公开(公告)号：US07412596B2

公开(公告)日：2008-08-12

申请号：US10967760

申请日：2004-10-16

申请人： David Carroll Challener ,  Daryl Carvis Cromer ,  Joseph Wayne Freeman ,  Steven Dale Goodman ,  James Patrick Hoff ,  Howard Jeffrey Locker ,  Randall Scott Springfield ,  James Peter Ward

发明人： David Carroll Challener ,  Daryl Carvis Cromer ,  Joseph Wayne Freeman ,  Steven Dale Goodman ,  James Patrick Hoff ,  Howard Jeffrey Locker ,  Randall Scott Springfield ,  James Peter Ward

IPC分类号： G06F9/00 ,  G06F15/177

CPC分类号： G06F21/575

摘要： A method and system for enabling security attestation for a computing device during a return from an S4 sleep state. When the computing device enters into the S4 state following a successful boot up, the attestation log is appended to the TPM tick count and the log is signed (with a security signature). When the device is awaken from S4 state, the BIOS obtains and verifies the log created during the previous boot. The CRTM maintains a set of virtual PCRs and references these virtual PCRs against the log. If the values do not match, the return from S4 state fails and the device is rebooted.

摘要翻译： 一种用于在从S4睡眠状态返回期间为计算设备提供安全认证的方法和系统。 当计算设备在成功启动后进入S4状态时，认证日志会追加到TPM刻度计数，并且日志被签名（具有安全签名）。 当设备从S4状态唤醒时，BIOS将获取并验证在以前引导过程中创建的日志。 CRTM维护一组虚拟PCR，并将这些虚拟PCR引用到日志中。 如果值不匹配，则S4状态返回失败，设备重启。

公开(公告)号：US07421588B2

公开(公告)日：2008-09-02

申请号：US10749057

申请日：2003-12-30

申请人： David Carroll Challener ,  Joseph Wayne Freeman ,  Steven Dale Goodman ,  Randall Scott Springfield

发明人： David Carroll Challener ,  Joseph Wayne Freeman ,  Steven Dale Goodman ,  Randall Scott Springfield

IPC分类号： G06F12/14

CPC分类号： G06F21/575 ,  G06F21/62 ,  G06F2221/2107

摘要： An apparatus, method, and system to seal a data repository to a trusted computing platform is described. The data repository may be sealed by encrypting the data on the repository and sealing a cryptographic key to a specific set of platform resources. With the data repository sealed to the platform, the system boot sequence will fail if the system configuration is compromised, for example by insertion of “snoopware” or a modified BIOS. Additionally, if the computer containing the data repository is lost or stolen, the encrypted data remains secure even if the repository is attached to a system modified to bypass normal safeguards.

摘要翻译： 描述了将数据存储库密封到可信计算平台的装置，方法和系统。 可以通过加密存储库中的数据并将密码密封到特定的一组平台资源来密封数据存储库。 将数据存储库密封到平台，如果系统配置受到威胁，例如插入“snoopware”或修改的BIOS，则系统引导顺序将失败。 另外，如果包含数据存储库的计算机丢失或被盗，加密数据将保持安全，即使存储库附加到修改为绕过正常保护措施的系统。

公开(公告)号：US07533274B2

公开(公告)日：2009-05-12

申请号：US10712237

申请日：2003-11-13

申请人： Joseph Wayne Freeman ,  Steven Dale Goodman ,  Randall Scott Springfield

发明人： Joseph Wayne Freeman ,  Steven Dale Goodman ,  Randall Scott Springfield

IPC分类号： G06F9/24 ,  G06F9/22 ,  G06F9/30

CPC分类号： G06F21/572 ,  G06F21/575

摘要： A method, computer program product and system for reducing the boot time of a TCPA based computing system. A flash memory in the TCPA based computing system may include a register comprising bits configured to indicate whether the segments of the flash memory have been updated. The flash memory may further include a table configured to store measurements of the segments of the flash memory. The flash memory may further include a boot block code that includes a Core Root of Trust for Measurement (CRTM). The CRTM may read the bits in the register to determine if any of the segments of the flash memory have been updated. The CRTM may further obtain the measurement values in the table for those segments that store the POST BIOS code that have not been updated thereby saving time from measuring the POST BIOS code and consequently reducing the boot time.

摘要翻译： 一种用于减少基于TCPA的计算系统的启动时间的方法，计算机程序产品和系统。 基于TCPA的计算系统中的闪速存储器可以包括寄存器，其包括被配置为指示闪速存储器的段是否已被更新的位。 闪存可以进一步包括被配置为存储闪存的片段的测量的表。 闪速存储器还可以包括引导块代码，其包括用于测量的信任核心根（CRTM）。 CRTM可以读取寄存器中的位，以确定闪存中的任何段是否已更新。 CRTM可以进一步获得存储POST BIOS代码的那些片段的表中的测量值，从而节省了测量POST BIOS代码的时间，从而减少了引导时间。

公开(公告)号：US07319299B2

公开(公告)日：2008-01-15

申请号：US11167751

申请日：2005-06-27

申请人： Joseph Wayne Freeman ,  Steven Dale Goodman ,  Isaac Karpel ,  Randall Scott Springfield

发明人： Joseph Wayne Freeman ,  Steven Dale Goodman ,  Isaac Karpel ,  Randall Scott Springfield

IPC分类号： H02P5/00

CPC分类号： G06F1/20 ,  F04D27/00 ,  F04D27/001 ,  F04D29/582

摘要： A cooling fan, system and method for controlling cooling fans in a personal computer. A unique series of sensing points is placed on a rotating hub of a cooling fan in order to uniquely identify the particular type of cooling fan. A tachometer sensor mounted in the cooling fan detects the unique series of sensing points as the cooling fan rotates and generates a sequence of pulses corresponding to the detected sending points. This generated pulse signal may be transmitted by the sensor to the fan control code. The fan control code may determine a particular type of cooling fan that the cooling fan is based on the generated pulse signal. Once the fan control code determines the particular type of cooling fan that the cooling fan is, the fan control code uses particular control parameters set for that particular type of cooling fan to control the cooling fan so that it operates optimally.

摘要翻译： 一种用于控制个人计算机中的冷却风扇的冷却风扇，系统和方法。 为了唯一地识别特定类型的冷却风扇，将一系列传感点放置在冷却风扇的旋转轮毂上。 安装在冷却风扇中的转速计传感器在冷却风扇旋转时检测独特的感测点系列，并产生与检测到的发送点相对应的脉冲序列。 该生成的脉冲信号可以由传感器传输到风扇控制代码。 风扇控制代码可以确定冷却风扇基于生成的脉冲信号的特定类型的冷却风扇。 一旦风扇控制代码确定了冷却风扇的特定类型的冷却风扇，则风扇控制代码使用为特定类型的冷却风扇设置的特定控制参数来控制冷却风扇，使其最佳运行。

公开(公告)号：US07814532B2

公开(公告)日：2010-10-12

申请号：US09847085

申请日：2001-05-02

申请人： Daryl Carvis Cromer ,  Joseph Wayne Freeman ,  Steven Dale Goodman ,  Eric Richard Kern ,  Randall Scott Springfield

发明人： Daryl Carvis Cromer ,  Joseph Wayne Freeman ,  Steven Dale Goodman ,  Eric Richard Kern ,  Randall Scott Springfield

IPC分类号： G06F7/04 ,  G08B29/00 ,  G06F9/00 ,  G06F15/177

CPC分类号： G06F21/575

摘要： A data processing system and method of password protecting the boot of a data processing system are disclosed. According to the method, in response to an attempt to boot the data processing system utilizing a boot device, the boot device is interrogated for a password. If the boot device supplies password information corresponding to that of a trusted boot device, the data processing system boots utilizing the boot device. If, however, the boot device does not supply password information corresponding to that of a trusted boot device, booting from the boot device is inhibited. In a preferred embodiment, the password information comprises a unique combination of the boot device's manufacturer-supplied model and serial numbers.

摘要翻译： 公开了一种密码保护数据处理系统引导的数据处理系统和方法。 根据该方法，响应于利用引导设备引导数据处理系统的尝试，引导设备被询问密码。 如果引导设备提供与可信引导设备的密码信息相对应的密码信息，则数据处理系统使用引导设备引导。 但是，如果引导设备不提供与受信任引导设备相对应的密码信息，则禁止从引导设备引导。 在优选实施例中，密码信息包括引导设备的制造商提供的模型和序列号的唯一组合。

公开(公告)号：US07191464B2

公开(公告)日：2007-03-13

申请号：US09978381

申请日：2001-10-16

申请人： Daryl Carvis Cromer ,  Joseph Wayne Freeman ,  Steven Dale Goodman ,  Eric Richard Kern ,  Randall Scott Springfield

发明人： Daryl Carvis Cromer ,  Joseph Wayne Freeman ,  Steven Dale Goodman ,  Eric Richard Kern ,  Randall Scott Springfield

IPC分类号： H04L9/32 ,  G06F15/177

CPC分类号： G06F21/575

摘要： A method, system and computer readable medium containing programming instructions for tracking a secure boot in a computer system having a plurality of devices is disclosed. The method, system and computer readable medium include providing an embedded security system (ESS) in the computer system, wherein the ESS includes at least one boot platform configuration register (PCR) and a shadow PCR for each of the at least one boot PCRs, initiating a platform reset to boot the computer system via BIOS, and, for a device booted, generating a measurement value for the device and extending that value to one of the at least one boot PCRs and its corresponding shadow PCR. The system, method and computer readable medium of the present invention also includes comparing the measurement values of the boot PCRs to their corresponding shadow PCRs, whereby the computer system is trusted if the measurement values match.

摘要翻译： 公开了一种包含用于在具有多个设备的计算机系统中跟踪安全引导的编程指令的方法，系统和计算机可读介质。 所述方法，系统和计算机可读介质包括在所述计算机系统中提供嵌入式安全系统（ESS），其中所述ESS包括用于所述至少一个启动PCR中的每一个的至少一个引导平台配置寄存器（PCR）和阴影PCR， 启动平台重置以通过BIOS引导计算机系统，并且对于引导的设备，生成所述设备的测量值并将该值扩展到所述至少一个启动PCR中的一个及其相应的阴影PCR。 本发明的系统，方法和计算机可读介质还包括将引导PCR的测量值与其相应的阴影PCR进行比较，从而如果测量值匹配，则计算机系统被信任。

公开(公告)号：US07174465B2

公开(公告)日：2007-02-06

申请号：US10180160

申请日：2002-06-26

申请人： Joseph Wayne Freeman ,  Chad Lee Gettelfinger ,  Steven Dale Goodman ,  William Fred Keown, Jr. ,  Eric Richard Kern ,  Randall Scott Springfield

发明人： Joseph Wayne Freeman ,  Chad Lee Gettelfinger ,  Steven Dale Goodman ,  William Fred Keown, Jr. ,  Eric Richard Kern ,  Randall Scott Springfield

IPC分类号： H04L9/32 ,  H04L9/00

CPC分类号： G06F21/57

摘要： A method is disclosed for securely updating system attributes of a client computer with a BIOS and includes signing a public key of a secure server with a private key of the BIOS prior to completion of manufacturing of the client computer to create an encrypted public key and embedded private key stored at the server. The method includes receiving at the server a request packet transmitted from the client computer requesting system attribute modification, encrypting the request packet to create an encrypted packet, and transmitting a return packet to client computer comprising the encrypted packet, the server's public key, and server instructions. The client computer decrypts the request packet using the server's public key and compares it to the original request packet, and if identical, executes the server instructions to modify the client computer's boot block to update client computer's system attributes.

摘要翻译： 公开了一种用于使用BIOS安全地更新客户端计算机的系统属性的方法，并且包括在完成客户端计算机的制造之前用BIOS的私钥对安全服务器的公共密钥进行签名以创建加密的公共密钥并且嵌入 私钥存储在服务器端。 该方法包括在服务器处接收从客户端计算机发送的请求系统属性修改的请求分组，对请求分组进行加密以创建加密的分组，以及向包括加密分组，服务器的公钥和服务器的客户端计算机发送返回分组 说明。 客户端计算机使用服务器的公钥解密请求包，并将其与原始请求包进行比较，如果相同，则执行服务器指令修改客户端计算机的启动块以更新客户端计算机的系统属性。

公开(公告)号：US07082129B2

公开(公告)日：2006-07-25

申请号：US10134936

申请日：2002-04-29

申请人： Daryl Carvis Cromer ,  Joseph Wayne Freeman ,  Chad Lee Gettelfinger ,  Steven Dale Goodman ,  Eric Richard Kern ,  Randall Scott Springfield

发明人： Daryl Carvis Cromer ,  Joseph Wayne Freeman ,  Chad Lee Gettelfinger ,  Steven Dale Goodman ,  Eric Richard Kern ,  Randall Scott Springfield

IPC分类号： H04L12/28

CPC分类号： G06F1/3209 ,  H04L12/12 ,  H04L45/20 ,  Y02D50/40

摘要： In a computer network including a plurality of interconnected computers, one of the computers being a sleeping computer in a power down state, the sleeping computer listening for a packet associated with the sleeping computer, a method and system of waking the sleeping computer from the computer network. An incoming packet of data is transmitted from one of the computers in the network to the sleeping computer. When the sleeping computer detects the incoming packet, it determines if the incoming packet contains a data sequence associated with the sleeping computer. Further, the sleeping computer compares a transit value in the incoming packet to a predetermined value stored at the sleeping computer. The transit value indicates how far the data packet has traveled through the network, indicating the approximate origin of the data packet. Knowing the approximate origin of the data packet allows the client system to identify if the data packet originated from an external network. The predetermined value represents an origin within the internal network. Accordingly, if the incoming packet matches the particular data sequence associated with the sleeping computer, and the transit value in the packet matches the predetermined value stored at the sleeping computer, then a signal is issued to wake the sleeping computer. Otherwise, the incoming packet is discarded and the sleeping computer is not awaken.

摘要翻译： 在包括多个相互连接的计算机的计算机网络中，计算机中的一个是处于断电状态的休眠计算机，睡眠计算机监听与休眠计算机相关联的分组，从计算机唤醒睡眠计算机的方法和系统 网络。 传入的数据包从网络中的一台计算机发送到睡眠计算机。 当睡眠计算机检测到传入分组时，它确定传入分组是否包含与睡眠计算机相关联的数据序列。 此外，睡眠计算机将输入分组中的传输值与存储在睡眠计算机上的预定值进行比较。 传输值表示数据分组通过网络传播的距离，指示数据分组的近似来源。 知道数据包的近似来源允许客户端系统识别数据包是否源自外部网络。 预定值表示内部网络内的原点。 因此，如果输入分组与休眠计算机相关联的特定数据序列匹配，并且分组中的传输值与存储在睡眠计算机上的预定值匹配，则发出信号以唤醒睡眠计算机。 否则，传入的数据包被丢弃，并且睡眠的计算机没有被唤醒。

公开(公告)号：US07249249B2

公开(公告)日：2007-07-24

申请号：US10064087

申请日：2002-06-10

申请人： Joseph Wayne Freeman ,  Steven Dale Goodman ,  Randall Scott Springfield

发明人： Joseph Wayne Freeman ,  Steven Dale Goodman ,  Randall Scott Springfield

IPC分类号： G06F15/177

CPC分类号： G06F21/575 ,  G06F9/4406 ,  G06F2221/2105

摘要： A system and method for access control of a hardfile responsive to a computer system having an operating system is disclosed. The method includes detecting a special boot condition during a pre-boot test of the computer system; and altering, in response to the special boot condition, an operating system access configuration of the hardfile. The system includes a computer system that adjusts an operating system access to a hardfile based upon various boot conditions.

摘要翻译： 公开了一种响应具有操作系统的计算机系统对硬盘进行访问控制的系统和方法。 该方法包括在计算机系统的预引导测试期间检测特殊启动条件; 并且响应于特殊引导条件改变硬文件的操作系统访问配置。 该系统包括一个计算机系统，该计算机系统根据各种引导条件调整对硬盘的操作系统访问。

公开(公告)号：US07200761B1

公开(公告)日：2007-04-03

申请号：US09711028

申请日：2000-11-09

申请人： Joseph Wayne Freeman ,  Randall Scott Springfield ,  Steven Dale Goodman ,  Isaac Karpel

发明人： Joseph Wayne Freeman ,  Randall Scott Springfield ,  Steven Dale Goodman ,  Isaac Karpel

IPC分类号： G06F9/00 ,  G06F11/30 ,  G06F15/173 ,  G06F15/16 ,  H04L9/00

CPC分类号： G06F21/575 ,  G06F11/2284 ,  G06F21/79

摘要： During power up initialization, security data such as passwords and other sensitive data which are stored in a lockable memory device are read and copied to protected system management interrupt (SMI) memory space, subject to verification by code running in the SMI memory space that the call to write the security data originates with a trusted entity. Once copied to SMI memory space, the security data is erased from regular system memory and the lockable storage device is hard locked (requiring a reset to unlock) against direct access prior to starting the operating system. The copy of the security data within the SMI memory space is invisible to the operating system. However, the operating system may initiate a call to code running in the SMI memory space to check a password entered by the user, with the SMI code returning a “match” or “no match” indication. The security data may thus be employed after the lockable memory device is hard locked and the operating system is started.

摘要翻译： 在上电初始化期间，存储在可锁定存储器设备中的安全数据（例如密码和其他敏感数据）被读取并复制到受保护的系统管理中断（SMI）存储器空间，经由在SMI存储器空间中运行的代码进行验证， 调用写入安全数据来源于受信任的实体。 一旦复制到SMI内存空间，安全数据将从常规系统内存中擦除，锁定的存储设备在启动操作系统之前就被硬锁定（需要重新启动）以防止直接访问。 SMI内存空间中的安全数据的副本对于操作系统是不可见的。 然而，操作系统可以启动对在SMI存储器空间中运行的代码的调用，以检查由用户输入的密码，SMI代码返回“匹配”或“不匹配”指示。 因此，在可锁定存储器件被硬锁定并且操作系统启动之后可以采用安全数据。