Secure firmware updates

摘要

A firmware update system is described that collectively handles secure firmware updates for hardware resources in a defined and consistent manner. The firmware update system may be configured to manage at least some firmware updates in a pre-boot environment (e.g., before an operating system is loaded). By doing so, the firmware update system exercises control over the updates and reduce entry points exposed to attackers. In one approach, update states are defined for hardware resources that are managed by the firmware update system. In a pre-boot environment, the update states for the managed hardware resources are set to enable firmware updates. The firmware update system may then detect and apply firmware updates available for the managed hardware resources. Update states may be set to disable before loading the operating so that firmware updates for managed resources are disabled outside of the secure pre-boot environment.

主权项

1. A computing device comprising:
one or more hardware resources having updateable firmware; and memory storing a secure update module configured to:
establish a secure pre-boot environment for start-up of the computing device;set a timer that enables firmware updates for a defined duration of time during a boot sequence of the computing device and effective to disable firmware updates prior to loading an operating system of the computing device;enable firmware updates via a firmware system for the one or more hardware resources within the secure pre-boot environment; anddisable firmware updates for the one or more hardware resources responsive to expiration of the timer to restrict additional firmware updates from occurring outside of the secure pre-boot environment.