IPC분류정보
국가/구분 |
United States(US) Patent
등록
|
국제특허분류(IPC7판) |
|
출원번호 |
US-0668585
(2000-09-22)
|
발명자
/ 주소 |
- Ellison, Carl M.
- Golliver, Roger A.
- Herbert, Howard C.
- Lin, Derrick C.
- McKeen, Francis X.
- Neiger, Gilbert
- Reneris, Ken
- Sutton, James A.
- Thakkar, Shreekant S.
- Mittal, Milland
|
출원인 / 주소 |
|
인용정보 |
피인용 횟수 :
15 인용 특허 :
172 |
초록
▼
A processor executive (PE) handles an operating system executive (OSE) in a secure environment. The secure environment has a platform key (PK) and is associated with an isolated memory area in the platform. The OSE manages a subset of an operating system (OS) running on the platform. The platform ha
A processor executive (PE) handles an operating system executive (OSE) in a secure environment. The secure environment has a platform key (PK) and is associated with an isolated memory area in the platform. The OSE manages a subset of an operating system (OS) running on the platform. The platform has a processor operating in one of a normal execution mode and an isolated execution mode. The isolated memory area is accessible to the processor in the isolated execution mode. A PE supplement supplements the PE with a PE manifest representing the PE and a PE identifier to identify the PE. A PE handler handles the PE using the PK and the PE supplement.
대표청구항
▼
1. A method comprising:in a platform with a processor and a memory, configuring the processor to run in an isolated execution mode within a ring 0 operating mode, wherein the processor also supports one or more higher ring operating modes, as well as a non-isolated execution mode within at least the
1. A method comprising:in a platform with a processor and a memory, configuring the processor to run in an isolated execution mode within a ring 0 operating mode, wherein the processor also supports one or more higher ring operating modes, as well as a non-isolated execution mode within at least the ring 0 operating mode; configuring the platform to establish an isolated memory area in the memory and a non-isolated memory area in the memory, wherein the platform does not allow access to the isolated memory area if the processor is not in the isolated execution mode; executing a processor executive on the processor, with the processor running in the isolated execution mode; loading an operating system (OS) executive into the isolated memory area, the OS executive to manage at least a subset of an OS to run on the platform; verifying the OS executive, using the processor executive; and after verifying the OS executive, launching the OS executive, the launching of the OS executive performed by the processor executive. 2. The method of claim 1, wherein the operation of verifying the OS executive comprises:verifying the OS executive during a process of booting the platform. 3. The method of claim 2, further comprising:logging a processor executive identifier during the process of booting the platform; and logging an OS executive identifier during the process of booting the platform. 4. The method of claim 1, further comprising:loading the processor executive into the isolated memory area; and verifying the processor executive, based at least in part on a processor executive manifest. 5. The method of claim 1, wherein the operation of launching the OS executive comprises:launching the OS executive to run in the isolated execution mode. 6. The method of claim 1, further comprising:switching from the isolated execution mode to the non-isolated execution mode; loading an OS kernel into non-isolated memory; and executing the OS kernel in the non-isolated mode of the processor. 7. The method of claim 1, wherein:the platform comprises a platform key (PK); and verification of the OS executive is based at least in part on the PK. 8. The method of claim 7, wherein the PK comprises a symmetric encryption/decryption key that is substantially uniquely assigned to the platform.9. The method of claim 7, further comprising:generating a processor executive key (PEK), based at least in part on a processor executive identifier and the PK. 10. The method of claim 9, further comprising:generating a binding key (BK), based at least in part on the PEK. 11. The method of claim 10, further comprising:generating an OS executive key (OSEK), based at least in part on an OS executive identifier and the BK. 12. The method of claim 1, wherein the OS executive manages at least the subset of the OS by performing operations comprising:loading a module into the isolated memory area; managing paging in the isolated memory area; and interfacing with an OS kernel. 13. The method of claim 1, wherein the OS executive performs operations comprising:loading a module into the isolated memory area, the module selected from a group consisting of an application module, an applet module, and a support module. 14. The method of claim 13, wherein the OS executive performs further operations comprising:generating an applet key associated with the applet module. 15. The method of claim 14, wherein the OS executive generates the applet key based at least in part on an OS executive key and an applet identifier identifying the applet module.16. The method of claim 1, further comprising:executing an isolated create instruction during a process of booting the platform, wherein execution of the isolated create instruction launches an atomic sequence of operations, the atomic sequence being non-interruptible, the atomic sequence of operations comprising: reading a thread count register in a chipset to determine if the processor is the first processor in the isolated execution mode; configuring the processor in the isolated execution mode; loading a processor executive handler into the isolated memory area, verifying the loaded processor executive handler; and transferring control to the loaded processor executive handler. 17. The method of claim 16, wherein the chipset includes at least one hub selected from a group consisting of a memory controller hub (MCH) and an input/output controller hub (ICH).18. An apparatus comprising:a machine accessible medium; and instructions encoded in the machine accessible medium, wherein the instructions, when executed in a platform featuring a processor and a memory, cause the platform to perform operations comprising: configuring the processor to run in an isolated execution mode within a ring 0 operating mode, wherein the processor also supports one or more higher ring operating modes, as well as a non-isolated execution mode within at least the ring 0 operating mode; establishing an isolated memory area in the memory and a non-isolated memory area in the memory, wherein the platform does not allow access to the isolated memory area if the processor is not in the isolated execution mode; executing a processor executive on the processor, with the processor running in the isolated execution mode; loading an operating system (OS) executive into the isolated memory area, the OS executive to manage at least a subset of an OS to run on the platform; verifying the OS executive, using the processor executive; and after verifying the OS executive, launching the OS executive, the launching of the OS executive performed by the processor executive. 19. The apparatus of claim 18, wherein the operation of verifying the OS executive comprises:verifying the OS executive during a process of booting the platform. 20. The apparatus of claim 19, wherein the instructions cause the platform to perform further operations comprising:logging a processor executive identifier during the process of booting the platform; and logging an OS executive identifier during the process of booting the platform. 21. The apparatus of claim 18, wherein the instructions cause the platform to perform further operations comprising:loading the processor executive into the isolated memory area; and verifying the processor executive, based at least in part on a processor executive manifest. 22. The apparatus of claim 18, wherein the operation of launching the OS executive comprises:launching the OS executive to run in the isolated execution mode. 23. The apparatus of claim 18, wherein the instructions cause the platform to perform further operations comprising:switching the processor from the isolated execution mode to the non-isolated execution mode; loading an OS kernel into non-isolated memory; and executing the OS kernel in the non-isolated mode of the processor. 24. The apparatus of claim 18, wherein:the platform comprises a platform key (PK); and the platform verifies the OS executive, based at least in part on the PK. 25. The apparatus of claim 24, wherein the instructions cause the platform to perform further operations comprising:generating a processor executive key (PEK), based at least in part on a processor executive identifier and the PK. 26. The apparatus of claim 25, wherein the instructions cause the platform to perform further operations comprising:generating a binding key (BK), based at least in part on the PEK; and generating an OS executive key (OSEK), based at least in part on an OS executive identifier and the BK. 27. The apparatus of claim 18, wherein:the instructions comprise the OS executive; and the OS executive manages at least the subset of the OS by performing operations comprising: loading a module into the isolated memory area; managing paging in the isolated memory area; and interfacing with an OS kernel. 28. The apparatus of claim 18, wherein:the instructions comprise the OS executive; and the OS executive loads a module into the isolated memory area, the module selected from a group consisting of an application module, an applet module, and a support module. 29. The apparatus of claim 28, wherein the OS executive generates an applet key associated with the applet module, the applet key based at least in part on an OS executive key and an applet identifier identifying the applet module.30. The apparatus of claim 18, wherein the instructions cause the platform to perform further operations comprising:executing an isolated create instruction during a process of booting the platform, wherein execution of the isolated create instruction launches an atomic sequence of operations, the atomic sequence being non-interruptible, the atomic sequence of operations comprising: reading a thread count register in a chipset to determine if the processor is the first processor in the isolated execution mode; configuring the processor in the isolated execution mode; loading a processor executive handler into the isolated memory area; verifying the loaded processor executive handler; and transferring control to the loaded processor executive handler. 31. A system comprising:a platform featuring memory and a processor, wherein the processor is capable of running in an isolated execution mode within a ring 0 operating mode, wherein the processor supports one or more higher ring operating modes, and wherein the processor supports a non-isolated execution mode within at least the ring 0 operating mode; multiple machine accessible media in the platform, the multiple machine accessible media comprising at least non-volatile memory and storage within the processor; and instructions encoded in at least one of the machine accessible media, wherein the instructions, when executed in the platform, cause the platform to perform operations comprising: configuring the processor to run in the isolated execution mode; establishing an isolated memory area in the memory and a non-isolated memory area in the memory, wherein the platform does not allow access to the isolated memory area if the processor is not in the isolated execution mode; executing a processor executive on the processor, with the processor running in the isolated execution mode; loading an operating system (OS) executive into the isolated memory area, the OS executive to manage at least a subset of an OS to run on the platform; verifying the OS executive, using the processor executive; and after verifying the OS executive, launching the OS executive, the launching of the OS executive performed by the processor executive. 32. The system of claim 31, wherein the operation of verifying the OS executive comprises:verifying the OS executive during a process of booting the platform. 33. The system of claim 32, wherein the instructions cause the platform to perform further operations comprising:logging a processor executive identifier during the process of booting the platform; and logging an OS executive identifier during the process of booting the platform. 34. The system of claim 31, wherein the instructions cause the platform to perform further operations comprising:loading the processor executive into the isolated memory area; and verifying the processor executive, based at least in part on a processor executive manifest. 35. The system of claim 31, wherein the operation of launching the OS executive comprises:launching the OS executive to run in the isolated execution mode. 36. The system of claim 31, wherein the instructions cause the platform to perform further operations comprising:switching the processor from the isolated execution mode to the non-isolated execution mode; loading an OS kernel into non-isolated memory; and executing the OS kernel in the non-isolated mode of the processor. 37. The system of claim 31, wherein:the system further comprises a platform key (PK); and the platform verifies the OS executive, based at least in part on the PK. 38. The system of claim 31, wherein he platform further comprises:a chipset communicatively coupled to the processor; an input/output controller hub in the chipset; and a platform key (PK) stored in the input/output controller hub; and wherein the platform verifies the OS executive, based at least in part on the PK. 39. The system of claim 38, wherein the instructions cause the platform to perform further operations comprising:generating a processor executive key (PEK), based at least in part on a processor executive identifier and the PK. 40. The system of claim 39, wherein the instructions cause the platform to perform further operations comprising:generating a binding key (BK), based at least in part on the PEK; and generating an OS executive key (OSEK), based at least in part on an OS executive identifier and the BK. 41. The system of claim 31, wherein:the instructions comprise the OS executive; and the OS executive manages at least the subset of the OS by performing operations comprising: loading a module into the isolated memory area; managing paging in the isolated memory area; and interfacing with an OS kernel. 42. The system of claim 31, wherein:the instructions comprise the OS executive; and the OS executive loads a module into the isolated memory area, the module selected from a group consisting of an application module, an applet module, and a support module. 43. The system of claim 42, wherein the OS executive generates an applet key associated with the applet module, the applet key based at least in part on an OS executive key and an applet identifier identifying the applet module.44. The system of claim 31, wherein the instructions cause the platform to perform further operations comprising:executing an isolated create instruction during a process of booting the platform, wherein execution of the isolated create instruction launches an atomic sequence of operations, the atomic sequence being non-interruptible, the atomic sequence of operations comprising: reading a thread count register in a chipset to determine if the processor is the first processor in the isolated execution mode; configuring the processor in the isolated execution mode; loading a processor executive handler into the isolated memory area; verifying the loaded processor executive handler; and transferring control to the loaded processor executive handler.
※ AI-Helper는 부적절한 답변을 할 수 있습니다.