United States Patent (19)
`Olarig et al.
`
`US006009524A
`Patent Number:
`11
`(45) Date of Patent:
`
`6,009,524
`Dec. 28, 1999
`
`54 METHOD FOR THE SECURE REMOTE
`FLASHING OF A BIOS MEMORY
`75 Inventors: Sompong P. Olarig, Cypress; Michael
`F. Angelo, Houston, both of Tex.
`73 Assignee: Compact Computer Corp, Houston,
`TeX.
`
`6
`
`21 Appl. No.: 08/920,810
`22 Filed:
`Aug. 29, 1997
`51) Int. Cl. ........................................................ G06F 9/24
`52 U.S. Cl. .......................... 713/200; 713/201; 709/225;
`380/25
`58 Field of Search ............................. 70925; 713/201,
`713/200; 380/4, 25
`
`56)
`
`2 : 1-2
`
`aO e a
`
`
`
`5,844,986 9/1996 Davis .......................................... 380/4
`5,859,911
`6/1997 Angelo et al. ............................ 380/25
`OTHER PUBLICATIONS
`U.S. Patent Application “System and Method for Secure
`Information Transmission Over A Network”, SN08/764,177
`filed Dec. 13, 1996, P-1257.
`Primary Examiner-Ly V. Hua
`ASSistant Examiner Wasseem Hamdan
`Attorney, Agent, or Firm-Robert Groover
`57
`ABSTRACT
`An improved system and method for FLASH BIOS
`-
`0
`upgrades which is particularly useful in network hubs. Each
`hub or node which is equipped with a FLASH memory is
`-
`also equipped with a validation System, which ensures that
`a received FLASH upgrade is authorized and uncorrupted.
`Each set of instructions to be flashed is marked both with a
`References Cited
`vendor authorization digital Signature and also a System
`administrator authorization digital Signature, and BOTH
`U.S. PATENT DOCUMENTS
`digital Signatures must be recognized by the validation
`system before the FLASH memory will be upgraded.
`i. 2.9. S. et i.
`5,455,865. 10/1995 Perlman .................................... so Because digital signatures are used for security purposes,
`5,666,416 9/1997 Micali ....................................... 380/23
`flash upgrades can be performed from any location on the
`5,692,047 11/1997 McManis .....
`... 380/4
`network, and are not limited to an administrative node.
`5,757,914 5/1998 McManis ...
`... 380/4
`5,778,070 6/1996 Mattison ................................... 380/25
`
`17 Claims, 2 Drawing Sheets
`
`135
`
`KEYBOARD
`
`140
`
`MOUSE
`
`I/F
`MANAGER
`
`130
`PORTS
`
`125
`
`5 4.
`
`150
`
`155
`160
`
`is P.
`as Disk / H MoD so
`
`FDD
`
`175
`
`180
`
`190
`
`SAMSUNG EX. 1027 - 1/8
`
`

`

`U.S. Patent
`
`Dec. 28, 1999
`
`Sheet 1 of 2
`
`6,009,524
`
`155
`160
`
`MDD
`FDD
`
`150
`
`170
`175
`
`180
`
`FIC. 1
`
`135
`
`KEYBOARD
`
`140
`
`MOUSE
`
`I/F
`
`145
`
`WDA
`
`185
`
`130
`forts
`
`125
`
`2 CACHE
`
`190
`
`FIG. 2
`
`210
`
`220
`
`230
`
`240
`
`ADMIN RECEIVES AND VERIFIES
`FLASH CODE AND VENOOR SIGNATURE
`
`ADMIN SIGNS WITH ADMIN KEY
`
`FLASH DATA AND TWO SIGNATURES
`ARE TRANSMITTED TO HUB/NODE
`
`DATA VERIFED AGAINST
`VENDOR AND ADMIN SIGNATURES
`
`
`
`
`
`
`
`- - - - - - - - - -
`
`250
`
`
`
`SYSTEM IS FLASHED
`260-TNEW FLASH DATA is VERIFEDT
`-------(OPTIONA).------ -
`"ACTIVE" FLAG IS TOGGLED
`
`
`
`SYSTEM IS RESTARTED
`
`OTHER HALF OF FLASH
`MEM S FLASHED
`
`SAMSUNG EX. 1027 - 2/8
`
`

`

`U.S. Patent
`
`Dec. 28, 1999
`
`Sheet 2 of 2
`
`6,009,524
`
`
`
`
`
`
`
`FIG. 4
`
`
`
`ADMIN KEY
`VENDOR KEY
`ACTIVE FLAG
`
`
`
`
`
`VALIDATION
`SOFTWARE
`
`
`
`ADMIN AUTHORIZED
`VENDOR SIGNAL
`FLASH CODE
`
`
`
`HUB 1
`
`SAMSUNG EX. 1027 - 3/8
`
`

`

`1
`METHOD FOR THE SECURE REMOTE
`FLASHING OF A BIOS MEMORY
`
`BACKGROUND AND SUMMARY OF THE
`INVENTION
`This application relates to computer network Systems, and
`more particularly to network flash BIOS memories.
`Background: BIOS Updates
`A Basic Input/Output System (BIOS) memory is a
`memory (typically Small) which stores the basic Software to
`provide for initial System Setup and configuration, and
`allows the System to load and execute Subsequent programs.
`This configuration Software must be available to the System
`when it is first started, so the BIOS memory must be
`non-volatile.
`In Some Systems it is Sufficient to Supply a read-only
`memory which is hard coded with the BIOS system. With
`today's rapidly changing technologies, however, it has
`become advantageous to provide rewritable BIOS
`memories, so that the BIOS Software can be upgraded when
`necessary. Therefore, many of today's Systems use flash or
`EEPROM memories to store the BIOS Software, and pro
`vide means for the user of the system to reprogram the BIOS
`memory when necessary. With a flash BIOS, the BIOS
`image or a portion of the BIOS image can be updated by a
`Software update. This is often performed by downloading or
`Storing the new Software, or "flash' information, onto a
`media Storage device, Such as a floppy disk, and executing
`a program to write the new software into the BIOS memory.
`This procedure is commonly referred to as “flashing” the
`memory.
`A flash BIOS typically consists of two separately pro
`grammable portions, each of which, during normal
`operation, contains an identical copy of the BIOS Software.
`An “active flag” indicates which memory portion is actually
`executed when the System is started.
`To upgrade a BIOS in flash memory, only half the
`memory is updated at one time. In order to update the BIOS
`without ever losing operability, the inactive half of the
`BIOS, according to the active flag, is overwritten, and then
`the flag State is changed to make the inactive half active, and
`then the System is power cycled.
`This causes the System to come up in the active Side of the
`BIOS.
`
`Background: Networked Systems
`In many common applications, the BIOS must be flashed
`locally, requiring the operator's actual presence at the
`machine to be updated. In other systems, the BIOS may be
`updated remotely, by Sending the BIOS upgrade over a
`telephone connection or local network. Remote flashing
`makes System upgrades much more convenient, but intro
`duces possible security problems, in that the BIOS may
`possibly be replaced or corrupted by a remote user or even
`a “virus' running on a remote System.
`In a typical computer network, multiple computer Systems
`are each connected to a node of a common network hub.
`Typically, one of these nodes is designated as an “admin'
`node, i.e., a node from which a System administrator can
`perform remote updating of the BIOS Software of the
`network hub.
`On a current networked computer System, each node of a
`computer network is a computer which may have an indi
`vidual flash memory, and the network hub also has its own
`
`15
`
`25
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`6,009,524
`
`2
`flash memory. In current Systems, there is no procedure or
`system by which to perform upgrades to the BIOS software
`in a way that can conveniently be handled by System
`administrators, and which also assures Security and compat
`ibility.
`
`Background: Public Key Cryptosystems
`In public key cryptosystems, each user has two related
`complementary keys, a publicly revealed key and a private
`key. Each key unlocks the code that the other key makes.
`Knowing the public key does not help you deduce the
`corresponding private key. The public key can be published
`and widely disseminated acroSS a communications network.
`In the context of this application, a public key may be Stored
`in an otherwise Vulnerable memory, but that public key is
`only useful to decrypt data which was encrypted with the
`corresponding private key.
`Background: Digital Signatures
`Digital Signatures are used to provide message authenti
`cation. The Sender, for example a Software vendor or System
`administrator, uses his own private key to encrypt a “mes
`Sage digest,” thereby signing the message. A message
`digest is a cryptographically-Strong one-way hash function.
`It is Somewhat analogous to a “checkSurn” or Cylic Redun
`dancy Check (CRC) error checking code, in that it com
`pactly represents the message and is used to detect changes
`in the message. Unlike a CRC, however, it is computation
`ally infeasible for an attacker to devise a Substitute message
`that would produce an identical message digest. The mes
`Sage digest gets encrypted by the Sender's private key,
`creating a digital Signature of the message. Various digital
`Signature Standards have been proposed, Such as Secure
`Hash Algorithm (SHA) or Message Digest 5 (MD5)
`The recipient can verify the digital Signature by using the
`Sender's public key to decrypt it. This proves that the Sender
`was the true originator of the message, and that the message
`has not been Subsequently altered by anyone else, because
`the Sender alone possesses the private key that made that
`digital signature. Forgery of a signed message is infeasible,
`and the Sender cannot later disavow his digital Signature.
`These two processes (encryption and digital signatures)
`can be combined to provide both privacy and authentication
`by first Signing a message with the Sender's private key, then
`encrypting the Signed message with the recipient's public
`key. The recipient reverses these Steps by first decrypting the
`message with his own private key, then checking the
`enclosed digital signature with the Sender's public key. In
`this way, the encrypted message cannot be read by anyone
`but the recipient, and it can only have been created by the
`Sender.
`Further background on digital Signatures can be found, for
`example, in the following books, all of which are hereby
`incorporated by reference: Pfitzman, Digital Signature
`Schemes (1996); Grant, Understanding Digital Signature
`(1997).
`Improved System and Method for FLASH BIOS
`Upgrades
`The present application discloses an improved System and
`method for FLASH BIOS upgrades which is particularly
`useful in network hubs. Each hub or node which is equipped
`with a FLASH memory is also equipped with a validation
`System, which ensures that a received FLASH upgrade is
`authorized and uncorrupted. Each Set of instructions to be
`
`SAMSUNG EX. 1027 - 4/8
`
`

`

`3
`flashed is marked both with a vendor authorization digital
`Signature and also a System administrator authorization
`digital signature, and both digital signatures must be recog
`nized by the validation system before the FLASH memory
`will be upgraded. Because digital Signatures are used for
`Security purposes, flash upgrades can be performed from any
`location on the network, and are not limited to an admin
`node.
`
`BRIEF DESCRIPTION OF THE DRAWING
`The disclosed inventions will be described with reference
`to the accompanying drawings, which show important
`Sample embodiments of the invention and which are incor
`porated in the Specification hereof by reference, wherein:
`FIG. 1 shows a block diagram of a computer system with
`FLASH memory according to the presently preferred
`embodiment.
`FIG. 2 shows a flowchart of the process of the presently
`preferred embodiment.
`FIG. 3 shows a block diagram of a computer network
`System according to the presently preferred embodiment.
`FIG. 4 shows a block diagram of a computer System
`connected to a network hub according to presently preferred
`embodiment.
`FIG. 5 shows a block diagram of a computer system
`(node) and hub where the dual-flash variant is employed.
`DETAILED DESCRIPTION OF THE
`PREFERRED EMBODIMENTS
`The numerous innovative teachings of the present appli
`cation will be described with particular reference to the
`presently preferred embodiment. However, it should be
`understood that this class of embodiments provides only a
`few examples of the many advantageous uses of the inno
`Vative teachings herein. In general, Statements made in the
`Specification of the present application do not necessarily
`delimit any of the various claimed inventions. Moreover,
`Some Statements may apply to Some inventive features but
`not to others.
`FIG. 4 shows a block diagram of a computer System
`NODE A connected to a network hub HUB1 according to
`presently preferred embodiment. Node A may be a typical
`desktop computer or perhaps a network Server computer. In
`this single-flash Scenario, Node A obtains flash information
`from HUB1. The Admin in NODE A verifies the flash
`information and digitally Signs. This provides validation for
`the flash as well as authorization. Next, the Admin transmits
`a double-signed code to HUB1. HUB1 validates that the
`code was authorized by Admin and is valid as from the
`vendor.
`FIG. 5 shows a block diagram of a computer system
`(node) and hub where the dual-flash embodiment is
`employed. HUB1 determines which portion of Flash
`memory, A or B, is not in use. This can be done by looking
`at a particular bit that indicates which Flash is running.
`Assuming Flash A is active, HUB1 then flashes Flash B.
`HUB1 revalidates Flash B and sets Flash B active. Finally,
`HUB1 generates a reset to boot to the new flash firmware
`update.
`Error conditions returned to the user include the follow
`ing: if the flash code is not authorized, the System ignores the
`flash; if the flash code doesn’t have a valid vendor digital
`Signature, again, the System ignores the flash; the flash code
`is determined to be invalid if the flash reboot process times
`out-HUB1 then Sets Flash A as active, generates a reset,
`and reboots.
`
`15
`
`25
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`6,009,524
`
`4
`FIG. 2 shows a flowchart of the process of the presently
`preferred embodiment covering both the Single and dual
`flash Scenarios. In a BIOS upgrade process according to
`preferred embodiment, the System administrator obtains the
`upgrade Software and loads it into the admin node. The
`administrator will examine the Software, using the vendor's
`public key, which is also Stored in each flash memory, and
`Verify that it contains an appropriate vendor digital Signature
`(step 210). Having verified the upgrade, the administrator
`then attaches his own authorization digital signature (Step
`220), using his private key, to verify that the software is to
`be flashed to the target memory. The upgrade Software, with
`both vendor and authorization digital Signatures, is trans
`mitted to the target system (step 230), which may be the
`network hub or another computer System on the network.
`When the target System receives the transmission, it
`verifies each of the digital signatures (Step 240), using the
`Stored public keys, to ensure that the upgrade is valid and
`authorized. If it is, the target System then applies the upgrade
`to the inactive portion of the flash memory (step 250). The
`target System may then optionally perform a checksum
`operation on the inactive memory portion (step 260) to
`ensure that it has been properly programmed. The active flag
`is then toggled to Set the newly programmed portion of the
`memory active (step 270).
`The target system is restarted (step 280), and the BIOS
`Software is loaded. Since the active flag has been reset, the
`upgraded Software is executed. If it executes with no errors,
`the other flash memory portion, now inactive, is flashed with
`the upgrade software (step 290). If, however, the new
`Software causes the System to crash, or causes Some other
`error, the active flag is automatically toggled back to the
`memory portion with the known good software (step 270).
`Each Set of update Software must have two digital Signa
`tures. One of these digital Signatures identifies the Software
`vendor, which will ensure that only an authentic BIOS
`upgrade is applied. The Second digital signature is an
`authorization digital Signature of the System administrator,
`which ensures that only authorized BIOS upgrades are
`applied. The digital signatures can be defined by any con
`venient digital signature Standard (an RSA-Rivest, Shamir,
`& Adleman-standard is preferred).
`The flash memory must therefore contain two public
`decryption keys according to a dual-key encryption System.
`One public key will correspond to a private key known only
`to the vendor, and the other public key will correspond to a
`private key known only to the System administrator. By
`using a dual-key digital signature Standard, there is little
`chance of a Security compromise if the flash is examined (by
`users or intruders) to determine the Stored public keys.
`According to the disclosed process, these public keys will
`Still not allow an unauthorized Software upgrade to be
`applied.
`The verification of the digital signatures on the target
`System may be accomplished in multiple ways. The pre
`ferred embodiment requires a double digital Signature: flash
`updates must be signed both by the Vendor and by the System
`administrator, and both digital Signatures must be identified
`by the data in the flash memory. This identification is
`accomplished by a dual-key digital-signature-verification
`system. “Public' keys for both the vendor and the admin
`istrator are stored or hard-coded into the flash memory. The
`corresponding “private' keys are held by the vendor and
`System administrator, and only these private keys can gen
`erate the digital Signatures which the hub can recognize
`using the public keys Stored in the flash memory.
`
`SAMSUNG EX. 1027 - 5/8
`
`

`

`S
`Therefore, even if the keys stored in the memory are
`compromised, the flash is still secure. With the private keys
`possessed only by the Vendor and System administrator, it is
`practically impossible for unauthorized individuals to create
`an acceptable digital signature for the BIOS upgrade.
`In another alternate embodiment, other Stenographic
`implementations based upon cryptographic relations can be
`used.
`In an alternative class of embodiments, an additional flag
`can be used to allow or restrict downgrading of the BIOS
`more than a certain number of revision levels. This avoids
`the common problem where users "upgrade' to obsolete
`Software.
`For System initialization, overwriting of the administra
`tor's public key in the flash is preferably a protected
`operation, unless the address reserved for this is empty. If no
`administrator public key is known, then no verification of an
`administrator Signature is possible. Thus this option helps to
`assure Safe initialization of new Systems.
`FIG. 3 shows a block diagram of a computer network
`System according to the presently preferred embodiment. In
`this Scenario, a central Six-port hub HUB1 connects a Small
`network of six nodes, NODESA-F, each node comprising
`either a desktop computer or perhaps even a network Server.
`FIG. 1 shows a block diagram of a computer system with
`FLASH memory according to the presently preferred
`embodiment. The complete computer System includes, in
`this example:
`user input devices (e.g. keyboard 135 and mouse 140);
`at least one microprocessor 125 which is operatively
`connected to receive inputs from Said input device,
`through an interface manager chip 130 (which also
`provides an interface to the various ports);
`a memory (e.g. flash memory 155 and RAM 160), which
`is accessible by the microprocessor,
`a data output device (e.g. display 150 and display driver
`card 145) which is connected to output data generated
`by microprocessor, and
`a magnetic disk drive 170 which is read-write accessible,
`through an interface unit 165, by the microprocessor.
`Optionally, of course, many other components can be
`included, and this configuration is not definitive by any
`CS.
`The internal hardware architecture of a network hub or
`route is similar in many respects, but includes additional
`features (and may not contain all the peripherals). For
`example, a hub typically includes a Service processor-e.g.
`a 6800-with its own serial link-which would handle
`requests for flash update.
`According to a disclosed class of innovative embodiments
`there is provided: A computer System, comprising: memory,
`and a microprocessor operatively connected to read and
`write Said memory; a flash memory; a flashing circuit for
`Writing Said flash memory; and a validation circuit con
`nected to Said flashing circuit to Verify first and Second
`digital signature codes, wherein Said validation circuit
`enables Said flashing circuit only when Said first and Second
`digital signature codes are validated.
`According to another disclosed class of innovative
`embodiments, there is provided: A computer network
`System, comprising: a network hub; a plurality of computer
`Systems, each System connected to Said network hub and
`having a user input device, a microprocessor operatively
`connected to detect inputs from Said input device, a memory
`which is connected to be read/write accessible by Said
`
`15
`
`25
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`6,009,524
`
`6
`microprocessor, a programmable non-volatile memory, Said
`programmable non-volatile memory containing first and
`Second validation keys, a power Supply connected to provide
`power to Said microprocessor, Said memory, and Said dis
`play; wherein Said programmable non-volatile memory of
`any of Said computer Systems may only be programmed
`when first and Second encrypted digital Signatures respec
`tively corresponding to first and Second validations code are
`received by that System.
`According to another disclosed class of innovative
`embodiments, there is provided: A computer network
`System, comprising: a network hub having a programmable
`non-volatile memory; a plurality of computer Systems, each
`System connected to Said network hub and having a user
`input device, a microprocessor operatively connected to
`detect inputs from Said input device, a memory which is
`connected to be read/write accessible by Said
`microprocessor, a Video controller connected to Said
`microprocessor, a display operatively connected to display
`data generated by Said Video controller at a first refresh rate,
`and a power Supply connected to provide power to Said
`microprocessor, Said memory, and Said display; wherein Said
`programmable non-volatile memory of Said network hub can
`only be programmed when codes corresponding to first and
`Second digital signatures are received by Said hub and
`Verified against public keys Stored by Said hub.
`According to another disclosed class of innovative
`embodiments, there is provided: A method, comprising the
`Steps of: (a) receiving, in a computer System, data corre
`Sponding to a System program, a Vendor digital signature,
`and an authorization digital signature; (b.) decrypting Said
`vendor digital Signature and Said authorization digital Sig
`nature in Said computer System to produce a Vendor code and
`an authorization code; (c.) comparing said vendor code and
`Said authorization code with first and Second access codes
`Stored in said System; (d.) if Said vendor code and Said
`authorization code correspond to Said first and Second access
`codes, then programming a memory of Said System with Said
`System program.
`
`Modifications and Variations
`As will be recognized by those skilled in the art, the
`innovative concepts described in the present application can
`be modified and varied over a tremendous range of
`applications, and accordingly the Scope of patented Subject
`matter is not limited by any of the Specific exemplary
`teachings given.
`The presently preferred embodiment uses an RSA algo
`rithm for digital Signature verification, but in alternative
`embodiments other digital signature verification algorithms
`can be used.
`In an alternative embodiment the dual-digital Signature
`Verification requirement is applied only to remote updating
`of flash memory, and can be bypassed by a user who is
`physically present at the computer. This provides additional
`protection against loss of the administrator public key (e.g.
`if an administrator quits).
`It should also be noted that the disclosed innovative ideas
`are not limited only to Windows. DOS or UNIX systems, but
`can also be implemented in other operating Systems.
`It should also be noted that the disclosed innovative ideas
`are not limited only to Systems based on an x86-compatible
`microprocessor, but can also be implemented in Systems
`using 680x0, RISC, or other processor architectures.
`It should also be noted that the disclosed innovative ideas
`are not by any means limited to Systems using a single
`
`SAMSUNG EX. 1027 - 6/8
`
`

`

`7
`processor CPU, but can also be implemented in computers
`using multiprocessor architectures.
`It should also be noted that the disclosed innovative ideas
`are applicable not only to network hubs, but also to network
`routers which interconnect network hubs, and other simi
`larly related network Systems.
`What is claimed is:
`1. A computer System, comprising:
`a Writable nonvolatile memory;
`at least one microprocessor operatively connected to
`execute at least one instruction Sequence from Said
`nonvolatile memory at reboot, and to control writing
`thereto;
`validation data in Said nonvolatile memory which can
`authenticate digital Signatures from first and Second
`originators;
`wherein Said microprocessor enables writing into Said
`non Volatile memory only after Successful
`authentication, using Said validation data, of first and
`Second digital Signature codes which are attached to the
`data to be written, by a digital signature verification
`proceSS,
`wherein Said first digital signature code corresponds to a
`vendor Signature;
`wherein Said Second digital Signature code corresponds to
`an administrator Signature;
`whereby the administrator can update a System program
`from any computer in the System by providing Said
`Second digital Signature code.
`2. The system of claim 1, wherein said first digital
`Signature code is checked for validation of Said data to be
`written, and Said Second digital Signature code is checked for
`validation of Said first digital signature in combination with
`Said data to be written.
`3. The System of claim 1, wherein Said digital Signature
`codes are checked using a public-key/private-key digital
`Signature relationship, and Said nonvolatile memory con
`tains public keys corresponding to Said first and Second
`originators.
`4. The system of claim 1, wherein said nonvolatile
`memory is a flash memory which comprises Separately
`programmable first and Second halves, and a toggle bit to
`Select between Said halves.
`5. The system of claim 1, wherein said system is a
`network hub, and an initialization program Stored in Said
`nonvolatile memory is executed whenever Said System
`undergoes a System reset.
`6. The System of claim 1, wherein Said System is a
`network route, and an initialization program Stored in Said
`nonvolatile memory is executed whenever Said System
`undergoes a System reset.
`7. A computer network System, comprising:
`a network hub;
`a plurality of computer Systems, each System connected to
`Said network hub and having
`a user input device,
`a microprocessor operatively connected to detect inputs
`from Said input device,
`a memory which is connected to be read/write acces
`Sible by Said microprocessor,
`a programmable non-volatile memory, Said program
`mable non-volatile memory containing first and Sec
`ond validation keys as well as boot routines,
`a power Supply connected to provide power to Said
`microprocessor, Said memory, and Said display;
`
`5
`
`15
`
`25
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`6,009,524
`
`8
`wherein Said programmable non-volatile memory of any
`of Said computer Systems can be remotely
`programmed, but only when two digital Signatures on
`the data to be programmed are both validated by a
`digital Signature verification proceSS which uses Said
`first and Said Second validation keys,
`wherein Said first digital Signature corresponds to a ven
`dor Signature
`wherein Said Second digital signature corresponds to a
`System administrator Signature,
`whereby the administrator can update a System program
`from any computer in the System by providing Said
`Second digital Signature.
`8. The system of claim 7, wherein said programmable
`non-volatile memory is a flash memory.
`9. The system of claim 7, wherein said programmable
`non-volatile memory is a flash memory comprising Sepa
`rately programmable first and Second halves.
`10. The system of claim 7, wherein said programmable
`non-volatile memory comprises Separately programmable
`first and Second halves.
`11. The system of claim 7, wherein an initialization
`program Stored in Said programmable non-volatile memory
`is executed whenever Said network hub is powered on.
`12. The system of claim 7, wherein said programmable
`non-volatile memory of any of Said computer Systems can
`only be remotely programmed if Said first digital Signature
`validates Said data to be written, and Said Second digital
`Signature validates Said first digital Signature in combination
`with said data to be written.
`13. A computer network System, comprising:
`a network hub having a programmable non-volatile
`memory;
`a plurality of computer Systems, each System connected to
`Said network hub and having
`a user input device,
`a microprocessor operatively connected to detect inputs
`from Said input device,
`a memory which is connected to be read/write acces
`Sible by Said microprocessor,
`a Video controller connected to Said microprocessor,
`a display operatively connected to display data gener
`ated by said video controller at a first refresh rate,
`and
`a power Supply connected to provide power to Said
`microprocessor, Said memory, and Said display;
`wherein Said programmable non-volatile memory of Said
`network hub can only be programmed when codes
`corresponding to first and Second digital Signatures are
`received by Said hub and verified against public keys
`stored by said hub;
`wherein Said first digital Signature corresponds to a ven
`dor code;
`wherein Said Second digital Signature corresponds to an
`authorization code,
`whereby the administrator can update a System program
`from any computer in the System by providing Said
`Second digital Signature.
`14. The system of claim 13, wherein said programmable
`non-volatile memory is a flash memory.
`15. The system of claim 13, wherein said programmable
`non-volatile memory comprises Separately programmable
`first and Second halves.
`16. The system of claim 13, wherein an initialization
`program Stored in Said programmable non-volatile memory
`is executed whenever Said network hub is powered on.
`
`SAMSUNG EX. 1027 - 7/8
`
`

`

`6,009,524
`
`17. A method, comprising the Steps of:
`(a.) receiving, in a computer System, boot memory update
`data corresponding to a System program, together with
`a vendor digital Signature and an administrator digital
`Signature;
`(b.) verifying that Said first digital signature authenticates
`Said boot memory update data, and Said Second digital
`Signature authenticates Said boot memory update data
`in combination with Said first digital Signature, using
`
`10
`public keys which are nonvolatilely Stored in Said
`System; and
`(c.) only if said verifying step is Successful, then pro
`gramming a programmable nonvolatile memory of Said
`System with Said boot memory update data;
`whereby the administrator can update a System program
`from any computer in the System by providing Said
`administrator digital Signature.
`
`k
`
`k
`
`k
`
`k
`
`k
`
`SAMSUNG EX. 1027 - 8/8
`
`