Partition-based apparatus and method for securing bios in a trusted computing system during execution

US 9,129,113 B2
Filed: 11/13/2013
Issued: 09/08/2015
Est. Priority Date: 11/13/2013
Status: Active Grant

First Claim

Patent Images

1. An apparatus for protecting a basic input/output system (BIOS) in a computing system, the apparatus comprising:

a BIOS read only memory (ROM), comprising;

a plurality of BIOS content partitions, wherein each of said plurality of BIOS content partitions is stored as plaintext; and

a plurality of encrypted message digests, wherein each of said plurality of encrypted message digests comprises an encrypted version of a first message digest that is associated with a corresponding one of said plurality of BIOS content partitions;

a partition selector, configured to select one or more of said plurality of BIOS content partitions responsive to a BIOS check interrupt that interrupts normal operation of the computing system; and

a tamper detector, operatively coupled to said BIOS ROM and said partition selector, configured to access said one or more of said plurality of BIOS content partitions and corresponding one or more of said plurality of encrypted message digests upon assertion of said BIOS check interrupt, and configured to direct a general purpose microprocessor to generate corresponding one or more of a plurality of second message digests corresponding to said one or more of said plurality of BIOS content partitions and corresponding one or more of a plurality of decrypted message digests corresponding to said one or more of said plurality of encrypted message digests using the same algorithms and key that were employed to generate said first message digest and said plurality of encrypted message digests, and configured to compare said one or more of said plurality of second message digests with said one or more of said plurality of decrypted message digests, and configured to preclude said operation of said general purpose microprocessor if said one or more of said plurality of second message digests and said one or more of said plurality of decrypted message digests are not pair wise equal, wherein said general purpose microprocessor further comprises a random number generator disposed within said execution logic, and wherein said random number generator generates a random number at completion of a current BIOS check, which is employed by said partition selector to randomly designate a number of said plurality of BIOS content partitions to be checked during a following BIOS check.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus including a ROM, a selector, and a detector. The ROM has partitions and encrypted digests. Each of the partitions is stored as plaintext, and each of the encrypted digests includes an encrypted version of a first digest associated with a corresponding one of the partitions. The selector selects one or more of the partitions responsive to an interrupt. The detector accesses the one or more of the partitions and corresponding one or more of the encrypted digests upon assertion of the interrupt, and directs a microprocessor to generate one or more of second digests corresponding to the one or more of the partitions and one or more of decrypted digests corresponding to the one or more of encrypted digests using the same algorithms and key that were employed to generate the first digest and the encrypted digests, and compares the one or more of the second digests with the one or more of the decrypted digests, and precludes operation of the microprocessor if the one or more of the second digests and the one or more of the decrypted digests are not pair wise equal.

37 Citations

View as Search Results

18 Claims

1. An apparatus for protecting a basic input/output system (BIOS) in a computing system, the apparatus comprising:
- a BIOS read only memory (ROM), comprising;
  
  a plurality of BIOS content partitions, wherein each of said plurality of BIOS content partitions is stored as plaintext; and
  
  a plurality of encrypted message digests, wherein each of said plurality of encrypted message digests comprises an encrypted version of a first message digest that is associated with a corresponding one of said plurality of BIOS content partitions;
  
  a partition selector, configured to select one or more of said plurality of BIOS content partitions responsive to a BIOS check interrupt that interrupts normal operation of the computing system; and
  
  a tamper detector, operatively coupled to said BIOS ROM and said partition selector, configured to access said one or more of said plurality of BIOS content partitions and corresponding one or more of said plurality of encrypted message digests upon assertion of said BIOS check interrupt, and configured to direct a general purpose microprocessor to generate corresponding one or more of a plurality of second message digests corresponding to said one or more of said plurality of BIOS content partitions and corresponding one or more of a plurality of decrypted message digests corresponding to said one or more of said plurality of encrypted message digests using the same algorithms and key that were employed to generate said first message digest and said plurality of encrypted message digests, and configured to compare said one or more of said plurality of second message digests with said one or more of said plurality of decrypted message digests, and configured to preclude said operation of said general purpose microprocessor if said one or more of said plurality of second message digests and said one or more of said plurality of decrypted message digests are not pair wise equal, wherein said general purpose microprocessor further comprises a random number generator disposed within said execution logic, and wherein said random number generator generates a random number at completion of a current BIOS check, which is employed by said partition selector to randomly designate a number of said plurality of BIOS content partitions to be checked during a following BIOS check.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The apparatus as recited in claim 1, wherein said BIOS check interrupt is generated periodically at a prescribed interval.
  - 3. The apparatus as recited in claim 1, wherein said BIOS check interrupt is generated upon the occurrence of an event, wherein said event comprises one or more occurrences of a selected one of the following events:
    - an input/output access;
      
      a change in processor speed; and
      
      a change in virtual memory mapping.
  - 4. The apparatus as recited in claim 1, wherein said general purpose microprocessor employs the Secure Hash Algorithm to generate said one or more of said plurality of second message digests.
  - 5. The apparatus as recited in claim 1, wherein said general purpose microprocessor employs the Advanced Encryption Standard algorithm to generate said one or more of said plurality of decrypted message digests.
  - 6. The apparatus as recited in claim 1, wherein said general purpose microprocessor comprises a dedicated crypto/hash unit disposed within execution logic, and wherein said crypto/hash unit generates said one or more of said plurality of second message digests and said one or more of said plurality of decrypted message digests, and wherein said key is exclusively accessed by said crypto/hash unit.

7. An apparatus for protecting a basic input/output system (BIOS) in a computing system, the apparatus comprising:
- a BIOS read only memory (ROM), comprising;
  
  a plurality of BIOS content partitions, wherein each of said plurality of BIOS content partitions is stored as plaintext; and
  
  a plurality of encrypted message digests, wherein each of said plurality of encrypted message digests comprises an encrypted version of a first message digest that is associated with a corresponding one of said plurality of BIOS content partitions; and
  
  a general purpose microprocessor, coupled to said BIOS ROM, said general purpose microprocessor comprising;
  
  a partition selector, configured to select one or more of said plurality of BIOS content partitions responsive to a BIOS check interrupt that interrupts normal operation of the computing system; and
  
  a random number generator disposed within said execution logic, and wherein said random number generator generates a random number at completion of a current BIOS check, which is employed by said partition selector to randomly designate a number of said plurality of BIOS content partitions to be checked during a following BIOS check; and
  
  a tamper detector, operatively coupled to said BIOS ROM and said partition selector, configured to access said one or more of said plurality of BIOS content partitions and corresponding one or more of said plurality of encrypted message digests upon assertion of said BIOS check interrupt, and configured to direct said general purpose microprocessor to generate corresponding one or more of a plurality of second message digests corresponding to said one or more of said plurality of BIOS content partitions and corresponding one or more of a plurality of decrypted message digests corresponding to said one or more of said plurality of encrypted message digests using the same algorithms and key that were employed to generate said first message digest and said plurality of encrypted message digests, and configured to compare said one or more of said plurality of second message digests with said one or more of said plurality of decrypted message digests, and configured to preclude said operation of said general purpose microprocessor if said one or more of said plurality of second message digests and said one or more of said plurality of decrypted message digests are not pair wise equal.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus as recited in claim 7, wherein said BIOS check interrupt is generated periodically at a prescribed interval.
  - 9. The apparatus as recited in claim 7, wherein said BIOS check interrupt is generated upon the occurrence of an event, wherein said event comprises one or more occurrences of a selected one of the following events:
    - an input/output access;
      
      a change in processor speed; and
      
      a change in virtual memory mapping.
  - 10. The apparatus as recited in claim 7, wherein said general purpose microprocessor employs the Secure Hash Algorithm to generate said one or more of said plurality of second message digests.
  - 11. The apparatus as recited in claim 7, wherein said general purpose microprocessor employs the Advanced Encryption Standard algorithm to generate said one or more of said plurality of decrypted message digests.
  - 12. The apparatus as recited in claim 7, said general purpose microprocessor further comprising:
    - a dedicated crypto/hash unit disposed within execution logic, and wherein said crypto/hash unit generates said one or more of said plurality of second message digests and said one or more of said plurality of decrypted message digests, and wherein said key is exclusively accessed by said crypto/hash unit.

13. A method for protecting a basic input/output system (BIOS) in a computing system, the method comprising:
- storing a plurality of BIOS content partitions as plaintext in a BIOS ROM along with a plurality of encrypted message digests , wherein each of the plurality of encrypted message digests comprises an encrypted version of a first message digest that is associated with a corresponding one of the plurality of BIOS content partitions;
  
  selecting select one or more of the plurality of BIOS content partitions responsive to a BIOS check interrupt that interrupts normal operation of the computing system;
  
  upon assertion of the BIOS check interrupt, accessing one or more of the plurality of BIOS content partitions and corresponding one or more of the plurality of encrypted message digests, and generating using a general purpose microprocessor a corresponding one or more of a plurality of second message digests corresponding to the one or more of the plurality of BIOS content partitions and corresponding one or more of a plurality of decrypted message digests corresponding to the one or more of the plurality of encrypted message digests using the same algorithms and key that were employed to generate the first message digest and the plurality of encrypted message digests;
  
  comparing the one or more of the plurality of second message digests with the one or more of the plurality of decrypted message digests; and
  
  precluding operation of the general purpose microprocessor if the one or more of the plurality of second message digests and the one or more of the plurality of decrypted message digests are not pair wise equal, wherein the general purpose microprocessor further comprises a random number generator disposed within the execution logic, and wherein the random number generator generates a random number at completion of a current BIOS check, which is employed by the partition selector to randomly designate a number of the plurality of BIOS content partitions to be checked during a following BIOS check.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The method as recited in claim 13, wherein the BIOS check interrupt is generated periodically at a prescribed interval.
  - 15. The method as recited in claim 13, wherein said BIOS check interrupt is generated upon the occurrence of an event, wherein said event comprises one or more occurrences of a selected one of the following events:
    - an input/output access;
      
      a change in processor speed; and
      
      a change in virtual memory mapping.
  - 16. The method as recited in claim 13, wherein said accessing comprises:
    - employing the Secure Hash Algorithm to generate the one or more of the plurality of second message digests.
  - 17. The apparatus as recited in claim 13, wherein said accessing further comprises:
    - employing the Advanced Encryption Standard algorithm to generate the one or more of the plurality of decrypted message digests.
  - 18. The method as recited in claim 13, wherein the general purpose microprocessor comprises a dedicated crypto/hash unit disposed within execution logic, and wherein the crypto/hash unit generates the one or more of the plurality of second message digests and the one or more of the plurality of decrypted message digests, and wherein the key is exclusively accessed by the crypto/hash unit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VIA Technologies Incorporated (VIA Technologies)
Original Assignee
VIA Technologies Incorporated (VIA Technologies)
Inventors
Henry, G. Glenn
Primary Examiner(s)
SHAW, BRIAN F

Application Number

US14/079,226
Publication Number

US 20150134977A1
Time in Patent Office

664 Days
Field of Search

713/2, 713/193, 713/194, 711/173
US Class Current

1/1
CPC Class Codes

G06F 21/572   Secure firmware programming...

G06F 21/575   Secure boot

G06F 21/64   Protecting data integrity, ...

Partition-based apparatus and method for securing bios in a trusted computing system during execution

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

37 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Partition-based apparatus and method for securing bios in a trusted computing system during execution

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links