Various mechanisms exist for ensuring that an operating system (OS) is trusted, as long as the OS is launched by another environment that is itself trusted. However, trusted operating system environments do not extend to the pre-boot environment or to firmware services. Thus, hot plugging components and other firmware operations typically require a reboot of the system in order to ensure that the system is still operating in the trusted environment.
The Pentium® 4 processor (a processor available from Intel Corporation), for instance, may now utilize security instructions called SMX (Safer Mode Extensions). The SMX instructions allow a block of code to be associated with a digital signature, and allow such signed code blocks to be launched in a secure environment. The signature is verified using a public key embedded securely in the platform hardware. The secure machine instructions load the signed code block into the processor cache and execute it there as a module, in an environment where the code can run without risk of modification. If the signed code block has been changed, the change is detected by the signature check and the operation is aborted. The SMX instruction verifies the digitally signed code block using RSA with SHA (Secure Hash Algorithm). A more complete description of RSA may be found on the public Internet at Uniform Resource Locator (URL) www-rsasecurity-com/rsalabs/node.asp?id=2152. It should be noted that URLs identified in this document are modified to use hyphens instead of dots and to omit the http:// prefix to avoid inadvertent hyperlinks. A more complete description of SHA may be found at URL www-itl-nist-gov/fipspubs/fip180-1.htm.
A public key for the RSA verification is stored in the chipset hardware, and a digital signature (a signed hash of the module) is stored in the binary module itself. In current systems, hardware support for RSA and SHA-1 may be found in mainframe computers, but it has not been available on microprocessors; highly secure transmissions, for instance for the military, have used these algorithms. The Pentium® 4 processor, for instance, now makes SHA available with the Safer Mode Extensions (SMX) architecture. These signed digital code blocks are also referred to as authenticated code modules (ACMs).
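The verification flow described in the two paragraphs above (a signed hash carried in the module, a public key held by the platform hardware, and a launch that aborts if the code has changed) is modelled below. This is an added example, not code from the original document and not Intel's ACM verifier or module format; the "ACM1" header, the module layout (header || body || signature), the stand-in key constant, and the choice of PKCS#1 v1.5 padding with SHA-1 are assumptions made for the illustration. The RSA key is built from two Mersenne primes only so that the script runs offline without a key-generation library; such a modulus is trivially factorable and stands in for a properly generated signing key.

```python
"""
Model of authenticated code module (ACM) verification: the module carries a
signed SHA-1 hash, the verifier holds the RSA public key in "hardware", and a
module whose body no longer matches its signature is refused before it runs.
"""
import hashlib
import struct

# Demonstration-only RSA key (assumption): two Mersenne primes so the example
# runs offline without a key-generation library. Trivially factorable; a real
# ACM signing key is a properly generated RSA key.
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
RSA_N = _P * _Q
RSA_E = 65537
_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))   # private exponent, signer only
K = (RSA_N.bit_length() + 7) // 8          # modulus length in bytes (81)

# Public key as "stored in the chipset": the verifier reads only this constant,
# never a key carried inside the module image itself.
HARDWARE_PUBLIC_KEY = (RSA_N, RSA_E)

# DER prefix of DigestInfo for SHA-1 (RFC 8017, section 9.2, note 1).
_SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def _emsa_pkcs1_v15(data: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-1(data), as an integer below RSA_N."""
    t = _SHA1_DIGESTINFO + hashlib.sha1(data).digest()
    pad_len = K - len(t) - 3
    if pad_len < 8:
        raise ValueError("modulus too short for PKCS#1 v1.5 with SHA-1")
    return int.from_bytes(b"\x00\x01" + b"\xff" * pad_len + b"\x00" + t, "big")


def sign_module(body: bytes) -> bytes:
    """Signer side: module image = header || body || RSA signature over header||body."""
    header = struct.pack("<4sI", b"ACM1", len(body))   # hypothetical header format
    sig = pow(_emsa_pkcs1_v15(header + body), _D, RSA_N)
    return header + body + sig.to_bytes(K, "big")


def verify_module(image: bytes, pubkey=HARDWARE_PUBLIC_KEY) -> bool:
    """Verifier side (what the secure launch does before running any code).
    True only if the signature over header||body verifies under the hardware
    key; any change to the header, the body, or the signature fails."""
    n, e = pubkey
    if len(image) < 8 + K:
        return False
    magic, body_len = struct.unpack("<4sI", image[:8])
    if magic != b"ACM1" or len(image) != 8 + body_len + K:
        return False
    signed_part, sig = image[:-K], int.from_bytes(image[-K:], "big")
    if sig >= n:
        return False
    # Recover the encoded hash with the public exponent and compare it with a
    # fresh encoding of the module as actually loaded.
    return pow(sig, e, n) == _emsa_pkcs1_v15(signed_part)


def launch(image: bytes) -> str:
    """Gate: abort rather than run a module that does not verify."""
    if not verify_module(image):
        return "ABORT: module signature does not verify"
    body_len = struct.unpack("<I", image[4:8])[0]
    return f"RUN: {body_len}-byte module admitted to the secure environment"


# Constructed sample module body (stand-in for real authenticated code).
SAMPLE_BODY = b"\x90" * 16 + b"hello from the ACM"
SAMPLE_IMAGE = sign_module(SAMPLE_BODY)


def tampered_image() -> bytes:
    """Flip one bit of the body after signing: the change the check must catch."""
    img = bytearray(SAMPLE_IMAGE)
    img[8] ^= 0x01
    return bytes(img)


if __name__ == "__main__":
    print(launch(SAMPLE_IMAGE))
    print(launch(tampered_image()))
```

Two points of the design carry over to the real mechanism regardless of the toy key: the verifier trusts only the key it already holds, so an attacker who can rewrite the module cannot also substitute a key of their choosing, and the hash is recomputed over the bytes that will actually execute, so a module altered after signing is rejected rather than run. The modular-inverse form of `pow` used for the private exponent requires Python 3.8 or later.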