Provisioning a computing system for digital rights management

US 8,661,552 B2
Filed: 06/28/2007
Issued: 02/25/2014
Est. Priority Date: 06/28/2007
Status: Active Grant

First Claim

Patent Images

1. A single-device system comprising:

one or more computer-readable storage media hardware;

computer-readable instructions on the one or more computer-readable storage media hardware which, responsive to execution by at least one processor, are configured to;

provide a digital rights management (DRM) partition which, when created, comprises an empty operating environment that does not include DRM functionality and is to be provisioned with DRM software, including executable DRM software configured to acquire, manage, and enforce licenses associated with protected content;

provide a hypervisor that is configured to;

provide partitioning functionality on the system, including the DRM partition which is to be provisioned with the DRM software,wherein the DRM partition is configured to have all associated DRM functionality executing within the DRM partition remotely provisioned; and

maintain isolation between partitions on the system; and

wherein the DRM partition is further configured to generate an attestation request to a network-accessible individualization service to initiate a provisioning process in which it receives the DRM software, wherein the attestation request includes;

an identification of the DRM partition;

an identification of the single-device associated with the DRM partition;

an identification of a version of an operating system running on the single-device; and

an identification of the hypervisor that is running on the single-device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments utilize hardware-enforced boundaries to provide various aspects of digital rights management or DRM in an open computing environment. Against the backdrop of these hardware-enforced boundaries, DRM provisioning techniques are employed to provision such things as keys and DRM software code in a secure and robust way. Further, at least some embodiments utilize secure time provisioning techniques to provision time to the computing environment, as well as techniques that provide for tamper-resistant storage.

Citations

20 Claims

1. A single-device system comprising:
- one or more computer-readable storage media hardware;
  
  computer-readable instructions on the one or more computer-readable storage media hardware which, responsive to execution by at least one processor, are configured to;
  
  provide a digital rights management (DRM) partition which, when created, comprises an empty operating environment that does not include DRM functionality and is to be provisioned with DRM software, including executable DRM software configured to acquire, manage, and enforce licenses associated with protected content;
  
  provide a hypervisor that is configured to;
  
  provide partitioning functionality on the system, including the DRM partition which is to be provisioned with the DRM software,wherein the DRM partition is configured to have all associated DRM functionality executing within the DRM partition remotely provisioned; and
  
  maintain isolation between partitions on the system; and
  
  wherein the DRM partition is further configured to generate an attestation request to a network-accessible individualization service to initiate a provisioning process in which it receives the DRM software, wherein the attestation request includes;
  
  an identification of the DRM partition;
  
  an identification of the single-device associated with the DRM partition;
  
  an identification of a version of an operating system running on the single-device; and
  
  an identification of the hypervisor that is running on the single-device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The single-device system of claim 1, wherein the DRM partition is configured to, as part of the provisioning process, receive one or more encrypted keys.
  - 3. The single-device system of claim 1, wherein the DRM partition is configured to, as part of the provisioning process, receive one or more encrypted keys and cause said one or more keys to be stored in a gated, hardware key storage.
  - 4. The single-device of claim 1, wherein the DRM partition is configured to, as part of the provisioning process, receive one or more encrypted keys, and wherein only a specifically identified version of the DRM partition identified in the attestation request can make use of the one or more keys.
  - 5. The single-device of claim 1, wherein the DRM partition is configured to receive encrypted DRM software and cause said software to be stored, in encrypted form, in a local storage.
  - 6. The single-device of claim 1, wherein the DRM partition is configured to receive encrypted DRM software and cause said software to be stored, in encrypted form, in a local storage, and wherein the DRM partition is configured to receive one or more encrypted keys and said encrypted DRM software via the Internet.
  - 7. The system of claim 1, wherein the hypervisor is further configured to enable access to the DRM partition through one or more programmatic interface calls associated with the hypervisor.
  - 8. The single-device system of claim 1, wherein at least some DRM software comprises a policy enforcement module configured to perform one or more time-based DRM decisions associated with the protected content.

9. A computer-implemented method comprising:
- contacting a remote provisioning service that is configured to provision Digital Rights Management (DRM) functionality to one or more computing devices, wherein at least some provisionable DRM functionality includes DRM software configured to acquire, manage, and enforce licenses associated with protected content, the DRM software further being encrypted and configured to only decrypt in a DRM partition, the DRM partition configured to have all associated DRM functionality executing within the DRM partition remotely provisioned, wherein said act of contacting is performed, at least in part, by a DRM partition that is managed by a hypervisor;
  
  receiving, from the remote provisioning service, encrypted content that is to be used to provision the DRM functionality on a computing device that performed said act of contacting;
  
  using said encrypted content to provision DRM functionality on said computing device; and
  
  responsive to receiving provisioned DRM functionality, using at least some of said provisioned DRM functionality to acquire, manage, and enforce one or more licenses associated with protected content,wherein contacting the remote provisioning service comprises sending an attestation request to initiate a provisioning process, the attestation request comprising;
  
  an identification of the DRM partition;
  
  an identification of the computer associated with the DRM partition;
  
  an identification of a version of an operating system running on the computer; and
  
  an identification of the hypervisor that is running on the computer.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, wherein said act of contacting is performed over the Internet.
  - 11. The method of claim 9, wherein said encrypted content comprises an encrypted private key.
  - 12. The method of claim 9, wherein said encrypted content comprises encrypted DRM software.
  - 13. The method of claim 9, wherein said encrypted content comprises an encrypted private key and encrypted DRM software.
  - 14. The method of claim 9, wherein said encrypted content comprises an encrypted private key and encrypted DRM software and further comprising storing said private key in a gated, hardware key storage.
  - 15. The method of claim 9, wherein said encrypted content comprises an encrypted private key and encrypted DRM software and further comprising storing said encrypted DRM content in a local storage.
  - 16. The computer-implemented method of claim 9, wherein at least some provisioned DRM functionality comprises decryption functionality.

17. A computer implemented method comprising:
- preparing, using a Digital Rights Management (DRM) partition, an attestation request that includes an identification of the DRM partition, an identification of a computing device associated with the DRM partition, an identification of a version of an operating system running on the computing device, and an identification of a hypervisor that is running on the computing device, the hypervisor configured to provide partitioning functionality, the DRM partition configured to have all associated DRM functionality executing within the DRM partition remotely provisioned;
  
  sending the attestation request to an individualization service that is configured to provision DRM software to the DRM partition, wherein at least some of the DRM software comprises software configured to acquire, manage, and enforce licenses associated with protected content;
  
  receiving, from the individualization service, an encrypted private key;
  
  storing the private key in a gated, hardware key storage;
  
  receiving encrypted DRM software from the individualization service;
  
  storing the encrypted DRM software in a local storage;
  
  decrypting the encrypted DRM software for usage; and
  
  re-encrypting said decrypted DRM software when the usage is done, wherein at least some of said re-encrypted DRM software is executable software.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein the hardware key storage is gated by the hypervisor.
  - 19. The method of claim 17, wherein the DRM software is encrypted using a public key associated with the encrypted private key.
  - 20. The method of claim 17, wherein the act of sending and both of said acts of receiving are performed using the Internet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Alkove, James M., Grigorovitch, Alexandre V., Barde, Sumedh N., Schnell, Patrik
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
KANAAN, SIMON P

Application Number

US11/823,572
Publication Number

US 20090006862A1
Time in Patent Office

2,434 Days
Field of Search

380/229, 726 26- 33, 705 51- 59, 713/178, 713/194
US Class Current

726/27
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/121   Restricting unauthorised ex...

G06F 21/6209   to a single file or object,...

G06F 21/74   operating in dual or compar...

Provisioning a computing system for digital rights management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Provisioning a computing system for digital rights management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links