System and method for authenticating an operating system to a central processing unit, providing the CPU/OS with secure storage, and authenticating the CPU/OS to a third party

US 7,174,457 B1
Filed: 03/10/1999
Issued: 02/06/2007
Est. Priority Date: 03/10/1999
Status: Expired due to Term

First Claim

Patent Images

1. In a computer system having a central processing unit (CPU) and an operating system (OS), the CPU having a software identity register, a method for booting the operating system comprising:

executing an atomic operation to set an identity of the operating system into the software identity register of the CPU, wherein in an event that the atomic operation completes correctly, the software identity register contains the identity of the operating system and in an event that the atomic operation fails to complete correctly, the software identity register contains a value indicating that the atomic operation failed; and

examining a content of the software identity register to verify the identity of the operating system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A general-purpose processor (CPU) is configured with a new mechanism facilitating an authenticated boot sequence that provides building blocks for client-side rights management when the system is online, and provides continued protection of persistent data even when the system goes offline or is rebooted. The CPU includes a cryptographic key pair, and a manufacturer certificate testifying that the manufacturer built the CPU according to a known specification. The operating system (OS) includes a unique block of code, or “boot block” that can establish OS identity by extraction from a digitally signed boot block or by computing a hash digest of the boot block. During booting, the CPU executes a single opcode, followed by the boot block, as an atomic operation to set the identity of the OS into the software identity register. The subscriber unit then can establish a chain of trust to a content provider.

Citations

16 Claims

1. In a computer system having a central processing unit (CPU) and an operating system (OS), the CPU having a software identity register, a method for booting the operating system comprising:
- executing an atomic operation to set an identity of the operating system into the software identity register of the CPU, wherein in an event that the atomic operation completes correctly, the software identity register contains the identity of the operating system and in an event that the atomic operation fails to complete correctly, the software identity register contains a value indicating that the atomic operation failed; and
  
  examining a content of the software identity register to verify the identity of the operating system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as recited in claim 1, wherein the identity comprises a public key of a correctly signed block of code from the operating system, and examining a content of the software identity register comprises verifying a signature of the signed block of code against the public key.
  - 3. The method as recited in claim 1, wherein the identity comprises a hash digest of a block of code from the operating system, and examining a content of the software identity register comprises hashing the block of code.
  - 4. The method as recited in claim 1, further comprising appending at least a portion of the identity to a boot log.
  - 5. The method as recited in claim 1, further comprising authenticating additional blocks of code.
  - 6. The method as recited in claim 1, further comprising:
    - appending at least a portion of the identity to a boot log;
      
      authenticating additional blocks of code; and
      
      appending identities of the additional blocks of code to the boot log.
  - 7. The method as recited in claim 1, further comprising generating a storage key for encrypting data to be stored on the computer system from a seed based in part on the identity of the operating system.
  - 8. The method as recited in claim 7, further comprising encrypting data using the storage key and storing the encrypted data on the computer system.

9. In a computer system having a central processing unit (CPU) and an operating system (OS), the CPU having a software identity register, a method comprising:
- identifying a boot block of code in the OS that uniquely describes the OS;
  
  creating an identity of the OS from the boot block; and
  
  executing an atomic operation to set the identity of the operating system into the software identity register of the CPU, wherein in an event that the atomic operation completes correctly, the software identity register is set to contain the identity of the operating system, and in an event that the atomic operation does not complete correctly, the software identity register is set to contain a false value to indicate failure of the atomic operation.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method as recited in claim 9, wherein creating an identity of the OS comprises signing the boot block using a private key from a key pair to form a signature, the signature and a corresponding public key from the key pair forming the OS identity.
  - 11. The method as recited in claim 9, wherein creating an identity of the OS comprises hashing the boot block to form a digest, the digest forming the OS identity.
  - 12. The method as recited in claim 9, further comprising appending at least a portion of the identity to a boot log.
  - 13. The method as recited in claim 9, further comprising authenticating additional blocks of code.
  - 14. The method as recited in claim 9, further comprising:
    - appending at least a portion of the identity to a boot log;
      
      authenticating additional blocks of code; and
      
      appending identities of the additional blocks of code to the boot log.
  - 15. The method as recited in claim 9, further comprising generating a storage key for encrypting data to be stored on the computer system from a seed based in part on the identity of the OS.
  - 16. The method as recited in claim 15, further comprising encrypting data using the storage key and storing the encrypted data on the computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
England, Paul, Lampson, Butler W., DeTreville, John D.
Primary Examiner(s)
Song; Hosuk
Assistant Examiner(s)
KLIMACH, PAULA W

Application Number

US09/266,207
Time in Patent Office

2,890 Days
Field of Search

713/176, 713/155, 713/168, 713164-167, 713/2, 713/1, 713/181, 726/1, 726/22
US Class Current

713/168
CPC Class Codes

G06F 21/1011   to devices

G06F 21/445   by mutual authentication, e...

G06F 21/57   Certifying or maintaining t...

G06F 21/575   Secure boot

G06F 2221/2103   Challenge-response

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2129   Authenticate client device ...

G06F 9/4406   Loading of operating system

G06F 9/468   Specific access rights for ...

System and method for authenticating an operating system to a central processing unit, providing the CPU/OS with secure storage, and authenticating the CPU/OS to a third party

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for authenticating an operating system to a central processing unit, providing the CPU/OS with secure storage, and authenticating the CPU/OS to a third party

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links