Patent Grant
8909940
To improve security of computer systems, various efforts have been made in both hardware and software to lock down a system and ensure that unauthorized access is not permitted. One such effort is full disk encryption (FDE), in which virtually all data stored on a disk is encrypted.
In a pre-boot environment, Unified Extensible Firmware Interface (UEFI) code in accordance with the UEFI Specification Version 2.0 (dated Feb. 21, 2006) or later revision, which calls for the separation of pre-boot and boot environments into a variety of phases, may execute before handoff to an OS. Many FDE schemes require some pre-operating system (OS) user authentication. But this user-authentication cannot wholly occur in the OS since the OS image is itself encrypted. As such, a rich plurality of authentication tokens/credentials and credential providers need to be hosted in this pre-OS regime. In some systems, a different OS, e.g., Linux™, is launched in the pre-OS space to perform the user authentication. However, this pre-OS launch of a different OS is typically outside of the UEFI specification. Further, this pre-OS launch then needs to return to the platform basic input/output system (BIOS) (UEFI or legacy) and continue to the main OS boot. This is a huge impediment to boot time, is a large storage overhead, and effectively entails duplication of many platform BIOS capabilities.
Embodiments may enable a platform to provide an extensible pre-boot authenticator (PBA) that can interact with security enhancements, such as a full disk encryption (FDE) scheme. Embodiments allow for conjoining chipset-hooks and capabilities with UEFI pre-OS and runtime flows to have a high-assurance implementation of FDE.
In one embodiment, security firmware, which may be present within a chipset or other system component, can perform isolated, access-controlled storage for provisioning UEFI PBA executables in-band and out-of-band via a manageability engine (ME), and a remote web-services networking capability. A virtualization engine (VE) in the chipset provides for a trusted path via console input virtualization and output via a trusted sprite.
Various devices and other ingredients may contribute to enable different embodiments. First a user identity manager or other UEFI driver may be used to manage the process of determining the user's identity and storing information about the user. A user enrollment manager is an application that adds or enrolls new users, gathering the necessary information to ascertain their identity in the future. A credential provider driver manages a single class of credentials. Examples include a Universal Serial Bus (USB) fingerprint sensor, a smart card or a password.
The implementation of these drivers can have defaults which use platform resources, such as flash memory, to store pre-shared keys (PSK's), such as hashes of passwords, and can include standard USB tokens that adhere to profiles, such as USB mapping for smart cards. The same holds true for consoles. A simple input protocol can be implemented on top of a standard USB interface, a keyboard, or other device, and the text output can be sent to a video graphics adaptor (VGA) or to another console, such as an integrated graphics frame buffer. In other implementations, the same application programming interfaces (APIs) can be published on top of accessors to a virtualization engine controller interface (VECI) in order to have access to integrated credential providers and a trusted path for the input and output console.
Referring now to
As will be discussed further below, user input such as credential information, e.g., passwords, fingerprints, other codes and so forth, may be input via these user interfaces and provided via trusted path 35 to chipset 20, e.g., during pre-boot authorization activities.
After such operations one or more option read-only memories (ROMs) 130 may be enabled which may execute various EFI drivers and extensions, including a UEFI security extension 132. As shown, this code may obtain PBA image 38 and execute a PBA module (PBAM) 133 to obtain the user input such as authorization information, credential information and so forth. The image may compare this information to stored credential information to determine whether to authorize the user. Further, the received user credential information may be stored in a given storage, such as metadata storage 36. PBAM 133 may thus act as a collector to collect authentication values via an interface to a user (e.g., fingerprint, password, or so forth), and to pass the same to, e.g., secure firmware present in the chipset, which then evaluates the data based on an expected value. Upon successful authentication, the firmware can decrypt the metadata which essentially wraps the disencryption keys to allow communication between the chipset and a given device such that normal advanced host controller interface (AHCI) processing can occur. When the PBA image is read from the disk, the security firmware will verify an integrity check value. In this way, a threat of a drive being inserted into another platform can be prevented.
Then the normal PBA code can run to authenticate the user and pass that information to security firmware. Then a secure exit can be performed to return to the regular environment to continue a bootstrap to the OS loader. Additional operations such as various UEFI block input/output (IO) operations 134 may be performed and a flush of non-volatile random access memory (NVRAM) 136 may be performed. After successful initiation of option ROMs, control passes to block 140 for further pre-OS operations such as enabling of a system management BIOS (SMB) and an Advanced Configuration and Power Interface (ACPI), and preparing for an OS load. Finally, if all such events are successful, a normal boot may occur via an EFI OS loader 150. While shown with this particular implementation in the embodiment of
Referring now to
The above blocks 210-240 represent the conjunction of the UEFI-hosted PBA and a trusted path. Note that the drivers can be provisioned into the file allocation table (FAT) partition of the metadata with protected UEFI driver load list variables. This will allow for addition of successive credential providers and PBA's after an original equipment manufacturer (OEM) ships the system (i.e., under information technology (IT) authority). This hosted driver store will also allow for out-of-band (OOB) provisioning of these drivers by IT remotely, as will be described below. Driver provisioning from a hidden disk range controlled by firmware in a manageability engine (ME) as well as driver context sharing is described in more detail below.
At runtime after booting, a single-sign on (SSO) usage model can be realized. Therein, some of the pre-OS user information can be passed into the OS runtime. The UEFI standard for user identification only stipulates the pre-OS API's (i.e., “protocols” in UEFI parlance). The passing of proof information beyond pre-OS is not treated. As such, the ability to proxy this information into an OS runtime and have an OS driver that opaquely accesses either the proof information via UEFI protected variables or via access to protected metadata via a VECI is possible.
Thus as shown in
As shown in the embodiment of
The layer above the device layer is the service driver layer 320. Service layer 320 contains PBA building blocks components that may be called by a controlling PBA module. However, flexibility exists in the architecture for a service driver to operate independently of a controlling PBA application. For example, a complete authentication challenge protocol can be performed stand-alone. Service driver layer 320 modules necessarily can call into a ME of chipset 305 via a host embedded controller interface (HECI) 304 or control channel side of chipset 305 where embedded capabilities can be leveraged. For example, user account metadata can become active only when a given service driver (or other PBA) successfully produces authentication credentials that unlocks account data. Still other ME firmware can manage enterprise user account state; having the ability to interact with enterprise identity management servers (especially over ME Common Services out-of-band (OOB) channel) such that enterprise-managed users can maintain up-to-date account metadata within the ME. An EFI PBA module therefore does not need to be updated in order to respond to remotely applied user account changes.
Service driver modules can be highly specialized modules that focus on a particular class of authentication or recovery protocol. Other service drivers or a controlling PBA module can leverage this specialized behavior by invoking specific interfaces (that may be proprietary or standard). In some embodiments, server drivers may be called from an OS-present mode (see
Thus in various ME platforms with security technology, a portion of unprotected but hidden metadata can be exposed to the EFI. This metadata is not directly accessible via the VE or EFI drivers. It can only be accessed via a secure host controller interface. Embodiments thus can enforce an access control policy that is specific to pre-boot authentication requirements. For example, a third party PBA vendor can use this metadata area to store a copy of their PBA and have it be called from the pre-boot PBA environment even through the third party module was not included in the BIOS flash region by the OEM.
Referring now to
After the platform transitions to post-boot, a non-EFI aware OS 465 is launched. EFI facilities are not available post-boot either because EFI was dismantled as part of a BIOS legacy compatibility mode operation or because the OS is not able to invoke EFI post-boot interfaces. During runtime, a security aware application 460 is able to obtain the pre-boot PBA context by issuing a call, which may be performed after a re-authorization of the user. The call may generate a read command that produces the pre-boot context previously saved by the security-aware PBA module 410. Thus the post-boot PBA may perform administrative or operational tasks based on the PBA context even though the OS is not EFI aware.
It is also possible for a post-boot agent to affect the state and operation of the PBA (i.e., next time the system boots) by reversing the direction of the steps outlined above, which may store revised or updated policy metadata in a policy metadata region 456 of hard drive 450. Hence, the PBA can read context from a previously executed post-boot agent. This may be useful when post-boot authentication is performed that results in the user credentials being modified or policy affecting how the user is authenticated impacts PBA logic. For example, a password strength policy can be provided by a remote agent to provision both a PBA image and the password policy, e.g., via an OOB channel to a chipset ME. In this way, the security firmware can apply the policies and write the policies into the storage area of the drive for a host environment to access the policies, and understand what policies were applied. Thus ME, PBA and the post-boot authentication environment all know what the policies have been provisioned, e.g., dynamically through a network. In run time, the system can authenticate the user and update authentication state using EFI variables, and so the EFI has variable storage. A HECI driver can communicate with the security firmware and provide the authentication information back to the metadata store in the disk drive. Thus via a runtime environment updated metadata can be stored into the metadata area, such that at a next pre-boot environment, that updated metadata can be discovered in the pre-boot module to ascertain that a user logged in during runtime, changed credentials or so forth.
Referring now to
Still further as shown in
As shown in
By providing the hidden metadata area, rich features of pre-boot authentication can be made available even when legacy OSs are used that do not support EFI. For example, a third party vendor of authentication solutions can provide a pre-boot EFI capability and a post-boot agent can synchronize state between pre- and post-boot by using this metadata storage area to pass synchronization variables. This allows more consistent authentication behavior on platforms even when PBA architecture is limited to EFI compatibility or legacy BIOS implementations and where post-boot environments are limited to non-EFI aware OSs. Thus the PBA image itself can be provisioned out of band, the integrity policy for the PBA can be provisioned and authentication policies such as password strength can be provisioned. Those policies can either be consumed locally by the ME, and they can be forwarded to the pre-boot or the post boot environment by storing it in a hidden metadata region of the drive.
Embodiments thus allow IT personnel to use the user/administrative capability of an implementation of UEFI (e.g., UEFI2.2) and authenticode-signed UEFI system partition on the larger, open disk or into the FAT partition of the protected, hidden metadata region.
Other embodiments may be used in connection with systems that have OSs configured for UEFI operation. In such embodiments, various third parties may be able to provision updated drivers in a secure manner, even where the third parties have differing security protocols. This is so, as embodiments may provide a common PBA identity manager protocol to allow multiple third parties to implement their desired credential operations, via a selected one of multiple credentialing mechanisms available on the platform.
In this way, embodiments can be used to enable third party-provided EFI BIOS (or other) drivers to be loaded from a hidden partition of a serial advanced attachment (SATA) device such as a hard drive. Accordingly, IT personnel and independent software vendors (ISVs) can update drivers in the hidden partition remotely or by a local management application. Prior to loading/executing such EFI drivers contained in the hidden partition, they can be integrity verified. In various embodiments, verification credentials can be controlled by the user/ISV who provisioned the stored drivers. In this way, a third party provided credential provider driver can dynamically extend PBA functionality.
As discussed above, at least a portion of a storage device (e.g., a hard drive) can be hidden to all of the platform but a chipset agent. In one embodiment, a VE can virtualize a storage device such that a portion of the storage device is held in reserve for use by the chipset. As one example, a hidden range can be made visible only to the VE and ME via a virtualization logic in the chipset. This hidden partition may be used to store BIOS extensions/drivers that can be accessed by a BIOS module such as a PBA loader. This loader may be used to access the hidden partition through a dedicated block storage interface based on DHCI (which is an authenticated interface into the ME).
Referring now to
For further details of a hidden partition, reference can be made to
In various embodiments, the image and integrity credential are copied into host memory from the hidden partition. Before the image is scheduled for execution by the BIOS driver scheduler, it may be integrity checked by a BIOS or ISV-provided integrity checker. In one embodiment, the integrity checker uses BIOS native policies for describing integrity such as a whitelist, digital certificate or trusted anchor key. Once the integrity check is complete, DHCI services may be used to schedule the driver for execution.
As further seen in
If the image is ready for checking, control passes to block 780 (after the pointer is obtained from loader 630). More specifically, the image can be checked using integrity credentials and an embedded secret (e.g., an anchor key). Accordingly, the checker may determine whether the integrity is verified. If so, control passes to block 730, discussed above where the loader may pass control to the PBA image. Otherwise, control passes to block 740 discussed above, where the image may be deleted and an error condition identified. Thus using method 700, the combination of the loader and checker may ensure that only authorized modules are loaded and able to execute. While shown with this particular implementation in the embodiment of
In one embodiment, ISV updates to drivers may be facilitated using the hidden partition interface during OS-present operation. As an example, a driver update utility may use the DHCI interface to provision a new version of the driver image and integrity credential. The DHCI interface may require an administrative privilege which prevents arbitrary clobbering of the image while in the hidden range.
Referring now to
As seen in
In the embodiment of
As further seen, common PBA identity manager 810 may select one of multiple credential mechanisms available in a platform. While the scope of the present invention is not limited in this regard, such credential mechanisms may include a password credential provider 870, a fingerprint credential provider 875, and a smart card credential provider 880, all of which may be of one or more third parties. Other similar credential providers may be associated with an OEM, including, for example, in the embodiment of
Referring now to
As seen, PCH 915 may include a VE 920 and a ME 925. In the embodiment of
Thus embodiments may, via a chipset, expose the hidden partition to the BIOS using an AHCI interface such that both the hidden and non-hidden partitions can be accessed at the same time. An EFI driver loader may be invoked from the BDS can fetch EFI drivers from the hidden partition, which remains hidden after boot. However, an application may use an authenticated interface (DHCI) to access the hidden area to perform local update and provisioning. Accordingly, the hidden partition can be updated remotely using the chipset ME via an out-of-band (OOB) interface without the use of a host SATA driver.
As a result, platforms in accordance with an embodiment of the present invention can be extended by ISV products to provide highly differentiated features and capabilities directly in BIOS. Furthermore, such updates can occur at a customer site without OEM involvement.
Embodiments may be implemented in code and may be stored on a storage medium having stored thereon instructions which can be used to program a system to perform the instructions. The storage medium may include, but is not limited to, any type of disk including floppy disks, optical disks, compact disk read-only memories (CD-ROMs), compact disk rewritables (CD-RWs), and magneto-optical disks, semiconductor devices such as read-only memories (ROMs), random access memories (RAMs) such as dynamic random access memories (DRAMs), static random access memories (SRAMs), erasable programmable read-only memories (EPROMs), flash memories, electrically erasable programmable read-only memories (EEPROMs), magnetic or optical cards, or any other type of media suitable for storing electronic instructions.
While the present invention has been described with respect to a limited number of embodiments, those skilled in the art will appreciate numerous modifications and variations therefrom. It is intended that the appended claims cover all such modifications and variations as fall within the true spirit and scope of this present invention.
This application is a continuation-in-part of U.S. patent application Ser. No. 12/214,830, filed Jun. 23, 2008 now U.S. Pat. No. 8,201,239, entitled “Extensible Pre-Boot Authentication,” the content of which is hereby incorporated by reference.
| Number | Name | Date | Kind |
|---|---|---|---|
| 7103529 | Zimmer | Sep 2006 | B2 |
| 7320052 | Zimmer et al. | Jan 2008 | B2 |
| 8130960 | Zimmer et al. | Mar 2012 | B2 |
| 8332653 | Buer | Dec 2012 | B2 |
| 8510570 | Smith et al. | Aug 2013 | B2 |
| 8588422 | Beachem et al. | Nov 2013 | B2 |
| 8667273 | Billstrom et al. | Mar 2014 | B1 |
| 20040064457 | Zimmer et al. | Apr 2004 | A1 |
| 20040158711 | Zimmer | Aug 2004 | A1 |
| 20050071677 | Khanna et al. | Mar 2005 | A1 |
| 20060090084 | Buer | Apr 2006 | A1 |
| 20080120499 | Zimmer et al. | May 2008 | A1 |
| 20080222423 | Rodriguez et al. | Sep 2008 | A1 |
| 20090070593 | Boshra et al. | Mar 2009 | A1 |
| 20090319806 | Smith et al. | Dec 2009 | A1 |
| 20100011350 | Zayas | Jan 2010 | A1 |
| 20100303240 | Beachem et al. | Dec 2010 | A1 |
| 20100306399 | Khosravi et al. | Dec 2010 | A1 |
| 20110138166 | Peszek et al. | Jun 2011 | A1 |
| 20120017271 | Smith et al. | Jan 2012 | A1 |
| 20120131322 | Smith et al. | May 2012 | A1 |
| 20120163602 | Zimmer et al. | Jun 2012 | A1 |
| 20120179904 | Dunn et al. | Jul 2012 | A1 |
| 20130275747 | Brumback et al. | Oct 2013 | A1 |
| 20140025941 | Bulusu et al. | Jan 2014 | A1 |
| Entry |
|---|
| U.S. Appl. No. 11/897,355, filed Aug. 30, 2007, entitled “Method for Firmware Isolation,” by Jiewen Yao, et al. |
| U.S. Appl. No. 12/156,223, filed May 30, 2008, entitled “Enabling Byte-Code Based Image Isolation,” by Jiewen Yao, et al. |
| Number | Date | Country | |
|---|---|---|---|
| 20110138166 A1 | Jun 2011 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 12214830 | Jun 2008 | US |
| Child | 12974244 | US |
