Methods and apparatus for protecting data
First Claim
Patent Images
1. A method for protecting data, the method comprising:
- retrieving an encrypted version of a cryptographic key from storage of a processing system into a processing unit of the processing system;
using a processing unit key to decrypt the encrypted version of the cryptographic key;
storing the decrypted key in protected storage in the processing unit, wherein the protected storage cannot be accessed by snooping a processing system bus communicatively coupled to the processing unit; and
using the decrypted key to establish a protected communication channel between the processing unit and a trusted platform module (TPM) of the processing system.
1 Assignment
0 Petitions
Accused Products
Abstract
An augmented boot code module includes instructions to be executed by a processing unit during a boot process. The augmented boot code module also includes an encrypted version of a cryptographic key that can be decrypted with a cryptographic key that remains in the processing unit despite a reset of the processing unit. In one embodiment, the processing unit may decrypt the encrypted version of the cryptographic key and then use the decrypted key to establish a protected communication channel with a security processor, such as a trusted platform module (TPM). Other embodiments are described and claimed.
38 Citations
21 Claims
-
1. A method for protecting data, the method comprising:
-
retrieving an encrypted version of a cryptographic key from storage of a processing system into a processing unit of the processing system; using a processing unit key to decrypt the encrypted version of the cryptographic key; storing the decrypted key in protected storage in the processing unit, wherein the protected storage cannot be accessed by snooping a processing system bus communicatively coupled to the processing unit; and using the decrypted key to establish a protected communication channel between the processing unit and a trusted platform module (TPM) of the processing system. - View Dependent Claims (2, 3, 4, 7)
-
-
5-6. -6. (canceled)
-
8. A method comprising:
-
saving a first key to a trusted platform module (TPM) of a processing system; sending the first key to a remote processing system; receiving an encrypted version of the first key from the remote processing system; and saving a code module to boot storage in the processing system, wherein the code module comprises user data, the encrypted version of the first key, and a signature generated with a second key. - View Dependent Claims (9, 10, 11)
-
-
12. An apparatus comprising:
-
a machine-accessible medium; and an augmented boot code module in the machine-accessible medium, wherein the augmented boot code module comprises; instructions to be executed by a processing unit of a processing system during a boot process; and an encrypted version of a first cryptographic key that can be decrypted with a second cryptographic key stored in storage of the processing unit, wherein the second cryptographic key comprises a processing unit key (PUK). - View Dependent Claims (13)
-
-
14. (canceled)
-
15. A processing system comprising:
-
a processing unit; nonvolatile storage in communication with the processing unit; a trusted platform module (TPM) in communication with the processing unit; and an augmented code module in the nonvolatile storage, wherein the augmented code module comprises; instructions to be executed by the processing unit during a boot process; and
an encrypted version of a first cryptographic key that can be decrypted with a second cryptographic key that remains in the processing unit despite a reset of the processing unit. - View Dependent Claims (16, 17, 18, 19, 20, 21)
-
Specification