Securely recovering a computing device
First Claim
1. A computer implemented method, comprising:
verifying if a first code image is certified in a first booting state of a device for booting the device, the first code image stored in a storage of the device, wherein the device transitions from the first booting state to a second booting state for booting the device if the first code image is certified;
if the first code image is not certified, sending, in a third booting state of the device, to a host over a communication link a status indicating the third booting state of the device, wherein the device transitions from the first booting state to the third booting state for booting the device if the first code image is not certified;
loading, subsequent to the sending of the status, a code image from the host into the device over the communication link in the third booting state of the device, the code image digitally signed by a first signature;
in response to receiving a command to execute the code image from the host over the communication link in the third booting state of the device, determining if the code image is certified by verifying the first signature using a fingerprint embedded within a memory of the device, wherein the device in the third booting state is controlled by the host and wherein the device transitions from the third booting state to the second booting state without reentering the first booting state for booting the device if the code image is certified;
signing a second signature derived from the code image into a header of the code image if the code image is certified according to the first signature;
storing the certified code image including the header signed with the second signature in the storage of the device, the certified code image replacing the first code image in the storage; and
executing the certified code image in the second booting state of the device to establish an operating environment of the device without reentering the first booting state of the device.
Abstract
A method and an apparatus for establishing an operating environment by certifying a code image received from a host over a communication link are described. The code image may be digitally signed through a central authority server. Certification of the code image may be determined by a fingerprint embedded within a secure storage area such as a ROM (read only memory) of the portable device based on a public key certification process. A certified code image may be assigned a hash signature to be stored in a storage of the portable device. An operating environment of the portable device may be established after executing the certified code.
20 Claims

1. Independent claim, reproduced in full under First Claim above. Dependent claims 2, 3, 4, 5, 6 (not reproduced here).

7. A machine-readable non-transitory storage medium having instructions stored therein, which when executed by a machine, cause the machine to perform a method, the method comprising:
verifying if a first code image is certified in a first booting state of a device for booting the device, the first code image stored in a storage of the device, wherein the device transitions from the first booting state to a second booting state for booting the device if the first code image is certified;
if the first code image is not certified, sending, in a third booting state of the device, to a host over a communication link a status indicating the third booting state of the device, wherein the device transitions from the first booting state to the third booting state for booting the device if the first code image is not certified;
loading, subsequent to the sending of the status, a code image from the host into the device over the communication link in the third booting state of the device, the code image digitally signed by a first signature;
in response to receiving a command to execute the code image from the host over the communication link in the third booting state of the device, determining if the code image is certified by verifying the first signature using a fingerprint embedded within a memory of the device, wherein the device in the third booting state is controlled by the host and wherein the device transitions from the third booting state to the second booting state without reentering the first booting state for booting the device if the code image is certified;
signing a second signature derived from the code image into a header of the code image if the code image is certified according to the first signature;
storing the certified code image including the header signed with the second signature in a storage of the device, the certified code image replacing the first code image in the storage; and
executing the certified code image in the second booting state of the device to establish an operating environment of the device without reentering the first booting state of the device.
Dependent claims 8, 9, 10, 11, 12 (not reproduced here).

13. A digital processing system, comprising:
a memory to store a fingerprint embedded therein;
a mass storage;
a main memory loaded with a code image received from a host over a communication link, the code image digitally signed by a first signature; and
a processor coupled to the memory, the mass storage, and the main memory, the processor being configured to
verify if a first code image is certified in a first booting state of the system for booting the system, the first code image stored in the mass storage, wherein the system transitions from the first booting state to a second booting state for booting the system if the first code image is certified;
if the first code image is not certified, send to the host over the communication link a status indicating a third booting state of the system, wherein the system transitions from the first booting state to the third booting state for booting the system if the first code image is not certified,
determine, in response to receiving a command from the host over the communication link in the third booting state of the system, if the code image is certified according to the first signature using the fingerprint, wherein the system is controlled by the host in the third booting state and wherein the system transitions from the third booting state to the second booting state without reentering the first booting state for booting the system if the code image is certified,
sign a second signature derived from the code image into a header of the code image upon successfully verifying the code image according to the first signature,
store the certified code image including the header signed with the second signature in the mass storage, the certified code image replacing the first code image in the mass storage, and
execute, in the second booting state of the system, the verified code image in the main memory to establish an operating environment of the digital processing system without reentering the first booting state of the system.

14. An apparatus, comprising:
means for verifying if a first code image is certified in a first booting state of a device for booting the device, the first code image stored in a storage of the device, wherein the device transitions from the first booting state to a second booting state for booting the device if the first code image is certified;
if the first code image is not certified, means for sending, in a third booting state of the device, to a host over a communication link a status indicating the third booting state of the device, wherein the device transitions from the first booting state to the third booting state for booting the device if the first code image is not certified;
means for loading, subsequent to the sending of the status, a code image from the host into the device over the communication link in the third booting state of the device, the code image digitally signed by a first signature;
means for, in response to receiving a command to execute the code image from the host over the communication link in the third booting state of the device, determining if the code image is certified by verifying the first signature using a fingerprint embedded within ROM (read only memory) of the device, wherein the device in the third booting state is controlled by the host and wherein the device transitions from the third booting state to the second booting state without reentering the first booting state for booting the device if the code image is certified;
means for signing a second signature derived from the code image into a header of the code image if the code image is certified according to the first signature;
means for storing the certified code image including the header signed with the second signature in the storage of the device, the certified code image replacing the first code image in the storage; and
means for executing the certified code image in the second booting state of the device to establish an operating environment of the device without reentering the first booting state of the device.

15. A computer implemented method, comprising:
in response to a failure of loading an executable image of a portable device in a first booting state of the portable device to boot the portable device, transitioning the device from the first booting state to a second booting state as a recovery mode, wherein the device transitions from the first booting state to a third booting state of the portable device if the executable image is successfully loaded and wherein the portable device in the second booting state is controlled by a host coupled to the portable device over a communication link;
communicating with the host via the communication link to signal that the device is in the recovery mode to receive from the host a new executable image corresponding to the failed executable image;
in response to receiving a command at the portable device in the second booting state from the host over the communication link, verifying the new executable image using a digital certificate embedded within a secure ROM of the portable device;
upon successfully verifying the new executable image, transitioning the portable device from the second booting state to the third booting state without reentering the first booting state for booting the portable device;
signing a signature derived from the verified new executable image into a header of the verified new executable image;
executing the verified new executable image in the third booting state of the portable device for booting the portable device without reentering the first booting state of the portable device; and
storing the verified new executable image including the derived signature as the header of the verified new executable image in a mass storage of the portable device, replacing the failed executable image.
Dependent claim 16 (not reproduced here).

17. A computer implemented method, comprising:
in response to successfully authenticating a portable device over a communication link based in part on a unique identifier (ID) embedded within a secure ROM (read-only memory) of the portable device, determining whether the portable device is in a recovery mode as a result of a failure to certify a local code image for initializing an operating environment of the portable device, wherein the determination is based on a status received from the portable device over the communication link, the status indicating a booting state of the portable device for the initialization, wherein the portable device certified the local code image in a previous booting state of the portable device for the initialization, wherein the portable device transitioned from the previous booting state to the booting state via the failure of the certification of the local code image, wherein the portable device includes a next booting state for the initialization, and wherein the portable device is capable of transitioning from the previous booting state to the next booting state if the local code image was successfully certified;
retrieving an executable image from a server over a network, the executable image corresponding to the booting state of the portable device indicated in the status, the executable image being digitally signed by a signature if it is determined that the portable device is in the recovery mode;
delivering the retrieved executable image to the portable device in the booting state for the initialization over the communication link for controlling the portable device; and
sending, subsequent to the delivery of the executable image, a command to execute the executable image over the communication link to the portable device in the booting state, wherein the portable device verifies the signature of the executable image using a digital certificate embedded with the secure ROM, wherein the portable device transitions from the booting state to the next booting state without reentering the previous booting state for the initialization of the operating environment if the executable image is successfully verified, wherein the portable device signs a signature derived from the verified executable image in a header of the verified executable image, wherein the portable device stores the verified executable image including the header signed with the derived signature in a storage of the portable device to replace the local code image in the storage, and wherein the verified executable image is loaded in a main memory of the portable device to establish the operating environment via the booting state of the portable device without reentering the previous booting state of the portable device.
Dependent claim 18 (not reproduced here).

19. A machine-readable non-transitory storage medium having instructions stored therein, which when executed by a machine, cause the machine to perform a method, the method comprising:
in response to successfully authenticating a portable device over a communication link based in part on a unique identifier (ID) embedded within a secure ROM (read-only memory) of the portable device, determining whether the portable device is in a recovery mode as a result of a failure to certify a local code image for initializing an operating environment of the portable device, wherein the determination is based on a status received from the portable device over the communication link, the status indicating a booting state of the portable device for the initialization, wherein the portable device certified the local code image in a previous booting state of the portable device for the initialization, wherein the portable device transitioned from the previous booting state to the booting state via the failure of the certification of the local code image, wherein the portable device includes a next booting state for the initialization, and wherein the portable device is capable of transitioning from the previous booting state to the next booting state if the local code image was successfully certified;
retrieving an executable image from a server over a network, the executable image corresponding to the booting state of the portable device indicated in the status, the executable image being digitally signed by a signature if it is determined that the portable device is in the recovery mode;
delivering the retrieved executable image to the portable device in the booting state for the initialization over the communication link for controlling the portable device; and
sending, subsequent to the delivery of the executable image, a command to execute the executable image over the communication link to the portable device in the booting state, wherein the portable device verifies the signature of the executable image using a digital certificate embedded with the secure ROM, wherein the portable device transitions from the booting state to the next booting state without reentering the previous booting state for the initialization of the operating environment if the executable image is successfully verified, wherein the portable device signs a signature derived from the verified executable image in a header of the verified executable image, wherein the portable device stores the verified executable image including the header signed with the derived signature in a storage of the portable device to replace the local code image in the storage, and wherein the verified executable image is loaded in a main memory of the portable device to establish the operating environment for the portable device via the booting state of the portable device without reentering the previous booting state of the portable device.
Dependent claim 20 (not reproduced here).

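The flow the claims above describe, reduced to runnable code as an added example written for this page; it is not the patent's or any vendor's implementation. The device side follows claims 1 and 15: a first booting state that certifies the image in storage, a third (recovery) state in which the host controls the device, verification of the delivered image's first signature against a fingerprint held in ROM, a second signature written into the header before the image replaces the stored one, and a direct transition to the second (execute) state. The host side follows claim 17: authenticate the device by the unique ID in its ROM, read its status, fetch the image matching that state, deliver it, and command execution. Everything concrete is an assumption: the central-authority signature is textbook RSA on a tiny fixed modulus (a stand-in for a real scheme, not secure), the ROM fingerprint is the SHA-256 of the authority's public key, the second "hash signature" is an HMAC under a per-device key, the server is a dict, and all names (CodeImage, Device, host_recover, demo) are invented for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Central-authority signature: textbook RSA on a tiny fixed modulus (ASSUMPTION, NOT SECURE: no padding).
_P, _Q = (1 << 127) - 1, (1 << 89) - 1   # Mersenne primes M127 and M89, so no primality search is needed
_N, _E = _P * _Q, 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))    # gcd(65537, phi) = 1 for these primes
CA_PUBLIC_KEY = (_N, _E)

def _digest_int(data: bytes) -> int:
    """SHA-256 truncated to 208 bits so the value is always below the 216-bit toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:26], "big")

def ca_sign(payload: bytes) -> bytes:
    """First signature: the central authority signs the code payload."""
    return pow(_digest_int(payload), _D, _N).to_bytes(28, "big")

def pubkey_bytes(pub: tuple) -> bytes:
    # Canonical encoding of (n, e); its SHA-256 is the fingerprint burned into ROM.
    return pub[0].to_bytes(28, "big") + pub[1].to_bytes(4, "big")

@dataclass
class CodeImage:
    # Delivered image. ASSUMPTION: header = pubkey + first_sig + second_sig (empty until certified).
    payload: bytes
    pubkey: tuple
    first_sig: bytes
    second_sig: bytes = b""

@dataclass
class Device:
    rom_fingerprint: bytes               # SHA-256 of the CA public key, held in ROM
    rom_uid: bytes                       # unique ID in secure ROM, checked by the host (claim 17)
    device_key: bytes                    # ASSUMPTION: per-device secret behind the second signature
    storage: Optional[CodeImage] = None  # mass storage holding the local image
    staged: Optional[CodeImage] = None   # main memory: image loaded from the host
    state: str = "first"                 # first / second / third booting state, named as in the claims

    def _second_sig(self, img: CodeImage) -> bytes:
        # "Derived from the code image": keyed hash over payload and first signature, bound to this device.
        return hmac.new(self.device_key, img.payload + img.first_sig, "sha256").digest()

    def _first_sig_ok(self, img: CodeImage) -> bool:
        # The delivered key must hash to the ROM fingerprint before its signature counts for anything.
        if hashlib.sha256(pubkey_bytes(img.pubkey)).digest() != self.rom_fingerprint:
            return False
        n, e = img.pubkey
        return pow(int.from_bytes(img.first_sig, "big"), e, n) == _digest_int(img.payload)

    def boot(self) -> str:
        # First booting state: certify the stored image by its second signature (ASSUMPTION: the fast path).
        self.state = "first"
        img = self.storage
        if img is not None and hmac.compare_digest(img.second_sig, self._second_sig(img)):
            self.state = "second"
            return "running:" + img.payload.decode()
        self.state = "third"             # recovery mode: from here the host drives the device
        return "recovery"

    def load(self, img: CodeImage) -> None:
        if self.state != "third":
            raise RuntimeError("images are only accepted in the third (recovery) state")
        self.staged = img

    def execute_command(self) -> str:
        # Host's execute command: verify the first signature, sign the second into the header,
        # replace the stored image and enter the second state without re-entering the first.
        if self.state != "third" or self.staged is None or not self._first_sig_ok(self.staged):
            return "rejected"            # stay in recovery; storage is untouched
        certified = CodeImage(self.staged.payload, self.staged.pubkey, self.staged.first_sig)
        certified.second_sig = self._second_sig(certified)
        self.storage = certified
        self.state = "second"
        return "running:" + certified.payload.decode()

def host_recover(device: Device, known_uids: set, server_images: dict) -> str:
    """Host side (claim 17); server_images stands in for the network server (constructed data)."""
    if device.rom_uid not in known_uids:  # authenticate the device by its ROM unique ID
        return "unauthenticated"
    if device.state != "third":           # status received from the device
        return "not in recovery"
    device.load(server_images[device.state])   # deliver the signed image for that state
    return device.execute_command()            # then command the device to execute it

def demo() -> dict:
    uid = b"\x11" * 8
    fingerprint = hashlib.sha256(pubkey_bytes(CA_PUBLIC_KEY)).digest()
    good = CodeImage(b"os-v2", CA_PUBLIC_KEY, ca_sign(b"os-v2"))
    bad = CodeImage(b"os-evil", CA_PUBLIC_KEY, ca_sign(b"os-v2"))  # payload swapped after signing
    dev = Device(fingerprint, uid, device_key=b"per-device-secret")
    out = {"empty_boot": dev.boot()}                                 # nothing stored -> recovery
    out["unknown_host"] = host_recover(dev, set(), {"third": good})  # host fails to authenticate device
    out["tampered"] = host_recover(dev, {uid}, {"third": bad})       # first signature fails
    out["state_after_tamper"] = dev.state
    out["recovered"] = host_recover(dev, {uid}, {"third": good})
    out["reboot"] = dev.boot()                                       # fast path via second signature
    dev.storage.payload = b"os-v2!"                                  # corrupt the stored image
    out["corrupt_boot"] = dev.boot()
    return out
```

Running demo() walks the failure paths a reviewer would want covered: an empty or corrupted storage sends the device into the third state, an image whose payload was altered after signing is rejected and leaves storage and state untouched, a host that cannot authenticate the device by its ROM ID delivers nothing, and once an image has been certified its device-keyed second signature carries subsequent boots without repeating the public-key check. A device whose ROM fingerprint does not match the key in the image header rejects the image even when the signature itself is valid, which is the property that makes the ROM, not the host, the root of trust.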
Specification