Apparatus and method for creating a trusted environment

US 20050223221A1
Filed: 03/25/2005
Published: 10/06/2005
Est. Priority Date: 11/22/2001
Status: Active Grant

First Claim

Patent Images

1. A computer apparatus for creating a trusted environment comprising a trusted device arranged to acquire a first integrity metric to allow determination as to whether the computer apparatus is operating in a trusted manner;

a processor arranged to allow execution of a first trust routine and associated first operating environment, and means for restricting access of the first operating environment to resources available to the trust routine, wherein the trust routine is arranged to acquire a second integrity metric to allow determination as to whether the first operating environment is operating in a trusted manner.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer apparatus for creating a trusted environment comprising a trusted device arranged to acquire a first integrity metric to allow determination as to whether the computer apparatus is operating in a trusted manner; a processor arranged to allow execution of a first trust routine and associated first operating environment, and means for restricting the first operating environment access to resources available to the trust routine, wherein the trust routine being arranged to acquire the first integrity metric and a second integrity metric to allow determination as to whether the first operating environment is operating in a trusted manner.

Citations

18 Claims

1. A computer apparatus for creating a trusted environment comprising a trusted device arranged to acquire a first integrity metric to allow determination as to whether the computer apparatus is operating in a trusted manner;
- a processor arranged to allow execution of a first trust routine and associated first operating environment, and means for restricting access of the first operating environment to resources available to the trust routine, wherein the trust routine is arranged to acquire a second integrity metric to allow determination as to whether the first operating environment is operating in a trusted manner.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A computer apparatus as claimed in claim 1, wherein the means for restricting access of the first operating environment comprises a control layer of software and an operating system of the first operating environment adapted such that any instructions in the operating system of the first operating environment with potential to affect any environment outside the first operating environment cause a transition to the control layer.
  - 3. A computer apparatus according to claim 2, wherein the trusted device is a tamper resistant device.
  - 4. A computer apparatus according to claim 2, wherein the trust routine is arranged to incorporate cryptographical functionality for restricting access to data associated with the trust routine.
  - 5. A computer apparatus according to claim 1, wherein the trusted device has an attestation identity and an attestation identity certificate containing attestation by a third party that the trusted device comprises a valid trusted platform module and that the computer apparatus comprises a valid trusted platform.
  - 6. A computer apparatus according to claim 5, wherein the trust routine has an endorsement credential providing attestation by the trusted device that the trust routine comprises a valid virtual trusted platform module and a platform credential providing attestation by the trusted device that the trust routine and the first operating environment comprises a valid virtual trusted platform.
  - 7. A computer apparatus according to claim 6, wherein the trust routine has an attestation identity and an attestation identity certificate containing attestation that the trusted device comprises a valid trusted platform module and that the computer apparatus comprises a valid trusted platform.
  - 8. A computer apparatus according to claim 7, wherein the attestation is provided by a third party.
  - 9. A computer apparatus according to claim 7, wherein the attestation is provided by the trusted device.
  - 10. A computer apparatus according to claim 7, wherein the trusted device is arranged on powering down of the computer apparatus to store the endorsement credential, the platform credential and the attestation identity certificate of the trust routine.

11. A method for creating a trusted environment comprising acquiring a first integrity metric to allow determination as to whether a computer apparatus is operating in a trusted manner;
- executing a first trust routine and an associated first operating environment, restricting the first operating environment'"'"'s access to resources available to the trust routine, and arranging the trust routine to acquire a second integrity metric to allow determination as to whether the first operating environment is operating in a trusted manner.
- View Dependent Claims (12, 13, 14)
- - 12. A method according to claim 11, wherein the first integrity metric is acquired by a trusted device in the computing apparatus, the trusted device having an attestation identity attested by a third party.
  - 13. A method according to claim 12, further comprising the trusted device providing the trust routine with an endorsement credential providing attestation by the trusted device that the trust routine comprises a valid virtual trusted platform module and a platform credential providing attestation by the trusted device that the trust routine and the first operating environment comprises a valid virtual trusted platform.
  - 14. A method according to claim 13, further comprising the trust routine generating an attestation identity and obtaining an attestation identity certificate using the endorsement credential and the platform credential.

15. A data structure comprising an attestation identity certificate for a trusted device in computer apparatus, the attestation identity certificate comprising at least a public key, a label, and a description of the computer apparatus including its virtualization processes to enable the trusted device to provide credentials for trust routines, all being signed by a trusted party.

16. A data structure comprising an attestation identity certificate for a trust routine running on computer apparatus having a trusted device, the attestation identity certificate comprising at least a public key and a label, all being signed by a trusted party.
- View Dependent Claims (17, 18)
- - 17. A data structure according to claim 16, wherein the trusted party is a third party and the attestation identity certificate further comprises an indication of the attestation identity of the trusted device.
  - 18. A data structure according to claim 16, wherein the trusted party is the trusted device and the attestation identity certificate further comprises a description of the computer apparatus including its virtualization processes and a description of the trust routine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Proudler, Graeme John, Plaquin, David, Balacheff, Boris

Granted Patent

US 7,467,370 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/164
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 21/575   Secure boot

G06F 21/62   Protecting access to data v...

G06F 2221/2105   Dual mode as a secondary as...

G06F 2221/2145   Inheriting rights or proper...

G06F 2221/2149   Restricted operating enviro...

G06F 2221/2153   Using hardware token as a s...

Apparatus and method for creating a trusted environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for creating a trusted environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links