Title Methods and arrangements to launch trusted, coexisting environments
Abstract Methods and arrangements to launch trusted, distinct, co-existing environments are disclosed. Embodiments may launch trusted, distinct, co-existing environments in pre-OS space with high assurance. A hardware-enforced isolation scheme may isolate the partitions to protect the storage and execution of code and data. In many embodiments, the system launches a partition manager that establishes embedded and main partitions. Embedded partitions may be invisible to the main OS and may host critical operations. A main partition may host a general-purpose OS and user applications, and may manage the resources that are not assigned to the embedded partitions. Trustworthiness of an embedded partition's launch is established by comparing integrity metrics of the runtime environment against the integrity measurements of a known-good runtime environment for that partition, e.g., by sealing a cryptographic key to those integrity metrics in a trusted platform module, so the key is released only when the measured environment matches. Other embodiments are described and claimed.
Publication number US9235707(B2) Publication date 2016.01.12
Application number US201313963803 Filing date 2013.08.09
Applicant Intel Corporation Inventors Zimmer Vincent J; Cool Lyle
Classification G06F21/57; G06F9/50; G06F21/53 Main classification G06F21/57
Agency Schubert Law Group PLLC Agent Schubert Law Group PLLC
Independent claim 1. A system to launch trusted, co-existing environments, the system comprising: resources to support partitions for at least a first embedded environment and a second embedded environment, the resources comprising data storage with a first protected area and a second protected area; a trusted platform module (TPM) comprising hardware, the TPM comprising a first register, the TPM to unseal a first key in response to extension of a measurement of integrity metrics of a first embedded environment into the first register and to unseal a second key in response to extension of a measurement of integrity metrics of a second embedded environment into the first register; and a partition manager to request extension of the measurement of integrity metrics of the first embedded environment into the first register, to decrypt data in the first protected area with the first key, to request extension of the measurement of integrity metrics of the second embedded environment into the first register, and to decrypt data in the second protected area with the second key, wherein the partition manager comprises logic to define an order of operations to launch the embedded environments, wherein the order of operations comprises extension of measurement of integrity metrics of each of the embedded environments sequentially.
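The abstract and claim 1 together describe a concrete mechanism: both embedded environments are measured into the same TPM register in a fixed order, and each environment's key is sealed to the register value expected at the point of its own extension. Because PCR extension is a hash chain, the second environment's key is implicitly bound to the first environment's integrity as well. The following Python simulation is an added example written for this page; it is not code from the patent or from Intel. It stands in a toy `SimulatedTPM` class, an HMAC-based keystream cipher, constructed image bytes and protected-area contents for the hardware TPM and the real storage, and the names `provision`, `launch` and `run_scenarios` are assumptions of this example, not terms from the claim.

```python
import hashlib
import hmac
import os

PCR_INIT = bytes(32)  # a SHA-256 PCR reads all zeros after platform reset
TAG_LEN = 32


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA-256(PCR_old || measurement).
    Order matters: extending A then B differs from B then A."""
    return hashlib.sha256(pcr + measurement).digest()


def measure(image: bytes) -> bytes:
    """Integrity metric of an embedded environment image (here, its digest)."""
    return hashlib.sha256(image).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy HMAC-based keystream cipher used for both key wrapping and the
    protected areas so the example needs only the standard library.
    Stand-in only; a real design uses AES-GCM or the TPM's own sealing."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


class SimulatedTPM:
    """Stand-in for the TPM: one PCR plus seal/unseal bound to its value.
    The storage root secret never leaves the object, as in hardware."""

    def __init__(self, srk=None):
        self._srk = srk or os.urandom(32)
        self.pcr = PCR_INIT

    def reset(self):
        self.pcr = PCR_INIT

    def extend(self, measurement: bytes) -> bytes:
        self.pcr = pcr_extend(self.pcr, measurement)
        return self.pcr

    def _wrap_key(self, pcr_value: bytes) -> bytes:
        return hmac.new(self._srk, b"seal|" + pcr_value, hashlib.sha256).digest()

    def seal(self, secret: bytes, pcr_value: bytes) -> bytes:
        """Seal `secret` so it is released only when the PCR equals `pcr_value`."""
        k = self._wrap_key(pcr_value)
        ct = xor_stream(k, secret)
        return ct + hmac.new(k, ct, hashlib.sha256).digest()

    def unseal(self, blob: bytes) -> bytes:
        """Unseal against the *current* PCR. A different PCR gives a different
        wrap key, the tag check fails, and nothing is released."""
        ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        k = self._wrap_key(self.pcr)
        if not hmac.compare_digest(tag, hmac.new(k, ct, hashlib.sha256).digest()):
            raise PermissionError("PCR policy not satisfied")
        return xor_stream(k, ct)


def provision(tpm, images, keys):
    """Provisioning: replay the launch order offline and seal each environment's
    key to the PCR value expected after *its* extension, which already includes
    every earlier environment's measurement."""
    pcr, blobs = PCR_INIT, []
    for image, key in zip(images, keys):
        pcr = pcr_extend(pcr, measure(image))
        blobs.append(tpm.seal(key, pcr))
    return blobs


def launch(tpm, images, blobs, protected_areas):
    """Partition-manager order of operations from claim 1: for each embedded
    environment in sequence, extend its measurement into the register, unseal
    its key, decrypt its protected area. Returns plaintext or None per env."""
    tpm.reset()
    out = []
    for image, blob, area in zip(images, blobs, protected_areas):
        tpm.extend(measure(image))
        try:
            out.append(xor_stream(tpm.unseal(blob), area))
        except PermissionError:
            out.append(None)
    return out


def run_scenarios():
    """Constructed demo: two embedded environments, then tamper with each in turn."""
    tpm = SimulatedTPM(srk=b"constructed-srk-for-demo-only___")  # fixed for reproducibility
    images = [b"embedded-env-1 firmware image", b"embedded-env-2 firmware image"]
    keys = [os.urandom(32), os.urandom(32)]
    secrets = [b"env1 protected area", b"env2 protected area"]
    areas = [xor_stream(k, s) for k, s in zip(keys, secrets)]  # encrypted storage
    blobs = provision(tpm, images, keys)
    return {
        "intact": launch(tpm, images, blobs, areas),
        "env1_tampered": launch(tpm, [images[0] + b"X", images[1]], blobs, areas),
        "env2_tampered": launch(tpm, [images[0], images[1] + b"X"], blobs, areas),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

The three scenarios show the consequence of sequential extension into one register: with intact images both areas decrypt; tampering with the second environment denies only its own key; tampering with the first environment denies both keys, because the second environment's expected PCR value was computed on top of the first environment's measurement. A real platform would additionally want the partition manager itself measured (for example by boot firmware) before it runs this sequence, since the claim trusts it to request the extensions in the right order.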
Address Santa Clara CA US