Personal computer systems are well known in the art. Personal computer systems have attained widespread use for providing computer power to many segments of today's modern society. Personal computers can typically be defined as a desktop, floor standing, or portable microcomputer that is comprised of a system unit having a single central processing unit (CPU) and associated volatile and non-volatile memory, including random access memory (RAM) and basic input output system read only memory (BIOS ROM), a system monitor, a keyboard, one or more flexible diskette drives, a CD-ROM drive, DVD capability, a fixed disk storage drive (also known as a "hard drive"), an input device such as a keyboard or a so-called "mouse" pointing device, and an optional printer. One of the distinguishing characteristics of these systems is the use of a motherboard or system planar to electrically connect these components together. Examples of such personal computer systems are IBM's PC 300 series and IBM's Aptiva Series.
With the phenomenal growth and use of personal computers in the world in recent years, more and more data or information is being collected and retained or stored in such systems. A lot of this data is sensitive in nature. When such data becomes available to those for whom it was not intended, that data could be the subject of embarrassment to certain individuals, a company could lose a competitive edge, or sensitive data could be used to force payment for silence or lead to physical violence against individuals. As more users recognize the sensitive nature of data and its positive or negative value, the more it becomes desirable to protect against misappropriation and misuse of that data. To protect themselves and the persons associated with the stored data, users are requiring incorporation of security and integrity features into the personal computers that they purchase.
Users are not the only people to recognize the sensitivity of the data being collected and stored. Governments are also enacting laws to enforce protection of sensitive data. One such government is that of the United States. It has recognized and responded to the gravity of the situation. The United States federal government has defined security levels and the associated requirements it takes to meet those levels, and provides a certification agency for personal computer manufacturers to submit products in order to see if the products meet the security level claimed by the manufacturer. The source for the federal requirements is the Department of Defense, Trusted Computer System Evaluation Criteria, DOD 5200.28 STD, 12/85, generally referred to as "The Orange Book." The government has legislated that as of Jan. 1, 1992 all data related to the government must only be processed and stored on personal computers with at least a security level of C-2. For computer system hardware, the essence of the requirements is contained in the Assurance section of The Orange Book, at Requirement 6 whereat it states: "trusted mechanisms must be continuously protected against tampering and/or unauthorized changes. . . "
Beginning with the earliest personal computer systems, such as the IBM Personal Computer, it was recognized that software compatibility would be of utmost importance. In order to achieve this goal in an effective manner, an insulation layer of system resident code, also known as "firmware", was established between the hardware and software. This firmware provided an operational interface between a user's application program/operating system and the device to relieve the user of the concern about the characteristics of hardware devices. Eventually, the system resident code developed into a Basic Input/Output System (BIOS), for allowing new devices to be added to the system, while insulating the application program from the peculiarities of the hardware.
Included in the BIOS code is a Power-On-Self-Test (POST) code which performs a number of predefined tests on the system hardware and allows for the hardware to be configured by an end user to match the operational requirements needed. For example, the POST code generally tests the system memory and performs an adapter ROM scan to detect additional I/O adapter card hardware.
Once POST has initialized the base function for the system, the adapter ROM Scan is initiated. The percentage of POST code that is run to achieve an initial level of operation is variable, but generally amounts to over fifty percent. The adapter ROM Scan initialization is a sequence of events whereby the system level POST code will search the memory address space looking for adapter ROMs in the memory address space by looking for a particular ROM signature or identifier in memory. If the signature or identifier is located, POST will verify that the adapter ROM is valid by running various authentication mechanisms. Once the adapter ROM has been authenticated as a valid adapter ROM, POST will relinquish control to the adapter ROM and the adapter ROM code will begin execution. Once the adapter ROM code has completed execution, and the adapter ROM is following the proper adapter ROM architecture, the adapter ROM code will return control to the system level POST.
A user may invoke a BIOS Setup utility by entering a predefined input which, for example, allows the user to designate a boot storage device from which an operating system is loaded. During adapter ROM Scan, predefined system addresses are scanned for detecting and configuring I/O adapter cards. During adapter ROM Scan, POST code searches the system memory for predefined signatures and once detected, the system control is relinquished to the I/O adapter card. For example if an external video adapter card is installed, during adapter ROM scan the video card ROM code takes control of the system CPU to configure the system video features, such as allocating video memory space.
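The adapter ROM scan described above, as an added example that is not code from the patent or from any BIOS. The page speaks only of "a particular ROM signature" and "various authentication mechanisms"; this sketch assumes the conventional PC layout (55h AAh signature, length byte in 512-byte units, all bytes summing to zero modulo 256), and the scan window, step size, function names and sample image are likewise assumptions or constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCAN_START 0xC0000u  /* assumed: conventional start of adapter ROM space */
#define SCAN_END   0xF0000u  /* assumed: system BIOS begins here */
#define SCAN_STEP  0x800u    /* assumed: headers sit on 2 KB boundaries */

/* Size in bytes of a valid ROM image at mem[addr], or 0 if none. */
size_t rom_valid_at(const uint8_t *mem, size_t mem_len, size_t addr)
{
    if (addr + 3 > mem_len || mem[addr] != 0x55 || mem[addr + 1] != 0xAA)
        return 0;                               /* no signature */
    size_t len = (size_t)mem[addr + 2] * 512u;  /* length byte, 512-byte units */
    if (len == 0 || addr + len > mem_len)
        return 0;                               /* header claims bytes we lack */
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++) sum = (uint8_t)(sum + mem[addr + i]);
    return sum == 0 ? len : 0;                  /* bytes must sum to 0 mod 256 */
}

/* Records up to max valid ROM addresses in found[]; returns how many. */
size_t scan_adapter_roms(const uint8_t *mem, size_t mem_len, size_t *found, size_t max)
{
    size_t n = 0, a = SCAN_START;
    while (a < SCAN_END && a < mem_len && n < max) {
        size_t len = rom_valid_at(mem, mem_len, a);
        if (len) found[n++] = a;
        /* skip past a valid image, otherwise try the next boundary */
        a += len ? (len + SCAN_STEP - 1) / SCAN_STEP * SCAN_STEP : SCAN_STEP;
    }
    return n;
}

static uint8_t sample[0x100000];  /* constructed 1 MB image, filled in below */
const uint8_t *build_sample(void)
{
    uint8_t *good = sample + 0xC0000, sum = 0;
    memset(sample, 0, sizeof sample);
    good[0] = 0x55; good[1] = 0xAA; good[2] = 2;   /* valid 1 KB ROM at 0xC0000 */
    for (size_t i = 0; i < 1023; i++) sum = (uint8_t)(sum + good[i]);
    good[1023] = (uint8_t)(0x100 - sum);           /* checksum fix-up byte */
    memcpy(sample + 0xC8000, good, 1024);          /* second copy at 0xC8000 ... */
    sample[0xC8000 + 100] ^= 0xFF;                 /* ... corrupted, so it fails */
    return sample;
}
int main(void) {
    size_t found[8], n = scan_adapter_roms(build_sample(), sizeof sample, found, 8);
    for (size_t i = 0; i < n; i++) printf("valid adapter ROM at 0x%zX\n", found[i]);
}
```

A zero byte-sum only detects corruption; it says nothing about who wrote the ROM, so passing this check is not a basis for trusting the code that POST then hands control to.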
The importance of BIOS is readily evident. For example, it frees a device driver from depending on specific device hardware characteristics while providing the device driver with an intermediate interface to the device. Since BIOS is an integral part of the system and controls the movement of data in and out of the system processor, it is usual and expedient to make it resident on the system planar and it is generally shipped to the user in a flash memory.
Because of BIOS's role in controlling functionality and the configuration of computer systems, it is evident that it is necessary to protect system BIOS against unauthorized access. Various password protection methods have been devised prompting users to enter an authorization key prior to allowing access to BIOS configuration utilities.
With the advent of intelligent I/O adapter cards, I/O utilities stored in an adapter ROM are used to configure the I/O adapter card. If during POST initialization an adapter ROM is detected, control passes to the adapter ROM to set up the device associated with the adapter ROM (e.g., SCSI hardfile, video, etc.), and afterwards control passes back to POST. These I/O utilities are executed during the adapter ROM scan, which occurs during POST initialization. The utilities executed during the adapter ROM scan are considered part of the configuration routines which come under security protection such as C-2 scrutiny and integrity architecture.
One of the features of the C-2 security design is the detection of tamper evidence on the system. A preferable system is one in which the user is able to detect whether the system has been physically tampered with or otherwise broken into. Upon detection of such tamper evidence, the POST may be programmed to display a tamper evident error code and force the user to enter an authorization key.
Some of the I/O adapter cards, such as shown in FIG. 3B as adapter card 51 and connected to the PCI bus 50, are structured to provide for their respective I/O utilities to be invoked during a specified time interval. This can be accomplished by entering a predefined external input, such as a predefined key sequence entered at the respective specified time or protocol sequence interval. It should be understood that any external or input device can be employed to invoke such a utility. Once the predefined key sequence is entered, the adapter ROM based utility takes control of the system CPU, giving the user the ability to change I/O related configuration. This provides convenience of operation; however, it also creates a possible violation of the established security. Thus, potentially, an unauthorized user is able to program an adapter ROM based utility to control the CPU to access the system level configuration. As a result, the unauthorized user may select a boot device for loading an operating system for accessing secured data.
Unfortunately, outside, for example, of efforts described in U.S. Pat. document Ser. No. 08/681,740, currently only the system level configuration utilities, and not the adapter level utilities, offer a unique password protection and offer a better situation for achieving full security protection. Further, even in such systems adequate security routines are not invoked, because of utilities which allow for configuration changes during an adapter ROM Scan process. As such, an unauthorized user can take control of the system by invoking the predefined key sequence without entering an authorization key, which is a security violation. Under these circumstances adapter ROM code would accept, for example, KB (keyboard) input, which would then go to setup, which includes "FORMAT".
As previously stated, at start-up a process is invoked as part of the power on initialization process, well before the bootstrap process is initialized, that searches for adapter cards that have Read Only Memories (ROMs) fitted to them and that contain additional BIOS (Basic Input Output System) code that supports the unique requirements of the adapter card. If one of these adapter ROMs is found, control of the system is passed to the code within the ROM to perform the necessary initialization work so that the adapter card can function. In the design of most personal computer BIOS, this function is performed before the bootstrap process is invoked, and before the security password is checked, as hereinbefore noted.
Notwithstanding, on occasion, the operation of these adapter ROMs can provide an opportunity to violate system security. An example is the Adaptec SCSI Adapter, Model 2940, that provides a utility that can be accessed during the period of time that the adapter ROM code has control during the adapter ROM scan process. Access can be, for example, by a simple keying sequence from the system keyboard. This particular undesirable feature of the utility, if used for clandestine purposes, provides the user with the ability to change the configuration of the attached devices, e.g., SCSI, and to perform a destructive format of any of the attached SCSI hard drives. Under these circumstances if, for example, keyboard input occurs, instead of going to setup the system could function from other code that prompts for the password. If the password is correct, it continues to setup; if not, the system halts. However, the keyboard vector can be changed by the adapter ROM utility code, which circumvents any authorized user's password vector and so avoids the desired password routine.
Obviously, this gives an individual without positive or good intentions an opportunity to cause great damage to a system's security, even if the system had power-on-password protection turned on.
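One way POST could notice the keyboard-vector change described above, shown as an added example that is not the patent's method or any vendor's BIOS code: snapshot the real-mode interrupt vector table before handing control to an adapter ROM, then audit it when control returns. The guarded-vector policy (INT 09h and INT 16h), the function names and the stand-in ROM init routine are assumptions constructed for this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IVT_ENTRIES 256
typedef struct { uint16_t off, seg; } ivt_entry;  /* real-mode far pointer */

/* Assumed policy: keyboard vectors must survive the ROM scan unchanged.
   INT 09h = keyboard IRQ handler, INT 16h = BIOS keyboard services. */
static const uint8_t guarded[] = { 0x09, 0x16 };

/* Compares the live IVT with the pre-scan snapshot. Each changed vector number
   goes to changed[] (up to max) for logging; guarded ones are restored.
   Returns how many guarded vectors had been re-hooked. */
size_t ivt_audit(ivt_entry *live, const ivt_entry *saved,
                 uint8_t *changed, size_t max, size_t *n_changed)
{
    size_t restored = 0;
    *n_changed = 0;
    for (size_t v = 0; v < IVT_ENTRIES; v++) {
        if (live[v].off == saved[v].off && live[v].seg == saved[v].seg)
            continue;
        if (*n_changed < max) changed[(*n_changed)++] = (uint8_t)v;
        for (size_t g = 0; g < sizeof guarded; g++)
            if (guarded[g] == v) { live[v] = saved[v]; restored++; }
    }
    return restored;
}

/* Constructed stand-in for an adapter ROM's init code: hooks INT 13h (disk
   services, expected of a SCSI card) and INT 16h (keyboard, not expected). */
static void sample_rom_init(ivt_entry *ivt)
{
    ivt[0x13] = (ivt_entry){ 0x0120, 0xC800 };
    ivt[0x16] = (ivt_entry){ 0x0340, 0xC800 };
}

/* Snapshot -> ROM init -> audit, on a constructed IVT of BIOS defaults. */
size_t run_sample(ivt_entry *live, uint8_t *changed, size_t *n_changed)
{
    ivt_entry saved[IVT_ENTRIES];
    for (size_t v = 0; v < IVT_ENTRIES; v++)
        live[v] = (ivt_entry){ (uint16_t)(v * 4), 0xF000 };
    memcpy(saved, live, sizeof saved);
    sample_rom_init(live);
    return ivt_audit(live, saved, changed, 8, n_changed);
}
int main(void) {
    ivt_entry live[IVT_ENTRIES]; uint8_t changed[8]; size_t n;
    size_t r = run_sample(live, changed, &n);
    printf("%zu vectors changed, %zu guarded vectors restored\n", n, r);
}
```

The audit only sees changes that are still present when the ROM returns control, so it does nothing about a utility that runs while the ROM's own code is executing.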