Apparatus and method for securing BIOS in a trusted computing system

US 9,367,689 B2
Filed: 11/13/2013
Issued: 06/14/2016
Est. Priority Date: 11/13/2013
Status: Active Grant

First Claim

Patent Images

1. An apparatus for protecting a basic input/output system (BIOS) in a computing system, the apparatus comprising:

a BIOS read only memory (ROM), comprising;

BIOS contents, wherein said BIOS contents are stored as plaintext; and

an encrypted message digest, wherein said encrypted message digest comprises an encrypted version of a first message digest that corresponds to said BIOS contents, and wherein said encrypted version is generated via a symmetric key algorithm and a key;

a tamper detector, disposed within a microprocessor and operatively coupled to said BIOS ROM, configured to access said BIOS contents and said encrypted message digest upon reset of said microprocessor, and configured to direct a crypto/hash unit within said microprocessor to generate a second message digest corresponding to said BIOS contents and a decrypted message digest corresponding to said encrypted message digest using said symmetric key algorithm and said key, and configured to compare said second message digest with said decrypted message digest, and configured to preclude operation of said microprocessor when said second message digest and said decrypted message digest are not equal, and configured to allow operation of said microprocessor when said second message digest and said decrypted message digest are equal; and

a random number generator, configured to generate a random number for entry into a tamper at completion of a periodic BIOS hack check to set a following interval for a next BIOS hack check.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus including a BIOS read only memory (ROM) and a tamper detector. The BIOS ROM includes BIOS contents stored as plaintext, and an encrypted message digest comprising an encrypted version of a first message digest that corresponds to the BIOS contents. The tamper detector is coupled to the BIOS ROM, and accesses the BIOS contents and the encrypted message digest upon reset of a microprocessor, and directs the microprocessor to generate a second message digest corresponding to the BIOS contents and a decrypted message digest corresponding to the encrypted message digest using the same algorithms and key that were employed to generate the first message digest and the encrypted message digest, and compares the second message digest with the decrypted message digest, and precludes the operation of the microprocessor if the second message digest and the decrypted message digest are not equal.

66 Citations

View as Search Results

21 Claims

1. An apparatus for protecting a basic input/output system (BIOS) in a computing system, the apparatus comprising:
- a BIOS read only memory (ROM), comprising;
  
  BIOS contents, wherein said BIOS contents are stored as plaintext; and
  
  an encrypted message digest, wherein said encrypted message digest comprises an encrypted version of a first message digest that corresponds to said BIOS contents, and wherein said encrypted version is generated via a symmetric key algorithm and a key;
  
  a tamper detector, disposed within a microprocessor and operatively coupled to said BIOS ROM, configured to access said BIOS contents and said encrypted message digest upon reset of said microprocessor, and configured to direct a crypto/hash unit within said microprocessor to generate a second message digest corresponding to said BIOS contents and a decrypted message digest corresponding to said encrypted message digest using said symmetric key algorithm and said key, and configured to compare said second message digest with said decrypted message digest, and configured to preclude operation of said microprocessor when said second message digest and said decrypted message digest are not equal, and configured to allow operation of said microprocessor when said second message digest and said decrypted message digest are equal; and
  
  a random number generator, configured to generate a random number for entry into a tamper at completion of a periodic BIOS hack check to set a following interval for a next BIOS hack check.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus as recited in claim 1, wherein said BIOS ROM and said tamper detector are disposed separately on a system board of the computing system.
  - 3. The apparatus as recited in claim 1, wherein said crypto/hash unit employs the Secure Hash Algorithm to generate said second message digest.
  - 4. The apparatus as recited in claim 1, wherein said crypto/hash unit employs the Advanced Encryption Standard algorithm to generate said decrypted message digest.
  - 5. The apparatus as recited in claim 1, wherein said crypto/hash unit disposed within execution logic, and wherein said key is exclusively accessed by said crypto/hash unit.
  - 6. The apparatus as recited in claim 5, wherein said key cannot be accessed by program instructions that are executed by said microprocessor.
  - 7. The apparatus as recited in claim 1, wherein said microprocessor comprises an x86-compatible microprocessor.

8. An apparatus for protecting a basic input/output system (BIOS) in a computing system, the apparatus comprising:
- a BIOS read only memory (ROM), comprising;
  
  BIOS contents, wherein said BIOS contents are stored as plaintext; and
  
  an encrypted message digest, wherein said encrypted message digest comprises an encrypted version of a first message digest that corresponds to said BIOS contents, and wherein said encrypted version is generated via a symmetric key algorithm and a key; and
  
  a microprocessor, coupled to said BIOS ROM, said microprocessor comprising;
  
  a tamper detector, configured to access said BIOS contents and said encrypted message digest upon reset of said microprocessor, and configured to direct a crypto/hash unit within said microprocessor to generate a second message digest corresponding to said BIOS contents and a decrypted message digest corresponding to said encrypted message digest using said symmetric key algorithm and said key, and configured to compare said second message digest with said decrypted message digest, and configured to preclude operation of said microprocessor when said second message digest and said decrypted message digest are not equal, and configured to allow operation of said microprocessor when said second message digest and said decrypted message digest are equal; and
  
  a random number generator, configured to generate a random number for entry into a tamper at completion of a periodic BIOS hack check to set a following interval for a next BIOS hack check.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus as recited in claim 8, wherein said BIOS ROM and said microprocessor are disposed separately on a system board of the computing system.
  - 10. The apparatus as recited in claim 8, wherein said crypto/hash unit employs the Secure Hash Algorithm to generate said second message digest.
  - 11. The apparatus as recited in claim 8, wherein said crypto/hash unit employs the Advanced Encryption Standard algorithm to generate said decrypted message digest.
  - 12. The apparatus as recited in claim 8, wherein said crypto/hash unit disposed within execution logic, and wherein said key is exclusively accessed by said crypto/hash unit.
  - 13. The apparatus as recited in claim 12, wherein said key cannot be accessed by program instructions that are executed by said microprocessor.
  - 14. The apparatus as recited in claim 8, wherein said microprocessor comprises an x86-compatible microprocessor.

15. A method for protecting a basic input/output system (BIOS) in a computing system, the method comprising:
- storing BIOS contents as plaintext in a BIOS ROM along with an encrypted message digest that comprises an encrypted version of first message digest that corresponds to the BIOS contents, wherein the encrypted version is generated via a symmetric key algorithm and a key;
  
  upon reset of a microprocessor, accessing the BIOS contents and the encrypted message digest, and generating a second message digest corresponding to the BIOS contents and a decrypted message digest corresponding to the first encrypted message digest using the symmetric key algorithm and the key;
  
  comparing the second message digest with the decrypted message digest;
  
  precluding operation of the microprocessor when the second message digest and the decrypted message digest are not equal;
  
  allowing operation of the microprocessor when the second message digest and the decrypted message digest are equal; and
  
  generating a random number for entry into a tamper timer at completion of a periodic BIOS hack check to set a following interval for a next BIOS hack check.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The method as recited in claim 15, further comprising:
    - separately disposing the BIOS ROM and the microprocessor on a system board of the computing system.
  - 17. The method as recited in claim 15, wherein said accessing comprises:
    - employing the Secure Hash Algorithm to generate the second message digest.
  - 18. The apparatus as recited in claim 15, wherein said accessing further comprises:
    - employing the Advanced Encryption Standard algorithm to generate the decrypted message digest.
  - 19. The method as recited in claim 15, wherein the microprocessor comprises a dedicated crypto/hash unit disposed within execution logic, and wherein the crypto/hash unit generates the second message digest and the decrypted message digest, and wherein the key is exclusively accessed by the crypto/hash unit.
  - 20. The method as recited in claim 19, wherein the key cannot be accessed by program instructions that are executed by the microprocessor.
  - 21. The method as recited in claim 15, wherein the microprocessor comprises an x86-compatible microprocessor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VIA Technologies Incorporated (VIA Technologies)
Original Assignee
VIA Technologies Incorporated (VIA Technologies)
Inventors
Henry, G. Glenn
Primary Examiner(s)
SHOLEMAN, ABU S

Application Number

US14/079,021
Publication Number

US 20150134974A1
Time in Patent Office

944 Days
Field of Search

713/2, 713/176, 713/1, 713/179, 713/193, 713/194, 726/26
US Class Current

1/1
CPC Class Codes

G06F 21/572 Secure firmware programming...

G06F 2221/2107 File encryption

Apparatus and method for securing BIOS in a trusted computing system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

66 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for securing BIOS in a trusted computing system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links