US2011154023A1PendingUtilityA1
Protected device management
Est. expiryDec 21, 2029(~3.4 yrs left)· nominal 20-yr term from priority
H04L 63/18H04L 63/0807G06F 2221/2147G06F 21/85G06F 3/0632H04L 9/321H04L 9/0894G06F 21/74H04L 9/32G06F 21/602G06F 2221/2149H04L 63/08G06F 21/78G06F 3/0623G06F 3/0671G06F 21/305H04L 63/083
56
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
A method, apparatus, system, and computer program product for management of storage devices protected by encryption, user authentication, and password protection and auditing schemes in virtualized and non-virtualized environments.
Claims
exact text as granted — not AI-modified1 . A computer-implemented method comprising:
receiving a request to unlock an encrypted device coupled to a system, wherein the request is received by a secure partition of the system via a secure communication channel established between a trusted remote console and the secure partition, and the secure partition is isolated from a host operating system of the system; and the secure partition unlocking the encrypted device in response to the request without involvement of the host operating system.
2 . The method of claim 1 , further comprising:
receiving a token from the trusted remote console by the secure partition; and using the token to unwrap a key used to encrypt blocks of the encrypted device.
3 . The method of claim 2 , further comprising:
obtaining the key from a secure storage area of the encrypted device, wherein the secure storage area is hidden from the host operating system.
4 . The method of claim 1 , further comprising:
confirming that the request originated with the trusted remote console prior to unlocking the encrypted device.
5 . The method of claim 1 , further comprising:
performing a management operation after the encrypted device is unlocked, wherein the request further specifies the management operation to be performed; and booting the host operating system after the management operation is performed.
6 . The method of claim 1 , wherein
unlocking the encrypted device is performed when the host operating system of the system is malfunctioning.
7 . The method of claim 1 , wherein
unlocking the encrypted device is performed without involvement of a user of the system.
8 . The method of claim 1 , wherein
the request comprises a password for the encrypted device; and unlocking the encrypted device comprises using the password to unlock the encrypted device.
9 . An apparatus comprising:
at least one processor; a secure partition isolated from a host operating system executing on the processor; and a memory comprising instructions for a device manager executing in the secure partition to perform the following:
receiving a request to unlock an encrypted device coupled to the apparatus, wherein the request is received by the secure partition via a secure communication channel established between a trusted remote console and the secure partition, and the secure partition is isolated from the host operating system; and
unlocking the encrypted device in response to the request without involvement of the host operating system.
10 . A computer program product comprising:
a computer-readable storage medium; and instructions in the computer-readable storage medium, wherein the instructions, when executed in a secure partition of a processing system, cause the secure partition to perform operations comprising:
receiving a request to unlock an encrypted device coupled to the processing system, wherein the request is received by the secure partition via a secure communication channel established between a trusted remote console and the secure partition, and the secure partition is isolated from a host operating system of the processing system; and
unlocking the encrypted device in response to the request without involvement of the host operating system.
11 . A computer-implemented method comprising:
establishing a secure communication channel between a trusted remote console and a secure partition of a system, wherein the secure partition is isolated from a host operating system of the system; and sending a request to unlock an encrypted device coupled to the system, wherein the request is sent via the secure communication channel to the secure partition, and wherein the encrypted device is unlocked by the secure partition without involvement of a host operating system of the system.
12 . The method of claim 11 , further comprising:
providing a token from the trusted remote console to the secure partition in the request, wherein the secure partition uses the token to unwrap a key used to decrypt blocks stored on the encrypted device.
13 . The method of claim 11 , further comprising:
providing a password for the encrypted device in the request, wherein the secure partition uses the password to unlock the encrypted device.
14 . The method of claim 11 , further comprising:
specifying in the request a management operation to be performed after the encrypted device is unlocked, wherein the secure partition performs the management operation after the encrypted device is unlocked.
15 . A computer-implemented method comprising:
authenticating first credentials of a user of a system before access is allowed to any device of a plurality of devices attached to the system; intercepting an event indicating attachment of a new device to the system, wherein the intercepting is performed by a secure partition of the system, and the secure partition is isolated from a host operating system of the system; requesting second credentials to access the new device, wherein the second credentials are requested without booting the system; authenticating the second credentials; enabling access to the new device after authenticating the second credentials; and delivering a hot plug event for the new device to the host operating system.
16 . The method of claim 15 , wherein
requesting the second credentials to access the new device comprises using trusted path connections to a display device to display a request for the second credentials and a user input device to receive the second credentials.
17 . The method of claim 15 , wherein
enabling access to the new device comprises using a native command for the device to enable decryption of the new device.
18 . The method of claim 15 , wherein
the second credentials comprise a password for the new device; and enabling access to the new device comprises using the password to unlock the new device.
19 . The method of claim 15 , wherein
the second credentials comprise a user identifier; and enabling access to the new device comprises providing the user identifier to a trusted third party and enabling access to the new device if the trusted third party authenticates the user identifier.
20 . An apparatus comprising:
at least one processor; a secure partition isolated from a host operating system executing on the processor; and a memory comprising instructions for firmware executing in the secure partition to perform the following:
authenticating first credentials of a user of a system before access is allowed to any device of a plurality of devices attached to the system;
intercepting an event indicating attachment of a new device to the system, wherein the intercepting is performed by the secure partition;
requesting second credentials to access the new device, wherein the second credentials are requested without booting the system;
authenticating the second credentials;
enabling access to the new device after authenticating the second credentials; and
delivering a hot plug event for the new device to the host operating system.
21 . A computer program product comprising:
a computer-readable storage medium; and instructions in the computer-readable storage medium, wherein the instructions, when executed in a secure partition of a processing system, cause the secure partition to perform operations comprising:
authenticating first credentials of a user of a system before access is allowed to any device of a plurality of devices attached to the system;
intercepting an event indicating attachment of a new device to the system, wherein the intercepting is performed by the secure partition, and the secure partition is isolated from a host operating system of the system;
requesting second credentials to access the new device, wherein the second credentials are requested without booting the system;
authenticating the second credentials;
enabling access to the new device after authenticating the second credentials; and
delivering a hot plug event for the new device to the host operating system.
22 . A computer-implemented method comprising:
identifying an auditable event being performed in a secure partition of a system, wherein the secure partition is isolated from a host operating system of the system; generating an audit event record for the auditable event; and writing the audit event record to an audit log, wherein the audit log is isolated from the host operating system.
23 . The method of claim 22 wherein
the audit log is a first audit log of a plurality of audit logs,
the plurality of audit logs is accessible only from within the secure partition, and
each audit log of the plurality of audit logs is isolated from the host operating system;
and the method further comprises:
determining whether the first audit log is available;
sending the audit event record to a first audit subsystem associated with the first audit log if the first audit log is available, wherein the first audit subsystem performs writing the audit event record to the first audit log; and
sending the audit event record to a second audit subsystem associated with a second audit log of the plurality of audit logs if the first audit log is not available, wherein the second audit subsystem performs writing the audit event record to the second audit log.
24 . A computer-implemented method comprising:
receiving a request to service an audit log from a secure partition of a requesting system, wherein the secure partition is isolated from a host operating system of the requesting system, the audit log contains an audit event record of an auditable event performed in the secure partition, and the audit log is isolated from the host operating system of the requesting system; establishing a secure communication channel with the secure partition; and servicing the audit log via the secure communication channel.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.