Patents by Inventor Kenneth Alan Goldman

Kenneth Alan Goldman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11907361
    Abstract: An apparatus, system and method for protecting the confidentiality and integrity of a secure object running on a computer system by protecting the memory pages owned by the secure object, including assigning a secure object an ID, labeling the memory pages owned by a secure object with the ID of the secure object, maintaining an Access Control Monitor (ACM) table for the memory pages on the system, controlling access to memory pages by monitoring load and store instructions and comparing information in the ACM table with the ID of the software that is executing these instructions; and limiting access to a memory page to the owner of the memory page.
    Type: Grant
    Filed: March 17, 2020
    Date of Patent: February 20, 2024
    Assignee: International Business Machines Corporation
    Inventors: Richard Harold Boivie, Kattamuri Ekanadham, Kenneth Alan Goldman, William Eric Hall, Guerney D. Hunt, Bhushan Pradip Jain, Mohit Kapur, Dimitrios Pendarakis, David Robert Safford, Peter Anthony Sandon, Enriquillo Valdez
  • Publication number: 20220198064
    Abstract: A method, system and apparatus for provisioning a computation into a trusted execution environment, including verifying the trusted execution environment, generating integrity information of the computation, generating sealed data, sending information of the computation, the sealed data, and integrity information to the trusted execution environment, confirming the sealed data, and verifying integrity of the computation information from the integrity information and the computation information.
    Type: Application
    Filed: December 22, 2020
    Publication date: June 23, 2022
    Inventors: Guerney D. H. Hunt, Dimitrios Pendarakis, Kenneth Alan Goldman, Elaine R. Palmer, Ramachandra Pai
  • Publication number: 20220198070
    Abstract: A method, system and apparatus for generating a computation such that it will execute in a target trusted execution environment (TEE), including selecting the target TEE, generating an authorization that is satisfied by a TEE, associating the authorization with the computation that executes in the TEE that is authorized, and generating the computation with the associated authorization.
    Type: Application
    Filed: December 22, 2020
    Publication date: June 23, 2022
    Inventors: Guerney D. H. Hunt, Dimitrios Pendarakis, Kenneth Alan Goldman, Elaine R. Palmer, Ramachandra Pai
  • Patent number: 10915632
    Abstract: According to one or more embodiments of the present invention, an example computer-implemented method for measuring concurrent updates in a security coprocessor includes using a first set of platform configuration registers of the security coprocessor to store and extend measurement of a code-load used during a boot sequence of a computing device. The method further includes using a second set of platform configuration registers of the security coprocessor to store and extend measurement of configuration parameters of the code-load used during the boot sequence. The method further includes using a third set of platform configuration registers of the security coprocessor to store and extend measurements of a concurrent update that changes the code-load that was used during the boot sequence.
    Type: Grant
    Filed: November 27, 2018
    Date of Patent: February 9, 2021
    Assignee: International Business Machines Corporation
    Inventors: Kenneth Alan Goldman, Jakob Christopher Lang, Benno Schuepferling, Dennis Zeisberg
  • Publication number: 20200218799
    Abstract: An apparatus, system and method for protecting the confidentiality and integrity of a secure object running on a computer system by protecting the memory pages owned by the secure object, including assigning a secure object an ID, labeling the memory pages owned by a secure object with the ID of the secure object, maintaining an Access Control Monitor (ACM) table for the memory pages on the system, controlling access to memory pages by monitoring load and store instructions and comparing information in the ACM table with the ID of the software that is executing these instructions; and limiting access to a memory page to the owner of the memory page.
    Type: Application
    Filed: March 17, 2020
    Publication date: July 9, 2020
    Inventors: Richard Harold Boivie, Kattamuri Ekanadham, Kenneth Alan Goldman, William Eric Hall, Guerney D. Hunt, Bhushan Pradip Jain, Mohit Kapur, Dimitrios Pendarakis, David Robert Safford, Peter Anthony Sandon, Enriquillo Valdez
  • Publication number: 20200167474
    Abstract: According to one or more embodiments of the present invention, an example computer-implemented method for measuring concurrent updates in a security coprocessor includes using a first set of platform configuration registers of the security coprocessor to store and extend measurement of a code-load used during a boot sequence of a computing device. The method further includes using a second set of platform configuration registers of the security coprocessor to store and extend measurement of configuration parameters of the code-load used during the boot sequence. The method further includes using a third set of platform configuration registers of the security coprocessor to store and extend measurements of a concurrent update that changes the code-load that was used during the boot sequence.
    Type: Application
    Filed: November 27, 2018
    Publication date: May 28, 2020
    Inventors: Kenneth Alan Goldman, Jakob Christopher Lang, Benno Schuepferling, Dennis Zeisberg
  • Patent number: 10628579
    Abstract: A processor in a computer system, the processor including a mechanism supporting a Secure Object that comprises information that is protected so that other software on said computer system cannot access or undetectably tamper with said information, thereby protecting both a confidentiality and an integrity of the Secure Object information while making the Secure Object information available to the Secure Object itself during execution of the Secure Object. The mechanism includes a crypto mechanism that decrypts and integrity-checks Secure Object information as said Secure Object information moves into the computer system from an external storage system, and encrypts and updates an integrity value for Secure Object information as said Secure Object information moves out of the computer system to the external storage system, and a memory protection mechanism that protects the confidentiality and integrity of Secure Object information when that information is in the memory of the computer system.
    Type: Grant
    Filed: August 28, 2015
    Date of Patent: April 21, 2020
    Assignee: International Business Machines Corporation
    Inventors: Richard Harold Boivie, Kattamuri Ekanadham, Kenneth Alan Goldman, William Eric Hall, Guerney Douglass Holloway Hunt, Bhushan Pradip Jain, Mohit Kapur, Dimitrios Pendarakis, David Robert Safford, Peter Anthony Sandon, Enriquillo Valdez
  • Publication number: 20160171250
    Abstract: A processor in a computer system, the processor including a mechanism supporting a Secure Object that comprises information that is protected so that other software on said computer system cannot access or undetectably tamper with said information, thereby protecting both a confidentiality and an integrity of the Secure Object information while making the Secure Object information available to the Secure Object itself during execution of the Secure Object. The mechanism includes a crypto mechanism that decrypts and integrity-checks Secure Object information as said Secure Object information moves into the computer system from an external storage system, and encrypts and updates an integrity value for Secure Object information as said Secure Object information moves out of the computer system to the external storage system, and a memory protection mechanism that protects the confidentiality and integrity of Secure Object information when that information is in the memory of the computer system.
    Type: Application
    Filed: August 28, 2015
    Publication date: June 16, 2016
    Inventors: Richard Harold Boivie, Kattamuri Ekanadham, Kenneth Alan Goldman, William Eric Hall, Guerney D. Hunt, Bhushan Pradip Jain, Mohit Kapur, Dimitrios Pendarakis, David Robert Safford, Peter Anthony Sandon, Enriquillo Valdez
  • Patent number: 8615788
    Abstract: A computer implemented method for logging extensions to platform configuration registers inside a trusted platform module instance is provided. A request to extend the current state of at least one of a plurality of platform configuration registers is received. At least one platform configuration register within the trusted platform module instance is extended. The extension of the at least one platform configuration register is logged inside the trusted platform module instance as a logged entry by storing at least a tuple of platform configuration register indexes and hash values used for extending the platform configuration register. Information about new entries in the consolidated logs can be retrieved by polling or by subscribing to events that are automatically generated. A report of an extend operation and its logged hash value is sent to subscribers interested in receiving notifications of extend operations on a set of PCR registers.
    Type: Grant
    Filed: August 12, 2009
    Date of Patent: December 24, 2013
    Assignee: International Business Machines Corporation
    Inventors: Stefan Berger, Ramon Caceres, Kenneth Alan Goldman, Ronald Perez, Reiner Sailer, Deepa Srinivasan
  • Patent number: 8549288
    Abstract: A trusted platform module is presented that is capable of creating, dynamically, multiple virtual trusted platform modules in a hierarchical organization. A trusted platform module domain is created. The trusted platform module creates virtual trusted platform modules, as needed, in the trusted platform module domain. The virtual trusted platform modules can inherit the permissions of a parent trusted platform module to have the ability to create virtual trusted platform modules themselves. Each virtual trusted platform module is associated with a specific partition. Each partition is associated with an individual operating system. The hierarchy of created operating systems and their privilege of spawning new operating systems is reflected in the hierarchy of trusted platform modules and the privileges each of the trusted platform modules has.
    Type: Grant
    Filed: May 29, 2008
    Date of Patent: October 1, 2013
    Assignee: International Business Machines Corporation
    Inventors: Steven A. Bade, Stefan Berger, Kenneth Alan Goldman, Ronald Perez, Reiner Sailer, Leendert Peter Van Doorn
  • Publication number: 20110040957
    Abstract: A computer implemented method for logging extensions to platform configuration registers inside a trusted platform module instance is provided. A request to extend the current state of at least one of a plurality of platform configuration registers is received. At least one platform configuration register within the trusted platform module instance is extended. The extension of the at least one platform configuration register is logged inside the trusted platform module instance as a logged entry by storing at least a tuple of platform configuration register indexes and hash values used for extending the platform configuration register. Information about new entries in the consolidated logs can be retrieved by polling or by subscribing to events that are automatically generated. A report of an extend operation and its logged hash value is sent to subscribers interested in receiving notifications of extend operations on a set of PCR registers.
    Type: Application
    Filed: August 12, 2009
    Publication date: February 17, 2011
    Applicant: International Business Machines Corporation
    Inventors: Stefan Berger, Ramon Caceres, Kenneth Alan Goldman, Ronald Perez, Reiner Sailer, Deepa Srinivasan
  • Patent number: 7616094
    Abstract: A Write Broadcast system and method uses a base station to write sent data to all or some selected number (sub group) of tags in a base station field simultaneously. By unselecting the tags that have been successfully written to, and requesting a response from the remaining tags in the field (or sub group), the system determines, by receiving a response to the request, that there are tags in the field (sub group) that were unsuccessfully written to. Another Write Broadcast signal is sent to these tags. The system is useful for quickly (simultaneously) “stamping” information on the tag memory of a large number of tags in the field of the base station.
    Type: Grant
    Filed: July 26, 2004
    Date of Patent: November 10, 2009
    Assignee: Intermec IP Corp.
    Inventors: Harley Kent Heinrich, Christian Lenz Cesar, Thomas A. Cofino, Daniel J. Friedman, Kenneth Alan Goldman, Sharon Louise Greene, Kevin P. McAuliffe, Shun Shing Chan
  • Publication number: 20080235804
    Abstract: A trusted platform module is presented that is capable of creating, dynamically, multiple virtual trusted platform modules in a hierarchical organization. A trusted platform module domain is created. The trusted platform module creates virtual trusted platform modules, as needed, in the trusted platform module domain. The virtual trusted platform modules can inherit the permissions of a parent trusted platform module to have the ability to create virtual trusted platform modules themselves. Each virtual trusted platform module is associated with a specific partition. Each partition is associated with an individual operating system. The hierarchy of created operating systems and their privilege of spawning new operating systems is reflected in the hierarchy of trusted platform modules and the privileges each of the trusted platform modules has.
    Type: Application
    Filed: May 29, 2008
    Publication date: September 25, 2008
    Applicant: International Business Machines Corporation
    Inventors: Steven A. Bade, Stefan Berger, Kenneth Alan Goldman, Ronald Perez, Reiner Sailer, Leendert Peter Van Doorn
  • Patent number: 7158046
    Abstract: A master entity is capable of broadcasting commands to slaves which move to another state when they satisfy a primitive condition specified in the command. By moving slaves among three sets, a desired subset of slaves can be isolated in one of the sets. This desired subset of slaves then can be moved to one of the states that is unaffected by commands that cause the selection of other desirable subsets of slaves. In the incorporated U.S. Pat. Nos. 5,550,547 and 5,673,037, certain subgroups of radio frequency tags are selected for querying, communicating, and/or identifying by commands from a base station.
    Type: Grant
    Filed: November 2, 2004
    Date of Patent: January 2, 2007
    Assignee: Intermec IP Corp.
    Inventors: Christian Lenz Cesar, Shun-Shing Chan, Thomas A. Cofino, Kenneth Alan Goldman, Sharon Louise Greene, Harley Kent Heinrich, Kevin P. McAuliffe
  • Patent number: 6919793
    Abstract: A Write Broadcast system and method uses a base station to write sent data to all or some selected number (sub group) of tags in a base station field simultaneously. By unselecting the tags that have been successfully written to, and requesting a response from the remaining tags in the field (or sub group), the system determines, by receiving a response to the request, that there are tags in the field (sub group) that were unsuccessfully written to. Another Write Broadcast signal is sent to these tags. The system is useful for quickly (simultaneously) “stamping” information on the tag memory of a large number of tags in the field of the base station.
    Type: Grant
    Filed: August 24, 1999
    Date of Patent: July 19, 2005
    Assignee: Intermec IP Corp.
    Inventors: Harley Kent Heinrich, Christian Lenz Cesar, Thomas A. Cofino, Daniel J. Friedman, Kenneth Alan Goldman, Sharon Louise Greene, Kevin P. McAuliffe
  • Patent number: 6768414
    Abstract: A Write Broadcast system and method uses a base station to write sent data to all or some selected number (sub group) of tags in a base station field simultaneously. By unselecting the tags that have been successfully written to, and requesting a response from the remaining tags in the field (or sub group), the system determines, by receiving a response to the request, that there are tags in the field (sub group) that were unsuccessfully written to. Another Write Broadcast signal is sent to these tags. The system is useful for quickly (simultaneously) “stamping” information on the tag memory of a large number of tags in the field of the base station.
    Type: Grant
    Filed: August 24, 1999
    Date of Patent: July 27, 2004
    Assignee: Intermec IP Corp.
    Inventors: Harley Kent Heinrich, Christian Lenz Cesar, Thomas A. Cofino, Daniel J. Friedman, Kenneth Alan Goldman, Sharon Louise Greene, Kevin P. McAuliffe
  • Publication number: 20020118097
    Abstract: A Write Broadcast system and method uses a base station to write sent data to all or some selected number (sub group) of tags in a base station field simultaneously. By unselecting the tags that have been successfully written to, and requesting a response from the remaining tags in the field (or sub group), the system determines, by receiving a response to the request, that there are tags in the field (sub group) that were unsuccessfully written to. Another Write Broadcast signal is sent to these tags. The system is useful for quickly (simultaneously) “stamping” information on the tag memory of a large number of tags in the field of the base station.
    Type: Application
    Filed: August 24, 1999
    Publication date: August 29, 2002
    Inventors: Harley Kent Heinrich, Christian Lenz Cesar, Thomas A. Cofino, Daniel J. Friedman, Kenneth Alan Goldman, Sharon Louise Greene, Kevin McAuliffe
  • Patent number: 6430488
    Abstract: A method, article of manufacture and computer product are presented for a vehicle customization, restriction, and data logging capability. The invention leverages the increasing electronic content in vehicles by interconnecting these electronic devices with a controller. It further uses a storage device in the vehicle to store vehicle customizations and/or restrictions, and to provide capability for defining and logging significant vehicle events. Combining the electronic vehicle components with a storage device (sometimes in the form of a smart card or floppy disk, etc.) and a controller in a vehicle network enables providing operator-specific settings for each of a set of vehicle operators. These customizations add to operator and passenger comfort and safety. It also enables applying restrictions to settings and logging the vehicle's use parameters.
    Type: Grant
    Filed: April 10, 1998
    Date of Patent: August 6, 2002
    Assignee: International Business Machines Corporation
    Inventors: Kenneth Alan Goldman, Charles Campbell Palmer, Elaine Rivette Palmer
  • Patent number: 6384712
    Abstract: An apparatus, a system, and a method for communication between multiple base stations and radio frequency (RF) transponders (RF Tags) is disclosed. A first radio frequency (RF) base station for communicating RF signals with an RF tag communicates external trigger signals with at least a second RF base station, which causes the second RF base station to begin transmission.
    Type: Grant
    Filed: December 16, 1998
    Date of Patent: May 7, 2002
    Assignee: Intermec IP Corp.
    Inventors: Kenneth Alan Goldman, Li-Cheng Richard Zai
  • Patent number: 6288629
    Abstract: A method of sending data from a base station to a passive RF tag and writing the data to a tag non-volatile memory is presented, which detects a “partial write”, where, during the write process, the tag voltage falls below the voltage sufficient to reliably write the tag non-volatile memory. The tag voltage is compared to a stable reference voltage during the time the tag memory is being written, and if the tag voltage falls below an acceptable level, a flag in the tag non-volatile memory is cleared.
    Type: Grant
    Filed: May 23, 1997
    Date of Patent: September 11, 2001
    Assignee: Intermec IP Corp.
    Inventors: Thomas Anthony Cofino, Daniel Joseph Friedman, Kenneth Alan Goldman, Harley Kent Heinrich
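
Two of the entries above rest on the same primitive, the TPM extend operation: 10915632 keeps the boot code-load, its configuration parameters and any concurrent update in three separate sets of platform configuration registers, and 8615788 logs every extend inside the TPM as a tuple of PCR index and hash value so the log can later be checked against the registers. The Python program below is an added illustration written for this page; it is not code from the patents or from IBM. It assumes SHA-256 as the PCR hash, a toy in-memory TPM class, a PCR index allocation (0 for code-load, 1 for configuration, 2 for updates) that the patents do not specify, and constructed sample measurements.

```python
"""Added example: simulated TPM PCR extend, an in-TPM extend log, and log replay.

Models two mechanisms from the abstracts above: separate PCR sets for the boot
code-load, its configuration and later concurrent updates, and logging each
extend inside the TPM as an (index, digest) tuple that a verifier can replay.
The PCR numbering, hash choice and sample data are assumptions for illustration.
"""
import hashlib

HASH = hashlib.sha256
DIGEST_LEN = HASH().digest_size

# Assumed PCR allocation (hypothetical; the patents do not specify indexes).
CODE_PCR = 0      # measurement of the code-load used at boot
CONFIG_PCR = 1    # measurement of that code-load's configuration parameters
UPDATE_PCR = 2    # measurements of concurrent updates applied after boot


def measure(data: bytes) -> bytes:
    """Digest of an object that is about to be extended into a PCR."""
    return HASH(data).digest()


class SimulatedTPM:
    """Toy TPM: a bank of PCRs plus an internal log of every extend."""

    def __init__(self, num_pcrs: int = 24) -> None:
        self.num_pcrs = num_pcrs
        self.pcrs = [bytes(DIGEST_LEN)] * num_pcrs  # PCRs start all-zero
        self.log = []                               # (pcr_index, digest) tuples

    def extend(self, index: int, digest: bytes) -> bytes:
        """PCR[i] = H(PCR[i] || digest); the extend is recorded in the TPM's log."""
        if not 0 <= index < self.num_pcrs:
            raise IndexError(f"no PCR {index}")
        if len(digest) != DIGEST_LEN:
            raise ValueError("digest length must match the PCR hash")
        self.pcrs[index] = HASH(self.pcrs[index] + digest).digest()
        self.log.append((index, digest))
        return self.pcrs[index]


def replay(log, num_pcrs: int = 24) -> list:
    """Recompute all PCR values from a log of (index, digest) extends."""
    pcrs = [bytes(DIGEST_LEN)] * num_pcrs
    for index, digest in log:
        pcrs[index] = HASH(pcrs[index] + digest).digest()
    return pcrs


def log_matches_pcrs(log, pcrs) -> bool:
    """Verifier check: the log replays to exactly the reported PCR values."""
    return replay(log, len(pcrs)) == list(pcrs)


def update_was_applied(tpm: SimulatedTPM) -> bool:
    """An UPDATE_PCR that has left its reset value means a concurrent update ran."""
    return tpm.pcrs[UPDATE_PCR] != bytes(DIGEST_LEN)


def boot_then_update() -> SimulatedTPM:
    """Constructed scenario: boot measurements, then one concurrent code update."""
    tpm = SimulatedTPM()
    # Boot sequence: the code-load and its configuration go to separate PCRs,
    # so a verifier can match each against its own known-good value.
    tpm.extend(CODE_PCR, measure(b"firmware-v1 (constructed sample code-load)"))
    tpm.extend(CONFIG_PCR, measure(b"boot_mode=secure (constructed config)"))
    boot_pcrs = list(tpm.pcrs)
    # Concurrent update: the running code-load is replaced without a reboot.
    # Recording it in its own PCR leaves the boot-time PCRs untouched while
    # still giving the verifier evidence that the code has changed since boot.
    tpm.extend(UPDATE_PCR, measure(b"firmware-v2 (constructed sample update)"))
    assert tpm.pcrs[CODE_PCR] == boot_pcrs[CODE_PCR]
    assert tpm.pcrs[UPDATE_PCR] != boot_pcrs[UPDATE_PCR]
    return tpm


if __name__ == "__main__":
    tpm = boot_then_update()
    print("update applied after boot:", update_was_applied(tpm))
    print("TPM log replays to PCRs:", log_matches_pcrs(tpm.log, tpm.pcrs))
    # Dropping or swapping a logged entry breaks the replay, which is what
    # makes an in-TPM log useful: the PCRs act as a commitment to the log.
    forged = tpm.log[:-1] + [(UPDATE_PCR, measure(b"constructed forged digest"))]
    print("forged log replays to PCRs:", log_matches_pcrs(forged, tpm.pcrs))
```

Because each extend folds the new digest into the previous register value, the log of (index, digest) tuples can always be replayed forward but never edited after the fact without the replay diverging from the registers; a verifier that trusts the TPM to have produced both therefore needs no external event log to audit the sequence of measurements. Keeping the concurrent update in its own register preserves the boot-time values for comparison against a golden reference while still making the post-boot change visible.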