System and method for auto-enrolling option ROMS in a UEFI secure boot database
First Claim
1. A computing device-implemented method for auto-enrolling option ROM drivers in a system security database used by firmware to perform a Unified Extensible Firmware Interface (UEFI) Secure Boot process, comprising:
- receiving a request to auto-enroll a signature for at least one option ROM driver in the system security database of the computing device, the computing device configured to execute a UEFI Secure Boot process during a boot sequence;
- changing an indicator of an auto-enroll mode stored in non-volatile storage from an inactive mode to an active mode based on the request;
- resetting or shutting down the computing device subsequent to the changing of the indicator;
- beginning the boot sequence for the computing device following the resetting or shutting down of the computing device;
- identifying at least one device having an option ROM driver whose signature is not present in the system security database during the boot sequence following the resetting or shutting down of the computing device;
- detecting the active mode of the indicator;
- bypassing the UEFI Secure Boot process based on the detecting;
- automatically enrolling, with the firmware, the signature for the at least one device in the system security database, the enrolling triggered by the detection of the active mode by the firmware without requiring a subsequent user selection associated with enrollment of the signature; and
- changing the indicator of the auto-enroll mode from the active mode to the inactive mode before exiting the boot sequence,
wherein the option ROM driver for the at least one device is loaded into memory for execution based on the presence of the enrolled signature in the system security database.
Abstract
A mechanism for automatically enrolling option ROMs into the system security database used for a UEFI Secure Boot is discussed. A request is received by a computing device to auto-enroll one or more option ROMs for one or more respective devices on the next boot of the system. Upon receiving the request, a flag or other type of indicator indicative of an auto-enroll status is changed to an active mode. The indicator is stored in non-volatile memory and may be stored as a UEFI Authenticated Variable. Following the changing of the indicator, the system is either reset or shut down. During the next boot only, after identifying the indicator indicative of an active mode auto-enroll status, the signatures for the option ROMs of all discovered devices whose signatures do not exist in the system security database are calculated (hashed) and added to the UEFI Secure Boot database without user interaction.
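The one-shot flow in the abstract can be modelled in a few lines of C. This is an added example, not code from the patent or from any firmware: the `nv_state` and `oprom` structures and the function names are hypothetical, the sample image is constructed, and FNV-1a stands in for the cryptographic hash real firmware would compute.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DB_MAX 8
/* Hypothetical model of the non-volatile state; not a real UEFI structure. */
struct nv_state { uint64_t db[DB_MAX]; size_t db_count; int auto_enroll; };
struct oprom { const uint8_t *image; size_t len; int loaded; };

/* FNV-1a: a stand-in for the cryptographic hash used by real firmware. */
static uint64_t digest(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

static int db_contains(const struct nv_state *nv, uint64_t d) {
    for (size_t i = 0; i < nv->db_count; i++)
        if (nv->db[i] == d) return 1;
    return 0;
}

/* Request step: set the indicator; the caller then resets the machine. */
void request_auto_enroll(struct nv_state *nv) { nv->auto_enroll = 1; }

/* One boot sequence; returns how many signatures were enrolled. */
size_t boot(struct nv_state *nv, struct oprom *roms, size_t n) {
    size_t enrolled = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t d = digest(roms[i].image, roms[i].len);
        if (!db_contains(nv, d) && nv->auto_enroll && nv->db_count < DB_MAX) {
            nv->db[nv->db_count++] = d;      /* enrolled with no user prompt */
            enrolled++;
        }
        roms[i].loaded = db_contains(nv, d); /* load only if in the database */
    }
    nv->auto_enroll = 0; /* one-shot: cleared before the boot sequence exits */
    return enrolled;
}

int main(void) {
    /* Constructed sample bytes, not a real option ROM image. */
    static const uint8_t rom[] = {0x55, 0xAA, 0x10, 0x20};
    struct nv_state nv = {0};
    struct oprom dev = {rom, sizeof rom, 0};
    request_auto_enroll(&nv);
    size_t first = boot(&nv, &dev, 1);
    size_t second = boot(&nv, &dev, 1);
    printf("first=%zu second=%zu loaded=%d\n", first, second, dev.loaded);
    return 0;
}
```

In this model every image present during the single auto-enroll boot becomes trusted, so the request that sets the indicator is the control point to protect.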
18 Claims
8. A non-transitory medium holding computer-executable instructions for auto-enrolling option ROM drivers in a system security database used by firmware to perform a Unified Extensible Firmware Interface (UEFI) Secure Boot process, the instructions when executed causing the computing device to:
- receive a request to auto-enroll a signature for at least one option ROM driver in the system security database of the computing device, the computing device configured to execute a UEFI Secure Boot process during a boot sequence;
- change an indicator of an auto-enroll mode stored in non-volatile storage from an inactive mode to an active mode based on the request;
- reset or shut down the computing device subsequent to the changing of the indicator;
- begin the boot sequence for the computing device following the reset or shut down of the computing device;
- identify at least one device having an option ROM driver whose signature is not present in the system security database during the boot sequence following the resetting or shutting down of the computing device;
- detect the active mode of the indicator;
- bypass the UEFI Secure Boot process based on the detecting;
- automatically enroll, with the firmware, the signature for the at least one device in the system security database, the enrolling triggered by the detection of the active mode by the firmware without requiring a subsequent user selection associated with enrollment of the signature; and
- change the indicator of the auto-enroll mode from the active mode to the inactive mode before exiting the boot sequence,
wherein the option ROM driver for the at least one device is loaded into memory for execution based on the presence of the enrolled signature in the system security database.
15. A computing device configured to execute a UEFI Secure Boot process during a boot sequence, comprising:
- at least one expansion device;
- at least one option ROM driver for the at least one expansion device;
- non-volatile storage holding a system security database used in performing a Unified Extensible Firmware Interface (UEFI) Secure Boot process and an indicator of an auto-enroll mode for option ROM drivers in the computing device;
- firmware configured to perform the boot sequence for the computing device, wherein the firmware;
  - receives a request to auto-enroll a signature for at least one option ROM driver in the system security database of the computing device;
  - changes an indicator of an auto-enroll mode stored in non-volatile storage from an inactive mode to an active mode based on the request;
  - resets or shuts down the computing device subsequent to the changing of the indicator;
  - begins the boot sequence for the computing device following the reset or shut down of the computing device;
  - identifies that a signature for the at least one option ROM driver is not present in the system security database during the boot sequence following the reset or shut down of the computing device;
  - detects the indicator of the auto-enroll mode set to the active mode;
  - bypasses the UEFI Secure Boot process based on the detecting; and
  - automatically enrolls the signature for the at least one option ROM driver for the at least one expansion device in the system security database, the enrolling triggered by the detection of the active mode by the firmware without requiring a subsequent user selection associated with enrollment of the signature;
wherein the at least one option ROM driver for the at least one expansion device is loaded into memory for execution based on the presence of the enrolled signature in the system security database.
Specification