As the value and use of information continues to increase, individuals and businesses seek additional ways to process and store information. One option available to users is information handling systems. An information handling system generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes thereby allowing users to take advantage of the value of the information. Because technology and information handling needs and requirements vary between different users or applications, information handling systems may also vary regarding what information is handled, how the information is handled, how much information is processed, stored, or communicated, and how quickly and efficiently the information may be processed, stored, or communicated. The variations in information handling systems allow for information handling systems to be general or configured for a specific user or specific use such as financial transaction processing, airline reservations, enterprise data storage, or global communications. In addition, information handling systems may include a variety of hardware and software components that may be configured to process, store, and communicate information and may include one or more computer systems, data storage systems, and networking systems.
When an information handling system is first powered on, the POST (power-on self-test) process begins whereby the boot process and the BIOS perform a series of system checks. For instance, the BIOS upon start-up of the information handling system determines if certain devices and components are connected and functioning properly. Once the POST and BIOS complete the system checks, the results of the system checks are compared against the data in the CMOS (complementary metal-oxide semiconductor) memory chip or memory module. The CMOS memory module is the official record of the installed components within the information handling system. Powered by a small battery and consuming extremely little power, the CMOS memory module retains crucial information about the hardware comprising the information handling system even when the power to the information handling system is turned off.
Any changes to the basic system configuration of the information handling system must be recorded in the CMOS setup. For instance, if the system tests detect new hardware, such as a new monitor, a printer, or a disk drive, the user of the information handling system is given the chance to update the setup configuration. For example, if the user installs a new hard drive in the information handling system, when running the POST the BIOS detects the new hard drive. When comparing the tested configuration with the stored configuration in the CMOS, the BIOS detects that the new hard drive is not stored in the configuration stored in the CMOS and therefore is alerted to the fact that the hard drive is a new component and requires proper installation. Once properly installed, the configuration in the CMOS is updated to include the new hard drive. In addition to system configurations, the CMOS also stores such system information as the clock/calendar time, types of disks, and the amount of memory.
In current information handling systems, the BIOS serves as a guardian for the CMOS. Before being able to make a change to the CMOS, an administrator password must be supplied to the BIOS whether the password be supplied directly by the user or by a remote management system. The administrator password is stored inside the CMOS. The BIOS checks the password provided by the user with the administrator password stored in the CMOS before writing to the CMOS. If the two passwords match, the BIOS allows the user to write to or read from the CMOS. If the two passwords do not match, the BIOS does not execute the write or read requests in the CMOS.
The BIOS acting as the guardian does not provide complete security for the CMOS. The CMOS may be directly accessed and therefore a user may bypass the BIOS and directly access the CMOS. An unauthorized user desiring to obtain information from the information handling system can directly access the CMOS and manipulate the bits within the CMOS to locate the administrator password. Because the CMOS is directly accessible, the bits within the CMOS are unguarded and therefore unprotected by the BIOS. After accessing the CMOS, a user may obtain the administrator password and make changes to the CMOS by supplying the correct administrator password to the BIOS. Furthermore, with direct access to the CMOS, the user can make any changes to the CMOS without having to go through the BIOS or supply the administrator password. Hence software authentication or protection of the CMOS with the administrator password does not serve to completely protect or secure the CMOS and is easily defeatable because the CMOS and the administrator password are directly accessible to users without having to access the BIOS.