Platform and method for remote attestation of a platform

US 7,254,707 B2
Filed: 08/12/2005
Issued: 08/07/2007
Est. Priority Date: 03/31/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

configuring a processor of a platform to operate in an isolated execution mode in a ring 0 operating mode, wherein the processor also supports one or more higher ring operating modes, as well as a normal execution mode in at least the ring 0 operating mode;

loading at least one software module into a random access memory (RAM) of the platform while the platform is operating in the isolated execution mode;

storing an audit log within protected memory of the platform, the audit log including data representing the software module loaded in the isolated execution mode;

retrieving the audit log from the protected memory in response to receiving an attestation request; and

digitally signing the audit log to produce a digital signature in response to the attestation request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a method of attestation involves a special mode of operation. The method comprises storing an audit log within protected memory of a platform. The audit log is a listing of data representing one or more software modules loaded into the platform. The audit log is retrieved from the protected memory in response to receiving an attestation request. Then, the retrieved audit log is digitally signed to produce a digital signature in response to the attestation request.

31 Citations

View as Search Results

16 Claims

1. A method comprising:
- configuring a processor of a platform to operate in an isolated execution mode in a ring 0 operating mode, wherein the processor also supports one or more higher ring operating modes, as well as a normal execution mode in at least the ring 0 operating mode;
  
  loading at least one software module into a random access memory (RAM) of the platform while the platform is operating in the isolated execution mode;
  
  storing an audit log within protected memory of the platform, the audit log including data representing the software module loaded in the isolated execution mode;
  
  retrieving the audit log from the protected memory in response to receiving an attestation request; and
  
  digitally signing the audit log to produce a digital signature in response to the attestation request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the data representing the software module comprises a cryptographic hash value.
  - 3. A method according to claim 1, comprising:
    - issuing attestation cycles in response to receiving the attestation request; and
      
      utilizing the attestation cycles to retrieve the audit log from the protected memory.
  - 4. A method according to claim 1, wherein the operation of digitally signing the audit log comprises:
    - utilizing a private key to digitally sign the audit log.
  - 5. A method according to claim 1, wherein:
    - the operation of loading at least one software module comprises loading, in a high privilege ring of the platform, at least one module selected from the group consisting of a processor nub and an operating system (OS) nub; and
      
      the operation of storing an audit log within protected memory of the platform comprises storing, in the audit log, data that represents at least one loaded module.
  - 6. A method according to claim 1, wherein:
    - the operation of loading at least one software module comprises loading, in a high privilege ring of the platform, at least one module selected from the group consisting of a processor nub and an operating system (OS) nub; and
      
      the operation of storing an audit log within protected memory of the platform comprises storing, in the audit log, a cryptographic hash value for at least one loaded module.
  - 7. A method according to claim 1, wherein:
    - the platform comprises a first platform;
      
      the operation of receiving an attestation request comprises receiving the attestation request from a second platform; and
      
      the method further comprises transmitting a response that attests to integrity of the first platform to the second platform.
  - 8. A method according to claim 1, further comprising:
    - receiving user input; and
      
      determining whether or not to provide remote attestation, based on the user input.

9. A method comprising:
- configuring a processor of a processing system to operate in an isolated execution mode in a ring 0 operating mode, wherein the processor also supports one or more higher ring operating modes, as well as a non-isolated execution mode in at least the ring 0 operating mode;
  
  configuring the processing system to establish an isolated memory area in a random access memory (RAM) of the processing system and a non-isolated memory area in the RAM, wherein the processing system does not allow access to the isolated memory area if the processor is not in the isolated execution mode;
  
  loading at least one software module into the isolated memory area of the RAM while the processor is operating in the isolated execution mode;
  
  storing an audit log in the processing system, the audit log including data representing the software module loaded into the isolated memory area;
  
  retrieving the audit log in response to receiving an attestation request; and
  
  digitally signing the audit log to produce a digital signature in response to the attestation request.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. A method according to claim 9, wherein:
    - the operation of storing an audit log comprises storing the audit log within protected memory of the processing system.
  - 11. A method according to claim 9, wherein:
    - the operation of storing an audit log comprises storing the audit log within protected memory of the processing system; and
      
      the operation of retrieving the audit log comprises retrieving the audit log from the protected memory.
  - 12. A method according to claim 9, wherein the operation of storing an audit log comprises storing, in the audit log, data that represents software for booting the processing system.
  - 13. A method according to claim 9, further comprising:
    - executing a processor nub on the processor in the isolated execution mode;
      
      loading an operating system (OS) nub into the isolated memory area, the OS nub to manage at least a subset of an OS to run on the processing system;
      
      verifying the OS nub, using the processor nub; and
      
      after verifying the OS nub, launching the OS nub.
  - 14. A method according to claim 13, wherein the operation of storing an audit log comprises storing data that represents the processor nub in the audit log.
  - 15. A method according to claim 13, wherein the operation of storing an audit log comprises storing data that represents the OS nub in the audit log.
  - 16. A method according to claim 13, wherein the operation of storing an audit log comprises:
    - storing data that represents the processor nub in the audit log; and
      
      storing data that represents the OS nub in the audit log.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Thakkar, Shreekant S., Neiger, Gilbert, Ellison, Carl M., Mittal, Millind, Reneris, Ken, Grawrock, David W., McKeen, Francis X., Sutton, James A., Herbert, Howard C., Golliver, Roger A., Lin, Derrick C.
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Tran; Tongoc

Application Number

US11/203,538
Publication Number

US 20060015719A1
Time in Patent Office

725 Days
Field of Search

713164-173, 713/193, 711/152, 711/153, 711/173, 711/170, 711/163
US Class Current

713/164
CPC Class Codes

G06F 12/1491   in a hierarchical protectio...

G06F 21/305   by remotely controlling dev...

G06F 21/35   communicating wirelessly

G06F 21/53   by executing in a restricte...

G06F 21/57   Certifying or maintaining t...

G06F 21/575   Secure boot

G06F 21/64   Protecting data integrity, ...

G06F 21/74   operating in dual or compar...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2103   Challenge-response

G06F 2221/2105   Dual mode as a secondary as...

G06F 2221/2149   Restricted operating enviro...

G06F 9/30189   according to execution mode...

Platform and method for remote attestation of a platform

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

31 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Platform and method for remote attestation of a platform

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links