TECHNOLOGIES FOR END-TO-END BIOMETRIC-BASED AUTHENTICATION AND PLATFORM LOCALITY ASSERTION
    1.
    Invention application (status: under examination, published)

    Publication number: WO2017062128A2

    Publication date: 2017-04-13

    Application number: PCT/US2016/050762

    Application date: 2016-09-08

    CPC classification number: H04L9/3231 H04L9/0816 H04L9/0825

    Abstract: Technologies for end-to-end biometric-based authentication and locality assertion include a computing device with one or more biometric devices. The computing device may securely exchange a key between a driver and a secure enclave. The driver may receive biometric data from the biometric sensor in a virtualization-protected memory buffer and encrypt the biometric data with the shared key. The secure enclave may decrypt the biometric data and perform a biometric authentication operation. The computing device may measure a virtual machine monitor (VMM) to generate attestation information for the VMM. A secure enclave may execute a virtualization report instruction to request the attestation information. The processor may copy the attestation information into the secure enclave memory. The secure enclave may verify the attestation information with a remote attestation server. If verified, the secure enclave may provide a shared secret to the VMM. Other embodiments are described and claimed.


    PLATFORM FIRMWARE ARMORING TECHNOLOGY
    2.
    Invention application (status: under examination, published)

    Publication number: WO2012039971A2

    Publication date: 2012-03-29

    Application number: PCT/US2011/051160

    Application date: 2011-09-12

    Abstract: A method, apparatus, method, machine-readable medium, and system are disclosed. In one embodiment the method includes is a processor. The processor includes switching a platform firmware update mechanism located in a computer platform to a platform firmware armoring technology (PFAT) mode on a boot of the computer platform. The computer platform includes a platform firmware storage location that stores a platform firmware. The method then persistently locks the platform firmware storage location in response to the platform firmware update mechanism switching to the PFAT mode. When persistently locked, writes are only allowed to the platform firmware storage location by an Authenticated Code Module in the running platform and only after a platform firmware update mechanism unlocking procedure.


    BINDING A TRUSTED INPUT SESSION TO A TRUSTED OUTPUT SESSION
    3.
    Invention application (status: under examination, published)

    Publication number: WO2016209548A1

    Publication date: 2016-12-29

    Application number: PCT/US2016/034699

    Application date: 2016-05-27

    Abstract: According to an embodiment provided herein, there is provided a system that binds a trusted output session to a trusted input session. The system includes a processor to execute an enclave application in an architecturally protected memory. The system includes at least one logic unit forming a trusted entity to, responsive to a request to set up a trusted I/O session, generate a unique session identifier logically associated with the trusted I/O session and set a trusted I/O session indicator to a first state. The system includes at least one logic unit forming a cryptographic module to, responsive to the request to set up the trusted I/O session, receive an encrypted encryption key and the unique session identifier from the enclave application; verify the unique session identifier; and responsive to a successful verification, decrypt and save the decrypted encryption key in an encryption key register.

