Identity-based verification of software code layers

US12216765B2 · US · B2

Patent metadata

Publication number: US-12216765-B2
Application number: US-202217973793-A
Country: US
Kind code: B2
Filing date: Oct 26, 2022
Priority date: Oct 26, 2022
Publication date: Feb 4, 2025
Grant date: Feb 4, 2025

Abstract

Official abstract text for this publication.

Techniques are provided for identity-based verification of software code layers. One method comprises obtaining, by a current layer of software code executing on a security processor of a security sub-system, in connection with a boot of the security sub-system, an identity key of the current layer, wherein the identity key of the current layer is based on a value generated during a provisioning of the security sub-system, wherein the value is based on a firmware image of at least one layer of the software code; obtaining an encrypted secure boot public key of a next layer; decrypting the encrypted secure boot public key of the next layer using the obtained identity key of the current layer; verifying the next layer using the decrypted secure boot public key of the next layer; and executing the next layer based at least in part on a result of the verifying.

First claim

Opening claim text (preview).

What is claimed is:

1. A method, comprising: obtaining, by a current layer of a plurality of layers of software code executing on a security processor of a security sub-system, in connection with a boot of the security sub-system, an identity key of the current layer of software code, wherein the identity key of the current layer of software code is based at least in part on at least one value generated during a provisioning of the security sub-system, wherein the at least one value is based at least in part on a firmware image of at least one layer of the plurality of layers of software code; obtaining an encrypted secure boot public key of a next layer of software code; decrypting the encrypted secure boot public key of the next layer of software code using the obtained identity key of the current layer of software code; verifying the next layer of software code using the decrypted secure boot public key of the next layer of software code; and initiating execution of the next layer of software code based at least in part on a result of the verifying; wherein the method is performed by at least one processing device comprising a processor coupled to a memory.

2. The method of claim 1, wherein the identity key of the current layer of software code is based at least in part on one or more of (i) a first value generated by applying at least one function to one or more values stored in a secure memory of the security sub-system, and (ii) a second value generated by applying at least one function to the firmware image of the at least one layer of the plurality of layers of software code.

3. The method of claim 2, wherein the identity key of the current layer of software code is generated by applying a key derivation function to the first value and the second value.

4. The method of claim 1, wherein the at least one value generated during the provisioning of the security sub-system comprises a substantially unique identifier of the security sub-system.

5. The method of claim 1, further comprising preventing an execution of the next layer of software code responsive to the next layer of software code failing to verify.

6. The method of claim 1, wherein the identity key of the current layer of software code is obtained from a vault, in a protected storage of the security sub-system, associated with the current layer of software code.

7. The method of claim 1, wherein the verifying the next layer of software code comprises verifying a signature associated with the next layer of software code.

8. The method of claim 1, wherein the decrypting the encrypted secure boot public key of the next layer of software code using the obtained identity key of the current layer of software code requires the identity key of the current layer of software code that is based at least in part on the at least one value generated during the provisioning of the security sub-system.

9. An apparatus comprising: at least one processing device comprising a processor coupled to a memory; the at least one processing device being configured to implement the following steps: obtaining, by a current layer of a plurality of layers of software code executing on a security processor of a security sub-system, in connection with a boot of the security sub-system, an identity key of the current layer of software code, wherein the identity key of the current layer of software code is based at least in part on at least one value generated during a provisioning of the security sub-system, wherein the at least one value is based at least in part on a firmware image of at least one layer of the plurality of layers of software code; obtaining an encrypted secure boot public key of a next layer of software code; decrypting the encrypted secure boot public key of the next layer of software code using the obtained identity key of the current layer of software code; verifying the next layer of software code using the decrypted secure boot public key of the next layer of software code; and initiating execution of the next layer of software code based at least in part on a result of the verifying.

10. The apparatus of claim 9, wherein the identity key of the current layer of software code is based at least in part on one or more of (i) a first value generated by applying at least one function to one or more values stored in a secure memory of the security sub-system, and (ii) a second value generated by applying at least one function to the firmware image of the at least one layer of the plurality of layers of software code.

11. The apparatus of claim 10, wherein the identity key of the current layer of software code is generated by applying a key derivation function to the first value and the second value.

12. The apparatus of claim 9, further comprising preventing an execution of the next layer of software code responsive to the next layer of software code failing to verify.

13. The apparatus of claim 9, wherein the verifying the next layer of software code comprises verifying a signature associated with the next layer of software code.

14. The apparatus of claim 9, wherein the decrypting the encrypted secure boot public key of the next layer of software code using the obtained identity key of the current layer of software code requires the identity key of the current layer of software code that is based at least in part on the at least one value generated during the provisioning of the security sub-system.

15. A non-transitory processor-readable storage medium having stored therein program code of one or more software programs, wherein the program code when executed by at least one processing device causes the at least one processing device to perform the following steps: obtaining, by a current layer of a plurality of layers of software code executing on a security processor of a security sub-system, in connection with a boot of the security sub-system, an identity key of the current layer of software code, wherein the identity key of the current layer of software code is based at least in part on at least one value generated during a provisioning of the security sub-system, wherein the at least one value is based at least in part on a firmware image of at least one layer of the plurality of layers of software code; obtaining an encrypted secure boot public key of a next layer of software code; decrypting the encrypted secure boot public key of the next layer of software code using the obtained identity key of the current layer of software code; verifying the next layer of software code using the decrypted secure boot public key of the next layer of software code; and initiating execution of the next layer of software code based at least in part on a result of the verifying.

16. The non-transitory processor-readable storage medium of claim 15, wherein the identity key of the current layer of software code is based at least in part on one or more of (i) a first value generated by applying at least one function to one or more values stored in a secure memory of the security sub-system, and (ii) a second value generated by applying at least one function to the firmware image of the at least one layer of the plurality of layers of software code.

17. The non-transitory processor-readable storage medium of claim 16, wherein the identity key of the current layer of software code is generated by applying a key derivation function to the first value and the second value.

18. The non-transitory processor-readable storage medium of claim 15, further comprising preventing an execution of the next l
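The abstract and claims 1 to 8 describe a single procedure: at provisioning, each layer's identity key is derived from a secret in secure memory and a measurement of a firmware image, and the public key that verifies the next layer is stored encrypted under that identity key; at boot, each layer recovers that public key, verifies the next layer's signature, and either hands over control or refuses to. The Python below is an added example written for this page, not code from the patent or from Dell. Everything in it is an assumption chosen for illustration: the unique device secret `UDS` is a constructed value, HMAC-SHA256 stands in for the key derivation function and (as an encrypt-then-MAC keystream) for the cipher protecting the public key, and Lamport one-time signatures stand in for the secure boot signature scheme because they need only `hashlib`. The names `provision`, `boot`, `derive_identity_key` and the vault layout are likewise invented here.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed stand-in for the substantially unique secret held in the security
# sub-system's secure memory (claims 2 and 4). Not a real device secret.
UDS = hashlib.sha256(b"constructed unique device secret").digest()


def measure(image: bytes) -> bytes:
    """Claim 2 'second value': a function (SHA-256) applied to a firmware image."""
    return hashlib.sha256(image).digest()


def derive_identity_key(uds: bytes, image: bytes) -> bytes:
    """Claims 2-3: a KDF (HMAC-SHA256 here, an assumption) over the value derived
    from secure memory and the firmware measurement. A changed image gives a different key."""
    first = hashlib.sha256(b"secure-memory|" + uds).digest()
    return hmac.new(first, b"identity-key|" + measure(image), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + c.to_bytes(4, "big"), hashlib.sha256).digest()
              for c in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with an HMAC keystream: a wrong identity key is detected by
    the tag instead of silently yielding a garbage public key."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag|" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag|" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# Lamport one-time signatures: a real public-key scheme built from hashlib alone.
def lamport_keygen(seed: bytes):
    priv = [hashlib.sha256(seed + i.to_bytes(2, "big")).digest() for i in range(512)]
    pub = b"".join(hashlib.sha256(p).digest() for p in priv)
    return priv, pub


def _bits(digest: bytes) -> List[int]:
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(priv: List[bytes], image: bytes) -> bytes:
    return b"".join(priv[2 * i + b] for i, b in enumerate(_bits(measure(image))))


def lamport_verify(pub: bytes, image: bytes, sig: bytes) -> bool:
    if len(sig) != 32 * 256 or len(pub) != 32 * 512:
        return False
    got = b"".join(hashlib.sha256(sig[32 * i:32 * i + 32]).digest() for i in range(256))
    want = b"".join(pub[32 * (2 * i + b):32 * (2 * i + b) + 32]
                    for i, b in enumerate(_bits(measure(image))))
    return hmac.compare_digest(got, want)


def provision(images: List[bytes]) -> Dict[int, dict]:
    """Manufacturing-time step. For each layer i, derive its identity key and store,
    encrypted under it, the public key verifying layer i+1 plus the signature over
    layer i+1's image (claims 6 and 7). Signing keys never reach the device."""
    vault = {}
    for i in range(len(images) - 1):
        priv, pub = lamport_keygen(hashlib.sha256(b"constructed signer seed %d" % i).digest())
        vault[i] = {"enc_next_pub": encrypt(derive_identity_key(UDS, images[i]), pub),
                    "next_sig": lamport_sign(priv, images[i + 1])}
    return vault


def boot(images: List[bytes], vault: Dict[int, dict]) -> List[int]:
    """Boot-time chain of claim 1. Returns the indices of layers that were executed.
    Layer 0 is the immutable ROM whose identity key hardware derives from its image."""
    executed = [0]
    current_key = derive_identity_key(UDS, images[0])
    for i in range(len(images) - 1):
        next_pub = decrypt(current_key, vault[i]["enc_next_pub"])
        if next_pub is None or not lamport_verify(next_pub, images[i + 1], vault[i]["next_sig"]):
            break  # claim 5: a next layer that fails to verify is never executed
        executed.append(i + 1)
        # Measure the verified layer before handing control to it, so its own
        # identity key (claim 2) reflects exactly the code that will run.
        current_key = derive_identity_key(UDS, images[i + 1])
    return executed


if __name__ == "__main__":
    chain = [b"rom v1", b"bootloader v1", b"os v1"]
    vault = provision(chain)
    print("genuine chain executed layers:", boot(chain, vault))
    print("modified bootloader executed layers:",
          boot([chain[0], b"bootloader v1 + patch", chain[2]], vault))
```

Two properties of the claims are visible when running it. A layer whose image differs from the provisioned one fails the previous layer's signature check, so the chain stops before it (claim 5). Independently of that check, claim 8 holds because the modified layer would derive a different identity key and `decrypt` would reject the vault entry, so it could never obtain the public key for the layer after it. A production implementation would replace the HMAC keystream with an AEAD cipher and the one-time Lamport keys with a reusable signature scheme; the control flow is what the example is meant to show.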

Assignees

Dell Products Lp

Classifications

  • Providing cryptographic facilities or services · CPC title

  • involving digital signatures · CPC title

  • G06F21/575 (primary): Secure boot · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Dell Products Lp
What technology area does this patent fall under?
Primary CPC classification G06F21/575. Mapped technology areas include Physics.
When was this patent published?
Publication date Feb 4, 2025 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).