Title of invention: Trusted computing
Abstract: A trusted computing device (TCD) includes an isolated environment, host interface, secure interface, and program instructions. The environment includes an isolated environment processor (IEP), memory (secure and non-secure partition), and an auxiliary processor (AP). Memory and AP are connected for data communication with the IEP, and communicate with a host only through the IEP. The host interface and each secure interface are connected for data communication with the IEP. The instructions provision TCD for cryptographic operations via a secure interface; present a first file system partition comprising a write file and a read file with file creation/deletion privileges allocated only to the IEP at the host interface via the IEP; present a non-secured file system partition with access to the non-secure partition via the host interface via the IEP; receive, via the write file, requests to perform trusted computing; perform requested computing using the IEP, secure memory, and AP; and write results to the read file.
Publication No.: US9569638(B2)  Publication date: 2017.02.14
Application No.: US201414587551  Filing date: 2014.12.31
Applicant: GOOGLE INC.  Inventors: Zatko Peiter Charles; Rizzo Dominic
Classification: G06F21/71; G06F21/35; G06F21/79; G06F21/62; G06F21/74  Main classification: G06F21/71
Agency: Johnson, Marcou & Isaacs, LLC  Agent: Johnson, Marcou & Isaacs, LLC
Independent claim: 1. A trusted computing device, comprising: an isolated environment comprising: an isolated environment processor; memory comprising a secure partition and a non-secure partition, the memory connected for data communication with the isolated environment processor; and an auxiliary processor connected for data communication with the isolated environment processor and the memory, wherein the memory and the auxiliary processor communicate with a host only through the isolated environment processor; a host interface connected for data communication with the isolated environment processor; at least one secure interface, separate from the host interface and connected for data communication with the isolated environment processor; and a computer program product comprising a non-transitory computer-readable media having computer-executable program instructions embodied thereon that, when executed by the trusted computing device, cause the trusted computing device to: provision the trusted computing device for cryptographic operations via the at least one secure interface; present a first file system partition at the host interface via the isolated environment processor, the first file system partition comprising a host write file and a host read file, wherein file creation and file deletion privileges are allocated only to the isolated environment processor; present a non-secured second file system partition with access to the memory non-secure partition via the host interface via the isolated environment processor; receive, via the host write file, requests to perform trusted computing in the isolated environment, the trusted computing comprising one or more of: random number generation, append-only logging, monotonic counting, streaming encryption and decryption, bulk encryption and decryption, and isolated storage; perform the requested trusted computing using at least one of the isolated environment processor, the memory secure partition and the auxiliary processor; and write the trusted computing results to the host read-only file.
Address: Mountain View CA US