Patent application number | Description | Published |
20080244292 | Method and Apparatus to Re-create trust model after sleep state - A processing system features random access memory (RAM), a processor, and a trusted platform module (TPM). When the processing system enters a sleep mode during which the RAM is to stay powered, the processing system may measuring a VMM and one or more secure VMs in the processing system. However, the processing system may not measure or encrypt all of system memory. Upon resuming from sleep, the processing system may verify the measurements, to ensure that the VMM and secure VMs have not been tampered with. Other steps may include sealing encryption keys to the TPM, while preserving the blobs in memory. Other embodiments are described and claimed. | 10-02-2008 |
20090044187 | Methods And Apparatus For Creating An Isolated Partition For A Virtual Trusted Platform Module - A data processing system isolates a virtual trusted platform module (vTPM) manager in the processing system from other management software in the processing system. In one example process, the processing system launches a virtual machine monitor (VMM) that includes a memory-mapped input/output (MMIO) trap. The processing system also launches a vTPM manager in a first virtual machine (VM). In addition, the processing system launches a second VM to contain virtual machine management programs other than the vTPM manager and the MMIO trap. Other embodiments are described and claimed. | 02-12-2009 |
20090055641 | Method and apparatus for virtualization of a multi-context hardware trusted platform module (TPM) - In one embodiment, the present invention includes a method for receiving a request for a trusted platform module (TPM) operation from a virtual machine, determining whether the request is for a modification of a TPM version, and associating part of a multi-context hardware TPM with a virtual TPM (vTPM) to enable the modification. Other embodiments are described and claimed. | 02-26-2009 |
20090086979 | VIRTUAL TPM KEYS ROOTED IN A HARDWARE TPM - The present subject matter related to trusted computing, and more particularly, to virtual trusted platform module keys rooted in a hardware trusted platform module. Some embodiments include a trusted platform virtualization module operable to capture virtual machine trusted platform module calls and operates to generate, maintain, and utilize hardware trusted platform module keys on behalf of the one or more virtual machines. Some embodiments include virtual trusted platform module keys having a public portion on top of an private portion including an encrypted hardware trusted platform module key. | 04-02-2009 |
20090089582 | METHODS AND APPARATUS FOR PROVIDING UPGRADEABLE KEY BINDINGS FOR TRUSTED PLATFORM MODULES - A processing system with a trusted platform module (TPM) supports migration of digital keys. For instance, an application in the processing system may create a first configuration key as a child of a TPM storage root key (SRK) when the processing system has a first configuration. The application may also create an upgradable root user key associated with an upgrade authority as a child of the first configuration key. The application may also create a user key as a child of the upgradable root user key. When the processing system has a second configuration, the application may create a second configuration key as a child of the SRK. The application may request migration approval from the upgrade authority. In response to receiving the approval from the upgrade authority, the application may migrate the root user key to be a child of the second configuration key. Other embodiments are described and claimed. | 04-02-2009 |
20090165117 | Methods And Apparatus Supporting Access To Physical And Virtual Trusted Platform Modules - A data processing system features a hardware trusted platform module (TPM), and a virtual TPM (vTPM) manager. When executed, the vTPM manager detects a first request from a service virtual machine (VM) in the processing system, the first request to involve access to the hardware TPM (hTPM). In response, the vTPM manager automatically determines whether the first request should be allowed, based on filter rules identifying allowed or disallowed operations for the hTPM. The vTPM manager may also detect a second request to involve access to a software TPM (sTPM) in the processing system. In response, the vTPM manager may automatically determine whether the second request should be allowed, based on a second filter list identifying allowed or disallowed operations for the sTPM. Other embodiments are described and claimed. | 06-25-2009 |
20090169012 | VIRTUAL TPM KEY MIGRATION USING HARDWARE KEYS - The present subject matter is related to trusted computing, and more particularly to migration of virtual trusted platform module keys that are rooted in a hardware trusted platform module. Some embodiments include a trusted platform virtualization module that may perform one or more of inbound and outbound trusted platform module key migrations. Such migrations may be performed between a virtual trusted platform module and either a hardware or a virtual trusted platform module. | 07-02-2009 |
20090307493 | SYSTEM AND METHOD FOR COMBINING USER AND PLATFORM AUTHENTICATION IN NEGOTIATED CHANNEL SECURITY PROTOCOLS - A network security handshake exchange for combining user and platform authentication. The security handshake exchange performs operations on a pre-master secret to increase identity verification and security. The pre-master secret is augmented and authenticated with platform identity and user identity credentials of one endpoint. A second phase of exchanges may include exchange of a master secret that is the pre-master secret modified with platform identity and user identity of the other endpoint. | 12-10-2009 |
20110138166 | Extensible Pre-Boot Authentication - In one embodiment, the present invention includes a method for obtaining a pre-boot authentication (PBA) image from a non-volatile storage that is configured with full disk encryption (FDE), and storing the PBA image in a memory. Then a callback protocol can be performed between a loader executing on an engine of a chipset and an integrity checker of a third party that provided the PBA image to confirm integrity of the PBA image, the PBA image is executed if the integrity is confirmed, and otherwise it is deleted. Other embodiments are described and claimed. | 06-09-2011 |
20110145598 | Providing Integrity Verification And Attestation In A Hidden Execution Environment - In one embodiment, a processor includes a microcode storage including processor instructions to create and execute a hidden resource manager (HRM) to execute in a hidden environment that is not visible to system software. The processor may further include an extend register to store security information including a measurement of at least one kernel code module of the hidden environment and a status of a verification of the at least one kernel code module. Other embodiments are described and claimed. | 06-16-2011 |
20110154023 | Protected device management - A method, apparatus, system, and computer program product for management of storage devices protected by encryption, user authentication, and password protection and auditing schemes in virtualized and non-virtualized environments. | 06-23-2011 |
20110314472 | Method And Apparatus For Virtualization Of A Multi-Context Hardware Trusted Platform Module (TPM) - In one embodiment, the present invention includes a method for receiving a request for a trusted platform module (TPM) operation from a virtual machine, determining whether the request is for a modification of a TPM version, and associating part of a multi-context hardware TPM with a virtual TPM (vTPM) to enable the modification. Other embodiments are described and claimed. | 12-22-2011 |
20120017271 | DOMAIN-AUTHENTICATED CONTROL OF PLATFORM RESOURCES - A method, apparatus, system, and computer program product for domain-authenticated control of platform resources. Resources under the control of the platform are managed in accordance with access control rules that are centrally managed by a directory service. Security policies are uniformly applied by requiring authorization of the user's access to platform resources including hard drives, flash memory, sensors, network controllers and power state controllers. | 01-19-2012 |
20120030676 | Methods And Apparatus For Creating An Isolated Partition For A Virtual Trusted Platform Module - A data processing system isolates a virtual trusted platform module (vTPM) manager in the processing system from other management software in the processing system. In one example process, the processing system launches a virtual machine monitor (VMM) that includes a memory-mapped input/output (MMIO) trap. The processing system also launches a vTPM manager in a first virtual machine (VM). In addition, the processing system launches a second VM to contain virtual machine management programs other than the vTPM manager and the MMIO trap. Other embodiments are described and claimed. | 02-02-2012 |
20120030730 | PROVIDING A MULTI-PHASE LOCKSTEP INTEGRITY REPORTING MECHANISM - In one embodiment, a processor can enforce a blacklist and validate, according to a multi-phase lockstep integrity protocol, a device coupled to the processor. Such enforcement may prevent the device from accessing one or more resources of a system prior to the validation. The blacklist may include a list of devices that have not been validated according to the multi-phase lockstep integrity protocol. Other embodiments are described and claimed. | 02-02-2012 |
20130179693 | Providing Integrity Verification And Attestation In A Hidden Execution Environment - In one embodiment, a processor includes a microcode storage including processor instructions to create and execute a hidden resource manager (HRM) to execute in a hidden environment that is not visible to system software. The processor may further include an extend register to store security information including a measurement of at least one kernel code module of the hidden environment and a status of a verification of the at least one kernel code module. Other embodiments are described and claimed. | 07-11-2013 |
20130248717 | METHOD AND APPARATUS TO DETERMINE USER PRESENCE - According to some embodiments, a method and apparatus are provided to receive a first signal from a sensor, determine that a user is present based on the received first signal, receive a second signal from the sensor, and determine if the user is still present based on the received second signal. | 09-26-2013 |
20130283369 | Providing A Multi-Phase Lockstep Integrity Reporting Mechanism - In one embodiment, a processor can enforce a blacklist and validate, according to a multi-phase lockstep integrity protocol, a device coupled to the processor. Such enforcement may prevent the device from accessing one or more resources of a system prior to the validation. The blacklist may include a list of devices that have not been validated according to the multi-phase lockstep integrity protocol. Other embodiments are described and claimed. | 10-24-2013 |
20140013116 | APPARATUS AND METHOD FOR PERFORMING OVER-THE-AIR IDENTITY PROVISIONING - A method for controlling access to information includes sending a request from an identity requester to an identity provider through an over-the-air (OTA) link. Data received from the identity provider in response to the request includes information used to establish a first identity of a user for a first service. The first identity information is received during a Sigma session, and a second identity of the user is established for a second service based on the received first identity information. The user may be a user of a mobile communication terminal or other device, which is to receive the first and second services. | 01-09-2014 |
20140181535 | TAP-TO-WAKE AND TAP-TO-LOGIN NEAR FIELD COMMUNICATION (NFC) DEVICE - Described herein are techniques related to a tap-to-wake and tap-to-login system. This Abstract is submitted with the understanding that it will not be used to interpret or limit the scope and meaning of the claims. A tap-to-wake and tap-to-login system allows a user of a near field device to wake up a computing platform from a deep sleep state using a bump/tap without having to move a mouse or enter a keyboard stroke. | 06-26-2014 |
20140181925 | Privacy Enhanced Key Management For A Web Service Provider Using A Converged Security Engine - In an embodiment, a security engine of a processor includes an identity provider logic to generate a first key pair of a key pairing associating system user and a service provider that provides a web service and having a second system coupled to the system via a network, to perform a secure communication with the second system to enable the second system to verify that the identity provider logic is executing in a trusted execution environment, and responsive to the verification, to send a first key of the first key pair to the second system. This key may enable the second system to verify an assertion communicated by the identity provider logic that the user has been authenticated to the system according to a multi-factor authentication. Other embodiments are described and claimed. | 06-26-2014 |
20140181995 | PUBLICATION AND REMOVAL OF ATTRIBUTES IN A MULTI-USER COMPUTING SYSTEM - Embodiments of the present disclosure are directed toward publication and/or removal of attributes in a multi-user computing environment. In some embodiments, a consumer information manager (CIM) associated with a user of a multi-user computing system may receive a notification, from a dimension authority (DA), of a decrease in a population count of users of the computing system who have published an attribute within the computing system, and may determine whether the user has published the attribute. In response to receiving the notification of the decrease and determining that the user has published the attribute, the CIM may determine a likelihood that continued publication of the attribute will enable identification of the user, compare the likelihood to a threshold, and, when the likelihood exceeds the threshold, remove the attribute from publication. Other embodiments may be disclosed and/or claimed. | 06-26-2014 |
20140259125 | USER AUTHORIZATION AND PRESENCE DETECTION IN ISOLATION FROM INTERFERENCE FROM AND CONTROL BY HOST CENTRAL PROCESSING UNIT AND OPERATING SYSTEM - An embodiment may include circuitry to be included, at least in part, in a host. The host may include at least one host central processing unit (CPU) to execute, at least in part, at least one host operating system (OS). The circuitry may perform, at least in part, at least one operation in isolation both from interference from and control by the at least one host CPU and the at least one host OS. The at least one operation may include user authorization determination and user presence determination. The authorization determination may be in response, at least in part, to indication of physical presence of at least one user in proximity to the host. The user presence determination may determine, at least in part, whether, after the indication has been provided, the physical presence of the at least one user in the proximity to the host has ceased. | 09-11-2014 |
20140316886 | PROVISION OF ANONYMOUS CONTEXT INFORMATION AND GENERATION OF TARGETED CONTENT - Embodiments of the present disclosure are directed towards selective disclosure of user or computing environment attributes to facilitate generation and/or provision of targeted content. In various embodiments, a likelihood that disclosure of an attribute of a user or of a computing environment associated with the user will enable identification of the user may be determined based on an associated population count of users or computing environments sharing the same attribute. In various embodiments, the attribute may be selectively disclosed to a content provider configured to provide targeted content, or a recommendation may be selectively provided to the user as to whether the user should disclose the attribute to the content provider, based on the determination and a risk tolerance associated with the user. In various embodiments, a dimension authority may track and make available population counts of users or computing environments having various attributes. | 10-23-2014 |
20140359754 | Providing A Multi-Phase Lockstep Integrity Reporting Mechanism - In one embodiment, a processor can enforce a blacklist and validate, according to a multi-phase lockstep integrity protocol, a device coupled to the processor. Such enforcement may prevent the device from accessing one or more resources of a system prior to the validation. The blacklist may include a list of devices that have not been validated according to the multi-phase lockstep integrity protocol. Other embodiments are described and claimed. | 12-04-2014 |
20140366116 | PROTECTED DEVICE MANAGEMENT - A method, apparatus, system, and computer program product for management of storage devices protected by encryption, user authentication, and password protection and auditing schemes in virtualized and non-virtualized environments. | 12-11-2014 |
20150079933 | SECURELY MANAGED LOCATION-AND-TRACKING SERVICE ACCESS - Systems and techniques for securely managed location-and-tracking service (LTS) access are described herein. A trusted execution environment (TEE) may establish a connection to an LTS. The TEE may provide verification to the LTS that the connection origination from the TEE. The TEE may request an LTS location for the mobile device from the LTS using the connection. The TEE may provide the LTS location to applications of the mobile device. | 03-19-2015 |