Interface for ensuring system boot image integrity and authenticity

US 6,560,706 B1
Filed: 01/21/1999
Issued: 05/06/2003
Est. Priority Date: 01/26/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method of performing remote boot operations, the method comprising:

receiving a first segment of a boot image from a remote device;

verifying integrity of the first segment of the boot image;

determining authorization of the first segment of the boot image, wherein authorization is determined, at least in part, by a Remote-Boot Authorization Certificate that indicates an authorized source for the first segment of the boot image; and

executing a sequence of instructions represented by the first segment of the boot image.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for ensuring system boot image integrity and authenticity is described. In one embodiment, the invention provides security from the end of Basic Input/Output System (BIOS) initialization to the point in time at which control is transferred to a high-level operating system (OS). The OS boot image is obtained via a network connection and is checked for integrity and authority to run on a particular platform. For this purpose, the invention provides a boot image security usage model that is simple and flexible enough to cover a variety of needs. Because receipt of boot images via a network connection can be subject to size constraints, the invention allows software to bootstrap more sophisticated security software if desired. In general, the invention utilizes one or more Remote-Boot Authorization Certificates for each group of platforms to be managed. The authorization certificate for a group of platforms is configured into each of the platforms in a group as the source of authority for allowing boot images to be executed. The authorization certificate is also the source of authority for allowing reconfiguration commands, including reconfiguration commands that transfer the source of authority to another authority. In one embodiment, IT organizations can create different authorization certificates for different groups to allow the different groups to be managed by different authorities. Authority can also be transferred between management groups. The Remote-Boot Authorization Certificates provide protection against remote-boot images that have been damaged and/or tampered with either in transit or on a server, the ability to designate and enforce which boot images are permitted, and a mechanism to limit the scope of management authorities having remote-boot authority.

Citations

34 Claims

1. A method of performing remote boot operations, the method comprising:
- receiving a first segment of a boot image from a remote device;
  
  verifying integrity of the first segment of the boot image;
  
  determining authorization of the first segment of the boot image, wherein authorization is determined, at least in part, by a Remote-Boot Authorization Certificate that indicates an authorized source for the first segment of the boot image; and
  
  executing a sequence of instructions represented by the first segment of the boot image.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 further comprising receiving a signed manifest associated with the first segment of the boot image, the signed manifest having a digital certificate and a hash value corresponding to the first segment of the boot image.
  - 3. The method of claim 2 wherein verifying integrity of the first segment of the boot image further comprises:
4. The method of claim 1 wherein receiving a first segment of a boot image from a remote device further comprises:
- determining an address of the remote device;
  
  determining a file name for the first segment of the boot image; and
  
  downloading the first segment of the boot image from the named file in the remote device.

5. A method of performing remote boot operations, the method comprising:
- receiving a first segment of a boot image from a remote device;
  
  verifying integrity of the first segment of the boot image;
  
  determining authorization of the first segment of the boot image, wherein authorization is determined, at least in part, by a Remote-Boot Authorization Certificate that indicates an authorized source for the first segment of the boot image and further wherein the Remote-Boot Authorization Certificate is configurable by the remote device by receiving a reconfiguration operation from the remote device, checking the integrity of the reconfiguration operation, determining whether the reconfiguration operation is authorized to be performed, and modifying a parameter set based;
  
  at least in part, on the reconfiguration operation; and
  
  executing a sequence of instructions represented by the first segment of the boot image.
- View Dependent Claims (6, 7, 8, 10, 11)
- - 6. The method of claim 5 further comprising receiving a signed manifest associated with the first segment of the boot image, the signed manifest having a digital certificate and a hash value corresponding to the first segment of the boot image.
  - 7. The method of claim 6 wherein verifying integrity of the first segment of the boot image further comprises:
8. The method of claim 5 wherein receiving a first segment of a boot image from a remote device further comprises:
- determining an address of the remote device;
  
  determining a file name for the first segment of the boot image; and
  
  downloading the first segment of the boot image from the named file in the remote device.
10. The method of claim 6 further comprising receiving a signed manifest associated with the first segment of the boot image, the signed manifest having a digital certificate and a hash value corresponding to the first segment of the boot image.
11. The method of claim 10 wherein verifying integrity of the first segment of the boot image further comprises:
- performing a hash function on the first segment of the boot image; and
  
  comparing a result of the hash function to the hash value from the signed manifest.

9. A method of performing remote boot operations, the method comprising:
- receiving a first segment of a boot image from a remote device;
  
  verifying integrity of the first segment of the boot image;
  
  determining authorization of the first segment of the boot image, wherein authorization is determined, at least in part, by a Remote-Boot Authorization Certificate that indicates an authorized source for the first segment of the boot image; and
  
  executing a sequence of instructions represented by the first segment of the boot image by receiving a second segment of the boot image from the remote device, verifying integrity of the second segment of the boot image, determining authorization of second segment of the boot image, wherein authorization is determined, at least in part, by a Remote-Boot Authorization Certificate that indicates an authorized source for the second segment of the boot image, and executing a sequence of instructions represented by the second segment of the boot image.
- View Dependent Claims (12)
- - 12. The method of claim 9 wherein receiving a first segment of a boot image from a remote device further comprises:

13. An article comprising a machine-readable medium having stored thereon sequences of instructions that when executed cause one or more processors to:
- receive a first segment of a boot image from a remote device;
  
  verify integrity of the first segment of the boot image;
  
  determine authorization of the first segment of the boot image, wherein authorization is determined, at least in part, by a Remote-Boot Authorization Certificate that indicates an authorized source for the first segment of the boot image; and
  
  execute a sequence of instructions represented by the first segment of the boot image.
- View Dependent Claims (14, 15, 16)
- - 14. The article of claim 13 further comprising sequences of instructions that when executed cause the one or more processors to receive a signed manifest associated with the first segment of the boot image, the signed manifest having a digital certificate and a hash value corresponding to the first segment of the boot image.
  - 15. The article of claim 14 wherein the sequences of instructions that cause the one or more processors to verify integrity of the first segment of the boot image further comprise sequences of instructions that cause the one or more processors to:
16. The article of claim 13 wherein the sequences of instructions that cause the one or more processors to receive a first segment of a boot image from a remote device further comprise sequences of instructions that cause the one or more processors to:
- determine an address of the remote device;
  
  determine a file name for the first segment of the boot image; and
  
  download the first segment of the boot image from the named file in the remote device.

17. An article comprising a machine-readable medium having stored thereon sequences of instructions that when executed cause one or more processors to:
- receive a first segment of a boot image from a remote device;
  
  verify integrity of the first segment of the boot image;
  
  determine authorization of the first segment of the boot image, wherein authorization is determined, at least in part, by Remote-Boot Authorization Certificate that indicates an authorized source for the first segment of the boot image; and
  
  execute a sequence of instructions represented by the first segment of the boot image wherein the Remote-Boot Authorization Certificate is configurable by the remote device by receiving a reconfiguration operation from the remote device, checking the integrity of the reconfiguration operation, determining whether the reconfiguration operation is authorized to be performed, and modifying a parameter set based, at least in part, on the reconfiguration operation.
- View Dependent Claims (18, 19, 20)
- - 18. The article of claim 17 further comprising sequences of instructions that when executed cause the one or more processors to receive a signed manifest associated with the first segment of the boot image, the signed manifest having a digital certificate and a hash value corresponding to the first segment of the boot image.
  - 19. The article of claim 17 wherein the sequences of instructions that cause the one or more processors to verify integrity of the first segment of the boot image further comprise sequences of instructions that cause the one or more processors to:
20. The article of claim 17 wherein the sequences of instructions that cause the one or more processors to receive a first segment of a boot image from a remote device further comprise sequences of instructions that cause the one or more processors to:
- determine an address of the remote device;
  
  determine a file name for the first segment of the boot image; and
  
  download the first segment of the boot image from the named file in the remote device.

21. An article comprising a machine-readable medium having stored thereon sequences of instructions that when executed cause one or more processors to:
- receive a first segment of a boot image from a remote device;
  
  verify integrity of the first segment of the boot image;
  
  determine authorization of the first segment of the boot image, wherein authorization is determined, at least in part, by a Remote-Boot Authorization Certificate that indicates an authorized source for the first segment of the boot image; and
  
  execute a sequence of instructions represented by the first segment of the boot image by receiving a second segment of the boot image from the remote device, verifying integrity of the second segment of the boot image, determining authorization of second segment of the boot image, wherein authorization is determined, at least in part, by a Remote-Boot Authorization Certificate that indicates an authorized source for the second segment of the boot image, and executing a sequence of instructions represented by the second segment of the boot image.
- View Dependent Claims (22, 23, 24)
- - 22. The article of claim 21 further comprising sequences of instructions that when executed cause the one or more processors to receive a signed manifest associated with the first segment of the boot image, the signed manifest having a digital certificate and a hash value corresponding to the first segment of the boot image.
  - 23. The article of claim 21 wherein the sequences of instructions that cause the one or more processors to verify integrity of the first segment of the boot image further comprise sequences of instructions that cause the one or more processors to:
24. The article of claim 21 wherein the sequences of instructions that cause the one or more processors to receive a first segment of a boot image from a remote device further comprise sequences of instructions that cause the one or more processors to:
- determine an address of the remote device;
  
  determine a file name for the first segment of the boot image; and
  
  download the first segment of the boot image from the named file in the remote device.

25. An apparatus for performing remote boot operations, the apparatus comprising:
- means for receiving a first segment of a boot image from a remote device;
  
  means for verifying integrity of the first segment of the boot image;
  
  means for determining authorization of the first segment of the boot image, wherein authorization is determined, at least in part, by a Remote-Boot Authorization Certificate that indicates an authorized source for the first segment of the boot image; and
  
  means for executing a sequence of instructions represented by the first segment of the boot image.
- View Dependent Claims (26, 27, 28)
- - 26. The apparatus of claim 25 further comprising means for receiving a signed manifest associated with the first segment of the boot image, the signed manifest having a digital certificate and a hash value corresponding to the first segment of the boot image.
  - 27. The apparatus of claim 26 wherein the means for verifying integrity of the first segment of the boot image further comprises:
28. The apparatus of claim 25 wherein the means for receiving a first segment of a boot image from a remote device further comprises:
- means for determining an address of the remote device;
  
  means for determining a file name for the first segment of the boot image; and
  
  means for downloading the first segment of the boot image from the named file in the remote device.

29. A computer data signal embodied in a data communications medium shared among a plurality of network devices comprising sequences of instructions that, when executed, cause one or more electronic systems to:
- receive a first segment of a boot image from a remote device;
  
  verify integrity of the first segment of the boot image;
  
  determine authorization of the first segment of the boot image, wherein authorization is determined, at least in part, by a Remote-Boot Authorization Certificate that indicates an authorized source for the first segment of the boot image; and
  
  execute a sequence of instructions represented by the first segment of the boot image.
- View Dependent Claims (30, 31, 32, 33, 34)
- - 30. The computer data signal of claim 29 further comprising sequences of instructions that when executed cause the one or more processors to receive a signed manifest associated with the first segment of the boot image, the signed manifest having a digital certificate and a hash value corresponding to the first segment of the boot image.
  - 31. The computer data signal of claim 30 wherein the sequences of instructions that cause the one or more processors to verify integrity of the first segment of the boot image further comprise sequences of instructions that cause the one or more processors to:
32. The computer data signal of claim 29 wherein the sequences of instructions that cause the one or more processors to receive a first segment of a boot image from a remote device further comprise sequences of instructions that cause the one or more processors to:
- determine an address of the remote device;
  
  determine a file name for the first segment of the boot image; and
  
  download the first segment of the boot image from the named file in the remote device.
33. The computer data signal of claim 29 wherein the Remote-Boot Authorization Certificate is configurable by the remote device, configuration comprising sequences of instructions that when executed by the one or more processors cause the one or more processors to:
- receive a reconfiguration operation from the remote device;
  
  check the integrity of the reconfiguration operation determine whether the reconfiguration operation is authorized to be performed; and
  
  modify a parameter set based, at least in part, on the reconfiguration operation.
34. The computer data signal of claim 29 wherein the sequences of instructions that cause the one or more processors to execute the sequence of instructions of the first segment of the boot image comprise sequences of instructions that cause the one or more processors to:
- receive a second segment of the boot image from the remote device;
  
  verify integrity of the second segment of the boot image;
  
  determine authorization of second segment of the boot image, wherein authorization is determined, at least in part, by a Remote-Boot Authorization Certificate that indicates an authorized source for the second segment of the boot image; and
  
  execute a sequence of instructions represented by the second segment of the boot image.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Carbajal, John M., Dittert, Eric R., Drews, Paul C.
Primary Examiner(s)
Smithers, Matthew

Application Number

US09/234,757
Time in Patent Office

1,566 Days
Field of Search

713/1-2, 713/155-157, 713/187-201, 380/255
US Class Current

713/155
CPC Class Codes

G06F 21/572 Secure firmware programming...

G06F 9/4416 Network booting; Remote ini...

Interface for ensuring system boot image integrity and authenticity

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Interface for ensuring system boot image integrity and authenticity

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links