Method and apparatus for binding TPM keys to execution entities
First Claim
1. A method comprising:
- measuring an execution entity to generate a digest value, according to an authorization request issued by the execution entity for authorization data, the digest value required by a trusted platform module (TPM) to use a key protected within the TPM; and
granting the authorization request if the digest value verifies that the execution entity is the owner of the key, to restrict use of the key to an execution entity that is the owner of the key, to ensure that the execution entity has exclusive access to the key, wherein granting the authorization request comprises applying the authorization data to each command issued by the execution entity to the TPM for use of the key to prohibit disclosure of the authorization data to the execution entity.
1 Assignment
0 Petitions
Accused Products
Abstract
A method and apparatus for binding trusted platform module (TPM) keys to execution entities are described. In one embodiment, the method includes the receipt of an authorization request issued by an execution entity for authorization data. According to the authorization request, the execution entity may be measured to generate an entity digest value. Once the entity digest value is generated, a platform reference module may grant the authorization request if the entity digest value verifies that the execution entity is an owner of the key held by the TPM. Accordingly, in one embodiment, a platform reference module, rather than an execution entity, holds the authorization data required by a TPM to use a key owned by the execution entity and held within sealed storage by the TPM. Other embodiments are described and claimed.
30 Citations
13 Claims
-
1. A method comprising:
-
measuring an execution entity to generate a digest value, according to an authorization request issued by the execution entity for authorization data, the digest value required by a trusted platform module (TPM) to use a key protected within the TPM; and granting the authorization request if the digest value verifies that the execution entity is the owner of the key, to restrict use of the key to an execution entity that is the owner of the key, to ensure that the execution entity has exclusive access to the key, wherein granting the authorization request comprises applying the authorization data to each command issued by the execution entity to the TPM for use of the key to prohibit disclosure of the authorization data to the execution entity. - View Dependent Claims (2, 3, 4)
-
-
5. An article of manufacture comprising a non-transitory computer readable storage medium having associated data, wherein the data, when accessed, results in a machine performing:
-
generating, by a platform reference module, authorization data for a requested key according to a key generation request issued by an execution entity; measuring the execution entity to generate an ownership digest value to ensure that the execution entity has exclusive access to the requested key; issuing a key creation command to a trusted platform module (TPM) including the authorization data, wherein the TPM is to require the authorization data for use of the requested key; generating a key credential to include a digest of the platform reference module, a digest of trusted computing blocks of the platform reference module and an authorization disclosure mechanism; and providing the key credential to the execution entity to enable the execution entity to verify that the authorization data required by the TPM for use of the requested key is held by the platform reference module, to restrict use of the key to an execution entity that is the owner of the key. - View Dependent Claims (6, 7, 8, 9)
-
-
10. A computer platform comprising:
-
a trusted platform module (TPM), including a processor and a non-volatile memory to provide sealed storage of at least one entity key owned; a trusted measurement agent to measure an execution entity to generate an entity digest value according to an authorization request issued by the execution entity for authorization data required by the TPM to use an entity key held within the sealed storage of the TPM; and a platform reference module to grant an authorization request issued by an execution entity if an entity digest value measured from the execution entity verifies that the execution entity is an owner of the entity key, to restrict use of the key to an execution entity that is the owner of the key to ensure that the execution entity has exclusive access to the key, wherein the TPM is to provide sealed storage of at least one parent key owned by the platform reference module, the TPM to restrict use of the parent key to a trusted platform bootup state to provide the platform reference module exclusive access to load one or more child keys of the parent key during the trusted platform bootup state. - View Dependent Claims (11, 12, 13)
-
Specification