In a number of computing scenarios, there are reasons for keeping information securely secret. The most typical example is that of a cryptographic key, used either for encrypting data for privacy or for digitally signing data or for computing a Message Authentication Code (MAC).
Because software solutions do not provide a particularly secure way to keep such secrets, contemporary computing devices are turning to hardware solutions to keep secrets. To this end, some modern computing machines include hardware devices such as a trusted platform module (TPM) or like device; (for purposes of simplicity herein, a TPM or TPM-like device will be referred to as a TPM-like device, regardless of whether it is an actual TPM device). A TPM-like device maintains a tamper-resistant memory of a measurement of system state, used to measure the boot process for the machine (in order to detect tampering with the machine's system code). Measurements of system state are tamper-resistant and not secret but a TPM-like device may hold or prepare secrets, by a process known as “sealing,” which preserves sealed secrets for release only to future instantiations of the system that are running code that is authorized to have access to the sealed secrets where that code is identified by measurements of system state. A TPM-like device also may be able to function to an extent as a cryptographic processor, which in general is a hardware device that holds cryptographic keys and can apply them on demand, when the system it supports requests that application.
Typically, the sealing of secrets is bound to a chain of measurements and eventually to physical tamper resistance of a physical TPM-like device, so that it can enforce the typical policy of releasing such a secret only to a tamper-free version of the software that sealed the secret. Any modification of any portion of measured code changes the measurement of that code, causing the failure to match the typical access control policy for that sealed secret and the TPM-like device's refusal to release the sealed secret. This is the desired security effect when protecting against software tampering.
However, there are situations in which this security effect is not desirable. By way of example, consider the concept of virtual machines. A virtual machine is meant to act like a physical machine, but may run with other virtual machines on the same physical machine, such as for purposes of server consolidation. For various reasons, including maintenance, load balancing and so forth, it is sometimes desirable to migrate a virtual machine to a different physical machine. However, when secrets are bound by hardware to a certain physical machine, the above-described security effect prevents such virtual machine migration if the functioning of that virtual machine requires use of a sealed secret. This problem also occurs in other computing scenarios, such as exchanging secrets between nodes of clustered servers. It also occurs when needing to restore backed up secrets to a new physical computer when the original physical computer ceases to function. The TPM-like device referenced herein can be a hardware device, like a TPM, or a software functionality that performs the same functions.