In some environments, a host device (such as a mobile phone or other device) is used with an embedded or removable storage device (such as a Secure Digital (SD) card or a MultiMedia Card (MMC)) that stores the operating system code for the host device, as well as boot loader code. To boot the host device, the host device instructs the storage device to initiate a boot mode, in response to which the storage device provides the host device with the boot loader code. Executing the boot loader code enables the host device to load the operating system code from the storage device. In some mobile device environments, the instruction to initiate the boot mode is not a standard command that the host device would send in its typical read/write communications with the storage device. For example, under the Joint Electron Devices Engineering Council's (JEDEC's) JESD84-A44 standard and under Micron's TN-29-18 specification, a host device can instruct the storage device to initiate a boot mode by holding a command line to the storage device low for 74 clock cycles or by sending a CMD 0 command with the argument 0xFFFFFFFA.
Because the operating system code is stored on the storage device, it is possible that a hacker can alter the operating system code without knowledge of the host device to introduce malware. Accordingly, in some environments, it is desired to verify the integrity of the operating system code before it is executed by the host device. To perform such a “secure boot,” the host device's controller can include secure read-only memory (ROM) code or other features to verify the operating system code before it is executed. However, provisioning a controller with such verification code increases the controller's cost, and controllers that are initially manufactured without the verification code usually cannot be retrofitted to include the verification code after manufacturing.
Embodiments of the present invention are defined by the claims, and nothing in this section should be taken as a limitation on those claims.
By way of introduction, the below embodiments relate to a host device and method for securely booting the host device with operating system code loaded from a storage device. In one embodiment, a host device is in communication with a storage device having a private memory area storing boot loader code and a public memory area storing operating system code. The host device instructs the storage device to initiate a boot mode and receives the boot loader code from the storage device. The host device executes the boot loader code which performs a security check and executes the operating system code loaded from the storage device only if the security check is successful.
Other embodiments are possible, and each of the embodiments can be used alone or together in combination. Accordingly, various embodiments will now be described with reference to the attached drawings.
In general, the below embodiments relate to a host device and method for securely booting the host device with operating system code loaded from a storage device. With the embodiments described below, boot loader code stored in a storage device is configured to not only enable a host device to load the operating system code, but also to perform a security check. In this way, the boat loader can enable the host device to execute the operating system code loaded from the storage device only if the security check is successful. The security check can take any suitable form. For example, the security check can attempt to verify the integrity of the operating system code to ensure that the operating system code was not altered by a hacker to introduce malware. This provides a “secure boot” without the expense or inflexibility associated with provisioning the host device's controller with such functionally. Other examples of security checks that can be performed include, but are not limited to, attempting to authenticate a user of the host device, attempting to authenticate the host device, and attempting to authenticate a Subscriber Identity Module (SIM) card used with the host device. Before turning to these security checks, the following section describes exemplary host and storage devices.
Exemplary Host and Storage Devices
Turning now to the drawings,
As shown in
The memory 120 can take any suitable form. In one embodiment, the memory 120 takes the form of a solid-state (e.g., flash) memory and can be one-time programmable, few-time programmable, or many-time programmable. However, other forms of memory, such as optical memory and magnetic memory, can be used. In this embodiment, the memory 120 comprises a public memory area 125 that is managed by a file system on the host 50 and a private memory area 135 that is internally managed by the controller 110. The private memory area 135 can store boot loader code (as will be described below), as well as other data, including, but not limited to, content encryption keys (CEKs) and firmware (FW) code. The public memory area 125 can store operating system code for the host device 50 (as will be described below), as well as user data and other data. The public memory area 125 and the private memory area 135 can be different partitions of the same memory unit or can be different memory units. The private memory area 136 is “private” (or “hidden”) because it is internally managed by the controller 110 (and not by the host's controller 160). In one embodiment, the private memory area 136 is read only or not accessible after the boot process in order to prevent someone from overwriting or modifying the boot loader code. In addition to storing operating system code, the public memory area 125 can be used to store user data. Further, in one embodiment, the operating system code is stored in re-writable memory to allow updates to be written to the operating system code.
Turning now to the host 50, the host 50 comprises a controller 160 that has a storage device interface 161 for interfacing with the storage device 100. The controller 160 also comprises a central processing unit (CPU) 163, a crypto-engine 164 operative to provide encryption and/or decryption operations, read access memory (RAM) 165, read only memory (ROM) 166, a security module 171, and storage 172. The storage device 100 and the host 150 communicate with each other via a storage device interface 161 and a host interface 112. For operations that involve the secure transfer of data, it is preferred that the crypto-engines 114, 164 in the storage device 100 and host 150 be used to mutually authenticate each other and provide a key exchange. After mutual authentication is complete, it is preferred that a session key be used to establish a secure channel for communication between the storage device 150 and host 100. The host 50 can contain other components (e.g., a display device, a speaker, a headphone jack, a video output connection, etc.), which are not shown in
Overview of the Booting Process of the Host Device
Returning to the drawings,
As mentioned above, in this embodiment, the boot loader code is stored in the private memory area 136 of the storage device 100 (preferably, in a read-only manner to ensure the integrity of the boot loader code against tampering). As also mentioned above, the private memory area 136 is managed internally by the storage device 100 and not by the host device 50. Accordingly, the instruction to the storage device 100 to initiate a boot mode is not a standard command to read from an address in the storage device 100. This is in contrast to some personal computer (PC) and other environments, which send a standard read command of logical address zero to read boot loader code stored in the PC's hard drive. Further, sending of the boot loader code to the host device 50 is in response to receiving the special instruction from the host device 50 and being in a boot mode—it is not in response to a standard read command of a logical address from the host device 50, as in some PC environments.
The instruction to the storage device 100 to initiate the boot mode can take any suitable form. For example, the Joint Electron Devices Engineering Council's (JEDEC's) JESD84-A44 standard and Micron's TN-29-18 specification define an MultiMediaCard (MMC) embedded memory interface/protocol for a host device to load boot loader code from a storage device directly without the need for issuing read/write storage commands (e.g., standard MultiMediaCard commands). The JEDEC standard and the Micron specification describe two suitable instructions to initiate the boot mode in a storage device. These exemplary instructions will be discussed in conjunction with
In one embodiment (shown in
In another embodiment (shown in
As mentioned above, these instructions are not commands to read data stored at an address. Rather, they are special instructions that cause the storage device 100 to initiate a boot mode to send the boot loader code to the host device 50. After the boot loader code is sent to the host device 50, the host device 50 executes the boot loader code to load the operating system code from the public memory area 125 of the storage device 100. In this embodiment, the process of loading the operating system code from the public memory area 125 of the storage device 100 can be performed using standard read commands.
Exemplary Security Features of the Boot Loader Code
As mentioned in the background section above, because the operating system code is stored in the storage device 100, it is possible that a hacker can alter the operating system code without knowledge of the host device 50 to introduce malware. Accordingly, in some environments, it is desired to verify the integrity of the operating system code before it is executed by the host device 50. While the host device's ROM can be provisioned with code to verify the integrity of the operating system code, this increases the controller's cost. Also, because such provisioning must be done at the manufacturing stage, host device controllers that are initially manufactured without the verification code cannot be retrofitted to include the verification code after manufacturing. To overcome these problems, in one embodiment, the boot loader code stored in the storage device 100 is configured to attempt to verify the integrity of the operating system code and only enable the host device 50 to load and execute the operating system code only if the attempt to verify the integrity of the operating system code is successful. This embodiment will be illustrated in conjunction with
As shown diagrammatically in
While the security check in the above example attempted to verify the integrity of the operating system, it should be noted that the boot loader can be configured to provide additional or alternative security checks. For example, because the operating system code is stored in the public memory area 125, it may be desirable to implement some form of access control over the public memory area 125, so that the operating system code cannot be executed unless a successful security check is performed by the boot loader. Accordingly, the storage device 100 can be designed to allow access to the operating system code only if the host device 100 presents the proper credentials to the storage device 100, and those proper credentials can be generated by the boot loader upon completion of a successful security check. In such an embodiment, the boot loader can contain an application program interface (API) to enable communication with a special security software stack in the storage device 100 that is responsible for authentication and access control functions. This embodiment is illustrated in the flow diagram of
As shown in
In one embodiment, the boot loader is configured to attempt to authenticate a user of the host device 50. In this embodiment, the user can be required to enter a password that will be provided to the storage device 100 in order to enable access to data stored on the storage device 100. This password authentication can be implemented using proprietary techniques defined by specific applications or can be implemented using other techniques such as those used by TrustedFlash™ memory products by SanDisk Corporation and by PCs operating in the Trusted Computing Group (TCG) environment. If a user is authenticated by the boot loader running on the host device 50, the appropriate credential is sent to the storage device 100 to unlock the public memory area 25 and provide access to the operating system code stored therein, so that the operating system code can be loaded and executed.
In another embodiment, the boot loader code is configured to attempt to authenticate the host device 50, which, in effect, binds the operating system code to a particular host device. In this embodiment, the boot loader code collects various hardware parameters of the host device 50 can calculate a digest. Examples of hardware parameters include, but are not limited to, a unique hardware identifier, a memory size, a Media Access Control (MAC) address, and a controller version. The calculated digest is then compared to a digest value stored in the boot loader. If the calculated digest matches the stored digest, the security check is successful, and the appropriate instruction is sent to the storage device 100 to unlock the public memory area 25 and provide access to the operating system code stored therein, so that the operating system code can be loaded and executed. In yet another embodiment, the boot loader code can be configured to attempt to authenticate a Subscriber Identity Module (SIM) card used with the host device 50. This embodiment is similar to the one discussed above, but the hardware parameters are of the SIM card (e.g., an International Mobile Subscriber Identity (IMSI) identifier and an International Mobile Equipment Identity (IMEI) identifier). In this way, the operating system code would be bound to the SIM card—and not to the host device 50. Of course, if the digest is calculated from hardware parameters of both the host device 50 and the SIM card, the operating system code would be bound to both the host device 50 and the SIM card. The host device 50 can also perform SIM card—host device authentication to generate authentication code for unlocking the storage device 100 (e.g., using a challenge response PKI scheme or using symmetric or password authentication).
There are several alternatives that can be used with these embodiments. For example, instead of a single operating system code, the storage device 100 can store a plurality of operating system codes, and the user can be asked which of these codes to upload during the boot process. As another alternative, the boot loader can run a purchasing application that allows the user to purchase a particular operating system code or other content. As yet another alternative, the boot loader can allow an operating system upgrade at a lower level via a boot loader upgrade.
It is intended that the foregoing detailed description be understood as an illustration of selected forms that the invention can take and not as a definition of the invention. It is only the following claims, including all equivalents, that are intended to define the scope of the claimed invention. Finally, it should be noted that any aspect of any of the preferred embodiments described herein can be used alone or in combination with one another.
Number | Name | Date | Kind |
---|---|---|---|
5379431 | Lemon et al. | Jan 1995 | A |
5475839 | Watson et al. | Dec 1995 | A |
5701477 | Chejlava, Jr. | Dec 1997 | A |
5870520 | Lee et al. | Feb 1999 | A |
6185678 | Arbaugh et al. | Feb 2001 | B1 |
6425079 | Mahmoud | Jul 2002 | B1 |
6601166 | Ayyar et al. | Jul 2003 | B1 |
6625729 | Angelo et al. | Sep 2003 | B1 |
6748544 | Challener et al. | Jun 2004 | B1 |
7017038 | LaChance et al. | Mar 2006 | B1 |
7065654 | Gulick et al. | Jun 2006 | B1 |
7111050 | McAdams | Sep 2006 | B2 |
7234052 | Lee et al. | Jun 2007 | B2 |
7251725 | Loison et al. | Jul 2007 | B2 |
7266849 | Gregory et al. | Sep 2007 | B1 |
7634648 | Koyama et al. | Dec 2009 | B2 |
7711941 | Henry et al. | May 2010 | B2 |
7779273 | Dale et al. | Aug 2010 | B2 |
7865740 | Rudelic et al. | Jan 2011 | B2 |
8032181 | Hauck et al. | Oct 2011 | B2 |
8135945 | Gehrmann | Mar 2012 | B2 |
8683212 | Rodgers et al. | Mar 2014 | B2 |
8856544 | Bosch et al. | Oct 2014 | B2 |
20030009657 | French et al. | Jan 2003 | A1 |
20030018892 | Tello | Jan 2003 | A1 |
20040003288 | Wiseman et al. | Jan 2004 | A1 |
20050044348 | O'Connell | Feb 2005 | A1 |
20050081071 | Huang et al. | Apr 2005 | A1 |
20050138423 | Ranganathan | Jun 2005 | A1 |
20060015717 | Liu et al. | Jan 2006 | A1 |
20060064752 | Wang et al. | Mar 2006 | A1 |
20060155837 | Kobayashi et al. | Jul 2006 | A1 |
20060184794 | Desselle et al. | Aug 2006 | A1 |
20070061561 | Hashiguchi | Mar 2007 | A1 |
20070067617 | Tarkkala | Mar 2007 | A1 |
20070192610 | Chun et al. | Aug 2007 | A1 |
20070235517 | O'Connor et al. | Oct 2007 | A1 |
20070239996 | Cromer et al. | Oct 2007 | A1 |
20080022134 | Wang | Jan 2008 | A1 |
20080065875 | Thompson | Mar 2008 | A1 |
20080077592 | Brodie et al. | Mar 2008 | A1 |
20080104381 | Peacock et al. | May 2008 | A1 |
20080162917 | McAvoy | Jul 2008 | A1 |
20090049295 | Erickson et al. | Feb 2009 | A1 |
20090112823 | Aharonov et al. | Apr 2009 | A1 |
20090193507 | Ibrahim | Jul 2009 | A1 |
20090204964 | Foley et al. | Aug 2009 | A1 |
20090282232 | Ugokwe | Nov 2009 | A1 |
20090300415 | Zhang et al. | Dec 2009 | A1 |
20100011200 | Rosenan | Jan 2010 | A1 |
20100011350 | Zayas | Jan 2010 | A1 |
20100023743 | Sastry et al. | Jan 2010 | A1 |
20100070749 | Tsai | Mar 2010 | A1 |
20100106953 | Morad et al. | Apr 2010 | A1 |
20100122076 | Witty | May 2010 | A1 |
20100306399 | Khosravi et al. | Dec 2010 | A1 |
20110083006 | Maruyama et al. | Apr 2011 | A1 |
20110131447 | Prakash et al. | Jun 2011 | A1 |
Number | Date | Country |
---|---|---|
WO 0021238 | Apr 2000 | WO |
Entry |
---|
Intel Corporation, “Mechanism for remapping post virtual machine memory pages”, 2002. |
“TCG Storage Application Note: Encrypting Drives Compliant with Opal SSC”, Specification Version 1.00, Final Revision 1.00, Feb. 19, 2010, pp. ii-92. |
International Search Report and Written Opinion for PCT/IB2011/001748, dated Nov. 29, 2011, 9 pages. |
JEDEC Standard, Mar. 2009, pp. 33-40, retrieved from http://www.jedec.org/sites/default/files/docs/JESD84-A441—0.pdf, retrieved on Nov. 9, 2011. |
Micron Technical Note: Booting from Embedded MMC, TN-29-18, 16 pages, 2006. |
SanDisk iNAND™ eSD/eMMC Embedded Flash Drive, 2 pages, 2008. |
Trusted Boot: Verifying the Xen Launch, Joseph Cihula, Intel Corp., Fall 2007 Xen Summit, 12 pages, 2007. |
CE Linux Forum, Trusted Boot Loader, Steve Johnson, 37 pages, Apr. 12, 2006. |
Number | Date | Country | |
---|---|---|---|
20120042376 A1 | Feb 2012 | US |