Blockchain for general computation
US-2020204346-A1 · Jun 25, 2020 · US
US10949547B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10949547-B2 |
| Application number | US-201816153039-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 5, 2018 |
| Priority date | Oct 5, 2018 |
| Publication date | Mar 16, 2021 |
| Grant date | Mar 16, 2021 |
Official abstract text for this publication.
A fork support is provided for duplicating an application running inside an enclave entity. In this regard, a request to duplicate an application running inside a first enclave may be received by one or more processors of a host computing device of the first enclave. A snapshot of the first enclave including the application may be generated. The snapshot may be encrypted with a snapshot key and copied to untrusted memory of the host. A second enclave may be generated. The snapshot key may be sent from the first enclave to the second enclave through a secure communication channel. The encrypted snapshot may be copied from the untrusted memory of the host into the second enclave. The encrypted snapshot may be decrypted inside the second enclave with the snapshot key.
Opening claim text (preview).
The invention claimed is:

1. A method, comprising: receiving, by one or more processors of a host computing device of a first enclave, a request to duplicate an application running inside the first enclave; generating, by the one or more processors, a snapshot of the first enclave including the application; generating, by the one or more processors, a second enclave; generating, by the one or more processors, a first key pair inside the first enclave and a second key pair inside a second enclave; generating, by the one or more processors, a secret key using the first key pair and the second key pair; establishing, by the one or more processors, a secure communication channel between the first enclave and the second enclave using the secret key; encrypting, by the one or more processors, the snapshot inside the first enclave with a snapshot key; copying, by the one or more processors, the encrypted snapshot from the first enclave to untrusted memory of the host; sending, by the one or more processors, the snapshot key from the first enclave to the second enclave through the secure communication channel; copying, by the one or more processors, the encrypted snapshot from the untrusted memory of the host into the second enclave; and decrypting, by the one or more processors, the encrypted snapshot inside the second enclave with the snapshot key.
2. The method of claim 1, further comprising creating, by the one or more processors, an entry for the first enclave, the entry allowing a snapshotting thread to enter the first enclave from the host, wherein the snapshot is taken by the snapshotting thread inside the first enclave.
3. The method of claim 2, further comprising generating, by the one or more processors, an entry barrier for the entry created for the first enclave, and wherein the entry barrier prevents host-side threads other than the snapshotting thread from entering the first enclave.
4. The method of claim 1, further comprising generating, by the one or more processors, a fork indication inside the first enclave indicating that one snapshot can be taken of the first enclave, and wherein the fork indication permits only one snapshotting thread to take a snapshot.
5. The method of claim 4, further comprising removing, by the one or more processors, the fork indication inside the first enclave in response to the one snapshotting thread entering the first enclave, wherein the one snapshot is taken in response to the fork indication being removed.
6. The method of claim 1, wherein the copying the encrypted snapshot from the untrusted memory of the host into the second enclave further comprises copying, by the one or more processors, the encrypted snapshot from the first enclave to a first process of the host, and wherein the first enclave is generated using the first process.
7. The method of claim 6, wherein the copying the encrypted snapshot from the untrusted memory of the host into the second enclave further comprises: copying, by the one or more processors, the encrypted snapshot from the first process to a second process of the host, wherein the second enclave being generated using the second process; and copying, by the one or more processors, the encrypted snapshot from the second process into the second enclave.
8. The method of claim 7, wherein the second process is generated by calling a host-side fork function on the first process.
9. The method of claim 1, wherein the first key pair includes a first public key and a first private key, the second key pair includes a second public key and a second private key, and wherein generating the secret key includes: generating the secret key inside the first enclave using the first private key and the second public key; and generating the secret key inside the second enclave using the second private key and the first public key.
10. The method of claim 9, further comprising: generating, by the one or more processors, a first assertion inside the first enclave, the first assertion being bound to the first public key; sending, by the one or more processors, the first assertion to the second enclave; verifying, by the one or more processors, that the first assertion is bound to the first public key; generating, by the one or more processors, a second assertion inside the second enclave, the second assertion being bound to the second public key; sending, by the one or more processors, the second assertion to the first enclave; and verifying, by the one or more processors, that the second assertion is bound to the second public key, and wherein the generating the secret key is based on the first assertion and the second assertion being verified.
11. The method of claim 9, further comprising: generating, by the one or more processors, a first assertion inside the first enclave, the first assertion being bound to the first public key; sending, by the one or more processors, the first assertion to the second enclave; verifying, by the one or more processors, a first identity of the first enclave using the first assertion; generating, by the one or more processors, a second assertion inside the second enclave, the second assertion being bound to the second public key; sending, by the one or more processors, the second assertion to the first enclave; and verifying, by the one or more processors, a second identity of the second enclave using the second assertion, and wherein the generating the secret key is based on the first identity and the second identity being verified.
12. The method of claim 11, further comprising creating, by the one or more processors, an entry for the first enclave, the entry allowing an attesting thread to enter the first enclave from the host, and wherein the first assertion is generated in response to a request by the attesting thread.
13. The method of claim 11, wherein the first identity is identical to the second identity.
14. The method of claim 11, further comprising creating, by the one or more processors, an entry for the first enclave, the entry allowing an authenticating thread to enter the first enclave from the host, and wherein the second assertion is verified by the first enclave in response to a request by the authenticating thread.
15. The method of claim 1, wherein the first key pair includes a first public key and a first private key, the second key pair includes a second public key and a second private key, and wherein the method further includes: generating the secret key inside the first enclave using the first private key and the second public key; and encrypting, by the one or more processors, the snapshot key in the first enclave using the secret key.
16. The method of claim 15, further comprising creating, by the one or more processors, an entry for the first enclave, the entry allowing an encrypting thread to enter the first enclave from the host to encrypt the snapshot key with the secret key.
17. The method of claim 15, further comprising: generating, by the one or more processors, the secret key inside the second enclave using the first public key and the second private key; and decrypting, by the one or more processors, the encrypted snapshot key inside the second enclave using the secret key.
18. The method of claim 17, further comprising creating, by the one or more processors, an entry for the second enclave, the entry allowing a restoring thread to enter the second enclave from the host, and wherein the snapshot key is decrypted by the restoring thread inside the second enclave.
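
The snapshot hand-off of claims 1, 9, 15 and 17, simulated as an added example that is not code from the patent or its assignee. The claims name no algorithms, so X25519, AES-256-GCM, SHA-256 as the key-derivation step and the names `Snapshot`, `Restore` and `gcm` are assumptions. The assertions of claims 10 and 11 are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

var nonce = make([]byte, 12) // fixed nonce: safe only because each secret encrypts one message

// gcm keys AES-256-GCM with SHA-256(secret); cipher and KDF are assumptions of this example.
func gcm(secret []byte) cipher.AEAD {
	k := sha256.Sum256(secret)
	b, _ := aes.NewCipher(k[:]) // cannot fail: k is always 32 bytes
	g, _ := cipher.NewGCM(b)
	return g
}

// Snapshot runs in enclave 1: staged goes to untrusted host memory, wrapped over the channel.
func Snapshot(secret, state []byte) (staged, wrapped []byte) {
	snapKey := make([]byte, 32)
	if _, err := rand.Read(snapKey); err != nil {
		panic(err) // never encrypt under a predictable snapshot key
	}
	return gcm(snapKey).Seal(nil, nonce, state, nil), gcm(secret).Seal(nil, nonce, snapKey, nil)
}

// Restore runs in enclave 2: unwrap the snapshot key, then authenticate and decrypt the blob.
func Restore(secret, staged, wrapped []byte) ([]byte, error) {
	snapKey, err := gcm(secret).Open(nil, nonce, wrapped, nil)
	if err != nil {
		return nil, err
	}
	return gcm(snapKey).Open(nil, nonce, staged, nil)
}

func main() {
	k1, _ := ecdh.X25519().GenerateKey(rand.Reader) // first key pair, inside enclave 1
	k2, _ := ecdh.X25519().GenerateKey(rand.Reader) // second key pair, inside enclave 2
	s1, _ := k1.ECDH(k2.PublicKey())                // secret key as derived in enclave 1
	s2, _ := k2.ECDH(k1.PublicKey())                // same secret key, derived in enclave 2
	staged, wrapped := Snapshot(s1, []byte("constructed enclave heap"))
	state, err := Restore(s2, staged, wrapped)
	fmt.Printf("host saw %d opaque bytes; restored %q, err=%v\n", len(staged), state, err)
}
```

Because the staged blob is authenticated as well as encrypted, a host that alters it in untrusted memory causes `Restore` to return an error instead of a corrupted snapshot.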
operating in dual or compartmented mode, i.e. at least one secure mode · CPC title
Generation of secret information including derivation or calculation of cryptographic keys or passwords · CPC title
Protecting data · CPC title
by mutual authentication, e.g. between devices or programs · CPC title
using a plurality of keys or algorithms · CPC title