Programmable secure bios mechanism in a trusted computing system
First Claim
1. An apparatus for protecting a basic input/output system (BIOS) in a computing system, the apparatus comprising:
- a BIOS read only memory (ROM), comprising:
  - BIOS contents, wherein said BIOS contents are stored as plaintext; and
  - an encrypted message digest, wherein said encrypted message digest comprises an encrypted version of a first message digest that corresponds to said BIOS contents;
- a tamper detector, operatively coupled to said BIOS ROM, configured to generate a BIOS check interrupt at a combination of prescribed intervals and event occurrences, and configured to access said BIOS contents and said encrypted message digest upon assertion of said BIOS check interrupt, and configured to direct a microprocessor to generate a second message digest corresponding to said BIOS contents and a decrypted message digest corresponding to said encrypted message digest, and configured to compare said second message digest with said decrypted message digest, and configured to preclude said operation of said microprocessor if said second message digest and said decrypted message digest are not equal;
- a random number generator disposed within said microprocessor, wherein said random number generator generates a random number at completion of a current BIOS check, which is employed to set a following prescribed interval, whereby said prescribed intervals are randomly varied; and
- a JTAG control chain, configured to program said combination of prescribed intervals and event occurrences within tamper detection microcode storage.
Abstract
An apparatus is provided for protecting a basic input/output system (BIOS) in a computing system. The apparatus includes a BIOS read only memory (ROM), a tamper detector, a random number generator, and a JTAG control chain. The BIOS ROM includes BIOS contents stored as plaintext, and an encrypted message digest, where the encrypted message digest is an encrypted version of a first message digest that corresponds to the BIOS contents. The tamper detector is operatively coupled to the BIOS ROM, and is configured to generate a BIOS check interrupt at a combination of prescribed intervals and event occurrences, to access the BIOS contents and the encrypted message digest upon assertion of the BIOS check interrupt, to direct a microprocessor to generate a second message digest corresponding to the BIOS contents and a decrypted message digest corresponding to the encrypted message digest, to compare the second message digest with the decrypted message digest, and to preclude the operation of the microprocessor if the second message digest and the decrypted message digest are not equal. The random number generator is disposed within the microprocessor and generates a random number at completion of a current BIOS check, which is employed to set the following prescribed interval, whereby the prescribed intervals are randomly varied. The JTAG control chain is configured to program the combination of prescribed intervals and event occurrences within tamper detection microcode storage.
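Added example, not the patent's own design: a Python model of the check cycle the abstract describes (plaintext BIOS plus encrypted digest in ROM, a recomputed digest compared against the decrypted one, halt on mismatch, and a randomly chosen next interval). SHA-256 stands in for the unspecified digest algorithm and a SHA-256 counter-mode keystream for the unspecified cipher; the class, function and parameter names are assumptions.

```python
import hashlib
import hmac
import secrets

# SHA-256 stands in for the patent's unspecified digest algorithm; SHA-256 in
# counter mode supplies the keystream for the equally unspecified cipher.
def message_digest(bios_contents: bytes) -> bytes:
    return hashlib.sha256(bios_contents).digest()

def crypt(key: bytes, data: bytes) -> bytes:
    """XOR data with a key-derived keystream; decryption is the same call."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def provision_rom(key: bytes, bios_contents: bytes) -> dict:
    """BIOS ROM image: plaintext contents plus the encrypted first digest."""
    return {"contents": bytearray(bios_contents),
            "encrypted_digest": crypt(key, message_digest(bios_contents))}

class TamperDetector:
    """Microprocessor-side tamper detector. The key stays inside the part:
    whoever holds it can re-sign a modified BIOS, so it is the root of trust."""
    def __init__(self, key, rom, min_interval, max_interval, check_events):
        self.key, self.rom = key, rom
        self.min_interval, self.max_interval = min_interval, max_interval
        self.check_events = set(check_events)  # as programmed via the JTAG chain
        self.halted = False
        self.next_interval = self._random_interval()

    def _random_interval(self) -> int:
        # on-chip RNG picks the following interval after every check
        span = self.max_interval - self.min_interval + 1
        return self.min_interval + secrets.randbelow(span)

    def bios_check(self) -> bool:
        """BIOS check interrupt handler: second digest vs. decrypted stored digest."""
        second = message_digest(bytes(self.rom["contents"]))
        decrypted = crypt(self.key, self.rom["encrypted_digest"])
        ok = hmac.compare_digest(second, decrypted)
        if not ok:
            self.halted = True  # preclude further operation of the microprocessor
        self.next_interval = self._random_interval()
        return ok

    def on_event(self, event: str):
        """Run the check only if this event was programmed as a trigger."""
        return self.bios_check() if event in self.check_events else None
```

The random interval only hides the check's timing; the strength of the scheme rests on the key never leaving the processor and on the ROM's encrypted digest being unforgeable without it.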
21 Claims
8. An apparatus for protecting a basic input/output system (BIOS) in a computing system, the apparatus comprising:
- a BIOS read only memory (ROM), comprising:
  - BIOS contents, wherein said BIOS contents are stored as plaintext; and
  - an encrypted message digest, wherein said encrypted message digest comprises an encrypted version of a first message digest that corresponds to said BIOS contents; and
- a microprocessor, coupled to said BIOS ROM, said microprocessor comprising:
  - a tamper detector, operatively coupled to said BIOS ROM, configured to generate a BIOS check interrupt at a combination of prescribed intervals and event occurrences, and configured to access said BIOS contents and said encrypted message digest upon assertion of said BIOS check interrupt, and configured to direct said microprocessor to generate a second message digest corresponding to said BIOS contents and a decrypted message digest corresponding to said encrypted message digest, and configured to compare said second message digest with said decrypted message digest, and configured to preclude said operation of said microprocessor if said second message digest and said decrypted message digest are not equal;
  - a random number generator disposed within said microprocessor, wherein said random number generator generates a random number at completion of a current BIOS check, which is employed to set a following prescribed interval, whereby said prescribed intervals are randomly varied; and
  - a JTAG control chain, configured to program said combination of prescribed intervals and event occurrences within tamper detection microcode storage.

Dependent claims: 9, 10, 11, 12, 13, 14 (not shown).
15. A method for protecting a basic input/output system (BIOS) in a computing system, the method comprising:
- storing BIOS contents as plaintext in a BIOS ROM along with an encrypted message digest that comprises an encrypted version of a first message digest that corresponds to the BIOS contents;
- programming a combination of prescribed intervals and event occurrences in tamper detection microcode storage;
- generating a BIOS check interrupt that interrupts normal operation of the computing system at the combination of prescribed intervals and event occurrences;
- upon assertion of the BIOS check interrupt, accessing the BIOS contents and the encrypted message digest, and generating a second message digest corresponding to the BIOS contents and a decrypted message digest corresponding to the first encrypted message digest using the same algorithms and key that were employed to generate the first message digest and the encrypted message digest;
- comparing the second message digest with the decrypted message digest;
- precluding operation of the microprocessor if the second message digest and the decrypted message digest are not equal; and
- employing a random number generator within the microprocessor to generate a random number at completion of a current BIOS check, which is employed to set a following prescribed interval, whereby the prescribed intervals are randomly varied.

Dependent claims: 16, 17, 18, 19, 20, 21 (not shown).