ACTIVE VERIFICATION OF BOOT FIRMWARE
Abstract
Techniques are described for generating and actively verifying a boot code associated with a peripheral device of a computer system to prevent potential security threats the boot code may introduce into the computer system. The techniques for generating boot code entail generating the boot code from a high-level programming language using a verification application program interface (API). The API aids in generating a certificate, which is associated with the boot code in that the certificate describes operation of the boot code. After generating the boot code and associated certificate, the two are loaded onto a memory module of the peripheral device. Once the peripheral device is connected to the computer system, the computer system may retrieve the boot code and certificate. The computer system utilizes techniques to actively verify the boot code by performing a security check on the boot code in accordance with the associated certificate. Finally, the computer system executes the boot code based on a result of the security check.
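The abstract and the generation claims (9, 26, 64) describe a proof-carrying-code arrangement: the tool that emits the boot code records facts about each block as it goes, packages them as a certificate, and the host re-checks those facts against the retrieved code before it executes anything. The following is an added example written for this page, not code from the patent or from any Open Firmware implementation. It models the flow with a hypothetical stack bytecode in place of FCode; the instruction set, the certificate fields (`digest`, `max_stack`, `mem_lo`, `mem_hi`), the function names and the sample addresses are all assumptions.

```python
import hashlib
import json

# Hypothetical stack bytecode standing in for FCode (not the real instruction set):
# ("push", n), ("add",), ("load", addr), ("store", addr), ("ret",); (pops, pushes) per op.
STACK_EFFECT = {"push": (0, 1), "add": (2, 1), "load": (0, 1), "store": (1, 0), "ret": (0, 0)}

def block_digest(block):
    """Binds a certificate entry to the exact instructions of one block."""
    return hashlib.sha256(json.dumps(block).encode()).hexdigest()

def analyse_block(block):
    """Abstract interpretation: returns (max stack depth, addresses touched) or raises."""
    depth = max_depth = 0
    addrs = []
    for ins in block:
        op = ins[0]
        if op not in STACK_EFFECT:
            raise ValueError(f"unknown opcode {op!r}")
        pops, pushes = STACK_EFFECT[op]
        if depth < pops:
            raise ValueError(f"stack underflow in {op}")
        depth += pushes - pops
        max_depth = max(max_depth, depth)
        if op in ("load", "store"):
            addrs.append(ins[1])
        if op == "ret":
            break
    return max_depth, addrs

def generate_certificate(blocks):
    """Producer side: facts gathered while emitting each block become its annotation."""
    cert = []
    for block in blocks:
        max_stack, addrs = analyse_block(block)
        cert.append({
            "digest": block_digest(block),
            "max_stack": max_stack,
            "mem_lo": min(addrs) if addrs else None,
            "mem_hi": max(addrs) if addrs else None,
        })
    return cert

def verify_boot_code(blocks, cert, device_window, stack_limit):
    """Consumer side: re-derive each annotated property, then check it against host policy."""
    if len(blocks) != len(cert):
        return False, "certificate/block count mismatch"
    win_lo, win_hi = device_window
    for i, (block, ann) in enumerate(zip(blocks, cert)):
        if block_digest(block) != ann["digest"]:
            return False, f"block {i}: digest mismatch (code altered after certification)"
        try:
            max_stack, addrs = analyse_block(block)
        except ValueError as err:
            return False, f"block {i}: {err}"
        if max_stack != ann["max_stack"] or max_stack > stack_limit:
            return False, f"block {i}: stack bound violated"
        lo, hi = ann["mem_lo"], ann["mem_hi"]
        if addrs and (lo is None or hi is None or lo < win_lo or hi > win_hi
                      or any(not lo <= a <= hi for a in addrs)):
            return False, f"block {i}: memory access outside device window"
    return True, "ok"

def execute(blocks, memory):
    """Plain interpreter; reached only after verification succeeded."""
    for block in blocks:
        stack = []
        for ins in block:
            op = ins[0]
            if op == "push":
                stack.append(ins[1])
            elif op == "add":
                stack.append(stack.pop() + stack.pop())
            elif op == "load":
                stack.append(memory.get(ins[1], 0))
            elif op == "store":
                memory[ins[1]] = stack.pop()
            elif op == "ret":
                break
    return memory

def boot_peripheral(blocks, cert, device_window, stack_limit=8):
    """Host boot path: verify first, execute only on success."""
    ok, reason = verify_boot_code(blocks, cert, device_window, stack_limit)
    if not ok:
        return "rejected", reason
    return "executed", execute(blocks, {})

# Constructed sample: a two-block init routine writing into the register window
# 0x100..0x1ff that the host permits for this (assumed) device.
GOOD_CODE = [[("push", 1), ("store", 0x100), ("ret",)],
             [("load", 0x100), ("push", 2), ("add",), ("store", 0x104), ("ret",)]]
GOOD_CERT = generate_certificate(GOOD_CODE)
DEVICE_WINDOW = (0x100, 0x1FF)
# Same code with the final store redirected outside the permitted window.
TAMPERED_CODE = [GOOD_CODE[0], GOOD_CODE[1][:3] + [("store", 0x7000), ("ret",)]]
```

Two properties of the scheme are visible in `verify_boot_code`: the digest ties each annotation to the code actually retrieved from the peripheral, so altering the code after certification is caught, and the host checks the annotations against its own bounds (`device_window`, `stack_limit`) rather than trusting them, so a certificate regenerated for tampered code is still rejected when the code reaches outside the window the host allows.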
Claims (69 in total)

1. A method comprising: upon power-up of a computer, retrieving boot code and a certificate from a peripheral device coupled to the computer, the certificate describing operation of the boot code for initializing the peripheral device, wherein the boot code is generated from a first programming language, and wherein the certificate includes an annotation defining a proof of security and safety for both (i) one or more blocks of code generated from a second programming language different from the first programming language and (ii) one or more corresponding blocks of the boot code resulting from translation of the one or more blocks of the code of the second programming language into the first programming language; verifying, with the computer, security of the boot code associated with the peripheral device by performing a security check on the boot code in accordance with the certificate; and executing the boot code with the computer to (i) initialize the peripheral device based on a result of the security check and (ii) provide, subsequent to the initialization, an interface by which the computer controls operation of the peripheral device.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 65.

9. A method comprising: generating a boot code for a peripheral device from a program written in a high-level programming language; gathering information while generating the boot code; and generating a certificate from information gathered while generating the boot code, wherein the certificate describes operation of the boot code.
Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17.

18. A device comprising: an interface to retrieve boot code and a certificate from a peripheral device upon power-up of the device, wherein the boot code is generated from a first programming language, and wherein the certificate includes annotation information defining independently verifiable proofs of security and safety of one or more blocks of code generated from a second programming language different from the first programming language; a memory module to store the boot code from the peripheral device; and a control unit to verify security of the boot code associated with the peripheral device by performing a security check on one or more blocks of the boot code in accordance with the annotation information of the certificate, the control unit configured to execute the boot code to (i) initialize the peripheral device based on a result of the security check and (ii) provide, subsequent to the initialization, an interface by which the control unit controls operation of the peripheral device.
Dependent claims: 19, 20, 21, 22, 23, 24, 25, 66.

26. A device comprising a control unit to generate a boot code for a peripheral device from a program written in a high-level programming language and generate a certificate from information gathered while generating the boot code, wherein the certificate describes operation of the boot code.

35. A system comprising: a peripheral device having a memory module, wherein the memory module stores a boot code and a certificate, wherein the boot code is generated from a first programming language, and wherein the certificate includes an annotation defining a proof of security and safety for both (i) one or more blocks of code generated from a second programming language different from the first programming language and (ii) one or more corresponding blocks of the boot code; and a computer having an interface to retrieve the boot code and the certificate from the peripheral device, a second memory module and a control unit, wherein the control unit uses the interface to retrieve the boot code and the certificate from the peripheral device and executes a verification module that verifies security of the boot code by performing a security check on the boot code to independently verify the proof represented by the annotation information of the certificate, and wherein the control unit further executes the boot code based on a result of the security check to (i) initialize the peripheral device and (ii) provide, subsequent to the initialization, an interface by which the control unit controls operation of the peripheral device.
Dependent claims: 36, 37, 38, 39, 40, 41, 67, 68.

42. A system comprising: a peripheral device having a memory module; and a control unit to generate a boot code from a program written in a high-level programming language, generate a certificate from information gathered while generating the boot code, and load the boot code and the certificate into the memory module, wherein the certificate describes operation of the boot code.
Dependent claims: 43, 44, 45, 46.

47. A computer-readable medium comprising instructions for causing a programmable processor to: retrieve boot code from a peripheral device, wherein the boot code is generated from a first programming language; store the boot code on a computer coupled to the peripheral device; verify security of the boot code associated with the peripheral device by performing a security check on the boot code in accordance with a certificate that describes operation of the boot code, wherein the certificate includes an annotation defining a proof of security and safety for both (i) one or more blocks of code generated from a second programming language different from the first programming language and (ii) one or more corresponding blocks of the boot code resulting from translation of the one or more blocks of the code of the second programming language into the first programming language; and execute the boot code based on a result of the security check to (i) initialize the peripheral device and (ii) provide, subsequent to the initialization, an interface by which the programmable processor controls operation of the peripheral device.
Dependent claims: 48, 49, 50, 51, 52, 53, 54, 69.

55. A computer-readable medium comprising instructions for causing a programmable processor to: generate a boot code for a peripheral device from a program written in a high-level programming language; and generate a certificate that describes operation of the boot code from information gathered while generating the boot code.
Dependent claims: 56, 57, 58, 59, 60, 61, 62, 63.

64. A method comprising: generating a boot code in the fcode programming language for a peripheral device from a program written in the Java programming language; and generating a certificate from information gathered while generating the boot code, wherein the certificate describes operation of the boot code.