Attesting use of an interactive component during a boot process

US 9,342,696 B2
Filed: 08/31/2011
Issued: 05/17/2016
Est. Priority Date: 09/22/2010
Status: Active Grant

First Claim

Patent Images

1. A method for attesting a boot process of a managed system, said managed system having an interactive component for receiving an optional interactive user input as part of the boot process, the method comprising the computer-executed steps of:

retrieving a record of events occurring during said boot process, the record of events being generated in said managed system during said boot process;

determining, using said record of events, whether an interactive user input was received in said managed system using said interactive component as part of said boot process;

in response to determining that an interactive user input was received in said managed system using said interactive component;

comparing a cryptographic value derived from the interactive user input with a record of any trusted cryptographic values to determine whether the interactive user input which was received using said interactive component as part of said boot process should be trusted;

if the cryptographic value derived from the interactive user input matches a trusted cryptographic value in the record of any trusted cryptographic values, then determining that the interactive user input should be trusted;

if the cryptographic value derived from the interactive user input does not match any trusted cryptographic value in the record of any trusted cryptographic values, then parsing an event log containing the interactive user input to determine whether the interactive user input should be trusted; and

in response to determining that the interactive user input should be trusted as a result of parsing the event log containing the interactive user input to determine whether the interactive user input should be trusted, processing the interactive user input to create a first trusted cryptographic value and adding the first trusted cryptographic value to the record of any trusted cryptographic values.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for attesting use of an interactive component during a boot process, comprising the steps of: reading, in response to determining use of the interactive component, associated interactive input; determining whether the input should be trusted; and in response to determining that the input should be trusted, processing the input to create a trusted cryptographic value, further comprising: matching, in response to a subsequent interactive input being read, the subsequent interactive input with one or more of the trusted cryptographic values in order to determine whether the subsequent interactive input is trusted.

68 Citations

View as Search Results

9 Claims

1. A method for attesting a boot process of a managed system, said managed system having an interactive component for receiving an optional interactive user input as part of the boot process, the method comprising the computer-executed steps of:
- retrieving a record of events occurring during said boot process, the record of events being generated in said managed system during said boot process;
  
  determining, using said record of events, whether an interactive user input was received in said managed system using said interactive component as part of said boot process;
  
  in response to determining that an interactive user input was received in said managed system using said interactive component;
  
  comparing a cryptographic value derived from the interactive user input with a record of any trusted cryptographic values to determine whether the interactive user input which was received using said interactive component as part of said boot process should be trusted;
  
  if the cryptographic value derived from the interactive user input matches a trusted cryptographic value in the record of any trusted cryptographic values, then determining that the interactive user input should be trusted;
  
  if the cryptographic value derived from the interactive user input does not match any trusted cryptographic value in the record of any trusted cryptographic values, then parsing an event log containing the interactive user input to determine whether the interactive user input should be trusted; and
  
  in response to determining that the interactive user input should be trusted as a result of parsing the event log containing the interactive user input to determine whether the interactive user input should be trusted, processing the interactive user input to create a first trusted cryptographic value and adding the first trusted cryptographic value to the record of any trusted cryptographic values.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method as claimed in claim 1, further comprising the steps of:
    - assigning a platform configuration register (PCR) to the interactive user input; and
      
      extending the assigned PCR with the interactive user input.
  - 3. A method as claimed in claim 1, further comprising the step of:
    - generating metadata associated with the trusted cryptographic value.
  - 4. A method as claimed in claim 1, further comprising the step of:
    - determining, in response to the subsequent interactive user input matching a trusted cryptographic value, that a system associated with the interactive component is trusted.
  - 5. A method as claimed in claim 1,wherein parsing an event log containing the interactive user input to determine whether the interactive user input should be trusted comprises:
    - matching an event log entry in the event log with a data structure of known input.
  - 6. A method as claimed in claim 5, further comprising the step of:
    - determining, in response to the event log entry not matching the data structure of known input, that a system associated with the interactive component is not trusted.
  - 7. A method as claimed in claim 1, wherein the method is performed in a managing computer system separate from said managed computer system.

8. A computer program comprising computer program code stored on a non-transitory computer readable medium to, when loaded into a computer system and executed thereon, cause said computer system to perform the steps of:
- retrieving a record of events occurring during a boot process of a managed system, said managed system having an interactive component for receiving an optional interactive user input as part of the boot process, the record of events being generated in said managed system during said boot process;
  
  determining, using said record of events whether an interactive user in gut was received in said managed system using said interactive component as part of said boot process;
  
  in response to determining that an interactive user input was received in said managed system using said interactive component;
  
  comparing a cryptographic value derived from the interactive user input with a record of any trusted cryptographic values to determine whether the interactive user input which was received using said interactive component as part of said boot process should be trusted;
  
  if the cryptographic value derived from the interactive user input matches a trusted cryptographic value in the record of any trusted cryptographic values, then determining that the interactive user input should be trusted;
  
  if the cryptographic value derived from the interactive user input does not match any trusted cryptographic value in the record of any trusted cryptographic values, then parsing an event log containing the interactive user input to determine whether the interactive user input should be trusted; and
  
  in response to determining that the interactive user input should be trusted as a result of parsing the event log containing the interactive user input to determine whether the interactive user input should be trusted, processing the interactive user input to create a first trusted cryptographic value and adding the first trusted cryptographic value to the record of any trusted cryptographic values.
- View Dependent Claims (9)
- - 9. The computer program as claimed in claim 8, wherein the computer program code is executed in a managing computer system separate from said managed computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Imtiaz, Imran, Mackintosh, David Nigel, Walker, James William
Primary Examiner(s)
Mehedi, Morshed
Assistant Examiner(s)
Naghdali, Khalil

Application Number

US13/820,039
Publication Number

US 20130212369A1
Time in Patent Office

1,721 Days
Field of Search

726/22, 726/30, 711/130
US Class Current

1/1
CPC Class Codes

G06F 21/57 Certifying or maintaining t...

G06F 21/575 Secure boot

Attesting use of an interactive component during a boot process

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

68 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Attesting use of an interactive component during a boot process

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links