Managing booting of secure devices with untrusted software
First Claim
1. On a device having a collection of hardware resources designated as a security block, a method of executing an untrusted operating system, said method comprising:
performing a transition from an unprovisioned state into a first operational mode, said first operational mode allowing execution of untrusted operating systems;
storing an indication that said device is in said first operational mode;
loading said untrusted operating system;
subsequent to said loading, determining that said untrusted operating system has not been signed by a trusted entity;
subsequent to said loading, determining, upon review of said indication, that said device is in said first operational mode;
responsive to determining that said device is in said first operational mode, determining that a counter of allowed insecure boots exceeds zero;
responsive to the determining that the counter exceeds zero;
decrementing the counter of allowed insecure boots;
disabling untrusted operating system access to said security block; and
executing said untrusted operating system;
responsive to the determining that the counter equals zero;
deactivate said first operational mode; and
restart the device.
Abstract
Normally, at the time of manufacturing, security may be provided to a device being manufactured through the loading of an operating system that has been cryptographically signed. The present application discloses a “factory mode” for the device. The “factory mode” allows the device to execute untrusted operating system code, such as unsigned operating system code and operating system code that has been signed but whose certificate authority is not trusted. To support execution of untrusted operating system code in a secure manner, the device may be adapted to prevent data of a predetermined type from being loaded on the device while the device is in the “factory mode”. In contrast to the “factory mode”, the secure mode of the device is referred to herein as a “product mode”. There is therefore a need to manage, in a secure manner, transitions between the “product mode” and the “factory mode”.
25 Claims
1. On a device having a collection of hardware resources designated as a security block, a method of executing an untrusted operating system, said method comprising:
performing a transition from an unprovisioned state into a first operational mode, said first operational mode allowing execution of untrusted operating systems;
storing an indication that said device is in said first operational mode;
loading said untrusted operating system;
subsequent to said loading, determining that said untrusted operating system has not been signed by a trusted entity;
subsequent to said loading, determining, upon review of said indication, that said device is in said first operational mode;
responsive to determining that said device is in said first operational mode, determining that a counter of allowed insecure boots exceeds zero;
responsive to the determining that the counter exceeds zero;
decrementing the counter of allowed insecure boots;
disabling untrusted operating system access to said security block; and
executing said untrusted operating system;
responsive to the determining that the counter equals zero;
deactivate said first operational mode; and
restart the device.
Dependent claims: 2, 3, 4, 5, 24, 25
6. A secure device comprising:
a security block; and
a processor adapted to;
perform a transition from an unprovisioned state into a first operational mode, said first operational mode allowing execution of untrusted operating systems;
store an indication that said device is in said first operational mode;
load an untrusted operating system;
determine, subsequent to said loading, that said untrusted operating system has not been signed by a trusted entity;
determine, subsequent to said loading and upon review of said indication, that said device is in said first operational mode;
determine that a counter of allowed insecure boots exceeds zero;
decrement the counter of allowed insecure boots;
disable untrusted operating system access to said security block;
execute said untrusted operating system;
determine that the counter of allowed insecure boots equals zero;
deactivate said first operational mode; and
restart the secure device.
Dependent claims: 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
17. A non-transitory computer readable medium containing computer-executable instructions that, when performed by a processor in a secure device, wherein the secure device includes a security block, cause said processor to:
perform a transition from an unprovisioned state into a first operational mode, said first operational mode allowing execution of untrusted operating systems;
store an indication that said device is in said first operational mode;
load an untrusted operating system;
determine, subsequent to said loading, that said untrusted operating system has not been signed by a trusted entity;
determine, subsequent to said loading and upon review of said indication, that said device is in said first operational mode;
determine that a counter of allowed insecure boots exceeds zero;
decrement the counter of allowed insecure boots;
disable untrusted operating system access to said security block; and
execute said untrusted operating system;
determine that the counter of allowed insecure boots equals zero;
deactivate said first operational mode; and
restart the secure device.
Dependent claims: 18, 19, 20, 21, 22, 23
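The boot decision recited in claims 1, 6 and 17, modelled in C as an added example that is not taken from the patent. All identifiers are hypothetical, the state is an in-memory struct standing in for persistent storage, and three behaviours are assumptions the claims do not state: a trusted image gets security-block access, an untrusted image is refused outside the first operational mode, and deactivating that mode leaves the device in the "product mode" named in the abstract.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout: the claims name no data structures. */
enum mode   { UNPROVISIONED, FACTORY, PRODUCT };
enum action { EXEC_TRUSTED, EXEC_UNTRUSTED_LOCKED, RESTART, REFUSE };

struct device {
    enum mode mode;          /* stored indication of the operational mode */
    uint32_t  insecure_left; /* counter of allowed insecure boots */
    bool      secblock_open; /* can the running OS reach the security block? */
};

/* Transition from the unprovisioned state into the first operational mode. */
static bool enter_factory(struct device *d, uint32_t budget) {
    if (d->mode != UNPROVISIONED) return false;
    d->mode = FACTORY;
    d->insecure_left = budget;
    return true;
}

/* Decision taken after the OS image is loaded and its signature checked. */
static enum action boot_decide(struct device *d, bool signed_by_trusted) {
    d->secblock_open = false;                 /* fail closed by default */
    if (signed_by_trusted) {                  /* assumption: not covered by the claims */
        d->secblock_open = true;
        return EXEC_TRUSTED;
    }
    if (d->mode != FACTORY) return REFUSE;    /* assumption: other modes reject it */
    if (d->insecure_left > 0) {
        d->insecure_left--;                   /* spend one insecure boot */
        return EXEC_UNTRUSTED_LOCKED;         /* security block stays disabled */
    }
    d->mode = PRODUCT;                        /* assumption: deactivation lands here */
    return RESTART;
}

/* Count untrusted boots that execute before the device forces a restart. */
static uint32_t untrusted_boots_until_restart(struct device *d) {
    uint32_t n = 0;
    while (boot_decide(d, false) == EXEC_UNTRUSTED_LOCKED) n++;
    return n;
}

int main(void) {
    struct device d = { UNPROVISIONED, 0, false };
    enter_factory(&d, 3);                     /* constructed budget of 3 boots */
    printf("untrusted boots executed: %u\n", (unsigned)untrusted_boots_until_restart(&d));
    printf("next untrusted boot: %s\n", boot_decide(&d, false) == REFUSE ? "refused" : "allowed");
    return 0;
}
```

On real hardware the mode indication and the counter would have to live in storage the untrusted OS cannot rewrite, otherwise the decrement is not binding.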
Specification