Low cost trusted platform

US 20070016766A1
Filed: 06/28/2005
Published: 01/18/2007
Est. Priority Date: 06/28/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

generating a system management interrupt (SMI) during a secure launch; and

initializing a stand-alone trusted platform module (TPM) emulator in a virtual monitor, based on the SMI.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus is described herein for emulating a physical trusted platform module (TPM) in a virtual monitor, such as a system management mode (SMM) or a system management interrupt (SMI) transfer monitor (STM). By allowing SMIs during a secure launch, SMM is allowed into the secure launch trust perimeter and a virtual monitor may emulate the structures, behaviors, and protcted storage of a physical TMP, such as the storage of cryptographic keys, secure verification, attestation, and other TPM functions.

88 Citations

View as Search Results

20 Claims

1. A method comprising:
- generating a system management interrupt (SMI) during a secure launch; and
  
  initializing a stand-alone trusted platform module (TPM) emulator in a virtual monitor, based on the SMI.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the virtual monitor is selected from a group consisting of a system management monitor (SMM), a SMI transfer monitor (STM), and a virtual machine monitor (VMM).
  - 3. The method of claim 1, wherein initializing the stand-alone TPM emulator in the virtual monitor comprises:
    - attesting a system configuration based on platform configuration register values stored in a protected segment of a nonvolatile memory, the nonvolatile memory also to store boot-software.
  - 4. The method of claim 3, wherein initializing the stand-alone TPM emulator in the virtual monitor further comprises storing a first key in a protected memory range of a system memory associated with the virtual monitor;
    - generating a second key; and
      
      storing the second key in the protected memory range associated with the virtual monitor.
  - 5. The method of claim 7, wherein each of the first and the second keys is selected from a group consisting of a public key, a private key, an endorsement key, an attestation identity key (AIK), a storage root key, an encryption key, a signing key, and an endorsement credential key.
  - 6. The method of claim 3, wherein the nonvolatile memory and boot-software are part of an extensible firmware interface (EFI) framework.
  - 7. The method of claim 1, further comprising:
    - issuing a TPM ordinal;
      
      emulating a command stream of the TPM ordinal in the virtual monitor; and
      
      handling the command stream of the TPM ordinal in the virtual monitor.

8. An article of manufacture including program code which, when executed by a machine, causes the machine to perform the operations of:
- initializing a machine state register (MSR) to generate a system management interrupt (SMI) upon execution of an instruction; and
  
  emulating a stand-alone trusted platform module (TPM) in a protected range of system memory, upon generating the SMI;
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The article of manufacture of claim 8, further comprises:
    - allowing the SMI to be generated during a secure launch of the machine.
  - 10. The article of manufacture of claim 8, wherein the instruction is a secure-enter (SENTER) instruction.
  - 11. The article of manufacture of claim 8, wherein the instruction is a secure initialization instruction.
  - 12. The article of manufacture of claim 8, wherein the protected range of memory is at least partially overlapping with a range of memory associated with a virtual monitor, the virtual monitor being selected from a group consisting of a system management monitor (SMM), a SMI transfer monitor (STM), and a virtual machine monitor (VMM).
  - 13. The article of manufacture of claim 8, wherein emulating a stand-alone TPM in a protected range of system memory comprises:
    - emulating a TPM structure in the protected range of system memory, the TPM structure being selected from a group consisting of, a user key hierarchy, a platform configuration register (PCR), a monotonic counter, a data integrity register, an endorsement key, an attestation identity key (AIK), a storage root key, an encryption key, a signing key, and an endorsement credential key.

14. A system comprising:
- a nonvolatile memory to store boot-code, the nonvolatile memory having a secure portion to store cryptographic information;
  
  a system memory to include a range of memory associated with a virtual monitor, the range of memory further including stand-alone trusted platform module (TPM) emulator code to perform cryptographic operations on at least the cryptographic information;
  
  a controller hub coupled to the nonvolatile memory, the system memory, and a microprocessor, wherein the microprocessor is capable of operating in a virtual monitor mode to execute the stand-alone TPM emulator code from the protected range of memory.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The system of claim 14, wherein the cryptographic information is selected from a group consisting of a platform configuration value, a private key, a public key, an endorsement key, an attestation identity key (AIK), a storage root key, an encryption key, a signing key, and an endorsement credential key.
  - 16. The system of claim 14, wherein the cryptographic information includes a first hash value based on a previous system configuration, and wherein the cryptographic operations include determining a second hash value, upon booting the system, based upon a current system configuration, and comparing the first and second hash values to determine if the system configurations match.
  - 17. The system of claim 14, wherein the cryptographic operations are selected from a group consisting of data protection, hashing, sealing an internally generate asymmetric key pair to a particular computing platform, signing information with a private key, and signing information with a public key.
  - 18. The system of claim 14, wherein the microprocessor is also to issue a TPM ordinal, wherein the TPM ordinal references the range of memory associated with the stand-alone trusted platform module (TPM) emulator code.
  - 19. The system of claim 18, wherein upon detecting the issue of the TPM ordinal, the microprocessor is to execute the stand-alone TPM emulator code to handle the TPM ordinal.
  - 20. The system of claim 14, wherein the virtual monitor is selected from a group consisting of a system management monitor (SMM), a SMI transfer monitor (STM), and a virtual machine monitor (VMM).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Rothman, Michael, Zimmer, Vincent, Richmond, Michael

Granted Patent

US 8,806,224 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/100
CPC Class Codes

G06F 21/53 by executing in a restricte...

G06F 21/57 Certifying or maintaining t...

Low cost trusted platform

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

88 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Low cost trusted platform

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

88 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links