-
Publication number: US12204639B2
Publication date: 2025-01-21
Application number: US16523085
Application date: 2019-07-26
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Geoffrey Ndu, Nigel Edwards
Abstract: In some examples, a system executes a monitor separate from an operating system (OS) that uses mapping information in accessing data in a physical memory. The monitor identifies, using the mapping information, invariant information, that comprises program code, of the OS without suspending execution of the OS, the identifying comprising the monitor accessing the physical memory independently of the OS. The monitor determines, based on monitoring the invariant information of the OS, whether a security issue is present.
-
Publication number: US12111937B2
Publication date: 2024-10-08
Application number: US18187332
Application date: 2023-03-21
Applicant: Hewlett Packard Enterprise Development LP
Inventor: Geoffrey Ndu, Nigel John Edwards
CPC classification number: G06F21/577, G06F21/54, G06F21/552, G06F21/566, G06F21/572, G06F2221/034
Abstract: A technique includes an operating system agent of a computer system monitoring a process to detect whether an integrity of the process has been compromised. The monitoring includes the operating system agent scanning a data structure. The process executes in a user space, and the data structure is part of an operating system kernel space. The technique includes a hardware controller of the computer system listening for a heartbeat that is generated by the operating system agent. The hardware controller takes a corrective action in response to at least one of the hardware controller detecting an interruption of the heartbeat, or the operating system agent communicating to the hardware controller a security alert for the process.
-
Publication number: US11775649B2
Publication date: 2023-10-03
Application number: US17821553
Application date: 2022-08-23
Applicant: Hewlett Packard Enterprise Development LP
Inventor: Geoffrey Ndu, Nigel Edwards
IPC: G06F21/57, G06F12/0815, G06F21/50, G06F12/1009, G06F11/34, G06F11/30, G06F13/24
CPC classification number: G06F21/572, G06F11/302, G06F11/3466, G06F12/0815, G06F12/1009, G06F13/24, G06F21/50, G06F21/57, G06F21/575, G06F2201/865, G06F2212/1032, G06F2221/033
Abstract: Examples disclosed herein relate to performing a verification check in response to receiving notification. A computing system includes a host processor, memory coupled to the host processor, and a device separate from the host processor capable of accessing the memory. The host processor has a page table base register. The host processor is configured to send a notification to the device when the page table base register changes. The device performs a verification check in response to receiving the notification.
-
Publication number: US20230222226A1
Publication date: 2023-07-13
Application number: US18187332
Application date: 2023-03-21
Applicant: Hewlett Packard Enterprise Development LP
Inventor: Geoffrey Ndu, Nigel John Edwards
CPC classification number: G06F21/566, G06F21/577, G06F21/552, G06F21/572, G06F21/54, G06F2221/034
Abstract: A technique includes an operating system agent of a computer system monitoring a process to detect whether an integrity of the process has been compromised. The monitoring includes the operating system agent scanning a data structure. The process executes in a user space, and the data structure is part of an operating system kernel space. The technique includes a hardware controller of the computer system listening for a heartbeat that is generated by the operating system agent. The hardware controller takes a corrective action in response to at least one of the hardware controller detecting an interruption of the heartbeat, or the operating system agent communicating to the hardware controller a security alert for the process.
-
Publication number: US11663017B2
Publication date: 2023-05-30
Application number: US17372978
Application date: 2021-07-12
Applicant: Hewlett Packard Enterprise Development LP
Inventor: Geoffrey Ndu, Nigel Edwards
IPC: G06F9/4401, G06F9/30
CPC classification number: G06F9/4406, G06F9/30098
Abstract: A method comprising: generating, with a device, a nonce; writing, with the device, the nonce to a memory location accessible to a kernel; initializing the kernel; in response to an end of initialization, measuring a specified kernel space to produce a first result; writing the first result to a register of a second device; writing a location and size of the specified kernel space to a buffer; measuring the buffer; writing a result of buffer measurement to a second register of the second device; requesting a quote from the second device, the quote to include the nonce, the contents of the register, and the contents of the second register; and passing the quote to the device.
-
Publication number: US11455395B2
Publication date: 2022-09-27
Application number: US16903946
Application date: 2020-06-17
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Geoffrey Ndu, Nigel Edwards
IPC: G06F21/57, G06F13/24, G06F12/0815, G06F21/50, G06F12/1009
Abstract: Examples disclosed herein relate to performing a verification check in response to receiving notification. A computing system includes a host processor, memory coupled to the host processor, and a device separate from the host processor capable of accessing the memory. The host processor has a page table base register. The host processor is configured to send a notification to the device when the page table base register changes. The device performs a verification check in response to receiving the notification.
-
Publication number: US10726132B2
Publication date: 2020-07-28
Application number: US15915381
Application date: 2018-03-08
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Geoffrey Ndu, Ludovic Emmanuel Paul Noel Jacquin, Nigel Edwards
Abstract: A method comprising: launching, by a pre-boot environment, a pre-boot launch enclave (LE); creating, by the pre-boot LE, a launch token for a pre-boot quoting enclave (QE); authenticating, by the pre-boot LE, the launch token; launching, by the pre-boot environment with the launch token in response to the authentication, the pre-boot QE; generating, by the pre-boot QE, a public provisioning key, a private provisioning key, and an attestation key; verifying, by the pre-boot QE with a public key, authenticity of a device; securing, by the pre-boot QE with the public provisioning key, private provisioning key, and the public key, a communication channel with the device; encrypting, by the pre-boot QE with a system specific seal key, the public provisioning key, the private provisioning key, and the attestation key; and storing, by the pre-boot QE, the encrypted public provisioning key, the encrypted private provisioning key, and the encrypted attestation key in the device.
-
Publication number: US20190220599A1
Publication date: 2019-07-18
Application number: US15873419
Application date: 2018-01-17
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Geoffrey Ndu, Ludovic Emmanuel Paul Noel Jacquin, Nigel Edwards
CPC classification number: G06F21/567, G06F21/44, G06F21/53, G06F21/566, G06F21/568, G06F21/57
Abstract: A system comprising an inner kernel of an operating system (OS) running at a higher privilege level than an outer kernel of the OS, the inner kernel to measure a data structure in a memory; a device including a measurement engine to measure the data structure in the memory, wherein the device operates independently of the OS; and a trusted execution environment including an application to compare measurements from the inner kernel and the measurement engine.
-
Publication number: US20180011802A1
Publication date: 2018-01-11
Application number: US15205326
Application date: 2016-07-08
Applicant: Hewlett Packard Enterprise Development LP
Inventor: Geoffrey Ndu, Fraser John Dickin
CPC classification number: G06F12/1408, G06F12/0891, G06F12/1466, G06F21/602, G06F21/78, G09C1/00, H04L9/0894
Abstract: In one example in accordance with the present disclosure, a method may include receiving, by a processor on a system on a chip (SoC), a request to encrypt a subset of data accessed by a process. The method may also include receiving, at a page encryption hardware unit of the SoC, a system call from an operating system on behalf of the process, to generate an encrypted memory page corresponding to the subset of data. The method may also include generating, by the page encryption hardware unit, an encryption/decryption key for the first physical memory address. The encryption/decryption key may not be accessible by the operating system. The method may also include encrypting, by the page encryption hardware unit, the subset of data to the physical memory address using the encryption/decryption key and storing, by the page encryption hardware unit, the encryption/decryption key in a key store.
-
Publication number: US20250111041A1
Publication date: 2025-04-03
Application number: US18980542
Application date: 2024-12-13
Applicant: Hewlett Packard Enterprise Development LP
Inventor: Geoffrey Ndu, Nigel Edwards
Abstract: In some examples, a system executes a monitor separate from an operating system (OS) that uses mapping information in accessing data in a physical memory. The monitor identifies, using the mapping information, invariant information, that comprises program code, of the OS without suspending execution of the OS, the identifying comprising the monitor accessing the physical memory independently of the OS. The monitor determines, based on monitoring the invariant information of the OS, whether a security issue is present.