Secure boot administration in a Unified Extensible Firmware Interface (UEFI)-compliant computing device

US 9,021,244 B2
Filed: 11/05/2012
Issued: 04/28/2015
Est. Priority Date: 11/04/2011
Status: Active Grant

First Claim

Patent Images

1. A method for administering a secure boot in a Unified Extensible Firmware Interface (UEFI)-compliant computing device, comprising:

receiving an interrupt command during a boot process for the UEFI-compliant computing device from a user, the boot process interrupted in response to the command;

displaying to the user, following the interruption of the boot process, a listing of at least one task related to administering the boot process;

receiving a selection of a listed task;

invoking System Management Mode (SMM) in response to the selection of the listed task;

performing the selected task in SMM using a firmware module executable only within SMM;

resetting the computing device after the performance of the selected task; and

re-starting the boot process for the computing device after the resetting.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Firmware in a UEFI-compliant computing device is used to administer and alter a Secure Boot process for the computing device while continuing to provide protection from unauthorized third-party code.

28 Citations

View as Search Results

24 Claims

1. A method for administering a secure boot in a Unified Extensible Firmware Interface (UEFI)-compliant computing device, comprising:
- receiving an interrupt command during a boot process for the UEFI-compliant computing device from a user, the boot process interrupted in response to the command;
  
  displaying to the user, following the interruption of the boot process, a listing of at least one task related to administering the boot process;
  
  receiving a selection of a listed task;
  
  invoking System Management Mode (SMM) in response to the selection of the listed task;
  
  performing the selected task in SMM using a firmware module executable only within SMM;
  
  resetting the computing device after the performance of the selected task; and
  
  re-starting the boot process for the computing device after the resetting.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein the performing of the selected task further comprises:
    - enrolling a hash of an unsigned application in a system security database.
  - 3. The method of claim 1 wherein the performing of the selected task further comprises:
    - turning off a requirement to enforce the secure boot so as to allow all code to run during the boot process.
  - 4. The method of claim 1 wherein the performing of the selected task further comprises:
    - clearing a system security database of all certificates and disabling the secure boot.
  - 5. The method of claim 1 wherein the performing of the selected task further comprises:
    - restoring a system security database from a backup location or resetting the system security database to a factory setting.
  - 6. The method of claim 1 wherein the interrupt command may only be received from a physically present user who is physically accessing the UEFI-compliant computing device.
  - 7. The method of claim 1 wherein the interrupt command may be received from a user who is accessing the UEFI-compliant computing device from a remote location via a secured platform firmware management tool.
  - 8. The method of claim 1 further comprisingresetting the computing device following the interruption and before the display of the listing of the at least one task.

9. A non-transitory computer-readable medium holding computer-executable instructions for administering a secure boot process in a Unified Extensible Firmware Interface (UEFI)-compliant computing device, the instructions when executed causing the UEFI-compliant computing device to:
- receive an interrupt command during a boot process for the UEFI-compliant computing device from a user, the boot process interrupted in response to the command;
  
  display to the user, following the interruption of the boot process, a listing of at least one task related to administering the boot process;
  
  receive a selection of a listed task;
  
  invoke System Management Mode (SMM) in response to the selection of the listed task;
  
  perform the selected task in SMM using a firmware module executable only within SMM;
  
  reset the computing device after the performance of the selected task; and
  
  re-start the boot process for the computing device after the resetting.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The medium of claim 9 wherein the performing of the selected task further causes the UEFI-compliant computing device to:
    - enroll a hash of an unsigned application in a system security database.
  - 11. The medium of claim 9 wherein the performing of the selected task further causes the UEFI-compliant computing device to:
    - turn off a requirement to enforce a secure boot so as to allow all code to run during the boot process.
  - 12. The medium of claim 9 wherein the performing of the selected task further causes the UEFI-compliant computing device to:
    - clear a system security database of all certificates and disabling the secure boot.
  - 13. The medium of claim 9 wherein the performing of the selected task further causes the UEFI-compliant computing device to:
    - restore a system security database from a backup location or resetting the system security database to a factory setting.
  - 14. The medium of claim 9 wherein the interrupt command may only be received from a physically present user who is physically accessing the UEFI-compliant computing device.
  - 15. The medium of claim 9 wherein the interrupt command may be received from a user who is accessing the UEFI-compliant computing device from a remote location via a secured platform firmware management tool.
  - 16. The medium of claim 9 wherein the execution of the instructions further causes the UEFI-compliant computing device to:
    - reset the computing device following the interruption and before the display of the listing of the at least one task.

17. A Unified Extensible Firmware Interface (UEFI)-compliant computing device, comprising:
- a processor, the processor supporting System Management Mode (SMM);
  
  a display surface in communication with the UEFI-compliant computing device;
  
  an input mechanism; and
  
  at least one firmware module, the firmware module when executed;
  
  receiving an interrupt command from a user via the input mechanism during a boot process for the UEFI-compliant computing device, the boot process interrupted in response to the command;
  
  displaying to the user on the display surface, following the interruption of the boot process, a listing of at least one task related to administering the boot process;
  
  receiving a selection of a listed task;
  
  invoking SMM in response to the selection of the listed task;
  
  performing the selected task in SMM; and
  
  resetting the computing device after the performance of the selected task; and
  
  re-start the boot process for the computing device after the resetting.
- View Dependent Claims (18, 19, 20)
- - 18. The device of claim 17 in which the task performed is to enroll a hash of an application be launched in the boot process into a system security database.
  - 19. The device of claim 17 wherein the interrupt command may only be received from a physically present user who is physically accessing the UEFI-compliant computing device via the input mechanism.
  - 20. The medium of claim 17 wherein the firmware module resets the computing device following the interruption and before the display of the listing of the at least one task.

21. A non-transitory computer-readable medium holding computer-executable instructions for administering a secure boot process in a Unified Extensible Firmware Interface (UEFI)-compliant computing device, the instructions when executed causing the UEFI-compliant computing device to:
- recognize a previously recorded request to administer a boot process during a boot process for the UEFI-compliant computing device from a user, the boot process interrupted in response to the recognition of the request;
  
  display to the user, following the interruption of the boot process, a listing of at least one task related to administering the boot process;
  
  receive a selection of a listed task;
  
  invoke System Management Mode (SMM) in response to the selection of the listed task;
  
  perform the selected task in SMM using a firmware module executable only within SMM;
  
  reset the computing device after the performance of the selected task; and
  
  re-start the boot process for the computing device after the resetting.
- View Dependent Claims (22)
- - 22. The medium of claim 21 wherein the request is recorded in a UEFI-defined variable set by the operating system.

23. A method for administering a secure boot in a Unified Extensible Firmware Interface (UEFI)-compliant computing device, comprising:
- recognizing a previously recorded request to administer a boot process during a boot process for the UEFI-compliant computing device from a user, the boot process interrupted in response to the recognition;
  
  displaying to the user, following the interruption of the boot process, a listing of at least one task related to administering the boot process;
  
  receiving a selection of a listed task;
  
  invoking System Management Mode (SMM) in response to the selection of the listed task;
  
  performing the selected task in SMM using a firmware module executable only within SMM;
  
  resetting the computing device after the performance of the selected task; and
  
  re-starting the boot process for the computing device after the resetting.
- View Dependent Claims (24)
- - 24. The method of claim 23 wherein the request is recorded in a UEFI-defined variable set by the operating system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Insyde Software Corp
Original Assignee
Insyde Software Corp
Inventors
Bobzin, Jeffery Jay
Primary Examiner(s)
Cao, Chun

Application Number

US13/668,757
Publication Number

US 20130124843A1
Time in Patent Office

904 Days
Field of Search

713/1, 713/2, 713/155, 713/176, 713/187
US Class Current

713/2
CPC Class Codes

G06F 15/177   Initialisation or configura...

G06F 21/575   Secure boot

G06F 2221/034   Test or assess a computer o...

G06F 2221/2105   Dual mode as a secondary as...

G06F 9/4401   Bootstrapping security arra...

Secure boot administration in a Unified Extensible Firmware Interface (UEFI)-compliant computing device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Secure boot administration in a Unified Extensible Firmware Interface (UEFI)-compliant computing device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links