Boot blocks for software

US 7,529,919 B2
Filed: 05/07/2003
Issued: 05/05/2009
Est. Priority Date: 10/26/1998
Status: Active Grant

First Claim

Patent Images

1. In a computer system having a central processing unit and a software identity register, a method comprising:

executing an atomic operation to set an identity of a piece of software into the software identity register, wherein if the atomic operation completes correctly, the software identity register contains the identity of the piece of software and if the atomic operation fails to complete correctly, the software identity register contains a value other than the identity of the piece of software; and

examining the software identity register to verify the identity of the piece of software;

wherein the identity comprises a public key of a correctly signed block of code from the piece of software, and the examining comprises verifying a signature of the signed block of code against the public key.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with one aspect of boot blocks for software, in a computer system that has a central processing unit and a software identity register, an atomic operation is executed to set an identity of a piece of software into the software identity register. If the atomic operation completes correctly, then the software identity register contains the identity of the piece of software; otherwise, the software identity register contains a value other than the identity of the piece of software.

184 Citations

57 Claims

1. In a computer system having a central processing unit and a software identity register, a method comprising:
- executing an atomic operation to set an identity of a piece of software into the software identity register, wherein if the atomic operation completes correctly, the software identity register contains the identity of the piece of software and if the atomic operation fails to complete correctly, the software identity register contains a value other than the identity of the piece of software; and
  
  examining the software identity register to verify the identity of the piece of software;
  
  wherein the identity comprises a public key of a correctly signed block of code from the piece of software, and the examining comprises verifying a signature of the signed block of code against the public key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method as recited in claim 1, wherein the piece of software comprises the operating system.
  - 3. A method as recited in claim 1, wherein the piece of software comprises an operating system loader.
  - 4. A method as recited in claim 1, wherein executing the atomic operation comprises executing the atomic operation at the start of an operating system loader.
  - 5. A method as recited in claim 1, wherein executing the atomic operation comprises executing a BeginAuthenticatedBoot instruction.
  - 6. A method as recited in claim 1, wherein the piece of software includes a boot block that includes a block of code.
  - 7. A method as recited in claim 6, wherein the boot block further includes a BeginAuthenticatedBoot opcode.
  - 8. A method as recited in claim 6, wherein the boot block further includes a length specifying a number of bytes in the block of code.
  - 9. A method as recited in claim 6, wherein the boot block further includes one or more constants to be used to validate subsequent operating system components.
  - 10. A method as recited in claim 1, further comprising appending at least a portion of the identity to a boot log.
  - 11. A method as recited in claim 1, further comprising authenticating additional blocks of code.
  - 12. A method as recited in claim 1, further comprising:
    - appending at least a portion of the identity to a boot log;
      
      authenticating additional blocks of code; and
      
      appending identities of the additional blocks of code to the boot log.

13. In a computer system having a central processing unit and a software identity register, a method comprising:
- executing an atomic operation to set an identity of a piece of software into the software identity register, wherein if the atomic operation completes correctly, the software identity register contains the identity of the piece of software and if the atomic operation fails to complete correctly, the software identity register contains a value other than the identity of the piece of software; and
  
  examining the software identity register to verify the identity of the piece of software, wherein the piece of software includes a boot block that includes a block of code and, wherein the boot block further includes;
  
  a signature obtained from signing the block of code; and
  
  a public key from a key pair.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. A method as recited in claim 13, wherein the piece of software comprises the operating system.
  - 15. A method as recited in claim 13, wherein the piece of software comprises an operating system loader.
  - 16. A method as recited in claim 13, wherein executing the atomic operation comprises executing the atomic operation at the start of an operating system loader.
  - 17. A method as recited in claim 13, wherein executing the atomic operation comprises executing a BeginAuthenticatedBoot instruction.
  - 18. A method as recited in claim 13, wherein the boot block further includes a BeginAuthenticatedBoot opcode.
  - 19. A method as recited in claim 13, wherein the boot block further includes a length specifying a number of bytes in the block of code.
  - 20. A method as recited in claim 13, wherein the boot block further includes one or more constants to be used to validate subsequent operating system components.
  - 21. A method as recited in claim 13, further comprising appending at least a portion of the identity to a boot log.
  - 22. A method as recited in claim 13, further comprising authenticating additional blocks of code.
  - 23. A method as recited in claim 13, further comprising:
    - appending at least a portion of the identity to a boot log;
      
      authenticating additional blocks of code; and
      
      appending identities of the additional blocks of code to the boot log.

24. In a computer system having a central processing unit (CPU), a piece of software, and a software identity register, a method comprising:
- identifying a boot block of code associated with the piece of software that uniquely describes the piece of software;
  
  creating an identity of the piece of software from the boot block, wherein the creating comprises signing the boot block using a private key from a key pair to form a signature, and wherein the signature and a corresponding public key from the key pair together form the identity of the piece of software; and
  
  executing an atomic operation to set the identity of the piece of software into the software identity register, wherein if the atomic operation completes correctly, the software identity register contains the identity of the piece of software.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31)
- - 25. A method as recited in claim 24, wherein the piece of software comprises an operating system.
  - 26. A method as recited in claim 24, wherein the piece of software comprises an operating system loader.
  - 27. A method as recited in claim 24, wherein executing the atomic operation comprises executing the atomic operation at the start of an operating system loader.
  - 28. A method as recited in claim 24, further comprising appending at least a portion of the identity to a boot log.
  - 29. A method as recited in claim 24, further comprising authenticating additional blocks of code.
  - 30. A method as recited in claim 24, further comprising:
    - appending at least a portion of the identity to a boot log;
      
      authenticating additional blocks of code; and
      
      appending identities of the additional blocks of code to the boot log.
  - 31. A method as recited in claim 24, wherein executing the atomic operation comprises executing a BeginAuthenticatedBoot instruction.

32. A computer comprising:
- a nonvolatile memory having a piece of software stored therein, wherein the piece of software has a block of code;
  
  a software identity register;
  
  a central processing unit (CPU) coupled to the memory, wherein the CPU holds a manufacturer certificate signed by a manufacturer of the CPU; and
  
  the piece of software being booted for execution on the CPU according to a sequence that begins with an atomic operation, wherein if the atomic operation completes correctly, the software identity register is set to the identity of the piece of software.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39)
- - 33. A computer as recited in claim 32, wherein the software identity register is included in the CPU.
  - 34. A computer as recited in claim 32, wherein the piece of software comprises an operating system.
  - 35. A computer as recited in claim 32, wherein the piece of software comprises an operating system loader.
  - 36. A method as recited in claim 32, wherein the sequence includes an operating system loader.
  - 37. A computer as recited in claim 32, wherein the identity comprises a digital signature on a block of code from the piece of software.
  - 38. A computer as recited in claim 32, wherein the identity comprises a hash digest of a block of code from the piece of software.
  - 39. A computer as recited in claim 32, further comprising a boot log, wherein the CPU appends the identity of the piece of software to the boot log in the event that the atomic operation completes correctly.

40. One or more computer readable memories having stored thereon a plurality of instructions that, when executed by one or more processors of a device, causes the one or more processors to:
- load a boot block for a piece of software, wherein the boot block includes a block of code, and wherein the boot block further includes a length specifying a number of bytes in the block of code;
  
  generate a value based on the block of code and one or more constants; and
  
  set the value into a software identity register of one of the one or more processors.
- View Dependent Claims (41, 42, 43, 44, 45, 46)
- - 41. One or more computer readable memories as recited in claim 40, wherein the boot block further includes a BeginAuthenticatedBoot opcode.
  - 42. One or more computer readable memories as recited in claim 40, wherein the boot block further includes one or more constants to be used to validate subsequent operating system components.
  - 43. One or more computer readable memories as recited in claim 40, wherein the piece of software comprises an operating system.
  - 44. One or more computer readable memories as recited in claim 40, wherein the piece of software comprises an operating system loader.
  - 45. One or more computer readable memories as recited in claim 40, wherein the value comprises a cryptographic hash of the block of code and the one or more constants.
  - 46. One or more computer readable memories as recited in claim 40, wherein the value comprises a digest of the block of code and the one or more constants.

47. One or more computer readable memories having stored thereon a plurality of instructions that, when executed by one or more processors of a device, causes the one or more processors to:
- load a boot block for a piece of software, wherein the boot block includes a block of code, and wherein the boot block further includes one or more constants to be used to validate subsequent operating system components;
  
  generate a value based on the block of code and the one or more constants; and
  
  set the value into a software identity register of one of the one or more processors.
- View Dependent Claims (48, 49, 50, 51, 52)
- - 48. One or more computer readable memories as recited in claim 47, wherein the boot block further includes a BeginAuthenticatedBoot opcode.
  - 49. One or more computer readable memories as recited in claim 47, wherein the piece of software comprises an operating system.
  - 50. One or more computer readable memories as recited in claim 47, wherein the piece of software comprises an operating system loader.
  - 51. One or more computer readable memories as recited in claim 47, wherein the value comprises a cryptographic hash of the block of code and the one or more constants.
  - 52. One or more computer readable memories as recited in claim 47, wherein the value comprises a digest of the block of code and the one or more constants.

53. One or more computer readable memories having stored thereon a plurality of instructions that, when executed by one or more processors of a device, causes the one or more processors to:
- load a boot block for a piece of software, wherein the boot block includes a block of code;
  
  generate a value based on the block of code and one or more constants, wherein the value comprises a digest of the block of code and the one or more constants; and
  
  set the value into a software identity register of one of the one or more processors.
- View Dependent Claims (54, 55, 56, 57)
- - 54. One or more computer readable memories as recited in claim 53, wherein the boot block further includes a BeginAuthenticatedBoot opcode.
  - 55. One or more computer readable memories as recited in claim 53, wherein the boot block further includes one or more constants to be used to validate subsequent operating system components.
  - 56. One or more computer readable memories as recited in claim 53, wherein the piece of software comprises an operating system.
  - 57. One or more computer readable memories as recited in claim 53, wherein the piece of software comprises an operating system loader.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
England, Paul, Lampson, Butler W., DeTreville, John D.
Primary Examiner(s)
Moise; Emmanuel L
Assistant Examiner(s)
CALLAHAN, PAUL E

Application Number

US10/431,012
Publication Number

US 20030196110A1
Time in Patent Office

2,190 Days
Field of Search

380/264, 713/193, 713/190, 713/191, 713/1, 705/57, 726/24
US Class Current

713/1
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/575   Secure boot

G06F 2221/2113   Multi-level security, e.g. ...

G06F 9/4406   Loading of operating system

G06F 9/468   Specific access rights for ...

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/166   at the transport layer

Boot blocks for software

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

184 Citations

57 Claims

Specification

Solutions

Use Cases

Quick Links

Boot blocks for software

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

184 Citations

57 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links