Technologies for authenticated USB device policy enforcement

US10824766B2 · US · B2

Patent metadata
Publication number: US-10824766-B2
Application number: US-201715833298-A
Country: US
Kind code: B2
Filing date: Dec 6, 2017
Priority date: Dec 6, 2017
Publication date: Nov 3, 2020
Grant date: Nov 3, 2020

Abstract

Official abstract text for this publication.

Technologies for USB device policy enforcement include a computing device having a USB controller and secure enclave support. On boot, a firmware enclave randomly generates a binding identity and then securely provisions the binding identity to the USB controller. The firmware enclave also seals the binding identity to a policy enforcement enclave. At runtime, the policy enforcement enclave unseals the binding identity and includes the binding identity in a policy enforcement command sent to the USB controller. The USB controller verifies that the binding identity included in the command matches the binding identity that was previously provisioned. If the binding identities are successfully verified, the USB controller enforces the command. The USB controller may block data transfers or device configuration changes for one or more specified devices. Each of the firmware enclave and the policy enforcement enclave are trusted execution environments. Other embodiments are described and claimed.
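A software model of the flow in the abstract, given here as an added example that is not code from the patent or its assignee: the firmware enclave provisions and seals a random binding identity, the policy enclave unseals it, and the controller enforces a command only when the identity matches. All names (`UsbController`, `seal`, `PLATFORM_SECRET`, the status strings) are hypothetical, and the hash/HMAC sealing is a toy stand-in for the processor's enclave sealing keyed to the enclaves' signing identity.

```python
import hashlib
import hmac
import secrets

PLATFORM_SECRET = secrets.token_bytes(32)  # assumption: stands in for a CPU-held root key

def _seal_key(signer_id: bytes) -> bytes:
    # Sealing key depends on the enclave's signing identity (the signing authority).
    return hmac.new(PLATFORM_SECRET, b"seal" + signer_id, hashlib.sha256).digest()

def _stream(key: bytes, nonce: bytes) -> bytes:
    return hashlib.sha256(b"enc" + key + nonce).digest()  # toy 32-byte keystream

def seal(signer_id: bytes, binding_id: bytes) -> bytes:
    key, nonce = _seal_key(signer_id), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(binding_id, _stream(key, nonce)))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(signer_id: bytes, blob: bytes) -> bytes:
    key, nonce, ct, tag = _seal_key(signer_id), blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("unseal failed: signing identity does not match")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce)))

class UsbController:
    def __init__(self):
        self._binding_id = None
        self.blocked = set()  # devices whose configuration changes are blocked

    def provision(self, binding_id: bytes) -> None:
        self._binding_id = binding_id  # models the secure provisioning channel

    def command(self, binding_id: bytes, action: str, device: str) -> str:
        # Constant-time comparison; a mismatch is reported and nothing is enforced.
        if self._binding_id is None or not hmac.compare_digest(binding_id, self._binding_id):
            return "VERIFICATION_ERROR"
        if action == "block_config_changes":
            self.blocked.add(device)
        return "OK"

def firmware_enclave_boot(controller: UsbController, signer_id: bytes) -> bytes:
    binding_id = secrets.token_bytes(32)  # fresh random identity on every boot
    controller.provision(binding_id)
    return seal(signer_id, binding_id)  # only the sealed blob leaves the enclave

def policy_enclave_block(controller, signer_id: bytes, sealed: bytes, device: str) -> str:
    binding_id = unseal(signer_id, sealed)
    return controller.command(binding_id, "block_config_changes", device)
```
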

First claim

Opening claim text (preview).

The invention claimed is:

1. A computing device for device policy enforcement, the computing device comprising: a USB controller; a firmware enclave to (i) randomly generate a binding identity, (ii) securely provision the binding identity to the USB controller, and (iii) seal the binding identity to generate an encrypted binding identity, wherein the firmware enclave comprises a trusted execution environment; and a policy enforcement enclave to (i) unseal the encrypted binding identity to recover the binding identity and (ii) send a policy enforcement command to the USB controller, wherein the policy enforcement command comprises the binding identity, and wherein the policy enforcement enclave comprises a trusted execution environment; wherein the USB controller is to (i) determine whether the binding identity of the policy enforcement command matches the securely provisioned binding identity and (ii) enforce the policy enforcement command in response to a determination that the binding identity of the policy enforcement command matches the securely provisioned binding identity; wherein to enforce the policy enforcement command comprises to block configuration changes associated with a USB device coupled to the USB controller, and wherein to block the configuration changes comprises to monitor an internal control transfer ring of the USB controller to identify configuration change requests for the USB device.

2. The computing device of claim 1, wherein to enforce the policy enforcement command further comprises to block data transfers associated with a USB device coupled to the USB controller.

3. The computing device of claim 2, wherein to block the data transfers comprises to prevent a device slot associated with the USB device from entering a configured state.

4. The computing device of claim 1, further comprising: a processor that includes secure enclave support; and a firmware environment to load the firmware enclave with the secure enclave support of the processor in response to a boot of the computing device; wherein to randomly generate the binding identity comprises to randomly generate the binding identity in response to a load of the firmware enclave.

5. The computing device of claim 4, further comprising: a runtime environment to load the policy enforcement enclave with the secure enclave support; wherein to unseal the encrypted binding identity comprises to unseal the encrypted binding identity in response to a load of the policy enforcement enclave.

6. The computing device of claim 1, wherein the USB controller is further to indicate a verification error in response to a determination that the binding identity of the policy enforcement command does not match the securely provisioned binding identity.

7. The computing device of claim 1, wherein: to seal the binding identity comprises to seal the binding identity with a first signing identity of the firmware enclave; and to unseal the encrypted binding identity comprises to unseal the encrypted binding identity with a second signing identity of the policy enforcement enclave, wherein the first signing identity matches the second signing identity.

8. The computing device of claim 7, wherein the first signing identity and the second signing identity comprise an identity of an authority of the firmware enclave and the policy enforcement enclave.

9. The computing device of claim 1, wherein to securely provision the binding identity to the USB controller comprises to send the binding identity to a static configuration device via a secure I/O channel, wherein the static configuration device is statically coupled to the USB controller.

10. The computing device of claim 1, wherein to securely provision the binding identity to the USB controller comprises to: execute a first processor instruction to bind the binding identity to the USB controller; and execute a second processor instruction to unwrap the binding identity and deliver the binding identity to the USB controller via a secure fabric of the computing device.

11. A method for device policy enforcement, the method comprising: randomly generating, by a firmware enclave of a computing device, a binding identity, wherein the firmware enclave comprises a trusted execution environment; securely provisioning, by the firmware enclave, the binding identity to a USB controller of the computing device; sealing, by the firmware enclave, the binding identity to generate an encrypted binding identity; unsealing, by a policy enforcement enclave, the encrypted binding identity to recover the binding identity, wherein the policy enforcement enclave comprises a trusted execution environment; sending, by the policy enforcement enclave, a policy enforcement command to the USB controller, wherein the policy enforcement command comprises the binding identity; determining, by the USB controller, whether the binding identity of the policy enforcement command matches the securely provisioned binding identity; and enforcing, by the USB controller, the policy enforcement command in response to determining that the binding identity of the policy enforcement command matches the securely provisioned binding identity; wherein enforcing the policy enforcement command comprises blocking configuration changes associated with a USB device coupled to the USB controller, and wherein blocking the configuration changes comprises monitoring an internal control transfer ring of the USB controller to identify configuration change requests for the USB device.

12. The method of claim 11, wherein enforcing the policy enforcement command further comprises blocking data transfers associated with a USB device coupled to the USB controller.

13. The method of claim 11, further comprising: loading, by a firmware environment of the computing device, the firmware enclave using secure enclave support of a processor of the computing device in response to a boot of the computing device; wherein randomly generating the binding identity comprises randomly generating the binding identity in response to loading the firmware enclave.

14. The method of claim 13, further comprising: loading, by a runtime environment of the computing device, the policy enforcement enclave using the secure enclave support; wherein unsealing the encrypted binding identity comprises unsealing the encrypted binding identity in response to loading the policy enforcement enclave.

15. One or more non-transitory, computer-readable storage media comprising a plurality of instructions stored thereon that, in response to being executed, cause a computing device to: randomly generate, by a firmware enclave of the computing device, a binding identity, wherein the firmware enclave comprises a trusted execution environment; securely provision, by the firmware enclave, the binding identity to a USB controller of the computing device; seal, by the firmware enclave, the binding identity to generate an encrypted binding identity; unseal, by a policy enforcement enclave, the encrypted binding identity to recover the binding identity, wherein the policy enforcement enclave comprises a trusted execution environment; send, by the policy enforcement enclave, a policy enforcement command to the USB controller, wherein the policy enforcement command comprises the binding identity; determine, by the USB controller, whether the binding identity of the policy enforcement command matches the securely provisioned binding identity; and enforce, by the USB controller, the policy enforcement command in response to determining that the binding identity of the policy e

Classifications

  • by executing in a restricted environment, e.g. sandbox or secure virtual machine

  • G06F21/73 (Primary): by creating or determining hardware identification, e.g. serial numbers

  • Program or device authentication

  • on a serial bus, e.g. I2C bus, SPI bus (on daisy chain buses G06F13/4247)

  • for access to input/output bus

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Intel Corp
What technology area does this patent fall under?
Primary CPC classification G06F21/73. Mapped technology areas include Physics.
When was this patent published?
Publication date Nov 3, 2020 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).