
Secure Bootblock recovery

IP.com Disclosure Number: IPCOM000015134D
Original Publication Date: 2001-Aug-11
Included in the Prior Art Database: 2003-Jun-20
Document File: 1 page(s) / 37K

Publishing Venue

IBM

Abstract

Many PC systems today include a recovery mode that can boot a flash utility and update the BIOS even when the main portion of the BIOS is corrupt. This function, called the bootblock, resides at the system's reset vector and is the first code to execute following a system reset or power-on. It examines some predetermined system status (GPIO, CRC check failure, etc.) and determines whether the system should boot normally or enter recovery mode. When recovery mode is entered, BIOS functions are usually limited to the bare minimum necessary to boot the system and load a standalone flash utility to update the corrupted portion of the BIOS. Unfortunately, the boot block recovery function does not include support for user I/O (keyboard, mouse, video, etc.). This renders the usual methods of administrator authentication unusable, since they normally rely on user input. One way to solve this problem is to include the user authentication (usually a password) in a file on the media used for the flash utility, and to include in the boot block the BIOS security functions necessary to verify the administrator authentication. However, this method permits the compromise of the user's authentication, because the administrator's secret can simply be read from a file. What is needed is a method of protecting the administrator's authentication. This disclosure describes a method of protecting the administrator's secret while providing a way to verify that the update is being requested by an authorized authority.
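The bootblock decision and the cleartext password file described above, as an added C example that is not taken from the disclosure. The function names, the choice of CRC-32 and the media layout are assumptions, and all sample data is constructed.

```c
/* Added illustration, not code from the disclosure; names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum boot_path { BOOT_NORMAL, BOOT_RECOVERY };

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320) over the main BIOS region. */
uint32_t crc32_calc(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Enter recovery if the jumper GPIO is asserted or the main BIOS fails its CRC. */
enum boot_path bootblock_decide(int recovery_gpio, const uint8_t *bios,
                                size_t n, uint32_t stored_crc) {
    if (recovery_gpio || crc32_calc(bios, n) != stored_crc)
        return BOOT_RECOVERY;
    return BOOT_NORMAL;
}

/* Weak scheme: with no keyboard, the password is read in clear from the media. */
int recovery_authorized(const char *file_pw, const char *admin_pw) {
    return strcmp(file_pw, admin_pw) == 0;
}

/* Audit check: 1 if the secret appears verbatim anywhere in the media image. */
int media_exposes_secret(const uint8_t *media, size_t n, const char *secret) {
    size_t m = strlen(secret);
    for (size_t i = 0; m && i + m <= n; i++)
        if (memcmp(media + i, secret, m) == 0)
            return 1;
    return 0;
}

int main(void) {
    uint8_t bios[] = "constructed main BIOS image";
    uint32_t good = crc32_calc(bios, sizeof bios);
    bios[3] ^= 0xFF; /* simulate a corrupted main BIOS */
    const char media[] = "FLASH.EXE\0ADMIN.PW\0constructed-pw";
    printf("path=%d exposed=%d\n", bootblock_decide(0, bios, sizeof bios, good),
           media_exposes_secret((const uint8_t *)media, sizeof media, "constructed-pw"));
    return 0;
}
```

The password comparison succeeds exactly as intended, and the audit check shows why that is the problem: the same bytes that authorize the update are readable by anyone who holds the media.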

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 51% of the total text.


The idea described here places a file containing an encrypted adminstrato...