Virtual machine images encryption using trusted computing group sealing

US 8,694,786 B2
Filed: 10/04/2011
Issued: 04/08/2014
Est. Priority Date: 10/04/2011
Status: Active Grant

First Claim

Patent Images

1. A method for storing a customized virtual machine, the method comprising:

configuring a host machine to a desired state, wherein the host machine has a trusted platform module;

recording a platform configuration register state based on the desired state;

forming a sealed blob from a private key and a platform configuration register state to verify whether the virtual machine can be executed;

receiving a customer'"'"'s symmetric key at a data center;

encrypting the customer'"'"'s symmetric key with a public key of the data center to form a wrapped customer'"'"'s symmetric key;

storing the wrapped customer'"'"'s symmetric key;

provisioning a virtual machine on the host machine, wherein the virtual machine is selected from a catalog of stock virtual machines;

instantiating the virtual machine on the host machine;

configuring the virtual machine, based on customer inputs, to form a customer'"'"'s configured virtual machine;

creating an image from the customer'"'"'s configured virtual machine;

unwrapping the wrapped customer'"'"'s symmetric key to form a copy of the customer'"'"'s symmetric key;

encrypting the customer'"'"'s configured virtual machine with the copy of the customer'"'"'s symmetric key to form an encrypted configured virtual machine; and

storing the encrypted configured virtual machine to non-volatile storage.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A host machine provisions a virtual machine from a catalog of stock virtual machines. The host machine instantiates the virtual machine. The host machine configures the virtual machine, based on customer inputs, to form a customer'"'"'s configured virtual machine. The host machine creates an image from the customer'"'"'s configured virtual machine. The host machine unwraps a sealed customer'"'"'s symmetric key to form a customer'"'"'s symmetric key. The host machine encrypts the customer'"'"'s configured virtual machine with the customer'"'"'s symmetric key to form an encrypted configured virtual machine. The host machine stores the encrypted configured virtual machine to non-volatile storage.

31 Citations

View as Search Results

13 Claims

1. A method for storing a customized virtual machine, the method comprising:
- configuring a host machine to a desired state, wherein the host machine has a trusted platform module;
  
  recording a platform configuration register state based on the desired state;
  
  forming a sealed blob from a private key and a platform configuration register state to verify whether the virtual machine can be executed;
  
  receiving a customer'"'"'s symmetric key at a data center;
  
  encrypting the customer'"'"'s symmetric key with a public key of the data center to form a wrapped customer'"'"'s symmetric key;
  
  storing the wrapped customer'"'"'s symmetric key;
  
  provisioning a virtual machine on the host machine, wherein the virtual machine is selected from a catalog of stock virtual machines;
  
  instantiating the virtual machine on the host machine;
  
  configuring the virtual machine, based on customer inputs, to form a customer'"'"'s configured virtual machine;
  
  creating an image from the customer'"'"'s configured virtual machine;
  
  unwrapping the wrapped customer'"'"'s symmetric key to form a copy of the customer'"'"'s symmetric key;
  
  encrypting the customer'"'"'s configured virtual machine with the copy of the customer'"'"'s symmetric key to form an encrypted configured virtual machine; and
  
  storing the encrypted configured virtual machine to non-volatile storage.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein the method is stored as computer-readable program instructions in one or more computer-readable, tangible storage devices andwherein computer-readable program instructions can be executed by one or more processors.
  - 3. The method of claim 1, wherein the method is executed in a computer system comprising one or more processors, one or more computer-readable memories, one or more computer-readable, tangible storage devices andwherein the method is stored as computer-readable program instructions, which can be executed by the one or more processors via the one or more memories.

4. A method for executing a customer'"'"'s configured virtual machine, the method comprising:
- configuring a host machine to a desired state, wherein the host machine has a trusted platform module;
  
  recording a platform configuration register state based on the desired state;
  
  forming a sealed blob from a private key and a platform configuration register state;
  
  receiving a customer selection of an encrypted configured virtual machine image;
  
  obtaining the sealed blob from a data structure controlled by a data center;
  
  unsealing the sealed blob to form a data center private key, wherein unsealing further comprises;
  
  determining whether the host machine has the current trusted platform state to match a first trusted platform state of the host machine, and in response, decrypting a customer'"'"'s symmetric key with the data center private key, wherein the first trusted platform state of the host machine corresponds to a time during which the sealed blob was created;
  
  decrypting the customer'"'"'s configured virtual machine from the encrypted configured virtual machine; and
  
  executing the customer'"'"'s configured virtual machine on a host processor of the host machine.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 5. The method of claim 4, wherein the private key is created by a data center operator.
  - 6. The method of claim 4, wherein the private key is stored in a hardware security module.
  - 7. The method of claim 4, further comprising:
    - storing the sealed blob in the data structure, wherein storing the sealed blob further comprises sending the sealed blob to a second host machine owned by a data center operator; and
      
      repeatedly performing the configuring, the recording, the forming and the storing for each host among a plurality of hosts to form a sealed blob per each host among the plurality of hosts, wherein each sealed blob corresponds to a host identifier, one corresponding to each host, and each sealed blob is stored in association with each host identifier.
  - 8. The method of claim 7, wherein storing further comprises:
    - obtaining the private key by unsealing the private key from a sealed blob using a trusted platform module platform configuration register (PCR).
  - 9. The method of claim 4, wherein the data structure is stored in a lightweight directory access protocol (LDAP) server.
  - 10. The method of claim 9, wherein the data structure comprises a database.
  - 11. The method of claim 4, wherein the encrypted configured virtual machine image is an image of a virtual machine stored in a form configured according to a customer'"'"'s preferences, which is encrypted prior to storage.
  - 12. The method of claim 4, wherein the method is stored as computer-readable program instructions in one or more computer-readable, tangible storage devices andcomputer-readable program instructions, which are stored on the one or more storage devices and when executed by one or more processors, perform the method of claim 4.
  - 13. The method of claim 4, wherein the method is executed in a computer system comprising one or more processors, one or more computer-readable memories, one or more computer-readable, tangible storage devices and wherein the method is stored ascomputer-readable program instructions, which can be executed by the one or more processors via the one or more memories.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Finjan Blue, Inc. (SoftBank Group Corp.)
Original Assignee
International Business Machines Corporation
Inventors
Bade, Steven A., Pendarakis, Dimitrios, Wilson, George C., Augu, Rajiv, Linton, Jeb R, Wilson, Lee Hardy
Primary Examiner(s)
Shaw, Yin-Chen
Assistant Examiner(s)
MOHAMMADI, FAHIMEH M

Application Number

US13/252,713
Publication Number

US 20130086383A1
Time in Patent Office

917 Days
Field of Search

713164-168, 713/171, 713/176, 380/47, 380/227, 705 65- 69
US Class Current

713/171
CPC Class Codes

G06F 21/57 Certifying or maintaining t...

H04L 9/0897 involving additional device...

Virtual machine images encryption using trusted computing group sealing

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

31 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual machine images encryption using trusted computing group sealing

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links