Interface for ensuring system boot image integrity and authenticity
Abstract
A method and apparatus for ensuring system boot image integrity and authenticity is described. In one embodiment, the invention provides security from the end of Basic Input/Output System (BIOS) initialization to the point in time at which control is transferred to a high-level operating system (OS). The OS boot image is obtained via a network connection and is checked for integrity and authority to run on a particular platform. For this purpose, the invention provides a boot image security usage model that is simple and flexible enough to cover a variety of needs. Because receipt of boot images via a network connection can be subject to size constraints, the invention allows software to bootstrap more sophisticated security software if desired. In general, the invention utilizes one or more Remote-Boot Authorization Certificates for each group of platforms to be managed. The authorization certificate for a group of platforms is configured into each of the platforms in a group as the source of authority for allowing boot images to be executed. The authorization certificate is also the source of authority for allowing reconfiguration commands, including reconfiguration commands that transfer the source of authority to another authority. In one embodiment, IT organizations can create different authorization certificates for different groups to allow the different groups to be managed by different authorities. Authority can also be transferred between management groups. The Remote-Boot Authorization Certificates provide protection against remote-boot images that have been damaged and/or tampered with either in transit or on a server, the ability to designate and enforce which boot images are permitted, and a mechanism to limit the scope of management authorities having remote-boot authority.
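The usage model in the abstract (and in claims 1 through 11 below) has three moving parts: a per-group authorization certificate configured into each platform, a signed manifest carrying the hash of each boot-image segment, and signed reconfiguration operations that can transfer the source of authority. The following Go program is an added illustration of that model, not code from the patent or its assignee. It assumes Ed25519 signatures and SHA-256 where the patent leaves the hash function and certificate format open, and the type and function names (`AuthorizationCert`, `Manifest`, `ReconfigCommand`, `VerifySegment`, `BootChain`, `ApplyReconfig`) are hypothetical. The boot segments and keys are constructed inside `RunScenario`.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AuthorizationCert stands in for the Remote-Boot Authorization Certificate
// configured into each platform of a group: the public key whose signatures
// make a boot-image segment or a reconfiguration command authorized.
// (Hypothetical structure; the patent does not fix a format.)
type AuthorizationCert struct{ Authority ed25519.PublicKey }

// Manifest stands in for the signed manifest of claims 10/11: the expected
// hash of one segment plus the authority's signature over that hash.
type Manifest struct {
	Hash      [sha256.Size]byte
	Signature []byte
}

// ReconfigCommand stands in for a reconfiguration operation that transfers
// the source of authority; it must be signed by the current authority.
type ReconfigCommand struct {
	NewAuthority ed25519.PublicKey
	Signature    []byte
}

var (
	ErrIntegrity     = errors.New("content does not match signed manifest or is malformed")
	ErrAuthorization = errors.New("not signed by the configured authority")
)

// SignManifest is the management-server side: hash the segment, sign the hash.
func SignManifest(priv ed25519.PrivateKey, segment []byte) Manifest {
	sum := sha256.Sum256(segment)
	return Manifest{Hash: sum, Signature: ed25519.Sign(priv, sum[:])}
}

// VerifySegment is the platform side of claims 1-3: recompute the hash and
// compare it with the manifest (integrity), then check the manifest signature
// against the certificate's authority (authorization). Both checks must pass
// before the segment may execute.
func VerifySegment(cert AuthorizationCert, segment []byte, m Manifest) error {
	sum := sha256.Sum256(segment)
	if !bytes.Equal(sum[:], m.Hash[:]) {
		return ErrIntegrity
	}
	if !ed25519.Verify(cert.Authority, m.Hash[:], m.Signature) {
		return ErrAuthorization
	}
	return nil
}

// BootChain models claim 9: every segment is verified under the same
// certificate before it runs, and the chain halts at the first failure so a
// later unverified stage never executes. Returns the number of stages passed.
func BootChain(cert AuthorizationCert, segments [][]byte, manifests []Manifest) (int, error) {
	for i := range segments {
		if err := VerifySegment(cert, segments[i], manifests[i]); err != nil {
			return i, err
		}
		// stage i would execute here and fetch stage i+1 from the server
	}
	return len(segments), nil
}

// ApplyReconfig models claims 5/33: check the command's integrity (a
// well-formed key) and authority (signed by the *current* authority) before
// modifying the platform's parameter set, here the authority key itself.
func ApplyReconfig(cert *AuthorizationCert, cmd ReconfigCommand) error {
	if len(cmd.NewAuthority) != ed25519.PublicKeySize {
		return ErrIntegrity
	}
	if !ed25519.Verify(cert.Authority, cmd.NewAuthority, cmd.Signature) {
		return ErrAuthorization
	}
	cert.Authority = cmd.NewAuthority
	return nil
}

// ScenarioResult collects the outcomes of RunScenario.
type ScenarioResult struct {
	GenuineStages, TamperedStages                         int
	TamperedErr, ForeignErr, TransferErr, OldAuthorityErr error
	AfterTransferOK                                       bool
}

// RunScenario exercises the model with constructed segments and fresh keys:
// a genuine two-stage boot, a stage altered in transit, an image from an
// unauthorized signer, and a transfer of authority from group A to group B.
func RunScenario() ScenarioResult {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader) // authority for group A
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader) // authority for group B
	_, privX, _ := ed25519.GenerateKey(rand.Reader)    // key the certificate never names
	cert := AuthorizationCert{Authority: pubA}
	stages := [][]byte{[]byte("constructed stage-1 loader"), []byte("constructed stage-2 kernel")}
	manifests := []Manifest{SignManifest(privA, stages[0]), SignManifest(privA, stages[1])}
	var r ScenarioResult
	r.GenuineStages, _ = BootChain(cert, stages, manifests)
	tampered := [][]byte{stages[0], []byte("constructed stage-2 kernel, altered")}
	r.TamperedStages, r.TamperedErr = BootChain(cert, tampered, manifests)
	r.ForeignErr = VerifySegment(cert, stages[0], SignManifest(privX, stages[0]))
	r.TransferErr = ApplyReconfig(&cert, ReconfigCommand{pubB, ed25519.Sign(privX, pubB)})
	_ = ApplyReconfig(&cert, ReconfigCommand{pubB, ed25519.Sign(privA, pubB)})
	r.AfterTransferOK = VerifySegment(cert, stages[0], SignManifest(privB, stages[0])) == nil
	r.OldAuthorityErr = VerifySegment(cert, stages[0], manifests[0])
	return r
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

Two points the scenario makes concrete. First, the hash comparison alone only detects damage; it is the signature check against the certificate's authority that enforces which source may supply images, so an intact image from a signer the certificate does not name is rejected just as a corrupted one is. Second, the hand-off is safe only because `ApplyReconfig` demands a signature from the key currently in the certificate; once the transfer to group B is applied, images the old authority signed no longer pass. The example deliberately omits replay protection for reconfiguration commands (a counter or nonce bound into the signed command) and assumes the certificate store on the platform is itself write-protected, both of which a deployment would need to add.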
34 Claims
1. A method of performing remote boot operations, the method comprising:
receiving a first segment of a boot image from a remote device;
verifying integrity of the first segment of the boot image;
determining authorization of the first segment of the boot image, wherein authorization is determined, at least in part, by a Remote-Boot Authorization Certificate that indicates an authorized source for the first segment of the boot image; and
executing a sequence of instructions represented by the first segment of the boot image.
performing a hash function on the first segment of the boot image; and
comparing a result of the hash function to the hash value from the signed manifest.
4. The method of claim 1 wherein receiving a first segment of a boot image from a remote device further comprises:
determining an address of the remote device;
determining a file name for the first segment of the boot image; and
downloading the first segment of the boot image from the named file in the remote device.
5. A method of performing remote boot operations, the method comprising:
receiving a first segment of a boot image from a remote device;
verifying integrity of the first segment of the boot image;
determining authorization of the first segment of the boot image, wherein authorization is determined, at least in part, by a Remote-Boot Authorization Certificate that indicates an authorized source for the first segment of the boot image and further wherein the Remote-Boot Authorization Certificate is configurable by the remote device by receiving a reconfiguration operation from the remote device, checking the integrity of the reconfiguration operation, determining whether the reconfiguration operation is authorized to be performed, and modifying a parameter set based, at least in part, on the reconfiguration operation; and
executing a sequence of instructions represented by the first segment of the boot image.
performing a hash function on the first segment of the boot image; and
comparing a result of the hash function to the hash value from the signed manifest.
8. The method of claim 5 wherein receiving a first segment of a boot image from a remote device further comprises:
determining an address of the remote device;
determining a file name for the first segment of the boot image; and
downloading the first segment of the boot image from the named file in the remote device.
10. The method of claim 6 further comprising receiving a signed manifest associated with the first segment of the boot image, the signed manifest having a digital certificate and a hash value corresponding to the first segment of the boot image.
11. The method of claim 10 wherein verifying integrity of the first segment of the boot image further comprises:
performing a hash function on the first segment of the boot image; and
comparing a result of the hash function to the hash value from the signed manifest.
9. A method of performing remote boot operations, the method comprising:
receiving a first segment of a boot image from a remote device;
verifying integrity of the first segment of the boot image;
determining authorization of the first segment of the boot image, wherein authorization is determined, at least in part, by a Remote-Boot Authorization Certificate that indicates an authorized source for the first segment of the boot image; and
executing a sequence of instructions represented by the first segment of the boot image by receiving a second segment of the boot image from the remote device, verifying integrity of the second segment of the boot image, determining authorization of second segment of the boot image, wherein authorization is determined, at least in part, by a Remote-Boot Authorization Certificate that indicates an authorized source for the second segment of the boot image, and executing a sequence of instructions represented by the second segment of the boot image.
determining an address of the remote device;
determining a file name for the first segment of the boot image; and
downloading the first segment of the boot image from the named file in the remote device.
13. An article comprising a machine-readable medium having stored thereon sequences of instructions that when executed cause one or more processors to:
receive a first segment of a boot image from a remote device;
verify integrity of the first segment of the boot image;
determine authorization of the first segment of the boot image, wherein authorization is determined, at least in part, by a Remote-Boot Authorization Certificate that indicates an authorized source for the first segment of the boot image; and
execute a sequence of instructions represented by the first segment of the boot image.
perform a hash function on the first segment of the boot image; and
compare a result of the hash function to the hash value from the signed manifest.
16. The article of claim 13 wherein the sequences of instructions that cause the one or more processors to receive a first segment of a boot image from a remote device further comprise sequences of instructions that cause the one or more processors to:
determine an address of the remote device;
determine a file name for the first segment of the boot image; and
download the first segment of the boot image from the named file in the remote device.
17. An article comprising a machine-readable medium having stored thereon sequences of instructions that when executed cause one or more processors to:
receive a first segment of a boot image from a remote device;
verify integrity of the first segment of the boot image;
determine authorization of the first segment of the boot image, wherein authorization is determined, at least in part, by a Remote-Boot Authorization Certificate that indicates an authorized source for the first segment of the boot image; and
execute a sequence of instructions represented by the first segment of the boot image wherein the Remote-Boot Authorization Certificate is configurable by the remote device by receiving a reconfiguration operation from the remote device, checking the integrity of the reconfiguration operation, determining whether the reconfiguration operation is authorized to be performed, and modifying a parameter set based, at least in part, on the reconfiguration operation.
perform a hash function on the first segment of the boot image; and
compare a result of the hash function to the hash value from the signed manifest.
20. The article of claim 17 wherein the sequences of instructions that cause the one or more processors to receive a first segment of a boot image from a remote device further comprise sequences of instructions that cause the one or more processors to:
determine an address of the remote device;
determine a file name for the first segment of the boot image; and
download the first segment of the boot image from the named file in the remote device.
21. An article comprising a machine-readable medium having stored thereon sequences of instructions that when executed cause one or more processors to:
receive a first segment of a boot image from a remote device;
verify integrity of the first segment of the boot image;
determine authorization of the first segment of the boot image, wherein authorization is determined, at least in part, by a Remote-Boot Authorization Certificate that indicates an authorized source for the first segment of the boot image; and
execute a sequence of instructions represented by the first segment of the boot image by receiving a second segment of the boot image from the remote device, verifying integrity of the second segment of the boot image, determining authorization of second segment of the boot image, wherein authorization is determined, at least in part, by a Remote-Boot Authorization Certificate that indicates an authorized source for the second segment of the boot image, and executing a sequence of instructions represented by the second segment of the boot image.
perform a hash function on the first segment of the boot image; and
compare a result of the hash function to the hash value from the signed manifest.
24. The article of claim 21 wherein the sequences of instructions that cause the one or more processors to receive a first segment of a boot image from a remote device further comprise sequences of instructions that cause the one or more processors to:
determine an address of the remote device;
determine a file name for the first segment of the boot image; and
download the first segment of the boot image from the named file in the remote device.
25. An apparatus for performing remote boot operations, the apparatus comprising:
means for receiving a first segment of a boot image from a remote device;
means for verifying integrity of the first segment of the boot image;
means for determining authorization of the first segment of the boot image, wherein authorization is determined, at least in part, by a Remote-Boot Authorization Certificate that indicates an authorized source for the first segment of the boot image; and
means for executing a sequence of instructions represented by the first segment of the boot image.
means for performing a hash function on the first segment of the boot image; and
means for comparing a result of the hash function to the hash value from the signed manifest.
28. The apparatus of claim 25 wherein the means for receiving a first segment of a boot image from a remote device further comprises:
means for determining an address of the remote device;
means for determining a file name for the first segment of the boot image; and
means for downloading the first segment of the boot image from the named file in the remote device.
29. A computer data signal embodied in a data communications medium shared among a plurality of network devices comprising sequences of instructions that, when executed, cause one or more electronic systems to:
receive a first segment of a boot image from a remote device;
verify integrity of the first segment of the boot image;
determine authorization of the first segment of the boot image, wherein authorization is determined, at least in part, by a Remote-Boot Authorization Certificate that indicates an authorized source for the first segment of the boot image; and
execute a sequence of instructions represented by the first segment of the boot image.
perform a hash function on the first segment of the boot image; and
compare a result of the hash function to the hash value from the signed manifest.
32. The computer data signal of claim 29 wherein the sequences of instructions that cause the one or more processors to receive a first segment of a boot image from a remote device further comprise sequences of instructions that cause the one or more processors to:
determine an address of the remote device;
determine a file name for the first segment of the boot image; and
download the first segment of the boot image from the named file in the remote device.
33. The computer data signal of claim 29 wherein the Remote-Boot Authorization Certificate is configurable by the remote device, configuration comprising sequences of instructions that when executed by the one or more processors cause the one or more processors to:
receive a reconfiguration operation from the remote device;
check the integrity of the reconfiguration operation;
determine whether the reconfiguration operation is authorized to be performed; and
modify a parameter set based, at least in part, on the reconfiguration operation.
34. The computer data signal of claim 29 wherein the sequences of instructions that cause the one or more processors to execute the sequence of instructions of the first segment of the boot image comprise sequences of instructions that cause the one or more processors to:
receive a second segment of the boot image from the remote device;
verify integrity of the second segment of the boot image;
determine authorization of second segment of the boot image, wherein authorization is determined, at least in part, by a Remote-Boot Authorization Certificate that indicates an authorized source for the second segment of the boot image; and
execute a sequence of instructions represented by the second segment of the boot image.
Specification