SYSTEMS AND METHODS FOR MULTI-LAYERED AUTHENTICATION/VERIFICATION OF TRUSTED PLATFORM UPDATES

US 20130185564A1
Filed: 01/17/2012
Published: 07/18/2013
Est. Priority Date: 01/17/2012
Status: Active Grant

First Claim

Patent Images

1. A system incorporating multilayered authentication of trusted platform updates, comprising:

a processor;

at least one firmware component coupled to the processor; and

a personality module coupled to the processor, wherein the personality module is operable to store first cryptographic data, wherein the first cryptographic data corresponds to a previously verified firmware component;

wherein the processor is operable to;

retrieve the first cryptographic data,determine second cryptographic data, wherein the second cryptographic data corresponds to an unverified firmware component,determine if the first cryptographic data matches the second cryptographic data, andallow an update of the at least one firmware component with the unverified firmware component if;

the first cryptographic data matches the second cryptographic data, andthe unverified firmware component includes a digital signature of a manufacturer.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with the present disclosure, a system and method for multilayered authentication of trusted platform updates is described. The method may include storing first cryptographic data in a personality module of an information handling system, with the first cryptographic data corresponding to a verified firmware component. A second cryptographic data may also be determined, with the second cryptographic data corresponding to an unverified firmware component. The unverified firmware component may be stored in a memory element of the information handling system, and the second cryptographic data may be determined using a processor of the information handling system. The method may further include determining if the first cryptographic data matches the second cryptographic data and updating firmware in the information handling system with the unverified firmware component if the first cryptographic data matches the second cryptographic data, and the unverified firmware component includes a digital signature of a manufacturer.

32 Citations

View as Search Results

20 Claims

1. A system incorporating multilayered authentication of trusted platform updates, comprising:
- a processor;
  
  at least one firmware component coupled to the processor; and
  
  a personality module coupled to the processor, wherein the personality module is operable to store first cryptographic data, wherein the first cryptographic data corresponds to a previously verified firmware component;
  
  wherein the processor is operable to;
  
  retrieve the first cryptographic data,determine second cryptographic data, wherein the second cryptographic data corresponds to an unverified firmware component,determine if the first cryptographic data matches the second cryptographic data, andallow an update of the at least one firmware component with the unverified firmware component if;
  
  the first cryptographic data matches the second cryptographic data, andthe unverified firmware component includes a digital signature of a manufacturer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the first cryptographic data comprises:
    - a hash algorithm;
      
      a digital signature value, wherein the digital signature value comprises a first hash value encrypted with a private key, and wherein the first hash value is determined by applying the hash algorithm to the verified firmware component; and
      
      a public key corresponding to the private key.
  - 3. The system of claim 2, wherein the second cryptographic data comprises a second hash value, wherein the second hash value is determined by applying the hash algorithm to the unverified firmware component.
  - 4. The system of claim 3, wherein the first cryptographic data matches the second cryptographic data if the first hash value matches the second hash value,
  - 5. The system of claim 4, wherein the at least one firmware component comprises a first basic input/output system (“
    - BIOS”
      
      ), the previously verified firmware component comprises a second BIOS, and unverified firmware component comprises a third BIOS.
  - 6. The system of claim 5, wherein the first hash value is determined by applying the hash algorithm to at least part of the second BIOS payload, and wherein the second hash value is determined by applying the hash algorithm to at least part of the third BIOS payload.
  - 7. The system of claim 4, wherein the at least one firmware component comprises a first baseboard management controller (“
    - BMC”
      
      ) firmware, the previously verified firmware component comprises a second BMC firmware, and the unverified firmware component comprises a third BMC firmware.
  - 8. The system of claim 5, wherein the first hash value is determined by applying the hash algorithm to at least part of the second BMC firmware payload, and wherein the second hash value is determined by applying the hash algorithm to at least part of the third BMC firmware payload.

9. A method for multilayered authentication of trusted platform updates, comprising:
- storing first cryptographic data in a personality module of an information handling system, wherein the first cryptographic data corresponds to a previously verified firmware component;
  
  determining second cryptographic data, wherein the second cryptographic data corresponds to an unverified firmware component, wherein the unverified firmware component is stored in a memory element of the information handling system, and wherein the second cryptographic data is determined using a processor of the information handling system;
  
  determining if the first cryptographic data matches the second cryptographic data; and
  
  updating firmware in the information handling system with the unverified firmware component if;
  
  the first cryptographic data matches the second cryptographic data, andthe unverified firmware component includes a digital signature of a manufacturer.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The method of claim 9, further comprising the step of determining the first cryptographic data, wherein determining the first cryptographic data comprises the steps of:
    - applying a hash algorithm to the verified firmware component to obtain a first hash value; and
      
      generating a digital signature value by encrypting the first hash value with a private key.
  - 11. The method of claim 10, wherein the first cryptographic data comprises the hash algorithm, the digital signature value, and a public key corresponding to the private key.
  - 12. The method of claim 11, wherein determining the second cryptographic data the cryptographic data comprises the steps of:
    - retrieving the hash algorithm from the personality module, and applying the hash algorithm to the unverified firmware component to determine a second hash value.
  - 13. The method of claim 12, wherein determining if the first cryptographic data matches the second cryptographic data comprises the steps of:
    - retrieving the digital signature value and the public key from the personality module;
      
      decrypting the digital signature value using the public key to determine the first hash value; and
      
      comparing the first hash value to the second hash value.
  - 14. The method of claim 13, wherein the verified firmware component comprises a first basic input/output system (“
    - BIOS”
      
      ), and the unverified firmware component comprises a second BIOS.
  - 15. The method of claim 14, wherein applying the hash algorithm to the verified firmware component comprises applying the hash algorithm to a header file of the first BIOS, and wherein applying the hash algorithm to the unverified firmware component comprises applying the hash algorithm to a header file of the second BIOS.
  - 16. The method of claim 13, wherein the verified firmware component comprises a first baseboard management controller (“
    - BMC”
      
      ) firmware, and wherein the unverified firmware component comprises a second BMC firmware.
  - 17. The method of claim 14, wherein applying the hash algorithm to the verified firmware component comprises applying the hash algorithm to a header file of the first BMC firmware, and wherein applying the hash algorithm to the unverified firmware component comprises applying the hash algorithm to a header file of the second BMC firmware.

18. A method for multilayered authentication of trusted platform updates, comprising:
- determining first cryptographic data, wherein the first cryptographic data comprises a digital signature value corresponding to a verified firmware component;
  
  storing the first cryptographic data and an update policy in a personality module of an information handling system;
  
  determining second cryptographic data using a processor in the information handling system, wherein the second cryptographic data comprises a hash value corresponding to an unverified firmware component, wherein the unverified firmware component comprises a firmware version;
  
  determining if the first cryptographic data matches the second cryptographic data, wherein determining if the first cryptographic data matches the second cryptographic data comprises the steps of;
  
  decrypting the digital signal value using a public key to obtain a hash value corresponding to the verified firmware component, andcomparing the hash value corresponding to the verified firmware component to the hash value corresponding to the unverified firmware component; and
  
  updating firmware in the information handling system with the unverified firmware component if;
  
  the first cryptographic data matches the second cryptographic data,the unverified firmware component includes a digital signature of a manufacturer, andthe update policy allows an update to the firmware version of the unverified firmware component.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, wherein determining first cryptographic data comprises applying a hash algorithm to at least a portion of the verified firmware component.
  - 20. The method of claim 19, wherein determining the second cryptographic data comprises applying the hash algorithm to at least a portion of the unverified firmware component.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dell Products LP (Dell Technologies Inc.)
Original Assignee
Dell Products LP (Dell Technologies Inc.)
Inventors
Jaber, Muhammed, Khatri, Mukund

Granted Patent

US 8,874,922 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/176
CPC Class Codes

G06F 21/57 Certifying or maintaining t...

G06F 21/572 Secure firmware programming...

SYSTEMS AND METHODS FOR MULTI-LAYERED AUTHENTICATION/VERIFICATION OF TRUSTED PLATFORM UPDATES

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR MULTI-LAYERED AUTHENTICATION/VERIFICATION OF TRUSTED PLATFORM UPDATES

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links