Enclave pool management
First Claim
1. An apparatus, comprising:
a device including at least one memory adapted to store run-time data for the device, and at least one processor that is adapted to execute processor-executable code that, in response to execution, enables the device to perform actions, including:
forming an enclave pool, wherein the enclave pool includes a plurality of enclaves, wherein the enclaves are secure execution environments, and wherein each enclave of the enclave pool has an enclave key pair including a private enclave key and a public enclave key;
registering the public enclave key of each enclave in the enclave pool in an enclave pool registry;
generating a shared enclave pool key that is derived from the public enclave key of each enclave of the enclave pool;
storing, in a shared key ledger, the shared enclave pool key as a first version of the shared enclave pool key;
each time a change in membership occurs to the enclave pool:
updating the enclave pool registry based on the change in membership to the enclave pool, such that the updated enclave pool registry includes a registration of the public enclave key of each enclave in the changed enclave pool;
replacing the shared enclave pool key with an updated shared enclave pool key that is derived from the public enclave key of each enclave in the changed enclave pool; and
storing, in the shared key ledger, the updated shared enclave pool key as another version of the shared enclave pool key;
allocating a first enclave of the enclave pool to a first cryptlet;
receiving a payload of the first enclave such that the payload of the first enclave has a first digital signature by the private enclave key of the first enclave;
allocating a second enclave of the enclave pool to the first cryptlet;
receiving a payload of the second enclave such that the payload of the second enclave has a second digital signature by the private enclave key of the second enclave;
validating the first digital signature against each version of the shared enclave pool key in the shared key ledger; and
validating the second digital signature against each version of the shared enclave pool key in the shared key ledger.
Abstract
The public enclave key of each enclave in an enclave pool may be registered in an enclave pool registry, and the registry updated each time there is an enclave pool membership change. A shared enclave pool key may be derived from the public enclave key of each enclave of the enclave pool. The shared enclave pool key may be stored, in a shared key ledger, as a first version of the shared enclave key, and an updated version of the shared key may be generated and stored as another version each time there is an enclave pool membership change. The output of a cryptlet that executed in multiple enclaves may be signed with the enclave private key of each enclave in which the cryptlet executed. Each enclave signature may be compared against each version of the shared enclave pool key in the shared key ledger.
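An added illustration of the flow in the abstract (not code from the patent). It assumes the shared pool key is a SHA-256 hash over the sorted member public keys and uses Lamport one-time signatures as a standard-library stand-in for the enclave key pair; the text above specifies neither, and `Pool`, `pool_key` and `demo` are hypothetical names. It shows why signatures are checked against every ledger version: a payload signed by an enclave that has since left the pool validates only under the older version.

```python
import hashlib, secrets

def H(b): return hashlib.sha256(b).digest()

# Lamport one-time signatures stand in for the enclave key pair (assumption).
def keygen():
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    return sk, b"".join(H(s) for pair in sk for s in pair)

def bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return all(H(sig[i]) == pk[64 * i + 32 * b: 64 * i + 32 * b + 32]
               for i, b in enumerate(bits(msg)))

def pool_key(pubkeys):
    # Assumed derivation: hash over the sorted public keys of all members.
    return H(b"".join(sorted(pubkeys)))

class Pool:
    def __init__(self, pubkeys):
        self.registry = set(pubkeys)   # enclave pool registry
        self.ledger = []               # shared key ledger, one entry per version
        self._record()
    def _record(self):
        self.ledger.append((pool_key(self.registry), frozenset(self.registry)))
    def change_membership(self, add=(), remove=()):
        self.registry = (self.registry | set(add)) - set(remove)
        self._record()                 # every change stores another version
    def validate(self, signer_pk, payload, sig):
        """Return the ledger versions under which the signature validates."""
        return [v for v, (key, members) in enumerate(self.ledger, 1)
                if signer_pk in members and pool_key(members) == key
                and verify(signer_pk, payload, sig)]

def demo():
    (sk_a, pk_a), (_, pk_b), (sk_c, pk_c) = keygen(), keygen(), keygen()
    m1, m2 = b"cryptlet output, part 1", b"cryptlet output, part 2"  # constructed
    pool = Pool([pk_a, pk_b])                          # version 1: {A, B}
    sig_a = sign(sk_a, m1)                             # cryptlet runs in enclave A
    pool.change_membership(add=[pk_c], remove=[pk_a])  # version 2: {B, C}
    sig_c = sign(sk_c, m2)                             # cryptlet continues in C
    return (pool.validate(pk_a, m1, sig_a), pool.validate(pk_c, m2, sig_c),
            pool.validate(pk_a, b"tampered", sig_a))

if __name__ == "__main__":
    print(demo())
```

A verifier that consulted only the newest ledger entry would reject enclave A's payload even though A was a legitimate pool member when it signed.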
96 Citations
20 Claims
10. A method, comprising:
each time a change in membership occurs to an enclave pool, wherein the enclave pool includes a plurality of enclaves, wherein the enclaves are secure execution environments, and wherein each enclave of the enclave pool has an enclave key pair including a private enclave key and a public enclave key:
updating an enclave pool registry that is associated with the enclave pool based on the change in membership to the enclave pool, such that the updated enclave pool registry includes a registration of the public enclave key of each enclave in the changed enclave pool;
replacing a shared enclave pool key that is associated with the enclave pool with an updated shared enclave pool key that is derived from the public enclave key of each enclave in the changed enclave pool; and
storing, in a shared key ledger, a version of the shared enclave pool key; and
validating at least one payload of at least one enclave of the changed enclave pool based on the shared enclave pool key.
17. A processor-readable storage medium, having stored thereon processor-executable code that, upon execution by at least one processor, enables actions, comprising:
upon a membership change occurring with an enclave pool, wherein the enclave pool includes a plurality of enclaves:
updating a shared enclave pool key that is associated with the enclave pool with an updated shared enclave pool key that is generated based on a public enclave key of each enclave in the changed enclave pool; and
adding, to a shared key ledger, a version of the shared enclave pool key; and
validating at least one payload of at least one enclave of the changed enclave pool based on the shared enclave pool key.
Specification