Secure booting a computing device
Abstract
A method and an apparatus for executing codes embedded inside a device to verify a code image loaded in a memory of the device are described. A code image may be executed after being verified as a trusted code image. The embedded codes may be stored in a secure ROM (read only memory) chip of the device. In one embodiment, the verification of the code image is based on a key stored within the secure ROM chip. The key may be unique to each device. Access to the key may be controlled by the associated secure ROM chip. The device may complete establishing an operating environment subsequent to executing the verified code image.
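The device-local half of this flow (signing a certified image into its header with the ROM key, then checking that header at boot without certificates) is sketched below as an added example, not code from the patent. HMAC-SHA256, the 32-byte header layout, the `SecureRom` class and all sample values are assumptions; signature checks down the certificate chain are not shown, only the root fingerprint anchor.

```python
import hashlib
import hmac
from typing import Optional

HEADER_LEN = 32  # assumed layout: header is one HMAC-SHA256 tag


class SecureRom:
    """Hypothetical model of the ROM contents: root fingerprint + device key."""

    def __init__(self, device_key: bytes, root_fingerprint: bytes):
        self._key = device_key           # per-device, never exposed
        self._root_fp = root_fingerprint

    def root_matches(self, root_cert: bytes) -> bool:
        # Chain anchor: the presented root must hash to the ROM fingerprint.
        digest = hashlib.sha256(root_cert).digest()
        return hmac.compare_digest(digest, self._root_fp)

    def _tag(self, image: bytes) -> bytes:
        return hmac.new(self._key, image, hashlib.sha256).digest()

    def personalize(self, image: bytes, root_cert: bytes) -> bytes:
        """Install time: only a certified image gets a device-bound header."""
        if not self.root_matches(root_cert):
            raise ValueError("root certificate does not match ROM fingerprint")
        return self._tag(image) + image

    def boot_verify(self, stored: bytes) -> Optional[bytes]:
        """Boot time: check the header with the ROM key alone."""
        header, image = stored[:HEADER_LEN], stored[HEADER_LEN:]
        if len(header) == HEADER_LEN and hmac.compare_digest(header, self._tag(image)):
            return image  # verified: caller may execute it
        return None       # refuse to execute


# Constructed sample data, not taken from any real device.
ROOT_CERT = b"constructed root certificate bytes"
IMAGE = b"constructed first-stage loader"
ROOT_FP = hashlib.sha256(ROOT_CERT).digest()


def demo() -> dict:
    rom_a = SecureRom(b"A" * 32, ROOT_FP)
    rom_b = SecureRom(b"B" * 32, ROOT_FP)  # same vendor root, different device key
    stored = rom_a.personalize(IMAGE, ROOT_CERT)
    tampered = stored[:-1] + bytes([stored[-1] ^ 0x01])
    return {
        "same_device": rom_a.boot_verify(stored) == IMAGE,
        "other_device_rejects": rom_b.boot_verify(stored) is None,
        "tamper_rejects": rom_a.boot_verify(tampered) is None,
    }
```

Because the header is bound to the per-device key, a stored image copied from one device fails verification on another even though both trust the same root certificate.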
24 Claims
1. A computer implemented method, comprising:
receiving, by a device, a first code image from a host;
in response to receiving the first code image, executing code stored in a read only memory (ROM) of the device to certify the first code image according to a chain of certificates and based upon a fingerprint of a root certificate stored in the ROM;
deriving, by the device, a signature from the first code image using a key stored within the ROM when the first code image is certified;
signing, by the device, the signature into a first header of the first code image;
loading the first code image into a main memory of the device;
verifying, at the device, the signature in the first header of the loaded first code image using the key stored within the ROM and without using the certificates; and
in response to successfully verifying the signature of the loaded first code image, executing the verified first code image from the main memory of the device.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A machine-readable non-transitory storage medium having instructions, which when executed by a machine, cause a machine to perform a method, the method comprising:
receiving, by a device, a first code image from a host;
in response to receiving the first code image, executing code stored in a read only memory (ROM) of the device to certify the first code image according to a chain of certificates and based upon a fingerprint of a root certificate stored in the ROM;
deriving, by the device, a signature from the first code image using a key stored within the ROM when the first code image is certified;
signing, by the device, the signature as a first header of the first code image;
loading the first code image into a main memory of the device;
verifying, at the device, the signature in the first header of the loaded first code image using a key stored within the ROM and without using the certificates; and
in response to successfully verifying the signature of the loaded first code image, executing the verified first code image from the main memory of the device to establish an operating environment for the device.
Dependent claims: 10, 11, 12, 13, 14, 15, 16, 24
17. An electronic device, comprising:
a read only memory (ROM) to store executable code, a key identifying the electronic device, and a fingerprint of a root certificate;
a mass storage;
a main memory; and
a processor coupled to the ROM, the mass storage, and the main memory, wherein the processor is configured to cause the electronic device
to receive a first code image from a host,
to execute, in response to receiving a first code image, the executable code stored in the ROM to certify the first code image according to a chain of certificates and based upon the fingerprint of the root certificate in the ROM,
to derive a signature from the first code image using the key stored within the ROM when the first code image is certified;
to sign the signature into a first header of the first code image,
to load the first code image from the mass storage into the main memory,
to verify the signature in the first header of the loaded first code image using the key, and
upon successfully verifying the signature of the first code image according to the first header of the first code image without using the certificates, to execute the verified first code image from the main memory to establish an operating environment of the electronic device.
Dependent claims: 18, 19, 20, 21, 22, 23
Specification