Systems and methods for flexible motherboard supporting flexible processor utilization for optimized design
US-2022121259-A1 · Apr 21, 2022 · US
Secure boot policy for platform security using neutral processors in an information handling system
US11615190B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11615190-B2 |
| Application number | US-202117443101-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 20, 2021 |
| Priority date | Jul 20, 2021 |
| Publication date | Mar 28, 2023 |
| Grant date | Mar 28, 2023 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
A secure boot policy may be stored in the information handling system and used to create a trusted relationship with a CPU, including a neutral CPU that has not been fused with an OEM key. The secure boot policy may be a data blob including platform-specific identification information (e.g., one or more of flash memory unique ID, motherboard ePPID), a boot policy (e.g., specifying to enable or disable neutral CPU fusing), and a signature. The secure boot policy may be stored in a one-time-programmable (OTP) storage of the information handling system, such as an OTP region in the serial peripheral interface (SPI) flash memory part storing the basic input/output system (BIOS). The BIOS may verify the secure boot policy using a public key and check if the boot policy is bound to current BIOS flash part and/or system configuration, and then apply the boot policy if the verification is passed.
First claim
Opening claim text (preview).
What is claimed is: 1. A method, comprising: determining, by a processor executing a Basic Input/Output System (BIOS) system firmware stored in a non-volatile memory after initiating a power-on self-test (POST), that a processor coupled to the non-volatile memory is a neutral processor; determining, by the BIOS in response to the processor being determined to be a neutral processor, whether a secure boot policy is present in the non-volatile memory; in response to determining that the secure boot policy is present in the non-volatile memory: determining whether the secure boot policy is authentic; assigning a default boot policy to the neutral processor in response to the determining whether the secure boot policy is authentic indicates the secure boot policy is not authentic; and assigning the secure boot policy to the neutral processor in response to the determining whether the secure boot policy is authentic indicates the secure boot policy is authentic. 2. The method of claim 1 , further comprising: in response to determining that the secure boot policy is not present in the non-volatile memory, assigning the default boot policy to the neutral processor. 3. The method of claim 1 , further comprising: after assigning the default boot policy, receiving a user input indicating whether to fuse the neutral processor; and booting an operating system without fusing the neutral processor based on the user input. 4. The method of claim 1 , further comprising: after assigning the default boot policy, receiving a user input indicating whether to fuse the neutral processor; fusing the neutral processor with an original equipment manufacturer (OEM) key based on the user input to configure the neutral processor to establish a chain of trust from a root of trust of the neutral processor to the BIOS and from the BIOS to an operating system; and booting the operating system after fusing the neutral processor. 5. The method of claim 1 , wherein determining whether the secure boot policy is authentic comprises determining whether a signature on the secure boot policy is valid based on a public key. 6. The method of claim 5 , wherein determining whether the secure boot policy is authentic further comprises determining whether platform-specific identification information of the secure boot policy matches identification information associated with an information handling system in which the neutral CPU is installed. 7. The method of claim 6 , wherein determining whether platform-specific identification information matches the information handling system comprises determining whether a motherboard electronic piece part identification (ePPID) of the secure boot policy matches identification information associated with a motherboard of the information handling system. 8. The method of claim 1 , wherein determining whether a secure boot policy is present in a non-volatile memory comprises determining whether the secure boot policy is present in a one-time-programmable (OTP) storage of the non-volatile memory. 9. An information handling system, comprising: a processor; and a non-volatile memory coupled to the processor, wherein the processor is configured to execute a system firmware stored in the non-volatile memory to configure the processor to perform steps comprising: determining that the processor is a neutral processor; determining, in response to the processor being determined to be a neutral processor, whether a secure boot policy is present in the non-volatile memory; in response to determining the secure boot policy is present in the non-volatile memory: determining whether the secure boot policy is authentic; assigning a default boot policy to the neutral processor when the determining indicates the secure boot policy is not authentic; and assigning the secure boot policy to the neutral processor when the determining indicates the secure boot policy is authentic. 10. The information handling system of claim 9 , wherein the processor is further configured by the system firmware to assign the default boot policy to the neutral processor in response to determining that the secure boot policy is not present in the non-volatile memory. 11. The information handling system of claim 9 , wherein the processor is further configured by the system firmware to: receive a user input indicating whether to fuse the neutral processor; fuse the neutral processor with an original equipment manufacturer (OEM) key based on the user input to configure the neutral processor to establish a chain of trust from a root of trust of the neutral processor to the BIOS and from the BIOS to an operating system; and booting the operating system after fusing the neutral processor. 12. The information handling system of claim 9 , wherein determining whether the secure boot policy is authentic comprises determining whether a signature on the secure boot policy is valid based on a public key. 13. The information handling system of claim 12 , wherein determining whether the secure boot policy is authentic further comprises determining whether platform-specific identification information of the secure boot policy matches identification information associated with the information handling system in which the neutral processor is installed. 14. The information handling system of claim 13 , wherein determining whether platform-specific identification information matches identification information associated with the information handling system comprises determining whether a motherboard electronic piece part identification (ePPID) of the secure boot policy matches a motherboard of the information handling system. 15. The information handling system of claim 9 , wherein determining whether a secure boot policy is present in a non-volatile memory comprises determining whether the secure boot policy is present in a one-time-programmable (OTP) storage of a BIOS flash part. 16. A computer program product, comprising: a non-transitory computer readable medium comprising instructions that, when executed by a processor of an information handling system, causes the processor to perform steps comprising: determining that the processor is a neutral processor; determining, in response to the processor being determined to be a neutral processor, whether a secure boot policy is present in a non-volatile memory; in response to determining the secure boot policy is present in the non-volatile memory: determining whether the secure boot policy is authentic; assigning a default boot policy to the neutral processor when the determining indicates the secure boot policy is not authentic; and assigning the secure boot policy to the neutral processor when the determining indicates the secure boot policy is authentic. 17. The computer program product of claim 16 , wherein the instructions further configure the processor to assign the default boot policy to the neutral processor in response to determining that the secure boot policy is not present in the non-volatile memory. 18. The computer program product of claim 16 , wherein the instructions further configure the processor to perform steps comprising: after assigning the default boot policy, receiving a user input indicating whether to fuse the neutral processor; and booting an operating system without fusing the neutral processor based on the user input. 19. The computer program product of claim 16 , wherein determining whether the secure boot policy is authentic comprises determining whether a signature on the sec
Assignees
Inventors
Classifications
by power-on test, e.g. power-on self test [POST] · CPC title
Protecting data integrity, e.g. using checksums, certificates or signatures · CPC title
- G06F21/575Primary
Secure boot · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US11615190B2 cover?
- A secure boot policy may be stored in the information handling system and used to create a trusted relationship with a CPU, including a neutral CPU that has not been fused with an OEM key. The secure boot policy may be a data blob including platform-specific identification information (e.g., one or more of flash memory unique ID, motherboard ePPID), a boot policy (e.g., specifying to enable or …
- Who is the assignee on this patent?
- Dell Products Lp
- What technology area does this patent fall under?
- Primary CPC classification G06F21/575. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Tue Mar 28 2023 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 6 related publications on this page (citations in our corpus or others sharing the same primary CPC).