Processing attestation data associated with a plurality of data processing systems

US 9,075,994 B2
Filed: 04/30/2012
Issued: 07/07/2015
Est. Priority Date: 11/18/2010
Status: Expired due to Fees

First Claim

Patent Images

1. A method for processing attestation data associated with a plurality of data processing systems comprising a first data processing system and a second data processing system, wherein the first data processing system comprises a first data processor coupled to a first memory and the second data processing system comprises a second data processor coupled to a second memory, the method comprising the steps of:

receiving, by the first data processing system, a request for attestation from a requester;

in response to receiving the request, retrieving, by the first data processor of the first data processing system, a list of one or more children of the first data processing system, wherein the one or more children comprise the second data processing system;

in response to retrieving the list, retrieving and storing in the first memory, by the first data processor of the first data processing system, child attestation data associated with each of the one or more children including second data processing system attestation data of the second data processing system comprising the second data processor coupled to the second memory;

retrieving, by the first data processor of the first data processing system, first attestation data associated with the first data processing system; and

sending to the requester, by the first data processing system, a concatenated response containing the first attestation data associated with the first data processing system and the child attestation data associated with each of the one or more children.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An attestation technique is provided for processing attestation data associated with a plurality of data processing systems. A first data processing system is operable for receiving a request for attestation from a requester. In response to receiving the request, the first data processing system is further operable for retrieving a list of one or more children, wherein the one or more children include the second data processing system; retrieving and storing attestation data associated with each of the one or more children; retrieving and storing attestation data associated with the first data processing system; and sending to the requester a concatenated response containing the attestation data associated with the first data processing system and the child attestation data associated with the one or more children.

42 Citations

View as Search Results

17 Claims

1. A method for processing attestation data associated with a plurality of data processing systems comprising a first data processing system and a second data processing system, wherein the first data processing system comprises a first data processor coupled to a first memory and the second data processing system comprises a second data processor coupled to a second memory, the method comprising the steps of:
- receiving, by the first data processing system, a request for attestation from a requester;
  
  in response to receiving the request, retrieving, by the first data processor of the first data processing system, a list of one or more children of the first data processing system, wherein the one or more children comprise the second data processing system;
  
  in response to retrieving the list, retrieving and storing in the first memory, by the first data processor of the first data processing system, child attestation data associated with each of the one or more children including second data processing system attestation data of the second data processing system comprising the second data processor coupled to the second memory;
  
  retrieving, by the first data processor of the first data processing system, first attestation data associated with the first data processing system; and
  
  sending to the requester, by the first data processing system, a concatenated response containing the first attestation data associated with the first data processing system and the child attestation data associated with each of the one or more children.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, further comprising:
    - configuring an attestation chain of the plurality of data processing systems, wherein the attestation chain identifies the plurality of data processing systems to be attested, and wherein each data processing system member of the attestation chain holds a list of its children.
  - 3. The method of claim 1, further comprising the step of:
    - confirming, by the first data processing system, the child attestation data associated with each of the one or more children.
  - 4. The method of claim 3, wherein the confirming is performed prior to the retrieving, by the first data processing system, the first attestation data associated with the first data processing system.
  - 5. The method of claim 1, wherein the first attestation data associated with the first data processing system comprises a value maintained in a Platform Control Register (PCR) and an event log.
  - 6. The method of claim 1, further comprising the step of:
    - determining either a trusted state or an untrusted state for an associated PCR in accordance with an expected attestation value or a trusted value.
  - 7. The method of claim 1, wherein the first data processing system uses the child attestation data to determine a trusted state of the second data processing system.
  - 8. The method of claim 7, wherein the first data processing system stores the child attestation data in PCRs and an event log of the first data processing system.
  - 9. The method of claim 1, wherein the requester is a managing system and uses the first attestation data associated with the first data processing system and the child attestation data associated with each of the one or more children to determine a trusted state of the first data processing system and the second data processing system, respectively.
  - 10. The method of claim 9, wherein the managing system stores the child attestation data in PCRs and an event log of the managing system.
  - 11. The method of claim 10, wherein the managing system stores an indication of a state associated with the first data processing system and second data processing system.
  - 12. The method of claim 1, wherein the requester is a managing system that receives and stores the child attestation data associated with the one or more children.
  - 13. The method of claim 1, wherein each data processing system of the plurality of data processing systems represents a managed system.
  - 14. The method of claim 1, wherein the first data processing system further comprises a first trusted platform module (first TPM) and a second trusted platform module (second TPM), and wherein the first attestation data associated with the first data processing system is stored in the first TPM and the child attestation data is stored in the second TPM.
  - 15. The method of claim 1, wherein the first data processing system further comprises a first trusted platform module (first TPM) and the second data processing system comprises a second trusted platform module (second TPM), and wherein the first attestation data associated with the first data processing system is stored in the first TPM and the child attestation data is stored in the second TPM.
  - 16. The method of claim 1, wherein the first data processing system further comprises a trusted platform module (TPM), and wherein the child attestation data is stored in the TPM.

17. A method for processing attestation data associated with a plurality of data processing systems comprising a first data processing system and a second data processing system, wherein the first data processing system comprises a first data processor coupled to a first memory and the second data processing system comprises a second data processor coupled to a second memory, the method comprising the steps of:
- receiving, by the first data processing system, a first request for attestation from a requester;
  
  in response to receiving the first request, retrieving, by the first data processor of the first data processing system, a list of one or more children of the first data processing system, wherein the one or more children comprise the second data processing system;
  
  in response to retrieving the list, retrieving and storing in the first memory, by the first data processor of the first data processing system, child attestation data associated with each of the one or more children including second data processing system attestation data of the second data processing system comprising the second data processor coupled to the second memory;
  
  retrieving, by the first data processor of the first data processing system, first attestation data associated with the first data processing system;
  
  sending to the requester, by the first data processing system, a concatenated response containing the first attestation data associated with the first data processing system and the child attestation data associated with each of the one or more children;
  
  receiving, by the second data processing system, a second request for attestation from the first data processing system;
  
  in response to receiving the second request for attestation from the first data processing system, retrieving, by the second data processing system, a list of one or more second children of the second data processing system, wherein the one or more second children comprise a third data processing system comprising a third data processor coupled to a third memory;
  
  in response to retrieving the list of one or more second children of the second data processing system, retrieving and storing in the second memory, by the second data processing system, second child attestation data associated with each of the one or more second children; and
  
  retrieving and sending to the first data processing system storing, by the second data processing system, third attestation data associated with the second data processing system;
  
  wherein the first data processing system further comprises a first trusted platform module (first TPM) and a second trusted platform module (second TPM), and the second data processing system comprises a third trusted platform module (third TPM), and wherein the attestation data associated with the first data processing system is stored in the first TPM, the child attestation data is stored in the second TPM, and the third attestation data is stored in the third TPM.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Haikney, David, Mackintosh, David N., Perez, Jose J. P.
Primary Examiner(s)
Davis, Zachary A

Application Number

US13/460,080
Publication Number

US 20120216255A1
Time in Patent Office

1,163 Days
Field of Search

713/187, 713/189, 713/193, 713/164, 713/168, 726/3, 726/22, 726/26, 718/1
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/57   Certifying or maintaining t...

G06F 2221/034   Test or assess a computer o...

G06F 9/4401   Bootstrapping security arra...

Processing attestation data associated with a plurality of data processing systems

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

42 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Processing attestation data associated with a plurality of data processing systems

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links