Microcode patch authentication

US 20030196096A1
Filed: 04/12/2002
Published: 10/16/2003
Est. Priority Date: 04/12/2002
Status: Abandoned Application

First Claim

Patent Images

1. A machine-readable medium that provides instructions, which when executed by a set of one or more processors, cause said set of processors to perform operations comprising:

generating a hash digest for a microcode patch;

encrypting the hash digest to generate a digital signature; and

combining the digital signature and the microcode patch for delivery to a target processor to patch microcode in the target processor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Microcode patches are encoded before delivery to a target processor that is to install the microcode patches. The target processor validates the microcode patches before installation. The security of the process may be enhanced by one or more of: 1) performing the validation in a secure memory, 2) using a public/private key pair for encryption and decryption of the microcode patch, 3) using at least one key that is embedded in the target processor and that cannot be read by non-secure software, and 4) using a hash value that is embedded in the target processor to validate at least one non-embedded key.

223 Citations

30 Claims

1. A machine-readable medium that provides instructions, which when executed by a set of one or more processors, cause said set of processors to perform operations comprising:
- generating a hash digest for a microcode patch;
  
  encrypting the hash digest to generate a digital signature; and
  
  combining the digital signature and the microcode patch for delivery to a target processor to patch microcode in the target processor.
- View Dependent Claims (2, 3)
- - 2. The medium of claim 1, wherein:
    - said combining includes combing a key with the digital signature and the microcode patch for the delivery to the target processor.
  - 3. The medium of claim 1, wherein:
    - said combining includes combining a hash value of a key with the digital signature and the microcode patch for the delivery to the target processor.

4. A method, comprising:
- generating a hash digest for a microcode patch;
  
  encrypting the hash digest with a private key for an asymmetric cryptographic algorithm to generate a digital signature; and
  
  combining the digital signature and the microcode patch for delivery to a processor to patch microcode of the processor.
- View Dependent Claims (5, 6)
- - 5. The method of claim 4, further comprising:
    - encrypting the microcode patch;
      
      wherein said generating the hash digest includes generating the hash digest before said encrypting the microcode patch; and
      
      wherein said combining includes combining the digital signature with the encrypted microcode patch.
  - 6. The method of claim 4, further comprising:
    - encrypting the microcode patch;
      
      wherein said generating the hash digest includes generating the hash digest after said encrypting the microcode patch; and
      
      wherein said combining includes combining the digital signature with the encrypted microcode patch.

7. A machine-readable medium containing data comprising:
- a microcode patch to patch microcode in a target system; and
  
  a digital signature produced by encrypting a digest created by performing a hash operation on the microcode patch.
- View Dependent Claims (8, 9, 10)
- - 8. The medium of claim 7, wherein the data further comprises:
    - a key to decrypt the digital signature to produce the digest.
  - 9. The medium of claim 7, wherein the data further comprises:
    - a hash value of a key to validate the microcode patch.
  - 10. The medium of claim 7, wherein:
    - the microcode patch is encrypted.

11. An apparatus, comprising:
- a processor having microcode;
  
  a secure memory coupled to the processor to decode an encoded microcode patch; and
  
  a microcode patch memory coupled to the microcode to contain the decoded microcode patch.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The apparatus of claim 11, wherein:
    - the microcode includes microinstructions to decode the encoded microcode patch; and
      
      the secure memory is to contain at least one of the encoded microcode patch, the decoded microcode patch, and interim products during decoding of the microcode patch.
  - 13. The apparatus of claim 11, wherein:
    - the microcode includes microinstructions to decode the encoded microcode patch; and
      
      the secure memory is to simultaneously contain no more than a portion of at least one of the encoded microcode patch, the decoded microcode patch, and interim products during decoding of the microcode patch.
  - 14. The apparatus of claim 11, wherein:
    - the processor includes an embedded key to use to decode the encoded microcode patch.
  - 15. The apparatus of claim 14, wherein:
    - the embedded key is a public key in an asymmetric cryptographic algorithm.

16. A method, comprising:
- obtaining a microcode patch and an associated digital signature;
  
  decrypting the digital signature in a secure memory to obtain a first hash digest;
  
  calculating a second hash digest with the microcode patch;
  
  comparing the first hash digest with the second hash digest; and
  
  installing the microcode patch in a microcode patch memory responsive to a match between the first and second hash digests.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The method of claim 16, further comprising:
    - decrypting the microcode patch;
      
      wherein said calculating the second hash digest includes calculating the second hash digest with an encrypted version of the microcode patch.
  - 18. The method of claim 16, further comprising:
    - decrypting the microcode patch;
      
      wherein said calculating the second hash digest includes calculating the second hash digest with a decrypted version of the microcode patch.
  - 19. The method of claim 16, wherein:
    - said decrypting the digital signature includes performing an asymmetric decryption using a public key.
  - 20. The method of claim 16, wherein:
    - said decrypting the digital signature includes using an embedded key.
  - 21. The method of claim 16, wherein:
    - said decrypting the digital signature includes performing an asymmetric decryption using a key provided with the microcode patch.

22. A machine-readable medium that provides instructions, which when executed by a set of one or more processors, cause said set of processors to perform operations comprising:
- obtaining a microcode patch and an associated digital signature;
  
  decrypting the digital signature to obtain a first hash digest;
  
  calculating a second hash digest with the microcode patch;
  
  comparing the first hash digest with the second hash digest; and
  
  installing the microcode patch responsive to a match between the first hash digest and the second hash digest.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. The medium of claim 22, further comprising:
    - decrypting the microcode patch;
      
      wherein said calculating the second hash digest includes calculating the second hash digest with an encrypted version of the microcode patch.
  - 24. The medium of claim 22, further comprising:
    - decrypting the microcode patch;
      
      wherein said calculating the second hash digest includes calculating the second hash digest with a decrypted version of the microcode patch.
  - 25. The medium of claim 22, wherein:
    - said decrypting the digital signature includes performing an asymmetric decryption using a public key.
  - 26. The medium of claim 22, wherein:
    - said decrypting the digital signature includes performing an asymmetric decryption using an embedded key.
  - 27. The method of claim 22, wherein:
    - said decrypting the digital signature includes performing an asymmetric decryption using a key provided with the microcode patch and the associated digital signature.

28. A system, comprising:
- a processor having microcode and an embedded key; and
  
  a microcode patch package residing in at least one of a storage device and a basic input-output system coupled with the processor, the microcode patch package including a microcode patch to patch the microcode and a digital signature to validate the microcode patch using the embedded key.
- View Dependent Claims (29, 30)
- - 29. The system of claim 28, wherein:
    - the microcode patch is in an encrypted form in the microcode patch package.
  - 30. The system of claim 28, further comprising:
    - a secure memory to contain the microcode patch during validation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Sutton, James A.

Application Number

US10/121,807
Publication Number

US 20030196096A1
Time in Patent Office

Days
Field of Search
US Class Current

713/181
CPC Class Codes

G06F 21/572 Secure firmware programming...

Microcode patch authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

223 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Microcode patch authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

223 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others