JP4422717B2 - Determining physical presence in a trusted platform - Google Patents

Description

  The present invention relates to computer systems and other information processing systems, and more particularly to computer systems built on trusted platforms such as the TCPA industry standard platform.

  There is a need in the computer industry to increase the level of trust that users have when executing applications and performing network transactions. This is especially true in the case of electronic commerce where the user enters a credit card and other sensitive information. There are several solutions in the industry. One solution, smart card, has emerged as a standard for raising the level of trust by providing hardware to establish trusted users. In smart card solutions, the computer system is not a trusted entity. Rather, it is smart card hardware that is a trusted entity and associated with a particular user. Another solution, Trusted Computing Platform, has emerged as a standard for raising the level of trust by providing hardware that establishes a trusted platform. Users using the trust platform are not trusted entities. Rather, it is the platform that can be trusted.

  Current computer systems provide remote power-on functionality. For example, the computer can turn on when the computer's modem detects a RING signal from an incoming fax. The computer can then perform power on, boot, and receive incoming faxes. Similarly, the computer can turn on and then boot to respond to any local area network request when local area network activity is detected on its LAN card.

  However, computers with this capability are particularly at risk during their absence because they are vulnerable to attack even when the power is off.

  According to one aspect, determining whether power has been applied to the computer system by activation of the power-on switch by reading a power-on status register indicating the occurrence of activation of the power-on switch; A method is provided that includes affecting the operation of a trusted platform module (TPM) included in the computer system in response to the determination.

  In one embodiment, the power-on status register can only be set in hardware.

  In one embodiment, the determination and influence steps occur after a reset event and before an OS load event that loads the operating system. The OS load event may be the first instance of INT 19h following the reset event. The reset event may be an event selected from the group consisting of a hardware initiated reset and a software initiated reset. Preferably the influence step further comprises the step of setting a physical presence flag in the TPM. Preferably the influence step further comprises the step of setting a physical presence lock flag in the TPM.

  In one embodiment, the determination and influence steps occur after a reset event and before the computer system I / O device is available. Preferably, the computer system I / O device is a device selected from the group consisting of a keyboard device, a video device, and a pointing device. The reset event may be an event selected from the group consisting of a hardware initiated reset and a software initiated reset.

  In one embodiment, the affecting step is to limit the operation of the TPM in response to determining that the power-on switch has not been activated in the determining step.

  In one embodiment, the influencing step is such that a predetermined trust operation can be performed in the TPM in response to application of power by activation of a power-on switch as determined in the determining step. .

  According to another aspect, the present invention provides a computer system with activation of a power-on switch coupled to the computer system by reading a power-on status register indicating the occurrence of activation of the power-on switch. A step of determining whether power is applied, a determination step in which the power-on status register can be set only in hardware, and a determination that the power-on switch in the determination step has not been activated. In response, configuring a trusted platform module (TPM) physical presence flag included in the computer system to indicate a lack of physical presence, wherein the determining and configuring step is a system reset Occurs after event and before OS load event And than further provides a method and a step of restricting the operation of the TPM in response to the configuration step.

  In one embodiment, the method further comprises the step of locking the physical presence flag in the TPM by setting a physical presence lock flag in the TPM, wherein the locking step includes a system reset event. Occurs after and before the OS load event. The OS load event is preferably an event that loads the operating system, and the system reset event is preferably an event selected from the group consisting of a hardware initiated reset and a software initiated reset. The event that loads the operating system may be the first instance of INT 19h following the system reset event.

  According to another aspect, power is applied to the computer system by activation of a power-on switch coupled to the computer system by reading a power-on status register indicating the occurrence of activation of the power-on switch. The power-on status register can be set only in hardware, and in response to the application of power by the activation of the power-on switch determined in the determination step. Configuring a trusted platform module (TPM) physical presence flag included in the computer system to indicate physical presence, said determining and configuring step after a system reset event and Occurs before the OS load event Furthermore, the method having the steps to be able to perform a predetermined confidence operations in the TPM in response to said configuration step is provided.

  Preferably, it is possible to lock the physical presence flag in the TPM by setting the physical presence lock flag in the TPM, preferably after the system reset event and before the OS load event. Executed. Preferably, the OS load event is an event for loading an operating system, and the system reset event is an event selected from the group consisting of a hardware start reset and a software start reset. Preferably, the event that loads the operating system is the first instance of INT 19h following the system reset event.

  According to another aspect, there is provided a computer usable medium having computer readable program code embodied therein, or a program that is a set of computer readable program code, wherein the computer readable program code in said program is provided. The code determines whether power has been applied to the computer system by activation of the power-on switch by reading a power-on status register indicating the occurrence of activation of the power-on switch; It is effective to execute the operation of the trusted platform module (TPM) included in the computer system accordingly.

  According to another aspect, there is provided a computer usable medium having computer readable program code embodied therein, or a program that is a set of computer readable program code, wherein the computer readable program code in said program is provided. The code can only be set in hardware and the computer by activation of a power-on switch coupled to the computer system by reading a power-on status register indicating the occurrence of activation of the power-on switch Determining whether power has been applied to the system, in response to the determination indicating that the power-on switch in the determining step has not been activated, to indicate a lack of physical presence Included within Configuring the physical presence flag of a platform module (TPM), to limit the operation of the TPM in response to the configuration, it is effective when performing city. Here, the determination and configuration occurs after the system reset event and before the OS load event.

  According to another aspect, there is provided a computer usable medium having computer readable program code embodied therein, or a program that is a set of computer readable program code, wherein the computer readable program code in said program is provided. The code can only be set in hardware and the computer by activation of a power-on switch coupled to the computer system by reading a power-on status register indicating the occurrence of activation of the power-on switch Determining whether power has been applied to the system, a trust included in the computer system to indicate physical presence in response to applying power by activating a power-on switch according to the determination; Platform module Configuring the physical presence flag Le (TPM), to be able to perform a predetermined confidence operations in the TPM in response to the configuration, it is useful for the execution. Here, the determination and configuration occurs after the system reset event and before the OS load event.

  According to another aspect, a trusted platform module (TPM), a non-volatile memory having computer readable program code stored therein, and a processor for executing the code stored in the non-volatile memory And a status register that assumes a power-on status condition and having a circuit board that couples the TPM and the non-volatile memory. Here, the power-on status state indicates how power application to the circuit board was started last time. When the processor executes code stored in the non-volatile memory, the processor reads the power-on status state of the status register, and therefore, based on the power-on status status read from the status register, the processor To determine if an application was previously initiated by activation of a power-on switch coupled to the circuit board and to issue commands that affect the operation of the TPM in response to the determined power-on state , Effective.

  In one embodiment, the status register can only be set in hardware.

  In one embodiment, code valid for reading, determining, and issuing is executed after a reset event and before executing code stored outside the non-volatile memory.

  In one embodiment, code that is valid for reading, determining, and issuing is executed after a reset event and before execution of code that loads the operating system. The code that loads the operating system may be the first instance of INT 19h following the reset event.

  In one embodiment, the reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset.

  In one embodiment, the code stored in the non-volatile memory is further useful when performing a physical presence flag set in the TPM. The code stored in the non-volatile memory is preferably further effective when executing a physical presence lock flag set in the TPM.

  In one embodiment, code valid for reading, determining, and issuing is executed after a reset event and prior to execution of any code that accesses a computer system I / O device, preferably computer system I The / O device is a device selected from the group consisting of a keyboard device, a video device, and a pointing device.

  In one embodiment, the issued command is based on the power-on status state read from the status register, and in response to determining that the power-on switch has not been activated by the previous application of power. Restrict TPM operation.

  In one embodiment, the issued command is based on the power-on status state read from the status register, and in response to determining that the power-on switch has been activated by the previous application of power, the TPM. A predetermined trust operation can be executed.

  According to another aspect, a trusted platform module (TPM), non-volatile memory having computer readable program code stored therein, a processor, and power that can only be set in hardware An apparatus is provided that includes a status register that assumes an on-status condition and includes a circuit board that couples the TPM and the non-volatile memory. Here, the power-on state indicates how the application of power to the circuit board was started last time. A processor and the non-volatile memory are configured on the circuit board to execute code stored as initial code executed by the processor in response to a reset event, the code being in a power-on status state of a status register Determining whether the application of power to the circuit board was previously initiated by activation of a power-on switch coupled to the circuit board based on a power-on status condition read from the status register And configuring a physical presence flag in the TPM to indicate a lack of physical presence in response to determining that the power-on switch has not been activated, and Code valid for reading, determining and configuring is executed before the OS load event, and the TPM Operation is limited according to the physical presence flag configured.

  In one embodiment, further effective if the code stored in the non-volatile memory performs locking of a physical presence flag in the TPM by setting a physical presence lock flag in the TPM. And the code locks the physical presence flag before the OS load event. Preferably, the OS load event is an event for loading an operating system, and the reset event is an event selected from the group consisting of a hardware start reset and a software start reset. Preferably, the event that loads the operating system is the first instance of INT 19h following the reset event.

  According to another aspect, a trusted platform module (TPM), a non-volatile memory having computer readable program code stored therein, a processor, and a power-on that is configurable only in hardware An apparatus is provided having a status register status that assumes a status status and having a circuit board coupling the TPM and the non-volatile memory. Here, the power-on status state indicates how power application to the circuit board was started last time. The processor and the non-volatile memory are configured on the circuit board to execute the code stored therein when the initial code is executed by the processor in response to a reset event, the code being in a status register Whether the application of power to the circuit board was previously initiated by the activation of a power-on switch coupled to the circuit board based on the power-on status state read from the status register Useful to determine whether and to configure a physical presence flag in the TPM to indicate physical presence in response to determining that the power-on switch has been activated. Yes, code that is valid for reading, determining, and configuring is executed before the OS load event and is used for certain trust operations. Shon may be performed within the TPM in response to physical presence flag configured.

In one embodiment, further effective if the code stored in the non-volatile memory performs locking of a physical presence flag in the TPM by setting a physical presence lock flag in the TPM. And the code locks the physical presence flag before the OS load event. Preferably, the OS load event is an event for loading an operating system, and the reset event is an event selected from the group consisting of a hardware start reset and a software start reset. Preferably, the event that loads the operating system is the first instance of INT 19h following the reset event.

  According to another aspect, a circuit board having a processor socket without components, a status register that assumes a power-on status condition, a trusted platform module (TPM) mounted on the circuit board, and A motherboard is provided having a non-volatile memory mounted on a circuit board and thereby coupled to the TPM and having computer readable program code stored therein. Here, the power-on status state indicates how power application to the circuit board was started last time. The code stored in the non-volatile memory reads the power-on status state of the status register, and the application of power to the circuit board is coupled to the circuit board based on the power-on status status read from the status register Useful to determine if it was last started by activation of the selected power-on switch and issue commands that affect the operation of the TPM in response to the determined power-on state It is.

  In one embodiment, a status register indicating that power has been applied by activation of a power-on switch can only be set in hardware.

  In one embodiment, code valid for reading, determining, and issuing is executed after a reset event and before executing code stored outside the non-volatile memory.

  In one embodiment, code that is valid for reading, determining, and issuing is executed after a reset event and before execution of code that loads the operating system. Preferably the code that loads the operating system is the first instance of INT 19h following the reset event.

  In one embodiment, the reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset.

  In one embodiment, the code stored in the non-volatile memory is further useful when performing a physical presence flag set in the TPM. The code stored in the non-volatile memory is preferably further effective when executing a physical presence lock flag set in the TPM.

  In one embodiment, code valid for reading, determining, and issuing is executed after a reset event and prior to execution of any code that accesses a computer system I / O device. The device is a device selected from the group consisting of a keyboard device, a video device, and a pointing device.

  In one embodiment, the issued command is based on the power-on status state read from the status register, and in response to determining that the power-on switch has not been activated by the previous application of power. Restrict TPM operation.

  In one embodiment, the issued command is based on the power-on status state read from the status register, and in response to determining that the power-on switch has been activated by the previous application of power, the TPM. A predetermined trust operation can be executed.

  According to another aspect, a trusted platform module (TPM), non-volatile memory with computer readable program code stored therein, a processor socket without components, and only in hardware There is provided a motherboard having a status register that can be set to a power-on status state and having a circuit board that couples the TPM and the nonvolatile memory. Here, the power-on status state indicates how power application to the circuit board was started last time. The non-volatile memory is configured on the circuit board to execute code stored as initial code that is executed in response to a reset event, the code reading a power-on status state of a status register; Determining whether application of power to the circuit board was previously initiated by activation of a power-on switch coupled to the circuit board based on a power-on status state read from a status register; Useful for performing a physical presence flag in the TPM to indicate a lack of physical presence in response to a determination that the switch was not activated; And the code valid for the configuration is executed before the execution of the code stored in the non-volatile memory, and the TPM operation is executed. Shon is limited in accordance with the physical presence flag configured.

  In one embodiment, further effective if the code stored in the non-volatile memory performs locking of a physical presence flag in the TPM by setting a physical presence lock flag in the TPM. The code locks the physical presence flag before executing the code stored in the non-volatile memory. Preferably, the execution of the code stored other than the non-volatile memory is a code for loading an operating system, and the reset event is an event selected from the group consisting of a hardware start reset and a software start reset. Preferably, the code that loads the operating system is the first instance of INT 19h following the reset event.

  According to another aspect, a trusted platform module (TPM), a non-volatile memory having computer readable program code stored therein, a processor socket without components, and in hardware There is provided a motherboard having a status register status assuming a power-on status state that can only be set, and having a circuit board that couples the TPM and the non-volatile memory. Here, the power-on status state indicates how power application to the circuit board was started last time. The non-volatile memory is configured on the circuit board to execute the code stored therein when the initial code is executed in response to a reset event, and the code is in a status register power-on status. Read status, determine whether power application to the circuit board was previously initiated by activation of a power-on switch coupled to the circuit board based on the power-on status status read from the status register And configuring a physical presence flag in the TPM to indicate physical presence in response to determining that the power-on switch has been activated, read, The code valid for determination and configuration is executed before the execution of the code stored in the non-volatile memory, and a predetermined trust operation is executed. It can be performed within the TPM in response to physical presence flag configured.

  In one embodiment, further effective if the code stored in the non-volatile memory performs locking of a physical presence flag in the TPM by setting a physical presence lock flag in the TPM. The code locks the physical presence flag before executing the code stored in the non-volatile memory. Preferably, the execution of the code stored other than the non-volatile memory is a code for loading an operating system, and the reset event is an event selected from the group consisting of a hardware start reset and a software start reset. Preferably, the code that loads the operating system is the first instance of INT 19h following the reset event.

  According to one embodiment, a computer system is provided having a trusted platform module (TPM), a non-volatile memory that stores program code, and a circuit board that supports the TPM and non-volatile memory. Preferably, the circuit board also includes a processor for executing the code. Preferably, the circuit board also includes a status register that assumes a power-on status condition indicating how power was previously applied. The code is useful during execution, preferably for reading the power-on status state of the status register. Preferably, the code then determines whether the last power application was previously initiated by activation of a power on switch. This determination is preferably based on the power-on status state read from the status register. Preferably, commands that affect the operation of the TPM are issued according to this result.

  According to one embodiment, a motherboard product for use in the manufacture of a computer system is provided. Preferably, the motherboard supports and provides electrical interconnection between the trusted platform module (TPM) and the non-volatile memory that stores the program code. Preferably, the motherboard also includes an unpartitioned processor socket that provides a connection to the processor. Preferably, the socket is arranged such that the provided processor executes code in non-volatile memory when the motherboard is used in the manufacture of a computer system. Preferably, the motherboard also includes a status register that assumes a power-on status state indicating how power was previously applied. Preferably, when code is executed, it is useful to read the power-on status state of the status register. Preferably, the code then determines whether the last power application has been initiated by activation of a power on switch. This determination is preferably based on the power-on status state read from the status register. Preferably, it is organized to issue commands that affect the operation of the TPM according to this result.

  Preferably, according to one embodiment, a method for providing a trusted platform within a computer system is provided. Preferably, a determination is made as to whether power is applied to the computer system by activating the power-on switch. In determination, a power-on status register is preferably read that indicates the occurrence of such activation. Preferably, depending on the result of the determination, the operation of the trusted platform module included in the computer system is affected.

  In another embodiment, the program is provided on a computer readable medium having program code stored to provide a trusted platform for the computer system. Preferably, the code is useful when performing a determination as to whether power is applied to the computer system by activating a power-on switch. When performing the determination, a power-on status register is preferably read indicating the occurrence of such activation. Preferably, depending on the result of the determination, the operation of the trusted platform module included in the computer system is affected.

  Preferred embodiments of the present invention will now be described by way of example only with reference to the following drawings.

  The present invention will be described in more detail below with reference to the accompanying drawings, in which preferred embodiments of the invention are shown, but at the beginning of the following description, those skilled in the art still achieve the preferred results of the invention. However, it will be understood that modifications to the invention described herein are possible. Accordingly, it will be understood that the following description is a disclosure of the broad teachings directed to those of ordinary skill in the art and is not intended to limit the invention.

  Referring initially to the accompanying drawings, initially FIG. 3 illustrates a motherboard 301 or circuit board configured in accordance with one embodiment of the present invention. Motherboard 301 provides mechanical support and electrical interconnection between TPM 111, NVRAM 116, core south bridge chipset 202, and processor sockets without components. This circuit arrangement provides the basis for manufacturing a trusted system platform that presents information to the user and receives information from the user. The manufactured platform consists of the circuit arrangement shown in FIG. 3, the processor or CPU provided in socket 310, and primary peripheral devices (not shown) attached to circuit board 301. The primary peripheral device is considered as a device that is directly attached to and interacts directly with the motherboard 301. Examples include PCI cards, LPC components, USB host controllers, and root hubs attached to serial and parallel ports. However, USB and IEEE 1394 devices are not considered primary peripheral devices.

  FIG. 1 is a diagram illustrating an exemplary computer system 113 configured in accordance with a preferred embodiment of the present invention (eg, a computer system utilizing a motherboard configured in accordance with one embodiment of the present invention). The system 113 has a central processing unit (CPU) 110 coupled to various other components by a system bus 112. System bus 112 may be a straight bus or may be a hierarchical system of buses. Flash non-volatile random access memory (“NVRAM”) 116 is coupled to system bus 112 and includes a basic input / output system (“BIOS”) that controls certain basic functions of computer system 113. The functions performed by NVRAM 116 that stores the basic input / output system are the same as those conventionally performed by ROM devices. The flash device of this embodiment has the advantage that it can be upgraded in the field. Random access memory (“RAM”) 114, I / O adapter 118, and communication adapter 134 are also coupled to system bus 112. The I / O adapter 118 may be a small computer system interface (“SCSI”) adapter that communicates with the disk storage device 120. A communications adapter 134 interconnects the bus 112 with an external network 160 (eg, the Internet) and allows computer systems to communicate with other such systems. Input / output devices are also connected to the system bus 112 via a user interface adapter 122 and a display adapter 136. The keyboard 124 and mouse 126 are all interconnected to the bus 112 via the user interface adapter 122. Display monitor 138 is connected to system bus 112 via display adapter 136. In this manner, the user can input to the system 113 via the keyboard 124 or mouse 126 and receive output from the system via the display 138.

  Implementations of the invention preferably include implementations as computer systems and as computer programs programmed to perform the methods described herein. According to the computer system implementation, a set of instructions or program code for performing the method may reside in NVRAM 116. In alternative embodiments, the program code need not reside on NVRAM 116, but can reside on other non-volatile memory. Until required by the computer system (eg, manufactured with motherboard 301), the program code is stored in other computer memory, eg (finally an optical disc or floppy for use with disc drive 120). It can be stored as a computer program in the disk drive 120 (which can include removable memory such as a disk). In one embodiment, the program code is executed as initial code that is executed following any reset event in the computer system, regardless of its source. In addition, the code can be stored on other computers and transmitted to the user's workstation by network or by external network 160 if desired. Those skilled in the art will appreciate that the physical storage of program code physically modifies the media stored thereon such that the media carries computer readable information. The change can be electrical, magnetic, chemical, biological, or some other physical change. While it is convenient to describe the present invention in terms of instructions, symbols, characters, or others, the reader should note that all of these and similar representations should be associated with the appropriate physical elements.

  The computer system 113 is implemented to provide the user with a trusted platform that can perform certain trusted operations (eg, the motherboard 301 can be implemented to provide such a trusted platform to the user). The system (motherboard 301 in one embodiment) is built according to the use of a Trusted Computing Platform Alliance (TCPA) entitled TCPA Main Specification Version 1.1b. In the preferred embodiment, the computer system 113 (in one embodiment, the motherboard 301) is implemented as a PC architecture system and further complies with TCPA PC Specific Implementation Specification Version 1.00. The trusted platform module (TPM) 111 is an encryption processor that provides a hardware assisted encryption function for the computer system 113 (in one embodiment, the motherboard 301). The TPM 111 can be a fully integrated security module designed to be incorporated into the system. Any type of cryptographic processor can be used. However, in the preferred embodiment, TPM 111 implements version 1.1b of the TCPA specification for the Trusted Platform Module (TPM). The TPM 111 includes an asymmetric cryptographic coprocessor that performs functions of key generation, random number generation, digital signature key generation, and hash generation, among others. The TPM 111 is capable of RSA signature computing using a CRT and has an internal EEPROM storage for storing a predetermined number of RSA keys. It also includes the setting of a 20-byte platform configuration register (PCR) to establish a trusted root for the platform. An example of such a TPM device is Atmel ™ part number AT97SC320.

  In addition to storing BIOS code, NVRAM 116 also stores code used to execute a power-on self test (POST) routine. Part of this POST code is responsible for establishing a trusted root for the platform. Trust is established within the platform by physically and / or logically combining NVRAM 116 and TPM 111 within the computer system to form a trust building block.

  As will be described in more detail below, NVRAM 116 and TPM 111 are circuit boards (also referred to as motherboards, for example motherboards) in such a way that the trust code stored in NVRAM 116 gains control of the computer system upon system reset 301) assembled on top. This trust code is known as Core Root of Trust for Measurement (CRTM). Each section is first sized by the CRTM itself before it is executed to verify that the running POST code is code shipped by the manufacturer (in one embodiment, the code is executed by each section). It is arranged on the motherboard 301 so that it is first sized by the CRTM itself before being done). The length and checksum of each section of code is checked and a hash representing the code being executed is created. Each hash is then stored in one of the 20 byte PCRs in TPM 111. The verification of these hash values can then be performed by comparing the hash values with published hash values published by the manufacturer for verification.

  For example, a computer system can be remotely powered on by wake on LAN or wake on RING, so the system can be remotely powered on to attack it. However, such attacks can be prevented by providing a physical presence detection function (eg, on the motherboard 301) that meets the requirements of the TCPA specification. In order to maintain a secure system, the CRTM code checks the physical presence of a person at power-on before allowing certain important operations to be performed on the computer system. Rather than implementing physical jumpers or switches as dictated by the TCPA specification, as described in more detail below in the description of this embodiment, the system of this embodiment (motherboard 301 in one embodiment) The physical presence is checked by examining the core chipset registers for an indication of how the computer was powered on. The computer system of the present embodiment estimates the physical presence of the user based on this inspection. If it is inferred that it does not physically exist, the CRTM code interfaces with the TPM 111 in such a manner that the TPM 111 rejects certain important types of TPM transactions after that point and after the boot. On the other hand, certain important types of TPM transactions are allowed if they are inferred to be physically present. This embodiment reduces manufacturing costs by avoiding physical jumpers or switches. Furthermore, the absence of physical jumpers or switches can result in components that are not electrically or mechanically unique. This lack of uniqueness exploits the components of the system as components of other systems that share the same electrical and mechanical design (eg, any system that shares the same electrical and mechanical design) This makes it possible to further improve the overall cost of the manufacturer.

  Referring to FIG. 3, there is shown a perspective view of a circuit board 301 or motherboard configured in accordance with embodiments of the present invention as previously discussed. The circuit board 301 preferably provides mechanical support and electrical interconnection between the TPM 111, NVRAM 116, core south bridge chipset 202, CPU or processor (eg, provided in socket 310). This circuit arrangement provides the basis for a trusted system platform that presents information to and receives information from the user. The platform itself consists of the circuit arrangement shown in FIG. 3, the processor or CPU provided in socket 310, and primary peripheral devices (not shown) attached to circuit board 301. The primary peripheral device is considered to be a device that attaches directly to and interacts directly with CPU 110. Examples include PCI cards, LPC components, USB host controllers, and root hubs attached to serial and parallel ports. However, USB and IEEE 1394 devices are not considered primary peripheral devices.

  With reference to FIGS. 2 and 3, processor 110 executes CRTM code stored in NVRAM 116. As previously mentioned, this CRTM code interacts with TPM 111 in a manner that provides a trusted platform. The trusted CRTM code and TPM 111 stored in NVRAM 116 are the basic components of the trusted platform and are the only trusted components of the platform. Once the proper connection is established between the CRTM code and the TPM 111, the basis of trust is established within the platform. The combination of NVRAM 116 and TPM 111 can be physical or logical and is considered outside the scope of the present invention. Details regarding the combination of CRTM and TPM 111 are well known in the field of trusted computing and are omitted so as not to unnecessarily detail and obscure the disclosure of the present invention. In this embodiment, the CRTM is stored in part of the NVRAM 116. However, in other embodiments, the CRTM code consumes the entire NVRAM 116. Because the CRTM and TPM 111 are the only trusted component of the platform and because the physical presence indication requires the platform user to invoke the trust mechanism, the physical presence indication is the CRTM of the NVRAM 116. Code and stored in TPM 111.

  The bus 112 of the preferred embodiment is a hierarchical bus having a North Bus Bridge (hereinafter referred to as “North Bridge”, not shown) and a South Bus Bridge 202 (hereinafter referred to as “South Bridge”). . Northbridge encompasses buses that are operably closer to the processor, such as memory and caching buses. Southbridge 202 includes buses that are closer to system I / O, such as X buses, IDE, LPC, and other buses. However, it should be noted that the bus 112 of the preferred embodiment does not necessarily have to be implemented as a hierarchical bus. Instead, the flat bus shown schematically in FIG. 1 can be physically implemented. Alternatively, a hierarchy that includes only a single bridge chip can be used. Southbridge 202 provides an LPC bus that couples NVRAM 116, among other components. The LPC bus is a low pin count bus based on the IBM® PCAT bus and forms part of the hierarchical bus 112 (IBM is a registered trademark of International Business Machines Corporation in the United States and other countries) Is). Southbridge 202 also couples TPM 111. Southbridge 202 also includes a number of low-level system controllers, such as a power supply controller 204 that is compliant with Advanced Configuration and Power Interface (ACPI). ACPI is an industry standard interface for OS indication configuration and power management. The ACPI power controller 204 within the south bridge 202 provides a hardware interface between the operating system and the device whose power is being controlled. Many of the functions provided by the power supply controller 204 are accessed through registers as either enable or status registers. One such register is the status register 206. The status register 206 includes a series of bits each giving a status relating to the machine's power configuration and its current and initial status. In the preferred embodiment, one of the bits, the power switch bit, is reserved to indicate whether the last power was applied to the system by activation of a system power switch housed in the front of the system. . The system power switch can be connected directly to the circuit board 301 (eg, motherboard) or indirectly through a power source. The power switch is preferably mounted on the front, but the system power switch can also be mounted directly on the power supply. When the last application of power is applied to the machine (in one embodiment, to the motherboard 301) by the system power switch, the power switch bit is asserted. If the last application of power is applied to the machine by anything other than the system power switch, the power switch bit is deasserted. Thus, the power switch bit is deasserted if the system (in one embodiment, a system manufactured with motherboard 301) is powered on remotely, for example via a wake on LAN or wake on RING event. The In the preferred embodiment, the power switch bits are implemented to be configurable only in hardware and not by software. This is done to prevent spoofing by Trojan or virus software that attempts to breach platform security. Allowing the power switch bit to be reset (set to the deasserted state) by software is an acceptable design because the deassertion of the power switch bit after the operating system loads is ignored. Even if considered an option and not ignored, software de-assertion of the power switch bit would otherwise serve to raise the security level in the system. In the preferred embodiment, the power switch bit indicates whether application of power by the system power switch was initiated at the last power-on event. In an alternative embodiment, the power switch bit can be designed to indicate whether the system power switch has been pressed. In the latter case, the software to be discriminated will be executed sooner or else some other means must be taken to make a reliable discrimination.

  Preferably, processor 110 executes the CRTM code stored in NVRAM 116 as initial code to be executed after a system reset. (In one embodiment, the motherboard 301 is built with a processor, such as the processor 110, provided in the socket 310.) The system (in one embodiment, the motherboard 301) is from either a hardware or software reset event. Enter the reset status of. The hardware reset state can be entered into the computer system when power is applied, or can be entered through a dedicated system reset switch. In the preferred embodiment, the CRTM code is a given initial control of the computer system to establish trust within the platform. Once the CRTM code is executed, the CRTM interacts with the TPM 111 to establish a root of trust for the platform. As mentioned above, the CRTM code verifies itself using the hash function and the TPM 111 PCR register. Additionally and specifically, the CRTM code reads the status register 206 for the current state of the power switch bit. The CRTM code then makes a guess as to whether the user is present on the machine and issues commands to the TPM 111 to limit or allow certain important TPM functions based on this guess.

  If the power switch bit in status register 206 is found to be asserted, it is assumed that the user is on the machine. In this case, a predetermined function set can be executed in the TPM 111 by an issued command. In the preferred embodiment, the issued command is a command that sets a physical presence flag in the TPM 111. The TPM 111 is then implemented only so that certain functions can be performed when physical presence is indicated by the physical presence flag. An example of such a command is a command that resets the TPM 111 to its factory default state. Such commands can be accepted and executed by the TPM 111 only if the physical presence is determined.

  Conversely, if the power switch bit in status register 206 is found to be deasserted, it is assumed that the user is not present on the machine. In this case, the issued command blocks the predetermined function set from being executed by the TPM 111. In the preferred embodiment, the issued command is a command that resets the physical presence flag in TPM 111 following a determination indicating a lack of physical presence. Thereafter, the TPM 111 is implemented to limit certain functions when the physical presence flag does not indicate physical presence. Given this environment set, the physical presence is not indicated, so an exemplary command attempting to reset the TPM 111 to its factory default state will be blocked by the TPM 111.

  For the most part, details regarding which commands are restricted and which commands are allowed by the TPM 111 are not necessary for a full understanding of the present invention, as such details are not necessary for ordinary technicians in the relevant field. Has been omitted because it is within the technical scope of Otherwise, any technical reader interested in the details about the command will be directed to the TCPA specification that presents these details incorporated by reference.

  In an alternative embodiment, in addition to setting or resetting a physical presence flag in TPM 111, an additional command is issued that sets a physical presence lock flag in TPM 111. The TPM 111 is then implemented so that the value of the physical presence flag cannot be changed once the physical presence lock flag is set. The lifetime of the physical presence flag lock extends to the next platform reset.

  Once all CRTM metrics are documented in the TPM 111 hash table PCR, regardless of whether the physical presence flag is locked by the lock flag mechanism or by some other binding mechanism, and once Once the physical presence or lack thereof is established at TPM 111, the platform is then considered reliable and secure to a determined extent. After platform trust is established, control can be passed to insecure code.

  In one embodiment of the invention, control is then passed to non-secure POST code that resides in NVRAM 116. In this embodiment, the code that is passed control after the platform is secure is the code that accesses any computer system I / O device such as a keyboard device, video device, or pointing device.

  In other embodiments, the CRTM code is considered the entire code stored in NVRAM 116. In this embodiment, control is passed to non-secure code stored outside NVRAM 116. This is typically code that loads the operating system. In an IBM® PC compatible computer system (in one embodiment, on the motherboard for an IBM® PC compatible computer system), the operating system loading is typically the last stored in NVRAM 116. Is instantiated by execution of software INT 19 executed as However, those skilled in the art can use other methods to load the operating system, and any method used does not depart from the spirit and scope of the present invention.

1 illustrates a computer system configured in accordance with one embodiment of the present invention. FIG. 2 is a detailed block diagram illustrating security components of one embodiment of the present invention. 1 is a perspective view illustrating a motherboard that supports and provides electrical interconnection for a security component of one embodiment of the present invention. FIG.

Claims (54)

In a computer system in which a trust platform is constructed by combining a trust code (CRTM) and a trust platform module (TPM), a method for controlling the function of the TPM,
The computer system is supplied with power;
Power is applied to the computer system by operation of the power-on switch by reading a power-on status register that stores information indicating the operation of the power-on switch connected to the computer system. Causing the computer system to realize a function of determining whether or not
In response to the determination result in step to realize the function of the determination to the computer system, the method comprising the steps of realizing the function of the CRTM to restrict or allow certain functions of the TPM to the computer system.   The method according to claim 1, wherein the information stored in the power-on status register can be set only in hardware. The step of causing the computer system to implement the function of determining and the step of causing the computer system to implement the function of limiting or permitting are performed after a reset event and before an OS load event that loads an operating system. The method of claim 1, wherein   4. The method of claim 3, wherein the OS load event is a first instance of INT 19h following the reset event.   The method of claim 3, wherein the reset event is an event selected from the group consisting of a hardware-initiated reset and a software-initiated reset. 4. The method according to claim 3, wherein the step of causing the computer system to implement the function of restricting or permitting further comprises the step of causing the computer system to set a function of setting a physical presence flag in the TPM. 7. The step of causing the computer system to implement the function of restricting or permitting further comprises the step of causing the computer system to implement a function of setting a physical presence lock flag in the TPM. Method. The step of causing the computer system to implement the function of determining and the step of causing the computer system to perform the function of limiting or permitting are performed after a reset event, and a keyboard device and a video device of the computer system. And the method of claim 1, occurring before any I / O device selected from the group consisting of pointing devices can be used.   9. The method of claim 8, wherein the reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset. In a computer system in which a trust platform is constructed by combining a trust code (CRTM) and a trust platform module (TPM), a method for controlling the function of the TPM,
The computer system is supplied with power;
Power is applied to the computer system by operation of the power-on switch by reading a power-on status register that stores information indicating the operation of the power-on switch connected to the computer system. Causing the computer system to realize a function of determining whether or not
In response to the determination result that power is applied without operating the power-on switch in the step of realizing the function to be determined in the computer system, the CRTM indicates the lack of the physical presence of the user. Causing the computer system to realize the function of configuring the physical presence flag of the TPM;
And a step of realizing the functions in response to said step of implementing the function of the structure to the computer system CRTM to limit certain functions of the TPM to the computer system,
The method of causing the computer system to implement the determining function and causing the computer system to implement the configuring function occurs after a system reset event and before an OS load event. The CRTM has the function of locking the physical presence flag in the TPM by setting the physical presence lock flag in the TPM after the system reset event and before the OS load event. The method of claim 10, comprising the steps of causing a computer system to implement .   The method of claim 11, wherein the OS load event is an event that loads an operating system, and the system reset event is an event selected from the group consisting of a hardware-initiated reset and a software-initiated reset. .   13. The method of claim 12, wherein the event that loads the operating system is a first instance of INT 19h following the system reset event. In a computer system in which a trust platform is constructed by combining a trust code (CRTM) and a trust platform module (TPM), a method for controlling the function of the TPM,
The computer system is supplied with power;
Power is applied to the computer system by operation of the power-on switch by reading a power-on status register that stores information indicating the operation of the power-on switch connected to the computer system. Causing the computer system to realize a function of determining whether or not
In response to the determination result that the power-on switch is operated and power is applied in the step of realizing the function to be determined in the computer system, the CRTM indicates the physical presence of the user. Causing the computer system to implement the function of configuring the TPM physical presence flag;
Causing the computer system to implement a function for allowing the CRTM to permit a certain function in the TPM in accordance with the step of causing the computer system to implement the function to be configured.
The method of causing the computer system to implement the determining function and causing the computer system to implement the configuring function occurs after a system reset event and before an OS load event. The function of the CRTM and before the OS load event after the system reset event is to lock the physical presence flag in said TPM by setting a physical presence lock flag in said TPM The method of claim 14, comprising causing the computer system to implement .   The method of claim 15, wherein the OS load event is an event that loads an operating system, and the system reset event is an event selected from the group consisting of a hardware-initiated reset and a software-initiated reset.   The method of claim 16, wherein the event that loads the operating system is a first instance of INT 19h following the system reset event. Trust code (CRTM) and trust platform module (TPM) are combined to build a trust platform and to supply power to computer systems
Determine whether power is applied to the computer system by operating the power-on switch by reading a power-on status register that stores information indicating the operation of the power-on switch connected to the computer system Function to
A computer program for realizing a function for restricting or permitting a certain function of the TPM in accordance with a result of determination in the function to be determined. Trust code (CRTM) and trust platform module (TPM) are combined to build a trust platform and to supply power to computer systems
Determine whether power is applied to the computer system by operating the power-on switch by reading a power-on status register that stores information indicating the operation of the power-on switch connected to the computer system Function to
A function of configuring a physical presence flag of the TPM to indicate a lack of a physical presence of a user according to a determination result that power is applied without operating the power-on switch in the determining function; ,
A function for restricting a certain function of the TPM in accordance with the function to be configured;
A computer program that realizes the function of determining and the function of configuring the function after the system reset event and before the OS load event. Trust code (CRTM) and trust platform module (TPM) are combined to build a trust platform and to supply power to computer systems
Determine whether power is applied to the computer system by operating the power-on switch by reading a power-on status register that stores information indicating the operation of the power-on switch connected to the computer system Function to
A function of configuring a physical presence flag of the TPM in order to indicate a physical presence of a user according to a determination result that the power-on switch in the determination function is operated and power is applied;
A function for permitting a certain function in the TPM according to the function to be configured;
A computer program that realizes the function of determining and the function of configuring the function after the system reset event and before the OS load event. Trusted platform module (TPM),
Non-volatile memory for storing program code;
A circuit board that combines the TPM and the non-volatile memory, including a processor that executes the program code and a status register that stores information indicating a power application state;
Information indicating the application state of the power indicates how the last application of power to the circuit board was started,
The processor has executed the program code, read the information stored in the status register, has the last application of power to the circuit board been initiated by the operation of a power-on switch connected to the circuit board? An apparatus that determines whether or not and restricts or permits certain functions of the TPM according to the determination result.   The apparatus according to claim 21, wherein the information stored in the status register can be set only in hardware.   The apparatus of claim 21, wherein the program code is executed after a reset event and before execution of code stored outside the non-volatile memory.   The apparatus of claim 21, wherein the program code is executed after a reset event and before execution of code that loads an operating system.   25. The apparatus of claim 24, wherein the code that loads the operating system is a first instance of INT 19h following the reset event.   24. The apparatus of claim 23, wherein the reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset.   24. The apparatus of claim 23, wherein the processor executes the program code to set a physical presence flag in the TPM.   28. The apparatus of claim 27, wherein the processor executes the program code to set a physical presence lock flag in the TPM.   The program code is executed after a reset event and accessing any I / O device selected from the group consisting of a keyboard device, a video device, and a pointing device of the computer system The apparatus of claim 21, which is performed before. Trusted platform module (TPM),
A nonvolatile memory for storing the program code,
A circuit board that combines the TPM and the non-volatile memory, including a processor that executes the program code and a status register that stores information indicating a power application state;
Information indicating the application state of the power indicates how the last application of power to the circuit board was started,
The processor and the non-volatile memory are configured on the circuit board to execute the program code stored as initial code executed by the processor in response to a reset event;
The processor executes the program code, reads the information stored in the status register, and the last application of power to the circuit board is initiated by the operation of a power-on switch connected to the circuit board. In response to the determination result that power is applied without operating the power-on switch, a physical presence flag in the TPM is configured to indicate the absence of the physical presence of the user. And
The apparatus, wherein the program code is executed before an OS load event and certain functions of the TPM are restricted according to the configured physical presence flag.   The processor executes the program code to lock the physical presence flag in the TPM by setting a physical presence lock flag in the TPM prior to the OS load event. 30. Apparatus according to 30.   32. The apparatus of claim 31, wherein the OS load event is an event that loads an operating system and the reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset.   33. The apparatus of claim 32, wherein the event that loads the operating system is a first instance of INT 19h following the reset event. Trusted platform module (TPM),
Non-volatile memory for storing program code;
A circuit board that combines the TPM and the non-volatile memory, including a processor that executes the program code and a status register that stores information indicating a power application state;
Information indicating the application state of the power indicates how the last application of power to the circuit board was started,
The processor and the non-volatile memory are configured on the circuit board to execute the program code stored as initial code executed by the processor in response to a reset event;
The processor executes the program code, reads the information stored in the status register, and the last application of power to the circuit board is initiated by the operation of a power-on switch connected to the circuit board. In response to the determination result that power is applied by operating the power-on switch, and configuring a physical presence flag in the TPM to indicate the physical presence of the user,
The apparatus, wherein the program code is executed prior to an OS load event and certain functions of the TPM are permitted according to the configured physical presence flag.   The processor executes the program code to lock the physical presence flag in the TPM by setting a physical presence lock flag in the TPM prior to the OS load event. 34. The apparatus according to 34.   36. The apparatus of claim 35, wherein the OS load event is an event that loads an operating system, and the reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset.   38. The apparatus of claim 36, wherein the event that loads the operating system is a first instance of INT 19h following the reset event. A motherboard mounted on a computer system,
A circuit board having a processor socket in which a processor can be mounted and a status register for storing information indicating a power application state;
A trusted platform module (TPM) mounted on the circuit board;
A non-volatile memory mounted on the circuit board and coupled to the TPM for storing program code;
Information indicating the application state of the power indicates how the last application of power to the circuit board was started,
The program code is executed by the processor to read information stored in the status register, and the last application of power to the circuit board is performed by operating a power-on switch connected to the circuit board. A motherboard for determining whether or not the computer system has been started, and causing the computer system to realize a function of issuing a command for restricting or permitting a certain function of the TPM according to the determination result.   39. The motherboard according to claim 38, wherein the information stored in the status register can be set only in hardware.   40. The motherboard of claim 38, wherein the program code is executed after a reset event and before execution of code stored outside the non-volatile memory.   40. The motherboard of claim 38, wherein the program code is executed after a reset event and before execution of code that loads an operating system.   42. The motherboard of claim 41, wherein the code for loading the operating system is a first instance of INT 19h following the reset event.   41. The motherboard of claim 40, wherein the reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset. 41. The motherboard according to claim 40, wherein the program code is executed by the processor to cause the computer system to realize a function of setting a physical presence flag in the TPM. 45. The motherboard according to claim 44, wherein the program code is executed by the processor to cause the computer system to realize a function of setting a physical presence lock flag in the TPM.   The program code is a code for accessing any I / O device selected from the group consisting of a keyboard device, a video device, and a pointing device of the computer system after the reset event. 40. The motherboard of claim 38, wherein the motherboard is executed before execution. A motherboard mounted on a computer system,
Trusted platform module (TPM),
Non-volatile memory for storing program code;
A circuit board for coupling the TPM and the non-volatile memory, including a processor socket in which a processor can be mounted and a status register for storing information indicating a power application state that can be set only in hardware ,
Information indicating the application state of the power indicates how the last application of power to the circuit board was started,
The processor and the non-volatile memory are configured on the circuit board to execute the program code stored as initial code that is executed in response to a reset event;
The program code is executed by the processor to read information stored in the status register, and the last application of power to the circuit board is performed by operating a power-on switch connected to the circuit board. A physical presence flag in the TPM to indicate whether or not the power on switch has been operated and in response to a determination result that power has been applied without being operated, to indicate a lack of physical presence of the user The computer system realizes the function of configuring
The motherboard, wherein the program code is executed before an OS load event, and certain functions of the TPM are restricted according to the configured physical presence flag.   The processor executes the program code and sets the physical presence flag in the TPM by setting a physical presence lock flag in the TPM before executing code stored in other than the non-volatile memory. 48. The motherboard of claim 47, wherein the motherboard is locked.   49. The code stored in other than the non-volatile memory is code that loads an operating system, and the reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset. The listed motherboard.   50. The motherboard of claim 49, wherein the code that loads the operating system is a first instance of INT 19h following the reset event. A motherboard mounted on a computer system ,
Trusted platform module (TPM),
Non-volatile memory for storing program code;
A circuit board for coupling the TPM and the non-volatile memory, including a processor socket in which a processor can be mounted and a status register for storing information indicating a power application state that can be set only in hardware ,
Information indicating the application state of the power indicates how the last application of power to the circuit board was started,
The processor and the non-volatile memory are configured on the circuit board to execute the program code stored as initial code that is executed in response to a reset event;
The program code is executed by the processor to read information stored in the status register, and the last application of power to the circuit board is performed by operating a power-on switch connected to the circuit board. A physical presence flag in the TPM is configured to indicate the physical presence of the user in response to the determination result that the power-on switch is operated and power is applied. To realize the function to perform in the computer system ,
The motherboard, wherein the program code is executed before execution of code stored other than the non-volatile memory, and certain functions of the TPM are permitted according to the configured physical presence flag. When the program code is executed by the processor, the physical presence in the TPM is set by setting a physical presence lock flag in the TPM before executing the code stored in the non-volatile memory. 52. The motherboard according to claim 51, wherein said computer system realizes a function of locking a flag.   53. The code stored in other than the non-volatile memory is code that loads an operating system, and the reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset. The listed motherboard.   54. The motherboard of claim 53, wherein the code that loads the operating system is a first instance of INT 19h following the reset event.

Images