Updating software
First Claim
Patent Images
1. A method comprising:
- loading, using a boot process, a first set of boot components in a chain of trust;
establishing, using a hypervisor, the chain of trust for the set of boot components, wherein the hypervisor represents a trust anchor for the chain of trust;
storing, in a platform configuration register, a first set of boot component measurements for the first set of boot components, the first set of boot component measurement representing a first set of attestation values for use in verifying the chain of trust;
loading, with respect to the first set of boot components, an update forming part of the chain of trust during a boot process in an execution environment, the update creating a second set of boot components;
detecting, for the second set of boot components, a second set of boot component measurements;
storing, in the platform configuration register, the second set of boot component measurements as a second set of attestation values;
notifying an attestation system that the second set of attestation values correspond to the chain of trust including the update;
retrieving, by an attestation process performed by the attestation system, based on the notice, the second set of attestation values for attestation of the chain of trust;
comparing, by the attestation process, the second set of boot component measurements with the second set of attestation values;
determining, by the attestation process and based on comparing the second set of boot component measurements with the second set of attestation values, a pass indication for the chain of trust including the update; and
performing, in response to determining the pass indication for the chain of trust, the update for the second set of boot components.
1 Assignment
0 Petitions
Accused Products
Abstract
Updating boot components in compliance with a chain of trust by loading a boot component update forming part of the chain of trust during a boot process in an execution environment. Boot component measurements are detected and stored as a revised set of attestation values for retrieval by an attestation system. Performing the boot component update upon determining a pass indication for the chain of trust including the boot component update.
96 Citations
6 Claims
-
1. A method comprising:
-
loading, using a boot process, a first set of boot components in a chain of trust; establishing, using a hypervisor, the chain of trust for the set of boot components, wherein the hypervisor represents a trust anchor for the chain of trust; storing, in a platform configuration register, a first set of boot component measurements for the first set of boot components, the first set of boot component measurement representing a first set of attestation values for use in verifying the chain of trust; loading, with respect to the first set of boot components, an update forming part of the chain of trust during a boot process in an execution environment, the update creating a second set of boot components; detecting, for the second set of boot components, a second set of boot component measurements; storing, in the platform configuration register, the second set of boot component measurements as a second set of attestation values; notifying an attestation system that the second set of attestation values correspond to the chain of trust including the update; retrieving, by an attestation process performed by the attestation system, based on the notice, the second set of attestation values for attestation of the chain of trust; comparing, by the attestation process, the second set of boot component measurements with the second set of attestation values; determining, by the attestation process and based on comparing the second set of boot component measurements with the second set of attestation values, a pass indication for the chain of trust including the update; and performing, in response to determining the pass indication for the chain of trust, the update for the second set of boot components. - View Dependent Claims (2)
-
-
3. A computer program product comprising a non-transitory computer-readable storage medium having a set of instructions stored therein which, when executed by a processor, causes the processor to update a set of boot components by:
-
loading, using a boot process, a first set of boot components in a chain of trust; establishing, using a hypervisor, the chain of trust for the set of boot components, wherein the hypervisor represents a trust anchor for the chain of trust; storing, in a platform configuration register, a first set of boot component measurements for the first set of boot components, the first set of boot component measurement representing a first set of attestation values for use in verifying the chain of trust; loading, with respect to the first set of boot components, an update forming part of the chain of trust during a boot process in an execution environment, the update creating a second set of boot components; detecting, for the second set of boot components, a second set of boot component measurements; storing, in the platform configuration register, the second set of boot component measurements as a second set of attestation values; notifying an attestation system that the second set of attestation values correspond to the chain of trust including the update; retrieving, by an attestation process performed by the attestation system, based on the notice, the second set of attestation values for attestation of the chain of trust; comparing, by the attestation process, the second set of boot component measurements with the second set of attestation values; determining, by the attestation process and based on comparing the second set of boot component measurements with the second set of attestation values, a pass indication for the chain of trust including the update; and performing, in response to determining the pass indication for the chain of trust, the update for the second set of boot components. - View Dependent Claims (4)
-
-
5. A computer system comprising:
-
a processor set; and a computer readable storage medium; wherein; the processor set is structured, located, connected, and/or programmed to run program instructions stored on the computer readable storage medium; and the program instructions which, when executed by the processor set, cause the processor set to update a set of boot components by; loading, using a boot process, a first set of boot components in a chain of trust; establishing, using a hypervisor, the chain of trust for the set of boot components, wherein the hypervisor represents a trust anchor for the chain of trust; storing, in a platform configuration register, a first set of boot component measurements for the first set of boot components, the first set of boot component measurement representing a first set of attestation values for use in verifying the chain of trust; loading, with respect to the first set of boot components, an update forming part of the chain of trust during a boot process in an execution environment, the update creating a second set of boot components; detecting, for the second set of boot components, a second set of boot component measurements; storing, in the platform configuration register, the second set of boot component measurements as a second set of attestation values; notifying an attestation system that the second set of attestation values correspond to the chain of trust including the update; retrieving, by an attestation process performed by the attestation system, based on the notice, the second set of attestation values for attestation of the chain of trust; comparing, by the attestation process, the second set of boot component measurements with the second set of attestation values; determining, by the attestation process and based on comparing the second set of boot component measurements with the second set of attestation values, a pass indication for the chain of trust including the update; and performing, in response to determining the pass indication for the chain of trust, the update for the second set of boot components. - View Dependent Claims (6)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeInternational Business Machines Corporation
-
Original AssigneeInternational Business Machines Corporation
-
InventorsGilbert, David A., Haikney, David, Walker, James W.
-
Primary Examiner(s)Dao, Thuy
-
Application NumberUS15/967,940Publication NumberTime in Patent Office714 DaysField of SearchUS Class CurrentCPC Class CodesG06F 11/3664 Environments for testing or...G06F 11/3688 for test execution, e.g. sc...G06F 2009/45562 Creating, deleting, cloning...G06F 21/575 Secure bootG06F 8/60 Software deploymentG06F 8/65 Updates security arrangemen...G06F 8/656 while runningG06F 8/70 Software maintenance or man...G06F 8/71 Version control security ar...G06F 9/4406 Loading of operating systemG06F 9/45558 Hypervisor-specific managem...
