Virtualization of software configuration registers of the TPM cryptographic processor

US 7,836,299 B2
Filed: 03/15/2005
Issued: 11/16/2010
Est. Priority Date: 03/15/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method of checking an application program of a software platform in a Trusted Platform Module (TPM) to determine if the application program can be trusted by the software platform, comprising:

a computer providing a TPM interface to virtualize at least one physical platform control register (PCR) of said TPM for storage of a log of values representative of a state of the application program and its environment;

said computer providing the TPM interface that identifies a virtualized PCR by name;

said TPM interface enabling the application program to command the TPM interface to create a data structure containing the contents of the identified virtualized PCR;

said computer hashing contents and names of one or more virtualized PCRs together and loading a resultant value into a physical PCR of said TPM, wherein one of the hashed virtualized PCRs contains the log of values representative of the state of the application program and its environment;

said TPM interface providing selective access to said identified virtualized PCR for storage of said log of values for said application program;

said TPM interface modifying or resetting said identified virtualized PCR to a value representative of a trusted state of said application program; and

said TPM interface initializing at least one virtualized PCR with information of interest to said application program,said information of interest to said application program comprising a security identifier of said application program, andwherein said information of interest to said application program further comprises a virtual machine identifier of a virtual machine partition using said virtualized PCR.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A virtual PCR (VPCR) construct is provided that can be cryptographically tagged as optionally resettable or as enduring for the life of a client (process, virtual machine, and the like) and that can be loaded into a resettable hardware PCR to make use of the functionality of a Trusted Platform Module (TPM). The VPCRs may cryptographically reflect their characteristics (resettable or not) in their stored values. Also, since the PCRs are virtualized, they are (effectively) unlimited in number and may be given general names (UUIDs) that are less likely to collide. The VPCRs can be loaded into a physical PCR as needed, but in a way that stops one piece of software from impersonating another piece of software. The VPCRs thus enable all software using the TPM to be given access to TPM functionality (sealing, quoting, etc.) without security concerns.

63 Citations

View as Search Results

15 Claims

1. A computer-implemented method of checking an application program of a software platform in a Trusted Platform Module (TPM) to determine if the application program can be trusted by the software platform, comprising:
- a computer providing a TPM interface to virtualize at least one physical platform control register (PCR) of said TPM for storage of a log of values representative of a state of the application program and its environment;
  
  said computer providing the TPM interface that identifies a virtualized PCR by name;
  
  said TPM interface enabling the application program to command the TPM interface to create a data structure containing the contents of the identified virtualized PCR;
  
  said computer hashing contents and names of one or more virtualized PCRs together and loading a resultant value into a physical PCR of said TPM, wherein one of the hashed virtualized PCRs contains the log of values representative of the state of the application program and its environment;
  
  said TPM interface providing selective access to said identified virtualized PCR for storage of said log of values for said application program;
  
  said TPM interface modifying or resetting said identified virtualized PCR to a value representative of a trusted state of said application program; and
  
  said TPM interface initializing at least one virtualized PCR with information of interest to said application program,said information of interest to said application program comprising a security identifier of said application program, andwherein said information of interest to said application program further comprises a virtual machine identifier of a virtual machine partition using said virtualized PCR.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A method as in claim 1, wherein loading resultant values into the physical PCR of said TPM provides TPM functions to values stored in said virtualized PCR, the TPM functions including at least one of TPM extend, TPM quoting, and TPM sealing.
  - 3. A method as in claim 1, comprising the step of starting said identified virtualized PCR at a start value representative of behavior of said identified virtualized PCR.
  - 4. A method as in claim 1, comprising the further steps of hashing at least two identified data structures together and resetting and loading said physical PCR with the hashed value.
  - 5. A method as in claim 1, wherein the step of modifying or resetting of said identified virtualized PCR is performed by said TPM interface.
  - 6. A method as in claim 1, comprising the further step of initializing at least one virtualized PCR with information of interest to said application program, said information including at least one of a process identifier for said application program, a hash of a BIOS that booted an operating system of said application program in a virtual machine environment, and a credential based on an identity of said application program.

7. A system for checking an application program of a software platform to determine if the application program can be trusted by the software platform, comprising:
- a Trusted Platform Module (TPM) including a cryptographic processor and at least one physical platform control register (PCR); and
  
  a computer readable medium excluding signals, said computer readable medium including instructions for a TPM interface, said TPM interface virtualizing at least one physical PCR of said TPM for storage of a log of values representative of a state of the application program and its environment, identifying a virtualized PCR by name, enabling the application program to command the TPM interface to create a data structure containing the contents of the identified virtualized PCR and its name, hashing contents and names of one or more virtualized PCRs together and loading a resultant value into a physical PCR of said TPM wherein one of the hashed virtualized PCRs contains the log of values, selectively accessing said identified virtualized PCR for storage of said log of values for said application program, modifying or resetting said identified virtualized PCR to a value representative of a trusted state of said application program, and initializing at least one virtualized PCR with information of interest to said application program, wherein said information of interest to said application program comprises a security identifier of said application program, and wherein said information of interest to said application program further comprises a virtual machine identifier of a virtual machine partition using said virtualized PCR.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. A system as in claim 7, wherein loading resultant values into the physical PCR of said TPM provides TPM functions to values stored in said virtualized PCR.
  - 9. A system as in claim 8, wherein the TPM functions include at least one of TPM extend, TPM quoting, and TPM sealing.
  - 10. A system as in claim 7, wherein said TPM interface starts said identified virtualized PCR at a start value representative of behavior of said identified virtualized PCR.
  - 11. A system as in claim 7, wherein said TPM interface further hashes at least two identified data structures together and resets and loads said physical PCR with the hashed value for application of TPM functions to the hashed value.
  - 12. A system as in claim 7, wherein the TPM interface prohibits anything other than said TPM interface from modifying or resetting said identified virtualized PCR.
  - 13. A system as in claim 7, wherein said TPM interface initializes at least one virtualized PCR with information of interest to said application program, said information including at least one of a process identifier for said application program, a hash of a BIOS that booted an operating system of said application program in a virtual machine environment, and a credential based on an identity of said application program.
  - 14. A system as in claim 7, wherein a name of each virtualized PCR is a universally unique identifier (UUID).

15. A computer readable medium excluding signals having instructions stored thereon that when executed by a processor cause said processor to implement a method comprising the steps of:
- virtualizing at least one physical platform control register (PCR) of a Trusted Platform Module (TPM) for storage of a log of values representative of a state of an application program and its environment;
  
  identifying a virtualized PCR by name;
  
  enabling the application program to command the TPM interface to create a data structure containing the contents of the identified virtualized PCR;
  
  hashing contents and names of one or more virtualized PCRs together and loading a resultant value into a physical PCR of said TPM wherein one of the hashed virtualized PCRs contains the log of values;
  
  providing said application program with selective access to said identified virtualized PCR for storage of said log of values for said application program;
  
  modifying or resetting said identified virtualized PCR to a value representative of a trusted state of said application program; and
  
  initializing at least one virtualized PCR with information of interest to said application program,wherein said information comprising a security identifier of said application program, andwherein said information further comprises a virtual machine identifier of a virtual machine partition using said virtualized PCR.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Setzer, Matthew C., England, Paul
Primary Examiner(s)
Dada; Beemnet W
Assistant Examiner(s)
SCHWARTZ, DARREN B

Application Number

US11/080,906
Publication Number

US 20060212939A1
Time in Patent Office

2,072 Days
Field of Search

713/150, 713155-156, 713164-167, 713175-176, 713/180, 713187-189, 713/193, 711/100, 711147-148, 717120-121, 717/127, 718/1
US Class Current

713/162
CPC Class Codes

G06F 21/57 Certifying or maintaining t...

Virtualization of software configuration registers of the TPM cryptographic processor

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

63 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Virtualization of software configuration registers of the TPM cryptographic processor

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links