Field of the Invention
The present invention generally relates to security on a computer. More specifically, in a system based on secure objects that protect software code and data from other software within a system, a method for constructing such secure objects permits a build machine to construct a secure object for a target machine without having the target machine's system key that is used in decrypting the secure object for execution on the target machine.
Description of the Related Art
The first patent application introduced the concept of a ‘Secure Object’ comprising code and data for a computer system that is cryptographically protected from other software on the system, and a computer architecture for supporting such Secure Objects. The patent application also defined the notion of a handle for a Secure Object containing information that is specific to the Secure Object that is encrypted under the ‘System Key’ of the system on which the Secure Object will run. The patent application additionally described a method for building and distributing Secure Object-based software with these encrypted handles.
FIG. 1 shows the system 100 described in this application, in which a crypto engine 102 associated with a microprocessor 101 decrypts an encrypted secure object retrieved from memory 103 by the CPU 104 for execution of the secure object. When Secure Object information is returned to memory, the secure object information is again encrypted by the crypto engine 102 prior to storage in memory 103. The decryption/encryption in the crypto engine 102 uses keys 105 retrieved from a protected area 106 in the CPU 104.
In the method described in the application, the machine on which the software is built, i.e., the build machine, ‘knows’ the System Key of the target machine, meaning that the System Key of the target machine has been stored in the build machine, and encrypts Secure Object handles under that System Key. This method has two disadvantages. First, it requires the build machine to know the System Key of the target machine—which is not desirable. Second, it implies that either all the target machines must have the same system key or the build machine must send a slightly different version of the Secure Object-based software to each of the target machines.
The present inventors have recognized that a need exists to improve the method of enhancing security on a computer using the previously-described secure object mechanism and, more particularly, the need to securely permit one machine, the “build machine”, to construct a secure object for another machine, the “target machine” in such a way that the build machine does not need to know the System Key of the target machine.