US2023342459A1PendingUtilityA1
Platform security mechanism
Est. expiryJun 22, 2041(~14.9 yrs left)· nominal 20-yr term from priority
G06F 21/556G06F 21/554G06F 21/572G06F 21/606G06F 21/575G06F 21/445G06F 2221/2129
69
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
An apparatus comprising a computer platform, including a central processing unit (CPU) comprising a first security engine to perform security operations at the CPU and a chipset comprising a second security engine to perform security operations at the chipset, wherein the first security engine and the second security engine establish a secure channel session between the CPU and the chipset to secure data transmitted between the CPU and the chipset.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . An apparatus comprising:
a computer platform including a first integrated circuit (IC) comprising:
an interface;
a first set of hardware devices, coupled via the interface, having a plurality of firmware versions associated with the first IC; and
a security engine, coupled via the interface, to perform firmware verification to prevent a secure session channel from being established with a second IC via a hardware device having an incompatible firmware version.
2 . The apparatus of claim 1 , wherein the security engine programs the interface with a secure session key.
3 . The apparatus of claim 2 , wherein the first set of hardware devices communicate with a second set of hardware devices at the second IC once the interface has been programmed with the secure session key.
4 . The apparatus of claim 1 , wherein one or more of the first set of hardware devices include firmware comprising image content and an image version progression associated with a pairing between the first IC and the second IC.
5 . The apparatus of claim 4 , wherein the image content comprises a first manifest field including an identifier of a first generation, a second manifest field including an identifier of an associated second IC generation and a third manifest field including a first security version number (SVN) value.
6 . The apparatus of claim 5 , wherein the security engine enforces generation and SVN matching during establishment of a secure channel with the second IC to confirm that a second security engine within the second IC has a generation and SVN matching the security engine upon a determination that the security engine firmware has been loaded prior to establishing the secure session channel.
7 . The apparatus of claim 6 , wherein the security engine enforces the generation and SVN matching during the firmware verification to confirm that a security engine image has a generation and SVN matching the second security engine upon a determination that the security engine firmware has not been loaded prior to establishing the secure session channel.
8 . The apparatus of claim 1 , wherein the first security engine and the second security engine establish an identity key prior to establishing the secure session channel.
9 . The apparatus of claim 8 , wherein the first security engine and the second security engine read the identity key stored from a previous secure channel session.
10 . The apparatus of claim 9 , wherein the identity key is used to generate the session key.
11 . The apparatus of claim 9 , wherein the secure session channel is established using dynamic security parameters including parameters for which there is a functional reason to pair the first IC and the second IC.
12 . The apparatus of claim 11 , wherein the first security engine and the second security engine initiate secure session channel establishment after the dynamic parameters have been synchronized.
13 . A method comprising:
enforcing firmware generation pairing between a first integrated circuit (IC) and a second IC, including:
determining whether firmware has been loaded at the first IC prior to establishing a secure channel with the second IC; and
performing generation matching between the first IC and the second IC during the establishment of the secure channel upon determining that the firmware has been loaded at the first IC.
14 . The method of claim 13 , wherein performing the generation matching comprises matching values within a firmware manifest with one or more values received from the second IC.
15 . The method of claim 14 , wherein the one or more values comprises a security version number (SVN).
16 . The method of claim 13 , further comprising performing the generation matching during firmware verification upon determining that the firmware has not been loaded at the first IC.
17 . At least one computer readable medium having instructions stored thereon, which when executed by one or more processors, cause the processors to:
enforce firmware generation pairing between a first integrated circuit (IC) and a second IC, including:
determining whether firmware has been loaded at the first IC prior to establishing a secure channel with the second IC; and
performing generation matching between the first IC and the second IC during the establishment of the secure channel upon determining that the firmware has been loaded at the first IC.
18 . The computer readable medium of claim 17 , wherein performing the generation matching comprises matching values within a firmware manifest with one or more values received from the second IC.
19 . The computer readable medium of claim 18 , wherein the one or more values comprises a security version number (SVN).
20 . The computer readable medium of claim 19 , having instructions stored thereon, which when executed by one or more processors, further cause the processors to perform the generation matching during firmware verification upon determining that the firmware has not been loaded at the first IC.Join the waitlist — get patent alerts
Track US2023342459A1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.