Having people be able to trust computers has become an increasingly important goal. This trust generally focuses on the ability to trust the computer to use the information it stores or receives correctly. Exactly what this trust entails can vary based on the circumstances. For example, multimedia content providers would like to be able to trust computers to not improperly copy their content. By way of another example, users would like to be able to trust their computers to forward confidential financial information (e.g., bank account numbers) only to appropriate destinations (e.g., allow the information to be passed to their bank, but nowhere else). Unfortunately, given the generally open nature of most computers, a wide range of applications can be run on most current computers without the user's knowledge, and these applications can compromise this trust (e.g., forward the user's financial information to some other destination for malicious use).
To address these trust issues, different mechanisms have been proposed (and new mechanisms are being developed) that allow a computer or portions thereof to be trusted. Generally, these mechanisms entail some sort of authentication procedure where the computer can authenticate or certify that at least a portion of it (e.g., certain areas of memory, certain applications, etc.) are at least as trustworthy as they present themselves to be (e.g., that the computer or application actually is what it claims to be). In other words, these mechanisms prevent a malicious application from impersonating another application (or allowing a computer to impersonate another computer). Once such a mechanism can be established, the user or others (e.g., content providers) can make a judgment as to whether or not to accept a particular application as trustworthy (e.g., a multimedia content provider may accept a particular application as being trustworthy, once the computer can certify to the content provider's satisfaction that the particular application is the application it claims to be).
Computers typically operate using an operating system that controls the execution of other applications on the computer as well as access to the hardware of the computer. Using mechanisms on a computer that allow the computer, or portions thereof, to be trusted involves the operating system itself, or portions thereof, being trustworthy. The operating system is typically involved in the process of managing secrets necessary to maintain the trust of the computer. This operating system involvement, however, can be problematic upgrading the operating system. Users oftentimes are interested in upgrading their operating system to a new version in order to obtain increased functionality, reliability, interoperability, and so forth. However, given the involvement of the operating system in managing secrets for the computer, the upgrading of the operating system should not allow the secrets to be accessible to unauthorized parties or components either during the upgrading process or via the upgraded operating system.
The operating system upgrades in a trusted operating system environment described herein solves these problems.