1. Technical Field
The present invention relates generally to security in processing systems, and more particularly, to a methodology and apparatus for virtualizing storage in a trusted device.
2. Description of the Related Art
Data and code protection in present day secure computing systems increasingly calls for the integration of trusted computing mechanisms. In particular, in large-scale server systems, data accessible from a platform may include actual storage or pathways to storage that could compromise a very extensive and valuable information. Therefore, the server systems must be secured, so that not only are they protected for external attack via external networks, but the identity of each computing components is ideally assured prior to permitting the components access to the data and prior to execution of any code that requires a trusted platform.
The typical mechanism for implementing a trusted platform is to incorporate trusted devices, referred to as trusted platform modules (TPMs) in standards promulgated by the Trusted Computing Group (TCG), in each removable sub-system. The TPMs are used to verify that the subsystems' identity matches a particular trusted identity, and can also be used to verify that the TPM is installed in the correct subsystem. The uniqueness of a trusted device is assured by a device key that is unique to the particular device. The key is hardwired or installed during manufacture of the device and cannot be read from the device by any interface.
The TPM device key is used to perform various security checks using the trusted device. The trusted device includes processing elements and registers, as well as optional dedicated encryption circuits, so that verification, encryption and decryption performed with the device key are “sealed” to the device. A set of registers in the TPM known as platform control registers (PCRs) store information such as hash values representing software modules executing in the system, additional cryptographic keys and other information that must be securely maintained so that a query of the TPM can be trusted to accurately represent the state of the trusted platform.
However, since the storage in the TPM is sealed, storage space is necessarily limited, since the registers that represent the platform state are contained within the TPM. As applications of TPMs increase to include storage devices and other applications where a large number of registers are needed to describe the secured elements present in the platform, the cost of the TPM increases.
Therefore, it would be desirable to provide a trusted device having extensible registers and a method for securing the register extension, so that storage limitations within the trusted device can be overcome.