Secure BIOS

US 5,844,986 A
Filed: 09/30/1996
Issued: 12/01/1998
Est. Priority Date: 09/30/1996
Status: Expired due to Term

First Claim

Patent Images

1. A system for securely updating an executable code, comprising:

first storage means for storing a code update;

second storage means for storing said executable code; and

first processing means for authenticating and validating said code update, said first processing means being coupled to said second storage means.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A subsystem prevents unauthorized modification of BIOS program code embedded in modifiable non-volatile memory devices such as flash memory. A cryptographic coprocessor containing the BIOS memory device performs authentication and validation on the BIOS upgrade based on a public/private key protocol. The authentication is performed by verifying the digital signature embedded in the BIOS upgrade.

516 Citations

43 Claims

1. A system for securely updating an executable code, comprising:
- first storage means for storing a code update;
  
  second storage means for storing said executable code; and
  
  first processing means for authenticating and validating said code update, said first processing means being coupled to said second storage means.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1 wherein the executable code includes a Basic Input and Output System (BIOS).
  - 3. The system of claim 1 wherein the first storage means is one of a mass storage device and a file capable of being sent electronically in a computer network.
  - 4. The system of claim 1 wherein the second storage means includes a modifiable non-volatile memory device.
  - 5. The system of claim 1 wherein the first processing means includes a cryptographic processor.
  - 6. The system of claim 1 wherein the first processing means uses at least one digital certificate to authenticate the code update and a digital signature to validate the code update.
  - 7. The system of claim 1 wherein said executable code is encrypted to produce an encrypted code.
  - 8. The system of claim 1 further comprising:
    - second processing means for communicating with said first processing means in order to execute said executable code.
  - 9. The system of claim 7 wherein said encrypted code is decrypted to produce a decrypted code.

10. A system for securely updating an executable code, comprising:
- a first storage element for containing a code update;
  
  a second storage element that contains said executable code; and
  
  a security processor coupled to said second storage element, said security processor for authenticating said code update based on at least one certificate and validating said code update based on a digital signature.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10 wherein the executable code includes a Basic Input and Output System (BIOS).
  - 12. The system of claim 10 wherein the digital signature is part of the code update.
  - 13. The system of claim 10 wherein the second storage element includes a modifiable non-volatile memory device.
  - 14. The system of claim 10 wherein the security processor is mounted on a removable card.
  - 15. The system of claim 11 wherein said at least one certificate includes an encrypted version of a public key of a vendor of the BIOS.
  - 16. The system of claim 10 wherein said executable code is contained in an encrypted format.
  - 17. The system of claim 10 further comprising:
    - a host processor for communicating with said security processor in order to execute said executable code.
  - 18. The system of claim 16 wherein said encrypted code is decrypted before execution.

19. A method for securely updating an executable code, the method comprising:
- providing a first storage element for storing a code update;
  
  providing a second storage element for storing said executable code;
  
  configuring said first storage element to contain at least one certificate;
  
  providing a security processor for accessing said second storage element;
  
  authenticating said code update based on said at least one digital certificate by said security processor; and
  
  updating said executable code with said code update if said code update is authenticated.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The method of claim 19, wherein before said updating step, the method further comprises a step of validating said code update.
  - 21. The method of claim 19 wherein the executable code includes a Basic Input and Output System (BIOS).
  - 22. The method of claim 19, wherein said executable code provided in the second storage element is in an encrypted format.
  - 23. The method of claim 19 further comprising:
    - providing a host processor for communicating with said security processor in order to execute said executable code.

24. A system comprising:
- a first storage element for containing a code update;
  
  a second storage element that contains an executable code; and
  
  a security processor coupled to said second storage element, the security processor for authenticating the code update based on at least one certificate.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32)
- - 25. The system of claim 24 wherein the executable code includes a Basic Input and Output System (BIOS).
  - 26. The system of claim 24 wherein the at least one certificate includes an encrypted version of a public key of a vendor of the BIOS.
  - 27. The system of claim 24 wherein the second storage element includes a modifiable non-volatile memory device.
  - 28. The system of claim 24 wherein the security processor further validating the code update through a digital signature being part of the code update.
  - 29. The system of claim 28 wherein the security processor further loading the code update into the second memory element after the code update has been authenticated and validated.
  - 30. The system of claim 24 wherein the security processor is mounted on a removable card.
  - 31. The system of claim 24 wherein the executable code is in an encrypted format when contained in the second storage element.
  - 32. The system of claim 24 further comprising:
    - a host processor for communicating with said security processor in order to execute the executable code.

33. A system comprising:
- a first storage element for containing a code update;
  
  a second storage element that contains an executable code; and
  
  a security processor coupled to the second storage element, the security processor for validating said code update.
- View Dependent Claims (34, 35, 36, 37, 38)
- - 34. The system of claim 33 wherein the security processor substituting the code update for the executable code when the code update is validate.
  - 35. The system of claim 33 wherein the executable code includes a Basic Input and Output System (BIOS).
  - 36. The system of claim 33 wherein the digital signature is part of the code date.
  - 37. The system of claim 33 wherein the second storage element includes a modifiable non-volatile memory device.
  - 38. The system of claim 33 wherein the security processor further authenticating the code update with at least one certificate including a public key of a vendor of the BIOS.

39. A system comprising:
- a first storage element that contains information;
  
  a second storage element for containing update information; and
  
  a security processor coupled to the first storage element, the security processor validating the update information to determine whether the update information is to be subsequently loaded into the first storage element.
- View Dependent Claims (40, 41, 42, 43)
- - 40. The system of claim 39, wherein the security processor further authenticating the update information to determine that the update information originated from a predetermined source.
  - 41. The system of claim 40 wherein the information includes an executable code.
  - 42. The system of claim 41, wherein the executable code includes Basic Input and Output System (BIOS).
  - 43. The system of claim 42, wherein the predetermined source includes a selected BIOS vendor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Davis, Derek L.
Primary Examiner(s)
CAIN, DAVID C

Application Number

US08/724,176
Time in Patent Office

792 Days
Field of Search

380/23, 380/25, 380/3, 380/4, 380/49
US Class Current

713/187
CPC Class Codes

G06F 21/572   Secure firmware programming...

G06F 21/575   Secure boot

G06F 21/71   to assure secure computing ...

G06F 2211/008   Public Key, Asymmetric Key,...

G06F 2211/1097   Boot, Start, Initialise, Power

H04L 9/3247   involving digital signatures

Secure BIOS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

516 Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

Secure BIOS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

516 Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links