Browse Prior Art Database

System and Method for Firmware and Configuration Control

IP.com Disclosure Number: IPCOM000099028D
Original Publication Date: 2005-Mar-09
Included in the Prior Art Database: 2005-Mar-09
Document File: 2 page(s) / 23K

Publishing Venue

IBM

Abstract

PC systems consist of both hardware and firmware. Configuration control of the PC System based upon hardware present is well known in the art. However, firmware content and configuration information is rarely if ever used to maintain strict control of the configuration of the system. Disclosed is an invention to allow an IT organization insure that strict control is maintained over the firmware and configuration of a system attached and used in a network.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.

Page 1 of 2

System and Method for Firmware and Configuration Control

     PC Systems are being introduced that provide a Trusted Platform Module (TPM). This is a digital signature engine with additional features to insure that the system as designed is booted and control is turned over to a trusted operating system. This is accomplished by incorporating a Trusted Building Block in a PC system as defined by the industry standard specification by the Trusted Computing Group (TCG).

     The Trusted Build Block consists of a TPM and a Core Root of Trusted Measurement (CRTM). The CRTM provides a system that guarantees that only the system manufacturer or an authorized agent can upgrade the BIOS of a system. In addition, if a customer wishes to include additional optional adapters that contain option ROMs, the CRTM insures that the adapter code is measured along with the base system firmware or BIOS. Additionally, the contents of configuration information for the PC system can be included in the measurement. Measurement is well known as defined in the TCG industry specifications.

     This invention introduces a new security feature for those systems supporting a privileged access password (PAP) or setup password as it is known in the art. If a PAP is installed and the TPM subsystem is enabled, a new security feature is introduced into the PC system. This new feature will be known as the firmware configuration change management feature.

     The administrator or an authorized agent will use the setup utility of the PC system to enable this feature. The PAP and TPM subsystem must be enabled first. When enabling this feature, the authorized user will be presented a menu. On this menu, the user will select what feature to include in the measurement of the firmware configuration of the system. For example, the following items can be included in the measurement.

POST and BIOS Diagnostics feature or option ROMs (adding during the well known ROM Scan process)

CMOS contents - contains basic sys...