Domain-authenticated control of platform resources

US 10,482,254 B2
Filed: 07/14/2010
Issued: 11/19/2019
Est. Priority Date: 07/14/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

obtaining a domain credential for a platform prior to loading an operating system for the platform;

authenticating, prior to loading the operating system for the platform, the domain credential with a domain controller remote from the platform;

establishing, prior to loading the operating system for the platform, a secure channel between the platform and the remote domain controller to receive an access control policy for the platform;

receiving, prior to loading the operating system for the platform, the access control policy via the secure channel in response to authenticating the domain credential with the domain controller, wherein the access control policy comprises a resource identifier corresponding to a local resource of the platform that the domain credential has authority to access and firmware measurement data usable to verify the identity of the resource;

identifying, prior to loading the operating system for the platform, the local resource of the platform that the domain credential has authority to access based on the resource identifier of the access control policy and the firmware measurement data; and

using the domain credential to unlock the local resource of the platform prior to loading the operating system for the platform.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus, system, and computer program product for domain-authenticated control of platform resources. Resources under the control of the platform are managed in accordance with access control rules that are centrally managed by a directory service. Security policies are uniformly applied by requiring authorization of the user'"'"'s access to platform resources including hard drives, flash memory, sensors, network controllers and power state controllers.

24 Citations

27 Claims

1. A computer-implemented method comprising:
- obtaining a domain credential for a platform prior to loading an operating system for the platform;
  
  authenticating, prior to loading the operating system for the platform, the domain credential with a domain controller remote from the platform;
  
  establishing, prior to loading the operating system for the platform, a secure channel between the platform and the remote domain controller to receive an access control policy for the platform;
  
  receiving, prior to loading the operating system for the platform, the access control policy via the secure channel in response to authenticating the domain credential with the domain controller, wherein the access control policy comprises a resource identifier corresponding to a local resource of the platform that the domain credential has authority to access and firmware measurement data usable to verify the identity of the resource;
  
  identifying, prior to loading the operating system for the platform, the local resource of the platform that the domain credential has authority to access based on the resource identifier of the access control policy and the firmware measurement data; and
  
  using the domain credential to unlock the local resource of the platform prior to loading the operating system for the platform.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the domain credential comprises at least one of a credential for a user of the platform and a credential for a secure partition of the platform.
  - 3. The method of claim 1 further comprising:
    - using the domain credential to obtain a key to decrypt data stored on the local resource; and
      
      using the key to decrypt the data stored on the local resource.
  - 4. The method of claim 1, wherein the access control policy for the platform is maintained by the domain controller;
    - andwherein identifying the local resource of the platform that the domain credential has authority to access comprises reviewing the received access control policy for the platform.
  - 5. The method of claim 1, wherein unlocking the local resource of the platform comprises establishing a secure communication session between the remote domain controller and the local resource.
  - 6. The method of claim 1, wherein unlocking the local resource comprises providing power to the local resource.
  - 7. The method of claim 1 further comprising:
    - obtaining an unlock token from the domain controller, wherein unlocking the local resource comprises using the unlock token to unlock the local resource.
  - 8. The method of claim 1, wherein the local resource comprises at least one of an ATA device and a chipset-controlled resource.

9. A system comprising:
- at least one processor; and
  
  a memory coupled to the at least one processor, the memory comprising instructions for performing the following;
  
  obtaining a domain credential for a platform prior to loading an operating system for the platform;
  
  authenticating, prior to loading the operating system for the platform, the domain credential with a domain controller remote from the platform;
  
  establishing, prior to loading the operating system for the platform, a secure channel between the platform and the remote domain controller to receive an access control policy for the platform;
  
  receiving, prior to loading the operating system for the platform, the access control policy via the secure channel in response to authenticating the domain credential with the domain controller, wherein the access control policy comprises a resource identifier corresponding to a local resource of the platform that the domain credential has authority to access and firmware measurement data usable to verify the identity of the resource;
  
  identifying, prior to loading the operating system for the platform, the local resource of the platform that the domain credential has authority to access based on the resource identifier of the access control policy and the firmware measurement data; and
  
  using the domain credential to unlock the local resource of the platform prior to loading the operating system for the platform.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the domain credential comprises at least one of a credential for a user of the platform and a credential for a secure partition of the platform.
  - 11. The system of claim 9, wherein the instructions further comprise instructions for performing the following:
    - using the domain credential to obtain a key to decrypt data stored on the local resource; and
      
      using the key to decrypt the data stored on the local resource.
  - 12. The system of claim 9, wherein the access control policy for the platform is maintained by the domain controller;
    - andwherein identifying the local resource of the platform that the domain credential has authority to access comprises reviewing the received access control policy for the platform.
  - 13. The system of claim 9, wherein unlocking the local resource of the platform comprises establishing a secure communication session between the remote domain controller and the local resource.
  - 14. The system of claim 9, wherein unlocking the local resource comprises providing power to the local resource.
  - 15. The system of claim 9, wherein the instructions further comprise instructions for performing the following:
    - obtaining an unlock token from the domain controller, wherein unlocking the local resource comprises using the unlock token to unlock the local resource.
  - 16. The system of claim 9, wherein the local resource comprises at least one of an ATA device and a chipset-controlled resource.

17. A computer program product comprising:
- a computer-readable storage medium; and
  
  instructions in the computer-readable storage medium, wherein the instructions, when executed in a processing system, cause the processing system to perform operations comprising;
  
  obtaining a domain credential for a platform prior to loading an operating system for the platform;
  
  authenticating, prior to loading the operating system for the platform, the domain credential with a domain controller remote from the platform;
  
  establishing, prior to loading the operating system for the platform, a secure channel between the platform and the remote domain controller to receive an access control policy for the platform;
  
  receiving, prior to loading the operating system for the platform, the access control policy via the secure channel in response to authenticating the domain credential with the domain controller, wherein the access control policy comprises a resource identifier corresponding to a local resource of the platform that the domain credential has authority to access and firmware measurement data usable to verify the identity of the resource;
  
  identifying, prior to loading the operating system for the platform, the local resource of the platform that the domain credential has authority to access based on the resource identifier of the access control policy and the firmware measurement data; and
  
  using the domain credential to unlock the local resource of the platform prior to loading the operating system for the platform.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The computer program product of claim 17, wherein the domain credential comprises at least one of a credential for a user of the platform and a credential for a secure partition of the platform.
  - 19. The computer program product of claim 17, wherein the instructions further cause the processing system to perform operations comprising:
    - using the domain credential to obtain a key to decrypt data stored on the local resource; and
      
      using the key to decrypt the data stored on the local resource.
  - 20. The computer program product of claim 17, wherein the access control policy for the platform is maintained by the domain controller;
    - andwherein identifying the local resource of the platform that the domain credential has authority to access comprises reviewing the received access control policy for the platform.
  - 21. The computer program product of claim 17, wherein unlocking the local resource of the platform comprises establishing a secure communication session between the remote domain controller and the local resource.
  - 22. The computer program product of claim 17, wherein unlocking the local resource comprises providing power to the local resource.
  - 23. The computer program product of claim 17, wherein the instructions further cause the processing system to perform operations comprising:
    - obtaining an unlock token from the domain controller, wherein unlocking the local resource comprises using the unlock token to unlock the local resource.
  - 24. The computer program product of claim 17, wherein the local resource comprises at least one of an ATA device and a chipset-controlled resource.

25. A computer-implemented method comprising:
- receiving a domain credential for a platform at a domain controller remote from the platform prior to loading an operating system for the platform;
  
  authenticating, prior to loading the operating system for the platform, the domain credential;
  
  establishing, prior to loading the operating system for the platform, a secure channel between the platform and the domain controller to provide an access control policy to the platform; and
  
  providing, prior to loading the operating system for the platform, the access control policy, via the secure channel, to the platform in response to authenticating the domain credential, wherein the access policy comprises a resource identifier for identifying a local resource of the platform that the domain credential has authority to access, firmware measurement data usable to verify the identity of the resource and a token to unlock the local resource.
- View Dependent Claims (26, 27)
- - 26. The method of claim 25, wherein the domain credential comprises at least one of a credential for a user of the platform and a credential for a secure partition of the platform.
  - 27. The method of claim 25, wherein the local resource comprises at least one of an ATA device and a chipset-controlled resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Smith, Ned M., Grobman, Steven L., Owen, Craig T.
Primary Examiner(s)
Kyle, Tamara T

Application Number

US12/836,156
Publication Number

US 20120017271A1
Time in Patent Office

3,415 Days
Field of Search

726 16- 21, 726 26- 29
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/575   Secure boot

G06F 21/74   operating in dual or compar...

G06F 21/88   Detecting or preventing the...

G06F 2221/2105   Dual mode as a secondary as...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

G06F 2221/2147   Locking files

G06F 2221/2149   Restricted operating enviro...

G06F 9/4401   Bootstrapping security arra...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/102   Entity profiles

Domain-authenticated control of platform resources

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

24 Citations

27 Claims

Specification

Use Cases

Quick Links

Others

Domain-authenticated control of platform resources

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

27 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others