Secure vault service for software components within an execution environment
First Claim
1. A computing platform comprising:
- at least one processor that includes hardware and is capable of executing an operating system;
- the operating system comprising at least one operating system component capable of determining, at least in part, in response at least in part to at least one event associated at least in part with software, whether to provide the software with an execution environment of the operating system, the determining being based at least in part upon user-definable policy and verification of cryptographic signature information, the cryptographic signature information being obtainable, at least in part, by the at least one operating system component, the cryptographic signature information being associated, at least in part, with integrity verification of the software, the integrity verification being based upon a state associated with the software at time of manufacture of the software, the integrity verification being (1) to detect unauthorized modification of the software from the state at the time of the manufacture and (2) to prevent provision of the execution environment to unrecognized software;
- the execution environment, if provided, being associated with at least one access restriction to prevent unauthorized access by at least one unauthorized component, the at least one access restriction being associated at least in part with the software and the cryptographic signature information;
- the execution environment being one of multiple possible execution environments that are capable of being provided for multiple respective components in the platform, at least one of the multiple respective components in at least one other of the multiple possible execution environments to be prevented, at least in part, by the at least one operating system component, from accessing the one of the multiple possible execution environments based at least in part upon the user-definable policy and the cryptographic signature information.
Abstract
Embodiments of apparatuses, articles, methods, and systems for a secure vault service for software components within an execution environment are generally described herein. An embodiment includes the ability of a Virtual Machine Monitor, Operating System Monitor, or other underlying platform capability to restrict memory regions for access only by specifically authenticated, authorized and verified software components, even when they are part of an otherwise compromised operating system environment. The underlying platform locks and unlocks secrets on behalf of the authenticated/authorized/verified software component, and provides them in protected memory regions accessible only to that component. Other embodiments may be described and claimed.
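The control flow the abstract and claim 1 describe, as an added example in Go (not code from the patent or its assignee): a manifest signed at time of manufacture, an OS-side admission check on the load event that verifies the signature, compares the code actually presented against the signed hash and then consults a user-definable policy, and a per-environment vault that releases a secret only to the environment that locked it. The manifest format, the policy shape, the component names and code bytes, and the in-memory map standing in for a VMM-protected memory region are all assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is signed by the manufacturer at build time: component name plus the
// SHA-256 of the code as built. The record format is an assumption of this example.
type Manifest struct {
	Name      string
	CodeHash  [32]byte
	Signature []byte // Ed25519 over Name || 0x00 || CodeHash (binds name to hash)
}

func manifestMessage(name string, h [32]byte) []byte { return append([]byte(name+"\x00"), h[:]...) }

// SignManifest is the manufacturer's build-time step.
func SignManifest(priv ed25519.PrivateKey, name string, code []byte) Manifest {
	h := sha256.Sum256(code)
	return Manifest{Name: name, CodeHash: h, Signature: ed25519.Sign(priv, manifestMessage(name, h))}
}

var (
	ErrBadSignature = errors.New("manifest not signed by the trusted manufacturer key")
	ErrTampered     = errors.New("code differs from the state signed at manufacture")
	ErrPolicyDenied = errors.New("component not permitted by user policy")
	ErrNoAccess     = errors.New("caller's execution environment does not own this vault entry")
)

// Platform stands in for the OS component / VMM. Each admitted component gets an
// environment ID and a vault keyed by it; the map is a stand-in for a memory
// region the monitor makes inaccessible to every other environment.
type Platform struct {
	trusted ed25519.PublicKey
	policy  map[string]bool // user-definable allow list by component name
	nextEnv int
	vaults  map[int]map[string][]byte // must be initialised, as in RunScenario
}

// Admit handles the load event: signature first (an unverified manifest's hash
// proves nothing), then presented code against the signed hash, then policy.
func (p *Platform) Admit(m Manifest, code []byte) (int, error) {
	if !ed25519.Verify(p.trusted, manifestMessage(m.Name, m.CodeHash), m.Signature) {
		return 0, ErrBadSignature
	}
	if sha256.Sum256(code) != m.CodeHash { // [32]byte arrays compare by value
		return 0, ErrTampered
	}
	if !p.policy[m.Name] {
		return 0, ErrPolicyDenied
	}
	p.nextEnv++
	p.vaults[p.nextEnv] = map[string][]byte{}
	return p.nextEnv, nil
}

// Lock stores a secret for environment env; Unlock releases it only to that
// environment. Any other caller, admitted or not, gets the same ErrNoAccess.
func (p *Platform) Lock(env int, name string, secret []byte) error {
	if _, ok := p.vaults[env]; !ok {
		return ErrNoAccess
	}
	p.vaults[env][name] = append([]byte(nil), secret...)
	return nil
}
func (p *Platform) Unlock(env int, name string) ([]byte, error) {
	s, ok := p.vaults[env][name] // indexing a missing (nil) inner map is safe in Go
	if !ok {
		return nil, ErrNoAccess
	}
	return append([]byte(nil), s...), nil
}

// Outcome holds RunScenario's results so they can be printed or asserted on.
type Outcome struct {
	EnvA, EnvB                                     int
	TamperedErr, ForgedErr, DeniedErr, OtherEnvErr error
	OwnerSecret                                    []byte
}

// RunScenario walks each rejection path of the claim and the vault restriction.
// Keys, component names and code bytes are all constructed for the example.
func RunScenario() Outcome {
	mfrPub, mfrPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	codeA, codeB := []byte("tpm-agent v1 image (constructed)"), []byte("telemetry v3 image (constructed)")
	p := &Platform{trusted: mfrPub, policy: map[string]bool{"tpm-agent": true, "telemetry": true}, vaults: map[int]map[string][]byte{}}
	var o Outcome
	o.EnvA, _ = p.Admit(SignManifest(mfrPriv, "tpm-agent", codeA), codeA)
	o.EnvB, _ = p.Admit(SignManifest(mfrPriv, "telemetry", codeB), codeB)
	patched := append([]byte{codeA[0] ^ 1}, codeA[1:]...) // one-bit change after manufacture
	_, o.TamperedErr = p.Admit(SignManifest(mfrPriv, "tpm-agent", codeA), patched)
	_, o.ForgedErr = p.Admit(SignManifest(roguePriv, "tpm-agent", codeA), codeA)
	_, o.DeniedErr = p.Admit(SignManifest(mfrPriv, "updater", codeA), codeA)
	_ = p.Lock(o.EnvA, "db-password", []byte("hunter2"))
	o.OwnerSecret, _ = p.Unlock(o.EnvA, "db-password")
	_, o.OtherEnvErr = p.Unlock(o.EnvB, "db-password")
	return o
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

Two design points carry over to a real platform. The signature must cover the component name together with the hash, otherwise a manufacturer-signed hash for a policy-permitted component could be re-labelled to smuggle a different component past the policy check. And the environment identity passed to Lock and Unlock must be supplied by the monitor from the caller's actual context, not by the caller itself; returning one undifferentiated ErrNoAccess for a foreign environment, an unadmitted one, and a missing entry also avoids leaking whether another component holds a given secret.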
131 Citations
8 Claims
1. As set out above under First Claim. Dependent claims: 2, 3, 4.
5. One or more non-transitory machine-readable media storing instructions that when executed by at least one processor result in performance of operations comprising:
- executing an operating system;
- the operating system comprising at least one operating system component capable of determining, at least in part, in response at least in part to at least one event associated at least in part with software, whether to provide the software with an execution environment of the operating system, the determining being based at least in part upon user-definable policy and verification of cryptographic signature information, the cryptographic signature information being obtainable, at least in part, by the at least one operating system component, the cryptographic signature information being associated, at least in part, with integrity verification of the software, the integrity verification being based upon a state associated with the software at time of manufacture of the software, the integrity verification being (1) to detect unauthorized modification of the software from the state at the time of the manufacture and (2) to prevent provision of the execution environment to unrecognized software;
- the execution environment, if provided, being associated with at least one access restriction to prevent unauthorized access by at least one unauthorized component, the at least one access restriction being associated at least in part with the software and the cryptographic signature information;
- the execution environment being one of multiple possible execution environments that are capable of being provided for multiple respective components in the platform, at least one of the multiple respective components in at least one other of the multiple possible execution environments to be prevented, at least in part, by the at least one operating system component, from accessing the one of the multiple possible execution environments based at least in part upon the user-definable policy and the cryptographic signature information.
Dependent claims: 6, 7, 8.
Specification