CPC H04L 63/20 (2013.01) [H04L 9/3268 (2013.01)]; 20 Claims
1. A method for enforcing payload security policies in a data center, the method comprising:
a first attestation client: (1) collecting a first set of measurement logs, including a first artifact comprising a first policy attribute related to payload security in the data center, wherein the first policy attribute comprises a first firmware manifest, and (2) sending the first set of measurement logs to an attestation service associated with the data center;
a second attestation client: (1) collecting a second set of measurement logs, including a second artifact comprising a second policy attribute, different from the first policy attribute, related to the payload security in the data center, and (2) sending the second set of measurements to the attestation service associated with the data center;
the attestation service associated with the data center: (1) validating the first set of measurement logs against a first policy associated with a first set of nodes in the data center by determining whether the first policy attribute is acceptable, and (2) validating the second set of measurement logs against a second policy, different from the first policy, associated with a second set of nodes in the data center by determining whether the second policy attribute is acceptable;
upon successful validation, the attestation service associated with the data center: (1) sending a first encrypted package including a first encrypted machine certificate to a certificate authority associated with the data center and (2) sending a second encrypted package including a second encrypted machine certificate to the certificate authority associated with the data center; and
the certificate authority: (1) sending the first encrypted package to the first attestation client and (2) sending the second encrypted package to the second attestation client.
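The flow in claim 1, modelled as an added, stdlib-only example (not code from the patent or any product): two attestation clients, one attestation service holding a different policy per node set, and a certificate authority that only forwards packages it cannot read. The node-set names, policy attributes, the pre-shared per-client key and the toy cipher standing in for a real AEAD are all assumptions.

```python
"""Model of the two-policy attestation flow: client -> service -> CA -> client.
Names, policies and the toy cipher are assumptions, not the patent's."""
import hashlib, json, os

def _seal(key: bytes, data: bytes) -> bytes:
    # Toy stand-in for a real AEAD (e.g. AES-GCM): SHA-256 counter keystream XOR.
    # Symmetric, so the same call opens a package. Not for production use.
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

# Constructed policies: each node set is judged on a different policy attribute.
POLICIES = {
    "frontend": {"attribute": "firmware_manifest", "accept": {"fw-2.1.0-signed"}},
    "storage":  {"attribute": "disk_encryption",   "accept": {"aes-xts-256"}},
}

def collect_logs(node_set: str, attribute: str, value: str) -> dict:
    # Attestation client: one measurement log carrying one policy artifact.
    return {"node_set": node_set, "artifacts": [{"attribute": attribute, "value": value}]}

def attestation_service(logs: dict, client_key: bytes, ca_inbox: list) -> bool:
    # Validate the logs against the policy for this client's node set only.
    policy = POLICIES.get(logs["node_set"])
    if policy is None:
        return False
    acceptable = any(a["attribute"] == policy["attribute"] and a["value"] in policy["accept"]
                     for a in logs["artifacts"])
    if not acceptable:
        return False  # no certificate is issued for a failed validation
    cert = json.dumps({"subject": logs["node_set"], "policy": policy["attribute"]}).encode()
    ca_inbox.append((logs["node_set"], _seal(client_key, cert)))  # CA cannot read it
    return True

def run_flow(measurements: list) -> dict:
    # measurements: [(node_set, attribute, value), ...]; returns node_set -> cert or None.
    # Assumption: each client shares a key with the attestation service beforehand
    # (e.g. one bound to the node's TPM), so only that client can open its package.
    client_keys = {m[0]: os.urandom(32) for m in measurements}
    ca_inbox, client_inbox, result = [], {m[0]: [] for m in measurements}, {}
    for node_set, attribute, value in measurements:
        attestation_service(collect_logs(node_set, attribute, value),
                            client_keys[node_set], ca_inbox)
    for node_set, package in ca_inbox:        # certificate authority: forward only
        client_inbox[node_set].append(package)
    for node_set, packages in client_inbox.items():
        result[node_set] = (json.loads(_seal(client_keys[node_set], packages[0]))
                            if packages else None)
    return result
```

A node that reports the other node set's attribute, an unlisted manifest, or an unknown node set gets no certificate, which is the enforcement point a defender should verify in any deployment of such a service.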