SYSTEM AND METHOD TO SECURE BOOT UEFI FIRMWARE AND UEFI-AWARE OPERATING SYSTEMS ON A MOBILE INTERNET DEVICE (MID)

US 20090327741A1
Filed: 06/30/2008
Published: 12/31/2009
Est. Priority Date: 06/30/2008
Status: Abandoned Application

First Claim

Patent Images

1. A system for secure boot on a mobile platform, comprising:

a host processor configured to execute a host operating system and host applications;

firmware for booting the host processor, the firmware to utilize one or more signature keys during boot, each signature key associated with a software image to be loaded on the platform during boot; and

a security processor on the platform, the security processor communicatively coupled to a secure memory store, the secure memory store being inaccessible to the firmware and other host processor applications;

the security processor configured to manage the one or more signature keys to control image loading during boot.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some embodiments, the invention involves adding a capability for a platform owner or administrator to ensure that the firmware is only executed in an owner-authorized fashion, such as with signed components managed by a security processor. Embodiments may extend the Core Root of Trust for Measurement (CRTM), via use of a cryptographic unit coupled to the security processor in a mobile Internet device (MID) as a Root-of-Trust for Storage (RTS) Storage Root Key (SRK), into a unified extensible firmware interface (UEFI) Platform Initialization (PI) image authorization and boot manager. Other embodiments are described and claimed.

Citations

22 Claims

1. A system for secure boot on a mobile platform, comprising:
- a host processor configured to execute a host operating system and host applications;
  
  firmware for booting the host processor, the firmware to utilize one or more signature keys during boot, each signature key associated with a software image to be loaded on the platform during boot; and
  
  a security processor on the platform, the security processor communicatively coupled to a secure memory store, the secure memory store being inaccessible to the firmware and other host processor applications;
  
  the security processor configured to manage the one or more signature keys to control image loading during boot.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system as recited in claim 1, wherein the secure memory store resides on a non-volatile memory (NVM) store coupled to the security processor.
  - 3. The system as recited in claim 1, wherein the security processor resides on a chipset coupled to a cryptographic core configured to assist in verifying digital signatures.
  - 4. The system as recited in claim 3, further comprising:
    - a public key coupled to a chipset on the platform; and
      
      a certificate database stored in the secure memory store, wherein the certificate database comprises a plurality of certificates where each certificate corresponds to one of a plurality of software images capable of being executed by the host processor, and wherein the security processor is configured to verify each software image to be loaded on the host processor against the corresponding certificate in the certificate database and a digital signature embedded in the software image, the verification to use the public key coupled to the chipset.
  - 5. The system as recited in claim 4, further comprising:
    - means for taking ownership of the mobile platform by a platform administrator; and
      
      means for enrolling credentials in the certificate database, wherein credentials comprise at least one of a platform credential and a third party credential.
  - 6. The system as recited in claim 4, wherein the software image is compatible with unified extensible firmware interface (UEFI) architecture.
  - 7. The system as recited in claim 1, wherein the firmware will not load or launch the software image if the signature key associated with the software image fails validation.
  - 8. The system as recited in claim 7, wherein validation failure is a result of at least one of an expired certificate, missing certificate or a revoked certificate.
  - 9. The system as recited in claim 1, wherein a signature key comprises at least one of a platform key, protected variable key, or a public key.
  - 10. The system as recited in claim 9, wherein the one or more signature keys comprise a hierarchy of signature keys where a higher level key protects a lower level key.
  - 11. The system as recited in claim 10, wherein the platform key is a higher level than a protected variable key which is a higher level than a public key, wherein a public key is associated with each software image to be loaded during boot.
  - 12. The system as recited in claim 1, wherein the system has wireless communication capabilities configured to allow a remote platform administrator to update a certificate database coupled to the security processor.

13. A method for secure boot on a mobile platform, comprising:
- commencing a secure boot of a host processor on the platform;
  
  determining by a security processor on the platform whether a boot module is digitally signed and authorized to be loaded on the host processor;
  
  when the boot module is digitally signed and authorized, then loading and executing the boot module on the host processor; and
  
  determining by the security processor whether a plurality of software images to be loaded after the boot module are authorized to be loaded on the host processor, and when one of the plurality of software images is authorized, then loading the one of the plurality of software images on the host processor for execution; and
  
  when the digitally signed boot module is not authorized, then performing at least one of authorizing the boot image by a platform administrator or failing to boot the platform, and when the one of a plurality of software images is not authorized, then failing to load the one of the plurality of software images on the host processor.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method as recited in claim 13, wherein the security processor has wireless communication capabilities, the method further comprising managing, by the security processor, credentials in a certificate database stored in non-volatile memory accessible to the security processor, the non-volatile memory being inaccessible to the host processor, via wireless communication with a remote administrator having information relating to the credentials.
  - 15. The method as recited in claim 13, wherein the determining whether a boot module is digitally signed and authorized to be loaded on the host processor further comprises:
    - determining if the boot module has an image credential in the certificate database; and
      
      determining if the boot module image credential is verified against the image credential in the certificate database.
  - 16. The method as recited in claim 15, wherein determining by the security processor whether a plurality of software images to be loaded after the boot module are authorized to be loaded on the host processor comprises:
    - determining if each of the software images has a corresponding image credential in the certificate database; and
      
      determining if each of the software images credential is verified against the image credential in the certificate database.
  - 17. The method as recited in claim 13, further comprising:
    - verifying digital signatures in the boot module and software images by a cryptographic core residing on a same chipset as the security processor.

18. A machine accessible storage medium having instructions stored thereon for employing a secure boot on a mobile platform, the instructions when executed on the platform cause the platform to:
- commence a secure boot of a host processor on the platform;
  
  determine by a security processor on the platform whether a boot module is digitally signed and authorized to be loaded on the host processor;
  
  when the boot module is digitally signed and authorized, then load and execute the boot module on the host processor; and
  
  determine by the security processor whether a plurality of software images to be loaded after the boot module are authorized to be loaded on the host processor, and when one of the plurality of software images is authorized, then load the one of the plurality of software images on the host processor for execution; and
  
  when the digitally signed boot module is not authorized, then perform at least one of authorizing the boot image by a platform administrator or failing to boot the platform, and when the one of a plurality of software images is not authorized, then fail to load the one of the plurality of software images on the host processor.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The medium as recited in claim 18, wherein the security processor has wireless communication capabilities, the medium further comprising instructions to manage, by the security processor, credentials in a certificate database stored in non-volatile memory accessible to the security processor, the non-volatile memory being inaccessible to the host processor, via wireless communication with a remote administrator having information relating to the credentials.
  - 20. The medium as recited in claim 18, wherein instructions to determine whether a boot module is digitally signed and authorized to be loaded on the host processor further comprise instructions to:
    - determine if the boot module has an image credential in the certificate database; and
      
      determine if the boot module image credential is verified against the image credential in the certificate database.
  - 21. The medium as recited in claim 20, wherein instructions to determine by the security processor whether a plurality of software images to be loaded after the boot module are authorized to be loaded on the host processor comprise instructions to:
    - determine if each of the software images has a corresponding image credential in the certificate database; and
      
      determine if each of the software images credential is verified against the image credential in the certificate database.
  - 22. The medium as recited in claim 18, further comprising instructions to:
    - verify digital signatures in the boot module and software images by a cryptographic core residing on a same chipset as the security processor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Zimmer, Vincent J., Rothman, Michael A.

Application Number

US12/165,593
Publication Number

US 20090327741A1
Time in Patent Office

Days
Field of Search
US Class Current

713/183
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/575   Secure boot

H04W 12/106   Packet or message integrity

SYSTEM AND METHOD TO SECURE BOOT UEFI FIRMWARE AND UEFI-AWARE OPERATING SYSTEMS ON A MOBILE INTERNET DEVICE (MID)

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD TO SECURE BOOT UEFI FIRMWARE AND UEFI-AWARE OPERATING SYSTEMS ON A MOBILE INTERNET DEVICE (MID)

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links