Method for ensuring boot source integrity of a computing system

US 7,769,993 B2
Filed: 03/09/2007
Issued: 08/03/2010
Est. Priority Date: 03/09/2007
Status: Active Grant

First Claim

Patent Images

1. A boot module for use in enforcing booting from a designated memory, the boot module comprising:

a processor;

a memory storing instructions executable by the processor and data corresponding to an authorized boot sequence;

a plurality ports coupled to the processor for monitoring a corresponding plurality of communication busses including a first bus for carrying signals related to a boot operation from an authorized location, and one or more additional busses capable of carrying signals related to a boot operation from an unauthorized location; and

an output operable to disrupt operation of a computer when a boot operation from the unauthorized location is detected.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security circuit in a computer monitors data busses that support memory capable of booting the computer during the computer reset/boot cycle. When activity oil one of the data busses indicates the computer is booting from a non-authorized memory location, the security circuit disrupts the computer, for example, by causing a reset. Execution from the non-authorized memory location may occur when an initial jump address at a known location, such as the top of memory, is re-programmed to a memory location having a rogue BIOS program.

Citations

19 Claims

1. A boot module for use in enforcing booting from a designated memory, the boot module comprising:
- a processor;
  
  a memory storing instructions executable by the processor and data corresponding to an authorized boot sequence;
  
  a plurality ports coupled to the processor for monitoring a corresponding plurality of communication busses including a first bus for carrying signals related to a boot operation from an authorized location, and one or more additional busses capable of carrying signals related to a boot operation from an unauthorized location; and
  
  an output operable to disrupt operation of a computer when a boot operation from the unauthorized location is detected.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The boot module of claim 1, wherein the data corresponding to an authorized boot sequence is basic input/output system software.
  - 3. The boot module of claim 1, further comprising a serial peripheral interface (SPI) bus interface coupled to the memory.
  - 4. The boot module of claim 3, further comprising a coupling allowing the processor to monitor the SPI bus interface.
  - 5. The boot module of claim 1, wherein at least one port of said plurality of ports is coupled to a serial peripheral interface (SPI) bus.
  - 6. The boot module of claim 1, wherein at least one port of said plurality of ports is coupled to a low pin count (LPC) bus.
  - 7. The boot module of claim 1, wherein at least one port of said plurality of ports is coupled to a peripheral component interconnect (PCI/PCIe/PCI-X) bus.
  - 8. The boot module of claim 1, wherein at least one port of said plurality of ports is coupled to a general purpose input/output (GPIO) bus.

9. A method of preventing a boot cycle in a computer from other than a designated memory comprising:
- designating a first memory to support an authorized boot cycle;
  
  monitoring a data bus coupled to a second memory capable of supporting the boot cycle but unauthorized to execute the boot cycle;
  
  determining when the boot cycle is being executed from the second memory; and
  
  interrupting the boot cycle when the boot cycle is being executed from the second memory.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9, wherein monitoring the data bus comprises monitoring a low pin count (LPC) bus.
  - 11. The method of claim 9, wherein monitoring the data bus comprises monitoring a serial peripheral interface (SPI) bus.
  - 12. The method of claim 9, wherein monitoring the data bus comprises monitoring a peripheral component interconnect (PCI/PCIe/PCI-X) bus.
  - 13. The method of claim 9, wherein monitoring the data bus comprises monitoring a serial peripheral interface (SPI) bus.
  - 14. The method of claim 9, wherein interrupting the computer boot cycle comprises causing the computer to reset.

15. A computer arranged and adapted to support booting from a known memory containing an authorized basic input/output system (BIOS) code, the computer comprising:
- a first processor;
  
  a plurality memory devices, each coupled to a respective data bus; and
  
  a security circuit coupled to at least one of the respective data busses, the security circuit comprising;
  
  a second processor;
  
  a memory coupled to the second processor;
  
  a plurality of ports coupled to the second processor and the respective data busses whereby the second processor monitors the respective data busses; and
  
  an output that causes a disruption in an operation of the computer responsive to a signal from the second processor when the second processor detects signals on one of the data busses relating to a boot operation from a non-authorized one of the plurality of memory devices.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer of claim 15, wherein the security circuit further comprises one of the plurality of memory devices that stores an authorized basic input/output system (BIOS) program.
  - 17. The computer of claim 15, wherein the security circuit is coupled to a serial peripheral interface (SPI) bus.
  - 18. The computer of claim 15, wherein the respective data busses comprise a low pin count (LPC) bus, serial peripheral interface (SPI) bus, a peripheral component interconnect (PCI/PCIe/PCI-X) bus, and a a general purpose input/output (GPIO) bus.
  - 19. The computer of claim 15, wherein the output of the security circuit forces the computer into a reset cycle to cause a disruption in the operation of the computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Carpenter, Todd L., Westerinen, William J.
Primary Examiner(s)
Cao; Chun

Application Number

US11/684,312
Publication Number

US 20080222407A1
Time in Patent Office

1,243 Days
Field of Search

713/2, 713/194, 726/4, 726/23, 726/21
US Class Current

713/2
CPC Class Codes

G06F 21/575 Secure boot

Method for ensuring boot source integrity of a computing system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method for ensuring boot source integrity of a computing system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links