User authorization and presence detection in isolation from interference from and control by host central processing unit and operating system
First Claim
1. An apparatus to be used in association with a host, the apparatus comprising:
- circuitry to be comprised, at least in part, in the host, the host including at least one host central processing unit (CPU) and one or more chipsets, the one or more chipsets comprising one or more embedded controllers, the one or more CPU to execute, at least in part, at least one host operating system (OS), the circuitry being comprised, at least in part, in at least one of:
the one or more embedded controllers; and
one or more hardware partitions comprised in the one or more CPU;
the at least one of the one or more embedded controllers and the one or more hardware partitions being capable of performing, at least in part, at least one operation in isolation from interference from, access by, and control by the at least one host OS, the at least one operation comprising:
user authorization determination in response, at least in part, to indication of physical presence of at least one user within one or more geographic regions comprising the host, the user authorization determination to determine, at least in part, whether the at least one user is authorized to issue at least one command to at least one security-related component of the host, wherein the indication is based at least in part upon at least one of:
activation of at least one secure attention key of the host by the at least one user;
provision of at least one general purpose input/output (GPIO) signal to the circuitry;
detection of at least one physical token associated with the at least one user; and
detection of at least one physical characteristic of the at least one user; and
user presence determination to determine, at least in part, whether, after the indication has been provided, the physical presence of the at least one user in the one or more regions has ceased;
wherein the circuitry is to satisfy at least one of the following subparagraphs (a) to (e):
(a) the circuitry is to execute, at least in part, at least one software agent to perform, at least in part, at least one of the user authorization determination and the user presence determination, and the at least one agent also is to establish, at least in part, at least one secure communication channel with the at least one security-related component;
(b) the at least one software agent is to be comprised, at least in part, in a virtual machine manager;
(c) the at least one security-related component comprises at least one virtual trusted platform module (TPM) that is to be implemented, at least in part, by the virtual machine manager;
(d) the at least one virtual TPM comprises a plurality of virtual TPM; and
(e) the circuitry is comprised, at least in part, in at least one device that is capable of being removably communicatively coupled to the host.
Abstract
An embodiment may include circuitry to be included, at least in part, in a host. The host may include at least one host central processing unit (CPU) to execute, at least in part, at least one host operating system (OS). The circuitry may perform, at least in part, at least one operation in isolation both from interference from and control by the at least one host CPU and the at least one host OS. The at least one operation may include user authorization determination and user presence determination. The authorization determination may be in response, at least in part, to indication of physical presence of at least one user in proximity to the host. The user presence determination may determine, at least in part, whether, after the indication has been provided, the physical presence of the at least one user in the proximity to the host has ceased.
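The abstract's two determinations (authorization triggered by a hardware-rooted presence indication, and revocation once presence has ceased) can be modelled as a small state machine. The following is an added illustration written for this page, not code from the patent or any product; the class and function names, the user set and the command name are assumptions:

```python
from dataclasses import dataclass, field
from typing import Optional

# Indication sources named in claim 1; host-software events are deliberately absent.
INDICATIONS = {"secure_attention_key", "gpio", "physical_token", "physical_characteristic"}

@dataclass
class IsolatedPresenceAgent:
    """Models the agent the claim places in an embedded controller or hardware
    partition: the host OS cannot read or alter these fields, so a decision
    returned here cannot be forged from the host side (assumed model)."""
    authorized_users: set                 # provisioned out of band (assumption)
    indicated_user: Optional[str] = None  # user the accepted indication was for
    present: bool = False                 # latest user-presence determination
    audit: list = field(default_factory=list)

    def indicate_presence(self, user: str, source: str) -> bool:
        """User authorization determination: accept only the claim's indication
        sources, and only for a user allowed to command the security component."""
        if source not in INDICATIONS or user not in self.authorized_users:
            self.audit.append(("denied", user, source))
            return False
        self.indicated_user, self.present = user, True
        self.audit.append(("authorized", user, source))
        return True

    def presence_update(self, still_present: bool) -> None:
        """User presence determination: once presence has ceased after the
        indication, the earlier authorization no longer counts."""
        if self.indicated_user is not None and not still_present:
            self.audit.append(("presence_ceased", self.indicated_user))
            self.indicated_user, self.present = None, False

    def may_issue(self, user: str, command: str) -> bool:
        """Gate a command to the security-related component (for example a TPM
        operation that requires physical presence) on both determinations."""
        ok = self.present and user == self.indicated_user
        self.audit.append(("command", command, "allowed" if ok else "blocked"))
        return ok

def demo() -> list:
    """Walk through the sequence the abstract describes; returns the decisions."""
    agent = IsolatedPresenceAgent(authorized_users={"alice"})
    decisions = [agent.may_issue("alice", "tpm_clear")]          # no indication yet
    agent.indicate_presence("mallory", "gpio")                    # not an authorized user
    decisions.append(agent.may_issue("mallory", "tpm_clear"))
    agent.indicate_presence("alice", "host_keyboard_event")       # relayed by host OS: rejected
    decisions.append(agent.may_issue("alice", "tpm_clear"))
    agent.indicate_presence("alice", "secure_attention_key")      # hardware-rooted indication
    decisions.append(agent.may_issue("alice", "tpm_clear"))
    agent.presence_update(False)                                  # user has left the region
    decisions.append(agent.may_issue("alice", "tpm_clear"))       # authorization has lapsed
    return decisions
```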
64 Citations
16 Claims
1. An apparatus to be used in association with a host (independent claim 1, set out in full under First Claim above).
Dependent claims: 2, 3, 4, 5.
6. Non-transitory computer-readable memory storing one or more instructions that when executed by a machine result in performance of operations comprising:
- at least one operation performed, at least in part, by circuitry, the circuitry to be comprised, at least in part, in a host, the host including at least one host central processing unit (CPU) to execute, at least in part, at least one host operating system (OS) and one or more chipsets, the one or more chipsets comprising one or more embedded controllers, the one or more CPU to execute, at least in part, at least one host operating system (OS), the circuitry being comprised, at least in part, in at least one of:
the one or more embedded controllers; and
one or more hardware partitions comprised in the one or more CPU;
the at least one of the one or more embedded controllers and the one or more hardware partitions to perform, at least in part, the at least one operation in isolation from interference from, access by, and control by the at least one host OS, the at least one operation comprising:
user authorization determination in response, at least in part, to indication of physical presence of at least one user within one or more geographic regions comprising the host, the user authorization determination to determine, at least in part, whether the at least one user is authorized to issue at least one command to at least one security-related component of the host, wherein the indication is based at least in part upon at least one of:
activation of at least one secure attention key of the host by the at least one user;
provision of at least one general purpose input/output (GPIO) signal to the circuitry;
detection of at least one physical token associated with the at least one user; and
detection of at least one physical characteristic of the at least one user; and
user presence determination to determine, at least in part, whether, after the indication has been provided, the physical presence of the at least one user in the one or more regions has ceased;
wherein the circuitry is to satisfy at least one of the following subparagraphs (a) to (e):
(a) the circuitry is to execute, at least in part, at least one software agent to perform, at least in part, at least one of the user authorization determination and the user presence determination, and the at least one agent also is to establish, at least in part, at least one secure communication channel with the at least one security-related component;
(b) the at least one software agent is to be comprised, at least in part, in a virtual machine manager;
(c) the at least one security-related component comprises at least one TPM that is to be implemented, at least in part, by the virtual machine manager;
(d) the at least one virtual TPM comprises a plurality of virtual TPM; and
(e) the circuitry is comprised, at least in part, in at least one device that is capable of being removably communicatively coupled to the host.
Dependent claims: 7, 8, 9, 10.
11. A method for use in association with a host, the method comprising:
- at least one operation performed, at least in part, by circuitry, the circuitry to be comprised, at least in part, in the host, the host including at least one host central processing unit (CPU) and one or more chipsets, the one or more chipsets comprising one or more embedded controllers, the one or more CPU to execute, at least in part, at least one host operating system (OS), the circuitry being comprised, at least in part, in at least one of:
the one or more embedded controllers; and
one or more hardware partitions comprised in the one or more CPU;
the at least one of the one or more embedded controllers and the one or more hardware partitions to perform, at least in part, the at least one operation in isolation from interference from, access by, and control by the at least one host OS, the at least one operation comprising:
user authorization determination in response, at least in part, to indication of physical presence of at least one user within one or more geographic regions comprising the host, the user authorization determination to determine, at least in part, whether the at least one user is authorized to issue at least one command to at least one security-related component of the host; and
user presence determination to determine, at least in part, whether, after the indication has been provided, the physical presence of the at least one user in the one or more regions has ceased, wherein the indication is based at least in part upon at least one of:
activation of at least one secure attention key of the host by the at least one user;
provision of at least one general purpose input/output (GPIO) signal to the circuitry;
detection of at least one physical token associated with the at least one user; and
detection of at least one physical characteristic of the at least one user;
wherein the circuitry is to satisfy at least one of the following subparagraphs (a) to (e):
(a) the circuitry is to execute, at least in part, at least one software agent to perform, at least in part, at least one of the user authorization determination and the user presence determination, and the at least one agent also is to establish, at least in part, at least one secure communication channel with the at least one security-related component;
(b) the at least one software agent is to be comprised, at least in part, in a virtual machine manager;
(c) the at least one security-related component comprises at least one TPM that is to be implemented, at least in part, by the virtual machine manager;
(d) the at least one virtual TPM comprises a plurality of virtual TPM; and
(e) the circuitry is comprised, at least in part, in at least one device that is capable of being removably communicatively coupled to the host.
Dependent claims: 12, 13, 14, 15.
16. An apparatus, comprising:
- logic, at least partially comprising hardware, to be comprised, at least in part, in a host, the host including at least one host central processing unit (CPU) and one or more chipsets, the one or more chipsets comprising one or more embedded controllers, the one or more CPU to execute, at least in part, at least one host operating system (OS), the logic being comprised, at least in part, in at least one of:
the one or more embedded controllers; and
one or more hardware partitions comprised in the one or more CPU;
the at least one of the one or more embedded controllers and the one or more hardware partitions being capable of performing, at least in part, at least one operation in isolation from interference from, access by, and control by the at least one host OS, the at least one operation comprising:
user authorization determination in response, at least in part, to indication of physical presence of at least one user within one or more geographic regions comprising the host, the user authorization determination to determine, at least in part, whether the at least one user is authorized to issue at least one command to at least one security-related component of the host, wherein the indication is based at least in part upon at least one of:
activation of at least one secure attention key of the host by the at least one user;
provision of at least one general purpose input/output (GPIO) signal to the circuitry;
detection of at least one physical token associated with the at least one user; and
detection of at least one physical characteristic of the at least one user; and
user presence determination to determine, at least in part, whether, after the indication has been provided, the physical presence of the at least one user in the one or more regions has ceased;
wherein the circuitry is to satisfy at least one of the following subparagraphs (a) to (e):
(a) the circuitry is to execute, at least in part, at least one software agent to perform, at least in part, at least one of the user authorization determination and the user presence determination, and the at least one agent also is to establish, at least in part, at least one secure communication channel with the at least one security-related component;
(b) the at least one software agent is to be comprised, at least in part, in a virtual machine manager;
(c) the at least one security-related component comprises at least one TPM that is to be implemented, at least in part, by the virtual machine manager;
(d) the at least one virtual TPM comprises a plurality of virtual TPM; and
(e) the circuitry is comprised, at least in part, in at least one device that is capable of being removably communicatively coupled to the host.
Specification