Managing a secure environment using a chipset in isolated execution mode

US 7,085,935 B1
Filed: 09/22/2000
Issued: 08/01/2006
Est. Priority Date: 03/31/2000
Status: Expired due to Term

First Claim

Patent Images

1. An apparatus comprising:

a PE handler storage to store a PE handler image to be loaded into an isolated memory area within a memory of a processing system after at least a portion of a chipset circuit of the processing system is initialized, the PE handler image to be executed by a processor of the processing system, the processor capable of operating in a normal execution mode and in an isolated execution mode; and

an initialization storage to configure the processing system in the isolated execution mode, the processor capable of accessing the isolated memory area when operating in the isolated execution mode.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A chipset is initialized in a secure environment for an isolated execution mode by an initialization storage. The secure environment has a plurality of executive entities and is associated with an isolated memory area accessible by at least one processor. The at least one processor has a plurality of threads and operates in one of a normal execution mode and the isolated execution mode. The executive entities include a processor executive (PE) handler. PE handler data corresponding to the PE handler are stored in a PE handler storage. The PE handler data include a PE handler image to be loaded into the isolated memory area after the chipset is initialized. The loaded PE handler image corresponds to the PE handler.

Citations

53 Claims

1. An apparatus comprising:
- a PE handler storage to store a PE handler image to be loaded into an isolated memory area within a memory of a processing system after at least a portion of a chipset circuit of the processing system is initialized, the PE handler image to be executed by a processor of the processing system, the processor capable of operating in a normal execution mode and in an isolated execution mode; and
  
  an initialization storage to configure the processing system in the isolated execution mode, the processor capable of accessing the isolated memory area when operating in the isolated execution mode.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The apparatus of claim 1, further comprising:
    - a thread count storage to store a thread count indicating a number of threads currently initialized for operation in the isolated execution mode.
  - 3. The apparatus of claim 1, further comprising:
    - an identifier log storage to store a cryptographic identifier of an executive entity loaded into the isolated execution mode.
  - 4. The apparatus of claim 3, wherein the executive entity comprises at least one entity selected from the group consisting of a PE, a PE handler, and an operating system executive (OSE).
  - 5. The apparatus of claim 1, further comprising:
    - a platform key storage to store a platform key used in handling an executive entity loaded into the isolated execution mode; and
      
      a scratch storage to store isolated settings used to configure the isolated execution mode.
  - 6. The apparatus of claim 5 wherein the isolated settings comprise one or more values selected from the group consisting of an isolated base value for the isolated memory area, an isolated length value for the isolated memory area, and a processor executive entry address.
  - 7. The apparatus of claim 1, further comprising:
    - a chipset circuit that provides the PE handler storage and the initialization storage, the chipset circuit capable of supporting at least one chipset mode selected from the around consisting of;
      
      an initialization waiting mode to indicate the chipset circuit is waiting for initialization;
      
      a PE initialization in-progress mode to indicate the PE is being executed;
      
      a PE initialization completion mode to indicate the PE is completed;
      
      an OSE loaded mode to indicate the OSE has been loaded; and
      
      a closing mode to indicate the isolated execution mode is closed.
  - 8. The apparatus of claim 1, wherein the initialization storage:
    - returns an incremented thread count when a thread enrolls in the isolated execution mode and returns a decremented thread count when an enrolled thread withdraws from the isolated execution mode.
  - 9. The apparatus of claim 1, further comprising a mode write circuit to write a failure mode into the chipset circuit when a thread limit is reached.
  - 10. The apparatus of claim 1, the PE handler storage further to store at least one item selected from the group consisting of a cryptographic PE handler identifier, a PE handler size, and a PE handler address.
  - 11. The apparatus of claim 1, wherein the PE handler storage comprises a read-only memory.
  - 12. The apparatus of claim 1, further comprising a platform key storage to return a platform key when the chipset circuit is read in an initialization waiting mode.
  - 13. The apparatus of claim 12 wherein the platform key is programmed to a random value.
  - 14. The apparatus of claim 1, further comprising:
    - a status storage to store a status value of an isolated unlock pin used in setting platform settings.

15. A method comprising:
- storing a processor executive (PE) handler image in a PE handler storage of a chipset circuit, the chipset circuit in communication with a processor that supports a normal execution mode and an isolated execution mode, and in communication with a memory to include an isolated memory area accessible to the processor in the isolated execution mode; and
  
  after at least a portion of the chipset circuit is initialized, loading the PE handler image into the isolated memory area.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 16. The method of claim 15, further comprising:
    - storing a thread count in a thread count storage indicating number of threads currently initialized for operation in the isolated execution mode.
  - 17. The method of claim 15, further comprising:
    - storing cryptographic identifiers of executive entities loaded into the isolated execution mode.
  - 18. The method of claim 17, wherein the executive entities comprise at least one entity selected from the group consisting of a PE, a PE handler, and an operating system executive (OSE).
  - 19. The method of claim 15, further comprising:
    - obtaining a platform key used in handling the executive entities from a platform key storage; and
      
      obtaining isolated settings used to configure the isolated execution mode from the chipset circuit.
  - 20. The method of claim 19 wherein the operation of obtaining isolated settings comprises obtaining at least one value selected from the group consisting of an isolated base value for the isolated memory area, an isolated length value for the isolated memory area, and a processor executive entry address.
  - 21. The method of the claim 15, further comprising operating in a series of chipset modes comprising:
    - an initialization waiting mode to indicate the chipset circuit is waiting for initialization;
      
      a PE initialization in-progress mode to indicate the PE is being executed;
      
      a PE initialization completion mode to indicate the PE is completed;
      
      an OSE loaded mode to indicate the OSE has been loaded; and
      
      a closing mode to indicate the isolated execution mode is closed.
  - 22. The method of claim 15, further comprising initializing at least a portion of the chipset circuit.
  - 23. The method of claim 15, further comprising:
    - returning an incremented thread count when a thread enrolls in the isolated execution mode; and
      
      returning a decremented thread count when an enrolled thread withdraws from the isolated execution mode.
  - 24. The method of claim 15, further comprising writing a chipset mode corresponding to a failure mode when the a thread count reaches a thread limit.
  - 25. The method of claim 15, wherein the PE handler storage comprises read-only memory.
  - 26. The method of claim 15, further comprising obtaining a platform key from a platform key storage when the chipset circuit is in an initialization waiting mode.
  - 27. The method of claim 15, further comprising:
    - storing a status value of an isolated unlock pin used to unlock platform settings.

28. A system comprising:
- a processor capable of selectively operating in a normal execution mode and, alternatively, in an isolated execution mode;
  
  a memory to include an isolated memory area accessible to the processor in the isolated execution mode;
  
  a chipset circuit in communication with the processor and the memory; and
  
  a PE handler storage in the chipset circuit, the PE handler storage to store a PE handler image to be loaded into the isolated memory area after at least a portion of the chipset circuit is initialized.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 29. The system of claim 28 wherein the chipset circuit further comprises:
    - a thread count storage to store a thread count indicating a number of threads currently associated with the isolated execution mode.
  - 30. The system of claim 28 wherein the chipset circuit further comprises:
    - an identifier log storage to store cryptographic identifiers of executive entities associated with the isolated execution mode.
  - 31. The system of claim 30 wherein the executive entities comprise:
    - a processor executive (PE);
      
      a PE handler; and
      
      an operating system executive (OSE).
  - 32. The system of claim 28 wherein the chipset circuit further comprises:
    - a platform key storage to store a platform key used in handling executive entities; and
      
      a scratch storage to store isolated settings used to configure the isolated execution mode.
  - 33. The system of claim 32 wherein the platform key is returned when the platform key storage is read with the chipset circuit in an initialization waiting mode.
  - 34. The system of claim 32 wherein the platform key comprises a random value.
  - 35. The system of claim 32 wherein the isolated settings comprise one or more values selected from the group consisting of an isolated base value for the isolated memory area, an isolated length value for the isolated memory area, and a processor executive entry address.
  - 36. The system of claim 28 wherein the chipset circuit further comprises a mode storage to store a chipset mode indicating a mode of operation of the chipset circuit, the chipset mode comprising one or more modes selected from the group consisting of:
    - an initialization waiting mode to indicate the chipset circuit is waiting for initialization;
      
      a PE initialization in-progress mode to indicate the PE is being executed;
      
      a PE initialization completion mode to indicate the PE is completed;
      
      an OSE loaded mode to indicate the OSE has been loaded; and
      
      a closing mode to indicate the isolated execution mode is closed.
  - 37. The system of claim 36 wherein the chipset circuit further comprises a mode write circuit to write a failure mode into the mode storage when a thread limit is reached.
  - 38. The system of claim 28 wherein the chipset circuit further comprises an initialization storageto return an incremented thread count when a thread enrolls in the isolated execution mode, and to return a decremented thread count when an enrolled thread withdraws from the isolated execution mode.
  - 39. The system of claim 28, the PE handler storage further to store at least one item selected from the group consisting of a PE handler cryptographic identifier, a PE handler size, and a PE handler address.
  - 40. The system of claim 28 wherein the PE handler storage comprises a non-volatile memory.
  - 41. The system of claim 28 wherein the chipset circuit further comprises:
    - a status storage to store a status value of an isolated unlock pin used to unlock platform settings.

42. An apparatus comprising:
- a machine accessible medium; and
  
  instructions encoded in the machine accessible medium, wherein the instructions, when executed by a processing system with a processor and a chipset circuit that supports a normal execution mode and an isolated execution mode, cause the processing system to perform operations comprising;
  
  obtaining a processor executive (PE) handler image from a PE handler storage in the chipset circuit; and
  
  after at least a portion of the chipset circuit is initialized, loading the PE handler image into an isolated memory area within a memory of the processing system, the isolated memory area accessible to the processor in the isolated execution mode.
- View Dependent Claims (43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53)
- - 43. The apparatus of claim 42, wherein the machine accessible medium further comprises:
    - instructions to store a thread count indicating number of threads currently initialized for operation in the isolated execution mode.
  - 44. The apparatus of claim 42, wherein the machine accessible medium further comprises:
    - instructions to store cryptographic identifiers of executive entities loaded into the isolated execution mode.
  - 45. The apparatus of claim 42, wherein the machine accessible medium further comprises:
    - instructions to store a platform key used in handling executive entities.
  - 46. The apparatus of claim 42, wherein the machine accessible medium further comprises:
    - instructions to configure the isolated execution mode, based at least in part on isolated settings associated with the processing system.
  - 47. The apparatus of claim 46, wherein the isolated settings include at least one value selected from the group consisting of an isolated base value for the isolated memory area, an isolated length value for the isolated memory area, and a processor executive entry address.
  - 48. The apparatus of claim 42, wherein the instructions implement executive entities comprising at least one entity selected from the group consisting of:
    - a PE;
      
      a PE handler; and
      
      an operating system executive (OSE).
  - 49. The apparatus of claim 42, wherein the machine accessible medium further comprises:
    - instructions to initialize at least a portion of the chipset circuit.
  - 50. The apparatus of claim 42, wherein the machine accessible medium further comprises:
    - instructions to increment a thread count when a thread enrolls in the isolated execution mode; and
      
      instructions to decrement a thread count when an enrolled thread withdraws from the isolated execution mode.
  - 51. The apparatus of claim 42, wherein the instructions obtain the PE handler image from a read-only memory.
  - 52. The apparatus of claim 42, wherein the instructions obtain a platform key from a platform key storage when the chipset circuit is in an initialization waiting mode.
  - 53. The apparatus of claim 42, wherein the machine accessible medium further comprises instructions to store a status value of an isolated unlock pin used to unlock platform settings.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alibaba Group Holding Ltd.
Original Assignee
Intel Corporation
Inventors
Neiger, Gilbert, Reneris, Ken, Sutton, James A., Thakkar, Shreekant S., Mittal, Millind, Ellison, Carl M., Golliver, Roger A., Herbert, Howard C., Lin, Derrick C., McKeen, Francis X.
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
Arani, Taghi T.

Application Number

US09/668,408
Time in Patent Office

2,139 Days
Field of Search

713164-182, 713/200, 709100-250, 711110-170, 712 10-300
US Class Current

726/2
CPC Class Codes

G06F 12/1491 in a hierarchical protectio...

Managing a secure environment using a chipset in isolated execution mode

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

53 Claims

Specification

Solutions

Use Cases

Quick Links

Managing a secure environment using a chipset in isolated execution mode

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

53 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links