Extensible Pre-Boot Authentication

US 20110138166A1
Filed: 12/21/2010
Published: 06/09/2011
Est. Priority Date: 06/23/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

obtaining a pre-boot authentication (PBA) image from a non-volatile storage of a system in a pre-boot environment, wherein the non-volatile storage is configured with full disk encryption (FDE), and storing the PBA image in a system memory;

performing a callback protocol between a loader executing on an engine of a chipset and an integrity checker of a third party that provided the PBA image to confirm integrity of the PBA image; and

executing the PBA image if the integrity is confirmed, and otherwise deleting the PBA image from the system memory.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, the present invention includes a method for obtaining a pre-boot authentication (PBA) image from a non-volatile storage that is configured with full disk encryption (FDE), and storing the PBA image in a memory. Then a callback protocol can be performed between a loader executing on an engine of a chipset and an integrity checker of a third party that provided the PBA image to confirm integrity of the PBA image, the PBA image is executed if the integrity is confirmed, and otherwise it is deleted. Other embodiments are described and claimed.

Citations

19 Claims

1. A method comprising:
- obtaining a pre-boot authentication (PBA) image from a non-volatile storage of a system in a pre-boot environment, wherein the non-volatile storage is configured with full disk encryption (FDE), and storing the PBA image in a system memory;
  
  performing a callback protocol between a loader executing on an engine of a chipset and an integrity checker of a third party that provided the PBA image to confirm integrity of the PBA image; and
  
  executing the PBA image if the integrity is confirmed, and otherwise deleting the PBA image from the system memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising receiving an updated PBA image from a location remote to the system via the third party.
  - 3. The method of claim 2, further comprising storing the updated PBA image in a hidden partition of the non-volatile storage, the hidden partition accessible only to the engine of the chipset.
  - 4. The method of claim 3, further comprising storing the updated PBA image in the hidden partition via an out-of-band interface and without access to a host driver for the non-volatile storage.
  - 5. The method of claim 4, further comprising storing the updated PBA image in the hidden partition during operating system (OS) control of the system using a host controller interface (HCI) having an administrative privilege.
  - 6. The method of claim 1, wherein performing the callback protocol includes:
    - registering an intent to export integrity checking from the loader to the integrity checker;
      
      obtaining a pointer to the PBA image and integrity credentials associated with the PBA image; and
      
      providing the pointer to the integrity checker.
  - 7. The method of claim 6, wherein performing the callback protocol further includes:
    - establishing a binding between the integrity checker and the loader responsive to the registering; and
      
      checking the PBA image using the integrity credentials and an embedded secret accessible to the integrity checker.
  - 8. The method of claim 6, further comprising updating the integrity credentials in the non-volatile system from a location remote to the system via the third party.
  - 9. The method of claim 1, wherein the integrity checker communicates with a common PBA identity manager that selects one of a plurality of authentication devices of the system for performing an authentication procedure for a user of the system, the selection based on an unlock protocol of the third party.

10. An article comprising a machine-accessible storage medium including instructions that when executed cause a system to:
- obtain a pre-boot authentication (PBA) image from a storage device coupled to a chipset of the system in a pre-boot environment, wherein the storage device is configured with full disk encryption (FDE), and store the PBA image in a memory of the system;
  
  perform a callback protocol between a loader executing on an engine of the chipset and an integrity checker of a third party that provided the PBA image to confirm integrity of the PBA image; and
  
  execute the PBA image if the integrity is confirmed, and otherwise delete the PBA image from the memory.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The article of claim 10, further comprising instructions that when executed cause the system to store an updated PBA image in a hidden partition of the storage device, the hidden partition accessible only to the engine of the chipset, via an out-of-band interface and without access to a host driver for the storage device.
  - 12. The article of claim 10, further comprising instructions that when executed enable the system to:
    - register an intent to export integrity checking from the loader to the integrity checker;
      
      obtain a pointer to the PBA image and integrity credentials associated with the PBA image; and
      
      provide the pointer to the integrity checker.
  - 13. The article of claim 12, further comprising instructions that when executed enable the system to:
    - establish a binding between the integrity checker and the loader responsive to the registration; and
      
      check the PBA image using the integrity credentials and an embedded secret accessible to the integrity checker.
  - 14. The article of claim 10, further comprising instructions that when executed enable the system to communicate with a common PBA identity manager that selects one of a plurality of authentication devices of the system for performing an authentication procedure for a user of the system, the selection based on an unlock protocol of the third party.

15. A system comprising:
- a processor;
  
  a chipset coupled to the processor and including a first engine to execute a pre-boot loader; and
  
  a mass storage coupled to the chipset, the mass storage configured for full disk encryption, wherein the mass storage has an encrypted region and a hidden region to store a pre-boot authentication (PBA) image of a third party and integrity credentials associated with the PBA image, wherein the first engine is to access, via a loader, the hidden region in a pre-boot environment and to load the PBA image to a memory and to execute a callback protocol between the loader and an integrity checker of the third party.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The system of claim 15, wherein the first engine is to store an updated PBA image in the hidden region via an out-of-band interface and without access to a host driver for the mass storage.
  - 17. The system of claim 15, wherein the first engine is to register an intent to export integrity checking from the loader to the integrity checker, obtain a pointer to the PBA image and integrity credentials associated with the PBA image, and provide the pointer to the integrity checker.
  - 18. The system of claim 17, wherein the first engine is to establish a binding between the integrity checker and the loader responsive to the registering, and check the PBA image using the integrity credentials and an embedded secret accessible to the integrity checker.
  - 19. The system of claim 15, wherein the first engine is to communicate with a common PBA identity manager that selects one of a plurality of authentication devices of the system for performing an authentication procedure for a user of the system, the selection based on an unlock protocol of the third party.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Peszek, Jacek, Zimmer, Vincent J., Moore, Victoria C., Smith, Ned M., Martinez, Alberto J.

Granted Patent

US 8,909,940 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/2
CPC Class Codes

G06F 21/575 Secure boot

Extensible Pre-Boot Authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Extensible Pre-Boot Authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links