Trusted Execution Environment Extensible Computing Device Interface

US 20160080320A1
Filed: 09/14/2014
Published: 03/17/2016
Est. Priority Date: 09/14/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving from a first application or service within a client environment, via a non-extensible interface, a message to establish a communication with a second application or service within a third party environment;

selecting, one extensible interface from a plurality of extensible interfaces, the one extensible interface being appropriately associated with the second application or service within the third party environment; and

establishing the communication between the first application or service and the second application or service.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Constructs to define a Trusted Execution Environment Driver that can implement a standard communication interface in a first environment for discovering and/or exchanging messages with secure applications/services executed in a Trusted Execution Environment (TrEE). The first environment can represent an environment with a different security policy from the TrEE. The TrEE driver can include a standard interface and/or mechanism by which applications/services and drivers within a first environment can access secure applications/services in the TrEE, a standard interface and/or mechanism by which third-party vendors can expose their TrEE applications/services to a first environment, a standard interface and/or mechanism by which a TrEE can request applications/services, on its own behalf, from the first environment, and a standard interface and/or mechanism to facilitate the management of secure application/services and/or provide I/O prioritization and security protection for individual secure applications/services.

18 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving from a first application or service within a client environment, via a non-extensible interface, a message to establish a communication with a second application or service within a third party environment;
  
  selecting, one extensible interface from a plurality of extensible interfaces, the one extensible interface being appropriately associated with the second application or service within the third party environment; and
  
  establishing the communication between the first application or service and the second application or service.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method as claim 1 recites, wherein the third party environment comprises at least one of an operating system, a hypervisor layer or firmware.
  - 3. A method as claim 1 recites, wherein the non-extensible interface is configured to communicate with the client environment and an individual extensible interface of the plurality of extensible interfaces is configured to communicate with a corresponding individual third party environment.
  - 4. A method as claim 1 recites, wherein the client environment and the third party environment have different security policies.
  - 5. A method as claim 1 recites, further comprising, in response to the establishing the communication, transmitting and receiving data between a first application or service and a second application or service.
  - 6. A method as claim 1 recites, wherein establishing the communication further comprises:
    - identifying an Access Control List (ACL) associated with the third party environment;
      
      verifying, by the ACL, that the first application or service is permitted to access the second application or service; and
      
      establishing the communication between the first application or service and the second application service based at least in part on ACL permissions.
  - 7. A method as claim 6 recites, wherein the ACL includes at least one security policy associated with an individual application or services within the third party environment.

8. A system comprising:
- one or more processors;
  
  a computer readable medium coupled to the one or more processors, including one or more modules that are executable by the one or more processors to;
  
  receive a request from a first application or service in a first environment, via an Application Programming Interface (API), to access a second application or service in a trusted execution environment;
  
  identify an extensible interface associated with the trusted execution environment; and
  
  establish a communication via the extensible interface between the first application or service and the second application or service.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. A system as claim 8 recites, wherein the request from the first application or service is a first request and the communication is a first communication, further comprising one or more processors to:
    - determine, a quality of service associated with the first environment, the quality of service identifying a current priority of applications or services to be executed on the first environment;
      
      receive at least a second request from a different application or service in the first environment to access at least another application or service in the trusted execution environment;
      
      associate, at least a second communication interface with the at least second request;
      
      determine, an order of establishing the first communication and the at least second communication based at least in part on the determined quality of service; and
      
      establish the at least second communication interface based at least in part on the determined order.
  - 10. A system as claim 9 recites, wherein the determining the quality of service further comprises one or more processors to determine whether the first request or the at least second request is associated with an operation in the foreground or the background of the first environment.
  - 11. A system as claim 9 recites, wherein the determining the order of establishing the first communication and the at least communication is based at least in part on power management requirements associated with the first environment.
  - 12. A system as claim 8 recites, further comprising one or more processors to:
    - prior to the receiving the request from the first application or service in the first environment, to receive a query from the client environment for a list of dependencies associated with executing the second application or service with the trusted execution environment, the list of dependencies comprising a sequence of operations required to access the second application or service.
  - 13. A system as claim 12 recites, further comprising one or more processors to:
    - prior to establishing the communication interface between the first application or service and the second application or service, to initiate the sequence of operations required to access the second application or service, based at least in part on the list of dependencies.
  - 14. A system as claim 12 recites, further comprising one or more processors to:
    - remove the communication interface between the first application or service and the second application or service based on a determination that the sequence of operations required to access the second application or service, fails to initiate.
  - 15. A system as claim 8 recites, wherein the communication interface comprises at least one of TPM 2.0, Play/Ready DRM, secure variables or a secure pipeline.
  - 16. A system as claim 8 recites, wherein the extensible interface is implemented by firmware associated with the trusted execution environment.

17. A computer-readable medium having computer-executable instructions thereon, that upon execution configure a computer to perform operations comprising:
- receiving, via an extensible interface, a message from a first application or service within a first environment to establish a communication with a second application or service within a second environment, the first environment and the second environment having different security policies; and
  
  establishing, via a non-extensible interface associated with the second environment, the communication with the first application or service and the second application or service.
- View Dependent Claims (18, 19, 20)
- - 18. A computer-readable medium as claim 17 recites, wherein the first environment has a higher level security policy than the second environment security policy.
  - 19. A computer-readable medium as claim 17 recites, wherein the message comprises a request to access a resource in the second environment, the resource including at least one of an application, storage facility or service.
  - 20. A computer-readable medium as claim 17 recites, further comprising, in response to the establishing the communication, transmitting and receiving data between a first application or service and a second application or service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Barakat, Youssef, Kinshumann, Kinshuman, Perkins, Brian, Moon, Jinsub

Granted Patent

US 10,097,513 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

H04L 63/00   Network architectures or ne...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

Trusted Execution Environment Extensible Computing Device Interface

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

18 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Trusted Execution Environment Extensible Computing Device Interface

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others