US11423150B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11423150-B2 |
| Application number | US-201916371191-A |
| Country | US |
| Kind code | B2 |
| Filing date | Apr 1, 2019 |
| Priority date | Sep 7, 2018 |
| Publication date | Aug 23, 2022 |
| Grant date | Aug 23, 2022 |
Abstract
The concepts, systems and methods described herein are directed towards a method for secure booting. The method includes: loading and executing a firmware in a Management Engine (ME) of a system; establishing, by the ME, a communication channel to a security device; receiving, by the ME, an encrypted boot image from the security device; decrypting, by the ME, the encrypted boot image; storing, by the ME, the decrypted boot image in a secured storage medium; and resetting the system using the decrypted boot image in the secured storage medium.
Claims
What is claimed is:
1. A method for secure booting of a system comprising a processor, a management engine (ME) and a secured storage medium, the method comprising: loading and executing a firmware in the ME; establishing, by the ME, a communication channel to a security device, the security device comprises a Hardware Root of Trust (HRoT) device, wherein the HRoT device and the system that is being booted are respective independent systems; receiving, by the ME, an encrypted boot image from the security device; decrypting, by the ME, the encrypted boot image; storing, by the ME, the decrypted boot image in the secured storage medium; and resetting the system using the decrypted boot image in the secured storage medium; loading, by the ME, an unencrypted boot image; encrypting, by the ME, the unencrypted boot image using a unique key; storing, by the ME, the encrypted boot image in the security device; generating, by the ME, an Advanced Encryption Standard (AES) key; encrypting, by the ME, the unencrypted boot image using the AES key; encrypting, by the ME, the AES key; and storing, by the ME, the encrypted boot image and the encrypted AES key in the security device; wherein the encrypted boot image is generated using the unique key that is generated by the ME.
2. The method of claim 1, wherein the unique key comprises a unique-per-processor key that is generated based upon unique key material of the processor, wherein the unique key material of the processor is accessible by the ME.
3. The method of claim 1, further comprising: transferring data to and from the security device via the communication channel.
4. A system comprising: a processor and memory; a management engine (ME); and a secured storage medium; wherein the ME is configured to: load and execute a firmware; establish a communication channel to a security device, the security device comprises a Hardware Root of Trust (HRoT) device wherein the HRoT device and the system that is being booted are respective independent systems; receive an encrypted boot image from the security device; decrypt the encrypted boot image; store the decrypted boot image in the secured storage medium, wherein the system resets using the decrypted boot image in the secured storage medium; load, by the ME, an unencrypted boot image; encrypt, by the ME, the unencrypted boot image using a unique key; store, by the ME, the encrypted boot image in the security device; generate, by the ME, an Advanced Encryption Standard (AES) key; encrypt, by the ME, the unencrypted boot image using the AES key; encrypt, by the ME, the AES key; and store, by the ME, the encrypted boot image and the encrypted AES key in the security device; wherein the encrypted boot image is generated using the unique key that is generated by the ME.
5. The system of claim 4, wherein the security device comprises a network server.
6. The system of claim 4, wherein the comprises a System-on-a-Chip (SoC).
7. The system of claim 4, wherein the communication channel to the security device comprises an encrypted communication channel.
8. The system of claim 4, wherein the ME is located in a Platform Controller Hub (PCH) of the system.
9. A method for secure booting of a system comprising a processor, a management engine (ME) and a secured storage medium, the method comprising: loading and executing a firmware in the ME; establishing, by the ME, a communication channel to a security device, the security device comprises a Hardware Root of Trust (HRoT) device; loading, by the ME, an unencrypted boot image; encrypting, by the ME, the unencrypted boot image using a unique key that is generated by the ME; storing, by the ME, the encrypted boot image in the security device; loading, by the ME, an unencrypted boot image; encrypting, by the ME, the unencrypted boot image using the unique key; storing, by the ME, the encrypted boot image in the security device; generating, by the ME, an Advanced Encryption Standard (AES) key; encrypting, by the ME, the unencrypted boot image using the AES key; encrypting, by the ME, the AES key; and storing, by the ME, the encrypted boot image and the encrypted AES key in the security device; wherein the encrypted boot image is generated using the unique key that is generated by the ME.
10. The method of claim 9, wherein the unencrypted boot image is fetched from the HRoT device.
11. The method of claim 9, wherein the unencrypted boot image is retrieved from storage that is accessible by the ME.
12. The method of claim 9, further comprising: receiving, by the ME, the encrypted boot image from the security device; decrypting, by the ME, the encrypted boot image; storing, by the ME, the decrypted boot image in the secured storage medium; and resetting the system using the decrypted boot image in the secured storage medium.
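The two paths the abstract and claims describe (the ME provisioning an image into the security device, and the ME pulling it back at boot) amount to envelope encryption with a per-processor wrapping key. The Go program below is an added example written for this page; it is not code from the patent or from any vendor's ME firmware. AES-256-GCM for both the image and the key wrap, HMAC-SHA256 as the derivation of the unique key from processor key material (claim 2 names no specific derivation), the in-memory `HRoT` store, the `slot` name, and all key material and image bytes are constructed assumptions. It also shows the check a practitioner cares about: a tampered blob, or a blob sealed for a different processor, fails authentication and is never handed to secured storage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SealedImage is what the ME stores in the security device: the boot image
// encrypted under a fresh AES-256 key, plus that AES key wrapped (encrypted)
// under the per-processor unique key. GCM appends an authentication tag.
type SealedImage struct {
	ImageNonce, EncImage []byte
	KeyNonce, EncKey     []byte
}

// HRoT models the external security device as an independent system that
// only stores opaque blobs and never sees the processor's key material.
type HRoT struct{ store map[string]SealedImage }

func NewHRoT() *HRoT                          { return &HRoT{store: map[string]SealedImage{}} }
func (h *HRoT) Put(slot string, s SealedImage) { h.store[slot] = s }
func (h *HRoT) Get(slot string) (SealedImage, bool) {
	s, ok := h.store[slot]
	return s, ok
}

// DeriveUniqueKey is the assumed KDF for claim 2: a unique-per-processor key
// computed from key material that only the ME can read.
func DeriveUniqueKey(processorKeyMaterial []byte, slot string) []byte {
	mac := hmac.New(sha256.New, processorKeyMaterial)
	mac.Write([]byte("secure-boot-image-wrap/" + slot))
	return mac.Sum(nil) // 32 bytes, used as an AES-256 key
}

func gcmSeal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, g.Seal(nil, nonce, plaintext, aad), nil
}

func gcmOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ct, aad)
}

// Provision is the store path of claims 1, 4 and 9: the ME generates an AES
// key, encrypts the plaintext image with it, encrypts the AES key with the
// unique key, and places both blobs in the security device.
func Provision(h *HRoT, slot string, uniqueKey, image []byte) error {
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		return err
	}
	imgNonce, encImage, err := gcmSeal(aesKey, image, []byte(slot))
	if err != nil {
		return err
	}
	keyNonce, encKey, err := gcmSeal(uniqueKey, aesKey, []byte(slot))
	if err != nil {
		return err
	}
	h.Put(slot, SealedImage{imgNonce, encImage, keyNonce, encKey})
	return nil
}

// Boot is the boot path: fetch the sealed blobs, unwrap the AES key with the
// unique key, decrypt and authenticate the image, and return it as the data
// to write to secured storage before reset. Any tag failure aborts the boot.
func Boot(h *HRoT, slot string, uniqueKey []byte) ([]byte, error) {
	s, ok := h.Get(slot)
	if !ok {
		return nil, errors.New("no boot image in security device")
	}
	aesKey, err := gcmOpen(uniqueKey, s.KeyNonce, s.EncKey, []byte(slot))
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed (wrong processor or tampered blob): %w", err)
	}
	image, err := gcmOpen(aesKey, s.ImageNonce, s.EncImage, []byte(slot))
	if err != nil {
		return nil, fmt.Errorf("boot image authentication failed: %w", err)
	}
	return image, nil
}

// ConstructedDemo runs the round trip on constructed inputs and reports
// (roundTripOK, tamperRejected, wrongProcessorRejected).
func ConstructedDemo() (bool, bool, bool) {
	fusedA := bytes.Repeat([]byte{0xA5}, 32) // constructed key material, processor A
	fusedB := bytes.Repeat([]byte{0x5A}, 32) // constructed key material, processor B
	image := []byte("constructed boot image: early firmware stage blob")
	h, keyA := NewHRoT(), DeriveUniqueKey(fusedA, "slot0")
	if err := Provision(h, "slot0", keyA, image); err != nil {
		return false, false, false
	}
	got, err := Boot(h, "slot0", keyA)
	roundTripOK := err == nil && bytes.Equal(got, image)

	s, _ := h.Get("slot0") // flip one ciphertext byte of the stored image
	tampered := s
	tampered.EncImage = append([]byte{}, s.EncImage...)
	tampered.EncImage[0] ^= 0x01
	h.Put("slot0", tampered)
	_, err = Boot(h, "slot0", keyA)
	tamperRejected := err != nil
	h.Put("slot0", s)

	_, err = Boot(h, "slot0", DeriveUniqueKey(fusedB, "slot0")) // processor B's key
	return roundTripOK, tamperRejected, err != nil
}

func main() { fmt.Println(ConstructedDemo()) }
```

The slot name is bound into both GCM operations as associated data, so a blob copied from one slot into another fails to open; the unique key is derived per processor, so the same blob moved to a second machine fails at the key-unwrap step before the image is ever touched. What the example does not cover, and the claims do not require, is authenticating the security device itself over the channel of claim 7; a real deployment would add that.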
CPC classification titles:
- by securing the transmission between two devices or processes
- involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
- Cryptography, encrypt, access, authorize with key, code, password
- Secure boot
- Test or assess software