Caching is a technique used in computer systems to improve performance by temporarily storing frequently accessed data or resources. When a user requests a particular piece of data, the system first checks the cache to see if it already has a copy. If the data is found in the cache, it can be retrieved much faster than if it had to be fetched from the original source, because the cache is typically closer to the processor than the original source.
There are various types of caches used in different computing scenarios. One common type is the web cache, which is implemented in web browsers to store web pages and assets like images and scripts. When a user revisits a website, the browser can retrieve the files from cache instead of downloading them again, resulting in faster page load times. Caching is also employed at different levels in computer systems, such as within CPUs and in databases. Another form of caching is used for remote attestation of trusted execution environments.
Caching has several advantages in addition to improving performance. It helps reduce network traffic and bandwidth usage, as data that is already cached does not need to be transmitted again. This can be particularly beneficial in scenarios where multiple users access the same data or resources. Caching can also minimize the load on servers and databases, as the cached data can be readily served without putting additional strain on these systems. Overall, caching plays a crucial role in improving system efficiency and enhancing user experience by accelerating data access and reducing resource consumption.
Some examples of apparatuses and/or methods will be described in the following by way of example only, and with reference to the accompanying figures, in which:
Some examples are now described in more detail with reference to the enclosed figures. However, other possible examples are not limited to the features of these embodiments described in detail. Other examples may include modifications of the features as well as equivalents and alternatives to the features. Furthermore, the terminology used herein to describe certain examples should not be restrictive of further possible examples.
Throughout the description of the figures same or similar reference numerals refer to same or similar elements and/or features, which may be identical or implemented in a modified form while providing the same or a similar function. The thickness of lines, layers and/or areas in the figures may also be exaggerated for clarification.
When two elements A and B are combined using an “or”, this is to be understood as disclosing all possible combinations, i.e., only A, only B as well as A and B, unless expressly defined otherwise in the individual case. As an alternative wording for the same combinations, “at least one of A and B” or “A and/or B” may be used. This applies equivalently to combinations of more than two elements.
If a singular form, such as “a”, “an” and “the” is used and the use of only a single element is not defined as mandatory either explicitly or implicitly, further examples may also use several elements to implement the same function. If a function is described below as implemented using multiple elements, further examples may implement the same function using a single element or a single processing entity. It is further understood that the terms “include”, “including”, “comprise” and/or “comprising”, when used, describe the presence of the specified features, integers, steps, operations, processes, elements, components and/or a group thereof, but do not exclude the presence or addition of one or more other features, integers, steps, operations, processes, elements, components and/or a group thereof.
In the following description, specific details are set forth, but examples of the technologies described herein may be practiced without these specific details. Well-known circuits, structures, and techniques have not been shown in detail to avoid obscuring an understanding of this description. “An example/example,” “various examples/examples,” “some examples/examples,” and the like may include features, structures, or characteristics, but not every example necessarily includes the particular features, structures, or characteristics.
Some examples may have some, all, or none of the features described for other examples. “First,” “second,” “third,” and the like describe a common element and indicate different instances of like elements being referred to. Such adjectives do not imply that the elements so described must be in a given sequence, either temporally or spatially, in ranking, or in any other manner. “Connected” may indicate elements are in direct physical or electrical contact with each other and “coupled” may indicate elements co-operate or interact with each other, but they may or may not be in direct physical or electrical contact.
As used herein, the terms “operating”, “executing”, or “running” as they pertain to software or firmware in relation to a system, device, platform, or resource are used interchangeably and can refer to software or firmware stored in one or more computer-readable storage media accessible by the system, device, platform, or resource, even though the instructions contained in the software or firmware are not actively being executed by the system, device, platform, or resource.
The description may use the phrases “in an example/example,” “in examples/examples,” “in some examples/examples,” and/or “in various examples/examples,” each of which may refer to one or more of the same or different examples. Furthermore, the terms “comprising,” “including,” “having,” and the like, as used with respect to examples of the present disclosure, are synonymous.
The processor 14 or processing circuitry 14 is to obtain a request to perform remote attestation for a trusted execution environment 14a from an application running in the trusted execution environment of the processor. The processor 14 or processing circuitry 14 is to communicate with at least one remote attestation caching server 5 based on the request to perform remote attestation. The communication with the remote attestation caching server comprises providing a plurality of requests to the remote attestation server and obtaining a plurality of responses from the remote attestation caching server. The processor 14 or processing circuitry 14 is to provide a result of the remote attestation request to the application running in the trusted execution environment after having completed the communication with the remote attestation server.
In the following, the features of the apparatus 10, device 10, computer system 100, method and of a corresponding computer program are discussed in more detail with reference to the apparatus 10. Features discussed with reference to the apparatus 10 may likewise be included in the corresponding device 10, computer system 100, method and computer program.
Remote attestation is a security mechanism in which a computing device, such as a server, provides evidence of its software and/or hardware configuration to a remote entity, such as a client device. It allows the remote entity to verify and attest to the integrity and trustworthiness of the computing device. For example, the remote attestation may convince the remote entity to share confidential information with the computing device. In the present case, remote attestation is used to demonstrate that an application is running in a trusted execution environment, and that the trusted execution environment is trustworthy (i.e., is not compromised through lack of firmware updates or security holes). In many cases, the attestation process involves multiple computer systems—the user application requesting the so-called “Quote” (a data structure that is used to provide evidence to an off-platform entity that an application enclave runs with TEE protections in a TEE-enabled platform, e.g., with Intel® SGX protections on a trusted Intel® SGX enabled platform), an intermediary 10 (e.g., a driver or library) running on the computer system 100 (e.g., Intel® SGX DCAP (Data Center Attestation Primitives)), the remote attestation caching server 5 (e.g., Intel Provisioning certification caching service, PCCS), and the remote attestation server (not shown in
Various examples of the present disclosure are based on the finding that the remote attestation of trustworthiness of a trusted execution environment via a caching server is often implemented as a multi-step process, with an application exchanging a number of messages with an intermediary (e.g., an API or library), and with the intermediary in turn exchanging a number of messages with the remote attestation caching server. An example of such a message exchange is shown in
In the proposed concept, this is avoided by simplifying the requests, with the intermediary, implemented by the apparatus 10, taking over coordination of the operations previously explicitly triggered by the user application. An example of this simplification is discussed in connection with
The process starts with obtaining the request to perform remote attestation for the trusted execution environment 14a from an application running (at least partially) in the trusted execution environment of the processor. For example, as shown in
The processor is to communicate with the at least one remote attestation caching server 5 based on the request to perform remote attestation, with the communication with the remote attestation caching server comprising providing a plurality of requests to the remote attestation server and obtaining a plurality of responses from the remote attestation caching server. In
Accordingly, as further shown in
By including the identifier in (each of) the requests, the requests may even be provided to different remote attestation caching servers. For example, the processor may communicate with one of a plurality of remote attestation caching servers (at a time). Over time, one or more requests may be provided to a first remote attestation caching server, while one or more further requests may be provided to a second (or third) remote attestation caching server. For example, the processor may use an arbitrary number of remote attestation caching servers during the communication (e.g., from a single server up to as many servers as there are requests). In effect, the processor may communicate with at least one remote attestation caching server without a strong binding between the communication performed on behalf of the application and any particular remote attestation caching server. For example, the requests may be provided via a load-balancing mechanism or load-balancer to an arbitrary one of the plurality of remote attestation caching servers.
To simplify obtaining the result of the remote attestation request (i.e., the quote) for the application, the apparatus 10 may take over various tasks for the application. For example, as shown in
As is evident from
The functionality may be provided at different levels. As many applications need this functionality to attest to other entities that they run in a trustworthy manner, this functionality may be made available generally to different apps, to avoid apps having to re-implement this functionality themselves. For example, the processor may perform the acts of obtaining the request, communicating with the at least one remote attestation caching server and providing the result of the remote attestation as part of a driver (being accessible to the application), or as part of a software library (being accessible to the application).
The interface circuitry 12 or means for communicating 12 may correspond to one or more inputs and/or outputs for receiving and/or transmitting information, which may be in digital (bit) values according to a specified code, within a module, between modules or between modules of different entities. For example, the interface circuitry 12 or means for communicating 12 may comprise circuitry configured to receive and/or transmit information.
For example, the processor 14 or means for processing 14 may be implemented using one or more processing units, one or more processing devices, or any means for processing, such as a processor, a computer or a programmable hardware component being operable with accordingly adapted software. In other words, the described function of the processor 14 or means for processing may also be implemented in software, which is then executed on one or more programmable hardware components. Such hardware components may comprise a general-purpose processor, a Digital Signal Processor (DSP), a micro-controller, etc. The processor 14 or means for processing 14 comprises a trusted execution environment, such as Intel® SGX.
For example, the memory or storage circuitry 16 or means for storing information 16 may be a volatile memory, e.g., random access memory, such as dynamic random-access memory (DRAM), and/or may comprise at least one element of the group of computer readable storage media, such as a magnetic or optical storage medium, e.g., a hard disk drive, a flash memory, a Floppy-Disk, Random Access Memory (RAM), Programmable Read Only Memory (PROM), Erasable Programmable Read Only Memory (EPROM), an Electronically Erasable Programmable Read Only Memory (EEPROM), or a network storage.
For example, the computer system 100 may be one of a workstation computer system, a server computer system, a personal computer system, a portable computer system, a mobile device, a smartphone, a tablet computer, or a laptop computer.
More details and aspects of the apparatus 10, device 10, method, a corresponding computer program and computer system 100 are mentioned in connection with the proposed concept or one or more examples described above or below (e.g.,
Various examples relate to a concept for improving or optimizing a provisioning certification caching service protocol for performance improvement and scalability.
The Intel® PCCS (Provisioning Certification Caching Service) is an important caching service, which is one of the components when deploying a zero-trust service. Operators, such as Cloud Service Providers (CSPs), leverage PCCS when using Intel® SGX (Software Guard Extensions) or TDX (Trust Domain Extensions). Intel® SGX is a confidential computation technology that can ensure code and data security at runtime. Various Intel processors are equipped with this technology. Intel® SGX remote attestation is a mechanism used to attest the integrity of the code and the SGX capability of the platform. After successful attestation, the SGX user trusts the remote SGX server and subsequently transfers sensitive data to the SGX server. Intel® PCS (Provisioning Certification Service) is a service hosted by Intel on the Internet that offers APIs (Application Programming Interfaces) for retrieving Provisioning Certification Key (PCK) certificates and other endorsements for generating and verifying SGX Quotes. A PCK certificate is a Provisioning Certification Key certificate, i.e., the X.509 certificate chain that is signed and distributed by the Registration Service for every SGX-enabled multi-package platform. PCCS is the Provisioning Certification Caching Service, a remote attestation caching server, which allows a CSP (Cloud Service Provider) or a datacenter to cache PCK certificates and other endorsements from the Intel® PCS in their local network. A Quote is a data structure that is used to provide evidence to an off-platform entity that an application enclave runs with Intel® SGX protections on a trusted Intel® SGX enabled platform.
While the following description oftentimes relates to Intel® PCS and PCCS, the proposed concept is applicable to various implementations of remote attestation caching servers and attestation services.
In the CSP environment, multiple remote attestation caching servers (e.g., PCCSs) are desired, as each remote attestation caching server has a limited capacity. However, many remote attestation caching servers, such as PCCSs, cannot support multiple deployments, because the requests to the remote attestation caching server are stateful: a request handled by one remote attestation caching server cannot be transferred to another remote attestation caching server for handling. This limits the scaled deployment of remote attestation caching servers. In the following, a typical deployment example is shown with respect to Intel® PCCS and PCS.
However, multiple PCCS may be desired in big CSP environments for performance reasons. A single PCCS works well for small-scale use, but one PCCS can only serve about 100 requests per second, so a single PCCS might not fit the use scenario of a big CSP, where dozens or even hundreds of PCCS are needed. However, running multiple PCCS may not be workable with the current design of the PCCS. In the remote attestation process, in some implementations, as shown in
The proposed concept addresses the PCCS, or more general the remote attestation caching server, scaling issue. In the proposed concept, the sub-requests are merged into a few requests, so that the resulting request to PCCS becomes stateless and can be sent to any PCCS regardless of the related PCK cert being cached or not.
Some operators avoid this failure by manually pre-caching the PCK certificate in all the PCCS. However, when deploying a new PCCS, the CSP needs to pre-cache that PCCS manually. When a new machine (on which SGX VMs (Virtual Machines) run) is added, the CSP needs to pre-cache all the PCCS for this newly added machine. Pre-caching may therefore introduce increased complexity for SGX deployment.
In the proposed concept, the sub-requests are merged into a single request, so that the request to PCCS becomes stateless and can be sent to any PCCS regardless of whether the PCK certificate is cached or not. Thus, the protocol for communicating with the remote attestation caching server is redesigned, while retaining the same functionalities and maintaining compatibility with the existing protocols.
Multiple PCCS can work in a stateless manner so that CSPs can scale out or shrink PCCS dynamically based on their business needs using tools like an orchestration service (e.g., kubernetes).
The proposed concept is based on making the request to the remote attestation caching server (e.g., the PCCS) stateless, which enables scaling the number of remote attestation caching servers up and down in a convenient manner.
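The stateful-versus-stateless difference described here (and the identifier carried in every request in the load-balancing discussion earlier) as an added Python model; this is not Intel's PCCS or DCAP code. The class and function names (ProvisioningService, CachingServer, register_platform, get_chain) and the certificate chains are constructed stand-ins for the roles the text describes. A round-robin balancer spreads requests over a pool of modelled caching servers: the two-step stateful protocol fails as soon as the follow-up request lands on a different server, while the single request carrying the platform identifier is served by any server, each of which warms its own cache from the upstream service.

```python
"""Stateful vs. stateless caching-server protocol, modelled in plain Python.

Added illustration, not Intel's PCCS or DCAP code. ProvisioningService,
CachingServer, register_platform and get_chain are hypothetical stand-ins
for the roles the text describes; the certificate chains are constructed.
"""
from dataclasses import dataclass, field
from itertools import cycle
from typing import Dict, List, Optional

# Constructed sample data: platform identifier -> PCK certificate chain.
SAMPLE_CHAINS: Dict[str, str] = {
    "platform-A": "PCK-LEAF-A|PCK-CA|ROOT-CA",
    "platform-B": "PCK-LEAF-B|PCK-CA|ROOT-CA",
}


class ProvisioningService:
    """Upstream attestation service (the role Intel PCS plays in the text)."""

    def __init__(self) -> None:
        self.fetches = 0  # how often some caching server had to go upstream

    def fetch_chain(self, platform_id: str) -> str:
        self.fetches += 1
        return SAMPLE_CHAINS[platform_id]


class StateError(RuntimeError):
    """A follow-up request reached a server that never saw the first request."""


@dataclass
class CachingServer:
    """One remote attestation caching server (the role of a single PCCS)."""
    name: str
    upstream: ProvisioningService
    cache: Dict[str, str] = field(default_factory=dict)
    sessions: Dict[str, str] = field(default_factory=dict)  # stateful only

    # Stateful protocol: two requests that must reach the same server.
    def register_platform(self, session_id: str, platform_id: str) -> None:
        """Request 1: this server remembers which platform the session is for."""
        self.sessions[session_id] = platform_id

    def get_chain_for_session(self, session_id: str) -> str:
        """Request 2: only works if request 1 was handled by this very server."""
        platform_id = self.sessions.get(session_id)
        if platform_id is None:
            raise StateError(f"{self.name}: unknown session {session_id}")
        return self._lookup(platform_id)

    # Stateless protocol: one request that carries the platform identifier.
    def get_chain(self, platform_id: str) -> str:
        """Any server can answer, since the identifier travels with the request."""
        return self._lookup(platform_id)

    def _lookup(self, platform_id: str) -> str:
        chain = self.cache.get(platform_id)
        if chain is None:  # cache miss: fetch from upstream, then cache locally
            chain = self.upstream.fetch_chain(platform_id)
            self.cache[platform_id] = chain
        return chain


def make_pool(n: int, upstream: ProvisioningService) -> List[CachingServer]:
    return [CachingServer(f"pccs-{i}", upstream) for i in range(n)]


def run_stateful(n_servers: int, platform_id: str = "platform-A") -> Optional[str]:
    """Two-step protocol behind a round-robin load balancer.

    Returns the chain, or None when the follow-up request hit a server that
    holds no session for it (the failure the text describes for multi-PCCS).
    """
    balancer = cycle(make_pool(n_servers, ProvisioningService()))
    next(balancer).register_platform("sess-1", platform_id)
    try:
        return next(balancer).get_chain_for_session("sess-1")
    except StateError:
        return None


def run_stateless(n_servers: int, platforms: List[str]) -> Dict[str, int]:
    """Same load balancer, but every request carries the platform identifier.

    Returns how many requests got the correct chain and how many upstream
    fetches the whole pool needed (each server warms its own cache once).
    """
    upstream = ProvisioningService()
    balancer = cycle(make_pool(n_servers, upstream))
    ok = sum(next(balancer).get_chain(p) == SAMPLE_CHAINS[p] for p in platforms)
    return {"ok": ok, "upstream_fetches": upstream.fetches}
```

The `upstream_fetches` count shows the trade-off the text's pre-caching discussion hints at: with the stateless request, each server in the pool fetches a platform's chain once on first use rather than needing to be pre-populated by hand.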
In
In summary, a single remote attestation caching server deployment is the bottleneck when there are many concurrent requests at the same time. For example, if a large number of services deployed on different servers boot up at the same time, one remote attestation caching server becomes a bottleneck. To overcome the bottleneck, multiple remote attestation caching servers are deployed, using the proposed concept to avoid failures due to stateful attestation requests. In the proposed concept, the requests are consolidated, resulting in a lower number of requests as well, which may further increase the efficiency. This improves the scalability of trusted execution environments in zero-trust settings, e.g., using SGX and TDX.
More details and aspects of the concept for improving or optimizing a provisioning certification caching service protocol are mentioned in connection with the proposed concept or one or more examples described above or below (e.g.,
An electronic assembly 510 as described herein may be coupled to system bus 502. The electronic assembly 510 may include any circuit or combination of circuits. In one embodiment, the electronic assembly 510 includes a processor 512 which can be of any type. As used herein, “processor” means any type of computational circuit, such as but not limited to a microprocessor, a microcontroller, a complex instruction set computing (CISC) microprocessor, a reduced instruction set computing (RISC) microprocessor, a very long instruction word (VLIW) microprocessor, a graphics processor, a digital signal processor (DSP), a multiple core processor, or any other type of processor or processing circuit.
Other types of circuits that may be included in electronic assembly 510 are a custom circuit, an application-specific integrated circuit (ASIC), or the like, such as, for example, one or more circuits (such as a communications circuit 514) for use in wireless devices like mobile telephones, tablet computers, laptop computers, two-way radios, and similar electronic systems. The IC can perform any other type of function.
The electronic apparatus 500 may also include an external memory 520, which in turn may include one or more memory elements suitable to the particular application, such as a main memory 522 in the form of random-access memory (RAM), one or more hard drives 524, and/or one or more drives that handle removable media 526 such as compact disks (CD), flash memory cards, digital video disk (DVD), and the like.
The electronic apparatus 500 may also include a display device 516, one or more speakers 518, and a keyboard and/or controller 530, which can include a mouse, trackball, touch screen, voice-recognition device, or any other device that permits a system user to input information into and receive information from the electronic apparatus 500.
In an embodiment, the processor 710 has one or more processing cores 712 and 712N, where 712N represents the Nth processor core inside processor 710 and N is a positive integer. In an embodiment, the electronic device system 700 uses a MAA apparatus embodiment that includes multiple processors, including 710 and 705, where the processor 705 has logic similar or identical to the logic of the processor 710. In an embodiment, the processing core 712 includes, but is not limited to, pre-fetch logic to fetch instructions, decode logic to decode the instructions, execution logic to execute instructions and the like. In an embodiment, the processor 710 has a cache memory 716 to cache at least one of instructions and data for the apparatus in the system 700. The cache memory 716 may be organized into a hierarchical structure including one or more levels of cache memory.
In an embodiment, the processor 710 includes a memory controller 714, which is operable to perform functions that enable the processor 710 to access and communicate with memory 730 that includes at least one of a volatile memory 732 and a non-volatile memory 734. In an embodiment, the processor 710 is coupled with memory 730 and chipset 720. The processor 710 may also be coupled to a wireless antenna 778 to communicate with any device configured to at least one of transmit and receive wireless signals. In an embodiment, the wireless antenna interface 778 operates in accordance with, but is not limited to, the IEEE 802.11 standard and its related family, Home Plug AV (HPAV), Ultra Wide Band (UWB), Bluetooth, WiMax, or any form of wireless communication protocol.
In an embodiment, the volatile memory 732 includes, but is not limited to, Synchronous Dynamic Random Access Memory (SDRAM), Dynamic Random Access Memory (DRAM), RAMBUS Dynamic Random Access Memory (RDRAM), and/or any other type of random-access memory device. The non-volatile memory 734 includes, but is not limited to, flash memory, phase change memory (PCM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), or any other type of non-volatile memory device.
The memory 730 stores information and instructions to be executed by the processor 710. In an embodiment, the memory 730 may also store temporary variables or other intermediate information while the processor 710 is executing instructions. In the illustrated embodiment, the chipset 720 connects with processor 710 via Point-to-Point (PtP or P-P) interfaces 717 and 722. Either of these PtP embodiments may be achieved using a MAA apparatus embodiment as set forth in this disclosure. The chipset 720 enables the processor 710 to connect to other elements in the MAA apparatus embodiments in a system 700. In an embodiment, interfaces 717 and 722 operate in accordance with a PtP communication protocol such as the Intel® QuickPath Interconnect (QPI) or the like. In other embodiments, a different interconnect may be used.
In an embodiment, the chipset 720 is operable to communicate with the processor 710, 705N, the display device 740, and other devices 772, 776, 774, 760, 762, 764, 766, 777, etc. The chipset 720 may also be coupled to a wireless antenna 778 to communicate with any device configured to at least do one of transmit and receive wireless signals.
The chipset 720 connects to the display device 740 via the interface 726. The display 740 may be, for example, a liquid crystal display (LCD), a plasma display, a cathode ray tube (CRT) display, or any other form of visual display device. In an embodiment, the processor 710 and the chipset 720 are merged into a MAA apparatus in a system. Additionally, the chipset 720 connects to one or more buses 750 and 755 that interconnect various elements 774, 760, 762, 764, and 766. Buses 750 and 755 may be interconnected together via a bus bridge 772 such as at least one MAA apparatus embodiment. In an embodiment, the chipset 720 couples with a non-volatile memory 760, a mass storage device(s) 762, a keyboard/mouse 764, and a network interface 766 by way of at least one of the interfaces 724 and 774, the smart TV 776, the consumer electronics 777, etc.
In an embodiment, the mass storage device 762 includes, but is not limited to, a solid-state drive, a hard disk drive, a universal serial bus flash memory drive, or any other form of computer data storage medium. In one embodiment, the network interface 766 is implemented by any type of well-known network interface standard including, but not limited to, an Ethernet interface, a universal serial bus (USB) interface, a Peripheral Component Interconnect (PCI) Express interface, a wireless interface and/or any other suitable type of interface. In one embodiment, the wireless interface operates in accordance with, but is not limited to, the IEEE 802.11 standard and its related family, Home Plug AV (HPAV), Ultra Wide Band (UWB), Bluetooth, WiMax, or any form of wireless communication protocol.
While the modules shown in
In the following, some examples of the proposed concept are presented:
An example (e.g., example 1) relates to an apparatus (10) for a computer system (100), the apparatus comprising interface circuitry (12), machine-readable instructions, and a processor (14) to execute the machine-readable instructions to obtain a request to perform remote attestation for a trusted execution environment (14a) from an application running in the trusted execution environment of the processor. The processor is to execute the machine-readable instructions to communicate with at least one remote attestation caching server (5) based on the request to perform remote attestation, wherein the communication with the remote attestation caching server comprises providing a plurality of requests to the remote attestation server and obtaining a plurality of responses from the remote attestation caching server. The processor is to execute the machine-readable instructions to provide a result of the remote attestation request to the application running in the trusted execution environment after having completed the communication with the remote attestation server.
Another example (e.g., example 2) relates to a previously described example (e.g., example 1) or to any of the examples described herein, further comprising that the processor is to execute the machine-readable instructions to communicate with one of a plurality of remote attestation caching servers.
Another example (e.g., example 3) relates to a previously described example (e.g., example 2) or to any of the examples described herein, further comprising that the processor is to execute the machine-readable instructions to use an arbitrary number of remote attestation caching servers during the communication.
Another example (e.g., example 4) relates to a previously described example (e.g., one of the examples 2 to 3) or to any of the examples described herein, further comprising that the processor is to execute the machine-readable instructions to communicate with the at least one remote attestation caching server without a binding between the communication performed on behalf of the application and a remote attestation caching server.
Another example (e.g., example 5) relates to a previously described example (e.g., one of the examples 2 to 4) or to any of the examples described herein, further comprising that the request for remote attestation comprises an identifier of a trusted computing platform of the computer system, wherein the processor is to include the identifier of the trusted computing platform in each of the plurality of requests.
Another example (e.g., example 6) relates to a previously described example (e.g., one of the examples 1 to 5) or to any of the examples described herein, further comprising that the processor is to execute the machine-readable instructions to perform the acts of obtaining the request, communicating with the at least one remote attestation caching server and providing the result of the remote attestation within a single session or a single contiguous function.
Another example (e.g., example 7) relates to a previously described example (e.g., one of the examples 1 to 6) or to any of the examples described herein, further comprising that the processor is to execute the machine-readable instructions to perform the acts of obtaining the request, communicating with the at least one remote attestation caching server and providing the result of the remote attestation as part of a driver.
Another example (e.g., example 8) relates to a previously described example (e.g., one of the examples 1 to 6) or to any of the examples described herein, further comprising that the processor is to execute the machine-readable instructions to perform the acts of obtaining the request, communicating with the at least one remote attestation caching server and providing the result of the remote attestation as part of a software library.
Another example (e.g., example 9) relates to a previously described example (e.g., one of the examples 1 to 8) or to any of the examples described herein, further comprising that the processor is to execute the machine-readable instructions to download a certificate chain from the remote attestation caching server as part of the communication, and to prepare the result based on the certificate chain.
Another example (e.g., example 10) relates to a previously described example (e.g., example 9) or to any of the examples described herein, further comprising that the certificate chain attests that the trusted execution environment of the processor is capable of performing confidential computations.
An example (e.g., example 11) relates to an apparatus (10) for a computer system (100), the apparatus comprising a processor (14) configured to obtain a request to perform remote attestation for a trusted execution environment (14a) from an application running in the trusted execution environment of the processor. The processor is configured to communicate with at least one remote attestation caching server (5) based on the request to perform remote attestation, wherein the communication with the remote attestation caching server comprises providing a plurality of requests to the remote attestation server and obtaining a plurality of responses from the remote attestation caching server. The processor is configured to provide a result of the remote attestation request to the application running in the trusted execution environment after having completed the communication with the remote attestation server.
An example (e.g., example 12) relates to a device (10) for a computer system (100), the device comprising means for processing (14) for obtaining a request to perform remote attestation for a trusted execution environment (14a) from an application running in the trusted execution environment of the means for processing. The means for processing is for communicating with at least one remote attestation caching server (5) based on the request to perform remote attestation, wherein the communication with the remote attestation caching server comprises providing a plurality of requests to the remote attestation server and obtaining a plurality of responses from the remote attestation caching server. The means for processing is for providing a result of the remote attestation request to the application running in the trusted execution environment after having completed the communication with the remote attestation server.
An example (e.g., example 13) relates to a computer system (100) comprising the apparatus (10) or device (10) according to one of the examples 1 to 12 (or according to any other example).
An example (e.g., example 14) relates to a method for a computer system (100), the method comprising obtaining (110) a request to perform remote attestation for a trusted execution environment from an application running in the trusted execution environment of a processor of the computer system. The method comprises communicating (120) with at least one remote attestation caching server (5) based on the request to perform remote attestation, wherein the communication with the remote attestation caching server comprises providing a plurality of requests to the remote attestation server and obtaining a plurality of responses from the remote attestation caching server. The method comprises providing (130) a result of the remote attestation request to the application running in the trusted execution environment after having completed the communication with the remote attestation server.
Another example (e.g., example 15) relates to a previously described example (e.g., example 14) or to any of the examples described herein, further comprising that the method comprises communicating (120) with one of a plurality of remote attestation caching servers.
Another example (e.g., example 16) relates to a previously described example (e.g., example 15) or to any of the examples described herein, further comprising that the method comprises using an arbitrary number of remote attestation caching servers during the communication (120).
Another example (e.g., example 17) relates to a previously described example (e.g., one of the examples 15 to 16) or to any of the examples described herein, further comprising that the method comprises communicating (120) with at least one remote attestation caching server without a binding between the communication performed on behalf of the application and a remote attestation caching server.
Another example (e.g., example 18) relates to a previously described example (e.g., one of the examples 15 to 17) or to any of the examples described herein, further comprising that the request for remote attestation comprises an identifier of a trusted computing platform of the computer system, wherein the method comprises including (122) the identifier of the trusted computing platform in each of the plurality of requests.
Another example (e.g., example 19) relates to a previously described example (e.g., one of the examples 14 to 18) or to any of the examples described herein, further comprising that the acts of obtaining the request, communicating with the at least one remote attestation caching server and providing the result of the remote attestation are performed within a single session or a single contiguous function.
Another example (e.g., example 20) relates to a previously described example (e.g., one of the examples 14 to 18) or to any of the examples described herein, further comprising that the acts of obtaining the request, communicating with the at least one remote attestation caching server and providing the result of the remote attestation are performed by a driver.
Another example (e.g., example 21) relates to a previously described example (e.g., one of the examples 14 to 20) or to any of the examples described herein, further comprising that the acts of obtaining the request, communicating with the at least one remote attestation caching server and providing the result of the remote attestation are performed by a software library.
Another example (e.g., example 22) relates to a previously described example (e.g., one of the examples 14 to 21) or to any of the examples described herein, further comprising that the method comprises downloading (124) a certificate chain from the remote attestation caching server as part of the communication and preparing (126) the result based on the certificate chain.
Another example (e.g., example 23) relates to a previously described example (e.g., example 22) or to any of the examples described herein, further comprising that the certificate chain attests that the trusted execution environment of the processor is capable of performing confidential computations.
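The exchange described in examples 14 to 23, as an added Python example that is not code from the patent or from any Provisioning Certification Caching Service implementation: a single contiguous client function obtains the attestation request, performs several request/response round trips against a pool of caching servers, picking a server independently for each round trip (no binding, example 17), carries the platform identifier in every request (example 18), downloads a certificate chain, and prepares the result from it (examples 22 and 23). Everything is constructed: the request kinds `pck_cert_chain` and `tcb_info`, the server names, the platform identifier string, the `confidential_computing` flag in the leaf certificate, and the certificate format itself. Certificates are hash-linked (each carries the SHA-256 fingerprint of its issuer) as a stand-in for X.509 signature verification; a real verifier checks the issuer's signature over each certificate, which also catches tampering with the leaf, something the fingerprint link alone does not.

```python
"""Added example (not the patent's code): attestation client with a pool of caching servers."""
import hashlib
import json
import random
from dataclasses import dataclass, field


def cert_fingerprint(cert):
    """SHA-256 over the canonical certificate body (stand-in for an X.509 fingerprint)."""
    return hashlib.sha256(json.dumps(cert["body"], sort_keys=True).encode()).hexdigest()


def issue_cert(body, issuer_cert):
    """Constructed certificate: body plus the issuer's fingerprint, standing in for a signature."""
    return {"body": body, "issuer_fp": cert_fingerprint(issuer_cert)}


class ProvisioningOrigin:
    """Constructed stand-in for the provisioning service that sits behind the caches."""

    def __init__(self):
        self.root = {"body": {"subject": "Example Root CA", "issuer": "Example Root CA"}}
        self.root["issuer_fp"] = cert_fingerprint(self.root)  # self-issued root
        self.platform_ca = issue_cert(
            {"subject": "Example Platform CA", "issuer": "Example Root CA"}, self.root)
        self.fetches = 0  # how often a cache had to fall back to the origin

    def root_fingerprint(self):
        return cert_fingerprint(self.root)

    def fetch(self, kind, platform_id):
        self.fetches += 1
        if kind == "pck_cert_chain":  # leaf first, root last
            leaf = issue_cert({"subject": f"PCK {platform_id}", "issuer": "Example Platform CA",
                               "platform_id": platform_id, "confidential_computing": True},
                              self.platform_ca)
            return [leaf, self.platform_ca, self.root]
        if kind == "tcb_info":
            return {"platform_id": platform_id, "tcb_status": "UpToDate"}
        raise KeyError(kind)


class CachingServer:
    """Constructed caching server: answers from its cache, otherwise asks the origin."""

    def __init__(self, name, origin):
        self.name, self.origin, self.cache = name, origin, {}
        self.hits = self.misses = 0

    def handle(self, request):
        key = (request["kind"], request["platform_id"])  # platform id keys every lookup
        if key in self.cache:
            self.hits += 1
        else:
            self.misses += 1
            self.cache[key] = self.origin.fetch(*key)
        return self.cache[key]


@dataclass
class AttestationRequest:
    platform_id: str  # identifier of the trusted computing platform (assumed opaque string)
    report: bytes     # TEE report handed over by the application (constructed, not parsed)


@dataclass
class AttestationResult:
    ok: bool
    reason: str
    confidential_computing_capable: bool = False
    transcript: list = field(default_factory=list)  # (server name, request kind) per round trip


def verify_chain(chain, trusted_root_fp):
    """Leaf-first walk: issuer names must match, each link must carry the next certificate's
    fingerprint, and the final certificate must be the pinned, self-issued root."""
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child["body"]["issuer"] != parent["body"]["subject"]:
            return False
        if child["issuer_fp"] != cert_fingerprint(parent):
            return False
    root = chain[-1]
    return root["body"]["issuer"] == root["body"]["subject"] and cert_fingerprint(root) == trusted_root_fp


def prepare_result(request, responses, trusted_root_fp, transcript):
    """Example 22: derive the result from the downloaded chain (and the TCB information)."""
    chain = responses["pck_cert_chain"]
    if not verify_chain(chain, trusted_root_fp):
        return AttestationResult(False, "certificate chain does not lead to the pinned root", transcript=transcript)
    leaf = chain[0]["body"]
    if leaf.get("platform_id") != request.platform_id:
        return AttestationResult(False, "leaf certificate issued for a different platform", transcript=transcript)
    if responses["tcb_info"].get("tcb_status") != "UpToDate":
        return AttestationResult(False, "platform TCB is not up to date", transcript=transcript)
    # Example 23: the chain attests the TEE's confidential-computing capability.
    return AttestationResult(True, "ok", bool(leaf.get("confidential_computing")), transcript)


def perform_remote_attestation(request, servers, trusted_root_fp, rng=None):
    """One contiguous function (examples 19 to 21): several round trips, then one result.
    Every round trip chooses a caching server on its own, so nothing binds the
    application's attestation to a particular server (example 17)."""
    rng = rng or random.Random()
    responses, transcript = {}, []
    for kind in ("pck_cert_chain", "tcb_info"):
        server = rng.choice(servers)
        responses[kind] = server.handle({"kind": kind, "platform_id": request.platform_id})
        transcript.append((server.name, kind))
    return prepare_result(request, responses, trusted_root_fp, transcript)


def run_demo(rounds=6, seed=7):
    """Attest the same constructed platform several times against two caching servers."""
    origin = ProvisioningOrigin()
    servers = [CachingServer("pccs-a", origin), CachingServer("pccs-b", origin)]
    rng = random.Random(seed)
    request = AttestationRequest("PLATFORM-0001", b"constructed TEE report")
    results = [perform_remote_attestation(request, servers, origin.root_fingerprint(), rng)
               for _ in range(rounds)]
    return origin, servers, results
```

Running `run_demo()` shows the caching effect the examples rely on: across two servers and two request kinds the origin is contacted at most four times however many attestations are performed, while every attestation still verifies the full chain against the pinned root and checks that the leaf was issued for the requesting platform before the result goes back to the application.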
An example (e.g., example 24) relates to a non-transitory, computer-readable medium comprising a program code that, when the program code is executed on a processor, a computer, or a programmable hardware component, causes the processor, computer, or programmable hardware component to perform the method according to one of the examples 14 to 23 (or according to any other example).
An example (e.g., example 25) relates to a computer system (100) being configured to perform the method according to one of the examples 14 to 23 (or according to any other example).
An example (e.g., example 26) relates to a non-transitory machine-readable storage medium including program code, when executed, to cause a machine to perform the method of one of the examples 14 to 23 (or according to any other example).
An example (e.g., example 27) relates to a computer program having a program code for performing the method of one of the examples 14 to 23 (or according to any other example) when the computer program is executed on a computer, a processor, or a programmable hardware component.
An example (e.g., example 28) relates to a machine-readable storage including machine-readable instructions, when executed, to implement a method or realize an apparatus as claimed in any pending claim or shown in any example.
Example A1 relates to an apparatus for optimizing the Provisioning Certification Caching Service protocol according to one of the examples of the specification.
Example A2 relates to a method for optimizing the Provisioning Certification Caching Service protocol according to one of the examples of the specification.
Example A3 relates to a computer program for optimizing the Provisioning Certification Caching Service protocol according to one of the examples of the specification.
Example A4 relates to a machine-readable medium including code, when executed, to cause a machine to perform any of the methods for optimizing the Provisioning Certification Caching Service protocol according to one of the examples of the specification.
The aspects and features described in relation to a particular one of the previous examples may also be combined with one or more of the further examples to replace an identical or similar feature of that further example or to additionally introduce the features into the further example.
Examples may further be or relate to a (computer) program including a program code to execute one or more of the above methods when the program is executed on a computer, processor, or other programmable hardware component. Thus, steps, operations, or processes of different ones of the methods described above may also be executed by programmed computers, processors, or other programmable hardware components. Examples may also cover program storage devices, such as digital data storage media, which are machine-, processor- or computer-readable and encode and/or contain machine-executable, processor-executable, or computer-executable programs and instructions. Program storage devices may include or be digital storage devices, magnetic storage media such as magnetic disks and magnetic tapes, hard disk drives, or optically readable digital data storage media, for example.
Other examples may also include computers, processors, control units, (field) programmable logic arrays ((F)PLAs), (field) programmable gate arrays ((F)PGAs), graphics processor units (GPU), application-specific integrated circuits (ASICs), integrated circuits (ICs) or system-on-a-chip (SoCs) systems programmed to execute the steps of the methods described above.
It is further understood that the disclosure of several steps, processes, operations, or functions disclosed in the description or claims shall not be construed to imply that these operations are necessarily dependent on the order described, unless explicitly stated in the individual case or necessary for technical reasons. Therefore, the previous description does not limit the execution of several steps or functions to a certain order. Furthermore, in further examples, a single step, function, process, or operation may include and/or be broken up into several sub-steps, -functions, -processes or -operations.
If some aspects have been described in relation to a device or system, these aspects should also be understood as a description of the corresponding method. For example, a block, device or functional aspect of the device or system may correspond to a feature, such as a method step, of the corresponding method. Accordingly, aspects described in relation to a method shall also be understood as a description of a corresponding block, a corresponding element, a property or a functional feature of a corresponding device or a corresponding system.
As used herein, the term “module” refers to logic that may be implemented in a hardware component or device, software or firmware running on a processing unit, or a combination thereof, to perform one or more operations consistent with the present disclosure. Software and firmware may be embodied as instructions and/or data stored on non-transitory computer-readable storage media. As used herein, the term “circuitry” can comprise, singly or in any combination, non-programmable (hardwired) circuitry, programmable circuitry such as processing units, state machine circuitry, and/or firmware that stores instructions executable by programmable circuitry. Modules described herein may, collectively or individually, be embodied as circuitry that forms a part of a computing system. Thus, any of the modules can be implemented as circuitry. A computing system referred to as being programmed to perform a method can be programmed to perform the method via software, hardware, firmware, or combinations thereof.
Any of the disclosed methods (or a portion thereof) can be implemented as computer-executable instructions or a computer program product. Such instructions can cause a computing system or one or more processing units capable of executing computer-executable instructions to perform any of the disclosed methods. As used herein, the term “computer” refers to any computing system or device described or mentioned herein. Thus, the term “computer-executable instruction” refers to instructions that can be executed by any computing system or device described or mentioned herein.
The computer-executable instructions can be part of, for example, an operating system of the computing system, an application stored locally to the computing system, or a remote application accessible to the computing system (e.g., via a web browser). Any of the methods described herein can be performed by computer-executable instructions performed by a single computing system or by one or more networked computing systems operating in a network environment. Computer-executable instructions and updates to the computer-executable instructions can be downloaded to a computing system from a remote server.
Further, it is to be understood that implementation of the disclosed technologies is not limited to any specific computer language or program. For instance, the disclosed technologies can be implemented by software written in C++, C#, Java, Perl, Python, JavaScript, Adobe Flash, assembly language, or any other programming language. Likewise, the disclosed technologies are not limited to any particular computer system or type of hardware.
Furthermore, any of the software-based examples (comprising, for example, computer-executable instructions for causing a computer to perform any of the disclosed methods) can be uploaded, downloaded, or remotely accessed through a suitable communication means. Such suitable communication means include, for example, the Internet, the World Wide Web, an intranet, cable (including fiber optic cable), magnetic communications, electromagnetic communications (including RF, microwave, ultrasonic, and infrared communications), electronic communications, or other such communication means.
The disclosed methods, apparatuses, and systems are not to be construed as limiting in any way. Instead, the present disclosure is directed toward all novel and nonobvious features and aspects of the various disclosed examples, alone and in various combinations and subcombinations with one another. The disclosed methods, apparatuses, and systems are not limited to any specific aspect or feature or combination thereof, nor do the disclosed examples require that any one or more specific advantages be present, or problems be solved.
Theories of operation, scientific principles, or other theoretical descriptions presented herein in reference to the apparatuses or methods of this disclosure have been provided for the purposes of better understanding and are not intended to be limiting in scope. The apparatuses and methods in the appended claims are not limited to those apparatuses and methods that function in the manner described by such theories of operation.
The following claims are hereby incorporated in the detailed description, wherein each claim may stand on its own as a separate example. It should also be noted that although in the claims a dependent claim refers to a particular combination with one or more other claims, other examples may also include a combination of the dependent claim with the subject matter of any other dependent or independent claim. Such combinations are hereby explicitly proposed, unless it is stated in the individual case that a particular combination is not intended. Furthermore, features of a claim should also be included for any other independent claim, even if that claim is not directly defined as dependent on that other independent claim.
Number | Date | Country | Kind |
---|---|---|---|
PCT/CN2023/076380 | Feb 2023 | WO | international |