KR20050123152A - Physical presence determination in a trusted platform - Google Patents

Abstract

A computer system (and a motherboard for a computer system) is presented which provides a trusted platform by which operations can be performed with an increased level trust and confidence. The basis of trust for the computer system (or motherboard) is established by an encryption coprocessor and by code which interfaces with the encryption coprocessor and establishes root of trust metrics for the platform. The encryption coprocessor is built such that certain critical operations are allowed only if physical presence of an operator has been detected. Physical presence is determined by inference based upon the status of registers in the core chipset (e.g. on the motherboard).

Description

PHYSICAL PRESENCE DETERMINATION IN A TRUSTED PLATFORM}

The present invention relates to computer systems and other information processing systems, and more particularly to computer systems built on a trusted platform, such as the TCPA industry standard platform.

In the computer industry, users need to increase the reliability of running applications to execute network transactions. This is especially true for electronic commerce where users use keys for credit cards and other sensitive information. Several solutions are emerging in this industry. One solution, smart cards, is emerging as a standard for increasing reliability by providing hardware to validate trusted users. In smart card solutions, computer systems are not trusted entities. Rather, a trusted entity is smart card hardware associated with a particular user. Another solution, the Trusted Computing Platform, is emerging as a standard for increasing reliability by providing hardware to establish a trusted platform. On a trusted platform, users are not trusted entities. Rather, it is the platform that can be trusted.

Modern computer systems provide remote power-on characteristics. For example, the computer may be powered on when it detects a ring signal from the incoming FAX from the computer modem. The computer can then be powered on and booted up to receive the incoming fax. Similarly, the computer can be powered on when it detects LAN activity on the LAN card and then booted to respond to any LAN request. However, computers with this characteristic are dangerous, especially when not in use, because they are vulnerable to attack even when powered off.

Best Modes for Carrying Out the Invention Preferred embodiments of the present invention will be described below with reference to the following drawings.

1 is a diagram illustrating a computer system constructed in accordance with an embodiment of the present invention.

2 is a detailed block diagram of a security component of an embodiment of the invention.

3 is a perspective view of a motherboard that supports and provides electrical interconnections for security components of one embodiment of the present invention.

According to one aspect of the invention, a step of determining whether power is applied to a computer system by activation of a power-on switch by reading a power-on status register indicating the occurrence of the activity, and according to the action of the determination And affecting the operation of the Trusted Platform Module (TPM) included in the computer system.

In one embodiment, the power-on status register is settable only in hardware.

In one embodiment, the determining and affecting step occurs after a reset event and before an OS loading event loading the operating system. The OS loading event may be the first instance of INT 19h following the reset event. The reset event may be an event selected from the group consisting of a hardware initiated reset and a software initiated reset. The affecting step may further include setting a physical presence flag in the TPM. The affecting step preferably further includes setting a physical presence lock flag in the TPM.

In one embodiment, the determining step and the affecting step occur after a reset event and before the computer system's I / O device becomes available. The I / O device of the computer system is a device selected from the group consisting of a keyboard device, a video device, and a pointing device. The reset event may be an event selected from the group consisting of a hardware initiated reset and a software initiated reset.

In one embodiment, the affecting step is to limit the operation of the TPM in response to determining that the power-on switch is not active.

In one embodiment, the affecting step is to allow certain reliable operation to be performed in the TPM in response to the application of power by activation of the power-on switch, which is determined in the determining step.

According to another aspect of the invention, the invention provides a method for determining whether power is applied to a computer system by activation of a power-on switch connected to the computer system by reading a power-on status register indicating the occurrence of the activity. And, wherein the power-on status register is settable only in hardware, and a trusted platform included in the computer system to indicate the absence of a physical presence in response to the determination of the power-on switch that the power-on switch is not active. Configuring a physical presence flag of a module (TPM), wherein the determining and configuring steps occur after a system reset event and before an OS loading event and the operation of the TPM in accordance with the action of the configuring step. It provides a method comprising the step of limiting.

In one embodiment, the method further comprises setting a physical presence lock flag at the TPM to lock the physical presence flag at the TPM, wherein the locking step occurs after a system reset event and before an OS loading event. The OS loading event is preferably an event for loading an operating system, and the system reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset. The event loading operating system may be the first instance of INT 19h following the system reset event.

According to another aspect of the invention, the invention provides a method for determining whether power is applied to a computer system by activation of a power-on switch connected to the computer system by reading a power-on status register indicating the occurrence of the activity. Wherein the power-on state register is included in the computer system to indicate a physical presence in response to the application of power by an activation of a power-on switch and a determination step that is settable only in hardware. Configuring a physical presence flag of a trusted platform module (TPM), wherein the determining and configuring steps occur after a system reset event and before an OS loading event, Allowing execution at the TPM in accordance with the action of the configuration step. It provides a method to include.

Preferably, it is possible to set a physical presence lock flag in the TPM to lock the physical presence flag in the TPM, which is preferably done after a system reset event and before an OS loading event. The OS loading event is preferably an event that loads an operating system, and the system reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset. The event loading operating system may be the first instance of INT 19h following the system reset event.

According to another aspect of the present invention, there is provided a program product comprising a computer usable medium having computer readable program code recorded thereon, wherein the computer readable program code of the program product, upon execution, A determination is made as to whether power is applied to the computer system by activation by reading a power-on status register indicating the occurrence of the activity, and in accordance with the action of the determination, a trusted platform module (TPM) included in the computer system. This is effective to affect the operation of).

According to another aspect of the invention, the invention provides a program product comprising a computer usable medium having computer readable program code recorded thereon, wherein the computer readable program code of the program product is connected to a computer system when executed. Determine whether power is applied to the computer system by activation of a power-on switch by reading a power-on status register indicating the occurrence of the activity, the power-on status register being settable only in hardware, and power-on switch Configure the physical presence flag of the Trusted Platform Module (TPM) included in the computer system to indicate the absence of physical presence in response to the determination indicating that is not active—this determination and configuration is performed after the system reset event and the OS Loading event Will made to -, it is effective to limit the operation of the TPM as a function of said configuration.

According to another aspect of the invention, the invention provides a program product comprising a computer usable medium having computer readable program code recorded thereon, wherein the computer readable program code of the program product is connected to a computer system when executed. Whether or not power is applied to the computer system by activation of a power-on switch is determined by reading a power-on status register indicating the occurrence of the activity, wherein the power-on status register is settable only in hardware, Configure the physical presence flag of the trusted platform module (TPM) included in the computer system to indicate a physical presence in response to the application of power by activation of the power-on switch accordingly; such determination and configuration is made after a system reset event. And before the OS loading event It is effective to allow certain reliable actions to be performed in the TPM in accordance with the action of the configuration.

According to another aspect of the invention, the invention comprises a trusted platform module (TPM), a nonvolatile memory in which computer readable program code is stored, and a circuit board connecting the TPM and the nonvolatile memory. Wherein the circuit board includes a processor to execute code stored in the non-volatile memory, the power-on status state indicating how the application of power to the circuit board was initiated the other time. And a status register for estimating a value, wherein the processor reads the power-on status state of the status register at the time of execution of the code stored in the nonvolatile memory, and applies the power to the circuit board the other time. A status register whether or not initiated by activation of a power-on switch connected to the circuit board And from determination on the basis of the read out will power-on status state, it is effective to issue commands affecting the operation of the TPM as a function of the determined power-on state.

In one embodiment, the status register is settable only in hardware.

In one embodiment, the code valid for reading, determining, and issuing is executed after a reset event and before execution of code stored in something other than the nonvolatile memory.

In one embodiment, the code valid for reading, determining, and issuing is executed after a reset event and before execution of the code loading the operating system. The code that loads the operating system may be the first instance of INT 19h following the reset event.

In one embodiment, the reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset.

In one embodiment, the code stored in the nonvolatile memory is also valid at runtime to set a physical presence flag in the TPM. Code stored in non-volatile memory is also effective when executing to set a physical presence lock flag in the TPM.

In one embodiment, the code valid for reading, determining, and issuing is executed after a reset event and before execution of any code that accesses an I / O device of the computer system, wherein the I / O device of the computer system is a keyboard device. And a device selected from the group consisting of a video device and a pointing device.

In one embodiment, the issued command limits the operation of the TPM in response to a determination based on a power-on status condition read from the status register that the power-on switch was not active upon the application of the last-initiated power source.

In one embodiment, the issued command is subject to a predetermined reliable operation in the TPM in response to a determination based on a power-on context condition read from the status register that the power-on switch was activated upon application of the last-initiated power source. Allow to run.

According to another aspect of the present invention, the present invention provides a reliable platform module (TPM), a nonvolatile memory in which computer readable program codes are stored, the TPM and the nonvolatile memory, and a processor and a status register. And a status register is settable only in hardware, and estimates a power-on status state indicating how the application of power to the circuit board has been initiated the other time. Volatile memory is configured on the circuit board to execute code stored in nonvolatile memory, the first code executed by the processor in response to a reset event, wherein the code, upon execution, powers on the status register. Read the status status and apply power to the circuit board the other time Determines whether is initiated by the activation of a power-on switch connected to the circuit board based on the power-on status state read from the status register, and in response to determining that the power-on switch is not active, Valid for configuring a physical presence flag in the TPM to indicate, code that is valid for reading, determining, and configuring is executed before an OS loading event, and the operation of the TPM is limited by the action of the configured physical presence flag.

In one embodiment, the code stored in the non-volatile memory is also valid when executing to set a physical presence lock flag in the TPM to lock a physical presence flag in the TPM, the code being physically present before an OS loading event. Lock the flag. The OS loading event is preferably an event that loads an operating system, the reset event being an event selected from the group consisting of a hardware initiated reset and a software initiated reset. The event loading operating system is preferably the first instance of INT 19h following the reset event.

According to another aspect of the present invention, the present invention provides a reliable platform module (TPM), a nonvolatile memory in which computer readable program codes are stored, the TPM and the nonvolatile memory, and a processor and a status register. And a status register is settable only in hardware, and estimates a power-on status state indicating how the application of power to the circuit board was initiated last time, and is inferior to the processor. Volatile memory is configured on the circuit board to execute code stored in nonvolatile memory, the first code executed by the processor in response to a reset event, wherein the code, upon execution, powers on the status register. Read the status status and apply power to the circuit board the other time Determines whether is initiated by the activation of a power-on switch connected to the circuit board based on the power-on status state read from the status register, and to indicate a physical presence in response to the determination that the power-on switch is activated. Code that is valid for configuring a physical presence flag in the TPM, and code that is valid for reading, determining, and configuring is executed before an OS loading event, and certain reliable actions are performed in the TPM in accordance with the action of the configured physical presence flag. It is allowed to run.

In one embodiment, the code stored in the non-volatile memory is also valid when executing to set a physical presence lock flag in the TPM to lock a physical presence flag in the TPM, the code being physically present before an OS loading event. Lock the flag. The OS loading event is preferably an event that loads an operating system, and the reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset. The event loading operating system is preferably the first instance of INT 19h following the reset event.

According to another aspect of the present invention, the present invention provides, as a circuit board, an unpopulated processor socket and a status register for estimating a power-on situation state indicating how the application of power to the circuit board was started the other time. A nonvolatile memory having a circuit board, a reliable platform module (TPM) mounted on the circuit board, a nonvolatile memory mounted on the circuit board, connected to the TPM, and storing computer readable program code. And a code stored in the non-volatile memory, when executed, reads the power-on status state of the status register, and the application of power to the circuit board the last time is connected to the circuit board. The power-on situation read from the status register whether or not it has been initiated by activation of a power-on switch. It is determined based on the state, and is effective for issuing a command that affects the operation of the TPM in accordance with the action of the determined power-on state.

In one embodiment, a status register indicating that power was applied by activation of the power-on switch is only settable in hardware.

In one embodiment, the code valid for reading, determining, and issuing is executed after a reset event and before execution of code stored in something other than the nonvolatile memory.

In one embodiment, the code valid for reading, determining, and issuing is executed after a reset event and before execution of the code loading the operating system. The code that loads the operating system is preferably the first instance of INT 19h following the reset event.

In one embodiment, the reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset.

In one embodiment, the code stored in the nonvolatile memory is also valid at runtime to set a physical presence flag in the TPM. Code stored in non-volatile memory is also valid at runtime to set a physical presence lock flag in the TPM.

In one embodiment, the code valid for reading, determining, and issuing is executed after a reset event and before execution of any code that accesses an I / O device of the computer system, wherein the I / O device of the computer system is a keyboard. It is preferably a device selected from the group consisting of a device, a video device, and a pointing device.

In one embodiment, the issued command limits the operation of the TPM in response to a determination based on a power-on status condition read from the status register that the power-on switch was not active upon the application of the last-initiated power source.

In one embodiment, the issued command is subject to a predetermined reliable operation in the TPM in response to a determination based on a power-on context condition read from the status register that the power-on switch was activated upon application of the last-initiated power source. It is allowed to run.

According to another aspect of the present invention, the present invention provides a reliable platform module (TPM), a non-volatile memory in which computer-readable program codes are stored, connecting the TPM and non-volatile memory, and a blank processor socket and a state. Providing a motherboard comprising a circuit board with a register, the status register being settable only in hardware, estimating a power-on status state indicating how the application of power to the circuit board was initiated the other time; Non-volatile memory is configured on the circuit board to execute code stored in non-volatile memory, which is the first code to be executed in response to a reset event, which code, upon execution, controls the power-on status of the status register. Read the other time, the application of power to the circuit board The TPM determines whether it is initiated by the activation of a connected power-on switch, based on a power-on situation state read from the status register, and indicates the absence of physical presence in response to determining that the power-on switch is not active. Code that is valid for constructing a physical presence flag in, wherein the code that is valid for reading, determining, and configuring is executed before execution of code stored in something other than the non-volatile memory, and the operation of the TPM is effected by the action of the configured physical presence flag. Limited according to.

In one embodiment, the code stored in the non-volatile memory is also effective to set a physical presence lock flag in the TPM at runtime to lock the physical presence flag in the TPM, wherein the code is other than the nonvolatile memory. Lock the physical presence flag before executing any code stored in it. Execution of code stored in something other than the nonvolatile memory is code that loads an operating system, and the reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset. The code that loads the operating system is preferably the first instance of INT 19h following the reset event.

According to another aspect of the present invention, the present invention provides a reliable platform module (TPM), a nonvolatile memory in which computer readable program code is stored, and a connection between the TPM and the nonvolatile memory, a blank processor socket and a state. Providing a motherboard comprising a circuit board having a register, the status register being settable only in hardware, estimating a power-on situation state indicating how the application of power to the circuit board was initiated last time; Non-volatile memory is configured on the circuit board to execute code stored in non-volatile memory, which is the first code to be executed in response to a reset event, wherein the code, upon execution, power-on status state of the status register. Read the last time, the application of power to the circuit board Whether or not initiated by the activation of a power-on switch coupled to a physical controller at the TPM to determine a physical presence in response to the determination that the power-on switch has been activated; Code that is valid for constructing an existence flag, and that is effective for reading, determining, and constructing is executed before execution of code stored in something other than the nonvolatile memory, and certain reliable actions are performed on the configured physical presence flag. Depending on the action it is allowed to run in the TPM.

In one embodiment, the code stored in the non-volatile memory is also effective to set a physical presence lock flag in the TPM at runtime to lock the physical presence flag in the TPM, wherein the code is other than the nonvolatile memory. Lock the physical presence flag before executing any code stored in it. Execution of code stored in something other than the nonvolatile memory is code that loads an operating system, and the reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset. The code that loads the operating system is preferably the first instance of INT 19h following the reset event.

According to an embodiment, there is provided a computer system having a reliable platform module (TPM), a nonvolatile memory for storing program code, and a circuit board on which the TPM and nonvolatile memory are supported. The circuit board preferably further includes a processor for executing code. In addition, the circuit board preferably includes a status register for estimating a power-on status state indicating how power was applied in the past. During execution, the code is preferably valid for reading the power-on status state of the status register. The code then preferably determines whether or not the application of the power supply was started by the activation of the power-on switch. This determination is preferably based on the power-on status state read from the status register. Preferably, as a result, a command is issued that affects the operation of the TPM.

According to one embodiment, a motherboard article of manufacture for use in the manufacture of a computer system is provided. It is recommended that the motherboard support and provide electrical interconnection between the Trusted Platform Module (TPM) and the nonvolatile memory that stores program code. The motherboard also preferably includes a blank processor socket that provides a connection to the processor. This socket is preferably configured such that when the motherboard is used to make a computer system, the installed processor executes code in nonvolatile memory. In addition, the motherboard preferably includes a status register for estimating a power-on status state indicating how power was applied in the past. The code is preferably valid at run time to read the power-on status state of the status register. The code then preferably determines whether or not the application of the power source has been started recently based on the activation of the power-on switch. This determination is preferably based on the power-on status state read from the status register. Preferably, the results are organized to issue commands that affect the operation of the TPM.

According to one embodiment, a method is provided for providing a trusted platform to a computer system. Determination as to whether power is applied to the computer system is made by the activation of the power-on switch. At the time of determination, the power-on status register indicating the occurrence of the activity is preferably read. Preferably, depending on the determination result, the operation of the trusted platform module included in the computer system is affected.

In another embodiment, a program product is provided that provides a trusted platform to a computer system on a computer readable medium having program code stored thereon. This code is preferably effective at run time to determine whether power has been applied to the computer system by activation of the power-on switch. At the time of determination, the power-on status register indicating the occurrence of the activity is preferably read. As a result of the determination, the operation of the trusted platform module included in the computer system is affected.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS The present invention will be described in more detail below with reference to the accompanying drawings, which show preferred embodiments of the invention, and that those skilled in the art can modify the invention described herein while achieving the desired results of the invention. It must be understood at the outset. Thus, the following description is a broad and teaching disclosure for those skilled in the art, but should be understood as not limiting the invention.

Referring now to the accompanying drawings, first of all, a perspective view of a motherboard 301 or a circuit board constructed in accordance with an embodiment of the present invention is shown. Motherboard 301 provides mechanical support and electrical interconnection between TPM 111, NVRAM 116, core southbridge chipset 202, and a blank processor socket. This circuit arrangement provides the basis for manufacturing a reliable system platform that provides and receives information to the user. In manufacturing, the platform consists of the circuit configuration shown in FIG. 3, a processor or CPU installed in the socket 310, and a primary peripheral device (not shown) mounted on the circuit board 301. The primary peripheral device may be viewed as a device mounted directly on the motherboard 301 and directly interacting with the motherboard. Examples include PCI cards, LPC components, USB host controllers and root hubs, and installed serial and parallel ports. However, USB and IEEE 1394 devices are not considered as primary peripherals.

1 illustrates an exemplary computer system 113 configured in accordance with a preferred embodiment of the present invention (eg, a computer system using a motherboard configured in accordance with an embodiment of the present invention). System 113 includes a central processing unit (CPU) 110 that is connected to various components by a system bus 112. System bus 112 may be a straight bus or may be a hierarchical bus system. Flash nonvolatile random access memory (“NVRAM”) 116 is coupled to system bus 112 and includes an input / output system (“BIOS”) that controls certain basic functions of computer system 113. NVRAM ( The function of storing the basic input / output system performed by 116 is traditionally the same as that performed by the ROM device The flash device of this embodiment has the advantage of being field upgradable Random Access Memory ("RAM"). 114, I / O adapter 118, and communication adapter 134 are also connected to system bus 112. I / O adapter 118 communicates with SCSI (Small) communication with disk storage 120. FIG. Computer adapter (134), which may interconnect a bus 112 with an external network 160 (e.g., the Internet) that allows a computer system to communicate with other such systems. I / O device is user It is also connected to the system bus via the interface adapter 122 and the display adapter 136. The keyboard 124 and the mouse 126 are all interconnected to the bus 112 via the user interface adapter 122. Display The monitor 138 is connected to the system bus 112 by the display adapter 136. In this way, the user inputs to the system 113 via the keyboard 124 or the mouse 126, and the display 138 It is possible to receive the output from the system.

Implementations of the invention preferably include an implementation as a computer system programmed to execute the method or methods described herein, and as a computer program product. According to a computer system implementation, program code or a set of instructions for executing a method or methods may reside in NVRAM 116. In other embodiments, program code need not reside on NVRAM 116, but may reside on other non-volatile memory. Until a computer system (e.g., manufactured by motherboard 301) is needed, program code may be stored in a separate computer memory, e. Can be stored as a computer program product in the disk drive 120. In one embodiment, the program code is executed as original code that is executed following any reset event in the computer system, regardless of its source. The code may also be stored on a separate computer and, if necessary, transmitted to the user's workstation by the network or by the external network 160. Those skilled in the art can understand that in the physical storage of the program code, the medium on which the code is stored is physically changed so that the medium carries computer readable information. The change may be an electrical, magnetic, chemical, biological or other physical change. Although the invention is described in terms of instructions, symbols, characters, etc. for convenience, those skilled in the art should remember that both these and similar terms should be associated with appropriate physical elements.

Computer system 113 is implemented to provide a user with a trusted platform on which certain trusted operations may be performed (eg, motherboard 301 may be implemented to provide a user with such a trusted platform). Can be]. The system (motherboard 301 in one embodiment) is built according to the Trusted Computing Platform Alliance (TCPA) specification entitled TCPA Main Specification Version 1.1b, which is incorporated herein by reference. In a preferred embodiment, computer system 113 (motherboard 301 in one embodiment) is implemented as a PC architecture system, which is also incorporated herein by reference by reference herein TCPA PC Specific Implementation Specification Stick to Version 1.00. Trusted Platform Module (TPM) 111 is a cryptographic processor that provides a computer system (in one embodiment motherboard 301) with hardware-assisted cryptographic features. The TPM 111 may be a fully integrated security module designed to be integrated into the system. Any form of cryptographic processor may be available. In the preferred embodiment, however, the TPM 111 implements version 1.1b of the TCPA specification of the Trusted Platform Module (TPM). The TPM 111 includes, among other things, an asymmetric cryptographic coprocessor that performs key generation, random number generation, digital signature key generation, and hash generation functions. The TPM 111 has a built-in EEPROM storage capable of computing an RSA signature using a CRT and capable of storing a predetermined number of RSA keys. Also included is a set of 20 byte Platform Configuration Registers (PCRs) to establish the root of trust for the platform. One example of such a TPM device is Atmel® part number AT97SC320.

In addition to storing BIOS code, NVRAM 116 may store code used to execute a power on self test (POST) routine. Portions of this POST code establish the basis for trust in the platform. Trust is established in the platform by providing reliable building blocks with NVRAM 116 and TPM 111 physically and / or logically coupled to the computer system.

As will be described in more detail below, on a chip circuit (eg, motherboard 301) where NVRAM 116 and TPM 111 are also known as motherboards, reliable code stored in NVRAM 116 may be stored in a computer system upon system reset. Assembled in such a way as to gain control. This trusted code is known as the Core Root of Trust for Measurement (CRTM). In order to verify that the POST code being executed is code loaded by the manufacturer, each section is first sized before the execution of that section by the CRTM itself (in one embodiment the code is the motherboard 301). In the above, each section is configured in such a way that it is sized by the CRTM itself-before executing the section. Each section of code is checked for length and check sum, and a hash is generated to indicate that the code is running. Each hash is then stored in one of the 20 byte PCRs in the TPM 111. These hash values are then verified by comparing the published hash values published by the manufacturer for verification purposes.

Since it is possible to remotely power on a computer system by, for example, a wake on LAN or a wake on RING, it is possible to remotely power on and attack the system. However, such an attack can be prevented by providing a physical presence detection function that meets the requirements of the TCPA specification (eg, on motherboard 301). In order to maintain a secure system, the CRTM code checks for the physical presence of the individual at power-on before certain deterministic actions can be performed on the computer system. Since the description of this embodiment follows, it will be described in detail below. Instead of implementing a physical jumper or switch as shown in the TCPA specification, the system of the present invention (in one embodiment, the motherboard 301) is a computer. Check the physical presence by checking the core chipset registers for an indication of how power is turned on. Based on this check, the computer system of the present invention estimates the physical presence of the user. If it is assumed that there is no physical presence, the CRTM code interfaces with the TPM 111 in such a way that the TPM 111 from that point on, that is, the boot on, rejects a certain deterministic type of TPM transaction. On the other hand, if it is assumed that there is a physical presence, certain deterministic types of TPM transactions are allowed. Embodiments of the present invention can reduce manufacturing costs by avoiding physical jumpers or switches. In addition, because of the absence of physical jumpers or switches, components can be manufactured without electrical or physical uniqueness. Since this specificity is lost, the components of the system can be enhanced, such as components of other systems that share the same electrical and mechanical design (eg, motherboards in any system that share the same electrical and mechanical design). 301) is likely to increase.

3, as described above, a perspective view of a circuit board 301 or motherboard constructed in accordance with an embodiment of the present invention is shown. The circuit board 301 may provide mechanical support and electrical interconnection between the TPM 111, NVRAM 116, the core southbridge chipset 202, the CPU, or a processor (eg, installed in the socket 310). good. This circuit arrangement provides the basis for a reliable system platform that provides and receives information to the user. The platform itself consists of the circuit configuration shown in FIG. 3, a processor or CPU installed in the socket 310, and a primary peripheral (not shown) mounted on the circuit board 301. The primary peripheral device may be viewed as a device mounted directly on the CPU 110 and directly interacting with the CPU. For example, PCI cards, LPC components, USB host controllers and root hubs, mounted serial and parallel ports, and the like. However, USB and IEEE 1394 devices are not primary peripherals.

2 and 3, the processor 110 executes a CRTM code stored in the NVRAM 116. As mentioned above, this CRTM code interacts with the TPM 111 to provide a reliable platform. The reliable CRTM code and the TPM 111 stored in NVRAM 116 are the optimal reliable components of the platform. If a proper binding is established between the CRTM code and the TPM 111, the basis of trust is established in the platform. The binding of NVRAM 116 and TPM 111 may be physical or logical, and is considered to be outside the scope of the present invention. The details of the CTRM's binding to the TPM 111 are well known in reliable computing techniques and will be omitted here so that the description is not to be confused with unnecessary details. In this embodiment, CRTM is included in a portion of NVRAM 116. However, in other embodiments, the CRTM code occupies the entirety of NVRAM 116. Since CRTM and TPM 111 are the optimal trusted components of the platform, and because the indication of physical presence causes a trusted mechanism to be activated by the platform user, the indication of physical presence is the CRTM of NVRAM 116. It is included in the code and the TPM 111.

Bus 112 of the preferred embodiment is a tiered bus having a north bus bridge (hereinafter not shown as "Northbridge") and a south bus bridge 202 (hereafter referred to as "Southbridge"). The northbridge includes buses operatively closer to the processor, such as memory and caching buses. Southbridge 202 includes buses, X-buses, IDEs, LPCs, and other buses that are closer to system I / O. However, it should be appreciated that the bus 112 of the preferred embodiment does not need to be implemented as a tiered bus. Instead, the systematic flat bus shown in FIG. 1 can be physically implemented. Alternatively, a hierarchical type involving a single bridge chip may be used. Southbridge 202 provides an LPC bus connecting NVRAM 116, among other components. The LPC bus is a Low Pin Count (LPC) bus based on the IBM® PCAT bus and forms part of the tiered bus 112 [IBM is a registered trademark of International Business Machines Corporation in the United States and other countries]. . In addition, the southbridge 202 connects the TPM 111. The southbridge 202 also includes a number of low level system controllers, such as an Advanced Configuration and Power Interface (ACPI) compatible power controller 204. ACPI is an industry standard interface for OS-oriented configuration and power management. The ACPI power controller 204 in Southbridge provides a hardware interface between the operating system and the power controlled device. Most of the functionality provided by the power controller 204 is accessed through a register, which is an enable or status register. One such register is status register 206. Status register 206 includes a series of bits, each providing a state for the power configuration of the machine and its current and initial states. In a preferred embodiment, one of its bits, the power switch bit, is reserved to indicate whether power was previously applied to the system by the activation of a system power switch housed in the front of the system. The system power switch is connected directly to the circuit board 301 (eg, motherboard) or indirectly through a power supply. In addition, the system power switch may be mounted indirectly to the power supply although it is preferable to mount the power switch on the front side. When the last application of power is made to the machine (motherboard 301 in one embodiment) by the system power switch, the power switch bit is asserted. When the last application of power is made to the machine by something other than the system power switch, the power switch bit is deasserted. Thus, if the system (in one embodiment a system made of motherboard 301) is powered on remotely via a wake on LAN or wake on RING event, for example, the power switch bit is deasserted. In the preferred embodiment, the power switch bits are implemented to be settable only in hardware, not in software. This is done to prevent spoofing by Trojan or virus software attempting to attack the security of the platform. Allowing the power switch bits to be reset (set to a desert state) by software is considered an acceptable design choice because the desing of the power switch bits is ignored after the operating system loads, and if not ignored, the power switch bits 'S software desserts function differently to increase the security level of the system. In the preferred embodiment, the power switch bit indicates whether the application of power by the system power switch was initiated at the last power on event. In another embodiment, the power switch bit is designed to indicate whether the system power switch has been pressed. In the latter case, the software making the decision must run quickly, or take other measures in different ways to make a reliable decision.

Preferably, processor 110 executes the CRTM code stored in NVRAM 116 as the first code to execute after a system reset. [In one embodiment, motherboard 301 is built with a processor such as processor 110 installed in socket 310.] The system (in one embodiment motherboard 301) is reset from a hardware or software reset event. Initiate the state. The hardware reset state can be initiated upon application of power to the computer system or can be initiated via a dedicated system reset switch. In a preferred embodiment, the CRTM code is under initial control of the computer system to establish trust in the platform. When the CRTM code executes, the CRTM interacts with the TPM 111 to establish a foundation of trust for the platform. As described above, the CRTAM code verifies itself using the PCR register and hashing function of the TPM 111. Also, most of all, the CRTM code reads the status register 206 for the current state of the power switch bit. The CRTM code makes an estimate regarding the presence of a user on the machine and issues a command to the TPM 111 to limit or allow certain critical TPM functions based on this estimation.

If the power switch bit of the status register 206 is found to be in an asserted state, it is assumed that the user is present at that machine. In this case, the issued command allows a predetermined series of functions to be executed in the TPM 111. In a preferred embodiment, the issued command is a command that sets a physical presence flag in the TPM. At this time, the TPM 111 is implemented to allow certain functions only when the physical presence is indicated according to the physical presence flag. An example of such a command is a command for resetting the TPM 111 to the factory default state. Such a command can be allowed and executed by the TPM 111 only when a physical presence is determined.

Conversely, if it is found that the power switch bit of the status register 206 is in a dessert state, it is assumed that the user is not present in the machine. In this case, the issued command prevents the predetermined series of functions from being executed in the TPM 111. In a preferred embodiment, the issued command is a command to reset the physical presence flag at the TPM 111 following a determination indicating the absence of physical presence. The TPM 111 is implemented to limit certain functions when the physical presence is not indicated according to the physical presence flag. In this series of situations, it is indicated that there is no physical presence, so that the exemplary command to reset the TPM 111 to its factory default state is blocked by the TPM 111.

In most cases, details of the commands restricted by the TPM 111 and the commands allowed are omitted as much as this content is not necessary to obtain a thorough understanding of the present invention and is within the skill of those skilled in the art. Alternatively, those skilled in the art who are interested in the detailed description of the command may refer in other ways to the TCPA specification, which is incorporated by reference providing such details.

In another embodiment, in addition to setting or resetting the physical presence flag at the TPM 111, an additional command is issued to set the physical presence lock flag at the TPM 111. The TPM 111 is implemented such that if the physical presence lock flag is set, the value of the physical presence flag is unchanged. Locking the physical presence flag has a lifespan extending to the next platform reset.

Regardless of whether the physical presence flag is locked by the mechanism of the lock flag or by some other binding mechanism, if all CRTM metrics are recorded in the hash table of the TPM 111 PCR, and the physical presence or absence thereof If established in the TPM 111, the platform is then considered to be reliable and secure to a determined extent. After platform trust is established, control can be passed to non-secure code.

In one embodiment of the invention, control is passed to an insecure POST code residing within NVRAM 116. In this embodiment, the code that takes over control after the platform is secured is code that accesses any I / O device of the computer system, such as a keyboard device, a video device, or a pointing device.

In another embodiment, the CRTM code is considered to be the entire code stored within NVRAM 116. Then, control is transferred to the non-secure code stored in something other than NVRAM 116 in this embodiment. In general, this is the code that loads the operating system. In an IBM PC compatible computer system (in one embodiment, a motherboard for an IBM compatible computer system), the loading of the operating system is typically instantiated by execution of software INT 19 executed as the latest instruction stored in NVRAM 116. do. However, those skilled in the art can use other methods for loading the operating system, and any method used is within the spirit and scope of the present invention.

Claims (60)

Determining whether power is applied to the computer system by activation of the power-on switch by reading a power-on status register indicating the occurrence of the activity; In accordance with the action of the determination, affecting the operation of a trusted platform module (TPM) included in the computer system. The method of claim 1, wherein the power-on status register is settable only in hardware. The method of claim 1, wherein the act of determining and affecting occurs after a reset event and before an OS loading event that loads an operating system. 4. The method of claim 3, wherein the OS loading event is the first instance of INT 19h following a reset event. 4. The method of claim 3 wherein the reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset. 4. The method of claim 3, wherein affecting further comprises setting a physical presence flag in the TPM. 7. The method of claim 6, wherein affecting further comprises setting a physical presence lock flag in the TPM. 2. The method of claim 1, wherein the determining and affecting steps occur after a reset event and before the I / O device of the computer system becomes available, wherein the I / O device of the computer system is a keyboard device, a video device. And a pointing device. 9. The method of claim 8 wherein the reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset. 4. The method of claim 1, wherein the effecting step is to limit the operation of the TPM in response to determining that the power-on switch is not active. The method of claim 1, wherein the effecting step allows the predetermined reliable operation to be performed at the TPM in response to the application of power by activation of a power-on switch that is determined in the determining step. . Determining whether power is applied to the computer system by activation of a power-on switch connected to the computer system by reading a power-on status register indicating the occurrence of the activity, wherein the power-on status register is settable only in hardware. Determination step, Configuring a physical presence flag of the trusted platform module (TPM) included in the computer system to indicate the absence of physical presence in response to the determination of the determining step that the power-on switch is not activated, wherein the determining step includes: The configuration step occurs after a system reset event and before an OS loading event;  Limiting the operation of the TPM in accordance with the action of the configuration step. 13. The method of claim 12, further comprising setting a physical presence lock flag at the TPM to lock a physical presence flag at the TPM, Wherein said locking step occurs after a system reset event and before an OS loading event. The method of claim 13, wherein the OS loading event is an event that loads an operating system and the system reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset. The method of claim 14, wherein the event that loads the operating system is the first instance of INT 19h following a system reset event.  Determining whether power is applied to the computer system by activation of a power-on switch connected to the computer system by reading a power-on status register indicating the occurrence of the activity, wherein the power-on status register is settable only in hardware. Determination step,  Configuring a physical presence flag of a trusted platform module (TPM) included in the computer system to indicate a physical presence in response to the application of power by activation of the power-on switch determined in the determining step, wherein The determining step and the configuring step occur after the system reset event and before the OS loading event; Allowing certain reliable operations to be executed in the TPM in accordance with the action of the configuration step. 17. The method of claim 16, further comprising setting a physical presence lock flag in the TPM to lock a physical presence flag in the TPM, Wherein said locking step occurs after a system reset event and before an OS loading event. 18. The method of claim 17, wherein the OS loading event is an event that loads an operating system and the system reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset. The method of claim 18, wherein the event that loads the operating system is the first instance of INT 19h following a system reset event. A program product comprising a computer usable medium having computer readable program codes recorded thereon, The computer readable program code of the program product, upon execution, Whether power is applied to the computer system by the activation of the power-on switch is determined by reading a power-on status register indicating the occurrence of the activity, And, in accordance with the action of the determination, is effective to affect the operation of a trusted platform module (TPM) included in the computer system. A program product comprising a computer usable medium having computer readable program codes recorded thereon, The computer readable program code of the program product, upon execution, Determining whether power is applied to the computer system by the activation of a power-on switch connected to the computer system by reading a power-on status register indicating the occurrence of the activity, wherein the power-on status register is settable in hardware only; , Configure a physical presence flag of a trusted platform module (TPM) included in the computer system to indicate the absence of physical presence in response to the determination indicating that the power-on switch is not activated-the determination and configuration result in a system reset event. After and before the OS loading event-, Program product effective to limit the operation of the TPM in accordance with the action of the configuration. A program product comprising a computer usable medium having computer readable program codes recorded thereon, The computer readable program code of the program product, upon execution, Determining whether power is applied to the computer system by the activation of a power-on switch connected to the computer system by reading a power-on status register indicating the occurrence of the activity, wherein the power-on status register is settable in hardware only; , Configure a physical presence flag of a trusted platform module (TPM) included in the computer system to indicate a physical presence in response to the application of power by activation of a power-on switch in accordance with the determination-such determination and configuration After the reset event and before the OS loading event- Program product that is effective to allow certain reliable operations to be executed in the TPM in accordance with the action of the configuration. Trusted Platform Module (TPM), Non-volatile memory that stores computer readable program code, An apparatus comprising a circuit board connecting the TPM and a nonvolatile memory. The circuit board includes a processor that executes code stored in the nonvolatile memory, and further includes a status register that estimates a power-on status state indicating how the application of power to the circuit board was initiated the other time. Include, When the processor executes code stored in the nonvolatile memory, Read the power-on status of the status register, Determining whether the application of power to the circuit board was initiated by the activation of a power-on switch connected to the circuit board on the basis of a power-on status state read from a status register, And issue a command that affects the operation of the TPM in accordance with the action of the determined power-on state. 24. The apparatus of claim 23, wherein the status register is settable only in hardware. 24. The apparatus of claim 23, wherein code valid for reading, determining, and issuing is executed after a reset event and before execution of code stored in something other than the nonvolatile memory. 24. The apparatus of claim 23, wherein code valid for reading, determining, and issuing is executed after a reset event and before execution of code that loads an operating system. 27. The apparatus of claim 26, wherein the code for loading the operating system is the first instance of INT 19h following a reset event. 27. The apparatus of claim 25, wherein the reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset. 27. The apparatus of claim 25, wherein the code stored in the nonvolatile memory is also effective when executing to set a physical presence flag in the TPM. 30. The apparatus of claim 29, wherein code stored in the nonvolatile memory is also effective when executing to set a physical presence lock flag in the TPM. 24. The computer-readable medium of claim 23, wherein code valid for reading, determining, and issuing is executed after a reset event and before execution of any code that accesses an I / O device of the computer system. And a device selected from the group consisting of a keyboard device, a video device, and a pointing device. 24. The method of claim 23, wherein the issued command restricts the operation of the TPM in response to a determination based on a power-on context condition read from the status register that the power-on switch was not activated upon application of the last-initiated power source. Device. 24. The method of claim 23, wherein the issued command is further configured to perform a predetermined reliable operation in response to a determination based on a power-on status state read from the status register that the power-on switch was activated at the time of application of the last-initiated power source. Device that allows to run in a TPM. Trusted Platform Module (TPM), Non-volatile memory that stores computer readable program code, A device comprising a circuit board connecting the TPM and a nonvolatile memory, the circuit board having a processor and a status register. The status register is settable only in hardware, and estimates a power-on status state indicating how the application of power to the circuit board was started the other time, The processor and the nonvolatile memory are configured on the circuit board to execute code stored in the nonvolatile memory, which is the first code executed by the processor in response to a reset event, When the code is run, Read the power-on status of the status register, Determining whether the application of power to the circuit board was initiated last time by the activation of a power-on switch connected to the circuit board, based on the power-on status state read from the status register, Is effective to configure a physical presence flag in the TPM to indicate the absence of a physical presence in response to determining that a power-on switch is not active, Code that is valid for reading, determining, and configuring is executed before an OS loading event, and the operation of the TPM is limited according to the action of a configured physical presence flag. 35. The system of claim 34, wherein the code stored in the non-volatile memory is also effective to set a physical presence lock flag in the TPM and to lock a physical presence flag in the TPM when executed. Wherein the code locks a physical presence flag prior to an OS loading event. 36. The apparatus of claim 35, wherein the OS loading event is an event loading an operating system and the reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset. 37. The apparatus of claim 36, wherein the event of loading the operating system is the first instance of INT 19h following a reset event. Trusted Platform Module (TPM), Non-volatile memory that stores computer readable program code, A device comprising a circuit board connecting the TPM and a nonvolatile memory, the circuit board having a processor and a status register. The status register is settable only in hardware, and estimates a power-on status state indicating how the application of power to the circuit board was started last time, The processor and the nonvolatile memory are configured on the circuit board to execute code stored in the nonvolatile memory, which is the first code executed by the processor in response to a reset event, When the code is run, Read the power-on status of the status register, It is determined on the basis of the power-on status state read from the status register whether or not the application of power to the circuit board has been started by the activation of a power-on switch connected to the circuit board. Is effective to configure a physical presence flag in the TPM to indicate a physical presence in response to determining that a power-on switch is activated, Code that is valid for reading, determining, and configuring is executed before an OS loading event, and certain trusted actions are allowed to be executed in the TPM in accordance with the action of the configured physical presence flag. 39. The computer-readable medium of claim 38, wherein the code stored in the nonvolatile memory is also effective to set a physical presence lock flag in the TPM when executing to lock the physical presence flag in the TPM. Wherein the code locks a physical presence flag prior to an OS loading event. 40. The apparatus of claim 39 wherein the OS loading event is an event loading an operating system and the reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset. 41. The apparatus of claim 40, wherein the event of loading the operating system is the first instance of INT 19h following the reset event. A circuit board comprising: a circuit board having an unpopulated processor socket, a status register for estimating a power-on status state indicating how the application of power to the circuit board was started last time; A reliable platform module (TPM) mounted on the circuit board, A motherboard mounted on the circuit board and connected to the TPM, the motherboard including a nonvolatile memory storing computer readable program code. Code stored in the nonvolatile memory is executed at run time, Read the power-on status of the status register, Determining whether the application of power to the circuit board has been started recently by the activation of a power-on switch connected to the circuit board, based on the power-on status state read from the status register, And is effective for issuing a command affecting the operation of the TPM in accordance with the action of the determined power-on state. 43. The motherboard of claim 42 wherein a status register indicating that power is applied by activation of the power-on switch is only settable in hardware. 43. The motherboard of claim 42 wherein the code valid for reading, determining, and issuing is executed after a reset event and before execution of code stored in something other than the nonvolatile memory. 43. The motherboard of claim 42 wherein the code valid for reading, determining, and issuing is executed after a reset event and before execution of code that loads an operating system. 46. The motherboard of claim 45 wherein the code for loading the operating system is the first instance of INT 19h following a reset event. 45. The motherboard of claim 44 wherein the reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset. 45. The motherboard of claim 44 wherein the code stored in the nonvolatile memory is also effective when executing to set a physical presence flag in the TPM. 49. The motherboard of claim 48 wherein the code stored in the nonvolatile memory is also effective when executing to set a physical presence lock flag in the TPM. 43. The computer-readable medium of claim 42, wherein code valid for reading, determining, and issuing is executed after a reset event and before execution of any code that accesses an I / O device of the computer system. Is a device selected from the group consisting of a keyboard device, a video device, and a pointing device. 43. The method of claim 42, wherein the issued command limits the operation of the TPM in response to a determination based on a power-on context condition read from the status register that the power-on switch was not active upon application of the last-initiated power source. Motherboard. 43. The method of claim 42, wherein the issued command is further configured to perform a predetermined reliable operation in response to a determination based on a power-on status state read from the status register that the power-on switch was activated upon application of the last-initiated power source. The motherboard that is allowed to run in the TPM. Trusted Platform Module (TPM), Non-volatile memory that stores computer readable program code, Providing a motherboard comprising a circuit board connecting the TPM and a nonvolatile memory and having a blank processor socket and a status register;  The status register is settable only in hardware, and estimates a power-on status state indicating how the application of power to the circuit board was started last time, The nonvolatile memory is configured on the circuit board to execute code stored in the nonvolatile memory, which is the first code executed in response to a reset event, When the code is run, Read the power-on status of the status register, Determining whether the application of power to the circuit board has been started recently by the activation of a power-on switch connected to the circuit board, based on the power-on status state read from the status register, Is effective to configure a physical presence flag in the TPM to indicate the absence of a physical presence in response to determining that a power-on switch is not active, Code that is valid for reading, determining, and configuring is executed before execution of code stored in something other than the non-volatile memory, and the operation of the TPM is limited by the action of the configured physical presence flag. 54. The computer-readable medium of claim 53, wherein the code stored in the nonvolatile memory is also effective to set a physical presence lock flag in the TPM to lock the physical presence flag in the TPM when executed. And said code to lock a physical presence flag prior to execution of code stored in something other than said nonvolatile memory. 55. The method of claim 54, wherein execution of code stored in something other than the nonvolatile memory is execution of code loading an operating system, and wherein the reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset. Motherboard. 56. The motherboard of claim 55 wherein the code to load the operating system is the first instance of INT 19h following a reset event. Trusted Platform Module (TPM), Non-volatile memory that stores computer readable program code, Providing a motherboard connecting the TPM to a nonvolatile memory and including a circuit board having a blank processor socket and a status register, The status register is settable only in hardware, and estimates a power-on status state indicating how the application of power to the circuit board was started last time, The nonvolatile memory is configured on the circuit board to execute code stored in the nonvolatile memory, which is the first code executed in response to a reset event, The code is executed at run time, Read the power-on status of the status register, Determining whether the application of power to the circuit board has been started recently by the activation of a power-on switch connected to the circuit board, based on the power-on status state read from the status register, Is effective to configure a physical presence flag in the TPM to indicate a physical presence in response to determining that a power-on switch is activated, Code that is valid for reading, determining, and configuring is executed before execution of code stored in something other than the non-volatile memory, and wherein certain reliable operations are executed in the TPM in accordance with the action of the configured physical presence flag. Motherboard that is allowed. 58. The computer-readable medium of claim 57, wherein the code stored in the nonvolatile memory is also effective to set a physical presence lock flag in the TPM and to lock a physical presence flag in the TPM when executed. And said code to lock a physical presence flag prior to execution of code stored in something other than said nonvolatile memory. 59. The motherboard of claim 58 wherein execution of code stored in something other than the nonvolatile memory is code that loads an operating system, and wherein the reset event is an event selected from the group consisting of a hardware initiated reset and a software initiated reset. . 60. The motherboard of claim 59 wherein the code for loading the operating system is the first instance of INT 19h following a reset event.