Methods and systems to measure a hypervisor after the hypervisor has already been measured and booted
First Claim
1. At least one non-transitory machine-readable medium having stored thereon data which, if used by at least one machine, causes the at least one machine to perform operations comprising:
receive a request for a measurement of a hypervisor from at least one computing node that is external to the at least one machine;
execute a previously measured measuring agent to measure the hypervisor, after the hypervisor is measured and booted, to generate a measurement while:
(a) the at least one machine is in virtual machine extension (VMX) root operation, and (b) the measuring agent is in a protected mode;
attest to the measurement, based on at least one encryption credential, to generate an attested measurement output; and
communicate the attested measurement output to the at least one computing node;
wherein the hypervisor does not include the at least one encryption credential while the measuring agent is measuring the booted hypervisor.
Abstract
An embodiment: (a) receives a request for a measurement of a hypervisor from at least one computing node that is external to the at least one machine; (b) executes a previously measured measuring agent to measure the hypervisor, after the hypervisor is measured and booted, to generate a measurement while: (b)(i) the at least one machine is in virtual machine extension (VMX) root operation, and (b)(ii) the measuring agent is in a protected mode; (c) attests to the measurement, based on at least one encryption credential, to generate an attested measurement output; and (d) communicates the attested measurement output to the at least one computing node. The hypervisor does not include the at least one encryption credential while the measuring agent is measuring the booted hypervisor. Other embodiments are described herein.
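The flow in the abstract (external verifier requests a measurement, a separately measured agent hashes the running hypervisor, the agent attests with a credential the hypervisor never holds, and the verifier checks the result) is modelled below as an added example; it is not code from the patent or from any product it covers. The class names, the use of a shared HMAC key as the "encryption credential" (a simplification of the asymmetric or TPM-backed credentials real attestation uses), the sample hypervisor image and the nonce-based freshness check are all assumptions made here for illustration; the VMX-root and protected-mode execution context is not modelled.

```python
import hashlib
import hmac
import os

# Constructed sample: a stand-in for the code pages of a booted hypervisor.
HYPERVISOR_IMAGE = b"hypothetical-hypervisor-text-segment\x00" * 64


class Hypervisor:
    """Models the booted hypervisor. It deliberately holds no credential,
    matching the claim that the hypervisor does not include the credential
    while it is being measured."""

    def __init__(self, image: bytes):
        self.image = bytearray(image)  # mutable so a post-boot change can be simulated


class MeasuringAgent:
    """Models the previously measured measuring agent; it alone holds the credential."""

    def __init__(self, credential: bytes):
        self._credential = credential

    def measure(self, hv: Hypervisor) -> bytes:
        # Measurement of the running hypervisor image, taken after boot.
        return hashlib.sha256(bytes(hv.image)).digest()

    def attest(self, measurement: bytes, nonce: bytes) -> dict:
        # Bind the measurement to the verifier's nonce so a stale report
        # cannot be replayed, and authenticate it with the credential.
        mac = hmac.new(self._credential, nonce + measurement, hashlib.sha256).digest()
        return {"nonce": nonce, "measurement": measurement, "mac": mac}


class Verifier:
    """Models the external computing node that requests and checks the report."""

    def __init__(self, credential: bytes, expected_measurement: bytes):
        self._credential = credential
        self._expected = expected_measurement
        self._pending = set()  # nonces issued but not yet answered

    def request(self) -> bytes:
        nonce = os.urandom(16)
        self._pending.add(nonce)
        return nonce

    def check(self, report: dict) -> bool:
        nonce = report["nonce"]
        if nonce not in self._pending:  # unknown or already-used nonce: reject
            return False
        self._pending.discard(nonce)
        expected_mac = hmac.new(
            self._credential, nonce + report["measurement"], hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected_mac, report["mac"]):
            return False  # report not produced with the credential
        # Authentic report; now compare against the known-good value.
        return hmac.compare_digest(report["measurement"], self._expected)


def run_attestation(hv: Hypervisor, agent: MeasuringAgent, verifier: Verifier):
    """One request/measure/attest/verify round; returns (report, accepted)."""
    nonce = verifier.request()
    report = agent.attest(agent.measure(hv), nonce)
    return report, verifier.check(report)


def demo():
    """Returns (clean accepted, replay accepted, tampered accepted)."""
    credential = b"constructed-attestation-credential"  # assumption: pre-shared
    hv = Hypervisor(HYPERVISOR_IMAGE)
    agent = MeasuringAgent(credential)
    golden = hashlib.sha256(HYPERVISOR_IMAGE).digest()  # known-good measurement
    verifier = Verifier(credential, golden)

    report, ok_clean = run_attestation(hv, agent, verifier)
    ok_replay = verifier.check(report)  # same report presented again

    hv.image[100] ^= 0xFF  # simulate a post-boot change to hypervisor code
    _, ok_tampered = run_attestation(hv, agent, verifier)
    return ok_clean, ok_replay, ok_tampered


if __name__ == "__main__":
    print(demo())
```

The point the example isolates is the separation of trust: the hypervisor being measured has no access to the credential, so a modified hypervisor cannot forge an acceptable report, and the nonce ties each report to one request so an old, valid report cannot be reused.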
38 Citations
20 Claims
1. At least one non-transitory machine-readable medium having stored thereon data which, if used by at least one machine, causes the at least one machine to perform operations comprising:
receive a request for a measurement of a hypervisor from at least one computing node that is external to the at least one machine; execute a previously measured measuring agent to measure the hypervisor, after the hypervisor is measured and booted, to generate a measurement while:
(a) the at least one machine is in virtual machine extension (VMX) root operation, and (b) the measuring agent is in a protected mode; attest to the measurement, based on at least one encryption credential, to generate an attested measurement output; and communicate the attested measurement output to the at least one computing node; wherein the hypervisor does not include the at least one encryption credential while the measuring agent is measuring the booted hypervisor. (Dependent claims: 2, 3, 4, 5)

6. An apparatus comprising:
at least one memory and at least one processor, coupled to the at least one memory, to perform operations comprising: measure a hypervisor; measure a measuring agent; receive a request for a measurement of the hypervisor from at least one computing node; execute the previously measured measuring agent to measure the hypervisor, after the hypervisor has been booted and measured, to generate a measurement while:
(a) the at least one processor is in virtual machine extension (VMX) root operation, and (b) the measuring agent is in a protected mode; attest to the measurement, based on at least one encryption credential, to generate an attested measurement output; and communicate the attested measurement output to the at least one computing node; wherein the hypervisor does not include the at least one encryption credential while the measuring agent is measuring the booted hypervisor. (Dependent claims: 7, 8, 9, 10)

11. A method comprising:
receiving a request for a measurement of a hypervisor from at least one computing node; prompting a previously measured measuring agent to measure the hypervisor, after the hypervisor is measured and booted, to generate a measurement while:
(a) at least one machine, coupled to the hypervisor, is in virtual machine extension (VMX) root operation, and (b) the measuring agent is in a protected mode; attesting to the measurement, based on at least one encryption credential, to generate an attested measurement output; and communicating the attested measurement output to the at least one computing node; wherein the hypervisor does not include the at least one encryption credential while the measuring agent is measuring the booted hypervisor. (Dependent claims: 12, 13, 14, 15)

16. A system comprising:
means for receiving a request for a measurement of a hypervisor from at least one computing node; means for executing a previously measured measuring agent to measure the hypervisor, after the hypervisor is measured and booted, to generate a measurement while:
(a) at least one machine, coupled to the hypervisor, is in virtual machine extension (VMX) root operation, and (b) the measuring agent is in a protected mode; means for attesting to the measurement, based on at least one encryption credential, to generate an attested measurement output; and means for communicating the attested measurement output to the at least one computing node; wherein the hypervisor does not include the at least one encryption credential while the measuring agent is measuring the booted hypervisor. (Dependent claims: 17, 18, 19, 20)
Specification