SYSTEM AND METHOD FOR AUTO-ENROLLING OPTION ROMS IN A UEFI SECURE BOOT DATABASE
Abstract
A mechanism for automatically enrolling option ROMs into the system security database used for a UEFI Secure Boot is discussed. A request is received by a computing device to auto-enroll one or more option ROMs for one or more respective devices on the next boot of the system. Upon receiving the request, a flag or other type of indicator indicative of an auto-enroll status is changed to an active mode. The indicator is stored in non-volatile memory and may be stored as a UEFI Authenticated Variable. Following the changing of the indicator, the system is either reset or shut down. During the next boot only, after identifying the indicator indicative of an active mode auto-enroll status, the signatures for the option ROMs of all discovered devices whose signatures do not exist in the system security database are calculated (hashed) and added to the UEFI Secure Boot database without user interaction.
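As an added illustration (not code from the patent or any firmware vendor), the following Python model walks through the boot-sequence logic described in the abstract and the claims: an indicator in non-volatile storage is set by a request, the next boot enrolls the hashes of discovered option ROMs that are missing from the database, and the indicator is cleared before the boot sequence exits so the enrollment window is a single boot. The variable name `OpRomAutoEnroll`, the dict-based stand-in for UEFI variable storage, the set-based `db`, and the use of SHA-256 as the signature are assumptions made for this example.

```python
import hashlib

# Hypothetical name for the NV indicator (the patent mentions a UEFI Authenticated
# Variable but gives no name) and its two encoded states. Assumptions.
AUTO_ENROLL_VAR = "OpRomAutoEnroll"
ACTIVE, INACTIVE = b"\x01", b"\x00"


def oprom_signature(image: bytes) -> str:
    """Signature of an option ROM image, computed as a SHA-256 hash
    (the abstract says the signature is 'calculated (hashed)'; the hash
    algorithm is an assumption of this example)."""
    return hashlib.sha256(image).hexdigest()


def request_auto_enroll(nv_vars: dict) -> None:
    """Request step: flip the NV indicator from inactive to active.
    The platform is then reset or shut down before the next boot."""
    nv_vars[AUTO_ENROLL_VAR] = ACTIVE


def boot_sequence(nv_vars: dict, db: set, discovered: list) -> dict:
    """One firmware boot. `discovered` is [(device_name, rom_image_bytes), ...]
    and `db` is the Secure Boot signature database (a set of hashes here).
    Returns which option ROMs were enrolled and which were loaded."""
    # Identify discovered devices whose option ROM signature is not in db.
    missing = [(name, oprom_signature(img)) for name, img in discovered
               if oprom_signature(img) not in db]
    enrolled = []
    if missing and nv_vars.get(AUTO_ENROLL_VAR, INACTIVE) == ACTIVE:
        # Active auto-enroll mode: enroll every missing signature, no user prompt.
        for name, sig in missing:
            db.add(sig)
            enrolled.append(name)
    # Clear the indicator before exiting the boot sequence. This makes the
    # enrollment a one-shot window: a device discovered on any later boot is
    # not trusted automatically unless a new request is made.
    nv_vars[AUTO_ENROLL_VAR] = INACTIVE
    # Only option ROMs whose signature is now present in db are loaded.
    loaded = [name for name, img in discovered if oprom_signature(img) in db]
    return {"enrolled": enrolled, "loaded": loaded}
```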
18 Claims
1. A computing device-implemented method for auto-enrolling option ROM drivers in a system security database used to perform a Unified Extensible Firmware Interface (UEFI) Secure Boot, comprising:
- receiving a request to auto-enroll a signature for at least one option ROM driver in the system security database of the computing device;
- changing an indicator of an auto-enroll mode stored in non-volatile storage from an inactive mode to an active mode based on the request;
- resetting or shutting down the computing device subsequent to the changing of the indicator;
- beginning a boot sequence for the computing device following the resetting or shutting down of the computing device;
- identifying at least one device having an option ROM driver whose signature is not present in the system security database;
- detecting the active auto-enroll mode;
- automatically enrolling the signature for the at least one device in the system security database based on the detection of the active auto-enroll mode without user interaction; and
- changing the indicator of the auto-enroll mode from the active mode to the inactive mode before exiting the boot sequence,
wherein the option ROM driver for the at least one device is loaded into memory for execution based on the presence of the enrolled signature in the system security database.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A non-transitory medium holding computer-executable instructions for auto-enrolling option ROM drivers in a system security database used to perform a Unified Extensible Firmware Interface (UEFI) Secure Boot, the instructions when executed causing the computing device to:
- receive a request to auto-enroll a signature for at least one option ROM driver in the system security database of the computing device;
- change an indicator of an auto-enroll mode stored in non-volatile storage from an inactive mode to an active mode based on the request;
- reset or shut down the computing device subsequent to the changing of the indicator;
- begin a boot sequence for the computing device following the reset or shut down of the computing device;
- identify at least one device having an option ROM driver whose signature is not present in the system security database;
- detect the active auto-enroll mode;
- automatically enroll the signature for the at least one device in the system security database based on the detection of the active auto-enroll mode without user interaction; and
- change the indicator of the auto-enroll mode from the active mode to the inactive mode before exiting the boot sequence,
wherein the option ROM driver for the at least one device is loaded into memory for execution based on the presence of the enrolled signature in the system security database.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A computing device, comprising:
- at least one expansion device;
- at least one option ROM driver for the at least one expansion device;
- non-volatile storage holding a system security database used in performing a Unified Extensible Firmware Interface (UEFI) Secure Boot and an indicator of an auto-enroll mode for option ROM drivers in the computing device, the indicator set to an active mode;
- firmware configured to perform a boot sequence for the computing device, wherein the boot sequence:
  - identifies that a signature for the at least one option ROM driver is not present in the system security database;
  - detects the indicator of the auto-enroll mode set to the active mode; and
  - automatically enrolls the signature for the at least one option ROM driver for the at least one expansion device in the system security database based on the detection of the active mode without user interaction;
wherein the at least one option ROM driver for the at least one expansion device is loaded into memory for execution based on the presence of the enrolled signature in the system security database.
Dependent claims: 16, 17, 18.
Specification