COMPUTER SYSTEM COMPRISING A SECURE BOOT MECHANISM
First Claim
1. A method for starting a computer system, the method comprising:
- accessing a first set of data stored in a non-volatile memory area of a central processing unit, said first set of data including first instructions causing a core circuit of said central processing unit to initialize a random access memory of said central processing unit;
- loading an image of a second set of data from a non-volatile memory into said initialized random access memory, said second set of data comprising a signature for verifying integrity of said second set of data, said second set of data further comprising second instructions causing said central processing unit to initialize a system memory of said computer system;
- verifying said integrity of said second set of data by using said signature and a decryption key included in said first set of data; and
- initializing said system memory using said second instructions when verification of said second set of data is successful.
Abstract
Secure boot processing may be accomplished on the basis of a non-volatile memory that is an integral part of the CPU and that can no longer be modified once pre-boot information has been programmed into it. On a reset event or a power-on event, execution starts from this internal non-volatile memory, which may also hold the public decryption keys used to verify the signature of a portion of the boot routine. That portion of the boot routine is verified using the CPU's internal random access memories, so that no external memory is accessed during verification. Hence a high degree of tamper resistance may be obtained, for instance against BIOS modification by exchanging BIOS chips.
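The boot sequence the abstract describes, as an added simulation written for this page (it is not the patent's code, and the patent specifies no image format or signature algorithm). The model assumes a constructed image layout of a 4-byte big-endian code length, the second-stage code, and an RSA PKCS#1 v1.5 signature over SHA-256 of the code; the names PreBootROM, CPU, Boot, SignBootStage and NewSignedSystem are this example's own. The first instructions (Boot) initialize the internal RAM, copy the image out of the external flash exactly once, verify it from that internal copy with the public key held in the ROM, and only then run the second instructions that initialize system memory. A flash read counter makes the "no external access during verification" property observable, and a tampered image is shown to leave system memory uninitialized.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (not from the patent):
//   4-byte big-endian code length | second-stage code | PKCS#1 v1.5 signature over SHA-256(code)

// SignBootStage is the vendor's offline step: it produces the "second set of data"
// (second instructions plus signature) that is written into the external BIOS flash.
func SignBootStage(priv *rsa.PrivateKey, code []byte) ([]byte, error) {
	digest := sha256.Sum256(code)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	img := make([]byte, 4, 4+len(code)+len(sig))
	binary.BigEndian.PutUint32(img, uint32(len(code)))
	img = append(img, code...)
	img = append(img, sig...)
	return img, nil
}

// PreBootROM models the non-volatile memory inside the CPU: it holds the first
// instructions (Boot below) and the public decryption key for the signature check.
type PreBootROM struct {
	PubKey *rsa.PublicKey
}

// CPU models only the parts of the CPU that matter for the boot sequence.
type CPU struct {
	ROM               PreBootROM
	internalRAM       []byte // internal volatile memory, initialized by the first instructions
	SystemMemoryReady bool   // set only by the verified second instructions
	FlashReads        int    // number of accesses to the external flash during this boot
}

var ErrBadSignature = errors.New("boot image signature verification failed")

// readFlash is the only path to the external non-volatile memory. Counting calls
// makes it visible that the image is fetched once and verified from internal RAM.
func (c *CPU) readFlash(flash []byte) []byte {
	c.FlashReads++
	cp := make([]byte, len(flash))
	copy(cp, flash)
	return cp
}

// Boot runs the first instructions from ROM on a reset or power-on event.
func (c *CPU) Boot(flash []byte) error {
	// First instructions: initialize the CPU-internal RAM and reset boot state.
	c.internalRAM = nil
	c.SystemMemoryReady = false
	c.FlashReads = 0

	// Load the image of the second set of data into internal RAM in a single pass.
	c.internalRAM = c.readFlash(flash)

	// Everything below parses the copy in internal RAM and never touches the flash
	// again, so the bytes that are verified are the bytes that will be executed.
	img := c.internalRAM
	if len(img) < 4 {
		return errors.New("boot image too short")
	}
	codeLen := int(binary.BigEndian.Uint32(img[:4]))
	if codeLen < 0 || 4+codeLen > len(img) {
		return errors.New("boot image length field out of range")
	}
	code := img[4 : 4+codeLen]
	sig := img[4+codeLen:]

	digest := sha256.Sum256(code)
	if err := rsa.VerifyPKCS1v15(c.ROM.PubKey, crypto.SHA256, digest[:], sig); err != nil {
		return ErrBadSignature
	}

	// Second instructions run only after successful verification: initialize system memory.
	c.SystemMemoryReady = true
	return nil
}

// NewSignedSystem builds a vendor key pair, a CPU whose ROM holds the matching
// public key, and a signed image of constructed stand-in second-stage code.
func NewSignedSystem() (*CPU, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	code := []byte("constructed stand-in for second instructions: initialize system memory")
	img, err := SignBootStage(priv, code)
	if err != nil {
		return nil, nil, err
	}
	return &CPU{ROM: PreBootROM{PubKey: &priv.PublicKey}}, img, nil
}

func main() {
	cpu, img, err := NewSignedSystem()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine image:", cpu.Boot(img), "| system memory ready:", cpu.SystemMemoryReady, "| flash reads:", cpu.FlashReads)
	tampered := append([]byte(nil), img...)
	tampered[4] ^= 0x01 // flip one bit of the second instructions in the external flash
	fmt.Println("tampered image:", cpu.Boot(tampered), "| system memory ready:", cpu.SystemMemoryReady)
}
```

Running the block boots once from a genuine image and once from an image with a single flipped code bit; the second run fails verification and system memory initialization never happens. A CPU whose ROM holds a different public key rejects the genuine image the same way, which is the behaviour that makes swapping the BIOS chip ineffective.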
20 Claims
1. Independent claim 1 is reproduced above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
13. A method for starting a computer system, the method comprising:
- upon at least one of a power up event and a reset event, accessing an internal non-volatile memory of a central processing unit, said non-volatile memory containing pre-boot instructions and data values for initializing an internal volatile memory of said central processing unit and verifying an integrity of at least a portion of boot instructions and boot data values stored in a non-volatile memory;
- loading said at least a portion of said boot instructions and boot data values from the non-volatile memory into said internal volatile memory by executing said pre-boot instructions;
- verifying integrity of said at least a portion of said boot instructions and boot data values by executing said pre-boot instructions; and
- after successfully verifying integrity of said at least a portion of said boot instructions and boot data values, executing said boot instructions.
Dependent claims: 14, 15, 16, 17, 18.
19. A central processing unit (CPU), comprising:
- a substrate having formed thereon circuit elements defining a CPU core, a volatile random access memory, a non-volatile memory and a bus system for connecting said CPU core, said volatile random access memory and said non-volatile memory; and
- pre-boot information stored in said non-volatile memory, said pre-boot information including instructions executable by said CPU core and data values for initializing said volatile random access memory and verifying at least a portion of a boot routine.
Dependent claims: 20.