Method to use secure passwords in an unsecure program environment
Abstract
During power up initialization, security data such as passwords and other sensitive data which are stored in a lockable memory device are read and copied to protected system management interrupt (SMI) memory space, subject to verification by code running in the SMI memory space that the call to write the security data originates with a trusted entity. Once copied to SMI memory space, the security data is erased from regular system memory and the lockable storage device is hard locked (requiring a reset to unlock) against direct access prior to starting the operating system. The copy of the security data within the SMI memory space is invisible to the operating system. However, the operating system may initiate a call to code running in the SMI memory space to check a password entered by the user, with the SMI code returning a “match” or “no match” indication. The security data may thus be employed after the lockable memory device is hard locked and the operating system is started.
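The flow in the abstract, modelled as a small C state machine. This is an added example, not code from the patent or from any BIOS; the struct fields, the function names, the `in_post` flag standing in for the trusted-caller check, and the fixed-length constant-time comparison are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define PW_LEN 16                 /* fixed-size slot; an assumption of this model */

struct machine {                  /* all field names are hypothetical */
    uint8_t nvram[PW_LEN];        /* lockable memory device */
    bool    nvram_locked;         /* hard lock: only a reset clears it */
    uint8_t sysmem[PW_LEN];       /* regular system memory, visible to the OS */
    uint8_t smram[PW_LEN];        /* SMI memory space, invisible to the OS */
    bool    in_post;              /* stand-in for "caller is the trusted POST routine" */
};

/* Direct access to the device fails once it is hard locked. */
bool nvram_read(const struct machine *m, uint8_t *out) {
    if (m->nvram_locked) return false;
    memcpy(out, m->nvram, PW_LEN);
    return true;
}

/* SMI service: accept security data only from the trusted caller. */
bool smi_store(struct machine *m, const uint8_t *src) {
    if (!m->in_post) return false;
    memcpy(m->smram, src, PW_LEN);
    return true;
}

/* SMI service: the caller learns only match / no match. */
bool smi_check(const struct machine *m, const uint8_t *entered) {
    uint8_t diff = 0;             /* no early exit, so timing does not leak position */
    for (int i = 0; i < PW_LEN; i++) diff |= m->smram[i] ^ entered[i];
    return diff == 0;
}

/* POST: copy to SMI space, erase the staging copy, hard lock, hand off. */
bool post_init(struct machine *m) {
    m->in_post = true;
    bool ok = nvram_read(m, m->sysmem) && smi_store(m, m->sysmem);
    memset(m->sysmem, 0, PW_LEN);
    m->nvram_locked = true;
    m->in_post = false;
    return ok;
}

int main(void) {                  /* constructed sample password */
    struct machine m = {0};
    uint8_t pw[PW_LEN] = "example-pw";
    memcpy(m.nvram, pw, PW_LEN);
    return (post_init(&m) && smi_check(&m, pw)) ? 0 : 1;
}
```

After `post_init` returns, the only path to the password from OS context is `smi_check`, which yields a single boolean; `nvram_read` and `smi_store` both refuse.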
33 Claims
1. A method of enabling use of a secure password, comprising:
- during power up initialization before an operating system is started, copying security data from an unsecure memory device in a computer to a restricted portion of the computer's system memory which is invisible to the operating system, wherein the restricted portion of the computer's system memory contains code and data needed for low level system control functions that are independent of the operating system, and wherein a writing a data into the restricted portion of the computer's system memory is authorized only for a trusted software entity that has been authenticated as having permission to access the restricted portion of the computer's system memory, wherein the trusted software entity is a trusted routine that is part of a Basic Input/Output System (BIOS) Power-On Self Test (POST) program that is stored in the computer; and
- before starting the operating system, hard locking the memory device against direct access so that a reset signal is required to unlock the memory device.
Dependent claims: 2, 3, 4, 5, 6, 28
7. A method of enabling use of a secure password, comprising:
- responsive to receiving an entered password under an operating system, calling a routine executing within a restricted portion of system memory to verify the password, wherein the restricted portion of system memory is invisible to the operating system and wherein the operating system and routine executing within the restricted portion of system memory communication through a calling convention, and wherein the restricted portion of the system memory contains code and data needed for low level system control functions that are independent of the operating system, and wherein a writing of data into the restricted portion of the system memory is authorized only for a trusted software entity that has been authenticated as having permission to access the restricted portion of the system memory, wherein the trusted software entity is a trusted routine in a Basic Input/Output System (BIOS) Power-On Self Test (POST) program that is stored in the computer; and
- receiving only an indication from the routine executing within the restricted portion of memory regarding whether the entered password matched a password stored within the restricted portion of system memory.
Dependent claims: 8, 9, 10, 11, 29
12. A data processing system, comprising:
- a memory device which may be hard locked against direct access so that a reset signal is required to unlock the memory device; and
- a power up initialization routine executing within the data processing system, wherein the power up initialization routine, before starting an operating system, copies security data from the memory device in a computer to a restricted portion of the computer's system memory which is invisible to the operating system and hard locks the computer's memory device, wherein the restricted portion of the computer's system memory contains code and data needed for low level system control functions that are independent of the operating system, and wherein a writing of data into the restricted portion of the computer's system memory is authorized only for a trusted software entity that has been authenticated as having permission to access the restricted portion of the computer's system memory.
Dependent claims: 13, 14, 15, 16, 17, 30
18. A data processing system, comprising:
- an operating system;
- a memory device which may be hard locked against direct access so that a reset signal is required to unlock the memory device;
- a system memory including a restricted portion invisible to the operating system, wherein the operating system and routines executing within the restricted portion of system memory communicate through a calling convention; and
- a power up initialization routine executing within the data processing system, wherein the power up initialization routine, responsive to receiving an entered password under an operating system, calls a routine executing within a restricted portion of system memory to verify the password, and receives an indication from the routine executing within the restricted portion of memory regarding whether the entered password matched a password stored within the restricted portion of system memory, wherein the restricted portion of the system memory contains code and data needed for low level system control functions that are independent of the operating system, and wherein a writing of data into the restricted portion of the system memory is authorized only for a trusted software entity that has been authenticated as having permission to access the restricted portion of the system memory.
Dependent claims: 19, 20, 21, 22
23. A computer program product within a computer usable medium for enabling use of a secure password, comprising:
- instructions for copying security data from a memory device in a computer to a restricted portion of the computer's system memory which is invisible to the operating system during power up initialization before an operating system is started, wherein the restricted portion of the computer's system memory contains code and data needed for low level system control functions that are independent of the operating system, and wherein a writing of data into the restricted portion of the computer's system memory is authorized only for a trusted software entity that has been authenticated as having permission to access the restricted portion of the computer's system memory; and
- instructions for hard locking the memory device against direct access so that a reset signal is required to unlock the memory device before starting the operating system.
Dependent claims: 24, 25, 26, 27
31. A method comprising:
- asserting a Power-On Self Test (POST) Basic Input/Output System (BIOS) program in a computer;
- in response to the POST BIOS program being asserted, setting a hard lock state on a non-volatile memory that contains sensitive data;
- in response to the POST BIOS program being asserted, permitting an execution of a reading of the sensitive data in the non-volatile memory;
- loading the sensitive data from the non-volatile memory into a non-protected system memory in the computer; and
- in response to a call to code in a System Memory Interrupt (SMI) memory space, using the code in the SMI memory space to move the sensitive data from the non-protected system memory to the SMI memory space.
Dependent claims: 32, 33
Specification