PROVIDING SECURITY TO COMPUTING SYSTEMS

US 20170364685A1
Filed: 11/20/2015
Published: 12/21/2017
Est. Priority Date: 11/20/2014
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

performing a secure boot of a base computing platform (BCP), verifying an integrity of and instantiating a security processor on the BCP;

verifying an integrity of one or more subsequent startup components of the BCP, using the security processor, the one or more subsequent startup components comprising at least one of boot code, an operating system, or a hypervisor;

creating a plurality of virtual machines on the BCP;

providing the plurality of virtual machines with virtual access to the security processor on the BCP;

performing a secure start-up of a first virtual machine of the plurality of virtual machines, wherein a guest owner takes ownership of the first virtual machine; and

verifying an integrity of and instantiating a virtual security processor in the first virtual machine.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described herein are methods, device, and systems that provide security to various computing systems, such as, smartphones, tablets, personal computers, computing servers, or the like. Security is provided to computing systems at various stages of their operational cycles. For example, a secure boot of a base computing platform (BCP) may be performed, and security processor (SecP) may be instantiated on the BCP. Using the SecP, an integrity of the OS of the BCP may be verified, and an integrity of a hypervisor may be verified. A virtual machine (VM) may be created on the BCP. The VM is provided with virtual access to the SecP on the BCP. Using the virtual access to the TAM, an integrity of the guest OS of the VM is verified and an integrity of applications running on the guest OS are verified.

Citations

24 Claims

1. A method comprising:
- performing a secure boot of a base computing platform (BCP), verifying an integrity of and instantiating a security processor on the BCP;
  
  verifying an integrity of one or more subsequent startup components of the BCP, using the security processor, the one or more subsequent startup components comprising at least one of boot code, an operating system, or a hypervisor;
  
  creating a plurality of virtual machines on the BCP;
  
  providing the plurality of virtual machines with virtual access to the security processor on the BCP;
  
  performing a secure start-up of a first virtual machine of the plurality of virtual machines, wherein a guest owner takes ownership of the first virtual machine; and
  
  verifying an integrity of and instantiating a virtual security processor in the first virtual machine.
- View Dependent Claims (2, 3, 4, 5, 8, 9, 10, 11, 12, 13)
- - 2. The method as recited in claim 1, the method further comprising:
    - creating and storing at least one trusted reference value at an initial load of a component, thereby creating a run-time trusted reference value;
      
      validating the component at load-time to create a load-time validation; and
      
      securely binding the load-time validation to the run-time trusted reference value.
  - 3. The method as recited in claim 2, the method further comprising:
    - maintaining, by the BCP, an integrity of the BCP during run-time operation; and
      
      maintaining a log when unloading a subcomponent of the component.
  - 4. The method as recited in claim 3, the method further comprising:
    - determining that a previously unloaded subcomponent is being reloaded; and
      
      performing an integrity check of the subcomponent before reloading the subcomponent.
  - 5. The method as recited in claim 3, wherein the component comprises at least one of code or data, and the subcomponent comprises a portion of the code or data.
  - 8. The method as recited in claim 1, the method further comprising:
    - verifying an integrity of one or more subsequent startup components in the first virtual machine using the virtual security processor, wherein the subsequent startup components in the virtual machine comprise at least one of an operating system (OS) or applications running thereon.
  - 9. The method as recited in claim 8, the method further comprising:
    - creating and storing a trusted reference value at an initial load of a component, thereby creating a run-time trusted reference value;
      
      validating the component at load-time to create a load-time validation; and
      
      securely binding the load-time validation to the run-time trusted reference value.
  - 10. The method as recited in claim 9, the method further comprising:
    - maintaining, by the first virtual machine, an integrity of the BCP during run-time operation; and
      
      maintaining a log when unloading a subcomponent of the component.
  - 11. The method as recited in claim 10, the method further comprising:
    - determining that a previously unloaded subcomponent is being reloaded; and
      
      performing an integrity check of the subcomponent before reloading the subcomponent.
  - 12. The method as recited in claim 10, wherein the component comprises code or data, and the subcomponent comprises a portion of the code or data.
  - 13. The method as recited in claim 1, wherein the security processor comprises a trust access monitor that executes policies to enforce access to resources comprising at least one of a memory, peripheral, communication port, or displays.

6. The method as recited in claim, the method further comprising:
- providing a remote attestation authority with attestation information at startup and during run-time, thereby providing an indication of trust associated with the BCP.

7. (canceled)

14. A computing system comprising a processor and memory, the computing system further comprising computer-executable instructions stored in the memory which, when executed by the processor of the computing system, perform operations comprising:
- performing a secure boot of a base computing platform (BCP);
  
  verifying an integrity of one or more subsequent startup components of the BCP, using the security processor, the one or more subsequent startup components comprising at least one of boot code, an operating system, or a hypervisor;
  
  creating a plurality of virtual machines on the BCP;
  
  providing the plurality of virtual machines with virtual access to the security processor on the BCP;
  
  performing a secure start-up of a first virtual machine of the plurality of virtual machines, wherein a guest owner takes ownership of the first virtual machine; and
  
  verifying an integrity of and instantiating a virtual security processor in the first virtual machine.
- View Dependent Claims (15, 16, 17, 18, 20, 21, 22, 23, 24)
- - 15. The computing system as recited in claim 14, further comprising computer-executable instructions, which when executed by the processor of the computing system, perform further operations comprising:
    - creating and storing a trusted reference value at an initial load of a component, thereby creating a run-time trusted reference value;
      
      validating the component at load-time to create a load-time validation; and
      
      securely binding the load-time validation to the run-time trusted reference value.
  - 16. The computing system as recited in claim 15, further comprising computer-executable instructions, which when executed by the processor of the computing system, perform further operations comprising:
    - maintaining, by the BCP, an integrity of the BCP during run-time operation;
      
      unloading a subcomponent of the component; and
      
      performing an integrity check of the subcomponent before reloading the subcomponent.
  - 17. The computing system as recited in claim 16, further comprising computer-executable instructions, which when executed by the processor of the computing system, perform further operations comprising:
  - 18. The computing system as recited in claim 14, further comprising computer-executable instructions, which when executed by the processor of the computing system, perform further operations comprising:
    - providing a remote attestation authority with attestation information at startup and during run-time, thereby providing an indication of trust associated with the BCP.
  - 20. The computing system as recited in claim 14, further comprising computer-executable instructions, which when executed by the processor of the computing system, perform further operations comprising:
    - verifying an integrity of one or more subsequent startup components in the first virtual machine using the virtual security processor, wherein the subsequent startup components in the virtual machine comprise at least one of an operating system (OS) or applications running thereon.
  - 21. The computing system as recited in claim 14, further comprising computer-executable instructions, which when executed by the processor of the computing system, perform further operations comprising:
    - creating and storing a trusted reference value at an initial load of a component, thereby creating a run-time trusted reference value;
      
      validating the component at load-time to create a load-time validation; and
      
      securely binding the load-time validation to the run-time trusted reference value.
  - 22. The computing system as recited in claim 21, further comprising computer-executable instructions, which when executed by the processor the computing system, perform further operations comprising:
    - maintaining, by the first virtual machine, an integrity of the BCP during run-time operation; and
      
      unloading a subcomponent of the component;
  - 23. The method as recited in claim 22, further comprising computer-executable instructions, which when executed by the processor of the computing system, perform further operations comprising:
    - performing an integrity check of the subcomponent before reloading the subcomponent.
  - 24. The computing system as recited in claim 23, wherein the component comprises code and data, and the subcomponent comprises a portion of the code or data.

19. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
InterDigital Madison Patent Holdings SAS (InterDigital, Inc.)
Original Assignee
InterDigital Patent Holdings, Inc. (InterDigital, Inc.)
Inventors
SHAH, Yogendra C., SCHMIDT, Andreas, MARLAND, John W.

Application Number

US15/528,257
Publication Number

US 20170364685A1
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45562   Creating, deleting, cloning...

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/575   Secure boot

G06F 9/45554   Instruction set architectur...

G06F 9/45558   Hypervisor-specific managem...

PROVIDING SECURITY TO COMPUTING SYSTEMS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

PROVIDING SECURITY TO COMPUTING SYSTEMS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links