Secure and automatic provisioning of computer systems having embedded network devices

US 7,831,997 B2
Filed: 06/22/2006
Issued: 11/09/2010
Est. Priority Date: 06/22/2006
Status: Active Grant

First Claim

Patent Images

1. A provisioning mechanism for computer systems comprising:

a computer platform having an in-band platform processor and an out-of-band (OOB) controller, a storage media, and a network interface, the storage media having a protected area only accessible to the controller, wherein initially booting up the computer platform causes the controller to;

automatically connect to a corporate DHCP (Dynamic Host Configuration Protocol) server to obtain an IP (Internet Protocol) address and a domain name;

concatenate the domain name with a pre-defined host name to obtain a FQDN (Fully Qualified Domain Name) for a provisioning server;

establish a TCP connection to the provisioning server using the FQDN to open a secure session;

validate a server certificate chain received from the provisioning server; and

if the server certificate chain is validated,open a secure and encrypted session and attempt to login to the provisioning server, wherein if corporate security policy grants access to the computer platform, receive provisioning configuration data over a secured and encrypted channel,wherein the OOB controller is able to communicate when the in-band platform processor is not active.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A provisioning method and mechanism for computer systems having embedded network devices. After an initial boot-up of a computer platform, an out-of-band (OOB) controller automatically connects to a corporate DHCP (Dynamic Host Configuration Protocol) server to obtain an IP (Internet Protocol) address and a domain name in which the computer platform is running. The domain name is concatenated with a pre-defined host name to obtain a FQDN (Fully Qualified Domain Name) for a provisioning server. The OOB controller then establishes a TCP connection to the provisioning server. A server certificate chain received from the provisioning server is validated. An attempt to login to the provisioning server is made. If corporate security policy dictates granting access to the computer platform, then provisioning configuration data is received over a secure and encrypted channel.

79 Citations

View as Search Results

54 Claims

1. A provisioning mechanism for computer systems comprising:
- a computer platform having an in-band platform processor and an out-of-band (OOB) controller, a storage media, and a network interface, the storage media having a protected area only accessible to the controller, wherein initially booting up the computer platform causes the controller to;
  
  automatically connect to a corporate DHCP (Dynamic Host Configuration Protocol) server to obtain an IP (Internet Protocol) address and a domain name;
  
  concatenate the domain name with a pre-defined host name to obtain a FQDN (Fully Qualified Domain Name) for a provisioning server;
  
  establish a TCP connection to the provisioning server using the FQDN to open a secure session;
  
  validate a server certificate chain received from the provisioning server; and
  
  if the server certificate chain is validated,open a secure and encrypted session and attempt to login to the provisioning server, wherein if corporate security policy grants access to the computer platform, receive provisioning configuration data over a secured and encrypted channel,wherein the OOB controller is able to communicate when the in-band platform processor is not active.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The provisioning mechanism of claim 1, wherein to automatically connect to a corporate DHCP server to obtain an IP address and domain name includes to automatically send a request to the DHCP server for the IP address;
    - to sniff for additional information, and to receive a reply from the DHCP server containing the IP address and additional information, including the domain name.
  - 3. The provisioning mechanism of claim 1, wherein a 3^rd-Party Root of Trust vendor list is incorporated into the protected area of the storage media prior to the initial boot-up of the computer platform, wherein to validate a server certificate chain comprises to check the server certificate chain'"'"'s root certificate for an internal match with one of the 3^rdParty Root of Trust vendors from the 3^rdParty Root of Trust vendor list incorporated on the storage media and to determine that a leaf certificate of the certificate chain has been issued to the provisioning server.
  - 4. The provisioning mechanism of claim 1, wherein to open a secure session comprises to open a TLS (Transport Layer security) session and wherein to validate a server certificate chain comprises to validate a TLS server certificate chain signed by a 3^rdParty Root of Trust.
  - 5. The provisioning mechanism of claim 1, wherein to open a secure and encrypted session comprises to open an HTTPS (Secure HTTP (HyperText Transport Protocol)) session.
  - 6. The provisioning mechanism of claim 1, further comprising a corporate asset database, wherein an IT technician or end-user to register unique information about the computer platform in the corporate asset database prior to the initial boot-up of the computer platform, the unique information comprising a serial number and a platform universally unique identifier (UUID).
  - 7. The provisioning mechanism of claim 6, wherein to attempt to login to the provisioning server comprises to attempt to login to the provisioning server using the UUID of the computer platform as an identification user password pair.
  - 8. The provisioning mechanism of claim 7, wherein the corporate security policy to grant access to the computer platform comprises to grant access to the computer platform when the UUID received at login matches the UUID in the corporate asset database when the computer platform was registered.
  - 9. The provisioning mechanism of claim 1, further comprising an isolated network to perform provisioning of the computer platform, wherein the corporate security policy to grant immediate access to the computer platform to receive the provisioning configuration data over the isolated network.
  - 10. The provisioning mechanism of claim 1, wherein the corporate security policy to grant access to the computer platform comprises to deny immediate access to the provisioning server until login with the shared secret information is entered manually.
  - 11. The provisioning mechanism of claim 1, wherein if the server certificate chain was unable to be validated, the controller to disconnect from the provisioning server, wherein the computer platform to be manually provisioned.
  - 12. The provisioning mechanism of claim 1, wherein the storage media comprises a flash memory or any other non-volatile storage media.
  - 13. The provisioning mechanism of claim 1, wherein to validate a server certificate chain received from the provisioning server includes to verify that the certificate chain is issued to the owner of the FQDN.
  - 14. The provisioning mechanism of claim 1, wherein the storage media further comprising a protected area only accessible to the controller.

15. A provisioning method for computer systems having embedded networked devices comprising:
- on initial boot-up of a computer platform,connecting, via an out-of-band controller that is in the platform and distinct from man in-band platform processor, to a corporate DHCP (Dynamic Host Configuration Protocol) server to obtain an IP (Internet Protocol) address and a domain name in which the computer platform is running;
  
  concatenating the domain name with a predefined host name to obtain a FQDN (Fully Qualified Domain Name) for a provisioning server;
  
  establishing, via the controller, a TCP connection to the provisioning server;
  
  validating a server certificate chain received from the provisioning server; and
  
  attempting to login to the provisioning server, wherein if corporate security policy dictates granting access to the computer platform, receiving provisioning configuration data over a secure and encrypted channel, wherein the OOB controller is able to communicate when the in-band platform processor is not active.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The provisioning method of claim 15, wherein connecting to a corporate DHCP server to obtain an IP address and domain name comprises:
    - sending a request for an IP address to the DHCP server;
      
      receiving a reply containing the IP address; and
      
      sniffing for additional information; and
      
      receiving additional information, including the domain name.
  - 17. The provisioning method of claim 15, wherein a 3^rdParty Root of Trust vendor list is incorporated into a protected area of the storage media in communication with the controller prior to the initial boot-up of the computer platform, wherein validating a server certificate chain comprises checking the server certificate chain'"'"'s root certificate for an internal match with one of the 3^rdParty Root of Trust vendors from the 3^rdParty Root of Trust vendor list incorporated on the storage media.
  - 18. The provisioning method of claim 17, wherein the storage media comprises a flash memory or any other non-volatile storage device.
  - 19. The provisioning method of claim 15, wherein establishing a connection to the provisioning server further comprises opening a secure session.
  - 20. The provisioning method of claim 19, wherein opening a secure session comprises opening a TLS (Transport Layer Security) session and wherein validating a server certificate comprises validating a TLS server certificate.
  - 21. The provisioning method of claim 15, wherein validating a server certificate comprises validating the certificate chain'"'"'s root certificate against a 3^rdParty Root of Trust vendor list that was incorporated into a system flash of the computer platform prior to the initial boot-up and determining that a leaf certificate of the certificate chain has been issued to the provisioning server.
  - 22. The provisioning method of claim 15, wherein attempting to login to the provisioning server comprises opening and HTTPS (Secure HTTP (HyperText Transport Protocol)) session and trying to login to provisioning server.
  - 23. The provisioning method of claim 15, further comprising registering the computer platform and storing unique information about the computer platform and a corporate asset database, wherein the unique information comprises a serial number and a platform universally unique identifier (UUID).
  - 24. The provisioning method of claim 23, wherein attempting to login to the provisioning server comprises attempting to login to the provisioning server using the UUID of the computer platform as an identification user password pair.
  - 25. The provisioning method of claim 23, wherein corporate security policy dictates granting access to the computer platform if the incoming UUID is validated with a value of the UUID in the corporate asset database.
  - 26. The provisioning method of claim 15, wherein corporate security policy dictates immediately granting access to the computer platform when an isolated network is used for provisioning.
  - 27. The provisioning method of claim 15, wherein corporate security policy granting access to the computer platform comprises denying immediate access to the provisioning server until login with shared secret information is entered manually.
  - 28. The provisioning method of claim 15, wherein if the provisioning server is unable to be validated, disconnecting from the provisioning server and manually performing provisioning of the computer platform.

29. A method for provisioning a computer system having an embedded networked devices comprising:
- after a TCP connection has been established with an out-of-band (OOB) controller of a computer platform for provisioning, sending a server certificate chain to be validated;
  
  if the server certificate chain is validated, receiving a login request over a secure and encrypted channel from the OOB controller;
  
  determining whether to grant access to the OOB controller based on corporate security-based policy; and
  
  if access is granted, automatically sending provisioning data to the OOB controller over the secure and encrypted channel,wherein the OOB controller is able to communicate when an in-band platform processor in the computer platform is inactive.
- View Dependent Claims (30, 31, 32, 33, 34)
- - 30. The method of claim 29, wherein corporate security-based policy dictates that access be immediately granted to the OOB controller when an isolated network is used for provisioning.
  - 31. The method of claim 29, wherein corporate security-based policy dictates that access be granted to the OOB controller when a UUID (universally unique identifier), received from the OOB controller during the login, is validated against a value for the UUID placed in a corporate asset database during registration of the computer platform.
  - 32. The method of claim 29, wherein corporate security policy granting access to the computer platform comprises denying immediate access to the provisioning server until login with shared secret information is entered manually.
  - 33. The method of claim 29, wherein sending a server certificate chain to be validated comprises sending a TLS (Transport Layer Security) server certificate during a TLS session.
  - 34. The method of claim 29, wherein a secure and encrypted session comprises and HTTPS (Secure HTTP (HyperText Transport Protocol)) session, and a secure and encrypted channel comprises an HTTPS channel.

35. An article comprising:
- a storage device having a plurality of machine accessible instructions, wherein when the instructions are executed by a processor, the instructions provided for on initial boot-up of a computer platform,connecting, via an out-of-band controller, distinct from an in-band platform processor in the computer platform, to a corporate DHCP (Dynamic Host Configuration Protocol) server to obtain an IP (Internet Protocol) address and a domain name in which the computer platform is running;
  
  concatenating the domain name with a pre-defined host name to obtain a FQDN (Fully Qualified Domain Name) for a provisioning server;
  
  establishing, via the OOB controller, a TCP connection to the provisioning server;
  
  validating a server certificate chain received from the provisioning server; and
  
  attempting to login to the provisioning server, wherein if corporate security policy dictates granting access to the computer platform, receiving provisioning configuration data over a secure and encrypted channel, wherein the OOB controller is able to communicate when the in-band platform processor is inactive.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48)
- - 36. The article of claim 35, wherein the instructions for connecting to a corporate DHCP server to obtain an IP address and domain name comprises instructions for:
    - sending a request for an IP address to the DHCP server;
      
      receiving a reply containing the IP address; and
      
      sniffing for additional information; and
      
      receiving additional information, including the domain name.
  - 37. The article of claim 35, wherein a 3^rdParty Root of Trust vendor list is incorporated into a protected area of the storage media in communication with the controller prior to the initial boot-up of the computer platform, wherein validating a server certificate chain comprises instructions for checking the server certificate chain'"'"'s root certificate for an internal match with one of the 3^rdParty Root of Trust vendors from the 3^rdParty Root of Trust vendor list incorporated on the storage media.
  - 38. The article of claim 37, wherein the storage media comprises a flash memory or any other non-volatile memory device.
  - 39. The article of claim 35, wherein the instructions for establishing a connection to the provisioning server further comprises instructions for opening a secure session.
  - 40. The article of claim 39, wherein the instructions for opening a secure session comprises instructions for opening a TLS (Transport Layer Security) session and wherein instructions for validating a server certificate comprises instructions for validating a TLS server certificate.
  - 41. The article of claim 35, wherein the instructions for validating a server certificate comprises instructions for validating the certificate chain'"'"'s root certificate against a 3^rdParty Root of Trust vendor list that was incorporated into a system flash of the computer platform prior to the initial boot-up and determining that a leaf certificate of the certificate chain has been issued to the provisioning server.
  - 42. The article of claim 35, wherein the instructions for attempting to login to the provisioning server comprises instructions for opening an HTTPS (Secure HTTP (HyperText Transport Protocol)) session and trying to login to provisioning server.
  - 43. The article of claim 35, further comprising instructions for registering the computer platform and storing unique information about the computer platform and a corporate asset database, wherein the unique information comprises a serial number and a platform universally unique identifier (UUID).
  - 44. The article of claim 43, wherein instructions for attempting to login to the provisioning server comprises instructions for attempting to login to the provisioning server using the UUID of the computer platform as an identification user password pair.
  - 45. The article of claim 43, wherein corporate security policy dictates granting access to the computer platform if the incoming UUID is validated with a value of the UUID in the corporate asset database.
  - 46. The article of claim 35, wherein corporate security policy dictates immediately granting access to the computer platform when an isolated network is used for provisioning.
  - 47. The article of claim 35, wherein corporate security policy granting access to the computer platform comprises instructions for denying immediate access to the provisioning server until login with shared secret information is entered manually.
  - 48. The article of claim 35, wherein if the provisioning server is unable to be validated, further comprising instructions for disconnecting from the provisioning server and manually performing provisioning of the computer platform.

49. An article comprising:
- a storage device having a plurality of machine accessible instructions, wherein the instructions are executed by a processor, the instructions provide for after a TCP connection has been established with an out-of-band (OOB) controller of the computer platform for provisioning, sending a server certificate chain to be validated;
  
  if the server certificate chain is validated, receiving a login request over secure and encrypted channel from the OOB controller;
  
  determining whether to grant access to the OOB controller based on corporate security-based policy; and
  
  if access is granted, automatically sending provisioning data to the OOB controller over the secure and encrypted channel, wherein the processor is able to communicate with the OOB controller when an in-band platform processor on the computer platform is inactive.
- View Dependent Claims (50, 51, 52, 53, 54)
- - 50. The article of claim 49, wherein corporate security-based policy dictates that access be immediately granted to the OB controller when an isolated network is used for provisioning.
  - 51. The article of claim 49, wherein corporate security-based policy dictates that access be granted to the OOB controller when a UUID (universally unique identifier), received from the OOB controller during the login, is validated against a value for the UUID placed in a corporate asset database during registration of the computer platform.
  - 52. The article of claim 49, wherein corporate security policy granting access to the computer platform comprises instructions for denying immediate access to the provisioning server until login with shared secret information is entered manually.
  - 53. The article of claim 49, wherein the instructions for sending a server certificate chain to be validated comprises instructions for sending a TLS (Transport Layer Security) server certificate during a TLS session.
  - 54. The article of claim 49, wherein a secure and encrypted session comprises an HTTPS (Secure HTTP (HyperText Transport Protocol)) session, and a secure and encrypted channel comprises an HTTPS channel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Valenci, Moshe, Eldar, Avigdor
Primary Examiner(s)
Revak; Christopher A
Assistant Examiner(s)
Almamun; Abdullah

Application Number

US11/473,593
Publication Number

US 20070297396A1
Time in Patent Office

1,601 Days
Field of Search

713/201, 726/4, 726/5
US Class Current

726/3
CPC Class Codes

H04L 63/08 for authentication of entit...

H04L 63/168 above the transport layer

Secure and automatic provisioning of computer systems having embedded network devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

79 Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

Secure and automatic provisioning of computer systems having embedded network devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links