Method to Implement Secure Boot in an Organization with Diverse Hardware
Original Publication Date: 2002-Jun-11
Included in the Prior Art Database: 2003-Jun-21
A method to allow customers to provide validation (signing) of BIOS extensions on feature cards to support the clean boot process is disclosed.

With the coming of the TCPA subsystem, the concept of secure boot is on the horizon. In a secure boot environment, the BIOS validates all code prior to booting, and if the code does not match an expected value, the system fails to boot. In theory, this creates an environment in which an IT organization can ensure that all of its systems are running an equivalent system image. Unfortunately, the theory falls apart when put into practice. An organization is likely to have more than one level of a particular card (i.e. ROM level) in use, and each level can be qualified. Also, various cards (such as video cards) can be in use across the organization. A method needs to be developed which will allow the customer to manage their systems.

To solve this problem, the following will be added to the BIOS:

1. Allow the customer to flash a public key into the boot block, TPM, or NVRAM. To date, no BIOS has this capability. This will open up secure communications between the preboot environment and the customer's applications (defined as applications not released by the OEM manufacturer).
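The mechanism described above, as an added example that is not part of the original disclosure: the customer's IT tooling signs a manifest of qualified option-ROM digests (several qualified ROM levels for the same card model) with its private key, and the preboot side, holding only the public key that was flashed into the boot block or NVRAM, verifies the manifest and then checks the card's actual ROM image against the qualified digests. Ed25519, SHA-256, the manifest layout, and all type and function names here are assumptions; the disclosure does not specify a signature algorithm or key format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Qualified is one approved option-ROM image: the card model, the ROM level
// the organization qualified, and the SHA-256 digest of that ROM image.
type Qualified struct {
	Card, Level string
	Digest      [32]byte
}

// Manifest is the customer-signed list of every qualified ROM (assumed format).
type Manifest struct {
	Entries []Qualified
	Sig     []byte
}

// encode serialises entries deterministically so signer and verifier sign/verify identical bytes.
func encode(entries []Qualified) []byte {
	var b strings.Builder
	for _, e := range entries {
		fmt.Fprintf(&b, "%s\x00%s\x00%x\n", e.Card, e.Level, e.Digest[:])
	}
	return []byte(b.String())
}

// SignManifest is the customer-side step: IT tooling signs the qualified list with the
// private half of the key whose public half was flashed into the boot block, TPM, or NVRAM.
func SignManifest(priv ed25519.PrivateKey, entries []Qualified) Manifest {
	return Manifest{Entries: entries, Sig: ed25519.Sign(priv, encode(entries))}
}

// AllowROM is the preboot-side check: the manifest must verify under the flashed-in
// public key, and the card's actual ROM digest must match one qualified level for that
// card. A tampered manifest, a foreign key, or an unqualified ROM level fails the boot.
func AllowROM(pub ed25519.PublicKey, m Manifest, card string, rom []byte) bool {
	if !ed25519.Verify(pub, encode(m.Entries), m.Sig) {
		return false
	}
	d := sha256.Sum256(rom)
	for _, e := range m.Entries {
		if e.Card == card && e.Digest == d {
			return true
		}
	}
	return false
}
```

Because the digest set is signed as a whole, adding a newly qualified ROM level means the customer re-signs the manifest; the BIOS itself never needs the private key.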