Method to protect BIOS NVRAM from malicious code injection by encrypting NVRAM variables and system therefor
First Claim
Patent Images
1. A method to protect non-volatile random access memory (NVRAM) from malicious code, the method comprising:
- allocating, by a hardware processor of an information handling system, a first region at the NVRAM to store firmware instructions;
allocating, by the hardware processor of the information handling system, a second region to store data that is not the firmware instructions; and
receiving, by the hardware processor of the information handling system, the data to be stored at the second region, the receiving of the data in response to servicing a system management interrupt, the data received at a software function configured to store the data at the second region, the software function including operations for;
generating a random symmetric encryption key;
encrypting the data using the random symmetric encryption key to provide encrypted data, the random symmetric encryption key to only be associated with the data; and
storing the encrypted data and the random symmetric encryption key at the second region at the NVRAM;
wherein the encrypted data protects the second region at the NVRAM from executing the malicious code.
14 Assignments
0 Petitions
Accused Products
Abstract
Data to be stored at a firmware memory is received. A random symmetric encryption key is generated. The data is encrypted using the generated key to provide encrypted data. The encrypted data and the encryption key are both stored at the firmware memory.
33 Citations
19 Claims
-
1. A method to protect non-volatile random access memory (NVRAM) from malicious code, the method comprising:
-
allocating, by a hardware processor of an information handling system, a first region at the NVRAM to store firmware instructions; allocating, by the hardware processor of the information handling system, a second region to store data that is not the firmware instructions; and receiving, by the hardware processor of the information handling system, the data to be stored at the second region, the receiving of the data in response to servicing a system management interrupt, the data received at a software function configured to store the data at the second region, the software function including operations for; generating a random symmetric encryption key; encrypting the data using the random symmetric encryption key to provide encrypted data, the random symmetric encryption key to only be associated with the data; and storing the encrypted data and the random symmetric encryption key at the second region at the NVRAM; wherein the encrypted data protects the second region at the NVRAM from executing the malicious code. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. An information handling system comprising:
-
a processor; a system memory device; and a non-volatile firmware memory device including a first region for storing basic input/output system (BIOSE code and a second region for storing data that is not the BIOS code, the BIOS code executing store operations to the second region, the store operations to further; receive the data to be stored at the second region of the non-volatile firmware memory device, the data received in response to servicing a system management interrupt; generate a random symmetric encryption key for each different store operation of the store operations executed by the BIOS code; encrypt the data using the random symmetric encryption key to provide encrypted data that corresponds to the each different store operation; and store the encrypted data and the generated random symmetric encryption key at the second region of the non-volatile firmware memory device. - View Dependent Claims (13, 14, 15, 16)
-
-
17. A non-transitory data storage medium storing instructions executable by a processor to cause the processor to:
-
allocate a first region of a non-volatile firmware memory to store BIOS code; allocate a second region of the non-volatile firmware memory to store data that is not the BIOS code; and implement a function for write operations to the second region of the non-volatile firmware memory, the function for the write operations configured to; receive the data in response to servicing a system management interrupt at the processor; generate a different random symmetric encryption key for each corresponding one of the write operations to the second region of the non-volatile firmware memory; encrypt the data using the different random symmetric encryption key to provide encrypted data for the corresponding one of the write operations to the second region of the non-volatile firmware memory; and store the encrypted data and the different random symmetric encryption key at the second region of the non-volatile firmware memory for the corresponding one of the write operations. - View Dependent Claims (18, 19)
-
Specification