PROTECTED DEVICE MANAGEMENT

US 20160342798A1
Filed: 07/25/2016
Published: 11/24/2016
Est. Priority Date: 12/21/2009
Status: Abandoned Application

First Claim

Patent Images

1. A computer-implemented method comprising:

identifying an auditable event being performed in a secure partition of a system, wherein the secure partition is isolated from a host operating system of the system;

generating an audit event record for the auditable event; and

writing the audit event record to an audit log, wherein the audit log is isolated from the host operating system.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus, system, and computer program product for management of storage devices protected by encryption, user authentication, and password protection and auditing schemes in virtualized and non-virtualized environments.

Citations

16 Claims

1. A computer-implemented method comprising:
- identifying an auditable event being performed in a secure partition of a system, wherein the secure partition is isolated from a host operating system of the system;
  
  generating an audit event record for the auditable event; and
  
  writing the audit event record to an audit log, wherein the audit log is isolated from the host operating system.
- View Dependent Claims (3, 4, 5, 6, 7)
- - 3. The method of claim 1, further comprising:
    - authenticating first credentials of a user of the system before access is allowed to any device of a plurality of devices attached to the system;
      
      intercepting an event indicating attachment of a new device to the system, wherein the intercepting is performed by the secure partition of the system;
      
      requesting second credentials to access the new device, wherein the second credentials are requested without booting the system;
      
      authenticating the second credentials;
      
      enabling access to the new device after authenticating the second credentials; and
      
      delivering a hot plug event for the new device to the host operating system.
  - 4. The method of claim 3, whereinrequesting the second credentials to access the new device comprises using trusted path connections to a display device to display a request for the second credentials and a user input device to receive the second credentials.
  - 5. The method of claim 3, wherein enabling access to the new device comprises using a native command for the device to enable decryption of the new device.
  - 6. The method of claim 3, wherein:
    - the second credentials comprise a password for the new device; and
      
      enabling access to the new device comprises using the password to unlock the new device.
  - 7. The method of claim 3, wherein:
    - the second credentials comprise a user identifier; and
      
      enabling access to the new device comprises providing the user identifier to a trusted third party and enabling access to the new device if the trusted third party authenticates the user identifier.

2. The method of claim 2 whereinthe audit log is a first audit log of a plurality of audit logs,the plurality of audit logs is accessible only from within the secure partition, andeach audit log of the plurality of audit logs is isolated from the host operating system;
- and the method further comprises;
  
  determining whether the first audit log is available;
  
  sending the audit event record to a first audit subsystem associated with the first audit log if the first audit log is available, wherein the first audit subsystem performs writing the audit event record to the first audit log; and
  
  sending the audit event record to a second audit subsystem associated with a second audit log of the plurality of audit logs if the first audit log is not available, wherein the second audit subsystem performs writing the audit event record to the second audit log.

8. A computer-implemented method comprising:
- receiving a request to service an audit log from a secure partition of a requesting system, wherein the secure partition is isolated from a host operating system of the requesting system, the audit log contains an audit event record of an auditable event performed in the secure partition, and the audit log is isolated from the host operating system of the requesting system;
  
  establishing a secure communication channel with the secure partition; and
  
  servicing the audit log via the secure communication channel.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The method of claim 8, wherein the secure communication channel is established between a trusted remote console and the secure partition, and the method further comprises:
    - receiving a request to unlock an encrypted device coupled to the requesting system, wherein the request is received by the secure partition via the secure communication channel; and
      
      unlocking the encrypted device with the secure partition in response to the request to unlock, without involvement of the host operating system.
  - 10. The method of claim 9, further comprising:
    - receiving, with the secure partition, a token from the trusted remote console; and
      
      using the token to unwrap a key used to encrypt blocks of the encrypted device.
  - 11. The method of claim 10, further comprising:
    - obtaining the key from a secure storage area of the encrypted device, wherein the secure storage area is hidden from the host operating system.
  - 12. The method of claim 9, further comprising confirming that the request to unlock originated with the trusted remote console prior to unlocking the encrypted device.
  - 13. The method of claim 9, further comprising:
    - performing a management operation after the encrypted device is unlocked, wherein the request to unlock specifies the management operation to be performed; and
      
      booting the host operating system after the management operation is performed.
  - 14. The method of claim 9, wherein unlocking the encrypted device is performed when the host operating system of the system is malfunctioning.
  - 15. The method of claim 9, wherein unlocking the encrypted device is performed without involvement of a user of the system.
  - 16. The method of claim 9, wherein:
    - the request to unlock comprises a password for the encrypted device; and
      
      unlocking the encrypted device comprises using the password to unlock the encrypted device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Smith, NED M., MOORE, VICTORIA C., GROBMAN, STEVEN L.

Application Number

US15/218,978
Publication Number

US 20160342798A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/305   by remotely controlling dev...

G06F 21/602   Providing cryptographic fac...

G06F 21/74   operating in dual or compar...

G06F 21/78   to assure secure storage of...

G06F 21/85   interconnection devices, e....

G06F 2221/2147   Locking files

G06F 2221/2149   Restricted operating enviro...

G06F 3/0623   in relation to content

G06F 3/0632   by initialisation or re-ini...

G06F 3/0671   In-line storage system

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/18   using different networks or...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/321   involving a third party or ...

PROTECTED DEVICE MANAGEMENT

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

PROTECTED DEVICE MANAGEMENT

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links