1. Field of the Invention
The present invention generally relates to computer security. More particularly, the invention relates to secure storage and verification of passwords and configuration information in a computer system. Still more particularly, the invention relates to the use of read only memory (“ROM”) and the system management mode (“SMM”) to enhance security of passwords and configuration data.
2. Background Information
Many, if not all, computers have a password security feature. There are different uses for passwords. For instance, entry of a correct password may be necessary to log onto a network or even an operating system. Other passwords may be necessary to permit access to a particular service on the network. Further still, many computers have hardware-based passwords that are specific to the use of the computer itself. This disclosure pertains to these types of passwords.
Many computers have two hardware-based passwords—a power-on password and an administrator password. In many computers, these passwords can be enabled or disabled. If enabled, the power-on password permits the computer to complete the initialization process. Accordingly, the computer stops initializing at an early point in the initialization process and prompts the user for a correct power-on password. If a correct password is entered, the computer completes the initialization process. The administrator password is used for changing various configuration features of the computer. For example, many computers have a “hood lock” which typically comprises an electromagnetic solenoid dead bolt. The hood lock is used to prevent someone from opening the computer case to access the electronic components therein. The hood lock can be locked and unlocked via a configuration bit, and to do so requires entry of a correct administrator password. The administrator password may also be required to “flash” (i.e., write) the read only memory (“ROM”), change the administrator and power-on passwords, and perform other types of system level configuration.
Naturally, it is important to maintain a high level of security surrounding the administrator and power-on passwords. With access to these passwords, an unauthorized entity can power on the computer, change the configuration information and even reflash the ROM to cause the system to behave differently (e.g., reflashing the ROM to place a “virus” in the system basic input/output system (“BIOS”) firmware). In some computers, the passwords were stored in battery backed-up complimentary metal oxide semiconductor (“CMOS”) memory. To prevent an unauthorized entity from accessing the computer and simply reading the passwords from CMOS memory, an application specific integrated circuit (“ASIC”) was developed. This ASIC performed the function of continually snooping for read and write accesses to the locations in CMOS memory which include the passwords or other configuration data that was protected. If the ASIC detected accesses to the protected CMOS locations and a valid administrator password had not been entered, the ASIC blocked the access from completing. An example of such an ASIC is disclosed in U.S. Pat. No. 6,138,240, incorporated herein by reference.
Although generally effective, this approach of using a security ASIC added cost and complexity to the computer system. Accordingly, it would be desirable to provide adequate security to a computer's passwords and configuration data without requiring additional hardware components.