Method for authenticating firmware volume and system therefor

US 9,524,390 B2
Filed: 09/09/2014
Issued: 12/20/2016
Est. Priority Date: 09/09/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

accessing a first firmware volume of a Unified Extensible Firmware Interface (UEFI) compliant information handling system;

retrieving, using a computer, authentication information from the first firmware volume using a UEFI Secure Architecture Protocol (SAP);

determining, based on the authentication information, if the first firmware volume is a first type of firmware volume;

if the first firmware volume is the first type of firmware volume, then authenticating the first firmware volume using the first authentication information and an authentication procedure other than Secure Boot authentication; and

if the first firmware volume is a second type of firmware volume, the second type different than the first type, then authenticating the first firmware volume using the first authentication information and the Secure Boot authentication.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first firmware volume of a Unified Extensible Firmware Interface (UEFI) compliant information handling system is accessed. Authentication information is retrieved from the first firmware volume using a UEFI Secure Architecture Protocol. Based on the authentication information, it is determined if the first firmware volume is a first type of firmware volume. If the first firmware volume is the first type of firmware volume, the first firmware volume is authenticated using the first authentication information and an authentication procedure other than Secure Boot authentication. If the first firmware volume is a second type of firmware volume, the second type different than the first type, the first firmware volume is authenticated using the first authentication information and the Secure Boot authentication.

Citations

20 Claims

1. A method comprising:
- accessing a first firmware volume of a Unified Extensible Firmware Interface (UEFI) compliant information handling system;
  
  retrieving, using a computer, authentication information from the first firmware volume using a UEFI Secure Architecture Protocol (SAP);
  
  determining, based on the authentication information, if the first firmware volume is a first type of firmware volume;
  
  if the first firmware volume is the first type of firmware volume, then authenticating the first firmware volume using the first authentication information and an authentication procedure other than Secure Boot authentication; and
  
  if the first firmware volume is a second type of firmware volume, the second type different than the first type, then authenticating the first firmware volume using the first authentication information and the Secure Boot authentication.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the first type of firmware volume is a firmware volume provided by an original equipment manufacturer (OEM) of the information handling system.
  - 3. The method of claim 1, wherein the second type of firmware volume is a firmware volume provided by an original design manufacture (ODM), the ODM associated with a component of the information handling system.
  - 4. The method of claim 1, further comprising:
    - executing a plurality of images at the first firmware volume, without conducting further authentication of the images, in response to successful authentication of the first firmware volume.
  - 5. The method of claim 1, wherein a section at the first firmware volume includes a proprietary secure architecture policy and the authentication information, the policy accessed using the SAP.
  - 6. The method of claim 5, wherein the proprietary secure architecture policy identifies a subset of images included at the first firmware volume, the subset including a plurality of images, the subset of images authenticated using only one Secure Boot certificate.
  - 7. The method of claim 1, wherein prior to retrieving the authentication information, a UEFI platform initialization process is not aware of whether the first firmware volume is the first type of firmware volume.

8. A method comprising:
- determining, using a Unified Extensible Firmware Interface (UEFI) Secure Architecture Protocol (SAP), that a first firmware volume is provided by an original equipment manufacturer (OEM) of an information handling system;
  
  authenticating the first firmware volume using a computer and a first authentication procedure, the first authentication procedure other than Secure Boot authentication;
  
  determining, using the UEFI SAP, that a second firmware volume is provided by an original design manufacture (ODM), the ODM associated with a component of the information handling system; and
  
  authenticating the second firmware volume using Secure Boot authentication.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The method of claim 8, wherein authenticating the first firmware volume comprises:
    - retrieving first authentication information from the first firmware volume using the UEFI SAP;
      
      authenticating the first firmware volume using the first authentication information; and
      
      executing a plurality of images included at the first firmware volume, without performing further authentication of the images, in response to determining that the authenticating was successful.
  - 10. The method of claim 8, wherein authenticating the second firmware volume comprises:
    - retrieving a Secure Boot certificate from the second firmware volume using the UEFI SAP;
      
      authenticating the second firmware volume using the Secure Boot certificate; and
      
      executing a plurality of images included at the second firmware volume without performing further authentication of the images.
  - 11. The method of claim 8, wherein authenticating the second firmware volume comprises:
    - retrieving authentication information from the second firmware volume using the UEFI SAP;
      
      failing to authenticate the second firmware volume using the first authentication procedure; and
      
      determining that the second firmware volume is not an OEM firmware volume based on the failing to authenticate.
  - 12. The method of claim 8, wherein a section at the first firmware volume includes a proprietary secure architecture policy and the first authentication information, the policy accessed using the UEFI SAP.

13. An information handling system comprising:
- a Unified Extensible Firmware Interface (UEFI) compliant basic input-output system (BIOS);
  
  a data storage device for storing a first firmware volume and a second firmware volume; and
  
  a processor to;
  
  access the first firmware volume;
  
  retrieve authentication information from the first firmware volume using a UEFI Secure Architecture Protocol (SAP); and
  
  classify the first firmware volume as one of two distinct types of firmware volumes based on the authentication information, the two distinct types including a first type and a second type.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The information handling system of claim 13, wherein:
    - if the first firmware volume is the first type of firmware volume, the processor is further to authenticate the first firmware volume using the authentication information and an authentication procedure other than Secure Boot authentication; and
      
      if the first firmware volume is the second type of firmware volume, the processor is further to authenticate the first firmware volume using the authentication information and Secure Boot authentication.
  - 15. The information handling system of claim 13, wherein a first type of firmware volume is a firmware volume provided by an original equipment manufacturer (OEM) of the information handling system.
  - 16. The information handling system of claim 13, wherein the second type of firmware volume is a firmware volume provided by an original design manufacture (ODM), the ODM associated with a component of the information handling system.
  - 17. The information handling system of claim 13, wherein the processor is further to:
    - execute a plurality of images at the first firmware volume, without conducting further authentication of the images, in response to successful authentication of the first firmware volume.
  - 18. The information handling system of claim 13, wherein a section at the first firmware volume includes a proprietary secure architecture policy and the authentication information, the policy accessed using the SAP.
  - 19. The information handling system of claim 18, wherein the proprietary secure architecture policy identifies a subset of images included at the first firmware volume, the subset including a plurality of images, the subset of images authenticated using only one Secure Boot certificate.
  - 20. The information handling system of claim 13, wherein prior to retrieving the authentication information, a UEFI platform initialization process is not aware of whether the first firmware volume is the first type of firmware volume or the second type of firmware volume.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dell Products LP (Dell Technologies Inc.)
Original Assignee
Dell Products LP (Dell Technologies Inc.)
Inventors
Kulkarni, Yogesh P., Dasar, Sundar, Vidyadhara, Sumanth
Primary Examiner(s)
WANG, ALBERT C

Application Number

US14/481,111
Publication Number

US 20160070913A1
Time in Patent Office

833 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/572   Secure firmware programming...

G06F 21/575   Secure boot

G06F 9/4401   Bootstrapping security arra...

H04L 63/0823   using certificates cryptogr...

H04L 63/20   for managing network securi...

Method for authenticating firmware volume and system therefor

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method for authenticating firmware volume and system therefor

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links