Method and apparatus for binding TPM keys to execution entities
First Claim

1. A method comprising:
measuring an execution entity to generate a digest value according to an authorization request issued by the execution entity for authorization data required by a trusted platform module (TPM) to use a key protected within the TPM; and
granting the authorization request if the digest value verifies that the execution entity is an owner of the key.
Abstract
A method and apparatus for binding trusted platform module (TPM) keys to execution entities are described. In one embodiment, the method includes the receipt of an authorization request issued by an execution entity for authorization data. According to the authorization request, the execution entity may be measured to generate an entity digest value. Once the entity digest value is generated, a platform reference module may grant the authorization request if the entity digest value verifies that the execution entity is an owner of the key held by the TPM. Accordingly, in one embodiment, a platform reference module, rather than an execution entity, holds the authorization data required by a TPM to use a key owned by the execution entity and held within sealed storage by the TPM. Other embodiments are described and claimed.
20 Claims
1. A method comprising:
measuring an execution entity to generate a digest value according to an authorization request issued by the execution entity for authorization data required by a trusted platform module (TPM) to use a key protected within the TPM; and
granting the authorization request if the digest value verifies that the execution entity is an owner of the key.
Dependent claims: 2, 3, 4, 5.
6. An article of manufacture comprising a machine-accessible medium having associated data, wherein the data, when accessed, results in a machine performing:
generating, by a platform reference module, authorization data for a requested key according to a key generation request issued by an execution entity;
measuring the execution entity to generate an ownership digest value;
issuing a key creation command to a trusted platform module (TPM) including the authorization data, wherein the TPM is to require the authorization data for use of the requested key; and
providing a key credential to the execution entity to enable the execution entity to verify that the authorization data required by the TPM for use of the requested key is held by the platform reference module.
Dependent claims: 7, 8, 9, 10.
11. A method comprising:
restricting use of at least one parent key owned by a trusted platform service to a trusted platform bootup state; and
loading, for the trusted platform service, one or more child keys of the parent key if platform metrics indicate the trusted platform bootup state.
Dependent claims: 12, 13, 14, 15.
16. A platform comprising:
a trusted platform module (TPM), including a processor and a non-volatile memory to provide sealed storage of at least one entity key owned;
a trusted measurement agent to measure an execution entity to generate an entity digest value according to an authorization request issued by the execution entity for authorization data required by the TPM to use an entity key held within the sealed storage of the TPM; and
a platform reference module to grant an authorization request issued by an execution entity if an entity digest value measured from the execution entity verifies that the execution entity is an owner of the entity key.
Dependent claims: 17, 18, 19, 20.
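The following simulation is an added illustration of the mechanism described in the abstract and in claims 1, 6 and 11; it is not code from the patent or from any TPM vendor. It models a toy TPM with one PCR and a sealed key store, a platform reference module that generates and retains the authorization data for each entity key, and a measurement step (a SHA-256 digest of the entity's code image) that decides whether an authorization request is granted. The class and function names, the code images, the boot measurement and the use of a keyed MAC as the "use" of a key are all constructed for the example; a real TPM's command set, PCR semantics and key hierarchy are richer than this.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def measure(code: bytes) -> str:
    """Stand-in for the trusted measurement agent: SHA-256 digest of an entity's code image."""
    return hashlib.sha256(code).hexdigest()


def pcr_extend(current: str, measurement: str) -> str:
    """TPM-style PCR extend: new = H(old || measurement), both given as hex digests."""
    return hashlib.sha256(bytes.fromhex(current) + bytes.fromhex(measurement)).hexdigest()


@dataclass
class SealedKey:
    auth: bytes                         # authorization data the TPM demands before using the key
    secret: bytes                       # key material; never leaves the simulated TPM
    parent: Optional[str] = None        # parent key id, for child keys (claim 11 hierarchy)
    required_pcr: Optional[str] = None  # boot state a parent key is restricted to


class SimTPM:
    """Toy TPM: a sealed key store plus a single PCR. Not a real TPM interface."""

    def __init__(self) -> None:
        self._keys: dict = {}
        self.pcr0 = "00" * 32  # PCRs start at all zeros

    def extend_pcr(self, measurement: str) -> None:
        self.pcr0 = pcr_extend(self.pcr0, measurement)

    def create_key(self, key_id: str, auth: bytes, parent: Optional[str] = None,
                   required_pcr: Optional[str] = None) -> None:
        self._keys[key_id] = SealedKey(auth, os.urandom(32), parent, required_pcr)

    def use_key(self, key_id: str, auth: bytes, message: bytes) -> bytes:
        key = self._keys[key_id]
        if not hmac.compare_digest(key.auth, auth):
            raise PermissionError("authorization data does not match")
        if key.parent is not None:
            parent = self._keys[key.parent]
            # child keys are usable only while platform metrics show the trusted boot state
            if parent.required_pcr is not None and parent.required_pcr != self.pcr0:
                raise PermissionError("parent key restricted to trusted boot state")
        return hmac.new(key.secret, message, hashlib.sha256).digest()  # "use" = keyed MAC


class PlatformReferenceModule:
    """Holds each key's authorization data and the digest of the entity that owns it."""

    def __init__(self, tpm: SimTPM) -> None:
        self.tpm = tpm
        self._records: dict = {}  # key_id -> (auth, owner_digest)

    def create_entity_key(self, entity_code: bytes, key_id: str,
                          parent: Optional[str] = None) -> dict:
        auth = os.urandom(20)                # generated here; never handed to the entity
        owner_digest = measure(entity_code)  # ownership digest taken at key creation
        self.tpm.create_key(key_id, auth, parent)
        self._records[key_id] = (auth, owner_digest)
        # key credential: lets the entity verify who holds the auth data without revealing it
        return {"key_id": key_id, "owner_digest": owner_digest,
                "auth_holder": "platform_reference_module"}

    def request_use(self, entity_code: bytes, key_id: str, message: bytes) -> Optional[bytes]:
        auth, owner_digest = self._records[key_id]
        if not hmac.compare_digest(measure(entity_code), owner_digest):
            return None  # digest does not prove ownership: authorization request denied
        return self.tpm.use_key(key_id, auth, message)


def demo() -> dict:
    """Three cases: request before trusted boot, genuine entity, tampered entity."""
    tpm = SimTPM()
    prm = PlatformReferenceModule(tpm)
    boot_measurement = measure(b"constructed trusted boot loader image")
    trusted_state = pcr_extend(tpm.pcr0, boot_measurement)
    # parent key owned by the trusted platform service, restricted to the trusted boot state
    tpm.create_key("service-parent", os.urandom(20), required_pcr=trusted_state)

    app = b"constructed application code image"
    credential = prm.create_entity_key(app, "app-key", parent="service-parent")
    results = {"auth_holder": credential["auth_holder"]}
    try:
        prm.request_use(app, "app-key", b"msg")
        results["before_boot"] = "allowed"
    except PermissionError:
        results["before_boot"] = "denied"

    tpm.extend_pcr(boot_measurement)  # platform reaches the trusted boot state
    results["genuine"] = prm.request_use(app, "app-key", b"msg") is not None
    results["tampered"] = prm.request_use(app + b"#patched", "app-key", b"msg") is not None
    return results


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes is the one the abstract makes: the execution entity never holds the TPM authorization data, so a modified copy of it (different code image, hence different digest) cannot reuse the key even though it runs on the same platform, and no child key of the service's parent key is usable until the PCR reflects the expected boot measurement.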
Specification