System and method for performing secure device communications in a peer-to-peer bus architecture
First Claim
1. A method for protecting a first device coupled to an input/output (I/O) bus from being accessed in an unauthorized manner by a second device coupled to the I/O bus, the method comprising:
- transmitting to the first device a request to perform a peer-to-peer operation across the I/O bus without intervention from an operating system;
- determining if said request is authentic as being dispatched from the second device;
- determining if the second device is authorized to request the first device to perform said peer-to-peer operation; and
- performing said peer-to-peer operation by said first device, without intervention from the operating system, if said request is authentic from the second device and if the second device is authorized to request said peer-to-peer operation.
Abstract
A system and method for performing secure peer-to-peer device communications on an I/O bus, such as a PCI bus, a Fiber Channel bus, an IEEE 1394 bus or a Universal Serial Bus. The system includes a plurality of intelligent I/O devices, such as intelligent storage devices and/or controllers, communications devices, video devices and audio devices. The I/O devices perform peer-to-peer message and data transfers, thereby bypassing the operating system running on the computer's CPU. The intelligent I/O devices encrypt messages and data before transmitting them on the I/O bus and conversely decrypt the messages and data upon reception. The encryption provides secrecy and/or authentication of the sender. The devices use keys or passwords to encrypt/decrypt the data. The keys are stored in non-volatile memory in the devices and are distributed to the devices by the system BIOS at initialization time. The devices perform access authorization validation using rule sets also distributed by the BIOS at initialization time. The rule sets specify which I/O operations are valid for a peer I/O device to request of a respective I/O device based, preferably, upon the device class/subclasses of the requesting device. In another embodiment, one of the intelligent I/O devices may be a communications device which serves as a firewall for the I/O bus. In this embodiment, the rule set further includes identification information of the remote machines/devices.
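The two-stage check the abstract describes, as an added example that is not part of the patent: the receiving device first authenticates a peer's request with the shared key the BIOS distributed at initialization (an HMAC stands in for the patent's unspecified encryption), then consults the BIOS-distributed rule set by the requester's device class/subclass, and performs the operation only if both checks pass. The firewall embodiment of claim 34 is the same check with remote-machine identifiers in the tables. Device names, keys and table contents are constructed.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed sample data standing in for what the BIOS distributes at init time:
# a per-peer key table and a rule set keyed on the requesting device's class/subclass.
BIOS_PEER_TABLE = {
    # peer id -> (shared key, device class, device subclass)
    "scsi-ctrl-0": (b"k-scsi-0", "storage", "scsi"),
    "video-0": (b"k-video-0", "video", "framebuffer"),
}
BIOS_RULE_SET = {
    # (class, subclass) -> operations a peer of that class may request of this device
    ("storage", "scsi"): frozenset({"read", "write"}),
    ("video", "framebuffer"): frozenset({"read"}),
}


@dataclass(frozen=True)
class PeerMessage:
    sender_id: str
    operation: str
    payload: bytes
    tag: bytes  # MAC over sender_id|operation|payload under the sender's key


def make_tag(key: bytes, sender_id: str, operation: str, payload: bytes) -> bytes:
    body = sender_id.encode() + b"|" + operation.encode() + b"|" + payload
    return hmac.new(key, body, hashlib.sha256).digest()


def send(sender_id: str, key: bytes, operation: str, payload: bytes) -> PeerMessage:
    """Build an authenticated request as the requesting device would."""
    return PeerMessage(sender_id, operation, payload, make_tag(key, sender_id, operation, payload))


def handle_request(msg: PeerMessage, peers=BIOS_PEER_TABLE, rules=BIOS_RULE_SET) -> tuple:
    """Receiving device: authenticate first, then authorize, then perform."""
    entry = peers.get(msg.sender_id)
    if entry is None:
        return False, "rejected: unknown peer"
    key, dev_class, dev_subclass = entry
    expected = make_tag(key, msg.sender_id, msg.operation, msg.payload)
    if not hmac.compare_digest(expected, msg.tag):
        return False, "rejected: not authentic"
    # Class comes from the BIOS table, not from the message, so a peer cannot claim another class.
    allowed = rules.get((dev_class, dev_subclass), frozenset())
    if msg.operation not in allowed:
        return False, f"rejected: {dev_class}/{dev_subclass} may not request {msg.operation}"
    return True, f"performed {msg.operation} ({len(msg.payload)} bytes)"
```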
34 Claims
1. A method for protecting a first device coupled to an input/output (I/O) bus from being accessed in an unauthorized manner by a second device coupled to the I/O bus, the method comprising:
- transmitting to the first device a request to perform a peer-to-peer operation across the I/O bus without intervention from an operating system;
- determining if said request is authentic as being dispatched from the second device;
- determining if the second device is authorized to request the first device to perform said peer-to-peer operation; and
- performing said peer-to-peer operation by said first device, without intervention from the operating system, if said request is authentic from the second device and if the second device is authorized to request said peer-to-peer operation.
Dependent claims: 2 through 21.
22. A computer system, comprising:
- an input/output (I/O) bus;
- first and second devices coupled to the I/O bus, wherein the second device is operable to transmit on the I/O bus to the first device a message including a request to perform a peer-to-peer I/O operation without intervention from an operating system;
- wherein the first device is operable to receive said message and determine if said message is authentically derived from the second device;
- wherein the first device is operable to determine if the second device is authorized to request the first device to perform said peer-to-peer I/O operation; and
- wherein the first device performs said peer-to-peer I/O operation, without intervention from the operating system, only if said peer-to-peer I/O operation request is authentically derived from the second device and if the second device is authorized to request said peer-to-peer I/O operation.
Dependent claims: 23 through 30.
31. An I/O device for coupling to an I/O bus, comprising:
- a processor for performing security services;
- a memory coupled to the processor for storing a rule set and a key;
- wherein the I/O device is operable to receive on the I/O bus from a peer I/O device a message including a request to perform a peer-to-peer I/O operation without intervention from an operating system;
- wherein the I/O device is operable to receive said message and determine if said message is authentically from the peer I/O device using said key stored in said memory;
- wherein the I/O device is operable to determine if the peer I/O device is authorized to request the I/O device to perform said peer-to-peer I/O operation based upon said rule set stored in said memory; and
- wherein the first device performs said peer-to-peer I/O operation, without intervention from the operating system, only if said peer-to-peer I/O operation request is authentically from the peer I/O device based upon said key and if the peer I/O device is authorized to request said peer-to-peer I/O operation based upon said rule set.
Dependent claims: 32 and 33.
34. An I/O device for coupling to an I/O bus, comprising:
- a processor for performing security services;
- a memory coupled to the processor for storing a rule set and a key;
- wherein the I/O device is operable to receive from a remote computer a packet including a request for a peer I/O device also coupled to the I/O bus to perform an I/O operation without intervention from an operating system;
- wherein the I/O device is operable to determine if said packet is authentic from the remote computer using said key stored in said memory;
- wherein the I/O device is operable to determine if the remote computer is authorized to request the peer I/O device to perform said I/O operation based upon said rule set stored in said memory; and
- wherein the I/O device forwards said I/O operation request to said peer I/O device only if said packet is authentically from the remote computer based upon said key and if the remote computer is authorized to request said I/O operation based upon said rule set.
Specification