Title: Secure vault service for software components within an execution environment
Abstract: Embodiments of apparatuses, articles, methods, and systems for a secure vault service for software components within an execution environment are generally described herein. An embodiment includes the ability for a Virtual Machine Monitor, Operating System Monitor, or other underlying platform capability to restrict memory regions so that they are accessible only by specifically authenticated, authorized and verified software components, even when those components are part of an otherwise compromised operating system environment. The underlying platform locks and unlocks secrets on behalf of the authenticated/authorized/verified software component; the secrets are provided in protected memory regions accessible only to that component. Other embodiments may be described and claimed.
Publication number: US9245141 (B2)    Publication date: 2016.01.26
Application number: US201414557079    Filing date: 2014.12.01
Applicant: Intel Corporation    Inventors: Durham David M.; Khosravi Hormuzd M.; Blumenthal Uri; Long Men
Classification (IPC): H04L9/32; G06F21/00; G06F21/62; G06F12/14; G06F21/53; G06F21/52    Main classification: H04L9/32
Agency: (none listed)    Attorney/Agent: Gagne Christopher K.
Principal claim: 1. A computing platform comprising: at least one processor capable of executing at least one operating system of the computing platform; the computing platform being capable of executing, at least in part, at least one virtual machine monitor (VMM), the computing platform also comprising at least one module; the at least one VMM being capable of providing, at least in part, multiple execution environments of the platform, the at least one VMM also being capable of controlling, at least in part, access by at least one component to at least one other component, the at least one component to be executed in at least one of the multiple execution environments, the at least one other component to be executed in at least one other of the multiple execution environments, the controlling of the access being based at least in part upon policy; the at least one module being implemented, at least in part, by hardware; the at least one module being associated, at least in part, with periodic verification of integrity of at least one kernel component during execution of the at least one kernel component in the platform, the verification being for detecting, at least in part, unauthorized modification of the at least one kernel component, the verification being capable of resulting in a verification result that reflects a degree of integrity verification between pass and fail, a failure of the verification resulting, at least in part, in an alert; and the platform also being capable, at least in part, of encrypting, based at least in part upon at least one encryption key, data stored in the platform and associated with at least one of the multiple execution environments.
Address: Santa Clara CA US
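The following is an added model of the policy described in the abstract and in claim 1; it is illustration written for this record, not Intel's implementation and not code from the patent. A monitor object stands in for the VMM / OS monitor: it measures a component's code image (SHA-256 is an assumption; the patent does not name a hash), compares the measurement against its policy, and only then seals or releases that component's secret in a region whose key is bound to the authorized measurement. A second method models the claimed periodic kernel check that yields a graded result between pass and fail and raises an alert on failure. The 64-byte page size, the all-pages-must-match threshold, the HMAC-SHA256 counter-mode stream cipher (a stand-in for a real block cipher, since the standard library has no AES) and every component image are assumptions or constructed sample data.

```python
"""Model of a VMM-style secure vault: measurement-gated lock/unlock of secrets
plus a graded, periodic kernel integrity check. Added illustration, not Intel's code."""
import hashlib
import hmac
import os
from dataclasses import dataclass

PAGE = 64             # toy page size for the per-page kernel check (assumption)
FAIL_THRESHOLD = 1.0  # any mismatched page counts as failure here (assumption)


def measure(image: bytes) -> bytes:
    """Measurement of a component's code image (SHA-256 chosen here; assumption)."""
    return hashlib.sha256(image).digest()


@dataclass(frozen=True)
class Component:
    name: str
    image: bytes  # code bytes currently present in memory


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; stand-in for a block cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class VaultMonitor:
    """Plays the VMM / OS-monitor role: owns the policy and the protected regions."""

    def __init__(self, policy: dict, master_key: bytes):
        self.policy = policy          # component name -> authorized measurement
        self.master_key = master_key  # platform secret the guest OS never sees
        self.regions = {}             # name -> sealed secret (nonce || ct || tag)
        self.alerts = []

    def authorized(self, comp: Component) -> bool:
        expected = self.policy.get(comp.name)
        return expected is not None and hmac.compare_digest(expected, measure(comp.image))

    def _region_key(self, name: str) -> bytes:
        # Bound to the *authorized* measurement: a modified component cannot derive it.
        return hmac.new(self.master_key, b"region|" + name.encode() + self.policy[name],
                        hashlib.sha256).digest()

    def lock(self, comp: Component, secret: bytes) -> None:
        """Seal a secret on behalf of a component that currently matches policy."""
        if not self.authorized(comp):
            self.alerts.append(f"lock denied: {comp.name} failed measurement")
            raise PermissionError(comp.name)
        key, nonce = self._region_key(comp.name), os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, nonce, len(secret))))
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        self.regions[comp.name] = nonce + ct + tag

    def unlock(self, comp: Component) -> bytes:
        """Release the secret only to a component that still matches policy."""
        if not self.authorized(comp):
            self.alerts.append(f"unlock denied: {comp.name} failed measurement")
            raise PermissionError(comp.name)
        blob = self.regions[comp.name]
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        key = self._region_key(comp.name)
        if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
            self.alerts.append(f"region for {comp.name} tampered")
            raise ValueError("sealed region integrity failure")
        return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

    def verify_kernel(self, reference: list, image: bytes) -> float:
        """Periodic check: fraction of kernel pages whose hash matches the reference.
        Returns a degree in [0, 1]; a degree below FAIL_THRESHOLD records an alert."""
        pages = [image[i:i + PAGE] for i in range(0, len(image), PAGE)]
        ok = sum(1 for p, ref in zip(pages, reference) if hashlib.sha256(p).digest() == ref)
        degree = ok / len(reference)
        if degree < FAIL_THRESHOLD:
            self.alerts.append(f"kernel integrity {degree:.2f}: unauthorized modification")
        return degree


def demo():
    """Constructed scenario: honest agent, tampered agent, intact and patched kernel."""
    agent_img = b"agent v1: " + bytes(range(100))          # constructed sample image
    kernel_img = bytes(i % 251 for i in range(256))         # constructed 4-page kernel
    mon = VaultMonitor({"agent": measure(agent_img)}, master_key=os.urandom(32))
    agent = Component("agent", agent_img)
    mon.lock(agent, b"api-token-0123")
    released = mon.unlock(agent)                            # measurement matches
    tampered = Component("agent", agent_img[:-1] + b"\x00")  # one byte changed
    try:
        mon.unlock(tampered)
        denied = False
    except PermissionError:
        denied = True
    reference = [hashlib.sha256(kernel_img[i:i + PAGE]).digest()
                 for i in range(0, len(kernel_img), PAGE)]
    full = mon.verify_kernel(reference, kernel_img)           # 1.0, no alert
    patched = kernel_img[:70] + b"\xff" + kernel_img[71:]     # hits page 1 of 4
    partial = mon.verify_kernel(reference, patched)           # 0.75, alert
    return released, denied, full, partial, list(mon.alerts)


if __name__ == "__main__":
    print(demo())
```

The point of binding the region key to the authorized measurement rather than to the component name is the property the abstract stresses: even if the surrounding OS is compromised and a modified copy of the component asks for the secret, the monitor's measurement no longer matches policy, the request is denied and an alert is logged, without the key ever being exposed to the guest. The graded result from `verify_kernel` is what claim 1 calls "a degree of integrity verification between pass and fail"; a real implementation would choose its own page granularity and failure threshold.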