SECURE OPTION ROM CONTROL

US 20130104188A1
Filed: 10/22/2012
Published: 04/25/2013
Est. Priority Date: 10/21/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for enforcing a security policy on a Unified Extensible Firmware Interface (UEFI)-compliant computing device, comprising:

detecting a presence of an expansion card in an expansion card slot on the UEFI-compliant computing device, the detecting occurring during a boot phase before loading of an operating system for the computing device;

identifying at least one Option ROM driver for the expansion card, the at least one Option ROM driver not being an authorized signed UEFI driver;

consulting a security policy for the computing device regarding Option ROM driver execution; and

enforcing the security policy based on an identified characteristic of the at least one Option ROM driver.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mechanism for controlling the execution of Option ROM code on a Unified Extensible Firmware Interface (UEFI)-compliant computing device is discussed. A security policy enforced by the firmware may be configured by the computing platform designer/IT administrator to take different actions for different types of detected expansion cards or other devices due to the security characteristics of Option ROM drivers associated with the expansion card or device. The security policy may specify whether authorized signed UEFI Option ROM drivers, unauthorized but signed UEFI Option ROM drivers, unsigned UEFI Option ROM drivers and legacy Option ROM drivers are allowed to execute on the UEFI-compliant computing device.

20 Citations

View as Search Results

30 Claims

1. A computer-implemented method for enforcing a security policy on a Unified Extensible Firmware Interface (UEFI)-compliant computing device, comprising:
- detecting a presence of an expansion card in an expansion card slot on the UEFI-compliant computing device, the detecting occurring during a boot phase before loading of an operating system for the computing device;
  
  identifying at least one Option ROM driver for the expansion card, the at least one Option ROM driver not being an authorized signed UEFI driver;
  
  consulting a security policy for the computing device regarding Option ROM driver execution; and
  
  enforcing the security policy based on an identified characteristic of the at least one Option ROM driver.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein the identified characteristic is that the at least one Option ROM driver is an unauthorized signed UEFI Option ROM driver.
  - 3. The method of claim 1 wherein the identified characteristic is that the at least one Option ROM driver is an unsigned UEFI Option ROM driver.
  - 4. The method of claim 1 wherein the identified characteristic is that the at least one Option ROM driver is legacy Option ROM driver.
  - 5. The method of claim 1 further comprising:
    - allowing, based on the security policy, an unauthorized signed UEFI Option ROM driver to be executed on the UEFI-compliant computing device.
  - 6. The method of claim 1 further comprising:
    - allowing, based on the security policy, an unsigned UEFI Option ROM driver to be executed on the UEFI-compliant computing device.
  - 7. The method of claim 1 further comprising:
    - allowing, based on the security policy, a legacy Option ROM driver to be executed on the UEFI-compliant computing device.
  - 8. The method of claim 1 wherein the identified at least one Option ROM driver is located at a location other than a flash memory store on the expansion card.

9. A non-transitory medium holding computer-executable instructions for enforcing a security policy on a Unified Extensible Firmware Interface (UEFI)-compliant computing device, the instructions when executed causing a UEFI-compliant computing device to:
- detect a presence of an expansion card in an expansion card slot on the UEFI-compliant computing device, the detecting occurring during a boot phase before loading of an operating system for the computing device;
  
  identify at least one Option ROM driver for the expansion card, the at least one Option ROM driver not being an authorized signed UEFI driver;
  
  consult a security policy for the computing device regarding Option ROM driver execution; and
  
  enforce the security policy based on an identified characteristic of the at least one Option ROM driver.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The medium of claim 9 wherein the identified characteristic is that the at least one Option ROM driver is an unauthorized signed UEFI Option ROM driver.
  - 11. The medium of claim 9 wherein the identified characteristic is that the at least one Option ROM driver is an unsigned UEFI Option ROM driver.
  - 12. The medium of claim 9 wherein the identified characteristic is that the at least one Option ROM driver is legacy Option ROM driver.
  - 13. The medium of claim 9 wherein the instructions when executed further cause the UEFI-compliant computing device to:
    - allow, based on the security policy, an unauthorized signed UEFI Option ROM driver to be executed on the UEFI-compliant computing device.
  - 14. The medium of claim 9 wherein the instructions when executed further cause the UEFI-compliant computing device to:
    - allow, based on the security policy, an unsigned UEFI Option ROM driver to be executed on the UEFI-compliant computing device.
  - 15. The medium of claim 9 wherein the instructions when executed further cause the UEFI-compliant computing device to:
    - allow, based on the security policy, a legacy Option ROM driver to be executed on the UEFI-compliant computing device.
  - 16. The medium of claim 9 wherein the identified at least one Option ROM driver is located at a location other than a flash memory store on the expansion card.

17. A Unified Extensible Firmware Interface (UEFI)-compliant computing device, comprising:
- a Read Only Memory (ROM) holding firmware;
  
  at least one expansion card slot holding an expansion card;
  
  at least one Option ROM driver associated with the expansion card and accessible by the firmware, anda processor configured to execute the firmware during a boot sequence following an identification of the expansion card and before operating system loading, the execution of the firmware;
  
  identifying the at least one Option ROM driver associated with the expansion card as not being an authorized signed UEFI driver, andenforcing a security policy regarding Option ROM driver execution based on a characteristic of the identified at least one Option Rom driver.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The UEFI-compliant device of claim 17, further comprising:
    - a display surface in communication with the UEFI-compliant computing device, the display surface displaying a setup user interface (UI), the setup user interface displaying information regarding the security policy.
  - 19. The UEFI-compliant computing device of claim 18 wherein the setup UI provides a graphical indicator related to a characteristic of the at least one Option ROM driver.
  - 20. The UEFI-compliant computing device of claim 18 wherein the setup UI enables a user to designate a listed Option ROM for execution.
  - 21. The UEFI-compliant computing device of claim 18 wherein the setup UI provides a graphical indicator regarding at least one Option ROM driver that is authorized to execute on the UEFI-compliant computing device.
  - 22. The UEFI-compliant computing device of claim 18 wherein the setup UI enables a user to change the security policy regarding Option ROM driver execution.
  - 23. The UEFI-compliant computing device of claim 18 wherein the characteristics of the displayed security policy regarding Option ROM driver execution are not changeable by a user.
  - 24. The UEFI-compliant computing device of claim 18 wherein the setup UI enables a user to designate a security policy controlling the execution of future discovered Option ROM drivers.

25. A computer-implemented method for enforcing a security policy on a Unified Extensible Firmware Interface (UEFI)-compliant computing device, comprising:
- detecting a device on a UEFI-compliant computing device that requires an Option ROM driver for initialization, the detecting occurring during a boot phase before loading of an operating system for the computing device;
  
  identifying at least one Option ROM driver for the detected device, the at least one Option ROM driver not being an authorized signed UEFI driver;
  
  consulting a security policy for the computing device regarding Option ROM driver execution; and
  
  enforcing the security policy based on an identified characteristic of the at least one Option ROM driver.
- View Dependent Claims (26, 27)
- - 26. The method of claim 25 wherein the identified characteristic is an that the at least one Option ROM driver is an unauthorized signed UEFI Option ROM driver, an unsigned UEFI Option ROM driver or a legacy Option ROM driver.
  - 27. The method of claim 26, further comprising:
    - allowing, based on the security policy, at least one of an unauthorized signed UEFI Option ROM driver, an unsigned UEFI Option ROM driver or a legacy Option ROM driver to be executed on the UEFI-compliant computing device.

28. A non-transitory medium holding computer-executable instructions for enforcing a security policy on a Unified Extensible Firmware Interface (UEFI)-compliant computing device, the instructions when executed causing a UEFI-compliant computing device to:
- detect a device on the UEFI-compliant computing device that requires an Option ROM driver for initialization, the detecting occurring during a boot phase before loading of an operating system for the UEFI-compliant computing device;
  
  identify at least one Option ROM driver for the detected device, the at least one Option ROM driver not being an authorized signed UEFI driver;
  
  consult a security policy for the computing device regarding Option ROM driver execution; and
  
  enforce the security policy based on an identified characteristic of the at least one Option ROM driver.
- View Dependent Claims (29, 30)
- - 29. The medium of claim 28 wherein the identified characteristic is an that the at least one Option ROM driver is an unauthorized signed UEFI Option ROM driver, an unsigned UEFI Option ROM driver or a legacy Option ROM driver.
  - 30. The medium of claim 29 wherein the instructions when executed further cause the UEFI-compliant computing device to:
    - allow, based on the security policy, at least one of an unauthorized signed UEFI Option ROM driver, an unsigned UEFI Option ROM driver or a legacy Option ROM driver to be executed on the UEFI-compliant computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Insyde Software Corp
Original Assignee
Insyde Software Corp
Inventors
BOBZIN, Jeffery Jay, WESTERN, Trevor

Granted Patent

US 9,881,158 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/57 Certifying or maintaining t...

SECURE OPTION ROM CONTROL

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

20 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE OPTION ROM CONTROL

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links