Managing a secure platform using a hierarchical executive architecture in isolated execution mode

US 20050188198A1
Filed: 04/26/2005
Published: 08/25/2005
Est. Priority Date: 03/31/2000
Status: Abandoned Application

First Claim

Patent Images

1. A processing system, comprising:

a processor to execute in an isolated execution mode in a ring 0 operating mode, wherein the processor also supports one or more higher ring operating modes, as well as a normal execution mode in at least the ring 0 operating mode;

memory responsive to the processor; and

a machine-accessible medium responsive to the processor, the machine-accessible medium having instructions which, when executed by the processor, result in the processing system performing operations comprising;

configuring the processor to run in the isolated execution mode;

configuring the processing system to establish an isolated memory area in the memory, wherein the processing system does not allow access to the isolated memory area if the processor is not in the isolated execution mode;

loading initialization software into the isolated memory area; and

providing a manifest for the initialization software, wherein the manifest represents the initialization software.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An example processing system comprises a processor to execute in an isolated execution mode in a ring 0 operating mode. The processor also supports one or more higher ring operating modes, as well as a normal execution mode. The processing system also comprises memory, as well as a machine-accessible medium having instructions. When the processing system executes the instructions, the processing system configures the processor to run in the isolated execution mode, configures the processing system to establish an isolated memory area in the memory, and loads initialization software into the isolated memory area. The processing system may provide a manifest that represents the initialization software. The initialization software may be verified, based at least in part on the manifest.

Citations

26 Claims

1. A processing system, comprising:
- a processor to execute in an isolated execution mode in a ring 0 operating mode, wherein the processor also supports one or more higher ring operating modes, as well as a normal execution mode in at least the ring 0 operating mode;
  
  memory responsive to the processor; and
  
  a machine-accessible medium responsive to the processor, the machine-accessible medium having instructions which, when executed by the processor, result in the processing system performing operations comprising;
  
  configuring the processor to run in the isolated execution mode;
  
  configuring the processing system to establish an isolated memory area in the memory, wherein the processing system does not allow access to the isolated memory area if the processor is not in the isolated execution mode;
  
  loading initialization software into the isolated memory area; and
  
  providing a manifest for the initialization software, wherein the manifest represents the initialization software.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 16, 17, 18)
- - 2. A processing system according to claim 1, wherein the operations performed by the processing system further comprise:
    - verifying the initialization software, based at least in part on the manifest for the initialization software.
  - 3. A processing system according to claim 2, wherein:
    - the processing system comprises a platform key (PK); and
      
      verification of the initialization software is based at least in part on the PK.
  - 4. A processing system according to claim 3, wherein the PK comprises an encryption/decryption key that is substantially uniquely assigned to the processing system.
  - 5. A processing system according to claim 1, wherein the operations performed by the processing system further comprise:
    - verifying the initialization software, based at least in part on the manifest for the initialization software; and
      
      after verifying the initialization software, launching the initialization software.
  - 6. A processing system according to claim 5, wherein the operation of launching the initialization software comprises:
    - launching the initialization software to run in the isolated execution mode.
  - 7. A processing system according to claim 1, wherein the operations performed by the processing system further comprise:
    - executing an isolated create instruction during a process of booting the processing system, wherein execution of the isolated create instruction launches an atomic sequence of operations, the atomic sequence being non-interruptible, the atomic sequence of operations comprising;
      
      configuring the processor in the isolated execution mode;
      
      verifying at least part of the initialization software; and
      
      after successful verification, transferring control to the initialization software.
  - 16. A method according to claim 1, wherein the operation of loading initialization software comprises loading software to perform operations comprising at least one operation from the group consisting of:
    - managing paging in the isolated memory area; and
      
      interfacing with an operating system (OS).
  - 17. A method according to claim 1, wherein the initialization software performs operations comprising:
    - generating an applet key associated with an applet module.
  - 18. A method according to claim 1, further comprising:
    - executing an isolated create instruction during a process of booting the platform, wherein execution of the isolated create instruction launches an atomic sequence of operations, the atomic sequence being non-interruptible, the atomic sequence of operations comprising;
      
      configuring the processor in the isolated execution mode;
      
      verifying at least part of the initialization software; and
      
      after successful verification, transferring control to the initialization software.

8. A method comprising:
- in a platform with a processor and a memory, configuring the processor to run in an isolated execution mode in a ring 0 operating mode, wherein the processor also supports one or more higher ring operating modes, as well as a normal execution mode in at least the ring 0 operating mode;
  
  configuring the platform to establish an isolated memory area in the memory, wherein the platform does not allow access to the isolated memory area if the processor is not in the isolated execution mode;
  
  loading initialization software into the isolated memory area; and
  
  providing a manifest for the initialization software, wherein the manifest represents the initialization software.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. A method according to claim 8, further comprising:
    - verifying the initialization software, based at least in part on the manifest for the initialization software.
  - 10. A method according to claim 9, further comprising:
    - verifying the initialization software during a process of booting the platform.
  - 11. A method according to claim 10, wherein:
    - the platform comprises a platform key (PK); and
      
      verification of the initialization software is based at least in part on the PK.
  - 12. A method according to claim 11, wherein the PK comprises an encryption/decryption key that is substantially uniquely assigned to the platform.
  - 13. A method according to 11, further comprising:
    - generating at least one additional key, based at least in part on
  - 14. A method according to claim 8, further comprising:
    - verifying the initialization software, based at least in part on the manifest for the initialization software; and
      
      after verifying the initialization software, launching the initialization software.
  - 15. A method according to claim 12, wherein the operation of launching the initialization software comprises:
    - launching the initialization software to run in the isolated execution mode. the PK.

19. An article comprising a machine-accessible media having instructions which, when executed by a machine, result in the machine performing operations comprising:
- configuring a processor in the machine to run in an isolated execution mode in a ring 0 operating mode, wherein the processor also supports one or more higher ring operating modes, as well as a normal execution mode in at least the ring 0 operating mode;
  
  configuring the machine to establish an isolated memory area in a memory in the machine, wherein the machine does not allow access to the isolated memory area if the processor is not in the isolated execution mode;
  
  loading initialization software into the isolated memory area; and
  
  providing a manifest for the initialization software, wherein the manifest represents the initialization software.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. An article according to claim 19, wherein the operations performed by the machine when executing the instructions further comprise:
    - verifying the initialization software, based at least in part on the manifest for the initialization software.
  - 21. An article according to claim 20, wherein:
    - the platform comprises a platform key (PK); and
      
      verification of the initialization software is based at least in part on the PK.
  - 22. An article according to claim 21, wherein the PK comprises an encryption/decryption key that is substantially uniquely assigned to the platform.
  - 23. An article according to claim 19, wherein the operations performed by the machine when executing the instructions further comprise:
    - verifying the initialization software, based at least in part on the manifest for the initialization software; and
      
      after verifying the initialization software, launching the initialization software.
  - 24. An article according to claim 23, wherein the operation of launching the initialization software comprises:
    - launching the initialization software to run in the isolated execution mode.

25. A method comprising:
- in a platform with a processor and a memory, configuring the processor to run in an isolated execution mode in a ring 0 operating mode, wherein the processor also supports one or more higher ring operating modes, as well as a normal execution mode in at least the ring 0 operating mode;
  
  configuring the platform to establish an isolated memory area in the memory, wherein the platform does not allow access to the isolated memory area if the processor is not in the isolated execution mode;
  
  loading initialization software into the isolated memory area; and
  
  providing a digest for the initialization software, the digest based at least in part on a hash value derived from initialization software.
- View Dependent Claims (26)
- - 26. A method according to claim 25, further comprising:
    - verifying the initialization software, based at least in part on the digest for the initialization software.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Thakkar, Shreekant S., Neiger, Gilbert, Ellison, Carl M., Mittal, Millind, Reneris, Ken, Lin, Derrick C., McKeen, Francis X., Sutton, James A., Herbert, Howard C., Golliver, Roger A.

Application Number

US11/115,829
Publication Number

US 20050188198A1
Time in Patent Office

Days
Field of Search
US Class Current

713/164
CPC Class Codes

G06F 12/1491   in a hierarchical protectio...

G06F 21/57   Certifying or maintaining t...

G06F 21/74   operating in dual or compar...

Managing a secure platform using a hierarchical executive architecture in isolated execution mode

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Managing a secure platform using a hierarchical executive architecture in isolated execution mode

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links