(19) Europäisches Patentamt
European Patent Office
Office européen des brevets

(11) EP 0 824 233 A2

(12) EUROPEAN PATENT APPLICATION

(43) Date of publication: 18.02.1998 Bulletin 1998/08

(21) Application number: 97305891.0

(22) Date of filing: 04.08.1997

(84) Designated Contracting States: AT BE CH DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE

Designated Extension States: AL LT LV RO SI

(30) Priority: 07.08.1996 US 693458

(71) Applicant: Compaq Computer Corporation, Houston Texas 77070 (US)

(51) Int Cl.6: G06F 1/00, G06F 1/30, G06F 11/00

(72) Inventors:
* Angelo, Michael F., Houston, Texas 77068 (US)
* Miller, Craig A., Cedar Park, Texas 78613 (US)

(74) Representative: Brunner, Michael John, GILL JENNINGS & EVERY, Broadgate House, 7 Eldon Street, London EC2M 7LH (GB)

(54) Method and apparatus for secure execution of software prior to a computer system being powered down or entering a low energy consumption mode

(57) A computer system that automatically and securely executes registered programs immediately prior to a transition to a reduced energy consumption state. A registrar table specifying registered programs and a secure modification detection value for each registered program are maintained in system management mode memory or other secure memory space in the computer system. A system management interrupt is generated following a request to remove power from the computer system or the occurrence of an event that triggers an energy saving mode. The system management interrupt handler routine then generates a current modification detection value for each registered program. The current modification detection values are compared with the secure modification detection values. Execution of a registered program is permitted if the values match. After all registered programs have been executed, the computer system automatically powers down or enters an energy saving mode. The computer system thereby allows secure and convenient execution of programs or commands that would typically interfere with normal computer use.

[Front-page drawing: block diagram of the computer system. Legible labels include CPU/memory, cache and memory controller, video memory, RAMDAC, monitor, network interface, parallel port, hard disk (IDE), PCI bus, ISA bus, floppy controller, RTC/CMOS, UARTs, keyboard controller, keyboard, mouse and power supply.]

Printed by Jouve, 75001 PARIS (FR)

HTC EX. 1018, HTC v. Ancora, US Patent No. 6,411,941

Description

The present invention relates to computer system security.

The present invention relates to a method for securely executing registered software applications in a computer system that is either being powered down or entering an energy saving mode.

Computers are becoming increasingly important in many aspects of modern life, both in homes and in businesses. Huge amounts of money are invested by companies and individuals to purchase executable software. Even more money and time is spent developing the information contained in data files such as text documents and spreadsheets. Protecting these resources is therefore an important concern. Security-conscious users are requesting that security and integrity features be incorporated into their personal computers to protect access to critical files and to guarantee the trustworthiness of installed programs. Ideally, these security features should interfere with normal computer operation as little as possible.

Two main causes of software untrustworthiness are file corruption and viruses. File corruption usually follows a system failure occurring during a file transfer (i.e. the system is turned off while a file is being copied onto the hard disk, etc.) or similar occurrence.

Controlling the power-down of the computer system is therefore important, particularly in computers with advanced operating systems such as Windows 95™ and Windows NT™, available from Microsoft Corp. These operating systems require the user to shut down via specific software steps rather than by simply turning off the power switch. For example, in Windows 95™, the user should click a START button and select the SHUT DOWN item from the START menu. The selection of the SHUT DOWN item causes a dialog box to appear on the screen, giving the user the options of shutting down completely, restarting the PC, or exiting to the disk operating system (DOS).

In these advanced operating systems, the shut down procedure is needed because the numerous pieces of status information and configuration data contained in the Windows Registry file are not updated until the system has been properly shut down. Further, data stored in the disk cache may not be flushed to the disk unless the user properly exits Windows 95™ or Windows NT™. Network connections that are not properly severed can cause additional problems. Thus, the removal of power without following the proper shutdown procedure can corrupt the Windows Registry file and compromise the overall reliability of the computer during subsequent operations. It should be noted, however, that properly exiting these operating systems requires the user to take affirmative action via menu commands prior to toggling the on/off power switch.

Another threat to software integrity is the problem of "malicious code", also referred to as computer viruses. While many computer viruses are relatively benign, computer viruses can be hostile, clandestine and created to target specific types of software or hardware. They can be introduced into a computer in as many ways as the computer can communicate externally, such as through the floppy drive, a network connection or a modem connection. Viruses are typically designed to replicate by secretly attaching copies of themselves to files or boot records so that the user is unaware of the intrusion. It is important to note that once a virus has attached itself to a host program, the program must be different and its integrity has been violated.

Once infected, any subsequent copies of the host file also contain the virus, thereby increasing the potential for destruction. The virus is then activated when the file is executed. Consequently, a virus attached to a data file may remain dormant because the data file is not executable.

One common commercial method of assessing the integrity of user software is to check for viruses by running a virus checking software program. Such programs rely on the characteristics of the known viruses to detect their presence. A new virus may not be detectable by the virus checking software. If a virus is present, the virus checking software itself is susceptible because it is loaded from the infected hard disk and must run in memory that could be infected. In addition, virus checking software can be inconvenient to execute. A thorough check of system resources can take several minutes, and the user is not able to run other applications during this time. Although virus checking software can be configured to execute automatically during system boot up, the user must again take affirmative action to execute or schedule a virus scan at other times.

Another method of assessing a file's integrity prior to executing involves computing an integrity assessment code for the file and verifying that the code matches a predetermined value. Checksums (a type of integrity assessment code) are adequate for detecting accidental modifications of data. However, they are an insecure defense against viruses. A well-designed virus aimed at bypassing normal security features can easily attach itself to a host program without resulting in a different checksum.

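The difference between a checksum and a cryptographic hash as an integrity check can be shown on a constructed file image. The following is an added example, not part of the patent text; the 16-bit additive checksum, the helper names and the use of SHA-1 as a 160-bit hash are assumptions made for illustration.

```python
import hashlib


def checksum16(data: bytes) -> int:
    """Additive checksum: sum of all bytes modulo 2**16."""
    return sum(data) & 0xFFFF


def mdc160(data: bytes) -> bytes:
    """160-bit cryptographic hash (SHA-1 is an assumed stand-in)."""
    return hashlib.sha1(data).digest()


def compensate(altered: bytes, target: int) -> bytes:
    """Append filler bytes so the additive checksum equals `target` again.

    This models the deliberate change that a checksum cannot see: the
    filler only has to make the byte sum come out right.
    """
    deficit = (target - checksum16(altered)) & 0xFFFF
    full, rest = divmod(deficit, 0xFF)
    return altered + b"\xff" * full + (bytes([rest]) if rest else b"")


def detection_report(original: bytes, candidate: bytes) -> dict:
    """Say whether each integrity check notices that the file changed."""
    return {
        "changed": original != candidate,
        "checksum_detects": checksum16(original) != checksum16(candidate),
        "mdc_detects": mdc160(original) != mdc160(candidate),
    }


# Constructed sample data: a stand-in for a program image on disk.
ORIGINAL = b"constructed sample program image v1.0\n" * 4
# The image grows by some appended bytes, then is padded to the old checksum.
ALTERED = compensate(ORIGINAL + b"<appended bytes>", checksum16(ORIGINAL))
REPORT = detection_report(ORIGINAL, ALTERED)

if __name__ == "__main__":
    print(REPORT)
```

An accidental single-byte change still alters the additive checksum, which is why checksums remain adequate for detecting accidental corruption but not deliberate modification.
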

To address this problem, advanced modification detection codes (or MDC's) have been developed to specifically detect deliberate corruption of data, and are superior to simple checksums. The intent of MDC's is to make it computationally infeasible to modify data so as to preserve a specific modification detection code value. Modification detection codes are sometimes referred to by other names, including: "cryptographic checksums", "cryptographic hashes", "secure hash algorithms", and "message digests".

In some earlier systems, a secure hash value is calculated and stored for newly installed software. Thereafter, when the computer is turned on again, the stored hash value is compared to a newly calculated value. If a discrepancy is found, the user is alerted. A main disadvantage with this method is that the integrity assessment codes must be stored on the hard disk, thus making the codes themselves susceptible to attack by malicious code. Reverse-engineering a modification detection code, while difficult, is not a mathematically intractable problem. Thus, software-only protective products can offer only limited insurance against the attack of malicious code, due mainly to architectural weakness present in most computer systems. A potential solution is to embed the modification detection code in a permanent read-only memory device, but this can make system reconfiguration quite difficult.

Some degree of protection from data loss is afforded by performing regular backups to a tape drive or similar storage medium. If a file becomes corrupted, an earlier, trusted version can be restored from a backup tape. Any changes made to the file after the backup was performed are lost. Like virus scanning and various other administrative procedures, performing backup operations usually preempts other uses of the computer. To circumvent this potential inconvenience, it is desirable to schedule backups during non-working hours or at times when the user is away from the machine. Scheduling and running the backups also require some sort of affirmative action to be taken by the user or system administrator.

A problem can arise if backups and other operations are scheduled to execute at times when it is unlikely that the computer system will be in use. Most modern computer systems incorporate "energy saving" or "hibernation" features. Techniques that are utilized to conserve energy include powering down disk drives, disabling monitors and reducing processor and system clock frequencies. These features are typically activated when the computer is not used for a predetermined period of time. Depending on its programming and hardware, a computer system may not acknowledge and execute a scheduled operation while the system is in an energy saving mode. Even if a scheduled operation is recognized, current computer architectures cannot ensure secure execution.

Briefly, the present invention provides a computer system having the capability to automatically and securely execute registered commands or applications immediately prior to the computer powering down or entering a low energy consumption mode.

Following a request to remove power from the computer system or enter a low power consumption mode, a system management interrupt (SMI) is generated. According to the invention, a variety of methods can be used to generate the SMI. In one embodiment, closure or toggling of the power supply on/off switch causes special interrupt circuitry to generate an interrupt service request that instructs the processor to jump to an interrupt service routine which results in a power down SMI being asserted. Alternatively, circuitry coupled to the power supply on/off switch is configured to bypass the interrupt request and generate the power down SMI directly without the need for a standard interrupt. In yet another embodiment, toggling the power supply on/off switch initiates a software process that results in a power down SMI.

A computer system according to the present invention also allows automatic and secure execution of registered applications immediately prior to the computer system entering a low power consumption mode. Examples of such a low power consumption mode include "hibernation mode" and "energy saving mode". In this embodiment, an SMI is again generated in one of a number of ways. Special interrupt circuitry, a keyboard interrupt, activity timers or a software process can all be used to generate the SMI.

Regardless of the manner in which it is generated, the power down or hibernation mode SMI places the computer system in system management mode, causing an SMI handler routine to be executed. In turn, the SMI handler responds by executing all applications registered with the application registrar. Importantly, the registered applications are verified and executed in a secure manner. Before executing a registered application, the SMI handler first generates a current hash value for the program. The term "secure hash value" or "hash value" is used throughout the remainder of this specification to refer generally to a value generated by a modification detection code, the value being specific to a given software application. A "secure hash value" in the preferred embodiment is 160 bits of data (20 bytes) that is essentially a mathematical representation of a file. If any bits in the file are changed, a different hash value will result.

In general, a secure hash table (or other type of integrity assessment code) is provided that contains a secure hash value for each program that the user wants to execute prior to the power down or entry into hibernation mode. The hash table is stored in protected memory that can only be accessed when the computer system is in system management mode. After it has generated a current hash value for the registered application, the SMI handler checks this stored hash table for a secure entry for the application. If a hash value entry is found, it is compared with the newly-calculated hash value for the secured application. In the event the two values match, the integrity of the application is guaranteed and it is loaded into memory and executed. The process is repeated until all applications registered with the application registrar have been executed.

If the two values do not match, the user is alerted to the discrepancy and may be given the option to update or override the stored hash table entry by entering an administrative password. For security sensitive applications, the entire application or a portion of it is loaded into system management mode memory (hereinafter "SMM memory") prior to application.

In an alternate embodiment of the invention, a secured hash value for the table is maintained in SMM memory, with the hash table itself stored in normal memory. A current table hash value is generated for the hash table before a hash table entry is accessed. The current table hash value is then compared with the table hash value stored in SMM memory. If the values are equal, the integrity of the hash table is verified and the new hash value of the program to be executed can be safely compared with its original value. This embodiment of the invention is useful for overcoming problems associated with the limited size of SMM memory. Both of the aforementioned embodiments of the invention have the additional advantage of being operating system independent.

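The verify-then-execute flow described above, for both the hash table held in SMM memory and the alternate embodiment where only the table's own hash is held there, can be modelled as follows. This is an added example, not code from the patent: the class and function names are hypothetical, SHA-1 is assumed as the 160-bit hash, and refusing every program when the external table fails its check is a policy assumed for this model.

```python
import hashlib
import hmac


def mdc(data: bytes) -> bytes:
    """160-bit modification detection code. SHA-1 is an assumed stand-in:
    the text only gives the 20-byte size. Use SHA-256 in new designs."""
    return hashlib.sha1(data).digest()


def table_bytes(table: dict) -> bytes:
    """Canonical serialization of a hash table so the table can be hashed."""
    return b"".join(n.encode() + b"\0" + d for n, d in sorted(table.items()))


class SmmMemory:
    """Model of protected SMM memory; only register() and smi_handler() use it."""

    def __init__(self):
        self.registrar = []     # registered program names, in execution order
        self.hash_table = {}    # first embodiment: name -> stored hash value
        self.table_hash = None  # alternate embodiment: hash of external table


def register(smm, disk, name, external_table=None):
    """Record a program's trusted hash while the program is known good."""
    smm.registrar.append(name)
    if external_table is None:
        smm.hash_table[name] = mdc(disk[name])
    else:
        external_table[name] = mdc(disk[name])
        smm.table_hash = mdc(table_bytes(external_table))


def smi_handler(smm, disk, external_table=None):
    """Verify each registered program; return (executed, rejected) lists."""
    table = smm.hash_table
    if external_table is not None:
        current = mdc(table_bytes(external_table))
        if smm.table_hash is None or not hmac.compare_digest(current, smm.table_hash):
            # Assumed policy for this model: an untrusted table verifies nothing.
            return [], list(smm.registrar)
        table = external_table
    executed, rejected = [], []
    for name in smm.registrar:
        stored = table.get(name)
        current = mdc(disk.get(name, b""))
        if stored is not None and hmac.compare_digest(stored, current):
            executed.append(name)   # a real handler would load and run it here
        else:
            rejected.append(name)   # mismatch: alert the user, do not execute
    return executed, rejected


def demo():
    # Constructed sample "disk" contents; names and bytes are illustrative.
    clean = {"scan.exe": b"constructed scanner image",
             "backup.exe": b"constructed backup image"}

    # First embodiment: the hash table lives in SMM memory.
    smm1, disk1 = SmmMemory(), dict(clean)
    for name in clean:
        register(smm1, disk1, name)
    ok = smi_handler(smm1, disk1)
    disk1["backup.exe"] += b" + appended bytes"
    tampered_program = smi_handler(smm1, disk1)

    # Alternate embodiment: table in normal memory, only its hash in SMM.
    smm2, disk2, ext = SmmMemory(), dict(clean), {}
    for name in clean:
        register(smm2, disk2, name, ext)
    ok_ext = smi_handler(smm2, disk2, ext)
    # The program and its unprotected table entry are rewritten together.
    disk2["scan.exe"] = b"replaced image"
    ext["scan.exe"] = mdc(disk2["scan.exe"])
    tampered_table = smi_handler(smm2, disk2, ext)
    return ok, tampered_program, ok_ext, tampered_table


if __name__ == "__main__":
    labels = ("clean", "program changed", "clean/external", "table rewritten")
    for label, result in zip(labels, demo()):
        print(label, result)
```

The last case is the one the background section warns about for hashes kept on disk: a matching entry is written next to the modified program, and only the table hash held in protected memory exposes the change.
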
After all of the registered applications have been executed, the SMI handler transmits a shutdown command to a decoder over a system bus if the SMI was generated as a result of a power down request. Upon detecting that the computer system has issued a shutdown command, the decoder logic causes a SHUTDOWN input to the power supply to be asserted, thereby disabling power to the system. If the SMI was generated as a result of low power consumption mode being activated, the SMI handler transmits appropriate commands to hibernation logic that controls various system components.

The present invention has a wide variety of potential applications, including secure execution of virus detection and removal programs and backing up files prior to shutting down. These and other registered applications are executed securely and without need for intervention by the user.

A better understanding of the present invention can be obtained when the following detailed description of the preferred embodiment is considered in conjunction with the following drawings, in which:

Figure 1 is a schematic block diagram of a computer system incorporating system management mode capabilities in accordance with the present invention;
Figure 2 is a graphical representation of System Management Mode memory according to the present invention;
Figure 3 is a schematic block diagram of a power down circuitry associated with the power supply of the computer system of Figure 1;
Figure 4 is a block diagram of the power supply of the computer system of Figure 1;
Figure 5 is a schematic block diagram of hibernation circuitry according to the present invention;
Figure 6 is a flowchart illustration of a method according to the present invention for securely executing and verifying the integrity of software applications prior to the computer system being turned off or entering hibernation mode; and
Figure 7 is a flowchart illustration of a secure method according to the present invention for updating a stored hash table or stored hash value.

Referring first to Figure 1, a computer system S according to the present invention is shown. In the preferred embodiment, the system S incorporates two primary buses: a Peripheral Component Interconnect (PCI) bus P which includes an address/data portion and a control signal portion; and an Industry Standard Architecture (ISA) bus I which includes an address portion, a data portion, and a control signal portion. The PCI and ISA buses P and I form the architectural backbone of the computer system S.

A CPU/memory subsystem 100 is connected to the PCI bus P. The processor 102 is preferably the Pentium® processor from Intel Corporation, but could be an 80486 or any number of similar or next-generation processors. The processor 102 drives data, address, and control portions 116, 106, and 108 of a host bus HB. A level 2 (L2) or external cache memory 104 is connected to the host bus HB to provide additional caching capabilities that improve the overall performance of the computer system S. The L2 cache 104 may be permanently installed or may be removable if desired. A cache and memory controller 110 and a PCI-ISA bridge chip 130 are connected to the control and address portions 108 and 106 of the host bus HB. The cache and memory controller chip 110 is configured to control a series of data buffers 112. The data buffers 112 are preferably the 82433LX from Intel, and are coupled to and drive the host data bus 116 and a MD or memory data bus 118 that is connected to a memory array 114. A memory address and memory control signal bus is provided from the cache and memory controller 110.

The data buffers 112, cache and memory controller 110, and PCI-ISA bridge 130 are all connected to the PCI bus P. The PCI-ISA bridge 130 is used to convert signals between the PCI bus P and the ISA bus I. The PCI-ISA bridge 130 includes: the necessary address and data buffers, arbitration and bus master control logic for the PCI bus P, ISA arbitration circuitry, an ISA bus controller as conventionally used in ISA systems, an IDE (intelligent drive electronics) interface, and a DMA controller. A hard disk drive 140 is connected to the IDE interface of the PCI-ISA bridge 130. Tape drives, CD-ROM devices or other peripheral storage devices (not shown) can be similarly connected.

In the disclosed embodiment, the PCI-ISA bridge 130 also includes miscellaneous system logic. This miscellaneous system logic contains counters and activity timers as conventionally present in personal computer systems, an interrupt controller for both the PCI and ISA buses P and I, and power management logic. Additionally, the miscellaneous system logic may include circuitry for a security management system used for password verification and to allow access to protected resources.

The PCI-ISA bridge 130 also includes circuitry to generate a "soft" SMI (System Management Interrupt), as well as SMI and keyboard controller interface circuitry. The miscellaneous system logic is connected to the flash ROM 154 through write protection logic 164. Preferably, the PCI-ISA bridge 130 is a single integrated circuit, but other combinations are possible.

A series of ISA slots 134 are connected to the ISA bus I to receive ISA adapter cards. A series of PCI slots 142 are similarly provided on the PCI bus P to receive PCI adapter cards.

A video controller 165 is also connected to the PCI bus P. Video memory 166 is used to store graphics data and is connected to the video graphics controller 165 and a digital/analog converter (RAMDAC) 168. The video graphics controller 165 controls the operation of the video memory 166, allowing data to be written and retrieved as required. A monitor connector 169 is connected to the RAMDAC 168 for connecting a monitor 170.

A network interface controller (NIC) 122 is also connected to the PCI bus P. Preferably, the controller 122 is a single integrated circuit that includes the capabilities necessary to act as a PCI bus master and slave, as well as circuitry required to act as an Ethernet interface. Attachment Unit Interface (AUI) and 10 base-T connectors 124 are provided in the system S, and are connected to the NIC 122 via filter and transformer circuitry 126. This circuitry forms a network or Ethernet connection for connecting the computer system S to a local area network (LAN).

A combination I/O chip 136 is connected to the ISA bus I. The combination I/O chip 136 preferably includes a real time clock, two UARTS, a floppy disk controller for controlling a floppy disk drive 138, and various address decode logic and security logic to control access to the CMOS memory (not shown) and power-on password values. A control line is provided to the read and write protection logic 164 to further control access to the flash ROM 154. Serial port connectors 146 and parallel port connector 132 are also connected to the combination I/O chip 136.

An 8042 or keyboard controller is also included in the combination I/O chip 136. The keyboard controller is of conventional design and is connected in turn to a keyboard connector 158 and a mouse or pointing device connector 160. A keyboard 159 is connected to the computer system S through the keyboard connector 158.

A buffer 144 is connected to the ISA bus I to provide an additional X-bus X for various additional components of the computer system S. A flash ROM 154 receives its control, address and data signals from the X-bus X. Preferably, the flash ROM 154 contains the BIOS information for the computer system and can be reprogrammed to allow for revisions of the BIOS.

In the computer system S of Fig. 1, all electronic devices discussed above, including the processor 102, are powered by a regulated power supply 180. In the preferred embodiment, the regulated power supply (Figs. 3 and 4) has a power supply supervisory circuit 192 that provides shutdown capability via a SHUTDOWN input. The power supply 180 is shut-down via an SMI software/hardware process that is initiated by toggling the on/off switch 182 (Fig. 3). The power supply 180 receives an AC voltage supply via an AC plug 190 (Fig. 3).

An additional feature of the computer system S is a System Management Mode (SMM), as discussed at length immediately below. It is also noted that Figure 1 presents an exemplary embodiment of the computer system S and it is understood that numerous other effective embodiments could readily be developed as known to those skilled in the art.

Certain microprocessors, such as the Pentium® processor from Intel Corporation, have included a mode referred to as system management mode (SMM), which is entered upon receipt of a system management interrupt (SMI). Originally, SMIs were power management interrupts devised by Intel Corporation for portable systems. Portable computers often draw power from batteries which provide a limited amount of energy. To maximize battery life, an SMI is typically asserted to turn off or reduce the power to any system component that is not currently in use. Although originally meant for laptop computers, SMIs have become popular for desktop and other stationary models as well.

SMIs are asserted by either an SMI timer, by a system request, or by other means. An SMI is a non-maskable interrupt having almost the highest priority in the system. Only the reset signal R/S* and cache flush signal FLUSH*, which can be conceptualized as interrupts, have a higher priority than the SMI. When an SMI is asserted, a microprocessor maps a portion of memory referred to as the system management mode memory ("SMM memory") into the main memory space. The entire CPU state is then saved in the SMM memory (in the CPU register dump 210 of Fig. 2) in stack-like, last in/first out fashion. After the initial processor state is saved, the processor 102 begins executing an SMI handler routine, which is an interrupt service routine to perform specific system management tasks such as reducing power to specific devices or, as in the case of the present invention, providing security services. While the routine is executed, other interrupt requests are not serviced, and are ignored until the interrupt routine is completed or the microprocessor is reset. When the SMI handler completes its task, the processor state is retrieved from the SMM memory, and the main program continues. An SMI active signal referred to as the SMIACT* signal is provided by the processor to indicate operation in SMM.

As mentioned, following assertion of its SMI input (this is generally an active low signal), the processor 102 calls the SMI handler, which addresses an address space that is separate from ordinary main memory. Thereafter, all memory accesses refer only to SMM memory 200. Input/output ("I/O") accesses via instructions such as IN or OUT are still directed to the normal I/O address space, however. One advantageous side-effect of the hardwired separate address SMM area is that the routines stored in this space cannot be snooped by the cache, providing an additional layer of protection.

In a typical system management mode implementation, it is intended that battery-buffered SRAM chips be mapped into the address space between 30000h and 3FFFFh by default. External hardware can use the SMIACT* signal as a chip select signal and thereby address either the SRAM chips (the SMIACT* signal is at a logic low level), or the normal main memory (the SMIACT* signal is at a logic high level). By using the SMIACT* signal, then, SMM memory 200 and normal memory can be strictly separated.

The Pentium®, or P5, microprocessor is more flexible than earlier processors in that it permits the SMI handler starting address and the location of the SMM memory space to be changed by the user. Under the Pentium® design, the SMI starting address stored in the microprocessor register is initially set to the conventional 30000h value. Consequently, when the first SMI is asserted, the SMI handler starts at address 38000h (the entry point is offset from the SMM memory base). While the SMI handler routine is executing, however, it may provide a different area of memory to be used as the SMM memory. This new SMM memory may start at any location in the main memory space chosen by the programmer. The SMM memory is a 64-Kbyte block beginning at the new SMM memory start address. When the SMI handler finishes, the new starting address replaces the old starting address in the microprocessor's SMI starting address register.

When the next SMI is asserted, the microprocessor maps the new 64-Kbyte block of memory into the main memory space as the SMM memory, and starts the SMI handler at the new starting address at the midpoint of the new SMM memory. For example, during the first SMI service routine, the programmer may change the SMM memory starting point from 030000h to 100000h. When the SMI is next asserted, the microprocessor maps the SMM memory into main memory space between 100000h and 10FFFFh. The microprocessor then references address 108000h for the SMI handler. This feature thus allows the programmer to choose a more convenient location in the main memory.

Referring more specifically to Fig. 2, a graphical representation of SMM memory 200 as configured according to the present invention is shown. As mentioned above, this address space is addressed by the processor 102 following an SMI. Following an SMI, the state of the processor 102 is stored in the CPU register dump 210. The SMI handler 201 is then called and executed by the processor 102. Importantly, the SMI handler 201 can be written such that it performs tasks other than power-down operations. An SMI handler 201 written according to the present invention is able to utilize an application registrar 202, stored hash entries 204, [...] rithm 208 in SMM memory 200 prevents malicious code from modifying or reading these sensitive components of the preferred embodiment of the invention.

In an alternate embodiment of the invention, a secured table hash value for the hash table 206 itself is maintained in SMM memory 200, while the hash table 206 is stored in normal, readable memory. In this embodiment, the integrity of the hash table 206 is verified before the hash value of the program to be executed is compared with its original value. This embodiment of the invention, discussed more fully below, is useful for overcoming problems associated with the limited size of SMM memory (64-Kbyte total in the disclosed embodiment). It is also contemplated that the secure hash algorithm 208 could be stored in flash ROM 154. The optional 32-Kbyte SMM RAM extension 212 can be utilized for secure execution of software or to store additional hash values.

As used in this disclosure, the term "secure hash value" or "hash value" refers generally to a value -- generated by an integrity assessment code -- that is specific to a given software application. Although the disclosed embodiment of the invention utilizes a hash table 206 containing hash values generated by a secure hash algorithm 208, it is contemplated that many types of modification detection codes could be utilized. Of importance to the invention is that each piece of registered software has a corresponding and distinct value that represents the unaltered state of the software, and that this value be stored in a secure memory location. Note also that registered software is referred to generally as "programs" or "applications", and use of these terms is intended to cover software "files".

Turning now to Fig. 3, circuitry is shown for powering down the computer system S and generating an SMI that initiates execution of registered applications. The interrupt controller/SMI generation logic 186 receives an input from a power supply on/off switch 182. One end of the on/off switch 182 is connected to ground, while the other end of the on/off switch 182 is connected to a pull-up resistor 184. The output of the on/off switch is connected to the interrupt controller/SMI generation logic 186. When the power supply on/off switch 182 is closed -- indicating that the user desires to power the system down -- the input to the interrupt controller/SMI generation logic 186 is pulled low. While the on/off switch 182 is open, pull up resistor 184 pulls the input to a high logic level. The outputs of the interrupt controller/SMI generation logic are placed onto the primary PCI bus P for transmission to the processor 102. In addition, an SMI is communicated between the interrupt control-
