SYSTEM WIDE ROOT OF TRUST CHAINING VIA SIGNED APPLICATIONS
First Claim
1. A method comprising:
- searching, by a boot loader running on a processing device having an enabled secure boot mode, for an extensible firmware interface (EFI) binary object;
responsive to finding a first EFI binary object, verifying, by the boot loader, that a first signature associated with the first EFI binary object is valid using a platform key; and
responsive to verifying that the first signature for the first EFI binary object is valid, performing the following comprising;
identifying a first public key encapsulated in the first EFI binary object, wherein the first public key is associated with a non-EFI certificate authority;
extracting the first public key from the first EFI binary object; and
passing the first public key to a kernel of an operating system (OS).
1 Assignment
0 Petitions
Accused Products
Abstract
A processing device searches executing at least one of a boot loader or a kernel for the operating system searches for an extensible firmware interface (EFI) binary object. Responsive to finding a first EFI binary object, the processing device verifies that a first signature associated with the first EFI binary object is valid using a platform key. Responsive to verifying that the first signature for the first EFI binary object is valid, the processing device performs the following comprising: identifying a first public key encapsulated in the first EFI binary object, wherein the first public key is associated with a non-EFI certificate authority; extracting the first public key from the first EFI binary object; and performing at least one of a) passing the first public key to a kernel of an operating system (OS) or b) exposing the first public key to a user space of the OS.
60 Citations
20 Claims
-
1. A method comprising:
-
searching, by a boot loader running on a processing device having an enabled secure boot mode, for an extensible firmware interface (EFI) binary object; responsive to finding a first EFI binary object, verifying, by the boot loader, that a first signature associated with the first EFI binary object is valid using a platform key; and responsive to verifying that the first signature for the first EFI binary object is valid, performing the following comprising; identifying a first public key encapsulated in the first EFI binary object, wherein the first public key is associated with a non-EFI certificate authority; extracting the first public key from the first EFI binary object; and passing the first public key to a kernel of an operating system (OS). - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A non-transitory computer readable medium having instructions that, when executed by a processing device having an enabled secure boot mode, cause the processing device to perform operations comprising:
-
searching, by the processing device, for an extensible firmware interface (EFI) binary object; responsive to finding a first EFI binary object, verifying that a first signature associated with the first EFI binary object is valid using a platform key; and responsive to verifying that the first signature for the first EFI binary object is valid, performing the following comprising; identifying a first public key encapsulated in the first EFI binary object, wherein the first public key is associated with a non-EFI certificate authority; extracting the first public key from the first EFI binary object; and performing at least one of a) passing the first public key to a kernel of an operating system (OS) or b) exposing the first public key to a user space of the OS. - View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
-
-
19. A computing device comprising:
-
a memory having instructions for a boot loader and for a kernel of an operating system (OS); and a processing device coupled to the memory, wherein the processing device is to perform the following in association with the boot loader loading the OS; search for an extensible firmware interface (EFI) binary object; responsive to finding a first EFI binary object, verify that a first signature associated with the first EFI binary object is valid using a platform key; and perform the following comprising responsive to verifying that the first signature for the first EFI binary object is valid; identify a first public key encapsulated in the first EFI binary object, wherein the first public key is associated with a non-EFI certificate authority; extract the first public key from the first EFI binary object; and expose the first public key to a user space of the OS. - View Dependent Claims (20)
-
Specification