Domain-authenticated control of platform resources
First Claim
Patent Images
1. A computer-implemented method comprising:
- obtaining a domain credential for a platform prior to loading an operating system for the platform;
authenticating, prior to loading the operating system for the platform, the domain credential with a domain controller remote from the platform;
establishing, prior to loading the operating system for the platform, a secure channel between the platform and the remote domain controller to receive an access control policy for the platform;
receiving, prior to loading the operating system for the platform, the access control policy via the secure channel in response to authenticating the domain credential with the domain controller, wherein the access control policy comprises a resource identifier corresponding to a local resource of the platform that the domain credential has authority to access and firmware measurement data usable to verify the identity of the resource;
identifying, prior to loading the operating system for the platform, the local resource of the platform that the domain credential has authority to access based on the resource identifier of the access control policy and the firmware measurement data; and
using the domain credential to unlock the local resource of the platform prior to loading the operating system for the platform.
1 Assignment
0 Petitions
Accused Products
Abstract
A method, apparatus, system, and computer program product for domain-authenticated control of platform resources. Resources under the control of the platform are managed in accordance with access control rules that are centrally managed by a directory service. Security policies are uniformly applied by requiring authorization of the user'"'"'s access to platform resources including hard drives, flash memory, sensors, network controllers and power state controllers.
24 Citations
27 Claims
-
1. A computer-implemented method comprising:
-
obtaining a domain credential for a platform prior to loading an operating system for the platform; authenticating, prior to loading the operating system for the platform, the domain credential with a domain controller remote from the platform; establishing, prior to loading the operating system for the platform, a secure channel between the platform and the remote domain controller to receive an access control policy for the platform; receiving, prior to loading the operating system for the platform, the access control policy via the secure channel in response to authenticating the domain credential with the domain controller, wherein the access control policy comprises a resource identifier corresponding to a local resource of the platform that the domain credential has authority to access and firmware measurement data usable to verify the identity of the resource; identifying, prior to loading the operating system for the platform, the local resource of the platform that the domain credential has authority to access based on the resource identifier of the access control policy and the firmware measurement data; and using the domain credential to unlock the local resource of the platform prior to loading the operating system for the platform. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A system comprising:
-
at least one processor; and a memory coupled to the at least one processor, the memory comprising instructions for performing the following; obtaining a domain credential for a platform prior to loading an operating system for the platform; authenticating, prior to loading the operating system for the platform, the domain credential with a domain controller remote from the platform; establishing, prior to loading the operating system for the platform, a secure channel between the platform and the remote domain controller to receive an access control policy for the platform; receiving, prior to loading the operating system for the platform, the access control policy via the secure channel in response to authenticating the domain credential with the domain controller, wherein the access control policy comprises a resource identifier corresponding to a local resource of the platform that the domain credential has authority to access and firmware measurement data usable to verify the identity of the resource; identifying, prior to loading the operating system for the platform, the local resource of the platform that the domain credential has authority to access based on the resource identifier of the access control policy and the firmware measurement data; and using the domain credential to unlock the local resource of the platform prior to loading the operating system for the platform. - View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
-
-
17. A computer program product comprising:
-
a computer-readable storage medium; and instructions in the computer-readable storage medium, wherein the instructions, when executed in a processing system, cause the processing system to perform operations comprising; obtaining a domain credential for a platform prior to loading an operating system for the platform; authenticating, prior to loading the operating system for the platform, the domain credential with a domain controller remote from the platform; establishing, prior to loading the operating system for the platform, a secure channel between the platform and the remote domain controller to receive an access control policy for the platform; receiving, prior to loading the operating system for the platform, the access control policy via the secure channel in response to authenticating the domain credential with the domain controller, wherein the access control policy comprises a resource identifier corresponding to a local resource of the platform that the domain credential has authority to access and firmware measurement data usable to verify the identity of the resource; identifying, prior to loading the operating system for the platform, the local resource of the platform that the domain credential has authority to access based on the resource identifier of the access control policy and the firmware measurement data; and using the domain credential to unlock the local resource of the platform prior to loading the operating system for the platform. - View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
-
-
25. A computer-implemented method comprising:
-
receiving a domain credential for a platform at a domain controller remote from the platform prior to loading an operating system for the platform; authenticating, prior to loading the operating system for the platform, the domain credential; establishing, prior to loading the operating system for the platform, a secure channel between the platform and the domain controller to provide an access control policy to the platform; and providing, prior to loading the operating system for the platform, the access control policy, via the secure channel, to the platform in response to authenticating the domain credential, wherein the access policy comprises a resource identifier for identifying a local resource of the platform that the domain credential has authority to access, firmware measurement data usable to verify the identity of the resource and a token to unlock the local resource. - View Dependent Claims (26, 27)
-
Specification