Keying infrastructure
Abstract
A keying infrastructure may generate and/or manage cryptographic keys. The cryptographic keys may include identity keys, encryption keys, and a variety of other types of keys. The cryptographic keys may be derived or created with a key derivation function (KDF) or other one-way function. The cryptographic keys may include keys that are accessible to a boot loader, keys that are accessible to particular components of a Trusted Execution Environment (TrEE), and so on. In some examples, a key may be derived from a preceding key in a sequence of keys. The preceding key may be deleted when the key is derived.
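The derivation chain in the abstract, combined with the application hash and debug counter recited in the claims, can be sketched as follows. This is an added example, not code from the patent: HMAC-SHA256 as the KDF, the field labels, the 4-byte counter encoding, seeding the application chain from the TrEE key, and all sample inputs are assumptions.

```python
import hashlib
import hmac

def measure(image: bytes) -> bytes:
    """Hash of a component image or security configuration."""
    return hashlib.sha256(image).digest()

def kdf(parent, label: bytes, measurement: bytes, debug_count: int) -> bytes:
    """One-way step keyed by the parent key. HMAC-SHA256 is an assumed KDF."""
    fields = (label, measurement, debug_count.to_bytes(4, "big"))
    # Length-prefix every field so distinct inputs never concatenate identically.
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(parent, msg, hashlib.sha256).digest()

def derive_hierarchy(device_secret, loader_cfg, core_cfg, debug_count):
    """Loader key first, then the TrEE key derived from the loader key."""
    loader_key = kdf(device_secret, b"tree-loader", measure(loader_cfg), debug_count)
    tree_key = kdf(loader_key, b"tree-core", measure(core_cfg), debug_count)
    return loader_key, tree_key

def derive_app_keys(seed_key, app_images, debug_count):
    """One key per boot stage, from the preceding key and the stage's app hash.

    The list is returned only so stages can be compared here; a boot chain
    would hold just the latest key.
    """
    current, keys = bytearray(seed_key), []
    for image in app_images:  # the chain stops when no further app is to be loaded
        nxt = kdf(current, b"app", measure(image), debug_count)
        current[:] = bytes(len(current))  # best-effort wipe of the preceding key
        current = bytearray(nxt)
        keys.append(nxt)
    return keys

# Constructed sample inputs (not from the page).
DEVICE_SECRET = hashlib.sha256(b"constructed device secret").digest()
LOADER_CFG, CORE_CFG = b"loader config v1", b"core config v1"
APPS = [b"app-A image", b"app-B image", b"app-C image"]

if __name__ == "__main__":
    _, tree_key = derive_hierarchy(DEVICE_SECRET, LOADER_CFG, CORE_CFG, 0)
    good = derive_app_keys(tree_key, APPS, 0)
    bad = derive_app_keys(tree_key, [APPS[0], b"app-B patched", APPS[2]], 0)
    print([g == b for g, b in zip(good, bad)])  # keys match only before the changed stage
```

A changed loader or core configuration, a modified application image, or a different debug counter value yields different keys from that point in the chain onward, so data encrypted under the earlier keys cannot be decrypted in the altered state.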
20 Claims
1. One or more non-transitory computer-readable media storing computer-executable instructions, the computer-executable instructions upon execution, to instruct one or more processors to perform operations comprising:
- generating an encryption key hierarchy with a key derivation function, the encryption key hierarchy including (i) a Trusted Execution Environment (TrEE) loader encryption key that is associated with a current security configuration of a TrEE loader and (ii) a TrEE encryption key that is associated with a current security configuration of a TrEE core, the TrEE encryption key being generated based at least in part on the TrEE loader encryption key;
- utilizing the TrEE encryption key to encrypt data;
- derive an application key for a sequence of application keys with the key derivation function, the application key being based on at least one of a preceding application key that directly precedes the application key in the sequence of application keys and a hash of an application that is loaded or executed during a current stage of a boot process; and
- determine whether to load a next stage of the boot process based on whether additional applications are to be loaded and executed during the boot process, wherein the key derivation function is based at least in part on a debug status that indicates a number of times that debugging has been enabled or disabled.
8. A method comprising:
- deriving, by a computing device and with a key derivation function, a Trusted Execution Environment (TrEE) loader encryption key that is associated with a security configuration of a TrEE loader, the TrEE loader being configured to load a TrEE core that implements a TrEE;
- deriving, by the computing device and with the key derivation function, a TrEE encryption key that is associated with a security configuration of the TrEE core, the TrEE encryption key being derived based at least in part on the TrEE loader encryption key;
- utilizing the TrEE encryption key to encrypt data;
- deriving an application key for a sequence of application keys with the key derivation function, the application key being based on at least one of a preceding application key that directly precedes the application key in the sequence of application keys and a hash of an application that is loaded or executed during a current stage of a boot process; and
- determining whether to load a next stage of the boot process based on whether additional applications are to be loaded and executed during the boot process, wherein the key derivation function is based at least in part on a debug status that indicates a number of times that debugging has been enabled or disabled.
13. A computing device comprising:
- one or more hardware processors; and
- one or more computer-readable media storing instructions that, when executed by the one or more hardware processors, cause the one or more hardware processors to perform operations comprising;
  - generating, with a first key derivation function, a first encryption key that is associated with a security configuration of a Trusted Execution Environment (TrEE) loader;
  - generating, with a second key derivation function, a second encryption key that is associated with a security configuration of a TrEE core, the second encryption key being generated based at least in part on the first encryption key;
  - utilizing the second encryption key to at least one of encrypt data or decrypt data;
  - deriving an application key for a sequence of application keys with a third key derivation function, the application key being based on at least one of a preceding application key that directly precedes the application key in the sequence of application keys and a hash of an application that is loaded or executed during a current stage of a boot process; and
  - determining whether to load a next stage of the boot process based on whether additional applications are to be loaded and executed during the boot process, wherein the third key derivation function is based at least in part on a debug status that indicates a number of times that debugging has been enabled or disabled.
Specification