Method to Implement Secure Boot in an Organization with Diverse Hardware

IP.com Disclosure Number: IPCOM000016053D
Original Publication Date: 2002-Jun-11
Included in the Prior Art Database: 2003-Jun-21
Document File: 1 page(s) / 41K

Publishing Venue

IBM

Abstract

A method to allow customers to provide validation (signing) of BIOS extensions on feature cards to support the clean boot process is disclosed.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 56% of the total text.


With the coming of the TCPA subsystem, the concept of secure boot is on the horizon. In a secure boot environment, the BIOS will validate all code prior to booting, and if the code does not equal an expected value, the system will fail to boot. In theory, this creates an environment where an IT organization can ensure that all of their systems are running an equivalent system. Unfortunately, the theory falls apart when put into practice. An organization is likely to have more than one level of a particular card (i.e. ROM level) and each card can be qualified. Also, various cards (such as video cards) can be in use in the organization. A method needs to be developed which will allow the customer to manage their systems.

To solve this problem, the following will be added to the BIOS:

      1. Allow the customer to flash a public key into the boot block, TPM, or NVRAM. To date, no BIOS has this capability. This will open up secure communications between the preboot environment and the customer applications (defined as applications not released by the OEM mfg).

      2. Carve out an area, either in Flash or in the Parties partition, which can be used to save a table of valid hashes for an organization.

      3. As a system boots, the system must, by TCPA spec., hash and extend...
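
The following sketch is an added example, not part of the original disclosure. It shows how a boot-time check could measure each feature-card ROM, extend a PCR, and compare the measurement against an organization's table of valid hashes that holds more than one approved ROM level. Assumptions: the legacy option ROM header (55 AA signature, size byte in 512-byte blocks), the TPM 1.x SHA-1 extend operation, a table stored as a set of hex digests that has already been authenticated, hypothetical function names, and constructed sample ROM images.

```python
import hashlib

ROM_SIGNATURE = b"\x55\xaa"   # legacy option ROM header signature
BLOCK = 512                   # header byte 2 gives the image size in 512-byte blocks


def rom_image(raw: bytes) -> bytes:
    """Return exactly the bytes the ROM header declares, or raise ValueError."""
    if len(raw) < 3 or raw[:2] != ROM_SIGNATURE:
        raise ValueError("missing 55 AA option ROM signature")
    size = raw[2] * BLOCK
    if size == 0 or size > len(raw):
        raise ValueError("declared ROM size does not fit the data read")
    return raw[:size]


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.x extend: new PCR = SHA-1(old PCR || measurement)."""
    return hashlib.sha1(pcr + digest).digest()


def check_cards(cards, valid_hashes, pcr=bytes(20)):
    """Measure each card ROM, extend the PCR, and compare with the table.

    cards: list of (card_name, raw_rom_bytes) in boot order.
    valid_hashes: set of approved SHA-1 hex digests (the organization's table).
    Returns (boot_allowed, final_pcr, rejected_card_names).
    """
    rejected = []
    for name, raw in cards:
        try:
            digest = hashlib.sha1(rom_image(raw)).digest()
        except ValueError:
            rejected.append(name)   # unparseable ROM: never approved
            continue
        pcr = extend(pcr, digest)   # measurement is recorded even if rejected
        if digest.hex() not in valid_hashes:
            rejected.append(name)
    return (not rejected, pcr, rejected)


def make_rom(body: bytes, blocks: int = 1) -> bytes:
    """Build a constructed sample ROM image (not real card firmware)."""
    return (ROM_SIGNATURE + bytes([blocks]) + body).ljust(blocks * BLOCK, b"\x00")


# Constructed sample: two approved ROM levels of one video card, one unknown NIC ROM.
VIDEO_V1, VIDEO_V2, NIC_X = make_rom(b"video 1.0"), make_rom(b"video 2.0"), make_rom(b"nic ?")
TABLE = {hashlib.sha1(VIDEO_V1).hexdigest(), hashlib.sha1(VIDEO_V2).hexdigest()}
```

Because the PCR is extended in boot order, the final value depends on both the set of ROMs and the order in which they were measured, while the table lookup is order-independent.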