USER AUTHORIZATION AND PRESENCE DETECTION IN ISOLATION FROM INTERFERENCE FROM AND CONTROL BY HOST CENTRAL PROCESSING UNIT AND OPERATING SYSTEM

US 20140259125A1
Filed: 03/05/2013
Published: 09/11/2014
Est. Priority Date: 03/05/2013
Status: Active Grant

First Claim

Patent Images

1. An apparatus to be used in association with a host, the apparatus comprising:

circuitry to be comprised, at least in part, in the host, the host including at least one host central processing unit (CPU) to execute, at least in part, at least one host operating system (OS), the circuitry being capable of performing, at least in part, at least one operation in isolation both from interference from and control by the at least one host CPU and the at least one host OS, the at least one operation comprising;

user authorization determination in response, at least in part, to indication of physical presence of at least one user in proximity to the host, the user authorization determination being to determine, at least in part, whether the at least one user is authorized to issue at least one command to at least one security-related component of the host; and

user presence determination to determine, at least in part, whether, after the indication has been provided, the physical presence of the at least one user in the proximity to the host has ceased.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An embodiment may include circuitry to be included, at least in part, in a host. The host may include at least one host central processing unit (CPU) to execute, at least in part, at least one host operating system (OS). The circuitry may perform, at least in part, at least one operation in isolation both from interference from and control by the at least one host CPU and the at least one host OS. The at least one operation may include user authorization determination and user presence determination. The authorization determination may be in response, at least in part, to indication of physical presence of at least one user in proximity to the host. The user presence determination may determine, at least in part, whether, after the indication has been provided, the physical presence of the at least one user in the proximity to the host has ceased.

Citations

23 Claims

1. An apparatus to be used in association with a host, the apparatus comprising:
- circuitry to be comprised, at least in part, in the host, the host including at least one host central processing unit (CPU) to execute, at least in part, at least one host operating system (OS), the circuitry being capable of performing, at least in part, at least one operation in isolation both from interference from and control by the at least one host CPU and the at least one host OS, the at least one operation comprising;
  
  user authorization determination in response, at least in part, to indication of physical presence of at least one user in proximity to the host, the user authorization determination being to determine, at least in part, whether the at least one user is authorized to issue at least one command to at least one security-related component of the host; and
  
  user presence determination to determine, at least in part, whether, after the indication has been provided, the physical presence of the at least one user in the proximity to the host has ceased.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1, wherein:
    - the indication is based at least in part upon at least one of;
      
      activation of at least one secure attention key of the host by the at least one user;
      
      provision of at least one general purpose input/output (GPIO) signal to the circuitry;
      
      detection of at least one physical token associated with the at least one user; and
      
      detection of at least one physical characteristic of the at least one user.
  - 3. The apparatus of claim 1, wherein:
    - the user authorization determination is based, at least in part, upon at least one of;
      
      biometric information associated with the at least one user;
      
      at least one challenge response provided by the at least one user; and
      
      data provided by at least one near field communication device associated with the at least one user.
  - 4. The apparatus of claim 1, wherein:
    - the at least one security-related component comprises a trusted platform module (TPM);
      
      the circuitry is to store, at least in part, user authentication information and user privilege information in a manner that is inaccessible to the at least one host OS and at least one host CPU;
      
      the user authentication determination is based at least in part upon whether the user authentication information matches, at least in part, other user-associated information provided in response, at least in part, to at least one challenge by the circuitry; and
      
      after the circuitry determines, at least in part, that the at least one user is authorized to use, at least in part, the host, the circuitry is to determine, based at least in part, upon the user privilege information, whether the at least one user is authorized to issue the at least one command to the TPM.
  - 5. The apparatus of claim 4, wherein:
    - after the circuitry determines, at least in part, that the at least one user is authorized to issue the at least one command to the TPM, the circuitry is to issue, at least in part, a general purpose input/output signal that results, at least in part, in assertion of a physical user presence signal of the TPM.
  - 6. The apparatus of claim 4, wherein:
    - after the circuitry determines, at least in part, that the physical presence of the at least one user in the proximity to the host has ceased, the circuitry is to issue, at least in part, a general purpose input/output signal that results, at least in part, in de-assertion of a physical user presence signal of the TPM.
  - 7. The apparatus of claim 1, wherein:
    - the circuitry satisfies at least one of the following subparagraphs (a) to (g);
      
      (a) the circuitry is to execute, at least in part, at least one software agent to perform, at least in part, at least one of the user authorization determination and the user presence determination, and the at least one agent also is to establish, at least in part, at least one secure communication channel with the at least one security-related component;
      
      (b) the circuitry is comprised, at least in part, in a trusted platform module (TPM);
      
      (c) the circuitry is comprised, at least in part, in a hardware security module;
      
      (d) the at least one software agent is comprised, at least in part, in a virtual machine manager;
      
      (e) the at least one security-related component comprises at least one virtual TPM implemented, at least in part, by the virtual machine manager;
      
      (f) the at least one virtual TPM comprises a plurality of virtual TPM; and
      
      (g) the circuitry is comprised, at least in part, in at least one device that is capable of being removably communicatively coupled to the host.

8. Computer-readable memory storing one or more instructions that when executed by a machine result in performance of operations comprising:
- at least one operation performed, at least in part, by circuitry, the circuitry to be comprised, at least in part, in a host, the host including at least one host central processing unit (CPU) to execute, at least in part, at least one host operating system (OS), the circuitry to perform, at least in part, the at least one operation in isolation both from interference from and control by the at least one host CPU and the at least one host OS, the at least one operation comprising;
  
  user authorization determination in response, at least in part, to indication of physical presence of at least one user in proximity to the host, the user authorization determination being to determine, at least in part, whether the at least one user is authorized to issue at least one command to at least one security-related component of the host; and
  
  user presence determination to determine, at least in part, whether, after the indication has been provided, the physical presence of the at least one user in the proximity to the host has ceased.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable memory of claim 8, wherein:
    - the indication is based at least in part upon at least one of;
      
      activation of at least one secure attention key of the host by the at least one user;
      
      provision of at least one general purpose input/output (GPIO) signal to the circuitry;
      
      detection of at least one physical token associated with the at least one user; and
      
      detection of at least one physical characteristic of the at least one user.
  - 10. The computer-readable memory of claim 8, wherein:
    - the user authorization determination is based, at least in part, upon at least one of;
      
      biometric information associated with the at least one user;
      
      at least one challenge response provided by the at least one user; and
      
      data provided by at least one near field communication device associated with the at least one user.
  - 11. The computer-readable memory of claim 8, wherein:
    - the at least one security-related component comprises a trusted platform module (TPM);
      
      the circuitry is to store, at least in part, user authentication information and user privilege information in a manner that is inaccessible to the at least one host OS and at least one host CPU;
      
      the user authentication determination is based at least in part upon whether the user authentication information matches, at least in part, other user-associated information provided in response, at least in part, to at least one challenge by the circuitry; and
      
      after the circuitry determines, at least in part, that the at least one user is authorized to use, at least in part, the host, the circuitry is to determine, based at least in part, upon the user privilege information, whether the at least one user is authorized to issue the at least one command to the TPM.
  - 12. The computer-readable memory of claim 11, wherein:
    - after the circuitry determines, at least in part, that the at least one user is authorized to issue the at least one command to the TPM, the circuitry is to issue, at least in part, a general purpose input/output signal that results, at least in part, in assertion of a physical user presence signal of the TPM.
  - 13. The computer-readable memory of claim 11, wherein:
    - after the circuitry determines, at least in part, that the physical presence of the at least one user in the proximity to the host has ceased, the circuitry is to issue, at least in part, a general purpose input/output signal that results, at least in part, in de-assertion of a physical user presence signal of the TPM.
  - 14. The computer-readable memory of claim 8, wherein:
    - the circuitry satisfies at least one of the following subparagraphs (a) to (g);
      
      (a) the circuitry is to execute, at least in part, at least one software agent to perform, at least in part, at least one of the user authorization determination and the user presence determination, and the at least one agent also is to establish, at least in part, at least one secure communication channel with the at least one security-related component;
      
      (b) the circuitry is comprised, at least in part, in a trusted platform module (TPM);
      
      (c) the circuitry is comprised, at least in part, in a hardware security module;
      
      (d) the at least one software agent is comprised, at least in part, in a virtual machine manager;
      
      (e) the at least one security-related component comprises at least one virtual TPM implemented, at least in part, by the virtual machine manager;
      
      (f) the at least one virtual TPM comprises a plurality of virtual TPM; and
      
      (g) the circuitry is comprised, at least in part, in at least one device that is capable of being removably communicatively coupled to the host.

15. A method for use in association with a host, the method comprising:
- at least one operation performed, at least in part, by circuitry, the circuitry to be comprised, at least in part, in the host, the host including at least one host central processing unit (CPU) to execute, at least in part, at least one host operating system (OS), the circuitry to perform, at least in part, the at least one operation in isolation both from interference from and control by the at least one host CPU and the at least one host OS, the at least one operation comprising;
  
  user authorization determination in response, at least in part, to indication of physical presence of at least one user in proximity to the host, the user authorization determination being to determine, at least in part, whether the at least one user is authorized to issue at least one command to at least one security-related component of the host; and
  
  user presence determination to determine, at least in part, whether, after the indication has been provided, the physical presence of the at least one user in the proximity to the host has ceased.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The method of claim 15, wherein:
    - the indication is based at least in part upon at least one of;
      
      activation of at least one secure attention key of the host by the at least one user;
      
      provision of at least one general purpose input/output (GPIO) signal to the circuitry;
      
      detection of at least one physical token associated with the at least one user; and
      
      detection of at least one physical characteristic of the at least one user.
  - 17. The method of claim 15, wherein:
    - the user authorization determination is based, at least in part, upon at least one of;
      
      biometric information associated with the at least one user;
      
      at least one challenge response provided by the at least one user; and
      
      data provided by at least one near field communication device associated with the at least one user.
  - 18. The method of claim 15, wherein:
    - the at least one security-related component comprises a trusted platform module (TPM);
      
      the circuitry is to store, at least in part, user authentication information and user privilege information in a manner that is inaccessible to the at least one host OS and at least one host CPU;
      
      the user authentication determination is based at least in part upon whether the user authentication information matches, at least in part, other user-associated information provided in response, at least in part, to at least one challenge by the circuitry; and
      
      after the circuitry determines, at least in part, that the at least one user is authorized to use, at least in part, the host, the circuitry is to determine, based at least in part, upon the user privilege information, whether the at least one user is authorized to issue the at least one command to the TPM.
  - 19. The method of claim 18, wherein:
    - after the circuitry determines, at least in part, that the at least one user is authorized to issue the at least one command to the TPM, the circuitry is to issue, at least in part, a general purpose input/output signal that results, at least in part, in assertion of a physical user presence signal of the TPM.
  - 20. The method of claim 18, wherein:
    - after the circuitry determines, at least in part, that the physical presence of the at least one user in the proximity to the host has ceased, the circuitry is to issue, at least in part, a general purpose input/output signal that results, at least in part, in de-assertion of a physical user presence signal of the TPM.
  - 21. The method of claim 15, wherein:
    - the circuitry satisfies at least one of the following subparagraphs (a) to (g);
      
      (a) the circuitry is to execute, at least in part, at least one software agent to perform, at least in part, at least one of the user authorization determination and the user presence determination, and the at least one agent also is to establish, at least in part, at least one secure communication channel with the at least one security-related component;
      
      (b) the circuitry is comprised, at least in part, in a trusted platform module (TPM);
      
      (c) the circuitry is comprised, at least in part, in a hardware security module;
      
      (d) the at least one software agent is comprised, at least in part, in a virtual machine manager;
      
      (e) the at least one security-related component comprises at least one virtual TPM implemented, at least in part, by the virtual machine manager;
      
      (f) the at least one virtual TPM comprises a plurality of virtual TPM; and
      
      (g) the circuitry is comprised, at least in part, in at least one device that is capable of being removably communicatively coupled to the host.

22. An apparatus, comprising:
- logic, at least partially comprising hardware, to be comprised, at least in part, in a host, the host including at least one host central processing unit (CPU) to execute, at least in part, at least one host operating system (OS), the logic being capable of performing, at least in part, at least one operation in isolation both from interference from and control by the at least one host CPU and the at least one host OS, the at least one operation comprising;
  
  user authorization determination in response, at least in part, to indication of physical presence of at least one user in proximity to the host, the user authorization determination being to determine, at least in part, whether the at least one user is authorized to issue at least one command to at least one security-related component of the host; and
  
  user presence determination to determine, at least in part, whether, after the indication has been provided, the physical presence of the at least one user in the proximity to the host has ceased.
- View Dependent Claims (23)
- - 23. The apparatus of claim 22, wherein:
    - the indication is based at least in part upon at least one of;
      
      activation of at least one secure attention key of the host by the at least one user;
      
      provision of at least one general purpose input/output (GPIO) signal to the circuitry;
      
      detection of at least one physical token associated with the at least one user; and
      
      detection of at least one physical characteristic of the at least one user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Smith, Ned M., Moore, Victoria C.

Granted Patent

US 9,230,081 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/34   involving the use of extern...

G06F 21/57   Certifying or maintaining t...

G06F 21/575   Secure boot

G06F 21/71   to assure secure computing ...

G06F 2221/2133   Verifying human interaction...

G06F 2221/2139   Recurrent verification

USER AUTHORIZATION AND PRESENCE DETECTION IN ISOLATION FROM INTERFERENCE FROM AND CONTROL BY HOST CENTRAL PROCESSING UNIT AND OPERATING SYSTEM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

USER AUTHORIZATION AND PRESENCE DETECTION IN ISOLATION FROM INTERFERENCE FROM AND CONTROL BY HOST CENTRAL PROCESSING UNIT AND OPERATING SYSTEM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links