Providing a secure execution mode in a pre-boot environment
First Claim
1. A method comprising:
- providing control to firmware responsive to a power-up event in a computer system;
- establishing a secure pre-boot environment in response to a determination that a processor in said system is security enabled;
- generating a digest including information about the computer system in the secure pre-boot environment;
- initializing said processor before a trusted operating system is loaded in said system;
- generating a secret in the form of a root key, sealing the root key using a key accessible only to a fixed token secured to a motherboard of the computer system, storing the secret in the fixed token secured to the motherboard of the computer system while in the pre-boot environment and releasing the root key to the computer system only while in the secure pre-boot environment;
- transferring the computer system from the secure pre-boot environment including a secure mode to an operating system environment and maintaining the secure mode of the secure pre-boot environment in a background of the operating system environment to maintain platform integrity; and
- receiving system management interrupts in a secure virtual machine monitor in the secure pre-boot environment and in the operating system environment if the operating system environment is not a secure environment, otherwise receiving the system management interrupts in the secure virtual machine monitor of the operating system environment.
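A minimal model of the claimed sequence, added here as an illustration and not code from the patent: a fixed token whose sealing key never leaves it, a platform digest the root key is bound to, release refused outside the secure pre-boot environment or when the digest differs, and the SMI routing rule from the last step. Class and function names are my own; the HMAC binding stands in for a real token's sealing operation.

```python
import hashlib
import hmac
import secrets
from enum import Enum

class Env(Enum):
    SECURE_PREBOOT = "secure_preboot"
    OS = "os"

class FixedToken:
    """Model of the motherboard-fixed token; its sealing key is never exported."""
    def __init__(self):
        self._seal_key = secrets.token_bytes(32)   # accessible only inside the token
        self._sealed = None                        # (root_key, binding tag)

    def seal(self, root_key, digest):
        # Bind the root key to the platform digest captured in secure pre-boot.
        tag = hmac.new(self._seal_key, digest, hashlib.sha256).digest()
        self._sealed = (root_key, tag)

    def release(self, digest, env):
        # Release only in secure pre-boot and only if the digest still matches.
        if env is not Env.SECURE_PREBOOT or self._sealed is None:
            return None
        root_key, tag = self._sealed
        expected = hmac.new(self._seal_key, digest, hashlib.sha256).digest()
        return root_key if hmac.compare_digest(tag, expected) else None

def platform_digest(firmware, processor_id, security_enabled):
    h = hashlib.sha256()
    for part in (firmware, processor_id, str(security_enabled)):
        h.update(part.encode() + b"\0")   # length-separated fields
    return h.digest()

def route_smi(env, os_is_secure):
    # SMIs stay with the pre-boot SVMM kept in the background unless the OS has its own.
    if env is Env.SECURE_PREBOOT or not os_is_secure:
        return "preboot_svmm"
    return "os_svmm"

def boot(firmware, processor_id, security_enabled):
    """Walk the claimed steps and report what each environment can obtain."""
    if not security_enabled:          # no secure pre-boot on a non-enabled processor
        return {"secure_preboot": False}
    token = FixedToken()
    digest = platform_digest(firmware, processor_id, security_enabled)
    root_key = secrets.token_bytes(32)
    token.seal(root_key, digest)
    in_preboot = token.release(digest, Env.SECURE_PREBOOT)
    in_os = token.release(digest, Env.OS)
    tampered = token.release(platform_digest("other-fw", processor_id, True), Env.SECURE_PREBOOT)
    return {"secure_preboot": True, "released_in_preboot": in_preboot == root_key,
            "released_in_os": in_os is not None, "released_tampered": tampered is not None}
```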
Abstract
In one embodiment, the present invention includes a method to establish a secure pre-boot environment in a computer system and perform at least one secure operation in that secure environment. In one embodiment, the secure operation may be the storage of a secret in the secure pre-boot environment.
64 Citations
12 Claims
7. A non-transitory computer readable medium storing instructions to cause a computer system to:
- provide control to firmware responsive to a power-up event;
- establish a secure pre-boot environment in response to a determination that a processor in said system is security enabled, said secure pre-boot environment to store code to perform cryptographic computations before booting;
- generate a digest including information about the computer system in the secure pre-boot environment;
- initialize said processor before a trusted operating system is loaded in said system;
- storing instructions to generate a secret in the form of a root key, seal the root key using a key accessible only to a fixed token secured to a motherboard of the computer system, store the secret in the fixed token secured to the motherboard of the computer system while in the pre-boot environment and release the root key to the computer system only while in the secure pre-boot environment;
- storing instructions to transfer the computer system from the secure pre-boot environment including a secure mode to an operating system environment and maintain the secure mode of the secure pre-boot environment in a background of the operating system environment to maintain platform integrity; and
- storing instructions to receive system management interrupts in a secure virtual machine monitor in the secure pre-boot environment and in the operating system environment if the operating system environment is not a secure environment, otherwise receive the system management interrupts in the secure virtual machine monitor of the operating system environment.