Title of invention
Trusted computing
Abstract
A trusted computing device (TCD) includes an isolated environment, host interface, secure interface, and program instructions. The environment includes an isolated environment processor (IEP), memory (secure and non-secure partition), and an auxiliary processor (AP). Memory and AP are connected for data communication with the IEP, and communicate with a host only through the IEP. The host interface and each secure interface are connected for data communication with the IEP. The instructions provision the TCD for cryptographic operations via a secure interface; present a first file system partition comprising a write file and a read file, with file creation/deletion privileges allocated only to the IEP, at the host interface via the IEP; present a non-secured file system partition with access to the non-secure partition via the host interface via the IEP; receive, via the write file, requests to perform trusted computing; perform the requested computing using the IEP, secure memory, and AP; and write the results to the read file.
Publication number
US9569638(B2)
Publication date
2017.02.14
Application number
US201414587551
Filing date
2014.12.31
Applicant
GOOGLE INC.
Inventors
Zatko Peiter Charles;Rizzo Dominic
Classification (IPC)
G06F21/71;G06F21/35;G06F21/79;G06F21/62;G06F21/74
Main classification
G06F21/71
Agency
Johnson, Marcou & Isaacs, LLC
Agent
Johnson, Marcou & Isaacs, LLC
Independent claim
1. A trusted computing device, comprising:
an isolated environment comprising:
an isolated environment processor;
memory comprising a secure partition and a non-secure partition, the memory connected for data communication with the isolated environment processor; and
an auxiliary processor connected for data communication with the isolated environment processor and the memory,
wherein the memory and the auxiliary processor communicate with a host only through the isolated environment processor;
a host interface connected for data communication with the isolated environment processor;
at least one secure interface, separate from the host interface and connected for data communication with the isolated environment processor; and
a computer program product comprising a non-transitory computer-readable media having computer-executable program instructions embodied thereon that, when executed by the trusted computing device, cause the trusted computing device to:
provision the trusted computing device for cryptographic operations via the at least one secure interface;
present a first file system partition at the host interface via the isolated environment processor, the first file system partition comprising a host write file and a host read file, wherein file creation and file deletion privileges are allocated only to the isolated environment processor;
present a non-secured second file system partition with access to the memory non-secure partition via the host interface via the isolated environment processor;
receive, via the host write file, requests to perform trusted computing in the isolated environment, the trusted computing comprising one or more of: random number generation, append-only logging, monotonic counting, streaming encryption and decryption, bulk encryption and decryption, and isolated storage;
perform the requested trusted computing using at least one of the isolated environment processor, the memory secure partition and the auxiliary processor; and
write the trusted computing results to the host read-only file.
Address
Mountain View CA US