This invention relates generally to computer operating systems, and more particularly to verifying components loaded by an operating system.
A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever. The following notice applies to the software and data as described below and in the drawings hereto: Copyright (copyright) 1997, Microsoft Corporation, All Rights Reserved.
More and more content is being delivered in digital form, and more and more digital content is being delivered online over private and public networks, such as Intranets, the Internet and cable TV networks. For a client, digital form allows more sophisticated content, while online delivery improves timeliness and convenience. For a publisher, digital content also reduces delivery costs. Unfortunately, these worthwhile attributes are often outweighed in the minds of publishers by the corresponding disadvantage that online information delivery makes it relatively easy to obtain pristine digital content and to pirate the content at the expense and harm of the publisher.
To prevent their content from being stolen or misused, content providers will download content only to trusted software, and therefore only to subscriber computers that can prove that the software executing on the subscriber computer is trusted. This trust concept is predicated on having a trusted operating system executing on the computer, which, by its nature, only loads trusted components and provides some kind of secure storage. The problem then becomes one of identifying an operating system with such peculiarity that the content provider can make an intelligent decision whether to trust its content to the operating system.
The related application titled xe2x80x9cSystem and Method for Authenticating an Operating System to a Central Processing Unit, Providing the CPU/OS with Secure Storage, and Authenticating the CPU/OS to a Third Partyxe2x80x9d discloses one embodiment of a unique operating system identifier that is a cryptographic digest of all the software components loaded by the operating system. However, computers contain a myriad different hardware components, and the corresponding supporting software components are frequently updated to add enhancements and fix problems, resulting in a virtually unlimited number of operating system identities. While the content provider can maintain a list of those identities it trusts, or delegate the maintenance of such a list to a third-party, what is needed in the art is a way to reduce the number of trusted operating system identities without limiting the choices of software components available to a user.
The above-mentioned shortcomings, disadvantages and problems are addressed by the present invention, which will be understood by reading and studying the following specification.
Each software component loaded for a verified operating system on a client computer must satisfy a set of boot rules for a boot certificate. The appropriate boot certificate is selected by the user or by default upon each boot of the computer. A verified operating system identifier is created from the boot certificate. The boot certificate is published and signed by a boot authority that attests to the validity of the operating system booted under the boot certificate. Each software component for the operating system is associated with a component certificate published and signed by the same boot authority that signed the boot certificate. The boot rules determine the validity of the software component based on the contents of the component and boot certificates.
The client computer transmits the verified operating system identity and the boot certificate to a server computer, such as a content provider, and the content provider determines whether to trust the verified operating system with its content. Downloaded data is secured on permanent storage through a key derived from the verified operating system identifier. The boot certificate, component certificates, and secured content define the boot domain.
A combination of two or more boot components can be used to boot a verified operating system. Updating of the boot and component certificates, the underlying components, and the changing of the verified operating system identity and its affect on the boot domain are also described.
Because a content provider must only decide which boot authorities, and which boot certificates from those authorities, to trust, the content provider must keep track of only a small number of identities. The client computer is restricted only in that components loaded into a verified operating system must be attested to by one of the boot authorities trusted by the content provider. The client computer can operate under an unverified operating system but data stored under a verified boot domain will not be accessible.
The present invention describes systems, clients, servers, methods, and computer-readable media of varying scope. In addition to the aspects and advantages of the present invention described in this summary, further aspects and advantages of the invention will become apparent by reference to the drawings and by reading the detailed description that follows.