System wide root of trust chaining via signed applications
Abstract
A processing device executing at least one of a boot loader or a kernel for an operating system searches for an extensible firmware interface (EFI) binary object. Responsive to finding a first EFI binary object, the processing device verifies that a first signature associated with the first EFI binary object is valid using a platform key. Responsive to verifying that the first signature for the first EFI binary object is valid, the processing device performs the following operations: identifying a first public key encapsulated in the first EFI binary object, wherein the first public key is associated with a non-EFI certificate authority; extracting the first public key from the first EFI binary object; and performing at least one of a) passing the first public key to a kernel of an operating system (OS) or b) exposing the first public key to a user space of the OS.
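The chain described in the abstract, as an added example that is not taken from the patent: a container is accepted only if its signature verifies under the platform key, and only then is the embedded key handed on. The container layout, the `KEYC` magic, the function names and the toy textbook-RSA key are assumptions constructed for illustration; UEFI Secure Boot itself verifies Authenticode signatures over PE/COFF images.

```python
import hashlib
import struct

# Toy textbook-RSA "platform key" from two Mersenne primes. Constructed for
# this demo only and not secure; no padding, tiny modulus.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
PK_N = P * Q                                # public half: the platform key
_CA_D = pow(E, -1, (P - 1) * (Q - 1))       # private half, held by the EFI CA
SIG_LEN = 27                                # bytes needed for a value < PK_N
MAGIC = b"KEYC"                             # hypothetical container magic


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % PK_N


def build_container(pubkey: bytes) -> bytes:
    """Signing side (EFI CA): wrap a non-EFI CA public key and sign it."""
    body = MAGIC + struct.pack(">H", len(pubkey)) + pubkey
    return body + pow(_digest(body), _CA_D, PK_N).to_bytes(SIG_LEN, "big")


def extract_trusted_key(blob: bytes):
    """Boot side: return the embedded key only if every check passes."""
    if len(blob) < 6 + SIG_LEN or blob[:4] != MAGIC:
        return None
    (klen,) = struct.unpack(">H", blob[4:6])
    # Exact-length parse: the container is data only, with no room for
    # trailing bytes (such as code) outside the signed body.
    if klen == 0 or len(blob) != 6 + klen + SIG_LEN:
        return None
    body, sig = blob[:-SIG_LEN], int.from_bytes(blob[-SIG_LEN:], "big")
    if sig >= PK_N or pow(sig, E, PK_N) != _digest(body):
        return None                         # not signed by the EFI CA key
    return body[6:]


def boot(candidates, kernel_keyring):
    """Search all candidates; hand each verified key to the kernel keyring
    (simulated here as a list)."""
    for blob in candidates:
        key = extract_trusted_key(blob)
        if key is not None and key not in kernel_keyring:
            kernel_keyring.append(key)
    return kernel_keyring
```

A container with a modified key, appended bytes or a zeroed signature is rejected before anything reaches the keyring, which is the property the chained trust depends on.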
20 Claims
1. A method comprising:
- searching, by a processing device having an enabled secure boot mode, for a key container comprising no executable code;
- responsive to finding a first key container encapsulating a first signature and a first public key, verifying that the first signature is valid using a platform key, the platform key comprising a public key that is a counterpart to a private key associated with an extensible firmware interface (EFI) certificate authority and used to generate the first signature; and
- responsive to verifying that the first signature for the first key container is valid, performing, by the processing device, the following comprising:
  - identifying the first public key encapsulated in the first key container, wherein the first public key is different than the platform key and is associated with a non-EFI certificate authority;
  - extracting the first public key from the first key container; and
  - passing the first public key to a kernel of an operating system (OS) of the processing device.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A non-transitory computer readable medium comprising instructions that, when executed by a processing device having an enabled secure boot mode, cause the processing device to:
- search, by the processing device, for an extensible firmware interface (EFI) binary object comprising no executable code;
- responsive to finding a first EFI binary object encapsulating a first signature and a first public key, verify that the first signature is valid using a platform key, the platform key comprising a public key that is a counterpart to a private key associated with an extensible firmware interface (EFI) certificate authority and used to generate the first signature; and
- responsive to verifying that the first signature for the first EFI binary object is valid, the processing device further to:
  - identify the first public key encapsulated in the first EFI binary object, wherein the first public key is different than the platform key and is associated with a non-EFI certificate authority;
  - extract the first public key from the first EFI binary object; and
  - perform at least one of a) passing the first public key to a kernel of an operating system (OS) of the processing device or b) exposing the first public key to a user space of an OS of the processing device.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18
19. A computing device comprising:
- a memory; and
- a processing device operatively coupled to the memory, wherein the processing device is to:
  - search for an extensible firmware interface (EFI) binary object comprising no executable code;
  - responsive to finding a first EFI binary object encapsulating a first signature and a first public key, verify that the first signature is valid using a platform key, the platform key comprising a public key that is a counterpart to a private key associated with an extensible firmware interface (EFI) certificate authority and used to generate the first signature; and
  - perform the following comprising responsive to verifying that the first signature for the first EFI binary object is valid:
    - identify the first public key encapsulated in the first EFI binary object, wherein the first public key is different than the platform key and is associated with a non-EFI certificate authority;
    - extract the first public key from the first EFI binary object; and
    - expose the first public key to a user space of an operating system of the processing device.
Dependent claims: 20
Specification