System level root of trust (rot) binding and trust establishment
US-2024303339-A1 · Sep 12, 2024 · US
US12353605B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-12353605-B1 |
| Application number | US-202318186925-A |
| Country | US |
| Kind code | B1 |
| Filing date | Mar 20, 2023 |
| Priority date | Mar 20, 2023 |
| Publication date | Jul 8, 2025 |
| Grant date | Jul 8, 2025 |
Official abstract text for this publication.
A computing system includes a baseboard management controller (“BMC”) that receives a security token from a management system. The computing system also executes a firmware that collects measurements from components of the computing system. The measurements include data describing the components for use in attestation. The firmware provides the measurements to the BMC, which generates a digital signature of the measurements and the security token. The BMC provides the measurements and the digital signature to the management system, which attempts to verify the digital signature utilizing a public key associated with the BMC. If the management system can verify the digital signature, then the BMC utilized the correct security key to generate the digital signature and the measurements were not tampered with after collection by the firmware. The measurements can then be utilized to attest the computing system.
Opening claim text (preview).
What is claimed is:
1. A computer-implemented method, comprising: receiving a security token from a remote attestation service at a computing system; storing the security token at a baseboard management controller (BMC) of the computing system; collecting, by way of a firmware executing on the computing system, one or more measurements, the one or more measurements comprising data describing a component of the computing system; providing the one or more measurements from the firmware to the BMC of the computing system; generating a digital signature of the one or more measurements and the security token by way of the BMC; and providing the one or more measurements and the digital signature to the remote attestation service, whereby the remote attestation service attempts to verify the digital signature, and if the digital signature can be verified, compares the one or more measurements to golden measurements for the component of the computing system to attest the component.
2. The computer-implemented method of claim 1, wherein collecting the one or more measurements comprises: collecting the one or more measurements by way of a boot process executing in the firmware; storing the one or more measurements in a trusted platform module (TPM) of the computing system; and executing a data collector in the firmware to retrieve the one or more measurements from the TPM and provide the one or more measurements to the BMC of the computing system.
3. The computer-implemented method of claim 2, wherein the data collector provides the one or more measurements to the BMC by way of a Security Protocol and Data Model (SPDM) interface.
4. The computer-implemented method of claim 3, wherein the remote attestation service periodically updates the security token.
5. The computer-implemented method of claim 4, wherein the remote attestation service attests the component by generating an attestation report that indicates a trust status of the component.
6. The computer-implemented method of claim 5, wherein the one or more measurements and the digital signature are provided to the remote attestation service by way of a REDFISH interface.
7. The computer-implemented method of claim 1, wherein no operating system is installed on the computing system.
8. At least one non-transitory computer-readable storage medium having computer-executable instructions stored thereupon which, when executed by a computing system, cause the computing system to: receive a security token from a remote attestation service at the computing system; store the security token at a baseboard management controller (BMC) of the computing system; collect, by way of a firmware executing on the computing system, one or more measurements, the one or more measurements comprising data describing a component of the computing system; provide the one or more measurements from the firmware to the BMC of the computing system; generate a digital signature of the one or more measurements and the security token by way of the BMC; and provide the one or more measurements and the digital signature to the remote attestation service, whereby the remote attestation service attempts to verify the digital signature, and if the digital signature is verified, compares the one or more measurements to golden measurements for the component of the computing system to attest the component.
9. The non-transitory computer-readable storage medium of claim 8, wherein collecting the one or more measurements comprises: collecting the one or more measurements by way of a boot process executing in the firmware; storing the one or more measurements in a trusted platform module (TPM) of the computing system; and executing a data collector in the firmware to retrieve the one or more measurements from the TPM and provide the one or more measurements to the BMC of the computing system.
10. The non-transitory computer-readable storage medium of claim 9, wherein the data collector provides the one or more measurements to the BMC by way of a Security Protocol and Data Model (SPDM) interface.
11. The non-transitory computer-readable storage medium of claim 10, wherein the remote attestation service periodically updates the security token.
12. The non-transitory computer-readable storage medium of claim 11, wherein the remote attestation service attests the component by generating an attestation report that indicates a trust status of the component.
13. The non-transitory computer-readable storage medium of claim 12, wherein the one or more measurements and the digital signature are provided to the remote attestation service by way of a REDFISH interface.
14. The non-transitory computer-readable storage medium of claim 8, wherein no operating system is installed on the computing system.
15. A computing system, comprising: one or more processors; a baseboard management controller (BMC); and at least one non-transitory computer-readable storage medium having computer-executable instructions stored thereupon which, when executed by the one or more processors, cause the computing system to: receive a security token from a remote attestation service at the computing system; store the security token at the BMC; collect, by way of a firmware executing on the computing system, one or more measurements, the one or more measurements comprising data describing a component of the computing system; provide the one or more measurements from the firmware to the BMC of the computing system; generate a digital signature of the one or more measurements and the security token by way of the BMC; and provide the one or more measurements and the digital signature to the remote attestation service, whereby the remote attestation service attempts to verify the digital signature; and if the digital signature is verified, compare the one or more measurements to golden measurements for the component of the computing system to attest the component.
16. The computing system of claim 15, wherein collecting the one or more measurements comprises: collecting the one or more measurements by way of a boot process executing in the firmware; storing the one or more measurements in a trusted platform module (TPM) of the computing system; and executing a data collector in the firmware to retrieve the one or more measurements from the TPM and provide the one or more measurements to the BMC of the computing system.
17. The computing system of claim 16, wherein the data collector provides the one or more measurements to the BMC by way of a Security Protocol and Data Model (SPDM) interface.
18. The computing system of claim 17, wherein the remote attestation service periodically updates the security token.
19. The computing system of claim 18, wherein the remote attestation service attests the component by generating an attestation report that indicates a trust status of the component.
20. The computing system of claim 19, wherein the one or more measurements and the digital signature are provided to the remote attestation service by way of a REDFISH interface.
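The abstract and claims describe a three-party exchange: the attestation service issues a token, the BMC stores it, the firmware hands the BMC its measurements, the BMC signs measurements plus token, and the service verifies the signature with the BMC's public key before comparing the measurements to golden values. The following Go program is an added illustration of that flow and is not code from the patent or its assignee. It assumes Ed25519 as the BMC signature scheme, a BMC public key already enrolled with the service, a simple line-based canonical encoding of the measurements, and constructed measurement values; the TPM, SPDM and Redfish transports from the claims are not modelled. It runs the protocol four times to show the two distinct failure modes the abstract separates: a signature that does not verify (tampered data or a stale token) versus a valid signature over measurements that do not match the golden set.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Measurement is one value the firmware collects about a component
// (in the patent's terms, a TPM-held measurement handed to the BMC).
type Measurement struct {
	Component string
	Digest    string // hex SHA-256 of the component image; all values below are constructed
}

// canonical serialises a measurement set deterministically so the BMC and
// the service sign and verify exactly the same bytes (encoding is an assumption).
func canonical(ms []Measurement) []byte {
	sorted := append([]Measurement(nil), ms...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Component < sorted[j].Component })
	var b strings.Builder
	for _, m := range sorted {
		fmt.Fprintf(&b, "%s=%s\n", m.Component, m.Digest)
	}
	return []byte(b.String())
}

// BMC holds its signing key and the most recent token pushed by the service.
type BMC struct {
	priv  ed25519.PrivateKey
	token []byte
}

// StoreToken records the token the service issued (claim 1: storing the token at the BMC).
func (b *BMC) StoreToken(t []byte) { b.token = append([]byte(nil), t...) }

// Sign covers the measurements AND the stored token, so a signature cannot be
// replayed once the service rotates the token.
func (b *BMC) Sign(ms []Measurement) []byte {
	return ed25519.Sign(b.priv, append(canonical(ms), b.token...))
}

// Report is the attestation outcome: whether the signature verified, and whether
// the measurements matched the golden set (the claim 5 "trust status").
type Report struct {
	SignatureValid bool
	Trusted        bool
	Reason         string
}

// Service is the remote attestation service: it issues tokens, knows the BMC's
// public key, and holds the golden measurement for each component.
type Service struct {
	pub    ed25519.PublicKey
	golden map[string]string
	token  []byte
}

// IssueToken mints a fresh random token and remembers it; the caller delivers it
// to the BMC. Calling it again models the periodic update in claim 4.
func (s *Service) IssueToken() []byte {
	t := make([]byte, 16)
	if _, err := rand.Read(t); err != nil {
		panic(err)
	}
	s.token = t
	return t
}

// Attest verifies the signature over measurements||currentToken with the BMC's
// public key first, and only then compares each measurement to its golden value.
func (s *Service) Attest(ms []Measurement, sig []byte) Report {
	if !ed25519.Verify(s.pub, append(canonical(ms), s.token...), sig) {
		return Report{Reason: "signature invalid: wrong key, altered measurements, or stale token"}
	}
	for _, m := range ms {
		want, ok := s.golden[m.Component]
		if !ok {
			return Report{SignatureValid: true, Reason: "no golden measurement for " + m.Component}
		}
		if want != m.Digest {
			return Report{SignatureValid: true, Reason: "measurement mismatch for " + m.Component}
		}
	}
	return Report{SignatureValid: true, Trusted: true, Reason: "all measurements match golden values"}
}

func digestOf(image string) string {
	sum := sha256.Sum256([]byte(image))
	return hex.EncodeToString(sum[:])
}

// NewPair provisions a BMC key pair and a service that trusts that key; enrolment
// of the public key is assumed to happen out of band (e.g. at manufacturing).
func NewPair(golden map[string]string) (*Service, *BMC) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Service{pub: pub, golden: golden}, &BMC{priv: priv}
}

// RunScenarios walks the protocol four times and returns the reports:
// [0] honest run; [1] measurements altered after the BMC signed them;
// [2] old signature presented after the service rotated the token;
// [3] honestly signed measurements that do not match the golden set.
func RunScenarios() [4]Report {
	golden := map[string]string{"bios": digestOf("bios-image-v1"), "bmc-fw": digestOf("bmc-fw-v1")}
	svc, bmc := NewPair(golden)
	bmc.StoreToken(svc.IssueToken())
	good := []Measurement{{"bios", golden["bios"]}, {"bmc-fw", golden["bmc-fw"]}}
	sig := bmc.Sign(good)
	var out [4]Report
	out[0] = svc.Attest(good, sig)
	altered := []Measurement{{"bios", digestOf("bios-image-modified")}, good[1]}
	out[1] = svc.Attest(altered, sig)
	bmc.StoreToken(svc.IssueToken()) // token rotation: the earlier signature is now stale
	out[2] = svc.Attest(good, sig)
	downgraded := []Measurement{{"bios", digestOf("bios-image-v0")}, good[1]}
	out[3] = svc.Attest(downgraded, bmc.Sign(downgraded))
	return out
}
```

Scenarios 1 and 2 never reach the golden comparison, which is the point of binding the token into the signed message: the service needs no separate freshness check, because a signature over a token it no longer holds simply fails to verify. Scenario 3 shows why the two checks are reported separately; a valid signature tells the service the BMC and its key are genuine, but says nothing about whether the firmware it measured is the approved version.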
Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities · CPC title
Secure boot · CPC title
Protecting data integrity, e.g. using checksums, certificates or signatures · CPC title
User authentication · CPC title