System and method for securely storing firmware
Abstract
A mechanism for creating and accessing a secure storage area for firmware that stores a “Virtual ROM” module reference or pointer in the actual ROM that includes a unique identifier for the virtual ROM module to be retrieved is discussed. The actual ROM image also contains a generated unique identifier for the whole machine. In retrieving a Virtual ROM module, both the module identifier and the machine identifier are used. Once retrieved, the module is validated using a message digest stored in the Virtual ROM module reference. If required, the Virtual ROM module is then decrypted using a secret key that is stored elsewhere in the actual ROM. Updates to the Virtual ROM module are made in memory by pre-boot code. At a point in time when these updates are complete, the Virtual ROM module is written back out to the location from which it was retrieved. The Virtual ROM module reference that is in the actual ROM is updated to reflect the new message digest value and the module reference and the machine identifier used for the PC are write-disabled. Additionally, if the storage has been encrypted, and a secret key is being used, the region of the actual ROM that contains the secret key is read-disabled.
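The lifecycle in the abstract (locate the Virtual ROM module by module and machine identifier, validate it against the digest held in the actual ROM, decrypt it with the ROM-resident secret key, update it in memory, write it back with a refreshed digest, then write-disable the reference and read-disable the key region) is simulated below. This is an added illustration, not code from the patent or any vendor's firmware. It assumes a dictionary as a stand-in for secondary storage, SHA-256 as the message digest, and a toy HMAC-based counter-mode stream cipher in place of the unspecified real cipher; all identifiers, keys and module contents are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy counter-mode stream cipher from HMAC-SHA256 (assumption: stands in for
    # the real block cipher so the example needs no third-party library).
    # Only safe if a (key, nonce) pair is never reused, hence a fresh nonce per write.
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_container(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + _keystream_xor(key, nonce, plaintext)


def decrypt_container(key: bytes, container: bytes) -> bytes:
    return _keystream_xor(key, container[:16], container[16:])


@dataclass
class VirtualRomReference:
    """The 'Virtual ROM module reference' that lives in the actual ROM."""
    module_id: bytes
    digest: bytes                 # SHA-256 of the encrypted container as stored
    write_disabled: bool = False


@dataclass
class ActualRom:
    """The parts of the real ROM image the scheme relies on."""
    machine_id: bytes
    secret_key: bytes
    reference: VirtualRomReference
    machine_id_write_disabled: bool = False
    key_read_disabled: bool = False


def storage_location(module_id: bytes, machine_id: bytes) -> str:
    # Module id AND machine id select the slot, so a container lifted from another
    # machine resolves to a different location and is simply not found.
    return hashlib.sha256(module_id + b"|" + machine_id).hexdigest()


def build_rom(plaintext, module_id, machine_id, secret_key, storage) -> ActualRom:
    """Build time: encrypt the container, write it out, embed the reference in ROM."""
    container = encrypt_container(secret_key, plaintext)
    storage[storage_location(module_id, machine_id)] = container
    return ActualRom(machine_id, secret_key,
                     VirtualRomReference(module_id, hashlib.sha256(container).digest()))


def retrieve_module(rom: ActualRom, storage: Dict[str, bytes]) -> bytes:
    """Pre-boot: locate, validate against the ROM-resident digest, then decrypt."""
    container = storage.get(storage_location(rom.reference.module_id, rom.machine_id))
    if container is None:
        raise LookupError("no Virtual ROM module for this module/machine pair")
    # A plain digest is trustworthy only because the reference holding it is in
    # ROM and gets write-disabled; compare in constant time anyway.
    if not hmac.compare_digest(hashlib.sha256(container).digest(), rom.reference.digest):
        raise ValueError("Virtual ROM module failed digest validation")
    if rom.key_read_disabled:
        raise PermissionError("secret key region is read-disabled")
    return decrypt_container(rom.secret_key, container)


def write_back(rom: ActualRom, storage: Dict[str, bytes], updated: bytes) -> bytes:
    """Pre-boot: commit in-memory updates and refresh the digest in the reference."""
    if rom.reference.write_disabled or rom.key_read_disabled:
        raise PermissionError("ROM already locked; updates are no longer possible")
    container = encrypt_container(rom.secret_key, updated)
    storage[storage_location(rom.reference.module_id, rom.machine_id)] = container
    rom.reference.digest = hashlib.sha256(container).digest()
    return rom.reference.digest


def lock_rom(rom: ActualRom) -> None:
    """End of pre-boot: write-disable reference and machine id, read-disable the key."""
    rom.reference.write_disabled = True
    rom.machine_id_write_disabled = True
    rom.key_read_disabled = True


def boot_lifecycle_demo() -> dict:
    """Walk the lifecycle on constructed sample data and report each outcome."""
    storage: Dict[str, bytes] = {}        # constructed stand-in for secondary storage
    key = hashlib.sha256(b"constructed demo key").digest()
    rom = build_rom(b"boot settings v1", b"module-1", b"MACHINE-0001", key, storage)
    first = retrieve_module(rom, storage)
    write_back(rom, storage, b"boot settings v2")
    second = retrieve_module(rom, storage)
    loc = storage_location(b"module-1", b"MACHINE-0001")
    # One flipped byte in the stored container is caught by the digest in ROM.
    tampered = dict(storage, **{loc: storage[loc][:-1] + bytes([storage[loc][-1] ^ 1])})
    try:
        retrieve_module(rom, tampered); tamper_detected = False
    except ValueError:
        tamper_detected = True
    # The same container filed under another machine id is never selected.
    moved = {storage_location(b"module-1", b"MACHINE-0002"): storage[loc]}
    try:
        retrieve_module(rom, moved); cross_machine_blocked = False
    except LookupError:
        cross_machine_blocked = True
    lock_rom(rom)
    try:
        write_back(rom, storage, b"boot settings v3"); locked = False
    except PermissionError:
        locked = True
    return {"first": first, "second": second, "tamper_detected": tamper_detected,
            "cross_machine_blocked": cross_machine_blocked, "locked_after_boot": locked}
```

The digest guards the container's integrity only for as long as the reference that stores it cannot be rewritten, which is why the write-disable step and the digest validation belong together; `retrieve_module` refusing to read the key once it is read-disabled models the intent that nothing after pre-boot can recover the plaintext key.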
20 Claims
1. A method of providing secure storage for firmware in a computing device that executes from a ROM prior to the loading of the operating system, comprising:
providing a designated secure storage container holding firmware, the firmware being executed prior to the loading of the operating system for the computing device;
encrypting the designated secure storage container using a secure storage encryption key;
including a reference to the encrypted storage container in a build of firmware placed in a ROM image, writing the encrypted secure storage container to secondary storage outside the ROM using at least one unique identifier;
using the reference in the ROM image to retrieve the encrypted secure storage container prior to the loading of the operating system for the computing device.
Dependent claims: 2 through 13.
14. A system for providing secure storage of firmware for a computing device that executes from a ROM pre-boot, comprising:
a firmware ROM image, the firmware ROM image including a reference for at least one encrypted designated secure storage container holding firmware to be executed before the loading of the operating system, the reference to the at least one encrypted designated secure storage container including a message digest for the encrypted designated secure storage container that is used to verify the authenticity of the encrypted designated secure storage container prior to executing the firmware from the encrypted designated secure storage container;
the designated secure storage container, the designated secure storage container encrypted with a secure storage encryption key and stored in secondary storage separately from the ROM; and
the secure storage encryption key used to initially encrypt the designated secure storage container and then subsequently decrypt the designated secure storage container following its retrieval from secondary storage, the secure storage container located in a portion of the ROM image marked as read-disabled at a point prior to the loading of the operating system.
Dependent claims: 15 and 16.
17. A medium holding computer-executable instructions for providing secure storage for firmware in a computing device that executes from a ROM prior to the loading of the operating system, the instructions comprising:
instructions for providing a designated secure storage container holding firmware, the firmware being executed prior to the loading of the operating system for the computing device;
instructions for encrypting the designated secure storage container using a secure storage encryption key;
instructions for including a reference to the encrypted storage container in a build of firmware placed in a ROM image, instructions for writing the encrypted secure storage container to secondary storage outside the ROM using at least one unique identifier; and
instructions for using the reference in the ROM image to retrieve the encrypted secure storage container prior to the loading of the operating system for the computing device.
Dependent claims: 18, 19 and 20.