U.S. patent application number 15/482226, filed on April 7, 2017 and published by the patent office on 2017-09-28, covers secure control of self-encrypting storage devices.
This patent application is currently assigned to Intel Corporation. The applicant listed for this patent is Intel Corporation. Invention is credited to JASON R. COX, CHARLES B. FOSTER, SHANKAR NATARAJAN, HINESH K. SHAH.
Publication Number | 20170277916 |
Application Number | 15/482226 |
Family ID | 55961971 |
Publication Date | 2017-09-28 |
United States Patent Application | 20170277916 |
Kind Code | A1 |
NATARAJAN; SHANKAR; et al. | September 28, 2017 |
SECURE CONTROL OF SELF-ENCRYPTING STORAGE DEVICES
Abstract
Generally, this disclosure provides systems, devices, methods
and computer readable media for secure control of access control
enablement and activation on self-encrypting storage devices. In
some embodiments, the device may include a non-volatile memory
(NVM) and a secure access control module. The secure access control
module may include a command processor module configured to receive
a request to enable access controls of the NVM from a user, and to
enable the access controls. The secure access control module may
also include a verification module configured to verify a physical
presence of the user. The secure access control module may further
include an encryption module to encrypt at least a portion of the
NVM in response to an indication of success from the verification
module.
Inventors: | NATARAJAN; SHANKAR (Santa Clara, CA); COX; JASON R. (Longmont, CO); FOSTER; CHARLES B. (Roseville, CA); SHAH; HINESH K. (Folsom, CA) |
Applicant: |
Name | City | State | Country | Type |
Intel Corporation | SANTA CLARA | CA | US | |
Assignee: | Intel Corporation, SANTA CLARA, CA |
Family ID: |
55961971 |
Appl. No.: |
15/482226 |
Filed: |
April 7, 2017 |
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number |
14543935 | Nov 18, 2014 | 9626531 |
15482226 | Apr 7, 2017 | |
Current U.S. Class: | 1/1 |
Current CPC Class: | G06F 21/78 20130101; G06F 2212/402 20130101; G06F 2221/2111 20130101; G11B 20/0021 20130101; G06F 21/6245 20130101; G06F 21/604 20130101 |
International Class: | G06F 21/78 20060101 G06F021/78; G06F 21/62 20060101 G06F021/62; G11B 20/00 20060101 G11B020/00; G06F 21/60 20060101 G06F021/60 |
Claims
1-27. (canceled)
28. A storage device comprising: a non-volatile memory (NVM); and
secure access control circuitry to: store a Security Identifier
(SID) having a first SID value; receive a request to enable access
controls of the NVM; responsive to the received request to enable
the access controls, set the SID to a second SID value; receive a
request to revert the SID to the first SID value; responsive to the
received request to revert the SID to the first SID value, verify a
physical presence of a user using a Physical Security Identifier
(PSID); responsive to a successful verification of the physical
presence of the user: set the SID to the first SID value; and
enable the access controls of the NVM; and responsive to an
unsuccessful verification of the physical presence of the user,
deny the received request to revert the SID to the first SID value,
wherein the SID remains the second SID value.
29. The storage device of claim 28, wherein the secure access
control module implements Opal Storage Specification access
controls.
30. The storage device of claim 28, wherein the second SID value is
a randomly generated value.
31. The storage device of claim 30, further comprising a random
number generator to generate the randomly generated value.
32. The storage device of claim 28, wherein the PSID is associated
with the storage device.
33. The storage device of claim 32, wherein the PSID is displayed
on a housing of the storage device.
34. The storage device of claim 28, wherein the access controls of
the NVM enable encryption of at least part of the NVM.
35. The storage device of claim 28, wherein the NVM is a solid
state drive (SSD).
36. The storage device of claim 28, wherein: the secure access
control circuitry is further to store a Manufacturer Security
Identifier (MSID) having a MSID value; and the first SID value is
the MSID value.
37. The storage device of claim 28, wherein the secure access
control circuitry communicates with a host system via interface
circuitry and a storage bus, the interface circuitry to implement
one of: a Serial Advanced Technology Attachment (SATA) interface; a
Serial Attached Small Computer System (SAS) Interface; a Peripheral
Component Interconnect Express (PCIe) interface; a Universal Flash
Storage (UFS) interface; or an embedded Multimedia Controller
interface (eMMC).
38. A method for secure control of a storage device, the method
comprising: receiving a request to enable access controls of a
non-volatile memory (NVM) of the storage device; responsive to the
received request to enable access controls of the NVM, setting a
Security Identifier (SID) to a first SID value; receiving a request
to revert the SID to a second SID value; responsive to the received
request to revert the SID to the second SID value, verifying a
physical presence of a user using a Physical Security Identifier
(PSID); responsive to the verification of the physical presence of
the user being successful: setting the SID to the second SID value;
and enabling the access controls of the NVM; and responsive to the
verification of the physical presence of the user not being
successful, denying the received request to revert the SID to the
second SID value, wherein the SID remains the first SID value.
39. The method of claim 38, wherein the storage device implements
Opal Storage Specification access controls.
40. The method of claim 38, further comprising generating, via a
random number generator, a randomly generated value, wherein the
first SID value is the randomly generated value.
41. The method of claim 38, wherein the PSID is displayed on a
housing of the storage device.
42. The method of claim 38, wherein the access controls of the NVM
enable encryption of at least part of the NVM.
43. A mobile platform, comprising: a processor; a display element
coupled to the processor; and a solid state drive (SSD) storage
device coupled to the processor, the SSD comprising: a non-volatile
memory (NVM); and secure access control circuitry to: store a
Security Identifier (SID) having a first SID value; receive a
request to enable access controls of the NVM; responsive to the
received request to enable the access controls, set the SID to a
second SID value; receive a request to revert the SID to the first
SID value; responsive to the received request to revert the SID to
the first SID value, verify a physical presence of a user using a
Physical Security Identifier (PSID); responsive to the verification
of the physical presence of the user being successful: set the SID
to the first SID value; and enable the access controls of the NVM;
and responsive to the verification of the physical presence of the
user not being successful, deny the received request to revert the
SID to the first SID value, wherein the SID remains the second SID
value.
44. The mobile platform of claim 43, wherein the secure access
control circuitry implements Opal Storage Specification access
controls.
45. The mobile platform of claim 43, further comprising a random
number generator to generate a randomly generated value, wherein
the second SID value is the randomly generated value.
46. The mobile platform of claim 43, wherein the access controls of
the NVM enable encryption of at least part of the NVM.
47. The mobile platform of claim 43, wherein the secure access
control circuitry communicates with the processor via interface
circuitry and a storage bus, the interface circuitry to implement
one of: a Serial Advanced Technology Attachment (SATA) interface; a
Serial Attached Small Computer System (SAS) Interface; a Peripheral
Component Interconnect Express (PCIe) interface; a Universal Flash
Storage (UFS) interface; or an embedded Multimedia Controller
interface (eMMC).
Description
CROSS-REFERENCE TO RELATED APPLICATION
[0001] The present application is a continuation of U.S. patent
application Ser. No. 14/543,935 filed Nov. 18, 2014, the entire
disclosure of which is incorporated herein by reference.
FIELD
[0002] The present disclosure relates to self-encrypting storage
devices, and more particularly, to self-encrypting storage devices
with secure control of access control enablement and
activation.
BACKGROUND
[0003] Storage drives, for example solid state drives (SSDs) or
hard disk drives (HDDs), are often configured to provide security
features including self-encryption and access control. These
security features are designed to prevent a data breach in the
event of physical loss or theft of the storage drive or the device
containing the drive.
BRIEF DESCRIPTION OF THE DRAWINGS
[0004] Features and advantages of embodiments of the claimed
subject matter will become apparent as the following Detailed
Description proceeds, and upon reference to the Drawings, wherein
like numerals depict like parts, and in which:
[0005] FIG. 1 illustrates a top level system diagram of an example
embodiment consistent with the present disclosure;
[0006] FIG. 2 illustrates a block diagram of one example embodiment
consistent with the present disclosure;
[0007] FIG. 3 illustrates a flowchart of operations of one example
embodiment consistent with the present disclosure;
[0008] FIG. 4 illustrates a flowchart of operations of another
example embodiment consistent with the present disclosure; and
[0009] FIG. 5 illustrates a system diagram of a platform of another
example embodiment consistent with the present disclosure.
[0010] Although the following Detailed Description will proceed
with reference being made to illustrative embodiments, many
alternatives, modifications, and variations thereof will be
apparent to those skilled in the art.
DETAILED DESCRIPTION
[0011] Security features provided by storage devices may typically
be enabled or disabled by the manufacturer in a fixed manner. It
would generally be desirable, however, to provide a capability that
allows the end user to enable or disable these types of security
features, for example through a software configurable device
setting, without compromising the integrity of the drive. This
would avoid the requirement for a user to purchase different
devices depending on their security needs and simplify the
logistics for manufacturers and suppliers who would otherwise need
to manage separate product lines. Providing a user enable/disable
capability, however, may present a security threat since a
malicious attacker could potentially enable the security feature
remotely and take ownership of the drive by setting new access
control authentication credentials. This would lock out the
legitimate user, who may not even be aware that security is enabled
on the drive.
[0012] Generally, this disclosure provides systems, devices,
methods and computer readable media for secure control of access
control enablement and activation on self-encrypting storage
devices. In one embodiment, the storage device may include a
non-volatile memory (NVM) and a secure access control module. The
secure access control module may be configured to process commands
received from a user or host system including a request to enable
access controls of the NVM. The secure access control module may
further be configured to verify a physical presence of the user.
Physical presence of the user may be verified by requiring the user
to provide the Physical Security Identifier (PSID) associated with
the storage device, which can generally be obtained in a limited
manner, such as, for example, by reading a physical label on the
storage device. The secure access control module may further be
configured to allow the user to activate and provision access
controls if the physical presence verification is successful and
after a revert operation is performed.
[0013] The secure access control module may further include an
encryption module configured to encrypt at least a portion of the
NVM when access controls have been activated. The NVM may include
or otherwise be configured as a solid state drive (SSD) or as the
magnetic disk of a hard disk drive (HDD). Any suitable method of
encryption may be used including, for example, the Advanced
Encryption Standard (AES), the Data Encryption Standard (DES) and
the International Data Encryption Algorithm (IDEA); of these, only
AES is considered secure by current standards (NIST withdrew DES in
2005), and the TCG Opal SSC itself requires AES-128 or AES-256 for
media encryption. In some embodiments, the enablement of access
controls may be considered an initialization or set-up activity of
the storage device, to be performed by the user/owner of the storage
device during an initial phase of deployment.
[0014] As used herein, the terms "enablement," "activation," and
"provisioning," with respect to access controls, are defined as
follows. Regarding "enablement," the access control capabilities of
the device may be supported (embedded in hardware or software of
the device, by the manufacturer) but remain in a disabled or hidden
state until enablement is performed. After a successful enablement,
activation may be performed to turn on the access controls so that
portions of the NVM are encrypted or otherwise locked for security.
Activation may also be accompanied by provisioning which is an
operation to configure the access controls (e.g., provide
additional authentication credentials for administrators and/or
users and specify regions of the NVM for encryption, etc.).
[0015] FIG. 1 illustrates a top level system diagram 100 of one
example embodiment consistent with the present disclosure. A host
system 104 is shown coupled to a self-encrypting storage device
with secure control capability 110. The secure control capability
of the storage device will be described in greater detail below. In
some embodiments, the host system 104 may be, for example, a
desktop computer, workstation, laptop computer, convertible tablet,
notebook, smart phone, smart tablet, personal digital assistant
(PDA) or mobile Internet device (MID).
[0016] The host system 104 may be coupled to the storage device 110
through interface modules 108a, 108b and storage bus 130, which may
be configured as a Serial Advanced Technology Attachment (SATA)
interface, a Serial Attached Small Computer System (SAS) Interface
or a Peripheral Component Interconnect Express (PCIe) interface, a
Universal Flash Storage (UFS) interface, an embedded Multimedia
Controller interface (eMMC) or any other suitable type of
interface. The SATA and SAS interfaces may comply with ANSI
standards managed by T13 (www.t13.org) and T10 (www.t10.org)
technical committees. The PCIe interface may comply with the PCISIG
standard (www.pcisig.com). The UFS and eMMC may comply with the
JEDEC standards (www.jedec.org). The storage device 110 described
in this disclosure may be configured as a solid state drive (SSD).
In some embodiments, the storage device 110 may include a hard disk
drive (HDD).
[0017] An intended or legitimate user 102 may access the storage
device 110 through the host system 104 and interface 108 and bus
130. Similarly, a remote attacker or malicious user 106 may attempt
to access the storage device 110 and attempt to enable access
controls (and self-encryption of the device) to the detriment of
the intended user 102. The secure control capability of the storage
device 110 may be configured, however, to defeat such attempts, as
will be described below.
[0018] FIG. 2 illustrates a block diagram 200 of one example
embodiment consistent with the present disclosure. The storage
device 110 is shown to include a secure access control module 204,
a storage device side interface module 108b and an NVM 220.
[0019] The storage device 110 and/or the secure access control
module 204 may be configured to implement, comply with, or
otherwise be compatible with the Opal Storage Specification: "TCG
Storage Security Subsystem Class: Opal," Specification Version
1.00, Feb. 4, 2010 of the Trusted Computing Group (TCG), including
current, previous and future versions of that specification. The
storage device 110 may also be referred to as a "Trusted
Peripheral" in Opal terminology. Although operations will be
described here in the context of Opal, it will be appreciated that
these techniques may be applied to other similarly purposed storage
device security systems.
[0020] The secure access control module 204 is shown to include a
command processor module 212, a verification module 214, an
encryption module 216, a random number generator 218 and storage
for a Security Identifier (SID) 206, PSID 208 and a Manufacturer
Security Identifier (MSID) 210.
[0021] The command processor module 212 may be configured to
receive requests from a user or host system including a request to
enable or disable the secure access control features of the NVM
220. Any required encryption or decryption of one or more portions
(e.g., address ranges) of the NVM 220 may be performed by
encryption module 216 as appropriate. The command processor module
212 may also be configured to receive the associated verification
credentials (SID, PSID, etc.) that may be required from the user
for these operations. Verification module 214 may be configured to
perform the verification operations, as will be described below, to
verify the credentials and physical presence of the user.
[0022] In some embodiments, a software application is provided by
the manufacturer or an independent software vendor to send the
appropriate configuration commands as specified in the TCG Opal
spec to the storage device. In an embodiment, the software
application issues a sequence of commands, called methods in the
TCG specifications, to perform configuration and provisioning
operations. Prior to initiating a session, the software application
invokes the Level 0 discovery command and Properties method to
determine the capabilities of the secure access control module 204
(e.g., the OPAL security subsystem).
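The Level 0 discovery step in [0022] returns a fixed-layout byte structure. The following parser is an added example (not code from the patent or from Intel) that decodes it the way a host application would before starting a session. The byte layout is taken from the TCG Opal SSC v2 feature descriptor tables (a 48-byte header, then feature descriptors consisting of feature code, version nibble, length and body); the response built by build_sample_response() is constructed for this example. The Locking descriptor's "locking enabled" bit tells a host whether someone has already activated the Locking SP, i.e. whether the takeover described in [0011] has happened, and the Opal v2 descriptor's two PIN-indicator bytes state whether C_PIN_SID equals the MSID initially and after a Revert.

```python
"""Parser for a TCG Level 0 Discovery response.

Added example, not code from the patent or from Intel. It decodes the
response to the Level 0 discovery command of [0022]: a 48-byte header
followed by feature descriptors. The layout follows the TCG Opal SSC v2
feature descriptor tables; the sample response is constructed here.
"""
import struct

FEATURE_TPER = 0x0001
FEATURE_LOCKING = 0x0002
FEATURE_OPAL_V2 = 0x0203
HEADER_LEN = 48  # 4-byte length, 4-byte revision, 8 reserved, 32 vendor


def parse_feature(code: int, data: bytes) -> dict:
    """Decode the body of one feature descriptor (4-byte header stripped)."""
    if code == FEATURE_LOCKING:
        flags = data[0]
        return {
            "locking_supported": bool(flags & 0x01),
            "locking_enabled": bool(flags & 0x02),   # Locking SP activated
            "locked": bool(flags & 0x04),
            "media_encryption": bool(flags & 0x08),
            "mbr_enabled": bool(flags & 0x10),
            "mbr_done": bool(flags & 0x20),
        }
    if code == FEATURE_OPAL_V2:
        (base_comid, num_comids, crossing, admins, users,
         initial_pin, reverted_pin) = struct.unpack_from(">HHBHHBB", data, 0)
        return {
            "base_comid": base_comid,
            "num_comids": num_comids,
            "range_crossing_bit": crossing & 0x01,
            "max_locking_admins": admins,
            "max_locking_users": users,
            # 0x00: C_PIN_SID equals the MSID; 0xFF: vendor specific value
            "initial_sid_is_msid": initial_pin == 0x00,
            "sid_is_msid_after_revert": reverted_pin == 0x00,
        }
    return {"raw": data.hex()}   # descriptors this example does not decode


def parse_level0(buf: bytes) -> dict:
    """Return {feature_code: fields} plus the header revision."""
    if len(buf) < HEADER_LEN:
        raise ValueError("short Level 0 discovery header")
    length, revision = struct.unpack_from(">II", buf, 0)
    end = min(len(buf), 4 + length)   # length excludes the length field itself
    features = {"revision": revision}
    off = HEADER_LEN
    while off + 4 <= end:
        code, version_byte, flen = struct.unpack_from(">HBB", buf, off)
        body = buf[off + 4:off + 4 + flen]
        if len(body) < flen:
            raise ValueError("truncated feature descriptor 0x%04x" % code)
        fields = parse_feature(code, body)
        fields["version"] = version_byte >> 4   # version is the high nibble
        features[code] = fields
        off += 4 + flen
    return features


def locking_activated(features: dict) -> bool:
    """True when the Locking SP is active, i.e. someone already owns the drive."""
    lock = features.get(FEATURE_LOCKING)
    return bool(lock and lock["locking_enabled"])


def build_sample_response() -> bytes:
    """Constructed response: an Opal v2 drive whose Locking SP is already active."""
    tper = struct.pack(">HBB", FEATURE_TPER, 0x10, 12) + bytes([0x11]) + bytes(11)
    locking = (struct.pack(">HBB", FEATURE_LOCKING, 0x10, 12)
               + bytes([0x0B]) + bytes(11))   # supported | enabled | media enc
    opal = (struct.pack(">HBB", FEATURE_OPAL_V2, 0x10, 16)
            + struct.pack(">HHBHHBB", 0x0007, 1, 0, 4, 8, 0x00, 0x00) + bytes(5))
    body = tper + locking + opal
    header = struct.pack(">II", HEADER_LEN - 4 + len(body), 1) + bytes(40)
    return header + body


if __name__ == "__main__":
    feats = parse_level0(build_sample_response())
    print("Locking SP activated:", locking_activated(feats))
    print("Opal v2 descriptor:", feats[FEATURE_OPAL_V2])
```

On a real drive the response comes from an IF-RECV (ATA TRUSTED RECEIVE / NVMe Security Receive) with protocol 0x01 and ComID 0x0001; only the decoding is shown here. A host that finds locking_enabled set on a drive it never provisioned has found exactly the condition [0011] warns about.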
[0023] The StartSession method is used by the software application
to initiate a communications session between the host system 104
and the storage device 110. This method can also pass a credential,
such as the PSID or SID, to the storage device for authentication.
The storage device is configured to authenticate the credential and
responds with success if the credential is successfully
authenticated.
[0024] After successful authentication of the SID credential and
initiation of a session, the software application invokes the
Activate method, which is used to activate the locking and
encryption management functionality supplied by the Opal subsystem
in the storage device. The session is then ended by the software
application.
[0025] Once locking and encryption management have been activated,
the software application invokes StartSession to initiate a new
session and authenticate an Admins credential, in order to satisfy
access control requirements necessary to perform configuration and
provisioning operations, such as setting User passwords and access
controls.
[0026] The software application invokes the Get method in a
session, in order to retrieve metadata from tables in the
subsystem, which are data structures employed to store
configurations and metadata. The software application invokes the
Set method in a session to configure Users and Admins passwords,
and configure the device to lock when the device power cycles.
[0027] The MSID 210 is an identifier, for example an alphanumeric
value, which is used as a default credential for the storage
device. The MSID 210 is encoded or otherwise stored in a reserved
location in non-volatile memory that is outside of the region of
encrypted data of the non-volatile memory of the storage device
110. The MSID is accessed by a user/host system through the
interface 108 through an appropriate set of commands. Generally, the
MSID, once set by the manufacturer, cannot be changed by the
user.
[0028] The SID 206 is a security identifier, for example an
alphanumeric value, or credential that is associated with the owner
or legitimate user of the storage device 110. The SID 206 is
typically initialized by the manufacturer to a default value that
is set to the MSID 210 and can subsequently be changed by the user
to enforce access controls on the device 110. The SID 206 can also
be stored in a non-volatile memory of the storage device, for
example, outside of the region of encrypted data.
[0029] The PSID 208 is a physical security identifier, for example
an alphanumeric value, or credential that is associated with and
unique to the storage device 110. In an embodiment, the PSID 208
can be generated by the manufacturer and stored in a non-volatile
memory of the storage device that is inaccessible through the
interface 108.
[0030] In other words, the PSID 208 cannot be read or otherwise
discovered by any entity external to the device 110 through any
electronic method. The PSID 208 can, however, be printed on a label
attached to the device 110, or otherwise made available, for
example through some visual method, to a user located in physical
proximity to the device 110. In some embodiments, the PSID is
printed or otherwise visually accessible on the housing of the
storage device 110 or on a housing of a system within which storage
device 110 is incorporated. A remote attacker 106 can therefore be
prevented from obtaining the PSID 208. The PSID is thus used to
verify a physical presence of the device owner or legitimate user
102, for example prior to enablement of the self-encryption
feature.
[0031] It will be appreciated that the term "physical presence"
does not necessarily require that the intended or legitimate user
102 always be locally present in the proximity of the storage
device 110. For example, physical presence may indicate a one-time
presence by the user 102 to visually obtain the PSID, which may
later be used during a verification process from a remote
location. By the same token, anyone who has had physical access to
the label, even briefly, holds the PSID; the check therefore
distinguishes remote from local actors rather than authenticating a
particular person.
[0032] FIG. 3 illustrates a flowchart of operations 300 of another
example embodiment consistent with the present disclosure. The
operations provide a method for secure enablement and activation of
access controls on a self-encrypting storage device. At operation
310, a request is received to enable self-encryption (e.g., as
implemented through Opal). At operation 320, Opal is enabled for
the device and a random number or string (generated for example by
random number generator 218) is assigned to the SID for the device,
which will no longer be the same as the MSID. This may prevent any
further attempts to alter access control settings until the current
operation is successfully completed (e.g., by the intended user
102). The random number generator 218 may implement a
non-deterministic random number generation algorithm to reduce the
probability that a remote attacker might predict the random number
value.
[0033] At operation 330, a request is received for a revert
operation, via the TCG Opal Revert method. The requester's physical
presence is verified at operation 340, by supplying a valid PSID
associated with the device, via a TCG method such as StartSession
or Authenticate. Because access to the PSID is limited to visual
observation of some portion of the device, such as a printed label
as described previously, knowledge of the PSID may be used to
verify the physical presence of the requester. If the verification
fails, then at operation 350 the Revert method invocation will
subsequently be denied and the SID remains set to the random value.
In some embodiments, an alert may be generated to log the event
and/or notify the legitimate user (e.g., intended user 102) of a
failed attempt to enable access controls (Opal).
[0034] If the verification succeeds, however, then at operation 360
the revert operation is performed. At operation 370, as part of the
revert, the SID is reset back to the MSID associated with the
device and Opal is left in an enabled state. At this point the user
may optionally activate and provision Opal, at operation 380, for
example through the Activate method executed by the software
application. On drives implementing the TCG Opal PSID feature, a
Revert authenticated with the PSID returns the device to its
original factory state and discards the media encryption keys (and
with them any data in locking ranges), so it belongs at this set-up
stage, before user data has been provisioned.
[0035] FIG. 4 illustrates a flowchart of operations 400 of another
example embodiment consistent with the present disclosure. The
operations provide a method for secure control of access control
enablement and activation on a self-encrypting storage device. At
operation 410, a request is received to enable access controls of
the storage device. The request is received from a user of a host
system of the storage device, for example through a software
application that requests the storage device to enable OPAL
security by sending an appropriate sequence of commands. The
StartSession method is used to initiate a communications session
and authenticate the SID credential. The Activate method is used to
activate the locking functionality provided by the Opal subsystem
implemented in the storage device. At operation 420, access
controls (e.g., OPAL security) are enabled in response to the
request. At operation 430, the physical presence of the user is
verified, for example by supplying a valid PSID associated with the
device as printed on the storage device label. The software
application may be configured to prompt the user to enter the PSID.
The user may then enter the PSID through the software application.
The software application may send the PSID to the storage device,
for example by using the StartSession method or using the
Authenticate method in a session that has already been initiated.
The storage device verifies the submitted PSID and responds with
the verification result. Because access to the PSID is limited to
visual observation of some portion of the device, such as a printed
label as described previously, knowledge of the PSID may be used to
verify the physical presence of the requester. At operation 440, if
the physical presence verification succeeds, the software
application invokes the "Revert" command which resets the SID to
MSID and activation of self-encryption of the storage device is
then possible, via execution of the Activate method. If the
physical presence verification fails, access controls (e.g., OPAL
security) may remain in their existing state and the SID remains
set to the random value.
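The sequence of FIG. 3 and FIG. 4 can be checked as a state machine. The following is an added example (not code from the patent or from any drive firmware) that models the drive-side secure access control module with the TCG method names from [0022]-[0026] and runs the attacker/owner scenario of FIG. 1 against it. The MSID, PSID and owner credentials are constructed values, an Opal session is reduced to a single authenticated authority, and provisioning is reduced to setting a new SID.

```python
"""Model of the SID/PSID enable-and-revert flow of FIG. 3 and FIG. 4.

Added example, not code from the patent or from any drive firmware: a
drive-side state machine driven with the TCG method names of [0022]-[0026]
(StartSession, Revert, Activate, Set) to check that a remote host knowing
only the MSID can request enablement but cannot take ownership, while the
holder of the label PSID can. All credential values are constructed.
"""
import hmac
import secrets
from typing import Dict, List, Optional


class AccessDenied(Exception):
    pass


class SecureAccessControl:
    """Drive side: SID 206, PSID 208, MSID 210 and RNG 218 of FIG. 2."""

    def __init__(self, msid: str, psid: str) -> None:
        self.msid = msid            # default credential, readable by any host
        self._psid = psid           # printed on the label, never sent by the drive
        self.sid = msid             # owner credential; factory value is the MSID
        self.opal_enabled = False   # "enablement" in the sense of [0014]
        self.activated = False      # Locking SP activated ("activation")
        self._authority: Optional[str] = None
        self.log: List[str] = []    # failed attempts, cf. the alert in [0033]

    def start_session(self, authority: str = "Anybody",
                      credential: Optional[str] = None) -> bool:
        """StartSession, optionally authenticating the SID or PSID authority."""
        stored = {"SID": self.sid, "PSID": self._psid}.get(authority)
        if stored is not None:   # constant-time compare: not timeable remotely
            ok = credential is not None and hmac.compare_digest(
                credential.encode(), stored.encode())
        else:
            ok = authority == "Anybody"
        self._authority = authority if ok else None
        if not ok:
            self.log.append("authentication failed for %s" % authority)
        return ok

    def _require(self, authority: str) -> None:
        if self._authority != authority:
            raise AccessDenied("%s authority required" % authority)

    def enable_access_controls(self) -> bool:
        """Operations 310/320: enable Opal and move the SID off the MSID."""
        if self.opal_enabled:
            return False
        self.opal_enabled = True
        self.sid = secrets.token_hex(16)   # RNG 218: a value nobody holds
        return True

    def revert(self) -> bool:
        """Operations 360/370: PSID-authenticated Revert; Opal stays enabled."""
        self._require("PSID")
        self.sid, self.activated = self.msid, False
        return True

    def activate(self) -> bool:
        """Activate the Locking SP: needs SID authority and prior enablement."""
        self._require("SID")
        if not self.opal_enabled:
            raise AccessDenied("access controls are not enabled")
        self.activated = True
        return True

    def set_sid(self, new_sid: str) -> None:
        """Set on C_PIN_SID: take ownership (further provisioning omitted)."""
        self._require("SID")
        self.sid = new_sid


def run_scenario() -> Dict[str, object]:
    """Remote attacker 106 versus legitimate user 102 on one fresh drive."""
    drive = SecureAccessControl(msid="MSID-EXAMPLE-0001", psid="PSID-LABEL-7F3A")
    out: Dict[str, object] = {}
    attacker_msid = drive.msid                 # all a remote host can learn
    drive.start_session("SID", attacker_msid)  # succeeds: SID still equals MSID
    try:
        drive.activate()                       # but nothing is enabled yet
        out["attacker_activated_before_enable"] = True
    except AccessDenied:
        out["attacker_activated_before_enable"] = False
    out["enable_accepted"] = drive.enable_access_controls()          # 310/320
    out["sid_is_random"] = drive.sid != drive.msid
    out["attacker_sid_session"] = drive.start_session("SID", attacker_msid)
    out["attacker_psid_guess"] = drive.start_session("PSID", "PSID-GUESS-0000")
    out["owner_psid_session"] = drive.start_session("PSID", "PSID-LABEL-7F3A")
    out["reverted"] = drive.revert()                                 # 330-370
    out["sid_back_to_msid"] = drive.sid == drive.msid
    out["opal_still_enabled"] = drive.opal_enabled
    drive.start_session("SID", drive.msid)     # 380: owner takes ownership
    drive.set_sid("owner-secret-sid")
    drive.activate()
    out["activated"] = drive.activated
    out["attacker_after_takeover"] = drive.start_session("SID", attacker_msid)
    out["failed_auth_events"] = len(drive.log)
    return out
```

run_scenario() exercises the two properties the design relies on: after enablement the SID is a random value that no party holds, so the MSID that any host can read no longer authenticates anyone; and only a PSID-authenticated Revert brings the SID back to the MSID, after which the owner rotates the SID and activates. What the design does not prevent is a remote host triggering enablement in the first place, which forces the owner through the PSID revert; it makes takeover impossible, not the nuisance.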
[0036] FIG. 5 illustrates a system diagram 500 of one example
embodiment consistent with the present disclosure. The system 500
may be a mobile platform 510 or computing device such as, for
example, a smart phone, smart tablet, personal digital assistant
(PDA), mobile Internet device (MID), convertible tablet, notebook
or laptop computer, or any other suitable device. It will be
appreciated, however, that embodiments of the system described
herein are not limited to mobile platforms, and in some
embodiments, the system 500 may be a workstation or desktop
computer. The device may generally present various interfaces to a
user via a display element 560 such as, for example, a touch
screen, liquid crystal display (LCD) or any other suitable display
type.
[0037] The system 500 is shown to include a host system 104 that
may further include any number of processors 520 and memory modules
530. In some embodiments, the processors 520 may be implemented as
any number of processor cores. The processor (or processor cores)
may be any type of processor, such as, for example, a
micro-processor, an embedded processor, a digital signal processor
(DSP), a graphics processor (GPU), a network processor, a field
programmable gate array or other device configured to execute code.
The processors may be multithreaded cores in that they may include
more than one hardware thread context (or "logical processor") per
core. The memory 530 may be coupled to the processors. The memory
530 may be any of a wide variety of memories (including various
layers of memory hierarchy and/or memory caches) as are known or
otherwise available to those of skill in the art. It will be
appreciated that the processors and memory may be configured to
store, host and/or execute one or more user applications or other
software modules. These applications may include, but not be
limited to, for example, any type of computation, communication,
data management, data storage and/or user interface task. In some
embodiments, these applications may employ or interact with any
other components of the mobile platform 510.
[0038] System 500 is also shown to include network interface module
540 which may include wireless communication capabilities, such as,
for example, cellular communications, Wireless Fidelity (WiFi),
Bluetooth®, and/or Near Field Communication (NFC). The wireless
communications may conform to or otherwise be compatible with any
existing or yet to be developed communication standards including
past, current and future versions of Bluetooth®, Wi-Fi and
mobile phone communication standards.
[0039] System 500 is also shown to include an input/output (IO)
system or controller 550 which may be configured to enable or
manage data communication between processor 520 and other elements
of system 500 or other elements (not shown) external to system
500.
[0040] System 500 is also shown to include a self-encrypting
storage device with secure control 110, as described previously.
Storage device 110 may further include a secure access control
module (e.g., Opal) and an NVM as illustrated in FIG. 2. Interface
modules 108a, 108b may also be provided to couple the storage
device 110 to the host system 104 over a storage bus.
[0041] It will be appreciated that in some embodiments, the various
components of the system 500 may be combined in a system-on-a-chip
(SoC) architecture. In some embodiments, the components may be
hardware components, firmware components, software components or
any suitable combination of hardware, firmware or software.
[0042] Embodiments of the methods described herein may be
implemented in a system that includes one or more storage mediums
having stored thereon, individually or in combination, instructions
that when executed by one or more processors perform the methods.
Here, the processor may include, for example, a system CPU (e.g.,
core processor) and/or programmable circuitry. Thus, it is intended
that operations according to the methods described herein may be
distributed across a plurality of physical devices, such as, for
example, processing structures at several different physical
locations. Also, it is intended that the method operations may be
performed individually or in a subcombination, as would be
understood by one skilled in the art. Thus, not all of the
operations of each of the flow charts need to be performed, and the
present disclosure expressly intends that all subcombinations of
such operations are enabled as would be understood by one of
ordinary skill in the art.
[0043] The storage medium may include any type of tangible medium,
for example, any type of disk including floppy disks, optical
disks, compact disk read-only memories (CD-ROMs), compact disk
rewritables (CD-RWs), digital versatile disks (DVDs) and
magneto-optical disks, semiconductor devices such as read-only
memories (ROMs), random access memories (RAMs) such as dynamic and
static RAMs, erasable programmable read-only memories (EPROMs),
electrically erasable programmable read-only memories (EEPROMs),
flash memories, magnetic or optical cards, or any type of media
suitable for storing electronic instructions.
[0044] "Circuitry", as used in any embodiment herein, may include,
for example, singly or in any combination, hardwired circuitry,
programmable circuitry, state machine circuitry, and/or firmware
that stores instructions executed by programmable circuitry. An
application or "app" may be embodied as code or instructions which
may be executed on programmable circuitry such as a host processor
or other programmable circuitry. A module, as used in any
embodiment herein, may be embodied as circuitry. The circuitry may
be embodied as an integrated circuit, such as an integrated circuit
chip.
[0045] Thus, the present disclosure provides systems, devices,
methods and computer readable media for secure control of access
control enablement and activation on self-encrypting storage
devices. The following examples pertain to further embodiments.
[0046] According to Example 1 there is provided a storage device.
The device may include a non-volatile memory (NVM) and a secure
access control module. The secure access control module of this
example may include a command processor module to receive a request
to enable access controls of the NVM, from a user, and to enable
the access controls; a verification module to verify a physical
presence of the user; and an encryption module to allow encryption
of at least a portion of the NVM in response to an indication of
success from the verification module.
[0047] Example 2 may include the subject matter of Example 1, and
the secure access control module implements Opal Storage
Specification access controls.
[0048] Example 3 may include the subject matter of Examples 1 and
2, further including a random number generator to generate a random
number and update a Security Identifier (SID) associated with the
access controls to the random number.
[0049] Example 4 may include the subject matter of Examples 1-3,
and the verification of the physical presence of the user is based
on receiving a Physical Security Identifier (PSID) from the user,
the PSID associated with the storage device.
[0050] Example 5 may include the subject matter of Examples 1-4,
and the PSID is displayed on a housing of the storage device.
[0051] Example 6 may include the subject matter of Examples 1-5,
and the PSID is provided in a visually observable manner in
association with the storage device.
[0052] Example 7 may include the subject matter of Examples 1-6,
and the secure access control module is further to perform a revert
operation of the storage device, if the verification of the
physical presence is successful.
[0053] Example 8 may include the subject matter of Examples 1-7,
and the revert operation restores the SID to a Manufacturer
Security Identifier (MSID).
[0054] Example 9 may include the subject matter of Examples 1-8,
and the secure access control module is further to allow
configuration of the access controls of the NVM if the verification
of the physical presence is successful.
[0055] Example 10 may include the subject matter of Examples 1-9,
and the NVM is a solid state drive (SSD).
[0056] Example 11 may include the subject matter of Examples 1-10,
and the secure access control module is further to communicate with
a host system through an interface module and a storage bus, the
interface module to implement one of a Serial Advanced Technology
Attachment (SATA) interface, a Serial Attached Small Computer
System (SAS) Interface, a Peripheral Component Interconnect Express
(PCIe) interface, a Universal Flash Storage (UFS) interface and/or
an embedded Multimedia Controller interface (eMMC).
[0057] According to Example 12 there is provided a method for
secure control of a storage device. The method may include
receiving a request, from a user, to enable access controls of an
NVM; enabling the access controls in response to the request;
verifying a physical presence of the user; and allowing activation
of self-encryption of the NVM in response to success of the
verifying.
[0058] Example 13 may include the subject matter of Example 12, and
the storage device implements Opal Storage Specification access
controls.
[0059] Example 14 may include the subject matter of Examples 12 and
13, and the enabling of the access controls further includes
generating a random number and updating a Security Identifier (SID)
associated with the access controls to the random number.
[0060] Example 15 may include the subject matter of Examples 12-14,
and the verifying of the physical presence of the user further
includes receiving a Physical Security Identifier (PSID) from the
user, the PSID associated with the storage device.
[0061] Example 16 may include the subject matter of Examples 12-15,
and the PSID is displayed on a housing of the storage device.
[0062] Example 17 may include the subject matter of Examples 12-16,
and the PSID is provided in a visually observable manner in
association with the storage device.
[0063] Example 18 may include the subject matter of Examples 12-17,
further including performing a revert operation of the storage
device, in response to success of the verifying.
[0064] Example 19 may include the subject matter of Examples 12-18,
and the revert operation further includes restoring the SID to a
Manufacturer Security Identifier (MSID).
[0065] Example 20 may include the subject matter of Examples 12-19,
further including allowing configuration of the access controls of
the NVM in response to success of the verifying.
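The device of Examples 1-11 and the method of Examples 12-20 describe the same sequence: enabling the access controls replaces the Security Identifier (SID) with a random value, a physical presence check compares a Physical Security Identifier (PSID) supplied by the user against the one associated with the drive, and only after that check succeeds may self-encryption be activated, the access controls be configured, or a revert restore the SID to the Manufacturer Security Identifier (MSID). The following Python model is an added illustration of that sequence; it is not code from the application or from any vendor's firmware. The class and method names (`SecureAccessControl`, `enable_access_controls`, `verify_physical_presence`, `activate_encryption`, `revert`), the MSID and PSID values, and the choice to store only a digest of the PSID and compare it in constant time are all assumptions of this example.

```python
"""Toy model of the secure access control module of Examples 1-20.

Constructed example; not the patent application's or a vendor's code.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class SecureAccessControl:
    """Models one drive's SID / MSID / PSID handling (names are assumed)."""

    msid: bytes                     # Manufacturer SID: the public default
    psid_digest: bytes              # digest of the label-printed PSID
    sid: bytes = b""                # current SID; set to MSID at construction
    access_controls_enabled: bool = False
    physical_presence_verified: bool = False
    encryption_active: bool = False
    events: list = field(default_factory=list)

    def __post_init__(self) -> None:
        # A fresh drive ships with SID equal to the MSID (Example 8 reverts to this).
        self.sid = self.msid

    @staticmethod
    def _digest(psid: str) -> bytes:
        # The model keeps a digest rather than the PSID itself (example's choice).
        return hashlib.sha256(psid.encode("ascii")).digest()

    @classmethod
    def from_label(cls, msid: bytes, psid_label: str) -> "SecureAccessControl":
        return cls(msid=msid, psid_digest=cls._digest(psid_label))

    # Command processor module (Examples 1, 3, 12, 14)
    def enable_access_controls(self) -> bytes:
        """Enable access controls and move the SID to a fresh random value."""
        self.access_controls_enabled = True
        self.sid = secrets.token_bytes(32)
        self.events.append("access controls enabled, SID randomized")
        return self.sid

    # Verification module (Examples 4, 15)
    def verify_physical_presence(self, psid_attempt: str) -> bool:
        """Compare the supplied PSID with the drive's PSID in constant time."""
        ok = hmac.compare_digest(self._digest(psid_attempt), self.psid_digest)
        self.physical_presence_verified = ok
        self.events.append("PSID verified" if ok else "PSID rejected")
        return ok

    # Encryption module (Examples 1, 12)
    def activate_encryption(self) -> bool:
        """Allow self-encryption only after enablement and a successful PSID check."""
        if not (self.access_controls_enabled and self.physical_presence_verified):
            self.events.append("encryption activation refused")
            return False
        self.encryption_active = True
        self.events.append("encryption activated")
        return True

    # Revert operation (Examples 7, 8, 18, 19)
    def revert(self) -> bool:
        """Restore SID to MSID and clear state; requires a verified PSID."""
        if not self.physical_presence_verified:
            self.events.append("revert refused")
            return False
        self.sid = self.msid
        self.access_controls_enabled = False
        self.encryption_active = False
        self.physical_presence_verified = False   # one verification per operation
        self.events.append("reverted, SID restored to MSID")
        return True


def demo_flow() -> dict:
    """Run the Example 12 sequence on constructed MSID/PSID values."""
    drive = SecureAccessControl.from_label(b"MSID-CONSTRUCTED", "CONSTRUCTED-PSID-0001")
    refused_before_enable = drive.activate_encryption()
    drive.enable_access_controls()
    refused_before_psid = drive.activate_encryption()
    wrong_psid = drive.verify_physical_presence("CONSTRUCTED-WRONG-PSID")
    right_psid = drive.verify_physical_presence("CONSTRUCTED-PSID-0001")
    return {
        "sid_left_msid": drive.sid != drive.msid,
        "refused_before_enable": refused_before_enable,
        "refused_before_psid": refused_before_psid,
        "wrong_psid_accepted": wrong_psid,
        "encryption_active_after_psid": right_psid and drive.activate_encryption(),
        "events": list(drive.events),
    }


if __name__ == "__main__":
    for event in demo_flow()["events"]:
        print(event)
```

The model separates the three roles the examples name: the command processor changes state, the verification module alone sets `physical_presence_verified`, and the encryption and revert paths refuse to act until it has. Because the PSID is associated with the physical device rather than learned over the storage bus, a requester that cannot read the drive is stopped at `verify_physical_presence`, which is the gate the examples place in front of activation, configuration and revert.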
[0066] According to Example 21 there is provided a mobile platform.
The mobile platform may include a processor; a display element
coupled to the processor; and an SSD storage device coupled to the
processor. The SSD of this example may include a non-volatile
memory (NVM) and a secure access control module. The secure access
control module of this example may include a command processor
module to enable access controls of the NVM in response to a
request from the processor; a verification module to verify a
physical presence of a user; and an encryption module to allow
encryption of at least a portion of the NVM in response to an
indication of success from the verification module.
[0067] Example 22 may include the subject matter of Example 21, and
the secure access control module implements Opal Storage
Specification access controls.
[0068] Example 23 may include the subject matter of Examples 21-22,
and the verification of the physical presence of the user is based
on receiving a Physical Security Identifier (PSID) from the user,
the PSID associated with the storage device.
[0069] Example 24 may include the subject matter of Examples 21-23,
and the PSID is displayed on a housing of the storage device.
[0070] Example 25 may include the subject matter of Examples 21-24,
and the secure access control module is further to perform a revert
operation of the storage device, if the verification of the
physical presence is successful.
[0071] Example 26 may include the subject matter of Examples 21-25,
and the revert operation restores the SID to a Manufacturer
Security Identifier (MSID).
[0072] Example 27 may include the subject matter of Examples 21-26,
and the secure access control module is further to allow
configuration of the access controls of the NVM if the verification
of the physical presence is successful.
[0073] Example 28 may include the subject matter of Examples 21-27,
and the secure access control module is further to communicate with
a host system through an interface module and a storage bus, the
interface module to implement one of a Serial Advanced Technology
Attachment (SATA) interface, a Serial Attached Small Computer
System (SAS) Interface, a Peripheral Component Interconnect Express
(PCIe) interface, a Universal Flash Storage (UFS) interface and/or
an embedded Multimedia Controller interface (eMMC).
[0074] Example 29 may include the subject matter of Examples 21-28,
and the mobile platform is a smart phone, smart tablet, notebook or
laptop computer.
[0075] According to Example 30 there is provided at least one
computer-readable storage medium having instructions stored thereon
which when executed by a processor result in the following
operations for secure control of a storage device. The operations
may include receiving a request, from a user, to enable access
controls of an NVM; enabling the access controls in response to the
request; verifying a physical presence of the user; and allowing
activation of self-encryption of the NVM in response to success of
the verifying.
[0076] Example 31 may include the subject matter of Example 30, and
the storage device implements Opal Storage Specification access
controls.
[0077] Example 32 may include the subject matter of Examples 30 and
31, and the enabling of the access controls further includes the
operations of generating a random number and updating a Security
Identifier (SID) associated with the access controls to the random
number.
[0078] Example 33 may include the subject matter of Examples 30-32,
and the verifying of the physical presence of the user further
includes the operation of receiving a Physical Security Identifier
(PSID) from the user, the PSID associated with the storage
device.
[0079] Example 34 may include the subject matter of Examples 30-33,
and the PSID is displayed on a housing of the storage device.
[0080] Example 35 may include the subject matter of Examples 30-34,
and the PSID is provided in a visually observable manner in
association with the storage device.
[0081] Example 36 may include the subject matter of Examples 30-35,
further including the operation of performing a revert operation of
the storage device, in response to success of the verifying.
[0082] Example 37 may include the subject matter of Examples 30-36,
and the revert operation further includes the operation of
restoring the SID to a Manufacturer Security Identifier (MSID).
[0083] Example 38 may include the subject matter of Examples 30-37,
further including allowing configuration of the access controls of
the NVM in response to success of the verifying.
[0084] According to Example 39 there is provided a system for
secure control of a storage device. The system may include means
for receiving a request, from a user, to enable access controls of
an NVM; means for enabling the access controls in response to the
request; means for verifying a physical presence of the user; and
means for allowing activation of self-encryption of the NVM in
response to success of the verifying.
[0085] Example 40 may include the subject matter of Example 39, and
the storage device implements Opal Storage Specification access
controls.
[0086] Example 41 may include the subject matter of Examples 39 and
40, and the enabling of the access controls further includes means
for generating a random number and updating a Security Identifier
(SID) associated with the access controls to the random number.
[0087] Example 42 may include the subject matter of Examples 39-41,
and the verifying of the physical presence of the user further
includes means for receiving a Physical Security Identifier (PSID)
from the user, the PSID associated with the storage device.
[0088] Example 43 may include the subject matter of Examples 39-42,
and the PSID is displayed on a housing of the storage device.
[0089] Example 44 may include the subject matter of Examples 39-43,
and the PSID is provided in a visually observable manner in
association with the storage device.
[0090] Example 45 may include the subject matter of Examples 39-44,
further including means for performing a revert operation of the
storage device, in response to success of the verifying.
[0091] Example 46 may include the subject matter of Examples 39-45,
and the revert operation further includes means for restoring the
SID to a Manufacturer Security Identifier (MSID).
[0092] Example 47 may include the subject matter of Examples 39-46,
further including means for allowing configuration of the access
controls of the NVM in response to success of the verifying.
[0093] The terms and expressions which have been employed herein
are used as terms of description and not of limitation, and there
is no intention, in the use of such terms and expressions, of
excluding any equivalents of the features shown and described (or
portions thereof), and it is recognized that various modifications
are possible within the scope of the claims. Accordingly, the
claims are intended to cover all such equivalents. Various
features, aspects, and embodiments have been described herein. The
features, aspects, and embodiments are susceptible to combination
with one another as well as to variation and modification, as will
be understood by those having skill in the art. The present
disclosure should, therefore, be considered to encompass such
combinations, variations, and modifications.
* * * * *