TRUSTED SUPPORT PROCESSOR AUTHENTICATION OF HOST BIOS/UEFI

US 20170085383A1
Filed: 09/23/2015
Published: 03/23/2017
Est. Priority Date: 09/23/2015
Status: Active Grant

First Claim

Patent Images

1. An information handling system (IHS) for preventing execution of corrupted boot up instructions in flash memory, the IHS comprising:

a system interconnect;

a memory component containing basic input/output system (BIOS) instructions to execute during boot up of the IHS;

a host processor in communication with the memory component via the system interconnect and which executes the BIOS instructions to configure the IHS;

a support processor in communication via the system interconnection with the memory component and comprising an embedded memory containing a unique key that is assigned to the support processor and executing instructions to configure the IHS to;

calculate a current hash value for the BIOS instructions;

access a trusted encrypted hash value and the unique key from a secure storage;

decrypt the trusted encrypted hash value using the unique key to obtain a trusted hash value;

determine whether the current hash value is identical to the trusted hash value; and

allow execution of the BIOS instructions by the host processor in response to determining that the encrypted current hash value is identical to the trusted hash value.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An information handling system (IHS) prevents execution of corrupted bootup instructions in flash memory. A memory component contains basic input/output system (BIOS) instructions to execute during boot up of the IHS. A host processor is in communication with the memory component via the system interconnect to execute the BIOS instructions to configure the IHS. A support processor executes instructions to configure the IHS to: (a) calculate a current hash value for the BIOS instructions; (b) access a trusted encrypted hash value and the unique key from a secure storage; (c) decrypt the trusted encrypted hash value using the unique key to obtain a trusted hash value; (d) determine whether the current hash value is identical to the trusted hash value; and (e) allow execution of the BIOS instructions by the host processor in response to determining that the encrypted current hash value is identical to the trusted hash value.

Citations

20 Claims

1. An information handling system (IHS) for preventing execution of corrupted boot up instructions in flash memory, the IHS comprising:
- a system interconnect;
  
  a memory component containing basic input/output system (BIOS) instructions to execute during boot up of the IHS;
  
  a host processor in communication with the memory component via the system interconnect and which executes the BIOS instructions to configure the IHS;
  
  a support processor in communication via the system interconnection with the memory component and comprising an embedded memory containing a unique key that is assigned to the support processor and executing instructions to configure the IHS to;
  
  calculate a current hash value for the BIOS instructions;
  
  access a trusted encrypted hash value and the unique key from a secure storage;
  
  decrypt the trusted encrypted hash value using the unique key to obtain a trusted hash value;
  
  determine whether the current hash value is identical to the trusted hash value; and
  
  allow execution of the BIOS instructions by the host processor in response to determining that the encrypted current hash value is identical to the trusted hash value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The IHS of claim 1, wherein:
    - the system interconnect comprises a selected one of an inter-integrated circuit (I²C) bus, a Personal Computer Interconnect Express (PCIe) bus, and a Serial Peripheral Interface (SPI) bus, with selectively one of the host processor and the support processor in master communication control to read an entirety of the memory component.
  - 3. The IHS of claim 1, wherein the support processor executes instructions to configure the IHS to replace the BIOS instructions with trusted BIOS instructions in response to determining that the current hash value is not identical to the trusted hash value.
  - 4. The IHS of claim 1, wherein, in response to determining that the current hash value is not identical to the trusted hash value, the support processor executes instructions to configure the IHS to perform at least one of:
    - shut down the IHS;
      
      send an alert to an administrator; and
      
      invoke a BIOS recovery using a backup BIOS image.
  - 5. The IHS of claim 1, wherein the support processor executes instructions to configure the IHS during a first boot to:
    - determine whether the trusted hash value is stored in the secure storage;
      
      in response to determining that the trusted hash value is not stored in the secure storage;
      
      calculate a hash value from trusted BIOS instructions stored in the removable flash memory module;
      
      encrypt the hash value using the unique key to create the trusted hash value; and
      
      store the trusted hash value in the secure storage.
  - 6. The IHS of claim 1, wherein the support processor executes instructions to configure the IHS to:
    - receive an encrypted BIOS instruction update;
      
      determine, via the support processor, whether a digital signature of a source of the encrypted BIOS instruction update is a trusted source; and
      
      enable updating of the BIOS instructions in the removable flash memory module in response to determining that the digital signature of the source of the encrypted BIOS instruction update is a trusted source.
  - 7. The IHS of claim 1, wherein the IHS comprises a server and the support processor comprises a baseboard management controller.
  - 8. The IHS of claim 1, further comprising a controller of an array of replacement non-volatile storage devices, the controller executing instructions to:
    - calculate a current hash value for the memory content in the particular nonvolatile storage device;
      
      access, from a secure storage, the unique key and a trusted encrypted hash value for the particular nonvolatile storage device encrypted with the unique key assigned to the controller;
      
      decrypt the trusted encrypted hash value for the particular nonvolatile storage device using the unique key to obtain a trusted hash value;
      
      determine whether the current hash value is identical to the trusted hash value for the particular nonvolatile storage device; and
      
      allow access to the particular nonvolatile storage device in response to determining that the current hash value is identical to the trusted hash value for the particular nonvolatile storage device.
  - 9. The IHS of claim 1, further comprising a controller of an array of replacement non-volatile storage devices, the controller executing instructions to:
    - determine whether a trusted encrypted hash value for a particular nonvolatile storage device is stored in the secure storage;
      
      in response to determining that the trusted encrypted hash value for the particular nonvolatile storage device is not stored in the secure storage;
      
      calculate a hash value from trusted memory content stored in the particular nonvolatile storage device;
      
      encrypt the hash value using a unique key that is assigned to the controller to create a trusted hash value; and
      
      store the trusted encrypted hash value for the particular nonvolatile storage device in the secure storage.

10. A method of authenticating Basic Input/Output System (BIOS) of an information handling system (IHS) for preventing execution of corrupted boot up instructions, the method comprising:
- a support processor;
  
  calculating, by a support processor, a current hash value for the BIOS instructions;
  
  accessing, by the support processor, a trusted encrypted hash value and the unique key from a secure storage;
  
  decrypting, by the support processor, the trusted encrypted hash value using the unique key to obtain a trusted hash value;
  
  determining, by the support processor, whether the current hash value is identical to the trusted hash value; and
  
  allowing, by the support processor, execution of the BIOS instructions by the host processor in response to determining that the encrypted current hash value is identical to the trusted hash value.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, further comprising the support processor selectively communicating over a system interconnection shared with the host processor and comprising a selected one of an inter-integrated circuit (I²C) bus, a Personal Computer Interconnect Express (PCIe) bus, and a Serial Peripheral Interface (SPI) bus in master communication control to read an entirety of the memory component.
  - 12. The method of claim 10, further comprising replacing the BIOS instructions with trusted BIOS instructions in response to determining that the current hash value is not identical to the trusted hash value.
  - 13. The method of claim 10, wherein, in response to determining that the current hash value is not identical to the trusted hash value, the support processor performing at least one of:
    - shutting down the IHS;
      
      sending an alert to an administrator; and
      
      invoking a BIOS recovery using a backup BIOS image.
  - 14. The method of claim 10, further comprising configuring the IHS during a first boot by:
    - determining whether the trusted encrypted hash value is stored in the secure storage;
      
      in response to determining that the trusted hash value is not stored in the secure storage;
      
      calculating a hash value from trusted BIOS instructions stored in the removable flash memory module;
      
      encrypting the hash value using the unique key to create the trusted hash value; and
      
      storing the trusted hash value in the secure storage.
  - 15. The method of claim 10, further comprising:
    - receiving an encrypted BIOS instruction update;
      
      determining whether a digital signature of a source of the encrypted BIOS instruction update is a trusted source; and
      
      enabling update of the BIOS instructions in the removable flash memory module in response to determining that the digital signature of the source of the encrypted BIOS instruction update is a trusted source.
  - 16. The method of claim 10, further comprising:
    - a controller;
      
      determining whether a trusted encrypted hash value for a particular nonvolatile storage device of an array of replacement non-volatile storage devices is stored in the secure storage;
      
      in response to determining that the trusted encrypted hash value for the particular nonvolatile storage device is not stored in the secure storage;
      
      calculating a hash value from trusted memory content stored in the particular nonvolatile storage device;
      
      encrypting the hash value using a unique key that is assigned to the controller and stored in the secure storage to create a trusted encrypted hash value; and
      
      storing the trusted encrypted hash value for the particular nonvolatile storage device in the secure storage.

17. A method of authenticating a memory device of an information handling system (IHS), the method comprising:
- accessing, by a processor, current memory contents of a memory device;
  
  calculating, by the processor, a current hash value for the current memory content memory device;
  
  accessing, by the processor, a trusted encrypted hash value and the unique key from a secure storage;
  
  decrypting, by the processor, the trusted encrypted hash value using the unique key to obtain a trusted hash value;
  
  determining, by the processor, whether the current hash value is identical to the trusted hash value; and
  
  allowing, by the processor, access to the current memory contents of the memory device by another processor in response to determining that the encrypted current hash value is identical to the trusted hash value.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, further comprising the processor disabling access to the memory device in response to determining that the current hash value is not identical to the trusted hash value for the memory device.
  - 19. The method of claim 17, further comprising the processor preparing the memory device for use by:
    - calculating a hash value from memory content stored in the memory device;
      
      encrypting the hash value using a unique key that is assigned to the processor and stored in the secure storage to create the trusted encrypted hash value; and
      
      storing the trusted encrypted hash value for the memory device in the secure storage.
  - 20. The method of claim 17, further comprising:
    - the processor selecting master control of a system interconnect in slaved communication with the storage device to read the current memory contents; and
      
      the processor allowing another processor to select master control of the system interconnect in response to determining that the current hash value is identical to the trusted hash value for the memory device

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dell Products LP (Dell Technologies Inc.)
Original Assignee
Dell Products LP (Dell Technologies Inc.)
Inventors
RAO, BALAJI BAPU GURURAJA, Jreij, Elie Antoun, Hall, Richard Lynn, Khatri, Mukund P.

Granted Patent

US 9,742,568 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/1417   Boot up procedures

G06F 11/1433   during software upgrading

G06F 21/572   Secure firmware programming...

G06F 21/575   Secure boot

G06F 2221/2107   File encryption

G06F 3/0619   in relation to data integri...

G06F 3/0632   by initialisation or re-ini...

G06F 3/0679   Non-volatile semiconductor ...

G06F 8/654   using techniques specially ...

G06F 9/4401   Bootstrapping security arra...

H04L 9/3234   involving additional secure...

H04L 9/3242   involving keyed hash functi...

TRUSTED SUPPORT PROCESSOR AUTHENTICATION OF HOST BIOS/UEFI

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

TRUSTED SUPPORT PROCESSOR AUTHENTICATION OF HOST BIOS/UEFI

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links