Information handling system boot pre-validation

US 9,916,451 B2
Filed: 10/07/2015
Issued: 03/13/2018
Est. Priority Date: 02/09/2015
Status: Active Grant

First Claim

Patent Images

1. An information handling system comprising:

a processor executing instructions that process information;

memory interfaced with the processor, the memory storing the instructions and information;

a display interfaced with the processor and presenting the information as visual images;

plural components interfaced with the processor and performing functions with firmware instructions loaded at boot of an operating system on the processor;

initiation firmware stored in the memory and initiating boot of the operating system at power on of the processor;

a secure boot module associated with the initiation firmware and comparing bootloader certificates for bootloaders of firmware instructions for the plural components with valid certificates to validate the firmware instructions, the secure boot module further preventing execution of firmware that lacks a valid certificate; and

a pre-validation module associated with the initiation firmware and performing a pre-validation by comparing the bootloader certificates with the valid certificates before the comparison performed by the secure boot module, presenting the pre-validation at the display during a setup routine of the initiation firmware, initiating transition to a boot mode of the initiation firmware if the bootloader certificates are valid, and initiating transition to a modified boot mode of the initiation firmware if the bootloader certificates are not valid, the modified boot mode launching a firmware update function of the operating system to update the invalid firmware.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Pre-validation of bootloader certificates for firmware bootloaders of an operating system boot list during a setup mode of BIOS boot initiation provides the end user with a tool to address boot certification problems associated with the firmware bootloaders before the operating system boot precludes execution of bootloaders that lack a valid certificate. For example, re-configuration of a boot list to address certification problems before exit of boot setup prevents boot to an inoperative state caused by lack of firmware execution during boot due to a failed certificate, such as a failure to load an unsigned option ROM.

Citations

18 Claims

1. An information handling system comprising:
- a processor executing instructions that process information;
  
  memory interfaced with the processor, the memory storing the instructions and information;
  
  a display interfaced with the processor and presenting the information as visual images;
  
  plural components interfaced with the processor and performing functions with firmware instructions loaded at boot of an operating system on the processor;
  
  initiation firmware stored in the memory and initiating boot of the operating system at power on of the processor;
  
  a secure boot module associated with the initiation firmware and comparing bootloader certificates for bootloaders of firmware instructions for the plural components with valid certificates to validate the firmware instructions, the secure boot module further preventing execution of firmware that lacks a valid certificate; and
  
  a pre-validation module associated with the initiation firmware and performing a pre-validation by comparing the bootloader certificates with the valid certificates before the comparison performed by the secure boot module, presenting the pre-validation at the display during a setup routine of the initiation firmware, initiating transition to a boot mode of the initiation firmware if the bootloader certificates are valid, and initiating transition to a modified boot mode of the initiation firmware if the bootloader certificates are not valid, the modified boot mode launching a firmware update function of the operating system to update the invalid firmware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The information handling system of claim 1 wherein the plural components comprise a graphics subsystem and the firmware instructions comprise an option ROM to execute on the graphics subsystem.
  - 3. The information handling system of claim 2 wherein the pre-validation module presents an alternative graphics subsystem to use at boot instead of a graphics subsystem having an invalid certificate, the alternative graphics subsystem selectable by an end user for use in boot through the display.
  - 4. The information handling system of claim 3 wherein the graphics system is a graphics card and the alternative graphics system is a chipset-based graphics system.
  - 5. The information handling system of claim 1 wherein the pre-validation module performs pre-validation during an initiation firmware set-up state to accept end user setting inputs to the initiation firmware based upon the pre-validation.
  - 6. The information handling system of claim 5 wherein the secure boot module validates firmware instructions for the plural components after completion of boot services performed by the initiation firmware.
  - 7. The information handling system of claim 1 wherein the pre-validation module further:
    - initiates transition to a boot mode of the initiation firmware if the bootloader certificates are valid; and
      
      establishes a network interface to update the bootloader certificates if the bootloader certificates are not valid.
  - 8. The system of claim 1 wherein the firmware loaded on the components at boot of the information handling system comprises option ROMs.

9. A method for booting an information handling system, the method comprising:
- initiating firmware instructions to bring an operating system from persistent memory to an operational state;
  
  executing a set-up state of the firmware instructions, the set-up state accepting end user inputs;
  
  while in the set-up state, validating certificates of option ROM bootloaders in a boot list of the firmware; and
  
  applying corrective action for invalid certificates in the set-up state before transition to a boot state, the corrective actions including at least presenting invalid certificates at a display while in the set-up state, and accepting end user inputs in response to the presenting invalid certificates.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9 further comprising:
    - transitioning to the boot state to prepare execution of the operating system;
      
      exiting the boot state to initiate execution of the operating system; and
      
      in response to exiting the boot state, validating the certificates of the option ROM bootloaders before executing the option ROM bootloaders.
  - 11. The method of claim 9 wherein accepting end user inputs in response to the presenting invalid certificates further comprises accepting an end user selection of an alternative option ROM to execute instead of an option ROM having an invalid certificate.
  - 12. The method of claim 9 wherein accepting end user inputs in response to the presenting invalid certificates further comprises accepting an end user selection of an alternative component to use on boot from a component having an invalid certificate.
  - 13. The method of claim 12 wherein the component having an invalid certificate is a graphics card and the alternative component to use on boot is a chipset-based graphics system.
  - 14. The method of claim 9 wherein accepting end user inputs in response to the presenting invalid certificates further comprises establishing a network interface to retrieve an option ROM having a valid certificate to replace the option ROM having the invalid certificate.
  - 15. The method of claim 14 wherein accepting end user inputs in response to the presenting invalid certificates further comprises accepting an end user override of the invalid certificate to permit operating system use of the bootloader associated with the invalid certificate.

16. A system for booting an information handling system, the system comprising:
- non-transitory memory storing;
  
  an operating system having instructions that execute on a processor to coordinate execution of applications on the information handling system, the operating system having a secure boot mode that validates bootloader certificates and precludes execution of bootloaders that lack a valid bootloader certificate;
  
  initiation firmware having instructions that coordinate boot of the operating system, the initiation firmware having a setup mode, a boot mode and an exit boot services that transitions control of the information handling system from the initiation firmware to the operating system; and
  
  a pre-validation module having instructions that determine the validity of the bootloader certificates during the initiation firmware setup mode, present invalid bootloader certificates at a display while in the set-up state, and accept end user inputs in response to the presenting invalid certificates to alter the operating system boot based on the invalid bootloader certificates.
- View Dependent Claims (17)
- - 17. The system of claim 16 wherein the end user input comprises a change to a boot list of bootloaders to replace the invalid bootloader with a valid bootloader.

18. An information handling system comprising:
- a processor executing instructions that process information;
  
  memory interfaced with the processor, the memory storing the instructions and information;
  
  a display interfaced with the processor and presenting the information as visual images;
  
  plural components interfaced with the processor and performing functions with firmware instructions loaded at boot of an operating system on the processor;
  
  initiation firmware stored in the memory and initiating boot of the operating system at power on of the processor;
  
  a secure boot module associated with the initiation firmware and comparing bootloader certificates for bootloaders of firmware instructions for the plural components with valid certificates to validate the firmware instructions, the secure boot module further preventing execution of firmware that lacks a valid certificate; and
  
  a pre-validation module associated with the initiation firmware and performing a pre-validation by comparing the bootloader certificates with the valid certificates before the comparison performed by the secure boot module, presenting the pre-validation at the display during a setup routine of the initiation firmware;
  
  wherein the plural components comprise a graphics subsystem and the firmware instructions comprise an option ROM to execute on the graphics subsystem; and
  
  wherein the pre-validation module presents an alternative graphics subsystem to use at boot instead of a graphics subsystem having an invalid certificate, the alternative graphics subsystem selectable by an end user for use in boot through the display.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dell Products LP (Dell Technologies Inc.)
Original Assignee
Dell Products LP (Dell Technologies Inc.)
Inventors
Barkelew, Jonathan B., Gillespie, Kurt D.
Primary Examiner(s)
Rahman, Shawnchoy

Application Number

US14/877,242
Publication Number

US 20160232356A1
Time in Patent Office

888 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/572   Secure firmware programming...

G06F 21/575   Secure boot

G06F 2221/031   Protect user input by softw...

G06F 9/4401   Bootstrapping security arra...

H04L 9/3268   using certificate validatio...

Information handling system boot pre-validation

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Information handling system boot pre-validation

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links