Automatic UEFI ROM Recovery
Publication Date: 2013-Mar-25
The IP.com Prior Art Database
Disclosed is a method to automatically recover Unified Extensible Firmware Interface (UEFI) Read Only Memory (ROM) without customer intervention when the UEFI ROM is corrupted.
Unified Extensible Firmware Interface (UEFI) Read Only Memory (ROM) corruption is a problem that may lead to board replacement in the field. It can be caused by a flash update failure or a program defect. If the UEFI ROM is corrupted, it must be recovered manually by service personnel or the customer, or the board must be returned to the manufacturer.
This invention describes a method to automatically recover the UEFI ROM without customer intervention when the UEFI ROM is corrupted. This saves cost and operational effort.
The invention comprises several novel features and functions. The method recovers both the primary and backup banks to maintain redundancy, whereas other systems recover only the primary bank. The method caches the UEFI image, while others copy the image from the backup bank to the primary bank, download it over the Trivial File Transfer Protocol (TFTP), or synchronize it from other servers. Caching the image has an advantage over these solutions because it has no network dependency and the image can be trusted, as it has worked on the same server before. The method marks an image as trusted only when the system boots successfully with the newly updated UEFI image. Otherwise, it can revert to the original version if the system fails to boot with the new image. The method also introduces secure recovery, which leverages the Core Root of Trust for Measurement (CRTM) protection.
In this invention, the baseboard management controller (BMC) saves the UEFI image to its non-volatile storage every time the UEFI image is updated. This makes it convenient and fast for the BMC to recover the UEFI image from that copy. The BMC marks the copy as a trusted UEFI image only if the system can successfully POST with the new image, which prevents the BMC from using a failed UEFI image for UEFI ROM recovery. The BMC uses a Two Way Register (TWR) to detect an integrity check failure (UEFI Non-CRTM corruption) and a watchdog to detect a CRTM timeout (UEFI CRTM corruption). This invention recovers the system from corruption of both the primary and backup UEFI banks, except when both the primary and backup UEFI CRTM secure sections are corrupted.
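The policy in the paragraph above, written out as a small C model. This is an added example, not code from the disclosure: every identifier is hypothetical, images are reduced to integer ids, and `crtm_ok` is simulated hardware state, since the page does not say how the BMC learns which CRTM sections are intact.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added model of the BMC recovery policy; every name here is hypothetical. */
enum fault  { TWR_INTEGRITY_FAIL, WDT_CRTM_TIMEOUT };
enum result { RECOVERED_BOTH_BANKS, NO_TRUSTED_IMAGE, UNRECOVERABLE };

struct bmc {
    int  trusted;      /* cached image id proven by a successful POST, 0 = none */
    int  pending;      /* cached on update but not yet proven, 0 = none */
    int  pending_bank; /* bank the pending image was flashed to */
    int  bank[2];      /* image id in the primary [0] and backup [1] ROM bank */
    bool crtm_ok[2];   /* simulated hardware state, set by the caller */
};

/* Every update is cached in BMC storage, but only as a pending image. */
void bmc_update(struct bmc *b, int bank, int image) {
    b->pending = image; b->pending_bank = bank;
    b->bank[bank] = image;
}

/* The POST outcome decides whether the cached image may be used for recovery. */
void bmc_post_result(struct bmc *b, bool post_ok) {
    if (!b->pending) return;
    if (post_ok)
        b->trusted = b->pending;               /* promote: it booted this server */
    else if (b->trusted)
        b->bank[b->pending_bank] = b->trusted; /* revert to the original version */
    b->pending = 0;                            /* a failed image is never a source */
}

/* A TWR integrity failure or a watchdog CRTM timeout triggers recovery. */
enum result bmc_on_fault(struct bmc *b, enum fault f) {
    if (f == WDT_CRTM_TIMEOUT && !b->crtm_ok[0] && !b->crtm_ok[1])
        return UNRECOVERABLE;                  /* the exception the page states */
    if (!b->trusted)
        return NO_TRUSTED_IMAGE;               /* assumption: nothing safe to flash */
    b->bank[0] = b->bank[1] = b->trusted;      /* both banks, to keep redundancy */
    return RECOVERED_BOTH_BANKS;
}

int main(void) {
    struct bmc b = { .crtm_ok = { true, true } };
    bmc_update(&b, 0, 1); bmc_post_result(&b, true);   /* image 1 becomes trusted */
    bmc_update(&b, 0, 2); bmc_post_result(&b, false);  /* image 2 fails POST */
    printf("primary after failed update: %d\n", b.bank[0]);
    b.bank[1] = -1;                                    /* constructed corruption */
    printf("recovery result: %d\n", bmc_on_fault(&b, TWR_INTEGRITY_FAIL));
    return 0;
}
```

The point to check in any real implementation is the ordering in `bmc_post_result`: an image that has never completed a POST must not be reachable as a recovery source.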
Figure: BMC in a server system
The BMC [E] is connected to the server system [A] with a Low Pin Count (LPC) interface [B]. The LPC interface [B] is used to implement the TWR. The TWR is used to issue requests and gather responses for the UEFI ROM Recovery command from the server system to the BMC [E]. Other interfaces can also be used, depending on system design.
UEFI Image [C] is the image that the user uses to update the system through an Intelligent Platform Management Interface (IPMI)/Local Area Network (LAN) interface [D]. It includes a UEFI Non-CRTM and Staging Capsule. When updating the UEFI Image [C], the BMC [E] saves it to Non-Volatile storage [L] via the eMMC [K] interface as a backup UEFI Image [M] for UEFI ROM recovery. The BMC also writes it to the UEFI ROM primary bank [G] or backup bank [H] over a Serial Peripheral Interface (SPI) [F]....