Pre-boot recovery of a locked computer system

US 8,296,554 B2
Filed: 12/30/2008
Issued: 10/23/2012
Est. Priority Date: 12/30/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

determining, by a basic input/output system (BIOS) of a computer system, on pre-boot, whether a removable storage device is attached to the computer system, wherein the computer system comprises a host operating environment and a manageability engine (ME) that operates independent of the host operating environment to recover the computer system on authentication;

determining, by the BIOS, whether the computer system is in a locked state;

if the removable storage device is detected, transferring, by the BIOS, control to a pre-boot authentication (PBA) module stored on the removable storage device to interact with the ME to restore the computer system from the locked state to an unlocked state; and

if the removable storage device is not detected, shutting down the computer system by the BIOS if the computer system is determined by the BIOS to be in the locked state by querying the ME and no other PBA module to restore the computer system from the locked state to the unlocked state is detected by the BIOS.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present disclosure provide methods, apparatuses, articles, and removable storage devices for pre-boot recovery of a locked computer system. In one instance, the method includes determining on pre-boot whether a removable storage device is attached to a computer system, determining whether the computer system is in a locked state and, if the removable storage device is detected, transferring control to a pre-boot authentication module (PBA) stored on the removable storage device to interact with a manageability engine to restore the computer system from the locked state to an unlocked state. If the removable storage device is not detected, the computer system shuts down if the system is determined to be in the locked state and no other PBA is detected. The computer system comprises a host operating environment and a manageability engine that operates independent of the host operating environment. Other embodiments may also be described and claimed.

13 Citations

View as Search Results

25 Claims

1. A method comprising:
- determining, by a basic input/output system (BIOS) of a computer system, on pre-boot, whether a removable storage device is attached to the computer system, wherein the computer system comprises a host operating environment and a manageability engine (ME) that operates independent of the host operating environment to recover the computer system on authentication;
  
  determining, by the BIOS, whether the computer system is in a locked state;
  
  if the removable storage device is detected, transferring, by the BIOS, control to a pre-boot authentication (PBA) module stored on the removable storage device to interact with the ME to restore the computer system from the locked state to an unlocked state; and
  
  if the removable storage device is not detected, shutting down the computer system by the BIOS if the computer system is determined by the BIOS to be in the locked state by querying the ME and no other PBA module to restore the computer system from the locked state to the unlocked state is detected by the BIOS.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - determining, by the PBA module, upon being transferred control, whether the computer system is in the locked state.
  - 3. The method of claim 2, further comprising:
    - on determining that the computer system is in the locked state, restoring, by the ME and the PBA module, the computer system from the locked state to the unlocked state.
  - 4. The method of claim 3, wherein restoring the computer system from the locked state to the unlocked state comprises:
    - prompting a user to provide authentication credentials to the ME via the PBA module.
  - 5. The method of claim 4, wherein the ME requires a public or private key for communication and wherein the PBA module comprises the public key or the private key to communicate with the ME.
  - 6. The method of claim 4, wherein prompting the user to provide the authentication credentials comprises:
    - prompting the user for a server-generated pass phrase to restore the computer system from the locked state to the unlocked state.
  - 7. The method of claim 1, wherein the BIOS transferring control to the PBA module stored on the removable storage device further comprises the BIOS booting the computer system from a bootable environment stored on the removable storage device.

8. An apparatus comprising:
- a host operating environment;
  
  a manageability engine (ME) coupled to the host operating environment, but configured to operate independent of the host operating environment, the ME equipped to disable the apparatus on detection of a condition, and to re-enable the apparatus on authentication;
  
  a peripheral interface configured to enable a removable storage device to be attached to the apparatus; and
  
  a basic input/output system (BIOS) operatively coupled to the host operating environment, the ME, and the peripheral interface, and configured to determine, on pre-boot, whether a removable storage device is attached to the peripheral interface, to transfer control, on detection of a removable storage device attached to the peripheral interface, to a pre-boot authentication (PBA) module stored on the removable storage device to interact with the ME to restore the apparatus from a disabled state to a re-enabled state, and to shut clown the apparatus when the apparatus is disabled by the ME and no PBA module is detected by the BIOS.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The apparatus of claim 8, wherein the peripheral interface comprises a universal serial bus (USB).
  - 10. The apparatus of claim 8, further comprising:
    - a central processing unit (CPU) configured to run the host operating environment and the BIOS; and
      
      an embedded processor configured to run the ME.
  - 11. The apparatus of claim 8, further comprising:
    - another pre-boot authentication (PBA) module locally disposed on the apparatus and operatively coupled with the BIOS, the host environment, and the ME, to interact with the ME to restore the apparatus from the disabled state to the re-enabled state.
  - 12. The apparatus of claim 8, wherein the BIOS is further configured to determine whether the apparatus is disabled by the ME.
  - 13. The apparatus of claim 8, wherein the BIOS is further configured to boot the apparatus from a bootable environment of the removable storage device.
  - 14. The apparatus of claim 8, wherein the ME is configured to authenticate credentials via the PBA module to restore the apparatus from the disabled state to the re-enabled state.
  - 15. The apparatus of claim 8, wherein the PBA module is configured to prompt a user to provide authentication credentials to the ME to restore the apparatus from the disabled state to the re-enabled state.
  - 16. The apparatus of claim 8, wherein the ME requires a public key or private key for communication and wherein the PBA module comprises the public key or the private key to communicate with the ME.

17. An article of manufacture comprising:
- a non-transitory computer-readable storage medium; and
  
  a plurality of instructions stored in the storage medium configured to implement a basic input/output system (BIOS) for a digital device having a host operating environment and a manageability engine (ME) that operates independent of the host operating environment, the BIOS configured to detect, on pre-boot, whether a removable storage device is attached to the digital device, and to transfer control, on detection, to a pre-boot authentication (PBA) module stored on the removable storage device to interact with the ME to recover and return the digital device to a normal operating state from a stolen state, wherein the BIOS is further configured to determine whether the digital device is in the stolen state by querying the ME and to shut down the digital device if the digital device is in the stolen state and no PBA module is detected by the BIOS,wherein the ME is configured to authenticate credentials via the PBA module to recover and return the digital device to the normal operating state from the stolen state.
- View Dependent Claims (18, 19, 20)
- - 18. The article of manufacture of claim 17, wherein the storage medium comprises non-volatile memory.
  - 19. The article of manufacture of claim 17, further comprising another plurality of instructions stored in the storage medium configured to implement the ME.
  - 20. The article of manufacture of claim 17, wherein the BIOS is further configured to boot the digital device from a bootable environment of the removable storage device.

21. A removable storage device comprising:
- a peripheral interface to attach the removable storage device to an electronic device, the electronic device including a central processing unit (CPU) configured to run a host operating environment and a pre-boot firmware and an embedded processor, other than the CPU, configured to run a manageability engine (ME);
  
  non-volatile storage coupled to the peripheral interface; and
  
  a pre-boot authentication (PBA) module stored in the non-volatile storage, configured to transfer control from the pre-boot firmware of the electronic device, when the pre-boot firmware detects, on pre-boot, attachment of the removable storage device to the electronic device, and to interact with the ME of the electronic device to restore the electronic device to an unprotected state from a protected state, wherein the pre-boot firmware is configured to determine whether the electronic device is in the protected state by querying the ME and to shut down the electronic device if the electronic device is in the protected state and no PBA module is detected by the pre-boot firmware.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The removable storage device of claim 21, wherein the peripheral interface comprises a universal serial bus (USB) and wherein the non-volatile storage comprises flash memory.
  - 23. The removable storage device of claim 21, wherein the PBA module is configured to prompt a user to provide authentication credentials to the ME to restore the electronic device from the protected state to the unprotected state.
  - 24. The removable storage device of claim 21, wherein the ME requires a public key or private key for communication and wherein the PBA module comprises the public key or the private key to communicate with the ME.
  - 25. The removable storage device of claim 21, wherein the pre-boot firmware is configured to hoot the electronic device from a bootable environment of the removable storage device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tahoe Research Limited (f/k/a Learndale Limited) (Vector Capital Corporation)
Original Assignee
Intel Corporation
Inventors
Mirashrafi, Mojtaba, Hazra, Mousumi, Prakash, Gyan, Dadu, Saurabh
Primary Examiner(s)
Rahman, Fahmida

Application Number

US12/346,078
Publication Number

US 20100169630A1
Time in Patent Office

1,393 Days
Field of Search

713/1, 713/2, 713/100, 713150-152, 713182-184, 711/100, 711/115, 711/E12.091, 711/E12.092, 726/2, 726 17- 19, 726/21
US Class Current

713/1
CPC Class Codes

G06F 21/575 Secure boot

G06F 9/4406 Loading of operating system

Pre-boot recovery of a locked computer system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Pre-boot recovery of a locked computer system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links