Method and apparatus for loading a trustable operating system

US 7,631,196 B2
Filed: 02/25/2002
Issued: 12/08/2009
Est. Priority Date: 02/25/2002
Status: Active Grant

First Claim

Patent Images

1. A method of loading a trustable operating system comprising:

performing a start secure operation by a first processor of a plurality of processors;

performing a join secure operation by remaining processors of the plurality of processors excluding the first processor, the join secure operation performed from the start secure operation and forces the remaining processors of the plurality of processors to enter into a halted state that prevents the remaining processors from interfering with the operations of the first processor;

receiving signals by the first processor from the remaining processors that the remaining processors have entered the halted state;

identifying a secure region in a memory of a computer;

loading a content into the identified region under control by the first processor after receiving the signals that the remaining processors have entered the halted state;

registering an identity of the content after the content is loaded into the identified region, the registering comprises;

recording a hash digest of the content of the identified region, andsigning the hash digest with a hash signing engine having a secure channel to access the hash digest, the signed hash digest being stored in a register in the memory of the computer that is accessible by an outside entity to verify whether the content can be trusted;

causing the first processor to jump to a known entry point in the identified region in the memory; and

completing the start secure operation by the first processor and signaling the remaining processors to resume activity by exiting the halted state and jumping to the known entry point in the identified region in the memory.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus is provided in which a trustable operating system is loaded into a region in memory. A start secure operation (SSO) triggers a join secure operation (JSO) to halt all but one central processing unit (CPU) in a multi-processor computer. The SSO causes the active CPU to load a component of an operating system into a specified region in memory, register the identity of the loaded operating system by recording a cryptographic hash of the contents of the specified region in memory, begin executing at a known entry point in the specified region and trigger the JSO to cause the halted CPUs to do the same.

242 Citations

36 Claims

1. A method of loading a trustable operating system comprising:
- performing a start secure operation by a first processor of a plurality of processors;
  
  performing a join secure operation by remaining processors of the plurality of processors excluding the first processor, the join secure operation performed from the start secure operation and forces the remaining processors of the plurality of processors to enter into a halted state that prevents the remaining processors from interfering with the operations of the first processor;
  
  receiving signals by the first processor from the remaining processors that the remaining processors have entered the halted state;
  
  identifying a secure region in a memory of a computer;
  
  loading a content into the identified region under control by the first processor after receiving the signals that the remaining processors have entered the halted state;
  
  registering an identity of the content after the content is loaded into the identified region, the registering comprises;
  
  recording a hash digest of the content of the identified region, andsigning the hash digest with a hash signing engine having a secure channel to access the hash digest, the signed hash digest being stored in a register in the memory of the computer that is accessible by an outside entity to verify whether the content can be trusted;
  
  causing the first processor to jump to a known entry point in the identified region in the memory; and
  
  completing the start secure operation by the first processor and signaling the remaining processors to resume activity by exiting the halted state and jumping to the known entry point in the identified region in the memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - preventing interference with the identifying, loading, and registering by at least a second processor of the plurality of processors while the first processor is loading the content into the identified region.
  - 3. The method of claim 2, wherein preventing interference comprises halting at least the second processor of the plurality of processors until the identifying, loading, and registering is complete.
  - 4. The method of claim 1, further comprising:
    - blocking access to the secure region of the memory for a duration of the start secure operation even after receiving the signals that the remaining processors have entered the halted state when the plurality of processors are implemented within a computer system that supports direct memory access (DMA).
  - 5. The method of claim 1, wherein identifying comprises receiving a region parameter, the region parameter specifying a location of the region.
  - 6. The method of claim 5, wherein the location comprises a range of addresses in the memory of the computer within which the region is located.
  - 7. The method of claim 5, wherein the location comprises a start address and a length of the memory of the computer within which the region is located.
  - 8. The method of claim 1 wherein the content is a component of an operating system to operate the computer.
  - 9. The method of claim 8, wherein the component of the operating system is a one of a virtual machine monitor, and a privileged software nucleus.
  - 10. The method of claim 1 wherein identifying, loading and registering are uninterruptible.
  - 11. The method of claim 1, wherein the join secure operation is performed atomically from the start secure operation.

12. An article of manufacture comprising:
- a machine-accessible medium including a data that, when accessed by a machine cause the machine to,halt all but one of a plurality of central processing units (CPUs) in a computer;
  
  identify a region in a memory of the computer;
  
  block access to the identified region by all resources except the non-halted CPU only after receiving signals by the one of the plurality of CPUs that a remainder of the plurality of CPUs have entered into a halted state;
  
  load a content into the identified region;
  
  register an identity of the content of the identified region, the registering comprises;
  
  computing the cryptographic hash of the identified region, recording the computed cryptographic hash of the content in the identified region, andsigning the computed cryptographic hash with a hash signing engine having a secure channel to access the cryptographic hash, the signed cryptographic hash being stored in a register in the memory of the computer that is accessible by an outside entity to verify whether the content can be trusted; and
  
  cause the non-halted CPU to begin executing at a known entry point in the identified region after the identity of the content has been registered.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The article of manufacture of claim 12, wherein the data that causes the machine to halt the all but one of a plurality of CPUs comprises data causing the all but one of a plurality of CPUs to enter a halted state.
  - 14. The article of manufacture of claim 13, wherein the data further causes the halted CPUs to exit the halted state after the one of the plurality of CPUs has begun executing at the known entry point in the identified region.
  - 15. The article of manufacture of claim 14, wherein the data further causes the previously halted CPUs to begin executing at the known entry point in the identified region upon exiting the halted state.
  - 16. The article of manufacture of claim 13, wherein the data that causes the machine to record the cryptographic hash includes data that further causes the machine to,erase a hash digest area in the memory of the computer;
    - andrecord a platform information in the hash digest area;
      
      the platform information includes a version number of the one of the plurality of CPUs.
  - 17. The article of manufacture of claim 13, wherein the data that causes the machine to identify the region in memory of the computer includes data that further causes the machine to receive at least one region parameter containing a location of the identified region.
  - 18. The article of manufacture of claim 13, wherein the location includes an address of the identified region.
  - 19. The article of manufacture of claim 13, wherein the location includes a length of the identified region.

20. A method of securing a region in a memory of a computer comprising:
- halting all but one of a plurality of processors in a computer, the halted processors entering into a special halted state;
  
  identifying a region in a memory of a computer;
  
  loading content into the region only after the halting of all but the one of the plurality of processors;
  
  blocking access to the region in a memory of the computer by all resources except the non-halted processor;
  
  registering an identity of the content of the region in the memory, the registering comprises;
  
  recording a cryptographic hash of the region, and;
  
  signing the cryptographic hash with a digest signing engine coupled to the memory of the computer having a secure channel to access the cryptographic hash, the signed cryptographic hash being stored in a register in the memory of the computer that is accessible by an outside entity to verify whether the content can be trusted; and
  
  placing the non-halted processor into a known privileged state;
  
  releasing the halted processors after the non-halted processor has been placed into the known privileged state.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28)
- - 21. The method of claim 20, further comprising causing the non-halted processor to jump to a known entry point in the region.
  - 22. The method of claim 21, further comprising causing the halted processors to exit the special halted state so as to release the halted processors after the non-halted processor has been placed into the known privileged state.
  - 23. The method of claim 20, further comprising causing the previously halted processors to begin executing at a known entry point in the region upon exiting the special halted state.
  - 24. The method of claim 20, wherein recording the cryptographic hash comprises:
    - erasing a hash digest area in the memory of the computer;
      
      recording a platform information in the hash digest area, the platform information including a version number of the non-halted processor;
      
      computing the cryptographic hash of the content of the region; and
      
      recording the computed cryptographic hash in the hash digest area.
  - 25. The method claim 24, wherein the hash digest area is a register in the memory of the computer.
  - 26. The method of claim 20, wherein the region is specified in at least one region parameter.
  - 27. The method of claim 26, wherein the at least one region parameter is an address of the region in the memory of the computer that is to be secured.
  - 28. The method of claim 26, wherein the at least one region parameter is a length of the region in the memory of the computer that is to be secured.

29. A method of loading a trustable operating system comprising:
- selecting an area in a memory accessible to a first processor of a plurality of processors the plurality of processors including the first processor and at least one processor;
  
  halting all processors of the plurality of processors except for the first processor from accessing the memory;
  
  loading data into the selected area after the first processor receiving signaling from the at least one processor to indicate that the at least one processor is in a halted state;
  
  registering an identity of the data loaded in the selected area byrecording a unique cryptographic function of the data loaded in the selected area, andsigning the unique cryptographic function with a hash signing engine having a secure channel to access the unique cryptographic function, the signed unique cryptographic function being stored in a register in memory and accessible by an outside entity to verify whether the data is trustworthy;
  
  directing the first processor to commence processing at an entry point in the selected area; and
  
  releasing all of the halted processors and directing the released processors to commence processing at the entry point of the selected area.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36)
- - 30. The method of claim 29, wherein preventing interruption comprises halting any other processors having access to the memory until the selecting, loading, and directing is complete.
  - 31. The method of claim 30, further comprising:
    - causing the other processors to commence processing at an entry point in the selected area.
  - 32. The method of claim 29, wherein selecting comprises receiving a parameter specifying a location of the selected area.
  - 33. The method of claim 32, wherein the location is a range of addresses in memory within which the selected area is located.
  - 34. The method of claim 32, wherein the location comprises a start address and a length of memory within which the area is located.
  - 35. The method of claim 29 wherein the data is a component of an operating system to operate a device in which the memory resides.
  - 36. The method of claim 35, wherein the operating system has a graphical user interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tahoe Research Limited (f/k/a Learndale Limited) (Vector Capital Corporation)
Original Assignee
Intel Corporation
Inventors
Kozuch, Michael A., Grawrock, David, Sutton, James A.
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
GEE, JASON KAI YIN

Application Number

US10/085,839
Publication Number

US 20030163723A1
Time in Patent Office

2,843 Days
Field of Search

713/193
US Class Current

713/193
CPC Class Codes

G06F 2009/45583   Memory management, e.g. acc...

G06F 2009/45587   Isolation or security of vi...

G06F 21/57   Certifying or maintaining t...

G06F 21/575   Secure boot

G06F 9/445   Program loading or initiati...

G06F 9/45533   Hypervisors; Virtual machin...

Method and apparatus for loading a trustable operating system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

242 Citations

36 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for loading a trustable operating system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

242 Citations

36 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others