
CN103810443B - Device and method for protecting basic input and output systems - Google Patents

Device and method for protecting basic input and output systems

Info

Publication number
CN103810443B
CN103810443B
Authority
CN
China
Prior art keywords
bios
mentioned
message digest
microprocessor
random number
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201410085132.9A
Other languages
Chinese (zh)
Other versions
CN103810443A (en)
Inventor
G.G. Henry
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Via Technologies Inc
Original Assignee
Via Technologies Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US14/079,226 (US9129113B2)
Priority claimed from US14/079,299 (US9183394B2)
Application filed by Via Technologies Inc
Publication of CN103810443A
Application granted
Publication of CN103810443B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/572 Secure firmware programming, e.g. of basic input output system [BIOS]
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an apparatus and a method for protecting a basic input/output system (BIOS). A BIOS read-only memory (ROM) contains a plurality of partitions and a plurality of encrypted digests. Each partition is stored as plaintext, and each encrypted digest is an encrypted version of a first digest computed over the corresponding partition. In response to a BIOS check interrupt, a partition selector selects one or more partitions. A tamper detector accesses the selected partitions and their corresponding encrypted digests and directs a microprocessor to generate, using the same algorithms and keys that produced the first digests and the encrypted digests, a second digest for each selected partition and a decrypted digest from each corresponding encrypted digest. The tamper detector compares each second digest with its decrypted digest and prevents operation of the microprocessor when the two are not pairwise identical.

Description

Device and method for protecting basic input and output systems

Technical field

The present invention relates to microelectronics, and in particular to an apparatus and method for protecting the basic input/output system (BIOS) of a computing system.

Background

Computing platforms come in many shapes and sizes, such as desktop computers, notebook computers, tablet computers, personal digital assistants (PDAs) and smartphones. Only a few of these platform types employ very powerful tools.

Once a computing platform is taken apart, almost every form of computing platform turns out to share the same basic structure or configuration. At its core are a central processing unit (usually a microprocessor), memory for storing programs (in the form of a hard disk or solid-state drive), faster memory in which programs execute (usually random access memory), and memory that stores the basic input/output system (BIOS).

On these platforms, the BIOS is the lowest layer of the programming hierarchy: it boots a standard operating system and applications, which then use the hardware of the particular platform to perform their operations. The BIOS is closely tied to the hardware interfaces, so that when the platform configuration changes, higher-level programs need not be modified to accommodate the change. The BIOS itself, of course, is usually upgraded when such changes occur, which is why BIOS storage is usually kept separate from the storage used for the operating system and applications.

The BIOS contains not only the basic operations of the computing platform but also configuration data and security data (for example, whether the computing system is authorized to execute particular applications). Because the BIOS holds security data, it is a frequent target of hackers and the like: by modifying a system's BIOS, an unauthorized user can run unauthorized programs. It is therefore extremely important to system designers that the validity and integrity of the BIOS be protected and assured, both while the system is not operating and while the BIOS is executing.

On the one hand, then, it is desirable that a system's BIOS be easily accessible, so that it can be upgraded and/or reprogrammed to support changes in system configuration. On the other hand, it is important to protect or restrict access to the BIOS contents in order to prevent tampering by unauthorized parties.

Some attempts to achieve one or both of these goals result in constrained architectures. For example, moving BIOS storage onto the same chip as the system's microprocessor prevents the BIOS from being tampered with, but completely defeats the purpose of easy upgrades, since the BIOS is no longer physically accessible. Other techniques rely on encrypting the BIOS contents, which is advantageous from a protection standpoint but degrades system performance, because an unacceptable number of operations is required to decrypt the BIOS contents every time they are used.

What is needed, therefore, is a new technique that supports accessibility and upgrading of a computing system's BIOS contents while also protecting those contents from unauthorized tampering.

Summary of the invention

The present invention provides a superior technique for solving the problems described above and for addressing other problems, disadvantages and limitations of the prior art.

The present invention provides an excellent technique for protecting the BIOS of a computing system against attack. In one embodiment, an apparatus is provided for protecting a basic input/output system (BIOS) within a computing system. The apparatus includes a BIOS read-only memory (ROM), a partition selector and a tamper detector. The BIOS ROM contains a plurality of BIOS content partitions and a plurality of encrypted message digests. Each BIOS content partition is stored as plaintext (readable text), and each encrypted message digest comprises an encrypted version of a first message digest computed over the corresponding BIOS content partition. In response to a BIOS check interrupt that interrupts normal operation of the computing system, the partition selector selects one or more of the BIOS content partitions. The tamper detector is coupled to the BIOS ROM and to the partition selector. In response to the BIOS check interrupt, the tamper detector accesses the selected BIOS content partitions and their corresponding encrypted message digests, and directs a microprocessor to generate, using the same algorithm and key that were used to generate the first message digests and the encrypted message digests, a second message digest for each selected partition and a decrypted message digest from each corresponding encrypted message digest. The tamper detector compares the second message digests with the decrypted message digests and prevents operation of the microprocessor when they are not pairwise identical.

The present invention further provides another apparatus for protecting a BIOS within a computing system. The apparatus includes a BIOS ROM and a microprocessor coupled to the BIOS ROM. The BIOS ROM contains a plurality of BIOS content partitions, each stored as plaintext, and a plurality of encrypted message digests, each comprising an encrypted version of a first message digest computed over the corresponding BIOS content partition. The microprocessor includes a partition selector and a tamper detector. In response to a BIOS check interrupt that interrupts normal operation of the computing system, the partition selector selects one or more of the BIOS content partitions. The tamper detector is coupled to the BIOS ROM and to the partition selector. In response to the BIOS check interrupt, the tamper detector accesses the selected BIOS content partitions and their corresponding encrypted message digests, and directs the microprocessor to generate, using the same algorithm and key that were used to generate the first message digests and the encrypted message digests, a second message digest for each selected partition and a decrypted message digest from each corresponding encrypted message digest. The tamper detector compares the second message digests with the decrypted message digests and prevents operation of the microprocessor when they are not pairwise identical.

The present invention further provides a method for protecting a BIOS within a computing system. A plurality of BIOS content partitions and a plurality of encrypted message digests are stored in a BIOS ROM, each BIOS content partition being stored as plaintext and each encrypted message digest comprising an encrypted version of a first message digest computed over the corresponding BIOS content partition. In response to a BIOS check interrupt that interrupts normal operation of the computing system, one or more of the BIOS content partitions are selected. In response to the BIOS check interrupt, the selected BIOS content partitions and their corresponding encrypted message digests are accessed, and the same algorithm and key that were used to generate the first message digests and the encrypted message digests are used to generate a second message digest for each selected partition and a decrypted message digest from each corresponding encrypted message digest. The second message digests are compared with the decrypted message digests, and operation of a microprocessor is prevented when they are not pairwise identical.

The present invention further provides another apparatus for protecting a BIOS within a computing system. The apparatus includes: a BIOS ROM containing a plurality of BIOS content partitions, each stored as plaintext, and a plurality of encrypted message digests, each comprising an encrypted version of a first message digest computed over the corresponding BIOS content partition; a partition selector that, in response to a BIOS check interrupt that interrupts normal operation of the computing system, selects one or more of the BIOS content partitions; and a tamper detector coupled to the BIOS ROM and to the partition selector. The tamper detector generates the BIOS check interrupt upon a combination of a time interval and the occurrence of an event. In response to the BIOS check interrupt, it accesses the selected BIOS content partitions and their corresponding encrypted message digests, directs a microprocessor to generate, using the same algorithm and key that were used to generate the first message digests and the encrypted message digests, a second message digest for each selected partition and a decrypted message digest from each corresponding encrypted message digest, compares the second message digests with the decrypted message digests, and prevents operation of the microprocessor when they are not pairwise identical.

The present invention further provides another apparatus for protecting a BIOS within a computing system. The apparatus includes a BIOS ROM containing a plurality of BIOS content partitions, each stored as plaintext, and a plurality of encrypted message digests, each comprising an encrypted version of a first message digest computed over the corresponding BIOS content partition; and a microprocessor coupled to the BIOS ROM. The microprocessor includes a partition selector that, in response to a BIOS check interrupt that interrupts normal operation of the computing system, selects one or more of the BIOS content partitions, and a tamper detector coupled to the BIOS ROM and to the partition selector. The tamper detector generates the BIOS check interrupt upon a combination of a time interval and the occurrence of an event. In response to the BIOS check interrupt, it accesses the selected BIOS content partitions and their corresponding encrypted message digests, directs the microprocessor to generate, using the same algorithm and key that were used to generate the first message digests and the encrypted message digests, a second message digest for each selected partition and a decrypted message digest from each corresponding encrypted message digest, compares the second message digests with the decrypted message digests, and prevents operation of the microprocessor when they are not pairwise identical.

The present invention further provides another method for protecting a BIOS within a computing system. A plurality of BIOS content partitions and a plurality of encrypted message digests are stored in a BIOS ROM, each BIOS content partition being stored as plaintext and each encrypted message digest comprising an encrypted version of a first message digest computed over the corresponding BIOS content partition. In response to a BIOS check interrupt that interrupts normal operation of the computing system, one or more of the BIOS content partitions are selected. The BIOS check interrupt is generated upon a combination of a time interval and the occurrence of an event. In response to the BIOS check interrupt, the selected BIOS content partitions and their corresponding encrypted message digests are accessed, and the same algorithm and key that were used to generate the first message digests and the encrypted message digests are used to generate a second message digest for each selected partition and a decrypted message digest from each corresponding encrypted message digest. The second message digests are compared with the decrypted message digests, and operation of a microprocessor is prevented when they are not pairwise identical.
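The following Python is an added worked example, not code from the patent or from VIA, that models the partition-based check described in the summary above: plaintext partitions and encrypted digests in the ROM, round-robin partition selection on each BIOS check interrupt, recomputation of the digest and decryption of the stored digest with the processor-held key, and halting on mismatch. The digest algorithm (SHA-256), the keyed XOR-keystream stand-in for "encryption" of the digest, the key value and the partition contents are all assumptions constructed for this example; the text fixes none of them.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List

# Stand-in primitives (assumptions: the patent text here fixes neither algorithm).

def first_digest(partition: bytes) -> bytes:
    """Message digest over a plaintext BIOS content partition (SHA-256 stand-in)."""
    return hashlib.sha256(partition).digest()

def _keystream(key: bytes, index: int, length: int) -> bytes:
    """Deterministic keystream bound to the partition index (SHA-256 in counter mode)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + index.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt_digest(key: bytes, index: int, digest: bytes) -> bytes:
    """Encrypt (or, applied again, decrypt) a digest under the microprocessor-held key."""
    return bytes(a ^ b for a, b in zip(digest, _keystream(key, index, len(digest))))

decrypt_digest = encrypt_digest  # XOR with the same keystream is its own inverse

@dataclass
class BiosRom:
    partitions: List[bytes]          # BIOS content partitions, stored as plaintext
    encrypted_digests: List[bytes]   # one encrypted first digest per partition

def program_rom(key: bytes, partitions: List[bytes]) -> BiosRom:
    """Build (or reprogram) the ROM: plaintext partitions plus their encrypted digests."""
    enc = [encrypt_digest(key, i, first_digest(p)) for i, p in enumerate(partitions)]
    return BiosRom(list(partitions), enc)

class TamperDetector:
    """Partition selector plus tamper detector. Each BIOS check interrupt verifies
    `per_check` partitions in round-robin order, so the whole ROM is covered over
    successive interrupts without rehashing all of it at once."""

    def __init__(self, key: bytes, rom: BiosRom, per_check: int = 1) -> None:
        self.key = key
        self.rom = rom
        self.per_check = per_check
        self.next_index = 0
        self.halted = False          # True once the microprocessor has been stopped

    def select_partitions(self) -> List[int]:
        n = len(self.rom.partitions)
        chosen = [(self.next_index + k) % n for k in range(self.per_check)]
        self.next_index = (self.next_index + self.per_check) % n
        return chosen

    def on_bios_check_interrupt(self) -> bool:
        """True if the selected partitions verified; False means the CPU is halted."""
        if self.halted:
            return False
        for i in self.select_partitions():
            second = first_digest(self.rom.partitions[i])                      # second message digest
            decrypted = decrypt_digest(self.key, i, self.rom.encrypted_digests[i])  # decrypted message digest
            # constant-time compare; a mismatch means the partition or its digest was altered
            if not hmac.compare_digest(second, decrypted):
                self.halted = True
                return False
        return True

# Constructed demo data. In hardware the key would live inside the processor, never in the ROM.
KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
PARTITIONS = [
    b"reset-vector+POST code" * 3,
    b"chipset-init tables" * 3,
    b"security-config: app_auth=0;" * 2,
    b"runtime services" * 3,
]

def demo_tamper_detected() -> List[bool]:
    rom = program_rom(KEY, PARTITIONS)
    det = TamperDetector(KEY, rom, per_check=2)
    results = [det.on_bios_check_interrupt() for _ in range(2)]   # two interrupts cover all four partitions
    # Attacker edits the plaintext partition (easy: the ROM is socketed and unencrypted)
    rom.partitions[2] = rom.partitions[2].replace(b"app_auth=0", b"app_auth=1")
    results += [det.on_bios_check_interrupt() for _ in range(3)]  # caught when partition 2 comes round
    return results

def demo_forgery_without_key() -> bool:
    """Attacker also rewrites the stored digest but lacks the key to encrypt it."""
    rom = program_rom(KEY, PARTITIONS)
    rom.partitions[1] = b"evil option ROM hook" * 3
    rom.encrypted_digests[1] = first_digest(rom.partitions[1])    # plaintext digest, not encrypted
    return TamperDetector(KEY, rom, per_check=len(PARTITIONS)).on_bios_check_interrupt()

def demo_authorized_update() -> bool:
    """Legitimate update: the key holder re-encrypts the new digest and the check passes."""
    rom = program_rom(KEY, PARTITIONS)
    rom.partitions[1] = b"chipset-init tables v2" * 3
    rom.encrypted_digests[1] = encrypt_digest(KEY, 1, first_digest(rom.partitions[1]))
    return TamperDetector(KEY, rom, per_check=len(PARTITIONS)).on_bios_check_interrupt()

if __name__ == "__main__":
    print("check results:", demo_tamper_detected())          # [True, True, True, False, False]
    print("forgery accepted:", demo_forgery_without_key())   # False
    print("authorized update accepted:", demo_authorized_update())  # True
```

The example shows why the design satisfies both goals from the Background: the partitions stay readable and reprogrammable, and only the digests carry the secret, so an attacker who can rewrite the socketed ROM can change a partition but cannot produce a matching encrypted digest without the processor's key. Checking a few partitions per interrupt bounds the cost of each check, but it also leaves a window between a modification and the next time that partition is selected, which is what the periodic and event-based interrupt sources described for FIGS. 4 and 5 tune. Two caveats a practitioner would add: the key must not be readable over any bus the ROM shares, and the comparison should be constant-time, as `hmac.compare_digest` is here.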

For industrial application, the invention may be implemented in a microprocessor, which may be used in general-purpose or special-purpose computing devices.

Brief description of the drawings

FIG. 1 is a block diagram showing the physical components provided on the motherboard of a present-day computing system;

FIG. 2 is a block diagram showing how the components of FIG. 1 are interconnected, illustrating how a computing system is configured with a basic input/output system (BIOS);

FIG. 3 is a block diagram showing an architecture for protecting the BIOS of a computing system according to an embodiment of the present invention;

FIG. 4 is a block diagram showing a periodic architecture for protecting the BIOS of a computing system according to an embodiment of the present invention;

FIG. 5 is a block diagram showing an event-based architecture for protecting the BIOS of a computing system according to an embodiment of the present invention;

FIG. 6 is a block diagram showing a driver-based architecture for protecting the BIOS of a computing system according to an embodiment of the present invention; and

FIG. 7 is a block diagram showing a secure BIOS tamper-protection architecture according to an embodiment of the present invention.

Detailed description

In order to make the above and other objects, features and advantages of the present invention more readily understood, preferred embodiments are set out below and described in detail with reference to the accompanying drawings.

Exemplary and illustrative embodiments of the invention are described below. In the interest of clarity, not all features of an actual implementation are described in this specification. Those skilled in the art will appreciate that in the development of any such actual embodiment, numerous implementation-specific decisions must be made to achieve specific goals, such as compliance with system-related and business-related constraints, which will vary from one implementation to another. Moreover, it will be appreciated that such a development effort might be complex and time-consuming, but would nevertheless be a routine undertaking for those of ordinary skill in the art having the benefit of this disclosure. Various modifications to the preferred embodiment will be apparent to those skilled in the art, and the general principles defined herein may be applied to other embodiments. The present invention is therefore not intended to be limited to the particular embodiments shown and described herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

The present invention will be described with reference to the following figures. The various structures, systems and devices depicted in the figures are for purposes of explanation only and are not intended to obscure the present invention with details that are well known to those skilled in the art; nevertheless, the figures are included to describe and explain illustrative examples of the present invention. The words and phrases used herein should be understood and interpreted to have a meaning consistent with the understanding of those words and phrases by those skilled in the relevant art. No special definition of a term or phrase, that is, a definition different from the ordinary and customary meaning understood by those skilled in the art, is intended to be implied by consistent usage of that term or phrase herein. To the extent that a term or phrase is intended to have a special meaning, that is, a meaning other than that understood by skilled artisans, such a special definition will be expressly set forth in the specification in a definitional manner that directly and unequivocally provides the special definition for that term or phrase.

An integrated circuit (IC) is a set of electronic circuits fabricated on a small piece of semiconductor material, usually silicon. An IC is also referred to as a chip, a microchip or a die.

A central processing unit (CPU) is the electronic circuitry (i.e., "hardware") that executes the instructions of a computer program (also known as a "computer application" or "application") by performing operations on data, including arithmetic operations, logical operations and input/output operations.

A microprocessor is an electronic device that functions as a CPU on a single integrated circuit. A microprocessor receives digital data as input, processes the data according to instructions fetched from a memory (either on-chip or off-chip), and generates the results of the operations prescribed by those instructions as output. A general-purpose microprocessor may be employed in a desktop computer, mobile phone or tablet computer and used for computing, text editing, multimedia display and browsing the Internet. A microprocessor may also be disposed in an embedded system to control a wide variety of devices, including appliances, mobile telephones, smartphones and industrial control devices.

A multi-core processor, also called a multi-core microprocessor, is a microprocessor having multiple central processing units fabricated on a single integrated circuit.

An instruction set architecture (ISA), or instruction set, is the part of a computer architecture related to programming, and includes data types, instructions, registers, addressing modes, memory architecture, interrupt and exception handling, and input/output. An ISA includes the specification of the set of opcodes (machine language instructions) and the native commands implemented by a particular CPU.

An x86-compatible microprocessor is a microprocessor capable of executing computer applications programmed according to the x86 instruction set architecture.

Microcode is a set of microinstructions. A microinstruction (also called a "native instruction") is an instruction executed by a sub-unit of a microprocessor. Exemplary sub-units include integer units, floating-point units, MMX units and load/store units. Microinstructions may, for example, be executed directly by a reduced instruction set computer (RISC) microprocessor. In a complex instruction set computer (CISC) microprocessor, such as an x86-compatible microprocessor, x86 instructions are translated into associated microinstructions, and those microinstructions are executed directly by one or more sub-units within the CISC microprocessor.

A fuse is a conductive structure, typically arranged as a filament, which can be broken (blown) at a selected location by applying a voltage across and/or passing a current through the filament. Fuses can be placed on a die using existing fabrication techniques, providing filaments in all of the programmable areas. After fabrication, blowing (or not blowing) particular fuses provides the programming required by the corresponding components disposed on the die.

In view of the prior art concerning the protection of critical programs and data in trusted computing systems, and of the techniques used in present-day systems to detect and/or prevent tampering with such programs and data, the BIOS of a present-day system is first described with reference to FIGS. 1 and 2. The present invention is then described with reference to FIGS. 3 to 7.

Referring to FIG. 1, a block diagram 100 shows the physical components provided on the motherboard 102 (also called the system board) of a present-day computing system. The components of the motherboard 102 include a microprocessor 104 (also called a central processing unit, processor, processor chip, etc.), volatile memory 106 (also called random access memory, RAM), a chipset 108 (also called a memory controller, memory hub, input/output hub or bridge chip, such as a north bridge or south bridge), a basic input/output system (BIOS) read-only memory (ROM) 110, which is usually plugged into a socket 112, and a hard disk interface 114. The motherboard 102 is typically mounted inside a computer enclosure (such as a desktop or notebook computer case, a mobile phone housing, a tablet computer housing or a set-top box housing) together with the other components (such as a power supply) needed to complete a particular computer configuration. As those skilled in the art know, many additional components and parts (such as clock generators, fans, connectors and graphics processors) are mounted on the motherboard 102; for simplicity of description they are not shown. In addition, the components 104, 106, 114, 108, 110 and 112 shown in FIG. 1 may be arranged on the motherboard 102 in various ways, and it should be noted that they are referred to here by their commonly recognized names. In this embodiment the microprocessor 104 is coupled to the components 106, 114, 108, 110 and 112 via physical interfaces (not shown), usually metal traces, on the motherboard 102. It is worth noting that the socket 112 is provided on the motherboard 102 because the BIOS ROM 110 is subject to fairly frequent replacement in the factory and/or in the field.

Referring to FIG. 2, block diagram 200 is a schematic showing how the components 104, 106, 114, 108, 110 and 112 of FIG. 1 are interconnected, to illustrate how a computing system is configured with a basic input/output system (BIOS). Block diagram 200 shows a microprocessor 204 that includes an on-chip high-speed cache memory 230. The microprocessor 204 is coupled to the slower random access memory 206 via a memory bus 216. The microprocessor 204 is also coupled to a chipset 208 via a system bus 218, and the chipset 208 is coupled to the hard disk interface 214 and the BIOS read-only memory (ROM) 210 via a hard disk interface bus 224 and a ROM bus 220, respectively. The BIOS ROM 210 may be coupled to an optional BIOS programming interface (not shown) via a BIOS programming bus 222. As is known to those skilled in the art, variations of the configuration shown in FIG. 2 may include a chipset 208 that also provides the interface to the random access memory 206 over the system bus 218 rather than over a direct memory bus 216, and that may provide other kinds of buses (not shown) connecting the microprocessor 204 to other kinds of peripheral interfaces (for example PCI Express, graphics processors).

In operation, as is known to those skilled in the art, application programs 234 (for example Microsoft ...) are stored on a hard disk (or solid-state disk) (not shown), which is accessed via the hard disk interface 214. Because the hard disk is a comparatively slow device, an application program 234 is usually transferred to the external random access memory 206 before it is executed. Portions of the application program 234 are then cached for execution by the microprocessor 204 in its internal cache memory 230. When instructions of the application program 234 require the microprocessor 204 to perform system-level operations (for example storing a file to the hard disk), instructions from the operating system software 232 (for example a store request) are executed by the microprocessor 204; the instructions of the operating system software 232 are likewise loaded from the hard disk into the random access memory 206 and cached in the internal cache memory 230. The operating system software 232 provides a more general interface that enables application programs 234 to perform system-level functions without needing to know the specific system configuration. The operating system software 232 also allows the microprocessor 204 to execute multiple application programs 234 concurrently, and performs background operations to manage the use of the random access memory 206 efficiently.

However, the operating system 232 is in fact a middle layer of software in present-day computing systems. To actually interface with the hardware of the computing system (for example the hard disk), the operating system 232 must execute instructions of the BIOS 236 stored in the BIOS ROM 210. The BIOS 236 is usually a collection of many small programs that form the lowest-level software of the computing system and interface the operating system 232 to the hardware. Like the operating system 232, the BIOS 236 provides a generic interface to the computer hardware so that the operating system 232 can access the hardware without a hardware-specific interface design. The BIOS 236 allows system designers to change the hardware of the computing system (for example the hard disk, the chipset 208, the random access memory 206) without changes to the operating system 232 or the application programs 234. However, when the system configuration changes, the BIOS 236 must be updated, which is why the socket 112 and/or the BIOS programming bus 222 must be provided on the motherboard 102: they allow the BIOS ROM 210 to be easily replaced or reprogrammed. In some system configurations, the BIOS ROM 210 can be reprogrammed directly over the BIOS ROM bus 220. Thus, to allow changes to the BIOS 236, almost all present-day computing systems provide the arrangement above, in which the BIOS ROM 210 is a separate component that is easy to reprogram or replace.

In every computing system configuration the BIOS 236 is an essential feature, because its instructions enable the application programs 234 and the operating system 232 to interface directly with the hardware. Besides providing the interface to the system hardware, the BIOS 236 performs several other functions that are necessary for normal system operation. For example, when the system is powered on, the power-on self test (POST) program in the BIOS 236 is executed to test the hardware and verify that the system is correctly configured and operating. The BIOS 236 also includes programs that identify newly installed devices and assign system resources to them. The BIOS 236 further includes programs that load the operating system 232 from the hard disk into the random access memory 206 and transfer control of the system to the operating system 232. Finally, the BIOS 236 includes programs that detect and prevent tampering with the computing system.

Because the BIOS 236 is so important to the security and operation of a computing system, it is frequently a prime target for hacking and other forms of unauthorized tampering. For example, many well-known operating systems have provisions that the device manufacturer ties to the BIOS 236 in the computing system, allowing the manufacturer to sell computing systems with the operating system pre-installed. Typically, the manufacturer programs a flag (or "token") into a specific location in the BIOS 236, and when the operating system boots it reads the flag from that location in the BIOS 236 to confirm that it is being booted on an authorized system. If the flag is absent or incorrect, the operating system will not boot.

The example above is one of the many different kinds of security features programmed into present-day BIOSes 236, and it is given to provide some insight into BIOS security functions. It should be noted that, from the system designer's perspective, the BIOS 236 is the main target of tampering on the system, so protecting the BIOS 236 is a principal concern. In the example above, a hacker edits (or reprograms) the BIOS 236 in order to present the computing system to the protected operating system as an authorized system, or modifies the BIOS so that the operating system believes it is running on an authorized system when in fact it is not.

As described above, most present-day BIOS ROMs 110 are separate components on the motherboard 102, installed in a socket 112 so that they can be replaced conveniently when a change in the system hardware requires a change to the BIOS 236. Consequently, absent other security measures, the kind of hacking described above is possible.

System designers have therefore developed many different techniques for detecting and preventing tampering with a system and with the application programs 234 and/or operating system 232 running on it. For example, in US Patent Publication No. 2005/0015749, Mittal proposes protecting software from tampering by providing a secure memory portion and logic, including cryptographic logic, for encrypting and decrypting programs and data. However, the BIOS is stored in a memory space separate from the system software, so unless the BIOS is moved onto the same chip as the microprocessor, this cannot prevent any form of tampering; the BIOS can simply be changed by replacing the chip.

In US Patent No. 7,831,839, Hatakeyama discloses a secure boot ROM and a processor, where the secure boot ROM holds encrypted boot code (for example a BIOS) and the processor includes a hardware decryption unit. When the processor powers on, the encrypted BIOS is read into the processor's internal memory, and the decryption unit decrypts and authenticates the BIOS. If this succeeds, the processor enters a secure processing mode, and all BIOS requests are thereafter served from the internal memory. Although Hatakeyama provides an architecture that protects the BIOS by encrypting its contents, on-chip local memory must be used to hold the decrypted BIOS for it to execute efficiently. As is known to those skilled in the art, present-day BIOS programs (including system configuration data) are megabytes in size. Providing on-chip local memory that can hold megabytes of data increases the size and power consumption of the microprocessor, which reduces device reliability and raises the overall cost, so Hatakeyama's BIOS protection approach is disadvantageous.

Other techniques that have been developed encrypt all or part of the BIOS contents, which must then be decrypted on every BIOS request. Such techniques therefore degrade the performance of the computing system, particularly at boot time, because even with on-chip cryptographic hardware decryption is inherently a slow process. From a performance standpoint, encrypting the BIOS contents is thus undesirable.

Consequently, none of the techniques above (flags, partitioned secure memory, on-chip local BIOS memory, encrypted BIOS contents) provides easy access to the system BIOS ROM while at the same time limiting the performance impact. The present invention therefore provides novel techniques for BIOS ROMs that overcome these limitations: the socket-mounted BIOS ROM remains easy to upgrade; the BIOS contents (for example instructions and/or configuration data) are provided unencrypted (that is, in plaintext); and tampering can be detected after power-on without noticeably degrading system performance. The invention is described in the diagrams of FIGS. 3-7.

Referring to FIG. 3, FIG. 3 is a block diagram 300 showing an architecture for protecting the BIOS of a computing system according to an embodiment of the present invention. Block diagram 300 depicts a microprocessor (for example a processor, CPU, etc.) disposed on a single chip and packaged for mounting on a motherboard, as described above. In one embodiment, the microprocessor is compatible with the x86 architecture and can execute all instructions of the x86 instruction set. In another embodiment, the microprocessor is a multi-core processor disposed on a single chip. In another embodiment, the microprocessor is a virtual processing core, representing a physical processor that operating systems within a logical partition of the processor can share. For the purpose of describing the present invention, the essential elements of the microprocessor are described below, while many other elements known to those skilled in the art (for example load/store logic, cache memory, ordering logic, etc.) are omitted for simplicity.

The microprocessor includes fetch logic 302, which is coupled to a translator 304 via a bus 324. The translator 304 is coupled to execution logic 306 via a bus 326. The execution logic 306 includes a crypto/hash unit 308, which is coupled to a key store 310 via a bus 322. The microprocessor also includes a bus interface 318 for connecting the microprocessor to the chipset. The bus interface 318 is coupled to a reset controller 312 via a bus 328. The reset controller 312 receives a reset signal RESET and generates a shutdown signal SHUTDOWN. The reset controller 312 includes a tamper detector 314, which is coupled to a boot loader 316 via a bus NOBOOT. The reset controller 312 is coupled to the execution logic 306 via a tamper bus TBUS.

In operation, the fetch logic 302 fetches program instructions (from application programs, the operating system, and the BIOS cached in memory) for execution. The program instructions are provided to the translator 304 via the bus 324. The translator 304 translates each program instruction into one or more microinstructions, which are executed by one or more elements within the execution logic 306 to carry out the operation the program instruction specifies. Microinstructions (also called microcode or firmware) are specific to the microprocessor and cannot be accessed at the package level.

Under normal operation, after boot, the BIOS instructions and configuration data are recorded and cached in virtual memory and are fetched by the fetch logic 302 for execution. Normal operation of the microprocessor, however, only begins after a successful reset and boot sequence. The reset controller 312 receives the reset signal RESET and directs the execution logic 306 to execute microcode that performs self-tests and boots the system. To detect tampering with the BIOS and prevent unauthorized operation of a system containing the microprocessor, before boot the reset controller 312 fetches the entire contents of the BIOS ROM (not shown) via the bus interface 318 and provides the fetched contents to the execution logic 306 via the tamper bus TBUS. In one embodiment, the contents of the BIOS ROM include a digital signature (also called a hash or message digest) stored at a specific location in the BIOS ROM. As is known to those skilled in the art, depending on the particular hash operation used, the digital signature corresponding to the hash of the BIOS ROM (4 megabytes in size) is very small (for example 256 bits) and is unique to the specific contents of the BIOS ROM. Thus, if the contents of the ROM are altered, hashing the altered contents yields a different digital signature.

Before the digital signature is stored in the BIOS ROM, the manufacturer of the microprocessor encrypts it using a cryptographic key provided by the BIOS manufacturer. During manufacture of the microprocessor the key is programmed into the key store 310, after which it cannot be accessed by program instructions. In one embodiment, the key is unique to the microprocessor. In one embodiment, the contents of the key store 310 are accessed only by the crypto/hash unit 308 under the control of tamper detection microcode. The tamper detection microcode directs the reset controller 312 to fetch the contents of the BIOS ROM, including the encrypted digital signature, and the fetched contents are provided to the execution logic 306 via the tamper bus TBUS. At the same time, the tamper detection microcode directs the crypto/hash unit 308 to hash the BIOS according to the hash algorithm that the BIOS manufacturer used to generate the digital signature. In one embodiment, the hash algorithm is a Secure Hash Algorithm (for example SHA-0, SHA-1, etc.). Other embodiments use any known message digest algorithm. The tamper detection microcode also directs the crypto/hash unit 308 to use the key stored in the key store 310 to decrypt the encrypted digital signature fetched from the BIOS ROM. In one embodiment, the crypto/hash unit 308 performs the decryption using the Data Encryption Standard (DES) algorithm. In another embodiment, the crypto/hash unit 308 uses the Advanced Encryption Standard (AES) algorithm. Other embodiments use any known cipher algorithm. The digital signature generated by the crypto/hash unit 308 and the decrypted digital signature, whose encrypted version is stored at the specific location in the BIOS ROM, are provided to the tamper detector 314 via the tamper bus TBUS.

The tamper detector 314 compares the two digital signatures. If the two digital signatures are identical, the tamper detector 314 signals the boot loader 316 via the bus NOBOOT that it may begin the microprocessor's normal boot sequence. If the two digital signatures differ, the tamper detector 314 asserts the shutdown signal SHUTDOWN and directs the boot loader 316 to halt the boot sequence. The shutdown signal SHUTDOWN directs the remaining elements of the microprocessor to power down or to enter a mode that precludes normal operation.

According to an embodiment of the present invention, each time the microprocessor is reset only the encrypted message digest stored at the specific location in the BIOS ROM needs to be decrypted, that is, a 256-bit string rather than a 4-megabyte string. Furthermore, embodiments of the present invention allow plaintext BIOS instructions/data to be stored in a physically accessible configuration such as those described in FIGS. 1-2. The BIOS remains easy to update, and system performance is not degraded. No expensive internal local memory is needed to hold a decrypted BIOS. In addition, the key used to encrypt the message digest stored in the BIOS ROM cannot be accessed by program instructions; it can be accessed directly only by the crypto/hash unit 308.

Referring to FIG. 4, FIG. 4 is a block diagram 400 showing a periodic architecture for protecting the BIOS of a computing system according to an embodiment of the present invention. The architecture of FIG. 3 protects the system's BIOS at boot time, but the BIOS could still be tampered with while the system is in normal operation. The BIOS therefore needs to be protected from hacking both at power-on and during operation of the system, and the periodic architecture is proposed to accomplish this.

Block diagram 400 depicts a microprocessor disposed on a single chip and packaged for mounting on a motherboard, as described above. In one embodiment, the microprocessor is compatible with the x86 architecture and can execute all instructions of the x86 instruction set. In another embodiment, the microprocessor is a multi-core processor disposed on a single chip. In another embodiment, the microprocessor is a virtual processing core, representing a physical processor that operating systems within a logical partition of the processor can share. For the purpose of describing the present invention, the essential elements of the microprocessor are described below, while many other elements known to those skilled in the art (for example load/store logic, cache memory, ordering logic, etc.) are omitted for simplicity.

The microprocessor includes fetch logic 402, which is coupled to a translator 404 via a bus 424. The translator 404 is coupled to execution logic 406 via a bus 426. The execution logic 406 includes a crypto/hash unit 408, which is coupled to a key store 410 via a bus 422. The execution logic 406 also includes a random number generator 430. The microprocessor also includes a bus interface 418 for connecting the microprocessor to the chipset. The bus interface 418 is coupled to a reset controller 412 via a bus 428. The reset controller 412 receives a reset signal RESET and generates a shutdown signal SHUTDOWN. The reset controller 412 includes a tamper detector 414, which is coupled to a boot loader 416 via a bus NOBOOT. The tamper detector 414 includes a tamper timer 432. The reset controller 412 is coupled to the execution logic 406 via a tamper bus TBUS and a random number bus RBUS.

In operation, the elements of the architecture of FIG. 4 function substantially like the elements of the same name in the architecture of FIG. 3. However, besides detecting tampering with the BIOS during the reset boot sequence, the architecture of FIG. 4 also includes tamper detection microcode and elements that check the BIOS periodically to determine whether it has been tampered with while the computing system is operating. Like the key, the tamper timer 432 cannot be accessed by program instructions; it is accessed exclusively by the tamper detector 414 and the tamper detection microcode. In one embodiment, the tamper timer 432 interrupts normal operation of the system at a time interval set by the tamper detection microcode. In one embodiment, the interval is 1 millisecond, which is short enough to detect a physical attack that attempts to swap a hacked BIOS ROM in place of the existing BIOS ROM. An interval of 1 millisecond is also sufficient to detect an attack that attempts to reprogram the existing BIOS ROM. When the timer interrupt fires, the reset controller 412 fetches the entire contents of the BIOS ROM (not shown) via the bus interface 418 and provides the fetched contents to the execution logic 406 via the tamper bus TBUS. The tamper detection microcode directs the reset controller 412 to fetch the contents of the BIOS ROM, including the encrypted digital signature, and the fetched contents are provided to the execution logic 406 via the tamper bus TBUS. At the same time, the tamper detection microcode directs the crypto/hash unit 408 to hash the BIOS according to the hash algorithm that the BIOS manufacturer used to generate the digital signature. The tamper detection microcode also directs the crypto/hash unit 408 to use the key stored in the key store 410 to decrypt the encrypted digital signature fetched from the BIOS ROM. The digital signature generated by the crypto/hash unit 408 and the decrypted digital signature, whose encrypted version is stored at the specific location in the BIOS ROM, are provided to the tamper detector 414 via the tamper bus TBUS.

The tamper detector 414 compares the two digital signatures. If the two digital signatures are identical, the tamper detector 414 returns control of the microprocessor to the point at which the timer interrupt occurred. If the two digital signatures differ, the tamper detector 414 asserts the shutdown signal SHUTDOWN. The shutdown signal SHUTDOWN directs the remaining elements of the microprocessor to power down or to enter a mode that precludes normal operation.

In another embodiment, the tamper timer 432 does not use a fixed time interval. When a periodic BIOS hacking check completes, the tamper detection microcode directs the random number generator 430 to generate a random number, which is fed to the tamper timer 432 to set the interval until the next BIOS hacking check. In this way, the times at which the hacking checks are performed cannot be anticipated or predicted.

Like the architecture of FIG. 3, the periodic architecture of FIG. 4 according to an embodiment of the present invention only needs to decrypt the encrypted message digest stored at the specific location in the BIOS ROM, that is, a 256-bit string rather than a 4-megabyte string. In addition, the periodic architecture protects the secured system against hacking of the BIOS during the system's normal operation.

Referring to FIG. 5, FIG. 5 is a block diagram 500 showing an event-based architecture for protecting the BIOS of a computing system according to an embodiment of the present invention. Like the architecture of FIG. 4, it is another embodiment that protects the system BIOS while the computing system is in normal operation, but one that is based on the occurrence of events rather than the passage of time. These events may include (but are not limited to) hard disk accesses (or other forms of input/output access), changes to the virtual memory mapping (this architecture can be used in the configuration of a virtual processing system), changes in speed, and other kinds of events that commonly occur in present-day computing systems. The event-based architecture is therefore provided to accomplish this purpose.

Block diagram 500 depicts a microprocessor disposed on a single chip and packaged for mounting on a motherboard, as described above. In one embodiment, the microprocessor is compatible with the x86 architecture and can execute all instructions of the x86 instruction set. In another embodiment, the microprocessor is a multi-core processor disposed on a single chip. In another embodiment, the microprocessor is a virtual processing core, representing a physical processor that operating systems within a logical partition of the processor can share. For the purpose of describing the present invention, the essential elements of the microprocessor are described below, while many other elements known to those skilled in the art (for example load/store logic, cache memory, ordering logic, etc.) are omitted for simplicity.

The microprocessor includes fetch logic 502, which is coupled to a translator 504 via a bus 524. The translator 504 is coupled to execution logic 506 via a bus 526. The execution logic 506 includes a cipher/hash unit 508, which is coupled to a key storage 510 via a bus 522. The execution logic 506 also includes a random number generator 530. The microprocessor also includes a bus interface 518 for connecting the microprocessor to the chipset. The bus interface 518 is coupled to a reset controller 512 via a bus 528. The reset controller 512 receives a reset signal RESET and generates a shutdown signal SHUTDOWN. The reset controller 512 includes a tamper detector 514, which is coupled to a boot loader 516 via a bus NOBOOT. The tamper detector 514 includes an event detector 542, which receives an input/output access signal I/O ACCESS, a virtual memory map change signal VMMAP, a processor speed change signal SPEED, and other event signals OTHER. The reset controller 512 is coupled to the execution logic 506 via a tamper bus TBUS and a random number bus RBUS.

Operationally, the elements within the architecture of FIG. 5 perform in a manner substantially similar to the elements of the same name within the architectures of FIGS. 3 and 4. However, in addition to detecting tampering of the BIOS during the reset boot sequence, the architecture of FIG. 4 also includes tamper detection microcode and elements capable of checking the BIOS to determine whether the BIOS has been tampered with while the computing system is operating. The validity check of the BIOS is based on the occurrence of events rather than on time. Applicant notes that in today's computing systems, microprocessors execute a number of regularly occurring events, such as I/O accesses (e.g., hard disk, Peripheral Component Interconnect Express (PCI Express)), core clock speed changes, operating system calls, system state changes, and so on. Therefore, the signals received by the event detector 542 are only examples and are not intended to limit the types of events that can be used to trigger a BIOS check in block diagram 500.

Similar to the key, the event detector 542 cannot be accessed by executing program instructions; it is accessible only by the tamper detector 514 and the tamper detection microcode. In one embodiment, the event detector 542 interrupts normal operation of the system when one of the above events occurs, i.e., when one of the signals I/O ACCESS, VMMAP, SPEED, and OTHER is present. In another embodiment, the event detector 542 interrupts normal operation of the system when a number of occurrences of one of the above events have taken place. In yet another embodiment, the event detector 542 interrupts normal operation of the system when multiple events occur (e.g., an I/O access and a core clock speed change). The selected events and the number of occurrences are set by the tamper detection microcode. When the interrupt occurs, the reset controller 512 fetches the entire contents of the BIOS ROM (not shown) via the bus interface 518 and provides the fetched contents to the execution logic 506 via the tamper bus TBUS. The tamper detection microcode directs the reset controller 512 to fetch the contents of the BIOS ROM, including the encrypted digital signature, and the fetched contents are provided to the execution logic 506 via the tamper bus TBUS. The tamper detection microcode directs the cipher/hash unit 508 to hash the BIOS according to the hash algorithm that the BIOS manufacturer used to generate the digital signature. The tamper detection microcode also directs the cipher/hash unit 508 to decrypt the encrypted digital signature fetched from the BIOS ROM using the key stored in the key storage 510. The digital signature generated by the cipher/hash unit 508 and the decrypted digital signature are provided to the tamper detector 514 via the tamper bus TBUS, where the encrypted version of the decrypted digital signature is stored at a specific location in the BIOS ROM.

The tamper detector 514 compares the two digital signatures. If the two digital signatures are identical, the tamper detector 514 returns control of the microprocessor to the point in time at which the event-triggered interrupt occurred. If the two digital signatures differ, the tamper detector 514 asserts the shutdown signal SHUTDOWN. The shutdown signal SHUTDOWN directs the remaining elements of the microprocessor to power down or to enter a mode that prevents normal operation.

In another embodiment, upon completing a BIOS intrusion check, the tamper detection microcode directs the random number generator 530 to generate a random number rather than using a preset number of event occurrences. The random number is input to the event detector 542 to set the number of subsequent events that must occur before the next BIOS intrusion check is performed. In this embodiment, the number of events that trigger an intrusion check cannot be predicted or anticipated by a covert application executing on the microprocessor. In another embodiment, the random number is used to change the type of event that triggers the next BIOS intrusion check.

Similar to the architectures of FIGS. 3 and 4, the event-triggered architecture of FIG. 5 according to an embodiment of the present invention only needs to decrypt the encrypted message digest stored at a specific location in the BIOS ROM, that is, to decrypt a 256-bit string (the encrypted message digest) rather than a 4-megabyte string (the entire BIOS). Furthermore, during normal operation of the system, the event-triggered architecture protects the system from BIOS intrusions, where the number and types of events that trigger an intrusion check cannot be determined or forced.

Referring to FIG. 6, FIG. 6 is a block diagram 600 illustrating a partition-based architecture for protecting the BIOS of a computing system according to an embodiment of the present invention. The architecture of FIG. 6 may serve as another embodiment for protecting the system BIOS while the computing system is in normal operation, but one in which, when triggered by a tamper timer interrupt (e.g., the embodiment of FIG. 3) or by a system event (e.g., the embodiment of FIG. 4), only a subset of the BIOS is checked. Thus, the partition-based mechanism provides an option for settings in which performance is critical, because only a portion of the BIOS is checked at each trigger point and the impact on system performance is therefore smaller.

In the embodiment of FIG. 6, the BIOS space is divided into a plurality of partitions, each partition having a corresponding message digest that is encrypted and stored at a corresponding location in the BIOS ROM. In one embodiment, the partition size is the same for each of the partitions. In another embodiment, the partitions have different sizes. In one embodiment, only one of the partitions is checked in response to a BIOS check trigger (e.g., a timer interrupt or an event occurrence). In response to a BIOS check trigger, more than one of the partitions may be checked. In another embodiment, the number of partitions to be checked in response to a BIOS check trigger is determined by the tamper detection microcode (e.g., a repeating cycle of 1-3-1-2).

Block diagram 600 depicts a microprocessor disposed on a single chip and packaged for mounting on a motherboard, as previously described. In one embodiment, the microprocessor is compatible with the x86 architecture and can execute all instructions of the x86 instruction set. In another embodiment, the microprocessor is a multi-core processor disposed on a single chip. In another embodiment, the microprocessor is a virtual processing core, representing a physical processor that can be shared by operating systems running within logical portions of the processor. For the purpose of describing the present invention, the essential elements of the microprocessor are described below; many other elements known to those skilled in the art (such as load/store logic, cache memory, ordering logic, etc.) are simplified.

The microprocessor includes fetch logic 602, which is coupled to a translator 604 via a bus 624. The translator 604 is coupled to execution logic 606 via a bus 626. The execution logic 606 includes a cipher/hash unit 608, which is coupled to a key storage 610 via a bus 622. The execution logic 606 also includes a random number generator 630. The microprocessor also includes a bus interface 618 for connecting the microprocessor to the chipset. The bus interface 618 is coupled to a reset controller 612 via a bus 628. The reset controller 612 receives a reset signal RESET and generates a shutdown signal SHUTDOWN. The reset controller 612 includes a tamper detector 614, which is coupled to a boot loader 616 via a bus NOBOOT. The tamper detector 614 includes a partition selector 652. The reset controller 612 is coupled to the execution logic 606 via a tamper bus TBUS and a random number bus RBUS.

Operationally, the elements within the architecture of FIG. 6 perform in a manner substantially similar to the elements of the same name within the architectures of FIGS. 3-5. However, in addition to detecting tampering of the BIOS during the reset boot sequence, the architecture of FIG. 6 also includes tamper detection microcode and elements capable of checking the BIOS to determine whether the BIOS has been tampered with while the computing system is operating. The validity check of the BIOS is based on the occurrence of triggers as previously described. Upon the occurrence of a trigger, the partition selector 652 effectively selects one or more partitions of the BIOS to check.

Similar to the key, the partition selector 652 cannot be accessed by executing program instructions; it is accessible only by the tamper detector 614 and the tamper detection microcode. When a BIOS check trigger occurs, normal operation of the computing system is interrupted, and the partition selector 652 directs the controller 612 to fetch the contents of one or more partitions of the BIOS ROM (not shown) via the bus interface 618 and to provide the fetched contents to the execution logic 606 via the tamper bus TBUS. The contents, including the corresponding one or more encrypted digital signatures, are provided to the execution logic 606 via the tamper bus TBUS. The tamper detection microcode directs the cipher/hash unit 608 to hash the one or more partitions according to the hash algorithm that the BIOS manufacturer used to generate the one or more digital signatures. The tamper detection microcode also directs the cipher/hash unit 608 to decrypt the corresponding one or more encrypted digital signatures fetched from the BIOS ROM using the key stored in the key storage 610. The one or more digital signatures generated by the cipher/hash unit 608 and the one or more decrypted digital signatures are provided to the tamper detector 614 via the tamper bus TBUS, where the encrypted versions of the one or more decrypted digital signatures are stored at one or more specific locations in the BIOS ROM.

The tamper detector 614 compares one or more pairs of digital signatures. If all comparisons match, the tamper detector 614 returns control of the microprocessor to the point in time at which the event-triggered interrupt occurred. If the digital signatures differ, the tamper detector 614 asserts the shutdown signal SHUTDOWN. The shutdown signal SHUTDOWN directs the remaining elements of the microprocessor to power down or to enter a mode that prevents normal operation.

In another embodiment, upon completing a BIOS intrusion check, the tamper detection microcode directs the random number generator 630 to generate a random number rather than checking a fixed or cyclic number of partitions. The random number is input to the partition selector 652 to set the number of subsequent events that must occur before the next BIOS intrusion check is performed. In this embodiment, the number of partitions in effect at the time of a checkpoint trigger cannot be predicted or anticipated by a covert application executing on the microprocessor. In a different embodiment, the random number is used to indicate the next of the partitions to be checked.

Referring to FIG. 7, FIG. 7 is a block diagram 700 illustrating a BIOS tamper protection architecture according to an embodiment of the present invention. The embodiment of FIG. 7 provides a complete configuration that not only performs a full check of the computing system's BIOS at power-on and at reset, but also provides comprehensive protection of the system BIOS during operation by using the techniques described with reference to FIGS. 4-6 in combination.

Block diagram 700 depicts a microprocessor disposed on a single chip and packaged for mounting on a motherboard, as previously described. In one embodiment, the microprocessor is compatible with the x86 architecture and can execute all instructions of the x86 instruction set. In another embodiment, the microprocessor is a multi-core processor disposed on a single chip. In another embodiment, the microprocessor is a virtual processing core, representing a physical processor that can be shared by operating systems running within logical portions of the processor. For the purpose of describing the present invention, the essential elements of the microprocessor are described below; many other elements known to those skilled in the art (such as load/store logic, cache memory, ordering logic, etc.) are simplified.

The microprocessor includes fetch logic 702, which is coupled to a translator 704 via a bus 724. The translator 704 is coupled to execution logic 706 via a bus 726. The execution logic 706 includes a cipher/hash unit 708, which is coupled to a key storage 710 via a bus 722. The execution logic 706 also includes a random number generator 730. The microprocessor also includes a bus interface 718 for connecting the microprocessor to the chipset. The bus interface 718 is coupled to a reset controller 712 via a bus 728. The reset controller 712 receives a reset signal RESET and generates a shutdown signal SHUTDOWN. The reset controller 712 includes a tamper detector 714, which is coupled to a boot loader 716 via a bus NOBOOT. The tamper detector 714 includes a tamper timer 732, an event detector 742, and a partition selector 752. The event detector 742 receives an input/output access signal I/O ACCESS, a virtual memory map change signal VMMAP, a processor speed change signal SPEED, and other event signals OTHER. The reset controller 712 is coupled to the execution logic 706 via a tamper bus TBUS and a random number bus RBUS.

Operationally, the elements within the architecture of FIG. 7 perform in a manner substantially similar to the elements of the same name within the architectures of FIGS. 3-6. However, in addition to detecting tampering of the BIOS during the reset boot sequence, the architecture of FIG. 7 also includes tamper detection microcode and elements capable of checking the BIOS to determine whether the BIOS has been tampered with while the computing system is operating. The validity check of the BIOS is based on the occurrence of timer interrupts from the tamper timer 732 and of event triggers as described with reference to FIG. 5. Upon the occurrence of a timer interrupt or an event trigger, the partition selector 752 effectively selects one or more partitions of the BIOS to check, as described with reference to FIG. 6.

The tamper timer 732, the event detector 742, and the partition selector 752 cannot be accessed by executing program instructions; the partition selector 752 is accessible only by the tamper detector 714 and the tamper detection microcode. When a timer interrupt or an event trigger occurs, normal operation of the computing system is interrupted, and the partition selector 752 directs the controller 712 to fetch the contents of one or more partitions of the BIOS ROM (not shown) via the bus interface 718 and to provide the fetched contents to the execution logic 706 via the tamper bus TBUS. The contents, including the corresponding one or more encrypted digital signatures, are provided to the execution logic 706 via the tamper bus TBUS. The tamper detection microcode directs the cipher/hash unit 708 to hash the one or more partitions according to the hash algorithm that the BIOS manufacturer used to generate the one or more digital signatures. The tamper detection microcode also directs the cipher/hash unit 708 to decrypt the corresponding one or more encrypted digital signatures fetched from the BIOS ROM using the key stored in the key storage 710. The one or more digital signatures generated by the cipher/hash unit 708 and the one or more decrypted digital signatures are provided to the tamper detector 714 via the tamper bus TBUS, where the encrypted versions of the one or more decrypted digital signatures are stored at one or more specific locations in the BIOS ROM.

The tamper detector 714 compares one or more pairs of digital signatures. If all comparisons match, the tamper detector 714 returns control of the microprocessor to the point in time at which the event-triggered interrupt occurred. If the digital signatures differ, the tamper detector 714 asserts the shutdown signal SHUTDOWN. The shutdown signal SHUTDOWN directs the remaining elements of the microprocessor to power down or to enter a mode that prevents normal operation.

In one embodiment, the combination and sequence of timer interrupts and event triggers are determined by the tamper detection microcode. In another embodiment, the random number generated by the random number generator 730 at the end of a BIOS check indicates whether the next BIOS check will be initiated by a timer interrupt or by an event trigger. As shown in FIGS. 4-5, in some embodiments the random number generator 730 randomly changes the time interval and/or the event type and the number of events.

In another embodiment, upon completing a BIOS intrusion check, the tamper detection microcode directs the random number generator 730 to generate a random number rather than checking a fixed or cyclic number of partitions. The random number is input to the partition selector 752 to set the next number of partitions to be checked during the next BIOS intrusion check. In this embodiment, the number of partitions in effect at the time of a checkpoint trigger cannot be predicted or anticipated by a covert application executing on the microprocessor. In a different embodiment, the random number is used to indicate the next of the partitions to be checked.
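The runtime check described for FIGS. 5-7 (event-counted trigger, partition selector, hash-then-decrypt-then-compare, SHUTDOWN on mismatch, random rescheduling) modelled as an added example; this is not code from the patent or from VIA. The BIOS image, key, partition size and RNG seeds are constructed, and a SHA-256 keystream stands in for the AES of claim 5 so that the example needs only the standard library.

```python
"""Model of the event-triggered, partition-based BIOS tamper check of FIGS. 5-7.
Constructed example: the BIOS image, key, partition size and RNG seeds are made up.
"""
import hashlib
import random
import secrets

PARTITION_SIZE = 4096  # constructed; the patent's BIOS is on the order of 4 MB
KEY = hashlib.sha256(b"constructed demo key").digest()  # stands in for key storage 710


def keystream_xor(key: bytes, partition_idx: int, data: bytes) -> bytes:
    """Stand-in for the AES encryption/decryption of a digest (claim 5): a SHA-256
    counter-mode keystream XORed over the data, with the partition index as nonce so
    every stored digest is keyed differently. The same call decrypts. NOT AES; used
    only to keep the example free of third-party packages."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + partition_idx.to_bytes(4, "big")
                               + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def provision(bios_image: bytes):
    """Manufacturer side (FIG. 6): split the image into partitions and store, for each
    plaintext partition, the encrypted SHA-256 message digest of that partition."""
    parts = [bios_image[i:i + PARTITION_SIZE]
             for i in range(0, len(bios_image), PARTITION_SIZE)]
    enc_digests = [keystream_xor(KEY, idx, hashlib.sha256(p).digest())
                   for idx, p in enumerate(parts)]
    return parts, enc_digests


def check_partitions(parts, enc_digests, selected) -> bool:
    """Tamper detector 614/714: hash each selected plaintext partition, decrypt the
    stored digest with the key, and compare the pair. False means SHUTDOWN."""
    for idx in selected:
        second_digest = hashlib.sha256(parts[idx]).digest()
        decrypted_digest = keystream_xor(KEY, idx, enc_digests[idx])
        if not secrets.compare_digest(second_digest, decrypted_digest):
            return False
    return True


class TamperMonitor:
    """Event detector 742 plus partition selector 752 (FIG. 7). Each on_event() call is
    one event signal (I/O ACCESS, VMMAP, SPEED, OTHER). When the event count reaches
    the threshold, the next `partitions_per_check` partitions are checked round-robin,
    then a fresh threshold and partition count are drawn from the RNG (730), so software
    on the processor cannot predict when, or how much of, the BIOS is checked next."""

    def __init__(self, parts, enc_digests, rng=None):
        self.parts, self.enc_digests = parts, enc_digests
        self.rng = rng or random.SystemRandom()
        self.next_partition = 0
        self.checks_run = 0
        self.shutdown = False
        self._reschedule()

    def _reschedule(self):
        self.events_until_check = self.rng.randint(1, 8)
        self.partitions_per_check = self.rng.randint(1, len(self.parts))

    def on_event(self, signal: str) -> str:
        if self.shutdown:
            return "SHUTDOWN"
        self.events_until_check -= 1
        if self.events_until_check > 0:
            return "RESUME"  # normal operation continues
        n = len(self.parts)
        selected = [(self.next_partition + i) % n for i in range(self.partitions_per_check)]
        self.next_partition = (self.next_partition + self.partitions_per_check) % n
        self.checks_run += 1
        if not check_partitions(self.parts, self.enc_digests, selected):
            self.shutdown = True
            return "SHUTDOWN"
        self._reschedule()
        return "RESUME"


def simulate(tamper_partition=None, num_partitions=4, seed=7, max_events=200) -> dict:
    """Provision a constructed BIOS image, optionally flip one bit in a partition after
    provisioning (the tampering), then feed events until SHUTDOWN or max_events."""
    image = bytes((i * 31 + 7) & 0xFF for i in range(num_partitions * PARTITION_SIZE))
    parts, enc_digests = provision(image)
    if tamper_partition is not None:
        p = bytearray(parts[tamper_partition])
        p[100] ^= 0x01
        parts[tamper_partition] = bytes(p)
    monitor = TamperMonitor(parts, enc_digests, rng=random.Random(seed))
    for events in range(1, max_events + 1):
        if monitor.on_event("I/O ACCESS") == "SHUTDOWN":
            return {"shutdown": True, "events": events, "checks": monitor.checks_run}
    return {"shutdown": False, "events": max_events, "checks": monitor.checks_run}


if __name__ == "__main__":
    print("intact BIOS :", simulate())
    print("tampered #2 :", simulate(tamper_partition=2))
```

Note that a single trigger only catches a modification inside the partitions it happens to select; the round-robin selector guarantees every partition is reached within a bounded number of checks, which is the trade-off the partition-based embodiment makes for lower per-trigger cost.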

According to embodiments of the present invention, the elements of the microprocessor are configured to perform the functions and operations described above. The elements include logic, circuits, devices, or microcode (i.e., microinstructions or native instructions), or combinations thereof, or equivalent elements employed to perform the functions and operations according to the present invention. The elements used within the microprocessor to accomplish these functions and operations may be shared with other circuits, microcode, etc. that are used to perform other functions and/or operations within the microprocessor. As used in this application, the term microcode refers to one or more microinstructions. A microinstruction (also called a native instruction) is an instruction executed by a unit. For example, microinstructions are executed directly by a reduced instruction set computer (RISC) microprocessor. For a complex instruction set computer (CISC) microprocessor, such as an x86-compatible microprocessor, x86 instructions are translated into associated microinstructions, and the associated microinstructions are executed directly by one or more units within the CISC microprocessor.

The software, algorithms, and symbolic representations provided in the present invention and the corresponding description represent operations on data bits within a computer memory. These descriptions and drawings are the means by which those skilled in the art effectively convey the substance of their work to others skilled in the art. An algorithm, as the term is used here, denotes a self-consistent sequence of steps. The steps require physical manipulations of physical quantities. Generally, these quantities take the form of optical, electrical, or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. For convenience, these signals are sometimes referred to as bits, values, elements, symbols, characters, terms, numbers, or the like.

It should be noted, however, that all of these and similar terms are associated with the appropriate physical quantities and are merely convenient labels applied to those quantities. Unless specifically stated otherwise, terms such as processing, computing, calculating, determining, displaying, or the like refer to the actions and processes of a computer system, a microprocessor, a central processing unit, or a similar electronic computing device that manipulates and transforms data represented as physical quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the memories or registers of the computer system or other similar information storage or display devices.

It should be noted that the software-implemented aspects of the present invention are encoded on a program storage medium or other similar type of transmission medium. The program storage medium may be electronic (e.g., read-only memory, flash read-only memory, electrically erasable read-only memory), random-access memory magnetic (e.g., a floppy disk or hard disk), or optical (e.g., compact disc read-only memory (CD-ROM)), as well as other read-only or random-access devices. Similarly, the transmission medium may be metallic wire, twisted pair, coaxial cable, optical fiber, or other similar known transmission media. The present invention is not limited to these embodiments.

Although the present invention has been disclosed above in terms of preferred embodiments, they are not intended to limit the present invention. Those skilled in the art may make changes and modifications without departing from the spirit and scope of the present invention; therefore, the scope of protection of the present invention is defined by the claims.

Claims (42)

1. An apparatus for protecting a basic input/output system (BIOS) within a computing system, comprising:
    a BIOS read-only memory (ROM), comprising:
        a plurality of BIOS content partitions, wherein each of the BIOS content partitions is stored as plain text; and
        a plurality of encrypted message digests, wherein each of the encrypted message digests comprises an encrypted version of a first message digest for the corresponding BIOS content partition;
    a partition selector, configured to select one or more of the BIOS content partitions in response to a BIOS check interrupt that interrupts normal operation of the computing system, wherein the number of the one or more BIOS content partitions selected is determined by tamper detection microcode; and
    a tamper detector, coupled to the BIOS ROM and to the partition selector and able to access the partition selector, configured to, in response to the BIOS check interrupt, access the one or more BIOS content partitions and the corresponding one or more encrypted message digests, direct a microprocessor to generate one or more second message digests corresponding to the one or more BIOS content partitions and one or more decrypted message digests corresponding to the one or more encrypted message digests using the same algorithm and key that were used to generate the first message digest and the encrypted message digest, compare the second message digests with the decrypted message digests, and prevent operation of the microprocessor when the one or more second message digests and the one or more decrypted message digests are not pairwise identical.

2. The apparatus of claim 1, wherein the BIOS check interrupt is generated periodically at a time interval.

3. The apparatus of claim 1, wherein the BIOS check interrupt is generated according to the occurrence of an event, the event comprising one or more occurrences of one selected from the following events:
    an input/output access;
    a change in processor speed; and
    a change in a virtual memory map.

4. The apparatus of claim 1, wherein the microprocessor uses a secure hash algorithm to generate the second message digests.

5. The apparatus of claim 1, wherein the microprocessor uses an Advanced Encryption Standard algorithm to generate the decrypted message digests.

6. The apparatus of claim 1, wherein the microprocessor comprises a cipher/hash unit disposed within execution logic, and the second message digests and the decrypted message digests are generated by the cipher/hash unit, wherein the key is accessible only by the cipher/hash unit.

7. The apparatus of claim 6, wherein the microprocessor further comprises a random number generator disposed within the execution logic, wherein the random number generator generates a random number after a current BIOS check has been completed, and wherein the partition selector uses the random number to randomly set the number of the BIOS content partitions to be checked during the next BIOS check.

8. An apparatus for protecting a BIOS within a computing system, comprising:
    a BIOS ROM, comprising:
        a plurality of BIOS content partitions, wherein each of the BIOS content partitions is stored as plain text; and
        a plurality of encrypted message digests, wherein each of the encrypted message digests comprises an encrypted version of a first message digest for the corresponding BIOS content partition; and
    a microprocessor, coupled to the BIOS ROM, comprising:
        a partition selector, configured to select one or more of the BIOS content partitions in response to a BIOS check interrupt that interrupts normal operation of the computing system, wherein the number of the one or more BIOS content partitions selected is determined by tamper detection microcode; and
        a tamper detector, coupled to the BIOS ROM and to the partition selector and able to access the partition selector, configured to, in response to the BIOS check interrupt, access the one or more BIOS content partitions and the corresponding one or more encrypted message digests, direct the microprocessor to generate one or more second message digests corresponding to the one or more BIOS content partitions and one or more decrypted message digests corresponding to the one or more encrypted message digests using the same algorithm and key that were used to generate the first message digest and the encrypted message digest, compare the second message digests with the decrypted message digests, and prevent operation of the microprocessor when the one or more second message digests and the one or more decrypted message digests are not pairwise identical.

9. The apparatus of claim 8, wherein the BIOS check interrupt is generated periodically at a time interval.

10. The apparatus of claim 8, wherein the BIOS check interrupt is generated according to the occurrence of an event, the event comprising one or more occurrences of one selected from the following events:
    an input/output access;
    a change in processor speed; and
    a change in a virtual memory map.

11. The apparatus of claim 8, wherein the microprocessor uses a secure hash algorithm to generate the second message digests.

12. The apparatus of claim 8, wherein the microprocessor uses an Advanced Encryption Standard algorithm to generate the decrypted message digests.

13. The apparatus of claim 8, wherein the microprocessor further comprises:
The apparatus as claimed in claim 8, wherein said microprocessor further comprises: 一密码机/散列单元,设置在一执行逻辑内,用以产生上述第二讯息文摘以及上述解密讯息文摘,其中上述密钥仅能由上述密码机/散列单元进行存取。A cipher/hash unit is set in an execution logic to generate the second message digest and the decrypted message digest, wherein the key can only be accessed by the cipher/hash unit. 14.如权利要求13所述的设备,其中上述微处理器还包括:14. The apparatus of claim 13, wherein said microprocessor further comprises: 一乱数产生器,设置在上述执行逻辑内,用以在完成了一目前基本输入输出系统检查之后,产生一乱数,a random number generator, arranged in the above execution logic, for generating a random number after completing a current basic input output system check, 其中上述分区选择器是使用上述乱数来随机地设定在下一个基本输入输出系统检查期间欲检查的上述基本输入输出系统内容分区的数量。Wherein the above-mentioned partition selector uses the above-mentioned random number to randomly set the number of the above-mentioned BIOS content partitions to be inspected during the next BIOS inspection. 15.一种用以保护一计算系统内的一基本输入输出系统的方法,包括:15. A method for securing a BIOS within a computing system, comprising: 储存多个基本输入输出系统内容分区以及多个加密讯息文摘至一基本输入输出系统只读存储器,其中每一上述基本输入输出系统内容分区是储存为可读文本,以及每一上述加密讯息文摘包括一第一讯息文摘的一加密版本以及所对应的上述基本输入输出系统内容分区;storing a plurality of BIOS content partitions and a plurality of encrypted message digests in a BIOS read-only memory, wherein each of said BIOS content partitions is stored as readable text, and each of said encrypted message digests includes An encrypted version of the first message digest and the corresponding BIOS content partition; 回应于中断上述计算系统的正常操作的一基本输入输出系统检查中断,选择一个或多个上述基本输入输出系统内容分区,其中所选择的一个或多个上述基本输入输出系统内容分区的数量是由一窜改检测微码所决定;In response to a BIOS check interrupt interrupting normal operation of said computing system, selecting one or more of said BIOS content partitions, wherein the number of selected one or more of said BIOS content partitions is determined by - Determined by the tamper detection microcode; 
回应于上述基本输入输出系统检查中断,对一个或多个上述基本输入输出系统内容分区以及所对应的一个或多个上述加密讯息文摘进行存取,以及使用用来产生上述第一讯息文摘与上述加密讯息文摘的相同演算法与密钥来产生对应于所选择的一个或多个上述基本输入输出系统内容分区的所对应的一个或多个第二讯息文摘以及对应于一个或多个上述加密讯息文摘的所对应的一个或多个解密讯息文摘;In response to the above-mentioned BIOS check interrupt, access one or more of the above-mentioned BIOS content partitions and the corresponding one or more of the above-mentioned encrypted message digests, and use the method used to generate the above-mentioned first message digest and the above-mentioned the same algorithm and key for encrypting the message digest to generate corresponding one or more second message digests corresponding to the selected one or more of the aforementioned BIOS content partitions and corresponding to one or more of the aforementioned encrypted message digests one or more decrypted message digests corresponding to the digest; 比较上述第二讯息文摘与上述解密讯息文摘;以及comparing said second message digest with said decrypted message digest; and 以及当一个或多个上述第二讯息文摘以及一个或多个上述解密讯息文摘不是成对相同时,防止一微处理器的操作。and preventing operation of a microprocessor when one or more of said second message digests and one or more of said decrypted message digests are not pairwise identical. 16.如权利要求15所述的方法,其中上述基本输入输出系统检查中断是周期性地在一时间间隔产生。16. The method of claim 15, wherein said BIOS check interrupt is periodically generated at a time interval. 17.如权利要求15所述的方法,其中上述基本输入输出系统检查中断是根据一事件的发生而产生,其中上述事件包括选自下列事件的一者的一个或多个发生:17. The method as claimed in claim 15, wherein the above-mentioned BIOS check interrupt is generated according to the occurrence of an event, wherein the above-mentioned event includes one or more occurrences of one selected from the following events: 一输入/输出存取;- input/output access; 一处理器速度的改变;以及a change in processor speed; and 一虚拟存储器映射的改变。A virtual memory map change. 18.如权利要求15所述的方法,其中上述回应于上述基本输入输出系统检查中断,对一个或多个上述基本输入输出系统内容分区以及所对应的一个或多个上述加密讯息文摘进行存取的步骤还包括:18. 
The method of claim 15, wherein said one or more of said BIOS content partitions and corresponding one or more of said encrypted message digests are accessed in response to said BIOS check interrupt The steps also include: 使用一安全散列演算法来产生上述第二讯息文摘。A secure hash algorithm is used to generate the above-mentioned second message digest. 19.如权利要求15所述的方法,其中上述回应于上述基本输入输出系统检查中断,对一个或多个上述基本输入输出系统内容分区以及所对应的一个或多个上述加密讯息文摘进行存取的步骤还包括:19. The method of claim 15, wherein said one or more of said BIOS content partitions and the corresponding one or more of said encrypted message digests are accessed in response to said BIOS check interrupt The steps also include: 使用一进阶加密标准演算法来产生上述解密讯息文摘。An APSC algorithm is used to generate the decrypted message digest. 20.如权利要求15所述的方法,其中上述微处理器包括设置在一执行逻辑内的一密码机/散列单元,以及上述第二讯息文摘以及上述解密讯息文摘是由上述密码机/散列单元所产生,其中上述密钥仅能由上述密码机/散列单元进行存取。20. The method of claim 15, wherein said microprocessor includes a cipher/hash unit disposed within an execution logic, and said second message digest and said decrypted message digest are generated by said cipher/hash unit generated by the column unit, wherein the above-mentioned key can only be accessed by the above-mentioned cipher/hash unit. 21.如权利要求20所述的方法,其中上述微处理器还包括设置在上述执行逻辑内的一乱数产生器,其中在完成了一目前基本输入输出系统检查之后,上述乱数产生器产生一乱数,其中上述分区选择是使用上述乱数来随机地设定在下一个基本输入输出系统检查期间欲检查的上述基本输入输出系统内容分区的数量。21. The method of claim 20, wherein said microprocessor further comprises a random number generator disposed within said execution logic, wherein said random number generator generates a random number after completing a current BIOS check , wherein the above-mentioned partition selection is to use the above-mentioned random number to randomly set the number of the above-mentioned BIOS content partitions to be checked during the next BIOS check. 22.一种用以保护一计算系统内的一基本输入输出系统的设备,包括:22. 
An apparatus for protecting a BIOS within a computing system, comprising: 一基本输入输出系统只读存储器,包括:A BIOS ROM, comprising: 多个基本输入输出系统内容分区,其中每一上述基本输入输出系统内容分区是储存为可读文本;以及a plurality of BIOS content partitions, wherein each of said BIOS content partitions is stored as readable text; and 多个加密讯息文摘,其中每一上述加密讯息文摘包括一第一讯息文摘的一加密版本以及所对应的上述基本输入输出系统内容分区;a plurality of encrypted message digests, each of which includes an encrypted version of a first message digest and the corresponding BIOS content partition; 一分区选择器,用以回应于中断上述计算系统的正常操作的一基本输入输出系统检查中断,选择一个或多个上述基本输入输出系统内容分区,其中所选择的一个或多个上述基本输入输出系统内容分区的数量是由一窜改检测微码所决定;以及a partition selector for selecting one or more of the above-mentioned BIOS content partitions in response to a BIOS check interrupt interrupting normal operation of the above-mentioned computing system, wherein the selected one or more of the above-mentioned BIOS The number of system content partitions is determined by a tamper detection microcode; and 一窜改检测器,耦接于上述基本输入输出系统只读存储器以及上述分区选择器并且能够存取该分区选择器,用以在时间间隔以及事件发生的一组合而产生上述基本输入输出系统检查中断、回应于上述基本输入输出系统检查中断而对一个或多个上述基本输入输出系统内容分区以及所对应的一个或多个上述加密讯息文摘进行存取、指示一微处理器使用用来产生上述第一讯息文摘与上述加密讯息文摘的相同演算法与密钥来产生对应于一个或多个上述基本输入输出系统内容分区的所对应的一个或多个第二讯息文摘以及对应于一个或多个上述加密讯息文摘的所对应的一个或多个解密讯息文摘、比较上述第二讯息文摘与上述解密讯息文摘,以及当一个或多个上述第二讯息文摘以及一个或多个上述解密讯息文摘不是成对相同时,防止上述微处理器的操作。a tamper detector coupled to the BIOS ROM and the partition selector and capable of accessing the partition selector for generating the BIOS check interrupt at a combination of time intervals and event occurrences , responding to the above-mentioned BIOS check interrupt, accessing one or more of the above-mentioned BIOS content partitions and the corresponding one or more of the above-mentioned encrypted message digests, instructing a microprocessor to use the method used to generate the above-mentioned first A message digest with the same algorithm and key as the encrypted message digest to generate one or more second message digests corresponding to one or more of the above BIOS content partitions and 
corresponding to one or more of the above one or more decrypted message digests corresponding to the encrypted message digest, comparing the second message digest with the decrypted message digest, and when one or more of the second message digests and one or more of the decrypted message digests are not paired At the same time, the operation of the above-mentioned microprocessor is prevented. 23.如权利要求22所述的设备,其中上述微处理器是使用一安全散列演算法来产生上述第二讯息文摘。23. The apparatus of claim 22, wherein the microprocessor generates the second message digest using a secure hash algorithm. 24.如权利要求22所述的设备,其中上述微处理器是使用一进阶加密标准演算法来产生上述解密讯息文摘。24. The apparatus of claim 22, wherein said microprocessor uses an Advanced Encryption Standard algorithm to generate said decrypted message digest. 25.如权利要求22所述的设备,其中时间间隔以及事件发生的上述组合包括时间间隔以及事件发生的一编程顺序。25. The apparatus of claim 22, wherein said combination of time intervals and event occurrences comprises a programmed sequence of time intervals and event occurrences. 26.如权利要求22所述的设备,其中上述微处理器包括设置在一执行逻辑内的一密码机/散列单元,以及上述第二讯息文摘以及上述解密讯息文摘是由上述密码机/散列单元所产生,其中上述密钥仅能由上述密码机/散列单元进行存取。26. The apparatus of claim 22, wherein said microprocessor includes a cipher/hash unit disposed within an execution logic, and said second message digest and said decrypted message digest are generated by said cipher/hash unit generated by the column unit, wherein the above-mentioned key can only be accessed by the above-mentioned cipher/hash unit. 27.如权利要求26所述的设备,其中上述微处理器还包括设置在上述执行逻辑内的一乱数产生器,其中在完成了一目前基本输入输出系统检查之后,上述乱数产生器产生一乱数,其中当一事件发生的时间间隔逾期时,窜改计时器是使用上述乱数来随机地设定下一个基本输入输出系统检查中断是否成立。27. 
The apparatus of claim 26, wherein said microprocessor further comprises a random number generator disposed within said execution logic, wherein said random number generator generates a random number after completing a current BIOS check , wherein when the time interval for an event to occur expires, the tampering timer uses the above-mentioned random number to randomly set the next BIOS to check whether the interrupt is established. 28.如权利要求26所述的设备,其中上述微处理器还包括设置在上述执行逻辑内的一乱数产生器,其中在完成了一目前基本输入输出系统检查之后,上述乱数产生器产生一乱数,其中上述分区选择器是使用上述乱数来随机地设定在下一个基本输入输出系统检查期间欲检查的上述基本输入输出系统内容分区的数量。28. The apparatus of claim 26, wherein said microprocessor further comprises a random number generator disposed within said execution logic, wherein said random number generator generates a random number after completing a current BIOS check , wherein the above-mentioned partition selector uses the above-mentioned random number to randomly set the number of the above-mentioned BIOS content partitions to be checked during the next BIOS check. 29.一种用以保护一计算系统内的一基本输入输出系统的设备,包括:29. 
An apparatus for protecting a BIOS within a computing system, comprising: 一基本输入输出系统只读存储器,包括:A BIOS ROM, comprising: 多个基本输入输出系统内容分区,其中每一上述基本输入输出系统内容分区是储存为可读文本;以及a plurality of BIOS content partitions, wherein each of said BIOS content partitions is stored as readable text; and 多个加密讯息文摘,其中每一上述加密讯息文摘包括一第一讯息文摘的一加密版本以及所对应的上述基本输入输出系统内容分区;a plurality of encrypted message digests, each of which includes an encrypted version of a first message digest and the corresponding BIOS content partition; 一微处理器,耦接于上述基本输入输出系统只读存储器,包括:A microprocessor coupled to the above-mentioned BIOS ROM, including: 一分区选择器,用以回应于中断上述计算系统的正常操作的一基本输入输出系统检查中断,选择一个或多个上述基本输入输出系统内容分区,其中所选择的一个或多个上述基本输入输出系统内容分区的数量是由一窜改检测微码所决定;以及a partition selector for selecting one or more of the above-mentioned BIOS content partitions in response to a BIOS check interrupt interrupting normal operation of the above-mentioned computing system, wherein the selected one or more of the above-mentioned BIOS The number of system content partitions is determined by a tamper detection microcode; and 一窜改检测器,耦接于上述基本输入输出系统只读存储器以及上述分区选择器并且能够存取该分区选择器,用以在时间间隔以及事件发生的一组合而产生上述基本输入输出系统检查中断、回应于上述基本输入输出系统检查中断而对一个或多个上述基本输入输出系统内容分区以及所对应的一个或多个上述加密讯息文摘进行存取、指示上述微处理器使用用来产生上述第一讯息文摘与上述加密讯息文摘的相同演算法与密钥来产生对应于一个或多个上述基本输入输出系统内容分区的所对应的一个或多个第二讯息文摘以及对应于一个或多个上述加密讯息文摘的所对应的一个或多个解密讯息文摘、比较上述第二讯息文摘与上述解密讯息文摘,以及当一个或多个上述第二讯息文摘以及一个或多个上述解密讯息文摘不是成对相同时,防止上述微处理器的操作。a tamper detector coupled to the BIOS ROM and the partition selector and capable of accessing the partition selector for generating the BIOS check interrupt at a combination of time intervals and event occurrences , responding to the above-mentioned BIOS check interrupt, accessing one or more of the above-mentioned BIOS content partitions and the corresponding one or more of the above-mentioned encrypted message digests, instructing the above-mentioned microprocessor to use the method used to generate the above-mentioned first A message digest with the same algorithm and key as the encrypted message digest to 
generate one or more second message digests corresponding to one or more of the above BIOS content partitions and corresponding to one or more of the above one or more decrypted message digests corresponding to the encrypted message digest, comparing the second message digest with the decrypted message digest, and when one or more of the second message digests and one or more of the decrypted message digests are not paired At the same time, the operation of the above-mentioned microprocessor is prevented. 30.如权利要求29所述的设备,其中上述微处理器是使用一安全散列演算法来产生上述第二讯息文摘。30. The apparatus of claim 29, wherein the microprocessor generates the second message digest using a secure hash algorithm. 31.如权利要求29所述的设备,其中上述微处理器是使用一进阶加密标准演算法来产生上述解密讯息文摘。31. The apparatus of claim 29, wherein said microprocessor uses an Advanced Encryption Standard algorithm to generate said decrypted message digest. 32.如权利要求29所述的设备,其中时间间隔以及事件发生的上述组合包括时间间隔以及事件发生的一编程顺序。32. The apparatus of claim 29, wherein said combination of time intervals and event occurrences comprises a programmed sequence of time intervals and event occurrences. 33.如权利要求29所述的设备,其中上述微处理器还包括:33. The apparatus of claim 29, wherein said microprocessor further comprises: 一密码机/散列单元,设置在一执行逻辑内,用以产生上述第二讯息文摘以及上述解密讯息文摘,其中上述密钥仅能由上述密码机/散列单元进行存取。A cipher/hash unit is set in an execution logic to generate the second message digest and the decrypted message digest, wherein the key can only be accessed by the cipher/hash unit. 34.如权利要求33所述的设备,其中上述微处理器还包括:34. 
The apparatus of claim 33, wherein said microprocessor further comprises: 一乱数产生器,设置在上述执行逻辑内,用以在完成了一目前基本输入输出系统检查之后,产生一乱数,其中当一事件发生的时间间隔逾期时,窜改计时器是使用上述乱数来随机地设定下一个基本输入输出系统检查中断是否成立。A random number generator, arranged in the above-mentioned execution logic, to generate a random number after completing a current BIOS check, wherein when the time interval for an event to occur expires, the tampering timer uses the above-mentioned random number to randomly ground set the next BIOS to check whether the interrupt is true. 35.如权利要求33所述的设备,其中上述微处理器还包括:35. The apparatus of claim 33, wherein said microprocessor further comprises: 一乱数产生器,设置在上述执行逻辑内,用以在完成了一目前基本输入输出系统检查之后,产生一乱数,其中上述分区选择器是使用上述乱数来随机地设定在下一个基本输入输出系统检查期间欲检查的上述基本输入输出系统内容分区的数量。a random number generator, arranged in the execution logic, to generate a random number after a current BIOS check is completed, wherein the partition selector uses the random number to randomly set the next BIOS The number of the above BIOS content partitions to check during the check. 36.一种用以保护一计算系统内的一基本输入输出系统的方法,包括:36. 
A method for securing a BIOS within a computing system, comprising: 储存多个基本输入输出系统内容分区以及多个加密讯息文摘至一基本输入输出系统只读存储器,其中每一上述基本输入输出系统内容分区是储存为可读文本,以及每一上述加密讯息文摘包括一第一讯息文摘的一加密版本以及所对应的上述基本输入输出系统内容分区;storing a plurality of BIOS content partitions and a plurality of encrypted message digests in a BIOS read-only memory, wherein each of said BIOS content partitions is stored as readable text, and each of said encrypted message digests includes An encrypted version of the first message digest and the corresponding BIOS content partition; 回应于中断上述计算系统的正常操作的一基本输入输出系统检查中断,选择一个或多个上述基本输入输出系统内容分区,其中所选择的一个或多个上述基本输入输出系统内容分区的数量是由一窜改检测微码所决定;In response to a BIOS check interrupt interrupting normal operation of said computing system, selecting one or more of said BIOS content partitions, wherein the number of selected one or more of said BIOS content partitions is determined by - Determined by the tamper detection microcode; 在时间间隔以及事件发生的一组合而产生上述基本输入输出系统检查中断;The above-mentioned BIOS check interrupt is generated at a combination of time intervals and event occurrences; 回应于上述基本输入输出系统检查中断,对一个或多个上述基本输入输出系统内容分区以及所对应的一个或多个上述加密讯息文摘进行存取,以及使用用来产生上述第一讯息文摘与上述加密讯息文摘的相同演算法与密钥来产生对应于所选择的一个或多个上述基本输入输出系统内容分区的所对应的一个或多个第二讯息文摘以及对应于一个或多个上述加密讯息文摘的所对应的一个或多个解密讯息文摘;In response to the above-mentioned BIOS check interrupt, access one or more of the above-mentioned BIOS content partitions and the corresponding one or more of the above-mentioned encrypted message digests, and use the method used to generate the above-mentioned first message digest and the above-mentioned the same algorithm and key for encrypting the message digest to generate corresponding one or more second message digests corresponding to the selected one or more of the aforementioned BIOS content partitions and corresponding to one or more of the aforementioned encrypted message digests one or more decrypted message digests corresponding to the digest; 比较上述第二讯息文摘与上述解密讯息文摘;以及comparing said second message digest with said decrypted message digest; and 
当一个或多个上述第二讯息文摘以及一个或多个上述解密讯息文摘不是成对相同时,防止一微处理器的操作。Preventing operation of a microprocessor when one or more of said second message digests and one or more of said decrypted message digests are not pairwise identical. 37.如权利要求36所述的方法,其中上述回应于上述基本输入输出系统检查中断,对一个或多个上述基本输入输出系统内容分区以及所对应的一个或多个上述加密讯息文摘进行存取的步骤还包括:37. The method of claim 36, wherein said one or more of said BIOS content partitions and corresponding one or more of said encrypted message digests are accessed in response to said BIOS check interrupt The steps also include: 使用一安全散列演算法来产生上述第二讯息文摘。A secure hash algorithm is used to generate the above-mentioned second message digest. 38.如权利要求36所述的方法,其中上述回应于上述基本输入输出系统检查中断,对一个或多个上述基本输入输出系统内容分区以及所对应的一个或多个上述加密讯息文摘进行存取的步骤还包括:38. The method of claim 36, wherein said one or more of said BIOS content partitions and corresponding one or more of said encrypted message digests are accessed in response to said BIOS check interrupt The steps also include: 使用一进阶加密标准演算法来产生上述解密讯息文摘。An APSC algorithm is used to generate the decrypted message digest. 39.如权利要求36所述的方法,其中时间间隔以及事件发生的上述组合包括时间间隔以及事件发生的一编程顺序。39. The method of claim 36, wherein said combination of time intervals and event occurrences comprises a programmed sequence of time intervals and event occurrences. 40.如权利要求36所述的方法,其中上述微处理器包括设置在一执行逻辑内的一密码机/散列单元,以及上述第二讯息文摘以及上述解密讯息文摘是由上述密码机/散列单元所产生,其中上述密钥仅能由上述密码机/散列单元进行存取。40. The method of claim 36, wherein said microprocessor includes a cipher/hash unit disposed within an execution logic, and said second message digest and said decrypted message digest are generated by said cipher/hash unit generated by the column unit, wherein the above-mentioned key can only be accessed by the above-mentioned cipher/hash unit. 41.如权利要求40所述的方法,其中上述微处理器还包括设置在上述执行逻辑内的一乱数产生器,其中在完成了一目前基本输入输出系统检查之后,上述乱数产生器产生一乱数,其中当一事件发生的时间间隔逾期时,窜改计时器是使用上述乱数来随机地设定下一个基本输入输出系统检查中断是否成立。41. 
The method of claim 40, wherein said microprocessor further comprises a random number generator disposed within said execution logic, wherein said random number generator generates a random number after completing a current BIOS check , wherein when the time interval for an event to occur expires, the tampering timer uses the above-mentioned random number to randomly set the next BIOS to check whether the interrupt is established. 42.如权利要求40所述的方法,其中上述微处理器还包括设置在上述执行逻辑内的一乱数产生器,其中在完成了一目前基本输入输出系统检查之后,上述乱数产生器产生一乱数,其中分区选择是使用上述乱数来随机地设定在下一个基本输入输出系统检查期间欲检查的上述基本输入输出系统内容分区的数量。42. The method of claim 40, wherein said microprocessor further comprises a random number generator disposed within said execution logic, wherein said random number generator generates a random number after completing a current BIOS check , wherein the partition selection is to use the random number to randomly set the number of the above-mentioned BIOS content partitions to be checked during the next BIOS check.
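The check loop that the claims describe (provision each partition with an encrypted digest; on a check interrupt, pick a random number of partitions, recompute their digests, decrypt the stored ones with the same key, compare, and halt on any mismatch), as an added example in Go. This is not the patent's own implementation nor VIA's code. It assumes SHA-256 as the secure hash algorithm, AES-256 applied as two raw blocks for the encrypted digest (the claims name AES but no mode), a constructed 64-byte partition size and a constructed 300-byte BIOS image, and it models the in-core random number generator with a seeded math/rand source and the "prevent operation" signal with a returned partition index.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/rand"
)

// BIOSROM models the ROM layout in the claims (example code, not the patent's
// implementation): plaintext partitions, each paired with an encrypted digest.
type BIOSROM struct {
	Partitions       [][]byte // BIOS content partitions, stored as readable (plain) text
	EncryptedDigests [][]byte // AES-encrypted SHA-256 digest of each partition
}

const partitionSize = 64 // constructed value; real firmware would use larger partitions

// encryptDigest encrypts a 32-byte digest as two raw AES blocks (assumed mode;
// the claims name AES only). The digest is already pseudo-random, so this stays
// deterministic without a nonce.
func encryptDigest(block cipher.Block, digest [32]byte) []byte {
	out := make([]byte, 32)
	block.Encrypt(out[:16], digest[:16])
	block.Encrypt(out[16:], digest[16:])
	return out
}

// decryptDigest reverses encryptDigest, rejecting malformed stored digests.
func decryptDigest(block cipher.Block, enc []byte) ([]byte, error) {
	if len(enc) != 32 {
		return nil, errors.New("encrypted digest must be 32 bytes")
	}
	out := make([]byte, 32)
	block.Decrypt(out[:16], enc[:16])
	block.Decrypt(out[16:], enc[16:])
	return out, nil
}

// provisionROM splits an image into partitions and stores the encrypted "first
// message digest" beside each one. key models the secret that the claims
// restrict to the cryptographic/hash unit.
func provisionROM(image, key []byte) (*BIOSROM, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	rom := &BIOSROM{}
	for off := 0; off < len(image); off += partitionSize {
		end := off + partitionSize
		if end > len(image) {
			end = len(image)
		}
		part := append([]byte(nil), image[off:end]...)
		rom.Partitions = append(rom.Partitions, part)
		rom.EncryptedDigests = append(rom.EncryptedDigests, encryptDigest(block, sha256.Sum256(part)))
	}
	return rom, nil
}

// selectPartitions models the partition selector: the count comes from a random
// number drawn after the previous check (claims 7, 14, 28, 35); indexes are
// drawn without replacement.
func selectPartitions(rng *rand.Rand, total int) []int {
	count := 1 + rng.Intn(total) // at least one partition, at most all of them
	return rng.Perm(total)[:count]
}

// biosCheck models the tamper detector on one BIOS check interrupt: recompute
// the "second message digest" of each selected partition, decrypt the stored
// digest with the same key, compare in constant time. Returns -1 when every
// selected partition verifies, else the first mismatching index (the halt signal).
func biosCheck(rom *BIOSROM, key []byte, selected []int) (int, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return -1, err
	}
	for _, i := range selected {
		if i < 0 || i >= len(rom.Partitions) {
			return -1, fmt.Errorf("partition index %d out of range", i)
		}
		second := sha256.Sum256(rom.Partitions[i])
		decrypted, err := decryptDigest(block, rom.EncryptedDigests[i])
		if err != nil {
			return -1, err
		}
		if subtle.ConstantTimeCompare(second[:], decrypted) != 1 {
			return i, nil
		}
	}
	return -1, nil
}

// constructedImage is a fake 300-byte BIOS image (five partitions), not real firmware.
func constructedImage() []byte { return bytes.Repeat([]byte("CONSTRUCTED-BIOS-CONTENT-"), 12) }

func main() {
	key := []byte("example-key-for-demo-only-32byte") // constructed AES-256 key
	rom, err := provisionROM(constructedImage(), key)
	if err != nil {
		panic(err)
	}
	rng := rand.New(rand.NewSource(1)) // stands in for the in-core random number generator
	sel := selectPartitions(rng, len(rom.Partitions))
	bad, _ := biosCheck(rom, key, sel)
	fmt.Println("intact ROM, partitions checked:", sel, "first failure:", bad)
	rom.Partitions[2][5] ^= 0x01 // model an unauthorized change to partition 2
	bad, _ = biosCheck(rom, key, []int{0, 1, 2, 3, 4})
	fmt.Println("after the change, a full check fails at partition:", bad)
}
```

Two properties of the scheme show up directly in this model. A modified partition passes any check that does not select it, which is why the claims draw the partition count from a random number after each check and also fire checks on events (I/O access, speed change, memory-map change) rather than only on a fixed timer. And a modified stored digest fails just like a modified partition, because the stored value only decrypts to the right SHA-256 under the key that the cryptographic/hash unit alone can read.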
CN201410085132.9A 2013-11-13 2014-03-10 Device and method for protecting basic input and output systems Active CN103810443B (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US14/079,226 US9129113B2 (en) 2013-11-13 2013-11-13 Partition-based apparatus and method for securing bios in a trusted computing system during execution
US14/079,226 2013-11-13
US14/079,299 US9183394B2 (en) 2013-11-13 2013-11-13 Secure BIOS tamper protection mechanism
US14/079,299 2013-11-13

Publications (2)

Publication Number Publication Date
CN103810443A CN103810443A (en) 2014-05-21
CN103810443B true CN103810443B (en) 2017-03-01

Family

ID=50707192

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410085132.9A Active CN103810443B (en) 2013-11-13 2014-03-10 Device and method for protecting basic input and output systems

Country Status (2)

Country Link
CN (1) CN103810443B (en)
TW (1) TWI520001B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112908392B (en) * 2021-02-09 2023-09-15 东芯半导体股份有限公司 Control method for controlling non-volatile memory parameters

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5802592A (en) * 1996-05-31 1998-09-01 International Business Machines Corporation System and method for protecting integrity of alterable ROM using digital signatures
CN1231787A (en) * 1996-09-30 1999-10-13 英特尔公司 Security BIOS
CN1591362A (en) * 2003-08-25 2005-03-09 联想(北京)有限公司 Safety chip information processing apparatus and starting method based on chip
CN101421739A (en) * 2006-04-13 2009-04-29 惠普开发有限公司 Authentication of a request to alter at least one of a BIOS and a setting associated with the BIOS
CN103038745A (en) * 2010-05-21 2013-04-10 惠普发展公司,有限责任合伙企业 Extending an integrity measurement

Also Published As

Publication number Publication date
CN103810443A (en) 2014-05-21
TWI520001B (en) 2016-02-01
TW201518987A (en) 2015-05-16

Similar Documents

Publication Publication Date Title
US9805198B2 (en) Event-based apparatus and method for securing bios in a trusted computing system during execution
US9183394B2 (en) Secure BIOS tamper protection mechanism
US9129113B2 (en) Partition-based apparatus and method for securing bios in a trusted computing system during execution
EP2874092B1 (en) Recurrent BIOS verification with embedded encrypted hash
US9367689B2 (en) Apparatus and method for securing BIOS in a trusted computing system
US10049217B2 (en) Event-based apparatus and method for securing bios in a trusted computing system during execution
US9798880B2 (en) Fuse-enabled secure bios mechanism with override feature
US9779242B2 (en) Programmable secure bios mechanism in a trusted computing system
US9779243B2 (en) Fuse-enabled secure BIOS mechanism in a trusted computing system
TW201519097A (en) Apparatus and method for securing BIOS
CN107273770B (en) Protection device and method for basic input output system
US10055588B2 (en) Event-based apparatus and method for securing BIOS in a trusted computing system during execution
CN103810443B (en) Device and method for protecting basic input and output systems
TWI655555B (en) Apparatus and method for securing bios
US9767288B2 (en) JTAG-based secure BIOS mechanism in a trusted computing system
EP3316167A1 (en) Programmable secure bios mechanism in a trusted computing system
US10095868B2 (en) Event-based apparatus and method for securing bios in a trusted computing system during execution
EP3316169B1 (en) Jtag-based secure bios mechanism in a trusted computing system
EP3316170A1 (en) Fuse-enabled secure bios mechanism with override feature

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant