(12) United States Patent
Hind et al.

(10) Patent No.: US 7,069,452 B1
(45) Date of Patent: Jun. 27, 2006

(54) METHODS, SYSTEMS AND COMPUTER PROGRAM PRODUCTS FOR SECURE FIRMWARE UPDATES

(75) Inventors: John R. Hind, Raleigh, NC (US); Marcia Lambert Peters, Durham, NC (US)

(73) Assignee: International Business Machines Corporation, Armonk, NY (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 1207 days.

(21) Appl. No.: 09/614,982

(22) Filed: Jul. 12, 2000

(51) Int. Cl.: G06F 17/00 (2006.01)

(52) U.S. Cl.: 713/200; 713/189; 713/1; 713/2

(58) Field of Classification Search: 703/200; 713/1-2, 200-202, 189-194
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

5,022,077 A * 6/1991 Bealkowski et al. 711/163
5,293,424 A * 3/1994 Holtey et al. 713/193
5,579,522 A * 11/1996 Christeson et al. 713/2
5,844,986 A * 12/1998 Davis 713/187

OTHER PUBLICATIONS

"Introduction to Digital Signal Processors", Jun. 15, 1999, [Retrieved from the Internet Apr. 29, 2004], "http://www.ece.utexas.edu/-bevans/hp-dsp-seminar/0l_introduction/".*
ANSI Standard X9.31. Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Industry (rDSA), 1998.
Schneier, Bruce, Applied Cryptography, Dec. 1995, pp. 435-441 and 466-474.

* cited by examiner

Primary Examiner: David Jung
(74) Attorney, Agent, or Firm: Myers Bigel Sibley & Sajovec

(57) ABSTRACT

Methods, systems and computer program products which provide secure updates of firmware (i.e. data stored in a programmable memory device of a processing system) are disclosed. Updates of a programmable memory of a device may be controlled by providing an update window of finite duration during which the programmable memory may be updated. Access to the programmable memory may be based on the state of an access latch. The access latch may be set to allow access after a hardware reset of the device. An update control program may be executed to control access to the programmable memory and the latch reset to prevent access upon completion of the update control program. Verification of the update may be provided through encryption techniques and rules incorporated in certificates for application of updates to provide for selectively updating devices. Also disclosed are methods of securely providing differing functionality to generic devices.

36 Claims, 12 Drawing Sheets

[Sheet 1 of 12, Figure 1: block diagram showing Processor 10, Memory Controller 12, Programmable Memory 14, Read Only Memory 16, and the Power On Reset, Latch Reset and Access signals.]

[Sheet 2 of 12, Figure 2: Processing System 230 with Input Devices 232, Display 234, Programmable Memory 236, Processor 238, Read Only Memory 240 and I/O Data Ports 246.]

[Sheet 3 of 12, Figure 3: Processor 238; Read Only Memory 240 holding Update Control Program 282 and Public Key 284; Programmable Memory 236 holding Firmware 254 and Configuration Data 270; System Memory 242 holding Operating System 252, I/O Device Drivers 258 and Update Image 280.]

[Sheet 4 of 12, Figure 4A: flowchart (blocks 300 to 308): Power on reset asserted; Enable update of programmable memory; Execute program in update ROM; Update program complete? (YES); Disable update ability of programmable memory.]

[Sheet 5 of 12, Figure 4B: flowchart (blocks 300 to 308, 320, 322): Power on reset asserted; Enable access to Update ROM; Enable update of programmable memory; Execute program in Update ROM; Update program complete? (YES); Disable update ability of programmable memory; Disable access to Update ROM.]

[Sheet 6 of 12, Figure 5: flowchart: Load update image in scratchpad memory; Verify signature in update image with public key; Signature verified? (NO: Set latch to disable updates).]

[Sheet 7 of 12, Figure 6: flowchart (blocks 450, 452 and following): Obtain signature and certificate chain from update image; Decrypt signature with CA's public key; Signature present and valid?; Extract public key from certificate and decrypt signature of next certificate; Signature valid?; Verify image signature with appropriate public key; Perform update with image; Exit update and disable update of memory.]

[Sheet 8 of 12, Figure 7: certificate structure: certificates 510, 510' and 510'', each containing a Signature 520, a Public Key of Next Level 522 and Firmware Usage Rules 524.]

[Sheet 9 of 12, Figure 8: flowchart (blocks 600 to 612): Develop firmware update for multiple systems/functions; Sign firmware update image; Provide update authority's certificate with any firmware update conditions in a certificate extension field(s); Provide brand certificate with any firmware update extensions and with the brand's public key; Provide manufacturer's certificate with any firmware update extensions and with the manufacturer's public key; Provide root certificate authority's certificate with the certificate authority's public key; Distribute firmware update; End.]

[Sheet 10 of 12, Figure 9: flowchart (blocks 652 to 680): Obtain signature and certificate chain from update image; Decrypt signature with CA's public key; Signature present and valid?; Update OK?; Set flag to update; Extract public key from certificate and decrypt signature of next certificate; Signature valid?; Verify image signature with appropriate public key; Perform update with image; Exit update and disable update of memory.]

[Sheet 11 of 12, Figure 10: Firmware Update Repository 700; Firmware Distribution 702; Updateable Devices.]

[Sheet 12 of 12, Figure 11: flowchart (blocks 710, 712, 714): Distribute generic devices with functions defined by the firmware in the device and having a secure firmware update capability; Distribute firmware updates to define the functions of the devices based on a device level authorization; Apply device level firmware updates to the generic devices to provide differing levels of functionality for the devices.]

METHODS, SYSTEMS AND COMPUTER PROGRAM PRODUCTS FOR SECURE FIRMWARE UPDATES

RELATED APPLICATIONS

The present application is related to commonly assigned and concurrently filed U.S. patent application Ser. No. 09/614,983, entitled “METHODS, SYSTEMS AND COMPUTER PROGRAM PRODUCTS FOR RULE BASED FIRMWARE UPDATES UTILIZING CERTIFICATE EXTENSIONS”, the disclosure of which is incorporated by reference as if set forth fully herein.

FIELD OF THE INVENTION

The present invention relates to data processing systems and more particularly to data processing systems having programmable memories.

BACKGROUND OF THE INVENTION

Many devices today make use of computational elements controlled by software instructions embedded in the device to give the device its functional personality. This software, often called firmware because of its persistent association with the device hardware operation, was historically placed in read-only memory (ROM) and was activated when the device was powered on. With time, it was recognized that firmware, like other forms of software, might be subject to coding mistakes and that over the lifetime of the device there was a need to modify the functional characteristics of the device, for example, to adapt it to a new target environment. This need to repair firmware coding errors and/or modify firmware functionality led to the use of field-programmable random-access memory (RAM) as a repository for on-device firmware. This provided an easier means of modification than replacing ROM chips.

As a result of this evolution, typically, firmware can be updated without physical hardware modification, using removable digital media or a network connection as the mechanism by which new firmware is communicated to the device. The extensive increase in network connectivity in recent years has resulted in an increase in the number of firmware-driven devices that allow personality updates. With the increasing number of update capable devices may come significant security problems. With the ubiquitous nature of firmware-driven devices, such security problems may extend to homes, businesses and other areas where such devices are utilized. For example, personal computers, pagers, cell phones, satellite receivers, set-top boxes, cable and DSL modems, routers, digital TVs, or even appliances like refrigerators, sewing machines, and ovens may all be susceptible to such security problems.

In a personal computer, firmware instructions are generally referred to as a Basic Input-Output System (BIOS). A BIOS typically contains hardware diagnostics, code which initializes and enables/disables certain hardware features (for example boot from network, system board sound or display capability, memory parity, I/O bus speed, DMA, etc.), and instructions enabling the operating system and application programs to interface with the computer hardware. Parameters governing branches through the initialization code to enable/disable or configure certain hardware features are often stored in battery-backed-up CMOS RAM. All of these instructions, typically, must be executed or instantiated as an application program interface (API) successfully in order for the computer to boot.

It is well known in the art that the hardware in which the firmware (e.g., PC BIOS) instructions reside may be a field-programmable ROM such as an EE-PROM or a Flash RAM. Such hardware designs are desirable in allowing the manufacturer to update the firmware after manufacture, for example, to enable new capabilities or fix problems. However, storing the BIOS in a flash memory may also open new vulnerabilities that can be exploited by hackers. For example, some of the approximately 50,000 computer viruses known today—such as the Chernobyl virus (known as CIH and W95.CIH)—overwrite the BIOS with invalid instructions, completely disabling the computer and requiring physical replacement of the BIOS chip.

However, security problems may extend beyond the malicious third parties attempting to damage devices in customers’ hands. It is well known that many devices are built on generic hardware, where the sole difference between several models may be the sticker on the front panel, the firmware load in the resident flash, and the price. In such devices, a customer may, for example, change an inexpensive device into a more expensive device merely by updating the firmware. For example, a manufacturer of Compact Disk Read Write (CDRW) drive mechanisms recently began to receive service calls about its named brand $300 6x-write-speed drives which turned out to be $100 OEM 4x-write-speed drives with their named brand firmware update installed. Accordingly, manufacturers of devices that use easily updateable firmware may be faced with significant security problems that are complicated by situations where the device executes non-firmware application code, and/or the device owner is complicit in the hacking activity.

SUMMARY OF THE INVENTION

Embodiments of the present invention include methods, systems, computer program products and business methods which provide secure updates of firmware (i.e. data stored in a programmable memory device of a processing system). Such secure updates may be provided by controlling updates of a programmable memory of a device by providing an update window of finite duration during which the programmable memory may be updated and allowing updates of the programmable memory only during the update window. Furthermore, the update window may be provided by allowing access to the programmable memory based on the state of an access latch. The access latch may be set to allow access to the programmable memory after a hardware reset of the device. An update control program, which may reside in Read Only Memory, may be executed to control access to the programmable memory and the latch reset to prevent access to the programmable memory upon completion of the update control program.

In further embodiments of the present invention, access to a memory where the update control program resides may be allowed when the access latch allows access to the programmable memory and prevented when the access latch prevents access to the programmable memory. Furthermore, it may be determined if an update of the programmable memory is available and, if so, the programmable memory may be updated. Such a determination of the availability of an update may be made by examining at least one of a local memory location, a local drive, a network drive and an input device status to determine if an update is available or by examining persistent status information.

The programmable memory may be updated by obtaining an update image containing update data to be written to the programmable memory, obtaining installation information from the update image and writing the update data to the programmable memory based on the installation information obtained from the update image. In particular embodiments of the present invention, the installation information may be an install program and the install program executed to write the update data to the programmable memory.

In still further embodiments of the present invention, the programmable memory may be updated by loading an update image into a temporary workspace and updating the programmable memory from the loaded update image. Furthermore, existing data from the programmable memory may be stored so as to provide a backup copy of the data of the programmable memory. In such embodiments, it may be determined if the update of the programmable memory was successful and the contents of the programmable memory restored from the backup copy if the update of the programmable memory was not successful.

In yet additional embodiments of the present invention, the update control program may verify the authenticity of the update of the programmable memory. Such verification can be accomplished in various ways, for example by means of a shared secret, or by a public-key cryptosystem, or in other ways known to those with skill in the art. In certain embodiments, verification of the image may be accomplished by including and checking a digital signature comprising a hash of the image encrypted by the private key of an update authority. In addition to the signature, an X.509 certificate of the update authority may also be included with the distribution of the image. See CCITT Recommendation X.509, “The Directory-Authentication Framework”, Consultation Committee, International Telephone and Telegraph, International Telecommunications Union, Geneva, 1989. The verification of the signature may be provided by computing the hash over the image, decrypting the signature using the public key from the included certificate, and comparing the decrypted result with the computed hash value. If they are equal, the signature verification has succeeded. The control program then validates the update authority’s certificate by validating a signature contained therein, the signature having been created by the certificate authority signing the update authority’s certificate using the certificate authority’s private key. In a non-chained form, this validation may be provided by using a public key of the certificate authority that issued the update authority’s certificate to decrypt the digital signature contained in the update authority’s certificate and comparing it against a computed hash of the update authority’s certificate. The certificate authority’s public key used to perform this validation may be contained in the ROM image or in the current contents of the protected memory. In a more complex arrangement, the image would contain a chain of certificates that can be validated back to a certificate signed by the root certificate authority.

In still further embodiments of the present invention, the update may include a plurality of certificates in a hierarchy of certificates. In such embodiments, the verification of authenticity may be accomplished by evaluating each of the plurality of certificates in the update image to determine if a valid digital signature is provided with each certificate of the update image. Such an evaluation may be accomplished by decrypting a digital signature of a certificate utilizing a public key associated with the certificate and comparing the decrypted digital signature with a predefined value to determine if the digital signature is a valid digital signature associated with the certificate. A public key associated with another of the digital certificates may be obtained and the decryption and comparison repeated utilizing the obtained public key associated with another of the digital certificates. This process may be repeated until a public key associated with a last of the digital certificates is obtained and the signature of the last digital certificate decrypted and compared.

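
Added illustration (not part of the patent text): a C sketch of the verification order described in the two preceding paragraphs, starting from the certificate authority's public key held in ROM, validating each certificate with the key taken from the one before it, and then validating the image signature. The toy 32-bit RSA arithmetic, the FNV-1a hash, the structure layouts, the rule strings and all function names are assumptions chosen to keep the example self-contained; they are not secure and are not the patent's implementation.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy 32-bit RSA and FNV-1a stand in for a real signature scheme and hash so
 * the example is self-contained. They are NOT secure. */
typedef struct { uint32_t n, e; } pubkey_t;
typedef struct { pubkey_t pub; uint32_t d; } keypair_t;   /* d: private exponent */
/* Certificate fields follow FIG. 7; the signature covers the fields before it. */
typedef struct {
    pubkey_t next_key;     /* public key of next level */
    char     rules[24];    /* firmware usage rules (carried, not evaluated here) */
    uint32_t signature;    /* made with the issuer's private key */
} cert_t;
#define MAX_CHAIN 4
typedef struct {
    uint8_t  data[32];           /* update data for the programmable memory */
    cert_t   chain[MAX_CHAIN];   /* certificate issued by the root CA first */
    size_t   ncerts;
    uint32_t signature;          /* update authority's signature over data */
} update_image_t;

static uint32_t modpow(uint32_t base, uint32_t exp, uint32_t n) {
    uint64_t r = 1, x = base % n;
    for (; exp; exp >>= 1, x = x * x % n)
        if (exp & 1) r = r * x % n;
    return (uint32_t)r;
}

static uint32_t digest(const void *p, size_t len, uint32_t n) {
    const uint8_t *b = p;
    uint32_t h = 2166136261u;                    /* FNV-1a, then reduced mod n */
    while (len--) { h ^= *b++; h *= 16777619u; }
    return h % n;
}

/* "Decrypt" the signature with the public key and compare it with the hash. */
static int sig_ok(const void *p, size_t len, uint32_t sig, pubkey_t k) {
    return k.n > 1 && sig < k.n && modpow(sig, k.e, k.n) == digest(p, len, k.n);
}

/* Device side: start from the CA key stored in ROM, validate each certificate
 * with the key from the previous one, then the image. Returns 1 only if all pass. */
int verify_update(const update_image_t *u, pubkey_t rom_ca_key) {
    pubkey_t k = rom_ca_key;
    if (u->ncerts == 0 || u->ncerts > MAX_CHAIN) return 0;
    for (size_t i = 0; i < u->ncerts; i++) {
        const cert_t *c = &u->chain[i];
        if (!sig_ok(c, offsetof(cert_t, signature), c->signature, k)) return 0;
        k = c->next_key;                         /* key for the next level down */
    }
    return sig_ok(u->data, sizeof u->data, u->signature, k);
}

/* ---- Constructed signing side: runs at the authorities, never on the device ---- */
static keypair_t make_key(uint32_t p, uint32_t q) {      /* p, q: distinct primes */
    int64_t phi = (int64_t)(p - 1) * (q - 1), t = 0, nt = 1, r = phi, nr = 65537;
    while (nr) {                       /* extended Euclid: t ends as e^-1 mod phi */
        int64_t quo = r / nr, tmp = t - quo * nt;
        t = nt; nt = tmp;
        tmp = r - quo * nr; r = nr; nr = tmp;
    }
    keypair_t k = { { p * q, 65537 }, (uint32_t)(t < 0 ? t + phi : t) };
    return k;
}

static uint32_t sign(const void *p, size_t len, keypair_t k) {
    return modpow(digest(p, len, k.pub.n), k.d, k.pub.n);
}

static cert_t issue(keypair_t issuer, pubkey_t subject, const char *rules) {
    cert_t c;
    memset(&c, 0, sizeof c);
    c.next_key = subject;
    strncpy(c.rules, rules, sizeof c.rules - 1);
    c.signature = sign(&c, offsetof(cert_t, signature), issuer);
    return c;
}

/* Constructed sample: root CA -> manufacturer -> update authority -> image. */
update_image_t build_sample_update(pubkey_t *rom_ca_key) {
    keypair_t ca = make_key(65521, 65537), mfr = make_key(65519, 65539);
    keypair_t auth = make_key(65497, 65543);
    update_image_t u;
    memset(&u, 0, sizeof u);
    memcpy(u.data, "constructed firmware v2", 23);
    u.chain[0] = issue(ca, mfr.pub, "manufacturer=EXAMPLE");
    u.chain[1] = issue(mfr, auth.pub, "brand=EXAMPLE");
    u.ncerts = 2;
    u.signature = sign(u.data, sizeof u.data, auth);
    *rom_ca_key = ca.pub;
    return u;
}

int main(void) {
    pubkey_t rom;
    update_image_t u = build_sample_update(&rom);
    return verify_update(&u, rom) ? 0 : 1;       /* exit 0: update accepted */
}
```

Because each certificate's signature covers the public key it hands to the next level, changing any key or rule string in the chain, or any byte of the update data, makes a signature comparison fail and the image is refused.
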
In additional embodiments of the present invention, application rules information may be obtained from an extension of at least one certificate associated with the update. The rules information obtained from a certificate may be evaluated and the programmable memory selectively updated based on the evaluation of the rules information obtained from the certificate. In particular, the rules information may be rules information associated with a manufacturer of the device, rules information associated with a brand of the device, rules information associated with a software version of the device, rules information associated with a license authorization of the device or rules associated with the individual device.

In still further embodiments of the present invention, a system for controlling access to a programmable memory of a device may be provided. The system may include a latch and a memory controller configured to control read and write operations to the programmable memory and operably associated with the latch so as to allow write operations to the programmable memory when the latch is in a first state and to prevent write operations to the programmable memory when the latch is in a second state. A latch enable circuit may be configured to set the latch to the first state upon detecting a hardware reset of the device and set the latch to the second state upon completion of a memory update window.

In particular embodiments of the present invention, the latch enable circuit may include a hardware reset circuit which generates a hardware reset of the device, a processor, and a read only memory operably associated with the processor and containing a program utilized to update the programmable memory, wherein the program is configured to set the latch to the second state. Furthermore, the processor may be configured to execute the program contained in the read only memory upon generation of the hardware reset of the device. In still further embodiments of the present invention, the program is configured to set the latch to the second state upon completion of execution of the program.

In particular embodiments of the present invention, the processor comprises a digital signal processor.

In still further embodiments of the present invention, the memory controller is further configured to allow read operations of the read only memory when the latch is in the first state and prevent read operations of the memory when the latch is in the second state.

In additional embodiments, a plurality of devices having differing functionality may be provided by providing a plurality of generic processing devices having hardware suitable to perform at least a portion of the differing functionality of the plurality of devices, wherein the generic processing devices also have a programmable memory and a read only memory. Updates to the programmable memory define the functionality of the generic processing devices so as to provide the plurality of devices having differing functionality. The programmable memories of the generic processing devices may be selectively updated utilizing an update program provided in the read only memories of the generic processing devices which verifies the authorization of an update and selectively updates the programmable memory based on the verified authorization. Furthermore, updates of the programmable memories of the generic processing devices other than by the update program may be prevented.

In still further embodiments, access to the read only memory containing the update program may be prevented other than when an update of the programmable memory of the generic processing device is being performed. Furthermore, the generic processing devices may include a digital signal processor. In such embodiments, the updates of the programmable memory may provide microcode for controlling the operation of the digital signal processor.

While the invention has been described above primarily with respect to method aspects of the invention, both systems and/or computer program products are also provided.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a firmware update system according to embodiments of the present invention;

FIG. 2 is a block diagram of a data processing system suitable for use with the present invention;

FIG. 3 is a more detailed block diagram of data processing systems according to embodiments of the present invention;

FIG. 4A is a flowchart illustrating operations according to embodiments of the present invention;

FIG. 4B is a flowchart illustrating operations according to further embodiments of the present invention;

FIG. 5 is a flowchart illustrating operations for performing a firmware update according to embodiments of the present invention;

FIG. 6 is a flowchart illustrating operations according to embodiments of the present invention utilizing cryptographic techniques to provide secure firmware updates;

FIG. 7 is a block diagram of a certificate structure according to embodiments of the present invention;

FIG. 8 is a flowchart illustrating operations for creating a firmware update according to embodiments of the present invention;

FIG. 9 is a flowchart illustrating operations for performing a firmware update utilizing a certificate structure such as described in FIG. 7;

FIG. 10 is a block diagram of a firmware distribution system according to embodiments of the present invention; and

FIG. 11 is a flowchart illustrating operations according to further embodiments of the present invention which may provide for methods of doing business according to embodiments of the present invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

The present invention now will be described more fully hereinafter with reference to the accompanying drawings, in which preferred embodiments of the invention are shown. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.

As will be appreciated by one of skill in the art, the present invention may be embodied as a method, data processing system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product on a computer-usable storage medium having computer-usable program code means embodied in the medium. Any suitable computer readable medium may be utilized including hard disks, CD-ROMs, optical storage devices, or magnetic storage devices.

The computer-usable or computer-readable medium may be, for example but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or propagation medium. More specific examples (a nonexhaustive list) of the computer-readable medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, and a portable compact disc read-only memory (CD-ROM). Note that the computer-usable or computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.

Computer program code for carrying out operations of the present invention may be written in an object oriented programming language such as Java®, Smalltalk or C++. However, the computer program code for carrying out operations of the present invention may also be written in conventional procedural programming languages, such as the “C” programming language or even assembly language. The program code may execute entirely on the user’s computer, partly on the user’s computer, as a stand-alone software package, partly on the user’s computer and partly on a remote computer or entirely on the remote computer. In the latter scenario, the remote computer may be connected to the user’s computer through a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).

The present invention is described below with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart and/or block diagram block or blocks.

The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart and/or block diagram block or blocks.

As is described in more detail below, embodiments of the present invention may provide secure firmware updates by providing a window in which firmware updates may be provided. Such a window may be provided by a latch or other such device which may be set to allow update access to the programmable memory device(s) where the firmware to be updated resides and which may be set to prevent update access to the programmable memory device(s). Furthermore, some or all of the program which performs the firmware update may be stored in a Read Only Memory (ROM) of the processing system and the program may set the latch to prevent updates of the programmable memory device(s) upon completion of the update program. Update systems according to embodiments may, for example, be incorporated into a boot sequence of a processing device to provide secure firmware update capabilities. Additional embodiments of the present invention may utilize cryptographic techniques to further increase the security of the firmware update. Various embodiments of the present invention will now be described with reference to FIGS. 1 through 11.

`Referring now to FIG. 1, a firmware update system
`according to embodiments of the present invention is illus-
`trated. As is seen in FIG. 1, a processor 10, such as a general
`purpose microprocessor, a digital signal processor or a
`specific purpose processor has associated with it a latch 18
`which defines a state of access permissions to a program-
`mable memory 14 and/or a read only memory (ROM) 16.
`Such access may be controlled by a memory controller 12 or
`other such device which allows the processor 10 to access
`the programmable memory 14 and the read only memory 16.
`In particular, the programmable memory 14 may be flash
`RAM or other programmable memory which may contain
`firmware, such as a BIOS program or other such firmware,
`which may provide the basic functionality of the device
`incorporating the processor 10. The processor 10 may access
`the programmable memory 14 through the memory control-
`ler 12 to execute instructions stored in the programmable
`memory 14 or to update the contents of the programmable
`memory 14. The processor 10 may also access the ROM 16
`to execute a firmware update program stored in the ROM 16.
`In operation, the processor 10 receives a hardware reset
`signal, such as the power on reset signal illustrated in FIG.
`1, which causes the processor 10 to reset its registers and
`begin execution of a program from a predefined memory
`location. Thus, the latch 18 can be set into an initial state by
`a hardware reset, which is the means to return the processor
`10 to a known non-debug state executing a specific instruc-
`tion stream (e.g. the instruction stream stored in the ROM
`16). In particular embodiments of the present invention, the
`predefined memory location corresponds to a memory location
`in the ROM 16. In addition to resetting the processor 10,
`the reset signal also sets the latch 18 to a state which
`instructs the memory controller 12 to allow access to the
`ROM 16 (i.e., read operations) and to allow updates (i.e.
`write operations) to the programmable memory 14. Thus, for
`example, when the “Q” of the latch 18 is a logical “1” the
`memory controller 12 may allow reads of the ROM 16 and
`writes to the programmable memory 14.
`As is further illustrated in FIG. 1, an output of the
`processor 10 may also be provided to reset the latch 18 so
`as to prevent updates of the programmable memory 14 and
`optionally prevent read operations to the ROM 16. Thus,
`when the firmware update program executed from the ROM
`16 is concluding it may activate the access latch reset output
`of the processor 10 to reset latch 18. In the example
`described abo
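
A minimal C model of the latch-gated update window described for FIG. 1, added here as an illustration and not taken from the patent. The struct fields, function names and the 64-byte flash size are hypothetical; the reference numerals in the comments follow FIG. 1, and closing the latch on a failed update is an assumption of this sketch.

```c
/* Added model of FIG. 1's latch-gated update window; all names are hypothetical. */
#include <stddef.h>
#include <stdint.h>

#define FLASH_SIZE 64

struct device {
    int latch_q;                 /* latch 18: 1 = update window open */
    int hide_rom_when_locked;    /* optional: also block ROM 16 reads */
    uint8_t flash[FLASH_SIZE];   /* programmable memory 14 */
    const uint8_t *rom;          /* ROM 16 holding the update program */
    size_t rom_len;
};

/* Hardware reset: the only event in this model that opens the window. */
void hw_reset(struct device *d) { d->latch_q = 1; }

/* Access latch reset output of processor 10: closes the window. */
void latch_reset_output(struct device *d) { d->latch_q = 0; }

/* Memory controller 12: flash writes succeed only while Q == 1. */
int mc_write_flash(struct device *d, size_t addr, uint8_t v) {
    if (!d->latch_q || addr >= FLASH_SIZE) return -1;
    d->flash[addr] = v;
    return 0;
}

/* Memory controller 12: ROM reads may be refused once the latch is reset. */
int mc_read_rom(const struct device *d, size_t addr, uint8_t *out) {
    if (addr >= d->rom_len) return -1;
    if (!d->latch_q && d->hide_rom_when_locked) return -1;
    *out = d->rom[addr];
    return 0;
}

/* Update program run from ROM 16: write the image, then close the window.
   Assumption: the latch is reset on every exit path, including failure. */
int rom_update_program(struct device *d, const uint8_t *img, size_t len) {
    int rc = 0;
    for (size_t i = 0; i < len && rc == 0; i++)
        rc = mc_write_flash(d, i, img[i]);
    latch_reset_output(d);
    return rc;
}

int main(void) {
    static const uint8_t img[] = {1, 2, 3};  /* constructed sample image */
    struct device d = {0};
    hw_reset(&d); rom_update_program(&d, img, 3);
    return mc_write_flash(&d, 0, 0xFF) == -1 ? 0 : 1;  /* late write must fail */
}
```

The model exposes no function that sets the latch other than `hw_reset`, so code running after the update program has no software path to reopen the window.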
