Title of invention: PARTITION-BASED APPARATUS AND METHOD FOR SECURING BIOS IN A TRUSTED COMPUTING SYSTEM DURING EXECUTION
Abstract: An apparatus including a ROM, a selector, and a detector. The ROM has partitions and encrypted digests. Each of the partitions is stored as plaintext, and each of the encrypted digests includes an encrypted version of a first digest associated with a corresponding one of the partitions. The selector selects one or more of the partitions responsive to an interrupt. The detector accesses the one or more of the partitions and corresponding one or more of the encrypted digests upon assertion of the interrupt, and directs a microprocessor to generate one or more of second digests corresponding to the one or more of the partitions and one or more of decrypted digests corresponding to the one or more of encrypted digests using the same algorithms and key that were employed to generate the first digest and the encrypted digests, and compares the one or more of the second digests with the one or more of the decrypted digests, and precludes operation of the microprocessor if the one or more of the second digests and the one or more of the decrypted digests are not pair wise equal.
Publication number: US2015134977(A1) Publication date: 2015.05.14
Application number: US201314079226 Filing date: 2013.11.13
Applicant: VIA TECHNOLOGIES, INC. Inventor: Henry G. Glenn
Classification: G06F21/57 Main classification: G06F21/57
Agency: Agent:
Independent claim: 1. An apparatus for protecting a basic input/output system (BIOS) in a computing system, the apparatus comprising: a BIOS read only memory (ROM), comprising: a plurality of BIOS content partitions, wherein each of said plurality of BIOS content partitions is stored as plaintext; and a plurality of encrypted message digests, wherein each of said plurality of encrypted message digests comprises an encrypted version of a first message digest that is associated with a corresponding one of said plurality of BIOS content partitions; a partition selector, configured to select one or more of said plurality of BIOS content partitions responsive to a BIOS check interrupt that interrupts normal operation of the computing system; and a tamper detector, operatively coupled to said BIOS ROM and said partition selector, configured to access said one or more of said plurality of BIOS content partitions and corresponding one or more of said plurality of encrypted message digests upon assertion of said BIOS check interrupt, and configured to direct a microprocessor to generate corresponding one or more of a plurality of second message digests corresponding to said one or more of said plurality of BIOS content partitions and corresponding one or more of a plurality of decrypted message digests corresponding to said one or more of said plurality of encrypted message digests using the same algorithms and key that were employed to generate said first message digest and said plurality of encrypted message digests, and configured to compare said one or more of said plurality of second message digests with said one or more of said plurality of decrypted message digests, and configured to preclude said operation of said microprocessor if said one or more of said plurality of second message digests and said one or more of said plurality of decrypted message digests are not pair wise equal.
Address: New Taipei City TW
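
The per-partition check described in the abstract and claim 1, modelled in software as an added example that is not taken from the patent. SHA-256, AES-CBC with a fixed IV, the sample key, the partition contents and the function names `Provision` and `CheckPartitions` are all assumptions, since the record names no algorithms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Assumed algorithms: SHA-256 digests under AES-CBC with a fixed zero IV held
// outside the ROM. A stream mode is unsuitable: partition digests are public.
var zeroIV = make([]byte, aes.BlockSize)

// Provision builds the encrypted digest table stored in ROM beside the partitions.
func Provision(parts [][]byte, blk cipher.Block) [][]byte {
	table := make([][]byte, len(parts))
	for i, p := range parts {
		d := sha256.Sum256(p) // first message digest
		table[i] = make([]byte, len(d))
		cipher.NewCBCEncrypter(blk, zeroIV).CryptBlocks(table[i], d[:])
	}
	return table
}

// CheckPartitions models the handler for the BIOS check interrupt. It returns
// the index of the first selected partition that fails, or -1 if all match.
func CheckPartitions(parts, table [][]byte, blk cipher.Block, selected []int) int {
	for _, i := range selected {
		second := sha256.Sum256(parts[i]) // second message digest
		dec := make([]byte, len(table[i]))
		cipher.NewCBCDecrypter(blk, zeroIV).CryptBlocks(dec, table[i])
		if subtle.ConstantTimeCompare(second[:], dec) != 1 {
			return i // caller precludes further operation
		}
	}
	return -1
}

func main() {
	blk, err := aes.NewCipher([]byte("constructed-key!")) // constructed sample key
	if err != nil {
		panic(err)
	}
	rom := [][]byte{[]byte("boot block"), []byte("setup"), []byte("runtime")}
	table := Provision(rom, blk)
	rom[2] = []byte("runtimX") // simulated modification after provisioning
	fmt.Println("tampered partition:", CheckPartitions(rom, table, blk, []int{0, 2}))
}
```

A modification is only caught when the selector includes the affected partition in a check, so which partitions are selected on each interrupt determines how quickly tampering is detected.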