CRYPTOGRAPHIC CERTIFICATION OF SECURE HOSTED EXECUTION ENVIRONMENTS
First Claim
1. A method comprising:
initializing, by a security-enabled processor of a computing system, a secure execution environment cryptographically certifiable as including a hardware-protected memory area established in an activation state to refrain from executing software not trusted by a client system, the hardware-protected memory area inaccessible to code that executes outside of the hardware-protected memory area, the hardware-protected memory area executing non-kernel mode code; and
providing, by a host operating system of the computing system, a persistence module executing in the secure execution environment with an encrypted checkpoint, the encrypted checkpoint derived at least partly from another secure execution environment cryptographically certifiable as including another hardware-protected memory area established in an activation state to refrain from executing software not trusted by the client system.
Abstract
Implementations for providing a persistent secure execution environment with a hosted computer are described. A host operating system of a computing system provides an encrypted checkpoint to a persistence module that executes in a secure execution environment of a hardware-protected memory area initialized by a security-enabled processor. The encrypted checkpoint is derived at least partly from another secure execution environment that is cryptographically certifiable as including another hardware-protected memory area established in an activation state to refrain from executing software not trusted by the client system.
20 Claims
1. A method comprising:
initializing, by a security-enabled processor of a computing system, a secure execution environment cryptographically certifiable as including a hardware-protected memory area established in an activation state to refrain from executing software not trusted by a client system, the hardware-protected memory area inaccessible to code that executes outside of the hardware-protected memory area, the hardware-protected memory area executing non-kernel mode code; and
providing, by a host operating system of the computing system, a persistence module executing in the secure execution environment with an encrypted checkpoint, the encrypted checkpoint derived at least partly from another secure execution environment cryptographically certifiable as including another hardware-protected memory area established in an activation state to refrain from executing software not trusted by the client system.
Dependent claims: 2, 3, 4, 5, 6, 7
8. Computer-readable media comprising a plurality of programming instructions that are executable by one or more processors to cause a computing system to:
execute a secure execution environment that is cryptographically certifiable as including a hardware-protected memory area that is established in an activation state to refrain from executing software not trusted by a client system, the hardware-protected memory area inaccessible to code that executes outside of the hardware-protected memory area, the hardware-protected memory area configured to execute non-kernel mode code;
provide a persistence module in the secure execution environment with an encrypted checkpoint and a sealed persistence key, the encrypted checkpoint derived at least partly from another secure execution environment that is cryptographically certifiable as including another hardware-protected memory area that includes no software untrusted by the client system.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A computing system comprising:
memory;
one or more processors, including a security-enabled processor configured to establish at least a hardware-protected memory area on the memory in an activation state to refrain from executing software not trusted by a client system, the hardware-protected memory area inaccessible to code that executes outside of the hardware-protected memory area, the hardware-protected memory area configured to execute non-kernel mode code; and
a persistence module stored in the protected memory area and executable by the one or more processors to:
receive from a host Operating System a request to persist an execution state of a secure execution environment executing within the protected memory area;
cause, at least partly in response to the request, one or more threads associated with the execution state of the secure execution environment to quiesce;
store state information of the execution state to the protected memory area;
encrypt contents of the protected memory area, including the state information, to form an encrypted checkpoint, the encrypted checkpoint encrypted with a persistence key; and
transmit to persistent storage the encrypted checkpoint and a sealed persistence key, the sealed persistence key derived at least partly from the persistence key.
Dependent claims: 16, 17, 18, 19, 20
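The encrypt-and-seal steps of claim 15, and the hand-back of the checkpoint and sealed persistence key in claim 8, sketched as an added illustration that is not part of the patent text or any vendor implementation. Assumptions: the sealing key is derived from a processor-held secret and a measurement of the trusted code, and a standard-library HMAC construction stands in for the authenticated cipher; all function names are hypothetical.

```python
# Added illustration; not from the patent. Standard library only.
import hashlib, hmac, secrets

# Assumption: stand-in for a secret held by the security-enabled processor.
PROCESSOR_SECRET = secrets.token_bytes(32)

def sub_key(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def xor_stream(key, nonce, data):
    # Illustration-only stream cipher: HMAC-SHA256 in counter mode.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def encrypt(key, plaintext):
    # Encrypt-then-MAC with separate sub-keys and a fresh nonce.
    nonce = secrets.token_bytes(16)
    ct = xor_stream(sub_key(key, b"enc"), nonce, plaintext)
    tag = hmac.new(sub_key(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(sub_key(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return xor_stream(sub_key(key, b"enc"), nonce, ct)

def sealing_key(measurement):
    # Assumption: sealing binds the key to the measurement of the trusted code.
    return sub_key(PROCESSOR_SECRET, b"seal" + measurement)

def persist(measurement, protected_memory):
    # Runs after threads are quiesced and state is stored in protected memory.
    persistence_key = secrets.token_bytes(32)
    checkpoint = encrypt(persistence_key, protected_memory)
    sealed_key = encrypt(sealing_key(measurement), persistence_key)
    return checkpoint, sealed_key  # both go to the untrusted host for storage

def restore(measurement, checkpoint, sealed_key):
    # A new environment recovers the key only if its measurement matches.
    persistence_key = decrypt(sealing_key(measurement), sealed_key)
    return decrypt(persistence_key, checkpoint)
```

The host only ever holds the two opaque blobs; an environment with a different measurement, or a modified checkpoint, fails authentication in `restore`.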
Specification