System and method for authenticating an operating system
Abstract
A system and method for authenticating an operating system includes, in accordance with one aspect, a method in a computer system having a processor, an operating system (OS), and a software identity register that holds an identity of the operating system, the processor having a private key. The method comprises forming an OS certificate containing the identity from the software identity register and signing the OS certificate using the private key. In accordance with another aspect, the signed identity is submitted to a recipient to prove an identity of the operating system to the recipient.
39 Claims
1. In a computer system having a processor, an operating system (OS), and a software identity register that holds an identity of the operating system, the processor having a private key, a method comprising:
- forming an OS certificate containing the identity from the software identity register, the identity having been set to a first value if a boot block of the OS was atomically executed, and the identity having been set to a second value if the boot block of the OS was not atomically executed; and
- signing the OS certificate using the private key.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A system comprising:
- a client having a processor and an operating system (OS), the processor having a private key, a manufacturer certificate supplied by a manufacturer of the processor, and a software identity register that holds an identity of the operating system if a boot block of the OS was atomically executed, and that otherwise holds a value indicating that atomic execution of the boot block failed, the client being configured to submit a request over a network;
- a computer system having a server to serve content to the client, the computer system being configured to receive the request over the network, generate a challenge nonce, and return the challenge nonce to the client; and
- the client being further configured to form an OS certificate containing both the identity from the software identity register and the challenge nonce, and to sign the OS certificate using the private key, the client returning the OS certificate and the processor manufacturer certificate to the computer system for evaluation to determine whether to reject or fulfill the request.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16, 17, 18
19. For execution on a computer system having a processor, an operating system (OS), and a software identity register that holds an identity of the operating system, the processor having a private key, a computer program stored on one or more computer-readable storage media of the computer system, the program comprising:
- forming an OS certificate containing the identity from the software identity register, the identity being a cryptographic digest of an initial boot block of the operating system and an identity of each of one or more operating system components that have been loaded in the computer system; and
- signing the OS certificate using the processor private key.
Dependent claims: 20, 21, 22, 23, 24
25. In a client, a computer program stored on one or more computer-readable storage media resident at the client for establishing a chain of trust between the client and a computer, the program comprising:
- submitting a request from the client to the computer, the request specifying a particular content, the client including a processor and an operating system (OS) and the processor further including a private key, a manufacturer certificate supplied by a manufacturer of the processor, and a software identity register (SIR) that holds an identity of the operating system the identity being a digest of both an initial boot block of the operating system and an identity of each of one or more loaded operating system components indicated in a boot log of the client, wherein each time one of the one or more loaded operating system components is loaded a current SIR value is replaced with a new SIR value that is a hash of a concatenation of the current SIR value and the identity of the one operating system component being loaded, the new SIR value then becoming the current SIR value;
- receiving, from the computer, a challenge nonce generated at the computer;
- forming an OS certificate containing the identity from the software identity register and signing the OS certificate using the private key;
- passing the OS certificate and the processor manufacturer certificate from the client to the computer so that the OS certificate and the processor manufacturer certificate can be evaluated to determine whether the computer is to reject or fulfill the request.
Dependent claims: 26, 27, 28
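The SIR update rule recited in claim 25, together with the boot-log replay a verifier can run against the identity reported in the OS certificate, is sketched below as an added example; it is not code from the patent. Assumptions: SHA-256 as the hash, a component identity equal to the digest of its image, an initial SIR equal to the digest of the boot block, and all function names and sample data, which are constructed for illustration. Signing the certificate and checking the challenge nonce are outside this block.

```python
import hashlib

def digest(data: bytes) -> bytes:
    # Assumption: SHA-256; the claims do not name a hash function.
    return hashlib.sha256(data).digest()

def extend(sir: bytes, component_id: bytes) -> bytes:
    # Claim 25: new SIR = hash(current SIR || identity of component being loaded).
    return digest(sir + component_id)

def boot(boot_block: bytes, components: list[bytes]) -> tuple[bytes, list[bytes]]:
    """Client side: measure the boot block, then extend the SIR once per
    loaded component. Returns the final SIR and the boot log of identities."""
    sir = digest(boot_block)  # assumption: SIR starts as the boot block digest
    boot_log = []
    for image in components:
        component_id = digest(image)
        boot_log.append(component_id)
        sir = extend(sir, component_id)
    return sir, boot_log

def replay(boot_block_id: bytes, boot_log: list[bytes]) -> bytes:
    """Verifier side: recompute the SIR from the boot log alone."""
    sir = boot_block_id
    for component_id in boot_log:
        sir = extend(sir, component_id)
    return sir

def verify(reported_sir: bytes, boot_block_id: bytes,
           boot_log: list[bytes], trusted_ids: set[bytes]) -> bool:
    """Accept only if the log reproduces the reported SIR and every measured
    identity is one the verifier already trusts."""
    if replay(boot_block_id, boot_log) != reported_sir:
        return False  # log was reordered, truncated, or edited
    return boot_block_id in trusted_ids and all(c in trusted_ids for c in boot_log)

# Constructed sample data, not taken from the patent.
BOOT_BLOCK = b"constructed boot block"
COMPONENTS = [b"constructed kernel image", b"constructed driver image"]

if __name__ == "__main__":
    sir, log = boot(BOOT_BLOCK, COMPONENTS)
    trusted = {digest(BOOT_BLOCK), *log}
    print(sir.hex(), verify(sir, digest(BOOT_BLOCK), log, trusted))
```

Because each step hashes the previous SIR value, the final value commits to both the set and the order of loaded components, so a boot log that omits or reorders an entry no longer replays to the reported identity.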
29. In a computer system having a cryptographic mechanism, an operating system (OS), and a software identity register that holds an identity of the operating system, the cryptographic mechanism having a private key of a pair of private and public keys, a method comprising:
- obtaining the identity of the operating system, the identity having been set to a first value if a boot block of the OS was atomically executed, and the identity having been set to a second value if atomic execution of the boot block failed; and
- signing the identity using the private key of the cryptographic mechanism.
Dependent claims: 30, 31, 32, 33, 34, 35
36. A system comprising:
- a first processor, wherein the first processor comprises a central processing unit (CPU); and
- a second processor having a key pair including a private key and a public key, wherein the private key is to be used by the second processor to sign an identity of an operating system being executed by the first processor, the identity having been set to a first value if a boot block of the operating system was atomically executed, and the identity having been set to a second value if the boot block of the operating system was not atomically executed.
Dependent claims: 37, 38, 39
Specification