PROVISIONING OF OPERATING SYSTEMS TO USER TERMINALS

US 20140317394A1
Filed: 07/04/2012
Published: 10/23/2014
Est. Priority Date: 09/30/2011
Status: Active Grant

First Claim

Patent Images

1. A method for provisioning an operating system image from a server to an untrusted user terminal via a data communications network, the method comprising:

creating a connection to a user terminal of a trusted device having a tamper-resistant storage, wherein the tamper-resistant storage comprises bootloader logic for controlling booting of a user terminal and security data;

booting the user terminal via said bootloader logic on the trusted device;

establishing a connection, under control of the bootloader logic, to the server via the network and authenticating the server using said security data on the trusted device;

receiving an operating system boot image from the server via said connection; and

using the boot image to provision an operating system image from the server p) to the user terminal for executing the operating system at the user terminal.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus are provided for provisioning an operating system image from a server (2) to an untrusted user terminal (4) via a data communications network (3). A trusted device (5) such as a pocket USB device has tamper-resistant storage (9) containing bootloader logic, for controlling booting of a user terminal, and security data. On connection of the trusted device (5) to an untrusted user terminal (4), the user terminal is booted via the bootloader logic on the trusted device. Under control of the bootloader logic, a connection is established to the server (2) via the network (3) and the server is authenticated using the security data on the trusted device (5). An operating system boot image is received from the server (2) via this connection. The boot image is used to provision an operating system image from the server (2) to the user terminal (4) for execution of the operating system at the user terminal (4).

48 Citations

View as Search Results

21 Claims

1. A method for provisioning an operating system image from a server to an untrusted user terminal via a data communications network, the method comprising:
- creating a connection to a user terminal of a trusted device having a tamper-resistant storage, wherein the tamper-resistant storage comprises bootloader logic for controlling booting of a user terminal and security data;
  
  booting the user terminal via said bootloader logic on the trusted device;
  
  establishing a connection, under control of the bootloader logic, to the server via the network and authenticating the server using said security data on the trusted device;
  
  receiving an operating system boot image from the server via said connection; and
  
  using the boot image to provision an operating system image from the server p) to the user terminal for executing the operating system at the user terminal.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method as claimed in claim 1, wherein said operating system is a hypervisor.
  - 3. The method as claimed in claim 2, further comprising:
    - provisioning at least one virtual machine image from the server to the user terminal for execution the virtual machine at the user terminal, wherein the user terminal is under control of the hypervisor.
  - 4. The method as claimed in claim 1,wherein said boot image comprises a kernel for the operating system, andan initial RAM disk for facilitating provisioning of the operating system;
    - andwherein upon receipt of the boot image, starting the RAM disk and booting the operating system kernel on the user terminal.
  - 5. The method as claimed in claim 1, wherein the operating system image is provisioned from the server to the user terminal by streaming.
  - 6. The method as claimed in claim 5, further comprising:
    - copying blocks of the image to local storage at the user terminal to build up a local image of the operating system.
  - 7. The method as claimed in claim 6, further comprising:
    - copying said blocks to a hard disk of the user terminal.
  - 8. The method as claimed in claim 6, wherein copying of said blocks continues until the local operating system image is complete.
  - 9. The method as claimed in claim 6, further comprising:
    - copying blocks of the local operating system image which are modified in operation of the operating system at the user terminal back to the server via the network.
  - 10. The method as claimed in claim 1, wherein said connection is established between the trusted device and the server via the user terminal.
  - 11. The method as claimed in claim 1, further comprising:
    - establishing an encrypted channel to the server; and
      
      provisioning the operating system image over the encrypted channel.
  - 12. The method as claimed in claim 6, further comprising:
    - storing the blocks in encrypted form in said local storage.
  - 13. The method as claimed in claim 1, further comprising:
    - establishing a mutually-authenticated, end-to-end encrypted channel between the server and the trusted device, via the user terminal), to secure communication of data between the server and trusted device.
  - 14. The method as claimed in claim 11, further comprising:
    - receiving a cryptographic key, for decrypting of the operating system image, from the server via the mutually-authenticated channel; and
      
      storing the key in the secure storage of the trusted device.
  - 15. A computer readable non-transitory article of manufacture tangibly embodying computer readable instructions which, when executed, cause a computer to carry out the steps of a method according to claim 1.

16. A device for controlling provisioning of an operating system image from a server to an untrusted user terminal via a data communications network, the device comprising:
- a terminal interface for connecting the device to a user terminal; and
  
  a tamper-resistant storage containing bootloader logic and security data, wherein when the device to the user terminal is connected to the terminal interface, the bootloader logic is adapted, to execute a method comprising;
  
  booting the user terminal;
  
  establishing a connection to the server via the network and authenticating the the server using said security data on the trusted device;
  
  receiving an operating system boot image from the server via said connection; and
  
  using the boot image to provision an operating system image from the server the user terminal for executing the operating system at the user terminal.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The device as claimed in claim 16, wherein the bootloaderlogic is further adapted to execute the following;
    - checking whether an offline indicator is set signifying availability, in local storage at the user terminal, of a local operating system image already provisioned to the user terminal from the server upon booting of the user terminal; and
      
      controlling the booting of the local operating system image for executing the user terminal.
  - 18. The device as claimed in claim 17, wherein the bootloader logic is further adapted to execute the following:
    - checking an integrity of the local image; and
      
      controlling booting subject to said integrity being confirmed.
  - 19. The device as claimed in claim 16, further comprising user interface for communication with a user of the device.
  - 20. The device as claimed in claim 16, wherein the device is a pocket USB device.

21. An apparatus for provisioning an operating system image to an untrusted user terminal via a data communications network, the apparatus comprising:
- a server for providing access to the operating system image via the network; and
  
  a device for controlling the provisioning of the operating system image from the server to an untrusted user terminal upon connection of the device to the user terminal.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Buhler, Peter, Clerc, David, Gschwind, Thomas, Rooney, John G., Schade, Andreas, Scotton, Paolo, Garcs-Erice, Luis

Granted Patent

US 9,904,557 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/2
CPC Class Codes

G06F 21/575 Secure boot

G06F 9/4416 Network booting; Remote ini...

PROVISIONING OF OPERATING SYSTEMS TO USER TERMINALS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

48 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

PROVISIONING OF OPERATING SYSTEMS TO USER TERMINALS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links