SYSTEM AND METHOD FOR PROVIDING SECURE VIRTUAL MACHINES

US 20120137117A1
Filed: 07/16/2010
Published: 05/31/2012
Est. Priority Date: 07/16/2009
Status: Active Grant

First Claim

Patent Images

1. A processor for hosting a plurality of secure virtual machines created at the request of an owner, comprisinga memory configured to store a processor private key;

a first generator configured to generate a first public/private key pair to be associated with an instance of a zone manager;

a first certification agent for certifying said first public/private key pair by means of said processor private key;

a receiver configured to securely receive a virtual machine instantiation command from said owner;

a second generator configured to generate a second public/private key pair to be associated with an instance of a virtual machine of said plurality of virtual machines, created in response to said instantiation command; and

a second certification agent for certifying said second public/private key pair by means of said first public/private key pair.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides improved security in a virtual machine. By extending the capabilities of modern secure processors, privacy of computation is provided from both the owner of the equipment and other users executing on the processor, which is an advantageous feature for rentable, secure computers. In addition to the hardware extensions required to secure a virtualizable computer, an infrastructure for the deployment of such processors is also provided. Furthermore, a signaling flow to establish the various relationships between the owner, user and manufacturer of the equipment is disclosed.

95 Citations

View as Search Results

15 Claims

1. A processor for hosting a plurality of secure virtual machines created at the request of an owner, comprisinga memory configured to store a processor private key;
- a first generator configured to generate a first public/private key pair to be associated with an instance of a zone manager;
  
  a first certification agent for certifying said first public/private key pair by means of said processor private key;
  
  a receiver configured to securely receive a virtual machine instantiation command from said owner;
  
  a second generator configured to generate a second public/private key pair to be associated with an instance of a virtual machine of said plurality of virtual machines, created in response to said instantiation command; and
  
  a second certification agent for certifying said second public/private key pair by means of said first public/private key pair.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The processor according to claim 1, further comprising a private boot area for storing an initial boot program.
  - 3. The processor according to claim 1, further comprising means for receiving and validating an image file comprising said zone manager.
  - 4. The processor according to claim 1, further comprising a memory for use by said plurality of secure virtual machines, wherein access to said memory is secured by a different cryptographic key for different ones of said plurality of secure virtual machines.
  - 5. The processor according to claim 1, further comprising a memory configured to store digital access permission information for said plurality of secure virtual machines.

6. A method for setting up a secure virtual machine in a processor at the request of an owner, comprisingbooting said processor with a zone manager image;
- procuring at said processor a first public/private key pair associated with the zone manager session;
  
  certifying the public key of said first public/private key pair at said processor with a private key associated with said processor;
  
  receiving at said zone manager a secure virtual machine instantiation command from said owner;
  
  creating between said zone manager and said user a secure communication channel;
  
  procuring a second public/private key pair associated with the secure virtual machine; and
  
  certifying the public key of said second public/private key pair with the private key of said first public/private key pair.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 7. The method according to claim 6, further comprising booting a processor from a program stored in a private boot area.
  - 8. The method according to claim 6, further comprising downloading said zone manager image to said processor, and verifying at said processor a validation value pertaining to said zone manager image, as a precondition for said booting of said zone manager image.
  - 9. The method according to claim 6, further comprising associating with said secure virtual machine a cryptographic key for accessing particular content stored in a shared memory of said processor.
  - 10. The method according to claim 6, wherein said secure virtual machine instantiation command comprises a certificate pertaining to said user.
  - 11. The method according to claim 10, wherein a security aspect of said secure communication channel relies on said certificate pertaining to said user.
  - 12. The method according to claim 10, further comprising providing said certificate pertaining to said user to said zone manager.
  - 13. The method according to claim 10, wherein said secure communication channel is secured by means of public key
  - 14. The method according to claim 6, further comprising updating a capability matrix with access permissions for said virtual machine.
  - 15. The method according to claim 6, further comprising preparing said secure virtual machine by providing it with a boot program;
    - andstarting said secure virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Bosch, Peter, Kolesnikov, Vladimir, Dobbelaere, Philippe, Mullender, Sape, Mckie, Jim, Mclellan, Hubert

Granted Patent

US 8,856,544 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/2
CPC Class Codes

G06F 21/53 by executing in a restricte...

G06F 21/572 Secure firmware programming...

SYSTEM AND METHOD FOR PROVIDING SECURE VIRTUAL MACHINES

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

95 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR PROVIDING SECURE VIRTUAL MACHINES

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

95 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links