Platform and method of creating a secure boot that enforces proper user authentication and enforces hardware configurations

US 7,117,376 B2
Filed: 12/27/2000
Issued: 10/03/2006
Est. Priority Date: 12/28/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

loading a Basic Input/Output System (BIOS) code including a first BIOS area and a second BIOS area, the first BIOS area being a first segment of the BIOS code encrypted with a keying material stored within an internal memory of a trusted platform module of a platform and the second BIOS area being a second segment of the BIOS code encrypted with a combination key;

loading an integrity metric including a hash value of an identification information of the platform;

authenticating a user of the platform during a BIOS boot process;

releasing a first keying material from a token communicatively coupled to the platform after authenticating the user during the BIOS boot process;

combining the first keying material with a second keying material internally stored within the platform in order to produce a combination key during the BIOS boot process; and

using the combination key to decrypt a second BIOS area to recover a second segment of BIOS code during the BIOS boot process.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In general, a method of securely transmitting data features an operation of authenticating a user of a platform during a Basic Input/Output System (BIOS) boot process. In response to authenticating the user, a first keying material is released from a token communicatively coupled to the platform. The first keying material is combined with a second keying material internally stored within the platform in order to produce a combination key. This combination key is used to decrypt a second BIOS area to recover a second segment of BIOS code.

264 Citations

16 Claims

1. A method comprising:
- loading a Basic Input/Output System (BIOS) code including a first BIOS area and a second BIOS area, the first BIOS area being a first segment of the BIOS code encrypted with a keying material stored within an internal memory of a trusted platform module of a platform and the second BIOS area being a second segment of the BIOS code encrypted with a combination key;
  
  loading an integrity metric including a hash value of an identification information of the platform;
  
  authenticating a user of the platform during a BIOS boot process;
  
  releasing a first keying material from a token communicatively coupled to the platform after authenticating the user during the BIOS boot process;
  
  combining the first keying material with a second keying material internally stored within the platform in order to produce a combination key during the BIOS boot process; and
  
  using the combination key to decrypt a second BIOS area to recover a second segment of BIOS code during the BIOS boot process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 further comprising:
    - continuing the BIOS boot process.
  - 3. The method of claim 1, wherein after loading of the BIOS code, the method further comprises:
    - decrypting the first BIOS area to recover the first segment of the BIOS code.
  - 4. The method of claim 1, wherein the first segment of the BIOS is encrypted with the keying material and static information pertaining to the platform, the static information including the integrity metric.
  - 5. The method of claim 4, wherein the static information is a serial number or a hash value of the serial number associated with hardware within the platform.
  - 6. The method of claim 1 wherein the combination key is a value formed by performing an exclusive OR operation on both the first keying material and the second keying material.
  - 7. The method of claim 1, wherein authentication of the user is performed through biometrics.
  - 8. The method of claim 1, wherein the second keying material is stored within internal memory of a trusted platform module.
  - 9. The method of claim 1, wherein the second keying material is stored within a section of access-controlled system memory of the platform.
  - 10. The method of claim 1, wherein the identification information includes a serial number of an integrated circuit device employed within the platform.

11. A platform comprising:
- an input/output control hub (ICH);
  
  a non-volatile memory unit coupled to the ICH, the non-volatile memory unit including an integrity metric including a hash value of an identification information of a platform and a Basic Input/Output System (BIOS) code including a first BIOS area and a second BIOS area, the first BIOS area being a first segment of the BIOS code encrypted with a second keying material and the second BIOS area being a second segment of the BIOS code encrypted with a combination key; and
  
  a trusted platform module coupled to the ICH, the trusted platform module to produce a combination key during a BIOS boot process by combining a first incoming keying material released after authentication of a user of the platform with the second keying material internally stored within the platform and to decrypt the second BIOS area using the combination key to recover the second segment of BIOS code.
- View Dependent Claims (12, 13, 14)
- - 12. The platform of claim 11, wherein the trusted platform module to further decrypt the first BIOS area to recover the first segment of the BIOS code in an non-encrypted format.
  - 13. The platform of claim 11 further comprising a hard disk drive coupled to the ICH.
  - 14. The platform of claim 13, wherein the trusted platform module to further unbind keying material associated with the hard disk drive to access contents stored within the hard disk drive.

15. A program loaded into computer readable memory, including at least one of a non-volatile memory and a volatile memory, for execution by a trusted platform module of a platform, the program comprising:
- code to decrypt a first Basic Input/Output System (BIOS) area of a BIOS code during a BIOS boot process to recover a first segment of BIOS code, the first BIOS area being the first segment of the BIOS code encrypted with a keying material and an integrity metric including a hash value of an identification information of the platform;
  
  code to produce a combination key during the BIOS boot process by combining a first incoming keying material released after authentication of a user of the platform with a second keying material internally stored within the trusted platform module; and
  
  code to decrypt a second BIOS area of the BIOS code using the combination key to recover a second segment of the BIOS code during the BIOS boot process, the second BIOS area being the second segment of the BIOS code encrypted with the combination key.
- View Dependent Claims (16)
- - 16. The program of claim 15 further comprising:
    - code to unbind keying material associated with a non-volatile storage device for accessing contents stored within the non-volatile storage device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Grawrock, David W.
Primary Examiner(s)
Gaffin, Jeffrey
Assistant Examiner(s)
Mahmoudi, Hassan

Application Number

US09/751,899
Publication Number

US 20020087877A1
Time in Patent Office

2,106 Days
Field of Search

713/164, 713/200, 713/201, 713/165, 713/2, 713/186, 713/182, 713/166, 713/185, 715/64, 715/80, 715/54, 380/277
US Class Current

380/277
CPC Class Codes

G06F 21/34 involving the use of extern...

G06F 21/575 Secure boot

Platform and method of creating a secure boot that enforces proper user authentication and enforces hardware configurations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

264 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Platform and method of creating a secure boot that enforces proper user authentication and enforces hardware configurations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

264 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others