Technologies for end-to-end biometric-based authentication and platform locality assertion
First Claim
1. A computing device for end-to-end biometric authentication, the computing device comprising:
one or more processors;
communication circuitry coupled to the one or more processors; and
one or more memory devices having stored therein a plurality of instructions that, when executed by the one or more processors, cause the computing device to;
securely exchange a shared key between a biometric device driver of the computing device and an authentication secure enclave of the computing device, wherein the authentication secure enclave is established with secure enclave support of a processor of the computing device;
allocate a virtualization-protected memory buffer in a memory range that is inaccessible to an operating system of the computing device and that is inaccessible to the authentication secure enclave;
receive, by the biometric device driver, biometric data from a biometric device of the computing device in the virtualization-protected memory buffer, wherein the virtualization-protected memory buffer is secured by hardware virtualization support using extended page table support of the processor of the computing device,
encrypt, by the biometric device driver, the biometric data with the shared key to generate encrypted biometric data, wherein the shared key is secured by the hardware virtualization support of the processor;
decrypt, by the authentication secure enclave, the encrypted biometric data with the shared key; and
perform, by the authentication secure enclave, a biometric authentication operation based on the biometric data in response to decryption of the encrypted biometric data.
Abstract
Technologies for end-to-end biometric-based authentication and locality assertion include a computing device with one or more biometric devices. The computing device may securely exchange a key between a driver and a secure enclave. The driver may receive biometric data from the biometric sensor in a virtualization-protected memory buffer and encrypt the biometric data with the shared key. The secure enclave may decrypt the biometric data and perform a biometric authentication operation. The computing device may measure a virtual machine monitor (VMM) to generate attestation information for the VMM. A secure enclave may execute a virtualization report instruction to request the attestation information. The processor may copy the attestation information into the secure enclave memory. The secure enclave may verify the attestation information with a remote attestation server. If verified, the secure enclave may provide a shared secret to the VMM. Other embodiments are described and claimed.
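The attestation-gated release of the shared secret described in the abstract can be modeled in software. This is an added example, not code from the patent or its assignee: the report layout, the HMAC standing in for processor-authenticated attestation information, the nonce, the allowlist and every function name are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

# Simulation only; every name and format below is an assumption of this example.
CPU_KEY = secrets.token_bytes(32)             # stands in for a processor-held report key
GOOD_VMM = b"constructed VMM image, build A"  # constructed sample input
ALLOWLIST = {hashlib.sha256(GOOD_VMM).digest()}  # known-good measurements at the server
ENCLAVE_SECRET = secrets.token_bytes(32)      # shared secret the enclave may release


def measure_vmm(image):
    """Measure the VMM at launch: here, a SHA-256 digest of its image."""
    return hashlib.sha256(image).digest()


def virtualization_report(measurement, nonce):
    """Model the processor copying attestation information into enclave memory.

    The MAC binds the measurement to the enclave's fresh nonce.
    """
    mac = hmac.new(CPU_KEY, nonce + measurement, hashlib.sha256).digest()
    return {"measurement": measurement, "nonce": nonce, "mac": mac}


def server_verify(report, expected_nonce):
    """Remote attestation server: check authenticity, freshness, then the allowlist."""
    expected = hmac.new(CPU_KEY, report["nonce"] + report["measurement"],
                        hashlib.sha256).digest()
    return (hmac.compare_digest(expected, report["mac"])
            and hmac.compare_digest(report["nonce"], expected_nonce)
            and report["measurement"] in ALLOWLIST)


def enclave_provision(running_image, report_override=None):
    """Enclave side: obtain a report, verify it remotely, release the secret only on success."""
    nonce = secrets.token_bytes(16)
    report = report_override or virtualization_report(measure_vmm(running_image), nonce)
    return ENCLAVE_SECRET if server_verify(report, nonce) else None
```

A modified VMM image, a report replayed under an old nonce, and a report with an altered MAC all leave the VMM without the secret.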
11 Claims
7. One or more non-transitory machine readable storage media comprising a plurality of instructions that in response to being executed cause a computing device to:
securely exchange a shared key between a biometric device driver of the computing device and an authentication secure enclave of the computing device, wherein the authentication secure enclave is established with secure enclave support of a processor of the computing device;
allocate a virtualization-protected memory buffer in a memory range that is inaccessible to an operating system of the computing device and that is inaccessible to the authentication secure enclave;
receive, by the biometric device driver, biometric data from a biometric device of the computing device in the virtualization-protected memory buffer, wherein the virtualization-protected memory buffer is secured by hardware virtualization support using extended page table support of the processor of the computing device;
encrypt, by the biometric device driver, the biometric data with the shared key to generate encrypted biometric data, wherein the shared key is secured by the hardware virtualization support of the processor;
decrypt, by the authentication secure enclave, the encrypted biometric data with the shared key; and
perform, by the authentication secure enclave, a biometric authentication operation based on the biometric data in response to decrypting the encrypted biometric data.
Specification