| CPC G06F 21/53 (2013.01) [G06F 9/45558 (2013.01); G06F 21/604 (2013.01); G06F 2009/45591 (2013.01); G06F 2221/033 (2013.01)] | 16 Claims |
|
1. A computer-implemented method for creating and managing trusted execution environments (TEEs) based on different hardware TEE mechanisms using a virtual secure enclave device running in a virtualized environment in a computer system, the method comprising:
transmitting an enclave command using a universal application programming interface (API) to the virtual secure enclave device from a software process running in the computer system, including inserting the enclave command into a command queue in the virtual secure enclave device;
in response to the enclave command received at the virtual secure enclave device, retrieving the enclave command from the virtual secure device, including emulating the command queue in the virtual secure enclave device to retrieve the enclave command in the command queue of the virtual secure enclave device;
parsing the retrieved enclave command to extract a description of an enclave operation to be executed from the retrieved enclave command;
requesting a TEE backend module to interact with a particular hardware TEE mechanism among the different hardware TEE mechanisms that is included in the computer system so that the enclave operation for the software process is executed by the particular hardware TEE mechanism, wherein the TEE backend module is configured to interact with each of the different hardware TEE mechanisms using commands specific to each of the different hardware TEE mechanisms; and
translating the retrieved enclave command from the universal API to a particular API selected from a plurality of APIs depending on the particular hardware TEE mechanism in the computer system so that the enclave operation for the software process is executed by the particular hardware TEE mechanism.
|