Virtualization of software configuration registers of the TPM cryptographic processor
First Claim
1. A computer-implemented method of checking an application program of a software platform in a Trusted Platform Module (TPM) to determine if the application program can be trusted by the software platform, comprising:
- a computer providing a TPM interface to virtualize at least one physical platform control register (PCR) of said TPM for storage of a log of values representative of a state of the application program and its environment;
- said computer providing the TPM interface that identifies a virtualized PCR by name;
- said TPM interface enabling the application program to command the TPM interface to create a data structure containing the contents of the identified virtualized PCR;
- said computer hashing contents and names of one or more virtualized PCRs together and loading a resultant value into a physical PCR of said TPM, wherein one of the hashed virtualized PCRs contains the log of values representative of the state of the application program and its environment;
- said TPM interface providing selective access to said identified virtualized PCR for storage of said log of values for said application program;
- said TPM interface modifying or resetting said identified virtualized PCR to a value representative of a trusted state of said application program; and
- said TPM interface initializing at least one virtualized PCR with information of interest to said application program, said information of interest to said application program comprising a security identifier of said application program, and wherein said information of interest to said application program further comprises a virtual machine identifier of a virtual machine partition using said virtualized PCR.
Abstract
A virtual PCR (VPCR) construct is provided that can be cryptographically tagged as optionally resettable or as enduring for the life of a client (process, virtual machine, and the like) and that can be loaded into a resettable hardware PCR to make use of the functionality of a Trusted Platform Module (TPM). The VPCRs may cryptographically reflect their characteristics (resettable or not) in their stored values. Also, since the PCRs are virtualized, they are (effectively) unlimited in number and may be given general names (UUIDs) that are less likely to collide. The VPCRs can be loaded into a physical PCR as needed, but in a way that stops one piece of software from impersonating another piece of software. The VPCRs thus enable all software using the TPM to be given access to TPM functionality (sealing, quoting, etc.) without security concerns.
15 Claims
1. A computer-implemented method of checking an application program of a software platform in a Trusted Platform Module (TPM) to determine if the application program can be trusted by the software platform, comprising:
- a computer providing a TPM interface to virtualize at least one physical platform control register (PCR) of said TPM for storage of a log of values representative of a state of the application program and its environment;
- said computer providing the TPM interface that identifies a virtualized PCR by name;
- said TPM interface enabling the application program to command the TPM interface to create a data structure containing the contents of the identified virtualized PCR;
- said computer hashing contents and names of one or more virtualized PCRs together and loading a resultant value into a physical PCR of said TPM, wherein one of the hashed virtualized PCRs contains the log of values representative of the state of the application program and its environment;
- said TPM interface providing selective access to said identified virtualized PCR for storage of said log of values for said application program;
- said TPM interface modifying or resetting said identified virtualized PCR to a value representative of a trusted state of said application program; and
- said TPM interface initializing at least one virtualized PCR with information of interest to said application program, said information of interest to said application program comprising a security identifier of said application program, and wherein said information of interest to said application program further comprises a virtual machine identifier of a virtual machine partition using said virtualized PCR.
Dependent claims: 2, 3, 4, 5, 6
7. A system for checking an application program of a software platform to determine if the application program can be trusted by the software platform, comprising:
- a Trusted Platform Module (TPM) including a cryptographic processor and at least one physical platform control register (PCR); and
- a computer readable medium excluding signals, said computer readable medium including instructions for a TPM interface, said TPM interface virtualizing at least one physical PCR of said TPM for storage of a log of values representative of a state of the application program and its environment, identifying a virtualized PCR by name, enabling the application program to command the TPM interface to create a data structure containing the contents of the identified virtualized PCR and its name, hashing contents and names of one or more virtualized PCRs together and loading a resultant value into a physical PCR of said TPM wherein one of the hashed virtualized PCRs contains the log of values, selectively accessing said identified virtualized PCR for storage of said log of values for said application program, modifying or resetting said identified virtualized PCR to a value representative of a trusted state of said application program, and initializing at least one virtualized PCR with information of interest to said application program, wherein said information of interest to said application program comprises a security identifier of said application program, and wherein said information of interest to said application program further comprises a virtual machine identifier of a virtual machine partition using said virtualized PCR.
Dependent claims: 8, 9, 10, 11, 12, 13, 14
15. A computer readable medium excluding signals having instructions stored thereon that when executed by a processor cause said processor to implement a method comprising the steps of:
- virtualizing at least one physical platform control register (PCR) of a Trusted Platform Module (TPM) for storage of a log of values representative of a state of an application program and its environment;
- identifying a virtualized PCR by name;
- enabling the application program to command the TPM interface to create a data structure containing the contents of the identified virtualized PCR;
- hashing contents and names of one or more virtualized PCRs together and loading a resultant value into a physical PCR of said TPM wherein one of the hashed virtualized PCRs contains the log of values;
- providing said application program with selective access to said identified virtualized PCR for storage of said log of values for said application program;
- modifying or resetting said identified virtualized PCR to a value representative of a trusted state of said application program; and
- initializing at least one virtualized PCR with information of interest to said application program, wherein said information comprising a security identifier of said application program, and wherein said information further comprises a virtual machine identifier of a virtual machine partition using said virtualized PCR.
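The abstract and claims describe a scheme rather than code: named virtual PCRs whose resettable/enduring property is reflected in their stored value, a VPCR initialized with the application's security identifier and VM partition identifier, and the names and contents of selected VPCRs hashed together and loaded into a resettable physical PCR so that one piece of software cannot present another's measurement log as its own. The following is an added illustration of that scheme, not code from the patent or any TPM vendor. The hash layout (SHA-256 over length-prefixed fields), the UUID naming, the `VirtualPCR`, `init_identity_vpcr` and `load_into_physical_pcr` names, and all identifiers in `demo()` are assumptions chosen for this example; the physical PCR is modelled as a 32-byte value rather than a real TPM command.

```python
"""Added illustration of the virtual-PCR (VPCR) construct from the abstract and claims.
Not the patent's own code; hash layout, naming and sample identifiers are assumptions."""
import hashlib
import uuid
from dataclasses import dataclass, field

DIGEST_LEN = 32  # SHA-256 digest length; modelled size of the physical PCR


def _h(*parts: bytes) -> bytes:
    """SHA-256 over a length-prefixed concatenation so adjacent fields cannot be confused."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


@dataclass
class VirtualPCR:
    name: str                                  # general name (UUID), unlikely to collide
    resettable: bool                           # "tagged as optionally resettable or enduring"
    log: list = field(default_factory=list)    # measured values, kept for auditing
    value: bytes = b""

    def __post_init__(self):
        # The reset value encodes the name and the resettable flag, so a resettable VPCR
        # and an enduring one never share a value chain even with identical logs.
        tag = b"resettable" if self.resettable else b"enduring"
        self.value = _h(b"VPCR-INIT", self.name.encode(), tag)

    def extend(self, measurement: bytes) -> bytes:
        """PCR extend semantics: new = H(old || measurement); the log records each input."""
        self.log.append(measurement)
        self.value = _h(self.value, measurement)
        return self.value

    def reset(self) -> None:
        """Selective reset: only a VPCR tagged resettable may return to its trusted state."""
        if not self.resettable:
            raise PermissionError(f"VPCR {self.name} is enduring for the client's lifetime")
        self.log.clear()
        self.__post_init__()

    def snapshot(self) -> dict:
        """The data structure containing the VPCR's contents and its name (claim 7)."""
        return {"name": self.name, "value": self.value.hex(), "resettable": self.resettable}


def init_identity_vpcr(security_id: str, vm_id: str, resettable: bool = False) -> VirtualPCR:
    """Initialize a VPCR with the 'information of interest': the application's security
    identifier and the identifier of the VM partition using it (claim 1, last limitation)."""
    name = str(uuid.uuid5(uuid.NAMESPACE_URL, f"vpcr:{vm_id}:{security_id}"))
    v = VirtualPCR(name=name, resettable=resettable)
    v.extend(b"SID:" + security_id.encode())
    v.extend(b"VMID:" + vm_id.encode())
    return v


def load_into_physical_pcr(vpcrs: list) -> bytes:
    """Hash the names AND contents of the selected VPCRs together, producing the value a
    freshly reset physical PCR would hold.  Binding the name into the hash is what stops
    one component from impersonating another: same log, different name, different PCR."""
    physical = bytes(DIGEST_LEN)                       # resettable hardware PCR after reset
    for v in sorted(vpcrs, key=lambda x: x.name):     # canonical order for determinism
        physical = _h(physical, v.name.encode(), v.value)
    return physical


def demo() -> dict:
    """Constructed scenario: two components record identical logs under distinct names."""
    app = VirtualPCR("6e2f1f2a-1111-4c3d-9a7e-000000000001", resettable=True)   # constructed
    other = VirtualPCR("6e2f1f2a-2222-4c3d-9a7e-000000000002", resettable=True) # constructed
    for v in (app, other):
        v.extend(b"module:app.exe digest=<constructed>")
    ident = init_identity_vpcr("S-1-5-21-0-0-0-1001", "vm-42")                  # constructed
    return {
        "same_log_same_value": app.value == other.value,   # False: the name is in the chain
        "physical_distinct": load_into_physical_pcr([app, ident])
        != load_into_physical_pcr([other, ident]),
        "physical_pcr": load_into_physical_pcr([app, ident]).hex(),
    }


if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k}: {val}")
```

The design point worth noting is that impersonation resistance does not come from access control alone: even if two clients could both read each other's VPCR snapshots, the value that reaches the physical PCR is bound to the VPCR's name, and the reset value is bound to the resettable flag, so neither property can be swapped without changing every downstream quote or seal.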
Specification