CN101147154B - Methods, devices and data structures for trusted data - Google Patents

Info

Publication number: CN101147154B
Authority: CN (China)
Prior art keywords: data structure, platform, data, value, credible
Legal status: Expired - Fee Related
Application number: CN200680009269.XA
Other languages: Chinese (zh)
Other versions: CN101147154A (en)
Inventors: G. J. Proudler, D. Plaquin, W. Burton, D. Kuhlmann
Current assignee: Hewlett Packard Development Co LP
Original assignee: Hewlett Packard Development Co LP
Priority claimed from: GB0510558A, GB0512370A, GB0516534A, GB0521836A, GB0522598A, PCT/GB2006/050063 (WO2006100522A1)
Application filed by Hewlett Packard Development Co LP
Publication of CN101147154A; application granted; publication of CN101147154B
Current legal status: Expired - Fee Related; anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Abstract

A data structure has within it the following elements: an identification of a data structure type; and a proof that two or more instances of the data structure type are as trustworthy as each other. Methods and devices using such data structures are described.

Description

Methods, devices and data structures for trusted data
Technical field
The present invention relates to trusted data, meaning data that at least one trusted entity has vouched for. It relates in particular to data comprising software (such as data structures or executable instructions), and in embodiments to the upgrading or replacement of software on a computing device.
Background
An important consideration in interaction between computing entities is trust: whether an external computing entity will act in a reliable and predictable way, or whether it is (or may be) compromised. The companies forming the Trusted Computing Group (TCG) have developed trusted systems containing components that are, at least logically, protected from subversion; the group has developed standards in this field, discussed for example in "Trusted Computing Platforms: TCPA Technology in Context", Siani Pearson (ed.), Prentice Hall PTR, 2003. A trusted component of a trusted system can measure the trusted system and supply these measurements, in the form of integrity metrics, to an appropriate entity that wishes to interact with the trusted system. The receiving entity can then determine, from the consistency of the measured integrity metrics with known or expected values, whether the trusted system is operating as expected.
Integrity metrics will generally include measurements of the software used by the trusted system. These measurements may be used, typically in combination, to indicate the state, or trusted state, of the trusted system. The Trusted Computing Group specifications teach a mechanism for "sealing" data to a particular platform state: the sealed data is encrypted into an inscrutable "opaque blob" that contains a value derived at least in part from measurements of the software on the platform. The measurement comprises a digest of the software, because the digest value changes on any modification of the software. The sealed data can only be recovered if the trusted component measures the current platform state and finds it to be represented by the same value as the one in the opaque blob.
It will be appreciated that any change to the software causes a number of problems, both for this particular process and more generally for the situation where a software measurement is taken as a representation of the state of a computer system: however small the change to the software, any effective form of measurement (such as a digest) will give a different value. This means that a change to the software, which may be entirely desirable (for example to improve functionality or to remove bugs and vulnerabilities), has the drawback in the "sealing" example above of preventing continued access to the sealed data. This is one exemplary problem, but there is a general difficulty in having new or replacement software carry the same trust as the original software, and with it the practical difficulty of maintaining functionality that relies on that trust.
It is desirable to find a way of upgrading or changing trusted software that preserves trust in the software and continuity of the software's function.
Summary of the invention
In one aspect, the invention provides a data structure comprising an identification of a data structure type and a proof that two or more instances of the data structure type are as trustworthy as each other.
Description of the drawings
Preferred embodiments of the present invention will now be described, by way of example only, with reference to the accompanying drawings, in which:
Fig. 1 is a diagram of an exemplary prior-art computer platform suitable for use with embodiments of the invention;
Fig. 2 indicates functional elements present on the motherboard of a prior-art trusted computer platform suitable for use with embodiments of the invention;
Fig. 3 indicates the functional elements of a trusted device of the trusted computer platform of Fig. 2, suitable for use with embodiments of the invention;
Fig. 4 illustrates the process of extending values into a platform configuration register of the trusted computer platform of Fig. 2, suitable for use with embodiments of the invention;
Fig. 5 illustrates the process of recording integrity metrics according to an embodiment of the invention;
Fig. 6 illustrates two trust-equivalent sets of integrity metrics, and a further set, according to an embodiment of the invention;
Fig. 7 illustrates a statement vouching for new or replacement software according to an embodiment of the invention;
Fig. 8 illustrates a linked list of statements of the type shown in Fig. 5 according to an embodiment of the invention;
Fig. 9 illustrates a privacy-enhanced version of a statement of the type shown in Fig. 8 according to an embodiment of the invention;
Fig. 10 illustrates an arrangement of two trust-equivalent sets of integrity metrics, and a synthesised set of PCR values, according to an embodiment of the invention;
Fig. 11 schematically illustrates the migration of a virtual trusted platform from one physical trusted platform to another according to an embodiment of the invention; and
Fig. 12 illustrates a method for migrating a virtual trusted platform from one physical trusted platform to another according to an embodiment of the invention.
Detailed description of embodiments
Before describing embodiments of the invention, a trusted computing platform of a type generally suitable for carrying out embodiments of the invention will be described with reference to Figs. 1 to 4. This description covers certain basic elements of the structure and operation of a trusted computing platform. In this document, a "user" may be a remote user, such as a remote computing entity. A trusted computing platform is also described in the applicant's International Patent Application No. PCT/GB00/00528, entitled "Trusted Computing Platform" and filed on 15 February 2000, the contents of which are incorporated herein by reference. The skilled person will appreciate that the present invention does not rely for its operation on use of exactly the trusted computing platform described below: embodiments of the invention are described with reference to this trusted computing platform, but the skilled person will appreciate that aspects of the present invention may be employed with different types of computer platform, which need not use all the aspects of the Trusted Computing Group trusted computing platform functionality.
The trusted computing platform described here is one into which a trusted device is incorporated, whose function is to bind the identity of the platform to reliably measured data that provides one or more integrity metrics of the platform. The identity and the integrity metrics are compared with expected values provided by a trusted party (TP) that is prepared to vouch for the trustworthiness of the platform. If there is a match, the implication is that at least part of the platform is operating correctly, depending on the scope of the integrity metrics.
A user verifies the correct operation of the platform before exchanging other data with it. The user does this by requesting the trusted device to provide its identity and one or more integrity metrics. (Optionally, the trusted device will refuse to provide evidence of identity if it is itself unable to verify correct operation of the platform.) The user receives the proof of identity and the integrity metric(s) and compares them with values it believes to be true. Those proper values are provided by the TP or by another entity that is trusted by the user. If the data reported by the trusted device is the same as that provided by the TP, the user trusts the platform. This is because the user trusts the entity; the entity trusts the platform because it has previously validated the identity and determined the proper integrity metrics of the platform.
Once the user has established trusted operation of the platform, he exchanges other data with the platform. For a local user, the exchange might be by interacting with some software application running on the platform. For a remote user, the exchange might involve a secure transaction. In either case, the data exchanged is "signed" by the trusted device. The user can then have greater confidence that data is being exchanged with a platform whose behaviour can be trusted. The data exchanged may be information relating to some or all of the software running on the computer platform. Existing Trusted Computing Group trusted computer platforms are adapted to provide digests of the software on the platform, which can be compared with publicly available lists of known digests for known software. This does, however, identify the specific software actually running on the trusted computing platform, which may be undesirable for an owner of a trusted computing platform who values privacy. As described below, aspects of the present invention can be used to improve the privacy position of the trusted computing platform owner.
The trusted device uses cryptographic processes but does not necessarily provide an external interface to those cryptographic processes. The trusted device should be logically protected from other entities, including other parts of the platform of which it is itself a part. Also, a most desirable implementation would be to make the trusted device tamper-proof, to protect secrets by making them inaccessible to other platform functions and to provide an environment that is substantially immune to unauthorised modification (i.e. protected both physically and logically). Since complete tamper-proofing is impossible, the best approximation is a trusted device that is tamper-resistant or tamper-detecting. The trusted device therefore preferably consists of one physical component that is tamper-resistant. Techniques relevant to tamper resistance are well known to those skilled in the art of security. These techniques include methods for resisting tampering (such as appropriate encapsulation of the trusted device), methods for detecting tampering (such as detection of out-of-specification voltages, X-rays, or loss of physical integrity in the trusted device casing), and methods for eliminating data when tampering is detected.
A trusted platform 10 is illustrated in the diagram of Fig. 1. The computer platform 10 is entirely conventional in appearance: it has associated with it the standard features of a keyboard 14, a mouse 16 and a visual display unit (VDU) 18, which provide the physical "user interface" of the platform.
As illustrated in Fig. 2, the motherboard 20 of the trusted computing platform 10 includes (among other standard components) a main processor 21, main memory 22, a trusted device 24, a data bus 26 and respective control lines 27 and 28, BIOS memory 29 containing the BIOS program for the platform 10, and an input/output (IO) device 23 which controls interaction between the components of the motherboard and the keyboard 14, the mouse 16 and the VDU 18. The main memory 22 is typically random access memory (RAM). In operation, the platform 10 loads the operating system, for example Windows XP (TM), into RAM from hard disk (not shown). Additionally, in operation, the platform 10 loads the processes or applications that may be executed by the platform 10 into RAM from hard disk (not shown).
Typically, in a personal computer the BIOS program is located in a special reserved memory area, the upper 64K of the first megabyte of system memory (segment addresses F000h to FFFFh), and the main processor is arranged to look at this memory location first, in accordance with an industry-wide standard. The significant difference between this platform and a conventional platform is that, after reset, the main processor is initially controlled by the trusted device, which then hands control over to the platform-specific BIOS program, which in turn initialises all input/output devices as normal. After the BIOS program has executed, control is handed over as normal by the BIOS program to an operating system program, such as Windows XP (TM), which is typically loaded into main memory 22 from a hard disk drive (not shown). The main processor is initially controlled by the trusted device because it is necessary to place trust in the first measurement to be carried out on the trusted computing platform. The measuring agent for this first measurement is termed the root of trust for measurement (RTM), and is typically trusted at least in part because its provenance is trusted. In one practically useful embodiment, the RTM is the platform while the main processor is under the control of the trusted device. As is briefly described below, one role of the RTM is to measure other measuring agents before those measuring agents are used and their measurements relied upon. The RTM is the basis for a chain of trust. Note that the RTM and subsequent measuring agents do not need to verify subsequent measuring agents; they need only measure and record them before they execute. This is called an "authenticated boot process". Valid measuring agents may be recognised by comparing a digest of a measuring agent against a list of digests of valid measuring agents. Unlisted measuring agents will not be recognised, and measurements made by them and by subsequent measuring agents are deemed to be suspect.
The trusted device 24 comprises a number of blocks, as illustrated in Fig. 3. After system reset, the trusted device 24 performs an authenticated boot process to ensure that the operating state of the platform 10 is recorded in a secure manner. During the authenticated boot process, the trusted device 24 acquires an integrity metric of the computing platform 10. The trusted device 24 can also perform secure data transfer, for example authentication between it and a smart card, via encryption/decryption and signature/verification. The trusted device 24 can also securely enforce various security control policies, such as locking of the user interface. In a particularly preferred arrangement, the display driver for the computing platform is located within the trusted device 24, with the result that a local user can trust the display of data provided by the trusted device 24 to the display; this is described further in the applicant's International Patent Application No. PCT/GB00/02005, entitled "System for Providing a Trustworthy User Interface" and filed on 25 May 2000, the contents of which are incorporated herein by reference.
Specifically, the trusted device in this embodiment comprises: a controller 30, programmed to control the overall operation of the trusted device 24 and to interact with the other functions on the trusted device 24 and with the other devices on the motherboard 20; a measurement function 31 for acquiring a first integrity metric from the platform 10, either by direct measurement or, alternatively, indirectly via executable instructions to be executed on the platform's main processor; a cryptographic function 32 for signing, encrypting or decrypting specified data; an authentication function 33 for authenticating a smart card; and interface circuitry 34 having appropriate ports (36, 37 and 38) for connecting the trusted device 24 respectively to the data bus 26, the control lines 27 and the address lines 28 of the motherboard 20. Each of the blocks in the trusted device 24 has access (typically via the controller 30) to appropriate volatile memory areas 4 and/or non-volatile memory areas 3 of the trusted device 24. Additionally, the trusted device 24 is designed, in a known manner, to be tamper resistant.
For reasons of performance, the trusted device 24 may be implemented as an application specific integrated circuit (ASIC). However, for flexibility, the trusted device 24 is preferably an appropriately programmed microcontroller. Both ASICs and microcontrollers are well known in the art of microelectronics and will not be described in further detail here.
One item of data stored in the non-volatile memory 3 of the trusted device 24 is a certificate 350. The certificate 350 contains at least a public key 351 of the trusted device 24 and an authenticated value 352 of a platform integrity metric measured by a trusted party (TP). The certificate 350 is signed by the TP using the TP's private key before it is stored in the trusted device 24. In later communication sessions, a user of the platform 10 can deduce that the public key belongs to a trusted device by verifying the TP's signature on the certificate. Also, a user of the platform 10 can verify the integrity of the platform 10 by comparing the acquired integrity metric with the authentic integrity metric. If there is a match, the user can be confident that the platform 10 has not been subverted. Knowledge of the TP's generally available public key enables simple verification of the certificate 350. The non-volatile memory 35 also contains an identity (ID) label 353. The ID label 353 is a conventional ID label, for example a serial number, that is unique within some context. The ID label 353 is generally used for indexing and labelling of data relevant to the trusted device 24, but is insufficient in itself to prove the identity of the platform 10 under trusted conditions.
The trusted device 24 is equipped with at least one method of reliably measuring or acquiring the integrity metric of the computing platform 10 with which it is associated. In the present embodiment, a first integrity metric is acquired by the measurement function 31 in a process involving the generation of a digest of the BIOS instructions in the BIOS memory. Such an acquired integrity metric, if verified as described above, gives a potential user of the platform 10 a high level of confidence that the platform 10 has not been subverted at the hardware or BIOS program level. Other known processes, for example virus checkers, will typically be in place to check that the operating system and application program code have not been subverted.
The measurement function 31 has access to: non-volatile memory 3, for storing a hash program 354 and a private key 355 of the trusted device 24, and volatile memory 4, for storing acquired integrity metrics. A trusted device has limited memory, yet it may be desirable to store information relating to a large number of integrity metric measurements. This is done in trusted computing platforms by the use of Platform Configuration Registers (PCRs) 8a-8n, as described by the Trusted Computing Group. The trusted device has a number of PCRs of fixed size (the same size as a digest); on initialisation of the platform these are set to a fixed initial value. Integrity metrics are then "extended" into PCRs by the process shown in Fig. 4. The value of PCR 8i is concatenated 403 with the input 401, which is the value of the integrity metric to be extended into the PCR. The concatenation is then hashed 402 to form a new 160-bit value. This hash is fed back into the PCR to form its new value. In addition to the extension of the integrity metric into the PCR, to provide a clear history of the measurements carried out, the measurement process may also be recorded in a conventional log file (which may simply be located in the main memory of the computer platform). For trust purposes, however, it is the PCR value rather than the software log that will be relied on.
Clearly, there are a number of different ways in which an initial integrity metric may be calculated, depending upon the scope of the trust required. Measurement of the BIOS program's integrity provides a fundamental check on the integrity of the platform's underlying processing environment. The integrity metric should be of such a form that it enables reasoning about the validity of the boot process: the value of the integrity metric can be used to verify whether the platform booted using the correct BIOS. Optionally, individual functional blocks within the BIOS could have their own digest values, with an ensemble BIOS digest being a digest of these individual digests. This enables a policy to state which parts of BIOS operation are critical for an intended purpose and which are irrelevant (in which case the individual digests must be stored in such a manner that the validity of operation under the policy can be established).
Other integrity checks could involve establishing that various other devices, components or apparatus attached to the platform are present and in correct working order. In one example, the BIOS programs associated with a SCSI controller could be verified to ensure that communications with peripheral equipment can be trusted. In another example, the integrity of other devices on the platform, for example memory devices or coprocessors, could be verified by enacting fixed challenge/response interactions to ensure consistent results. As indicated above, a large number of integrity metrics may be collected by measuring agents that are directly or indirectly measured by the RTM, and these integrity metrics are extended into the PCRs of the trusted device 24. Some, many or all of these integrity metrics will relate to the software state of the trusted platform.
Preferably, the BIOS boot process includes mechanisms to verify the integrity of the boot process itself. Such mechanisms are known, for example, from Intel's draft "Wired for Management Baseline Specification v2.0 - BOOT Integrity Service", and involve calculating digests of software or firmware before loading that software or firmware. Such a computed digest is compared with a value stored in a certificate provided by a trusted entity, whose public key is known to the BIOS. The software/firmware is then loaded only if the computed value matches the expected value from the certificate and the certificate has been proven valid by use of the trusted entity's public key. Otherwise, an appropriate exception handling routine is invoked. Optionally, after receiving the computed BIOS digest, the trusted device 24 may inspect the proper value of the BIOS digest in the certificate and not pass control to the BIOS if the computed digest does not match the proper value; an appropriate exception handling routine may be invoked instead.
The techniques of manufacture and of verification of the trusted computing platform by a third party are described briefly here; they are discussed in more detail in "Trusted Computing Platforms: TCPA Technology in Context", identified above, but are not of fundamental significance to the present invention.
At the first instance (which may be on manufacture), a TP which vouches for trusted platforms inspects the type of the platform to decide whether to vouch for it or not. The TP then associates a certificate of the inspection result with the identity of the trusted device, signs it, and writes it into the trusted device.
At some later point during operation of the platform, for example when it is switched on or reset, the trusted device 24 acquires and stores the integrity metric of the platform. When a user wishes to communicate with the platform, he uses a challenge/response routine to challenge the trusted device 24 (the operating system of the platform, or an appropriate software application, is arranged to recognise the challenge and pass it to the trusted device 24 in an appropriate fashion, typically via a BIOS-type call). The trusted device 24 receives the challenge and creates an appropriate response based on the measured integrity metric or metrics; this may be provided with a certificate and signed. This provides sufficient information to allow verification by the user.
The values held by the PCRs may be used as an indication of the trusted state of the platform. Different PCRs may be assigned specific purposes (this is done, for example, in the Trusted Computing Group specifications). A trusted device may be requested to provide the values of some or all of its PCRs (in practice a digest of these values, by a TPM_Quote command) and to sign those values. As indicated above, data (typically keys or passwords) may be sealed (by a TPM_Seal command) against a digest of the values of some or all of the PCRs into an opaque blob. This ensures that the sealed data can be used only if the platform is in the (trusted) state represented by the PCRs. The corresponding TPM_Unseal command performs the same digest on the current values of the PCRs. If the new digest is not the same as the digest in the opaque blob, the user cannot recover the data by the TPM_Unseal command. If any of the measurements from which the PCR values are derived relate to software on the platform that has changed, the corresponding PCR will have a different value, and a conventional trusted platform will therefore be unable to recover the sealed data.
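The following is an added example, not code from the patent or from Hewlett Packard, that models the two mechanisms just described: the Fig. 4 extend operation (new PCR = hash of old PCR concatenated with the metric), the software log kept beside the PCRs, and sealing data against a digest of selected PCR values so that a change to any measured software makes TPM_Unseal refuse. Everything is constructed: the four-register bank, the boot images, the "storage-root secret", and the XOR keystream that stands in for the TPM's own encryption of the blob; only the SHA-1/160-bit PCR arithmetic follows the page.

```python
import hashlib
from typing import Dict, List, Optional, Sequence, Tuple

PCR_SIZE = 20   # a TPM 1.2 PCR holds one SHA-1 digest (160 bits), as in Fig. 4
NUM_PCRS = 4    # constructed: a small bank in place of the usual 16 or 24 registers


def measure(image: bytes) -> bytes:
    """Integrity metric of a software image: its SHA-1 digest."""
    return hashlib.sha1(image).digest()


def pcr_extend(pcr: bytes, metric: bytes) -> bytes:
    """The Fig. 4 extend operation: new PCR = H(old PCR || metric)."""
    if len(pcr) != PCR_SIZE or len(metric) != PCR_SIZE:
        raise ValueError("PCR and metric must both be one digest long")
    return hashlib.sha1(pcr + metric).digest()


def fresh_bank() -> List[bytes]:
    """PCR bank at platform initialisation: every register holds the fixed all-zero value."""
    return [bytes(PCR_SIZE)] * NUM_PCRS


def boot(images: Sequence[Tuple[int, bytes]]) -> Tuple[List[bytes], List[Tuple[int, bytes]]]:
    """Measure each (PCR index, image) pair in boot order, extend the metric into
    the bank, and append it to a plain software log kept beside the PCRs."""
    bank, log = fresh_bank(), []
    for idx, image in images:
        metric = measure(image)
        bank[idx] = pcr_extend(bank[idx], metric)
        log.append((idx, metric))
    return bank, log


def replay_log(log: Sequence[Tuple[int, bytes]]) -> List[bytes]:
    """A verifier replays the log into a fresh bank; only if the result equals the
    PCR values the trusted device reports is the log itself worth reading."""
    bank = fresh_bank()
    for idx, metric in log:
        bank[idx] = pcr_extend(bank[idx], metric)
    return bank


def pcr_composite(bank: Sequence[bytes], selection: Sequence[int]) -> bytes:
    """Digest over the selected PCR values: the value a sealed blob is bound to."""
    return hashlib.sha1(b"".join(bank[i] for i in selection)).digest()


def _keystream(root_secret: bytes, composite: bytes, n: int) -> bytes:
    """Counter-mode keystream derived from the device secret and the PCR composite."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(root_secret + composite + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(root_secret: bytes, bank: Sequence[bytes], selection: Sequence[int],
         plaintext: bytes) -> Dict[str, bytes]:
    """Stand-in for TPM_Seal: the opaque blob records the PCR composite it was sealed
    under and the plaintext encrypted under a key derived from that composite."""
    composite = pcr_composite(bank, selection)
    ks = _keystream(root_secret, composite, len(plaintext))
    return {"composite": composite,
            "ciphertext": bytes(a ^ b for a, b in zip(plaintext, ks))}


def unseal(root_secret: bytes, bank: Sequence[bytes], selection: Sequence[int],
           blob: Dict[str, bytes]) -> Optional[bytes]:
    """Stand-in for TPM_Unseal: recompute the composite over the current PCRs and
    release the data only when it equals the composite stored in the blob."""
    composite = pcr_composite(bank, selection)
    if composite != blob["composite"]:
        return None                      # platform is not in the sealed-to state
    ks = _keystream(root_secret, composite, len(blob["ciphertext"]))
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], ks))


def demo() -> Tuple[bool, bool, bool]:
    """Constructed boot sequence: seal a key, then boot once unchanged and once
    with a patched BIOS. Returns (log replays to the reported PCRs,
    unseal succeeds after the identical boot, unseal refuses after the patch)."""
    srk = b"constructed storage-root secret"
    v1 = [(0, b"BIOS build 1"), (1, b"boot loader"), (2, b"kernel image")]
    bank, log = boot(v1)
    blob = seal(srk, bank, [0, 1, 2], b"disk encryption key")
    same_bank, _ = boot(v1)
    patched_bank, _ = boot([(0, b"BIOS build 2"), (1, b"boot loader"), (2, b"kernel image")])
    return (replay_log(log) == bank,
            unseal(srk, same_bank, [0, 1, 2], blob) == b"disk encryption key",
            unseal(srk, patched_bank, [0, 1, 2], blob) is None)


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

The third result is the problem the patent sets out to solve: a one-byte change to the BIOS image gives a different metric, hence a different PCR 0, hence a different composite, and the sealed key is unrecoverable even though the patched BIOS may be exactly as trustworthy as the old one.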
Embodiments of the present invention will now be described with reference to use of the trusted computing platform architecture described above, with some modifications. A method of providing new or updated software with equivalent functionality and trust properties is described first, together with a mechanism that allows a trusted computing platform to indicate its software functionality and verify its trusted state without needing to reveal the specific software that it uses. An exemplary method is described by which the PCR values before and after replacement of software by functionally and trust equivalent software can be shown to be equivalent, and this method is used to address problems such as the one described above with respect to sealing data against software state.
It should be noted that in existing trusted computing platform arrangements, entities in fact base their confidence in a trusted computing platform on signed statements relating to the software installed on the platform. The inventors have appreciated that a trusted platform could provide evidence of the statement that its software is trusted, rather than providing the actual software measurement. This has several advantages. If a trusted device no longer keeps the value of a software measurement, the trusted device physically cannot report the value of the software measured. If the verification process contains evidence of the trust equivalence of the values of two software measurements (and the statement is made by a trustworthy measuring entity), then after the software has been changed in the prescribed manner the trusted device will contain information that can be used (as described in the exemplary arrangements below) to regain access to sealed plaintext data.
A positive result is obtained from working with statements of vouched-for software in a platform rather than with the actual software in the platform. If the party who vouched for the existing software is prepared to vouch that replacement software is as acceptable as the existing software, then an appropriate statement to that effect can be used to enable the platform to regain access to sealed plaintext data after the replacement software has been installed. In practice, the owner of a trusted platform must choose the parties whom he wishes to vouch for his platform. The owner can choose any party or set of parties, provided that those parties have credibility with the people who interact with the platform. The owner can change the parties or set of parties, as long as those parties are prepared to acknowledge each other as trusted peers. This allows, for example, a commercial company and a non-profit organisation to both vouch for the same trusted platform.
Fig. 5 has illustrated according to embodiments of the invention and has measured and they are recorded in remarkable step in the process among the TPM507.In step 5.1, for root of trust for measurement (RTM) or measure the summary that agency 501 makes digital object 502.In step 5.2, RTM or measure agency 501 and read the checking statement 503 related with digital object 502.In step 5.3, RTM or measurement agency 501 write out description summary object 502 and 503 daily record 504 is stated in checking.In step 5.4, RTM or measure the described checking statement 503 of agency's 501 checkings and with any failure logging in the mark related 505 with PCR506.In step 5.5, RTM or measurement agency 501 will verify that the clearly indication of processing 503 is recorded among the PCR506.
Fig. 6 illustrates two sets 601, 602 of integrity measurements (the second representing an application state that is trust-equivalent to the application state represented by the first), together with a third set 603, which is the version of the second set 602 used in this embodiment of the invention. The first set 601 of integrity measurements consists of three integrity measurements, labelled A, B and C. The second set 602 also consists of three integrity measurements, labelled A, B1 and C. Measurements A and C in the first set 601 are identical to measurements A and C in the second set 602. If the software represented by integrity measurement B1 and the software represented by integrity measurement B are trust-equivalent, then the second set 602 and the first set 601 are trust-equivalent. The third set 603 of integrity measurements shows the integrity measurements A, B, B1, C which, according to the present embodiment of the invention, must be recorded so that the platform state generated by software A, B1, C can be recognised as trust-equivalent to the platform state generated by software A, B, C.
If a party wishes to vouch for a particular program, it produces a signed statement. If the program is not an upgrade or replacement, the party creates a new statement; if the program is an upgrade or replacement, it creates the next entry in a list of statements. A statement may describe one or more programs. If a statement describes more than one program, the signer implies that all of those programs are equally suitable and equally trustworthy for the intended task.
An exemplary form of statement is shown in Figure 7. Statement 701 has the structure [programDigestsN, statementID_N, prevStatementDigestN, nextPubKeyN] and has the supplementary structures 732 [pubKeyN] (734) and [signatureValueN] (736). The fields pubKey and statementID are sufficient to identify unambiguously the verification process implied by the statement. The elements of statement 701 are described below.
o programDigests 710 is the digest of the program vouched for by the statement. This need not be the digest of a single program: it may consist of a structure containing the digests of more than one program vouched for by the statement. It may even be the digest of a structure containing the digests of more than one program vouched for by the statement. Clearly, in such an embodiment the actual digests must also be available to the platform. As described below, there may be a security advantage for the user when programDigests covers several programs.
o statementID 720 is a label that makes it possible to identify a description of the purpose of the statement. The description may include the intended use, the role of the program, a description of the program, other information about the program, and a random number or other number. The statementID serves to distinguish the statement from any other data signed with the same key.
o If the program is not an upgrade or replacement of another program, then prevStatementDigest 730 is NULL and pubKey is the key that should be used to verify signatureValue. But if the program is an upgrade or replacement of an existing program, then prevStatementDigest is the digest of that previous statement, and the nextPubKey 740 from that previous statement is the key that should be used to verify signatureValue. In other words, the nextPubKey in a statement is the pubKey that must be used in the next statement.
As can be seen, the nextPubKey and prevStatementDigest shared between related statements allow them to form a linked list that can be followed forwards and backwards, as illustrated by Figure 8. The list of statements 801, 802 and 803 is linked forwards by the signature values made with the private keys corresponding to pubKey0 734.0, nextPubKey0 740.0, nextPubKey1 740.1, ... nextPubKeyN 740.N. The list is linked backwards by prevStatementDigest1 730.1 ... prevStatementDigestN 730.N. Each member of the list is linked to one or more programs by the signature values 736.0, 736.1, ... 736.N over data that include programDigests 710.0, 710.1, ... 710.N.
In the method shown in Figure 8, the list of statements starts with [statementID_0 720.0, programDigests0 710.0, NULL 730.0, nextPubKey0 740.0] together with pubKey0 734.0 and [signatureValue0 736.0], which is the result of signing [statementID_0 720.0, programDigests0 710.0, NULL 730.1, nextPubKey0 740.0] with the private key corresponding to pubKey0 734.0. The list continues with [statementID_1 720.1, programDigests1 710.1, prevStatementDigest1 730.1, nextPubKey1 740.1] and [signatureValue1 736.1], which is the result of signing [statementID_1 720.1, programDigests1 710.1, prevStatementDigest1 730.1, nextPubKey1 740.1] with the private key corresponding to nextPubKey0 740.0. The list continues in the same manner.
The arrows in Fig. 8 illustrate that nextPubKey0 740.0 is identical to pubKey1 734.1, that nextPubKey1 740.1 is identical to pubKeyN 734.N, and so on.
A party issuing statements should appreciate that the statements in a list share common evidence of functional equivalence and common trust, but that in other respects the statements may differ. For example, the program associated with statementN need not be the program associated with statementM, so programDigestsN need not be identical to programDigestsM. This means that the program associated with the statement at the start of the list may differ from (or be identical to) the program associated with the statement at any intermediate point in the list or at the end of the list. Similarly, pubKeyN in the list may or may not be identical to nextPubKeyN. Hence the key used to verify signatureValue0 may or may not be identical to the key used to verify signatureValueN, whether N is an intermediate statement in the list or the final statement in the list. A party can therefore change its signing key from time to time (in accordance with recommended security practice) or hand over trust to another party with a different signing key.
In a variant of this method, pubKey and nextPubKey may be the digest of a key, or the digest of a structure containing one or more keys. Clearly, in such an embodiment the actual public keys must also be available to the platform. In that case, any private key corresponding to any public-key digest in the structure may be used to sign statements, and several parties can vouch for the platform simultaneously.
It should be noted that, for a given type of software, statements of that type must either be used consistently or not used at all (using the conventional TCG method instead, for example). If statements are to be used for a type of software, then the first instance of that type of software vouched for by the platform needs to have a statement. As described, switching from the conventional TCG method to upgrades with statements is not a feasible approach.
A mechanism is now described that lets a trusted platform achieve private, confidential measurement when it is required to identify its software. It requires that the party issuing a statement in fact issues two statements: one as described above, and a similar auxiliary statement that omits the programDigests field. Figure 9 illustrates the auxiliary statement 910, which consists of the fields pubKey 734, statementID 720, prevStatementDigest 730, nextPubKey 740 and signatureValue 736, and lacks the programDigests field 710. These auxiliary statements, rather than the main statements described earlier, may be returned to a challenger who receives integrity measurements from the trusted device. The auxiliary statements prevent identification of the actual programs installed in the platform. If the programDigests field in the main statement describes only one program, it identifies with certainty that that program is in use by the platform, so there is a clear security advantage in using the auxiliary statement in a challenge-response. Even when the programDigests field describes several programs, it may be considered to reveal too much information about the platform, and if privacy is required the auxiliary statement should be used in the challenge-response. Only when the programDigests field describes many programs is the use of the main statement in a challenge-response clearly irrelevant to privacy. The public key used to verify the main statement must also be used to verify the auxiliary statement, and the same statementID should appear in both statements. These constraints are necessary to provide a verifiable connection between the main statement and the auxiliary statement. Naturally, the signature value of the main statement differs from the signature value of the auxiliary statement.
The verification of new or replacement software associated with a statement, and the recording of that verification process, is now described. The essence of the process is to replace a single extend operation (for one aspect of the platform) with one or more extend operations, each of which describes a statement relevant to that aspect of the platform.
Verification with a subsequent record requires that a trusted measurement agent carries out the statement verification process, and that a trusted verification entity verifies the program, verifies the statement, and verifies that the list of statements is completely linked. The measurement entity is an entity that is trusted because of a credential associated with it, or because it has been measured by a trusted measurement agent.
To verify the program, the measurement entity creates a digest of the program and compares the digest with the information in the statement (from the programDigests field). The measurement entity must record an indication of whether this process succeeded. One embodiment is a verifiedProgram flag recorded as TRUE or FALSE in the trusted device. If the program is associated with a linked list, the comparison should be made only against the last statement in the list. (The earlier statements in the list only provide the history of the program's evolution and the proof of the program.)
To create a verifiable record of a statement, the measurement entity must at least record in the trusted device whether the statement's signature was successfully verified. One embodiment is a verifiedStatement flag set to TRUE or FALSE in the trusted device.
However, to create an auditable record of the statement's verification, the measurement agent must record the technique used to perform the verification. One embodiment is to record in the trusted device the public key (pubKey or nextPubKey) used to verify the signature on the statement. If feasible, the measurement agent also checks that the public key used to verify the signature on the statement is still current (has not been revoked), although this may exceed the capabilities of most measurement agents. If it is possible to determine this, the measurement entity always sets the verifiedStatement flag to FALSE when the public key is not current.
If the private key corresponding to the public key is used only to sign statements of a single type, no statement of the signing intent is required. Otherwise, information indicating which kind of statement was signed must be recorded together with the public key. One embodiment is to record the statementID in the trusted device.
To distinguish a single statement, or the start of a list, one embodiment is as follows: if the statement is not verified with the nextPubKey of another statement, or its prevStatementDigest is not the digest value of a previous statement, then the verification of the statement is tagged with the flag startStatement==TRUE; otherwise the verification of the statement is tagged with the flag startStatement==FALSE.
Any member of a linked list must be verified forwards and backwards. If the link tests pass, the statement is tagged with the flag verifiedList==TRUE. Otherwise the statement is tagged with the flag verifiedList==FALSE.
To create a complete record of a verified list of statements, the measurement entity must record in the trusted device the essential characteristics of all statements in the list, and whether all statements in the list have passed their verification tests. A preferred implementation records all the statements of the list in the trusted device and, at the same time, separately records in the trusted device the verification test result for each statement in the list.
According to this method, after verifying a statement the measurement entity can record in the trusted device at least a structure STATEMENT_VERIFICATION, which comprises at least (1) the public key used to verify the statement and (2) the statementID, if present. For each PCR, the trusted device maintains an upgradesPermitted flag, which is set to TRUE when the PCR is initialised but is reset to FALSE whenever the platform encounters a statement associated with that PCR having verifiedProgram==FALSE, verifiedStatement==FALSE or verifiedList==FALSE. If upgradesPermitted is FALSE, the information content of the associated PCR is unreliable. If upgradesPermitted is FALSE, the trusted device (TPM) must take the anticipated safe action when checking this PCR value, by refusing, for example, to seal data to this PCR (e.g. creating the TCG "digestAtCreation" parameter) or to unseal data (e.g. verifying the TCG "digestAtRelease" parameter). If upgradesPermitted is FALSE, the TPM may refuse to report this PCR value (e.g. using TPM_Quote), or alternatively may report the value of upgradesPermitted together with the PCR value.
An algorithm for replacing a conventional TCG integrity measurement with the record of a statement or of a list of statements is described:
o The measurement entity (before loading the program) initially follows the usual TCG process by creating a digest of the program. The measurement entity then determines whether one or more statements are associated with the program.
o If no statement is associated with the program, the measurement entity follows the existing TCG process by using TPM_Extend to extend the program's digest into the trusted device.
o If a statement is associated with the program, the measurement entity must resolve the statements into single statements and chains of statements. When a single statement is identified, the appropriate flags and STATEMENT_VERIFICATION must be recorded in the trusted device (noting that the corresponding verifiedList is not recorded and need not even be computed). When the start or an intermediate link of a chain is identified, the appropriate STATEMENT_VERIFICATION and flags are recorded in the trusted device (noting that the corresponding verifiedProgram is not recorded and need not even be computed). When the end of a chain is identified, the appropriate STATEMENT_VERIFICATION structure and flags are recorded in the trusted device. Some rules applied when resolving statements are: (a) always compute verifiedStatement; (b) compute verifiedList if a previous and/or subsequent statement exists; (c) compute verifiedProgram if there is no subsequent statement, or if the subsequent statement has startStatement==TRUE; (d) always record STATEMENT_VERIFICATION; (e) whenever verifiedProgram==FALSE, verifiedStatement==FALSE or verifiedList==FALSE, reset the appropriate upgradesPermitted flag.
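As an added illustration, not code from the patent, the following Go program builds the linked list of statements of Figures 7 and 8 with Ed25519 signatures and runs the verifiedStatement, verifiedList and verifiedProgram checks described above, recording one STATEMENT_VERIFICATION entry (verifying key, statementID) per statement. The serialisation of the signed fields, the use of SHA-256 for statement digests, and the sample program names and keys are assumptions made here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Statement mirrors [programDigests, statementID, prevStatementDigest, nextPubKey]
// with the supplementary pubKey and signatureValue fields of Figure 7.
type Statement struct {
	ProgramDigests      []byte            // digest of the program(s) vouched for
	StatementID         string            // label naming the purpose of the statement
	PrevStatementDigest []byte            // nil (NULL) for a statement that starts a list
	NextPubKey          ed25519.PublicKey // key that must verify the next statement
	PubKey              ed25519.PublicKey // key that verifies this statement
	Signature           []byte            // signatureValue over signedBody
}

// signedBody is the byte string covered by signatureValue (serialisation assumed here).
func (s *Statement) signedBody() []byte {
	var b bytes.Buffer
	b.Write(s.ProgramDigests)
	b.WriteString(s.StatementID)
	b.Write(s.PrevStatementDigest)
	b.Write(s.NextPubKey)
	return b.Bytes()
}

// Digest is the value a successor records as its prevStatementDigest.
func (s *Statement) Digest() []byte {
	h := sha256.Sum256(append(s.signedBody(), s.Signature...))
	return h[:]
}

// Sign issues a statement. For the head of a list priv is any key of the vouching
// party; for a successor it must be the private half of prev's nextPubKey.
func Sign(priv ed25519.PrivateKey, prog []byte, id string, prev *Statement, next ed25519.PublicKey) *Statement {
	s := &Statement{ProgramDigests: prog, StatementID: id, NextPubKey: next,
		PubKey: priv.Public().(ed25519.PublicKey)}
	if prev != nil {
		s.PrevStatementDigest = prev.Digest()
	}
	s.Signature = ed25519.Sign(priv, s.signedBody())
	return s
}

// Record is what the measurement entity logs for a list: one STATEMENT_VERIFICATION
// entry (verifying key prefix, statementID) per statement plus the three flags.
type Record struct {
	Entries           [][2]string
	VerifiedStatement bool // every signature checked against its pubKey
	VerifiedList      bool // every member links forward and backward
	VerifiedProgram   bool // the loaded program matches the last statement only
}

// VerifyList runs the checks over a list for a program whose digest is prog.
func VerifyList(list []*Statement, prog []byte) Record {
	r := Record{VerifiedStatement: true, VerifiedList: len(list) > 0}
	for i, s := range list {
		r.Entries = append(r.Entries, [2]string{fmt.Sprintf("%x", s.PubKey[:4]), s.StatementID})
		if !ed25519.Verify(s.PubKey, s.signedBody(), s.Signature) {
			r.VerifiedStatement = false
		}
		if i == 0 {
			// startStatement: the head of a list carries a NULL prevStatementDigest
			r.VerifiedList = r.VerifiedList && s.PrevStatementDigest == nil
			continue
		}
		// forward link: the predecessor's nextPubKey is the key that verifies this statement;
		// backward link: this prevStatementDigest is the predecessor's digest
		p := list[i-1]
		if !bytes.Equal(p.NextPubKey, s.PubKey) || !bytes.Equal(s.PrevStatementDigest, p.Digest()) {
			r.VerifiedList = false
		}
	}
	if n := len(list); n > 0 { // verifiedProgram is judged against the last statement
		r.VerifiedProgram = bytes.Equal(list[n-1].ProgramDigests, prog)
	}
	return r
}

// BuildExampleList constructs a three-member list (v0, then upgrades v1 and v2)
// with a fresh key pair behind every nextPubKey; all values are constructed samples.
func BuildExampleList() (list []*Statement, progs [][]byte) {
	var keys []ed25519.PrivateKey
	for i := 0; i < 4; i++ {
		_, k, _ := ed25519.GenerateKey(rand.Reader)
		keys = append(keys, k)
	}
	var prev *Statement
	for i := 0; i < 3; i++ {
		d := sha256.Sum256([]byte(fmt.Sprintf("webserver-v%d", i)))
		progs = append(progs, d[:])
		prev = Sign(keys[i], d[:], "webserver-role", prev, keys[i+1].Public().(ed25519.PublicKey))
		list = append(list, prev)
	}
	return list, progs
}

func main() {
	list, progs := BuildExampleList()
	fmt.Printf("%+v\n", VerifyList(list, progs[2]))
}
```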
The verification process described above captures the information needed to confirm that upgraded or replacement software is trust-equivalent to the previous software. The privacy concerns associated with reporting the application state during a challenge can therefore be reduced by using statements that describe many programs, or by using auxiliary statements. A further step is required to solve the problem of access to data sealed in opaque blobs against a previous platform state and previous software. As pointed out below, it may be possible to reseal these opaque blobs to the PCR values associated with the new application state. This requires several actions, amounting to evidence that the PCR value following the previous PCR value to which an opaque blob was sealed has been legitimately derived from it. Four types of action are required: proving that one PCR value is derived from another PCR value; proving that one integrity measurement is a replacement for another integrity measurement (proving that the two integrity measurements are linked); proving the equivalence of PCR values composed of digests of measurements; and proving the equivalence of composite PCR values constituted from several PCR values. Each action builds on the previous one, and each is described in turn below, in an example embodiment, as a new function proposed to supplement existing Trusted Computing Group systems. The use of these functions is described in an example embodiment in which a first composite PCR value in an opaque sealed blob is replaced with a second composite PCR value, the second composite PCR value being trust-equivalent to the first.
It should be noted that in Trusted Computing Group technology a set of PCR values is described as a TPM_COMPOSITE_HASH value. The Trusted Computing Group defines the TPM_COMPOSITE_HASH value as the digest of a TPM_PCR_COMPOSITE structure, which is defined as:
typedef struct tdTPM_PCR_COMPOSITE {
    TPM_PCR_SELECTION select;
    UINT32 valueSize;
    [size_is(valueSize)] TPM_PCRVALUE pcrValue[];
} TPM_PCR_COMPOSITE;
This means that the TPM_PCR_COMPOSITE structure is (in effect) a TPM_PCR_SELECTION concatenated with a four-byte value giving the number of PCR values present, followed by those PCR values. The TPM_COMPOSITE_HASH value is the result of hashing that serialised structure with a hash algorithm.
A specific nomenclature is used in the remainder of this specification when describing integrity measurements and PCR values. A capital letter represents an integrity measurement value, and a capital letter followed by a tilde "~" represents a PCR value, where the capital letter is the most recent integrity measurement value extended into the PCR. Thus the PCR state A~ means that the most recent integrity measurement extended into the PCR has the value A. The operation of extending the PCR value A~ with integrity measurement B is written X(A~, B) and yields the PCR value B~. It must be understood that a PCR value denoted [letter]~ is multi-valued: the actual PCR value depends on the previous history of the PCR.
The method used throughout this example embodiment is for a supervisory program to guide the trusted device (TPM) through a series of steps, each of which creates data that serve as evidence of an assertion verified by the trusted device. (There are alternative ways of achieving the same objective, involving the trusted device signing statements for inspection, but the described method was chosen for consistency with existing Trusted Computing Group methods.) The trusted device can subsequently recognise that it created this evidence. Such recognition methods are known to those skilled in the art and are used in existing Trusted Computing Group technology. This recognition allows the TPM to believe the assertion declared in the data when the data are reloaded into the TPM.
In one embodiment, the trusted device requires new capabilities to prove that two sets of PCR values are trust-equivalent. The following prototype trusted-device command set illustrates the concept:
TPM_upgrade_extend(A~, B) produces evidence that one PCR value can be derived from another PCR value. This command produces the output data [Uextend, A~, B~, B] as evidence that the PCR value B~ can be derived from the PCR value A~ and that the most recently extended integrity measurement has the value B. To produce this evidence, the TPM loads a temporary PCR with the value A~ and extends it with integrity measurement B, producing the PCR value B~. The trusted device tags the output data with the string "Uextend" to show the type of evidence. After the trusted device has output the data, the temporary PCR may be discarded.
TPM_upgrade_concat([Uextend, A~, B~, B], [Uextend, B~, C~, C]) produces evidence that one PCR value can be derived from another PCR value. It produces the output data [Uextend, A~, C~, C] as evidence that the PCR value C~ can be derived from the PCR value A~ and that the most recently extended integrity measurement has the value C. To produce this evidence, the TPM is loaded with the data structures [Uextend, A~, B~, B] and [Uextend, B~, C~, C] and verifies that: (1) it created both structures; (2) both [Uextend, A~, B~, B] and [Uextend, B~, C~, C] contain the string Uextend; (3) the value B~ in [Uextend, A~, B~, B] is identical to the value B~ in [Uextend, B~, C~, C]. The trusted device tags the output data with the string "Uextend" to show the type of evidence.
TPM_upgrade_link(SA, SB) produces evidence that one integrity measurement is trust-equivalent to another integrity measurement. It produces the output data [Ulinked, A, B] as evidence that integrity measurement value B is trust-equivalent to integrity measurement value A. To produce this evidence, the TPM is loaded with statements SA and SB, where SA describes integrity measurement A (pubKey-A and statementID-A) and SB describes integrity measurement B (pubKey-B and statementID-B). The TPM verifies that SA links forward to SB and that SB links backward to SA, and produces the output data [Ulinked, A, B]. The string "Ulinked" indicates the type of evidence.
TPM_upgrade_forkRoot(Uextend, A~, B~, B) creates evidence that a single integrity measurement sequence has branched into two trust-equivalent sequences, and produces the output data [Ufork, A~, B~, B, B~, B]. The string "Ufork" indicates the type of evidence. The canonical form of the Ufork data structure is [Ufork, A~, B~, B, C~, C], indicating that the two PCR states [B~, B] and [C~, C] are trust-equivalent and are derived from the same PCR state A~. TPM_upgrade_forkRoot creates the evidence for the state at the branch point, producing the data structure [Ufork, A~, B~, B, B~, B], meaning that the two identical PCR states [B~, B] and [B~, B] are trust-equivalent, which is self-evident. To produce this evidence, the TPM is loaded with the data structure [Uextend, A~, B~, B] and verifies that: (1) it created the structure; and (2) the structure contains the string Uextend.
TPM_upgrade_forkLink([Ufork, A~, B~, B, C~, C], [Ulinked, E, F], [branch]) causes the TPM to modify PCR value [branch] in the set of two trust-equivalent PCR values [B~, B] and [C~, C], but requires evidence that integrity measurement F is trust-equivalent to integrity measurement E. If the [branch] parameter is 0 and B==E, the command extends the first PCR value [B~, B] with F to [F~, F], leaving the second PCR value [C~, C] unchanged; the command therefore produces the data [Ufork, A~, F~, F, C~, C]. If the [branch] parameter is 1 and C==E, the command extends the second PCR value [C~, C] with F to [F~, F], leaving the first PCR value [B~, B] unchanged; the command therefore produces the data [Ufork, A~, B~, B, F~, F]. The TPM is loaded with the data structures [Ufork, A~, B~, B, C~, C], [Ulinked, E, F] and [branch]. The TPM always verifies that: (1) it created the first and second structures; (2) the first structure contains the string Ufork; (3) the second structure contains the string Ulinked. As before, the string "Ufork" in the output data is the type of evidence.
TPM_upgrade_forkExtend([Ufork, A~, B~, B, C~, C], [D]) causes the TPM to modify both branches of the trust-equivalent PCR values [B~, B] and [C~, C]. The command produces the output data [Ufork, A~, X(B~, D), D, X(C~, D), D]. The TPM is loaded with the data structure [Ufork, A~, B~, B, C~, C] and the integrity measurement D, and verifies that: (1) it created the first structure; and (2) the first structure contains the string Ufork. As before, the string "Ufork" in the output data is the type of evidence.
TPM_upgrade_forkPCR([Ufork, A~, B~, B, C~, C], [PCR-index]) creates evidence that the PCR values B~ and C~ are trust-equivalent for a specific PCR. The TPM is loaded with the data structure [Ufork, A~, B~, B, C~, C] and [PCR-index], and verifies that: (1) it created the first structure; (2) the first structure contains the string Ufork; (3) A~ is the initialisation value of the PCR with index [PCR-index]. The TPM produces the output data [uPCR, PCR-index, B~, C~] to show that the PCR states B~ and C~ are trust-equivalent values for the PCR with index PCR-index. The string "uPCR" in the output data is the type of evidence.
TPM_upgrade_forkHash([uPCR, PCR-index, A~, B~], [PCR-index, C~], [...] ...) creates evidence [Uhash, compHash, compHash&, PCR-indexList] that two composite PCR digests [compHash] and [compHash&] are trust-equivalent for the PCRs indicated in the list [PCR-indexList]. The TPM is loaded with one or more data structures of the form [uPCR, PCR-index, A~, B~] or [PCR-index, C~], and verifies that: (1) it created every data structure of the form [uPCR, PCR-index, A~, B~]; (2) every such data structure contains the string uPCR. In this command, a data structure of the form [uPCR, PCR-index, A~, B~] indicates that the PCR with index PCR-index must be represented by the PCR value A~ in the composite hash compHash and by the PCR value B~ in the composite hash compHash&. A data structure of the form [PCR-index, C~] indicates that the PCR with index PCR-index must be represented by the PCR value C~ in both the composite hash compHash and the composite hash compHash&. The TPM extracts the relevant PCR values from the input data and uses them, in the order reflected in PCR-indexList, to create the composite hashes compHash and compHash&. The string Uhash in the output data is the type of evidence.
TPM_upgrade_seal([sealedBlob], [Uhash, compHash, compHash&, PCR-indexList]) replaces the composite hash value compHash in the sealed blob [sealedBlob] with the composite hash value compHash&. The TPM is loaded with the sealed blob [sealedBlob] and [Uhash, compHash, compHash&, PCR-indexList]. The TPM verifies that it created both structures and that the second structure contains the string Uhash. If [sealedBlob] uses the same PCRs as are listed in PCR-indexList and its composite hash value is compHash, the TPM replaces compHash with compHash& and outputs the modified sealed blob.
One use of these new functions is now described, purely as an example.
Figure 10 illustrates two trust-equivalent integrity measurement sequences 1001, 1002. Both sequences are upgrades of the same integrity measurement sequence A0 B0 C0 D0 E0. The first sequence 1001 has been upgraded differently from the second sequence 1002. The first integrity measurement sequence 1001 is A0 B1 C0 D1 E0. The second integrity measurement sequence 1002 is A0 B0 C1 D2 E0. The digit after each letter indicates the upgrade generation: integrity measurement A0 is not an upgrade; integrity measurement B1 is an upgrade of B0; integrity measurement C1 is an upgrade of C0; integrity measurement D1 is an upgrade of D0; integrity measurement D2 is an upgrade of D1; integrity measurement E0 is not an upgrade. These relationships are shown in Figure 10 at 1003 and 1004, where each successive column is the integrity measurement of a different aspect of the trusted platform and each row shows the evolution of a particular integrity measurement. The actual sequences of integrity measurements loaded into the PCR according to this embodiment of the invention are shown in Figure 10 at 1005 and 1006. The actual sequence of integrity measurements equivalent to the first sequence 1001 is A0 B0 B1 C0 D0 D1 E0 (1005). The actual sequence of integrity measurements equivalent to the second sequence 1002 is A0 B0 C0 C1 D0 D1 D2 E0 (1006). The resulting sequences of PCR values are shown in Figure 10 at 1007 and 1008. The actual sequence of PCR values equivalent to the first sequence 1001 is 1007: R~ A0~ B0~ B1~ C0~ D0~ D1~ E0~, where R~ is the reset state of this particular PCR. The actual sequence of PCR values equivalent to the second sequence 1002 is 1008: R~ A0~ B0~ C0~ C1~ D0~ D1~ D2~ E0~. The TPM is required to prove that the first PCR sequence 1007 and the second PCR sequence 1008 are trust-equivalent. The functions above are used as follows in this embodiment:
1. TPM_upgrade_extend(R~, A0) => [Uextend, R~, A0~, A0]
2. TPM_upgrade_extend(A0~, B0) => [Uextend, A0~, B0~, B0]
3. TPM_upgrade_concat([Uextend, R~, A0~, A0], [Uextend, A0~, B0~, B0]) => [Uextend, R~, B0~, B0]
4. TPM_upgrade_forkRoot(Uextend, R~, B0~, B0) => [Ufork, R~, B0~, B0, B0~, B0]
5. TPM_upgrade_link(B0, B1) => [Ulinked, B0, B1]
6. TPM_upgrade_forkLink([Ufork, R~, B0~, B0, B0~, B0], [Ulinked, B0, B1], [0]) => [Ufork, R~, B1~, B1, B0~, B0]
7. TPM_upgrade_forkExtend([Ufork, R~, B1~, B1, B0~, B0], [C0]) => [Ufork, R~, C0~, C0, C0~, C0]
8. TPM_upgrade_link(C0, C1) => [Ulinked, C0, C1]
9. TPM_upgrade_forkLink([Ufork, R~, C0~, C0, C0~, C0], [Ulinked, C0, C1], [1]) => [Ufork, R~, C0~, C0, C1~, C1]
10. TPM_upgrade_forkExtend([Ufork, R~, C0~, C0, C1~, C1], [D0]) => [Ufork, R~, D0~, D0, D0~, D0]
11. TPM_upgrade_forkExtend([Ufork, R~, D0~, D0, D0~, D0], [D1]) => [Ufork, R~, D1~, D1, D1~, D1]
12. TPM_upgrade_link(D1, D2) => [Ulinked, D1, D2]
13. TPM_upgrade_forkLink([Ufork, R~, D1~, D1, D1~, D1], [Ulinked, D1, D2], [1]) => [Ufork, R~, D1~, D1, D2~, D2]
14. TPM_upgrade_forkExtend([Ufork, R~, D1~, D1, D2~, D2], [E0]) => [Ufork, R~, E0~, E0, E0~, E0]
15. TPM_upgrade_forkPCR([Ufork, R~, E0~, E0, E0~, E0], P) => [uPCR, P, E0~, E0~]
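As an added illustration rather than code from the patent, the following Go program models the prototype commands TPM_upgrade_extend through TPM_upgrade_forkPCR and replays steps 1 to 15 above, checking at each command that the input evidence was created by the TPM and carries the expected type string. It assumes the TCG 1.2 extend X(A~, B) = SHA-1(A~ || B), an all-zero reset value R~, PCR index 7, an HMAC tag as a stand-in for the TPM's own method of recognising evidence it created, and it takes the outcome of the statement-list check as an input to TPM_upgrade_link instead of loading SA and SB.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"fmt"
)

// Evidence is one tagged output such as [Uextend, A~, B~, B]: Kind is the type string,
// Vals the payload in the order the text lists it, and Tag a MAC that lets the TPM
// recognise that it created the structure (a stand-in for the real recognition method).
type Evidence struct{ Kind string; Vals [][]byte; Tag []byte }

// TPM is a toy trusted device holding only the secret used to tag its evidence.
type TPM struct{ key []byte }

// Extend is the TCG operation X(A~, B) = SHA-1(A~ || B), yielding B~.
func Extend(pcr, m []byte) []byte {
	h := sha1.Sum(append(append([]byte{}, pcr...), m...))
	return h[:]
}
func check(ok bool, msg string) {
	if !ok {
		panic(msg)
	}
}
func (t *TPM) emit(kind string, vals ...[]byte) Evidence {
	mac := hmac.New(sha256.New, t.key)
	mac.Write([]byte(kind))
	for _, v := range vals {
		mac.Write(v)
	}
	return Evidence{Kind: kind, Vals: vals, Tag: mac.Sum(nil)}
}
// mine is the check every command performs: the TPM created e, and e has type kind.
func (t *TPM) mine(e Evidence, kind string) {
	check(e.Kind == kind && hmac.Equal(e.Tag, t.emit(kind, e.Vals...).Tag), "bad "+kind+" evidence")
}
// UpgradeExtend: [Uextend, A~, B~, B] proves that B~ derives from A~ by extending B.
func (t *TPM) UpgradeExtend(a, b []byte) Evidence { return t.emit("Uextend", a, Extend(a, b), b) }
// UpgradeConcat joins [Uextend, A~, B~, B] and [Uextend, B~, C~, C] into [Uextend, A~, C~, C].
func (t *TPM) UpgradeConcat(e1, e2 Evidence) Evidence {
	t.mine(e1, "Uextend")
	t.mine(e2, "Uextend")
	check(bytes.Equal(e1.Vals[1], e2.Vals[0]), "B~ of the first evidence differs from B~ of the second")
	return t.emit("Uextend", e1.Vals[0], e2.Vals[1], e2.Vals[2])
}
// UpgradeLink records [Ulinked, A, B]; that statements SA and SB link forward and
// backward is assumed to have been checked by a separate verifier (simplification).
func (t *TPM) UpgradeLink(a, b []byte, statementsLinked bool) Evidence {
	check(statementsLinked, "SA and SB are not a linked pair")
	return t.emit("Ulinked", a, b)
}
// ForkRoot turns [Uextend, A~, B~, B] into [Ufork, A~, B~, B, B~, B].
func (t *TPM) ForkRoot(e Evidence) Evidence {
	t.mine(e, "Uextend")
	return t.emit("Ufork", e.Vals[0], e.Vals[1], e.Vals[2], e.Vals[1], e.Vals[2])
}
// ForkLink extends branch 0 or 1 of a Ufork with F when that branch's latest
// measurement equals E of [Ulinked, E, F]; the other branch is left unchanged.
func (t *TPM) ForkLink(f, l Evidence, branch int) Evidence {
	t.mine(f, "Ufork")
	t.mine(l, "Ulinked")
	v := append([][]byte{}, f.Vals...)
	i := 1 + 2*branch // v[i] is the branch's PCR value, v[i+1] its last measurement
	check(bytes.Equal(v[i+1], l.Vals[0]), "branch does not end in the measurement E")
	v[i], v[i+1] = Extend(v[i], l.Vals[1]), l.Vals[1]
	return t.emit("Ufork", v...)
}
// ForkExtend extends both branches with the same measurement D.
func (t *TPM) ForkExtend(f Evidence, d []byte) Evidence {
	t.mine(f, "Ufork")
	return t.emit("Ufork", f.Vals[0], Extend(f.Vals[1], d), d, Extend(f.Vals[3], d), d)
}
// ForkPCR yields [uPCR, index, B~, C~] once A~ is the reset value of that PCR.
func (t *TPM) ForkPCR(f Evidence, index byte, reset []byte) Evidence {
	t.mine(f, "Ufork")
	check(bytes.Equal(f.Vals[0], reset), "fork does not start at the PCR reset value")
	return t.emit("uPCR", []byte{index}, f.Vals[1], f.Vals[3])
}
// Meas stands in for an integrity measurement value such as A0 (constructed input).
func Meas(name string) []byte { h := sha1.Sum([]byte(name)); return h[:] }
// Figure10 replays steps 1 to 15 for PCR index 7 (constructed) and returns the two
// trust-equivalent PCR values E0~ carried by the final uPCR structure.
func Figure10(t *TPM) ([]byte, []byte) {
	R := make([]byte, 20) // reset state R~ of the PCR (all zeros here)
	e1 := t.UpgradeExtend(R, Meas("A0"))
	e2 := t.UpgradeExtend(e1.Vals[1], Meas("B0"))
	f := t.ForkRoot(t.UpgradeConcat(e1, e2))
	f = t.ForkLink(f, t.UpgradeLink(Meas("B0"), Meas("B1"), true), 0)
	f = t.ForkExtend(f, Meas("C0"))
	f = t.ForkLink(f, t.UpgradeLink(Meas("C0"), Meas("C1"), true), 1)
	f = t.ForkExtend(f, Meas("D0"))
	f = t.ForkExtend(f, Meas("D1"))
	f = t.ForkLink(f, t.UpgradeLink(Meas("D1"), Meas("D2"), true), 1)
	f = t.ForkExtend(f, Meas("E0"))
	u := t.ForkPCR(f, 7, R)
	return u.Vals[1], u.Vals[2]
}
func main() {
	a, b := Figure10(&TPM{key: []byte("constructed-tpm-secret")})
	fmt.Printf("sequence 1007 ends at %x\nsequence 1008 ends at %x\n", a, b)
}
```

The two values returned are the distinct E0~ of sequences 1007 and 1008; the evidence chain, not equality of the values, is what makes them trust-equivalent.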
The structure [uPCR, P, E0~, E0~] can then be used with TPM_upgrade_forkHash to create trust-equivalent composite PCR digest values. Those values can then be used in TPM_upgrade_seal to upgrade the composite hash value in a sealed blob.
Preferably, the existing Trusted Computing Group method of generating a composite PCR is changed so that each successive PCR value is extended into an intermediate composite PCR value. In that case TPM_upgrade_forkHash is not required.
In an alternative process, further new trusted-device capabilities create signed credentials containing the contents of the data blobs produced by these new capabilities. Such a credential can be supplied to a third party together with evidence of the current platform state (such as that created by TPM_Quote), as evidence that the platform's new state is as trustworthy as its previous state. Such a credential must contain a label, such as digestPairData, compositePairData or the like, to indicate the meaning of the credential. In accordance with common practice in the Trusted Computing Group, such a credential should be signed using one of the TPM's attestation identities, so as to protect privacy.
This method therefore allows the application state after an upgrade (as evidenced by the associated PCR values) to be associated with the application state before it. Accordingly it is possible to access sealed blobs even though the application state has changed, because the new PCR values can be shown to derive from the old PCR values and the new TPM_COMPOSITE_HASH value can replace the old TPM_COMPOSITE_HASH value. A suitable approach is to upgrade all such "sealed blobs" as one step in the process of upgrading or replacing software on the trusted platform.
If a platform lacks sufficient resources to carry out the statement verification process, the trusted device may have the capability to carry out those verification processes itself. New trusted-device capabilities can thus be used by the measurement entity to verify the signatures on statements, to verify linked lists of statements, and so on. The trusted device may even serve as scratch-pad storage for the intermediate results of the verification process, so that the results of one verification process can be used by future verification processes without needing to be stored outside the trusted device. Similar techniques have been used in Trusted Computing Group technology to compute a digest and extend that digest into a PCR.
So far, supposed that it is reciprocal trusting equivalence: for example the software of being represented by integrity measurement A0 is credible equally with the software of being represented by integrity measurement A1.May always not such situation.The reason of upgrade software may be to proofread and correct or improve the credible degree of software, for example in this case, the software of being represented by integrity measurement A1 may replace the software of being represented by integrity measurement A0 and use, and the software that integrity measurement A0 represents may not replace the software of being represented by integrity measurement A1 and use.Therefore, extraneous information is added to statement 701, indicate credible degree whether be reciprocal be necessary.This must be comprised with the part of the data of creating signature value 736 as signing, and in new TPM function, reflected, make that the integrity measurement in (when needing) branch is always identical with integrity measurement in another branch, perhaps the tolerance of back link in other branch.
In one embodiment:
A reciprocalFlag field is inserted into statement 701 and set to TRUE if the previous (forward-linked) measurement is an acceptable replacement for the current (back-linked) measurement, and to FALSE otherwise.
The structure [Ulinked, A, B] is modified to become [Ulinked, A, B, reciprocalLink], meaning that if reciprocalLink is TRUE then A may be replaced by B and B may in turn be replaced only by A.
The command TPM_upgrade_link(SA, SB) is modified to produce the reciprocalLink flag; if the reciprocalFlag of SB is FALSE, reciprocalLink is set to FALSE.
The structure [Ufork, A~, B~, B, C~, C] is modified to become [Ufork1, A~, B~, B, C~, C, reciprocal0, reciprocal1]. reciprocal0 and reciprocal1 are set to TRUE by TPM_upgrade_forkRoot. If the first integrity set [B~, B] has been extended during a TPM_upgrade_link operation whose reciprocalLink was FALSE, reciprocal0 is set to FALSE. Similarly, if the second integrity set [C~, C] has been extended during a TPM_upgrade_link operation whose reciprocalLink was FALSE, reciprocal1 is set to FALSE.
If reciprocal0 in the Ufork1 data input to TPM_upgrade_forkLink is FALSE, the command must fail when [branch]==1. Similarly, if reciprocal1 in the Ufork1 data input to TPM_upgrade_forkLink is FALSE, the command must fail when [branch]==0.
The command TPM_upgrade_forkPCR is modified to check the reciprocal0 and reciprocal1 flags in the input Ufork structure. If those flags indicate that one PCR value can be used to unseal data sealed to the other PCR value, but not vice versa, the TPM orders the PCR values in the modified uPCR structure [uPCR, PCR-index, X~, Y~] so that data sealed to X~ can be unsealed using Y~.
In one embodiment, the invention relates to recording a linked list of statements in the TPM. We now describe aspects of embodiments of the invention that concern the length of such a linked list. Recording the complete linked list is expected to record the complete pedigree of the platform state explicitly. Unfortunately, recording the complete list increases the time needed to record an integrity measurement and increases the storage needed to verify the statements, one or both of which may be undesirable. It is therefore desirable to drop older statements from the linked list, in the limit reducing the list to a single statement (the most recently linked one).
Any number of statements (including a single statement) may be recorded in the TPM, provided they are adjacent members of the same linked list recorded in consecutive order. The recording process carried out by the root of trust for measurement or the measurement agent adapts easily to the list length: the RTM/MA simply walks the list, whatever its length, recording the result of the verification process in the TPM and, as described earlier, also recording the verification process itself in the TPM. It remains to prove to the TPM that the shortened linked list and the original (longer) linked list are trust-equivalent. This proof depends on evidence that the first statement of the shortened list is part of the longer list. In one embodiment this involves the (previously described) structure [Ulinked, Slong, Sstartshort], where Sstartshort is the first statement of the shortened list and Slong is some statement preceding Sstartshort in the longer list. This Ulinked structure is evidence that the statements Slong and Sstartshort belong to the same linked list and that Slong appears at some position in the list before Sstartshort. Unless Slong is adjacent to Sstartshort in the linked list, generating this Ulinked structure requires a further new command (described below) to merge two Ulinked structures into a single Ulinked structure. Given the evidence [Ulinked, Slong, Sstartshort] and any Ufork structure [Ufork, A~, B~, B, C~, C], a further legitimate Ufork structure can be derived by extending B~ with Slong and C~ with Sstartshort, producing the data structure [Ufork, A~, Slong~, Slong, Sstartshort~, Sstartshort]. This requires a further new command (described below). If Slong is the start of a linked list and Sstartshort is the start of the shortened version of that list, then [Ufork, A~, Slong~, Slong, Sstartshort~, Sstartshort] is, for example, evidence that a PCR whose most recently recorded statement is the start of the first list is trust-equivalent to another PCR whose most recently recorded statement is the start of the shortened version of the first list. The data structure [Ufork, A~, Slong~, Slong, Sstartshort~, Sstartshort] can then be used with any command that operates on Ufork structures.
In the limiting case where only a single statement from a given list is recorded in the TPM, the function provided by the command TPM_upgrade_forkLink becomes redundant. The new structures described above are modified to omit the statement values; in that case the Ufork structure [Ufork, A~, B~, B, C~, C], for example, becomes [Ufork, A~, B~, C~].
As mentioned above, a further new command may be required to combine two Ulinked structures into a single Ulinked structure. An example of such a command is TPM_upgrade_link_concat([Ulinked, A, B], [Ulinked, C, D]). It produces evidence that integrity measurement D is linked to integrity measurement A, in the form of the data structure [Ulinked, A, D]. To produce this evidence, the TPM is loaded with the statements [Ulinked, A, B] and [Ulinked, C, D], verifies that both Ulinked structures were created by the TPM, verifies that B == C, and then creates the output structure [Ulinked, A, D].
As mentioned above, a further new command may be required to extend one PCR value with a first statement and a second PCR value with a second statement that is linked to the first, the second PCR being trust-equivalent to the first. An example of such a command is TPM_upgrade_forkLink1([Ufork, A~, B~, B, C~, C], [Ulinked, E, F], [branch]), which makes the TPM extend the [branch] PCR value with statement E and the other PCR value with statement F. The TPM always verifies that it created the Ufork and Ulinked structures before producing any output. If the [branch] parameter is 0, the command extends PCR value B~ with E to give [E~, E] and PCR value C~ with F to give [F~, F], producing the output [Ufork, A~, E~, E, F~, F]. If the [branch] parameter is 1, the command extends PCR value B~ with F to give [F~, F] and PCR value C~ with E to give [E~, E], producing the output [Ufork, A~, F~, F, E~, E].
We now describe, purely as an example, the upgrade of a PCR where only a single statement of the linked list is recorded in the TPM. Suppose we are required to prove that the integrity measurement sequence A0 B0 and the integrity measurement sequence A0 B1 are trust-equivalent. This example uses the modified data structures with the statement field omitted, as mentioned above. One embodiment is:
1. TPM_upgrade_extend(R~, A0) => [Uextend, R~, A0~]
2. TPM_upgrade_forkRoot(Uextend, R~, A0~) => [Ufork, R~, A0~, A0~]
3. TPM_upgrade_link(B0, B1) => [Ulinked, B0, B1]
4. TPM_upgrade_forkLink([Ufork, R~, A0~, A0~], [Ulinked, B0, B1], [0]) => [Ufork, R~, B0~, B1~]
5. TPM_upgrade_forkPCR([Ufork, R~, B0~, B1~], P) => [uPCR, P, B0~, B1~]
The structure [uPCR, P, B0~, B1~] can then be used with TPM_upgrade_forkHash to create trust-equivalent composite PCR digest values. Those values are then used in TPM_upgrade_seal to upgrade the composite hash value in a sealed blob.
The preceding embodiments of the invention relate a linked list to the execution of only one program (although aspects relating to several statements of a linked list being recorded in the TPM were described, each linked list in fact corresponds to only one program executing on the computer that carries the TPM). A further embodiment of the invention relates to identifying sections of adjacent statements in the linked list, the computer then executing one program for each statement in the section. This is useful when the same entity vouches for several programs executing on the platform while trust equivalence is maintained. Preferably, the statement structure illustrated in Figure 7 is modified to include additional data that distinguishes the sections of the linked list, even when a section contains only one statement. For example, this data may take different values for different adjacent sections of the list but be identical for all members of the same section. This data allows the list to be parsed into sections.
When the RTM or measurement agent walks the linked list, verifying the statements and recording the results in the TPM, it can identify each section of the linked list. Each statement in a section may be used to verify a separate program, and each such program can be executed by the computer.
This allows an entity to use the same linked list to vouch for several programs executed consecutively on a platform, without having to create a separate linked list for each program.
This also allows an entity to replace a single program with several programs that are trust-equivalent to it. To do so, the entity provides a linked-list section containing a number of adjacent linked statements equal to the number of replacement programs, linked to the list associated with the original single program. The RTM or measurement agent in the platform verifies each statement in the section, verifies the program corresponding to each statement in the section, records the verification results in the TPM, and executes the programs verified by those statements. The techniques described above with reference to embodiments of the invention can then be used to guide the TPM through a test proving that the platform booted with the several programs is trust-equivalent to the platform booted with the original single program.
If several statements in the same section of a linked list are used to vouch for several programs executing on the platform, the statements in that section can serve as the limbs of a branch of separate linked lists, each branch chaining to a separate statement in the section. As described above, such a branch can support executing only one program per linked-list section, or several programs per linked-list section. A tree of linked statements is thereby created.
In a further embodiment of the invention, if a program is no longer executed on the computer platform, an entity can use a verification statement to vouch that the trusted state of the platform is unchanged. This allows a trust-equivalent state to contain fewer programs than the original state.
In this embodiment of the invention, the programDigests 710 field may contain a NULL indicator. An RTM or measurement agent that encounters a statement containing the NULL indicator should infer that no associated program needs to be executed, that no verification result needs to be recorded in the TPM, and that no verification value is recorded in the TPM. Statements containing the NULL indicator are used when the TPM is guided through the process of proving that two PCR values are trust-equivalent. If the programDigests 710 field in statement SA contains only the NULL indicator, the command TPM_upgrade_link(SA, SB) is modified to produce the output [Ulinked, NULL, B]; if the programDigests 710 field in statement SB contains only the NULL indicator, it is modified to produce the output [Ulinked, A, NULL]. The command TPM_upgrade_forkLink([Ufork, A~, B~, B, C~, C], [Ulinked, E, F], [branch]) is modified so that if E is NULL the branch that would be upgraded with E is left unchanged, and if F is NULL the branch that would be upgraded with F is left unchanged.
Purely as an example, we describe guiding the TPM through a test that the state of the computer before program B0 is removed is trust-equivalent to the state after B0 is removed. Suppose the platform boots and generates a first set of integrity measurements [A0], [B0], [C0], [D0]. The platform then boots again and generates a second set of integrity measurements [A0], [C0], [D0]. This second set is identical to [A0], [B1], [C0], [D0] where B1 == NULL. The aim is to prove to the TPM that the first set of integrity measurements [A0], [B0], [C0], [D0] and the second set [A0], [NULL], [C0], [D0] are trust-equivalent. One embodiment comprises the sequence:
1. TPM_upgrade_forkRoot(Uextend, R~, A0~, A0) => [Ufork, R~, A0~, A0, A0~, A0]
2. TPM_upgrade_link(B0, B1) => [Ulinked, B0, NULL]
3. TPM_upgrade_forkLink([Ufork, R~, A0~, A0, A0~, A0], [Ulinked, B0, NULL], [0]) => [Ufork, R~, B0~, B0, A0~, A0]
4. TPM_upgrade_forkExtend([Ufork, R~, B0~, B0, A0~, A0], [C0]) => [Ufork, R~, X(B0~, C0), C0, X(A0~, C0), C0]
The remaining test proceeds as described above.
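The two command sequences above (the A0 B0 / A0 B1 substitution and the removal of B0), together with TPM_upgrade_link_concat, are illustrated below in a small Python model. This is an added example, not code from the patent or from any TCG specification: the structure and command names follow the text, while the tuple layouts, the choice of SHA-256 as the extend hash and the way the toy TPM recognises its own output (a set of issued tuples standing in for real integrity protection) are assumptions made here. The statement-less form [Ufork, A~, B~, C~] is used throughout, so the removal sequence yields [Ufork, R~, X(B0~, C0), X(A0~, C0)] rather than the six-element form shown in the text; reciprocal flags and the upgrade-type flags are left out.

```python
# Added illustration of the PCR-upgrade structures; not patent or TCG code.
# Tuple layouts, SHA-256 as the extend hash and the "issued set" used to
# recognise TPM-created structures are assumptions made for this example.
import hashlib

NULL = None             # programDigests NULL indicator: the program was removed
RESET = b"\x00" * 32    # PCR reset value, written R~ in the text


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend as claim 1 describes it: new = H(current || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()


def measure(label: str) -> bytes:
    """Constructed stand-in for the integrity measurement of a program."""
    return hashlib.sha256(label.encode()).digest()


class ToyTPM:
    # Creates upgrade structures and refuses to consume any it did not create.
    def __init__(self):
        self._issued = set()

    def _issue(self, structure):
        self._issued.add(structure)
        return structure

    def _check(self, *structures):
        for s in structures:
            if s not in self._issued:
                raise ValueError("structure was not created by this TPM")

    def upgrade_extend(self, pcr, m):
        return self._issue(("Uextend", pcr, extend(pcr, m)))

    def upgrade_forkRoot(self, uextend):
        self._check(uextend)
        _, r, a = uextend
        return self._issue(("Ufork", r, a, a))      # both branches start equal

    def upgrade_link(self, sa, sb):
        # Evidence that measurement sa may be replaced by sb (NULL: removed).
        return self._issue(("Ulinked", sa, sb))

    def upgrade_link_concat(self, l1, l2):
        self._check(l1, l2)
        _, a, b = l1
        _, c, d = l2
        if b != c:
            raise ValueError("links do not chain: B != C")
        return self._issue(("Ulinked", a, d))

    def upgrade_forkLink(self, ufork, ulinked, branch):
        self._check(ufork, ulinked)
        _, r, b_, c_ = ufork
        _, e, f = ulinked
        first, second = (e, f) if branch == 0 else (f, e)
        # A NULL side is the "less" case: that branch is left unchanged.
        nb = b_ if first is NULL else extend(b_, first)
        nc = c_ if second is NULL else extend(c_, second)
        return self._issue(("Ufork", r, nb, nc))

    def upgrade_forkExtend(self, ufork, m):
        self._check(ufork)
        _, r, b_, c_ = ufork
        return self._issue(("Ufork", r, extend(b_, m), extend(c_, m)))

    def upgrade_forkPCR(self, ufork, pcr_index):
        self._check(ufork)
        _, _, x, y = ufork
        return self._issue(("uPCR", pcr_index, x, y))


def substitute_example(pcr_index=7):
    """Five-step sequence from the text: A0 B0 is trust-equivalent to A0 B1."""
    tpm = ToyTPM()
    a0, b0, b1 = measure("A0"), measure("B0"), measure("B1")
    u = tpm.upgrade_extend(RESET, a0)               # [Uextend, R~, A0~]
    fork = tpm.upgrade_forkRoot(u)                  # [Ufork, R~, A0~, A0~]
    link = tpm.upgrade_link(b0, b1)                 # [Ulinked, B0, B1]
    fork = tpm.upgrade_forkLink(fork, link, 0)      # [Ufork, R~, B0~, B1~]
    return tpm.upgrade_forkPCR(fork, pcr_index)     # [uPCR, P, B0~, B1~]


def removal_example():
    """'Less' sequence from the text: A0 B0 C0 is trust-equivalent to A0 NULL C0."""
    tpm = ToyTPM()
    a0, b0, c0 = measure("A0"), measure("B0"), measure("C0")
    fork = tpm.upgrade_forkRoot(tpm.upgrade_extend(RESET, a0))
    link = tpm.upgrade_link(b0, NULL)               # [Ulinked, B0, NULL]
    fork = tpm.upgrade_forkLink(fork, link, 0)      # [Ufork, R~, B0~, A0~]
    return tpm.upgrade_forkExtend(fork, c0)         # [Ufork, R~, X(B0~,C0), X(A0~,C0)]
```

The property worth noticing is that the two PCR values in the final uPCR or Ufork structure are exactly what a real boot would produce by extending the reset value with each sequence of measurements; the TPM never trusts a caller-supplied PCR value, only structures it issued itself, and TPM_upgrade_link_concat refuses two links whose inner measurements do not match.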
Embodiments of the invention allow three types of upgrade:
"substitute", in which one program is replaced by one trust-equivalent program;
"more", in which one program is replaced by more than one trust-equivalent program;
"less", in which one program is removed but the resulting state is still recognised as trust-equivalent.
In a further embodiment of the invention, when automatic upgrade of the composite hash of sealed data is permitted, the entity creating the sealed data states explicitly which type of upgrade it permits, and the data structures record an indicator of the type of integrity-measurement upgrade that has taken place. This allows the entity to state explicitly which upgrade types may cause the composite hash value in the sealed data to be updated automatically. It is useful if, for example, the data owner is willing to accept a single upgraded program but not added or removed programs, or does not wish to accept any automatic upgrade at all.
Sealing data, unsealing data, and guiding the TPM through the process of proving that one composite hash value is trust-equivalent to another are as previously described, with the following changes:
The data structures [Ufork, A~, B~, B, C~, C], [uPCR, PCR-index, A~, B~] and [Uhash, compHash, compHash&, PCR-indexList] are changed to include the flags "substitute", "more" and "less".
The command TPM_upgrade_forkRoot is changed to set "substitute", "more" and "less" in the output Ufork structure to FALSE.
The command TPM_upgrade_forkLink is changed so that:
o when the command replaces a statement with one trust-equivalent statement, it sets substitute=TRUE in the output Ufork structure;
o when the command replaces a statement with more than one trust-equivalent statement, it sets more=TRUE in the output Ufork structure;
o when the command removes a statement, it sets less=TRUE in the output Ufork structure.
The command TPM_upgrade_forkPCR is changed to copy the state of the "substitute", "more" and "less" flags from the input Ufork structure to the output uPCR structure.
The command TPM_upgrade_forkHash is changed to copy the state of the "substitute", "more" and "less" flags from the input uPCR structure to the output Uhash structure.
The existing TCG structures TPM_STORED_DATA and/or TPM_STORED_DATA12 are modified by adding a new upgradeOptions field containing the flags "substitute", "more" and "less".
o If upgradeOptions=>substitute is FALSE (the default), automatic upgrading of the composite hash value in TPM_STORED_DATA_UFLAGS is prohibited when a one-to-one program replacement contributes to the change in the composite hash.
o If upgradeOptions=>more is FALSE (the default), automatic upgrading of the composite hash value in TPM_STORED_DATA_UFLAGS is prohibited when a one-to-many program replacement contributes to the change in the composite hash.
o If upgradeOptions=>less is FALSE (the default), automatic upgrading of the composite hash value in TPM_STORED_DATA_UFLAGS is prohibited when the removal of a program contributes to the change in the composite hash.
The existing TCG commands TPM_Seal and TPM_Unseal and the new command TPM_upgrade_seal are changed to operate on the modified TPM_STORED_DATA structure.
o TPM_Seal is changed to include the additional input parameters "substitute", "more" and "less". The state of these additional input parameters is copied to the parameters of the same name in the output TPM_STORED_DATA structure.
o The operation of TPM_Unseal is unchanged.
o TPM_upgrade_seal is changed so that:
if upgradeOptions=>substitute is FALSE but Uhash=>substitute is TRUE, the command fails;
if upgradeOptions=>more is FALSE but Uhash=>more is TRUE, the command fails;
if upgradeOptions=>less is FALSE but Uhash=>less is TRUE, the command fails.
In a further embodiment of the invention, the entity creating the sealed data can choose to force a change of the composite hash value in the sealed data. This allows the entity, for example, to approve explicitly that an upgraded program may access existing sealed data. The processing of sealing and unsealing data requires the following changes:
The existing TCG structures TPM_STORED_DATA and/or TPM_STORED_DATA12 are modified by adding a new upgradeAuth field containing a standard TCG authorisation value.
The existing TCG commands TPM_Seal and TPM_Unseal are changed to operate on the modified TPM_STORED_DATA.
o The existing TCG command TPM_Seal is changed to include the additional input parameter upgradeAuth (normally encrypted).
o The operation of TPM_Unseal is unchanged.
A new TPM command TPM_upgrade_SealForce([sealedBlob], compHash) is authorised using the standard TCG authorisation protocol, proving possession of the same value as upgradeAuth in sealedBlob. The TPM opens the existing sealedBlob, replaces the existing composite hash value with the value compHash, and outputs the modified sealed blob.
Current TCG technology cannot perform automatic composite-hash upgrades, and some data owners may be using sealed blobs on the assumption that they cannot be updated automatically. TCG has stated its intention to preserve backward compatibility wherever possible. It is therefore undesirable to allow existing commands and structures to be used to update sealed blobs automatically. Preferably, new versions of the data structures and commands are created to implement the techniques described for embodiments of the invention. When data owners wish to allow automatic updates they should use these new structures and commands, and when they do not wish to allow automatic updates they continue to use the existing structures and commands. TCG may also wish to deprecate the existing TPM_STORED_DATA structure and the TPM_Seal and TPM_Unseal commands only for future TPMs. Any new structures and commands designed to allow automatic updates should therefore also allow automatic updates to be disabled. Data owners who distrust some or all forms of automatic update may wish to use explicit upgrades, which inherently require the new data structures. Any new structures and commands should therefore also allow explicit upgrades. It is therefore preferred that:
The existing TPM_STORED_DATA and/or TPM_STORED_DATA12 structures are not modified as described above; instead a new structure (called TPM_STORED_DATA_UPGRADE) is created by adding the upgradeOptions and upgradeAuth fields to TPM_STORED_DATA and/or TPM_STORED_DATA12.
TPM_Seal and TPM_Unseal are not modified as described above; instead new commands are created by adding the upgradeOptions and upgradeAuth fields to TPM_Seal and TPM_Unseal. These new commands should operate on the TPM_STORED_DATA_UPGRADE structure.
The commands TPM_upgrade_seal and TPM_upgrade_SealForce([sealedBlob], compHash) should operate only on the TPM_STORED_DATA_UPGRADE structure.
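The upgradeOptions gating of TPM_upgrade_seal and the upgradeAuth check of TPM_upgrade_SealForce described in the preceding passages are modelled below. This is an added example, not code from the patent or from any TCG specification: the field and command names follow the text, while the record layouts, the HMAC stand-in for the standard TCG authorisation protocol and every sample value are assumptions made here.

```python
# Added illustration of upgradeOptions / upgradeAuth on a sealed blob; not
# patent or TCG code. Record layouts, the HMAC stand-in for TCG authorisation
# and all sample values are assumptions made for this example.
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class UpgradeFlags:
    """The three upgrade types; defaults are FALSE, as the text specifies."""
    substitute: bool = False   # one program replaced by one trust-equivalent program
    more: bool = False         # one program replaced by more than one
    less: bool = False         # a program removed


@dataclass(frozen=True)
class Uhash:
    """[Uhash, compHash, compHash', PCR-indexList] plus the flags that forkPCR
    and forkHash copy along Ufork -> uPCR -> Uhash."""
    comp_hash: bytes
    comp_hash_new: bytes
    pcr_index_list: tuple
    flags: UpgradeFlags


@dataclass(frozen=True)
class StoredDataUpgrade:
    """Stand-in for TPM_STORED_DATA_UPGRADE: TPM_STORED_DATA plus the two new fields."""
    comp_hash: bytes               # composite PCR digest the data is sealed to
    sealed: bytes                  # the protected payload, opaque here
    upgrade_options: UpgradeFlags  # automatic upgrade types the owner permits
    upgrade_auth: bytes            # authorisation value for TPM_upgrade_SealForce


UPGRADE_KINDS = ("substitute", "more", "less")


def upgrade_seal(blob: StoredDataUpgrade, uhash: Uhash) -> StoredDataUpgrade:
    """TPM_upgrade_seal: automatic compHash replacement, gated by upgradeOptions."""
    if uhash.comp_hash != blob.comp_hash:
        raise ValueError("Uhash does not describe the composite hash in this blob")
    for kind in UPGRADE_KINDS:
        # upgradeOptions=>kind is FALSE but Uhash=>kind is TRUE: the command fails.
        if getattr(uhash.flags, kind) and not getattr(blob.upgrade_options, kind):
            raise PermissionError(f"owner did not permit automatic '{kind}' upgrades")
    return replace(blob, comp_hash=uhash.comp_hash_new)


def prove_upgrade_auth(upgrade_auth: bytes, nonce: bytes, new_comp_hash: bytes) -> bytes:
    """Caller side of the (assumed) authorisation: HMAC over nonce and new compHash."""
    return hmac.new(upgrade_auth, nonce + new_comp_hash, hashlib.sha256).digest()


def upgrade_seal_force(blob: StoredDataUpgrade, new_comp_hash: bytes,
                       nonce: bytes, proof: bytes) -> StoredDataUpgrade:
    """TPM_upgrade_SealForce: explicit compHash replacement regardless of the
    flags, for a caller that proves knowledge of the blob's upgradeAuth value."""
    expected = prove_upgrade_auth(blob.upgrade_auth, nonce, new_comp_hash)
    if not hmac.compare_digest(expected, proof):
        raise PermissionError("upgradeAuth proof failed")
    return replace(blob, comp_hash=new_comp_hash)


# Constructed sample values used by sample_blob() and by the tests.
OLD_COMP_HASH = hashlib.sha256(b"constructed composite digest before upgrade").digest()
NEW_COMP_HASH = hashlib.sha256(b"constructed composite digest after upgrade").digest()
SAMPLE_AUTH = hashlib.sha256(b"constructed upgradeAuth secret").digest()


def sample_blob(**options) -> StoredDataUpgrade:
    """A sealed blob whose owner permits only the named upgrade types."""
    return StoredDataUpgrade(OLD_COMP_HASH, b"opaque payload",
                             UpgradeFlags(**options), SAMPLE_AUTH)
```

A blob created with the default flags accepts no automatic upgrade at all, which matches the backward-compatibility preference stated above; the forced path bypasses the flags but only for a caller holding upgradeAuth, and the payload itself is never touched by either command.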
An example of upgrading integrity measurements and PCR values will now be described in full. It arises when a virtual platform migrates from one host trusted platform to another. The example assumes that the virtual platform uses data blobs sealed to PCR values representing attributes of the host platform. Embodiments of the invention allow the PCR values recorded in these sealed data blobs to be upgraded in an environment where the blobs cannot currently be unsealed. An advantage of using embodiments of the invention is therefore that the virtual platform can be adapted to work on a different host platform either before or after migrating to it.
If a customer is willing to trust a virtual platform, the customer should trust the entity managing the host platform, because the management entity has the ability to move the virtual platform to a different host platform. It is desirable that the management entity act so as to instantiate the virtual platform only on an equally trustworthy host platform, because a rogue host platform can subvert any virtual platform it hosts, and a virtual platform cannot protect itself against a rogue host platform or a rogue management entity. A customer using the virtual platform may therefore require no knowledge of the host platform: either the management entity instantiates the virtual platform on an equally trustworthy host platform, or it does not instantiate it at all.
A third party discovers the trust attributes of a platform by full inquiry and inspection of the PCR values, event log and certificates it returns. Information revealing whether a platform is virtual (and the nature of the host platform, which may itself be virtual) may be in the PCRs of the virtual platform and/or in the certificates of the virtual platform.
Putting agreed security-service information into the PCR stack of a virtual platform has an advantage for the host management entity: it makes balancing the computing load easier while maintaining the agreed security level. Users of the virtual platform can seal their data to a PCR indicating the security service level agreement (SSLA) they have agreed. The fewer the SSLA restrictions, the larger the range of host platforms that can support the user, and the easier it is for the host entity to provide service and to move virtual platforms between host platforms. If the user's SSLA value in the sealed data blob matches the actual SSLA PCR value of the virtual platform, the user can access their data and consume platform resources; otherwise the user can do neither. Hence, if the host management entity moves the customer to a host that does not satisfy the user's SSLA, the user's data is automatically prevented from being used in the unsuitable environment.
Factors represented in the SSLA include:
The class of virtual TPM
The IP address
Uptime
The geographic location
The presence of a virtual LAN
The type of virtual LAN
Whether the virtual platform can be cloned
The flexibility of the platform algorithms
Putting information about the host platform into the PCR stack of a virtual platform has a disadvantage for the customer: the PCR stack of the virtual platform can differ from the PCR stack of a dedicated (non-virtual) platform, so software configured to operate using a dedicated platform will not naturally operate on the virtual platform.
Some designers may decide to put host-related information in the certificates of the hosted virtual platform, other designers may decide to put host information in the PCRs of the hosted virtual platform, and others may choose both.
If a designer places host information in the PCRs of the hosted virtual platform, and users create data blobs sealed to those PCRs, it is desirable to upgrade those PCR values, provided the attributes of the destination host platform are at least equivalent to those of the source host platform. This can be done using the techniques described above. The PCR and integrity-measurement upgrade techniques described are particularly advantageous because they do not require the environment currently described by the sealed data to exist. The virtual platform can therefore migrate to a new host and be re-created when it arrives there, or vice versa.
One consequence of this advantage for the host management entity is that it can offer preferential terms to customers using the virtual platforms it provides, provided they agree that information about the permitted platform instantiation appears in the PCR stack of the platform. Hence, if the user's sealed data blobs always include a PCR whose value represents information about the permitted platform instantiation, the user can use the same software configuration on all platforms, even when the platform is a dedicated platform, and benefit from the preferential terms when using a virtual platform. Naturally, this technique also allows customers to use their sealed data on different types of dedicated platform.
We now describe, purely as an example, the migration of a virtual platform VP from one host trusted platform P1 to another host trusted platform P2. The elements of the platforms are illustrated schematically in Figure 11. Platform P1 may be a physical or a virtual platform, as may platform P2. Each host platform contains a TPM (called TPM-P1 on P1 and TPM-P2 on P2). The virtual platform VP comprises a main virtual platform computing environment VPCE and a virtual trusted platform module (VTPM). At least one attribute of its host platform is recorded in the PCRs of the VTPM. The VPCE contains data blobs protected by the VTPM, which may be sealed to PCRs that depend on host platform attributes. The host platform isolates the VPCE and the VTPM from each other and from the rest of the host platform. The host platform also contains a migration process MP (called MP-P1 on P1 and MP-P2 on P2) running in another isolated computing environment. The component that provides isolation in the host platform is the virtualisation component (VC) (called VC-P1 on P1 and VC-P2 on P2). The PCR values in the host platform's TPM contain all the data needed to represent the state of its MP and VC.
VP is initially instantiated on P1. When VP needs to migrate (at the user's request, or as a maintenance operation by the provider), the migration process MP-P1 first suspends execution of the VPCE on P1 and then suspends the corresponding VTPM. Although suspension may not otherwise require any additional step, suspending the VTPM must ensure that any secrets used by the VTPM (the VTPM-secret) are removed from memory and protected by TPM-P1. As shown in Figure 12, MP-P1 then migrates VP from P1 to P2 by performing the following steps.
1) Check (1210) that the destination platform P2 is a suitable trusted platform and obtain one of its attestation identity keys.
If MP-P1 does not yet trust P2 and does not know one of its TPM keys, P1 uses a challenge-response protocol with P2 to determine whether P2 is a legitimate trusted platform (that is, whether MP-P1 trusts the construction of TPM-P2 and P2). This challenge-response process provides MP-P1 with proof that P2 is a trusted platform of the particular type, and with details of the specific TPM key of P2.
2) Upgrade (1220) the integrity measurements in the sealed blobs protected by the VTPM.
If the attributes provided by P2 are equivalent to (or a superset of) the host attributes recorded in the PCR values to which individual data blobs are sealed by the VTPM, MP-P1 upgrades those VTPM-sealed blobs, creating new sealed blobs containing PCR values that reflect the attributes provided by P2. Depending on the upgrade method, this may or may not require explicit authorisation from the upgrade entity associated with the sealed blob.
3) Migrate (1230) the VTPM-secret from P1 to P2.
MP-P1 performs the migration command for the VTPM-secret from TPM-P1 to TPM-P2 and sends the resulting data to MP-P2. MP-P2 completes the migration process by providing the received data to TPM-P2. Standard TCG techniques are used to ensure that the VTPM-secret is unavailable on P2 unless P2 is executing the desired versions of MP-P2 and VC-P2.
4) MP-P1 sends (1240) the data representing the VPCE and the VTPM to P2 (and MP-P2 runs the VTPM).
MP-P2 uses this data to create an identical VP instance on P2 by creating instances of the VPCE and the VTPM. MP-P2 then resumes execution of the VTPM. After resumption, the VTPM attempts to reload the VTPM-secret into memory; failure to do so indicates an unacceptable VP environment on P2. If the reload succeeds, MP-P2 resumes the VPCE, which can now use the VTPM and the secrets that the VTPM protected while on P1. Finally, applications on the VP attempt to unseal data stored in sealed blobs protected by the VTPM; failure indicates that P2 is not suitable for revealing the particular sealed data.
Note that steps 2 and 3 may be performed in the reverse order, in which case the VTPM-sealed blobs are migrated to P2 before being upgraded on P2.
The method described above can clearly be used and adapted for upgrading any data structure that contains integrity measurements or is derived from integrity measurements. It can provide evidence that one integrity measurement is trust-equivalent to another, that one PCR value is trust-equivalent to another, and that one PCR_COMPOSITE value is trust-equivalent to another. These methods can therefore be used to upgrade any data structure that depends on integrity measurements, PCR values or PCR_COMPOSITE values. Examples of other data structures that can be upgraded are TCG structures that depend on a PCR_COMPOSITE value, such as the TCG key structures TPM_KEY and TPM_KEY12 and their auxiliary structures. A TPM command similar to TPM_upgrade_seal could, for example, be used to upgrade the PCR_COMPOSITE value in a TPM_KEY structure. Upgrading key structures may be desirable, for example, when the original environment is unavailable, when restoring data from backup, or when copying data to a different system. In particular, migratable keys can be used to facilitate backup and recovery, and to copy data (to a different platform or a different operating system). The current TCG key-migration commands, such as TPM_CreateMigrationBlob and TPM_CMK_CreateBlob, explicitly ignore the PCR_COMPOSITE value. TCG trusted platform technology could therefore benefit from the methods described in embodiments of the invention, so as to change the composite PCR value in TPM key structures.

Claims (28)

1. A method of providing evidence of the state of a computer platform, comprising:
measuring the state of the computer platform, wherein the measuring comprises measuring a first data structure in the computer platform, so as to provide a first measured state;
using the first measured state in evidence of the state of the computer platform;
replacing the first data structure with a second data structure in the computer platform;
measuring the state of the computer platform in which the first data structure has been replaced by the second data structure, so as to provide a second measured state;
verifying that the second measured state is as trustworthy as the first measured state; and
replacing the first measured state with the second measured state in the evidence of the state of the computer platform,
wherein the computer platform comprises a tamper-resistant trusted device, and the trusted device performs the measuring, verifying and replacing steps,
wherein the trusted device comprises one or more platform configuration registers, a measured value being placed in a said platform configuration register by concatenating the current platform configuration register value with the measured data, hashing the result, and replacing the current platform configuration register value with the hash result, wherein the first measured state is derived from the platform configuration register value with the first data structure in place, and the second measured state is derived from the platform configuration register value after the first data structure has been replaced by the second data structure, and the verifying step comprises: determining that the platform configuration register value with the first data structure in place and the platform configuration register value after the first data structure has been replaced by the second data structure are related.
2. The method of claim 1, wherein the first and second measured states each comprise a value derived from a plurality of platform configuration registers, and the verifying step comprises: determining that the value comprised in the first measured state and the value comprised in the second measured state are related.
3. The method of claim 2, wherein the value comprised in the first measured state and the value comprised in the second measured state are derived from the plurality of platform configuration registers by concatenating and hashing the values in those platform configuration registers.
4. The method of claim 1, wherein the trusted device is adapted to confirm that one sequence of platform configuration register values and another sequence of platform configuration register values are trust-equivalent.
5. The method of any preceding claim, wherein the evidence comprises data sealed to a value derived from a measured state, such that the data can be accessed only when the current value of the measured state of the computer platform corresponds to the measured value.
6. The method of any one of claims 1 to 4, wherein the second data structure is a plurality of data structures.
7. The method of any one of claims 1 to 4, wherein the second data structure is an empty data structure.
8. The method of any one of claims 1 to 4, wherein the first and second data structures comprise first software and second software, both provided for a common functional purpose.
9. The method of claim 8, wherein the second software is more trustworthy than the first software.
10. The method of claim 8, wherein the first and second measured states respectively comprise, or are respectively derived from, digests of the first software and the second software, and wherein the verifying step comprises: determining that the digest of the second software is related to the digest of the first software.
11. The method of claim 10, wherein the relationship between the digest of the first software and the digest of the second software is provided by a statement certified by a trusted software provider, and the verifying step comprises verifying this statement.
12. The method of any one of claims 1 to 4, wherein the first and second data structures comprise a first key and a second key, both provided for a common purpose.
13. The method of claim 12 when dependent on claim 1, wherein the common purpose is use as a proof key of the trusted device.
14. A computer platform, comprising a tamper-resistant trusted device adapted to measure and to attest data structures on the computer platform, wherein the trusted device is adapted to determine, when a first data structure on the computer platform is replaced by a second data structure, that the second data structure is as trustworthy as the first data structure,
wherein the trusted device is adapted to measure the state of the computer platform from measured values that include a measured value relating to the first data structure or the second data structure,
wherein the trusted device comprises one or more platform configuration registers, a measured value being placed in a said platform configuration register by concatenating the current platform configuration register value with the measured data, hashing the result, and replacing the current platform configuration register value with the hash result, and wherein the trusted device is adapted to determine when a first platform state is equivalent to a second platform state, the first platform state being represented by a platform configuration register value determined by measured values that include a measured value relating to the first data structure, and the second platform state being represented by a platform configuration register value determined by measured values that include a measured value relating to the second data structure.
15. The computer platform of claim 14, wherein the trusted device is adapted to provide evidence of the platform state.
16. The computer platform of any one of claims 14 to 15, wherein the trusted device is adapted to seal data to a value derived from a measured platform state, such that the data can be accessed only when the current value of the platform state corresponds to the measured value.
17. The computer platform of any one of claims 14 to 15, wherein the first data structure comprises first software and the second data structure comprises second software, and wherein the first software and the second software are both provided for a common functional purpose and are functionally consistent.
18. The computer platform of claim 17, wherein the trusted device determines functional consistency and trustworthiness on the basis of a statement certified by a trusted software provider, by verifying that statement.
19. A method of providing an integrity measurement on a computing platform comprising a tamper-resistant trusted device, comprising:
measuring at least a portion of a data structure or of a data structure pair; and
recording the measurement in the trusted device,
wherein said data structure comprises an identification of a data structure type and evidence that two or more instances of that data structure type are indistinguishable in trustworthiness,
wherein said data structure pair comprises a pair of said data structures, one data structure of the pair further comprising one or more digests of instances of the data structure type, or data derived from such digests, and the other data structure of the pair not comprising a digest of an instance of the data structure type, or data derived from such a digest, each data structure of the pair having the same identification of data structure type and the same evidence that two or more instances of that data structure type are indistinguishable in trustworthiness,
wherein the trusted device comprises one or more platform configuration registers, a measured value being placed in a said platform configuration register by concatenating the current platform configuration register value with the measured data, hashing the result, and replacing the current platform configuration register value with the hash result, and wherein the trusted device is adapted to confirm that one sequence of platform configuration register values and another sequence of platform configuration register values are trust-equivalent.
20. The method of claim 19, wherein said evidence in said data structure comprises a certification from a trusted provider of upgrades or replacements.
21. The method of claim 19 or claim 20, wherein said evidence in said data structure comprises a statement identifier forming part of a linked list of statements relating to the identified data structure type.
22. The method of claim 19 or claim 20, wherein said at least a portion of the data structure that is measured further comprises one or more digests of instances of the data structure type, or data derived from the digests.
23. The method of claim 19 or claim 20, wherein said at least a portion of the data structure that is measured does not comprise a digest of an instance of the data structure type, or data derived from a digest.
24. The method of claim 19 or claim 20, wherein the data structure type is functionally equivalent software.
25. The method of claim 19 or claim 20, wherein the data structure type is a key.
26. The method of claim 19 or claim 20, wherein said data structure forms part of a linked list of data structures, and wherein the measuring step comprises measuring at least a portion of the data structures that are the first and the last data structures of the linked list.
27. The method of claim 26, further comprising providing a portion of the linked list of data structures, and showing that this partial linked list and the full linked list of data structures are trust-equivalent.
28. The method of claim 19 or claim 20, further comprising: separately recording whether the following verification succeeded, namely that the data structure is valid evidence that two or more instances of the data structure type are indistinguishable in trustworthiness.
CN200680009269.XA 2005-03-22 2006-03-22 Methods, devices and data structures for trusted data Expired - Fee Related CN101147154B (en)

Applications Claiming Priority (13)

Application Number Priority Date Filing Date Title
GB0505746.8 2005-03-22
GB0505746A GB2424494A (en) 2005-03-22 2005-03-22 Methods, devices and data structures for trusted data
GB0510558.0 2005-05-25
GB0510558A GB0510558D0 (en) 2005-05-25 2005-05-25 Methods, devices and data structures for trusted data
GB0512370.8 2005-06-17
GB0512370A GB0512370D0 (en) 2005-06-17 2005-06-17 Methods, devices and data structures for trusted data
GB0516534.5 2005-08-12
GB0516534A GB0516534D0 (en) 2005-08-12 2005-08-12 Methods, devices and data structures for trusted data
GB0521836.7 2005-10-27
GB0521836A GB0521836D0 (en) 2005-10-27 2005-10-27 Methods, devices and data structures for trusted data
GB0522598.2 2005-11-07
GB0522598A GB0522598D0 (en) 2005-11-07 2005-11-07 Methods, devices and data structures for trusted data
PCT/GB2006/050063 WO2006100522A1 (en) 2005-03-22 2006-03-22 Methods, devices and data structures for trusted data

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN 200910137034 Division CN101551841B (en) 2005-03-22 2006-03-22 Methods, devices and data structures for trusted data

Publications (2)

Publication Number Publication Date
CN101147154A CN101147154A (en) 2008-03-19
CN101147154B true CN101147154B (en) 2010-12-22

Family

ID=34531579

Family Applications (2)

Application Number Title Priority Date Filing Date
CN200680009269.XA Expired - Fee Related CN101147154B (en) 2005-03-22 2006-03-22 Methods, devices and data structures for trusted data
CN 200910137034 Expired - Fee Related CN101551841B (en) 2005-03-22 2006-03-22 Methods, devices and data structures for trusted data

Also Published As

Publication number Publication date
GB2424494A (en) 2006-09-27
CN101551841B (en) 2012-10-03
CN101147154A (en) 2008-03-19
CN101551841A (en) 2009-10-07
GB0505746D0 (en) 2005-04-27

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20101222