User authorization and presence detection in isolation from interference from and control by host central processing unit and operating system

US 9,230,081 B2
Filed: 03/05/2013
Issued: 01/05/2016
Est. Priority Date: 03/05/2013
Status: Active Grant

First Claim

Patent Images

1. An apparatus to be used in association with a host, the apparatus comprising:

circuitry to be comprised, at least in part, in the host, the host including at least one host central processing unit (CPU) and one or more chipsets, the one or more chipsets comprising one or more embedded controllers, the one or more CPU to execute, at least in part, at least one host operating system (OS), the circuitry being comprised, at least in part, in at least one of;

the one or more embedded controllers; and

one or more hardware partitions comprised in the one or more CPU;

the at least one of the one or more embedded controllers and the one or more hardware partitions being capable of performing, at least in part, at least one operation in isolation from interference from, access by, and control by the at least one host OS, the at least one operation comprising;

user authorization determination in response, at least in part, to indication of physical presence of at least one user within one or more geographic regions comprising the host, the user authorization determination to determine, at least in part, whether the at least one user is authorized to issue at least one command to at least one security-related component of the host, wherein the indication is based at least in part upon at least one of;

activation of at least one secure attention key of the host by the at least one user;

provision of at least one general purpose input/output (GPIO) signal to the circuitry;

detection of at least one physical token associated with the at least one user; and

detection of at least one physical characteristic of the at least one user; and

user presence determination to determine, at least in part, whether, after the indication has been provided, the physical presence of the at least one user in the one or more regions has ceased;

wherein the circuitry is to satisfy at least one of the following subparagraphs (a) to (e);

(a) the circuitry is to execute, at least in part, at least one software agent to perform, at least in part, at least one of the user authorization determination and the user presence determination, and the at least one agent also is to establish, at least in part, at least one secure communication channel with the at least one security-related component;

(b) the at least one software agent is to be comprised, at least in part, in a virtual machine manager;

(c) the at least one security-related component comprises at least one virtual trusted platform module (TPM) that is to be implemented, at least in part, by the virtual machine manager;

(d) the at least one virtual TPM comprises a plurality of virtual TPM; and

(e) the circuitry is comprised, at least in part, in at least one device that is capable of being removably communicatively coupled to the host.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An embodiment may include circuitry to be included, at least in part, in a host. The host may include at least one host central processing unit (CPU) to execute, at least in part, at least one host operating system (OS). The circuitry may perform, at least in part, at least one operation in isolation both from interference from and control by the at least one host CPU and the at least one host OS. The at least one operation may include user authorization determination and user presence determination. The authorization determination may be in response, at least in part, to indication of physical presence of at least one user in proximity to the host. The user presence determination may determine, at least in part, whether, after the indication has been provided, the physical presence of the at least one user in the proximity to the host has ceased.

64 Citations

View as Search Results

16 Claims

1. An apparatus to be used in association with a host, the apparatus comprising:
- circuitry to be comprised, at least in part, in the host, the host including at least one host central processing unit (CPU) and one or more chipsets, the one or more chipsets comprising one or more embedded controllers, the one or more CPU to execute, at least in part, at least one host operating system (OS), the circuitry being comprised, at least in part, in at least one of;
  
  the one or more embedded controllers; and
  
  one or more hardware partitions comprised in the one or more CPU;
  
  the at least one of the one or more embedded controllers and the one or more hardware partitions being capable of performing, at least in part, at least one operation in isolation from interference from, access by, and control by the at least one host OS, the at least one operation comprising;
  
  user authorization determination in response, at least in part, to indication of physical presence of at least one user within one or more geographic regions comprising the host, the user authorization determination to determine, at least in part, whether the at least one user is authorized to issue at least one command to at least one security-related component of the host, wherein the indication is based at least in part upon at least one of;
  
  activation of at least one secure attention key of the host by the at least one user;
  
  provision of at least one general purpose input/output (GPIO) signal to the circuitry;
  
  detection of at least one physical token associated with the at least one user; and
  
  detection of at least one physical characteristic of the at least one user; and
  
  user presence determination to determine, at least in part, whether, after the indication has been provided, the physical presence of the at least one user in the one or more regions has ceased;
  
  wherein the circuitry is to satisfy at least one of the following subparagraphs (a) to (e);
  
  (a) the circuitry is to execute, at least in part, at least one software agent to perform, at least in part, at least one of the user authorization determination and the user presence determination, and the at least one agent also is to establish, at least in part, at least one secure communication channel with the at least one security-related component;
  
  (b) the at least one software agent is to be comprised, at least in part, in a virtual machine manager;
  
  (c) the at least one security-related component comprises at least one virtual trusted platform module (TPM) that is to be implemented, at least in part, by the virtual machine manager;
  
  (d) the at least one virtual TPM comprises a plurality of virtual TPM; and
  
  (e) the circuitry is comprised, at least in part, in at least one device that is capable of being removably communicatively coupled to the host.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The apparatus of claim 1, wherein:
    - the user authorization determination is based, at least in part, upon at least one of;
      
      biometric information associated with the at least one user;
      
      at least one challenge response provided by the at least one user; and
      
      data provided by at least one near field communication device associated with the at least one user.
  - 3. The apparatus of claim 1, wherein:
    - the at least one security-related component comprises another TPM;
      
      the circuitry is to store, at least in part, user authentication information and user privilege information in a manner that is inaccessible to the at least one host OS and at least one host CPU;
      
      the user authentication determination is based at least in part upon whether the user authentication information matches, at least in part, other user-associated information provided in response, at least in part, to at least one challenge by the circuitry; and
      
      after the circuitry determines, at least in part, that the at least one user is authorized to use, at least in part, the host, the circuitry is to determine, based at least in part, upon the user privilege information, whether the at least one user is authorized to issue the at least one command to the another TPM.
  - 4. The apparatus of claim 3, wherein:
    - after the circuitry determines, at least in part, that the at least one user is authorized to issue the at least one command to the another TPM, the circuitry is to issue, at least in part, a general purpose input/output signal that results, at least in part, in assertion of a physical user presence signal of the another TPM.
  - 5. The apparatus of claim 3, wherein:
    - after the circuitry determines, at least in part, that the physical presence of the at least one user in the one or more regions has ceased, the circuitry is to issue, at least in part, a general purpose input/output signal that results, at least in part, in de-assertion of a physical user presence signal of the another TPM.

6. Non-transitory computer-readable memory storing one or more instructions that when executed by a machine result in performance of operations comprising:
- at least one operation performed, at least in part, by circuitry, the circuitry to be comprised, at least in part, in a host, the host including at least one host central processing unit (CPU) to execute, at least in part, at least one host operating system (OS) and one or more chipsets, the one or more chipsets comprising one or more embedded controllers, the one or more CPU to execute, at least in part, at least one host operating system (OS), the circuitry being comprised, at least in part, in at least one of;
  
  the one or more embedded controllers; and
  
  one or more hardware partitions comprised in the one or more CPU;
  
  the at least one of the one or more embedded controllers and the one or more hardware partitions to perform, at least in part, the at least one operation in isolation from interference from, access by, and control by the at least one host OS, the at least one operation comprising;
  
  user authorization determination in response, at least in part to indication of physical presence of at least one user within one or more geographic regions comprising the host, the user authorization determination to determine, at least in part, whether the at least one user is authorized to issue at least one command to at least one security-related component of the host, wherein the indication is based at least in part upon at least one of;
  
  activation of at least one secure attention key of the host by the at least one user;
  
  provision of at least one general purpose input/output (GPIO) signal to the circuitry;
  
  detection of at least one physical token associated with the at least one user; and
  
  detection of at least one physical characteristic of the at least one user; and
  
  user presence determination to determine, at least in part, whether, after the indication has been provided, the physical presence of the at least one user in the one or more regions has ceased;
  
  wherein the circuitry is to satisfy at least one of the following subparagraphs (a) to (e);
  
  (a) the circuitry is to execute, at least in part, at least one software agent to perform, at least in part, at least one of the user authorization determination and the user presence determination, and the at least one agent also is to establish, at least in part, at least one secure communication channel with the at least one security-related component;
  
  (b) the at least one software agent is to be comprised, at least in part, in a virtual machine manager;
  
  (c) the at least one security-related component comprises at least one TPM that is to be implemented, at least in part, by the virtual machine manager;
  
  (d) the at least one virtual TPM comprises a plurality of virtual TPM; and
  
  (e) the circuitry is comprised, at least in part, in at least one device that is capable of being removably communicatively coupled to the host.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer-readable memory of claim 6, wherein:
    - the user authorization determination is based, at least in part, upon at least one of;
      
      biometric information associated with the at least one user;
      
      at least one challenge response provided by the at least one user; and
      
      data provided by at least one near field communication device associated with the at least one user.
  - 8. The computer-readable memory of claim 6, wherein:
    - the at least one security-related component comprises another TPM;
      
      the circuitry is to store, at least in part, user authentication information and user privilege information in a manner that is inaccessible to the at least one host OS and at least one host CPU;
      
      the user authentication determination is based at least in part upon whether the user authentication information matches, at least in part, other user-associated information provided in response, at least in part, to at least one challenge by the circuitry; and
      
      after the circuitry determines, at least in part, that the at least one user is authorized to use, at least in part, the host, the circuitry is to determine, based at least in part, upon the user privilege information, whether the at least one user is authorized to issue the at least one command to the another TPM.
  - 9. The computer-readable memory of claim 8, wherein:
    - after the circuitry determines, at least in part, that the at least one user is authorized to issue the at least one command to the another TPM, the circuitry is to issue, at least in part, a general purpose input/output signal that results, at least in part, in assertion of a physical user presence signal of the another TPM.
  - 10. The computer-readable memory of claim 8, wherein:
    - after the circuitry determines, at least in part, that the physical presence of the at least one user in the one or more regions has ceased, the circuitry is to issue, at least in part, a general purpose input/output signal that results, at least in part, in de-assertion of a physical user presence signal of the another TPM.

11. A method for use in association with a host, the method comprising:
- at least one operation performed, at least in part, by circuitry, the circuitry to be comprised, at least in part, in the host, the host including at least one host central processing unit (CPU) and one or more chipsets, the one more chipsets comprising one or more embedded controllers, the one more CPU to execute, at least in part, at least one host operating system (OS), the circuitry being comprised, at least in part, in at least one of;
  
  the one or more embedded controllers; and
  
  one or more hardware partitions comprised in the one or more CPU;
  
  the at least one of the one or more embedded controllers and the one or more hardware partitions to perform, at least in part, the at least one operation in isolation from interference from, access by, and control by the at least one host OS, the at least one operation comprising;
  
  user authorization determination in response, at least in part, to indication of physical presence of at least one user within one or more geographic regions comprising the host, the user authorization determination to determine, at least in part, whether the at least one user is authorized to issue at least one command to at least one security-related component of the host; and
  
  user presence determination to determine, at least in part, whether, after the indication has been provided, the physical presence of the at least one user in the one or more regions has ceased, wherein the indication is based at least in part upon at least one of;
  
  activation of at least one secure attention key of the host by the at least one user;
  
  provision of at least one general purpose input/output (GPIO) signal to the circuitry;
  
  detection of at least one physical token associated with the at least one user; and
  
  detection of at least one physical characteristic of the at least one user;
  
  wherein the circuitry is to satisfy at least one of the following subparagraphs (a) to (e);
  
  (a) the circuitry is to execute, at least in part, at least one software agent to perform, at least in part, at least one of the user authorization determination and the user presence determination, and the at least one agent also is to establish, at least in part, at least one secure communication channel with the at least one security-related component;
  
  (b) the at least one software agent is to be comprised, at least in part, in a virtual machine manager;
  
  (c) the at least one security-related component comprises at least one TPM that is to be implemented, at least in part, by the virtual machine manager;
  
  (d) the at least one virtual TPM comprises a plurality of virtual TPM; and
  
  (e) the circuitry is comprised, at least in part, in at least one device that is capable of being removably communicatively coupled to the host.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein:
    - the user authorization determination is based, at least in part, upon at least one of;
      
      biometric information associated with the at least one user;
      
      at least one challenge response provided by the at least one user; and
      
      data provided by at least one near field communication device associated with the at least one user.
  - 13. The method of claim 11, wherein:
    - the at least one security-related component comprises another TPM;
      
      the circuitry is to store, at least in part, user authentication information and user privilege information in a manner that is inaccessible to the at least one host OS and at least one host CPU;
      
      the user authentication determination is based at least in part upon whether the user authentication information matches, at least in part, other user-associated information provided in response, at least in part, to at least one challenge by the circuitry; and
      
      after the circuitry determines, at least in part, that the at least one user is authorized to use, at least in part, the host, the circuitry is to determine, based at least in part, upon the user privilege information, whether the at least one user is authorized to issue the at least one command to the another TPM.
  - 14. The method of claim 13, wherein:
    - after the circuitry determines, at least in part, that the at least one user is authorized to issue the at least one command to the another TPM, the circuitry is to issue, at least in part, a general purpose input/output signal that results, at least in part, in assertion of a physical user presence signal of the another TPM.
  - 15. The method of claim 13, wherein:
    - after the circuitry determines, at least in part, that the physical presence of the at least one user in the one or more regions has ceased, the circuitry is to issue, at least in part, a general purpose input/output signal that results, at least in part, in de-assertion of a physical user presence signal of the another TPM.

16. An apparatus, comprising:
- logic, at least partially comprising hardware, to be comprised, at least in part, in a host, the host including at least one host central processing unit (CPU) and one or more chipsets, the one or more chipsets comprising one or more embedded controllers, the one or more CPU to execute, at least in part, at least one host operating system (OS), the logic being comprised, at least in part, in at least one of;
  
  the one or more embedded controllers; and
  
  one or more hardware partitions comprised in the one or more CPU;
  
  the at least one of the one or more embedded controllers and the one or more hardware partitions being capable of performing, at least in part, at least one operation in isolation from interference from, access by, and control by the at least one host OS, the at least one operation comprising;
  
  user authorization determination in response, at least in part, to indication of physical presence of at least one user within one or more geographic regions comprising the host, the user authorization determination to determine, at least in part, whether the at least one user is authorized to issue at least one command to at least one security-related component of the host, wherein the indication is based at least in part upon at least one of;
  
  activation of at least one secure attention key of the host by the at least one user;
  
  provision of at least one general purpose input/output (GPIO) signal to the circuitry;
  
  detection of at least one physical token associated with the at least one user; and
  
  detection of at least one physical characteristic of the at least one user; and
  
  user presence determination to determine, at least in part, whether, after the indication has been provided, the physical presence of the at least one user in the one or more regions has ceased;
  
  wherein the circuitry is to satisfy at least one of the following subparagraphs (a) to (e);
  
  (a) the circuitry is to execute, at least in part, at least one software agent to perform, at least in part, at least one of the user authorization determination and the user presence determination, and the at least one agent also is to establish, at least in part, at least one secure communication channel with the at least one security-related component;
  
  (b) the at least one software agent is to be comprised, at least in part, in a virtual machine manager;
  
  (c) the at least one security-related component comprises at least one TPM that is to be implemented, at least in part, by the virtual machine manager;
  
  (d) the at least one virtual TPM comprises a plurality of virtual TPM; and
  
  (e) the circuitry is comprised, at least in part, in at least one device that is capable of being removably communicatively coupled to the host.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Smith, Ned M., Moore, Victoria C.
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Pan, Peiliang

Application Number

US13/785,883
Publication Number

US 20140259125A1
Time in Patent Office

1,036 Days
Field of Search

726/4, 726/5
US Class Current

1/1
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/34   involving the use of extern...

G06F 21/57   Certifying or maintaining t...

G06F 21/575   Secure boot

G06F 21/71   to assure secure computing ...

G06F 2221/2133   Verifying human interaction...

G06F 2221/2139   Recurrent verification

User authorization and presence detection in isolation from interference from and control by host central processing unit and operating system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

64 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

User authorization and presence detection in isolation from interference from and control by host central processing unit and operating system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links