Methods and apparatus for providing seamless file system encryption and redundant array of independent disks from a pre-boot environment into a firmware interface aware operating system

US 20040158711A1
Filed: 02/10/2003
Published: 08/12/2004
Est. Priority Date: 02/10/2003
Status: Active Grant

First Claim

Patent Images

1. A method of providing seamless Redundant Array of Independent Disks (RAID) in a computer comprising:

launching a firmware interface with a host processor in the computer prior to loading an operating system;

identifying a plurality of disks coupled to the host processor;

retrieving a global variable from a nonvolatile memory coupled to the host processor to obtain a specific RAID technique for the computer;

using the firmware interface to map the plurality of disks according to the specific RAID technique and publish a virtual disk interface for the plurality of disks;

enabling the firmware interface to perform a read operation from two or more of the plurality of disks using the specific RAID technique designated in the virtual disk interface if the operating system has not fully loaded; and

providing the virtual disk interface to the operating system to enable a commensurate software RAID to be utilized after the operating system is loaded that matches the specific RAID technique used by the firmware interface.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for providing seamless functionality in a computer are disclosed. For example, a Redundant Array of Independent Disks (RAID) configuration manager provides an operating system with a content of a virtual disk interface to enable a commensurate software RAID to be utilized after the operating system is loaded, loads a driver to abstract a plurality of disk interfaces for a plurality of disks, publishes a physical access abstraction interface and a device path protocol for each disk, obtains a global variable to obtain a specific RAID technique, publishes a virtual disk interface for the plurality of disks and maps the plurality of disks according to the specific RAID technique. An encrypted file system manager is also included to layer an encoded File Allocation Table on top of a disk and to pass to the operating system an Embedded Root Key to provide access to an encrypted Firmware Interface System Partition.

48 Citations

View as Search Results

45 Claims

1. A method of providing seamless Redundant Array of Independent Disks (RAID) in a computer comprising:
- launching a firmware interface with a host processor in the computer prior to loading an operating system;
  
  identifying a plurality of disks coupled to the host processor;
  
  retrieving a global variable from a nonvolatile memory coupled to the host processor to obtain a specific RAID technique for the computer;
  
  using the firmware interface to map the plurality of disks according to the specific RAID technique and publish a virtual disk interface for the plurality of disks;
  
  enabling the firmware interface to perform a read operation from two or more of the plurality of disks using the specific RAID technique designated in the virtual disk interface if the operating system has not fully loaded; and
  
  providing the virtual disk interface to the operating system to enable a commensurate software RAID to be utilized after the operating system is loaded that matches the specific RAID technique used by the firmware interface.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method as defined in claim 1, wherein identifying the plurality of disks comprises initiating a query across a bus coupled to the host processor.
  - 3. A method as defined in claim 1, further comprising publishing a physical access abstraction interface for each disk in the plurality of disks.
  - 4. A method as defined in claim 3, wherein publishing the physical access abstraction interfaces comprises providing information corresponding to a read operation, a write operation, a reset operation, and a physical location for each of the plurality of disks.
  - 5. A method as defined in claim 1, further comprising obtaining a device path for each of the disks in the plurality of disks.
  - 6. A method as defined in claim 1, further comprising monitoring the computer with the firmware interface for a request from an operating system loader for a set of data corresponding to the virtual disk interface.
  - 7. A method as defined in claim 1, further comprising monitoring the computer with the firmware interface prior to fully loading the operating system for a read command and a write command.
  - 8. A method as defined in claim 1, comprising performing the read operation and enabling the commensurate software RAID with the host processor.

9. A method of providing seamless Redundant Array of Independent Disks (RAID) in a computer comprising:
- launching a firmware interface with a host processor in the computer prior to loading an operating system;
  
  identifying a plurality of disks coupled to the host processor;
  
  obtaining a device path for each of the disks in the plurality of disks;
  
  retrieving a global variable from a nonvolatile memory coupled to the processor to obtain a specific RAID technique for the computer;
  
  using the firmware interface to map the plurality of disks according to the specific RAID technique and publish a virtual disk interface for the plurality of disks;
  
  enabling the firmware interface and the host processor to perform a read operation from two or more of the plurality of disks using the specific RAID technique designated in the virtual disk interface if the operating system has not fully loaded;
  
  monitoring the computer with the firmware interface for a request from an operating system loader for a set of data corresponding to the virtual disk interface; and
  
  providing the virtual disk interface to the operating system to enable a commensurate software RAID to be utilized by the host processor after the operating system is loaded that matches the specific RAID technique.
- View Dependent Claims (10, 11, 12, 13)
- - 10. A method as defined in claim 9, wherein identifying the plurality of disks comprises initiating a query across a bus coupled to the host processor.
  - 11. A method as defined in claim 9, further comprising publishing a physical access abstraction interface for each disk in the plurality of disks.
  - 12. A method as defined in claim 11, wherein publishing the physical access abstraction interfaces comprises providing information corresponding to a read operation, a write operation, a reset operation, and a physical location for each of the plurality of disks.
  - 13. A method as defined in claim 9, further comprising monitoring the computer with the firmware interface prior to fully loading the operating system for a read command and a write command.

14. For use in a computer having a processor, a Redundant Array of Independent Disks (RAID) configuration management apparatus comprising:
- a controller to provide an operating system with a content of a virtual disk interface to enable a commensurate software RAID to be utilized after the operating system is loaded;
  
  a driver loader in communication with the controller to load a driver to abstract a plurality of disk interfaces for a plurality of disks coupled to the processor, before the operating system is loaded on the computer;
  
  a driver manager in communication with the controller to aggregate a set of data corresponding to the plurality of disks and to publish a physical access abstraction interface and a device path protocol for each disk in the plurality of disks, before the operating system is loaded;
  
  a RAID I/O driver manager in communication with the controller to retrieve a global variable from a nonvolatile memory coupled to the processor to obtain a specific RAID technique for the computer and to publish a virtual disk interface for the plurality of disks, before the operating system is loaded; and
  
  a RAID mapper in communication with the controller to map the plurality of disks according to the specific RAID technique before the operating system is loaded.
- View Dependent Claims (15, 16, 17)
- - 15. An apparatus as defined in claim 14 further comprising a monitoring agent, in communication with the controller to monitor the computer for a request from the operating system for the virtual disk interface, before the operating system is fully loaded.
  - 16. An apparatus as defined in claim 15 wherein the monitoring agent is further configured to monitor the computer for a read command and a write command before the operating system is fully loaded.
  - 17. An apparatus as defined in claim 14 further comprising an operating system loader, in communication with the controller to parse a device path of the virtual disk interface.

18. An article comprising a machine-accessible medium having stored thereon instructions that, when executed by a machine, cause the machine to:
- launch a firmware interface on a host processor in the machine prior to loading an operating system;
  
  identify a plurality of disks coupled to the host processor;
  
  retrieve a global variable from a nonvolatile memory coupled to the processor to obtain a specific RAID technique for the machine;
  
  use the firmware interface to map the plurality of disks according to the specific RAID technique and publish a virtual disk interface for the plurality of disks;
  
  enable the firmware interface to perform a read operation from two or more of the plurality of disks using the specific RAID technique designated in the virtual disk interface if the operating system has not fully loaded; and
  
  provide the virtual disk interface to the operating system to enable a commensurate software RAID to be utilized by the host processor after the operating system is loaded that matches the specific RAID technique.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The article of claim 18 having further instructions that, when executed by the machine, cause the machine to initiate a query across a bus coupled to the host processor for the plurality of disks.
  - 20. The article of claim 18 having further instructions that, when executed by the machine, cause the machine to publish a physical access abstraction interface for each disk in the plurality of disks.
  - 21. The article of claim 20 having further instructions that, when executed by the machine, cause the machine to provide information corresponding to a read operation, a write operation, a reset operation, and a physical location for each of the plurality of disks.
  - 22. The article of claim 18 having further instructions that, when executed by the machine, cause the machine to obtain a device path for each of the disks in the plurality of disks.
  - 23. The article of claim 18 having further instructions that, when executed by the machine, cause the machine to monitor the machine with the firmware interface for a request from an operating system loader for a set of data corresponding to the virtual disk interface.
  - 24. The article of claim 18 having further instructions that, when executed by the machine, cause the firmware interface to monitor the machine for a read command and a write command, prior to fully loading the operating system.
  - 25. The article of claim 18 having further instructions that, when executed by the machine, cause the machine to perform the read operation with the host processor.

26. A method of providing seamless file system encryption comprising:
- launching a firmware interface in a computer prior to loading an operating system (OS);
  
  publishing a physical access abstraction interface for a disk coupled to the computer;
  
  the disk having a Firmware Interface System Partition (FISP);
  
  determining if the FISP is encrypted and layering an encoded File Allocation Table (FAT) driver on top of the disk;
  
  allowing the firmware interface to use an Embedded Root Key (ERK) to decrypt a set of data from the FISP corresponding to a read request prior to loading the OS, if the read request is from a trusted source;
  
  passing the ERK from the firmware interface to the OS; and
  
  allowing the OS to use the ERK to decrypt a second set of data from the FISP corresponding to a second read request, if the second read request is from a trusted source.
- View Dependent Claims (27, 28, 29, 30, 31)
- - 27. A method as defined in claim 26, comprising allowing the OS to use the ERK to decrypt the second set of data in response to the second read request without the occurrence of the first read request.
  - 28. A method as defined in claim 26, further comprising retrieving a variable from a nonvolatile memory coupled to the computer to obtain the ERK.
  - 29. A method as defined in claim 26, comprising identifying the disk by initiating a query across a bus coupled to the computer.
  - 30. A method as defined in claim 26, further comprising monitoring the computer with the firmware interface for the second read request from the FISP by the OS.
  - 31. A method as defined in claim 26, further comprising monitoring the computer with the firmware interface for an access request to write to the FISP by the OS;
    - and allowing the OS to use the ERK to encrypt a third set of data that is written to the FISP corresponding to the access request, if the access request is from a trusted source.

32. A method of providing seamless file system encryption comprising:
- launching a firmware interface in a computer prior to loading an operating system (OS);
  
  publishing a physical access abstraction interface for a disk coupled to the computer;
  
  the disk having a Firmware Interface System Partition (FISP);
  
  determining if the FISP is encrypted and layering an encoded File Allocation Table (FAT) driver on top of the disk;
  
  retrieving a variable from a nonvolatile memory coupled to the computer to obtain an Embedded Root Key (ERK);
  
  allowing the firmware interface to use the ERK to decrypt a set of data from the FISP corresponding to a read request prior to loading the OS, if the read request is from a trusted source;
  
  passing the ERK from the firmware interface to the OS;
  
  monitoring the computer with the firmware interface for an access request to write to the FISP by the OS; and
  
  allowing the OS to use the ERK to encrypt a second set of data that is written to the FISP corresponding to the access request, if the access request is from a trusted source.
- View Dependent Claims (33, 34, 35, 36)
- - 33. A method as defined in claim 32, comprising allowing the OS to use the ERK to encrypt the second set of data in response to the access request without the occurrence of the first read request.
  - 34. A method as defined in claim 32, comprising identifying the disk by initiating a query across a bus coupled to the computer.
  - 35. A method as defined in claim 32, further comprising monitoring the computer with the firmware interface for a second read request from the FISP by the OS.
  - 36. A method as defined in claim 32, further comprising publishing a device path protocol for the disk.

37. For use in a computer having a processor, an encrypted file system management apparatus comprising:
- a controller to pass to an operating system an Embedded Root Key (ERK) to provide access to an encrypted Firmware Interface System Partition (FISP) after the operating system is loaded;
  
  a driver loader in communication with the controller to load a driver to abstract an interface for a disk coupled to the processor, before the operating system is loaded on the computer;
  
  a driver manager in communication with the controller to publish a physical access abstraction interface and a device path protocol for the disk, before the operating system is loaded;
  
  a File Allocation Table (FAT) file system manager in communication with the controller to layer an encoded FAT on top of the disk, before the operating system is loaded on the computer;
  
  an encryption agent in communication with the controller to use the ERK to encrypt data written to the FISP and to decrypt data read from the FISP; and
  
  a monitoring agent in communication with the controller to monitor the computer for an access request to the FISP.
- View Dependent Claims (38, 39, 40)
- - 38. An apparatus as defined in claim 37 wherein the controller and the FAT file system manager retrieve a variable from a nonvolatile memory coupled to the processor to obtain the ERK.
  - 39. An apparatus as defined in claim 37 wherein the monitoring agent is accessed by the firmware interface and the OS.
  - 40. An apparatus as defined in claim 37 wherein the controller and the encryption agent use the ERK to update the FAT when a file is created or deleted.

41. An article comprising a machine-accessible medium having stored thereon instructions that, when executed by a machine, cause the machine to:
- launch a firmware interface in the machine prior to loading an operating system (OS);
  
  publish a physical access abstraction interface for a disk coupled to the machine;
  
  the disk having a Firmware Interface System Partition (FISP);
  
  determine if the FISP is encrypted and publish a device path protocol for the disk if the disk is encrypted;
  
  enable the firmware interface to use an Embedded Root Key (ERK) to decrypt a set of data from the FISP corresponding to a read request prior to loading the OS, if the read request is from a trusted source;
  
  pass the ERK from the firmware interface to the OS; and
  
  enable the OS to use the ERK to decrypt a second set of data from the FISP corresponding to a second read request, if the second read request is from a trusted source.
- View Dependent Claims (42, 43, 44, 45)
- - 42. The article of claim 41 having further instructions that, when executed by the machine, cause the machine to enable the OS to use the ERK to decrypt the second set of data in response to the second read request without the occurrence of the first read request.
  - 43. The article of claim 41 having further instructions that, when executed by the machine, cause the machine to retrieve a variable from a nonvolatile memory coupled to the machine to obtain the ERK.
  - 44. The article of claim 41 having further instructions that, when executed by the machine, cause the machine to monitor the machine with the firmware interface for the second read request from the FISP by the OS.
  - 45. The article of claim 41 having further instructions that, when executed by the machine, cause the machine to monitor the machine with the firmware interface for an access request to write to the FISP by the OS;
    - and allow the OS to use the ERK to encrypt a third set of data that is written to the FISP corresponding to the access request, if the access request is from a trusted source.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Zimmer, Vincent J.

Granted Patent

US 7,320,052 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/165
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 21/575   Secure boot

G06F 21/78   to assure secure storage of...

G06F 21/85   interconnection devices, e....

G06F 3/0607   by facilitating the process...

G06F 3/0623   in relation to content

G06F 3/0632   by initialisation or re-ini...

G06F 3/0664   at device level, e.g. emula...

G06F 3/0689   Disk arrays, e.g. RAID, JBOD

G06F 9/4406   Loading of operating system

Methods and apparatus for providing seamless file system encryption and redundant array of independent disks from a pre-boot environment into a firmware interface aware operating system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

48 Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for providing seamless file system encryption and redundant array of independent disks from a pre-boot environment into a firmware interface aware operating system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links