SYSTEM WIDE ROOT OF TRUST CHAINING VIA SIGNED APPLICATIONS

US 20140380031A1
Filed: 06/24/2013
Published: 12/25/2014
Est. Priority Date: 06/24/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

searching, by a boot loader running on a processing device having an enabled secure boot mode, for an extensible firmware interface (EFI) binary object;

responsive to finding a first EFI binary object, verifying, by the boot loader, that a first signature associated with the first EFI binary object is valid using a platform key; and

responsive to verifying that the first signature for the first EFI binary object is valid, performing the following comprising;

identifying a first public key encapsulated in the first EFI binary object, wherein the first public key is associated with a non-EFI certificate authority;

extracting the first public key from the first EFI binary object; and

passing the first public key to a kernel of an operating system (OS).

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A processing device searches executing at least one of a boot loader or a kernel for the operating system searches for an extensible firmware interface (EFI) binary object. Responsive to finding a first EFI binary object, the processing device verifies that a first signature associated with the first EFI binary object is valid using a platform key. Responsive to verifying that the first signature for the first EFI binary object is valid, the processing device performs the following comprising: identifying a first public key encapsulated in the first EFI binary object, wherein the first public key is associated with a non-EFI certificate authority; extracting the first public key from the first EFI binary object; and performing at least one of a) passing the first public key to a kernel of an operating system (OS) or b) exposing the first public key to a user space of the OS.

60 Citations

View as Search Results

20 Claims

1. A method comprising:
- searching, by a boot loader running on a processing device having an enabled secure boot mode, for an extensible firmware interface (EFI) binary object;
  
  responsive to finding a first EFI binary object, verifying, by the boot loader, that a first signature associated with the first EFI binary object is valid using a platform key; and
  
  responsive to verifying that the first signature for the first EFI binary object is valid, performing the following comprising;
  
  identifying a first public key encapsulated in the first EFI binary object, wherein the first public key is associated with a non-EFI certificate authority;
  
  extracting the first public key from the first EFI binary object; and
  
  passing the first public key to a kernel of an operating system (OS).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - identifying at least one additional public key encapsulated in the first EFI binary object;
      
      extracting the at least one additional public key from the first EFI binary object; and
      
      passing the at least one additional public key to the kernel of the OS.
  - 3. The method of claim 1, further comprising:
    - responsive to finding a second EFI binary object, verifying, by the boot loader, that a second signature associated with the second EFI binary object is valid using the platform key; and
      
      responsive to verifying that the second signature for the second EFI binary object is valid, performing the following comprising;
      
      identifying a second public key encapsulated in the second EFI binary object, wherein the second public key is associated with an additional non-EFI certificate authority (CA);
      
      extracting the second public key from the second EFI binary object; and
      
      passing the second public key to the kernel of the OS.
  - 4. The method of claim 1, wherein the first public key is a component of a first digital certificate encapsulated in the EFI binary object, and wherein the first public key is usable to sign at least one of packages or kernel modules that are not compliant with an EFI standard.
  - 5. The method of claim 1, wherein the EFI binary object comprises a universal extensible firmware interface (UEFI) application that is trivially auditable.
  - 6. The method of claim 1, further comprising:
    - exposing the first public key to a user space of the OS by placing the first public key in at least one of a system key ring or a system file.
  - 7. The method of claim 6, further comprising:
    - loading a package manager in the user space of the OS, wherein responsive to a request to install or load a package signed by the non-EFI CA, the package manager verifies a digital signature associated with the package using the exposed first public key.
  - 8. The method of claim 1, wherein the platform key complies with a first public key cryptography standard, and the first public key complies with a second, different, public key cryptography standard.
  - 9. The method of claim 1, further comprising:
    - exposing the first public key to a module loading mechanism of the OS to enable the module loading mechanism to verify device drivers prior to loading the device drivers.

10. A non-transitory computer readable medium having instructions that, when executed by a processing device having an enabled secure boot mode, cause the processing device to perform operations comprising:
- searching, by the processing device, for an extensible firmware interface (EFI) binary object;
  
  responsive to finding a first EFI binary object, verifying that a first signature associated with the first EFI binary object is valid using a platform key; and
  
  responsive to verifying that the first signature for the first EFI binary object is valid, performing the following comprising;
  
  identifying a first public key encapsulated in the first EFI binary object, wherein the first public key is associated with a non-EFI certificate authority;
  
  extracting the first public key from the first EFI binary object; and
  
  performing at least one of a) passing the first public key to a kernel of an operating system (OS) or b) exposing the first public key to a user space of the OS.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer readable storage medium of claim 10, the operations further comprising:
    - identifying at least one additional public key encapsulated in the first EFI binary object;
      
      extracting the at least one additional public key from the first EFI binary object; and
      
      passing the at least one additional public key to the kernel of the OS.
  - 12. The computer readable storage of claim 10, the operations further comprising:
    - responsive to finding a second EFI binary object, verifying, by the Boot loader, that a second signature associated with the second EFI binary object is valid using the platform key; and
      
      responsive to verifying that the second signature for the second EFI binary object is valid, performing the following comprising;
      
      identifying a second public key encapsulated in the second EFI binary object, wherein the second public key is associated with an additional non-EFI certificate authority (CA);
      
      extracting the second public key from the second EFI binary object; and
      
      passing the second public key to the kernel of the OS.
  - 13. The computer readable storage medium of claim 10, wherein the first public key is a component of a first digital certificate encapsulated in the EFI binary object, and wherein the first public key is usable to sign at least one of packages or kernel modules that are not compliant with an EFI standard.
  - 14. The computer readable storage medium of claim 10, wherein the EFI binary object comprises a universal extensible firmware interface (UEFI) application that is trivially auditable.
  - 15. The computer readable storage medium of claim 10, the operations further comprising:
    - exposing the first public key to the user space of the OS by placing the first public key in at least one of a system key ring or a system file.
  - 16. The computer readable storage medium of claim 15, the operations further comprising:
    - loading a package manager in the user space of the OS, wherein responsive to a request to install or load a package signed by the non-EFI CA, the package manager verifies a digital signature associated with the package using the exposed first public key.
  - 17. The computer readable storage medium of claim 10, wherein the platform key complies with a first public key cryptography standard, and the first public key complies with a second, different, public key cryptography standard.
  - 18. The computer readable storage medium of claim 10, the operations further comprising:
    - exposing the first public key to a module loading mechanism of the OS to enable the module loading mechanism to verify device drivers prior to loading the device drivers.

19. A computing device comprising:
- a memory having instructions for a boot loader and for a kernel of an operating system (OS); and
  
  a processing device coupled to the memory, wherein the processing device is to perform the following in association with the boot loader loading the OS;
  
  search for an extensible firmware interface (EFI) binary object;
  
  responsive to finding a first EFI binary object, verify that a first signature associated with the first EFI binary object is valid using a platform key; and
  
  perform the following comprising responsive to verifying that the first signature for the first EFI binary object is valid;
  
  identify a first public key encapsulated in the first EFI binary object, wherein the first public key is associated with a non-EFI certificate authority;
  
  extract the first public key from the first EFI binary object; and
  
  expose the first public key to a user space of the OS.
- View Dependent Claims (20)
- - 20. The computing device of claim 19, wherein the first public key is a component of a first digital certificate encapsulated in the EFI binary object, and wherein the first public key is usable to sign at least one of packages or kernel modules that are not compliant with an EFI standard.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Jones, Peter M., Jackson, Adam D.

Granted Patent

US 9,721,101 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/2
CPC Class Codes

G06F 21/572 Secure firmware programming...

SYSTEM WIDE ROOT OF TRUST CHAINING VIA SIGNED APPLICATIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

60 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM WIDE ROOT OF TRUST CHAINING VIA SIGNED APPLICATIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links