Browse Prior Art Database

Method and Apparatus for preventing out of band access to secured disk partitions

IP.com Disclosure Number: IPCOM000240754D
Publication Date: 2015-Feb-25
Document File: 3 page(s) / 39K

Publishing Venue

The IP.com Prior Art Database

Abstract

Described here is a particular design that allows an Integrated Management Module (IMM) to directly read and write specific partitions on a pair of SD disks that are exposed, through a programmatic interface, to the host system.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 44% of the total text.

Page 01 of 3

Method and Apparatus for preventing out of band access to secured disk partitions

A particular design allows an Integrated Management Module (IMM) to directly read and write specific partitions on a pair of SD disks that are exposed, through a programmatic interface, to the host system. These disks can, and often do, contain a hypervisor. On a system which is running securely, this hypervisor is checked by the UEFI code at boot time to mark its signature as being valid. In such a way, the Unified Extensible Firmware Interface) (UEFI) code attempted to guard against modifications to the hypervisor and ensure security. The problem that is introduced with the particular design is that the IMM has the ability to take control of a LUN and modify contents after UEFI validates the secure signature. The fact that the IMM can, in an out-of-band manner, come in and replace these contents can provide a problem for the 'secure' notion of this design. What is needed is a way to lock out the IMM from accessing a secure partition once the system is up and running.

    The particular design has been developed to be placed on servers. The device allows both the host system and the on-board IMM to directly attach to a pair of SD disks. These devices can either be seen as separate storage devices or combined in a RAID configuration. A front-end chip on the device sits between the disks and the host processor and the disks themselves. This interface allows the IMM to control the presentation of these physical disks in a couple of different ways. First, it can control the actual visibility of the devices, and portions thereof, from the host processor. This means that the IMM can make particular partitions appear and disappear to the system. Second, the IMM can write/read to the device as well. This means that it can directly access the contents of the disks. Both the inclusion of this device and upcoming software to leverage its features is currently in plan.

    In the context of the problem noted above, the invention teaches a method to securely mark partitions exposed by the particular design as secure in such a way as to limit the IMM access once power has been applied and the system is running. This method utilizes the attributes of the storage device itself, along with the programmatic elements of the FX3, to implement this algorithm.

    This invention applies in situations where one entity (IMM) which normally controls ownership of a LUN (and thereby the ability to mount it and modify its contents) is not in the same root of trust as another entity (UEFI) that is responsible for validating the secure nature of the contents of the LUN. It teaches the use of a third independent entity (the particular design) to guarantee that once a LUN has been validated as secure in one trust domain (UEFI), it cannot be modified by an entity in another trust domain (IMM). This invention leverages existing SCSI protocols, along with the the particular design hardware prop...