Associating a multi-context trusted platform module with distributed platforms

US 8,108,668 B2
Filed: 06/26/2006
Issued: 01/31/2012
Est. Priority Date: 06/26/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

creating an instance of a virtual trusted platform module (TPM) in a manager platform corresponding to a first server including TPM hardware, the manager platform a central repository of TPM services for a plurality of managed platforms coupled to the manager platform;

associating the instance of the virtual TPM with a first one of the managed platforms coupled to the manager platform, the managed platforms each a server including platform resources, a plurality of virtual machines and a platform manager, wherein the virtual TPM instance remains on the manager platform when the virtual TPM instance performs secure operations for the first managed platform and private keys of the virtual TPM instance remain on the manager platform and are not accessible to the first managed platform; and

updating the virtual TPM instance from the first managed platform to a second managed platform based on load information, and without re-authenticating the virtual TPM instance.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, the present invention includes a method for creating an instance of a virtual trusted platform module (TPM) in a central platform and associating the instance with a managed platform coupled to the central platform. Multiple such vTPM'"'"'s may be instantiated, each associated with a different managed platform coupled to the central platform. The instances may all be maintained on the central platform, improving security. Other embodiments are described and claimed.

69 Citations

View as Search Results

23 Claims

1. A method comprising:
- creating an instance of a virtual trusted platform module (TPM) in a manager platform corresponding to a first server including TPM hardware, the manager platform a central repository of TPM services for a plurality of managed platforms coupled to the manager platform;
  
  associating the instance of the virtual TPM with a first one of the managed platforms coupled to the manager platform, the managed platforms each a server including platform resources, a plurality of virtual machines and a platform manager, wherein the virtual TPM instance remains on the manager platform when the virtual TPM instance performs secure operations for the first managed platform and private keys of the virtual TPM instance remain on the manager platform and are not accessible to the first managed platform; and
  
  updating the virtual TPM instance from the first managed platform to a second managed platform based on load information, and without re-authenticating the virtual TPM instance.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 19, 22)
- - 2. The method of claim 1, further comprising authenticating the first managed platform before associating the instance of the virtual TPM with the first managed platform.
  - 3. The method of claim 2, wherein authenticating the first managed platform comprises establishing a secure channel between the first managed platform and the manager platform.
  - 4. The method of claim 1, further comprising maintaining an instance of the virtual TPM on the manager platform for each of the plurality of managed platforms.
  - 5. The method of claim 1, further comprising receiving a request for a secure operation destined to the instance of the virtual TPM from the first managed platform, wherein the first managed platform has insufficient resources to perform the secure operation.
  - 6. The method of claim 5, further comprising handling the request on the manager platform.
  - 7. The method of claim 5, further comprising handling the request on the instance of the virtual TPM on the manager platform.
  - 19. The method of claim 5, wherein the first managed platform performs at least one attestation operation using a TPM hardware of the first managed platform, prior to sending the request for the secure operation to the managed platform.
  - 22. The method of claim 1, further comprising updating association of the instance of the virtual TPM from the first managed platform to the second managed platform, wherein the instance is maintained on the manager platform, by update to an association table that lists the virtual TPM instances and corresponding managed platforms.

8. An apparatus comprising:
- a manager device to create instances of a virtual trusted platform module (TPM) and associate each of the instances with corresponding managed platforms coupled to the manager device, wherein the virtual TPM instances remain on the manager device while the virtual TPM instances perform a secure operation for the corresponding managed platforms and are to be maintained by the manager device, the manager device comprising a server of a server center including at least one hardware TPM, and the managed platforms comprise other servers of the server center, wherein the manager device is to change association of an instance of a virtual TPM from a first managed platform to a second managed platform based on load information, wherein the instance is maintained on the manager device, by update to an association table that lists the virtual TPM instances and corresponding managed platforms and without re-authentication of the instance.
- View Dependent Claims (9, 10, 11, 12, 20, 21)
- - 9. The apparatus of claim 8, further comprising secure channels to couple the managed platforms to the manager device.
  - 10. The apparatus of claim 8, further comprising a platform center manager coupled to the manager device to manage the managed platforms.
  - 11. The apparatus of claim 8, wherein the corresponding instance of the virtual TPM is to process a request for a secure operation from a managed platform.
  - 12. The apparatus of claim 11, wherein the corresponding instance of the virtual TPM is to transmit the request to the manager device for processing.
  - 20. The apparatus of claim 8, wherein the manager device is to determine if the second managed platform is present on a list of an authenticated platforms, and if not to prevent the update.
  - 21. The apparatus of claim 20, wherein the manager device is to report a notification to the platform center manager regarding the prevention, and responsive to an instruction from the platform center manager, authorize the second managed platform to enable a virtual TPM migration thereto.

13. An article comprising a non-transitory machine-accessible storage medium including instructions that when executed cause a system to:
- instantiate a first virtual security coprocessor in a central location corresponding to a first server;
  
  associate the first virtual security coprocessor with a first managed platform corresponding to a second server coupled to the central location responsive to a request from the first managed platform, wherein the first virtual security coprocessor is to remain in the central location; and
  
  update association of the first virtual security coprocessor to a second managed platform corresponding to a third server coupled to the central location responsive to a management command from a platform manager based on load information via update to an association table that lists virtual security coprocessor instances and corresponding managed platforms to associate the first virtual security coprocessor with the second managed platform without re-authentication of the first virtual security coprocessor, wherein the first virtual security coprocessor is to remain in the central location after the update.
- View Dependent Claims (14, 15, 16)
- - 14. The article of claim 13, further comprising instructions that when executed cause the system to receive a request for a secure operation from the first managed platform and perform the secure operation using the first virtual security coprocessor in the central location.
  - 15. The article of claim 14, further comprising instructions that when executed cause the system to perform the secure operation using the central location responsive to a request from the first virtual security coprocessor.
  - 16. The article of claim 13, further comprising instructions that when executed cause the system to instantiate a plurality of virtual security coprocessors in the central location and to associate each of the plurality of virtual security coprocessors with a corresponding one of a plurality of managed platforms coupled to the central location.

17. A system comprising:
- a plurality of managed platforms each a server having at least one hardware resource to be used in a virtualized environment;
  
  a management platform having a hardware trusted platform module (TPM) and corresponding to a TPM server coupled to the plurality of managed platforms to create instances of a virtual security module and associate each of the instances with a corresponding one of the plurality of managed platforms, wherein the management platform is to maintain the instances of the virtual security module on the management platform while the virtual security module instances perform a secure operation for the corresponding managed platform and private keys of the virtual security module instances remain on the management platform and are not accessible to the corresponding managed platforms during the secure operation; and
  
  a platform manager coupled to the management platform, when the platform manager is to instruct the management platform to migrate an instance of the virtual security module from a first managed platform to a second managed platform based on load information without re-authorization activities, wherein the instance is maintained on the management platform.
- View Dependent Claims (18, 23)
- - 18. The system of claim 17, wherein the management platform is to transmit a request for a secure operation received from one of the plurality of managed platforms to the corresponding instance of the virtual security module for processing.
  - 23. The system of claim 17, wherein the migration is via update to an association table that lists virtual security module instances and corresponding managed platforms.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Rozas, Carlos V.
Primary Examiner(s)
Dada, Beemnet
Assistant Examiner(s)
BEHESHTI SHIRAZI, SAYED ARESH

Application Number

US11/474,778
Publication Number

US 20070300069A1
Time in Patent Office

2,045 Days
Field of Search

713/155, 713/156, 713/157, 713/158, 380/277
US Class Current

713/155
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2129   Authenticate client device ...

G06F 2221/2145   Inheriting rights or proper...

Associating a multi-context trusted platform module with distributed platforms

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

69 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Associating a multi-context trusted platform module with distributed platforms

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links