SYSTEM AND METHOD FOR AUTO-ENROLLING OPTION ROMS IN A UEFI SECURE BOOT DATABASE

US 20150074387A1
Filed: 09/12/2014
Published: 03/12/2015
Est. Priority Date: 09/12/2013
Status: Active Grant

First Claim

Patent Images

1. A computing device-implemented method for auto-enrolling option ROM drivers in a system security database used to perform a Unified Extensible Firmware Interface (UEFI) Secure Boot, comprising:

receiving a request to auto-enroll a signature for at least one option ROM driver in the system security database of the computing device;

changing an indicator of an auto-enroll mode stored in non-volatile storage from an inactive mode to an active mode based on the request;

resetting or shutting down the computing device subsequent to the changing of the indicator;

beginning a boot sequence for the computing device following the resetting or shutting down of the computing device;

identifying at least one device having an option ROM driver whose signature is not present in the system security database;

detecting the active auto-enroll mode;

automatically enrolling the signature for the at least one device in the system security database based on the detection of the active auto-enroll mode without user interaction; and

changing the indicator of the auto-enroll mode from the active mode to the inactive mode before exiting the boot sequence,wherein the option Rom driver for the at least one device is loaded into memory for execution based on the presence of the enrolled signature in the system security database.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mechanism for automatically enrolling option ROMs into the system security database used for a UEFI Secure Boot is discussed. A request is received by a computing device to auto-enroll one or more option ROMs for one or more respective devices on the next boot of the system. Upon receiving the request, a flag or other type of indicator indicative of an auto-enroll status is changed to an active mode. The indicator is stored in non-volatile memory and may be stored as a UEFI Authenticated Variable. Following the changing of the indicator, the system is either reset or shut down. During the next boot only, after identifying the indicator indicative of an active mode auto-enroll status, the signatures for the option ROMs of all discovered devices whose signatures do not exist in the system security database are calculated(hashed) and added to the UEFI Secure Boot database without user interaction.

38 Citations

View as Search Results

18 Claims

1. A computing device-implemented method for auto-enrolling option ROM drivers in a system security database used to perform a Unified Extensible Firmware Interface (UEFI) Secure Boot, comprising:
- receiving a request to auto-enroll a signature for at least one option ROM driver in the system security database of the computing device;
  
  changing an indicator of an auto-enroll mode stored in non-volatile storage from an inactive mode to an active mode based on the request;
  
  resetting or shutting down the computing device subsequent to the changing of the indicator;
  
  beginning a boot sequence for the computing device following the resetting or shutting down of the computing device;
  
  identifying at least one device having an option ROM driver whose signature is not present in the system security database;
  
  detecting the active auto-enroll mode;
  
  automatically enrolling the signature for the at least one device in the system security database based on the detection of the active auto-enroll mode without user interaction; and
  
  changing the indicator of the auto-enroll mode from the active mode to the inactive mode before exiting the boot sequence,wherein the option Rom driver for the at least one device is loaded into memory for execution based on the presence of the enrolled signature in the system security database.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the indicator of the auto-enroll mode in non-volatile storage is stored in a UEFI authenticated variable and the change to the indicator is written to the authenticated variable.
  - 3. The method of claim 1 wherein the computing device is configured to allow only code running before a loading of the operating system by the boot sequence to change the indicator.
  - 4. The method of claim 1 wherein the computing device is configured to change the auto-enroll mode only following receipt of a command from a user in possession of a token.
  - 5. The method of claim 1 wherein the computing device is reset subsequent to the changing of the indicator and the automatically enrolled signature is for a device already installed in the computing device at the time of reset.
  - 6. The method of claim 1 wherein the computing device is shut down subsequent to the changing of the indicator and the automatically enrolled signature is for a device installed in the computing device following the shut down and before the boot sequence begins.
  - 7. The method of claim 1, further comprising:
    - storing information in the non-volatile storage indicating that the automatically enrolled signature for the at least one device is only valid for a single boot sequence or a pre-determined number of boot sequences.

8. A non-transitory medium holding computer-executable instructions for auto-enrolling option ROM drivers in a system security database used to perform a Unified Extensible Firmware Interface (UEFI) Secure Boot, the instructions when executed causing the computing device to:
- receive a request to auto-enroll a signature for at least one option ROM driver in the system security database of the computing device;
  
  change an indicator of an auto-enroll mode stored in non-volatile storage from an inactive mode to an active mode based on the request;
  
  reset or shut down the computing device subsequent to the changing of the indicator;
  
  begin a boot sequence for the computing device following the reset or shut down of the computing device;
  
  identify at least one device having an option ROM driver whose signature is not present in the system security database;
  
  detect the active auto-enroll mode;
  
  automatically enroll the signature for the at least one device in the system security database based on the detection of the active auto-enroll mode without user interaction; and
  
  change the indicator of the auto-enroll mode from the active mode to the inactive mode before exiting the boot sequence,wherein the option Rom driver for the at least one device is loaded into memory for execution based on the presence of the enrolled signature in the system security database.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The medium of claim 8 wherein the indicator of the auto-enroll mode in non-volatile storage is stored in a UEFI authenticated variable and the change to the indicator is written to the authenticated variable.
  - 10. The medium of claim 8 wherein the computing device is configured to allow only code running before a loading of the operating system by the boot sequence to change the indicator.
  - 11. The medium of claim 8 wherein the computing device is configured to change the auto-enroll mode only following receipt of a command from a user in possession of a token.
  - 12. The medium of claim 8 wherein the computing device is reset subsequent to the changing of the indicator and the automatically enrolled signature is for a device already installed in the computing device at the time of reset.
  - 13. The medium of claim 12 wherein the computing device is shut down subsequent to the changing of the indicator and the automatically enrolled signature is for a device installed in the computing device following the shut down and before the boot sequence begins.
  - 14. The medium of claim 8 wherein the instructions when executed further cause the computing device to:
    - store information in the non-volatile storage indicating that the automatically enrolled signature for the at least one device is only valid for a single boot sequence or a pre-determined number of boot sequences.

15. A computing device, comprising:
- at least one expansion device;
  
  at least one option ROM driver for the at least one expansion device;
  
  non-volatile storage holding a system security database used in performing a Unified Extensible Firmware Interface (UEFI) Secure Boot and an indicator of an auto-enroll mode for option ROM drivers in the computing device, the indicator set to an active mode;
  
  firmware configured to perform a boot sequence for the computing device, wherein the boot sequence;
  
  identifies that a signature for the at least one option ROM driver is not present in the system security database;
  
  detects the indicator of the auto-enroll mode set to the active mode; and
  
  automatically enrolls the signature for the at least one option ROM driver for the at least one expansion device in the system security database based on the detection of the active mode without user interaction;
  
  wherein the at least one option Rom driver for the at least one expansion device is loaded into memory for execution based on the presence of the enrolled signature in the system security database.
- View Dependent Claims (16, 17, 18)
- - 16. The computing device of claim 15 wherein the indicator of the auto-enroll mode in non-volatile storage is stored in a UEFI authenticated variable.
  - 17. The computing device of claim 15 wherein the indicator of the auto-enroll mode is changed from the active mode to an inactive mode before a subsequent boot sequence.
  - 18. The computing device of claim 15 wherein the non-volatile storage holds information indicating that the automatically enrolled signature for the at least one device is only valid for a single boot sequence or a pre-determined number of boot sequences.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Insyde Software Corp
Original Assignee
Insyde Software Corp
Inventors
LEWIS, Timothy Andrew

Granted Patent

US 9,881,162 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/2
CPC Class Codes

G06F 21/575   Secure boot

G06F 9/4401   Bootstrapping security arra...

G06F 9/4418   Suspend and resume; Hiberna...

SYSTEM AND METHOD FOR AUTO-ENROLLING OPTION ROMS IN A UEFI SECURE BOOT DATABASE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

38 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR AUTO-ENROLLING OPTION ROMS IN A UEFI SECURE BOOT DATABASE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links