US 12,452,054 B2
Renewal of a signed attestation artifact with limited usage of a trusted platform module
Saurav Sinha, Kirkland, WA (US)
Assigned to Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed by Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed on Jan. 17, 2024, as Appl. No. 18/415,600.
Prior Publication US 2025/0233740 A1, Jul. 17, 2025
Int. Cl. H04L 9/32 (2006.01); H04L 9/08 (2006.01)
CPC H04L 9/088 (2013.01) [H04L 9/3213 (2013.01)] 22 Claims
OG exemplary drawing
 
1. A computing system comprising:
a processor system; and
a memory that stores computer-executable instructions that are executable by the processor system to at least:
based at least on initiation of a cold boot of a host, receive attestation artifacts from the host, at least a portion of the attestation artifacts gathered from a trusted platform module in the host, the attestation artifacts proving trust in a trusted execution environment that runs on the host, wherein a time instance at which the cold boot of the host is initiated defines a start of a cold boot session, the attestation artifacts comprising:
a public portion of an ephemeral cryptographic key that is generated by the trusted execution environment, the ephemeral cryptographic key configured to expire at a time at which the cold boot session ends;
a public portion of a signing key that is owned by the trusted execution environment; and
a key claim indicating that the ephemeral cryptographic key is generated by the trusted execution environment, the key claim signed by a private portion of the signing key;
validate the attestation artifacts;
based at least on the attestation artifacts being validated, generate a signed attestation artifact, which comprises the public portion of the ephemeral cryptographic key and the public portion of the signing key;
provide the signed attestation artifact, which comprises the public portion of the ephemeral cryptographic key and the public portion of the signing key, to the host, the signed attestation artifact attesting to health of the host;
receive a request to renew the signed attestation artifact during the cold boot session, the request comprising the signed attestation artifact, which comprises the public portion of the ephemeral cryptographic key and the public portion of the signing key; and
based at least on the request comprising the signed attestation artifact, which comprises the public portion of the ephemeral cryptographic key and the public portion of the signing key, and further based at least on the trusted execution environment possessing the ephemeral cryptographic key, renew the signed attestation artifact during the cold boot session.
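The exchange that claim 1 describes, written out as an added Go example (this is not code from the patent or from Microsoft): the TEE generates a session-scoped ephemeral key at cold boot, signs a key claim over it with its long-lived signing key, the attestation service validates the claim and issues a signed artifact carrying both public keys, and later renews that artifact within the same cold boot session once the host presents the artifact and proves it still holds the ephemeral key. Everything beyond the claim's wording is an assumption: Ed25519 as the signature scheme, a nonce challenge-response as the proof-of-possession mechanism, the byte encodings, the type and field names, the artifact expiry policy, and the omission of TPM quote validation, which is assumed to happen before `Issue`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"time"
)

// Constructed stand-ins for the claim's artifacts (field names are assumptions). TPM quote and
// measurement checks are assumed to run before Issue and are not modelled here.
type KeyClaim struct {
	EphemeralPub ed25519.PublicKey // public portion of the key scoped to one cold boot session
	SigningPub   ed25519.PublicKey // public portion of the TEE-owned signing key
	Sig          []byte            // key claim signed by the private portion of the signing key
}
type SignedArtifact struct {
	EphemeralPub, SigningPub ed25519.PublicKey
	Expiry                   int64  // unix seconds; deliberately short, hence renewal
	Sig                      []byte // service signature over the fields above
}
// Fixed-width fields after a domain prefix keep the signed encodings unambiguous.
func claimBytes(c KeyClaim) []byte {
	return append(append([]byte("key-claim:"), c.EphemeralPub...), c.SigningPub...)
}
func artifactBytes(a SignedArtifact) []byte {
	b := append(append([]byte("artifact:"), a.EphemeralPub...), a.SigningPub...)
	return binary.BigEndian.AppendUint64(b, uint64(a.Expiry))
}
func genKey() ed25519.PrivateKey {
	_, k, _ := ed25519.GenerateKey(rand.Reader)
	return k
}
func pubOf(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }

// Host models the TEE side; the ephemeral private key lives for one cold boot session only.
type Host struct{ signingPriv, ephPriv ed25519.PrivateKey }
func NewHost() *Host { return &Host{signingPriv: genKey()} }
// ColdBoot starts a session: a fresh ephemeral key and a key claim signed by the TEE key.
func (h *Host) ColdBoot() KeyClaim {
	h.ephPriv = genKey()
	c := KeyClaim{EphemeralPub: pubOf(h.ephPriv), SigningPub: pubOf(h.signingPriv)}
	c.Sig = ed25519.Sign(h.signingPriv, claimBytes(c))
	return c
}
// ProveEphemeral signs a service nonce with the ephemeral key (assumed proof-of-possession mechanism).
func (h *Host) ProveEphemeral(nonce []byte) ([]byte, error) {
	if h.ephPriv == nil {
		return nil, errors.New("no ephemeral key: cold boot session has ended")
	}
	return ed25519.Sign(h.ephPriv, append([]byte("pop:"), nonce...)), nil
}
func (h *Host) EndSession() { h.ephPriv = nil } // models the end of the cold boot session

type Service struct {
	priv   ed25519.PrivateKey
	ttl    time.Duration
	nonces map[string]bool // outstanding single-use challenges
}
func NewService(ttl time.Duration) *Service {
	return &Service{priv: genKey(), ttl: ttl, nonces: map[string]bool{}}
}
// Issue validates the key claim and returns the signed artifact (length checks first: ed25519.Verify panics on a malformed key).
func (s *Service) Issue(c KeyClaim, now time.Time) (SignedArtifact, error) {
	if len(c.SigningPub) != ed25519.PublicKeySize || len(c.EphemeralPub) != ed25519.PublicKeySize ||
		!ed25519.Verify(c.SigningPub, claimBytes(c), c.Sig) {
		return SignedArtifact{}, errors.New("invalid key claim")
	}
	a := SignedArtifact{c.EphemeralPub, c.SigningPub, now.Add(s.ttl).Unix(), nil}
	a.Sig = ed25519.Sign(s.priv, artifactBytes(a))
	return a, nil
}
// Challenge returns a fresh nonce that Renew accepts exactly once.
func (s *Service) Challenge() []byte {
	n := make([]byte, 16)
	rand.Read(n)
	s.nonces[string(n)] = true
	return n
}
// Renew re-issues the artifact with no new TPM round trip: the request must carry an artifact this
// service signed, and the host must prove it still holds the ephemeral key named in that artifact.
func (s *Service) Renew(a SignedArtifact, nonce, proof []byte, now time.Time) (SignedArtifact, error) {
	switch {
	case !ed25519.Verify(pubOf(s.priv), artifactBytes(a), a.Sig):
		return SignedArtifact{}, errors.New("artifact was not issued by this service")
	case now.Unix() > a.Expiry: // policy choice: an expired artifact needs full re-attestation
		return SignedArtifact{}, errors.New("artifact expired")
	case !s.nonces[string(nonce)]:
		return SignedArtifact{}, errors.New("unknown or replayed nonce")
	}
	delete(s.nonces, string(nonce))
	if !ed25519.Verify(a.EphemeralPub, append([]byte("pop:"), nonce...), proof) {
		return SignedArtifact{}, errors.New("host did not prove possession of the ephemeral key")
	}
	renewed := SignedArtifact{a.EphemeralPub, a.SigningPub, now.Add(s.ttl).Unix(), nil}
	renewed.Sig = ed25519.Sign(s.priv, artifactBytes(renewed))
	return renewed, nil
}
```

The renewal path touches neither the TPM nor the TEE signing key: the service checks its own signature on the presented artifact, consumes a single-use nonce so a captured proof cannot be replayed, and verifies the proof under the ephemeral public key that the artifact itself names. Because the TEE discards the ephemeral private key when the cold boot session ends, a host that has rebooted cannot renew the old artifact and must go through the full attestation path again, which is what ties the renewal to the session in the claim.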