BIOS based secure execution environment

US 7,987,512 B2
Filed: 05/19/2006
Issued: 07/26/2011
Est. Priority Date: 05/19/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

initiating a hardware interrupt, at regular intervals, by an embedded controller of a computing device;

in response to the interrupt, executing a lower provisioning module at the regular intervals, the lower provisioning module stored in a basic input/output system (BIOS), the lower provisioning module configured to enforce one or more policies that describe how a functionality of the computing device is controlled, the lower provisioning module further configured to;

determine whether to constrain functionality of the computing device based on a balance stored in the BIOS, the balance comprises an amount of time the computing device is available to a user, wherein an adjustment to the balance results in the computing device entering one or more operating modes comprising;

a full function mode enabling the computing device to execute one or more application modules using full resources of the computing device,a reduced function mode permitting limited execution of the one or more application modules, ora hardware lock mode preventing execution of the operating system;

detect and counter, using a tampering module, attempts to tamper with the balance stored in the BIOS;

in response to the attempts to tamper with the balance, output, using the tampering module, an identification code to remove the hardware lock mode; and

receiving at the lower provisioning module a provisioning packet to regain access to a functionality of the computing device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques to provide a secure execution environment are described. In an implementation, a method includes initiating a hardware interrupt by an embedded controller of a computing device. In response to the interrupt, a module is executed that is stored in a basic input/output system (BIOS). The module, when executed, determines whether constrain functionality of the computing device based on a balance.

80 Citations

15 Claims

1. A method comprising:
- initiating a hardware interrupt, at regular intervals, by an embedded controller of a computing device;
  
  in response to the interrupt, executing a lower provisioning module at the regular intervals, the lower provisioning module stored in a basic input/output system (BIOS), the lower provisioning module configured to enforce one or more policies that describe how a functionality of the computing device is controlled, the lower provisioning module further configured to;
  
  determine whether to constrain functionality of the computing device based on a balance stored in the BIOS, the balance comprises an amount of time the computing device is available to a user, wherein an adjustment to the balance results in the computing device entering one or more operating modes comprising;
  
  a full function mode enabling the computing device to execute one or more application modules using full resources of the computing device,a reduced function mode permitting limited execution of the one or more application modules, ora hardware lock mode preventing execution of the operating system;
  
  detect and counter, using a tampering module, attempts to tamper with the balance stored in the BIOS;
  
  in response to the attempts to tamper with the balance, output, using the tampering module, an identification code to remove the hardware lock mode; and
  
  receiving at the lower provisioning module a provisioning packet to regain access to a functionality of the computing device.
- View Dependent Claims (2, 3, 4, 5)
- - 2. A method as described in claim 1, wherein the the operating system is executable by a processor that is separate from the embedded controller.
  - 3. A method as described in claim 1, wherein the lower provisioning module is executed in a secure execution environment that is not accessible by the operating system.
  - 4. A method as described in claim 1, wherein the balance is stored in the lower provisioning module of the BIOS.
  - 5. A method as described in claim 1, wherein when the computing device is placed in the hardware lock mode, the lower provisioning module causes output of a user interface that describes information that is usable, at least in part, to remove the hardware lock mode and an identifier particular to the computing device.

6. A computer-implemented method comprising:
- receiving by a computing device a hardware interrupt at regular intervals;
  
  applying, by the computing device, a policy to manage functionality of the computing device at the regular intervals based on a balance stored in a basic input/output system (BIOS) of the computing device that indicates an amount of time that one or more services of the computing device are available to a user, wherein the balance is maintained locally by the computing device, wherein the policy specifies that when the balance reaches a first amount, a lower provisioning module reduces the functionality of the computing device, and when the balance reaches a second amount, the lower provisioning module further reduces the functionality of the computing device such that execution of an operating system by the computing device is prevented;
  
  the computing device entering into a hardware lock mode in response to detection, by a tampering module of the computing device, of attempts to tamper with the lower provisioning module, wherein the attempts to tamper comprise an unauthorized attempt to increase the balance stored in the BIOS; and
  
  outputting, by the computing device in response to the detection, an identification code usable to remove the hardware lock mode.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13)
- - 7. A computer-implemented method as described in claim 6, wherein the hardware interrupt is caused by an embedded controller of the computing device that is separate from a processor of the computing device that is configured to execute the operating system.
  - 8. A computer-implemented method as described in claim 6, wherein the hardware interrupt is caused by software that is executable by an embedded controller.
  - 9. A computer-implemented method as described in claim 6, wherein the policy is maintained in secure storage that is inaccessible by the operating system.
  - 10. A computer-implemented method as described in claim 9, wherein the secure storage is part of the BIOS.
  - 11. A computer-implemented method as described in claim 6, wherein the reduced functionality specified when the balance reaches the first amount:
    - permits execution of the operating system; and
      
      limits execution of one or more application modules in conjunction with the operating system.
  - 12. A computer-implemented method as described in claim 6, further comprising outputting, by the computing device in response to the detection, a user interface having information that indicates that the hardware lock mode was entered due to the detection of tampering.
  - 13. The computer-implemented method as described in claim 6, wherein the policy specifies that when the balance reaches the first amount:
    - the operation system is authorized to transfer data; and
      
      one or more application modules of the operating system are not executable.

14. A computing device, comprising:
- a processor;
  
  a basic input/output system (BIOS) configured to maintain a module and a balance, wherein the balance comprises an amount of time the computing device is available to a user;
  
  an embedded controller configured to cause a hardware interrupt of the processor to apply a policy, through execution of the module from the BIOS, to manage functionality of the computing device based on the balance, wherein the policy specifies that;
  
  the module reduces a functionality of the computing device in response to the balance reaching a first amount; and
  
  the module further reduces the functionality of the computing device to prevent execution of an operating system in response to the balance reaching a second amount,wherein the balance is adjustable through interaction with another computing device over a network through payment of a fee, the interaction comprising receiving a provisioning packet over the network from the other computing device; and
  
  a tamper module configured to detect and counter attempts to tamper with an amount of the balance maintained on the BIOS.
- View Dependent Claims (15)
- - 15. A computing device as described in claim 14, wherein the embedded controller is configured to initiate the hardware interrupt at predetermined intervals.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Venkatachalam, Raja, Xu, Zhangwei, Lopez-Barquilla, Ricardo, Steeb, Curt A.
Primary Examiner(s)
COLIN, CARL G

Application Number

US11/419,402
Publication Number

US 20070271597A1
Time in Patent Office

1,894 Days
Field of Search

713/2, 713/194, 726/26, 726/27, 726/34
US Class Current

726/27
CPC Class Codes

G06F 21/53 by executing in a restricte...

BIOS based secure execution environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

80 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

BIOS based secure execution environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

80 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links