US2016283721A1PendingUtilityA1

Out-of-band host os boot sequence verification

50
Assignee: INTEL CORPPriority: Jun 28, 2012Filed: Jun 10, 2016Published: Sep 29, 2016
Est. expiryJun 28, 2032(~6 yrs left)· nominal 20-yr term from priority
G06F 21/64G06F 21/6218G06F 21/554H04L 9/3247G06F 2221/033G06F 9/4401G06F 21/561G06F 21/575G06F 21/577
50
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Embodiments of techniques and systems for out-of-band verification of host OS components are described. In embodiments, a out-of-band host OS boot sequence verification system (“BSVS”) may access system memory without detection by a host OS process, or “out of band.” The BSVS may access host OS components in the system memory and may generate signatures from memory footprints of the host OS components. These signatures may then be compared to trusted signatures to verify integrity of the host OS components. In embodiments, this verification may be performed during a boot of a host OS or on demand. In embodiments, the trusted signatures may be pre-stored by the BSVS before a boot; in some embodiments, the trusted signatures may be previously-computed and then stored by the BSVS. Other embodiments may be described and claimed.

Claims

exact text as granted — not AI-modified
1 .- 30 . (canceled) 
     
     
         31 . A system for verifying a host operating system, the system comprising:
 computer system memory;   a first computer processor, separate but coupled with the computer system memory to operate out-of-band of the host operating system, which is to be executed on a second computer processor, wherein the first computer processor is an embedded processor co-located with the second computer processor on a computing platform, and the first computer processor is to:
 access one or more components of the host operating system in the computer system memory; and 
 verify the one or more components. 
   
     
     
         32 . The system of  claim 31 , wherein the first computer processor is to access the computer system memory without detection by the second computer processor. 
     
     
         33 . The system of  claim 31 , wherein the first computer processor is to access the one or more components during a boot of the host operating system. 
     
     
         34 . The system of  claim 31 , wherein the first computer processor comprises a signature generation engine to access the one or more components and generate one or more signatures for the accessed one or more components. 
     
     
         35 . The system of  claim 34 , wherein the signature generation engine executes in hardware. 
     
     
         36 . The system of  claim 34 , wherein the first computer processor is to execute a signature verifier in software to compare the one or more generated signatures to one or more trusted signatures. 
     
     
         37 . The system of  claim 36 , wherein the one or more trusted signatures comprise first one or more trusted signatures, and the first computer processor is to store the one or more generated signatures as second one or more trusted signatures. 
     
     
         38 . The system of  claim 37 , wherein the first computer processor is further, during a subsequent boot of the host operating system, to repeat the access, generate, and compare with respect to the second one or more trusted signatures. 
     
     
         39 . The system of  claim 31 , wherein the first computer processor is further to receive a command to perform the verify. 
     
     
         40 . The system of  claim 39 , wherein the first computer processor is to receive the command from a trusted agent executing in the host operating system. 
     
     
         41 . The system of  claim 39 , wherein the first computer processor is to receive the command via a network connection. 
     
     
         42 . The system of  claim 31 , wherein the first computer processor is further to generate an alert if one or more of the components is not successfully verified. 
     
     
         43 . The system of  claim 31 , further comprising the second computer processor. 
     
     
         44 . A computer-implemented method for verifying a host operating system operating on a first computer processor, the method comprising:
 accessing, by a second computer processor, one or more components of the host operating system in a computer system memory, separate from at least the second computer processor, without detection by the host operating system; and   verifying, by the second computer processor, the one or more components, wherein the second computer processor is an embedded processor co-located with the first computer processor on a computing platform.   
     
     
         45 . The method of  claim 44 , wherein verifying the one or more components includes generating one or more signatures by a signature generation engine of the second computer processor. 
     
     
         46 . The method of  claim 44 , wherein accessing the one or more components includes accessing the one or more components during a boot of the host operating system. 
     
     
         47 . The method of  claim 44 , wherein verifying the one or more components is based at least in part on one or more trusted signatures known to the second computer processor prior to a first boot of the host operating system on the first computer processor. 
     
     
         48 . The method of  claim 47 , wherein:
 the one or more trusted signatures include first one or more trusted signatures, and   the method further comprises generating one or more signatures and storing the one or more generated signatures as second one or more trusted signatures.   
     
     
         49 . The method of  claim 48 , wherein the method further comprise repeating the verifying, during a subsequent boot of the host operating system, with respect to the second one or more trusted signatures. 
     
     
         50 . The method of  claim 44 , further comprising receiving a command to perform the verifying. 
     
     
         51 . The method of  claim 44 , further comprising generating an alert if one or more of the one or more components is not successfully verified. 
     
     
         52 . An embedded processor circuitry to verify a host operating system operating on a host central processing unit executing a host operating system, the embedded processor circuitry to operate to:
 access one or more components of the host operating system in a computer system memory, separate from the embedded processor circuitry, without detection by any processes executing on the host central processing unit; and   verify the one or more components,   wherein the embedded processor circuitry is to be co-located with the host central processing unit on a computing platform.   
     
     
         53 . The embedded processor circuitry of  claim 52 , wherein the embedded processor circuitry is to access the one or more components during a boot of the host operating system. 
     
     
         54 . The embedded processor circuitry of  claim 52 , wherein the embedded processor circuitry is to verify the one or more components based at least in part on one or more trusted signatures known to the embedded processor circuitry prior to a first boot of the host operating system. 
     
     
         55 . The embedded processor circuitry of  claim 54 , wherein:
 the one or more trusted signatures comprise first one or more trusted signatures, and   the embedded processor circuitry is further to generate one or more signatures and store the one or more generated signatures as second one or more trusted signatures.   
     
     
         56 . The embedded processor circuitry of  claim 52 , wherein the embedded processor circuitry is further to receive a command to perform the verify. 
     
     
         57 . The embedded processor circuitry of  claim 52 , wherein the embedded processor circuitry is further to generate an alert if one or more of the one or more components is not successfully verified.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.