reiner Sailer

IPC分类号： G06F9/445 ,  H04L29/10 ,  G06F15/177

CPC分类号： G06F9/45558 ,  G06F2009/45566 ,  G06F2009/45587

摘要： The presented method allows a virtual TRUSTED PLATFORM MODULE (TPM) instance to map the Platform Configuration Registers (PCR) register state of a parent virtual TPM instance into its own register space and export the state of those registers to applications inside the virtual machine associated with the virtual TPM instance. Through the mapping of PCR registers, the procedure of attesting to the overall state of a virtual machine can be accelerated, since the state of all measurements relevant to the trustworthiness of a virtual machine are all visible in the combined view of mapped and non-mapped PCR registers. Registers that are mapped into the register space of a virtual TPM instance reflect the state of trustworthiness of those virtual machines that were involved in the creation of the virtual machine that is being challenged.

摘要翻译： 所提出的方法允许虚拟TRUSTED PLATFORM MODULE（TPM）实例将父虚拟TPM实例的平台配置寄存器（PCR）寄存器状态映射到其自己的寄存器空间中，并将这些寄存器的状态导出到与虚拟机相关联的虚拟机内的应用 虚拟TPM实例。 通过PCR寄存器的映射，可以加速验证虚拟机整体状态的过程，因为与映射和未映射的组合视图中虚拟机的可信赖性相关的所有测量的状态都是可见的 PCR寄存器。 映射到虚拟TPM实例的寄存器空间的寄存器反映了参与创建正在受到挑战的虚拟机的虚拟机的可信赖状态。

公开(公告)号：US07856653B2

公开(公告)日：2010-12-21

申请号：US11392349

申请日：2006-03-29

申请人： Stefan Berger ,  Trent Ray Jaeger ,  Ronald Perez ,  Reiner Sailer ,  Enriquillo Valdez

发明人： Stefan Berger ,  Trent Ray Jaeger ,  Ronald Perez ,  Reiner Sailer ,  Enriquillo Valdez

IPC分类号： G06F17/00

CPC分类号： H04L63/102 ,  H04L63/12

摘要： A scheme for protecting policy state information during the lifetime of a virtual machine is presented. In order to protect and preserve the policy state information of the virtual machine, a process creates a source policy, a mapping policy, and a binary policy. These policies are all different representations of a security policy. The different policy representations are chained together via cryptographic hashes.

摘要翻译： 提出了一种在虚拟机生命周期内保护策略状态信息的方案。 为了保护和保存虚拟机的策略状态信息，进程创建源策略，映射策略和二进制策略。 这些策略都是安全策略的不同表示形式。 不同的策略表示通过加密散列链接在一​​起。