Client-side boot domains and boot rules
First Claim
1. One or more computer-readable media having stored thereon instructions for establishing a boot domain on a client computer that, when executed by one or more processors, cause the one or more processors to:
select a boot certificate associated with the boot domain;
create a verified operating system identity from the boot certificate; and
load each one of a plurality of operating system components in accordance with a set of boot rules based on the boot certificate, wherein each of the plurality of operating system components is associated with a component certificate and the set of boot rules comprises:
verifying that each component certificate is signed by a boot authority that issued the boot certificate;
verifying that each component certificate is valid as of an issue date for the boot certificate; and
verifying that each component is not listed in a revocation list associated with the boot certificate.
Abstract
Each software component loaded for a verified operating system on a client computer must satisfy a set of boot rules for a boot certificate. A verified operating system identifier is created from the boot certificate. The boot certificate is published and signed by a boot authority that attests to the validity of the operating system booted under the boot certificate. Each software component for the operating system is associated with a component certificate published and signed by the same boot authority that signed the boot certificate. The boot rules determine the validity of the software component based on the contents of the component and boot certificates. The client computer can transmit the verified operating system identity and the boot certificate to a server computer, such as a content provider, and the content provider can determine whether to trust the verified operating system with its content.
10 Claims
1. One or more computer-readable media having stored thereon instructions for establishing a boot domain on a client computer that, when executed by one or more processors, cause the one or more processors to:
select a boot certificate associated with the boot domain;
create a verified operating system identity from the boot certificate; and
load each one of a plurality of operating system components in accordance with a set of boot rules based on the boot certificate, wherein each of the plurality of operating system components is associated with a component certificate and the set of boot rules comprises:
verifying that each component certificate is signed by a boot authority that issued the boot certificate;
verifying that each component certificate is valid as of an issue date for the boot certificate; and
verifying that each component is not listed in a revocation list associated with the boot certificate.
Dependent claims: 2, 3.
4. One or more computer-readable media having stored thereon instructions for establishing a boot domain on a client computer that, when executed by one or more processors, cause the one or more processors to:
select a boot certificate associated with the boot domain;
create a verified operating system identity from the boot certificate;
load each one of a plurality of operating system components in accordance with a set of boot rules based on the boot certificate;
secure data for use in the boot domain using a key based on the verified identity of the operating system;
obtain a new boot certificate;
create a new verified operating system identity from the new boot certificate; and
re-secure the data in the boot domain with the new verified operating system identity.
Dependent claims: 5, 6, 7.
8. A system for establishing a boot domain on a client computer comprising:
means for selecting a boot certificate associated with the boot domain;
means for creating a verified operating system identity from the boot certificate;
means for loading each one of a plurality of operating system components in accordance with a set of boot rules based on the boot certificate;
means for securing data for use in the boot domain using a key based on the verified identity of the operating system;
means for obtaining a new boot certificate;
means for creating a new verified operating system identity from the new boot certificate; and
means for re-securing the data in the boot domain with the new verified operating system identity.
Dependent claims: 9, 10.
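The following is an added worked example, written for this page and not code from the patent or its assignee, showing the three boot rules of claim 1 (component certificate signed by the boot authority that issued the boot certificate, valid as of the boot certificate's issue date, not on the boot certificate's revocation list) and the key rollover of claims 4 and 8 (data secured under a key derived from the verified operating system identity, then re-secured under a new identity after a new boot certificate is obtained). Everything concrete is an assumption: the boot authority's "signature" is an HMAC keyed with the authority's secret, the verified OS identity is a SHA-256 digest of the signed boot certificate, dates are plain day numbers, and the sealing routine is a hash-based stream cipher with an HMAC tag standing in for a real AEAD.

```python
"""Boot-rule verification and identity-bound data sealing (constructed example)."""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def _canonical(fields: dict) -> bytes:
    """Deterministic byte encoding of the signed certificate fields."""
    return json.dumps(fields, sort_keys=True).encode()


@dataclass
class Certificate:
    subject: str                 # boot domain name or component name
    issuer: str                  # boot authority that signed it (set by issue())
    issue_date: int              # constructed: day number, not a real calendar date
    not_before: int
    not_after: int
    revoked: List[str] = field(default_factory=list)  # revocation list (boot certs)
    signature: bytes = b""

    def body(self) -> dict:
        return {"subject": self.subject, "issuer": self.issuer,
                "issue_date": self.issue_date, "not_before": self.not_before,
                "not_after": self.not_after, "revoked": self.revoked}


class BootAuthority:
    """Stand-in boot authority: an HMAC keyed with its secret plays the role of the
    authority's digital signature (an assumption, not the patent's mechanism)."""

    def __init__(self, name: str, secret: bytes):
        self.name, self._secret = name, secret

    def _mac(self, cert: Certificate) -> bytes:
        return hmac.new(self._secret, _canonical(cert.body()), hashlib.sha256).digest()

    def issue(self, cert: Certificate) -> Certificate:
        cert.issuer = self.name
        cert.signature = self._mac(cert)
        return cert

    def verify(self, cert: Certificate) -> bool:
        return cert.issuer == self.name and hmac.compare_digest(self._mac(cert), cert.signature)


def boot_rule_failure(boot: Certificate, comp: Certificate, authority: BootAuthority) -> Optional[str]:
    """Apply the three boot rules; return None when the component may load."""
    if comp.issuer != boot.issuer or not authority.verify(comp):
        return "not signed by the boot authority that issued the boot certificate"
    if not (comp.not_before <= boot.issue_date <= comp.not_after):
        return "component certificate not valid as of the boot certificate issue date"
    if comp.subject in boot.revoked:
        return "component listed in the boot certificate revocation list"
    return None


def verified_os_identity(boot: Certificate) -> bytes:
    """Verified OS identity: a digest over the signed boot certificate (assumption)."""
    return hashlib.sha256(_canonical(boot.body()) + boot.signature).digest()


def establish_boot_domain(boot: Certificate, components: List[Certificate],
                          authority: BootAuthority) -> Tuple[bytes, List[str], Dict[str, str]]:
    """Select the boot certificate, derive the identity, load components per the boot rules."""
    if not authority.verify(boot):
        raise ValueError("boot certificate is not signed by the boot authority")
    loaded, rejected = [], {}
    for comp in components:
        reason = boot_rule_failure(boot, comp, authority)
        if reason is None:
            loaded.append(comp.subject)
        else:
            rejected[comp.subject] = reason
    return verified_os_identity(boot), loaded, rejected


def domain_key(identity: bytes) -> bytes:
    """Key for data secured in the boot domain, bound to the verified OS identity."""
    return hmac.new(identity, b"boot-domain-data", hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC with hash-based stand-ins; a real system would use an AEAD."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return hmac.new(key, nonce + ct, hashlib.sha256).digest() + nonce + ct


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the data, or None if the key (identity) is wrong or the blob was altered."""
    tag, nonce, ct = blob[:32], blob[32:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def reseal(blob: bytes, old_identity: bytes, new_identity: bytes) -> bytes:
    """Re-secure data under the identity created from a newly obtained boot certificate."""
    data = unseal(domain_key(old_identity), blob)
    if data is None:
        raise ValueError("data was not sealed under the old verified OS identity")
    return seal(domain_key(new_identity), data)


def demo():
    """Constructed scenario: one boot certificate, four components, then a certificate rollover."""
    authority = BootAuthority("AuthorityA", b"constructed-secret-A")
    other = BootAuthority("AuthorityB", b"constructed-secret-B")
    boot = authority.issue(Certificate("boot:domain1", "", 100, 100, 400, revoked=["net.sys"]))
    comps = [
        authority.issue(Certificate("kernel", "", 90, 50, 300)),
        authority.issue(Certificate("net.sys", "", 90, 50, 300)),   # on the revocation list
        authority.issue(Certificate("old.sys", "", 10, 0, 90)),     # expired before day 100
        other.issue(Certificate("rogue.sys", "", 90, 50, 300)),     # wrong boot authority
    ]
    identity, loaded, rejected = establish_boot_domain(boot, comps, authority)
    blob = seal(domain_key(identity), b"domain secret")
    new_boot = authority.issue(Certificate("boot:domain1", "", 150, 150, 500, revoked=["net.sys"]))
    new_identity, _, _ = establish_boot_domain(new_boot, comps, authority)
    new_blob = reseal(blob, identity, new_identity)
    return (loaded, rejected, unseal(domain_key(new_identity), new_blob),
            unseal(domain_key(identity), new_blob))


if __name__ == "__main__":
    print(demo())
```

The rollover matters because the data key is a function of the identity, so anything sealed under the old boot certificate becomes unreadable once the domain moves to a new one unless it is explicitly re-secured, which is what `reseal` does and what the last return value of `demo` (an `unseal` under the stale identity) shows failing.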
Specification