SYSTEMS AND METHODS FOR ENFORCING SECURE BOOT CREDENTIAL ISOLATION AMONG MULTIPLE OPERATING SYSTEMS

US 20140149730A1
Filed: 11/26/2012
Published: 05/29/2014
Est. Priority Date: 11/26/2012
Status: Abandoned Application

First Claim

Patent Images

1. An information handling system comprising:

a processor;

a basic input/output system (BIOS) comprising a program of instructions executable by the processor and configured to cause the processor to;

during a boot of the information handling system, authenticate an operating system for execution on the information handling system based on a key exchange key associated with the operating system;

designate the key exchange key as an active key exchange key for a boot session of the information handling system; and

during the boot session, in response to a call for updating a value of an authorized database of keys associated with executable code permitted to execute on the information handling system or an authorized database of keys associated with executable code forbidden to execute on the information handling system;

determine whether the value is digitally signed with the active key exchange key;

determine whether the update is to a database or database entry associated with the active key exchange key; and

process the update in response to determinations that the value is digitally signed with the active key exchange key and that the update is to a database or database entry associated with the active key exchange key.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method may include designating a key exchange key as an active key exchange key for a boot session of the information handling system. The method may further include during the boot session, in response to a call for updating a value of an authorized database of keys associated with executable code permitted to execute on the information handling system or an authorized database of keys associated with executable code forbidden to execute on the information handling system: determining whether the value is digitally signed with the active key exchange key, determining whether the update is to a database or database entry associated with the active key exchange key, and processing the update in response to determinations that the value is digitally signed with the active key exchange key and that the update is to a database or database entry associated with the active key exchange key.

Citations

12 Claims

1. An information handling system comprising:
- a processor;
  
  a basic input/output system (BIOS) comprising a program of instructions executable by the processor and configured to cause the processor to;
  
  during a boot of the information handling system, authenticate an operating system for execution on the information handling system based on a key exchange key associated with the operating system;
  
  designate the key exchange key as an active key exchange key for a boot session of the information handling system; and
  
  during the boot session, in response to a call for updating a value of an authorized database of keys associated with executable code permitted to execute on the information handling system or an authorized database of keys associated with executable code forbidden to execute on the information handling system;
  
  determine whether the value is digitally signed with the active key exchange key;
  
  determine whether the update is to a database or database entry associated with the active key exchange key; and
  
  process the update in response to determinations that the value is digitally signed with the active key exchange key and that the update is to a database or database entry associated with the active key exchange key.
- View Dependent Claims (2, 3, 4)
- - 2. The information handling system of claim 1, wherein the authorized database is a DB as defined by the Unified Extensible Firmware Interface.
  - 3. The information handling system of claim 1, wherein the unauthorized database is a DBX as defined by the Unified Extensible Firmware Interface.
  - 4. The information handling system of claim 1, the BIOS further configured to cause the processor to prevent the update in response to at least one of:
    - a determination that the value is not digitally signed with the active key exchange key; and
      
      a determination that the update is not to a database or database entry associated with the active key exchange key.

5. A method comprising:
- during a boot of the information handling system, authenticating an operating system for execution on an information handling system based on a key exchange key associated with the operating system;
  
  designating the key exchange key as an active key exchange key for a boot session of the information handling system; and
  
  during the boot session, in response to a call for updating a value of an authorized database of keys associated with executable code permitted to execute on the information handling system or an authorized database of keys associated with executable code forbidden to execute on the information handling system;
  
  determining whether the value is digitally signed with the active key exchange key;
  
  determining whether the update is to a database or database entry associated with the active key exchange key; and
  
  processing the update in response to determinations that the value is digitally signed with the active key exchange key and that the update is to a database or database entry associated with the active key exchange key.
- View Dependent Claims (6, 7, 8)
- - 6. The method of claim 5, wherein the authorized database is a DB as defined by the Unified Extensible Firmware Interface.
  - 7. The method of claim 5, wherein the unauthorized database is a DBX as defined by the Unified Extensible Firmware Interface.
  - 8. The method of claim 5, further comprising preventing the update in response to at least one of:
    - a determination that the value is not digitally signed with the active key exchange key; and
      
      a determination that the update is not to a database or database entry associated with the active key exchange key.

9. An article of manufacture comprising:
- a computer readable medium; and
  
  computer-executable instructions carried on the computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to;
  
  during a boot of the information handling system, authenticate an operating system for execution on an information handling system based on a key exchange key associated with the operating system;
  
  designate the key exchange key as an active key exchange key for a boot session of the information handling system; and
  
  during the boot session, in response to a call for updating a value of an authorized database of keys associated with executable code permitted to execute on the information handling system or an authorized database of keys associated with executable code forbidden to execute on the information handling system;
  
  determine whether the value is digitally signed with the active key exchange key;
  
  determine whether the update is to a database or database entry associated with the active key exchange key; and
  
  process the update in response to determinations that the value is digitally signed with the active key exchange key and that the update is to a database or database entry associated with the active key exchange key.
- View Dependent Claims (10, 11, 12)
- - 10. The article of claim 9, wherein the authorized database is a DB as defined by the Unified Extensible Firmware Interface.
  - 11. The article of claim 9, wherein the unauthorized database is a DBX as defined by the Unified Extensible Firmware Interface.
  - 12. The article of claim 9, the instructions for further causing the processor to prevent the update in response to at least one of:
    - a determination that the value is not digitally signed with the active key exchange key; and
      
      a determination that the update is not to a database or database entry associated with the active key exchange key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dell Products LP (Dell Technologies Inc.)
Original Assignee
Dell Products LP (Dell Technologies Inc.)
Inventors
Joshi, Anand, Anson, Douglas M., Martinez, Ricardo L.

Application Number

US13/685,054
Publication Number

US 20140149730A1
Time in Patent Office

Days
Field of Search
US Class Current

713/2
CPC Class Codes

G06F 21/572 Secure firmware programming...

SYSTEMS AND METHODS FOR ENFORCING SECURE BOOT CREDENTIAL ISOLATION AMONG MULTIPLE OPERATING SYSTEMS

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR ENFORCING SECURE BOOT CREDENTIAL ISOLATION AMONG MULTIPLE OPERATING SYSTEMS

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links