
Authorized Configuration Management and Change Notification

IP.com Disclosure Number: IPCOM000015057D
Original Publication Date: 2001-Aug-11
Included in the Prior Art Database: 2003-Jun-20
Document File: 2 page(s) / 41K

Publishing Venue

IBM

Abstract

Today's PCs present a problem to an IT organization in maintaining a consistent hardware configuration. Users can open boxes and move device adapters around in the PCI Bus, or change the configuration of attached USB devices by removing or adding devices as they are external to the system unit, or remove PC Cards from PC Card sockets without authorization. This invention describes a secure method for tracking any changes to the authorized configuration. In addition, the system administrator who authorizes the official configuration can select a method to be notified of a change.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 43% of the total text.


Main Idea

1. Describe your invention, stating the problem solved (if appropriate), and indicating the advantages of using the invention.

Today's PCs present a problem to an IT organization in maintaining a consistent hardware configuration. Users can open boxes and move device adapters around in the PCI Bus, or change the configuration of attached USB devices by removing or adding devices as they are external to the system unit, or remove PC Cards from PC Card sockets without authorization. This invention discloses a secure method for tracking any changes to the authorized configuration. In addition, the system administrator who authorizes the official configuration can select a method to be notified of a change.

A new setup option is provided for the system administrator to create a digital signature which covers the "approved" configuration for the system. The approved configuration record consists of all allowed IDs in the system, appended to the setup password. The result is hashed and then signed using a public/private key digital signature algorithm. The signature is stored in non-volatile memory on the system board and write-protected just prior to operating system boot time. Read access remains allowed in order to support inventory and asset management during normal operation.

POST (Power On Self Test), when invoked on power up, interrogates and walks all the system buses in a prescribed manner. The IDs are collected in the same order in which they were collected when the system administrator enabled this feature. POST collects all the device IDs from all devices in the system, all the IDs of externally attached devices, and any IDs from the PC Card sockets, if present. The IDs in the system include integrated PCI devices, such as host bridges, memory controllers, PCI adapters, etc. Externally attached IDs include all USB-attached devices and any PC Cards present.

The IDs are stored in a record in memory in a predefined order. In other words, every time POST gets control it stores the IDs present in the system in the same order in the record. This record will be referred to as the ID record. POST now appends the setup password, which is available to POST after power up, to the ID record. The ID record is then hashed using a well-known hash algorithm, for example SHA-1. The re...
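The setup-time signing and the boot-time recheck described above, as an added example in Go that is not part of the disclosure. Ed25519 for the "public/private key" signature, the NUL separator between IDs, and the sample PCI/USB IDs are assumptions of this example; the disclosure's text is cut off before it says how POST uses the stored signature, so the verify step here is also an assumption.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
)

// IDRecord holds device IDs in the order POST walks the buses: PCI, then USB, then PC Card.
type IDRecord struct{ PCI, USB, PCCard []string }

// recordDigest serialises the IDs in that fixed order, appends the setup password and
// hashes with SHA-1, as the disclosure describes. The NUL separator is an assumption
// added here so adjacent IDs cannot be re-split into a colliding record.
func recordDigest(r IDRecord, setupPassword string) []byte {
	var buf bytes.Buffer
	for _, group := range [][]string{r.PCI, r.USB, r.PCCard} {
		for _, id := range group {
			buf.WriteString(id)
			buf.WriteByte(0)
		}
	}
	buf.WriteString(setupPassword)
	sum := sha1.Sum(buf.Bytes())
	return sum[:]
}
// newAdminKey makes the administrator's signing key pair (Ed25519 is an assumed choice).
func newAdminKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}
// signApproved is the setup-time step; its output is what goes into write-protected NVRAM.
func signApproved(priv ed25519.PrivateKey, r IDRecord, pw string) []byte {
	return ed25519.Sign(priv, recordDigest(r, pw))
}
// verifyAtPOST checks the IDs collected at boot against the stored signature.
func verifyAtPOST(pub ed25519.PublicKey, sig []byte, r IDRecord, pw string) bool {
	return ed25519.Verify(pub, recordDigest(r, pw), sig)
}
func main() {
	pub, priv := newAdminKey()
	approved := IDRecord{PCI: []string{"8086:7190", "8086:7191", "1002:4742"}, USB: []string{"046d:c016"}} // constructed IDs
	sig := signApproved(priv, approved, "setup-pw")
	moved := IDRecord{PCI: []string{"8086:7190", "1002:4742", "8086:7191"}, USB: approved.USB} // adapter moved to another slot
	fmt.Println(verifyAtPOST(pub, sig, approved, "setup-pw"), verifyAtPOST(pub, sig, moved, "setup-pw")) // true false
}
```

SHA-1 is used only because the disclosure names it; collisions against SHA-1 are now practical, so a current implementation would hash with SHA-256 or stronger.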