System and method for trusted early boot flow
Abstract
In some embodiments, the invention involves extending trusted computing environments to the boot firmware. In at least one embodiment, the present invention is intended to enable the trusted environment to be extended forward to the pre-boot environment in addition to post-OS load environment. Embodiments of the present invention enable the trusted environment to extend to the firmware at power-on. The firmware is integrated within the secure perimeter which was previously only available to the OS. In other words, the BIOS is made to be a trusted entity, as well as the OS. Extensible firmware interface (EFI) modules are signed with a public key. The processor has an embedded private key. EFI modules are verified using the keys to ensure a trusted environment from boot to OS launch. Other embodiments are described and claimed.
Claims (18)
1. A platform comprising:

a processor having a private key, the processor to communicatively couple to firmware comprising a first authenticated code (AC) module that includes a header, instruction code, data, and a public key, wherein the public and private key allow (i) the first AC module to be trusted in execution during initialization prior to launch of an operating system, (ii) replacing a first hardware component, coupled to the platform, with a second hardware component via hot plugging after initialization of the platform; and
(iii) authenticating and loading a second AC module, corresponding to the hot plugged component, without rebooting the platform, wherein the processor architecture comprises an extensible firmware interface (EFI).

(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10)
11. A method for enabling a trusted environment in a platform comprising:

authenticating a first authenticated code (AC) module, during initialization of a platform prior to launch of an operating system, using a private key embedded in a processor on the platform and a public key encoded within the first AC module, wherein the first authenticated AC module ensures trusted platform firmware services are available to a trusted operating system;
loading the first authenticated AC module to perform an initialization task;
replacing a first hardware component, coupled to the platform, with a second hardware component via hot plugging after initialization of the platform;
authenticating and loading a second AC module, corresponding to the hot plugged component, without rebooting the platform; and
initializing the hot plugged component without rebooting the platform;
wherein the platform comprises an extensible firmware interface (EFI) architecture.

(Dependent claims: 12, 13, 17, 18)
14. A non-transitory machine accessible medium having instructions that when executed cause the machine to:

authenticate a first authenticated code (AC) module, during initialization of a platform prior to launch of an operating system, using a private key embedded in a processor on the machine and a public key encoded within the first AC module;
load the first authenticated AC module to perform an initialization task;
authenticate and load a second AC module without rebooting the platform, the second AC module corresponding to a second hardware component that is to replace a first hardware component, coupled to the platform, via a hot plug procedure to be performed after initialization of the platform;
wherein the machine comprises an extensible firmware interface (EFI) architecture.

(Dependent claims: 15, 16)
Specification