System and method to provide added security to a platform using locality-based data
First Claim
Patent Images
1. A system for protecting a computing platform from unauthorized access, comprising:
- a host processor coupled to a first wireless communication device to receive location-based information from a positioning device;
an out-of-band processor different from and operating independently from the host processor, the out-of-band processor in communication with the host processor, coupled to the first wireless communication device to receive location-based information from the positioning device, and powered independently of the host processor to enable operation independent of the status of the host processor;
a firmware service configured to run during boot on the host processor to verify that the computing platform is authorized for operation, the authorization based at least on location-based information received from the positioning device and pre-defined platform policy; and
a runtime service configured to run after boot on the out-of-band processor independent of the status of the host processor, the runtime service configured to verify that the computing platform is authorized for operation, the authorization based at least on location-based information received from the positioning device and pre-defined platform policy;
wherein when the computing platform is out of range of a location defined in the pre-defined platform policy, the runtime service is configured to send a message to the host processor through a shared memory accessible to the host processor and the out-of-band processor, the message to cause the host processor to perform a security function to inhibit operation of the platform.
1 Assignment
0 Petitions
Accused Products
Abstract
In some embodiments, the invention involves protecting a platform using locality-based data and, more specifically, to using the locality-based data to ensure that the platform has not been stolen or subject to unauthorized access. In some embodiments, a second level of security, such as a key fob, badge or other source device having an identifying RFID is used for added security. Other embodiments are described and claimed.
-
Citations
40 Claims
-
1. A system for protecting a computing platform from unauthorized access, comprising:
-
a host processor coupled to a first wireless communication device to receive location-based information from a positioning device; an out-of-band processor different from and operating independently from the host processor, the out-of-band processor in communication with the host processor, coupled to the first wireless communication device to receive location-based information from the positioning device, and powered independently of the host processor to enable operation independent of the status of the host processor; a firmware service configured to run during boot on the host processor to verify that the computing platform is authorized for operation, the authorization based at least on location-based information received from the positioning device and pre-defined platform policy; and a runtime service configured to run after boot on the out-of-band processor independent of the status of the host processor, the runtime service configured to verify that the computing platform is authorized for operation, the authorization based at least on location-based information received from the positioning device and pre-defined platform policy; wherein when the computing platform is out of range of a location defined in the pre-defined platform policy, the runtime service is configured to send a message to the host processor through a shared memory accessible to the host processor and the out-of-band processor, the message to cause the host processor to perform a security function to inhibit operation of the platform. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 37, 38)
-
-
13. A method for protecting a computing platform from unauthorized access, comprising:
-
receiving location-based information from a positioning device during both boot and runtime; determining whether the computing platform is within range of a pre-defined location, based on the received location-based information and a platform policy; transmitting a platform identifier to an ID Authenticator on a network server; receiving one of an authentication confirmation or authentication failure from the ID Authenticator; determining whether the computing platform is authorized to operate at a current location determined by the received location-based information, authentication confirmation or authentication failure of the platform identifier, and platform policy; when the computing platform is authorized to operate, allowing normal boot and runtime operation; and when the computing platform is not authorized to operate, based on platform policy and whether the computing platform is in boot mode or runtime mode, performing a security function including at least one of; prohibiting the computing platform to boot, locking-up the computing platform when in runtime, shutting down the computing platform when in runtime, and sending an alert that identifies failure to authorize the computing platform to operate normally; wherein determining whether the computing platform is authorized to operate is (i) is performed by a firmware service executed on a host processor on the computing platform during boot, (ii) is performed by a system service executed on an out-of-band processor on the computing platform independent of the status of the host processor during runtime, the out-of-band processor powered independently of the host processor to enable operation independent of the status of the host processor, and (iii) includes sending a message by the system service to the host processor through a shared memory accessible to the host processor and the out-of-band processor when the computing platform is not authorized to operate, the message to cause the host processor to perform the security function. - View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 40)
-
-
25. A non-transitory computer readable storage medium having instructions stored therein for protecting a computing platform from unauthorized access, the instructions when executed on at least one processor on the computing platform, cause the computing platform to:
-
receive location-based information from a positioning device during both boot and runtime; determine whether the computing platform is within range of a pre-defined location, based on the received location-based information and a platform policy; transmit a platform identifier to an ID Authenticator on a network server; receive one of an authentication confirmation or authentication failure from the ID Authenticator; determine whether the computing platform is authorized to operate at a current location determined by the received location-based information, authentication confirmation or authentication failure of the platform identifier, and platform policy; when the computing platform is authorized to operate, allow normal boot and runtime operation; and when the computing platform is not authorized to operate, based on platform policy and whether the computing platform is in boot mode or runtime mode, perform a security function including at least one of; prohibit the computing platform to boot, lock-up the computing platform when in runtime, shut down the computing platform when in runtime, and send an alert that identifies failure to authorize the computing platform to operate normally; wherein to determine whether the computing platform is authorized to operate (i) is performed by a firmware service executed on a host processor on the computing platform during boot, (ii) is performed by a system service executed on an out-of-band processor on the computing platform independent of the status of the host processor during runtime, the out-of-band processor powered independently of the host processor to enable operation independent of the status of the host processor, and (iii) includes to send a message by the system service to the host processor through a shared memory accessible to the host processor and the out-of-band processor when the computing platform is not authorized to operate, the message to cause the host processor to perform the security function. - View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 39)
-
Specification