System and method for auto-enrolling option ROMS in a UEFI secure boot database

US 9,881,162 B2
Filed: 09/12/2014
Issued: 01/30/2018
Est. Priority Date: 09/12/2013
Status: Active Grant

First Claim

Patent Images

1. A computing device-implemented method for auto-enrolling option ROM drivers in a system security database used by firmware to perform a Unified Extensible Firmware Interface (UEFI) Secure Boot process, comprising:

receiving a request to auto-enroll a signature for at least one option ROM driver in the system security database of the computing device, the computing device configured to execute a UEFI Secure Boot process during a boot sequence;

changing an indicator of an auto-enroll mode stored in non-volatile storage from an inactive mode to an active mode based on the request;

resetting or shutting down the computing device subsequent to the changing of the indicator;

beginning the boot sequence for the computing device following the resetting or shutting down of the computing device;

identifying at least one device having an option ROM driver whose signature is not present in the system security database during the boot sequence following the resetting or shutting down of the computing device;

detecting the active mode of the indicator;

bypassing the UEFI Secure Boot process based on the detecting;

automatically enrolling, with the firmware, the signature for the at least one device in the system security database, the enrolling triggered by the detection of the active mode by the firmware without requiring a subsequent user selection associated with enrollment of the signature; and

changing the indicator of the auto-enroll mode from the active mode to the inactive mode before exiting the boot sequence,wherein the option ROM driver for the at least one device is loaded into memory for execution based on the presence of the enrolled signature in the system security database.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mechanism for automatically enrolling option ROMs into the system security database used for a UEFI Secure Boot is discussed. A request is received by a computing device to auto-enroll one or more option ROMs for one or more respective devices on the next boot of the system. Upon receiving the request, a flag or other type of indicator indicative of an auto-enroll status is changed to an active mode. The indicator is stored in non-volatile memory and may be stored as a UEFI Authenticated Variable. Following the changing of the indicator, the system is either reset or shut down. During the next boot only, after identifying the indicator indicative of an active mode auto-enroll status, the signatures for the option ROMs of all discovered devices whose signatures do not exist in the system security database are calculated (hashed) and added to the UEFI Secure Boot database without user interaction.

7 Citations

View as Search Results

18 Claims

1. A computing device-implemented method for auto-enrolling option ROM drivers in a system security database used by firmware to perform a Unified Extensible Firmware Interface (UEFI) Secure Boot process, comprising:
- receiving a request to auto-enroll a signature for at least one option ROM driver in the system security database of the computing device, the computing device configured to execute a UEFI Secure Boot process during a boot sequence;
  
  changing an indicator of an auto-enroll mode stored in non-volatile storage from an inactive mode to an active mode based on the request;
  
  resetting or shutting down the computing device subsequent to the changing of the indicator;
  
  beginning the boot sequence for the computing device following the resetting or shutting down of the computing device;
  
  identifying at least one device having an option ROM driver whose signature is not present in the system security database during the boot sequence following the resetting or shutting down of the computing device;
  
  detecting the active mode of the indicator;
  
  bypassing the UEFI Secure Boot process based on the detecting;
  
  automatically enrolling, with the firmware, the signature for the at least one device in the system security database, the enrolling triggered by the detection of the active mode by the firmware without requiring a subsequent user selection associated with enrollment of the signature; and
  
  changing the indicator of the auto-enroll mode from the active mode to the inactive mode before exiting the boot sequence,wherein the option ROM driver for the at least one device is loaded into memory for execution based on the presence of the enrolled signature in the system security database.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the indicator of the auto-enroll mode in non-volatile storage is stored in a UEFI authenticated variable and the change to the indicator is written to the authenticated variable.
  - 3. The method of claim 1 wherein the computing device is configured to allow only code running before a loading of the operating system by the boot sequence to change the indicator.
  - 4. The method of claim 1 wherein the computing device is configured to change the auto-enroll mode only following receipt of a command from a user in possession of a token.
  - 5. The method of claim 1 wherein the computing device is reset subsequent to the changing of the indicator and the automatically enrolled signature is for a device already installed in the computing device at the time of reset.
  - 6. The method of claim 1 wherein the computing device is shut down subsequent to the changing of the indicator and the automatically enrolled signature is for a device installed in the computing device following the shut down and before the boot sequence begins.
  - 7. The method of claim 1, further comprising:
    - storing information in the non-volatile storage indicating that the automatically enrolled signature for the at least one device is only valid for a single boot sequence or a pre-determined number of boot sequences.

8. A non-transitory medium holding computer-executable instructions for auto-enrolling option ROM drivers in a system security database used by firmware to perform a Unified Extensible Firmware Interface (UEFI) Secure Boot process, the instructions when executed causing the computing device to:
- receive a request to auto-enroll a signature for at least one option ROM driver in the system security database of the computing device, the computing device configured to execute a UEFI Secure Boot process during a boot sequence;
  
  change an indicator of an auto-enroll mode stored in non-volatile storage from an inactive mode to an active mode based on the request;
  
  reset or shut down the computing device subsequent to the changing of the indicator;
  
  begin the boot sequence for the computing device following the reset or shut down of the computing device;
  
  identify at least one device having an option ROM driver whose signature is not present in the system security database during the boot sequence following the resetting or shutting down of the computing device;
  
  detect the active mode of the indicator;
  
  bypass the UEFI Secure Boot process based on the detecting;
  
  automatically enroll, with the firmware, the signature for the at least one device in the system security database, the enrolling triggered by the detection of the active mode by the firmware without requiring a subsequent user selection associated with enrollment of the signature; and
  
  change the indicator of the auto-enroll mode from the active mode to the inactive mode before exiting the boot sequence,wherein the option ROM driver for the at least one device is loaded into memory for execution based on the presence of the enrolled signature in the system security database.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The medium of claim 8 wherein the indicator of the auto-enroll mode in non-volatile storage is stored in a UEFI authenticated variable and the change to the indicator is written to the authenticated variable.
  - 10. The medium of claim 8 wherein the computing device is configured to allow only code running before a loading of the operating system by the boot sequence to change the indicator.
  - 11. The medium of claim 8 wherein the computing device is configured to change the auto-enroll mode only following receipt of a command from a user in possession of a token.
  - 12. The medium of claim 8 wherein the computing device is reset subsequent to the changing of the indicator and the automatically enrolled signature is for a device already installed in the computing device at the time of reset.
  - 13. The medium of claim 12 wherein the computing device is shut down subsequent to the changing of the indicator and the automatically enrolled signature is for a device installed in the computing device following the shut down and before the boot sequence begins.
  - 14. The medium of claim 8 wherein the instructions when executed further cause the computing device to:
    - store information in the non-volatile storage indicating that the automatically enrolled signature for the at least one device is only valid for a single boot sequence or a pre-determined number of boot sequences.

15. A computing device configured to execute a UEFI Secure Boot process during a boot sequence, comprising:
- at least one expansion device;
  
  at least one option ROM driver for the at least one expansion device;
  
  non-volatile storage holding a system security database used in performing a Unified Extensible Firmware Interface (UEFI) Secure Boot process and an indicator of an auto-enroll mode for option ROM drivers in the computing device;
  
  firmware configured to perform the boot sequence for the computing device, wherein the firmware;
  
  receives a request to auto-enroll a signature for at least one option ROM driver in the system security database of the computing device;
  
  changes an indicator of an auto-enroll mode stored in non-volatile storage from an inactive mode to an active mode based on the request;
  
  resets or shuts down the computing device subsequent to the changing of the indicator;
  
  begins the boot sequence for the computing device following the reset or shut down of the computing device;
  
  identifies that a signature for the at least one option ROM driver is not present in the system security database during the boot sequence following the reset or shut down of the computing device;
  
  detects the indicator of the auto-enroll mode set to the active mode;
  
  bypasses the UEFI Secure Boot process based on the detecting; and
  
  automatically enrolls the signature for the at least one option ROM driver for the at least one expansion device in the system security database, the enrolling triggered by the detection of the active mode by the firmware without requiring a subsequent user selection associated with enrollment of the signature;
  
  wherein the at least one option ROM driver for the at least one expansion device is loaded into memory for execution based on the presence of the enrolled signature in the system security database.
- View Dependent Claims (16, 17, 18)
- - 16. The computing device of claim 15 wherein the indicator of the auto-enroll mode in non-volatile storage is stored in a UEFI authenticated variable.
  - 17. The computing device of claim 15 wherein the indicator of the auto-enroll mode is changed from the active mode to an inactive mode before a subsequent boot sequence.
  - 18. The computing device of claim 15 wherein the non-volatile storage holds information indicating that the automatically enrolled signature for the at least one device is only valid for a single boot sequence or a pre-determined number of boot sequences.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Insyde Software Corp
Original Assignee
Insyde Software Corp
Inventors
Lewis, Timothy Andrew
Primary Examiner(s)
Lee, Thomas
Assistant Examiner(s)
POUDEL, SANTOSH RAJ

Application Number

US14/484,819
Publication Number

US 20150074387A1
Time in Patent Office

1,236 Days
Field of Search

713 1, 713 2
US Class Current
CPC Class Codes

G06F 21/575   Secure boot

G06F 9/4401   Bootstrapping security arra...

G06F 9/4418   Suspend and resume; Hiberna...

System and method for auto-enrolling option ROMS in a UEFI secure boot database

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

7 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for auto-enrolling option ROMS in a UEFI secure boot database

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

7 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links