Boot blocks for software

US 20030196110A1
Filed: 05/07/2003
Published: 10/16/2003
Est. Priority Date: 10/26/1998
Status: Active Grant

First Claim

Patent Images

1. In a computer system having a central processing unit and a software identity register, a method comprising:

executing an atomic operation to set an identity of a piece of software into the software identity register, wherein if the atomic operation completes correctly, the software identity register contains the identity of the piece of software and if the atomic operation fails to complete correctly, the software identity register contains a value other than the identity of the piece of software; and

examining the software identity register to verify the identity of the piece of software.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with one aspect of boot blocks for software, in a computer system that has a central processing unit and a software identity register, an atomic operation is executed to set an identity of a piece of software into the software identity register. If the atomic operation completes correctly, then the software identity register contains the identity of the piece of software; otherwise, the software identity register contains a value other than the identity of the piece of software.

169 Citations

View as Search Results

65 Claims

1. In a computer system having a central processing unit and a software identity register, a method comprising:
- executing an atomic operation to set an identity of a piece of software into the software identity register, wherein if the atomic operation completes correctly, the software identity register contains the identity of the piece of software and if the atomic operation fails to complete correctly, the software identity register contains a value other than the identity of the piece of software; and
  
  examining the software identity register to verify the identity of the piece of software.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. A method as recited in claim 1, wherein the piece of software comprises the operating system.
  - 3. A method as recited in claim 1, wherein the piece of software comprises an operating system loader.
  - 4. A method as recited in claim 1, wherein executing the atomic operation comprises executing the atomic operation at the start of an operating system loader.
  - 5. A method as recited in claim 1, wherein executing the atomic operation comprises executing a BeginAuthenticatedBoot instruction.
  - 6. A method as recited in claim 1, wherein the piece of software includes a boot block that includes a block of code.
  - 7. A method as recited in claim 6, wherein the boot block further includes a BeginAuthenticatedBoot opcode.
  - 8. A method as recited in claim 6, wherein the boot block further includes a length specifying a number of bytes in the block of code.
  - 9. A method as recited in claim 6, wherein the boot block further includes:
    - a signature obtained from signing the block of code; and
      
      a public key from a key pair.
  - 10. A method as recited in claim 6, wherein the boot block further includes one or more constants to be used to validate subsequent operating system components.
  - 11. A method as recited in claim 1, wherein the identity comprises a public key of a correctly signed block of code from the piece of software, and the examining comprises verifying a signature of the signed block of code against the public key.
  - 12. A method as recited in claim 1, wherein the identity comprises a hash digest of a block of code from the piece of software, and the examining comprises hashing the block of code.
  - 13. A method as recited in claim 1, further comprising appending at least a portion of the identity to a boot log.
  - 14. A method as recited in claim 1, further comprising authenticating additional blocks of code.
  - 15. A method as recited in claim 1, further comprising:
    - appending at least a portion of the identity to a boot log;
      
      authenticating additional blocks of code; and
      
      appending identities of the additional blocks of code to the boot log.

16. In a computer system having a central processing unit (CPU), a piece of software, and a software identity register, a method comprising:
- identifying a boot block of code associated with the piece of software that uniquely describes the piece of software;
  
  creating an identity of the piece of software from the boot block; and
  
  executing an atomic operation to set the identity of the piece of software into the software identity register, wherein if the atomic operation completes correctly, the software identity register contains the identity of the piece of software.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 17. A method as recited in claim 16, wherein the piece of software comprises an operating system.
  - 18. A method as recited in claim 16, wherein the piece of software comprises an operating system loader.
  - 19. A method as recited in claim 16, wherein executing the atomic operation comprises executing the atomic operation at the start of an operating system loader.
  - 20. A method as recited in claim 16, wherein the creating comprises signing the boot block using a private key from a key pair to form a signature, and wherein the signature and a corresponding public key from the key pair together form the identity of the piece of software.
  - 21. A method as recited in claim 16, wherein the creating comprises hashing the boot block to form a digest, the digest forming the identity of the piece of software.
  - 22. A method as recited in claim 16, further comprising appending at least a portion of the identity to a boot log.
  - 23. A method as recited in claim 16, further comprising authenticating additional blocks of code.
  - 24. A method as recited in claim 16, further comprising:
    - appending at least a portion of the identity to a boot log;
      
      authenticating additional blocks of code; and
      
      appending identities of the additional blocks of code to the boot log.
  - 25. A method as recited in claim 16, wherein executing the atomic operation comprises executing a BeginAuthenticatedBoot instruction.

26. A computer comprising:
- a nonvolatile memory having a piece of software stored therein, wherein the piece of software has a block of code;
  
  a software identity register;
  
  a central processing unit (CPU) coupled to the memory; and
  
  the piece of software being booted for execution on the CPU according to a sequence that begins with an atomic operation, wherein if the atomic operation completes correctly, the software identity register is set to the identity of the piece of software.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34)
- - 27. A computer as recited in claim 26, wherein the software identity register is included in the CPU.
  - 28. A computer as recited in claim 26, wherein the piece of software comprises an operating system.
  - 29. A computer as recited in claim 26, wherein the piece of software comprises an operating system loader.
  - 30. A method as recited in claim 26, wherein the sequence includes an operating system loader.
  - 31. A computer as recited in claim 26, wherein the identity comprises a digital signature on a block of code from the piece of software.
  - 32. A computer as recited in claim 26, wherein the identity comprises a hash digest of a block of code from the piece of software.
  - 33. A computer as recited in claim 26, wherein the CPU holds a manufacturer certificate signed by a manufacturer of the CPU.
  - 34. A computer as recited in claim 26, further comprising a boot log, wherein the CPU appends the identity of the piece of software to the boot log in the event that the atomic operation completes correctly.

35. One or more computer readable memories having stored thereon a plurality of instructions that, when executed by one or more processors of a device, causes the one or more processors to:
- execute an atomic operation to set an identity of a piece of software into a software identity register of one of the one or more processors, wherein if the atomic operation completes correctly, the software identity register contains the identity of the piece of software and if the atomic operation fails to complete correctly, the software identity register contains a value other than the identity of the piece of software; and
  
  examining the software identity register to verify the identity of the piece of software.
- View Dependent Claims (36, 37, 38, 39, 40, 41)
- - 36. One or more computer readable memories as recited in claim 35, wherein the piece of software comprises an operating system.
  - 37. One or more computer readable memories as recited in claim 35, wherein the piece of software comprises an operating system loader.
  - 38. One or more computer readable memories as recited in claim 35, wherein the instructions that cause the one or more processors to execute the atomic operation comprises instructions that cause the one or more processors to execute the atomic operation at the start of an operating system loader.
  - 39. One or more computer readable memories as recited in claim 35, wherein the plurality of instructions comprises an operating system loader.
  - 40. One or more computer readable memories as recited in claim 35, wherein execution of the plurality of instructions that causes the one or more processors to execute the atomic operation is initiated by a BeginAuthenticatedBoot instruction.
  - 41. One or more computer readable memories as recited in claim 35, wherein the identity of the piece of software comprises a hash digest of a block of code of the piece of software.

42. A method of generating a signed boot block for a piece of software, the method comprising:
- signing, using a private key from a key pair, a block of code; and
  
  generating a signed boot block that includes;
  
  a BeginAuthenticatedBoot opcode, a length specifying a number of bytes in the block of code, the block of code, the signature obtained from signing the block of code, and a public key from the key pair to be used to verify the signature.
- View Dependent Claims (43, 44, 45, 46)
- - 43. A method as recited in claim 42, wherein the piece of software comprises an operating system.
  - 44. A method as recited in claim 42, wherein the piece of software comprises an operating system loader.
  - 45. A method as recited in claim 42, wherein the signed boot block further includes information to be used to validate subsequent operating system components.
  - 46. A method as recited in claim 45, wherein the information comprises one or more keys.

47. One or more computer readable memories having stored thereon a plurality of instructions that, when executed by one or more processors of a device, causes the one or more processors to:
- load a signed boot block for a piece of software, wherein the signed boot block includes, a BeginAuthenticatedBoot opcode, a length specifying a number of bytes in a block of code, the block of code, a signature obtained from signing the block of code, and a public key from a key pair; and
  
  verify, using the public key, the signature of the boot block.
- View Dependent Claims (48, 49, 50, 51)
- - 48. A method as recited in claim 47, wherein the piece of software comprises an operating system.
  - 49. A method as recited in claim 47, wherein the piece of software comprises an operating system loader.
  - 50. A method as recited in claim 47, wherein the instructions further cause the one or more processors to set the public key into a software identity register of one of the one or more processors if the signature of the boot block is verified, and otherwise set a predetermined false value into the software identity register.
  - 51. A method as recited in claim 47, wherein a private key of the key pair was used to generate the signature.

52. A method comprising generating a boot block for a piece of software, wherein the boot block includes a block of code and a number specifying a length of the block of code.
- View Dependent Claims (53, 54, 55, 56, 57)
- - 53. A method as recited in claim 52, wherein the number specifies a number of bytes in the block of code.
  - 54. A method as recited in claim 52, wherein the boot block further includes a BeginAuthenticatedBoot opcode.
  - 55. A method as recited in claim 52, wherein the boot block further includes one or more constants to be used to validate subsequent operating system components.
  - 56. A method as recited in claim 52, wherein the piece of software comprises an operating system.
  - 57. A method as recited in claim 52, wherein each of the one or more constants comprises one or more keys.

58. One or more computer readable memories having stored thereon a plurality of instructions that, when executed by one or more processors of a device, causes the one or more processors to:
- load a boot block for a piece of software, wherein the boot block includes a block of code;
  
  generate a value based on the block of code and the one or more constants; and
  
  set the value into a software identity register of one of the one or more processors.
- View Dependent Claims (59, 60, 61, 62, 63, 64, 65)
- - 59. One or more computer readable memories as recited in claim 58, wherein the boot block further includes a BeginAuthenticatedBoot opcode.
  - 60. One or more computer readable memories as recited in claim 58, wherein the boot block further includes a length specifying a number of bytes in the block of code.
  - 61. One or more computer readable memories as recited in claim 58, wherein the boot block further includes one or more constants to be used to validate subsequent operating system components.
  - 62. One or more computer readable memories as recited in claim 58, wherein the piece of software comprises an operating system.
  - 63. One or more computer readable memories as recited in claim 58, wherein the piece of software comprises an operating system loader.
  - 64. One or more computer readable memories method as recited in claim 58, wherein the value comprises a cryptographic hash of the block of code and the one or more constants.
  - 65. One or more computer readable memories method as recited in claim 58, wherein the value comprises a digest of the block of code and the one or more constants.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
England, Paul, Lampson, Butler W., DeTreville, John D.

Granted Patent

US 7,529,919 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/30
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/575   Secure boot

G06F 2221/2113   Multi-level security, e.g. ...

G06F 9/4406   Loading of operating system

G06F 9/468   Specific access rights for ...

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/166   at the transport layer

Boot blocks for software

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

169 Citations

65 Claims

Specification

Solutions

Use Cases

Quick Links

Boot blocks for software

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

169 Citations

65 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links