Patent
Method and apparatus for scalable integrity attestation in virtualization environments
Title: | Method and apparatus for scalable integrity attestation in virtualization environments |
---|---|
Patent Number: | 8,615,788 |
Publication Date: | December 24, 2013 |
Appl. No: | 12/539912 |
Application Filed: | August 12, 2009 |
Abstract: | A computer implemented method for logging extensions to platform configuration registers inside a trusted platform module instance is provided. A request to extend the current state of at least one of a plurality of platform configuration register is received. At least one platform configuration register within the trusted platform module instance is extended. The extension of the at least one platform configuration register is logged inside the trusted platform module instance as a logged entry by storing at least a tuple of platform configuration register indexes and hash values used for extending the platform configuration register. Information about new entries in the consolidated logs can be retrieved by polling or by subscribing to events that are automatically generated. A report of an extend operation and its logged hash value is sent to subscribers interested in receiving notifications of extend operations on a set of PCR registers. |
Inventors: | Berger, Stefan (Hawthorne, NY, US); Caceres, Ramon (New York, NY, US); Goldman, Kenneth Alan (Hawthorne, NY, US); Perez, Ronald (Yorktown Heights, NY, US); Sailer, Reiner (Hawthorne, NY, US); Srinivasan, Deepa (Raleigh, NC, US) |
Assignees: | International Business Machines Corporation (Armonk, NY, US) |
Claim: | 1. A computer implemented method for logging extensions to platform configuration registers inside a trusted platform module instance, the computer implemented method comprising: receiving a request to extend the current state of at least one of a plurality of platform configuration register; extending the at least one platform configuration register within the trusted platform module instance; logging the extension of the at least one platform configuration register inside the trusted platform module instance as logged entries by storing at least a tuple of platform configuration register indexes and hash values used for extending the platform configuration register; and limiting a rate of reporting to a maximum number of notifications sent from the trusted platform module within a certain time interval. |
Claim: | 2. The computer implemented method of claim 1, further comprising: restricting the logging to a selected set of the plurality of platform configuration registers. |
Claim: | 3. The computer implemented method of claim 1, further comprising: providing read access to the logged entries. |
Claim: | 4. The computer implemented method of claim 3, further comprising: restricting the logged entries to be read to a selected subset of logged entries. |
Claim: | 5. The computer implemented method of claim 1, further comprising: aggregating multiple trusted platform module instances in a trusted platform interface module. |
Claim: | 6. The computer implemented method according to claim 5, further comprising: providing read access to logged entries for said aggregated trusted platform module instances. |
Claim: | 7. The computer implemented method of claim 1, further comprising resetting at least one of the plurality of platform configuration registers such that all logging information related to the at least one platform configuration register is cleared. |
Claim: | 8. The computer implemented method of claim 1, further comprising initializing the trusted platform module instance such that the trusted platform module instance initializes an empty log. |
Claim: | 9. The computer implemented method of claim 1, further comprising securely packaging the logged entries responsive to a request to migrate the state of the trusted platform module instance to another trusted platform module instance. |
Claim: | 10. A computer implemented method for reporting extensions to platform configuration registers inside a trusted platform module instance, the computer implemented method comprising: receiving a request to extend a current state of at least one of a plurality of platform configuration registers; extending the at least one platform configuration register within the trusted platform module instance; reporting the extension of the specified platform configuration register inside the trusted platform module instance to subscribers by reporting at least a tuple of platform configuration register indexes and hash values used for the extension; automatically reporting extend information from the platform module instance to a subscriber; and limiting a rate of reporting to a maximum number of notifications sent from the trusted platform module within a certain time interval. |
Claim: | 11. The computer implemented method of claim 10, further comprising: subscribing to a selected set of the plurality of platform configuration registers and restricting the reporting to the selected set of platform configuration registers. |
Claim: | 12. The computer implemented method of claim 10 further comprising aggregating multiple trusted platform module instances in a trusted platform interface module. |
Claim: | 13. The computer implemented method of claim 12 further comprising reporting entries from the aggregated trusted platform module instances to a subscriber. |
Claim: | 14. A computer implemented method for reporting extensions to platform configuration registers inside a trusted platform module instance, the computer implemented method comprising: receiving a request to extend a current state of at least one of a plurality of platform configuration registers; extending the at least one platform configuration register within the trusted platform module instance; reporting the extension of the specified platform configuration register inside the trusted platform module instance to subscribers by reporting at least a tuple of platform configuration register indexes and hash values used for the extension; and limiting a rate of reporting to a maximum number of notifications sent from the trusted platform module within a certain time interval. |
Claim: | 15. The computer implemented method of claim 14, further comprising: subscribing to a selected set of the plurality of platform configuration registers and restricting the reporting to the selected set of platform configuration registers. |
Claim: | 16. The computer implemented method of claim 14 further comprising automatically reporting extend information from the platform module instance to a subscriber. |
Claim: | 17. The computer implemented method of claim 14 further comprising aggregating multiple trusted platform module instances in a trusted platform interface module. |
Claim: | 18. The computer implemented method of claim 17 further comprising reporting entries from the aggregated trusted platform module instances to a subscriber. |
Current U.S. Class: | 726/2 |
Patent References Cited: | 7313679, December 2007, Ranganathan; 7552419, June 2009, Zimmer et al.; 7930733, April 2011, Iftode et al.; 2003/0074548, April 2003, Cromer et al.; 2003/0188113, October 2003, Grawrock et al.; 2005/0132031, June 2005, Sailer et al.; 2005/0262571, November 2005, Zimmer et al.; 2007/0067617, March 2007, Tarkkala; 2007/0226505, September 2007, Brickell; 2007/0260545, November 2007, Bade et al. |
Other References: | Sailer et al., “Design and Implementation of a TCG-based Integrity Measurement Architecture”, Usenix Security Symposium, Aug. 11, 2004. cited by applicant |
Primary Examiner: | Connolly, Mark |
Attorney, Agent or Firm: | Cahn & Samuels, LLP |
Accession Number: | edspgr.08615788 |
Database: | USPTO Patent Grants |
Description not available. |