US10620936B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10620936-B2 |
| Application number | US-201815967940-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 1, 2018 |
| Priority date | Jan 19, 2011 |
| Publication date | Apr 14, 2020 |
| Grant date | Apr 14, 2020 |
Official abstract text for this publication.
Updating boot components in compliance with a chain of trust by loading a boot component update forming part of the chain of trust during a boot process in an execution environment. Boot component measurements are detected and stored as a revised set of attestation values for retrieval by an attestation system. Performing the boot component update upon determining a pass indication for the chain of trust including the boot component update.
Opening claim text (preview).
What is claimed is:

1. A method comprising: loading, using a boot process, a first set of boot components in a chain of trust; establishing, using a hypervisor, the chain of trust for the set of boot components, wherein the hypervisor represents a trust anchor for the chain of trust; storing, in a platform configuration register, a first set of boot component measurements for the first set of boot components, the first set of boot component measurement representing a first set of attestation values for use in verifying the chain of trust; loading, with respect to the first set of boot components, an update forming part of the chain of trust during a boot process in an execution environment, the update creating a second set of boot components; detecting, for the second set of boot components, a second set of boot component measurements; storing, in the platform configuration register, the second set of boot component measurements as a second set of attestation values; notifying an attestation system that the second set of attestation values correspond to the chain of trust including the update; retrieving, by an attestation process performed by the attestation system, based on the notice, the second set of attestation values for attestation of the chain of trust; comparing, by the attestation process, the second set of boot component measurements with the second set of attestation values; determining, by the attestation process and based on comparing the second set of boot component measurements with the second set of attestation values, a pass indication for the chain of trust including the update; and performing, in response to determining the pass indication for the chain of trust, the update for the second set of boot components.

2. The method of claim 1, wherein storing, in the platform configuration register, the second set of boot component measurements as a second set of attestation values includes: modifying the first set of boot component measurements in the platform configuration register.

3. A computer program product comprising a non-transitory computer-readable storage medium having a set of instructions stored therein which, when executed by a processor, causes the processor to update a set of boot components by: loading, using a boot process, a first set of boot components in a chain of trust; establishing, using a hypervisor, the chain of trust for the set of boot components, wherein the hypervisor represents a trust anchor for the chain of trust; storing, in a platform configuration register, a first set of boot component measurements for the first set of boot components, the first set of boot component measurement representing a first set of attestation values for use in verifying the chain of trust; loading, with respect to the first set of boot components, an update forming part of the chain of trust during a boot process in an execution environment, the update creating a second set of boot components; detecting, for the second set of boot components, a second set of boot component measurements; storing, in the platform configuration register, the second set of boot component measurements as a second set of attestation values; notifying an attestation system that the second set of attestation values correspond to the chain of trust including the update; retrieving, by an attestation process performed by the attestation system, based on the notice, the second set of attestation values for attestation of the chain of trust; comparing, by the attestation process, the second set of boot component measurements with the second set of attestation values; determining, by the attestation process and based on comparing the second set of boot component measurements with the second set of attestation values, a pass indication for the chain of trust including the update; and performing, in response to determining the pass indication for the chain of trust, the update for the second set of boot components.

4. The computer program product of claim 3, wherein storing, in the platform configuration register, the second set of boot component measurements as a second set of attestation values includes: modifying the first set of boot component measurements in the platform configuration register.

5. A computer system comprising: a processor set; and a computer readable storage medium; wherein: the processor set is structured, located, connected, and/or programmed to run program instructions stored on the computer readable storage medium; and the program instructions which, when executed by the processor set, cause the processor set to update a set of boot components by: loading, using a boot process, a first set of boot components in a chain of trust; establishing, using a hypervisor, the chain of trust for the set of boot components, wherein the hypervisor represents a trust anchor for the chain of trust; storing, in a platform configuration register, a first set of boot component measurements for the first set of boot components, the first set of boot component measurement representing a first set of attestation values for use in verifying the chain of trust; loading, with respect to the first set of boot components, an update forming part of the chain of trust during a boot process in an execution environment, the update creating a second set of boot components; detecting, for the second set of boot components, a second set of boot component measurements; storing, in the platform configuration register, the second set of boot component measurements as a second set of attestation values; notifying an attestation system that the second set of attestation values correspond to the chain of trust including the update; retrieving, by an attestation process performed by the attestation system, based on the notice, the second set of attestation values for attestation of the chain of trust; comparing, by the attestation process, the second set of boot component measurements with the second set of attestation values; determining, by the attestation process and based on comparing the second set of boot component measurements with the second set of attestation values, a pass indication for the chain of trust including the update; and performing, in response to determining the pass indication for the chain of trust, the update for the second set of boot components.

6. The computer system of claim 5, wherein storing, in the platform configuration register, the second set of boot component measurements as a second set of attestation values includes: modifying the first set of boot component measurements in the platform configuration register.
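The claimed sequence (measure the boot components, store the measurements in a platform configuration register, attest, and perform the update only on a pass indication) is modelled below as an added example; it is not code from the patent or its assignee. The SHA-256 TPM-style extend, the single simulated PCR, the reference-measurement list held by the attestation system, and every name and sample value are assumptions.

```python
import hashlib, hmac

def measure(blob: bytes) -> bytes:
    """Measurement of one boot component (SHA-256 is an assumption)."""
    return hashlib.sha256(blob).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || measurement)."""
    return hashlib.sha256(pcr + digest).digest()

def replay(measurements) -> bytes:
    """Recompute the PCR value a list of measurements should produce."""
    pcr = bytes(32)
    for digest in measurements:
        pcr = extend(pcr, digest)
    return pcr

class Platform:  # hypothetical platform: active boot components plus one simulated PCR
    def __init__(self, components: dict):
        self.active, self.staged, self.pcr = dict(components), None, bytes(32)
        for name in sorted(self.active):           # first set of measurements
            self.pcr = extend(self.pcr, measure(self.active[name]))
    def load_update(self, update: dict) -> None:
        """Stage the update and extend the PCR with the second set."""
        self.staged = {**self.active, **update}
        for name in sorted(update):                # modifies the stored first values
            self.pcr = extend(self.pcr, measure(update[name]))
    def perform_update(self, passed: bool) -> bool:
        """Make the staged components active only on a pass indication."""
        if passed and self.staged is not None:
            self.active = self.staged
        self.staged = None
        return passed

def attest(retrieved_pcr: bytes, reference: list) -> bool:
    """Attestation system: compare reference measurements with the PCR value."""
    return hmac.compare_digest(replay(reference), retrieved_pcr)

# Constructed sample data, not taken from the patent.
BOOT = {"bootloader": b"loader-v1", "kernel": b"kernel-v1"}
UPDATE = {"kernel": b"kernel-v2"}
REFERENCE = [measure(BOOT["bootloader"]), measure(BOOT["kernel"]), measure(UPDATE["kernel"])]

def run(update: dict) -> tuple:
    """Load an update, attest it, and return (pass indication, active kernel)."""
    p = Platform(BOOT)
    p.load_update(update)
    passed = p.perform_update(attest(p.pcr, REFERENCE))
    return passed, p.active["kernel"]
```

An update whose measurement does not match the reference list yields a PCR value the attestation system cannot reproduce, so no pass indication is issued and the first set of components stays active.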
while running · CPC title
Hypervisor-specific management and integration aspects · CPC title
Updates (security arrangements therefor G06F21/57) · CPC title
Secure boot · CPC title
Loading of operating system · CPC title