US12489642B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12489642-B2 |
| Application number | US-202318354991-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 19, 2023 |
| Priority date | May 24, 2023 |
| Publication date | Dec 2, 2025 |
| Grant date | Dec 2, 2025 |
Official abstract text for this publication.
According to one embodiment, a method, computer system, and computer program product for establishing identity-based hierarchical sessions on a hardware security module (HSM) for binding secure keys to a guest system, is disclosed. The present invention may include establishing a communication channel between the guest system and the HSM, wherein the communication channel is identity-based, end-to-end and encrypted, thereby establishing a session, transferring login information of the guest system through the communication channel to the HSM, maintaining a predefined security level throughout a hierarchy of the sessions, wherein no child session has a higher security level than its parent session, and performing a challenge-response protocol based on a session ownership verification with the guest, such that an HSM generated and secured key is bound to a related session.
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method for establishing identity-based hierarchical sessions on a hardware security module (HSM) for binding secure keys to a guest system, the method comprising: establishing a communication channel between the guest system and the HSM, wherein the communication channel is identity-based, end-to-end, and encrypted, thereby establishing a session; transferring login information of the guest system through the communication channel to the HSM; maintaining a predefined security level throughout a hierarchy of sessions, wherein each child session does not have a higher security level than its parent session; and performing a challenge-response protocol based on a session ownership verification with the guest, such that an HSM-generated and secured key is bound to an associated session.

2. The method of claim 1, further comprising: transmitting a challenge of the challenge-response protocol via the communication channel from the HSM to the guest system.

3. The method of claim 1, wherein the establishing the communication channel is based on a public/private key pair of the HSM and a transmitted code allowing a symmetrical encryption/decryption key to be derived.

4. The method of claim 3, wherein the deriving the symmetrical encryption/decryption key is based on a Diffie-Hellman algorithm.

5. The method of claim 1, further comprising: using the communication channel to configure a new session to be a child session of an existing session such that the child session is cryptographically dependent on the parent session.

6. The method of claim 1, wherein the guest system is executed on a hypervisor.

7. The method of claim 1, wherein a function of a firmware of a computer system facilitates a communication between the guest system and the HSM.

8. The method of claim 1, further comprising: deallocating the communication channel and an associated state of the guest system and/or a related session.

9. The method of claim 1, further comprising: deallocating the session and an associated state of the guest system; and/or deallocating one or more child sessions that have been associated with a parent session upon deallocation of the parent session.

10. The method of claim 1, further comprising: marking a session as a supervisor session; and/or a separate interface for deallocating one or more sessions and their child sessions that have been marked as supervisor sessions.

11. The method of claim 1, further comprising: upon determining that a child session has a lower security level than its targeted parent session, rejecting a request to open the child session.

12. A session management system for establishing identity-based hierarchical sessions on a hardware security module (HSM) for binding secure keys to a guest system, the session management system comprising: one or more processors and a memory operatively coupled to the one or more processors, wherein the memory stores program code portions which, when executed by the one or more processors, enable the one or more processors to: establish a communication channel between the guest system and the HSM, wherein the communication channel is identity-based, end-to-end and encrypted, thereby establishing a session; transfer login information of the guest system through the communication channel to the HSM; maintain a predefined security level throughout a hierarchy of sessions, wherein each child session does not have a higher security level than its parent session; and perform a challenge-response protocol based on a session ownership verification with the guest, such that an HSM-generated and secured key is bound to an associated session.

13. The session management system of claim 12, wherein the one or more processors are further enabled to: transmit a challenge of the challenge-response protocol via the communication channel from the HSM to the guest system.

14. The session management system of claim 12, wherein the establishing the communication channel is based on a public/private key pair of the HSM and a transmitted code allowing a symmetrical encryption/decryption key to be derived.

15. The session management system of claim 14, wherein the deriving the symmetrical encryption/decryption key is based on a Diffie-Hellman algorithm.

16. The session management system of claim 12, wherein the one or more processors are further enabled to use the communication channel to configure a new session to be a child session of an existing session such that the child session is cryptographically dependent on the parent session.

17. The session management system of claim 12, further comprising: a hypervisor on which the guest system is executed.

18. The session management system of claim 12, wherein a function of a firmware of a computer system facilitates a communication between the guest system and the HSM.

19. The session management system of claim 12, wherein the one or more processors are further enabled to deallocate the communication channel and a related state of the guest system and/or a related session.

20. A computer program product for establishing identity-based hierarchical sessions on a hardware security module (HSM) for binding secure keys to a guest system, program instructions being executable by one or more computing systems or controllers to cause the one or more computing systems to: establish a communication channel between the guest system and the HSM, wherein the communication channel is identity-based, end-to-end, and encrypted, thereby establishing a session; transfer login information of the guest system through the communication channel to the HSM; maintain a predefined security level throughout a hierarchy of sessions, wherein each child session does not have a higher security level than its parent session; and perform a challenge-response protocol based on a session ownership verification with the guest, such that an HSM-generated and secured key is bound to an associated session.
Multiple levels of security · CPC title
involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing · CPC title
involving Diffie-Hellman or related key agreement protocols · CPC title
involving additional devices, e.g. trusted platform module [TPM], smartcard or USB · CPC title
using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM] · CPC title