Continuation of trust for platform boot firmware

US 9,223,982 B2
Filed: 03/01/2013
Issued: 12/29/2015
Est. Priority Date: 03/01/2013
Status: Active Grant

First Claim

Patent Images

1. A device, comprising:

a memory module including at least platform boot firmware including a plurality of platform boot firmware files; and

a processing module including a processor configured to load the platform boot firmware when the device is activated, the platform boot firmware causing the processing module to load a hash table, wherein the processing module calculates a hash value for a first platform boot firmware file of the plurality of platform boot firmware files and, upon determining the hash value is in the hash table, proceeding to execute the first platform boot firmware file prior to calculating a subsequent hash value for a subsequent platform boot firmware file of the plurality of platform boot firmware files and, responsive to determining at least one hash value is not in the hash table, denying execution of the respective platform boot firmware file on the processor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure is directed to continuation of trust for platform boot firmware. A device may comprise a processing module and a memory module including read-only memory (ROM) on which is stored platform boot firmware. On activation, the processing module may load the platform boot firmware. The platform boot firmware may cause the processing module to first load a trusted pre-verifier file to load and verify the signature of a hash table loaded from the platform boot firmware. The processing module may then load firmware program files from the platform boot firmware, calculate a hash for each file, and verify whether each program hash is in the hash table. Firmware program files with hashes in the hash table may be allowed to execute. If any firmware program file hash is not in the hash table, the processing module may perform platform specific security actions to prevent the device from being compromised.

22 Citations

View as Search Results

18 Claims

1. A device, comprising:
- a memory module including at least platform boot firmware including a plurality of platform boot firmware files; and
  
  a processing module including a processor configured to load the platform boot firmware when the device is activated, the platform boot firmware causing the processing module to load a hash table, wherein the processing module calculates a hash value for a first platform boot firmware file of the plurality of platform boot firmware files and, upon determining the hash value is in the hash table, proceeding to execute the first platform boot firmware file prior to calculating a subsequent hash value for a subsequent platform boot firmware file of the plurality of platform boot firmware files and, responsive to determining at least one hash value is not in the hash table, denying execution of the respective platform boot firmware file on the processor.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The device of claim 1, wherein the memory module includes read-only memory to store the platform boot firmware.
  - 3. The device of claim 2, wherein the read-only memory stores platform boot firmware based on a Basic Input/Output System (BIOS), a Unified Extensible Firmware Interface (UEFI) or a coreboot system.
  - 4. The device of claim 1, wherein the loading of the platform boot firmware further comprises causing the processing module to load a pre-verifier file to verify a signature of the hash table prior to determining whether the first platform boot firmware file hash is in the hash table.
  - 5. The device of claim 4, wherein the pre-verifier file is not to verify signatures for any of the plurality of platform boot firmware files.
  - 6. The device of claim 1, wherein the boot process further comprises causing the processing module to perform at least one of halting the boot of the device and presenting a notification at least one of the plurality of platform boot firmware files hash values are determined not to be in the hash table.

7. A method, comprising:
- loading a hash table and platform boot firmware files when a device is activated using a processor;
  
  calculating a hash value for a first platform boot firmware file;
  
  determining whether the hash value for the first platform boot firmware file in the hash table; and
  
  responsive to the hash value for the first platform boot firmware file being in the hash table, executing the first platform boot firmware file on the processor prior to calculating a subsequent hash value for a subsequent platform boot firmware file.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein the hash table and platform boot firmware files are loaded from a memory module in the device, the memory module including read-only memory.
  - 9. The method of claim 8, wherein the read-only memory stores platform boot firmware based on a Basic Input/Output System (BIOS), a Unified Extensible Firmware Interface (UEFI) or a coreboot system.
  - 10. The method of claim 7, further comprising:
    - loading a pre-verifier file; and
      
      verifying a signature of the hash table with the pre-verifier file prior to determining whether the calculated hash value for the first platform boot firmware file is in the hash table.
  - 11. The method of claim 10, wherein signatures are not verified for the platform boot firmware files with the pre-verifier file.
  - 12. The method of claim 7, further comprising performing a security action if at least one of the platform boot firmware file hash values are determined not to be in the hash table.

13. One or more non-transitory machine-readable storage memories having stored thereon, individually or in combination, instructions that when executed by one or more processors result in the following operations comprising:
- loading a hash table and platform boot firmware files when a device is activated using at least one processor;
  
  calculating a hash value for a first platform boot firmware file;
  
  determining whether the hash value for the first platform boot firmware file is in the hash table; and
  
  responsive to the hash value for the first platform boot firmware file being in the hash table, executing the first platform boot firmware file on the processor prior to calculating a subsequent hash value for a subsequent platform boot firmware file.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The one or more non-transitory memories of claim 13, wherein the hash table and platform boot firmware files are loaded from a memory module in the device, the memory module including read-only memory.
  - 15. The one or more non-transitory memories of claim 14, wherein the read-only memory stores platform boot firmware based on a Basic Input/Output System (BIOS), a Unified Extensible Firmware Interface (UEFI) or a coreboot system.
  - 16. The one or more non-transitory memories of claim 13, further comprising instructions that when executed by one or more processors result in the following operations comprising:
    - loading a pre-verifier file; and
      
      verifying a signature of the hash table with the pre-verifier file prior to determining whether the calculated hash value for the first platform boot firmware file is in the hash table.
  - 17. The one or more non-transitory memories of claim 16, wherein signatures are not verified for the platform boot firmware files with the pre-verifier file.
  - 18. The one or more non-transitory memories of claim 13, further comprising instructions that when executed by one or more processors result in the following operations comprising:
    - performing a security action if at least one of the platform boot firmware file hash values are determined not to be in the hash table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Adams, Nicholas J., Wiseman, Willard M.
Primary Examiner(s)
BROWN, ANTHONY D

Application Number

US13/782,512
Publication Number

US 20140250291A1
Time in Patent Office

1,033 Days
Field of Search

713/150, 713187-189
US Class Current

1/1
CPC Class Codes

G06F 21/57 Certifying or maintaining t...

G06F 21/575 Secure boot

Continuation of trust for platform boot firmware

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Continuation of trust for platform boot firmware

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others