US 12,271,469 B2
Extending secure guest metadata to bind the secure guest to a hardware security module
Reinhard Theodor Buendgen, Tuebingen (DE); and Jonathan D. Bradbury, Poughkeepsie, NY (US)
Assigned to International Business Machines Corporation, Armonk, NY (US)
Filed by International Business Machines Corporation, Armonk, NY (US)
Filed on Jan. 25, 2023, as Appl. No. 18/159,263.
Claims priority of application No. 2217870 (GB), filed on Nov. 29, 2022.
Prior Publication US 2024/0176870 A1, May 30, 2024
Int. Cl. G06F 21/53 (2013.01); G06F 21/31 (2013.01); G06F 21/60 (2013.01)
CPC G06F 21/53 (2013.01) [G06F 21/31 (2013.01); G06F 21/602 (2013.01)] 25 Claims
1. A computer-implemented method for implementing a three-factor authorization in a trusted computing environment, the method comprising:
    triggering, by a hypervisor, a start of a secure guest by passing control regarding an image of the secure guest and metadata of the secure guest to a trusted firmware, wherein the secure guest is designed to access a hardware security module;
    upon a successful integrity check of the metadata of the secure guest by the trusted firmware:
        starting the secure guest using the hypervisor; and
        blocking any sensitive request from the secure guest to the hardware security module;
    submitting, by the secure guest, a request comprising a request structure including a third authorization secret and a characterization of a requested hardware security module to the trusted firmware; and
    binding, by the trusted firmware, each hardware security module protected key generated in the requested hardware security module in response to the request to the third authorization secret.
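As an added illustration (not code from the patent or from IBM), a Python model of the claimed sequence: the firmware integrity-checks the guest metadata before the guest starts, blocks HSM requests until the guest submits its request carrying the third authorization secret and the characterization of the requested HSM, and every HSM-protected key generated afterwards can only be unwrapped by presenting that same secret. The HMAC-based integrity tag, the wrapping scheme, the shared metadata key and all class and function names are assumptions; the claim does not specify the mechanisms.

```python
import hashlib
import hmac
import secrets

class Hsm:
    """Constructed HSM stand-in: keys leave it only wrapped under its master key."""
    def __init__(self):
        self._master = secrets.token_bytes(32)
    def _stream(self, nonce):
        return hmac.new(self._master, b"wrap" + nonce, hashlib.sha256).digest()
    def wrap(self, key, bound_secret):
        # Assumed binding: the tag covers the authorization secret, so unwrapping
        # later requires presenting the same secret (a stolen blob alone is useless).
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(key, self._stream(nonce)))
        tag = hmac.new(self._master, nonce + ct + bound_secret, hashlib.sha256).digest()
        return nonce + ct + tag
    def unwrap(self, blob, presented_secret):
        nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
        expected = hmac.new(self._master, nonce + ct + presented_secret, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise PermissionError("key is bound to a different authorization secret")
        return bytes(a ^ b for a, b in zip(ct, self._stream(nonce)))

def metadata_tag(metadata_key, metadata):
    """Integrity tag over guest metadata (assumed HMAC; owner and firmware share the key)."""
    return hmac.new(metadata_key, metadata, hashlib.sha256).digest()

class TrustedFirmware:
    def __init__(self, metadata_key, hsms):
        self._metadata_key = metadata_key
        self._hsms = hsms      # HSM characterization -> Hsm
        self._guests = {}      # guest_id -> (third_secret, hsm) once bound, else None
    def start_secure_guest(self, guest_id, metadata, tag):
        # The hypervisor hands over image and metadata; the guest starts only if the tag verifies.
        if not hmac.compare_digest(metadata_tag(self._metadata_key, metadata), tag):
            return False
        self._guests[guest_id] = None   # started, but sensitive HSM requests stay blocked
        return True
    def submit_request(self, guest_id, third_secret, hsm_characterization):
        # Request structure: the third authorization secret plus the requested HSM.
        self._guests[guest_id] = (third_secret, self._hsms[hsm_characterization])
    def generate_protected_key(self, guest_id):
        binding = self._guests.get(guest_id)
        if binding is None:
            raise PermissionError("sensitive HSM request blocked: no authorization secret bound")
        third_secret, hsm = binding
        return hsm.wrap(secrets.token_bytes(32), third_secret)
```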