Managing booting of secure devices with untrusted software

US 9,117,083 B2
Filed: 02/14/2011
Issued: 08/25/2015
Est. Priority Date: 02/14/2011
Status: Active Grant

First Claim

Patent Images

1. On a device having a collection of hardware resources designated as a security block, a method of executing an untrusted operating system, said method comprising:

performing a transition from an unprovisioned state into a first operational mode, said first operational mode allowing execution of untrusted operating systems;

storing an indication that said device is in said first operational mode;

loading said untrusted operating system;

subsequent to said loading, determining that said untrusted operating system has not been signed by a trusted entity;

subsequent to said loading, determining, upon review of said indication, that said device is in said first operational mode;

responsive to determining that said device is in said first operational mode, determining that a counter of allowed insecure boots exceeds zero;

responsive to the determining that the counter exceeds zero;

decrementing the counter of allowed insecure boots;

disabling untrusted operating system access to said security block; and

executing said untrusted operating system;

responsive to the determining that the counter equals zero;

deactivate said first operational mode; and

restart the device.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Normally, at the time of manufacturing, security may be provided to a device being manufactured through the loading of an operating system that has been cryptographically signed. The present application discloses a “factory mode” for the device. The “factory mode” allows the device to execute untrusted operating system code, such as unsigned operating system code and operating system code that has been signed, but the certificate authority is not trusted. To support execution of untrusted operating system code in a secure manner, the device may be adapted to prevent data of predetermined type from being loaded on the device while the device is in the “factory mode”. In contrast to the “factory mode”, the secure mode of the device is referred to herein as a “product mode”. There develops a need to manage, in a secure manner, transitions between the “product mode” and the “factory mode”.

Citations

25 Claims

1. On a device having a collection of hardware resources designated as a security block, a method of executing an untrusted operating system, said method comprising:
- performing a transition from an unprovisioned state into a first operational mode, said first operational mode allowing execution of untrusted operating systems;
  
  storing an indication that said device is in said first operational mode;
  
  loading said untrusted operating system;
  
  subsequent to said loading, determining that said untrusted operating system has not been signed by a trusted entity;
  
  subsequent to said loading, determining, upon review of said indication, that said device is in said first operational mode;
  
  responsive to determining that said device is in said first operational mode, determining that a counter of allowed insecure boots exceeds zero;
  
  responsive to the determining that the counter exceeds zero;
  
  decrementing the counter of allowed insecure boots;
  
  disabling untrusted operating system access to said security block; and
  
  executing said untrusted operating system;
  
  responsive to the determining that the counter equals zero;
  
  deactivate said first operational mode; and
  
  restart the device.
- View Dependent Claims (2, 3, 4, 5, 24, 25)
- - 2. The method of claim 1 wherein said security block stores processor fuse settings.
  - 3. The method of claim 1 wherein said security block stores device provisioning data.
  - 4. The method of claim 1 wherein said security block stores authentication keys.
  - 5. The method of claim 1 further comprising erasing stored user data.
  - 24. The method of claim 1 wherein the untrusted operating system comprises an unsigned operating system.
  - 25. The method of claim 1 wherein the untrusted operating system comprises an operating system signed with a digital signature that identifies a certificate authority that is not among a set of trusted certificate authorities.

6. A secure device comprising:
- a security block; and
  
  a processor adapted to;
  
  perform a transition from an unprovisioned state into a first operational mode, said first operational mode allowing execution of untrusted operating systems;
  
  store an indication that said device is in said first operational mode;
  
  load an untrusted operating system;
  
  determine, subsequent to said loading, that said untrusted operating system has not been signed by a trusted entity;
  
  determine, subsequent to said loading and upon review of said indication, that said device is in said first operational mode;
  
  determine that a counter of allowed insecure boots exceeds zero;
  
  decrement the counter of allowed insecure boots;
  
  disable untrusted operating system access to said security block;
  
  execute said untrusted operating system;
  
  determine that the counter of allowed insecure boots equals zero;
  
  deactivate said first operational mode; and
  
  restart the secure device.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 7. The secure device of claim 6 further comprising a write-protected read only memory storing a boot loader.
  - 8. The secure device of claim 6 wherein said memory comprises embedded multi media card memory.
  - 9. The secure device of claim 8 wherein said security block comprises secure persistent storage.
  - 10. The secure device of claim 9 wherein said secure persistent storage comprises a relay protected memory block.
  - 11. The secure device of claim 6 wherein said security block stores processor fuse settings.
  - 12. The secure device of claim 6 wherein said security block stores a device specific cryptographic key.
  - 13. The secure device of claim 6 wherein said security block stores device provisioning data.
  - 14. The secure device of claim 6 wherein said processor is adapted to erase stored user data.
  - 15. The secure device of claim 6 wherein said security block stores an authentication key.
  - 16. The secure device of claim 6 further comprising a write-protected read only memory storing a boot loader and wherein the processor is further adapted to:
    - load said boot loader; and
      
      under instructions from said boot loader, load said operating system.

17. A non-transitory computer readable medium containing computer-executable instructions that, when performed by a processor in a secure device, wherein the secure device includes a security block, cause said processor to:
- perform a transition from an unprovisioned state into a first operational mode, said first operational mode allowing execution of untrusted operating systems;
  
  store an indication that said device is in said first operational mode;
  
  load an untrusted operating system;
  
  determine, subsequent to said loading, that said untrusted operating system has not been signed by a trusted entity;
  
  determine, subsequent to said loading and upon review of said indication, that said device is in said first operational mode;
  
  determine that a counter of allowed insecure boots exceeds zero;
  
  decrement the counter of allowed insecure boots;
  
  disable untrusted operating system access to said security block; and
  
  execute said untrusted operating system;
  
  determine that the counter of allowed insecure boots equals zero;
  
  deactivate said first operational mode; and
  
  restart the secure device.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The computer readable medium of claim 17 wherein said security block stores processor fuse settings.
  - 19. The computer readable medium of claim 17 wherein said security block stores a device-specific cryptographic key.
  - 20. The computer readable medium of claim 17 wherein said security block stores a relay protected memory block.
  - 21. The computer readable medium of claim 17 wherein said security block stores device provisioning data.
  - 22. The computer readable medium of claim 17 wherein said computer executable instructions cause said processor to erase stored user data.
  - 23. The computer readable medium of claim 17 wherein said security block stores an authentication key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
Blackberry Limited
Inventors
Wood, Robert Henderson, Bowman, Roger Paul, Whitehouse, Oliver
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Torres-Diaz, Lizbeth

Application Number

US13/026,968
Publication Number

US 20120210113A1
Time in Patent Office

1,653 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/575   Secure boot

G06F 2221/033   Test or assess software

G06F 2221/2105   Dual mode as a secondary as...

Managing booting of secure devices with untrusted software

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Managing booting of secure devices with untrusted software

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links