Firmware authentication

US 9,189,631 B2
Filed: 06/07/2013
Issued: 11/17/2015
Est. Priority Date: 06/07/2013
Status: Active Grant

First Claim

Patent Images

1. An Information Handling System (IHS), comprising:

a controller including a memory configured to store a plurality of firmware volumes, wherein each of the plurality of firmware volumes includes a plurality of firmware files, wherein all of the plurality of firmware volumes are encapsulated into a header file, wherein the header file includes a table that lists a plurality of digital signatures, wherein the table associates each digital signature with a different set of firmware file(s) within each firmware volume, and wherein each set of firmware file(s) can be authenticated its associated digital signature; and

a Basic Input/Output System (BIOS) operably coupled to the controller, the BIOS having program instructions stored thereon that, upon execution, cause the BIOS to authenticate two or more firmware files using a single digital signature, wherein a first one of the two or more firmware files belongs to a first firmware volume and a second one of the two of more firmware files belongs to a second firmware volume distinct from the first firmware volume, and wherein at least one of the first or second firmware volumes includes at least one firmware file that cannot be authenticated using the digital signature.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Firmware authentication in Information Handling Systems (IHSs) are disclosed. In some embodiments, an IHS may include a controller having a memory, the memory configured to store a plurality of firmware volumes, each of the plurality of firmware volumes including a plurality of firmware files. The IHS may also include a Basic Input/Output System (BIOS) operably coupled to the controller, the BIOS having program instructions stored thereon that, upon execution, cause the BIOS to authenticate two or more firmware files within a given one of the plurality of firmware volumes using a single digital signature. In another embodiment, a method may include creating a firmware volume, adding a plurality of firmware files to the firmware volume, and creating a digital signature based upon at least one of the plurality of firmware files, where the digital signature, upon being authenticated, allows a BIOS to load any of the plurality of firmware files.

21 Citations

View as Search Results

20 Claims

1. An Information Handling System (IHS), comprising:
- a controller including a memory configured to store a plurality of firmware volumes, wherein each of the plurality of firmware volumes includes a plurality of firmware files, wherein all of the plurality of firmware volumes are encapsulated into a header file, wherein the header file includes a table that lists a plurality of digital signatures, wherein the table associates each digital signature with a different set of firmware file(s) within each firmware volume, and wherein each set of firmware file(s) can be authenticated its associated digital signature; and
  
  a Basic Input/Output System (BIOS) operably coupled to the controller, the BIOS having program instructions stored thereon that, upon execution, cause the BIOS to authenticate two or more firmware files using a single digital signature, wherein a first one of the two or more firmware files belongs to a first firmware volume and a second one of the two of more firmware files belongs to a second firmware volume distinct from the first firmware volume, and wherein at least one of the first or second firmware volumes includes at least one firmware file that cannot be authenticated using the digital signature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The IHS of claim 1, wherein the BIOS is Unified Extensible Firmware Interface (UEFI) compliant.
  - 3. The IHS of claim 1, wherein the BIOS is operably coupled to the controller via a southbridge chipset.
  - 4. The IHS of claim 3, wherein a given one of the plurality of firmware volumes is exposed to the BIOS as a virtual mass storage device.
  - 5. The IHS of claim 1, wherein the firmware files include at least one of:
    - a firmware driver, an UEFI application, an Operating System (OS) loader, or an Option Read-Only-Memory (OPROM) file.
  - 6. The IHS of claim 1, wherein the digital signature is included in a separate file outside the given one of the plurality of firmware volumes.
  - 7. The IHS of claim 1, wherein the header file includes the given digital signature.
  - 8. The IHS of claim 1, wherein to authenticate the two or more firmware files, the program instructions, upon execution, further cause the BIOS to create a hash based upon one of the two or more firmware files, decode the digital signature using a public key stored in the BIOS, and compare the hash to the decoded digital signature.
  - 9. The IHS of claim 8, wherein the BIOS is configured to authenticate the two or more firmware files in response to the hash matching the decoded digital signature.

10. A method, comprising:
- creating a header file including a table and a plurality of firmware volumes, wherein each firmware volume includes a plurality of firmware files, wherein the table lists a plurality of digital signatures, wherein each digital signature is associated with a different set of firmware file(s) within each firmware volume, and wherein each set of firmware file(s) can be authenticated its associated digital signature;
  
  adding firmware file to a given firmware volume; and
  
  creating a digital signature based upon the firmware file, wherein the digital signature, upon being authenticated, allows a Basic Input/Output System (BIOS) to load two or more firmware files, wherein a first one of the two or more firmware files belongs to a first firmware volume and a second one of the two of more firmware files belongs to a second firmware volume distinct from the first firmware volume, and wherein at least one of the first or second firmware volumes includes at least one firmware file that cannot be authenticated using the digital signature.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method of claim 10, wherein the firmware files include at least one of:
    - a firmware driver, a Unified Extensible Firmware Interface (UEFI) application, an Operating System (OS) loader, or an Option Read-Only-Memory (OPROM) file.
  - 12. The method of claim 10, wherein the digital signature is created based upon a hash of a single one of the plurality of firmware files, and wherein the hash is signed with an authorized private key.
  - 13. The method of claim 10, wherein the digital signature is created based upon a hash of two or more but fewer than all of the plurality of firmware files, and wherein the hash is signed with an authorized private key.
  - 14. The method of claim 10, further comprising:
    - adding the digital signature to the given firmware volume;
      
      orstoring the digital signature as a distinct file separately from the given firmware volume.
  - 15. The method of claim 14, wherein adding the digital signature to the firmware volume includes adding the digital signature to the header file.

16. A Basic Input/Output System (BIOS) having program instructions stored thereon that, upon execution, cause an Information Handling System (IHS) to:
- access a header file external to the BIOS, the header file including a table and a plurality of firmware volumes, wherein each firmware volume includes a plurality of firmware files, wherein the table lists a plurality of digital signatures, wherein each digital signature is associated with a different set of firmware files, and wherein each set of firmware files can be authenticated using its associated digital signature;
  
  receive a digital signature;
  
  authenticate two or more firmware files using the digital signature, wherein a first one of the two or more firmware files belongs to a first firmware volume and a second one of the two of more firmware files belongs to a second firmware volume distinct from the first firmware volume, and wherein at least one of the first or second firmware volumes includes at least one firmware file that cannot be authenticated using the digital signature; and
  
  load the two or more firmware files during a booting process.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The BIOS of claim 16, wherein the first firmware volume is stored in a memory device external to the BIOS and accessible to the BIOS via a southbridge chipset as a virtual mass storage device.
  - 18. The BIOS of claim 16, wherein the two or more firmware files include at least one of:
    - a firmware driver, a Unified Extensible Firmware Interface (UEFI) application, an Operating System (OS) loader, or an Option Read-Only-Memory (OPROM) file.
  - 19. The BIOS of claim 16, wherein to authenticate the two or more firmware files, the program instructions, upon execution, further cause the IHS to:
    - create a hash based upon one of the two or more firmware files using a same algorithm used in the creation of the digital signature;
      
      decode the digital signature using a public key; and
      
      compare the hash to the decoded digital signature.
  - 20. The BIOS of claim 19, wherein the program instructions, upon execution, further cause the IHS to authenticate the two or more firmware files in response to the hash matching the decoded digital signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dell Products LP (Dell Technologies Inc.)
Original Assignee
Dell Inc. (Dell Technologies Inc.)
Inventors
Liu, Wei G., Shutt, Mark W.
Primary Examiner(s)
Stoynov, Stefan

Application Number

US13/912,330
Publication Number

US 20140365755A1
Time in Patent Office

893 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/572 Secure firmware programming...

Firmware authentication

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Firmware authentication

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others