Providing a protected volume on a data storage device
Abstract
The invention establishes a protected volume on a data storage device associated with a computational device by allowing an operating system of the computational device to boot up to a point (the volume conversion crossover point) at which predetermined functionality of the operating system becomes available, then establishing the protected volume. A copy of the operating system data (cleartext operating system data) that is accessed during boot up prior to the volume conversion crossover point (which can be known by monitoring and recording access to operating system data during boot-up) is stored in an unprotected region of the data storage device. A copy of the cleartext operating system data is also stored in the protected volume. After the protected volume is established, the computational device is reset, causing the operating system to boot up again. During each boot-up of the operating system after the protected volume has been established, the cleartext operating system data is used until the volume conversion crossover point, at which time operation of the computational device converts to a secure mode (if authorized) in which data stored on the data storage device can be accessed from the protected volume (including the copy of the cleartext operating system data that is stored in the protected volume).
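The access rules in the abstract can be modelled as a small state machine. The following is an added example, not code from the patent: class, method and region names are hypothetical, the sector contents are constructed, and protection is modelled as access gating only, since the page does not say how the protected volume is implemented.

```python
class AccessDenied(Exception):
    pass

class ProtectedDisk:
    """Toy model of the scheme in the abstract; all names are hypothetical."""

    def __init__(self, sectors):
        self.raw = dict(sectors)   # sector id -> data, before conversion
        self.boot_log = []         # ids of OS data read before the crossover point
        self.unprotected = {}      # cleartext copy used for early boot
        self.protected = {}        # protected volume (gated here, not encrypted)
        self.secure = False        # True only past the crossover point, if authorized

    def record_boot(self, reads):
        """Monitor one boot up to the crossover point and record what it touched."""
        for sid in reads:
            if sid not in self.boot_log:
                self.boot_log.append(sid)

    def convert(self):
        """Establish both regions: boot set in cleartext, all data in the protected volume."""
        self.unprotected = {sid: self.raw[sid] for sid in self.boot_log}
        self.protected = dict(self.raw)   # includes a copy of the boot set
        self.raw = {}
        self.secure = False

    def reset(self):
        self.secure = False               # every boot starts before the crossover point

    def crossover(self, authorized):
        """Convert to secure mode only if authorization succeeded."""
        self.secure = bool(authorized)
        return self.secure

    def read(self, region, sid):
        if region == "unprotected" and not self.secure and sid in self.unprotected:
            return self.unprotected[sid]
        if region == "protected" and self.secure and sid in self.protected:
            return self.protected[sid]
        raise AccessDenied(f"{region}:{sid} denied (secure={self.secure})")

def demo():
    # Constructed sample: sectors 0-2 are read during boot, 3 is other OS data, 4 is user data.
    disk = ProtectedDisk({0: b"loader", 1: b"kernel", 2: b"driver", 3: b"shell", 4: b"payroll"})
    disk.record_boot([0, 1, 2, 1])
    disk.convert()
    disk.reset()
    return disk
```

In this model only the recorded boot set is ever readable without authorization, and a sector outside that set cannot be read before the crossover point, so a boot path that changes after conversion would need the set recorded again.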
48 Claims
1. A method for providing a protected region of a data storage device associated with a computational device, the protected region being a region within which data cannot be accessed without proper authorization, operating system data representing the operating system of the computational device being stored on the data storage device, the method comprising the steps of:
- monitoring access to operating system data by the computational device after a reset of the computational device and until predetermined functionality of the operating system becomes available;
- recording an identification of the operating system data accessed during the step of monitoring; and
- establishing protected and unprotected regions of the data storage device, the step of establishing further comprising the steps of:
  - storing a copy of operating system data accessed during the step of monitoring in the unprotected region of the data storage device; and
  - storing protected data in the protected region of the data storage device, wherein the protected data comprises the operating system data, including a copy of operating system data accessed during the step of monitoring, and any other data to which it is desired to prevent access without proper authorization.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A method for providing a protected region of a data storage device associated with a computational device, the protected region being a region within which data cannot be accessed without proper authorization, operating system data representing the operating system of the computational device being stored on the data storage device, the method comprising the steps of:
- maintaining a record of operating system data accessed by the computational device after a reset of the computational device and until predetermined functionality of the operating system becomes available;
- establishing protected and unprotected regions of the data storage device, the step of establishing further comprising the steps of:
  - storing operating system data recorded during the step of maintaining in the unprotected region of the data storage device; and
  - storing protected data in the protected region of the data storage device, wherein the protected data comprises the operating system data and any other data to which it is desired to prevent access without proper authorization; and
- further comprising the steps of, subsequent to a reset of the computational device after establishment of the protected and unprotected regions of the data storage device:
  - until predetermined functionality of the operating system becomes available:
    - allowing access to operating system data stored in the unprotected region; and
    - preventing access to protected data stored in the protected region; and
  - after predetermined functionality of the operating system becomes available:
    - allowing restricted access to protected data stored in the protected region; and
    - preventing access to operating system data stored in the unprotected region.
Dependent claims: 11, 12, 13, 14, 15, 16
17. Apparatus for providing a protected region of a data storage device associated with a computational device, the protected region being a region within which data cannot be accessed without proper authorization, operating system data representing the operating system of the computational device being stored on the data storage device, the apparatus comprising:
- means for monitoring access to operating system data by the computational device after a reset of the computational device and until predetermined functionality of the operating system becomes available;
- means for recording an identification of the operating system data accessed during the monitoring; and
- means for establishing protected and unprotected regions of the data storage device, the means for establishing further comprising:
  - means for storing a copy of operating system data accessed during the monitoring in the unprotected region of the data storage device; and
  - means for storing protected data in the protected region of the data storage device, wherein the protected data comprises the operating system data, including a copy of operating system data accessed during the monitoring, and any other data to which it is desired to prevent access without proper authorization.
Dependent claims: 18, 19, 20, 21, 22, 23, 24, 25
26. A computer readable medium or media encoded with one or more computer programs and/or data structures for providing a protected region of a data storage device associated with a computational device, the protected region being a region within which data cannot be accessed without proper authorization, operating system data representing the operating system of the computational device being stored on the data storage device, the one or more computer programs and/or data structures comprising:
- instructions and/or data for monitoring access to operating system data by the computational device after a reset of the computational device and until predetermined functionality of the operating system becomes available;
- instructions and/or data for recording an identification of the operating system data accessed during the monitoring; and
- instructions and/or data for establishing protected and unprotected regions of the data storage device, the instructions and/or data for establishing further comprising:
  - instructions and/or data for storing a copy of operating system data accessed during the monitoring in the unprotected region of the data storage device; and
  - instructions and/or data for storing protected data in the protected region of the data storage device, wherein the protected data comprises the operating system data, including a copy of operating system data accessed during the monitoring, and any other data to which it is desired to prevent access without proper authorization.
Dependent claims: 27, 28, 29, 30, 31, 32, 33, 34
35. Apparatus for providing a protected region of a data storage device associated with a computational device, the protected region being a region within which data cannot be accessed without proper authorization, operating system data representing the operating system of the computational device being stored on the data storage device, the apparatus comprising:
- means for maintaining a record of operating system data accessed by the computational device after a reset of the computational device and until predetermined functionality of the operating system becomes available;
- means for establishing protected and unprotected regions of the data storage device, the means for establishing further comprising:
  - means for storing operating system data recorded by the means for maintaining in the unprotected region of the data storage device; and
  - means for storing protected data in the protected region of the data storage device, wherein the protected data comprises the operating system data and any other data to which it is desired to prevent access without proper authorization;
- means for, subsequent to a reset of the computational device after establishment of the protected and unprotected regions of the data storage device and until predetermined functionality of the operating system becomes available, allowing access to operating system data stored in the unprotected region and preventing access to protected data stored in the protected region; and
- means for, subsequent to a reset of the computational device after establishment of the protected and unprotected regions of the data storage device and after predetermined functionality of the operating system becomes available, allowing restricted access to protected data stored in the protected region and preventing access to operating system data stored in the unprotected region.
Dependent claims: 36, 37, 38, 39, 40, 41
42. A computer readable medium or media encoded with one or more computer programs and/or data structures for providing a protected region of a data storage device associated with a computational device, the protected region being a region within which data cannot be accessed without proper authorization, operating system data representing the operating system of the computational device being stored on the data storage device, the one or more computer programs and/or data structures comprising:
- instructions and/or data for maintaining a record of operating system data accessed by the computational device after a reset of the computational device and until predetermined functionality of the operating system becomes available;
- instructions and/or data for establishing protected and unprotected regions of the data storage device, the instructions and/or data for establishing further comprising:
  - instructions and/or data for storing operating system data recorded by the instructions and/or data for maintaining in the unprotected region of the data storage device; and
  - instructions and/or data for storing protected data in the protected region of the data storage device, wherein the protected data comprises the operating system data and any other data to which it is desired to prevent access without proper authorization;
- instructions and/or data for, subsequent to a reset of the computational device after establishment of the protected and unprotected regions of the data storage device and until predetermined functionality of the operating system becomes available, allowing access to operating system data stored in the unprotected region and preventing access to protected data stored in the protected region; and
- instructions and/or data for, subsequent to a reset of the computational device after establishment of the protected and unprotected regions of the data storage device and after predetermined functionality of the operating system becomes available, allowing restricted access to protected data stored in the protected region and preventing access to operating system data stored in the unprotected region.
Dependent claims: 43, 44, 45, 46, 47, 48
Specification