Many electronic devices include a set of semi-permanently stored instructions referred to as firmware. For instance, computers include a type of firmware referred to as the basic input/output system (BIOS). Being executed by a processor of the computer, the BIOS is coded to perform various functions. For example, during a pre-boot cycle at power-up, the BIOS controls the initialization of the computer as well as the initialization of various hardware peripherals. Normally provided by a single vendor, the BIOS is loaded into pre-boot space of a non-volatile memory such as a read-only memory (ROM) component or a flash memory component during manufacture of the computer.
Recently, however, it has become desirable to store more sophisticated routines and data in the pre-boot space of the non-volatile memory. As an example, in recent efforts to protect against software viruses and malicious corruption of the BIOS, an image of the BIOS code may be digitally signed to produce a digital signature. Prior to execution of the BIOS, the digital signature may be used to determine whether the BIOS has been modified. This provides much needed virus protection.
Well known in the art, a digital signature is digital data signed using a private key of its signatory. Similar to encryption, the “signing process” may be accomplished using any of a number of software algorithms such as a Rivert Shamir and Adleman (RSA) algorithm or the Digital Signature Algorithm (DSA) 30 as set forth in a Federal Information Processing Standards publication 186 entitled “Digital Signature Standard” (May 19, 1994). Normally, the digital data is placed in an encoded form (referred to as the “hash value”), achieved by performing a one-way hash operation on the original digital data, prior to signing the hash value. The term “one-way” indicates that there does not readily exist an inverse operation or function to recover any discernible portion of the digital data from the hash value.
Recently, the computer industry has made efforts to develop BIOS as a collection of software modules produced by different vendors rather than a piece of monolithic code produced by a single vendor. It is likely that the code of the BIOS modules would be configured as “execute-in-place” modules because this code would be executed before the availability of system random access memory (RAM). Also, it is likely that relocation would be used to properly load the BIOS modules within the non-volatile memory because it would be too difficult for all of the BIOS vendors to agree on the specific addressing scheme beforehand.
As commonly known in the industry, “relocation” is a process by which addresses within each BIOS module are adjusted based on the particular address location in memory allotted for the BIOS module (referred to as the “base address”). Thus, software routines within a BIOS module are usually coded with relative offsets from a base address that has not yet been assigned. During relocation, the addresses of various software routines within the BIOS module would be adjusted by adding the base address to each of the relative offsets.
Unfortunately, if relocation is performed on the execute-in-place BIOS modules, any digital signatures associated with the images of the BIOS modules would be ineffective because any data integrity analysis using the digital signatures would indicate that the BIOS module has been modified. Hence, it is virtually impossible to determine whether modification of the BIOS module was unauthorized or merely due to the relocation operation. Thus, it would be desirable to develop an integrity verification mechanism that improves the effectiveness of digital signatures in detecting unauthorized modifications to the BIOS module while still allowing the image to undergo relocation.
Moreover, when BIOS is developed as a collection of digitally signed BIOS modules produced by different vendors, in certain situations, it may be desirable to dynamically link these digitally signed modules. In particular, one BIOS module may be configured to make a call for a function coded in another BIOS module. However, in order to dynamically link the BIOS modules together, it would require modification of at least one BIOS module, which would invalidate any digital signature associated with the image of that BIOS module. Thus, the original digital signatures would not be effective to identifying unauthorized modification of the module. Thus, an integrity verification mechanism that overcomes this problem would be desirable.