-
公开(公告)号:US11138315B2
公开(公告)日:2021-10-05
申请号:US15873419
申请日:2018-01-17
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Geoffrey Ndu , Ludovic Emmanuel Paul Noel Jacquin , Nigel Edwards
Abstract: A system comprising an inner kernel of an operating system (OS) running at a higher privilege level than an outer kernel of the OS, the inner kernel to measure a data structure in a memory; a device including a measurement engine to measure the data structure in the memory, wherein the device operates independently of the OS; and a trusted execution environment including an application to compare measurements from the inner kernel and the measurement engine.
-
公开(公告)号:US10261919B2
公开(公告)日:2019-04-16
申请号:US15205326
申请日:2016-07-08
Applicant: Hewlett Packard Enterprise Development LP
Inventor: Geoffrey Ndu , Fraser John Dickin
Abstract: In one example in accordance with the present disclosure, a method may include receiving, by a processor on a system on a chip (SoC), a request to encrypt a subset of data accessed by a process. The method may also include receiving, at a page encryption hardware unit of the SoC, a system call from an operating system on behalf of the process, to generate an encrypted memory page corresponding to the subset of data. The method may also include generating, by the page encryption hardware unit, an encryption/decryption key for the first physical memory address. The encryption/decryption key may not be accessible by the operating system. The method may also include encrypting, by the page encryption hardware unit, the subset of data to the physical memory address using the encryption/decryption key and storing, by the page encryption hardware unit, the encryption/decryption key in a key store.
-
公开(公告)号:US20180211064A1
公开(公告)日:2018-07-26
申请号:US15415450
申请日:2017-01-25
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Geoffrey Ndu , Adrian Shaw , Brian Quentin Monahan
CPC classification number: G06F21/64 , G06F21/602 , H04L9/0643 , H04L9/3236
Abstract: In one example in accordance with the present disclosure, a system comprises a first memory module and a first memory integrity monitoring processor, embedded to the first memory module, to receive a second hash corresponding to a second memory module. The second hash includes a second sequence number for reconstruction of a final hash value and the second hash is not sequentially a first number in a sequence for reconstruction of the final hash value. The first processor may receive a third hash corresponding to a third memory module. The third hash includes a third sequence number for reconstruction of the final hash value and the third hash is received after the second hash. The first processor may determine if the second hash can be combined with the third hash, combine the second hash and third hash into a partial hash reconstruct the final hash value using the partial hash.
-
公开(公告)号:US20240119155A1
公开(公告)日:2024-04-11
申请号:US18045228
申请日:2022-10-10
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Geoffrey Ndu , Gustavo Knüppe
CPC classification number: G06F21/572 , H04L9/0643 , H04L9/0825 , H04L9/3213
Abstract: A process includes, responsive to a request to load a kernel module, determining, by an operating system kernel, a hash digest for the kernel module. The kernel module is associated with a name. The process includes determining, by the operating system kernel, whether an expected kernel module list contains an entry that contains the name and associates the name with the hash digest. The process includes, responsive to the determination of whether the expected kernel module list contains the entry, generating, by the operating system kernel, an alert that is associated with the kernel module.
-
公开(公告)号:US11636214B2
公开(公告)日:2023-04-25
申请号:US17118698
申请日:2020-12-11
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Geoffrey Ndu , Nigel John Edwards
Abstract: A technique includes an operating system agent of a computer system monitoring a process to detect whether an integrity of the process has been compromised. The monitoring includes the operating system agent scanning a data structure. The process executes in a user space, and the data structure is part of an operating system kernel space. The technique includes a hardware controller of the computer system listening for a heartbeat that is generated by the operating system agent. The hardware controller takes a corrective action in response to at least one of the hardware controller detecting an interruption of the heartbeat, or the operating system agent communicating to the hardware controller a security alert for the process.
-
Patent Agency Ranking
公开(公告)号:US11017080B2
公开(公告)日:2021-05-25
申请号:US16007683
申请日:2018-06-13
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Geoffrey Ndu , Theofrastos Koulouris , Nigel Edwards
Abstract: Examples disclosed herein relate to integrity monitoring of a computing system using a kernel that can update its own code. Trust of state information is verified. Kernel code and module code are loaded into memory that is accessible to a device separate from a processor that loads the kernel code and module code. A measurement module is verified and loaded into memory. The state information can correspond to multiple symbols. The measurement module can measure the state information corresponding to each of the respective symbols to generate a set of initial measurements. The set of initial measurements can be provided to a device for integrity monitoring. The device is to compare a current measurement with an initial measurement to determine if a potential violation occurred. The device is to use a representation of a jump table to determine whether the potential violation is a violation.
-
公开(公告)号:US10592437B2
公开(公告)日:2020-03-17
申请号:US15664101
申请日:2017-07-31
Applicant: Hewlett Packard Enterprise Development LP
Inventor: Geoffrey Ndu , Dejan S. Milojicic , Paolo Faraboschi , Chris I. Dalton
Abstract: Memory blocks are associated with each memory level of a hierarchy of memory levels. Each memory block has a matching key capability (MaKC). The MaKC of a memory block governs access to the memory block, in accordance with permissions specified by the MaKC. The MaKC of a memory block can uniquely identify the memory block across the hierarchy of memory levels, and can be globally unique across the memory blocks. An MaKC of a memory block includes a block protection key (BPK) stored with the memory block, and an execution protection key (EPK). If a provided EPK for a memory block matches the memory block's BPK upon comparison, access to the memory block is allowed according to the permissions specified by the MaKC.
-
公开(公告)号:US20190278913A1
公开(公告)日:2019-09-12
申请号:US15915381
申请日:2018-03-08
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Geoffrey Ndu , Ludovic Emmanuel Paul Noel Jacquin , Nigel Edwards
Abstract: A method comprising: launching, by a pre-boot environment, a pre-boot launch enclave (LE); creating, by the pre-boot LE, a launch token for a pre-boot quoting enclave (QE); authenticating, by the pre-boot LE, the launch token; launching, by the pre-boot environment with the launch token in response to the authentication, the pre-boot QE; generating, by the pre-boot QE, a public provisioning key, a private provisioning key, and an attestation key; verifying, by the pre-boot QE with a public key, authenticity of a device; securing, by the pre-boot QE with the public provisioning key, private provisioning key, and the public key, a communication channel with the device; encrypting, by the pre-boot QE with a system specific seal key, the public provisioning key, the private provisioning key, and the attestation key; and storing, by the pre-boot QE, the encrypted public provisioning key, the encrypted private provisioning key, and the encrypted attestation key in the device.
-
公开(公告)号:US20190034359A1
公开(公告)日:2019-01-31
申请号:US15664101
申请日:2017-07-31
Applicant: Hewlett Packard Enterprise Development LP
Inventor: Geoffrey Ndu , Dejan S. Milojicic , Paola Faraboschi , Chris I. Dalton
IPC: G06F12/14
CPC classification number: G06F12/1475 , G06F12/1466 , G06F12/1491 , G06F2212/1052 , G06F2212/657
Abstract: Memory blocks are associated with each memory level of a hierarchy of memory levels. Each memory block has a matching key capability (MaKC). The MaKC of a memory block governs access to the memory block, in accordance with permissions specified by the MaKC. The MaKC of a memory block can uniquely identify the memory block across the hierarchy of memory levels, and can be globally unique across the memory blocks. An MaKC of a memory block includes a block protection key (BPK) stored with the memory block, and an execution protection key (EPK). If a provided EPK for a memory block matches the memory block's BPK upon comparison, access to the memory block is allowed according to the permissions specified by the MaKC.
-
公开(公告)号:US20170371808A1
公开(公告)日:2017-12-28
申请号:US15192493
申请日:2016-06-24
Applicant: Hewlett Packard Enterprise Development LP
Inventor: Adrian Shaw , Geoffrey Ndu , Fraser John Dickin
CPC classification number: G06F12/1408 , G06F12/1466 , G06F13/28 , G06F2212/1052 , G06F2212/402
Abstract: In one example in accordance with the present disclosure, a method may include retrieving, at a memory management unit (MMU), encrypted data from a memory via direct memory access and determining, at the MMU, a peripheral that is the intended recipient of the encrypted data. The method may also include accessing an application key used for transmission between an application and the peripheral, wherein the application key originates from the application and decrypting, at the MMU, the encrypted data using the application key and transmitting the decrypted data to the peripheral.
-
-
-
-
-
-
-
-
-
Search Results
39
records
(took 0.018 seconds)
