Method and apparatus for binding TPM keys to execution entities
First Claim
1. A method comprising:
measuring an execution entity to generate a digest value, according to an authorization request issued by the execution entity for authorization data, wherein the digest value is for a trusted hardware entity to use a key protected within the trusted entity; and
granting the authorization request if it is verified via the digest value that the execution entity is an owner of the key, wherein granting the authorization request is to ensure that the execution entity has exclusive access to the key.
Abstract
A method and apparatus for binding trusted platform module (TPM) keys to execution entities are described. In one embodiment, the method includes the receipt of an authorization request issued by an execution entity for authorization data. According to the authorization request, the execution entity may be measured to generate an entity digest value. Once the entity digest value is generated, a platform reference module may grant the authorization request if the entity digest value verifies that the execution entity is an owner of the key held by the TPM. Accordingly, in one embodiment, a platform reference module, rather than an execution entity, holds the authorization data required by a TPM to use a key owned by the execution entity and held within sealed storage by the TPM. Other embodiments are described and claimed.
31 Claims
1. A method comprising:
measuring an execution entity to generate a digest value, according to an authorization request issued by the execution entity for authorization data, wherein the digest value is for a trusted hardware entity to use a key protected within the trusted entity; and granting the authorization request if it is verified via the digest value that the execution entity is an owner of the key, wherein granting the authorization request is to ensure that the execution entity has exclusive access to the key.
Dependent claims: 2 to 8.

9. An article of manufacture comprising a non-transitory machine-accessible storage medium having associated instructions that, when accessed, results in a machine performing a method comprising:
measuring an execution entity to generate a digest value, according to an authorization request issued by the execution entity for authorization data, wherein the digest value is for a trusted entity to use a key protected within the trusted entity; and granting the authorization request if it is verified via the digest value that the execution entity is an owner of the key, wherein granting the authorization request is to ensure that the execution entity has exclusive access to the key.
Dependent claims: 10 to 16.

17. A method comprising:
generating authorization data for a requested key according to a key generation request issued by an execution entity; measuring the execution entity to generate an ownership digest value; issuing a key creation command to a trusted entity including the authorization data, wherein the trusted entity is to require the authorization data for use of the requested key; and providing a key credential to the execution entity to enable the execution entity to verify that the authorization data required by the trusted entity for use of the requested key is held by a platform reference module, wherein the execution entity to have exclusive access to the requested key.
Dependent claims: 18 to 26.

27. A platform comprising:
a trusted entity including a processor and a non-volatile memory to provide storage of a key; a trusted measurement agent to measure an execution entity to generate a digest value according to an authorization request issued by the execution entity for authorization data, wherein the digest value is for the trusted entity to use a key held within the non-volatile memory of the trusted entity; and a platform reference module to grant an authorization request issued by the execution entity if it is verified via the digest value from the trusted measurement agent that the execution entity is an owner of the key, wherein granting the authorization request is to ensure that the execution entity has exclusive access to the key.
Dependent claims: 28 to 31.
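The abstract and claims 1, 17 and 27 describe one procedure in two halves: at key creation the platform reference module (PRM) generates the authorization data, measures the requesting execution entity to obtain an ownership digest, asks the trusted entity (TPM) to create the key under that authorization data, and hands the entity a credential; at use time the PRM re-measures the requester and supplies the authorization data to the TPM only if the digest matches the recorded owner, so the entity itself never holds the secret the TPM demands. The Python model below is added here as an illustration and is not code from the patent or from any TPM implementation. The classes ToyTPM and PlatformReferenceModule, the SHA-256 code-image measurement, the 20-byte authorization data, the HMAC standing in for "use of the key", and the MAC-based key credential are all assumptions of this example; a real TPM would use its own key creation and authorized-use commands, and a real PRM would sign the credential with a certified key.

```python
import hashlib
import hmac
import secrets


def measure(code_image: bytes) -> bytes:
    """Trusted measurement agent: the entity digest is SHA-256 over its code
    image (the hash and the notion of 'code image' are assumptions here)."""
    return hashlib.sha256(code_image).digest()


class ToyTPM:
    """Stand-in for the trusted hardware entity. Each key sits in 'sealed'
    storage together with the authorization data the TPM demands on use."""

    def __init__(self) -> None:
        self._keys: dict[str, tuple[bytes, bytes]] = {}  # handle -> (secret, authdata)

    def create_key(self, authdata: bytes) -> str:
        handle = f"key-{len(self._keys) + 1}"
        self._keys[handle] = (secrets.token_bytes(32), authdata)
        return handle

    def hmac_sign(self, handle: str, authdata: bytes, msg: bytes) -> bytes:
        """Use the key; refuses unless the caller presents the right authdata."""
        secret, expected = self._keys[handle]
        if not hmac.compare_digest(authdata, expected):
            raise PermissionError(f"TPM: wrong authorization data for {handle}")
        return hmac.new(secret, msg, hashlib.sha256).digest()


class PlatformReferenceModule:
    """Holds authdata on behalf of execution entities and releases key use only
    to the entity whose current measurement matches the one recorded at creation."""

    def __init__(self, tpm: ToyTPM) -> None:
        self.tpm = tpm
        self._authdata: dict[str, bytes] = {}  # handle -> authdata, never exported
        self._owner: dict[str, bytes] = {}     # handle -> ownership digest
        self._cred_key = secrets.token_bytes(32)  # assumed PRM credential key

    def create_key(self, entity_code: bytes) -> tuple[str, bytes]:
        """Claim 17 flow: generate authdata, measure the requester, create the
        key in the TPM, return a credential binding the handle to the owner."""
        authdata = secrets.token_bytes(20)
        digest = measure(entity_code)
        handle = self.tpm.create_key(authdata)
        self._authdata[handle] = authdata
        self._owner[handle] = digest
        credential = hmac.new(self._cred_key, handle.encode() + digest,
                              hashlib.sha256).digest()
        return handle, credential

    def verify_credential(self, handle: str, digest: bytes, credential: bytes) -> bool:
        """Lets an entity confirm the PRM holds authdata for `handle` bound to
        `digest` (a MAC in this toy; a real PRM would use a certified signature)."""
        expected = hmac.new(self._cred_key, handle.encode() + digest,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, credential)

    def use_key(self, handle: str, requester_code: bytes, msg: bytes) -> bytes:
        """Claim 1 flow: re-measure the requester and grant only if it is the owner."""
        digest = measure(requester_code)
        if not hmac.compare_digest(digest, self._owner.get(handle, b"")):
            raise PermissionError(f"PRM: requester is not the owner of {handle}")
        return self.tpm.hmac_sign(handle, self._authdata[handle], msg)


def try_use(prm: PlatformReferenceModule, handle: str, code: bytes, msg: bytes):
    """Return the MAC on success, or None when the PRM or TPM refuses."""
    try:
        return prm.use_key(handle, code, msg)
    except PermissionError:
        return None


def run_demo() -> dict:
    """Creation and use with constructed code images: the recorded owner is
    granted, a patched copy of it is refused, and nobody can drive the TPM
    directly without the authdata the PRM keeps to itself."""
    tpm = ToyTPM()
    prm = PlatformReferenceModule(tpm)
    owner = b"constructed code image: entity A, build 1"
    tampered = b"constructed code image: entity A, build 1, patched"
    handle, credential = prm.create_key(owner)
    mac_ok = try_use(prm, handle, owner, b"attest me")
    mac_bad = try_use(prm, handle, tampered, b"attest me")
    try:
        tpm.hmac_sign(handle, b"\x00" * 20, b"attest me")  # guessed authdata
        direct = True
    except PermissionError:
        direct = False
    return {
        "credential_ok": prm.verify_credential(handle, measure(owner), credential),
        "credential_for_other_digest": prm.verify_credential(handle, measure(tampered), credential),
        "owner_granted": mac_ok is not None,
        "tampered_granted": mac_bad is not None,
        "direct_tpm_granted": direct,
        "repeatable": mac_ok == try_use(prm, handle, owner, b"attest me"),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Two properties of the model are worth noticing because they carry over to the real scheme. The PRM and the measurement agent are the trust anchor: an attacker who can alter the requester's code image changes its digest and is refused, but one who can alter the PRM's owner table or the agent's measurement is not. And the digest identifies a code image, not a process instance, so two identically measured copies of the entity are the same owner as far as the PRM is concerned; any per-instance distinction has to come from something outside the measurement.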
Specification