Platform and method of creating a secure boot that enforces proper user authentication and enforces hardware configurations
Abstract
In general, a method of securely transmitting data features an operation of authenticating a user of a platform during a Basic Input/Output System (BIOS) boot process. In response to authenticating the user, a first keying material is released from a token communicatively coupled to the platform. The first keying material is combined with a second keying material internally stored within the platform in order to produce a combination key. This combination key is used to decrypt a second BIOS area to recover a second segment of BIOS code.
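The boot flow the abstract describes, as an added example that is not part of the patent and not code from any product it covers. It models the three parties the abstract names: the non-volatile BIOS image (two encrypted areas plus the integrity metric), the TPM-internal second keying material, and a token that releases the first keying material only after the user authenticates. Everything below the first comment is an assumption of this example, not of the patent: HMAC-SHA256 in counter mode stands in for the (unnamed) block cipher, the combination key is an HKDF-style extract of the two materials, user authentication is a PIN compare, and every key, PIN, platform identifier and BIOS segment is constructed sample data. An encrypt-then-MAC tag on the second area is also added so that a tampered image is rejected instead of decrypting to garbage; the claims carry no such tag.

```python
import hashlib
import hmac

# --- Constructed sample material (none of these values come from the patent) ---
PLATFORM_ID = b"PLATFORM-ID-0001"                                   # identification information of the platform
TPM_KEY = hashlib.sha256(b"constructed tpm internal key").digest()  # second keying material: inside the TPM
TOKEN_KEY = hashlib.sha256(b"constructed token key").digest()       # first keying material: on the token
TOKEN_PIN = b"1234"
SEGMENT1 = b"BIOS segment 1: early init, user-auth prompt, key combination logic"
SEGMENT2 = b"BIOS segment 2: remaining boot code, only usable with token + TPM"


def prf_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, XORed over data (encryption and
    decryption are the same operation). Stand-in for AES so the example needs only
    the standard library; the patent does not name a cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


def combine_keys(token_key: bytes, tpm_key: bytes) -> bytes:
    """Combination key. The patent only says the two materials are 'combined';
    an HKDF-style extract (HMAC keyed by the TPM material) is assumed here."""
    return hmac.new(tpm_key, token_key, hashlib.sha256).digest()


def build_flash_image(segment1: bytes, segment2: bytes) -> dict:
    """Provisioning step: what the non-volatile memory unit holds."""
    nonce1, nonce2 = b"area1", b"area2"  # constructed per-image nonces
    combo = combine_keys(TOKEN_KEY, TPM_KEY)
    area2 = prf_xor(combo, nonce2, segment2)
    return {
        "integrity_metric": hashlib.sha256(PLATFORM_ID).digest(),
        "nonce1": nonce1, "bios_area_1": prf_xor(TPM_KEY, nonce1, segment1),
        "nonce2": nonce2, "bios_area_2": area2,
        # encrypt-then-MAC tag over area 2 (added here; not in the claims)
        "tag2": hmac.new(combo, nonce2 + area2, hashlib.sha256).digest(),
    }


class Token:
    """Communicatively coupled token: releases the first keying material only after
    the user authenticates (PIN compare assumed; the claims name no method)."""
    def __init__(self, key: bytes, pin: bytes):
        self._key = key
        self._pin_digest = hashlib.sha256(pin).digest()

    def release_key(self, pin: bytes):
        if not hmac.compare_digest(hashlib.sha256(pin).digest(), self._pin_digest):
            return None
        return self._key


def boot(image: dict, token: Token, pin: bytes, observed_platform_id: bytes) -> dict:
    """BIOS boot process from the abstract, with each failure mode made explicit."""
    # First area: decryptable with TPM-internal material alone. The material is a
    # module constant only because this is a model; a real TPM never exports it.
    segment1 = prf_xor(TPM_KEY, image["nonce1"], image["bios_area_1"])
    # Integrity metric: hash of the platform identification must match the stored value.
    metric = hashlib.sha256(observed_platform_id).digest()
    if not hmac.compare_digest(metric, image["integrity_metric"]):
        return {"status": "integrity_failure", "segment1": segment1}
    # User authentication gates release of the first keying material.
    token_key = token.release_key(pin)
    if token_key is None:
        return {"status": "auth_failure", "segment1": segment1}
    # Neither material alone yields the combination key.
    combo = combine_keys(token_key, TPM_KEY)
    expected = hmac.new(combo, image["nonce2"] + image["bios_area_2"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, image["tag2"]):
        return {"status": "image_tamper", "segment1": segment1}
    segment2 = prf_xor(combo, image["nonce2"], image["bios_area_2"])
    return {"status": "ok", "segment1": segment1, "segment2": segment2}


IMAGE = build_flash_image(SEGMENT1, SEGMENT2)
TOKEN = Token(TOKEN_KEY, TOKEN_PIN)

if __name__ == "__main__":
    print(boot(IMAGE, TOKEN, TOKEN_PIN, PLATFORM_ID)["status"])
```

The point the model makes concrete is the split of trust: the TPM material alone recovers only the first segment, and a token presented to the wrong platform fails the integrity metric before its key is even requested. Two caveats for anyone building on this shape: a raw XOR keystream gives no integrity, so without the added tag a wrong or modified second area would decrypt silently to garbage and be executed, and the platform identifier being hashed must be something the attacker cannot simply copy from the flash itself.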
Claims (16 total; independent claims 1, 11 and 15 reproduced below)

1. A method comprising:
- loading a Basic Input/Output System (BIOS) code including a first BIOS area and a second BIOS area, the first BIOS area being a first segment of the BIOS code encrypted with a keying material stored within an internal memory of a trusted platform module of a platform and the second BIOS area being a second segment of the BIOS code encrypted with a combination key;
- loading an integrity metric including a hash value of an identification information of the platform;
- authenticating a user of the platform during a BIOS boot process;
- releasing a first keying material from a token communicatively coupled to the platform after authenticating the user during the BIOS boot process;
- combining the first keying material with a second keying material internally stored within the platform in order to produce a combination key during the BIOS boot process; and
- using the combination key to decrypt a second BIOS area to recover a second segment of BIOS code during the BIOS boot process.
(Dependent claims 2 through 10 are not reproduced.)

11. A platform comprising:
- an input/output control hub (ICH);
- a non-volatile memory unit coupled to the ICH, the non-volatile memory unit including an integrity metric including a hash value of an identification information of a platform and a Basic Input/Output System (BIOS) code including a first BIOS area and a second BIOS area, the first BIOS area being a first segment of the BIOS code encrypted with a second keying material and the second BIOS area being a second segment of the BIOS code encrypted with a combination key; and
- a trusted platform module coupled to the ICH, the trusted platform module to produce a combination key during a BIOS boot process by combining a first incoming keying material released after authentication of a user of the platform with the second keying material internally stored within the platform and to decrypt the second BIOS area using the combination key to recover the second segment of BIOS code.
(Dependent claims 12 through 14 are not reproduced.)

15. A program loaded into computer readable memory, including at least one of a non-volatile memory and a volatile memory, for execution by a trusted platform module of a platform, the program comprising:
- code to decrypt a first Basic Input/Output System (BIOS) area of a BIOS code during a BIOS boot process to recover a first segment of BIOS code, the first BIOS area being the first segment of the BIOS code encrypted with a keying material and an integrity metric including a hash value of an identification information of the platform;
- code to produce a combination key during the BIOS boot process by combining a first incoming keying material released after authentication of a user of the platform with a second keying material internally stored within the trusted platform module; and
- code to decrypt a second BIOS area of the BIOS code using the combination key to recover a second segment of the BIOS code during the BIOS boot process, the second BIOS area being the second segment of the BIOS code encrypted with the combination key.
(Dependent claim 16 is not reproduced.)
Specification