SECURE OPTION ROM CONTROL
First Claim
1. A computer-implemented method for enforcing a security policy on a Unified Extensible Firmware Interface (UEFI)-compliant computing device, comprising:
- detecting a presence of an expansion card in an expansion card slot on the UEFI-compliant computing device, the detecting occurring during a boot phase before loading of an operating system for the computing device;
identifying at least one Option ROM driver for the expansion card, the at least one Option ROM driver not being an authorized signed UEFI driver;
consulting a security policy for the computing device regarding Option ROM driver execution; and
enforcing the security policy based on an identified characteristic of the at least one Option ROM driver.
1 Assignment
0 Petitions
Accused Products
Abstract
A mechanism for controlling the execution of Option ROM code on a Unified Extensible Firmware Interface (UEFI)-compliant computing device is discussed. A security policy enforced by the firmware may be configured by the computing platform designer/IT administrator to take different actions for different types of detected expansion cards or other devices due to the security characteristics of Option ROM drivers associated with the expansion card or device. The security policy may specify whether authorized signed UEFI Option ROM drivers, unauthorized but signed UEFI Option ROM drivers, unsigned UEFI Option ROM drivers and legacy Option ROM drivers are allowed to execute on the UEFI-compliant computing device.
20 Citations
30 Claims
-
1. A computer-implemented method for enforcing a security policy on a Unified Extensible Firmware Interface (UEFI)-compliant computing device, comprising:
-
detecting a presence of an expansion card in an expansion card slot on the UEFI-compliant computing device, the detecting occurring during a boot phase before loading of an operating system for the computing device; identifying at least one Option ROM driver for the expansion card, the at least one Option ROM driver not being an authorized signed UEFI driver; consulting a security policy for the computing device regarding Option ROM driver execution; and enforcing the security policy based on an identified characteristic of the at least one Option ROM driver. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A non-transitory medium holding computer-executable instructions for enforcing a security policy on a Unified Extensible Firmware Interface (UEFI)-compliant computing device, the instructions when executed causing a UEFI-compliant computing device to:
-
detect a presence of an expansion card in an expansion card slot on the UEFI-compliant computing device, the detecting occurring during a boot phase before loading of an operating system for the computing device; identify at least one Option ROM driver for the expansion card, the at least one Option ROM driver not being an authorized signed UEFI driver; consult a security policy for the computing device regarding Option ROM driver execution; and enforce the security policy based on an identified characteristic of the at least one Option ROM driver. - View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
-
-
17. A Unified Extensible Firmware Interface (UEFI)-compliant computing device, comprising:
-
a Read Only Memory (ROM) holding firmware; at least one expansion card slot holding an expansion card; at least one Option ROM driver associated with the expansion card and accessible by the firmware, and a processor configured to execute the firmware during a boot sequence following an identification of the expansion card and before operating system loading, the execution of the firmware; identifying the at least one Option ROM driver associated with the expansion card as not being an authorized signed UEFI driver, and enforcing a security policy regarding Option ROM driver execution based on a characteristic of the identified at least one Option Rom driver. - View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
-
-
25. A computer-implemented method for enforcing a security policy on a Unified Extensible Firmware Interface (UEFI)-compliant computing device, comprising:
-
detecting a device on a UEFI-compliant computing device that requires an Option ROM driver for initialization, the detecting occurring during a boot phase before loading of an operating system for the computing device; identifying at least one Option ROM driver for the detected device, the at least one Option ROM driver not being an authorized signed UEFI driver; consulting a security policy for the computing device regarding Option ROM driver execution; and enforcing the security policy based on an identified characteristic of the at least one Option ROM driver. - View Dependent Claims (26, 27)
-
-
28. A non-transitory medium holding computer-executable instructions for enforcing a security policy on a Unified Extensible Firmware Interface (UEFI)-compliant computing device, the instructions when executed causing a UEFI-compliant computing device to:
-
detect a device on the UEFI-compliant computing device that requires an Option ROM driver for initialization, the detecting occurring during a boot phase before loading of an operating system for the UEFI-compliant computing device; identify at least one Option ROM driver for the detected device, the at least one Option ROM driver not being an authorized signed UEFI driver; consult a security policy for the computing device regarding Option ROM driver execution; and enforce the security policy based on an identified characteristic of the at least one Option ROM driver. - View Dependent Claims (29, 30)
-
Specification