Trusted computing platform using a trusted device assembly

US 6,988,250 B1
Filed: 02/15/2000
Issued: 01/17/2006
Est. Priority Date: 02/15/1999
Status: Expired due to Term

First Claim

Patent Images

1. Computing apparatus comprising, mounted on an assembly, main processing means, main memory means and a trusted device, each being connected for communication with one or more other components on the assembly,the trusted device being arranged to acquire a true value of an integrity metric of the computing apparatus.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a computing platform, a trusted hardware device (24) is added to the motherboard (20). The trusted hardware device (24) is configured to acquire an integrity metric, for example a hash of the BIOS memory (29), of the computing platform. The trusted hardware device (24) is tamper-resistant, difficult to forge and inaccessible to other functions of the platform. The hash can be used to convince users that that the operation of the platform (hardware or software) has not been subverted in some way, and is safe to interact with in local or remote applications.

In more detail, the main processing unit (21) of the computing platform is directed to address the trusted hardware device (24), in advance of the BIOS memory, after release from ‘reset’. The trusted hardware device (24) is configured to receive memory read signals from the main processing unit (21) and, in response, return instructions, in the native language of the main processing unit (21), that instruct the main processing unit to establish the hash and return the value to be stored by the trusted hardware device (24). Since the hash is calculated in advance of any other system operations, this is a relatively strong method of verifying the integrity of the system. Once the hash has been returned, the final instruction calls the BIOS program and the system boot procedure continues as normal.

Whenever a user wishes to interact with the computing platform, he first requests the integrity metric, which he compares with an authentic integrity metric that was measured by a trusted party. If the metrics are the same, the platform is verified and interactions can continue. Otherwise, interaction halts on the basis that the operation of the platform may have been subverted.

146 Citations

49 Claims

1. Computing apparatus comprising, mounted on an assembly, main processing means, main memory means and a trusted device, each being connected for communication with one or more other components on the assembly,the trusted device being arranged to acquire a true value of an integrity metric of the computing apparatus.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. Computing apparatus according to claim 1, wherein the trusted device comprises device memory means and means for instructing the main processing means to determine the integrity metric and return the integrity metric for storage in the device memory means.
  - 3. Computing apparatus according to claim 2, wherein the means for instructing the main processing means comprises, stored in the device memory means, program code native to the main processing means, and the trusted device is arranged to transfer the instructions of the program code to the main processing means.
  - 4. Computing apparatus according to claim 3, wherein the computing apparatus is arranged to cause the instructions to be the first instructions executed after release from reset.
  - 5. Computing apparatus according to claim 3, wherein the trusted device is arranged to transfer the instructions to the main processing means in response to memory read signals from the main processing means.
  - 6. Computing apparatus according to claim 1, wherein the trusted device comprises device memory means and is arranged to monitor a data bus means by which components mounted on the assembly are adapted to communicate and store in the device memory means a flag in the event the first memory read signals generated by the main processing means after the computing apparatus is released from reset are addressed to the trusted device.
  - 7. Computing apparatus according to claim 1, wherein the trusted device has stored in device memory means at least one of:
    - a unique identity of the trusted device;
      
      an authenticated integrity metric generated by a trusted party; and
      
      a secret.
  - 8. Computing apparatus according to claim 7, wherein the trusted device has stored in device memory means a secret comprising a private asymmetric encryption key.
  - 9. Computing apparatus according to claim 8, wherein the trusted device also has stored in device memory means a respective public encryption key that has been signed by a trusted party.
  - 10. Computing apparatus according to claim 8, wherein the trusted device has stored in device memory means an authenticated integrity metric generated by a trusted party and includes a encryption function, the trusted device being arranged to generate a response to a received challenge, the response comprising an acquired integrity metric and the authenticated integrity metric, both signed by the encryption function using the private asymmetric encryption key.
  - 11. Computing apparatus as claimed in claim 1, wherein the trusted device includes non-volatile memory for storing instructions instructing the main processing means to determine the integrity metric and return the integrity metric for storage in the device memory means.
  - 12. Computing apparatus as claimed in claim 1, wherein the integrity metric is a digest of all or part of the basic input/output software for the computing apparatus.
  - 13. Computing apparatus as claimed in claim 1, wherein the integrity metric is a digest of all or part of the basic input/output software for components or apparatus attached to the computing apparatus.
  - 14. Computing apparatus as claimed in claim 1, wherein the trusted device is implemented as an application specific integrated circuit device.
  - 15. Computing apparatus as claimed in claim 1, wherein the trusted device is implemented as a programmed micro-controller.
  - 16. Computing apparatus as claimed in claim 1, wherein the trusted device is accessed by said main processing means prior to said main processing means accessing basic input/output software instructions stored in non-volatile memory during a boot process of said computing apparatus.
  - 17. Computing apparatus as claimed in claim 1 wherein said trusted device includes:
    - d. a measurement function for acquiring the integrity metric of the computing apparatus;
      
      e. an authentication function for authenticating a user'"'"'s smart card; and
      
      f. a controller for interacting with the main processing means and the measurement and authentication functions.
  - 18. Computing apparatus as claimed in claim 17 wherein said measurement function has access to memory in said trusted device for storing a private key of the trusted device and the integrity metric, the integrity metric indicating whether or not the trusted device was accessed by the main processor before said main processor accesses basic input/output instructions for booting the computing apparatus.

19. A method of operating a system comprising a trusted computing apparatus and a user, the trusted computing apparatus incorporating a trusted device being arranged to acquire the true value of an integrity metric of the trusted computing apparatus, the method comprising the steps of:
- the trusted device acquiring the true value of the integrity metric of the trusted computing apparatus;
  
  the user generating a challenge for the trusted computing apparatus to prove its integrity and submitting the challenge to the trusted computing apparatus;
  
  the trusted computing apparatus receiving the challenge, and the trusted device generating a response including the integrity metric and returning the response to the user; and
  
  the user receiving the response, extracting the integrity metric from the response and comparing the integrity metric with an authenticated metric for the trusted computing apparatus that had been generated by a trusted party.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. A method according to claim 19, wherein the challenge includes a nonce, the response includes the integrity metric and the nonce, both digitally signed by the trusted device using a information security algorithm, and the user verifies the integrity metric and the nonce using a respective information security algorithm.
  - 21. A method according to claim 20, wherein the trusted device uses a private encryption key to sign the integrity metric and the nonce, and the user uses the respective public encryption key to verify the integrity metric and the nonce.
  - 22. A method according to claim 21, wherein the response includes a certificate held by the trusted device, which certificate has been digitally signed by a trusted party using a private encryption key of the trusted party, the certificate including the public encryption key of the trusted device, and the user verifies the certificate using the public encryption key of the trusted party and uses the public encryption key from the certificate to verify the integrity metric and the nonce.
  - 23. A method of establishing a communications channel in a system between trusted computing apparatus and remote computing apparatus, the method including the step of the remote computing apparatus verifying the integrity of the trusted computing apparatus using the method according to claim 19, and maintaining the communications channel for further transactions in the event the integrity of the trusted computing apparatus is successfully verified by the remote computing apparatus.
  - 24. A method of verifying that trusted computing apparatus is trustworthy for use by a user for processing a particular application, the method including the step of the user verifying the integrity of the trusted computing apparatus using the method according to claim 19, and the user using the trusted computing apparatus to process the particular application in the event the integrity of the trusted computing apparatus is successfully verified by the remote computing apparatus.
  - 25. A method according to claim 19, wherein the trusted device acquires the true value of the integrity metric of the trusted computing apparatus before a boot up process of the trusted computing apparatus is completed.

26. Computing apparatus comprising an assembly;
- a main processor, a main memory and a trusted device, each being mounted on the assembly and connected for communication with other components mounted on the assembly, wherein the trusted device is adapted to acquire a value of an integrity metric that measures that the computing apparatus is operating as intended and determining the correctness of the acquired value of the integrity metric.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 27. Computing apparatus as claimed in claim 26, wherein the integrity metric is a digest of all or part of the basic input/output software for the computing apparatus.
  - 28. Computing apparatus as claimed in claim 26, wherein the integrity metric is a digest of all or part of the basic input/output software for components or apparatus attached to the computing apparatus.
  - 29. Computing apparatus as claimed in claim 26, wherein the trusted device is adapted to acquire a plurality of integrity metrics.
  - 30. Computing apparatus as claimed in claim 26, wherein the trusted device is adapted to be tamper resistant.
  - 31. Computing apparatus as claimed in claim 26, wherein the trusted device comprises a device memory.
  - 32. Computing apparatus as claimed in claim 31, wherein the trusted device comprises a trusted device processor.
  - 33. Computing device as claimed in claim 32, wherein the trusted device processor is adapted to instruct the main processor to determine the integrity metric and return the integrity metric for storage in the device memory.
  - 34. Computing apparatus as claimed in claim 32, wherein the trusted device processor is adapted to obtain information necessary to calculate the integrity metric and to calculate the integrity metric for storage in the device memory.
  - 35. Computing apparatus as claimed in claim 32, wherein the trusted device has a secret stored in the device memory.
  - 36. Computing apparatus as claimed in claim 35, wherein the secret comprises a private asymmetric encryption key.
  - 37. Computing apparatus as claimed in claim 36, wherein the trusted device also has stored in the device memory in the device memory a respective public encryption key that has been signed by a trusted third party.
  - 38. Computing apparatus as claimed in claim 37, wherein the trusted device also has stored in the device memory an authenticated integrity metric generated by a trusted third party and wherein the trusted device is adapted to employ an encryption function, the trusted device processor being arranged to generate a response to a received challenge, the response comprising an acquired integrity metric and the authenticated integrity metric, both signed by the encryption function using the private asymmetric encryption key.

39. In a computing apparatus comprising an assembly, a plurality of functional components including a main memory and a main processor mounted on the assembly, each functional component being connected for communication with one or more other functional components on the assembly, a trusted device being one of said functional components and adapted to acquire a value of an integrity metric that measures that the computing apparatus is operating as intended and determining the correctness of the acquired value of the integrity metric.
- View Dependent Claims (40, 41)
- - 40. The combination of claim 39 wherein the trusted device is adapted to acquire the value of the integrity metric before the computing apparatus has completed a boot up process.
  - 41. The combination of claim 39 further including means for testing to assure that the trusted device is accessed by said main processor before said main processor accesses basic input/output instructions for booting the computing apparatus.

42. A trusted device for use as a functional component in a computing apparatus, the trusted device being adapted for mounting on an assembly of the computing apparatus and being adapted for communication with other functional components of the computing apparatus, the trusted device being adapted to acquire a value of an integrity metric that measures that the computing apparatus is operating as intended and determining the correctness of the acquired value of the integrity metric.
- View Dependent Claims (43, 44, 45, 46, 47, 48, 49)
- - 43. Computing apparatus as claimed in claim 42, wherein the trusted device is adapted to be tamper resistant.
  - 44. Computing apparatus as claimed in claim 42, wherein the trusted device comprises a device memory.
  - 45. Computing apparatus as claimed in claim 44, wherein the trusted device comprises a trusted device processor.
  - 46. Computing apparatus as claimed in claim 45, wherein the trusted device has a secret stored in the device memory.
  - 47. Computing apparatus as claimed in claim 46, wherein the secret comprises a private asymmetric encryption key.
  - 48. Computing apparatus as claimed in claim 47, wherein the trusted device also has stored in the device memory in the device memory a respective public encryption key that has been signed by a trusted third party.
  - 49. Computing apparatus as claimed in claim 48, wherein the trusted device also has stored in the device memory an authenticated integrity metric generated by a trusted third party and wherein the trusted device is adapted to employ an encryption function, the trusted device processor being arranged to generate a response to a received challenge, the response comprising an acquired integrity metric and the authenticated integrity metric, both signed by the encryption function using the private asymmetric encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Proudler, Graeme John, Chen, Liqun, Chan, David, Gupta, Dipankar, Balacheff, Boris, Pearson, Siani Lynne, Van Wilder, Bruno Edgard
Primary Examiner(s)
DO, THUAN V

Application Number

US09/913,452
Time in Patent Office

2,163 Days
Field of Search

709/226, 716/1, 716/2, 716/17, 716/18, 713/200, 713/160, 713/165, 705/50
US Class Current

713/160
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/445   by mutual authentication, e...

G06F 21/57   Certifying or maintaining t...

G06F 21/606   by securing the transmissio...

G06F 21/64   Protecting data integrity, ...

G06F 21/85   interconnection devices, e....

G06F 2207/7219   Countermeasures against sid...

G06F 2211/009   Trust

G06F 2221/2103   Challenge-response

Trusted computing platform using a trusted device assembly

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

146 Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

Trusted computing platform using a trusted device assembly

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

146 Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links