USER TRUSTED DEVICE TO ATTEST TRUSTWORTHINESS OF INITIALIZATION FIRMWARE

US 20150317471A1
Filed: 11/26/2013
Published: 11/05/2015
Est. Priority Date: 12/14/2012
Status: Active Grant

First Claim

Patent Images

1. A user trusted device (10), comprising:

a connection interface (12) enabling connection (S2) with a computer (101); and

a persistent memory (14) storing modules (15, 16, 17), which are configured, upon connection of the user trusted device (10) with said computer (101) via said connection interface (12), to;

enable said computer (101) to start booting from the user trusted device (10);

map firmware data to a code, the firmware data comprising program code of an initialization firmware and/or data accessible by the initialization firmware (122) of the computer while starting to boot;

attest trustworthiness of the code; and

enable said computer (101) to complete booting from the user trusted device (10) if the code is attested.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is notably directed to a user trusted device (10), comprising: a connection interface (12) enabling connection (S2) with a computer (101); and a persistent memory (14) storing modules (15, 16, 17), which are configured, upon connection of the user trusted device (10) with said computer (101) via said connection interface (12), to: enable said computer (101) to start booting (S3, S3a) from the user trusted device (10); map (S6) firmware data to a code, the firmware data comprising program code of an initialization firmware and/or data accessible by the initialization firmware (122) of the computer while starting to boot; attest (S7-S12) trustworthiness of the code; and enable (S14) said computer (101) to complete booting from the user trusted device (10) if the code is attested. The present invention is further directed to related systems and methods.

21 Citations

View as Search Results

15 Claims

1. A user trusted device (10), comprising:
- a connection interface (12) enabling connection (S2) with a computer (101); and
  
  a persistent memory (14) storing modules (15, 16, 17), which are configured, upon connection of the user trusted device (10) with said computer (101) via said connection interface (12), to;
  
  enable said computer (101) to start booting from the user trusted device (10);
  
  map firmware data to a code, the firmware data comprising program code of an initialization firmware and/or data accessible by the initialization firmware (122) of the computer while starting to boot;
  
  attest trustworthiness of the code; and
  
  enable said computer (101) to complete booting from the user trusted device (10) if the code is attested.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The user trusted device (10) of claim 1, wherein said modules comprise:
    - a bootloader (16) enabling said computer (101) to start booting from the device (10);
      
      a data mapping module (15), executable at the computer (101) to map said data; and
      
      a verification module (17) configured to attest trustworthiness of the code, and wherein,the bootloader (16) is detectable by the initialization firmware (122) upon connection of the user trusted device (10) with said computer (101) and comprises instructions for the firmware (122) to initiate a transfer of said data mapping module (15) onto the computer (101) for subsequent execution at the computer (101).
  - 3. The user trusted device (10) of claim 2, whereinthe data mapping module (15) is further configured, upon execution at the computer (101), to transfer said code to the verification module (17) after mapping;
    - the verification module (17) is executable at the device and/or the computer and configured, upon execution, to attest trustworthiness of a code transferred by the data mapping module (15); and
      
      the bootloader (16) is further configured to interact with the firmware (122) to complete booting from the user trusted device (10) upon receiving confirmation that a code is attested from the verification module (17).
  - 4. The user trusted device (10) of claim 2, wherein the verification module (17) is configured to instruct, upon execution, to attest trustworthiness of the code by checking it against a list of codes attesting good states of the initialization firmware, which list of codes is preferably stored on the device (10).
  - 5. The user trusted device (10) of claim 2, wherein the verification module (17) is further configured to instruct to connect to a server, preferably via said computer (101), for checking the code at least partly at the server.
  - 6. The user trusted device (10) of claim 5, wherein the verification module (17) is further configured to interact with said firmware (122) of the computer to subsequently interact with a network card (124) of the computer (101), in order to initiate a communication over the network as enabled by said network card (124), to connect to the server.
  - 7. The user trusted device (10) of claim 5, wherein the verification module (17) is further configured to access network card drivers stored on the user trusted device to directly interact with a network card (124) of the computer (101), in order to initiate a communication over the network as enabled by said network card (124), to connect to the server.
  - 8. The user trusted device (10) of claim 5, wherein the verification module (17) is further configured to:
    - interact, preferably via the bootloader, with the firmware (122) to partly run an operating system of the computer, as necessary to instruct to connect to the server via said computer (101); and
      
      complete booting from the user trusted device (10) if the code is attested.

9. A method for enabling a computer (101) to boot from a user trusted device (10), the user trusted device (10) comprising a connection interface (12) enabling connection (S2) with said computer (101), the method comprising:
- enabling said computer (101) to start (S3, S3a) booting from the user trusted device (10) upon connection (S2) of the user trusted device with said computer (101) via said connection interface (12);
  
  mapping (S6) firmware data to a code, the firmware data comprising program code of an initialization firmware and/or data accessible by the initialization firmware (122) of the computer while starting to boot;
  
  attesting (S7-S12) trustworthiness of the code; and
  
  enabling (S14) said computer (101) to complete booting from the user trusted device (10) if the code is attested.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9, further comprising interacting with an initialization firmware (122) of the computer (101), upon connection of the user trusted device (10) with said computer (101), toenable (S3a) said computer (101) to start booting from the user trusted device (10);
    - andinitiate (S4) a transfer of a data mapping module (15) onto the computer (101) for subsequent execution (S5-S6) at the computer (101), to map said firmware data to said code.
  - 11. The method of claim 9, wherein attesting trustworthiness of the code comprisesinstructing to attest trustworthiness of the code by checking it against a list of codes attesting good states of the initialization firmware, which list of codes is preferably accessed from a server (30).
  - 12. The method of claim 9, wherein attesting trustworthiness of the code comprisesconnecting (S7a-S7c) to a server via said computer (101) for checking the code at least partly at the server.
  - 13. The method of claim 12, wherein connecting to a server further comprises:
    - interacting (S7a) with said firmware (122) of the computer to subsequently interact (S7b) with a network card (124) of the computer (101), in order to initiate a communication (S7c) over the network as enabled by said network card (124), to connect to the server (30).
  - 14. The user trusted device (10) of claim 12, wherein connecting to a server further comprises either:
    - accessing network card drivers stored on the user trusted device to directly interact with a network card (124) of the computer (101), in order to initiate a communication over the network as enabled by said network card (124), to connect to the server;
      
      orinteracting with the initialization firmware (122) to start booting an operating system of the computer, to initiate a communication over the network through the operating system and thereby connect to the server, and to complete booting from the user trusted device (10) if the code is attested.

15. A computer program product for enabling a computer (101) to boot from a user trusted device (10), the computer program product comprising a computer-readable storage medium having modules (15, 16, 17) embodied therewith, the modules allowing for enabling a computer (101) to boot from a user trusted device (10), the user trusted device (10) comprising a connection interface (12) enabling connection (S2) with said computer (101), the method comprising:
- enabling said computer (101) to start (S3, S3a) booting from the user trusted device (10) upon connection (S2) of the user trusted device with said computer (101) via said connection interface (12);
  
  mapping (S6) firmware data to a code, the firmware data comprising program code of an initialization firmware and/or data accessible by the initialization firmware (122) of the computer while starting to boot;
  
  attesting (S7-S12) trustworthiness of the code; and
  
  enabling (S14) said computer (101) to complete booting from the user trusted device (10) if the code is attested.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Baentsch, Michael, Gschwind, Thomas, Schade, Andreas

Granted Patent

US 9,639,690 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/572   Secure firmware programming...

G06F 9/4401   Bootstrapping security arra...

G06F 9/4406   Loading of operating system

USER TRUSTED DEVICE TO ATTEST TRUSTWORTHINESS OF INITIALIZATION FIRMWARE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

21 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

USER TRUSTED DEVICE TO ATTEST TRUSTWORTHINESS OF INITIALIZATION FIRMWARE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links