公开(公告)号：US06892305B1

公开(公告)日：2005-05-10

申请号：US09689460

申请日：2000-10-12

申请人： Richard Alan Dayan ,  Steven Dale Goodman ,  Joseph Michael Pennisi ,  Randall Scott Springfield ,  James Peter Ward ,  Joseph Wayne Freeman

发明人： Richard Alan Dayan ,  Steven Dale Goodman ,  Joseph Michael Pennisi ,  Randall Scott Springfield ,  James Peter Ward ,  Joseph Wayne Freeman

IPC分类号： G06F9/00 ,  G06F12/14 ,  G06F21/00 ,  H04L9/32

CPC分类号： G06F21/575

摘要： A method and system for booting up a computer system in a secure fashion is disclosed. The method and system comprise determining the presence of a security feature element during an initialization of the computer system wherein the security feature element includes a public key and a corresponding private key, storing a portion of the public key in a nonvolatile memory within the computer system if the security feature element is present and utilizing an algorithm to determine the presence of the security feature element prior to a subsequent boot-up of the computer system. Through the use of the present invention, a computer system is capable of being booted up whereby the computer system determines if a security feature element was previously present in the system. If a security feature element was previously present in the computer system, any stored keys, along with the secrets that they protect, are prevented from being compromised. It is also an object of the present invention to preclude the system from compromising any keys and associated secrets if a security feature element in the system was not previously present in the system.

摘要翻译： 公开了一种以安全方式引导计算机系统的方法和系统。 该方法和系统包括在计算机系统的初始化期间确定安全特征元素的存在，其中安全特征元素包括公共密钥和相应的私钥，将公钥的一部分存储在计算机系统内的非易失性存储器中 如果存在安全特征元素并且利用算法来确定在计算机系统的后续引导之前的安全特征元素的存在。 通过使用本发明，计算机系统能够被启动，由此计算机系统确定安全特征元素是否先前存在于系统中。 如果安全特征元素以前存在于计算机系统中，则防止任何存储的密钥以及它们保护的秘密被泄露。 如果系统中的安全特征元素先前不存在于系统中，则本发明的另一个目的是排除系统损害任何密钥和相关联的秘密。

公开(公告)号：US06711690B2

公开(公告)日：2004-03-23

申请号：US09953775

申请日：2001-09-17

申请人： Richard Alan Dayan ,  Steven Dale Goodman ,  Joseph Michael Pennisi ,  Randall Scott Springfield

发明人： Richard Alan Dayan ,  Steven Dale Goodman ,  Joseph Michael Pennisi ,  Randall Scott Springfield

IPC分类号： G06F900

CPC分类号： G06F21/79

摘要： A secure write blocking circuit and method of operation thereof. The secure write blocking circuit includes enable and disable block input terminals coupled to a blocking circuit. The blocking circuit, such as a set/reset latch in a preferred embodiment, generates a block signal to prevent write access to a nonvolatile memory device, such as flash memory, in response to signals provided to the enable and disable input terminals. The secure write blocking circuit also includes an interrupt generator, coupled to the disable block input terminal, that generates an interrupt signal in response to a signal at the disable input terminal. In a related embodiment the secure write blocking circuit also includes a logic circuit, coupled to the blocking circuit, that receives the block signal and a write enable signal and in response thereto generates a control signal to a write enable input of the nonvolatile memory device.

摘要翻译： 一种安全的写阻塞电路及其操作方法。 安全写阻断电路包括耦合到阻塞电路的使能和禁止块输入端。 阻塞电路，例如在优选实施例中的设置/复位锁存器，响应于提供给使能和禁止输入端子的信号，产生阻塞信号以防止对非易失性存储器件（例如闪速存储器）的写访问。 安全写阻断电路还包括耦合到禁用块输入端的中断发生器，其响应于禁用输入端的信号而产生中断信号。 在相关实施例中，安全写入分块电路还包括耦合到分块电路的逻辑电路，其接收块信号和写使能信号，并响应于此产生对非易失性存储器件的写使能输入的控制信号。

公开(公告)号：US08862709B2

公开(公告)日：2014-10-14

申请号：US11955886

申请日：2007-12-13

申请人： Daryl Carvis Cromer ,  Richard Alan Dayan ,  Joseph Wayne Freeman ,  Steven Dale Goodman ,  Eric Richard Kern ,  Howard Jeffrey Locker ,  Randall Scott Springfield

发明人： Daryl Carvis Cromer ,  Richard Alan Dayan ,  Joseph Wayne Freeman ,  Steven Dale Goodman ,  Eric Richard Kern ,  Howard Jeffrey Locker ,  Randall Scott Springfield

IPC分类号： G06F9/44 ,  H04L29/08 ,  H04L29/12 ,  G06F15/177 ,  H04N21/443

CPC分类号： G06F9/4416 ,  G06F9/4401 ,  G06F9/4406 ,  G06F9/4408 ,  G06F15/177 ,  H04L29/12235 ,  H04L67/34 ,  H04N21/443

摘要： Systems and arrangements for remotely selecting a bootable image via a WOL packet for a wake-on-LAN (WOL) capable computer are contemplated. Server-side embodiments include hardware and/or software for determining a client to be managed, determining whether the client is active on the network, and transmitting a WOL packet having a vector, or operating system partition identification (OSPID), to describe a bootable image accessible by the WOL capable computer. Some embodiments may include an OSPID that points to a secure bootable image such as a bootable image on a hard drive, a compact disk (CD) connected to the computer, or other local resource. Client-side embodiments may receive the WOL packet at, for instance, a network interface card (NIC), recognize that the WOL packet includes an OSPID that describes the bootable image to boot, and implement an alternative boot sequence to boot from that bootable image.

摘要翻译： 可以考虑通过用于具有LAN唤醒（WOL）功能的计算机的WOL分组来远程选择可启动图像的系统和布置。 服务器端实施例包括用于确定要管理的客户机的硬件和/或软件，确定客户端是否在网络上是活动的，以及发送具有向量的WOL分组或操作系统分区标识（OSPID）来描述可引导的 WOL功能的计算机可访问的图像。 一些实施例可以包括指向安全可启动图像的OSPID，例如硬盘驱动器上的可引导映像，连接到计算机的光盘（CD）或其他本地资源。 客户端实施例可以在例如网络接口卡（NIC）处接收WOL分组，识别WOL分组包括描述可启动图像引导的OSPID，并且实现替代的引导顺序以从该可启动图像引导 。

公开(公告)号：US08677117B2

公开(公告)日：2014-03-18

申请号：US10749583

申请日：2003-12-31

申请人： Daryl Carvis Cromer ,  Richard Alan Dayan ,  Joseph Wayne Freeman ,  Steven Dale Goodman ,  Eric Richard Kern ,  Howard Jeffrey Locker ,  Randall Scott Springfield

发明人： Daryl Carvis Cromer ,  Richard Alan Dayan ,  Joseph Wayne Freeman ,  Steven Dale Goodman ,  Eric Richard Kern ,  Howard Jeffrey Locker ,  Randall Scott Springfield

IPC分类号： H04L29/06

CPC分类号： G06F9/4416 ,  G06F9/4401 ,  G06F9/4406 ,  G06F9/4408 ,  G06F15/177 ,  H04L29/12235 ,  H04L67/34 ,  H04N21/443

摘要： Systems and arrangements for remotely selecting a bootable image via a WOL packet for a wake-on-LAN (WOL) capable computer are contemplated. Server-side embodiments include hardware and/or software for determining a client to be managed, determining whether the client is active on the network, and transmitting a WOL packet having a vector, or operating system partition identification (OSPID), to describe a bootable image accessible by the WOL capable computer. Some embodiments may include an OSPID that points to a secure bootable image such as a bootable image on a hard drive, a compact disk (CD) connected to the computer, or other local resource. Client-side embodiments may receive the WOL packet at, for instance, a network interface card (NIC), recognize that the WOL packet includes an OSPID that describes the bootable image to boot, and implement an alternative boot sequence to boot from that bootable image.

公开(公告)号：US20080155075A1

公开(公告)日：2008-06-26

申请号：US11955886

申请日：2007-12-13

申请人： Daryl Carvis Cromer ,  Richard Alan Dayan ,  Joseph Wayne Freeman ,  Steven Dale Goodman ,  Eric Richard Kern ,  Howard Jeffrey Locker ,  Randall Scott Springfield

发明人： Daryl Carvis Cromer ,  Richard Alan Dayan ,  Joseph Wayne Freeman ,  Steven Dale Goodman ,  Eric Richard Kern ,  Howard Jeffrey Locker ,  Randall Scott Springfield

IPC分类号： G06F15/177

CPC分类号： G06F9/4416 ,  G06F9/4401 ,  G06F9/4406 ,  G06F9/4408 ,  G06F15/177 ,  H04L29/12235 ,  H04L67/34 ,  H04N21/443

摘要： Systems and arrangements for remotely selecting a bootable image via a WOL packet for a wake-on-LAN (WOL) capable computer are contemplated. Server-side embodiments include hardware and/or software for determining a client to be managed, determining whether the client is active on the network, and transmitting a WOL packet having a vector, or operating system partition identification (OSPID), to describe a bootable image accessible by the WOL capable computer. Some embodiments may include an OSPID that points to a secure bootable image such as a bootable image on a hard drive, a compact disk (CD) connected to the computer, or other local resource. Client-side embodiments may receive the WOL packet at, for instance, a network interface card (NIC), recognize that the WOL packet includes an OSPID that describes the bootable image to boot, and implement an alternative boot sequence to boot from that bootable image.

摘要翻译： 可以考虑通过用于具有LAN唤醒（WOL）功能的计算机的WOL分组来远程选择可启动图像的系统和布置。 服务器端实施例包括用于确定要管理的客户机的硬件和/或软件，确定客户端是否在网络上是活动的，以及发送具有向量的WOL分组或操作系统分区标识（OSPID）来描述可引导的 WOL功能的计算机可访问的图像。 一些实施例可以包括指向安全可启动图像的OSPID，例如硬盘驱动器上的可引导映像，连接到计算机的光盘（CD）或其他本地资源。 客户端实施例可以在例如网络接口卡（NIC）处接收WOL分组，识别WOL分组包括描述可启动图像引导的OSPID，并且实现替代引导顺序以从该可启动图像引导 。

公开(公告)号：US07412596B2

公开(公告)日：2008-08-12

申请号：US10967760

申请日：2004-10-16

申请人： David Carroll Challener ,  Daryl Carvis Cromer ,  Joseph Wayne Freeman ,  Steven Dale Goodman ,  James Patrick Hoff ,  Howard Jeffrey Locker ,  Randall Scott Springfield ,  James Peter Ward

发明人： David Carroll Challener ,  Daryl Carvis Cromer ,  Joseph Wayne Freeman ,  Steven Dale Goodman ,  James Patrick Hoff ,  Howard Jeffrey Locker ,  Randall Scott Springfield ,  James Peter Ward

IPC分类号： G06F9/00 ,  G06F15/177

CPC分类号： G06F21/575

摘要： A method and system for enabling security attestation for a computing device during a return from an S4 sleep state. When the computing device enters into the S4 state following a successful boot up, the attestation log is appended to the TPM tick count and the log is signed (with a security signature). When the device is awaken from S4 state, the BIOS obtains and verifies the log created during the previous boot. The CRTM maintains a set of virtual PCRs and references these virtual PCRs against the log. If the values do not match, the return from S4 state fails and the device is rebooted.

摘要翻译： 一种用于在从S4睡眠状态返回期间为计算设备提供安全认证的方法和系统。 当计算设备在成功启动后进入S4状态时，认证日志会追加到TPM刻度计数，并且日志被签名（具有安全签名）。 当设备从S4状态唤醒时，BIOS将获取并验证在以前引导过程中创建的日志。 CRTM维护一组虚拟PCR，并将这些虚拟PCR引用到日志中。 如果值不匹配，则S4状态返回失败，设备重启。

公开(公告)号：US06823464B2

公开(公告)日：2004-11-23

申请号：US09793239

申请日：2001-02-26

申请人： Daryl Carvis Cromer ,  Joseph Wayne Freeman ,  Steven Dale Goodman ,  Randall Scott Springfield ,  James Peter Ward

发明人： Daryl Carvis Cromer ,  Joseph Wayne Freeman ,  Steven Dale Goodman ,  Randall Scott Springfield ,  James Peter Ward

IPC分类号： G06F124

CPC分类号： G06F21/305 ,  G06F21/57

摘要： Authentication of an entity remotely managing a data processing system is enabled to allow changes by the remote entity to hard-locked critical security information normally accessible only during the POST and only to trusted entities such as the system BIOS. The remote entity builds a change request and generates a hash from the change request with a current password appended. The change request and the hash are stored in a lockable non-volatile buffer which, once locked, requires a system reset to access. During the next POST, a trusted entity such as the system BIOS reads the change request, generates an authentication hash from the change request and the current password within the hard-locked security information, and compares the buffered hash with the generated hash. If a match is determined, the security information is updated; otherwise a tamper error is reported.

摘要翻译： 允许远程管理数据处理系统的实体的认证允许远程实体更改硬锁定通常只能在POST期间可访问的关键安全性信息，并且只允许受信任的实体（如系统BIOS）。 远程实体构建更改请求，并从附加当前密码的更改请求生成哈希值。 更改请求和哈希存储在可锁定的非易失性缓冲区中，该缓冲区一旦被锁定就需要系统重置才能访问。 在下一个POST期间，诸如系统BIOS的受信任的实体读取更改请求，从改变请求中生成认证散列，并在硬锁定的安全信息内生成当前密码，并将缓冲的散列与生成的散列进行比较。 如果确定匹配，则更新安全信息; 否则报告篡改错误。

公开(公告)号：US20080184025A1

公开(公告)日：2008-07-31

申请号：US12058696

申请日：2008-03-29

申请人： Richard Alan Dayan ,  Joseph Wayne Freeman ,  William Fred Keown ,  Randall Scott Springfield

发明人： Richard Alan Dayan ,  Joseph Wayne Freeman ,  William Fred Keown ,  Randall Scott Springfield

IPC分类号： G06F15/177

CPC分类号： G06F9/4406 ,  G06F11/1417 ,  G06F11/1441

摘要： A system, computer program product and method for booting to a partition in a non-volatile storage unit without a local operator. In one embodiment, one or more bits in a BOOT register may be set by an operating system indicating if the BIOS should boot to the partition. The BIOS may then read the BOOT register to determine if the BIOS is to boot to the partition as well as any activities to perform if the BIOS is to boot to the partition. In another embodiment, a network interface card may insert directive information received from a packet in a register within the network interface card. The BIOS may then read the register within the network interface card to determine if the BIOS is to boot to the partition as well as any activities to perform if the BIOS is to boot to the partition.

摘要翻译： 用于在没有本地操作者的情况下引导到非易失性存储单元中的分区的系统，计算机程序产品和方法。 在一个实施例中，BOOT寄存器中的一个或多个位可以由操作系统设置，指示是否BIOS应该引导到分区。 然后，BIOS可以读取BOOT寄存器，以确定BIOS是否要引导到分区，以及BIOS是否要引导到分区时执行的任何活动。 在另一个实施例中，网络接口卡可以将从分组接收的指令信息插入网络接口卡内的寄存器中。 然后，BIOS可以读取网络接口卡内的寄存器，以确定BIOS是否要引导到分区，以及BIOS要启动到分区的任何活动。

公开(公告)号：US07366888B2

公开(公告)日：2008-04-29

申请号：US09876426

申请日：2001-06-07

申请人： Richard Alan Dayan ,  Joseph Wayne Freeman ,  William Fred Keown, Jr. ,  Randall Scott Springfield

发明人： Richard Alan Dayan ,  Joseph Wayne Freeman ,  William Fred Keown, Jr. ,  Randall Scott Springfield

IPC分类号： G06F15/177

CPC分类号： G06F9/4406 ,  G06F11/1417 ,  G06F11/1441

摘要： A system, computer program product and method for booting to a partition in a non-volatile storage unit without a local operator. In one embodiment, one or more bits in a BOOT register may be set by an operating system indicating if the BIOS should boot to the partition. The BIOS may then read the BOOT register to determine if the BIOS is to boot to the partition as well as any activities to perform if the BIOS is to boot to the partition. In another embodiment, a network interface card may insert directive information received from a packet in a register within the network interface card. The BIOS may then read the register within the network interface card to determine if the BIOS is to boot to the partition as well as any activities to perform if the BIOS is to boot to the partition.

摘要翻译： 用于在没有本地操作者的情况下引导到非易失性存储单元中的分区的系统，计算机程序产品和方法。 在一个实施例中，BOOT寄存器中的一个或多个位可以由操作系统设置，指示是否BIOS应该引导到分区。 然后，BIOS可以读取BOOT寄存器，以确定BIOS是否要引导到分区，以及BIOS是否要引导到分区时执行的任何活动。 在另一个实施例中，网络接口卡可以将从分组接收的指令信息插入网络接口卡内的寄存器中。 然后，BIOS可以读取网络接口卡内的寄存器，以确定BIOS是否要引导到分区，以及BIOS要启动到分区的任何活动。

公开(公告)号：US06658562B1

公开(公告)日：2003-12-02

申请号：US09649440

申请日：2000-08-25

申请人： Ralph Bonomo ,  Richard Alan Dayan ,  Joseph Wayne Freeman ,  Robert Duane Johnson ,  Diane Nolterieke ,  Randall Scott Springfield

发明人： Ralph Bonomo ,  Richard Alan Dayan ,  Joseph Wayne Freeman ,  Robert Duane Johnson ,  Diane Nolterieke ,  Randall Scott Springfield

IPC分类号： G06F924

CPC分类号： G06F9/44505 ,  G06F9/4401 ,  G06F21/572

摘要： A method, system, and program for selecting and implementing a basic input/output system (“BIOS”) configuration among various BIOS configurations for a data processing system are disclosed. Different BIOS configurations are defined for various types of users, such as a home user, a commercial user, and a network user. Each of the BIOS configurations includes a different set of BIOS characteristics, such as program setup features security features, and network server features, under which the data processing system is able to run. The different BIOS configurations are stored into a memory device for the data processing system. A designation is set within the memory device that directs a processor of the data processing system to select and execute a desired one of the BIOS configurations for a particular type of user.

摘要翻译： 公开了一种用于在数据处理系统的各种BIOS配置之间选择和实现基本输入/输出系统（“BIOS”）配置的方法，系统和程序。 为各种类型的用户（例如家庭用户，商业用户和网络用户）定义不同的BIOS配置。 每个BIOS配置包括一组不同的BIOS特性，例如程序设置功能，安全功能和网络服务器功能，数据处理系统可以在这些功能下运行。 不同的BIOS配置被存储到用于数据处理系统的存储器设备中。 在存储器设备内设置指示数据处理系统的处理器为特定类型的用户选择并执行所需的一个BIOS配置的指定。