-
公开(公告)号:US11574060B2
公开(公告)日:2023-02-07
申请号:US16392833
申请日:2019-04-24
IPC分类号: G06F21/57
摘要: An initial program load of a system component of a computing environment is performed. A determination is made as to whether one or more signatures of one or more signed binary code components relating to the system component are verified. Based on determining that the one or more signatures are verified, additional verification is performed. The additional verification includes obtaining a select binary code component of one or more binary code components relating to the system component and determining whether the select binary code component is a particular signed binary code component. Based on determining that the select binary code component is the particular signed binary code component, a check is performed. The initial program load is continued based on a successful check.
-
公开(公告)号:US11354418B2
公开(公告)日:2022-06-07
申请号:US16296334
申请日:2019-03-08
发明人: Reinhard T. Buendgen , Christian Borntraeger , Jonathan D. Bradbury , Fadi Y. Busaba , Lisa C. Heller , Viktor Mihajlovski
IPC分类号: G06F21/57 , G06F9/4401 , G06F9/455
摘要: Secure processing within a computing environment is provided by incrementally decrypting a secure operating system image, including receiving, for a page of the secure operating system image, a page address and a tweak value used during encryption of the page. Processing determines that the tweak value has not previously been used during decryption of another page of the secure operating system image, and decrypts memory page content at the page address using an image encryption key and the tweak value to facilitate obtaining a decrypted secure operating system image. Further, integrity of the secure operating system image is verified, and based on verifying integrity of the secure operating system image, execution of the decrypted secure operating system image is started.
-
公开(公告)号:US20200285759A1
公开(公告)日:2020-09-10
申请号:US16296478
申请日:2019-03-08
摘要: A method, computer program product, and a system where a secure interface control determines functionality of a secure guest based on metadata. The secure interface control (“SC”) obtains metadata linked to an image of a secure guest to be started by an owner and managed by the hypervisor, where the metadata comprises control(s) that indicate whether a secure guest generated with the image is permitted to obtain a response to a particular request. The SC intercepts, from the secure guest generated with the image, during runtime, a request. The SC determines, based on the control(s), if the secure guest is permitted to obtain a response to the request. If permitted, the SC commences fulfillment of the request, within the computing system. If not permitted, the SC ignores the request.
-
公开(公告)号:US20200285746A1
公开(公告)日:2020-09-10
申请号:US16296411
申请日:2019-03-08
摘要: A method, computer program product, and a system where a secure interface control configures a hardware security module for exclusive use by a secure guest. The secure interface control (“SC”) obtains a configuration request (via a hypervisor) to configure the hardware security module (HSM), from a given guest of guests managed by the hypervisor. The SC determines if the HSM is already configured to a specific guest of the one or more guests, but based on determining that the HSM is not configured to the and is a secure guest the SC forecloses establishing a configuration of the HSM by limiting accesses by guests to the HSM exclusively to the given guest. The SC logs the given guest into the HSM by utilizing a secret of the given guest. The SC obtains, from the HSM, a session code and retains the session code.
-
公开(公告)号:US10585671B2
公开(公告)日:2020-03-10
申请号:US15651181
申请日:2017-07-17
IPC分类号: G06F9/4401 , G06F9/445 , G06F9/50
摘要: A computer-implemented method, for booting a computer system, that provides a list with entries of startup processes. Each startup process defines a resource of the computer system. For each startup process a requirement is defined. The method further comprises fetching one of the entries of the list with entries of startup processes; determining whether the requirement is satisfied for the one of the entries of the list with entries of startup processes; fetching, in case the requirement is not fulfilled, a next one of the entries of the list with entries of startup processes; starting, in case the required resource is fulfilled, the startup process; and repeating the fetching a next one of the entries, the determining and the starting until all startup processes of the list of startup processes have been started.
-
公开(公告)号:US20190215161A1
公开(公告)日:2019-07-11
申请号:US16354253
申请日:2019-03-15
CPC分类号: H04L9/30 , G06F9/45558 , G06F12/1408 , G06F21/00 , G06F21/57 , G06F2009/45583 , G06F2009/45587 , G06F2009/45591 , G06F2212/1052 , H04L9/0822 , H04L9/0894 , H04L9/14 , H04L9/3247 , H04L9/3271
摘要: A method for generating a dump comprising data generated by a virtual system in a computing environment is depicted. The method comprises: initiating a dump process for dumping data generated by the virtual system and stored in guest memory; sending a dump request for the data from the virtual machine monitor to the trusted component; in response to receiving the dump request, generating a symmetric dump generating key; reading the data from the guest memory; encrypting the data with the symmetric dump generating key; encrypting the symmetric dump generating key with the public cryptographic key of the client system; providing the encrypted dump data and the encrypted symmetric dump generating key to the virtual machine monitor; generating a dump comprising the encrypted dump data and the encrypted symmetric dump generating key; and providing the dump to the client system.
-
公开(公告)号:US10019279B2
公开(公告)日:2018-07-10
申请号:US14972280
申请日:2015-12-17
CPC分类号: G06F9/45558 , G06F3/0622 , G06F3/0623 , G06F3/065 , G06F3/067 , G06F3/0683 , G06F21/53 , G06F21/57 , G06F21/60 , G06F21/604 , G06F2009/45583 , G06F2009/45587 , H05K999/99
摘要: A method and system for transparent secure interception handling is provided. The method and system include deploying a virtual machine (VM) in an environment comprising a hypervisor and a firmware. The method and system include providing buffers in response to deploying the VM, and include executing VM instructions. The method and system include intercepting VM instructions which require access to instruction data and copying the VM state into a shadow VM state. Furthermore, the instruction data is copied to buffers, and the intercepted VM instruction is executed using the buffer. The method and system also include updating the shadow VM state buffer and the VM data in the VM memory using result data in the buffer in response to the executing of the intercepted VM instruction results. Furthermore execution of the VM instructions is resumed based on a state stored in the shadow VM state buffer.
-
公开(公告)号:US20180063136A1
公开(公告)日:2018-03-01
申请号:US15816220
申请日:2017-11-17
发明人: Khary J. Alexander , Utz Bacher , Reinhard T. Buendgen , Patrick J. Callaghan , John C. Dayka , Thomas B. Mathias , K. Paul Muller , James A. O'Connor , William J. Rooney , Kurt N. Schroeder , Peter G. Spera , Tiberiu Suto , Sean Swehla , Stefan Usenbinz , Craig R. Walters
CPC分类号: H04L63/0876 , G06F8/63 , G06F9/45558 , G06F2009/45575 , G06F2009/45587 , G06F2009/45595 , H04L9/0825 , H04L9/32 , H04L9/3268 , H04L63/06 , H04L63/061 , H04L63/08 , H04L63/123 , H04L63/126 , H04L67/04 , H04L67/10 , H04L67/146 , H04L67/20 , H04L67/2842 , H04L67/42
摘要: Technical solutions are described for securely deploying a shrouded virtual server. An example method includes sending, by a host manager, authentication information of a hosting system to a client device in response to a request from the client device. The \method also includes receiving a request to deploy a virtual server using a shrouded mode. The method also includes deploying a preconfigured hypervisor on the hosting system, where the preconfigured hypervisor is deployed in an immutable mode that disables changes to security settings of the preconfigured hypervisor. The method also includes deploying, by the preconfigured hypervisor, a preconfigured boot image as an instance of the virtual server on the preconfigured hypervisor. The method also includes sending, by the host manager, an identifier of the virtual server for receipt by the client device.
-
公开(公告)号:US20170003996A1
公开(公告)日:2017-01-05
申请号:US14788992
申请日:2015-07-01
CPC分类号: G06F9/45558 , G06F12/145 , G06F2009/45562 , G06F2009/4557 , G06F2009/45583 , G06F2009/45587 , G06F2212/1052 , G06F2212/151
摘要: A computer-implemented method includes receiving a definition of a source guest memory area for utilization by a virtual machine on a source system, wherein the source system includes a source trusted firmware and a source hypervisor. The method restricts write access to the source guest memory area of the virtual machine. The method receives repeatedly a source guest memory page location, content for each of a plurality of source guest memory pages, and an integrity value for each of a plurality of source guest memory page locations. The method receives a global integrity value for integrity values associated with the plurality of source guest memory page locations, wherein a latest integrity values for each of the plurality of source guest memory page locations is utilized. Subsequent to verifying the global integrity value, the method initializes the virtual machine on the source hypervisor.
-
10.发明授权Method for booting and dumping a confidential image on a trusted computer system 有权在受信任的计算机系统上引导和转储机密图像的方法公开(公告)号:US09454662B1
公开(公告)日:2016-09-27
申请号:US15071303
申请日:2016-03-16
CPC分类号: H04L63/0853 , G06F9/4406 , G06F9/4416 , G06F12/14 , G06F21/121 , G06F21/53 , G06F21/57 , G06F21/572 , G06F21/575 , G06F21/602 , G06F2221/034 , G06F2221/2107 , H04L9/08 , H04L9/14 , H04L9/3263 , H04L63/0442 , H04L63/061 , H04L63/0876
摘要: A method for booting a confidential image on a trusted computer system. A trusted computer system loads an encrypted client image key onto a protected area on the trusted computer system. The trusted computer system loads an encrypted boot image onto a secure logical partition on the trusted computer system. The trusted computer system decrypts the encrypted client image key to obtain a client image key in the protected area. The trusted computer system decrypts, with the client image key, the encrypted boot image to obtain a boot image and a client data key. The trusted computer system starts the boot image, and the boot image mounts the encrypted client data onto the secure logical partition. The client data key is used by the boot image to decrypt data read from the encrypted client data and to encrypt data written to the encrypted client data.
摘要翻译: 用于在可信计算机系统上引导机密图像的方法。 受信任的计算机系统将加密的客户端映像密钥加载到可信计算机系统上的保护区域上。 受信任的计算机系统将加密的引导映像加载到可信计算机系统上的安全逻辑分区上。 受信任的计算机系统解密加密的客户端图像密钥以获得保护区域中的客户端图像密钥。 受信任的计算机系统利用客户端图像密钥解密加密的引导映像,以获得引导映像和客户端数据密钥。 受信任的计算机系统启动引导映像,引导映像将加密的客户端数据加载到安全逻辑分区上。 引导映像使用客户端数据密钥来解密从加密的客户端数据读取的数据,并加密写入加密的客户机数据的数据。
-
-
-
-
-
-
-
-
-
搜索结果
81 条记录 (耗时 0.039 秒)
