Methods and apparatus to provide secure firmware storage and service access

US 20040268141A1
Filed: 06/27/2003
Published: 12/30/2004
Est. Priority Date: 06/27/2003
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access to execution resources comprising:

receiving a request to execute an instruction in a pre-boot environment;

determining an identity of the instruction;

determining if an access control list includes an entry corresponding to the instruction; and

selectively allowing the execution of the instruction if the access control list includes an entry corresponding to the instruction.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus to provide secure firmware storage and service access are disclosed. One example method may include receiving a request to execute an instruction in a pre-boot environment, determining an identity of the instruction, determining if an access control list includes an entry corresponding to the instruction, and selectively allowing the execution of the instruction if the access control list includes an entry corresponding to the instruction.

34 Citations

View as Search Results

23 Claims

1. A method of controlling access to execution resources comprising:
- receiving a request to execute an instruction in a pre-boot environment;
  
  determining an identity of the instruction;
  
  determining if an access control list includes an entry corresponding to the instruction; and
  
  selectively allowing the execution of the instruction if the access control list includes an entry corresponding to the instruction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method as defined by claim 1, further including allowing the execution of the instruction if a signature in the access control list matches a signature of the instruction.
  - 3. A method as defined by claim 1, including selectively allowing the execution of the instruction if the access control list does not include an entry corresponding to the instruction if the instruction is signed.
  - 4. A method as defined by claim 1, wherein the instruction is requested by a service call to be executed.
  - 5. A method as defined by claim 4, including determining from the access control list system resources that may be used by the instruction.
  - 6. A method as defined by claim 4, including determining an identity of an entity making the service call.
  - 7. A method as defined by claim 4, including determining if the instruction to be executed is within a predefined area of memory.
  - 8. A method as defined by claim 1, wherein the instruction is an operating system loader that dictates a secure boot and wherein a recovery mode of operation is entered if the access control list does not include an entry corresponding to the instruction.

9. An article of manufacture comprising a machine-accessible medium having a plurality of machine accessible instructions that, when executed, cause a machine to:
- receive a request to execute an instruction in a pre-boot environment;
  
  determine an identity of the instruction;
  
  determine if an access control list includes an entry corresponding to the instruction; and
  
  selectively allow the execution of the instruction if the access control list includes an entry corresponding to the instruction.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. A machine-accessible medium as defined by claim 9, wherein the plurality of machine accessible instructions, when executed, cause a machine to allow the execution of the instruction if a signature in the access control list matches a signature of the instruction.
  - 11. A machine-accessible medium as defined by claim 9, wherein the plurality of machine accessible instructions, when executed, cause a machine to selectively allow the execution of the instruction if the access control list does not include an entry corresponding to the instruction if the instruction is signed.
  - 12. A machine-accessible medium as defined by claim 9, wherein the instruction is requested to be executed by a service call.
  - 13. A machine-accessible medium as defined by claim 9, wherein the plurality of machine accessible instructions, when executed, cause a machine to determine from the access control list system resources that may be used by the instruction.
  - 14. A machine-accessible medium as defined by claim 13, wherein the plurality of machine accessible instructions, when executed, cause a machine to determine an identity of an entity making the service call.
  - 15. A machine-accessible medium as defined by claim 13, wherein the plurality of machine accessible instructions, when executed, cause a machine to determine if the instruction to be executed is within a predefined area of memory.
  - 16. A machine-accessible medium as defined by claim 9, wherein the instruction is an operating system loader that dictates a secure boot and wherein a recovery mode of operation is entered if the access control list does not include an entry corresponding to the instruction.

17. A system comprising:
- an execution environment configured to execute code;
  
  a instruction to be executed;
  
  a platform security unit coupled to the execution environment and receiving a request to execute the instruction in a pre-boot environment, wherein the platform security unit is configured to;
  
  determine an identity of the instruction, determine if an access control list includes an entry corresponding to the instruction, and selectively allow the execution of the instruction by the execution environment if the access control list includes an entry corresponding to the instruction.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. A system as defined by claim 17, wherein the platform security unit allows the execution of the instruction by the execution environment if a signature in the access control list matches a signature of the instruction.
  - 19. A system as defined by claim 17, wherein the platform security unit selectively allows the execution of the instruction by the execution environment if the access control list does not include an entry corresponding to the instruction if the instruction is signed.
  - 20. A system as defined by claim 17, wherein the instruction is requested by a service call to be executed.
  - 21. A system as defined by claim 20, wherein the platform security unit determines from the access control list system resources that may be used by the instruction.
  - 22. A system as defined by claim 20, wherein the platform security unit determines an identity of an entity making the service call.
  - 23. A system as defined by claim 20, wherein the platform security unit determines if the instruction to be executed is within a predefined area of memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Zimmer, Vincent J., Rothman, Michael A., Ellison, Carl M., Doran, Mark S., Fish, Andrew J.

Granted Patent

US 7,328,340 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/17
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/575   Secure boot

G06F 21/608   Secure printing

G06F 2221/2141   Access rights, e.g. capabil...

Methods and apparatus to provide secure firmware storage and service access

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus to provide secure firmware storage and service access

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links