Bi-directional chain of trust network
US-11157626-B1 · Oct 26, 2021 · US
US12393652B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-12393652-B1 |
| Application number | US-202318319393-A |
| Country | US |
| Kind code | B1 |
| Filing date | May 17, 2023 |
| Priority date | May 17, 2023 |
| Publication date | Aug 19, 2025 |
| Grant date | Aug 19, 2025 |
Official abstract text for this publication.
A computing device is configured with a hardware root of trust (“HRoT”). The HRoT and a remote registration server exchange public keys while the device is in a trusted environment. The device is then locked by setting a lock status in the HRoT. The device can then be shipped to a recipient. When the device is powered on following transit, the HRoT pauses booting of the device. If a request to unlock the device is received, the HRoT provides an encrypted one-time password to the registration server. The registration server decrypts the one-time password and provides the decrypted one-time password to the HRoT. If the HRoT determines that the one-time password received from the registration server is identical to the one-time password it generated, the HRoT sets the lock status of the device to unlocked and allows the device to boot.
Opening claim text (preview).
What is claimed is:
1. A computing device, comprising: a processor; and a hardware root of trust (HRoT) configured to determine if a lock status of the computing device is locked, responsive to determining the lock status of the computing device is locked, pause booting of the computing device, determining if a request has been received to unlock the computing device, and responsive to determining that a request has been received to unlock the computing device, generate an encrypted one-time password by encrypting a one-time password using a symmetric key, provide the encrypted one-time password to a registration server, receive a decrypted one-time password generated by the registration server, and set the lock status of the computing device to unlocked responsive to determining that the one-time password and the decrypted one-time password are identical, wherein the HRoT allows the computing device to boot when the lock status of the computing device is unlocked.
2. The computing device of claim 1, wherein the request to unlock the computing device is received at the HRoT by way of a firmware setup user interface.
3. The computing device of claim 1, wherein the request to unlock the computing device is received at the HRoT by way of a baseboard management controller (BMC) communicatively coupled to the HRoT.
4. The computing device of claim 1, wherein the HRoT generates the symmetric key based, at least in part, on the public key associated with the registration server and a private key associated with the computing device.
5. The computing device of claim 1, wherein booting of the computing device comprises executing a host firmware and a baseboard management controller (BMC) firmware, and wherein pausing booting of the computing device comprises pausing execution of the host firmware and the BMC firmware by way of the HRoT.
6. The computing device of claim 5, wherein the HRoT pauses execution of the host firmware and the BMC firmware at locations defined by a policy.
7. The computing device of claim 6, wherein the HRoT initiates one or more corrective actions responsive to determining that the host firmware or the BMC firmware have executed beyond the locations defined by the policy.
8. A computer-implemented method, comprising: prior to transit of a computing device, receiving a public key associated with a registration server at a hardware root of trust (HRoT) of the computing device, transmitting a public key associated with the computing device from the HRoT to the registration server, and setting a lock status of the computing device to locked, wherein the HRoT prevents the computing device from booting when the lock status of the computing device is locked; and following transit of the computing device, determining following power on of the computing device if the lock status of the computing device is locked, responsive to determining the lock status of the computing device is locked, pause booting of the computing device by way of the HRoT, determining if a request has been received at the HRoT to unlock the computing device, and responsive to determining that a request has been received at the HRoT to unlock the computing device, generating an encrypted one-time password, by way of the HRoT, by encrypting a one-time password using a symmetric key, providing the encrypted one-time password to the registration server, receiving a decrypted one-time password generated by the registration server at the HRoT, and setting the lock status of the computing device to unlocked responsive to determining, by way of the HRoT, that the one-time password and the decrypted one-time password are identical, wherein the HRoT allows the computing device to boot when the lock status of the computing device is unlocked.
9. The computer-implemented method of claim 8, wherein the request to unlock the computing device is received at the HRoT by way of a firmware setup user interface.
10. The computer-implemented method of claim 8, wherein the request to unlock the computing device is received at the HRoT by way of a baseboard management controller (BMC) communicatively coupled to the HRoT.
11. The computer-implemented method of claim 8, wherein the HRoT generates the symmetric key based, at least in part, on the public key associated with the registration server and a private key associated with the computing device.
12. The computer-implemented method of claim 8, wherein booting of the computing device comprises executing a host firmware and a baseboard management controller (BMC) firmware, and wherein pausing booting of the computing device by way of the HRoT comprises pausing execution of the host firmware and the BMC firmware by way of the HRoT.
13. The computer-implemented method of claim 12, wherein the HRoT pauses execution of the host firmware and the BMC firmware at locations defined by a policy.
14. The computer-implemented method of claim 13, wherein the HRoT initiates one or more corrective actions responsive to determining that the host firmware or the BMC firmware have executed beyond the locations defined by the policy.
15. A hardware root of trust (HRoT), configured to: determine if a lock status of a computing device is locked; responsive to determining the lock status of the computing device is locked, pause booting of the computing device; determine if a request has been received to unlock the computing device; and responsive to determining that a request has been received to unlock the computing device, generate an encrypted one-time password by encrypting a one-time password using a symmetric key, provide the encrypted one-time password to a registration server, receive a decrypted one-time password generated by the registration server, and set the lock status of the computing device to unlocked responsive to determining that the one-time password and the decrypted one-time password are identical, wherein the HRoT permits the computing device to boot when the lock status of the computing device is unlocked.
16. The HRoT of claim 15, wherein the HRoT receives the request to unlock the computing device by way of a firmware setup user interface.
17. The HRoT of claim 15, wherein the HRoT receives the request to unlock the computing device by way of a baseboard management controller (BMC) communicatively coupled to the HRoT.
18. The HRoT of claim 15, wherein booting of the computing device comprises executing a host firmware and a baseboard management controller (BMC) firmware, and wherein pausing booting of the computing device comprises pausing execution of the host firmware and the BMC firmware by way of the HRoT.
19. The HRoT of claim 18, wherein the HRoT pauses execution of the host firmware and the BMC firmware at locations defined by a policy.
20. The HRoT of claim 19, further configured to initiate one or more corrective actions responsive to determining that the host firmware or the BMC firmware have executed beyond the locations defined by the policy.
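The following Go simulation is an added example, not code from the patent or from any product implementing it; it walks through the exchange in the abstract and claims 1, 4 and 8 with both sides' messages. The pre-transit step is modelled by constructing an HRoT that already holds the server's X25519 public key and a lock status of locked; the symmetric key of claim 4 is derived from the device private key and the server public key (SHA-256 over the ECDH secret, an assumed simplification of a KDF); the OTP travels to the server under AES-GCM; and the HRoT unlocks only when the plaintext it gets back matches the OTP it minted. All type and function names are assumptions.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)
// HRoT models the device side; Priv never leaves it, ServerPub was received before transit.
type HRoT struct {
	Priv      *ecdh.PrivateKey
	ServerPub *ecdh.PublicKey
	Locked    bool   // checked at every power-on; boot stays paused while true
	otp       []byte // one-time password held only inside the HRoT
}
// gcmFor: symmetric key = SHA-256(ECDH shared secret), a simplified KDF assumed here.
func gcmFor(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) cipher.AEAD {
	shared, err := priv.ECDH(pub)
	if err != nil {
		panic(err) // only an invalid peer key reaches this
	}
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // a 32-byte key is always accepted
	g, _ := cipher.NewGCM(block)
	return g
}
// UnlockRequest: the HRoT mints a fresh OTP and returns nonce||ciphertext||tag for the server.
func (h *HRoT) UnlockRequest() []byte {
	g := gcmFor(h.Priv, h.ServerPub)
	buf := make([]byte, g.NonceSize()+16) // fresh nonce followed by a fresh OTP
	rand.Read(buf)
	h.otp = append([]byte(nil), buf[g.NonceSize():]...)
	return g.Seal(buf[:g.NonceSize()], buf[:g.NonceSize()], h.otp, nil)
}
// ServerDecrypt: the registration server recovers the OTP and returns it in the clear.
func ServerDecrypt(sPriv *ecdh.PrivateKey, dPub *ecdh.PublicKey, msg []byte) ([]byte, bool) {
	g := gcmFor(sPriv, dPub)
	if len(msg) < g.NonceSize() {
		return nil, false
	}
	otp, err := g.Open(nil, msg[:g.NonceSize()], msg[g.NonceSize():], nil)
	return otp, err == nil
}
// Unlock: only an exact match with the OTP the HRoT minted clears the lock; the OTP is single-use.
func (h *HRoT) Unlock(returned []byte) bool {
	ok := h.otp != nil && subtle.ConstantTimeCompare(returned, h.otp) == 1
	h.otp, h.Locked = nil, h.Locked && !ok
	return ok
}
```

Because the OTP is discarded after one comparison, a replayed or mismatched answer leaves the lock status at locked, and a server holding the wrong private key cannot decrypt the request at all.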
Secure boot · CPC title
Providing cryptographic facilities or services · CPC title
Program or device authentication · CPC title
User authentication · CPC title