Computer with a modified north bridge, security engine and smart card having a secure boot capability and method for secure booting a computer

US 20030018892A1
Filed: 07/19/2001
Published: 01/23/2003
Est. Priority Date: 07/19/2001
Status: Abandoned Application

First Claim

Patent Images

1. A system for securely booting a computer including a main central processing unit, main random access memory, peripheral devices controllers and a bus coupled to said peripheral devices controllers, said system comprising:

a) a memory controller hub coupled to said central processing unit, said random access memory and said bus;

b) a security engine including a security kernel stored in a second memory coupled to said memory controller;

c) a smart card coupled to said security engine.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system to provide secure boot process for a personal computer. A security kernel forming part of the invention typically resides in the upper area in memory for encrypting/decrypting data from any application that is running under the operating system. The invention allows two operating systems to work separately using the same hardware. The method and system also provides real time encryption for any peripheral that has been selected for which encryption is required during run time operations such as while receiving or sending confidential information over the Internet using a modem or network connection. In place of a standard BIOS, the invention utilizes a security engine including a kernel stored in a flash memory, a modified north bridge and a smart card for auto burning the flash memory portion of the security engine and key generation.

260 Citations

24 Claims

1. A system for securely booting a computer including a main central processing unit, main random access memory, peripheral devices controllers and a bus coupled to said peripheral devices controllers, said system comprising:
- a) a memory controller hub coupled to said central processing unit, said random access memory and said bus;
  
  b) a security engine including a security kernel stored in a second memory coupled to said memory controller;
  
  c) a smart card coupled to said security engine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 24)
- - 2. The system defined by claim 1 wherein the security engine comprises:
    - a) a central processing unit bus controller interface coupled to the memory controller hub;
      
      b) a security engine processor coupled to the central processing unit bus controller interface;
      
      c) an address decode unit coupled to the central processing unit bus controller interface;
      
      d) a flash memory controller coupled to the address decode unit;
      
      e) a flash memory coupled to the flash memory controller;
      
      f) a general purpose bus controller coupled to the address decode unit;
      
      g) a general purpose bus coupled to the general purpose bus controller;
      
      h) a programmable input/output controller coupled to the general purpose bus;
      
      i) programmable interrupt controller coupled to the general purpose bus.
  - 3. The system defined by claim 2 wherein the memory controller hub comprises:
    - a) a host bus controller coupled to the main central processing unit through a security bus interface;
      
      b) a high speed bridge controller coupled to the host bus controller, the security engine processor and main random access memory;
      
      c) a security kernel memory area which includes lock circuit logic which operates so that only the security engine can access the security kernel memory area;
      
      d) logic to support concurrent main central processing unit, security engine, and bus transactions in the main random access memory, and concurrent operations of the main central processing unit and security engine buses.
  - 4. The system defined by claim 1 wherein the smart card comprises:
    - a) a central processing unit;
      
      b) a read only memory storing code for auto burning electrically erasable read only memory, digital signature creation and checking, cyclical redundancy checking, key generation and communications;
      
      c) an electrically erasable read only memory for storing a user'"'"'s digital signature and encryption keys, d) digital inputs/outputs for controlling auto burning, address IRQ lines from the security engine and communications between the security engine and the smart card.
  - 5. The system defined by claim 1 wherein the security kernel comprises software which when executed by the security engine central processing unit:
    - a) initializes the memory hub controller;
      
      b) disables the main central processing unit;
      
      c) partitions the main random access memory;
      
      d) creates and checks digital signatures;
      
      e) interfaces with the smart card.
  - 6. The system defined by claim 1 wherein said security engine further comprises a one time pad system to enable secure communications over unsecured connections.
  - 7. The system defined by claim 6 wherein said one time pad system uses a single key to encrypt/decrypt messages and communication between parties over an unsecured connection is terminated, the security kernel operates to destroy all the data concerning the key.
  - 8. The system defined by claim 7 wherein to create a key for the one time pad system, each of the parties involved in the communication generates a seed for a true random number generator, each of which seeds is used in order to create a random key.
  - 9. The system defined by claim 8 wherein prior to initiation of a unrestricted communication between at least two computers, each computer checks a digital signature of each other computer using an arbiter computer to start and finish sending credentials and the security kernel of each computer independently checks the digital signature of the other computers and if the digital signature of any one computer fails, communication between each of computers is prevented.
  - 10. The system defined by claim 1 wherein said security kernel is configured to allow a kernel of a second operating system to reside in the main random access memory concurrently with said security kernel.
  - 11. The system defined by claim 1 wherein security kernel provides an interrupt vector to the main central processing unit after a digital signature has been verified to enable the main central processing unit to boot an operating system.
  - 12. The system defined by claim 2 wherein the security kernel is configured to allow loading of a driver for any peripheral device during a booting process into said flash memory.
  - 13. The system defined by claim 1 wherein the security kernel is loaded to a secure memory area within said main random access memory, such that a memory map of said main random access memory map includes within said secure memory area a security kernel interrupt vector table, a security kernel stack, a security kernel data segment.
  - 14. The system defined by claim 1 wherein said main central processing unit is disabled until completion of a boot procedure by said security engine and said main random access memory is partitioned to provide an interrupt table for the main central processing unit and a second interrupt table for said security kernel.
  - 15. The system defined by claim 1 wherein said security kernel is configured to create and check a digital signature to enable said secure boot of said computer.
  - 16. The system defined by claim 4 wherein said auto burning configures a flash memory to store keys to provide security for peripheral device controllers.
  - 17. The system defined by claim 1 wherein after the computer has been personalized for a particular user, the security kernel selectively connects the computer to a remote server, download an operating system and install necessary drivers.
  - 18. The system defined by claim 3 wherein the host bus controller includes a state machine which is configured to disable the main central processing unit and said host bus after a cold or warm restart.
  - 19. The system defined by claim 1 said security engine includes a peer host/PCI security to start security engine initialization after a hardware reset or power on and disable a host bus and main central processing unit cache.
  - 20. The system defined by claim 1 wherein said smart card operates to create security folders within which any application can store its own encrypted data representing credentials of a user of the application.
  - 21. The system defined by claim 1 wherein said smart card includes logic for verifying a digital signature over a network.
  - 22. The system defined by claim 20 wherein said smart card includes a locked digital signature to protect and secure the data stored into the folders.
  - 24. The method defined by claim 23 wherein during said attempting to verify step, a smart card and a security kernel independently calculate an authentication number based on said digital signature previously stored in separate secure memory areas during an initialization process.

23. A method for securely booting a computer including a main central processing unit, main random access memory, peripheral devices controllers and a bus coupled said peripheral devices controllers, said method comprising the steps of:
- a) sending a command to initiate a verification for a digital signature;
  
  b) attempting to verify said digital signature using a predetermined algorithm;
  
  c) if said digital signature is verified, enabling a main central processing unit and allowing a boot of an operating system;
  
  d) if said digital signature is not verified, display a predetermined message and disable said peripheral device controllers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Coder Technologies Incorporated
Original Assignee
Coder Technologies Incorporated
Inventors
Tello, Jose

Application Number

US09/908,769
Publication Number

US 20030018892A1
Time in Patent Office

Days
Field of Search
US Class Current

713/164
CPC Class Codes

G06F 21/109   by using specially-adapted ...

G06F 21/123   by using dedicated hardware...

G06F 21/575   Secure boot

G06F 21/85   interconnection devices, e....

Computer with a modified north bridge, security engine and smart card having a secure boot capability and method for secure booting a computer

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

260 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Computer with a modified north bridge, security engine and smart card having a secure boot capability and method for secure booting a computer

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

260 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others