Methods and apparatus for secure collection and display of user interface information in a pre-boot environment

US 20040268135A1
Filed: 06/25/2003
Published: 12/30/2004
Est. Priority Date: 06/25/2003
Status: Active Grant

First Claim

Patent Images

1. A method of receiving a password, the method comprising:

receiving a password routine, the password routine being digitally signed using a private key;

authenticating the password routine using a public key associated with the private key;

storing the password routine in a first area of a memory device, the first area of the memory device being unavailable to a memory management unit, the memory device including a second area, the second area being available to the memory management unit; and

executing the password routine in a pre-boot environment to receive the password.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for secure collection and display of user interface information in a pre-boot environment are disclosed. A disclosed system executes trusted software under a secure mode of a processor. In the secure mode, the processor may directly access an area of memory that normally cannot be accessed. One or more software routines, device drivers, digital certificates, hash codes, encryption keys, and/or any other data may be stored in the secure area of memory. Software routines and device drivers stored in the secure area of memory and/or certified by data in the secure area of memory may be “trusted.” Preferably, trusted software routines and/or device drivers are digitally signed by a trusted source (e.g., Microsoft). In addition to trusted interface objects, the pre-boot environment may include non-trusted interface objects. These non-trusted interface objects may use third party software routines and/or device drivers. Accordingly, both trusted and non-trusted interface objects may be used in the same pre-boot interface.

Citations

28 Claims

1. A method of receiving a password, the method comprising:
- receiving a password routine, the password routine being digitally signed using a private key;
  
  authenticating the password routine using a public key associated with the private key;
  
  storing the password routine in a first area of a memory device, the first area of the memory device being unavailable to a memory management unit, the memory device including a second area, the second area being available to the memory management unit; and
  
  executing the password routine in a pre-boot environment to receive the password.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A method as defined in claim 1, further comprising executing a non-trusted device driver in the pre-boot environment.
  - 3. A method as defined in claim 2, wherein the non-trusted device driver is only executed if the password matches a password stored in the first area of the memory device.
  - 4. A method as defined in claim 3, wherein the non-trusted device driver is stored in the second area of the memory device.
  - 5. A method as defined in claim 1, wherein executing the password routine comprises executing the password routine using a processor in a secure mode, the secure mode being a hardware feature of the processor.
  - 6. A method as defined in claim 5, wherein the secure mode limits the use of input hardware.
  - 7. A method as defined in claim 6, wherein the secure mode limits the use of output hardware.
  - 8. A method as defined in claim 1, wherein the password routine calls a trusted graphics routine, the trusted graphics routine being digitally signed.
  - 9. A method as defined in claim 8, wherein the trusted graphics routine calls a trusted display driver, the trusted display driver being digitally signed.
  - 10. A method as defined in claim 1, wherein the password routine calls a trusted keyboard driver, the trusted keyboard driver being digitally signed.
  - 11. A method as defined in claim 1, wherein the password comprises a basic input output system (BIOS) password.

12. An apparatus to execute a trusted software program in a pre-boot environment, the apparatus comprising:
- a memory device including a first memory portion and a second memory portion, the first memory portion storing the trusted software program;
  
  a memory management unit operatively coupled to the memory device, the memory management unit being unable to access the first memory portion, the memory management unit being able to access the second memory portion; and
  
  a processor operatively coupled to the memory device, the processor to execute the trusted software program in the pre-boot environment.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. An apparatus as defined in claim 12, further comprising a non-trusted software program stored in the second memory portion.
  - 14. An apparatus as defined in claim 13, wherein the processor executes the non-trusted software program in the pre-boot environment.
  - 15. An apparatus as defined in claim 12, wherein the trusted software program comprises a hardware driver.
  - 16. An apparatus as defined in claim 15, wherein the hardware driver comprises a keyboard driver.
  - 17. An apparatus as defined in claim 15, wherein the hardware driver comprises a display driver.
  - 18. An apparatus as defined in claim 12, wherein the trusted software program comprises a graphical user interface display routine.
  - 19. An apparatus as defined in claim 12, wherein the trusted software program comprises a password collection routine.
  - 20. An apparatus as defined in claim 12, wherein the processor includes a secure mode that limits the use of input hardware and output hardware connected to the processor.
  - 21. An apparatus as defined in claim 20, wherein the processor executes the trusted software program in the pre-boot environment while the processor is in the secure mode.

22. An apparatus to collect a password in a pre-boot environment, the apparatus comprising:
- a memory device including a first memory portion and a second memory portion, the second memory portion storing a keyboard driver, a display driver, graphics routine, and a password collection routine;
  
  a memory management unit operatively coupled to the memory device, the memory management unit being able to access the first memory portion, the memory management unit being unable to access the second memory portion; and
  
  a processor operatively coupled to the memory device, the processor to execute the keyboard driver, the display driver, the graphics routine, and the password collection routine in the pre-boot environment to collect the password in the pre-boot environment.
- View Dependent Claims (23, 24, 25)
- - 23. An apparatus as defined in claim 22, wherein the keyboard driver, the display driver, the graphics routine, and the password collection routine are each authenticated using a digital signature.
  - 24. An apparatus as defined in claim 22, wherein the processor includes a secure mode that limits the use of input hardware and output hardware connected to the processor.
  - 25. An apparatus as defined in claim 24, wherein the processor executes the keyboard driver, the display driver, the graphics routine, and the password collection routine in the pre-boot environment while the processor is in the secure mode.

26. A machine readable medium storing instructions structured to cause a machine to:
- receive a password routine, the password routine being digitally signed using a private key;
  
  authenticate the password routine using a public key associated with the private key;
  
  store the password routine in a first area of a memory device, the first area of the memory device being unavailable to a memory management unit, the memory device including a second area, the second area being available to the memory management unit; and
  
  execute the password routine in a pre-boot environment to receive the password.
- View Dependent Claims (27, 28)
- - 27. A machine readable medium as defined in claim 26, wherein the instructions are structured to cause the machine to executing a non-trusted software routine in the pre-boot environment, the non-trusted software routine being stored in the second area of the memory device.
  - 28. A machine readable medium as defined in claim 27, wherein the non-trusted software routine comprises a legacy driver.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Zimmer, Vincent J., Rothman, Michael A.

Granted Patent

US 7,380,136 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/189
CPC Class Codes

G06F 21/575   Secure boot

G06F 21/74   operating in dual or compar...

G06F 2221/2105   Dual mode as a secondary as...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/3226   using a predetermined code,...

Methods and apparatus for secure collection and display of user interface information in a pre-boot environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for secure collection and display of user interface information in a pre-boot environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links