Secure application attestation using dynamic measurement kernels

摘要

Methods and apparatus to provide secure application attestation using dynamic measurement kernels are described. In some embodiments, secure application attestation is provided by using dynamic measurement kernels. In various embodiments, P-MAPS (Processor-Measured Application Protection Service), Secure Enclaves (SE), and/or combinations thereof may be used to provide dynamic measurement kernels to support secure application attestation. Other embodiments are also described.

主权项

1. A method comprising:
receiving an attestation request at an application from a third party; loading an attestation kernel into a storage unit in response to the attestation request, wherein code stored in the storage unit is allowed to access memory outside of the storage unit whereas code stored outside of the storage unit is blocked from accessing any memory location in the storage unit; executing one or more operations at hardware logic, corresponding to the attestation request and in accordance with data stored in the storage unit, to generate a manifest, wherein the hardware logic executes the one or more operations in response to a transmission from a virtual machine manager logic, wherein the transmission is generated by the virtual machine manager logic in response to the attestation request; generating an attestation of data stored in the storage unit; verifying a state of the application based on the generated attestation of the data stored in the storage unit and the manifest; generating a statement of application measurement based on a hash of the manifest; and transmitting the application measurement, the manifest, and the attestation data to both the application and the third party.