This section is intended to introduce the reader to various aspects of art, which may be related to various aspects of the present invention, which are described and or claimed below. This discussion is believed to be helpful in providing the reader with background information to facilitate a better understanding of the various aspects of the present invention. Accordingly, it should be understood that these statements are to be read in this light, and not as admissions of prior art.
A conventional computer system typically includes one or more central processing units (CPUs) and one or more memory subsystems. Computer systems also include peripheral devices for inputting and outputting data. Some common peripheral devices include, for example, monitors, keyboards, printers, modems, hard disk drives, floppy disk drives, and network controllers.
Computer security is becoming increasingly important in today's environment of heavily networked computer systems. As a result, security and integrity features are becoming desirable in the use of personal computers and servers and their various subsystems. Of particular concern is protecting the reprogrammable start-up memory of important subsystems embedded in the computer from unauthorized reprogramming or alteration of that non-volatile memory.
Providing security for a system involves providing protection from a variety of possible attacks. For instance, providing security may include protecting a system from viruses. Further, it may include protecting the system from hackers. For a specific company with particular internal systems, it may include authentication of attached machines and prevention of rogue or external devices, which may be foreign to the internal system, from accessing the internal machines.
When a microprocessor-based subsystem is initially turned on, the processor executes a series of instructions from a specified startup routine. This startup routine holds the basic software that provides for the initial set-up and configuration of the subsystem and allows the system to initiate and execute subsequent programs.
In the past, the software for an embedded device was generally stored in a read-only memory device. However, it has become more common in recent years to store the software for embedded subsystems in a reprogrammable memory device so that the subsystem's software can be upgraded when necessary. Thus, the software is typically stored in FLASH memory or a non-volatile Random Access Memory (NVRAM) to allow the functionality of the subsystem to be changed. The act of changing the contents of non-volatile memory is often called “flashing” the memory.
Flashable or reprogrammable components may be protected using digital signature technology. Specifically, the firmware may contain a protected segment which is generally not flashable or reprogrammable. This segment, or “Boot Block,” may be used to validate the integrity of the subsystem's memory prior to allowing it to execute. However, if the Boot Block is somehow corrupted, the security system may fail. Further, this security measure may be circumvented if the flash memory can be replaced or removed. It is important to verify the various start-up and memory components each time the system is powered on to ensure that the components have not been corrupted. By validating the integrity of the program that the subsystem will execute, it is possible to know that the behavior of the subsystem has not been altered either accidentally or intentionally.
Presently, digital signatures are used to authenticate digital data. Software and firmware used by an embedded subsystem can be considered digital data. Currently there are no methods to ensure the integrity of a Boot Block and firmware when firmware updates are required in embedded subsystems that have small amounts of memory. If the subsystem had large amounts of RAM, it could absorb the entire image, check the digital signatures, and then proceed with flashing the EEPROM. But for systems with small amounts of memory, the flashing of the EEPROM (which alters the contents, and hence the integrity, of the EEPROM) must proceed a piece at a time. For example, if the Boot Block or the firmware image that will be used to update the EEPROM is compromised in some way, whether by a hacker or by poor network connectivity, presently there is no method of validating the correctness of the program the subsystem will execute.
Furthermore, the Boot Block typically is not changed very often, whereas the firmware is potentially altered often. This invention allows the independent updating of both the Boot Block and the firmware while providing a mechanism to ensure that the integrity of the software stays intact. The firmware is typically too large to be verified prior to flashing it into memory. Thus, it is possible that an unauthorized or corrupted version of the firmware could be flashed into the subsystem's EEPROM memory. This invention allows the subsystem to detect this prior to executing the compromised software. The Boot Block is typically small enough that the system can verify its correctness prior to flashing it into EEPROM. Only if it is unaltered and digitally signed by the correct author will the updating of the Boot Block occur. This invention allows the updating of either piece of software independent of the other while at the same time ensuring the integrity of the subsystem's firmware.
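The two cases described in the preceding paragraphs (a firmware image too large for RAM, which must be flashed piece by piece and then verified in place before execution, and a small Boot Block image that can be verified in full before it is written) can be modelled in working code. The following Go program is an added illustration and is not part of the patent or of any product it describes; the manifest format, the `Device` model with its `EEPROM`, `BootBlock` and `RAMSize` fields, and the helper functions `NewAuthorKeys`, `SampleImage`, `SignImage`, `FlashInChunks`, `BootBlockVerify` and `UpdateBootBlock` are all constructed for this example. Ed25519 over a SHA-256 digest stands in for whatever digital-signature scheme an actual implementation would use.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is a constructed format for this example: the SHA-256 digest of a
// whole image plus the author's Ed25519 signature over that digest. It is
// small enough to hold in RAM even when the image itself is not.
type Manifest struct {
	ImageLen  int
	Digest    [sha256.Size]byte
	Signature []byte
}

// Device models a subsystem whose EEPROM is larger than its working RAM.
// The author's public key is assumed to live in the protected Boot Block.
type Device struct {
	EEPROM    []byte            // flashable firmware region
	BootBlock []byte            // protected region holding the boot code
	RAMSize   int               // the largest buffer the device can hold at once
	AuthorPub ed25519.PublicKey // trust anchor used by the Boot Block
}

// NewAuthorKeys generates the firmware author's signing key pair (hypothetical
// helper so that the example is self-contained).
func NewAuthorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SampleImage builds a deterministic, constructed firmware image of n bytes.
func SampleImage(n int) []byte {
	img := make([]byte, n)
	for i := range img {
		img[i] = byte(i * 7)
	}
	return img
}

// SignImage is what the author runs at build time: hash the image, sign the digest.
func SignImage(priv ed25519.PrivateKey, image []byte) Manifest {
	m := Manifest{ImageLen: len(image), Digest: sha256.Sum256(image)}
	m.Signature = ed25519.Sign(priv, m.Digest[:])
	return m
}

func minInt(a, b int) int { if a < b { return a }; return b }

// FlashInChunks models the small-memory case: the image arrives piece by piece
// through a RAM-sized buffer and is written to EEPROM before it can be checked.
func (d *Device) FlashInChunks(stream []byte) error {
	if len(stream) > len(d.EEPROM) {
		return errors.New("image larger than EEPROM")
	}
	for off := 0; off < len(stream); off += d.RAMSize {
		end := minInt(off+d.RAMSize, len(stream))
		buf := make([]byte, end-off) // the only RAM the device has for this
		copy(buf, stream[off:end])
		copy(d.EEPROM[off:], buf)
	}
	return nil
}

// BootBlockVerify runs at every power-on, before the firmware is executed.
// It first checks that the manifest was signed by the trusted author, then
// streams the EEPROM contents through the hash one RAM-sized chunk at a time
// and compares the result with the signed digest. Any alteration, whether
// malicious or a truncated download, shows up as a digest mismatch.
func (d *Device) BootBlockVerify(m Manifest) error {
	if !ed25519.Verify(d.AuthorPub, m.Digest[:], m.Signature) {
		return errors.New("manifest signature invalid: untrusted author")
	}
	if m.ImageLen > len(d.EEPROM) {
		return errors.New("manifest length exceeds EEPROM")
	}
	h := sha256.New()
	for off := 0; off < m.ImageLen; off += d.RAMSize {
		end := minInt(off+d.RAMSize, m.ImageLen)
		h.Write(d.EEPROM[off:end])
	}
	if !bytes.Equal(h.Sum(nil), m.Digest[:]) {
		return errors.New("firmware digest mismatch: image altered or incomplete")
	}
	return nil
}

// UpdateBootBlock models the other case: the Boot Block image fits in RAM, so
// it is verified in full before anything is written, and a bad image never
// reaches the protected region.
func (d *Device) UpdateBootBlock(m Manifest, image []byte) error {
	if len(image) > d.RAMSize || len(image) > len(d.BootBlock) {
		return errors.New("boot block image too large to pre-verify or store")
	}
	if len(image) != m.ImageLen || sha256.Sum256(image) != m.Digest {
		return errors.New("boot block image does not match manifest")
	}
	if !ed25519.Verify(d.AuthorPub, m.Digest[:], m.Signature) {
		return errors.New("boot block manifest signature invalid")
	}
	copy(d.BootBlock, image)
	return nil
}

func main() {
	pub, priv := NewAuthorKeys()
	dev := &Device{EEPROM: make([]byte, 4096), BootBlock: make([]byte, 128), RAMSize: 128, AuthorPub: pub}
	img := SampleImage(1000)
	m := SignImage(priv, img)
	fmt.Println("flash:", dev.FlashInChunks(img), "verify:", dev.BootBlockVerify(m))
	dev.EEPROM[300] ^= 0x01 // corrupt one byte after flashing
	fmt.Println("after corruption:", dev.BootBlockVerify(m))
}
```

The signature is checked before the digest so that a forged manifest is rejected without reading the image; the digest comparison then catches anything that changed between signing and boot, including a partial write. Only the manifest and a single chunk are ever held in RAM, which is the constraint the page describes.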
The present invention addresses the problems discussed above.