Method and apparatus for binding TPM keys to execution entities

US 7,908,483 B2
Filed: 06/30/2005
Issued: 03/15/2011
Est. Priority Date: 06/30/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

measuring an execution entity to generate a digest value, according to an authorization request issued by the execution entity for authorization data, the digest value required by a trusted platform module (TPM) to use a key protected within the TPM; and

granting the authorization request if the digest value verifies that the execution entity is the owner of the key, to restrict use of the key to an execution entity that is the owner of the key, to ensure that the execution entity has exclusive access to the key, wherein granting the authorization request comprises applying the authorization data to each command issued by the execution entity to the TPM for use of the key to prohibit disclosure of the authorization data to the execution entity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for binding trusted platform module (TPM) keys to execution entities are described. In one embodiment, the method includes the receipt of an authorization request issued by an execution entity for authorization data. According to the authorization request, the execution entity may be measured to generate an entity digest value. Once the entity digest value is generated, a platform reference module may grant the authorization request if the entity digest value verifies that the execution entity is an owner of the key held by the TPM. Accordingly, in one embodiment, a platform reference module, rather than an execution entity, holds the authorization data required by a TPM to use a key owned by the execution entity and held within sealed storage by the TPM. Other embodiments are described and claimed.

30 Citations

View as Search Results

13 Claims

1. A method comprising:
- measuring an execution entity to generate a digest value, according to an authorization request issued by the execution entity for authorization data, the digest value required by a trusted platform module (TPM) to use a key protected within the TPM; and
  
  granting the authorization request if the digest value verifies that the execution entity is the owner of the key, to restrict use of the key to an execution entity that is the owner of the key, to ensure that the execution entity has exclusive access to the key, wherein granting the authorization request comprises applying the authorization data to each command issued by the execution entity to the TPM for use of the key to prohibit disclosure of the authorization data to the execution entity.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein granting the authorization request further comprises:
    - transmitting the authorization data to the TPM.
  - 3. The method of claim 1, wherein applying the authorization data further comprises:
    - receiving command parameters from the execution entity;
      
      applying the authorization data to the received command parameters to generate a command digest value;
      
      transmitting the command digest value to the execution entity; and
      
      issuing, by the execution entity, the command digest value to the TPM for use of the key.
  - 4. The method of claim 1, wherein granting compromises:
    - comparing the digest value of execution entity with a digest value of the owner of the key; and
      
      verifying the execution entity as the owner of the key if the digest value of execution entity matches the digest value of the owner of the key.

5. An article of manufacture comprising a non-transitory computer readable storage medium having associated data, wherein the data, when accessed, results in a machine performing:
- generating, by a platform reference module, authorization data for a requested key according to a key generation request issued by an execution entity;
  
  measuring the execution entity to generate an ownership digest value to ensure that the execution entity has exclusive access to the requested key;
  
  issuing a key creation command to a trusted platform module (TPM) including the authorization data, wherein the TPM is to require the authorization data for use of the requested key;
  
  generating a key credential to include a digest of the platform reference module, a digest of trusted computing blocks of the platform reference module and an authorization disclosure mechanism; and
  
  providing the key credential to the execution entity to enable the execution entity to verify that the authorization data required by the TPM for use of the requested key is held by the platform reference module, to restrict use of the key to an execution entity that is the owner of the key.
- View Dependent Claims (6, 7, 8, 9)
- - 6. The article of manufacture of claim 5, wherein providing the execution entity with the key credential further results in the machine performing:
    - signing the key credential with a certification key owned by the platform reference module.
  - 7. The article of manufacture of claim 5, wherein the non-transitory computer readable storage medium further includes data, which when accessed by the machine further results in the machine performing:
    - storing the ownership digest value in combination with the authorization data within a key table held within sealed storage by the TPM.
  - 8. The article of manufacture of claim 7, wherein the non-transitory computer readable storage medium further includes data, which when accessed by the machine further results in the machine performing:
    - receiving an authorization request issued by the execution entity for the authorization data required by the TPM to use the key held within sealed storage by the TPM;
      
      measuring the execution entity to generate an entity digest value; and
      
      granting the authorization request if the entity digest value verifies that the execution entity is an owner of the key.
  - 9. The article of manufacture of claim 8, wherein granting the authorization request further results in the machine performing:
    - comparing the entity digest value with an owner digest value of an owner of the key; and
      
      verifying the execution entity as the owner of the key if the entity digest value of the matches the owner digest value of the owner of the key.

10. A computer platform comprising:
- a trusted platform module (TPM), including a processor and a non-volatile memory to provide sealed storage of at least one entity key owned;
  
  a trusted measurement agent to measure an execution entity to generate an entity digest value according to an authorization request issued by the execution entity for authorization data required by the TPM to use an entity key held within the sealed storage of the TPM; and
  
  a platform reference module to grant an authorization request issued by an execution entity if an entity digest value measured from the execution entity verifies that the execution entity is an owner of the entity key, to restrict use of the key to an execution entity that is the owner of the key to ensure that the execution entity has exclusive access to the key,wherein the TPM is to provide sealed storage of at least one parent key owned by the platform reference module, the TPM to restrict use of the parent key to a trusted platform bootup state to provide the platform reference module exclusive access to load one or more child keys of the parent key during the trusted platform bootup state.
- View Dependent Claims (11, 12, 13)
- - 11. The computer platform of claim 10, wherein the platform reference module is to:
    - generate authorization data for a requested key according to a key generation request issued by the execution entity;
      
      store a measurement of the execution entity as an owner digest value;
      
      issue a key creation command for the requested key to the TPM including the authorization data, wherein the authorization data is required by the TPM for use of the requested key; and
      
      provide a key credential to the execution entity to enable the execution entity to verify that the authorization data required by the TPM for use of the requested key is held by the platform reference module.
  - 12. The computer platform of claim 10, further comprising:
    - a chipset coupled to the TPM;
      
      a processor coupled to the chipset; and
      
      non-volatile memory coupled to the chipset, the non-volatile memory including;
      
      a platform initialization module to bootstrap the platform to a trusted platform bootup state required by the TPM for use of a parent key owned by the platform reference module and held in sealed storage by the TPM to restrict the platform reference module to exclusive access to load one or more child keys of the parent key during the trusted platform bootup state.
  - 13. The computer platform of claim 12, wherein the TPM further comprises:
    - at least one platform configuration register (PCR) to bind use of the parent key to the trusted platform bootup state according to one or more PCR BOOTENV values and a PCR POST_BOOT value, wherein the platform initialization module to modify a platform POST_BOOT value to disable use of the parent key once platform bootup progresses beyond the trusted platform bootup state.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Scarlata, Vincent R., Rozas, Carlos V., Iliev, Alexander
Primary Examiner(s)
CHEN, SHIN HON

Application Number

US11/170,853
Publication Number

US 20070006169A1
Time in Patent Office

2,084 Days
Field of Search

713/176, 713/186, 713/164, 713/156, 380/44, 380/277
US Class Current

713/176
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 21/72   in cryptographic circuits

G06F 2221/2141   Access rights, e.g. capabil...

H04L 9/0897   involving additional device...

Method and apparatus for binding TPM keys to execution entities

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

30 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for binding TPM keys to execution entities

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links