System and method for verifying changes to UEFI authenticated variables

US 9,660,807 B2
Filed: 09/22/2014
Issued: 05/23/2017
Est. Priority Date: 09/20/2013
Status: Active Grant

First Claim

Patent Images

1. A computing device-implemented method for trusting an operating system application attempting to change a Unified Extensible Firmware Interface (UEFI) authenticated variable comprising:

receiving, with an operating system application, a user-supplied password;

using the user-supplied password to create a hash of configuration data for a request to alter a UEFI authenticated variable;

clearing, the user-supplied password from a memory of the computing device following the creating of the hash of configuration data for the request;

receiving with system firmware the request to alter the UEFI authenticated variable from the operating system application, the request accompanied by the hash of configuration data and the configuration data;

examining the request with the system firmware, the examining verifying that a portion of an authentication header is set to a pre-determined Globally Unique Identifier (GUID) and that the request contains a timestamp value later than a current timestamp value associated with the UEFI authenticated variable for which alteration is requested, the pre-determined GUID indicating that the operating system application request used a password-based mechanism for authentication;

calculating with the firmware a new hash of the configuration data contained in the request based on a password known to the firmware;

comparing the new hash to the hash contained in the request; and

allowing alteration of the UEFI authenticated variable in event of a match between the new hash and the hash contained in the request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mechanism for certifying that an operating system-based application has authorization to change a UEFI authenticated variable held in the system firmware is discussed. Embodiments of the present invention receive with the system firmware a request from an operating system-based application to change a UEFI authenticated variable. The request includes an authentication descriptor header with a timestamp and pre-determined GUID. The request also includes a hash calculated using a password known to the firmware. The system firmware certifies that the caller has authorization to change an authenticated variable by first verifying the information in the header and then creating a new hash using the password. The new hash is compared to the received hash and must match in order for the system firmware to allow the alteration of the UEFI authenticated variable. In one embodiment, the password is the system firmware password.

Citations

18 Claims

1. A computing device-implemented method for trusting an operating system application attempting to change a Unified Extensible Firmware Interface (UEFI) authenticated variable comprising:
- receiving, with an operating system application, a user-supplied password;
  
  using the user-supplied password to create a hash of configuration data for a request to alter a UEFI authenticated variable;
  
  clearing, the user-supplied password from a memory of the computing device following the creating of the hash of configuration data for the request;
  
  receiving with system firmware the request to alter the UEFI authenticated variable from the operating system application, the request accompanied by the hash of configuration data and the configuration data;
  
  examining the request with the system firmware, the examining verifying that a portion of an authentication header is set to a pre-determined Globally Unique Identifier (GUID) and that the request contains a timestamp value later than a current timestamp value associated with the UEFI authenticated variable for which alteration is requested, the pre-determined GUID indicating that the operating system application request used a password-based mechanism for authentication;
  
  calculating with the firmware a new hash of the configuration data contained in the request based on a password known to the firmware;
  
  comparing the new hash to the hash contained in the request; and
  
  allowing alteration of the UEFI authenticated variable in event of a match between the new hash and the hash contained in the request.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the user-supplied password and the password know to the firmware is a system firmware password.
  - 3. The method of claim 1 wherein the calculating of the new hash is also based on a name of the UEFI authenticated variable.
  - 4. The method of claim 1 wherein the calculating of the new hash is also based on the GUID pointed to by a VendorGuid parameter of SetVariable( ).
  - 5. The method of claim 1 wherein the calculating of the new hash is also based on a structure of the time stamp.
  - 6. The method of claim 1 wherein the password used to generate the new hash is selected by the firmware based on a UEFI authenticated variable name contained in the request.
  - 7. The method of claim 1 wherein a plurality of new hashes are created based on a plurality of passwords and compared to the hash contained in the request.

8. A non-transitory medium holding computer-executable instructions for trusting an operating system application attempting to change a Unified Extensible Firmware Interface (UEFI) authenticated variable, the instructions when executed causing at least one computing device to:
- receive, with an operating system application, a user-supplied password;
  
  use the user-supplied password to create a hash of configuration data for a request to alter a UEFI authenticated variable;
  
  clear, the user-supplied password from a memory of the at least one computing device following the creating of the hash of configuration data for the request;
  
  receive with system firmware the request to alter the UEFI authenticated variable from the operating system application, the request accompanied by the hash of configuration data and the configuration data;
  
  examine the request with the system firmware, the examining varifying that a portion of an authentication header is set to a pre-determined Globally Unique Identifier (GUID) and the request contains a timestamp value later than a current timestamp value associated with the UEFI authenticated variable for which alteration is requested, the pre-determined GUID indicating that the operating system application request used a password-based mechanism for authentication;
  
  calculate with the firmware a new hash of the configuration data contained in the request based on a password known to the firmware;
  
  compare the new hash to the hash contained in the request; and
  
  allow alteration of the UEFI authenticated variable in event of a match between the new hash and the hash contained in the request.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The medium of claim 8 wherein the user-supplied password and the password known to the firmware is a system firmware password.
  - 10. The medium of claim 8 wherein the calculating of the new hash is also based on a name of the UEFI authenticated variable.
  - 11. The medium of claim 8 wherein the calculating of the new hash is also based on the GUID pointed to by a vendorGuid parameter of SetVariable( ).
  - 12. The medium of claim 8 wherein the calculating of the new hash is also based on a structure of the time stamp.
  - 13. The medium of claim 8 wherein the password used to generate the new hash is selected by the firmware based on a UEFI authenticated variable name contained in the request.
  - 14. The medium of claim 8 wherein a plurality of new hashes are created based on a plurality of passwords and compared to the hash contained in the request.

15. A computing device, comprising:
- a processor;
  
  an operating system;
  
  an operating system-based application executed while the computing device is under control of the operating system, the operating system application configured to;
  
  receive a user-supplied password;
  
  use the user-supplied password to create a hash of configuration data for a request to alter a UEFI authenticated variable;
  
  clear, the user-supplied password from a memory of the at least one computing device following the creating of the hash of configuration data for the request;
  
  system firmware held in Read Only Memory, the system firmware configured to;
  
  receive the request to alter the UEFI authentication variable from the operating system-based application, the request accompanied by the hash of configuration data and the configuration data;
  
  examine the request, the examining verifying that a portion of an authentication header is set to a pre-determined Globally Unique Identifier (GUID) and the request contains a timestamp value later than a current timestamp value associated with the UEFI authenticated variable for which alteration is requested, the pre-determined GUID indicating that the operating system application request used a password-based mechanism for authentication;
  
  calculate a new hash of the configuration data contained in the request based on a password known to the system firmware;
  
  compare the new hash to the hash contained in the request; and
  
  allow alteration of the UEFI authenticated variable in event of a match between the new hash and the hash contained in the request.
- View Dependent Claims (16, 17, 18)
- - 16. The computing device of claim 15 wherein the user-supplied password and the password know to the system firmware is a system firmware password.
  - 17. The computing device of claim 15 wherein the password used to generate the new hash is selected by the firmware based on a UEFI authenticated variable name contained in the request.
  - 18. The computing device of claim 15 wherein a plurality of passwords are stored in the ROM and a plurality of new hashes are created based on the plurality of passwords and compared to the hash contained in the request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Insyde Software Corp
Original Assignee
Insyde Software Corp
Inventors
Lewis, Timothy Andrew
Primary Examiner(s)
ZAIDI, SYED A

Application Number

US14/492,916
Publication Number

US 20150089238A1
Time in Patent Office

974 Days
Field of Search

713183
US Class Current
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/572   Secure firmware programming...

H04L 9/0891   Revocation or update of sec...

H04L 9/3226   using a predetermined code,...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3297   involving time stamps, e.g....

System and method for verifying changes to UEFI authenticated variables

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for verifying changes to UEFI authenticated variables

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links