Hardware trust anchors in SP-enabled processors

US 9,317,708 B2
Filed: 08/14/2009
Issued: 04/19/2016
Est. Priority Date: 08/14/2008
Status: Active Grant

First Claim

Patent Images

1. A computing device having a hardware portion and at least one memory external to said hardware portion, said computing device comprising:

at least one hash register for storing a root hash of a hash tree corresponding to a secure storage area within the at least one memory external to said hardware portion, said root hash encoding information about the integrity of said secure storage area, said register constructed within said hardware portion; and

at least one symmetric cryptographic key register physically constructed within said hardware portion at a location such that probing of said register by a user is difficult to achieve without rendering data in said register useless for its intended purpose,wherein said hardware portion includes at least one processing element with hardware circuitry capable of executing software code, and the processing element is connected to said hash register and said cryptographic key register,and wherein said computing device includes a trusted software module (TSM), said TSM having exclusive access to data or programs in said secure storage area, said TSM using said at least one hash register to verify the integrity of data fetched from said secure storage area, and said TSM using key data based on said symmetric cryptographic key register to decrypt data fetched from said secure storage area.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A trust system and method is disclosed for use in computing devices, particularly portable devices, in which a central Authority shares secrets and sensitive data with users of the respective devices. The central Authority maintains control over how and when shared secrets and data are used. In one embodiment, the secrets and data are protected by hardware-rooted encryption and cryptographic hashing, and can be stored securely in untrusted storage. The problem of transient trust and revocation of data is reduced to that of secure key management and keeping a runtime check of the integrity of the secure storage areas containing these keys (and other secrets). These hardware-protected keys and other secrets can further protect the confidentiality and/or integrity of any amount of other information of arbitrary size (e.g., files, programs, data) by the use of strong encryption and/or keyed-hashing, respectively. In addition to secrets the Authority owns, the system provides access to third party secrets from the computing devices. In one embodiment, the hardware-rooted encryption and hashing each use a single hardware register fabricated as part of the computing device'"'"'s processor or System-on-Chip (SoC) and protected from external probing. The secret data is protected while in the device even during operating system malfunctions and becomes non-accessible from storage according to various rules, one of the rules being the passage of a certain time period. The use of the keys (or other secrets) can be bound to security policies that cannot be separated from the keys (or other secrets). The Authority is also able to establish remote trust and secure communications to the devices after deployment in the field using a special tamper-resistant hardware register in the device, to enable, disable or update the keys or secrets stored securely by the device.

Citations

40 Claims

1. A computing device having a hardware portion and at least one memory external to said hardware portion, said computing device comprising:
- at least one hash register for storing a root hash of a hash tree corresponding to a secure storage area within the at least one memory external to said hardware portion, said root hash encoding information about the integrity of said secure storage area, said register constructed within said hardware portion; and
  
  at least one symmetric cryptographic key register physically constructed within said hardware portion at a location such that probing of said register by a user is difficult to achieve without rendering data in said register useless for its intended purpose,wherein said hardware portion includes at least one processing element with hardware circuitry capable of executing software code, and the processing element is connected to said hash register and said cryptographic key register,and wherein said computing device includes a trusted software module (TSM), said TSM having exclusive access to data or programs in said secure storage area, said TSM using said at least one hash register to verify the integrity of data fetched from said secure storage area, and said TSM using key data based on said symmetric cryptographic key register to decrypt data fetched from said secure storage area.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The computing device of claim 1 further comprising:
    - means for allowing data to be changed within said registers only by particular software or only when the computing device is put into a particular state or processing mode.
  - 3. The computing device of claim 1 further comprising:
    - means for allowing contents from said cryptographic key register to be used only by other hardware components and not by any software components, and means for at least one of those hardware components to cryptographically transform said contents before making the result accessible to software.
  - 4. The computing device of claim 1 wherein said TSM is operative for controlling data stored on said computing device, said stored data being stored under said TSM control being encrypted using encryption key data stored in said cryptographic key register or derived from said cryptographic key register and said stored data is hashed by said TSM by updating intermediate values of the hash tree and the root hash value in said hash register.
  - 5. The computing device of claim 4 further comprising:
    - a dynamic code integrity checking circuit for dynamically checking code of said TSM using said registers.
  - 6. The computing device of claim 4 further comprising:
    - means for encrypting and/or hashing secure data in the hardware belonging to said TSM before said data leaves said hardware portion, said encrypting based on information in at least one of said registers.
  - 7. The computing device of claim 4 further comprising:
    - means for encrypting of general registers during interrupts, system calls or context switches, said encryption based on information in at least one of said registers; and
      
      means for decrypting said last-mention encrypted registers after returning from said interrupts, system calls or context switches, said decryption based on information in at least one of said registers.
  - 8. The computing device of claim 4 further comprising:
    - at least one region of memory that is only accessible to the TSM.
  - 9. The computing device of claim 8 further comprising:
    - means to access said TSM-only memory regions using special instructions that access only said regions of memory.
  - 10. The computing device of claim 9 further comprising:
    - means to access said TSM-only memory regions by specifying an address range to the hardware.
  - 11. The computing device of claim 1 wherein said registers are non-volatile.
  - 12. The computing device of claim 1, wherein the computing device signs Trusted Software Module (TSM) code by computing hash values over cache lines of code and embeds the computed hash values into each cache line of code.
  - 13. The device of claim 1, wherein the secure storage area stores cryptographic keys and polices for usage of the keys to allow the TSM to control access to encrypted files, and wherein decryption of said encrypted files and access to decrypted versions of the files is granted only if the policies allow the user to access the files.
  - 14. The device of claim 13, wherein the keys and policies are bound together by an integrity mechanism of the secure storage area using the hash register, and cannot be separated.

15. A system of computers each having at least one hardware processor and at least one memory external to said processors each said computer comprising:
- at least one cryptographic key register and at least one cryptographic hash value register, said at least one hash value register storing a root hash of a hash tree corresponding to a secure storage area in said at least one memory, said root hash encoding information about the integrity of said secure storage area, each register physically constructed within said hardware processor at a location such that probing of said registers by a user is difficult to achieve without rendering data in said register useless for its intended purpose;
  
  each said computers having loaded thereon at least one trusted software module (TSM); and
  
  a unique symmetric device root encryption key loaded in said cryptographic key register, each set of said registers operatively responding only to a TSM loaded on the same computer.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 16. The system of claim 15 further comprising:
    - loading secure data into at least some of said computers, said secure data being controlled by access rules and said secure data encrypted and hashed under control of said TSM operating with at least indirect or limited access to data in said registers.
  - 17. The system of claim 16 wherein said secure data is loaded to a computer from an authority common to the computers.
  - 18. The system of claim 17 further comprising:
    - means for testing a transmission between said authority and said computer to ensure that said cryptographic key has not been compromised.
  - 19. The system of claim 18 further comprising:
    - means for ensuring that if said cryptographic key has not been compromised, then all data encrypted by said cryptographic key has not been compromised, and that said hash register can only be changed by said TSM.
  - 20. The system of claim 17 wherein said secure data is bound to a usage key which usage key is also bound to a set of zero or more rules, which rules can be different for each set of secure data, and wherein each usage key is bound to a particular system computer.
  - 21. The system of claim 16 wherein said rules provide for revocation of access rights for secure data stored on one or more of said computers.
  - 22. The system of claim 21 wherein said revocation is enforced by said TSM on said specific computer.
  - 23. The system of claim 16 wherein said secure data can be loaded to or added to a specific computer from a third party other than the authority common to said computers upon passage of a certification of authenticity from said specific system computer to said third party, said certificate of authenticity only being allowed under control of said TSM on said specific computer and only in accordance with rules placed on said specific computer by said authority, said rules being part of said secure data loaded from said authority.
  - 24. The system of claim 15 further comprising:
    - means for dynamic code integrity checking of said TSM using said registers.
  - 25. The system of claim 15 wherein said registers are non-volatile.
  - 26. The system of claim 15, wherein the system signs TSM code by computing hash values over cache lines of code and embeds the computed hash values into each cache line of code.

27. A method for storing data on a computer, said method comprising:
- storing a symmetric device root key (DRK) by a trusted authority for storage in a first register contained within a processor of said computer;
  
  storing a storage root hash (SRH) in a second register contained within a processor of said computer, said storage root hash corresponding to a root hash of a hash tree corresponding to a secure storage area within at least one memory external to said hardware portion, said root hash encoding information about the integrity of said secure storage area;
  
  storing a trusted software module (TSM) by said authority on said computer, said TSM being the only software on said computer that can interact with said SRH; and
  
  encrypting any secure data to be stored on said computer under control of said TSM working in conjunction with said DRK.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 28. The method of claim 27 wherein said storing further comprises:
    - associating rules for usage of stored secure data, said rules bound to a derivative key using same said DRK to generate such derivative key.
  - 29. The method of claim 27 wherein said DRK and said hash registers are non-volatile.
  - 30. The method of claim 27 further comprising:
    - allowing DRK to be changed only at initialization of said computer.
  - 31. The method of claim 30 wherein said initialization comprises:
    - bypassing the normal boot process to allow for the setting of said DRK.
  - 32. The method of claim 31 further comprising:
    - setting a flag within said processor prior to running the normal boot process, said flag preventing further modifications to said DRK.
  - 33. The method of claim 31 further comprising:
    - controlling data stored on said computer by said TSM, said stored data being stored under said TSM control being encrypted using said DRK or a derivative thereof in conjunction with said DRK such that said TSM does not gain access to said DRK.
  - 34. The method of claim 27 further comprising:
    - dynamically checking code of said TSM to ensure said code has not been compromised while said TSM is performing its operation on data.
  - 35. The method of claim 27 further comprising:
    - encrypting and/or hashing secure data in the hardware belonging to said TSM before said data leaves said processor, said encrypting based on information in at least one of said registers.
  - 36. The method claim 27 further comprising:
    - encrypting of general registers during interrupts;
      
      system calls or context switches, said encryption based on information in at least one of said registers; and
      
      decrypting said last-mention encrypted registers after returning from said interrupts, system calls or context switches, said decryption based on information in at least one of said registers.
  - 37. The method of claim 27 wherein secure data is bound to a usage key which usage key is bound to at least one or a set of rules, which rules can be different for each set of secure data, and wherein each usage key is bound to said processor via said DRK and is protected from modification by said cryptographic hash register.
  - 38. The method of claim 27 further comprising:
    - at least one region of memory that is only accessible to the TSM.
  - 39. The method of claim 38 further comprising:
    - accessing said TSM-only memory regions using special instructions that access only said regions of memory.
  - 40. The method of claim 27, further comprising signing TSM code by computing hash values over cache lines of code and embedding the computed hash values into each cache line of code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Coresecure Technologies, LLC
Original Assignee
Teleputers, LLC
Inventors
Lee, Ruby B., Dwoskin, Jeffrey S.
Primary Examiner(s)
Hirl, Joseph P.
Assistant Examiner(s)
TRUVAN, LEYNNA THANH

Application Number

US12/541,823
Publication Number

US 20100042824A1
Time in Patent Office

2,440 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/575   Secure boot

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

G06F 2221/2115   Third party

H04L 2209/12   Details relating to cryptog...

H04L 2209/60   Digital content management,...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 9/083   involving central third par...

H04L 9/0844   with user authentication or...

H04L 9/0894   Escrow, recovery or storing...

Hardware trust anchors in SP-enabled processors

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Hardware trust anchors in SP-enabled processors

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links