As the value and use of information continues to increase, individuals and businesses seek additional ways to process and store information. One option available to users is information handling systems. An information handling system generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes thereby allowing users to take advantage of the value of the information. Because technology and information handling needs and requirements vary between different users or applications, information handling systems may also vary regarding what information is handled, how the information is handled, how much information is processed, stored, or communicated, and how quickly and efficiently the information may be processed, stored, or communicated. The variations in information handling systems allow for information handling systems to be general or configured for a specific user or specific use such as financial transaction processing, airline reservations, enterprise data storage, or global communications. In addition, information handling systems may include a variety of hardware and software components that may be configured to process, store, and communicate information and may include one or more computer systems, data storage systems, and networking systems.
Peripheral devices and other information handling resources of information handling systems often include firmware stored on or accessible to such information handling resources which may be executed by control logic of the information handling resources to carry out functionality of the information handling resource. Oftentimes, a manufacturer of a device may provide an update or upgrade to firmware for a device, in order to add or improve functionality or to remedy a bug in a previous firmware version.
In order to provide assurance that a firmware update is genuine and from the manufacturer or other trusted source, a firmware image often has embedded therein a public key. Firmware updates are often embedded with the same public key and signed with a private key of the public-private key pair including the public key. When a manufacturer pushes a firmware update, the existing firmware may verify the authenticity of the update by authenticating the signature of the update with the public key embedded in the existing firmware.
However, one disadvantage to this approach is that a private key may be compromised if a hacker comes into possession of the private key, if a disgruntled employee of the manufacturer absconds with the private key, and/or another person with harmful intent obtains the private key. Such a person with harmful intent could then use the private key to sign malicious code purporting to be a genuine firmware update. Because an existing firmware of a device may perceive the purported firmware update as genuine, such device may be updated with the malicious code. In some instances, the malicious code may also prevent an administrator or other user of the device from issuing further updates to the device.
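The embedded-public-key check described above, and the limitation that follows from it, sketched as an added example (not code from this document or from any manufacturer). It assumes a constructed toy RSA key built from publicly known Mersenne primes and unpadded "textbook" RSA over a SHA-256 digest; the function names and sample images are hypothetical.

```python
import hashlib

# Constructed toy key for illustration only. Real firmware uses a vetted
# library and a padded signature scheme, never textbook RSA.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                              # public modulus, embedded in existing firmware
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held by the manufacturer


def digest(image: bytes) -> int:
    """SHA-256 of the image as an integer (always smaller than N here)."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def sign_update(image: bytes, d: int = D, n: int = N) -> int:
    """Signer side: sign the image digest with a private exponent."""
    return pow(digest(image), d, n)


def verify_update(image: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Device side: check the update against the embedded public key."""
    return 0 < signature < n and pow(signature, e, n) == digest(image)


def demo() -> dict:
    genuine = b"FW v2 genuine update (constructed sample)"
    other = b"FW v2 image from another signer (constructed sample)"
    sig = sign_update(genuine)
    # A second, unrelated constructed key pair standing in for an untrusted signer.
    other_n = (2**127 - 1) * (2**89 - 1)
    other_d = pow(E, -1, (2**127 - 2) * (2**89 - 2))
    return {
        # Signed by the manufacturer, untouched: accepted.
        "genuine": verify_update(genuine, sig),
        # Image modified after signing: rejected.
        "tampered_image": verify_update(genuine + b"!", sig),
        # Signed with a key the firmware does not embed: rejected.
        "untrusted_key": verify_update(other, sign_update(other, other_d, other_n)),
        # Signed with the manufacturer's private key by whoever holds it:
        # accepted, because the check proves key possession, not identity.
        "same_key_any_holder": verify_update(other, sign_update(other)),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:22s} accepted={accepted}")
```

The last case is the disadvantage the text describes: with a single embedded public key, the device has no way to distinguish the manufacturer from any other holder of the private key.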