摘要:
A trusted platform module is presented that is capable of creating, dynamically, multiple virtual trusted platform modules in a hierarchical organization. A trusted platform module domain is created. The trusted platform module creates virtual trusted platform modules, as needed, in the trusted platform module domain. The virtual trusted platform modules can inherit the permissions of a parent trusted platform module to have the ability to create virtual trusted platform modules themselves. Each virtual trusted platform module is associated with a specific partition. Each partition is associated with an individual operating system. The hierarchy of created operating systems and their privilege of spawning new operating systems is reflected in the hierarchy of trusted platform modules and the privileges each of the trusted platform modules has.
摘要:
A trusted platform module is presented that is capable of creating, dynamically, multiple virtual trusted platform modules in a hierarchical organization. A trusted platform module domain is created. The trusted platform module creates virtual trusted platform modules, as needed, in the trusted platform module domain. The virtual trusted platform modules can inherit the permissions of a parent trusted platform module to have the ability to create virtual trusted platform modules themselves. Each virtual trusted platform module is associated with a specific partition. Each partition is associated with an individual operating system. The hierarchy of created operating systems and their privilege of spawning new operating systems is reflected in the hierarchy of trusted platform modules and the privileges each of the trusted platform modules has.
摘要:
A computer implemented method for logging extensions to platform configuration registers inside a trusted platform module instance is provided. A request to extend the current state of at least one of a plurality of platform configuration register is received. At least one platform configuration register within the trusted platform module instance is extended. The extension of the at least one platform configuration register is logged inside the trusted platform module instance as a logged entry by storing at least a tuple of platform configuration register indexes and hash values used for extending the platform configuration register. Information about new entries in the consolidated logs can be retrieved by polling or by subscribing to events that are automatically generated. A report of an extend operation and its logged hash value is sent to subscribers interested in receiving notifications of extend operations on a set of PCR registers.
摘要:
A computer implemented method for logging extensions to platform configuration registers inside a trusted platform module instance is provided. A request to extend the current state of at least one of a plurality of platform configuration register is received. At least one platform configuration register within the trusted platform module instance is extended. The extension of the at least one platform configuration register is logged inside the trusted platform module instance as a logged entry by storing at least a tuple of platform configuration register indexes and hash values used for extending the platform configuration register. Information about new entries in the consolidated logs can be retrieved by polling or by subscribing to events that are automatically generated. A report of an extend operation and its logged hash value is sent to subscribers interested in receiving notifications of extend operations on a set of PCR registers.
摘要:
A system and method for providing attestation and/or integrity of a server execution environment are described. One or more parts of a server environment are selected for measurement. The one or more parts in a server execution environment are measured, and the measurements result in a unique fingerprint for each respective selected part. The unique fingerprints are aggregated by an aggregation function to create an aggregated value, which is determinative of running programs in the server environment. A measurement parameter may include the unique fingerprints, the aggregated value or a base system value and may be sent over a network interface to indicate the server environment status or state.
摘要:
A system and method for providing attestation and/or integrity of a server execution environment are described. One or more parts of a server environment are selected for measurement. The one or more parts in a server execution environment are measured, and the measurements result in a unique fingerprint for each respective selected part. The unique fingerprints are aggregated by an aggregation function to create an aggregated value, which is determinative of running programs in the server environment. A measurement parameter may include the unique fingerprints, the aggregated value or a base system value and may be sent over a network interface to indicate the server environment status or state.
摘要:
A method, system, and program product for remotely attesting to a state of computing system is provided. Specifically, the present invention allows a remote system to establish trust in the properties of the computer system. The properties to be trusted are expanded from the usual system software layers and related configuration files to novel types of data such as static data specific to the computer system, dynamic data determined at system startup, or dynamic data created as the computer system runs applications.
摘要:
The presented method allows a virtual TRUSTED PLATFORM MODULE (TPM) instance to map the Platform Configuration Registers (PCR) register state of a parent virtual TPM instance into its own register space and export the state of those registers to applications inside the virtual machine associated with the virtual TPM instance. Through the mapping of PCR registers, the procedure of attesting to the overall state of a virtual machine can be accelerated, since the state of all measurements relevant to the trustworthiness of a virtual machine are all visible in the combined view of mapped and non-mapped PCR registers. Registers that are mapped into the register space of a virtual TPM instance reflect the state of trustworthiness of those virtual machines that were involved in the creation of the virtual machine that is being challenged.
摘要:
The presented method allows a virtual TRUSTED PLATFORM MODULE (TPM) instance to map the Platform Configuration Registers (PCR) register state of a parent virtual TPM instance into its own register space and export the state of those registers to applications inside the virtual machine associated with the virtual TPM instance. Through the mapping of PCR registers, the procedure of attesting to the overall state of a virtual machine can be accelerated, since the state of all measurements relevant to the trustworthiness of a virtual machine are all visible in the combined view of mapped and non-mapped PCR registers. Registers that are mapped into the register space of a virtual TPM instance reflect the state of trustworthiness of those virtual machines that were involved in the creation of the virtual machine that is being challenged.
摘要:
A scheme for protecting policy state information during the lifetime of a virtual machine is presented. In order to protect and preserve the policy state information of the virtual machine, a process creates a source policy, a mapping policy, and a binary policy. These policies are all different representations of a security policy. The different policy representations are chained together via cryptographic hashes.