US20060010326A1 - Method for extending the CRTM in a trusted platform - Google Patents

Method for extending the CRTM in a trusted platform

Info

Publication number
US20060010326A1
Authority
US
United States
Prior art keywords
module
core root
trust measurement
crtm
platform
Legal status (as listed by Google Patents; not a legal conclusion)
Abandoned
Application number
US10/887,441
Inventor
Steven Bade
Ronald Perez
Leendert Van Doorn
Helmut Weber
Current Assignee (as listed by Google Patents; may be inaccurate)
International Business Machines Corp
Original Assignee
International Business Machines Corp
Application filed by International Business Machines Corp
Priority to US10/887,441
Assigned to INTERNATIONAL BUSINESS MACHNINES CORPORATION: assignment of assignors' interest (see document for details). Assignors: WEBER, HELMUT H.; BADE, STEVEN A.; PEREZ, RONALD; VAN DOORN, LEENDERT PETER
Publication of US20060010326A1
Priority to US12/059,274 (US8185750B2)
Legal status: Abandoned (current)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/572 Secure firmware programming, e.g. of basic input output system [BIOS]

Definitions

  • Data processing system 200 is an example of a client computer, such as clients 108, 110, and 112 shown in FIG. 1.
  • Data processing system 200 employs a peripheral component interconnect (PCI) local bus architecture. Although the depicted example employs a PCI bus, other bus architectures such as Accelerated Graphics Port (AGP) and Industry Standard Architecture (ISA) may be used.
  • Processor 202 and main memory 204 are connected to PCI local bus 206 through PCI bridge 208, which also may include an integrated memory controller and cache memory for processor 202.
  • Additional connections to PCI local bus 206 may be made through direct component interconnection or through add-in boards.
  • In the depicted example, local area network (LAN) adapter 210, small computer system interface (SCSI) host bus adapter 212, and expansion bus interface 214 are connected to PCI local bus 206 by direct component connection. Audio adapter 216, graphics adapter 218, and audio/video adapter 219 are connected to PCI local bus 206 by add-in boards inserted into expansion slots.
  • Expansion bus interface 214 provides a connection for keyboard and mouse adapter 220, modem 222, and additional memory 224. SCSI host bus adapter 212 provides a connection for hard disk drive 226, tape drive 228, and CD-ROM drive 230. Typical PCI local bus implementations support three or four PCI expansion slots or add-in connectors.
  • An operating system runs on processor 202 and coordinates and controls the various components within data processing system 200. The operating system may be a commercially available operating system, such as Windows XP from Microsoft Corporation. An object-oriented programming system such as Java may run in conjunction with the operating system and provide calls to the operating system from Java programs or applications executing on data processing system 200 ("Java" is a trademark of Sun Microsystems, Inc.). Instructions for the operating system, the object-oriented programming system, and applications or programs are located on storage devices such as hard disk drive 226 and may be loaded into main memory 204 for execution by processor 202.
  • The hardware depicted in FIG. 2 may vary depending on the implementation. Other internal hardware or peripheral devices, such as flash read-only memory (ROM), equivalent nonvolatile memory, or optical disk drives, may be used in addition to or in place of the hardware depicted. The processes of the present invention may also be applied to a multiprocessor data processing system.
  • The present invention allows the functionality of the existing CRTM to be enhanced: the mechanism extends the CRTM by allowing platform manufacturer controlled and certified code to be incorporated into the function of the CRTM.
  • Because the extended CRTM contains only code that is owned and controlled by the platform manufacturer, it meets the requirements for updating the CRTM, and it may be updated under a manufacturer-defined policy.
  • The extension of the CRTM is reflected in the system's state by extending the platform configuration register (PCR) into which the CRTM itself is measured.
  • Each platform comprises a core root of trust for measurement (CRTM), such as CRTM 330 in FIG. 3 described below. A trusted platform starts execution from its CRTM, which thereby forms the basis, or root, for trusting the integrity of the software execution state within the trusted platform.
  • The software that the CRTM loads and executes is measured and logged, contributing to the trusted platform's integrity measurements. An integrity measurement is data that reflects the integrity of the software state on a trusted platform; each subsequent software element or configuration element is measured before execution control is passed to it, so the collective chain of measurements represents the integrity of the trusted platform.
  • A representation of the chain of integrity measurements is stored within the trusted platform module, in association with a log of every relevant event.
  • At build time, the firmware or software module for the trusted platform is compiled. The build process measures integrity metrics by generating a hash of the firmware or software it is measuring, and a determination is made as to whether the image is to be a CRTM extension. If so, a digital signature of the module is created using the CRTM extension private key, and the signature block is added to the firmware module.
  • At boot time, the CRTM executing on the processor determines whether the firmware or software module is signed. If a signature is found, the base CRTM validates it against the public portion of the manufacturer's CRTM extension key. If the module was signed by the CRTM extension private key, an entry is made in the platform configuration register (PCR), which contains a representation of the "chain" of integrity measurements.
  • A PCR is a storage location that reflects the aggregate of the system's measurement state. Because the PCR is an aggregate, it protects the integrity of the measurement log, which holds the discrete measurement events: a verifier can replay the log and check that the result matches the PCR value.
  • FIG. 3 is a block diagram depicting some of the components in a data processing system constructed using a model of a trusted platform architecture. Trusted platform architectures may be implemented for particular computational environments or for particular classes of devices; FIG. 3 depicts a trusted platform architecture in accordance with the TCG's PC-specific implementation specification.
  • System 300 supports execution of software components, such as operating system 302, applications 304, and drivers 306, on its platform 308. The software components may be received through a network, such as network 102 shown in FIG. 1, or may be stored, for example, on hard disk 310.
  • Platform 308 receives electrical power from power supply 312 for executing the software components on add-on cards 314 and motherboard 316, which includes typical components for executing software, such as CPU 318 and memory 320, although motherboard 316 may include multiple CPUs. Interfaces 322 connect motherboard 316 to other hardware components within system 300, and firmware 324 contains POST BIOS (power-on self-test basic input/output system) 326.
  • Motherboard 316 also comprises trusted building block (TBB) 328; motherboard 316 is supplied by a manufacturer with TBB 328 and other components physically or logically attached and supplied by the manufacturer. TBB 328 comprises the combination of the core root of trust for measurement (CRTM) component 330, the trusted platform module (TPM) 332, the connection of the CRTM to motherboard 316, and the connection of the TPM to motherboard 316.
  • CRTM 330 is an immutable portion of the platform's initialization code that executes upon a platform reset; the platform's execution must begin at the CRTM upon any platform reset event. Trust in the platform is based on the CRTM and the behavior of the TPM, and trust in all measurements is based on the integrity of the CRTM.
  • The BIOS may be assumed to include a BIOS Boot Block and POST BIOS 326; these are independent components that can be updated independently of each other, and the manufacturer must control the update, modification, and maintenance of the BIOS Boot Block. The CRTM may be assumed to be the BIOS Boot Block, with the POST BIOS a measured component of the chain of trust. Alternatively, the CRTM may comprise the entire BIOS.
  • FIG. 4 is a block diagram of a known trusted platform module. Trusted platform module 400 comprises input/output component 402, which manages information flow over communications bus 404 by performing appropriate protocol encoding/decoding operations and routing messages to the appropriate components.
  • Cryptographic co-processor 406 performs cryptographic operations within the trusted platform module. Key generator 408 creates symmetric keys and RSA asymmetric cryptographic key pairs.
  • HMAC engine 410 performs HMAC (Keyed-Hashing for Message Authentication) calculations, whereby message authentication codes are computed using secret keys as integrity checks to validate information transmitted between two parties, e.g., in accordance with Krawczyk et al., "HMAC: Keyed-Hashing for Message Authentication", Request for Comments (RFC) 2104, Internet Engineering Task Force (IETF), February 1997.
  • Random number generator 412 acts as a source of randomness for the computation of various values, such as keys. SHA-1 engine 414 implements the SHA-1 hash algorithm.
  • Power detector 416 manages the power states of the trusted platform module in association with the power states of the platform. Opt-in component 418 maintains the state of persistent and volatile flags and enforces the semantics associated with those flags, so that the trusted platform module may be enabled and disabled.
  • Execution engine 420 runs program code to execute the commands that the trusted platform module receives through input/output component 402.
  • Non-volatile memory 422 stores persistent identity and state associated with the trusted platform module; it may store static data items but is also available for storing dynamic data items by entities authorized by the trusted platform module owner. Volatile memory 424 stores dynamic data items.
  • FIG. 5 is a flowchart of a process for facilitating the creation of an extension of the CRTM in accordance with a preferred embodiment of the present invention. The platform manufacturer uses a digital signature block to indicate to the executing CRTM that a new function is an extension of the CRTM.
  • The process of FIG. 5 is carried out within the platform manufacturer's environment and may be implemented in a data processing system such as data processing system 200 in FIG. 2. No policy decision is made in the steps of FIG. 5.
  • The process begins with compiling the firmware or software module (step 502). As a manufacturer controlled process, compiling the module is independent of the CRTM or other aspects of trusted computing.
  • The build process then hashes the firmware image compiled in step 502; the hash value provides a fingerprint, or shorthand representation, of the module image.
  • A determination is then made as to whether the hash of the firmware image is to be an extension of the CRTM (step 506). If not, the firmware is released (shipped) (step 512).
  • If so, the build process uses the CRTM extension private key to create the digital signature of the firmware module (step 508). This signature value is attached to the module (step 510) and the firmware is released (shipped) (step 512).
  • FIG. 6 is a flowchart of a process for applying standard digital signature techniques to validate the signature in accordance with a preferred embodiment of the present invention, wherein the signature is embedded in the module. This process allows a core root of trust for measurement within a trusted computing platform to validate a module signature against a public key of the manufacturer. The base CRTM contains the CRTM extension public key value. The process illustrated in FIG. 6 may be implemented in a data processing system such as data processing system 200 in FIG. 2.
  • The process begins with the loading of the new firmware module by the CRTM (step 602).
  • The CRTM executing on the processor then determines whether the firmware or software module is signed (step 604). For instance, as described in FIG. 5, the module may have been digitally signed by the manufacturer with the signature embedded in the module; the CRTM checks the module to see whether it contains such a signature.
  • If a signature is found, the base CRTM validates it against the public portion of the manufacturer's CRTM extension key (step 606), that is, it determines whether the module was signed by the CRTM extension private key. If so, an entry is made in the platform configuration register (PCR) (step 608), and the process continues.
  • PCRs contain values representing a sequence of measurements (although not the actual integrity metrics themselves). For instance, PCR(0) may be extended to include an additional function within the CRTM; in other words, PCR(0) is the register in which the platform's CRTM extension is reflected, and it may be used to show that the CRTM has been extended to another module.
  • If no signature is found at step 604, or if at step 606 the module is determined not to be signed by the CRTM extension private key, the module is executed but the CRTM is not extended. Signature validation therefore does not gate execution of the module; it only determines whether the module acquires CRTM-extension status and is recorded as such in the PCR.
  • Because the CRTM extension public key is carried within the immutable base CRTM itself, the base CRTM is not required to provide (attackable) interfaces to update tables. Only a compromise of the platform manufacturer's signing key would allow an attacker to replace a module.
  • Thus, the present invention provides a method, apparatus, and computer instructions for enhancing the functionality of the existing core root of trust for measurement (CRTM). The CRTM is extended to allow platform manufacturer controlled and certified code to be incorporated into the function of the CRTM, wherein the manufacturer may define the policy for accepting a new function into the CRTM.
  • The extended CRTM contains code that is owned and controlled by the platform manufacturer, which meets the requirements to update the CRTM. In this manner, the extended CRTM may be updated using a manufacturer-defined policy.
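The chain-of-measurements and PCR-as-aggregate behaviour described above (measure each component before passing control, log the event, fold the digest into the PCR) is shown here as an added example; it is not code from the patent. It assumes the TPM 1.2 extend operation, PCR_new = SHA-1(PCR_old || measurement), and a constructed three-stage boot chain; the component images and the tampering scenario are invented for illustration.

```python
import hashlib

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest (160 bits)


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend operation: PCR_new = SHA-1(PCR_old || measurement)."""
    return hashlib.sha1(pcr + measurement).digest()


def measure(image: bytes) -> bytes:
    """Integrity metric of a boot component: the SHA-1 digest of its image."""
    return hashlib.sha1(image).digest()


def build_chain(components):
    """Measure each component before control passes to it, log the event and
    fold its digest into the PCR. Returns the final PCR and the event log."""
    pcr = bytes(PCR_SIZE)            # PCRs start at all zeros after a platform reset
    log = []
    for name, image in components:
        digest = measure(image)
        log.append((name, digest))   # discrete event, kept outside the TPM
        pcr = pcr_extend(pcr, digest)
    return pcr, log


def replay_log(log) -> bytes:
    """Recompute the aggregate a verifier expects from the log alone."""
    pcr = bytes(PCR_SIZE)
    for _, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def log_matches_pcr(log, reported_pcr: bytes) -> bool:
    """The log is trustworthy only if replaying it reproduces the PCR held in the TPM."""
    return replay_log(log) == reported_pcr


# Constructed sample boot chain (not taken from the patent).
BOOT_COMPONENTS = [
    ("POST BIOS", b"constructed POST BIOS image"),
    ("option ROM", b"constructed option ROM image"),
    ("boot loader", b"constructed boot loader image"),
]


def tamper_demo():
    """Returns (honest_log_ok, edited_log_ok, reordered_log_ok)."""
    pcr, log = build_chain(BOOT_COMPONENTS)
    # An attacker whose trojaned boot loader actually ran rewrites the log entry
    # to the digest of the genuine loader. The PCR inside the TPM still reflects
    # what really executed, so the edited log no longer replays to it.
    pcr_trojan, log_trojan = build_chain(
        BOOT_COMPONENTS[:2] + [("boot loader", b"constructed trojaned boot loader")]
    )
    edited = log_trojan[:2] + [log[2]]
    # Extend is order-sensitive: the same events in another order give another PCR.
    reordered = [log[1], log[0], log[2]]
    return (
        log_matches_pcr(log, pcr),
        log_matches_pcr(edited, pcr_trojan),
        log_matches_pcr(reordered, pcr),
    )
```

The log itself lives in ordinary memory and can be edited by anything that runs later; the PCR cannot be set, only extended, which is why a verifier trusts the log exactly as far as it replays to the quoted PCR value.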
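The HMAC calculation attributed above to HMAC engine 410 is RFC 2104 built on top of the SHA-1 engine. The block below is an added example, not the patent's or any TPM vendor's code: it implements the RFC 2104 construction from a bare SHA-1 primitive, including the long-key rule, checks it against a published RFC 2202 test vector and against the standard library, and shows a constructed two-party authorization exchange. The shared secret and the command string are invented for illustration.

```python
import hashlib
import hmac as stdlib_hmac

BLOCK_SIZE = 64   # B in RFC 2104: the SHA-1 input block size in bytes
IPAD = 0x36
OPAD = 0x5C


def sha1(data: bytes) -> bytes:
    """Stands in for the TPM's SHA-1 engine."""
    return hashlib.sha1(data).digest()


def hmac_sha1(key: bytes, text: bytes) -> bytes:
    """HMAC per RFC 2104, section 2: H((K XOR opad) || H((K XOR ipad) || text)).
    A key longer than B is hashed first; the key is then zero-padded to B bytes."""
    if len(key) > BLOCK_SIZE:
        key = sha1(key)
    key = key.ljust(BLOCK_SIZE, b"\x00")
    inner = sha1(bytes(k ^ IPAD for k in key) + text)
    return sha1(bytes(k ^ OPAD for k in key) + inner)


def verify(key: bytes, text: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the verifier does not leak how many bytes matched."""
    return stdlib_hmac.compare_digest(hmac_sha1(key, text), tag)


# RFC 2202 test case 1 (published test vector for HMAC-SHA1).
RFC2202_CASE1_KEY = bytes([0x0B]) * 20
RFC2202_CASE1_TEXT = b"Hi There"
RFC2202_CASE1_MAC = bytes.fromhex("b617318655057264e28bc0b6fb378c8ef146be00")


def matches_stdlib(key: bytes, text: bytes) -> bool:
    """Cross-check the hand-rolled construction against the library implementation."""
    return hmac_sha1(key, text) == stdlib_hmac.new(key, text, hashlib.sha1).digest()


def authorization_demo():
    """Constructed exchange (not from the patent): a shared secret protects a command;
    changing one byte of the command invalidates the tag."""
    shared_secret = b"constructed shared authorization secret"
    command = b"TPM_Extend pcr=0 digest=0011223344556677889900aabbccddeeff00112233"
    tag = hmac_sha1(shared_secret, command)
    tampered = command.replace(b"pcr=0", b"pcr=7")
    return verify(shared_secret, command, tag), verify(shared_secret, tampered, tag)
```

The long-key path matters in practice: a caller that skips the "hash keys longer than B" step produces tags that a conforming peer will reject, and a verifier that compares tags with ordinary equality hands an attacker a timing oracle.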
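The build-time process of FIG. 5 (compile, hash, sign with the CRTM extension private key, attach the signature) and the boot-time process of FIG. 6 (look for a signature, verify it with the public key held in the base CRTM, extend PCR(0) only on success, execute in every case) are carried through end to end below as one added example. It is not the patent's code and the patent specifies no algorithm, format or key: the RSA key pair is a textbook, unpadded toy built from two Mersenne primes, the CRTMX trailer marking an attached signature block is an invented format, and the module images are constructed. A shipping implementation would use a padded signature scheme (PKCS#1 v1.5 or PSS) with a properly generated key.

```python
import hashlib

# Toy CRTM extension key pair (assumption, not the patent's key material): textbook
# RSA with no padding, for illustration only. Both factors are Mersenne primes, so
# the 234-bit modulus is larger than any SHA-1 digest.
P = (1 << 107) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent; requires Python 3.8+

MAGIC = b"CRTMX"    # constructed marker announcing an attached signature block
SIG_LEN = 30        # N < 2**240, so every signature fits in 30 bytes


def module_hash(image: bytes) -> bytes:
    """Fingerprint of the compiled image, as the build process and the CRTM compute it."""
    return hashlib.sha1(image).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || measurement)."""
    return hashlib.sha1(pcr + measurement).digest()


# ---- FIG. 5: manufacturer build environment (the only holder of D) ----
def build_module(image: bytes, is_crtm_extension: bool) -> bytes:
    if not is_crtm_extension:          # step 506 "no": ship unsigned (step 512)
        return image
    h = int.from_bytes(module_hash(image), "big")
    signature = pow(h, D, N)           # step 508: sign the hash with the private key
    return image + MAGIC + signature.to_bytes(SIG_LEN, "big")   # step 510: attach


# ---- FIG. 6: base CRTM at boot (holds only the public key E, N) ----
def split_signature(module: bytes):
    """Step 604: does the module carry a signature block?"""
    trailer = len(MAGIC) + SIG_LEN
    if len(module) >= trailer and module[-trailer:-SIG_LEN] == MAGIC:
        return module[:-trailer], int.from_bytes(module[-SIG_LEN:], "big")
    return module, None


def crtm_load(module: bytes, pcr0: bytes):
    """Returns (image to execute, whether the CRTM was extended, new PCR(0))."""
    image, signature = split_signature(module)
    extended = False
    if signature is not None:
        h = int.from_bytes(module_hash(image), "big")
        if pow(signature, E, N) == h:                    # step 606: verify with public key
            pcr0 = pcr_extend(pcr0, module_hash(image))  # step 608: record the extension
            extended = True
    # Every branch executes the image; only the CRTM-extension status differs.
    return image, extended, pcr0


def boot_demo():
    """Constructed modules (not from the patent): a genuine signed extension, an
    ordinary unsigned module, and attacker code carrying the genuine signature."""
    pcr0 = bytes(20)
    genuine = build_module(b"constructed manufacturer CRTM extension code", True)
    unsigned = build_module(b"constructed ordinary option ROM", False)
    _, stolen_sig = split_signature(genuine)
    forged = b"constructed attacker code" + MAGIC + stolen_sig.to_bytes(SIG_LEN, "big")
    outcome = {}
    for name, module in (("genuine", genuine), ("unsigned", unsigned), ("forged", forged)):
        _, extended, pcr0 = crtm_load(module, pcr0)
        outcome[name] = extended
    return outcome, pcr0
```

Two properties of the design show up directly in the code: the signature binds the hash of the exact image, so a signature lifted from a genuine module does not transfer to other code, and the CRTM's verification has no mutable input other than the module itself, so there is no table or key store for an attacker to update without the manufacturer's private key.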

Abstract

A method, system and computer program product for enhancing the functionality of the existing core root of trust for measurement (CRTM). The CRTM is extended to allow platform manufacturer controlled and certified code to be incorporated into the function of the CRTM, wherein the manufacturer may define the policy for accepting a new function into the CRTM. When a firmware or software module image is compiled, the build process generates a hash value of the compiled firmware or software image, wherein the hash value is a fingerprint (or shorthand) representation of the compiled image. A determination is made as to whether the hash value of the firmware or software image is to be a CRTM extension. If so, a digital signature of the module is created using the CRTM extension private key. This signature value is added to the firmware or software module.

Description

    BACKGROUND OF THE INVENTION
  • 1. Technical Field
  • The present invention relates generally to an improved data processing system. In particular, the present invention relates to a method, apparatus, and computer instructions for extending the core root of trust for measurement (CRTM) in a trusted platform.
  • 2. Description of Related Art
  • Most data processing systems contain sensitive data and sensitive operations that need to be protected. For example, the integrity of configuration information needs to be protected from illegitimate modification, while other information, such as a password file, needs to be protected from illegitimate disclosure. As another example, a data processing system needs to be able to reliably identify itself to other data processing systems.
  • An operator of a given data processing system may employ many different types of security mechanisms to protect the data processing system. For example, the operating system on the data processing system may provide various software mechanisms to protect sensitive data, such as various authentication and authorization schemes, while certain hardware devices and software applications may rely upon hardware mechanisms to protect sensitive data, such as hardware security tokens and biometric sensor devices.
  • The integrity of a data processing system's data and its operations, however, centers on the issue of trust. A data processing system's data and operations can be verified or accepted by another entity if that entity has some manner for establishing trust with the data processing system with respect to particular data items or particular operations.
  • Hence, the ability to protect a data processing system is limited by the manner in which trust is created or rooted within the data processing system. To address the issues of protecting data processing systems, a consortium of companies has formed the Trusted Computing Group (TCG) to develop and to promulgate open standards and specifications for trusted computing. According to the specifications of the Trusted Computing Group, trust within a given data processing system or trust between a data processing system and another entity is based on the existence of a hardware component within the data processing system that has been termed the trusted platform module (TPM).
  • A trusted platform enables an entity to determine the state of the software environment in that platform and to seal data to a particular software environment in that platform. The entity deduces whether the state of the computing environment in that platform is acceptable before performing a transaction with that platform. To enable this, the trusted platform provides integrity metrics, also known as integrity measurements, to the entity that reflects the integrity of the software state of the trusted platform, and the integrity measurements require a root of trust within the computing platform. In order for a system to be a trusted platform, the integrity measurements must be taken from the core root of trust for measurement (CRTM) and extended through the initial program load (IPL) process up to the point at which the operating system is initialized.
  • Trusted computing platforms predicate the start of execution from the CRTM. CRTM is a component of a trusted platform system and provides secure measurement functions to the rest of the platform. CRTM is essentially the first piece of code that executes on a platform at boot time. The CRTM builds a chain of hash codes for each portion of the boot. The CRTM then reports to the TPM what software executes after the CRTM executes. In addition, as the CRTM is required to be an immutable portion of the platform's initialization code, the CRTM is changeable only by a platform manufacturer approved methodology or process. Thus, only code that is owned and controlled by the platform manufacturer will meet the requirements for updating the CRTM.
  • Existing methods for updating the CRTM are predicated on unique processor instruction architectural elements. For example, Intel Corporation has introduced an SMX mode which allows for the “late instantiation of a hypervisor type function”. A hypervisor is a trusted firmware component and is used to create multiple, isolated, high-integrity supervisor program environments. The processor (firmware, etc.) verifies this “hypervisor” before giving control to the BIOS. Consequently, the Intel model adds additional complexity to the processor architecture. In addition, the Intel model facilitates the extension of the CRTM with code that is not under manufacturer control. Thus, the Intel model does not provide an extension of the CRTM, but rather it provides a mechanism for instantiating a replacement CRTM for one set of execution models.
  • Therefore, it would be advantageous to have a mechanism for enhancing the functionality of the existing CRTM by allowing platform manufacturer controlled and certified code to be incorporated into the function of the CRTM.
  • SUMMARY OF THE INVENTION
  • The present invention provides a method, system and computer program product for enhancing the functionality of the existing core root of trust for measurement (CRTM). With the present invention, the CRTM is extended to allow platform manufacturer controlled and certified code to be incorporated into the function of the CRTM, wherein the manufacturer may define the policy for accepting a new function into the CRTM. In the manufacturer's build environment, the firmware or software module image is compiled. The build process then generates a hash value of the firmware or software it is measuring, the hash value representing a fingerprint, or shorthand representation, of the compiled module. A determination is then made as to whether the hash value of the firmware or software image is to be a CRTM extension. If so, a digital signature of the module is created using the CRTM extension private key. This signature value is then added to the firmware or software module.
  • When a module is loaded into the data processing system, the CRTM determines if the module is signed by a core root of trust measurement extension signing key. If so, the CRTM validates the module signature against the public key of the manufacturer. The CRTM then creates an entry in a platform configuration register, wherein the platform configuration register is extended to include functions of the core root of trust measurement and may be used to reflect that the CRTM has been extended.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • The novel features believed characteristic of the invention are set forth in the appended claims. The invention itself, however, as well as a preferred mode of use, further objectives and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawings, wherein:
  • FIG. 1 depicts a representation of a network of data processing systems in which the present invention may be implemented;
  • FIG. 2 is a block diagram of a data processing system that may be implemented as a server in accordance with a preferred embodiment of the present invention;
  • FIG. 3 is a block diagram of a known trusted platform architecture;
  • FIG. 4 is a block diagram illustrating some of the major components of a known trusted platform module;
  • FIG. 5 is a flowchart of a process for facilitating the creation of an extension of the CRTM in accordance with a preferred embodiment of the present invention; and
  • FIG. 6 is a flowchart of a process for applying standard digital signature techniques for validating the signature in accordance with a preferred embodiment of the present invention.
  • DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
  • With reference now to the figures, FIG. 1 depicts a network of data processing systems in which the present invention may be implemented. Network data processing system 100 is a network of computers in which the present invention may be implemented. Network data processing system 100 contains a network 102, which is the medium used to provide communications links between various devices and computers connected together within network data processing system 100. Network 102 may include connections, such as wire, wireless communication links, or fiber optic cables.
  • In the depicted example, server 104 is connected to network 102 along with storage unit 106. In addition, clients 108, 110, and 112 are connected to network 102. These clients 108, 110, and 112 may be, for example, personal computers or network computers or personal digital assistants (PDA) devices. In the depicted example, server 104 provides data, such as boot files, operating system images, and applications to clients 108-112. Clients 108, 110, and 112 are clients to server 104. Network data processing system 100 may include additional servers, clients, and other devices not shown.
  • In the depicted example, network data processing system 100 is the Internet with network 102 representing a worldwide collection of networks and gateways that use the Transmission Control Protocol/Internet Protocol (TCP/IP) suite of protocols to communicate with one another. At the heart of the Internet is a backbone of high-speed data communication lines between major nodes or host computers, consisting of thousands of commercial, government, educational and other computer systems that route data and messages. Of course, network data processing system 100 also may be implemented as a number of different types of networks, such as for example, an intranet, a local area network (LAN), or a wide area network (WAN). FIG. 1 is intended as an example, and not as an architectural limitation for the present invention.
  • With reference now to FIG. 2, a block diagram illustrating a data processing system is depicted in which the present invention may be implemented. Data processing system 200 is an example of a client computer, such as clients 108, 110, and 112 shown in FIG. 1. Data processing system 200 employs a peripheral component interconnect (PCI) local bus architecture. Although the depicted example employs a PCI bus, other bus architectures such as Accelerated Graphics Port (AGP) and Industry Standard Architecture (ISA) may be used. Processor 202 and main memory 204 are connected to PCI local bus 206 through PCI bridge 208. PCI bridge 208 also may include an integrated memory controller and cache memory for processor 202. Additional connections to PCI local bus 206 may be made through direct component interconnection or through add-in boards. In the depicted example, local area network (LAN) adapter 210, SCSI host bus adapter 212, and expansion bus interface 214 are connected to PCI local bus 206 by direct component connection. In contrast, audio adapter 216, graphics adapter 218, and audio/video adapter 219 are connected to PCI local bus 206 by add-in boards inserted into expansion slots. Expansion bus interface 214 provides a connection for a keyboard and mouse adapter 220, modem 222, and additional memory 224. Small computer system interface (SCSI) host bus adapter 212 provides a connection for hard disk drive 226, tape drive 228, and CD-ROM drive 230. Typical PCI local bus implementations will support three or four PCI expansion slots or add-in connectors.
  • An operating system runs on processor 202 and is used to coordinate and provide control of various components within data processing system 200 in FIG. 2. The operating system may be a commercially available operating system, such as Windows XP, which is available from Microsoft Corporation. An object oriented programming system such as Java may run in conjunction with the operating system and provide calls to the operating system from Java programs or applications executing on data processing system 200. “Java” is a trademark of Sun Microsystems, Inc. Instructions for the operating system, the object-oriented programming system, and applications or programs are located on storage devices, such as hard disk drive 226, and may be loaded into main memory 204 for execution by processor 202.
  • Those of ordinary skill in the art will appreciate that the hardware in FIG. 2 may vary depending on the implementation. Other internal hardware or peripheral devices, such as flash read-only memory (ROM), equivalent nonvolatile memory, or optical disk drives and the like, may be used in addition to or in place of the hardware depicted in FIG. 2. Also, the processes of the present invention may be applied to a multiprocessor data processing system.
  • The depicted example in FIG. 2 and above-described examples are not meant to imply architectural limitations. In addition, the examples of the present invention herein below employ the terminology and examples from the standards and/or specifications that have been promulgated by the Trusted Computing Group (TCG); it should be noted, however, that the examples are not meant to imply architectural, functional, nor definitional limitations with respect to embodiments of the present invention.
  • The present invention allows for enhancing the functionality of the existing CRTM. The mechanism of the present invention extends the CRTM by allowing platform manufacturer controlled and certified code to be incorporated into the function of the CRTM. Thus, the extended CRTM contains code that is owned and controlled by the platform manufacturer, which meets the requirements to update the CRTM. In this manner, the extended CRTM may be updated using a manufacturer defined policy. In addition, the extension of the CRTM is reflected in the system's state by extending the platform configuration register (PCR) to where the CRTM is measured.
  • Each processor comprises a core root of trust for measurement (CRTM), such as CRTM 330 in FIG. 3 described below. A trusted platform starts execution from its core root of trust for measurement, thereby forming the basis or root for trusting the integrity of the software execution state within the trusted platform. The software that the CRTM loads and executes is measured and logged, thereby contributing to the trusted platform's integrity measurements. An integrity measurement is data that reflects the integrity of the software state on a trusted platform. Each subsequent software element or configuration element is measured before execution control is passed. The collective chain of measurements represents the integrity of the trusted platform. A representation of the chain of integrity measurements is stored within the trusted platform module in association with a log of every relevant event.
  • When the processor initializes the data processing system, the firmware or software module within the trusted platform module is compiled. The build process measures integrity metrics by generating a hash of the firmware or software it is measuring. A determination is made as to whether the firmware or software image is to be a CRTM extension. If so, a digital signature of the firmware or software module is created using the CRTM extension private key. This signature block is then added to the firmware module.
  • When the new firmware or software module is loaded by the CRTM, the CRTM executing on the processor determines whether the firmware or software module is signed. If a signature is found, the base CRTM validates the signature against the public portion of the CRTM extension key of the manufacturer. If the module is signed by the CRTM extension private key, an entry is made in the platform configuration register (PCR), which contains a representation of the “chain” of integrity measurements. The PCR is a storage location that reflects the aggregate of the system measurement state. The PCR as an aggregate is used to protect the integrity of the measurement log, which contains the discrete measurement events.
  • With reference now to FIG. 3, a block diagram depicts some of the components in a data processing system constructed using a model of a trusted platform architecture. Trusted platform architectures may be implemented for particular computational environments or for particular classes of devices; FIG. 3 depicts a trusted platform architecture in accordance with the TCG's PC-specific implementation specification.
  • System 300 supports execution of software components, such as operating system 302, applications 304, and drivers 306, on its platform 308. The software components may be received through a network, such as network 102 shown in FIG. 1, or may be stored, for example, on hard disk 310. Platform 308 receives electrical power from power supply 312 for executing the software components on add-on cards 314 and motherboard 316, which includes typical components for executing software, such as CPU 318 and memory 320, although motherboard 316 may include multiple CPUs. Interfaces 322 connect motherboard 316 to other hardware components within system 300, and firmware 324 contains POST BIOS (power-on self-test basic input/output system) 326.
  • Motherboard 316 also comprises trusted building block (TBB) 328; motherboard 316 is supplied by a manufacturer with TBB 328 and other components physically or logically attached and supplied by the manufacturer. TBB 328 comprises the combination of the core root of trust for measurement (CRTM) component 330, the trusted platform module (TPM) 332, the connection of the CRTM to motherboard 316, and the connection of the TPM to motherboard 316.
  • TPM 332 is explained in more detail with respect to FIG. 3 herein below. CRTM 330 is an immutable portion of the platform's initialization code that executes upon a platform reset; the platform's execution must begin at the CRTM upon any platform reset event. In this manner, the trust in the platform is based on the CRTM and the behavior of the TPM, and the trust in all measurements is based on the integrity of the CRTM. In the depicted example in FIG. 3, the BIOS may be assumed to include a BIOS Boot Block and POST BIOS 326; each of these is an independent component that can be updated independently of the other, wherein the manufacturer must control the update, modification, and maintenance of the BIOS Boot Block, but a third party supplier may update, modify, or maintain the POST BIOS component. In the depicted example in FIG. 3, the CRTM may be assumed to be the BIOS Boot Block, and the POST BIOS is a measured component of the chain of trust. Alternatively, the CRTM may comprise the entire BIOS.
  • Turning now to FIG. 4, a block diagram of a known trusted platform module is shown. FIG. 4 illustrates components of a trusted platform module according to TCG specifications. Trusted platform module 400 comprises input/output component 402, which manages information flow over communications bus 404 by performing appropriate protocol encoding/decoding operations and routing of messages to appropriate components. Cryptographic co-processor 406 performs cryptographic operations within a trusted platform module. Key generator 408 creates symmetric keys and RSA asymmetric cryptographic key pairs. HMAC engine 410 performs HMAC (Keyed-Hashing for Message Authentication) calculations, whereby message authentication codes are computed using secret keys as integrity checks to validate information transmitted between two parties, e.g., in accordance with Krawczyk et al., “HMAC: Keyed-Hashing for Message Authentication”, Request for Comments (RFC) 2104, Internet Engineering Task Force (IETF), February 1997.
  • Random number generator 412 acts as a source of randomness for the computation of various values, such as keys or other values. SHA-1 engine 414 implements the SHA-1 hash algorithm. Power detector 416 manages the power states of a trusted platform module in association with the power states of the platform. Opt-in component 418 maintains the state of persistent and volatile flags and enforces semantics associated with those flags such that the trusted platform module may be enabled and disabled. Execution engine 420 runs program code to execute commands that the trusted platform module receives through input/output component 402. Non-volatile memory 422 stores persistent identity and state associated with the trusted platform module; the non-volatile memory may store static data items but is also available for storing dynamic data items by entities that are authorized by the trusted platform module owner, whereas volatile memory 424 stores dynamic data items.
  • FIG. 5 is a flowchart of a process for facilitating the creation of an extension of the CRTM in accordance with a preferred embodiment of the present invention by allowing the platform manufacturer to utilize a digital signature block to indicate to the executing CRTM that a new function is an extension of the CRTM. FIG. 5 represents a process that is done within the platform manufacturer's environment, and may be implemented in a data processing system, such as data processing system 200 in FIG. 2. It should be noted that in the steps embodied in FIG. 5, there is no policy decision being made.
  • The process begins with compiling the firmware or software module (step 502). As a manufacturer controlled process, the compiling of the firmware or software module is independent of the CRTM or other aspects of trusted computing. Next, using the firmware image compiled in step 502, the build process generates a hash value of the firmware image (step 504). The hash value provides a fingerprint, or shorthand representation, of the module image. A determination is then made as to whether the hash of the firmware image is to be an extension of the CRTM (step 506). If not, the firmware is released (shipped) (step 512).
  • In contrast, if the firmware is to be a CRTM extension, the build process uses a CRTM extension private key to create the digital signature of the firmware module (step 508). This signature value is attached to the module (step 510) and the firmware is released (shipped) (step 512).
  • Turning now to FIG. 6, a flowchart is shown of a process for applying standard digital signature techniques for validating the signature in accordance with a preferred embodiment of the present invention, wherein the signature is embedded in the module. This process allows a core root of trust measurement within a trusted computing platform to validate a module signature against a public key of a manufacturer. In this process, the base CRTM contains the CRTM extension public key value. In addition, the process illustrated in FIG. 6 may be implemented in a data processing system, such as data processing system 200 in FIG. 2.
  • The process begins with the loading of the new firmware module by the CRTM (step 602). The CRTM executing on the processor then determines whether the firmware or software module is signed (step 604). For instance, as described in step 512 in FIG. 5, the module may be digitally signed by the manufacturer, and the signature embedded in the module. The CRTM checks the module to see if it contains such a signature.
  • If a signature is found, the base CRTM validates the signature against the public portion of the CRTM extension key of the manufacturer (step 606). This step is performed by determining if the module is signed by the CRTM extension private key. If the module is signed by the CRTM extension private key, an entry is made in the platform configuration register (PCR) (step 608), with the process continuing thereafter. PCRs contain values representing a sequence of measurements (although not the actual integrity metrics). For instance, PCR(0) may be extended to include an additional function within the CRTM. In other words, PCR(0) is a platform extension, and may be used to reflect that the CRTM has been extended to another module.
  • Turning back to step 604, if a signature is not found, the module is executed, and the CRTM is not extended. Likewise, in step 606, if it is determined that the module is not signed by the CRTM extension private key, the module is executed and the CRTM is not extended.
  • In this manner, the proof of immutability is carried in the signature. The base CRTM is not required to provide (attackable) interfaces to update tables. Only the compromise of the platform manufacturer's signing key would allow an attacker to replace a module.
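Both halves of the procedure above, the manufacturer's build-and-sign steps of FIG. 5 and the CRTM's load-and-validate steps of FIG. 6, as an added Go example that is not part of the patent. The signature block layout, the RSA PKCS#1 v1.5 scheme, and SHA-256 for both the fingerprint and the PCR extend are assumptions (the text's TPM uses SHA-1), and the sample image is constructed.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
)

// Signature block layout, constructed for this example (the patent does not
// specify one): image || signature || uint16 BE signature length || magic.
var sigMagic = []byte("CRTMEXT1")

const trailerFixed = 2 + 8 // length field plus magic

// hashImage is step 504: the fingerprint of the compiled module image.
func hashImage(image []byte) [32]byte { return sha256.Sum256(image) }

// buildModule is the manufacturer side (FIG. 5). isExtension is the decision
// of step 506, made outside this function: the build makes no policy decision.
func buildModule(image []byte, isExtension bool, extKey *rsa.PrivateKey) ([]byte, error) {
	out := append([]byte(nil), image...)
	if !isExtension {
		return out, nil // step 512: ship the module unsigned
	}
	digest := hashImage(image)
	// step 508: sign the fingerprint with the CRTM extension private key
	sig, err := rsa.SignPKCS1v15(rand.Reader, extKey, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	// step 510: attach the signature block, then ship (step 512)
	var sigLen [2]byte
	binary.BigEndian.PutUint16(sigLen[:], uint16(len(sig)))
	out = append(out, sig...)
	out = append(out, sigLen[:]...)
	return append(out, sigMagic...), nil
}

// splitSignature is the check of step 604: does the module carry a signature
// block? It returns the bare image and the signature, nil when there is none.
// A malformed trailer is treated as "unsigned", never as a parse failure.
func splitSignature(module []byte) (image, sig []byte) {
	n := len(module)
	if n < trailerFixed || !bytes.Equal(module[n-8:], sigMagic) {
		return module, nil
	}
	sigLen := int(binary.BigEndian.Uint16(module[n-10 : n-8]))
	start := n - trailerFixed - sigLen
	if sigLen == 0 || start < 0 {
		return module, nil
	}
	return module[:start], module[start : n-trailerFixed]
}

// CRTM models the base CRTM of FIG. 6: it carries only the public portion of
// the extension key (no updatable table to attack) and PCR(0), where CRTM
// extensions are recorded. PCR0 starts at all zeros, as on a reset TPM.
type CRTM struct {
	extPub *rsa.PublicKey
	PCR0   [32]byte
	Log    []string // discrete measurement events the PCR aggregate protects
}

// extendPCR is the TPM extend operation: new = H(old || measurement).
func extendPCR(old, measurement [32]byte) [32]byte {
	return sha256.Sum256(append(old[:], measurement[:]...))
}

// LoadModule is steps 602-608. It returns the image to execute and whether
// the CRTM was extended. As in the text, an unsigned or wrongly signed module
// still executes, but PCR(0) is left untouched, so an attestation of PCR(0)
// will not vouch for it as part of the CRTM.
func (c *CRTM) LoadModule(module []byte) (image []byte, extended bool) {
	image, sig := splitSignature(module) // step 604
	if sig == nil {
		return image, false
	}
	digest := hashImage(image)
	// step 606: validate against the public portion of the extension key
	if err := rsa.VerifyPKCS1v15(c.extPub, crypto.SHA256, digest[:], sig); err != nil {
		return image, false
	}
	// step 608: record the extension in PCR(0) and in the measurement log
	c.PCR0 = extendPCR(c.PCR0, digest)
	c.Log = append(c.Log, "crtm-extension:"+hex.EncodeToString(digest[:]))
	return image, true
}
```

Flipping a single byte of a signed module, or signing it with any key other than the manufacturer's, makes LoadModule return extended == false and leaves PCR0 unchanged, which is the property the text relies on when it says the proof of immutability is carried in the signature.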
  • Thus, the present invention provides a method, apparatus, and computer instructions for enhancing the functionality of the existing core root of trust for measurement (CRTM). The advantages of the present invention should be apparent in view of the detailed description that is provided above. With the present invention, the CRTM is extended to allow platform manufacturer controlled and certified code to be incorporated into the function of the CRTM, wherein the manufacturer may define the policy for accepting a new function into the CRTM. Thus, the extended CRTM contains code that is owned and controlled by the platform manufacturer, which meets the requirements to update the CRTM. In this manner, the extended CRTM may be updated using a manufacturer defined policy.
  • It is important to note that while the present invention has been described in the context of a fully functioning data processing system, those of ordinary skill in the art will appreciate that the processes of the present invention are capable of being distributed in the form of a computer readable medium of instructions and a variety of forms and that the present invention applies equally regardless of the particular type of signal bearing media actually used to carry out the distribution. Examples of computer readable media include recordable-type media, such as a floppy disk, a hard disk drive, a RAM, CD-ROMs, DVD-ROMs, and transmission-type media, such as digital and analog communications links, wired or wireless communications links using transmission forms, such as, for example, radio frequency and light wave transmissions. The computer readable media may take the form of coded formats that are decoded for actual use in a particular data processing system.
  • The description of the present invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art. The embodiment was chosen and described in order to best explain the principles of the invention, the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.

Claims (19)

1. A method in a data processing system for extending a core root of trust measurement within a trusted computing platform, comprising:
responsive to compiling a module image, generating a hash value;
determining if the hash value of the module image is to be an extension of the core root of trust measurement;
in response to determining that the hash value of the module image is to be a core root of trust measurement extension, creating a digital signature for the module using the core root of trust measurement private key; and
adding the digital signature to the module, wherein adding the digital signature allows platform manufacturer controlled and certified code to be incorporated into functions of the core root of trust measurement.
2. The method of claim 1, further comprising:
responsive to determining that the hash value of the module image is not to be a core root of trust measurement extension, releasing the module image.
3. The method of claim 1, wherein incorporating platform manufacturer controlled and certified code into the core root of trust measurement allows the platform manufacturer to define a policy for accepting a new function into the core root of trust measurement.
4. The method of claim 3, wherein the extended core root of trust measurement may be updated using the manufacturer defined policy.
5. The method of claim 1, wherein the module is a firmware module.
6. The method of claim 1, wherein the module is a software module.
7. A method in a data processing system for allowing a core root of trust measurement within a trusted computing platform to validate a module signature against a public key of a manufacturer, comprising:
loading the module into the data processing system;
determining if the module is signed by a core root of trust measurement extension signing key;
responsive to determining that the module is signed, validating the module signature against the public key of the manufacturer; and
creating an entry in a platform configuration register, wherein the platform configuration register is extended to include functions of the core root of trust measurement.
8. A data processing system for extending a core root of trust measurement within a trusted computing platform, comprising:
generating means for generating a hash value in response to compiling a module image;
determining means for determining if the hash value of the module image is to be a core root of trust measurement extension;
creating means for creating a digital signature for the module using the core root of trust measurement private key in response to determining that the hash value of the module image is to be a core root of trust measurement extension; and
adding means for adding the digital signature to the module, wherein adding the digital signature allows platform manufacturer controlled and certified code to be incorporated into functions of the core root of trust measurement.
9. The data processing system of claim 8, further comprising:
releasing means for releasing the module image in response to determining that the hash value of the module image is not to be a core root of trust measurement extension.
10. The data processing system of claim 8, wherein incorporating platform manufacturer controlled and certified code into the core root of trust measurement allows the platform manufacturer to define a policy for accepting a new function into the CRTM.
11. The data processing system of claim 10, wherein the extended core root of trust measurement may be updated using the manufacturer defined policy.
12. The data processing system of claim 8, wherein the module is a firmware module.
13. The data processing system of claim 8, wherein the module is a software module.
14. A computer program product in a computer readable medium for extending a core root of trust measurement within a trusted computing platform, comprising:
first instructions for generating a hash value in response to compiling a module image;
second instructions for determining if the hash value of the module image is to be a core root of trust measurement extension;
third instructions for creating a digital signature for the module using the core root of trust measurement private key in response to determining that the hash value of the module image is to be a core root of trust measurement extension; and
fourth instructions for adding the digital signature to the module, wherein adding the digital signature allows platform manufacturer controlled and certified code to be incorporated into functions of the core root of trust measurement.
15. The computer program product of claim 14, further comprising:
fifth instructions for releasing the module image in response to determining that the hash value of the module image is not to be a core root of trust measurement extension.
16. The computer program product of claim 14, wherein incorporating platform manufacturer controlled and certified code into the core root of trust measurement allows the platform manufacturer to define a policy for accepting a new function into the core root of trust measurement.
17. The computer program product of claim 16, wherein the extended core root of trust measurement may be updated using the manufacturer defined policy.
18. The computer program product of claim 14, wherein the module is a firmware module.
19. The computer program product of claim 14, wherein the module is a software module.
US10/887,441 2004-07-08 2004-07-08 Method for extending the CRTM in a trusted platform Abandoned US20060010326A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US10/887,441 US20060010326A1 (en) 2004-07-08 2004-07-08 Method for extending the CRTM in a trusted platform
US12/059,274 US8185750B2 (en) 2004-07-08 2008-03-31 Method for extending the CRTM in a trusted platform


Publications (1)

Publication Number Publication Date
US20060010326A1 true US20060010326A1 (en) 2006-01-12


US8458490B2 (en) 2010-05-28 2013-06-04 Dell Products, Lp System and method for supporting full volume encryption devices in a client hosted virtualization system
JP5832963B2 (en) 2012-06-29 2015-12-16 株式会社東芝 Memory system
US9697358B2 (en) * 2013-06-13 2017-07-04 Google Inc. Non-volatile memory operations
US10013563B2 (en) * 2013-09-30 2018-07-03 Dell Products L.P. Systems and methods for binding a removable cryptoprocessor to an information handling system
US10621351B2 (en) 2016-11-01 2020-04-14 Raptor Engineering, LLC. Systems and methods for tamper-resistant verification of firmware with a trusted platform module
WO2019084908A1 (en) * 2017-11-03 2019-05-09 Nokia Technologies Oy Method and apparatus for trusted computing
CN112784278B (en) * 2020-12-31 2022-02-15 科东(广州)软件科技有限公司 Trusted starting method, device and equipment of computer system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020194482A1 (en) * 2001-06-19 2002-12-19 Hewlett-Packard Company Multiple trusted computing environments with verifiable environment identities
US20030028772A1 (en) * 2001-07-31 2003-02-06 Allison Michael S. Method for generating a read only memory image
US20030191940A1 (en) * 2002-04-03 2003-10-09 Saurabh Sinha Integrity ordainment and ascertainment of computer-executable instructions with consideration for execution context
US20040015724A1 (en) * 2002-07-22 2004-01-22 Duc Pham Logical access block processing protocol for transparent secure file storage
US20040250086A1 (en) * 2003-05-23 2004-12-09 Harris Corporation Method and system for protecting against software misuse and malicious code
US7243230B2 (en) * 2001-11-16 2007-07-10 Microsoft Corporation Transferring application secrets in a trusted operating system environment

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5448045A (en) * 1992-02-26 1995-09-05 Clark; Paul C. System for protecting computers via intelligent tokens or smart cards
US20010007131A1 (en) * 1997-09-11 2001-07-05 Leonard J. Galasso Method for validating expansion roms using cryptography
US6625730B1 (en) * 2000-03-31 2003-09-23 Hewlett-Packard Development Company, L.P. System for validating a bios program and memory coupled therewith by using a boot block program having a validation routine
US7558958B2 (en) * 2002-06-13 2009-07-07 Microsoft Corporation System and method for securely booting from a network

Also Published As

Publication number Publication date
US8185750B2 (en) 2012-05-22
US20080184040A1 (en) 2008-07-31

Similar Documents

Publication Publication Date Title
US8185750B2 (en) Method for extending the CRTM in a trusted platform
US11503030B2 (en) Service processor and system with secure booting and monitoring of service processor integrity
US11176255B2 (en) Securely booting a service processor and monitoring service processor integrity
US7752458B2 (en) Method and system for hierarchical platform boot measurements in a trusted computing environment
US8055912B2 (en) Method and system for bootstrapping a trusted server having redundant trusted platform modules
US8086852B2 (en) Providing a trusted platform module in a hypervisor environment
Parno et al. Bootstrapping trust in commodity computers
US8065522B2 (en) Method and system for virtualization of trusted platform modules
JP5957004B2 (en) System, method, computer program product, and computer program for providing validation that a trusted host environment is compliant with virtual machine (VM) requirements
US10915632B2 (en) Handling of remote attestation and sealing during concurrent update
US8122256B2 (en) Secure bytecode instrumentation facility
US20060026418A1 (en) Method, apparatus, and product for providing a multi-tiered trust architecture
JP5394441B2 (en) System and method for N-ary locality in a security coprocessor
Martin The ten-page introduction to Trusted Computing
US11095454B2 (en) Releasing secret information in a computer system
KR20220090537A (en) Validate Virtual Environment Type for Policy Enforcement
Seshadri et al. Externally verifiable code execution
Frazelle Securing the Boot Process: The hardware root of trust
Frazelle Securing the boot process
Takemori et al. Remote Attestation for HDD Files using Kernel Protection Mechanism
Ma et al. Architecture of Trusted Terminal
Dasgupta et al. TECHNIQUES FOR VALIDATION AND CONTROLLED EXECUTION OF PROCESSES, CODES AND DATA

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTERNATIONAL BUSINESS MACHNINES CORPORATION, NEW

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:BADE, STEVEN A.;PEREZ, RONALD;VAN DOORN, LEENDERT PETER;AND OTHERS;REEL/FRAME:014893/0797;SIGNING DATES FROM 20040629 TO 20040707

STCB Information on status: application discontinuation

Free format text: EXPRESSLY ABANDONED -- DURING EXAMINATION