In the latter half of the twentieth century, there began a phenomenon known as the information revolution. While the information revolution is a historical development broader in scope than any one event or machine, no single device has come to represent the information revolution more than the digital electronic computer. The development of computer systems has surely been a revolution. Each year, computer systems grow faster, store more data, and provide more applications to their users.
A modern computer system typically comprises one or more central processing units (CPUs) and the supporting hardware necessary to store, retrieve and transfer information, such as communication buses and memory. It also includes hardware necessary to communicate with the outside world, such as input/output controllers or storage controllers, and devices attached thereto such as keyboards, monitors, tape drives, disk drives, communication lines coupled to a network, etc. The CPU or CPUs are the heart of the system. They execute the instructions which form a computer program and direct the operation of the other system components.
From the standpoint of the computer's hardware, most systems operate in fundamentally the same manner. Processors are capable of performing a limited set of very simple operations, such as arithmetic, logical comparisons, and movement of data from one location to another. But each operation is performed very quickly. Sophisticated software at multiple levels directs a computer to perform massive numbers of these simple operations, enabling the computer to perform complex tasks. What is perceived by the user as a new or improved capability of a computer system is made possible by performing essentially the same set of very simple operations, but using software with enhanced function, along with faster hardware.
Almost all modern general purpose computer systems support some form of sharing of information with other computer systems, as via the Internet or some other network, and almost all large systems support multi-tasking on behalf of multiple users, in which multiple processes are simultaneously active, and computer system resources, such as processor and memory resources, are allocated among the different processes. Often, the actual users are physically remote from the computer system itself, communicating with it across a network. In the case of the Internet, the actual users may communicate with the computer through multiple intermediate computer systems and routers, and be so remote that they are difficult to identify.
Making the capabilities of computer systems widely available provides great benefits, but there are also risks which must be addressed. In such an environment of multiple users, some of them remote, sharing resources on a computer system, and communicating with other computer systems which may similarly share resources, data security and integrity are a significant concern.
If the capabilities of a system are to be made widely available, it is impractical to vet all persons using the system's capabilities. It must be assumed that it will be possible for unscrupulous persons to use the system, and the system should therefore be designed so that those who use it cannot compromise its data integrity or access unauthorized data. Widely available systems therefore have various protection mechanisms, whereby the operations a user can perform are limited, data is isolated, and users are protected from one another. However, it is generally necessary to allow some individual or relatively small group of individuals greater access to the system for purposes of performing maintenance operations, administering system access by others, and so forth. Special access mechanisms exist for this purpose. Thus, an entire hierarchy of access mechanisms may exist for accessing different capabilities of a system by different classes of users.
In theory, these various access mechanisms for different users and the associated security and protection measures protect the system and its data. However, these mechanisms are enormously complex, and it is difficult to design systems of such complexity which are foolproof. Human ingenuity being what it is, unscrupulous persons all too often find ways to defeat the protection mechanisms. Those skilled in the art of computer security and data integrity therefore seek new and improved mechanisms for system protection. As these new and improved mechanisms are developed, interlopers likewise seek ways to thwart them. Thus, an arms race of sorts exists between those who seek to protect computer systems and those who seek to defeat that protection, requiring continuing improvements to computer system protection mechanisms. Often, it is the anticipation of the security exposure which requires the greatest skill on the part of those who protect computer systems; the fix may be relatively straightforward once the exposure is understood and appreciated. It cannot be expected that any single new development will, once and for all, put an end to attempts to defeat computer system protection mechanisms, but any development which makes it more difficult for the interloper has potential value.
One form of protection mechanism is the encryption of data stored in a digital data system or transmitted from one system to another over a network. Encryption can be accomplished with any of various techniques. Examples of encryption algorithms include symmetric algorithms, which use a common key for encryption and decryption, such as the Advanced Encryption Standard (AES) algorithm or the Triple Data Encryption Standard (TDES) algorithm; and various public/private key encryption algorithms, which use a pair of keys, one for encryption and one for decryption. In general, encryption transforms data into an unintelligible form, from which it can be restored to its original form by decrypting with a key, which is itself data. Since the encryption/decryption algorithm itself is typically known, anyone possessing the key can restore the encrypted data to its original form.
It is theoretically possible to encrypt all sensitive data stored in a computer system and thus protect it from being viewed and understood by interlopers, even if the data can be accessed. But this merely raises another problem. For the data to be of any use, it must be capable of decryption, meaning that the applicable key must be stored somewhere. Anyone who could access the key could decrypt the data. It is possible to encrypt the key as well, using another key. But at some level, there must exist at least one key which is stored in unencrypted form, from which the data can be restored. This key or keys, referred to herein as a “master key”, should be protected to a high degree, and stored in such a manner as to be inaccessible to potential interlopers.
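The key hierarchy described above, as an added worked example that is not part of the original text: data records are encrypted under per-purpose data keys, the data keys are themselves encrypted ("wrapped") under a single master key, and only that master key exists in the clear. The example is self-contained Python using only the standard library; since the standard library has no AES, an HMAC-SHA256-based encrypt-then-MAC construction stands in for AES (an assumption made for runnability, not a recommendation to replace AES). The class and function names, and the sample record, are constructed for illustration.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudorandom bytes as HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one symmetric key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag. Stand-in for an AES mode."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting: a wrong key or altered data is rejected outright."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyHierarchy:
    """Two-level hierarchy: data keys are wrapped under the master key.

    Only the master key is ever held in the clear (in memory); wrapped keys and
    ciphertext may be persisted. Whoever holds the master key can unwrap everything,
    which is why its storage is the critical point.
    """

    def __init__(self, master_key: bytes):
        self._master_key = master_key                       # never written to persisted state
        self.wrapped_keys: dict[str, bytes] = {}            # key id -> data key wrapped under master
        self.records: dict[str, tuple[str, bytes]] = {}     # record id -> (key id, ciphertext)

    def new_data_key(self, key_id: str) -> None:
        data_key = os.urandom(32)
        self.wrapped_keys[key_id] = encrypt(self._master_key, data_key)

    def _unwrap(self, key_id: str) -> bytes:
        return decrypt(self._master_key, self.wrapped_keys[key_id])

    def store(self, record_id: str, key_id: str, plaintext: bytes) -> None:
        self.records[record_id] = (key_id, encrypt(self._unwrap(key_id), plaintext))

    def load(self, record_id: str) -> bytes:
        key_id, blob = self.records[record_id]
        return decrypt(self._unwrap(key_id), blob)

    def persisted_state(self) -> dict:
        """Everything that reaches disk: wrapped keys and ciphertext, but not the master key."""
        return {"wrapped_keys": dict(self.wrapped_keys), "records": dict(self.records)}

    @classmethod
    def reopen(cls, master_key: bytes, state: dict) -> "KeyHierarchy":
        h = cls(master_key)
        h.wrapped_keys = dict(state["wrapped_keys"])
        h.records = dict(state["records"])
        return h


def demo() -> dict:
    """Constructed scenario: persist, reopen with the right key, then with a wrong key."""
    master = os.urandom(32)
    h = KeyHierarchy(master)
    h.new_data_key("customer-db")
    h.store("row-1", "customer-db", b"card=4111 expiry=12/29")   # constructed sample record
    on_disk = h.persisted_state()

    restored = KeyHierarchy.reopen(master, on_disk).load("row-1")
    try:
        KeyHierarchy.reopen(os.urandom(32), on_disk).load("row-1")
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return {"restored": restored, "wrong_key_rejected": wrong_key_rejected}


if __name__ == "__main__":
    print(demo())
```

The point to take from the example is where trust ends up: `persisted_state()` is safe to write to ordinary storage precisely because the master key is absent from it, so every design question about "key storage" reduces to how `master` itself is held and who can read that location.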
A recent development in the management of complex computer system resources is the logical partitioning of system resources. Conceptually, logical partitioning means that multiple discrete partitions are established, and the system resources of certain types are assigned to respective partitions. For example, processor resources of a multi-processor system may be partitioned by assigning different processors to different partitions, by sharing processors among some partitions and not others, by specifying the amount of processing resource measure available to each partition which is sharing a set of processors, and so forth. Tasks executing within a logical partition can use only the resources assigned to that partition, and not resources assigned to other partitions. Memory resources may be partitioned by defining memory address ranges for each respective logical partition, these address ranges not necessarily coinciding with physical memory devices.
A logical partition virtualizes a complete computer system. Within any logical partition, the partition appears to be a complete computer system to tasks executing at a high level. Each logical partition has its own operating system (which might be its own copy of the same operating system, or might be a different operating system from that of other partitions). The operating system appears to dispatch tasks, manage memory paging, and perform typical operating system tasks, but in reality is confined to the resources of the logical partition. Thus, the external behavior of the logical partition (as far as the task is concerned) should be the same as a complete computer system, and should produce the same results when executing the task.
Logical partitions are generally regulated by a partition manager, which is specially privileged low-level software, although some hardware support such as special registers and recognition of a partition manager privilege may also be required. The partition manager maintains certain global state data regarding system resource allocations, as well as other state data necessary to enforce logical partitioning of the resources. Naturally, user access to the partition manager is normally restricted to a highly trusted user, such as a system administrator or user with similar authority.
Because a logical partition virtualizes an independent computer system, multiple partitions executing on the same computer system hardware are isolated from one another. State data of one partition is not directly accessible to a task executing in another partition. Among other things, this provides some degree of protection for tasks executing in one partition, against a rogue task in another partition.
Isolation of logical partitions typically means that, if encryption is used, each partition has its own master encryption key or keys, which are used only by that partition. Each partition typically has its own mechanism for protecting the master encryption key.
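As an added illustration of the partitioning and isolation properties described in the preceding paragraphs (not code from the original text), the following Python models a partition manager that assigns processors and memory address ranges to partitions, translates partition-relative addresses to physical ones, and refuses any access outside a partition's own range; each partition also receives its own master key, which the manager hands out only to that partition. The class names, the sizes and the memory layout are constructed for this example and greatly simplified relative to a real partition manager.

```python
import os
from dataclasses import dataclass


class IsolationViolation(Exception):
    """Raised when a partition tries to use a resource not assigned to it."""


@dataclass(frozen=True)
class Partition:
    name: str
    mem_base: int            # first physical address owned by this partition
    mem_size: int            # bytes of physical memory assigned
    processors: frozenset    # processor ids assigned
    master_key: bytes        # this partition's own master key


class PartitionManager:
    """Simplified model of a partition manager enforcing resource isolation."""

    def __init__(self, physical_memory: int, processors: int):
        self._memory = bytearray(physical_memory)       # one flat physical address space
        self._free_processors = set(range(processors))
        self._next_base = 0
        self._partitions: dict[str, Partition] = {}

    def create_partition(self, name: str, mem_size: int, processors: set) -> Partition:
        if name in self._partitions:
            raise ValueError(f"partition {name!r} already exists")
        if self._next_base + mem_size > len(self._memory):
            raise ValueError("not enough physical memory")
        if not processors <= self._free_processors:
            raise ValueError("processor already assigned to another partition")
        p = Partition(name, self._next_base, mem_size, frozenset(processors), os.urandom(32))
        self._partitions[name] = p
        self._next_base += mem_size
        self._free_processors -= processors
        return p

    def _translate(self, name: str, addr: int, length: int) -> int:
        """Map a partition-relative address to a physical one; refuse anything out of range."""
        p = self._partitions[name]
        if addr < 0 or length < 0 or addr + length > p.mem_size:
            raise IsolationViolation(
                f"{name}: access to [{addr}, {addr + length}) exceeds its {p.mem_size}-byte range")
        return p.mem_base + addr

    def write(self, name: str, addr: int, data: bytes) -> None:
        phys = self._translate(name, addr, len(data))
        self._memory[phys:phys + len(data)] = data

    def read(self, name: str, addr: int, length: int) -> bytes:
        phys = self._translate(name, addr, length)
        return bytes(self._memory[phys:phys + length])

    def dispatch(self, name: str, processor: int) -> bool:
        """A partition's operating system may dispatch tasks only onto its own processors."""
        if processor not in self._partitions[name].processors:
            raise IsolationViolation(f"{name}: processor {processor} is not assigned to it")
        return True

    def master_key(self, requester: str, owner: str) -> bytes:
        """Each partition's master key is released only to that partition."""
        if requester != owner:
            raise IsolationViolation(f"{requester}: may not use master key of {owner}")
        return self._partitions[owner].master_key


def demo() -> dict:
    """Constructed scenario: two partitions, A writes data, B cannot reach it."""
    pm = PartitionManager(physical_memory=4096, processors=4)
    pm.create_partition("A", mem_size=1024, processors={0, 1})
    pm.create_partition("B", mem_size=1024, processors={2})
    pm.write("A", 0, b"secret-A")

    def denied(action) -> bool:
        try:
            action()
            return False
        except IsolationViolation:
            return True

    return {
        "a_reads_own": pm.read("A", 0, 8),
        "b_sees_at_same_offset": pm.read("B", 0, 8),       # B's own (still zeroed) memory
        "b_beyond_range_denied": denied(lambda: pm.read("B", 1024, 8)),
        "b_negative_offset_denied": denied(lambda: pm.read("B", -1024, 8)),
        "b_on_a_processor_denied": denied(lambda: pm.dispatch("B", 0)),
        "b_gets_a_key_denied": denied(lambda: pm.master_key("B", "A")),
        "keys_differ": pm.master_key("A", "A") != pm.master_key("B", "B"),
    }


if __name__ == "__main__":
    print(demo())
```

Every cross-partition path in the model goes through the manager's checks (`_translate`, `dispatch`, `master_key`), which is the property the text relies on: a task in one partition has no way to name, let alone read, state belonging to another.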
Although various conventional mechanisms exist for storing master encryption keys, the arms race continues, and it must be assumed that interlopers will attempt to circumvent these mechanisms and obtain access to encryption keys. Continued secure and correct operation of computer systems requires constant vigilance, and in particular, requires that potential avenues of attack be anticipated in advance, and appropriate countermeasures taken. Anticipating such potential avenues of attack is a difficult and demanding art.