Computing devices execute firmware and/or software code to perform various operations. The code may be in the form of user applications, BIOS routines, operating system routines, etc. Some operating systems provide limited protections for maintaining the integrity of the computing device against rogue code. For example, an administrator may limit users or groups of users to executing certain pre-approved code. Further, an administrator may configure a sandbox or an isolated environment in which untrusted code may be executed until the administrator deems the code trustworthy. While the above techniques provide some protection, they generally require an administrator to manually make a trust determination based upon the provider of the code, historic performance of the code, and/or review of the source code itself.
Other mechanisms have also been introduced to provide automated mechanisms for making a trust decision. For example, an entity (e.g. software manufacturer) may provide the code with a certificate such as a X.509 certificate that digitally signs the code and attests to the integrity of the code. An administrator may configure an operating system to automatically allow users to execute code that provides a certificate from a trusted entity without the administrator specifically analyzing the code in question. While the above technique may be sufficient for some environments, the above technique inherently trusts the operating system or other software executing under the control of the operating system to correctly process the certificate.
Certain operations, however, may not be able to trust the operating system to make such a determination. For example, the code to be executed may result in the computing device determining whether the operating system is to be trusted. Relying on the operating system to authenticate such code would thwart the purpose of the code. Further, the code to be executed may comprise system initialization code that is executed prior to the operating system of the computing device. Such code therefore cannot be authenticated by the operating system.