System and method for verifying changes to UEFI authenticated variables
First Claim
1. A computing device-implemented method for trusting an operating system application attempting to change a Unified Extensible Firmware Interface (UEFI) authenticated variable comprising:
- receiving, with an operating system application, a user-supplied password;
- using the user-supplied password to create a hash of configuration data for a request to alter a UEFI authenticated variable;
- clearing, the user-supplied password from a memory of the computing device following the creating of the hash of configuration data for the request;
- receiving with system firmware the request to alter the UEFI authenticated variable from the operating system application, the request accompanied by the hash of configuration data and the configuration data;
- examining the request with the system firmware, the examining verifying that a portion of an authentication header is set to a pre-determined Globally Unique Identifier (GUID) and that the request contains a timestamp value later than a current timestamp value associated with the UEFI authenticated variable for which alteration is requested, the pre-determined GUID indicating that the operating system application request used a password-based mechanism for authentication;
- calculating with the firmware a new hash of the configuration data contained in the request based on a password known to the firmware;
- comparing the new hash to the hash contained in the request; and
- allowing alteration of the UEFI authenticated variable in event of a match between the new hash and the hash contained in the request.
Abstract
A mechanism for certifying that an operating system-based application has authorization to change a UEFI authenticated variable held in the system firmware is discussed. Embodiments of the present invention receive with the system firmware a request from an operating system-based application to change a UEFI authenticated variable. The request includes an authentication descriptor header with a timestamp and pre-determined GUID. The request also includes a hash calculated using a password known to the firmware. The system firmware certifies that the caller has authorization to change an authenticated variable by first verifying the information in the header and then creating a new hash using the password. The new hash is compared to the received hash and must match in order for the system firmware to allow the alteration of the UEFI authenticated variable. In one embodiment, the password is the system firmware password.
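The check sequence described in the abstract, as an added example that is not code from the patent: an OS-side request builder that wipes the password buffer, and a firmware-side verifier that checks the GUID, the timestamp and the keyed hash in that order. Assumptions: HMAC-SHA-256 as the keyed hash, the variable name and timestamp covered by the hash alongside the configuration data, an integer timestamp, a constructed placeholder GUID, and the hypothetical names `keyed_hash`, `build_request` and `Firmware`.

```python
import hashlib
import hmac
import struct
import uuid

# Constructed placeholder: the page does not give the pre-determined GUID value.
PASSWORD_AUTH_GUID = uuid.UUID("00000000-0000-4000-8000-000000000001")


def keyed_hash(password, name: str, timestamp: int, data: bytes) -> bytes:
    """HMAC-SHA-256 keyed by the password (assumed construction)."""
    msg = name.encode("utf-16-le") + struct.pack("<Q", timestamp) + data
    return hmac.new(password, msg, hashlib.sha256).digest()


def build_request(password: bytearray, name: str, timestamp: int, data: bytes) -> dict:
    """OS-application side: hash the configuration data, then clear the password."""
    digest = keyed_hash(password, name, timestamp, data)
    for i in range(len(password)):  # zero the caller's mutable buffer in place
        password[i] = 0
    return {"guid": PASSWORD_AUTH_GUID, "timestamp": timestamp,
            "name": name, "data": data, "hash": digest}


class Firmware:
    """Firmware side: knows the password and each variable's current timestamp."""

    def __init__(self, password: bytes):
        self._password = password
        self._vars = {}  # name -> (timestamp, data)

    def set_variable(self, req: dict) -> str:
        # 1. Header: the GUID must mark the request as password-authenticated.
        if req["guid"] != PASSWORD_AUTH_GUID:
            return "rejected: GUID"
        # 2. Header: the timestamp must be later than the stored one (anti-replay).
        current_ts = self._vars.get(req["name"], (0, b""))[0]
        if req["timestamp"] <= current_ts:
            return "rejected: timestamp"
        # 3. Recompute the hash with the firmware's password; constant-time compare.
        expected = keyed_hash(self._password, req["name"], req["timestamp"], req["data"])
        if not hmac.compare_digest(expected, req["hash"]):
            return "rejected: hash"
        self._vars[req["name"]] = (req["timestamp"], req["data"])
        return "accepted"

    def get_variable(self, name: str) -> bytes:
        return self._vars[name][1]
```
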
18 Claims
1. A computing device-implemented method for trusting an operating system application attempting to change a Unified Extensible Firmware Interface (UEFI) authenticated variable comprising:
- receiving, with an operating system application, a user-supplied password;
- using the user-supplied password to create a hash of configuration data for a request to alter a UEFI authenticated variable;
- clearing, the user-supplied password from a memory of the computing device following the creating of the hash of configuration data for the request;
- receiving with system firmware the request to alter the UEFI authenticated variable from the operating system application, the request accompanied by the hash of configuration data and the configuration data;
- examining the request with the system firmware, the examining verifying that a portion of an authentication header is set to a pre-determined Globally Unique Identifier (GUID) and that the request contains a timestamp value later than a current timestamp value associated with the UEFI authenticated variable for which alteration is requested, the pre-determined GUID indicating that the operating system application request used a password-based mechanism for authentication;
- calculating with the firmware a new hash of the configuration data contained in the request based on a password known to the firmware;
- comparing the new hash to the hash contained in the request; and
- allowing alteration of the UEFI authenticated variable in event of a match between the new hash and the hash contained in the request.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A non-transitory medium holding computer-executable instructions for trusting an operating system application attempting to change a Unified Extensible Firmware Interface (UEFI) authenticated variable, the instructions when executed causing at least one computing device to:
- receive, with an operating system application, a user-supplied password;
- use the user-supplied password to create a hash of configuration data for a request to alter a UEFI authenticated variable;
- clear, the user-supplied password from a memory of the at least one computing device following the creating of the hash of configuration data for the request;
- receive with system firmware the request to alter the UEFI authenticated variable from the operating system application, the request accompanied by the hash of configuration data and the configuration data;
- examine the request with the system firmware, the examining verifying that a portion of an authentication header is set to a pre-determined Globally Unique Identifier (GUID) and the request contains a timestamp value later than a current timestamp value associated with the UEFI authenticated variable for which alteration is requested, the pre-determined GUID indicating that the operating system application request used a password-based mechanism for authentication;
- calculate with the firmware a new hash of the configuration data contained in the request based on a password known to the firmware;
- compare the new hash to the hash contained in the request; and
- allow alteration of the UEFI authenticated variable in event of a match between the new hash and the hash contained in the request.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A computing device, comprising:
- a processor;
- an operating system;
- an operating system-based application executed while the computing device is under control of the operating system, the operating system application configured to:
  - receive a user-supplied password;
  - use the user-supplied password to create a hash of configuration data for a request to alter a UEFI authenticated variable;
  - clear, the user-supplied password from a memory of the at least one computing device following the creating of the hash of configuration data for the request;
- system firmware held in Read Only Memory, the system firmware configured to:
  - receive the request to alter the UEFI authentication variable from the operating system-based application, the request accompanied by the hash of configuration data and the configuration data;
  - examine the request, the examining verifying that a portion of an authentication header is set to a pre-determined Globally Unique Identifier (GUID) and the request contains a timestamp value later than a current timestamp value associated with the UEFI authenticated variable for which alteration is requested, the pre-determined GUID indicating that the operating system application request used a password-based mechanism for authentication;
  - calculate a new hash of the configuration data contained in the request based on a password known to the system firmware;
  - compare the new hash to the hash contained in the request; and
  - allow alteration of the UEFI authenticated variable in event of a match between the new hash and the hash contained in the request.
Dependent claims: 16, 17, 18
Specification