-
Publication number: GB2594225A
Publication date: 2021-10-20
Application number: GB202112113
Application date: 2020-01-31
Applicant: IBM
Inventor: UTZ BACHER, REINHARD BUENDGEN, PETER MORJAN, JANOSCH FRANK
Abstract: A computer-implemented method for creating a secure software container may be provided. The method comprises providing a first layered software container image, transforming all files, except corresponding metadata, of each layer of the first layered software container image into a volume, the volume comprises a set of blocks, wherein each layer comprises an incremental difference to a next lower layer, encrypting each block of the set of blocks of a portion of the layers, and storing each encrypted set of the blocks as a layer of an encrypted container image along with unencrypted metadata for rebuilding an order of the set of blocks equal to an order of the first layered software container image, so that a secure encrypted software container is created.
-
Publication number: GB2607794A
Publication date: 2022-12-14
Application number: GB202212344
Application date: 2020-12-10
Applicant: IBM
Inventor: REINHARD BUENDGEN, VOLKER URBAN, RICHARD KISLEY
IPC: G06F21/57
Abstract: At least one secure object of a security module is bound to a secure guest. A trusted component determines whether metadata of the secure guest includes a confidential binding attribute for the security module. Based on determining that the metadata includes the confidential binding attribute, the trusted component configures the security module for the secure guest in a select mode. The select mode prevents certain operations from being intercepted by a hypervisor associated with the secure guest. The trusted component intercepts a security module communication and performs a cryptographic operation on one or more secure objects of the security module communication using the confidential binding attribute to provide a cryptographic result. An outcome of the security module communication, which includes the cryptographic result, is provided to a receiver.
-
Publication number: GB2596024A
Publication date: 2021-12-15
Application number: GB202113906
Application date: 2020-03-06
Applicant: IBM
Inventor: UTZ BACHER, REINHARD BUENDGEN, JONATHAN BRADBURY, LISA HELLER, FADI BUSABA
IPC: G06F9/455
Abstract: A computer implemented method is disclosed, which includes receiving a query for an amount of storage in memory of a computer system to be donated to a secure interface control of the computer system (1505). The secure interface control can determine the amount of storage to be donated based on a plurality of secure entities supported by the secure interface control as a plurality of predetermined values (1510). The secure interface control can return a response to the query indicative of the amount of storage as a response to the query (1515). A donation of storage to secure for use by the secure interface control can be received based on the response to the query (1520).
-
Publication number: GB2530225B
Publication date: 2016-10-19
Application number: GB201600172
Application date: 2014-03-14
Applicant: IBM
Inventor: UTZ BACHER, REINHARD BUENDGEN, EINAR LUECK
-
Publication number: GB2532415A
Publication date: 2016-05-25
Application number: GB201420046
Application date: 2014-11-11
Applicant: IBM
Inventor: REINHARD BUENDGEN, UTZ BACHER
Abstract: The invention relates to a method of processing guest events in a hypervisor controlled system (10), comprising the steps of triggering a first firmware service on a guest event, it being associated with a guest (20) and with a guest state (52) and a protected guest memory (22) accessible only by the guest (20) and the firmware (70), and a guest key (24). The firmware (70) processes information associated with the guest event, comprising information of the guest state (52) and the protected guest memory (22), and presents only a subset of the information of the guest state (52) and the protected guest memory (22) to a hypervisor (30), wherein the subset of the information is selected to suffice for the hypervisor (30) to process the guest event. Note that the firmware (70) retains part of the information of the guest state (52) and the protected guest memory (22) that is not sent to the hypervisor (30). The hypervisor (30) processes the guest event based on the received subset of the information and sends a process result to the firmware (70) triggering a second firmware service being specific for the guest event. The firmware (70) processes the result together with the part of the information of the guest state (52) and the protected guest memory (22) that was not sent to the hypervisor (30), generating a state and/or memory modification. Then the firmware (70) performs the state and/or memory modification associated with the guest event at the protected guest memory (22).
-
Publication number: GB2630336A
Publication date: 2024-11-27
Application number: GB202307761
Application date: 2023-05-24
Applicant: IBM
Inventor: VOLKER URBAN, TAMAS VISEGRADY, REINHARD BUENDGEN, MICHAEL HOCKER, ERIC DAVID ROSSMAN
IPC: H04L9/08
Abstract: A computer-implemented method, for establishing identity-based hierarchical sessions on a hardware security module (HSM) for binding secure keys to a guest system, comprises: establishing a communication channel between the guest system and the HSM (102), wherein the communication channel is identity-based, end-to-end and encrypted, thereby establishing a session; transferring login information of the guest system through the communication channel to the HSM (104); maintaining a predefined security level throughout a hierarchy of the sessions (106), wherein no child session has a higher security level than its parent session; and performing a challenge-response protocol based on a session ownership verification with the guest (108), such that an HSM generated and secured key is bound to an associated session. The guest system may be executed on a hypervisor. Establishing the communication session may be based on a public/private key pair of said HSM and a transmitted code allowing the derivation of a symmetrical encryption/decryption key based on a Diffie-Hellman algorithm.
-
Publication number: GB2531248B
Publication date: 2017-02-22
Application number: GB201417784
Application date: 2014-10-08
Applicant: IBM
Inventor: ANGEL NUNEZ MENCIAS, JAKOB LANG, FRANZISKA GEISERT, MAREIKE LATTERMANN, REINHARD BUENDGEN, VOLKER BOENISCH
-
Publication number: GB2607793A
Publication date: 2022-12-14
Application number: GB202212343
Application date: 2020-12-10
Applicant: IBM
Inventor: REINHARD BUENDGEN, VOLKER URBAN, RICHARD KISLEY, JONATHAN BRADBURY, TORSTEN HENDEL, HARALD FREUDENBERGER, BENEDIKT KLOTZ, KLAUS WERNER, MARKUS SELVE
IPC: G06F21/60
Abstract: A security module, such as a cryptographic adapter, is reserved for a secure guest of a computing environment. The reserving includes binding one or more queues of the security module to the secure guest. The one or more queues are then managed based on one or more actions relating to the reservation.
-
Publication number: GB2596024B
Publication date: 2022-04-27
Application number: GB202113906
Application date: 2020-03-06
Applicant: IBM
Inventor: UTZ BACHER, REINHARD BUENDGEN, JONATHAN BRADBURY, LISA HELLER, FADI BUSABA
IPC: G06F9/455
Abstract: According to one or more embodiments of the present invention, a computer implemented method includes receiving a query for an amount of storage in memory of a computer system to be donated to a secure interface control of the computer system. The secure interface control can determine the amount of storage to be donated based on a plurality of secure entities supported by the secure interface control as a plurality of predetermined values. The secure interface control can return a response to the query indicative of the amount of storage as a response to the query. A donation of storage to secure for use by the secure interface control can be received based on the response to the query.
-
Publication number: GB2594225B
Publication date: 2022-03-02
Application number: GB202112113
Application date: 2020-01-31
Applicant: IBM
Inventor: UTZ BACHER, REINHARD BUENDGEN, PETER MORJAN, JANOSCH FRANK
Abstract: A computer-implemented method for creating a secure software container. The method comprises providing a first layered software container image, transforming all files, except corresponding metadata, of each layer of the first layered software container image into a volume, the volume comprises a set of blocks, wherein each layer comprises an incremental difference to a next lower layer, encrypting each block of the set of blocks of a portion of the layers, and storing each encrypted set of the blocks as a layer of an encrypted container image along with unencrypted metadata for rebuilding an order of the set of blocks equal to an order of the first layered software container image, so that a secure encrypted software container is created.