System and Method for Processor-Based Security
First Claim
1. A system for providing processor-based security, comprising:
- a processor having a processor core, a cache memory, a plurality of registers for storing at least one hash value, and a memory interface; and
- at least one on-chip instruction for performing a secure launch of a hypervisor program, the instruction causing the processor to:
  - compute a first storage hash value over a current state of a first hypervisor program;
  - compare the first storage hash value to a second storage hash value stored in the plurality of registers;
  - if the first storage hash value matches the second storage hash value, allow the first hypervisor program corresponding to the first storage hash value to access contents of a secure storage area in a non-volatile memory previously stored by a second hypervisor program corresponding to the second storage hash value; and
  - if the first storage hash value does not match the second storage hash value, prevent access to the contents stored in the secure storage area, allocate a new secure storage area for the first hypervisor, and copy the first storage hash value into a register containing the second storage hash value,
- wherein the processor encrypts and hashes data written to, and decrypts and verifies hashes of data read from, the secure storage area using a first on-chip encryption key and a first on-chip storage hash value,
- wherein the processor encrypts and hashes data written to, and decrypts and verifies hashes of data read from, a secure storage area corresponding to a first trusted software module using a second encryption key and a second storage hash value, and
- wherein the secure storage area corresponding to the first trusted software module program is defined by a module identity, an encryption key, and a pre-defined storage hash value.
Abstract
A system and method for processor-based security is provided, for on-chip security and trusted computing services for software applications. A processor is provided having a processor core, a cache memory, a plurality of registers for storing at least one hash value and at least one encryption key, a memory interface, and at least one on-chip instruction for creating a secure memory area in a memory external to the processor, and a hypervisor program executed by the processor. The hypervisor program instructs the processor to execute the at least one on-chip instruction to create a secure memory area for a software module, and the processor encrypts data written to, and decrypts data read from, the external memory using the at least one encryption key, and verifies data read from the external memory using the at least one hash value. Secure module interactions are provided, as well as the generation of a power-on key which can be used to protect memory in the event of a re-boot event. Lightweight, run-time attestation reports are generated which include selected information about software modules executed by the processor, for use in determining whether the processor is trusted to provide secure services.
22 Claims
1. (Independent claim; full text given under First Claim above.) Dependent claims: 10, 11, 14, 15, 18.
2. (canceled)
3. (canceled)
4. (canceled)
5. A method for providing processor-based security, comprising the steps of:
- computing in a processor a first storage hash value using a current state of a first hypervisor program executed by the processor;
- comparing the first storage hash value to a second storage hash value stored in one of a plurality of registers of the processor;
- if the first storage hash value matches the second storage hash value, allowing the first hypervisor program corresponding to the first storage hash value to access contents of a secure storage area in a non-volatile memory previously stored by a second hypervisor program corresponding to the second storage hash value;
- if the first storage hash value does not match the second storage hash value, preventing access to the contents stored in the secure storage area and allocating a new secure storage area for the first hypervisor, and copying the first hash value into a register containing the second storage hash value;
- encrypting and hashing data written to, and decrypting and verifying hashes of data read from, the secure storage area using a first on-chip encryption key and a first on-chip storage hash value;
- encrypting and hashing data written to, and decrypting and verifying hashes of data read from, a secure storage area corresponding to a first trusted software module using a second encryption key and a second storage hash value; and
- defining a secure storage area corresponding to a trusted software module program by a module identity, an encryption key, and a pre-defined storage hash value.

Dependent claims: 7, 12, 13, 19, 22.
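A toy model of the secure-launch and sealed-storage procedure that claims 1 and 5 describe, added here as an illustration and not code from the patent: it assumes SHA-256 as the measurement hash and an HMAC-SHA256-based keystream and tag in place of the unspecified on-chip cipher and storage hash, and the names Processor, secure_launch, secure_write, secure_read and demo are my own.

```python
import hashlib, hmac, os

def _keystream(key, nonce, n):
    # CTR-style keystream from a PRF (HMAC-SHA256): a toy stand-in for the on-chip cipher
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

class Processor:
    def __init__(self):
        self.hash_reg = None            # register holding the second storage hash value
        self.chip_key = os.urandom(32)  # first on-chip encryption key, never exported
        self.nvm = {}                   # external non-volatile memory: area -> slot -> record
        self.area = self.key = None     # area and key of the currently launched hypervisor
    def secure_launch(self, image):
        h = hashlib.sha256(image).digest()                  # first storage hash value
        if self.hash_reg is None or not hmac.compare_digest(h, self.hash_reg):
            self.hash_reg, self.nvm[h], result = h, {}, "allocate"  # latch hash, fresh empty area
        else:
            result = "reuse"                                # same measurement: old area reusable
        self.area = h
        self.key = hmac.new(self.chip_key, h, hashlib.sha256).digest()  # bound to chip key + hash
        return result
    def secure_write(self, slot, data):
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(data, _keystream(self.key, nonce, len(data))))
        tag = hmac.new(self.key, self.area + nonce + ct, hashlib.sha256).digest()
        self.nvm[self.area][slot] = (nonce, ct, tag)        # encrypt, then hash (MAC) on write
    def secure_read(self, slot):
        nonce, ct, tag = self.nvm[self.area][slot]
        expect = hmac.new(self.key, self.area + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):            # verify hash before decrypting
            raise ValueError("secure storage integrity check failed")
        return bytes(a ^ b for a, b in zip(ct, _keystream(self.key, nonce, len(ct))))

def demo():
    cpu = Processor()
    r1 = cpu.secure_launch(b"hypervisor-v1")                # constructed image; first boot: allocate
    cpu.secure_write("secret", b"sealed to hypervisor-v1")
    r2 = cpu.secure_launch(b"hypervisor-v1")                # same state: reuse, data readable
    got = cpu.secure_read("secret")
    nonce, ct, tag = cpu.nvm[cpu.area]["secret"]            # flip one ciphertext bit in NVM
    cpu.nvm[cpu.area]["secret"] = (nonce, bytes([ct[0] ^ 1]) + ct[1:], tag)
    try:
        cpu.secure_read("secret")
        tampered = False
    except ValueError:
        tampered = True
    r3 = cpu.secure_launch(b"hypervisor-v2-modified")       # different state: new, empty area
    return r1, r2, got, tampered, r3, "secret" in cpu.nvm[cpu.area]
```

Because the mismatch path overwrites the hash register, a later relaunch of the original hypervisor is also treated as a mismatch and receives a fresh area, so the register tracks only the most recently launched measurement.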
6. (canceled)
8. (canceled)
9. (canceled)
16. (canceled)
17. (canceled)
20. (canceled)
21. (canceled)