US 11,809,568 B2
Hypervisor having local keystore
Joel Wolfrath, Rochester, MN (US); Christopher J. Engel, Rochester, MN (US); Matthew Vaught, Rochester, MN (US); Michael William Bowcutt, Rochester, MN (US); and Phillip Scramlin, Rochester, MN (US)
Assigned to INTERNATIONAL BUSINESS MACHINES CORPORATION, Armonk, NY (US)
Filed by International Business Machines Corporation, Armonk, NY (US)
Filed on May 12, 2021, as Appl. No. 17/318,655.
Prior Publication US 2022/0366052 A1, Nov. 17, 2022
Int. Cl. G06F 21/57 (2013.01); G06F 21/53 (2013.01); G06F 9/455 (2018.01); G06F 21/60 (2013.01)
CPC G06F 21/575 (2013.01) [G06F 9/45558 (2013.01); G06F 21/53 (2013.01); G06F 21/602 (2013.01); G06F 2009/45587 (2013.01); G06F 2221/0751 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A computer-implemented method comprising:
executing, by a hypervisor, a bootloader with access to a first logical partition of a non-volatile memory, the first logical partition storing a keystore;
loading, by the bootloader, a kernel with access to the first logical partition of the non-volatile memory associated with a first virtual machine;
enforcing, by the hypervisor, a first-tier isolation policy that prohibits the kernel from accessing a second logical partition of the memory associated with a second virtual machine;
enforcing, by the hypervisor, a second-tier isolation policy that prohibits the kernel from accessing a bootloader encryption key written to the keystore by the bootloader;
receiving, by the bootloader, an encryption key from the keystore;
performing, by the bootloader, a cryptographic algorithm using the encryption key on the kernel;
executing, by the bootloader in an event that the performing of the cryptographic algorithm produces a first result, the kernel with access to the first logical partition of the non-volatile memory; and
halting, by the bootloader in an event that the performing of the cryptographic algorithm fails to produce the first result, booting of the kernel and generating an error message.