System and method for verifying integrity of platform object using locally stored measurement

US9262637B2 · US · B2

Patent metadata
Field · Value
Publication number · US-9262637-B2
Application number · US-201213434535-A
Country · US
Kind code · B2
Filing date · Mar 29, 2012
Priority date · Mar 29, 2012
Publication date · Feb 16, 2016
Grant date · Feb 16, 2016

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A method is provided in one example embodiment that includes storing a reference measurement of an object in a trusted storage and retrieving the reference measurement from the trusted storage before an operating system is loaded. In a pre-operating system environment, the reference measurement can be compared with a golden measurement and a policy action can be applied if a variance is detected between the reference measurement and the golden measurement. In more particular embodiments, the reference measurement is a measurement of firmware, and yet more particularly, the measurement is a hash of the firmware.

First claim

Opening claim text (preview).

What is claimed is:

1. A method to be performed by a baseboard management controller (BMC) for verifying firmware integrity in a computing system, the method comprising: receiving a run-time reference measurement of a firmware object from a basic input/output system (BIOS), wherein the reference measurement is stored in a trusted platform module and the reference measurement is retrieved by the BIOS during a power-on self-test (POST); querying a system manager to locate a golden measurement, wherein the golden measurement is associated with the firmware in a guaranteed trust state; accessing the golden measurement of the firmware object based on the query, wherein the BMC can bypass the querying of the system manager when the BMC is configured with the location of the golden measurement; and comparing the reference measurement with the golden measurement during a pre-operating system environment, wherein a policy action is applied when a variance is detected between the reference measurement and the golden measurement.

2. The method of claim 1, wherein the computing system is associated with a datacenter environment, and the BMC accesses the golden measurement in the datacenter environment without an external network connection.

3. The method of claim 2, wherein the golden measurement is stored in a storage element of the computing system, the computing system includes the trusted platform module, and the BMC accesses the golden measurement without any network connection.

4. The method of claim 2, wherein the computing system includes the trusted platform module, the golden measurement is stored in a storage element of the system manager linked to the computing system via a local area network connection, and the BMC accesses the golden measurement over the local area network connection.

5. The method of claim 1, wherein the querying includes determining whether the golden measurement is stored in a system manager storage element of the system manager, or a storage element of the computing system linked to the system manager, or a storage element of an attestation server, wherein the computing system includes the trusted platform module.

6. The method of claim 1, wherein the BMC is collocated with the trusted platform module in the computing system.

7. A non-transitory media encoded with logic that includes code for execution and when executed by a processor associated with a baseboard management controller (BMC) for verifying firmware integrity in a computing system is operable to perform operations comprising: receiving a run-time reference measurement of a firmware object from a basic input/output system (BIOS), wherein the reference measurement is stored in a trusted platform module and the reference measurement is retrieved by the BIOS during a power-on self-test (POST); querying a system manager to locate a golden measurement, wherein the golden measurement is associated with the firmware in a guaranteed trust state; accessing the golden measurement of the firmware object based on the query, wherein the BMC can bypass the querying of the system manager when the BMC is configured with the location of the golden measurement; and comparing the reference measurement with the golden measurement during a pre-operating system environment, wherein a policy action is applied when a variance is detected between the reference measurement and the golden measurement.

8. The non-transitory media of claim 7, wherein the computing system is associated with a datacenter environment, and the golden measurement is accessed in the datacenter environment without an external network connection.

9. The non-transitory media of claim 8, wherein the golden measurement is stored in a storage element of the computing system that includes the trusted platform module, and the golden measurement is accessed without any network connection.

10. The non-transitory media of claim 8, wherein the golden measurement is stored in a storage element of the system manager, and the golden measurement is accessed over a local area network connection.

11. The non-transitory media logic of claim 7, wherein the querying includes determining whether the golden measurement is stored in a system manager storage element of the system manager, a storage element of the computing system linked to the system manager, or a storage element of an attestation server, wherein the computing system includes the trusted platform module storage.

12. The non-transitory media logic of claim 7, wherein the BMC is collocated with the trusted platform module in the computing system.

13. A computing system comprising: a basic input/output system (BIOS); a trusted platform module configured to communicate with the BIOS; and a baseboard management controller (BMC) configured to communicate with the BIOS to verify firmware integrity in the computing system, the BMC configured to: receive a run-time reference measurement of a firmware object from the BIOS, wherein the reference measurement is stored in the trusted platform module and the reference measurement is retrieved by the BIOS during a power-on self-test (POST); query a system manager to locate a golden measurement, wherein the golden measurement is associated with the firmware in a guaranteed trust state; access the golden measurement of the firmware object based on the query, wherein the BMC can bypass the querying of the system manager when the BMC is configured with the location of the golden measurement; and compare the reference measurement with the golden measurement during a pre-operating system environment, wherein a policy action is applied when a variance is detected between the reference measurement and the golden measurement.

14. The apparatus of claim 13, wherein the computing system is associated with a datacenter environment, and the golden measurement is accessed in the datacenter environment without an external network connection.

15. The computing system of claim 14, further comprising a storage element where the golden measurement is stored, wherein the BMC accesses the golden measurement without any network connection.

16. The computing system of claim 14, wherein the golden measurement is stored in a storage element of the system manager, and the BMC accesses the golden measurement over a local area network connection.

17. The computing system of claim 13, wherein the query includes receiving a determination that the golden measurement is stored in a system manager storage element of the system manager, a storage element of the computing system linked to the system manager, or a storage element of an attestation server.
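The flow the claims describe (BIOS measures the firmware during POST and parks the result in the TPM; the BMC obtains that reference measurement, locates a golden measurement either through a system manager query or, when pre-configured with the location, without one; compares the two before any operating system loads; and applies a policy action on variance) can be simulated end to end. The following is an added example, not code from the patent or from Cisco. SHA-256 as the measurement, the three storage location names, the policy table, the lookup order, and every class and function name are assumptions made for illustration; the sample firmware images are constructed.

```python
"""Simulation of the BMC-side firmware integrity check described in the claims.

Added example; not code from the patent or from Cisco. SHA-256 as the measurement,
the storage location names, the policy table and all identifiers are assumptions.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample firmware images standing in for a real BIOS image.
GOOD_FIRMWARE = b"vendor-bios v1.2 (constructed sample image)"
TAMPERED_FIRMWARE = GOOD_FIRMWARE + b" + unauthorised modification"
OBJECT_ID = "bios-firmware"

# Storage elements where a golden measurement may live (claims 3 to 5);
# the order is the lookup order the system manager uses here (an assumption).
LOCATIONS = ("local-storage", "system-manager", "attestation-server")

# Policy action per outcome; the patent leaves the concrete action open.
POLICY = {"match": "continue-boot",
          "variance": "halt-boot-and-alert",
          "missing-golden": "continue-boot-and-log"}


def measure(obj: bytes) -> str:
    """Measurement of a firmware object: a SHA-256 hash, as the abstract suggests."""
    return hashlib.sha256(obj).hexdigest()


class TrustedPlatformModule:
    """Stand-in for TPM trusted storage: one NV slot holding the reference measurement."""
    def __init__(self) -> None:
        self._nv: Dict[str, str] = {}

    def store(self, index: str, measurement: str) -> None:
        self._nv[index] = measurement

    def retrieve(self, index: str) -> Optional[str]:
        return self._nv.get(index)


class BIOS:
    """During POST, measures the firmware and keeps the result in the TPM."""
    NV_INDEX = "firmware-reference"

    def __init__(self, tpm: TrustedPlatformModule) -> None:
        self.tpm = tpm

    def post(self, firmware: bytes) -> str:
        self.tpm.store(self.NV_INDEX, measure(firmware))
        # The run-time reference handed to the BMC is read back from trusted
        # storage, not from the BIOS's own working memory.
        reference = self.tpm.retrieve(self.NV_INDEX)
        assert reference is not None
        return reference


class SystemManager:
    """Answers 'where is the golden measurement for this object?' queries (claim 5)."""
    def __init__(self, stores: Dict[str, Dict[str, str]]) -> None:
        self.stores = stores      # location -> {object_id: golden measurement}
        self.queries = 0          # counts queries so a bypass is observable

    def locate(self, object_id: str) -> Optional[str]:
        self.queries += 1
        return next((loc for loc in LOCATIONS
                     if object_id in self.stores.get(loc, {})), None)


class BMC:
    """Compares reference against golden in the pre-OS environment and applies policy."""
    def __init__(self, manager: SystemManager, golden_location: Optional[str] = None) -> None:
        self.manager = manager
        self.golden_location = golden_location   # if configured, the query is bypassed
        self.log: List[str] = []

    def verify(self, reference: str, object_id: str = OBJECT_ID) -> Tuple[str, str]:
        location = self.golden_location or self.manager.locate(object_id)
        # The storage elements are reachable without an external network (claim 2);
        # here they are simply the manager's in-memory tables.
        golden = self.manager.stores.get(location, {}).get(object_id) if location else None
        if golden is None:
            verdict = "missing-golden"
        elif hmac.compare_digest(reference, golden):   # constant-time comparison
            verdict = "match"
        else:
            verdict = "variance"
        action = POLICY[verdict]
        self.log.append(f"{object_id}: {verdict} (golden from {location}) -> {action}")
        return verdict, action


def boot(firmware: bytes, stores: Dict[str, Dict[str, str]],
         golden_location: Optional[str] = None) -> Tuple[str, str]:
    """One power-on: POST measurement into the TPM, then BMC verification before any OS loads."""
    tpm = TrustedPlatformModule()
    reference = BIOS(tpm).post(firmware)
    bmc = BMC(SystemManager(stores), golden_location)
    return bmc.verify(reference)


if __name__ == "__main__":
    golden = {"attestation-server": {OBJECT_ID: measure(GOOD_FIRMWARE)}}
    print(boot(GOOD_FIRMWARE, golden))       # ('match', 'continue-boot')
    print(boot(TAMPERED_FIRMWARE, golden))   # ('variance', 'halt-boot-and-alert')
```

The "missing-golden" branch is the case a deployment has to decide on explicitly: a BMC that cannot find a golden measurement must either fail closed or at least leave an auditable record, and the log line above is where that record would go. Passing `golden_location` models claim 1's bypass, which the `queries` counter on the system manager makes visible.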

Assignees

Inventors

Classifications

  • Special purpose registers · CPC title

  • using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM] · CPC title

  • G06F21/57 · Primary

    Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9262637B2 cover?
A method is provided in one example embodiment that includes storing a reference measurement of an object in a trusted storage and retrieving the reference measurement from the trusted storage before an operating system is loaded. In a pre-operating system environment, the reference measurement can be compared with a golden measurement and a policy action can be applied if a variance is detecte…
Who is the assignee on this patent?
Jacobs William E, Cisco Tech Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/57. Mapped technology areas include Physics.
When was this patent published?
Publication date Feb 16, 2016 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).