System wide root of trust chaining via signed applications

US 9,721,101 B2
Filed: 06/24/2013
Issued: 08/01/2017
Est. Priority Date: 06/24/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

searching, by a processing device having an enabled secure boot mode, for a key container comprising no executable code;

responsive to finding a first key container encapsulating a first signature and a first public key, verifying that the first signature is valid using a platform key, the platform key comprising a public key that is a counterpart to a private key associated with an extensible firmware interface (EFI) certificate authority and used to generate the first signature; and

responsive to verifying that the first signature for the first key container is valid, performing, by the processing device, the following comprising;

identifying the first public key encapsulated in the first key container, wherein the first public key is different than the platform key and is associated with a non-EFI certificate authority;

extracting the first public key from the first key container; and

passing the first public key to a kernel of an operating system (OS) of the processing device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A processing device searches executing at least one of a boot loader or a kernel for the operating system searches for an extensible firmware interface (EFI) binary object. Responsive to finding a first EFI binary object, the processing device verifies that a first signature associated with the first EFI binary object is valid using a platform key. Responsive to verifying that the first signature for the first EFI binary object is valid, the processing device performs the following operations: identifying a first public key encapsulated in the first EFI binary object, wherein the first public key is associated with a non-EFI certificate authority; extracting the first public key from the first EFI binary object; and performing at least one of a) passing the first public key to a kernel of an operating system (OS) or b) exposing the first public key to a user space of the OS.

Citations

20 Claims

1. A method comprising:
- searching, by a processing device having an enabled secure boot mode, for a key container comprising no executable code;
  
  responsive to finding a first key container encapsulating a first signature and a first public key, verifying that the first signature is valid using a platform key, the platform key comprising a public key that is a counterpart to a private key associated with an extensible firmware interface (EFI) certificate authority and used to generate the first signature; and
  
  responsive to verifying that the first signature for the first key container is valid, performing, by the processing device, the following comprising;
  
  identifying the first public key encapsulated in the first key container, wherein the first public key is different than the platform key and is associated with a non-EFI certificate authority;
  
  extracting the first public key from the first key container; and
  
  passing the first public key to a kernel of an operating system (OS) of the processing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - identifying at least one additional public key encapsulated in the first key container;
      
      extracting the at least one additional public key from the first key container; and
      
      passing the at least one additional public key to the kernel of the OS of the processing device.
  - 3. The method of claim 1, further comprising:
    - responsive to finding a second key container, verifying that a second signature associated with the second key container is valid using the platform key; and
      
      responsive to verifying that the second signature for the second key container is valid, performing the following comprising;
      
      identifying a second public key encapsulated in the second key container, wherein the second public key is associated with an additional non-EFI certificate authority (CA);
      
      extracting the second public key from the second key container; and
      
      passing the second public key to the kernel of the OS.
  - 4. The method of claim 1, wherein the first public key is a component of a first digital certificate encapsulated in the first key container, and wherein the first public key is usable to sign at least one of packages or kernel modules that are not compliant with an EFI standard.
  - 5. The method of claim 1, wherein the first key container comprises a universal extensible firmware interface (UEFI) application that is trivially auditable.
  - 6. The method of claim 1, further comprising:
    - exposing the first public key to a user space of the OS by placing the first public key in at least one of a system key ring or a system file.
  - 7. The method of claim 6, further comprising:
    - loading a package manager in the user space of the OS, wherein responsive to a request to install or load a package signed by the non-EFI CA, the package manager verifies a digital signature associated with the package using the exposed first public key.
  - 8. The method of claim 1, wherein the platform key complies with a first public key cryptography standard, and the first public key complies with a second, different, public key cryptography standard.
  - 9. The method of claim 1, further comprising:
    - exposing the first public key to a module loading component of the OS to enable the module loading component to verify device drivers prior to loading the device drivers.

10. A non-transitory computer readable medium comprising instructions that, when executed by a processing device having an enabled secure boot mode, cause the processing device to:
- search, by the processing device, for an extensible firmware interface (EFI) binary object comprising no executable code;
  
  responsive to finding a first EFI binary object encapsulating a first signature and a first public key, verify that the first signature is valid using a platform key, the platform key comprising a public key that is a counterpart to a private key associated with an extensible firmware interface (EFI) certificate authority and used to generate the first signature; and
  
  responsive to verifying that the first signature for the first EFI binary object is valid, the processing device further to;
  
  identify the first public key encapsulated in the first EFI binary object, wherein the first public key is different than the platform key and is associated with a non-EFI certificate authority;
  
  extract the first public key from the first EFI binary object; and
  
  perform at least one of a) passing the first public key to a kernel of an operating system (OS) of the processing device or b) exposing the first public key to a user space of an OS of the processing device.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer readable storage medium of claim 10, the processing device further to:
    - identify at least one additional public key encapsulated in the first EFI binary object;
      
      extract the at least one additional public key from the first EFI binary object; and
      
      pass the at least one additional public key to the kernel of the OS of the processing device.
  - 12. The computer readable storage of claim 10, the processing device further to:
    - responsive to finding a second EFI binary object, verify that a second signature associated with the second EFI binary object is valid using the platform key; and
      
      responsive to verifying that the second signature for the second EFI binary object is valid, the processing device further to;
      
      identify a second public key encapsulated in the second EFI binary object, wherein the second public key is associated with an additional non-EFI certificate authority (CA);
      
      extract the second public key from the second EFI binary object; and
      
      pass the second public key to the kernel of the OS of the processing device.
  - 13. The computer readable storage medium of claim 10, wherein the first public key is a component of a first digital certificate encapsulated in the EFI binary object, and wherein the first public key is usable to sign at least one of packages or kernel modules that are not compliant with an EFI standard.
  - 14. The computer readable storage medium of claim 10, wherein the EFI binary object comprises a universal extensible firmware interface (UEFI) application that is trivially auditable.
  - 15. The computer readable storage medium of claim 10, the processing device further to:
    - expose the first public key to the user space of the OS by placing the first public key in at least one of a system key ring or a system file.
  - 16. The computer readable storage medium of claim 15, the processing device further to:
    - load a package manager in the user space of the OS, wherein responsive to a request to install or load a package signed by the non-EFI CA, the package manager verifies a digital signature associated with the package using the exposed first public key.
  - 17. The computer readable storage medium of claim 10, wherein the platform key complies with a first public key cryptography standard, and the first public key complies with a second, different, public key cryptography standard.
  - 18. The computer readable storage medium of claim 10, the processing device further to:
    - expose the first public key to a module loading component of the OS to enable the module loading component to verify device drivers prior to loading the device drivers.

19. A computing device comprising:
- a memory; and
  
  a processing device operatively coupled to the memory, wherein the processing device is to;
  
  search for an extensible firmware interface (EFI) binary object comprising no executable code;
  
  responsive to finding a first EFI binary object encapsulating a first signature and a first public key, verify that the first signature is valid using a platform key, the platform key comprising a public key that is a counterpart to a private key associated with an extensible firmware interface (EFI) certificate authority and used to generate the first signature; and
  
  perform the following comprising responsive to verifying that the first signature for the first EFI binary object is valid;
  
  identify the first public key encapsulated in the first EFI binary object, wherein the first public key is different than the platform key and is associated with a non-EFI certificate authority;
  
  extract the first public key from the first EFI binary object; and
  
  expose the first public key to a user space of an operating system of the processing device.
- View Dependent Claims (20)
- - 20. The computing device of claim 19, wherein the first public key is a component of a first digital certificate encapsulated in the EFI binary object, and wherein the first public key is usable to sign at least one of packages or kernel modules that are not compliant with an EFI standard.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Jones, Peter M., Jackson, Adam D.
Primary Examiner(s)
LWIN, MAUNG T

Application Number

US13/925,552
Publication Number

US 20140380031A1
Time in Patent Office

1,499 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/572 Secure firmware programming...

System wide root of trust chaining via signed applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System wide root of trust chaining via signed applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links