CONTINUATION OF TRUST FOR PLATFORM BOOT FIRMWARE

US 20140250291A1
Filed: 03/01/2013
Published: 09/04/2014
Est. Priority Date: 03/01/2013
Status: Active Grant

First Claim

Patent Images

1. A device, comprising:

a memory module including at least platform boot firmware; and

a processing module to load the platform boot firmware when the device is activated, the platform boot firmware causing the processing module to load a hash table, to calculate hashes for platform boot firmware files loaded subsequent to the hash table and to determine whether the calculated platform boot firmware file hashes are in the hash table.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure is directed to continuation of trust for platform boot firmware. A device may comprise a processing module and a memory module including read-only memory (ROM) on which is stored platform boot firmware. On activation, the processing module may load the platform boot firmware. The platform boot firmware may cause the processing module to first load a trusted pre-verifier file to load and verify the signature of a hash table loaded from the platform boot firmware. The processing module may then load firmware program files from the platform boot firmware, calculate a hash for each file, and verify whether each program hash is in the hash table. Firmware program files with hashes in the hash table may be allowed to execute. If any firmware program file hash is not in the hash table, the processing module may perform platform specific security actions to prevent the device from being compromised.

Citations

21 Claims

1. A device, comprising:
- a memory module including at least platform boot firmware; and
  
  a processing module to load the platform boot firmware when the device is activated, the platform boot firmware causing the processing module to load a hash table, to calculate hashes for platform boot firmware files loaded subsequent to the hash table and to determine whether the calculated platform boot firmware file hashes are in the hash table.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The device of claim 1, wherein the memory module includes read-only memory to store the platform boot firmware.
  - 3. The device of claim 2, wherein the read-only memory stores platform boot firmware based on a Basic Input/Output System (BIOS), a Unified Extensible Firmware Interface (UEFI) or a coreboot system.
  - 4. The device of claim 1, wherein the loading of the platform boot firmware further comprises causing the processing module to load a pre-verifier file to verify a signature of the hash table prior to determining whether the calculated platform boot firmware file hashes are in the hash table.
  - 5. The device of claim 4, wherein the pre-verifier file is not to verify signatures for any of the platform boot firmware files.
  - 6. The device of claim 1, wherein the loading of the platform boot firmware further comprises causing the processing module to execute platform boot firmware files that are determined to have hashes in the hash table.
  - 7. The device of claim 1, wherein the boot process further comprises causing the processing module to perform a security action if any of the platform boot firmware file hashes are determined not to be in the hash table.

8. A method, comprising:
- loading a hash table and platform boot firmware files when a device is activated;
  
  calculating hashes for each of the platform boot firmware files; and
  
  determining whether each of the calculated platform boot firmware file hashes are in the hash table.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the hash table and platform boot firmware files are loaded from a memory module in the device, the memory module including read-only memory.
  - 10. The method of claim 9, wherein the read-only memory stores platform boot firmware based on a Basic Input/Output System (BIOS), a Unified Extensible Firmware Interface (UEFI) or a coreboot system.
  - 11. The method of claim 8, further comprising:
    - loading a pre-verifier file; and
      
      verifying a signature of the hash table with the pre-verifier file prior to determining whether the calculated platform boot firmware file hashes are in the hash table.
  - 12. The method of claim 11, wherein signatures are not verified for the platform boot firmware files with the pre-verifier file.
  - 13. The method of claim 8, further comprising executing platform boot firmware files that are determined to have hashes in the hash table.
  - 14. The method of claim 8, further comprising performing a security action if any of the platform boot firmware file hashes are determined not to be in the hash table.

15. At least one machine-readable storage medium having stored thereon, individually or in combination, instructions that when executed by one or more processors result in the following operations comprising:
- loading a hash table and platform boot firmware files when a device is activated;
  
  calculating hashes for each of the platform boot firmware files; and
  
  determining whether each of the calculated platform boot firmware file hashes are in the hash table.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The medium of claim 15, wherein the hash table and platform boot firmware files are loaded from a memory module in the device, the memory module including read-only memory.
  - 17. The medium of claim 16, wherein the read-only memory stores platform boot firmware based on a Basic Input/Output System (BIOS), a Unified Extensible Firmware Interface (UEFI) or a coreboot system.
  - 18. The medium of claim 15, further comprising instructions that when executed by one or more processors result in the following operations comprising:
    - loading a pre-verifier file; and
      
      verifying a signature of the hash table with the pre-verifier file prior to determining whether the calculated platform boot firmware file hashes are in the hash table.
  - 19. The medium of claim 18, wherein signatures are not verified for the platform boot firmware files with the pre-verifier file.
  - 20. The medium of claim 15, further comprising instructions that when executed by one or more processors result in the following operations comprising:
    - executing platform boot firmware files that are determined to have hashes in the hash table.
  - 21. The medium of claim 15, further comprising instructions that when executed by one or more processors result in the following operations comprising:
    - performing a security action if any of the platform boot firmware file hashes are determined not to be in the hash table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Nicholas J. Adams, Willard M. Wiseman
Inventors
ADAMS, Nicholas J., WISEMAN, Willard M.

Granted Patent

US 9,223,982 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/2
CPC Class Codes

G06F 21/57 Certifying or maintaining t...

G06F 21/575 Secure boot

CONTINUATION OF TRUST FOR PLATFORM BOOT FIRMWARE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

CONTINUATION OF TRUST FOR PLATFORM BOOT FIRMWARE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links