In computing, booting involves starting up a computing apparatus so that it can be used. The booting process can be initiated by hardware, such as a button press, or by command. After the power is switched on, the computer is initially limited to the part of its storage that performs power-on self-tests and allows access to other types of memory. Restarting a computer is also referred to as a reboot, which can be “hard”, as in a “hard start” after electrical power to the computer is switched from off to on, or “soft”, where the electrical power is not cut.
Various examples may be more completely understood in consideration of the following detailed description in connection with the accompanying drawings, in which:
Examples described herein are applicable to a variety of different systems and methods including, for example, a computing apparatus in which a first memory stores an operating system (OS) for an associated computer processor of the computing apparatus. In an example, the computing apparatus may include a second memory to store firmware for initiating the computing apparatus, and a controller, where the controller is communicatively coupled to the first memory, the second memory, and a third memory. Responsive to powering on the computing apparatus, the OS may access an agent application in the first memory, provision a wireless network credential using the agent application, and encrypt the wireless network credential using the agent application. The firmware may, in response to receiving the encrypted wireless network credential from the first memory, store the encrypted wireless network credential in the third memory. In some examples, the computing apparatus may act to protect access to a set of encryption keys used to encrypt the wireless network credential.
Some examples described herein may allow for rapid system setup and increased ease of configuration. Access to a network may be protected with credentials that restrict access to the network based on identity or security posture. Such credentials can force user or machine authentication prior to granting access to the network. Moreover, wired and wireless networks may implement security processes that further limit access to the network. Also, in some locations and/or with some computing devices, immediate or full access to such networks is limited, particularly during initial or pre-boot operations. Examples described herein may overcome such issues, for example, by using a digitally signed firmware driver and an agent application which together enable simplified and secure configuration of firmware.
For example, a non-transitory computer-readable storage medium may include instructions that, when executed, cause a computing apparatus to provision a wireless network credential using an agent application installed on the computing apparatus, and to encrypt the wireless network credential using that agent application. Responsive to a reboot of the computing apparatus, the encrypted wireless network credential is transferred to firmware of the computing apparatus for initiating the computing apparatus, and the wireless network credential is stored by the firmware during the reboot of the computing apparatus.
As another example, a non-transitory computer-readable storage medium may include instructions that, when executed, cause a computing apparatus to store a wireless network credential for the computing apparatus, in a memory of the computing apparatus. Responsive to receipt of a request from an agent application installed on the OS of the computing apparatus to update the wireless network credential, the instructions cause the computing apparatus to access an encrypted wireless network credential stored in the memory. The processor decrypts the encrypted wireless network credential, and applies the decrypted wireless network credential to the OS of the computing apparatus for access to a wireless communications network.
The above and other examples are described herein with the understanding that these examples may be practiced without disclosing all the specific details and that features from among the various examples may be combined with one another. For ease of illustration, the same reference numerals may be used in different diagrams to refer to the same elements or additional instances of the same element.
Turning now to the figures,
In various examples, computing apparatus 100 may be, for example, a web-based server, a local area network server, a cloud-based server, a notebook computer, a desktop computer, an all-in-one system, a tablet computing device, a mobile phone, an electronic book reader, or any other electronic device suitable to execute an agent application 110 to monitor computing apparatus 100. Computing apparatus 100 may include a processor 102, a first memory 104, a second memory 106, and a controller 126. Processor 102 may be in communication with first memory 104 and/or second memory 106. Processor 102 may control operations of computing apparatus 100. The first memory 104 and the second memory 106 may store data. In some examples, first memory 104 and the second memory 106 may be implemented using non-volatile memory, such as hard disk drives, solid state storage, flash memory, and Electrically Erasable Programmable Read-Only Memory (EEPROM), among others. As used herein, a controller refers to or includes a chip, an expansion card, or a stand-alone device that interfaces with the processor 102. In some non-limiting examples, the controller 126 may refer to or include an embedded controller, though examples are not so limited.
Computing apparatus 100 may further include firmware 108 stored in second memory 106. As used herein, firmware refers to or includes instructions that can be configured for implementation in logic circuitry, with the instructions by way of code, and as may be stored in and accessible from a memory circuit. The firmware 108 may control low-level operations of computing apparatus 100, such as hardware initialization during boot up. In an example, firmware 108 may be implemented as a Basic Input/Output System (BIOS) of computing apparatus 100. Additionally and/or alternatively, the firmware 108 may be implemented as a Unified Extensible Firmware Interface (UEFI). The firmware 108 may be implemented using instructions executable by processor 102.
In yet another example, the processor 102 is implemented as a multi-core processor or a processor circuit implemented as a set of processor circuits integrated as a chip set. In these and other examples, it is appreciated that such processor circuitry includes a single, or multiple computer circuits including memory circuitry for storing and accessing firmware or program code to be accessed or executed as instructions to perform the related operation(s).
During operation, when the computing apparatus 100 is booting up, a firmware interface may access an agent application 110 in the first memory 104 to obtain various network credentials. As used herein, the firmware interface refers to or includes instructions that allow the firmware to connect with the OS of the computing apparatus. Similarly, once the computing apparatus 100 boots up, the agent application 110 may be provisioned, locally via a user with administrative authority, and/or remotely by an administrator that may push configurations to the computing apparatus 100. The firmware interface may be installed at the time a computing apparatus is manufactured, and may be among the first programs that run when a computing apparatus is turned on. The firmware interface may perform a check to see what hardware components are included in the computing apparatus, wake the hardware components up, and interface the hardware components with the OS. During this ‘pre-boot’ phase, the computing apparatus has limited network capabilities.
In various examples, the installation data may also be stored in second memory 106. In some examples, the installation data may be included as part of the firmware 108, while in other examples, the installation data may be stored in another device that the firmware 108 may access to perform the installation. Where reference is made to a “first memory”, a “second memory”, etc., the adjectives “first” and “second” are not used to connote any description of the structure or to provide any substantive meaning; rather, such adjectives are merely used to differentiate one circuit from another similarly-named circuit.
In additional examples, the agent application 110 may be implemented using instructions executable by the processor 102. As described in more detail in
Further, in response to input of a personal identifier, the OS may execute instructions in the first memory to protect access to a subset of encryption keys used to encrypt the wireless network credential. For instance, a user may enroll a personal identification number (PIN) which is to be used to protect access to a sign key and an endorsement key, as discussed further herein. A subset of encryption keys and data indicative of the subset of encryption keys may be created on the first memory 104, and the data indicative of the subset of encryption keys may be sent to the second memory 106. In such examples, the OS may execute instructions in the first memory 104 to access the agent application upon boot-up of the OS. Also, in response to receipt of the subset of encryption keys from a storage location remote to the first memory, the OS may execute instructions in the first memory 104 to send data indicative of the subset of encryption keys to the second memory.
The apparatus of
In various examples, to ensure the computing apparatus 100 boots in a secure manner, the agent application 110 can implement a secure protocol to check if any of the binaries in the boot sequence fail cryptographic signature checks. In the event a binary does fail this cryptographic signature check, it is not allowed to run. By running from firmware and authenticating other code, such as the binaries, before it is executed, and through the execution of various techniques for provisioning wireless network credentials, a secure connection between the OS and the firmware can be created, thereby denying the launch of malicious code.
Once the OS starts, the agent application 110 may be provisioned in the system. The agent application may be provisioned locally or remotely. In the first case, a user with administrative privileges can configure the agent application 110. In the second case, the administrative user is to push the configuration remotely to the managed computing apparatus 100. As used herein, to remotely configure the managed computing apparatus refers to or includes a second computing apparatus that is different than the managed computing apparatus, sending processor executable instructions to the managed computing apparatus so as to configure the managed computing apparatus. Accordingly, the agent application 110 may be provisioned locally by a user with administrative privileges, and/or the agent application 110 may retrieve the wireless network credential(s) from a memory remote to the first memory 104.
In both scenarios, three encryption keys may be utilized. A first key is a sign key, which may be used to sign the provisioning commands to enable the agent application 110 to transmit data to the firmware 108. A second key is an endorsement key, which may be used to remove and deactivate the agent application 110 from the OS and deactivate the secure communication protocol from the computing apparatus 100. A third key may be a transport key, used to encrypt and/or decrypt the wireless network credential data that may be exchanged between the OS and the firmware.
In some examples, the wireless network credential may be encrypted using a first key to sign provisioning commands to enable the agent to transfer data to the firmware, a second key to remove and deactivate the agent from the computing apparatus, and a third key to encrypt and decrypt a wireless network credential that is exchanged between an OS of the computing apparatus and the firmware. An activation command may be encrypted with the first key, and the encrypted activation command may be sent to the firmware to activate the agent application. Further, an authorization value may be sent to the agent application to protect the third key, and responsive to receipt, by the agent application, of the authorization value, the third key may be created to transfer the encrypted wireless network credential to the firmware.
In various examples, in response to input of a personal identifier at the computing apparatus 100, the first memory 104 included in the computing apparatus 100 may protect access to a subset of encryption keys used to encrypt the wireless network credential. For instance, access to the sign and endorsement keys may be protected. A subset of encryption keys and data indicative of the subset of encryption keys may be created (e.g., provisioned) on the first memory 104, and the data indicative of the subset of encryption keys may be sent to the second memory 106. For instance, the sign key and the endorsement key may be provisioned and sent to the second memory 106.
As illustrated and discussed above in connection with
Once the agent application 110 is installed, the agent application 110 may be dormant. To enable the agent application 110 to support booting the computing apparatus 100, such as during a pre-boot operation or following a re-boot command, a plurality of secured protocols may be used. As used herein, a secured protocol may mean a system/method for encrypting data, such as public key cryptography. For example, three cryptography keys are used to enable the agent application 110 to boot the computing apparatus 100: a sign key (not shown), an endorsement key (not shown), and a transport key 208.
The sign key may be used to sign commands issued to firmware 108 to control the agent application 110. The endorsement key may be used to sign a deactivate command sent to the firmware 108 to deactivate and/or remove the agent application 110 from the computing apparatus 100.
The sign key and the endorsement key may be generated locally at the computing apparatus 100, or remotely at, for instance, a server. In some examples, a sign key modulus 204 and an endorsement key modulus 206 may be sent to the firmware 108 when the firmware 108 already has the exponents of the sign key and the endorsement key. The sign key modulus 204 and the endorsement key modulus 206 may be stored in the second memory 106. In other examples, the sign key modulus 204 and the endorsement key modulus 206 may be stored in another storage device of the computing apparatus 100 that the firmware 108 can access. In some examples, the sign key (i.e., modulus and exponent) and the endorsement key (i.e., modulus and exponent) may be sent to the firmware 108.
For a locally managed computing apparatus 100 and/or system, and in accordance with various examples presented herein, the technique(s) for provisioning the wireless network credential may include the user of the computing apparatus 100 entering a personal identifier, such as a passphrase or PIN, used to protect the access to the sign and endorsement keys (not shown). The sign and endorsement keys that are created and their encrypted blobs may be stored locally on the computing apparatus 100. Then, the public modulus of the sign key 204 and the public modulus of the endorsement key 206 may be sent to the firmware 108. For a remotely managed system, the technique(s) for provisioning the wireless network credential may include the IT administrator creating the sign and endorsement keys remotely. The public modulus of the sign key 204 and the public modulus of the endorsement key 206 may then be sent to the firmware 108 through the network.
The firmware 108 may receive an activation command 210 that instructs the firmware 108 to activate the agent application 110. The activation command 210 may also include configuration data 212 of the agent application 110. In response to receiving the activation command 210, the firmware 108 may transmit an activation message 214 that includes the configuration data 212 to activate the agent application 110. In response to receiving the activation message 214, the agent application 110 may configure settings of the agent application 110 based on the activation message 214.
Once the firmware 108 of the computing apparatus 100 receives the sign and endorsement keys, the boot instruction commands can be issued. The first command is to activate the agent application 110 in the operating system 202. By doing so, the activation command 210 and the configuration settings of the agent application 110 may be encrypted and sent to the firmware 108, causing the agent application 110 to enter an active state. While in the active state, the agent application 110 may begin executing in operating system 202. The agent application 110 may also transmit a request 216 to the firmware 108 to request an authorization value 218. In response to receiving the request 216, the firmware 108 may transmit the authorization value 218 to the agent application 110 to generate the transport key 208. The agent application 110 may use the transport key 208 to enable data to be exchanged between the agent application 110 and the firmware 108.
Additionally, upon provisioning the sign and endorsement keys and the agent application 110 entering the active state, the agent application 110 may request the authorization value 218 from the firmware 108, or from any other auxiliary instructions and/or hardware included in the computing apparatus 100 holding that value, which is to be used to protect the transport key 208. Upon receiving the authorization value 218, the agent application 110 may create the transport key 208 and send the public modulus of the transport key 208 to the firmware 108, in both the locally and remotely managed scenarios described above. To create and provision the transport key 208, the agent application 110 receives the transport authorization value 218 from, for instance, the firmware 108, creates the transport key 208 by signing the authorization value 218 to protect that particular transport key, and sends the public modulus of the transport key 220 to the firmware 108. The firmware 108 may then use the transport key modulus 220 and authorization value 218 to create a copy of the transport key 208.
In additional examples, responsive to a reboot of the computing apparatus 100, the second memory 106 may send a request to access a wireless network, retrieve the encrypted wireless network credential from the controller 226, and decrypt the wireless network credential using the plurality of decryption keys, as discussed further herein.
As described herein, the agent application 110 may get and/or set wireless network credentials, which are embedded in a network profile that has other metadata associated with network connections, from and/or to the file system at 305. The agent application 110 may get and/or set wireless network credentials, from and/or to, local media 228 including, as non-limiting examples, a hard disk drive (HDD), a solid state drive (SSD), and/or a self-encrypting drive (SED), among other types of local media.
As discussed herein, the agent application 110 encrypts the network credential data and sends it to firmware driver 303 in the firmware 108, such as at 307. In response, at 309, the firmware driver sends the encrypted network credential data to a controller 226 for secure storage, such as in third memory 103 illustrated in
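The activation, authorization value, transport key and credential storage steps described above, as an added simulation that is not part of the patent or any product's code. It assumes an RSA sign key (the firmware holds only the public half), a constructed activation command and authorization value, and a symmetric transport key derived on both sides from the authorization value in place of the RSA transport-key modulus exchange:

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Firmware side: public half of the sign key, authorization value 218, sealed credential.
type Firmware struct {
	SignPub *rsa.PublicKey
	AuthVal []byte
	Sealed  []byte // encrypted credential as parked in the controller's memory (309)
}

// Activate verifies command 210 against the sign key; only then is value 218 released.
func (f *Firmware) Activate(cmd, sig []byte) ([]byte, error) {
	h := sha256.Sum256(cmd)
	if rsa.VerifyPSS(f.SignPub, crypto.SHA256, h[:], sig, nil) != nil {
		return nil, errors.New("activation rejected: bad sign-key signature")
	}
	return f.AuthVal, nil
}

// transportAEAD derives transport key 208 from the authorization value (assumed
// symmetric derivation on both sides, in place of the page's RSA modulus exchange).
func transportAEAD(authVal []byte) cipher.AEAD {
	key := sha256.Sum256(append([]byte("transport-key|"), authVal...))
	blk, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	g, _ := cipher.NewGCM(blk)
	return g
}

// CredentialAtReboot is the pre-boot path; any tampering fails the GCM tag check.
func (f *Firmware) CredentialAtReboot() ([]byte, error) {
	g := transportAEAD(f.AuthVal)
	n := g.NonceSize()
	if len(f.Sealed) < n {
		return nil, errors.New("no credential provisioned")
	}
	return g.Open(nil, f.Sealed[:n], f.Sealed[n:], []byte("wifi-credential"))
}

// Provision is the agent side: sign 210, obtain 218, encrypt the credential (307),
// hand it to the firmware, and return what the firmware recovers at reboot.
func Provision(signKey *rsa.PrivateKey, fw *Firmware, cred string) (string, error) {
	cmd := []byte("ACTIVATE agent=110") // constructed activation command
	h := sha256.Sum256(cmd)
	sig, err := rsa.SignPSS(rand.Reader, signKey, crypto.SHA256, h[:], nil)
	if err != nil {
		return "", err
	}
	authVal, err := fw.Activate(cmd, sig)
	if err != nil {
		return "", err
	}
	g := transportAEAD(authVal)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	fw.Sealed = g.Seal(nonce, nonce, []byte(cred), []byte("wifi-credential"))
	got, err := fw.CredentialAtReboot()
	return string(got), err
}
```

An activation command signed by any key other than the provisioned sign key never reaches the authorization value, and a blob altered in the controller's memory fails to open at reboot rather than yielding a corrupted credential.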
From the level of the OS,
From the level of the OS,
The processor 502 may be a central processing unit (CPU), a semiconductor-based microprocessor, and/or other hardware devices suitable to control operations of the computing apparatus 500. Computer-readable storage medium 504 may be an electronic, magnetic, optical, or other physical storage device that contains or stores executable instructions. Thus, computer-readable storage medium 504 may be, for example, Random Access Memory (RAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a storage device, an optical disc, etc. In some examples, the computer-readable storage medium may be a non-transitory storage medium, where the term ‘non-transitory’ does not encompass transitory propagating signals. As described in detail below, the computer-readable storage medium 504 may be encoded with a series of executable instructions 504-514. In some examples, computer-readable storage medium 504 may implement a memory 506, such as the first memory 104 and/or the second memory 106 of
As illustrated, the computer-readable storage medium 504 may store instructions that, when executed, cause the computing apparatus 500 to store a wireless network credential for the computing apparatus in memory of the computing apparatus. Additionally, instructions 510 may cause the computing apparatus 500 to, responsive to receipt of a request from an agent application installed on an OS of the computing apparatus to update the wireless network credential, access an encrypted wireless network credential stored in the memory. Instructions 512 may cause the computing apparatus 500 to decrypt the encrypted wireless network credential, and instructions 514 may cause the computing apparatus 500 to apply the decrypted wireless network credential to the OS of the computing apparatus for access to a wireless communications network. In various examples, as discussed herein, the agent application may execute in the OS of the computing apparatus and firmware executes in a system management mode driver of the computing apparatus. In some examples, the computer-readable storage medium 504 may store instructions that, when executed, cause the processor 502 to, responsive to receipt by the system management mode driver of a request to update the wireless network credential, retrieve the wireless network credential, send the wireless network credential to the agent, and decrypt the wireless network credential using the agent (as discussed with regards to
The computer-readable storage medium 504 is not limited to the instructions illustrated in
As discussed herein, the computer-readable storage medium 504 may store instructions to encrypt the network credential using a first key to sign provisioning commands to enable the agent to transfer data to the firmware, a second key to remove and deactivate the agent from the computing apparatus, and a third key to encrypt and decrypt a wireless network credential that is exchanged between an OS of the computing apparatus and the firmware. Moreover, the computer-readable storage medium 504 may store instructions that, when executed, cause the computing apparatus 500 to encrypt an activation command with the first key and send the encrypted activation command to the firmware to activate the agent, provide an authorization value to the agent to protect the third key, and responsive to receipt, by the agent, of the authorization value, create the third key to transfer the encrypted wireless network credential to the firmware. In some examples, the computer-readable storage medium 504 includes instructions that, when executed, cause the computing apparatus 500 to create the third key to include an authorization value as a signature to protect that third key, responsive to receipt by the agent of the authorization value.
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/US2019/029788 | 4/30/2019 | WO | 00 |