SECURE FACTORY DATA GENERATION AND RESTORATION

US 20150261966A1
Filed: 03/12/2014
Published: 09/17/2015
Est. Priority Date: 03/12/2014
Status: Active Grant

First Claim

Patent Images

1. A system for managing factory-generated data for an electronic device, the system comprising:

a first factory server coupled to one or more storage systems, to store calibration data generated for one or more modules of the electronic device, the calibration data associated with the one or more modules via a module identifier that is unique to each of the modules, and to transmit the calibration data to the one or more storage systems;

a second factory server coupled to the one or more storage systems, to retrieve the calibration data associated with the one or more modules from the one or more storage systems, and to assemble a set of factory data for the electronic device, the factory data including the calibration data, the factory data associated with the electronic device via a device identifier that is unique to the electronic device; and

a sealing server coupled to the one or more storage systems, the sealing server to, in response to a request from the electronic device, authenticate the set of factory data for the electronic device via the module identifier of each module, and to create a cryptographic association between the set of factory data and the electronic device after the authentication, wherein a manifest of the cryptographic association is stored on the electronic device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In various embodiments, methods, devices and systems for securely generating, sealing, and restoring factory-generated calibration and provisioning data for an electronic device are described, in which calibration and provisioning data for an electronic device are generated in a distributed manner and stored on a storage system. The calibration data can be retrieved from the storage system during device assembly and finalized calibration and provisioning data for each electronic device can be stored to the storage system. In one embodiment, a sealing server, to attest to the authenticity of the factory-generated data, seals the finalized calibration data. In one embodiment, an electronic device can access a data store containing the factory-generated data and can update or restore calibration or provisioning data for the device from the data store.

39 Citations

View as Search Results

20 Claims

1. A system for managing factory-generated data for an electronic device, the system comprising:
- a first factory server coupled to one or more storage systems, to store calibration data generated for one or more modules of the electronic device, the calibration data associated with the one or more modules via a module identifier that is unique to each of the modules, and to transmit the calibration data to the one or more storage systems;
  
  a second factory server coupled to the one or more storage systems, to retrieve the calibration data associated with the one or more modules from the one or more storage systems, and to assemble a set of factory data for the electronic device, the factory data including the calibration data, the factory data associated with the electronic device via a device identifier that is unique to the electronic device; and
  
  a sealing server coupled to the one or more storage systems, the sealing server to, in response to a request from the electronic device, authenticate the set of factory data for the electronic device via the module identifier of each module, and to create a cryptographic association between the set of factory data and the electronic device after the authentication, wherein a manifest of the cryptographic association is stored on the electronic device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system as in claim 1, further comprising a data store to store the set of factory data, wherein the set of factory data and the manifest of the cryptographic association between the set of factory data and the electronic device are received by the data store after the authentication and wherein the first factory server, the second factory server and the sealing server are implemented as one or more data processing systems executing software that stores the calibration data and assembles the set of factory data and authenticates the set of factory data.
  - 3. The system as in claim 2, further comprising a migration service, to facilitate transmission of the calibration data from the first factory server to the second factory server via the one or more storage systems, and to facilitate the transmission of the set of factory data to the data store.
  - 4. The system as in claim 1, wherein the first and second factory servers are each configured to couple with at least one test station.
  - 5. The system as in claim 4, wherein the first factory server is coupled with at least one test station, and wherein the at least one test station is within a data security domain that differs from the first factory server.
  - 6. The system as in claim 1, wherein the sealing server authenticates the set of factory data based on an authentication policy.
  - 7. The system as in claim 6, wherein the policy includes authenticating the set of factory data only if authentication is attempted while the electronic device is in a factory environment.
  - 8. The system as in claim 6, wherein the policy includes authenticating the set of factory data in response to receiving a user authentication token.
  - 9. The system as in claim 6, wherein the authentication of the set of factory data includes a validation of the set of factory data based on a validation policy.
  - 10. The system of claim 9, wherein the validation policy includes validating the set of factory data only if the set of factory data is complete.

11. A method of authenticating factory-generated data for an electronic device, the method comprising:
- receiving a request to cryptographically sign a set of factory-generated data associated with modules of the electronic device, the request including a certificate of the electronic device and signed with a cryptographic signature of the electronic device;
  
  verifying the authenticity of the signature of the request, and when the request is authentic, verifying each element in the set of factory data; and
  
  cryptographically signing the set of factory data when each element in the set of factory data is authentic.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The method of claim 11, wherein receiving the request to cryptographically sign the set of factory-generated data associated with the electronic device comprises receiving a list of factory data objects, each factory data object associated with at least one module of the electronic device and wherein each module includes a hardware component of the electronic device.
  - 13. The method of claim 12, wherein each factory data object is associated with the respective module of the electronic device via an identifier that is unique to the module, and wherein each factory data object includes a data instance of the data object that identifies the data object.
  - 14. The method of claim 12, wherein each factory data object includes an object digest of the data object that is computed using a message digest algorithm.
  - 15. The method of claim 14, wherein verifying each element in the set of factory data includes comparing the object digest of each factory data object in the list of factory data objects with the object digest of the associated factory object in a factory data store.
  - 16. The method of claim 15, further comprising determining that each element in the set of factory data is authentic only in response to receiving and validating an authentication token from an authorized agent device.
  - 17. A non-transitory computer-readable medium with instructions stored therein, the instructions, when executed by a processor, cause the processor to perform operations comprising the method of claim 11.
  - 18. A non-transitory computer-readable medium with instructions stored therein, the instructions, when executed by a processor, cause the processor to perform operations comprising the method of claim 16.

19. An electronic device comprising:
- a storage module to store factory-generated data;
  
  at least one electronic module having factory-generated data stored on the storage module, the factory-generated data including calibration or provisioning data for the at least one electronic module; and
  
  one or more processors having one or more processor cores, each processor coupled to memory, the storage module, and the at least one electronic module, at least one of the one or more processors configured to perform a trust verification on the factory-generated data stored on the storage module before loading the factory-generated data into memory.
- View Dependent Claims (20)
- - 20. The electronic device as in claim 19, wherein the one or more processors are further configured to retrieve, via a network interface, updated factory data for the at least one electronic module responsive to a failed trust verification on the factory-generated data stored on the storage module, and wherein the storage module is a primary storage module for the electronic device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Gosnell, Jason D., Hauck, Jerrold V., Vempaty, Muralidhar S., De Atley, Dallas B., Mensch, Thomas P.

Granted Patent

US 9,542,558 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 21/572   Secure firmware programming...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

H04L 63/0428   wherein the data content is...

H04L 63/083   using passwords cryptograph...

H04L 63/0876   based on the identity of th...

H04L 9/3247   involving digital signatures

SECURE FACTORY DATA GENERATION AND RESTORATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

39 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE FACTORY DATA GENERATION AND RESTORATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links