This invention relates to a verifiable secure and trusted boot process for computing devices, and more particularly to a new and improved electronic gaming machine and method which facilitates quickly verifying the integrity of system firmware, the operating system and game software within the machine without limiting the upgradability of the system firmware, the operating system or game software.
Electronic Gaming Machines (EGMs), otherwise known as slot machines, constitute the most profitable form of gambling in casinos today. EGMs are a combination of specialized hardware and software which present a wagering game of chance to a player. Typical EGM hardware includes a bill acceptor for receiving money, a button panel for receiving player input, a display device for presenting the game, a credit meter for displaying to the player an amount of money or credits available for wagering, a ticket printer for dispensing money vouchers, and a master game controller for interacting with the other hardware components and executing EGM software. Typical EGM software includes system firmware, an operating system and game software for controlling the outcome and presentation of the game to the player.
Nearly every gaming jurisdiction in the world has some set of regulations regarding EGMs. EGMs are heavily regulated because they have the potential to award players substantial amounts of real money, thereby making EGMs enticing targets for crime. The regulations protect both the casinos and the players from fraud perpetrated by unscrupulous actors. Since the software controls the functionality of the EGM, and since the hardware is easily verifiable and under constant surveillance, unauthorized modifications to the software represent the most likely method of altering the payout of the EGM. Therefore, it is a very common regulatory requirement for the casino, or manufacturer, to have some mechanism for verifying the integrity of the software stored on the EGM.
Many gaming authorities require that each version of new EGM software be approved by the authority before the software is released on EGMs available to the public. The gaming authority typically subjects each new game to a rigorous testing process to ensure that the payout percentage of the game is controllable and accurate and to ensure that there are no backdoors or hidden commands for changing the payouts, among other things. Once approved, the gaming authority typically requires that the manufacturer have some method of proving, on demand, that the EGM software in a particular EGM is authentic and identical to the version the authority had previously approved. Additionally, the casino or multiplayer progressive contractor (typically the EGM manufacturer) wishes to verify the integrity of the EGM software when a large monetary award is won prior to paying the award to the player.
The early EGMs were all physical reel slot machines. When the player activated the game, the EGM software randomly picked a particular game outcome out of several thousand possibilities. The software then instructed the game controller to activate stepper motors connected to each reel, in a coordinated manner, to cause the reels to spin and then stop one at a time (simulating the much older mechanical slot machines) so that symbols on the reels lined up, or were intentionally misaligned, on one or more paylines, in accordance with the selected game outcome. The credit meter was then credited by an amount corresponding to the game outcome minus the amount wagered.
The early physical reel EGMs did not require a large amount of memory storage to store the EGM software. Since the EGM software was relatively small in size it was feasible to store the software on a removable read only memory (ROM) chip. Casinos were given a reference ROM chip for each version of EGM software so that the casinos could verify the ROM chip in the EGM was authentic. The verification of the EGM ROM chip involved interrupting the play of the EGM, removing the EGM ROM chip from the EGM and inserting both the EGM ROM chip and the reference ROM chip into a comparator device which compared each bit of the EGM ROM chip with each bit of the reference ROM chip to determine if software stored on both chips was identical.
The early physical reel EGMs were succeeded, though not entirely replaced, by video slot EGMs. Video slot EGMs incorporate a display screen, such as an LCD screen, on which video images are displayed to present the game of chance to the player instead of using physical reels to present the game. The data storage requirements of video slot EGMs were and are vastly greater than the data storage requirements of the early physical reel EGMs. Video slot EGMs require a relatively large amount of data storage space largely because the artwork and images displayed on the display screen require large amounts of data storage space. As video display technology improves over time, the data storage requirements of EGMs (video slot EGMs, in particular) likewise increase to take advantage of that improved technology. For example, new higher resolution display screens allow for the display of more detailed and higher resolution graphics and animations, which require more data storage space.
As the software storage requirements of EGMs increased over the years it has become impractical to store the entire EGM software on a single ROM chip. This is partly because, compared to other storage media, ROM chips are an impractical storage medium for software as large as EGM software has become. It is also impractical because the ROM chips must be physically replaced if the EGM software is to be updated. Another consequence of the increasing size of EGM software is a corresponding increase in the length of time it would take to compare the EGM software bit for bit with a reference version of the EGM software when it is desired to authenticate the EGM software. The length of time it would take to conduct such a bit by bit comparison of the entire EGM software makes it impractical to do so for the purpose of authenticating the EGM software of modern EGMs.
Alternative methods of authenticating EGM software have also been devised. One such method is described in U.S. Pat. No. 5,643,086 to Alcorn et al., which is hereby incorporated by reference herein. The method described in Alcorn involves the use of both hash functions and public key cryptography.
A hash function is a computational procedure that produces a hash value from a data set. The hash function produces the hash value with a predetermined number of bits, or fixed size. The data set that the hash function operates on may be of any size. A particular hash function will produce a unique hash value from a particular data set. Hash values are often used as indexes in a table to speed up searching a list for a particular item. In most practical uses, the fixed size of the hash value is much smaller than the average size of the data set. Hash values are often used as part of a computer security protocol for verifying the authenticity of a data set. For example, two hash values can be created from a particular data set at two different points in time. It may be assumed that the data set has not been modified or corrupted if the two hash values are compared and found to be identical. However, it is possible to modify the data set such that the hash value of the modified data set is identical to the hash value of the unmodified data set, thus defeating the purpose of using the hash function as an authentication mechanism. Hash functions for which such a modification is particularly difficult to construct are known as one-way hash functions, and the hash values produced by them are called message digests.
Public key cryptography is an encryption/decryption technique for securely exchanging or storing data. Public key cryptography involves the creation of a paired private key and public key from a key generating program. The private key is kept in the custody of a single entity and the public key is distributed to those who wish to securely send messages to the single entity or to those who wish to authenticate data or messages as being from the single entity. For example, a sending party uses the public key to encrypt a data set, the sending party sends the encrypted data set to a receiving party, and the receiving party uses the private key to decrypt the encrypted data set. A third party without a copy of the private key who gains access to the encrypted data set cannot easily decrypt the encrypted data set.
In situations where the ability to authenticate a data set is desired and there is no concern about keeping the data set secret, public key cryptography can be combined with the hash function described above. The technique involves using a hash function to create a hash value from the data set and then encrypting the hash value with a private key to produce what is referred to as a signature. At a later point in time, the data set is authenticated by (1) decrypting the signature to produce the original hash value, (2) using the original hash function on the data set to create a recent hash value, and (3) comparing the original hash value to the recent hash value. If the original hash value and the recent hash value are identical, then the data set is assumed to be authentic.
Alcorn's method of authenticating EGM software involved storing both an authentication program and the operating system on a removable boot ROM. The authentication program contained a message digest program for creating hash values, or message digests, a decryption program and a public decryption key. Game software was stored on a separate hard drive accessible by the game controller. Also stored on the hard drive were one or more signatures of the game software. When the EGM was started, the authentication program verified the authenticity of the game software using the supplied signature(s). If the authentication program determined the game software to be authentic then the controller was allowed to execute the game software; otherwise the game software was not allowed to execute. The authenticity of the operating system and authentication program was verifiable by removing the boot ROM chip and comparing the data of the boot ROM chip with that of a reference boot ROM chip kept in the custody of the casino. Thus, the boot ROM chip verified the authenticity of the software stored on the hard drive, and a comparison of the EGM boot ROM chip with a reference boot ROM chip verified the authenticity of the EGM boot ROM chip.
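The hash-then-sign scheme of the preceding paragraphs and the boot-time gate described for Alcorn's authentication program, carried through as an added example. This is illustrative code written for this description, not code from the Alcorn patent or from any EGM manufacturer; the patent names no specific algorithms, so SHA-256 as the message digest function and RSA PKCS#1 v1.5 as the signature scheme are this example's assumptions, and the game image bytes and the function names (digest, sign, verify, allowExecute) are constructed here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed sample bytes standing in for the game software stored on the
// hard drive. Real game images are far larger; the digest size does not change.
var gameSoftware = []byte("GAME IMAGE v1.0: reels=5 paylines=20 (constructed sample)")

// digest produces the fixed-size message digest of a data set of any size.
// SHA-256 is an assumption of this example; the patent names no algorithm.
func digest(data []byte) []byte {
	h := sha256.Sum256(data)
	return h[:]
}

// sign plays the manufacturer's role: hash the data set, then sign the digest
// with the private key to produce the signature that ships beside the software.
func sign(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(data))
}

// verify plays the boot ROM authentication program's role: recompute the digest
// of the data set now on the drive and check it against the signature using
// only the public key. VerifyPKCS1v15 recovers the signed digest and compares
// it to the recomputed one, which is steps (1) to (3) in the description above.
func verify(pub *rsa.PublicKey, data, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(data), sig) == nil
}

// allowExecute models the controller's gate: the game software may run only
// when verification succeeds.
func allowExecute(pub *rsa.PublicKey, data, sig []byte) (bool, string) {
	if verify(pub, data, sig) {
		return true, "game software authentic: execution permitted"
	}
	return false, "authentication failed: execution blocked"
}

func main() {
	// The manufacturer's key pair; only the public half is placed in the boot ROM.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	sig, err := sign(priv, gameSoftware)
	if err != nil {
		panic(err)
	}

	fmt.Printf("digest is always %d bytes: %x\n", len(digest(gameSoftware)), digest(gameSoftware))

	ok, msg := allowExecute(&priv.PublicKey, gameSoftware, sig)
	fmt.Println(ok, msg)

	// A copy of the image with a single bit altered after signing: the recomputed
	// digest no longer matches the signed one, so the gate stays closed.
	tampered := append([]byte{}, gameSoftware...)
	tampered[0] ^= 0x01
	ok, msg = allowExecute(&priv.PublicKey, tampered, sig)
	fmt.Println(ok, msg)
}
```

The point the example makes concrete is the division of trust in Alcorn's arrangement: the private key never leaves the manufacturer, the boot ROM holds only the public key and the digest routine, and the hard drive holds the signature next to the data it covers. Anything that changes the game image after signing, however small, changes the digest and fails verification; the scheme only holds as long as the boot ROM itself (public key included) is what it is supposed to be, which is why the ROM is separately compared against a reference chip.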
Alcorn's authentication method was accepted by gaming regulatory authorities and helped facilitate the spread of high definition video slot EGMs. Speeding up the authentication process was not the only benefit of Alcorn's method. The method also freed the game software from being coded in non-rewritable media such as the removable ROM chip. Since the game software was now stored in a writable medium, the game software could potentially be updated in a manner which did not disrupt the operation of the EGM, for example by updating the game software from a server connected to the EGM by a network. However, storing the operating system, or portions of the operating system, on the removable ROM chip still requires replacing the ROM chip when upgrading the operating system. Game manufacturers have met resistance from casino operators when offering even free operating system upgrades, because such upgrades require down time of the EGM whenever the operating system is stored on a ROM chip.