Enhancing security of a system via access by an embedded controller to a secure storage device

US 7,917,741 B2
Filed: 04/10/2007
Issued: 03/29/2011
Est. Priority Date: 04/10/2007
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a host processor and memory;

an embedded microcontroller coupled to the host processor;

an auxiliary memory coupled to the embedded microcontroller, wherein the auxiliary memory stores program instructions for verifying system security; and

one or more pre-boot security components coupled to the embedded microcontroller;

wherein upon power-up, but before host processor boot-up, the embedded microcontroller is operable to;

execute the program instructions to verify system security using the one or more pre-boot security components; and

if system security is verified, permit the host processor to be booted;

wherein the embedded microcontroller is further configured to execute the program instructions to;

invoke one or more defensive measures if system security cannot be verified; and

control access to one or more devices coupled to the system, and wherein the one or more defensive measures comprises blocking access to the one or more devices; and

wherein at least one of the one or more pre-boot security components comprises a trusted platform module (TPM), wherein the one or more devices comprises at least one other of the one or more pre-boot security components, and wherein, to verify system security using the one or more pre-boot security components, the embedded microcontroller is configured to execute the program instructions to verify access rights using the TPM.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System and method for performing pre-boot security verification in a system that includes a host processor and memory, an embedded microcontroller with an auxiliary memory, e.g., an on-chip ROM, or memory controlled to prohibit user-tampering with the contents of the memory, and one or more pre-boot security components coupled to the embedded microcontroller. Upon power-up, but before host processor boot-up, the embedded microcontroller accesses the auxiliary memory and executes the program instructions to verify system security using the one or more pre-boot security components. The one or more pre-boot security components includes at least one identity verification component, e.g., a smart card, or a biometric sensor, e.g., a fingerprint sensor, a retinal scanner, and/or a voiceprint sensor, etc., and/or at least one system verification component, e.g., TPM, to query the system for system state information, and verify that the system has not been compromised.

37 Citations

View as Search Results

14 Claims

1. A system, comprising:
- a host processor and memory;
  
  an embedded microcontroller coupled to the host processor;
  
  an auxiliary memory coupled to the embedded microcontroller, wherein the auxiliary memory stores program instructions for verifying system security; and
  
  one or more pre-boot security components coupled to the embedded microcontroller;
  
  wherein upon power-up, but before host processor boot-up, the embedded microcontroller is operable to;
  
  execute the program instructions to verify system security using the one or more pre-boot security components; and
  
  if system security is verified, permit the host processor to be booted;
  
  wherein the embedded microcontroller is further configured to execute the program instructions to;
  
  invoke one or more defensive measures if system security cannot be verified; and
  
  control access to one or more devices coupled to the system, and wherein the one or more defensive measures comprises blocking access to the one or more devices; and
  
  wherein at least one of the one or more pre-boot security components comprises a trusted platform module (TPM), wherein the one or more devices comprises at least one other of the one or more pre-boot security components, and wherein, to verify system security using the one or more pre-boot security components, the embedded microcontroller is configured to execute the program instructions to verify access rights using the TPM.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1,wherein the one or more pre-boot security components comprise at least one identity verification component;
    - wherein, to verify system security using the one or more pre-boot security components, the program instructions are executable by the embedded microcontroller to invoke the at least one identity verification component to;
      
      receive identification information from a user; and
      
      verify that the user is authorized to use the system.
  - 3. The system of claim 2, wherein the at least one identity verification component comprises one or more of:
    - a smart card;
      
      a TPM (Trusted Platform Module);
      
      orat least one biometric sensor.
  - 4. The system of claim 3, wherein the at least one biometric sensor comprises one or more of:
    - a fingerprint sensor;
      
      a retinal scanner;
      
      ora voiceprint sensor.
  - 5. The system of claim 1, wherein the one or more pre-boot security components comprise at least one system verification component;
    - wherein, to verify system security using the one or more pre-boot security components, the program instructions are executable by the embedded microcontroller to invoke the at least one system verification component to;
      
      query the system for system state information; and
      
      verify that the system has not been compromised.
  - 6. The system of claim 5, wherein to verify that the system has not been compromised, the program instructions are executable by the embedded microcontroller to compare the system state information queried by the at least one system verification component with reference system state information.
  - 7. The system of claim 5, wherein the at least one system verification component comprises a TPM (Trusted Platform Module).
  - 8. The system of claim 1, wherein the auxiliary memory comprises a ROM.
  - 9. The system of claim 1, wherein the auxiliary memory comprises a memory protected by hardware to implement one-time writable memory.
  - 10. The system of claim 1, wherein the one or more defensive measures comprises:
    - preventing user access to the system.
  - 11. The system of claim 10, wherein said preventing user access to the system comprises one or more of:
    - preventing the host processor from booting by blocking access to a BIOS;
      
      shutting down a power supply to the system.
  - 12. The system of claim 1, wherein the one or more defensive measures comprises:
    - alerting an external system coupled to the system.
  - 13. The system of claim 1,wherein the one or more pre-boot security components comprise a global positioning system (GPS);
    - andwherein, to verify system security using the one or more pre-boot security components, the program instructions are executable by the embedded microcontroller to;
      
      invoke the GPS to determine the location of the system; and
      
      verify that the system is at an authorized location.

14. A method for verifying security in a computer system comprising a host processor and memory, the method comprising:
- upon power-up, but before host processor boot-up, an embedded microcontroller coupled to the host processor and memory accessing an auxiliary memory that stores program instructions for verifying system security, and executing the program instructions to verify system security using one or more pre-boot security components coupled to the embedded microcontroller;
  
  if system security is verified, invoking boot-up of the host processor;
  
  if system security cannot be verified, invoking one or more defensive measures; and
  
  controlling access to one or more devices coupled to the system, wherein the one or more defensive measures comprises blocking access to the one or more devices;
  
  wherein at least one of the one or more pre-boot security components comprises a trusted platform module (TPM), wherein the one or more devices comprises at least one other of the one or more pre-boot security components, and wherein executing the program instructions to verify system security using the one or more pre-boot security components comprises executing the program instructions verify access rights using the TPM.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microchip Technology Incorporated
Original Assignee
Standard Microsystems Corporation (Microchip Technology Incorporated)
Inventors
Weiss, Raphael, Wahler, Richard E., Berenbaum, Alan D., Dutton, Drew J.
Primary Examiner(s)
Bae, Ji H

Application Number

US11/733,599
Publication Number

US 20090327678A1
Time in Patent Office

1,449 Days
Field of Search

713/1, 713/2, 713/100, 713/186, 713/194, 726/2, 726/28, 726/34
US Class Current

713/1
CPC Class Codes

G06F 21/575 Secure boot

Enhancing security of a system via access by an embedded controller to a secure storage device

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Enhancing security of a system via access by an embedded controller to a secure storage device

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links