公开(公告)号：US09367328B2

公开(公告)日：2016-06-14

申请号：US13536859

申请日：2012-06-28

申请人： Daniel Nemiroff ,  Paul J. Thadikaran ,  Andrew H. Gafken ,  Purushottam Goel ,  Nicholas D. Triantafillou ,  Paritosh Saxena ,  Debra Cablao

发明人： Daniel Nemiroff ,  Paul J. Thadikaran ,  Andrew H. Gafken ,  Purushottam Goel ,  Nicholas D. Triantafillou ,  Paritosh Saxena ,  Debra Cablao

IPC分类号： G06F11/30 ,  G06F9/44 ,  G06F21/55 ,  G06F21/57 ,  H04L9/32

CPC分类号： G06F21/577 ,  G06F9/4401 ,  G06F21/554 ,  G06F21/561 ,  G06F21/575 ,  G06F21/6218 ,  G06F21/64 ,  G06F2221/033 ,  H04L9/3247

摘要： Embodiments of techniques and systems for out-of-band verification of host OS components are described. In embodiments, a out-of-band host OS boot sequence verification system (“BSVS”) may access system memory without detection by a host OS process, or “out of band.” The BSVS may access host OS components in the system memory and may generate signatures from memory footprints of the host OS components. These signatures may then be compared to trusted signatures to verify integrity of the host OS components. In embodiments, this verification may be performed during a boot of a host OS or on demand. In embodiments, the trusted signatures may be pre-stored by the BSVS before a boot; in some embodiments, the trusted signatures may be previously-computed and then stored by the BSVS. Other embodiments may be described and claimed.

摘要翻译： 描述用于主机OS组件的带外验证的技术和系统的实施例。 在实施例中，带外主机OS引导序列验证系统（“BSVS”）可以在主机OS进程或“带外”检测的情况下访问系统存储器.BSVS可以访问系统存储器中的主机OS组件 并且可以从主机OS组件的内存覆盖区生成签名。 然后可以将这些签名与可信签名进行比较以验证主机OS组件的完整性。 在实施例中，可以在主机OS的引导期间或者根据需要执行该验证。 在实施例中，信任签名可以在引导之前被BSVS预先存储; 在一些实施例中，可信任签名可以被预先计算，然后由BSVS存储。 可以描述和要求保护其他实施例。

公开(公告)号：US20140006760A1

公开(公告)日：2014-01-02

申请号：US13536859

申请日：2012-06-28

申请人： Daniel Nemiroff ,  Paul J. Thadikaran ,  Andrew H. Gafken ,  Purushottam Goel ,  Nicholas D. Triantafillou ,  Paritosh Saxena ,  Debra Cablao

发明人： Daniel Nemiroff ,  Paul J. Thadikaran ,  Andrew H. Gafken ,  Purushottam Goel ,  Nicholas D. Triantafillou ,  Paritosh Saxena ,  Debra Cablao

IPC分类号： G06F15/177 ,  H04L9/32

CPC分类号： G06F21/577 ,  G06F9/4401 ,  G06F21/554 ,  G06F21/561 ,  G06F21/575 ,  G06F21/6218 ,  G06F21/64 ,  G06F2221/033 ,  H04L9/3247

摘要： Embodiments of techniques and systems for out-of-band verification of host OS components are described. In embodiments, a out-of-band host OS boot sequence verification system (“BSVS”) may access system memory without detection by a host OS process, or “out of band.” The BSVS may access host OS components in the system memory and may generate signatures from memory footprints of the host OS components. These signatures may then be compared to trusted signatures to verify integrity of the host OS components. In embodiments, this verification may be performed during a boot of a host OS or on demand. In embodiments, the trusted signatures may be pre-stored by the BSVS before a boot; in some embodiments, the trusted signatures may be previously-computed and then stored by the BSVS. Other embodiments may be described and claimed.

摘要翻译： 描述用于主机OS组件的带外验证的技术和系统的实施例。 在实施例中，带外主机OS引导序列验证系统（“BSVS”）可以在主机OS进程或“带外”的检测的情况下访问系统存储器。 BSVS可以访问系统存储器中的主机OS组件，并且可以从主机OS组件的内存占用中产生签名。 然后可以将这些签名与可信签名进行比较以验证主机OS组件的完整性。 在实施例中，可以在主机OS的引导期间或者根据需要执行该验证。 在实施例中，信任签名可以在引导之前被BSVS预先存储; 在一些实施例中，可信任签名可以被预先计算，然后由BSVS存储。 可以描述和要求保护其他实施例。

公开(公告)号：US20140109170A1

公开(公告)日：2014-04-17

申请号：US13995244

申请日：2012-10-17

申请人： Daniel Nemiroff ,  Paul J. Thadikaran ,  Paritosh Saxena ,  Nicholas D. Triantafillou ,  Andrew H. Gafken

发明人： Daniel Nemiroff ,  Paul J. Thadikaran ,  Paritosh Saxena ,  Nicholas D. Triantafillou ,  Andrew H. Gafken

IPC分类号： G06F21/55

CPC分类号： G06F21/55 ,  G06F21/554 ,  G06F21/568 ,  G06F21/78

摘要： An embodiment may include a storage processor that may be comprised, at least in part, in a host. The host may include at least one host central processing unit (CPU) to execute at least one host operating system (OS). The storage processor may execute at least one operation in isolation from interference from and control by the at least one host CPU and the at least one host OS. The at least one operation may facilitate, at least in part: (1) prevention, at least in part, of unauthorized access to storage, (2) prevention, at least in part, of execution by the at least one host CPU of at least one unauthorized instruction, (3) detection, at least in part, of the at least one unauthorized instruction, and/or (4) remediation, at least in part, of at least one condition associated, at least in part, with the at least unauthorized instruction.

摘要翻译： 一个实施例可以包括可以至少部分地包括在主机中的存储处理器。 主机可以包括至少一个主机中央处理单元（CPU），以执行至少一个主机操作系统（OS）。 存储处理器可以与至少一个主机CPU和至少一个主机OS的干扰和控制隔离起来执行至少一个操作。 所述至少一个操作可以至少部分地促进：（1）至少部分地防止非法访问存储，（2）至少部分地防止所述至少一个主机CPU执行 至少一个未经授权的指令，（3）至少部分地至少检测至少一个未经授权的指令，和/或（4）至少部分地至少部分地与 至少未经授权的指令。

公开(公告)号：US07765409B2

公开(公告)日：2010-07-27

申请号：US11790783

申请日：2007-04-27

申请人： Andrew H. Gafken ,  Todd D. Wilson ,  Tom Dodson ,  John V. Lovelace

发明人： Andrew H. Gafken ,  Todd D. Wilson ,  Tom Dodson ,  John V. Lovelace

IPC分类号： H04L9/32

CPC分类号： G06F8/65 ,  G06F8/654 ,  G06F11/1417 ,  G06F21/572

摘要： A modular BIOS update mechanism provides a standardized method to update options ROMs and to provide video and processor microcode upgrades in a computer system without requiring a complete replacement of the system BIOS. The MBU mechanism provides several advantages. First, new features and BIOS bugs from earlier release may be delivered to an installed base of end-user systems even if direct OEM support cannot be identified. Also, BIOS components may be provided as a validated set of revisions. With resort to a validation matrix, BIOS updates may be managed easily. The modular BIOS update is particularly useful in systems having several independent BIOS's stored within unitary firmware.

摘要翻译： 模块化BIOS更新机制提供了一种标准化方法来更新选项ROM，并在计算机系统中提供视频和处理器微代码升级，而无需完全更换系统BIOS。 MBU机制提供了几个优点。 首先，即使直接的OEM支持无法识别，早期版本中的新功能和BIOS错误也可能会发送到最终用户系统的安装基础。 此外，可以将BIOS组件提供为经过验证的修订版本。 通过使用验证矩阵，可以轻松管理BIOS更新。 模块化BIOS更新在具有存储在单一固件中的几个独立BIOS的系统中特别有用。

公开(公告)号：US06311290B1

公开(公告)日：2001-10-30

申请号：US09055032

申请日：1998-04-03

申请人： Robert N. Hasbun ,  David A. Edwards ,  Andrew H. Gafken ,  Christopher J. Spiegel

发明人： Robert N. Hasbun ,  David A. Edwards ,  Andrew H. Gafken ,  Christopher J. Spiegel

IPC分类号： H02H305

CPC分类号： G06F12/0246 ,  G06F11/0793 ,  G06F2212/7205 ,  Y10S707/99953

摘要： Methods of reliably allocating, writing, reading, de-allocating, re-allocating, and reclaiming space within a nonvolatile memory having a bifurcated storage architecture are described. Allocation, writing, reading, de-allocating, re-allocating, and reclamation are handled by a memory manager. The memory manager tracks the progress of each process during execution in order to detect whether a selected process was interrupted for purposes of recovery. The nonvolatile memory is recovered to a known state during initialization. Initialization includes the step of determining a recovery state from a recovery state lookup table. A selected recovery process is selected in accordance with the recovery state lookup table. A restart level for the selected process is determined from a corresponding restart state lookup table. The selected process is then restarted at the restart level. In one embodiment, a method of managing a nonvolatile memory includes the step of identifying an interrupted process from at least one of an allocation, a reclamation, a configuration header reclaim, and a re-allocation process initiated on the nonvolatile memory. A recovery process is selected for the interrupted process. An entry point into the recovery process is determined. The selected recovery process is then restarted at the entry point.

摘要翻译： 描述了在具有分叉存储结构的非易失性存储器内可靠地分配，写入，读取，分配，重新分配和回收空间的方法。 分配，写入，读取，取消分配，重新分配和回收由内存管理员处理。 内存管理器在执行期间跟踪每个进程的进度，以便检测所选进程是否为了恢复目的而中断。 在初始化期间，非易失性存储器恢复到已知状态。 初始化包括从恢复状态查找表确定恢复状态的步骤。 根据恢复状态查找表选择选择的恢复过程。 从相应的重新启动状态查找表确定所选进程的重新启动级别。 然后在重新启动级别重新启动所选进程。 在一个实施例中，管理非易失性存储器的方法包括从在非易失性存储器上发起的分配，回收，配置报头回收和重新分配过程中的至少一个识别中断的进程的步骤。 为中断的进程选择恢复过程。 确定恢复过程的入口点。 然后在入口点重新启动所选的恢复过程。

公开(公告)号：US06157970A

公开(公告)日：2000-12-05

申请号：US936318

申请日：1997-09-24

申请人： Andrew H. Gafken ,  Joseph A. Bennett ,  David I. Poisner

发明人： Andrew H. Gafken ,  Joseph A. Bennett ,  David I. Poisner

IPC分类号： G06F13/28 ,  G06F13/40

CPC分类号： G06F13/28

摘要： A system including a host coupled to a memory device and a peripheral controller device. The host is coupled to the peripheral controller device via a bus having a plurality of general purpose signal lines to carry time-multiplexed address, data, and control information. The peripheral controller device performs direct memory access (DMA) transactions with the memory device via the host and the bus.

摘要翻译： 一种包括耦合到存储器装置的主机和外围控制器装置的系统。 主机经由具有多个通用信号线的总线耦合到外围控制器装置，以承载时分复用的地址，数据和控制信息。 外围控制器设备经由主机和总线与存储器件执行直接存储器访问（DMA）事务。

公开(公告)号：US07174416B2

公开(公告)日：2007-02-06

申请号：US10654559

申请日：2003-09-02

申请人： Robert N. Hasbun ,  David A. Edwards ,  Andrew H. Gafken ,  Christopher J. Spiegel

发明人： Robert N. Hasbun ,  David A. Edwards ,  Andrew H. Gafken ,  Christopher J. Spiegel

IPC分类号： G06F13/00

CPC分类号： G06F9/5016 ,  G06F8/654 ,  G06F12/0246

摘要： Methods of allocating, writing, reading, de-allocating, re-allocating, and reclaiming space within a nonvolatile memory having a bifurcated storage architecture are described. A method of reliably re-allocating a first object includes the step of storing a location of a first object in a first data structure. A location of the first data structure is stored in a second data structure. A duplicate of the first object is formed by initiating a copy of the first object. An erase of the first object is initiated. A write of a second object to the location of the first object is then initiated. The duplicate object is invalidated. The status of copying, erasing, and writing is tracked. The copy status, erase status, write status, and a restoration status are used to determine a recovery state upon initialization of the nonvolatile memory. The duplicate object is invalidated, if the writing status indicates that the writing of the second object has been completed. The first object is erased, if a restoration status indicates copying of the duplicate object was initiated but not completed. The erasing of the first object is completed, if the erase status indicates that erasure of the first object is not completed. A restoration of the duplicate object to the location of the first object is initiated, if the copying status indicates that copying of the first object was completed. The copying of the duplicate object is tracked as a restoration status.

摘要翻译： 描述在具有分叉存储架构的非易失性存储器内分配，写入，读取，分配，重新分配和回收空间的方法。 可靠地重新分配第一对象的方法包括将第一对象的位置存储在第一数据结构中的步骤。 第一数据结构的位置被存储在第二数据结构中。 通过启动第一个对象的副本来形成第一个对象的副本。 启动第一个对象的擦除。 然后启动对第一对象的位置的第二对象的写入。 重复的对象无效。 跟踪复制，删除和写入的状态。 复制状态，擦除状态，写入状态和恢复状态用于在初始化非易失性存储器时确定恢复状态。 如果写入状态指示第二个对象的写入已经完成，则重复的对象无效。 第一个对象被删除，如果恢复状态指示复制对象的复制被启动但未完成。 如果擦除状态指示第一个对象的擦除未完成，则完成第一个对象的擦除。 如果复制状态指示第一个对象的复制已经完成，那么将重新启动对象到第一个对象的位置的恢复。 复制对象的复制被跟踪为恢复状态。

公开(公告)号：US06182188B2

公开(公告)日：2001-01-30

申请号：US08834930

申请日：1997-04-06

申请人： Robert N. Hasbun ,  David A. Edwards ,  Andrew H. Gafken ,  Christopher J. Spiegel

发明人： Robert N. Hasbun ,  David A. Edwards ,  Andrew H. Gafken ,  Christopher J. Spiegel

IPC分类号： G06F1202

CPC分类号： G06F9/5016 ,  G06F8/654 ,  G06F12/0246

摘要： Methods of allocating, writing, reading, de-allocating, re-allocating, and reclaiming space within a nonvolatile memory having a bifurcated storage architecture are described. A method of reliably re-allocating a first object includes the step of storing a location of a first object in a first data structure. A location of the first data structure is stored in a second data structure. A duplicate of the first object is formed by initiating a copy of the first object. An erase of the first object is initiated. A write of a second object to the location of the first object is then initiated. The duplicate object is invalidated. The status of copying, erasing, and writing is tracked. The copy status, erase status, write status, and a restoration status are used to determine a recovery state upon initialization of the nonvolatile memory. The duplicate object is invalidated , if the writing status indicates that the writing of the second object has been completed. The first object is erased, if a restoration status indicates copying of the duplicate object was initiated but not completed. The erasing of the first object is completed, if the erase status indicates that erasure of the first object is not completed. A restoration of the duplicate object to the location of the first object is initiated, if the copying status indicates that copying of the first object was completed. The copying of the duplicate object is tracked as a restoration status.

摘要翻译： 描述在具有分叉存储架构的非易失性存储器内分配，写入，读取，分配，重新分配和回收空间的方法。 可靠地重新分配第一对象的方法包括将第一对象的位置存储在第一数据结构中的步骤。 第一数据结构的位置被存储在第二数据结构中。 通过启动第一个对象的副本来形成第一个对象的副本。 启动第一个对象的擦除。 然后启动对第一对象的位置的第二对象的写入。 重复的对象无效。 跟踪复制，删除和写入的状态。 复制状态，擦除状态，写入状态和恢复状态用于在初始化非易失性存储器时确定恢复状态。 如果写入状态指示第二个对象的写入已经完成，则重复的对象无效。 第一个对象被删除，如果恢复状态指示复制对象的复制被启动但未完成。 如果擦除状态指示第一个对象的擦除未完成，则完成第一个对象的擦除。 如果复制状态指示第一个对象的复制已经完成，那么将重新启动对象到第一个对象的位置的恢复。 复制对象的复制被跟踪为恢复状态。

公开(公告)号：US5893135A

公开(公告)日：1999-04-06

申请号：US587799

申请日：1995-12-27

申请人： Robert N. Hasbun ,  Andrew H. Gafken

发明人： Robert N. Hasbun ,  Andrew H. Gafken

IPC分类号： G11C7/10 ,  G11C16/26 ,  G06F12/00 ,  G06F13/00

CPC分类号： G11C7/1021 ,  G11C16/26 ,  G11C7/1018

摘要： An arrangement for accessing a non-volatile memory array including providing a signal having a first condition if an access is a read and a second condition if an access is for any other operation; reading data directly from an address in the non-volatile memory array if the signal is a first condition; and performing any other access of the non-volatile memory array utilizing a command-centric interface if the signal is a second condition.

摘要翻译： 一种用于访问非易失性存储器阵列的装置，包括如果访问是读取则提供具有第一条件的信号，如果访问用于任何其它操作，则包括第二条件; 如果信号是第一条件，则从非易失性存储器阵列中的地址直接读取数据; 以及如果所述信号是第二条件，则利用以命令为中心的接口执行所述非易失性存储器阵列的任何其它访问。

公开(公告)号：US06711675B1

公开(公告)日：2004-03-23

申请号：US09503046

申请日：2000-02-11

申请人： Christopher J. Spiegel ,  Andrew H. Gafken ,  Robert P. Hale ,  William A. Stevens, Jr.

发明人： Christopher J. Spiegel ,  Andrew H. Gafken ,  Robert P. Hale ,  William A. Stevens, Jr.

IPC分类号： G06F15177

CPC分类号： G06F21/575 ,  G06F9/4401

摘要： A protected boot sequence in a computer system. A reset vector directs the system to a boot program including a protected program. This protected program verifies the integrity of the BIOS contents before branching to the BIOS for execution of normal bootstrap functions. The protected program can also lock down various blocks of bootstrap code to prevent them from being changed after a certain point in the boot sequence. The protected boot sequence can proceed in layers, with each layer providing some level of validation or security for succeeding layers.

摘要翻译： 计算机系统中的受保护引导序列。 复位向量将系统引导到包括受保护程序的引导程序。 此受保护的程序在分支到BIOS以执行正常引导功能之前验证BIOS内容的完整性。 受保护的程序还可以锁定引导代码的各种块，以防止在引导顺序中的某一点之后它们被更改。 受保护的引导序列可以分层进行，每个层为后续层提供一定程度的验证或安全性。