System and method for N-ary locality in a security co-processor

US 8,479,017 B2
Filed: 06/21/2010
Issued: 07/02/2013
Est. Priority Date: 06/21/2010
Status: Active Grant

First Claim

Patent Images

1. A method of expanding locality in a security co-processor module of a computing system comprising:

setting a security mode of the security co-processor module to an enhanced mode in response to a determination that the computing system provides a capability to obtain the current geographic location;

receiving a request by the security co-processor module to execute an operation;

determining the security mode for the security co-processor module;

when the security mode is set to a normal mode, checking a machine mode of the computing system and executing the requested operation when the machine mode is acceptable;

when the security mode is set to an enhanced mode, getting a security policy, getting a current geographic location of the computing system and a current trusted time, determining if the requested operation is acceptable according to geographic location and trusted time attribute entries specified in the security policy, the current geographic location, and the current trusted time, and checking the machine mode of the computing system; and

when the requested operation and machine mode are both acceptable, executing the requested operation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Enhancing locality in a security co-processor module of a computing system may be achieved by including one or more additional attributes such as geographic location, trusted time, a hardware vendor string, and one or more environmental factors into an access control space for machine mode measurement of a computing system.

Citations

30 Claims

1. A method of expanding locality in a security co-processor module of a computing system comprising:
- setting a security mode of the security co-processor module to an enhanced mode in response to a determination that the computing system provides a capability to obtain the current geographic location;
  
  receiving a request by the security co-processor module to execute an operation;
  
  determining the security mode for the security co-processor module;
  
  when the security mode is set to a normal mode, checking a machine mode of the computing system and executing the requested operation when the machine mode is acceptable;
  
  when the security mode is set to an enhanced mode, getting a security policy, getting a current geographic location of the computing system and a current trusted time, determining if the requested operation is acceptable according to geographic location and trusted time attribute entries specified in the security policy, the current geographic location, and the current trusted time, and checking the machine mode of the computing system; and
  
  when the requested operation and machine mode are both acceptable, executing the requested operation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising adding an entry to the security policy for geographic location in response to the determination that the computing system provides the capability to obtain the current geographic location.
  - 3. The method of claim 1, further comprising adding an entry to the security policy for trusted time in response to a determination that the computing system provides a capability to obtain the trusted time.
  - 4. The method of claim 1, further comprising adding an entry to the security policy for a hardware vendor string in response to a determination that the computing system provides a capability to obtain the hardware vendor string.
  - 5. The method of claim 4, further comprising getting the hardware vendor string, and determining if the requested operation is acceptable according to the hardware vendor string entry specified in the security policy and the hardware vendor string.
  - 6. The method of claim 5, wherein the hardware vendor string identifies a vendor of a processor of the computing system.
  - 7. The method of claim 1, further comprising adding an entry to the security policy for environmental factors in response to a determination that the computing system provides a capability to sense one or more environmental factors.
  - 8. The method of claim 7, further comprising getting one or more current environmental factors, and determining if the requested operation is acceptable according to the environmental factors entry specified in the security policy and the current one or more environmental factors.
  - 9. The method of claim 8, wherein the one or more environmental factors comprise one or more of temperature, acceleration, capacitance, elevation and orientation of the computing system.
  - 10. The method of claim 1, further comprising shutting down the computing system when the requested operation or machine mode is unacceptable.

11. An article comprising a non-transitory machine readable medium having a plurality of machine instructions that, in response to execution by a security co-processor module within a computing system, cause the security co-processor module to:
- set a security mode of the security co-processor module to an enhanced mode in response to a determination that the computing system provides a capability to obtain a current geographic location;
  
  receive a request by the security co-processor module to execute an operation;
  
  determine the security mode for the security co-processor module;
  
  when the security mode is set to a normal mode, check a machine mode of the computing system and execute the requested operation when the machine mode is acceptable;
  
  when the security mode is set to the enhanced mode, get a security policy, get a current geographic location of the computing system and a current trusted time, determine if the requested operation is acceptable according to geographic location and trusted time attribute entries specified in the security policy, the current geographic location, and the current trusted time, and check the machine mode of the computing system; and
  
  when the requested operation and the machine mode both are acceptable, execute the requested operation.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The article of claim 11, further comprising instructions that, in response to execution by the security co-processor module, cause the security co-processor module to add an entry to the security policy for geographic location in response to the determination that the computing system provides the capability to obtain the current geographic location.
  - 13. The article of claim 11, further comprising instructions that, in response to execution by the security co-processor module, cause the security co-processor module to add an entry to the security policy for trusted time and set the security mode of the security co-processor module to enhanced in response to a determination that the computing system provides a capability to obtain the trusted time.
  - 14. The article of claim 11, further comprising instructions that, in response to execution by the security co-processor module, cause the security co-processor module to add an entry to the security policy for a hardware vendor string and set the security mode of the security co-processor module to enhanced in response to a determination that the computing system provides a capability to obtain the hardware vendor string.
  - 15. The article of claim 14, further comprising instructions that, in response to execution by the security co-processor module, cause the security co-processor module to get the hardware vendor string, and determine if the requested operation is acceptable according to the hardware vendor string entry specified in the security policy and the hardware vendor string.
  - 16. The article of claim 15, wherein the hardware vendor string identifies a vendor of a processor of the computing system.
  - 17. The article of claim 11, further comprising instructions that, in response to execution by the security co-processor module, cause the security co-processor module to add an entry to the security policy for environmental factors and set the security mode of the security co-processor module to enhanced in response to a determination that the computing system provides a capability to sense one or more environmental factors.
  - 18. The article of claim 17, further comprising instructions that, in response to execution by the security co-processor module, cause the security co-processor module to get one or more current environmental factors, and determining if the requested operation is acceptable according to the environmental factors entry specified in the security policy and the current one or more environmental factors.
  - 19. The article of claim 18, wherein the one or more environmental factors comprise one or more of temperature, acceleration, capacitance, elevation and orientation of the computing system.
  - 20. The article of claim 11, wherein the security co-processor module comprises a trusted platform module (TPM).

21. A security co-processor circuit of a computing system having:
- a security mode configured to be settable to a normal mode or an enhanced mode when the computing system provides a capability to obtain a current geographic location or a current trusted time; and
  
  a security policy configured to receive one or more entries associated with increasing security of the computing system;
  
  wherein the security co-processor circuit is configured to;
  
  receive a request to execute an operation;
  
  when the security mode is set to the normal mode, to check a machine mode of the computing system and to execute the requested operation when the machine mode is acceptable;
  
  when the security mode is set to the enhanced mode, to get a current geographic location of the computing system and a current trusted time, to determine if the requested operation is acceptable according to geographic location and trusted time attribute entries specified in the security policy, the current geographic location, and the current trusted time, and to check the machine mode of the computing system; and
  
  when the requested operation and the machine mode are both acceptable, execute the requested operation.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The security co-processor circuit of claim 21, wherein the security co-processor circuit is further configured to add an entry to the security policy for geographic location in response to the determination that the computing system provides the capability to obtain the current geographic location.
  - 23. The security co-processor circuit of claim 21, wherein the security co-processor circuit is further configured to add an entry to the security policy for trusted time and to set the security mode to enhanced in response to a determination that the computing system provides the capability to obtain the trusted time.
  - 24. The security co-processor circuit of claim 21, wherein the security co-processor circuit is further configured to add an entry to the security policy for a hardware vendor string and to set the security mode to enhanced in response to a determination that the computing system provides a capability to obtain the hardware vendor string.
  - 25. The security co-processor circuit of claim 24, wherein the security co-processor circuit is further configured to get the hardware vendor string, and to determine if the requested operation is acceptable according to the hardware vendor string entry specified in the security policy and the hardware vendor string.
  - 26. The security co-processor circuit of claim 25, wherein the hardware vendor string identifies a vendor of a processor of the computing system.
  - 27. The security co-processor circuit of claim 21, further wherein the security co-processor circuit is further configured to add an entry to the security policy for environmental factors and to set the security mode to enhanced in response to a determination that the computing system provides a capability to sense one or more environmental factors.
  - 28. The security co-processor circuit of claim 27, wherein the security co-processor circuit is further configured to get one or more current environmental factors, and to determine if the requested operation is acceptable according to the environmental factors entry specified in the security policy and the current one or more environmental factors.
  - 29. The security co-processor circuit of claim 28, wherein the one or more environmental factors comprise one or more of temperature, acceleration, capacitance, elevation and orientation of the computing system.
  - 30. The security co-processor circuit of claim 21, wherein the security co-processor circuit comprises a trusted platform module (TPM).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Zimmer, Vincent J., Rothman, Michael A., Swanson, Robert C., Sakthikumar, Palsamy, Bulusu, Mallik
Primary Examiner(s)
GEORGANDELLIS, ANDREW C

Application Number

US12/819,933
Publication Number

US 20110314298A1
Time in Patent Office

1,107 Days
Field of Search

713/189, 713/178, 713/192, 713/194
US Class Current

713/189
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2151   Time stamp

System and method for N-ary locality in a security co-processor

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for N-ary locality in a security co-processor

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links