Providing a secure execution mode in a pre-boot environment
First Claim
Patent Images
1. A method comprising:
- providing control to firmware responsive to a power-up event in a computer system;
establishing a secure pre-boot environment in response to a determination that a processor in said system is security enabled;
generating a digest including information about the computer system in the secure pre-boot environment;
initializing said processor before a trusted operating system is loaded in said system;
generating a secret in the form of a root key, sealing the root key using a key accessible only to a fixed token secured to a motherboard of the computer system, storing the secret in the fixed token secured to the motherboard of the computer system while in the pre-boot environment and releasing the root key to the computer system only while in the secure pre-boot environment;
transferring the computer system from the secure pre-boot environment including a secure mode to an operating system environment and maintaining the secure mode of the secure pre-boot environment in a background of the operating system environment to maintain platform integrity; and
receiving system management interrupts in a secure virtual machine monitor in the secure pre-boot environment and in the operating system environment if the operating system environment is not a secure environment, otherwise receiving the system management interrupts in the secure virtual machine monitor of the operating system environment.
0 Assignments
0 Petitions
Accused Products
Abstract
In one embodiment, the present invention includes a method to establish a secure pre-boot environment in a computer system and performs at least one secure operation in the secure environment. In one embodiment, the secure operation may be storage of a secret in the secure pre-boot environment.
64 Citations
12 Claims
-
1. A method comprising:
-
providing control to firmware responsive to a power-up event in a computer system; establishing a secure pre-boot environment in response to a determination that a processor in said system is security enabled; generating a digest including information about the computer system in the secure pre-boot environment; initializing said processor before a trusted operating system is loaded in said system; generating a secret in the form of a root key, sealing the root key using a key accessible only to a fixed token secured to a motherboard of the computer system, storing the secret in the fixed token secured to the motherboard of the computer system while in the pre-boot environment and releasing the root key to the computer system only while in the secure pre-boot environment; transferring the computer system from the secure pre-boot environment including a secure mode to an operating system environment and maintaining the secure mode of the secure pre-boot environment in a background of the operating system environment to maintain platform integrity; and receiving system management interrupts in a secure virtual machine monitor in the secure pre-boot environment and in the operating system environment if the operating system environment is not a secure environment, otherwise receiving the system management interrupts in the secure virtual machine monitor of the operating system environment. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A non-transitory computer readable medium storing instructions to cause a computer system to:
-
provide control to firmware responsive to a power-up event; establish a secure pre-boot environment in response to a determination that a processor in said system is security enabled, said secure pre-boot environment to store code to perform cryptographic computations before booting; generate a digest including information about the computer system in the secure pre-boot environment; initialize said processor before a trusted operating system is loaded in said system; storing instructions to generate a secret in the form of a root key, seal the root key using a key accessible only to a fixed token secured to a motherboard of the computer system, store the secret in the fixed token secured to the motherboard of the computer system while in the pre-boot environment and release the root key to the computer system only while in the secure pre-boot environment; storing instructions to transfer the computer system from the secure pre-boot environment including a secure mode to an operating system environment and maintain the secure mode of the secure pre-boot environment in a background of the operating system environment to maintain platform integrity; and storing instructions to receive system management interrupts in a secure virtual machine monitor in the secure pre-boot environment and in the operating system environment if the operating system environment is not a secure environment, otherwise receive the system management interrupts in the secure virtual machine monitor of the operating system environment. - View Dependent Claims (8, 9, 10, 11, 12)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeIntel Corporation
-
Original AssigneeIntel Corporation
-
InventorsZimmer, Vincent J., Bigbee, Bryant E., Fish, Andrew J., Doran, Mark S.
-
Primary Examiner(s)Najjar, Saleh
-
Assistant Examiner(s)Pan, Peiliang
-
Application NumberUS14/679,145Publication NumberTime in Patent Office1,485 DaysField of Search713 1, 713 2US Class CurrentCPC Class CodesG06F 21/57 Certifying or maintaining t...G06F 21/575 Secure bootG06F 2221/034 Test or assess a computer o...G06F 9/4401 Bootstrapping security arra...G06F 9/4406 Loading of operating systemG06F 9/4416 Network booting; Remote ini...
