"OCP LOCK_Caliptra 2.1 and MEK-MPA Use Cases.pdf" (20 pages), shared by a member on 三个皮匠报告 and readable online.
TCG MEK Multiparty Authorization with OCP L.O.C.K.

Storage track, panel discussion

Panelists:
  Lee Prewitt, Director Cloud Hardware Storage, Microsoft
  Jeff Andersen, Senior Staff Engineer, Google
  Charles Kunzman, Staff Engineer, Google

Agenda:
  Multiparty Authorization Use Case
  TCG Opal: MEK Multiparty Authorization Feature Set Concepts (MEK MPA)
  Walkthrough of Provisioning TCG MEK MPA for Global Range
  OCP L.O.C.K.
    Key Management Block Overview
    Protection Keys
    MEK Generation
  How OCP L.O.C.K. Supports Implementation of TCG MEK MPA
  Panel Q&A

Multiparty Authorization Use Case

Modern software deployment stacks can include many system layers, and data security responsibilities may be split across those layers. As a hypothetical example, a Cloud Service Provider (CSP) may own security verification of hardware and firmware components on a machine hosting a customer Virtual Machine (VM), while the customer may have internal authentication and authorization services for data access running in the VM. Each entity should be able to independently authorize data access without needing to entrust data security secrets to another party.

TCG Opal: MEK Management Concepts

Media Encryption Keys (MEKs) encrypt all data in LBAs covered by a Locking range. MEKs are modeled as the Key column of the K_AES_256 object table. Data covered by a Locking range is only accessible when either the ReadLocked or WriteLocked columns of a Locking object are set to False.

MEK MPA adds a new AccessConditions column to the K_AES_256 object table. AccessCondition objec
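The following is an added conceptual model of the two ideas above, written for this page; it is not code from the presentation, from the TCG Opal or MEK MPA specifications, or from OCP L.O.C.K. It models the K_AES_256 table (MEK plus an AccessConditions column) and the Locking table (ReadLocked/WriteLocked gating a range of LBAs), and assumes, purely for illustration, that AccessConditions lists the authorities that must each approve before the range can be unlocked and that an approval is an HMAC tag over a single-use device challenge computed with that authority's own secret. The names Authority, KAes256Row, LockingRow, Device, and the "length 0 means the whole medium" convention for the global range are assumptions of this model, not identifiers from the specification.

```python
"""Conceptual model: multiparty authorization gating MEK-protected LBAs.

Added example, not TCG MEK MPA or OCP L.O.C.K. code. Assumed: AccessConditions
names the authorities that must each approve; approval = HMAC over a
single-use device challenge using that authority's secret.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Authority:
    """One authorizing party (e.g. the CSP or the tenant). Its secret stays with it."""
    name: str
    secret: bytes

    def approve(self, challenge: bytes) -> bytes:
        # Proof of authorization bound to this challenge; the secret itself is never sent.
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


@dataclass
class KAes256Row:
    """K_AES_256 table row: the MEK (Key column) plus the assumed AccessConditions column."""
    uid: str
    key: bytes
    access_conditions: tuple


@dataclass
class LockingRow:
    """Locking table row covering a range of LBAs; both lock columns start True."""
    uid: str
    range_start: int
    range_length: int
    active_key: str
    read_locked: bool = True
    write_locked: bool = True

    def covers(self, lba: int) -> bool:
        # Assumption for this model: length 0 denotes the global range (whole medium).
        return self.range_length == 0 or self.range_start <= lba < self.range_start + self.range_length


class Device:
    """Self-encrypting device model: verifies approvals, then clears the lock columns."""

    def __init__(self, authorities, keys, ranges):
        self._verifiers = {a.name: a.secret for a in authorities}  # device-side verification material
        self._keys = {k.uid: k for k in keys}
        self._ranges = {r.uid: r for r in ranges}
        self._pending = None  # the one outstanding challenge, consumed by the next unlock attempt

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(32)
        return self._pending

    def unlock(self, locking_uid: str, challenge: bytes, approvals: dict) -> bool:
        """Unlock a range only if every authority in AccessConditions approved this challenge."""
        if self._pending is None or not hmac.compare_digest(challenge, self._pending):
            return False
        self._pending = None  # single use: a replayed tag cannot unlock again
        rng = self._ranges[locking_uid]
        for name in self._keys[rng.active_key].access_conditions:
            tag = approvals.get(name)
            if tag is None:
                return False  # a missing party cannot be compensated for by another party
            expected = hmac.new(self._verifiers[name], challenge, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                return False
        rng.read_locked = False
        rng.write_locked = False
        return True

    def key_for_access(self, lba: int, write: bool = False):
        """Return the MEK that would decrypt/encrypt this LBA, or None while the range is locked."""
        # Specific ranges take precedence over the global range (non-global rows sort first).
        for rng in sorted(self._ranges.values(), key=lambda r: r.range_length == 0):
            if rng.covers(lba):
                locked = rng.write_locked if write else rng.read_locked
                return None if locked else self._keys[rng.active_key].key
        return None


def build_demo():
    """Constructed scenario: CSP and tenant must both approve the global range's MEK."""
    csp = Authority("CSP", secrets.token_bytes(32))
    tenant = Authority("Tenant", secrets.token_bytes(32))
    mek = KAes256Row("K_AES_256_GlobalRange", secrets.token_bytes(32), ("CSP", "Tenant"))
    global_range = LockingRow("Locking_GlobalRange", 0, 0, mek.uid)
    return Device([csp, tenant], [mek], [global_range]), csp, tenant, mek


if __name__ == "__main__":
    dev, csp, tenant, mek = build_demo()
    ch = dev.challenge()
    print("CSP alone:", dev.unlock("Locking_GlobalRange", ch, {"CSP": csp.approve(ch)}))
    ch = dev.challenge()
    both = {"CSP": csp.approve(ch), "Tenant": tenant.approve(ch)}
    print("CSP + Tenant:", dev.unlock("Locking_GlobalRange", ch, both))
    print("MEK released:", dev.key_for_access(42) == mek.key)
```

The design point the model makes concrete is the one the use-case slide states: each party proves its authorization independently, using material only it holds, and the device releases the MEK for a range only once every party named in the row's access conditions has done so; a single party's approval, a tag computed over a different challenge, or a replayed challenge all leave the range locked.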