Trusted computing platforms may rely on hardware isolation to create a trusted execution environment (TEE) in which to perform security sensitive operations such as backing up sensitive data with a cloud backup service, sharing sensitive information such as photos, meeting minutes, documents, etc., with individuals via a social networking site, etc. Alternatively, or additionally, such platforms may integrate a security co-processor (e.g., manageability engine, converged security engine (CSE) for secure processing needs. TEE environments may be used to perform cryptographic operations, e.g., using trusted platform module (TPM) technology, platform trust technology (PTT), identity protection technology (IPT), and the like.
In some instances it may be desirable to leverage distributed computing to perform trusted tasks. In this regard, systems and methods have been proposed to export trusted tasks from one computer (client) to another computer (service provider) for execution, e.g., over the internet, an enterprise network, a mesh network, etc. While such systems and methods can allow execution of a trusted task on the service provider, the code and/or data associated with the trusted task may only be protected during transmission between the client and service provider, and not while it is resident on the service provider. As a result, the data and/or code may be subject to attack by other (potentially malicious) software on the service provider, e.g., as the trusted task is executed and/or while the results of the executed task are retrieved.
Furthermore, real-world trusted computing applications often operate on data that has varying degrees of sensitivity (security). For example, a single trusted computing task may operate on a data set that includes data that is designated as unclassified, secret, top-secret, top-secret secure compartmentalized, combinations thereof, and the like. Likewise, the data associated with a trusted task may be organized into various compartments. For example, a single trusted task may operate on data and/or code that is/are organized by business division such as finance, human resources, engineering, and the like. When the trusted task is executed on a distributed computer system, the data set/code may be sealed by the client with a single key. In such instances, applicable security and/or compartmentalization context may be lost when the service provider unseals the data/code.
Although the following Detailed Description will proceed with reference being made to illustrative embodiments, many alternatives, modifications, and variations thereof will be apparent to those skilled in the art.