(12) United States Patent
Challener et al.

(10) Patent No.: US 8,099,789 B2
(45) Date of Patent: Jan. 17, 2012

(54) APPARATUS AND METHOD FOR ENABLING APPLICATIONS ON A SECURITY PROCESSOR

(75) Inventors: David C. Challener, Raleigh, NC (US); John H. Nicholson, III, Durham, NC (US); Joseph Pennisi, Apex, NC (US); Rod D. Waltermann, Rougemont, NC (US)

(73) Assignee: Lenovo (Singapore) Pte. Ltd., Singapore (SG)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 1007 days.

(21) Appl. No.: 11/529,795

(22) Filed: Sep. 29, 2006

(65) Prior Publication Data: US 2008/0104416 A1, May 1, 2008

(51) Int. Cl.: G06F 21/00 (2006.01)

(52) U.S. Cl.: 726/30; 726/27; 726/28; 726/29

(58) Field of Classification Search: 726/30
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
7,526,654 B2* 4/2009 Charbonneau ... 713/188
2003/0028807 A1* 2/2003 Lawman et al. ... 713/201
2003/0035547 A1 2/2003 Newton
2003/0037237 A1 2/2003 Abgrall et al.
2003/0053623 A1 3/2003 McCanny et al.
2003/0081784 A1 5/2003 Kallahalla et al.
2004/0003390 A1* 1/2004 Canter et al. ... 717/178
2004/0039924 A1 2/2004 Baldwin et al.
2004/0243835 A1 12/2004 Terzis et al.
2005/0071645 A1 3/2005 Girouard et al.
2005/0086509 A1 4/2005 Ranganathan
2005/0097343 A1* 5/2005 Altenhofen ... 713/191
2005/0131900 A1* 6/2005 Palliyll et al. ... 707/10
2005/0132182 A1* 6/2005 Challener et al. ... 713/150
2005/0132203 A1 6/2005 Dharmarajan
2005/0138393 A1 6/2005 Challener et al.
2005/0166051 A1* 7/2005 Buer ... 713/173
* cited by examiner

Primary Examiner — Nasser Moazzami
Assistant Examiner — Ghazal Shehni
(74) Attorney, Agent, or Firm — Sawyer Law Group, P.C.

(57) ABSTRACT

Method and apparatus for enabling applications on security processors of computer systems. In one aspect, a security processor apparatus includes a processor and a memory coupled to the processor and operative to store a secure table. The secure table stores different certified endorsement keys and different values, each value associated with one of the endorsement keys. Each stored value is derived from a different application that is certified by the associated endorsement key to be executed on the processor.

30 Claims, 4 Drawing Sheets

[FIG. 1 (Sheet 1 of 4): block diagram of computer system 10. Labels recoverable from the drawing: MEMORY, OUTPUT DEVICES, STORAGE DEVICE, SMARTCARD READER, KEYBOARD, FINGERPRINT READER, PROCESSOR, NONVOLATILE MEMORY; reference numerals 10 and 16 are visible.]

APPL-1007
APPLE INC. / Page 1 of 14

U.S. Patent, Jan. 17, 2012, Sheet 1 of 4, US 8,099,789 B2

[FIG. 2 (Sheet 2 of 4): secure table 50 with two columns, HASH VALUE and ENDORSEMENT KEY, holding paired entries (HASH VALUE / KEY VALUE) for each certified application.]

[FIG. 3 (Sheet 2 of 4): flow diagram of method 70. 72: start. 74: receive hash values from users for security application to run on processor. 76: associate each hash value with a signed endorsement key and store in associated secure memory. 78: provide processor to users. 80: done.]

[FIG. 4 (Sheet 3 of 4): flow diagram of method 100. Boxes recoverable from the drawing: start; receive request to load an application on chip; identify user; decision "need to load requested application?"; decision "swap out loaded application?"; hash loaded application and store hash in secure table with EK; encrypt loaded application and unload to storage device; load, decrypt, and hash selected application; compare hash of selected application to stored hash values in table; activate application, generate data; refuse application. Reference numerals visible: 100, 104, 110, 120.]

[FIG. 5 (Sheet 4 of 4): flow diagram of method 200. Boxes recoverable from the drawing: 202: start; receive request to install new application; identify user; decision "unload security architecture?" with YES and NO branches; encrypt and unload loaded security architecture application to storage device; load and activate required security architecture if hash value matches table; load, decrypt, hash new application and register hash value in secure table with EK; 218: done. Reference numerals visible: 200, 204, 206, 208, 210, 212, 214.]

APPARATUS AND METHOD FOR ENABLING APPLICATIONS ON A SECURITY PROCESSOR

FIELD OF THE INVENTION

The present invention relates to securely protecting computer data, and more particularly to security processors provided in computer systems to implement security features.

BACKGROUND OF THE INVENTION

Security of information stored on computer systems is a primary concern. Many different techniques have been implemented to secure such information, from security application software installed on computer systems, to hardware keys required for access to information.

Another way to secure information is known as the Trusted Platform Module (TPM) specification from the Trusted Computing Group (TCG). In this specification, a standard chipset including a programmable microcontroller is provided on a computer's circuit board during manufacturing, and is used to store and secure information of the computer system that is desired to be protected, i.e., enable effective trusted computing features. The security architecture (i.e., the functions and the application program interface (API)) that runs on the microcontroller can be referred to as a TPM. A TPM can offer a variety of features, including a random number generator, facilities for secure generation of cryptographic keys, and abilities to limit the use of keys, e.g., to signing and verification, and/or encryption and decryption.

As e-commerce, e-government and e-business grow with the increasing threat of cybercrime, there is a tradeoff emerging in the use of security technologies for protecting data and authenticating identities and transactions. Information technology owners of processes involving these identities and transactions desire to use specific encryption algorithms tailored to their own circumstances and risk profiles. They want to use specific, feature set implementations of TPMs associated with desired encryption algorithms to support the required assurance level of their end-to-end systems and operational models. For example, a standard general purpose TPM may use a particular set of encryption algorithms including the Advanced Encryption Standard (AES). However, particular governmental organizations may use different algorithms than AES, such as the government of Russia using GOST (Gosudarstvennyi Standart) encryption or the government of China using SMS4 encryption. Others, such as the National Security Agency of the United States, may use their own algorithms which they do not wish to publicly disclose.

Such different requirements by different entities would typically require that each TPM chipset be specifically tailored for the security architecture and algorithms desired by its particular end-user. Thus, a different security architecture implementing particular hashing and encryption algorithms and other functionality will have to be loaded on different TPM chipsets before delivery to the end user. This requires that a different TPM chip be made for each different user specification, which can greatly increase the cost of manufacture of TPMs and thus the cost for the user to install this type of security on their systems.

In addition, prior implementations of TPM chips have not allowed a TPM architecture to be securely unloaded from the microcontroller to allow the loading of other applications on the chip, nor have they allowed the most recent version of an unloaded TPM architecture to be securely reloaded into the chip.

Accordingly, what is needed is a flexible and secure approach to use a secure programmable microcontroller to support various security architectures and their encryption algorithms and incorporate these into the emulation of different instances of TPM hardware. The present invention addresses such a need.

SUMMARY OF THE INVENTION

The invention of the present application relates to applications provided on security processors provided in computer systems. In one aspect of the invention, a method for providing a security processor includes receiving a plurality of values, each value identifying a different application that can be executed on the security processor. A different certified endorsement key is associated with each received value by storing the endorsement keys and values in memory accessible by the security processor, where at least one of the stored endorsement keys and associated values is used to allow one of the different applications to execute on the security processor.

In another aspect of the invention, a security processor apparatus includes a processor and a memory coupled to the processor and operative to store a secure table. The secure table stores a plurality of different certified endorsement keys and a plurality of different values, each value associated with one of the endorsement keys. Each stored value is derived from a different application that is certified by the associated endorsement key to be executed on the processor.

In another aspect of the invention, a method for securely providing applications on a security processor includes receiving a request to load a requested application on the security processor, and comparing a value obtained from processing the requested application to at least one of a plurality of stored values stored in a memory of the security processor. A match between a stored value and the value indicates that the requested application is certified to execute on the security processor. The requested application is executed on the security processor if a match is found between the value and a stored value.

In another aspect of the invention, a computer system includes an input device operative to provide input received from a user to the computer system, the input device including a security input device identifying the user. A security processor is coupled to the input device and operative to receive the input from the user and to run applications certified for the processor. A memory coupled to the security processor is operative to store a secure table, the secure table storing a plurality of different certified endorsement keys and a plurality of different hash values, each hash value associated with one of the endorsement keys, where each hash value is derived from a different application that is certified by the associated endorsement key to be loaded on the processor. The different applications include different security architecture applications that each can implement a different security architecture on the security processor.

The present invention provides a security processor that provides flexibility in supporting various certified security architectures and their algorithms, and allows a user to select the applications to execute on the processor. This allows a provider to produce one kind of processor that can satisfy the needs of many different users who may wish to use different architectures and algorithms. The present invention also allows an application to be unloaded from and loaded to a security processor, and installed for a security processor, while maintaining security and recent updates to the application.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 is a block diagram illustrating a computer system 10 suitable for use with the present invention;

FIG. 2 is a diagrammatic illustration of a secure table of the present invention that can be stored in nonvolatile memory connected to the security processor of FIG. 1;

FIG. 3 is a flow diagram illustrating a method of the present invention for preparing and providing a security processor for users;

FIG. 4 is a flow diagram illustrating a method of the present invention for loading an application into a security processor; and

FIG. 5 is a flow diagram illustrating a method of the present invention for installing a new application for use by a security processor.

DETAILED DESCRIPTION

The present invention relates to securely protecting computer data, and more particularly to security processors provided in computer systems to implement security features. The following description is presented to enable one of ordinary skill in the art to make and use the invention and is provided in the context of a patent application and its requirements. Various modifications to the preferred embodiment and the generic principles and features described herein will be readily apparent to those skilled in the art. Thus, the present invention is not intended to be limited to the embodiment shown but is to be accorded the widest scope consistent with the principles and features described herein.

The present invention is mainly described in terms of particular systems and methods provided in particular implementations. However, one of ordinary skill in the art will readily recognize that these methods and systems will operate effectively in other implementations. For example, the computer system implementations usable with the present invention can take a number of different forms.

To more particularly describe the features of the present invention, please refer to FIGS. 1-5 in conjunction with the discussion below.

FIG. 1 is a block diagram illustrating a computer system 10 suitable for use with the present invention. System 10 is a computer system having any of a variety of forms. For example, the computer system 10 can be a mainframe computer, desktop computer, workstation, portable computer, or electronic device. System 10 includes a security architecture such as a Trusted Platform Module (TPM) from the Trusted Computing Group (TCG), or other security system suitable for use with the present invention, for securing data and functions of the system 10 from unauthorized access and manipulation. System 10 includes an input portion 12, a security portion 14, and a standard portion 16.

Input portion 12 can include a variety of different input devices which allow a user to input data to the system 10 and authenticate the user's identity to the system. For example, in the embodiment shown, a card reader 20, keyboard 22, and/or fingerprint reader 24 can be included in the system 10. Card reader 20 can read magnetic or processor cards such as smart cards, which can include secure information identifying the user and storing associated information for the user. Keyboard 22 can be used to input a password that identifies the user. The fingerprint reader 24 can read the unique fingerprint pattern of a user to identify the user. These input devices thus can be used for user authorization purposes, allowing access to secured data of system 10 to authorized users. Herein, the term "user" is meant to refer to any user of the system 10, whether authorized or not. The term "owner" in the TPM standard is used to refer to a user who loaded a particular TPM architecture and has the highest authorization to access that architecture.

Security portion 14 of system 10 is used to secure the data and applications of the system for access and use only by authorized users. In the described embodiment, a programmable security processor 26 included in the system is dedicated to security functions (and in some embodiments also may be used for other functions). The processor can execute various applications loaded onto the processor. The processor 26 typically implements a "security architecture" which, as used herein, refers to the particular security features and functions (e.g. API functions, algorithms) implemented for the system 10 as determined by a security architecture application loaded on the processor 26. An instance of a security architecture, normally implemented in hardware, can be emulated in software in the present invention to allow different architectures to be supported on processor 26.

For example, processor 26 can implement a TPM security architecture, which is a well-known standard for securing computer data. A TPM architecture is implemented on a secure, dedicated chipset incorporated into a motherboard or other circuitry of a computer by the manufacturer. In other embodiments, the TPM architecture can be implemented in another existing chip of the computer system 10. Other embodiments may use a different standard or proprietary security architecture to implement security features. The typical security functions of a TPM include random number generation, secure generation of cryptographic keys, secure storage, abilities to limit the use of keys (such as for signing and verification), and/or encryption and decryption. For example, in one embodiment the processor 26 can be an H8 processor that runs a Java Card Open Platform (JCOP) operating system from IBM Corporation, a well-known operating system implementing many security features suitable for use with the present invention. A TPM application can be loaded into the processor 26 and implemented by the JCOP operating system to enable the security architecture.

Processor 26 can typically be loaded with different security architectures, where each architecture may use different security algorithms and keys associated with that architecture, and may implement a different set of security functions. In the present invention, different security architectures can be loaded on the processor 26 from the portion 16 of the system 10 (or other secure source).

In addition, other applications not implementing a security architecture can be loaded and run on processor 26. These applications may be "bound" to a particular security architecture, referring to the dependency of an application on a particular security architecture being loaded in the processor 26. Such features are described in greater detail below.

A nonvolatile memory 28 is included in security portion 14 and is connected to the processor 26. For example, memory 28 can be Flash memory, Electrically Erasable Programmable Read Only Memory (EEPROM), or other type of memory. In the described embodiment, memory 28 is a secure memory which cannot be easily tampered with to read its data contents. In some embodiments, the nonvolatile memory 28 can be included on the same integrated circuit chip, or package, of the processor 26.

In the present invention, nonvolatile memory 28 stores a secure table of hash values and endorsement keys which are
used to determine whether applications to be loaded on the processor 26 are authorized, and enables flexible and secure support of various different security architectures and programs on processor 26, as described in greater detail below. The memory 28 also stores any other secure data pertinent to performing the security functions of the processor's security architecture. The non-volatile memory can also in some embodiments be used to store a loaded security architecture and/or application loaded in processor 26.

In other embodiments, additional memory (not shown) can be connected to the processor 26 to store a loaded security architecture, loaded applications, or other programs. For example, secured random access memory (RAM), additional nonvolatile memory, etc., can be connected.

A standard portion 16 of system 10 is connected to the processor 26 and includes remaining standard components of the system. Such components typically include a microprocessor or CPU 30, memory 32 (random access memory (RAM), read-only memory (ROM), etc.), output devices 34 (video monitor, audio speakers, printer, etc.) and other typical computer components. The microprocessor can interface with memory devices and other components to control the operation of the system 10, including performing data manipulation, computation, input/output, and other typical functions.

A storage device 36, such as a hard disk drive, is also typically included to store data and applications to be used by the system 10. In the present invention, applications such as security applications to be loaded into processor 26, as well as other applications used by the processor 26 and microprocessor 30, can be stored securely on storage device 36 using encryption and other security methods. In other embodiments, a different storage device 36 can be used instead of a hard disk drive, such as memory, magnetic tape, optical storage (CD-ROM, DVD-ROM), etc. In the described embodiment, the standard portion 16 of system 10 is connected to the processor 26, and the input portion 12 is connected to the processor 26, so that input provided to the portion 16 can first be examined by security portion 14 for authentication and security.

FIG. 2 is a diagrammatic illustration of a secure table 50 of the present invention that can be stored in nonvolatile memory 28 connected to security processor 26. Table 50 can store information related to allowing certified applications to execute on the processor 26 and determining which type of security architecture is to be loaded and executed.

In the described embodiment, table 50 includes a number of endorsement key (EK) values 52. For example, in the TPM standard, an endorsement key (e.g., generated randomly for a TPM architecture at manufacture time) is used to allow the execution of secure transactions and to recognize a genuine TPM architecture to be loaded into the processor 26. The endorsement key is a key pair including a public key and a private key; the private portion of the endorsement key can be stored in the table 50. Alternatively, the public and private portions of the endorsement keys can be stored in table 50. Although the term "endorsement key" is used in the TPM standard for use with TPM architectures, this term is used generically herein for similar use in any standard and can be used with any application.

After generating an endorsement key for an application, the provider (or other authorized entity) publishes a certificate that includes the public portion of the endorsement key and provides information identifying the application that is associated with the endorsement key. For example, this information can be a hash value of the application, or can otherwise describe the application (e.g., for a security architecture application, specifying the algorithms used, etc.). The provider signs the certificate using a private portion of a provider key, which allows a public portion of that provider key to be used to verify that the certificate information is authentic and from that provider. Thus, for example, the certificate can testify that an identified TPM architecture is a particular type of TPM architecture using an associated set of encryption and decryption algorithms.

In the present invention, multiple endorsement key values 52 for multiple endorsement keys are stored in the table 50 to allow any of multiple different security architectures or applications to be loaded on the processor 26. Each endorsement key in table 50 is unique and is associated for use with a particular application as specified in a published certificate.

The table 50 also stores hash values 54, where each hash value is associated with a corresponding stored endorsement key value 52. A hash value 54 is the result of a cryptographic hash function applied to a particular application and/or data and uniquely identifies the hashed application/data. The association of the hash value with an endorsement key value 52 by the provider indicates that the application/data has been authorized and certified for use on this processor 26. The particular hash algorithm(s) used to generate the hash values in column 54 are associated with and depend on the particular security architecture used.

For example, the provider of the processor 26 of the present invention can store the endorsement key values in the table 50, each of which is associated with a certificate authorizing and specifying a different type of security architecture for use on processor 26. The provider can also store the hash values of the applications that the manufacturer has authorized and certified for use with the stored endorsement keys on this processor 26. In addition, a user may be able to store new hash values in table 50, and/or new endorsement keys associated with a certificate signed by the user. These features are described in greater detail below.

FIG. 3 is a flow diagram illustrating a method 70 of the present invention for preparing and providing a security processor 26 for users. The method 70 is for use by a manufacturer of the processor 26, or an authorizing entity which can provide certified endorsement keys in a processor 26; all such manufacturers or authorizing entities are generally referred to herein as "providers" of the security processor 26.

The method starts at 72, and in step 74, the provider receives hash values from the users (e.g., customers) who wish to use the processor 26. Each hash value represents the particular application (such as a security architecture application like a TPM application), and any associated data, that is desired to be loaded and run on the security processor 26. Each hash value has been obtained using a hash algorithm that can remain unknown to the provider; thus, the implementation of the application and the algorithms used by the application can remain unknown to the provider, as desired by some users. Alternatively, the provider can apply hash algorithms to applications desired to be supported by the processor 26 to obtain some or all of the hash values.

In step 76, the provider associates each different hash value with an endorsement key generated on the processor 26 for that hash value (e.g., a random number can be signed by the processor 26 to form the endorsement key pair), and the endorsement key and hash value are stored. The public portion of the endorsement key can be provided in a certificate that is published by a certifying authority. For each different hash value, an endorsement key value and the associated hash value are stored in the secure table 50 of the secure nonvolatile memory 28 that is connected to the processor 26. The endorsement key value stored can be the private portion of the
endorsement key (or alternatively the public portion or both portions). Each endorsement key can be different for each hash value; or, in alternate embodiments, the same endorsement key can be used for multiple hash value entries. Each stored hash value identifies a different application desired by the user; if two or more users have provided the same hash values in step 74, then only one hash value and endorsement key need be stored in the table 50 for that application. In some embodiments, different instances of the same application may provide different hash values (e.g., when having different settings, data, etc.), so that each different instance can have a corresponding different hash value and endorsement key entry stored in the secure table 50. Applications that are bound to a particular security architecture can be indicated as having that relationship in the security table 50 by any of various methods, e.g., the bound application has a hash value that includes a link or pointer to the required security architecture application, other status indicator or pointer, etc. In some embodiments, an additional identifier can be stored in each entry of the secure table 50, used to match the entry to a requested application as described below.

In step 78, the provider provides the processor 26 to the users (or causes the processor 26 to be provided to the users). The processor 26 can be included in a computer system 10 that is provided to the users. The user can then load his or her desired application(s) on the processor 26, as described in greater detail with respect to FIG. 4. The process is then complete at 80.

In some embodiments, the provider can also store additional certified endorsement key values in the table 50 which are not yet associated with any hash values. This allows a user to load his or her own hash value and associate it with a stored, certified endorsement key. In some embodiments, the provider can also allow a user to store his or her own endorsement keys and hash values in the table 50.

With the method of FIG. 3, the present invention allows a provider to provide a security processor in a computer system without the provider knowing the particular implementation and/or algorithms of an application to be loaded on the processor 26. A user need not have given out any of the actual applications or algorithms that the user wishes to implement in or use with the desired security architecture, and need only give the hash values to the provider. This allows the provider to authenticate applications authorized for use with the processor 26 by associating each application's hash value with an endorsement key.

The present invention allows the provider to save the manufacturing costs of providing a different processor 26 for each type of security architecture desired by the provider's customers. The provider can store a hash value and endorsement key for multiple different types of security architectures (or other applications), where the user will select his or her desired architecture by hashing a security architecture application upon load, which will match with the proper hash value and endorsement key in the table 50. The provider can thus provide identical processors 26 to all users and let the user select the desired security architecture or application and thus the particular algorithms that are associated with that application.
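The secure table 50 of FIG. 2, the provisioning steps 74 and 76 of method 70 (FIG. 3), and the load, swap-out and reload steps shown in FIG. 4 can be modelled end to end. The following Python is an added illustration written for this page; it is not code from the patent or from Lenovo. It assumes SHA-256 as the hash algorithm (the patent leaves the algorithm to the security architecture), uses HMAC-SHA256 over a random secret as a stand-in for both the endorsement-key pair and the provider's certificate signature, and uses a toy HMAC keystream in place of the cipher applied when an application is unloaded to the storage device 36. Every class, function and sample image name (Entry, provision, SecurityProcessor, request_load, the "constructed" byte strings) is invented for the example.

```python
# Added example, not the patent's code: models secure table 50 (FIG. 2), provisioning
# method 70 (FIG. 3) and the load / swap-out flow of FIG. 4. Assumptions: SHA-256 as the
# hash; HMAC-SHA256 over a random secret stands in for the endorsement-key pair and for
# the provider's signature; a toy HMAC keystream stands in for the unload cipher.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

HASH = hashlib.sha256  # the patent leaves the hash algorithm architecture-specific

def app_hash(image: bytes) -> str:
    return HASH(image).hexdigest()

@dataclass
class Entry:  # one row of table 50: endorsement key value (52) and hash value (54)
    ek_secret: bytes  # private portion of the EK (random secret as stand-in)
    app_hash: str     # hash of the one application certified for this EK

def certify(provider_key: bytes, ek_id: str, h: str) -> Tuple[bytes, bytes]:
    # Certificate: EK public part plus application hash, signed with the provider key.
    body = f"{ek_id}|{h}".encode()
    return body, hmac.new(provider_key, body, HASH).digest()

def certificate_is_valid(provider_key: bytes, cert: Tuple[bytes, bytes]) -> bool:
    return hmac.compare_digest(certify(provider_key, *cert[0].decode().split("|"))[1], cert[1])

def provision(table: Dict[str, Entry], provider_key: bytes, user_hashes) -> Dict[str, tuple]:
    # Method 70. Step 74: hashes arrive from users; the provider never sees the code.
    # Step 76: each distinct hash gets a fresh EK, both go into the table, and a
    # certificate binding the EK's public part to the hash is published.
    issued = {}
    for h in user_hashes:
        if h in issued:
            continue  # same hash from two users: one entry suffices
        ek_secret = secrets.token_bytes(32)
        ek_id = HASH(b"EK-public:" + ek_secret).hexdigest()  # public-part stand-in
        table[ek_id] = Entry(ek_secret, h)
        issued[h] = (ek_id, certify(provider_key, ek_id, h))
    return issued

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy HMAC counter-mode keystream XOR; the same call encrypts and decrypts.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), HASH).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

class SecurityProcessor:  # processor 26 with table 50 in memory 28 and storage device 36
    def __init__(self, table: Dict[str, Entry]):
        self.table = table
        self.storage: Dict[str, Tuple[bytes, bytes]] = {}  # encrypted unloaded images
        self.loaded: Optional[bytes] = None  # image of the running application
        self.loaded_ek: Optional[str] = None

    def swap_out(self) -> None:
        # FIG. 4: hash the loaded application in its current state, store that hash
        # with its EK, then encrypt the image and unload it to the storage device.
        entry = self.table[self.loaded_ek]
        entry.app_hash = app_hash(self.loaded)  # the most recent version is what reloads
        nonce = secrets.token_bytes(16)
        self.storage[self.loaded_ek] = (nonce, _xor_stream(entry.ek_secret, nonce, self.loaded))
        self.loaded = self.loaded_ek = None

    def request_load(self, ek_id: str, image: Optional[bytes] = None) -> str:
        # FIG. 4: take the image from the request or (image=None) the encrypted copy on
        # the storage device; decrypt, hash, compare with the table; activate or refuse.
        entry = self.table.get(ek_id)
        if entry is None:
            return "REFUSED"  # no certified EK for this request
        if self.loaded is not None:
            self.swap_out()
        if image is None:
            if ek_id not in self.storage:
                return "REFUSED"
            nonce, ciphertext = self.storage[ek_id]
            image = _xor_stream(entry.ek_secret, nonce, ciphertext)
        if not hmac.compare_digest(app_hash(image), entry.app_hash):
            return "REFUSED"  # not the certified (or last unloaded) version
        self.loaded, self.loaded_ek = image, ek_id
        return "ACTIVATED"

def demo() -> dict:
    # Constructed scenario: two users' architecture images, one runtime state update.
    tpm_v1, gost = b"constructed TPM architecture image", b"constructed GOST image"
    tpm_v2 = tpm_v1 + b" + keys generated at runtime"
    table: Dict[str, Entry] = {}
    provider_key = secrets.token_bytes(32)  # stand-in for the provider's signing key
    issued = provision(table, provider_key, [app_hash(tpm_v1), app_hash(gost), app_hash(tpm_v1)])
    (ek_tpm, cert_tpm), (ek_gost, _) = issued[app_hash(tpm_v1)], issued[app_hash(gost)]
    cpu = SecurityProcessor(table)
    r = {"entries": len(table), "cert_ok": certificate_is_valid(provider_key, cert_tpm)}
    r["unknown"] = cpu.request_load(ek_tpm, b"constructed image not in the table")
    r["tpm"] = cpu.request_load(ek_tpm, tpm_v1)
    cpu.loaded = tpm_v2                          # the running TPM updates its own state
    r["gost"] = cpu.request_load(ek_gost, gost)  # swaps the updated TPM image out first
    r["tpm_reload"] = cpu.request_load(ek_tpm)   # reloads the encrypted copy from storage
    r["state_kept"] = cpu.loaded == tpm_v2
    nonce, ct = cpu.storage[ek_gost]
    cpu.storage[ek_gost] = (nonce, ct[:-1] + bytes([ct[-1] ^ 1]))  # corrupt the stored copy
    r["gost_tampered"] = cpu.request_load(ek_gost)
    return r
```

Running demo() exercises the properties the text claims: the provider holds only hashes and keys (the same hash sent by two users yields one entry), an image whose hash is not in the table is refused, the state of an unloaded architecture is preserved under encryption and is the only version that reloads, and a corrupted copy on the storage device is refused because its hash no longer matches. The hash comparison uses hmac.compare_digest so that a mismatch cannot be distinguished by timing. Following the order of FIG. 4, the loaded application is swapped out before the requested one is verified, so a refused request leaves the processor with nothing loaded.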
FIG. 4 is a flow diagram illustrating a method 100 of the present invention for loading an application into a security processor 26. Method 100 (and method 200, below) can be implemented by the processor 26 using an application running under an operating system of the processor 26. Alternatively, methods 100 and/or 200 can be implemented using hardware (circuitry, logic gates, etc.), or a combination of hardware and software. Program instructions implementing all or part of the present invention can be stored on and be accessible from a computer readable medium, such as an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor medium, and examples of which include memory (random access memory (RAM), a read-only memory (ROM), etc.), hard disk drive, optical disk (CD-ROM, DVD-ROM, etc.).

The method begins at 102, and in step 104, the processor 26 receives a request to load an application into the processor 26. This application is typically securely stored in a storage device such as the hard disk drive 36 or other device, e.g., in encrypted form, or may be provided from some other source, such as a connected computer network. This request can include an identification of the application desired to be loaded and the size of the application. For example, an existing hash value of the encrypted application can be provided as a signature in the application file, and/or another identifier or reference to a particular file that holds the application can be used. For example, the request may be to load a TPM application into the processor 26 which currently has no TPM architecture loaded. In another example, the request may be to load a TPM application on the processor 26 to install a