Method to protect BIOS NVRAM from malicious code injection by encrypting NVRAM variables and system therefor

US 10,146,942 B2
Filed: 02/24/2015
Issued: 12/04/2018
Est. Priority Date: 02/24/2015
Status: Active Grant

First Claim

Patent Images

1. A method to protect non-volatile random access memory (NVRAM) from malicious code, the method comprising:

allocating, by a hardware processor of an information handling system, a first region at the NVRAM to store firmware instructions;

allocating, by the hardware processor of the information handling system, a second region to store data that is not the firmware instructions; and

receiving, by the hardware processor of the information handling system, the data to be stored at the second region, the receiving of the data in response to servicing a system management interrupt, the data received at a software function configured to store the data at the second region, the software function including operations for;

generating a random symmetric encryption key;

encrypting the data using the random symmetric encryption key to provide encrypted data, the random symmetric encryption key to only be associated with the data; and

storing the encrypted data and the random symmetric encryption key at the second region at the NVRAM;

wherein the encrypted data protects the second region at the NVRAM from executing the malicious code.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data to be stored at a firmware memory is received. A random symmetric encryption key is generated. The data is encrypted using the generated key to provide encrypted data. The encrypted data and the encryption key are both stored at the firmware memory.

33 Citations

View as Search Results

19 Claims

1. A method to protect non-volatile random access memory (NVRAM) from malicious code, the method comprising:
- allocating, by a hardware processor of an information handling system, a first region at the NVRAM to store firmware instructions;
  
  allocating, by the hardware processor of the information handling system, a second region to store data that is not the firmware instructions; and
  
  receiving, by the hardware processor of the information handling system, the data to be stored at the second region, the receiving of the data in response to servicing a system management interrupt, the data received at a software function configured to store the data at the second region, the software function including operations for;
  
  generating a random symmetric encryption key;
  
  encrypting the data using the random symmetric encryption key to provide encrypted data, the random symmetric encryption key to only be associated with the data; and
  
  storing the encrypted data and the random symmetric encryption key at the second region at the NVRAM;
  
  wherein the encrypted data protects the second region at the NVRAM from executing the malicious code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the random symmetric encryption key is stored at the second region as plain text.
  - 3. The method of claim 1, wherein the encrypted data and the random symmetric encryption key are linked by reference by a single globally unique identifier.
  - 4. The method of claim 1, further comprising decrypting the encrypted data using the random symmetric encryption key in response to receiving a request to retrieve the data from the second region at the NVRAM.
  - 5. The method of claim 1, further comprising receiving the data from a Windows library function after initialization of an operating system.
  - 6. The method of claim 1, further comprising receiving the data from a unified extensible firmware interface protocol.
  - 7. The method of claim 1, further comprising receiving the data during a driver initialization phase of a boot process at the information handling system.
  - 8. The method of claim 1, wherein the encrypted data and the random symmetric encryption key are referenced at the NVRAM by a single memory address.
  - 9. The method of claim 1, further comprising:
    - receiving a request to retrieve the data from the second region at the NVRAM;
      
      retrieving the encrypted data from the second region at the NVRAM;
      
      retrieving the random symmetric encryption key from the second region at the NVRAM;
      
      decrypting the encrypted data using the random symmetric encryption key to unencrypt the data; and
      
      providing the data to fulfill the request.
  - 10. The method of claim 1, wherein the data is an environment variable.
  - 11. The method of claim 1, wherein the function for the write operations is configured to prevent execution of malicious code stored at the second region.

12. An information handling system comprising:
- a processor;
  
  a system memory device; and
  
  a non-volatile firmware memory device including a first region for storing basic input/output system (BIOSE code and a second region for storing data that is not the BIOS code, the BIOS code executing store operations to the second region, the store operations to further;
  
  receive the data to be stored at the second region of the non-volatile firmware memory device, the data received in response to servicing a system management interrupt;
  
  generate a random symmetric encryption key for each different store operation of the store operations executed by the BIOS code;
  
  encrypt the data using the random symmetric encryption key to provide encrypted data that corresponds to the each different store operation; and
  
  store the encrypted data and the generated random symmetric encryption key at the second region of the non-volatile firmware memory device.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The information handling system of claim 12, further comprising instructions to decrypt the encrypted data using the random symmetric encryption key in response to receiving a request to retrieve the data from the second region.
  - 14. The information handling system of claim 12, wherein the encrypted data and the random symmetric encryption key are linked by reference by a single identifier.
  - 15. The information handling system of claim 12, wherein the random symmetric encryption key is stored as plain text.
  - 16. The information handling system of claim 12, wherein the store operations are configured to prevent execution of malicious code stored at the second region.

17. A non-transitory data storage medium storing instructions executable by a processor to cause the processor to:
- allocate a first region of a non-volatile firmware memory to store BIOS code;
  
  allocate a second region of the non-volatile firmware memory to store data that is not the BIOS code; and
  
  implement a function for write operations to the second region of the non-volatile firmware memory, the function for the write operations configured to;
  
  receive the data in response to servicing a system management interrupt at the processor;
  
  generate a different random symmetric encryption key for each corresponding one of the write operations to the second region of the non-volatile firmware memory;
  
  encrypt the data using the different random symmetric encryption key to provide encrypted data for the corresponding one of the write operations to the second region of the non-volatile firmware memory; and
  
  store the encrypted data and the different random symmetric encryption key at the second region of the non-volatile firmware memory for the corresponding one of the write operations.
- View Dependent Claims (18, 19)
- - 18. The non-transitory data storage medium of claim 17, further comprising instructions to:
    - receive a request to retrieve the data from the second region;
      
      retrieve the encrypted data;
      
      retrieve the different random symmetric encryption key;
      
      decrypt the encrypted data using the different random symmetric encryption key to unencrypt the data; and
      
      provide the unencrypted data to fulfill the request.
  - 19. The non-transitory data storage medium of claim 17, wherein the different random symmetric encryption key is stored as plain text.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dell Products LP (Dell Technologies Inc.)
Original Assignee
Dell Products LP (Dell Technologies Inc.)
Inventors
Martinez, Ricardo L., Wynn, Allen C., Tonry, Richard M.
Primary Examiner(s)
Doan, Trang T

Application Number

US14/630,413
Publication Number

US 20160246964A1
Time in Patent Office

1,379 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 13/4282   on a serial bus, e.g. I2C b...

G06F 21/572   Secure firmware programming...

G06F 2212/1052   Security improvement

G06F 2212/7201   Logical to physical mapping...

H04L 9/0897   involving additional device...

Method to protect BIOS NVRAM from malicious code injection by encrypting NVRAM variables and system therefor

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method to protect BIOS NVRAM from malicious code injection by encrypting NVRAM variables and system therefor

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links