Method and apparatus for providing enhanced data verification in a computer system

US 5,379,342 A
Filed: 01/07/1993
Issued: 01/03/1995
Est. Priority Date: 01/07/1993
Status: Expired due to Fees

First Claim

Patent Images

1. A personal computer system compatible with application programs and operating system software, the personal computer system comprising:

a microprocessor;

non-volatile memory electrically coupled to said microprocessor, said non-volatile memory storing a first portion of system microcode that is retrieved and executed by said microprocessor when said computer system is initially powered on,volatile memory electrically coupled to said microprocessor;

a direct access storage device electrically coupled to said microprocessor, said direct access storage device storing a second portion of operating system microcode that is retrieved and executed by said microprocessor after said microprocessor has executed said first portion of microcode,said second portion of operating system microcode including a boot program which, during power on initialization of said system, receives control of said system from said first portion of system microcode, andmeans contained at least in part in said first portion of system microcode for enabling said microprocessor to verify that said boot program has not undergone unauthorized modification since said computer system was previously powered off, said last-mentioned means operating before control of said system is transferred from said first portion to said boot program.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A personal computer system compatible with application programs and operating system software. The personal computer system includes a microprocessor electrically coupled to a data bus, non-volatile memory electrically coupled to the data bus, volatile memory electrically responsive to the data bus and a direct access storage device electrically responsive to the data bus, the direct access storage device storing a second portion of operating system microcode. The non-volatile memory stores a first portion of operating system microcode and the direct access storage device stores a second portion of operating system microcode. The second portion of operating system microcode includes a boot program. The first portion of operating system microcode verifies the integrity of the boot program prior to loading the boot program into the volatile memory.

Citations

15 Claims

1. A personal computer system compatible with application programs and operating system software, the personal computer system comprising:
- a microprocessor;
  
  non-volatile memory electrically coupled to said microprocessor, said non-volatile memory storing a first portion of system microcode that is retrieved and executed by said microprocessor when said computer system is initially powered on,volatile memory electrically coupled to said microprocessor;
  
  a direct access storage device electrically coupled to said microprocessor, said direct access storage device storing a second portion of operating system microcode that is retrieved and executed by said microprocessor after said microprocessor has executed said first portion of microcode,said second portion of operating system microcode including a boot program which, during power on initialization of said system, receives control of said system from said first portion of system microcode, andmeans contained at least in part in said first portion of system microcode for enabling said microprocessor to verify that said boot program has not undergone unauthorized modification since said computer system was previously powered off, said last-mentioned means operating before control of said system is transferred from said first portion to said boot program.

2. A personal computer system comprising:
- a microprocessor;
  
  non-volatile memory electrically coupled to said microprocessor, said non-volatile memory storing a first portion of system microcode that is executed by said microprocessor when said computer system is initially powered on,volatile memory electrically coupled to said microprocessor,a direct access storage device electrically coupled to said microprocessor, said direct access storage device storing a second portion of system microcode associated with an operating system currently installed in said computer system, said second portion of microcode including a boot program which, during power on initialization of said system, is executed by said microprocessor after said microprocessor has finished executing said first portion of microcode, andmeans contained at least in part in said first portion of microcode for enabling said microprocessor to verify, prior to execution of said boot program, that said boot program has not undergone an unauthorized change since the system was previously powered on, whereinsaid means for enabling said microprocessor to verify includes means for generating an initial modification detection code, based upon information contained in said boot program, during an initial setup of said computer system, and means operative during subsequent power on executions of said first microcode portion for enabling said microprocessor to use said initial modification detection code as a reference in verifying that said boot program has not undergone a said unauthorized change since said system was previously powered on.
- View Dependent Claims (3, 4, 5, 6, 7)
- - 3. The apparatus of claim 2 whereinsaid means for generating includes a cryptographic one-way function which calculates a multi-byte value from a given input series of bytes of said boot program.
  - 4. The apparatus of claim 2 whereinsaid non-volatile memory includes a check code portion, andsaid means for verifying stores said initial modification detection code in said check code portion.
  - 5. The apparatus of claim 4 whereinsaid check code portion of said non-volatile memory is disabled to prevent writing to said check code portion after said initial modification detection code is stored in said check code portion.
  - 6. The apparatus of claim 4 whereinsaid means for verifying compares a present modification detection code upon power-up of the computer system with said initial modification detection code,said means for verifying including means for taking corrective action if said present modification detection code does not correspond to said initial modification code,said means for verifying transferring control to said boot record if said present modification detection code corresponds to said initial modification detection code.
  - 7. The apparatus of claim 4 whereinsaid non-volatile memory includes a flag portion, andsaid means for verifying stores in said flag portion a flag to indicate the presence of said modification detection code.

8. A personal computer system compatible with application programs and operating system software, the personal computer system comprising:
- a microprocessor,non-volatile memory electrically coupled to said microprocessor, said non-volatile memory storing a first portion of operating system microcode to be executed by said microprocessor when said computer system is initially powered on,volatile memory electrically coupled to said microprocessor,a direct access storage device electrically coupled to said microprocessor, said direct access storage device storing, in separate pads thereof, a second portion of operating system microcode and operating system software for an operating system installed in said computer system,said second portion of operating system microcode including a boot program to be executed by said microprocessor after said first portion of microcode has been executed,first verifying means for verifying, prior to execution of said boot program by said microprocessor, that said boot program has not been changed in an unauthorized manner since a previous execution of said boot program by said microprocessor, andsecond verifying means for verifying that the part of said direct access storage device containing said operating system software has not been changed in an unauthorized manner since the previous power on initialization of said system, said second verifying means operating while said microprocessor is under control of said boot program, and prior to loading of said operating system software from said direct access storage device into said volatile memory, to prepare said computer system for operating under control of said operating system software.
- View Dependent Claims (9)
- - 9. The apparatus of claim 8 wherein said boot program includes said second verifying means.

10. A personal computer system comprising:
- a microprocessor;
  
  non-volatile memory electrically coupled to said microprocessor, said non-volatile memory storing a first portion of microcode to be executed by said microprocessor for controlling said computer system when said computer system is initially powered on;
  
  volatile memory electrically coupled to said microprocessor;
  
  direct access storage means electrically coupled to said microprocessor, said direct access storage means storing, in separate parts thereof, a second portion of microcode, for controlling said computer system after execution of said first portion of microcode, and software of an operating system installed in said computer system;
  
  said second portion of microcode including a boot program;
  
  first verifying means for verifying during execution of said first portion of microcode that said boot program has not been changed in an unauthorized manner since said system was previously powered on; and
  
  second verifying means for verifying during execution of said boot program that said operating system software has not been changed in an unauthorized manner since said computer system was previously powered on; and
  
  whereinsaid first verifying means includes means for generating an initial modification detection code based upon said boot program during an initial setup of said computer system.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The apparatus of claim 10 whereinsaid means for generating includes a cryptographic one-way function which calculates a multi-byte value from a given input series of bytes of said boot program.
  - 12. The apparatus of claim 10 whereinsaid non-volatile memory includes a check code portion, andsaid first verifying means stores said initial modification detection code in said check code portion.
  - 13. The apparatus of claim 12 whereinsaid check code portion of said non-volatile memory is disabled to prevent writing to said check code portion after said initial modification detection code is stored in said check code portion.
  - 14. The apparatus of claim 12 whereinsaid first verifying means compares a present modification detection code upon power-up of the computer system with said initial modification detection code,said first verifying means including means for taking corrective action if said present modification detection code does not correspond to said initial modification code,said first verifying means transferring control to said boot record if said present modification detection code corresponds to said initial modification detection code.
  - 15. The apparatus of claim 12 whereinsaid non-volatile memory includes a flag portion, andsaid first verifying means stores in said flag portion a flag to indicate the presence of said modification detection code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Arnold, William C., Bealkowski, Richard
Primary Examiner(s)
Gregory, Bernarr E.

Application Number

US08/001,354
Time in Patent Office

726 Days
Field of Search

380/2, 380/4, 380/23, 380/25, 380/30, 380/49, 380/50
US Class Current

380/2
CPC Class Codes

G06F 11/22   Detection or location of de...

G06F 21/565   by checking file integrity

G06F 21/575   Secure boot

G06F 9/4403   Processor initialisation

Method and apparatus for providing enhanced data verification in a computer system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing enhanced data verification in a computer system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links