Computing devices

US 10,339,317 B2
Filed: 03/04/2016
Issued: 07/02/2019
Est. Priority Date: 12/18/2015
Status: Active Grant

First Claim

Patent Images

1. A computing device, comprising:

a trusted execution environment;

a Basic Input/Output System (BIOS) configured to request a Key Encryption Key (KEK) from the trusted execution environment; and

a Self-Encrypting Storage (SES) associated with the KEK;

wherein the trusted execution environment is configured to verify the BIOS and provide the KEK to the BIOS subsequent to verification of the BIOS, and the BIOS is configured to provide the KEK to the SES to unlock the SES for access by the trusted execution environment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein are embodiments related to security in cloudlet environments. In some embodiments, for example, a computing device (e.g., a cloudlet) may include: a trusted execution environment; a Basic Input/Output System (BIOS) to request a Key Encryption Key (KEK) from the trusted execution environment; and a Self-Encrypting Storage (SES) associated with the KEK; wherein the trusted execution environment is to verify the BIOS and provide the KEK to the BIOS subsequent to verification of the BIOS, and the BIOS is to provide the KEK to the SES to unlock the SES for access by the trusted execution environment.

16 Citations

View as Search Results

25 Claims

1. A computing device, comprising:
- a trusted execution environment;
  
  a Basic Input/Output System (BIOS) configured to request a Key Encryption Key (KEK) from the trusted execution environment; and
  
  a Self-Encrypting Storage (SES) associated with the KEK;
  
  wherein the trusted execution environment is configured to verify the BIOS and provide the KEK to the BIOS subsequent to verification of the BIOS, and the BIOS is configured to provide the KEK to the SES to unlock the SES for access by the trusted execution environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computing device of claim 1, wherein the trusted execution environment is a root-of-trust for the computing device.
  - 3. The computing device of claim 1, wherein the trusted execution environment includes processing resources that are hardware and software isolated from execution of an operating system on the computing device.
  - 4. The computing device of claim 1, wherein the computing device is a cloudlet.
  - 5. The computing device of claim 1, wherein the trusted execution environment is configured to communicate with a remote management computing device to receive updates.
  - 6. The computing device of claim 5, wherein the trusted execution environment includes a lifecycle manager configured to communicate with the remote management computing device over a RESTful interface.
  - 7. The computing device of claim 6, wherein the lifecycle manager is configured to emulate a read-only device exposing configuration parameters to another computing device.
  - 8. The computing device of claim 6, wherein the lifecycle manager is configured to emulate a read-only device exposing log or diagnostic information to another computing device.
  - 9. The computing device of claim 1, further comprising Virtualized Network Function (VNF) logic.
  - 10. The computing device of claim 1, further comprising Virtual Machine (VM) logic.

11. A networked computing system, comprising:
- a cloudlet, including;
  
  a trusted execution environment,a Basic Input/Output System (BIOS) configured to request a Key Encryption Key (KEK) from the trusted execution environment, anda Self-Encrypting Storage (SES) associated with the KEK,wherein the trusted execution environment is configured to provide the KEK to the BIOS, and the BIOS is configured to provide the KEK to the SES to unlock the SES for access by the trusted execution environment; and
  
  a cloudlet management center, remote from the cloudlet, in communication with the trusted execution environment.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The networked computing system of claim 11, wherein the networked computing system is a Mobile Edge Computing (MEC) system.
  - 13. The networked computing system of claim 11, wherein the networked computing system is a Fifth Generation Mobile Network (5G) system.
  - 14. The networked computing system of claim 11, further comprising multiple cloudlets in communication with the cloudlet management center.
  - 15. The networked computing system of claim 11, wherein the trusted execution environment is an operator root-of-trust.
  - 16. The networked computing system of claim 11, wherein the trusted execution environment is a manufacturer root-of-trust.
  - 17. The networked computing system of claim 11, wherein the trusted execution environment is configured to receive an update image from the cloudlet management center while an operating system of the cloudlet continues to execute.

18. One or more non-transitory computer readable media having instructions thereon that, in response to execution by a Basic Input/Output System (BIOS) of a computing device, cause the computing device to:
- request a Key Encryption Key (KEK) for a Self-Encrypting Storage (SES) of the computing device;
  
  receive, from a trusted execution environment of the computing device in response to verification of the BIOS, the KEK; and
  
  provide the KEK to unlock the SES, wherein the SES is to use the KEK to unlock a Media Encryption Key (MEK), and the MEK encrypts data stored in the SES.
- View Dependent Claims (19, 20, 21)
- - 19. The one or more non-transitory computer readable media of claim 18, wherein the SES is partitioned and providing the key to unlock the SES includes providing the key to unlock a partition of the SES associated with the KEK.
  - 20. The one or more non-transitory computer readable media of claim 18, wherein firmware configuration information is stored in the SES.
  - 21. The one or more non-transitory computer readable media of claim 18, wherein the computing device is an edge server in a Mobile Edge Computing (MEC) network.

22. A method of operating a computing device, including:
- requesting, by a Basic Input/Output System (BIOS) of the computing device, a Key Encryption Key (KEK) for a Self-Encrypting Storage (SES) of the computing device;
  
  receiving, by the BIOS from a trusted execution environment of the computing device in response to verification of the BIOS, the KEK; and
  
  providing, by the BIOS, the KEK to unlock the SES for access by the trusted execution environment.
- View Dependent Claims (23, 24, 25)
- - 23. The method of claim 22, wherein the computing device is a server in a Mobile Edge Computing (MEC) network.
  - 24. The method of claim 22, wherein the computing device is a server in a Fifth Generation Mobile Network (5G) system.
  - 25. The method of claim 22, wherein the SES is to use the KEK to unlock a Media Encryption Key (MEK), and the MEK encrypts data stored in the SES.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Raghuram, Yeluri, Balle, Susanne M., Cook, Nigel Thomas, Sood, Kapil
Primary Examiner(s)
Bae, Ji H

Application Number

US15/060,844
Publication Number

US 20170177873A1
Time in Patent Office

1,215 Days
Field of Search

713 2
US Class Current
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/53   by executing in a restricte...

G06F 21/575   Secure boot

G06F 21/71   to assure secure computing ...

H04L 9/0822   using key encryption key

H04L 9/0894   Escrow, recovery or storing...

Computing devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

Computing devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others