BIOS/BOOTLOADER PROTECTION
    1.
    Patent application

    Publication number: US20200320200A1

    Publication date: 2020-10-08

    Application number: US16378068

    Filing date: 2019-04-08

    Abstract: Presented herein are methodologies for securing BIOS/bootloader function including booting a computer system from a BIOS image stored in a first boot flash device, detecting an indication of a pending BIOS upgrade, in response to detecting the indication of a pending BIOS upgrade, accessing an upgraded BIOS image stored on a second boot flash device, validating a version of the upgraded BIOS image, authenticating the upgraded BIOS image using a signature stored in a first region of the second boot flash device, when the version of the upgraded BIOS image is validated, and the upgraded BIOS image is authenticated, writing the signature to a second region of the second boot flash device that is different from the first region, locking the second region of the second boot flash device, and rebooting the computer system from the second boot flash device.

    FRACTIONAL SECURE BOOT
    2.
    Patent application

    Publication number: US20240427896A1

    Publication date: 2024-12-26

    Application number: US18339017

    Filing date: 2023-06-21

    Abstract: Disclosed are systems, apparatuses, methods, and computer-readable media for configuring network groups without software-based processing and management. A method includes: validating veracity of a secure enclave based on a secure identity of the secure enclave using the instructions of a secure enclave predriver stored in a memory integral to a processor; establishing a secure connection with the secure enclave; retrieving at least one authentication key from the secure enclave; retrieving at least a portion of a bootstrapper from a secure storage based on the instructions of the secure enclave predriver; validating a veracity of the bootstrapper based on the at least one authentication key; initializing an external memory using the instructions of the bootstrapper; copying a bootloader from the secure storage into the external memory; validating a veracity of the bootloader based on the at least one authentication key; and executing the bootloader.

    IMPLEMENTING SECURE MAINTENANCE INCLUDING SECURE DEBUG
    3.

    Publication number: US20240202313A1

    Publication date: 2024-06-20

    Application number: US18084196

    Filing date: 2022-12-19

    CPC classification number: G06F21/52 G06F21/575 G06F2221/033

    Abstract: Techniques and architecture are described to control a debug port access employing the debug image signed offline by a challenge/response mechanism, where the signed image itself is tied to an ECID of a chip together with debug lifecycle information coming from fuses and a hash of a loader being debugged. All these inputs form a nonce (the debug image) that ties the debug image to the hardware being debugged and is restricted to the current debug lifecycle. The cryptographically signed debug image is authenticated by a boot image (or the chip) with a public key in the debug image. The debug image may be expanded to secure maintenance using a secure maintenance blob or “firmware maintenance certificate or nonce.” The secure maintenance blob also includes a natural attribute list of low-level features to be enabled upon verification of the secure maintenance blob.

    BIOS/BOOTLOADER PROTECTION
    4.
    Granted patent

    Publication number: US11436333B2

    Publication date: 2022-09-06

    Application number: US16378068

    Filing date: 2019-04-08

    Abstract: Presented herein are methodologies for securing BIOS/bootloader function including booting a computer system from a BIOS image stored in a first boot flash device, detecting an indication of a pending BIOS upgrade, in response to detecting the indication of a pending BIOS upgrade, accessing an upgraded BIOS image stored on a second boot flash device, validating a version of the upgraded BIOS image, authenticating the upgraded BIOS image using a signature stored in a first region of the second boot flash device, when the version of the upgraded BIOS image is validated, and the upgraded BIOS image is authenticated, writing the signature to a second region of the second boot flash device that is different from the first region, locking the second region of the second boot flash device, and rebooting the computer system from the second boot flash device.
