US 11,917,080 B2
Secure attestation of endpoint capability
Tirumaleswar Reddy Konda, Bangalore (IN); Shashank Jain, Bangalore (IN); Piyush Pramod Joshi, Aurangabad (IN); and Himanshu Srivastava, Bangalore (IN)
Assigned to McAfee, LLC, San Jose, CA (US)
Filed by McAfee, LLC, San Jose, CA (US)
Filed on Mar. 31, 2021, as Appl. No. 17/219,411.
Prior Publication US 2022/0321362 A1, Oct. 6, 2022
Int. Cl. G06F 21/57 (2013.01); H04L 9/32 (2006.01); H04L 9/40 (2022.01); H04L 12/66 (2006.01); H04L 9/08 (2006.01); H04W 12/069 (2021.01)
CPC H04L 9/3268 (2013.01) [G06F 21/57 (2013.01); H04L 9/0891 (2013.01); H04L 12/66 (2013.01); H04L 63/20 (2013.01); H04W 12/069 (2021.01); H04L 63/0823 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A network gateway device, comprising:
a hardware platform comprising a processor and a memory;
a network interface, including network interface hardware; and
instructions encoded within the memory to instruct the processor to:
provide a set of services, including security services, to endpoint devices on a network;
determine that a first endpoint device, being an untrusted device, lacks a trusted execution environment (TEE), and assign the first endpoint device a first network security policy that comprises providing in full the set of services to the untrusted device;
receive from a second endpoint device having a TEE, via the network interface, a signed security posture data structure, the signed security posture data structure attesting that the second endpoint device includes a trusted agent that provides at least one security service from the set of available services;
cryptographically verify the signed security posture data structure; and
according to the signed security posture data structure, assign a second network security policy to the second endpoint device, wherein the second network security policy omits the at least one security service from the set of services.
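The gateway-side logic of claim 1, as an added example that is not part of the patent or of any McAfee product: an endpoint without a TEE gets the full service set, a TEE endpoint gets the set minus whatever its verified posture attests a trusted agent provides, and a missing or tampered posture falls back to the full set. HMAC-SHA256 over a key assumed to be provisioned to the TEE stands in for the claim's unspecified signature scheme; the service names and posture field names are constructed.

```python
import hashlib
import hmac
import json

# Constructed service catalogue; the patent does not name specific services.
FULL_SERVICES = frozenset({"firewall", "malware_scan", "url_filter", "dlp"})


def canonical(posture: dict) -> bytes:
    """Serialise the posture deterministically so signer and verifier hash identical bytes."""
    return json.dumps(posture, sort_keys=True, separators=(",", ":")).encode()


def sign_posture(posture: dict, key: bytes) -> str:
    """Endpoint side (inside the TEE): tag the posture structure.
    HMAC-SHA256 with a TEE-provisioned key is an assumed stand-in for the
    signature scheme the claim leaves unspecified."""
    return hmac.new(key, canonical(posture), hashlib.sha256).hexdigest()


def verify_posture(posture: dict, signature: str, key: bytes) -> bool:
    """Gateway side: constant-time comparison against a freshly computed tag."""
    return hmac.compare_digest(sign_posture(posture, key), signature)


def assign_policy(endpoint: dict, key: bytes) -> frozenset:
    """Return the services the gateway must still provide to this endpoint."""
    # First policy: without a TEE nothing on the endpoint can be trusted,
    # so the gateway provides the full service set itself.
    if not endpoint.get("has_tee"):
        return FULL_SERVICES
    posture = endpoint.get("posture")
    signature = endpoint.get("signature")
    # A TEE-capable device whose posture is absent or fails verification is
    # treated like an untrusted one rather than being granted the reduced policy.
    if posture is None or signature is None or not verify_posture(posture, signature, key):
        return FULL_SERVICES
    # Second policy: omit only the services the verified posture attests a
    # trusted agent provides locally; unknown service names are ignored.
    attested = set(posture.get("trusted_agent_services", [])) & FULL_SERVICES
    return FULL_SERVICES - attested


if __name__ == "__main__":
    key = b"constructed-tee-key"  # constructed sample key
    posture = {"device_id": "ep-2", "trusted_agent_services": ["malware_scan", "dlp"]}
    signed = {"device_id": "ep-2", "has_tee": True, "posture": posture,
              "signature": sign_posture(posture, key)}
    print(sorted(assign_policy({"device_id": "ep-1", "has_tee": False}, key)))
    print(sorted(assign_policy(signed, key)))
```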