SYSTEMS AND METHODS FOR ENFORCING SECURE BOOT CREDENTIAL ISOLATION AMONG MULTIPLE OPERATING SYSTEMS
First Claim
1. An information handling system comprising:
- a processor;
a basic input/output system (BIOS) comprising a program of instructions executable by the processor and configured to cause the processor to;
during a boot of the information handling system, authenticate an operating system for execution on the information handling system based on a key exchange key associated with the operating system;
designate the key exchange key as an active key exchange key for a boot session of the information handling system; and
during the boot session, in response to a call for updating a value of an authorized database of keys associated with executable code permitted to execute on the information handling system or an authorized database of keys associated with executable code forbidden to execute on the information handling system;
determine whether the value is digitally signed with the active key exchange key;
determine whether the update is to a database or database entry associated with the active key exchange key; and
process the update in response to determinations that the value is digitally signed with the active key exchange key and that the update is to a database or database entry associated with the active key exchange key.
9 Assignments
0 Petitions
Accused Products
Abstract
A method may include designating a key exchange key as an active key exchange key for a boot session of the information handling system. The method may further include during the boot session, in response to a call for updating a value of an authorized database of keys associated with executable code permitted to execute on the information handling system or an authorized database of keys associated with executable code forbidden to execute on the information handling system: determining whether the value is digitally signed with the active key exchange key, determining whether the update is to a database or database entry associated with the active key exchange key, and processing the update in response to determinations that the value is digitally signed with the active key exchange key and that the update is to a database or database entry associated with the active key exchange key.
-
Citations
12 Claims
-
1. An information handling system comprising:
-
a processor; a basic input/output system (BIOS) comprising a program of instructions executable by the processor and configured to cause the processor to; during a boot of the information handling system, authenticate an operating system for execution on the information handling system based on a key exchange key associated with the operating system; designate the key exchange key as an active key exchange key for a boot session of the information handling system; and during the boot session, in response to a call for updating a value of an authorized database of keys associated with executable code permitted to execute on the information handling system or an authorized database of keys associated with executable code forbidden to execute on the information handling system; determine whether the value is digitally signed with the active key exchange key; determine whether the update is to a database or database entry associated with the active key exchange key; and process the update in response to determinations that the value is digitally signed with the active key exchange key and that the update is to a database or database entry associated with the active key exchange key. - View Dependent Claims (2, 3, 4)
-
-
5. A method comprising:
-
during a boot of the information handling system, authenticating an operating system for execution on an information handling system based on a key exchange key associated with the operating system; designating the key exchange key as an active key exchange key for a boot session of the information handling system; and during the boot session, in response to a call for updating a value of an authorized database of keys associated with executable code permitted to execute on the information handling system or an authorized database of keys associated with executable code forbidden to execute on the information handling system; determining whether the value is digitally signed with the active key exchange key; determining whether the update is to a database or database entry associated with the active key exchange key; and processing the update in response to determinations that the value is digitally signed with the active key exchange key and that the update is to a database or database entry associated with the active key exchange key. - View Dependent Claims (6, 7, 8)
-
-
9. An article of manufacture comprising:
-
a computer readable medium; and computer-executable instructions carried on the computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to; during a boot of the information handling system, authenticate an operating system for execution on an information handling system based on a key exchange key associated with the operating system; designate the key exchange key as an active key exchange key for a boot session of the information handling system; and during the boot session, in response to a call for updating a value of an authorized database of keys associated with executable code permitted to execute on the information handling system or an authorized database of keys associated with executable code forbidden to execute on the information handling system; determine whether the value is digitally signed with the active key exchange key; determine whether the update is to a database or database entry associated with the active key exchange key; and process the update in response to determinations that the value is digitally signed with the active key exchange key and that the update is to a database or database entry associated with the active key exchange key. - View Dependent Claims (10, 11, 12)
-
Specification