Service partition virtualization system and method having a secure application

US 9,483,639 B2
Filed: 10/17/2014
Issued: 11/01/2016
Est. Priority Date: 03/13/2014
Status: Active Grant

First Claim

Patent Images

1. A virtualization method for a host computing device having at least one host processor and system resources including memory divided into most privileged system memory and less privileged user memory, the method comprising:

providing an ultraboot application that operates in the less privileged user memory and divides the host computing device into a resource management partition, at least one virtual service partition and at least one virtual guest partition,executing the ultraboot application to divide the host computing device into the resource management partition, the at least one virtual guest partition providing a virtualization environment for at least one guest operating system, the at least one virtual service partition providing a virtualization environment for the basic operations of the virtualization system, and the resource management partition maintaining a resource database for use in managing the use of the at least one host processor and the system resources;

building a secure application;

executing the secure application in the at least one virtual guest partition, wherein the at least one virtual guest partition is an isolated secure partition, wherein the isolated secure partition includes a security manifest portion for controlling the execution of the secure application within the isolated secure partition, wherein the isolated secure partition includes a secure application operating system (OS) portion that supports only the execution of the secure application within the isolated secure partition, wherein the secure application operating system (OS) portion includes a secure application runtime portion that provides the runtime needed to execute the secure application within the isolated secure partition;

maintaining, by a monitor in the most privileged system memory, guest applications in the at least one virtual guest partition within memory space allocated by the at least one virtual service partition to the at least one virtual guest partition; and

controlling multitask processing in the partitions on the at least one host processor by a context switch between the at least one monitor and the respective virtual guest partitions and the at least one virtual service partition,wherein the at least one virtual service partition further comprises a plurality of isolated secure partitions isolated from one another, wherein at least one of the isolated secure partitions includes a secure application executing therein and isolated from the other isolated secure partitions, and wherein at least one of the isolated secure partitions includes a primary secure application executing therein and sharing the isolated secure partition with at least one other secure application that is allowed to be executed with the primary secure application within the isolated secure partition.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure application system and method for a host computing device. The system includes an ultraboot application divides the host computing device into a resource management partition, at least one virtual service partition and at least one virtual guest partition. The virtual service partition provides a virtualization environment for the basic operations of the virtualization system. The virtual service partition is an isolated secure partition having a secure application executing therein. The isolated secure partition includes a security manifest portion for controlling the execution of the secure application within the isolated secure partition, and a secure application operating system (OS) portion that supports only the execution of the secure application within the isolated secure partition. The secure application is executed within the isolated secure partition without the need for any standard operating system (OS).

41 Citations

View as Search Results

26 Claims

1. A virtualization method for a host computing device having at least one host processor and system resources including memory divided into most privileged system memory and less privileged user memory, the method comprising:
- providing an ultraboot application that operates in the less privileged user memory and divides the host computing device into a resource management partition, at least one virtual service partition and at least one virtual guest partition,executing the ultraboot application to divide the host computing device into the resource management partition, the at least one virtual guest partition providing a virtualization environment for at least one guest operating system, the at least one virtual service partition providing a virtualization environment for the basic operations of the virtualization system, and the resource management partition maintaining a resource database for use in managing the use of the at least one host processor and the system resources;
  
  building a secure application;
  
  executing the secure application in the at least one virtual guest partition, wherein the at least one virtual guest partition is an isolated secure partition, wherein the isolated secure partition includes a security manifest portion for controlling the execution of the secure application within the isolated secure partition, wherein the isolated secure partition includes a secure application operating system (OS) portion that supports only the execution of the secure application within the isolated secure partition, wherein the secure application operating system (OS) portion includes a secure application runtime portion that provides the runtime needed to execute the secure application within the isolated secure partition;
  
  maintaining, by a monitor in the most privileged system memory, guest applications in the at least one virtual guest partition within memory space allocated by the at least one virtual service partition to the at least one virtual guest partition; and
  
  controlling multitask processing in the partitions on the at least one host processor by a context switch between the at least one monitor and the respective virtual guest partitions and the at least one virtual service partition,wherein the at least one virtual service partition further comprises a plurality of isolated secure partitions isolated from one another, wherein at least one of the isolated secure partitions includes a secure application executing therein and isolated from the other isolated secure partitions, and wherein at least one of the isolated secure partitions includes a primary secure application executing therein and sharing the isolated secure partition with at least one other secure application that is allowed to be executed with the primary secure application within the isolated secure partition.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method as recited in claim 1, wherein the secure application further comprises a primary secure application, and wherein the primary secure application shares the isolated secure partition with at least one other secure application that is allowed to be executed with the primary secure application within the isolated secure partition.
  - 3. The method as recited in claim 1, wherein the security manifest portion controls the sharing of the isolated secure partition by the primary secure application with the at least one secure application.
  - 4. The method as recited in claim 1, wherein the security manifest portion controls what hardware and software resources the secure application can access within the isolated secure partition.
  - 5. The method as recited in claim 1, wherein the secure application operating system (OS) portion is a Just Enough Operating System (JeOS) that includes only the portions of an operating system required to support the secure application being executed in the isolated secure partition.
  - 6. The method as recited in claim 1, wherein the secure application operating system (OS) portion provides input/output (I/O) functionality and process scheduling needed to execute the secure application within the isolated secure partition.
  - 7. The method as recited in claim 1, wherein the secure application is executed in the isolated secure partition using an s-Par service partition (s-Par) architecture.
  - 8. The method as recited in claim 1, wherein the secure application is executed in the isolated secure partition using a reduced s-Par service partition (s-Par Lite) architecture.
  - 9. The method as recited in claim 1, wherein the secure application is configured to be able to save its current execution state to a physical data storage device coupled to the isolated secure partition, and wherein the secure application is configured to be able resume its previously-saved current execution state without losing any execution progress.
  - 10. The method as recited in claim 1, wherein the secure application is configured to be transferred to at least one platform or device within or coupled to the host computing system.
  - 11. The method as recited in claim 1, further comprising loading the secure application to the isolated secure partition from a flash memory portion of the host computing device.
  - 12. The method as recited in claim 1, wherein the ultraboot application is a Unified Extensible Firmware Interface (UEFI) application, and wherein the UEFI application operates to establish the security of the isolated secure partition and the security of the at least one virtual service partition.
  - 13. The method as recited in claim 1, further comprising authenticating the secure application using a developer certificate.

14. A virtualization system for a host computing device having at least one host processor and system resources including memory divided into most privileged system memory and less privileged user memory, the system comprising:
- an ultraboot application that is stored and operates in the less privileged user memory and divides the host computing device into a resource management partition, at least one virtual service partition and at least one virtual guest partition, the at least one virtual guest partition providing a virtualization environment for at least one guest operating system, the at least one virtual service partition providing a virtualization environment for the basic operations of the virtualization system, and the resource management partition maintaining a resource database for use in managing the use of the at least one host processor and the system resources;
  
  wherein the at least one virtual service partition is an isolated secure partition having a secure application executing therein, wherein the isolated secure partition includes a security manifest portion for controlling the execution of the secure application within the isolated secure partition, wherein the isolated secure partition includes a secure application operating system (OS) portion that supports only the execution of the secure application within the isolated secure partition, wherein the secure application operating system (OS) portion includes a secure application runtime portion that provides the runtime needed to execute the secure application within the isolated secure partition;
  
  at least one monitor that is stored and operates in the most privileged system memory and maintains guest applications in the at least one virtual guest partition within memory space allocated by the at least one virtual service partition to the at least one virtual guest partition; and
  
  a context switch between the at least one monitor and the respective virtual guest partitions and the at least one virtual service partition for controlling multitask processing in the partitions on the at least one host processor,wherein the at least one virtual service partition further comprises a plurality of isolated secure partitions isolated from one another, wherein at least one of the isolated secure partitions includes a secure application executing therein and isolated from the other isolated secure partitions, and wherein at least one of the isolated secure partitions includes a primary secure application executing therein and sharing the isolated secure partition with at least one other secure application that is allowed to be executed with the primary secure application within the isolated secure partition.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The system as recited in claim 14, wherein the secure application further comprises a primary secure application, and wherein the primary secure application shares the isolated secure partition with at least one other secure application that is allowed to be executed with the primary secure application within the isolated secure partition.
  - 16. The system as recited in claim 15, wherein the security manifest portion controls the sharing of the isolated secure partition by the primary secure application with the at least one secure application.
  - 17. The system as recited in claim 14, wherein the security manifest portion controls what hardware and software resources the secure application can access within the isolated secure partition.
  - 18. The system as recited in claim 14, wherein the secure application operating system (OS) portion is a Just Enough Operating System (JeOS) that includes only the portions of an operating system required to support the secure application being executed in the isolated secure partition.
  - 19. The system as recited in claim 14, wherein the secure application operating system (OS) portion provides input/output (I/O) functionality and process scheduling needed to execute the secure application within the isolated secure partition.
  - 20. The system as recited in claim 14, wherein the secure application is executed in the isolated secure partition using an s-Par service partition (s-Par) architecture.
  - 21. The system as recited in claim 14, wherein the secure application is executed in the isolated secure partition using a reduced s-Par service partition (s-Par Lite) architecture.
  - 22. The system as recited in claim 14, wherein the secure application is configured to be able to save its current execution state to a physical data storage device coupled to the isolated secure partition, and wherein the secure application is configured to be able resume its previously-saved current execution state without losing any execution progress.
  - 23. The system as recited in claim 14, wherein the secure application is configured to be transferred to at least one platform or device within or coupled to the host computing system.
  - 24. The system as recited in claim 14, wherein the secure application is loaded to the isolated secure partition from a flash memory portion of the host computing device.
  - 25. The system as recited in claim 14, wherein the ultraboot application is a Unified Extensible Firmware Interface (UEFI) application, and wherein the UEFI application operates to establish the security of the isolated secure partition and the security of the at least one virtual service partition.
  - 26. The system as recited in claim 14, wherein the secure application is authenticated by a developer certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Unisys Corporation
Original Assignee
Unisys Corporation
Inventors
DiDomenico, Michael J, Sliwa, Robert J, Burchett, Brittney
Primary Examiner(s)
DAO, THUY CHAN

Application Number

US14/517,038
Publication Number

US 20150261560A1
Time in Patent Office

746 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45583   Memory management, e.g. acc...

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/64   Protecting data integrity, ...

G06F 2221/034   Test or assess a computer o...

G06F 9/5077   Logical partitioning of res...

Service partition virtualization system and method having a secure application

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

41 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Service partition virtualization system and method having a secure application

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links