WO2018124894A1 - Embedded OEM code for fault recovery - Google Patents

Embedded OEM code for fault recovery

Info

Publication number
WO2018124894A1
Authority
WO
WIPO (PCT)
Prior art keywords
microcontroller
fault
executable code
fuse
occurred
Prior art date
Application number
PCT/PL2016/050059
Other languages
English (en)
Inventor
Janusz JURSKI
Robert Swanson
Bradley Burres
Piotr Kwidzinski
Vincent J. Zimmer
Pawel Szymanski
Original Assignee
Intel Corporation
Priority date
Filing date
Publication date
Application filed by Intel Corporation
Priority to PCT/PL2016/050059
Publication of WO2018124894A1

Links

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14 Error detection or correction of the data by redundancy in operation
    • G06F11/1402 Saving, restoring, recovering or retrying
    • G06F11/1415 Saving, restoring, recovering or retrying at system level
    • G06F11/1417 Boot up procedures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/572 Secure firmware programming, e.g. of basic input output system [BIOS]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575 Secure boot

Definitions

  • Embodiments described herein generally relate to microcontrollers and in particular, to using embedded original equipment manufacturer (OEM) code for fault recovery.
  • OEM original equipment manufacturer
  • Many computing platforms include a platform controller hub, which includes multiple embedded programmable microcontrollers.
  • Examples of such microcontrollers include a manageability engine (ME) and an innovation engine (IE) microcontroller. These microcontrollers are used to provide security, integrity checking, and other functions to the host system.
  • ME manageability engine
  • IE innovation engine
  • FIG. 1 is a schematic diagram illustrating a microcontroller arrangement, according to an embodiment
  • FIG. 2 is a flowchart illustrating a recovery process, according to an embodiment
  • FIG. 3 is a block diagram illustrating a control system for using embedded original equipment manufacturer code for fault recovery, according to an embodiment
  • FIG. 4 is a flowchart illustrating a method of using embedded original equipment manufacturer code for fault recovery, according to an embodiment
  • FIG. 5 is a block diagram illustrating an example machine upon which any one or more of the techniques (e.g., methodologies) discussed herein may perform, according to an example embodiment.
  • Microcontrollers load the initial piece of program code from some read-only memory (ROM). Other pieces of the code to be executed by the microcontroller are loaded from some non-volatile (NV) storage location.
  • ROM read-only memory
  • NV non-volatile
  • an original equipment manufacturer may insert code into the NV storage during manufacturing.
  • the OEM expects such code to be executed by the microcontrollers.
  • NV storage may be erased or overwritten, causing unforeseeable execution of the microcontrollers that rely on the code.
  • Such actions may compromise the integrity of the system controlled by the microcontrollers.
  • microcontrollers may provide security features like authenticating a trusted root component. Interrupting the operation of such a microcontroller may expose the platform to malicious code, render the system inoperable, or otherwise compromise the integrity of the system.
  • FIG. 1 is a schematic diagram illustrating a microcontroller arrangement 100, according to an embodiment.
  • the microcontroller arrangement 100 includes a platform controller hub (PCH) 102 and a non-volatile (NV) storage 104 that is external from the PCH 102.
  • the NV storage 104 is a memory that is able to maintain its contents even after a power cycle. Examples of 104 include, but are not limited to erasable programmable read-only memory (EPROM), flash memory, Ferroelectric random access memory (RAM), hard disk drive (HDD), optical discs, and other types.
  • EPROM erasable programmable read-only memory
  • RAM Ferroelectric random access memory
  • HDD hard disk drive
  • the NV storage 104 is typically flash memory or EPROM.
  • the PCH 102 and NV storage 104 are connected with a bus 106.
  • the bus may be a serial peripheral interface (SPI) bus.
  • SPI serial peripheral interface
  • the bus 106 is used to send data between microcontrollers in the PCH 102 and other peripherals in the microcontroller arrangement 100, including the NV storage 104. Flash memory used with an SPI bus is conventionally referred to as SPI flash.
  • the PCH 102 may include one or more microcontrollers.
  • the PCH 102 includes a manageability engine (ME) microcontroller 108 and an innovation engine (IE) microcontroller 110.
  • the ME microcontroller 108 is a dedicated microcontroller that provides various security and operational components to the PCH 102.
  • some aspects of the ME microcontroller 108 include, but are not limited to providing remote configuration, booting from a remote hard drive, using one-time passwords for two-factor authentication, and enabling a poison pill that may be used to disable or wipe a remote system over a 3G connection.
  • the IE microcontroller 110 may act in concert with the ME microcontroller 108 and provide extensibility to the ME microcontroller 108.
  • the IE microcontroller 110 may be used to execute OEM-provided firmware that is stored outside of the PCH 102. OEMs (e.g., system builders) are able to provide their own unique, differentiating firmware for server, storage, and networking markets via the IE microcontroller 110.
  • the IE microcontroller 110 is cryptographically bound to the OEM. Code not authenticated by the OEM will not load in the IE microcontroller 110.
  • the ME microcontroller 108 may execute code embedded in the PCH 102 by the chip manufacturer. For instance, the ME microcontroller 108 may access a read-only memory (ROM) 112 that is built into the PCH 102, and obtain the code to execute.
  • the ROM 112 may include low-level instructions or data, defined by the PCH 102 hardware manufacturer, and used by the PCH 102 to provide fundamental operations. However, the ROM 112 is inaccessible by OEMs.
  • the IE microcontroller 110 may load program code from the NV storage 104 to be executed.
  • Program code may be stored by an OEM during system assembly.
  • the PCH 102 may be provided by Intel® and an OEM, such as DELL®, may program the NV storage 104 with DELL-specific basic input/output system (BIOS) code or data.
  • BIOS basic input/output system
  • the OEM-specific code or data is loaded from the external NV storage 104 and used by the ME microcontroller 108 or IE microcontroller 110.
  • Each OEM may provide its own programming or data and store it in the NV storage 104.
  • the contents of the NV storage 104 may be corrupted, altered, or erased, either intentionally (e.g., in a cyber-attack) or unintentionally (e.g., with a memory failure).
  • the microcontrollers in the PCH 102 include authentication mechanisms to guarantee that only the code put in the NV storage 104 by an OEM is executed. For instance, the OEM may sign the contents of NV storage 104 and the ME microcontroller 108 or IE microcontroller 110 may authenticate the contents using the OEM's signature. If the ME microcontroller 108 or IE microcontroller 110 is unable to authenticate the contents, the ME microcontroller 108 and IE microcontroller 110 will not execute some other arbitrary code. As such, when the PCH 102 attempts to bring up the system and the contents of the NV storage 104 are inaccessible or unexecutable, then the system may be vulnerable to additional attacks or may be unstable or inoperable.
  • MITM man-in-the-middle
  • a non-volatile, one-time programmable (OTP) memory structure 114 is used to store code or data to recover.
  • the PCH 102 may access the memory structure 114 to obtain code to execute, and attempt to recover from the fault.
  • the memory structure 114 may be a set of field programmable fuses (FPFs).
  • PROM Programmable read-only memory
  • FPROM field programmable read-only memory
  • OTP NVM one-time programmable non-volatile memory
  • In fuse-based technology, each fuse starts with a low resistance and is designed to permanently break an electrically conductive path when the current applied to the path exceeds a specified limit. Similarly, in antifuse technology, each antifuse starts with a high resistance and is designed to permanently create an electrically conductive path when voltage across the antifuse exceeds a specified limit. Each fuse or antifuse represents a digital bit, and burning specific fuses or antifuses creates digital data on the ROM.
  • the memory structure 114 may be fuse-based or antifuse-based memory.
  • an unburnt fuse is assumed to be associated with the binary value "1" because the fuse is conductive and allows a charge to pass through.
  • When the fuse is burnt, the structure is altered to be non-conductive and then has a binary value of "0".
  • Antifuses operate in the opposite manner.
  • An antifuse is a structure that changes state from not conducting to conducting (e.g., from higher resistance to lower resistance) in response to electrical stress (e.g., programming voltage or current).
  • Before being blown, an antifuse has a binary value of "0", and after being "blown" (e.g., "burnt") the antifuse is conductive and has a binary value of "1". While much of the present disclosure discusses examples in terms of a fuse-based PROM, it is understood that variants using antifuses are within the scope of this disclosure.
  • the memory structure 114 is protected from being erased once programmed.
  • the embedded microcontrollers are able to access the memory structure 114 and load the code from there even if the external NV storage 104 is not available.
  • the IE microcontroller 110 arrangement provides a guarantee that the critical code will be executed by the microcontrollers.
  • the code to be embedded in the memory structure 114 may be defined by the OEM as opposed to the ROM code in ROM 112 being defined by the PCH 102 hardware manufacturer.
  • the code to be embedded in the memory structure 114 may be defined and modified according to the set of features expected to be fulfilled by the microcontroller by the OEM, while the ROM code in the ROM 112 must always be the same across all different OEM product configurations.
  • OEMs are able to customize and tailor the response performed by the PCH 102 when a fault occurs. For instance, one OEM may prioritize security and decide to include a piece of code in the memory structure 114 that will halt the main host processor and toggle a PCH pin in order to trigger an alarm. Another OEM may decide instead to prioritize reliability and let the system continue booting even if there is no code loaded from the NV storage 104.
  • the microcontroller arrangement 100 provides OEMs full flexibility to store code, configuration parameters, and other information in the memory structure 114 according to their preferred platform design.
  • the memory structure 114 may also store other information, such as core microcode for the IE microcontroller 110, for instance when firmware updates are available, core CPU microcode, or a BIOS initial boot block.
  • the PCH 102 hardware vendor generates microcode patches, but the OEM ecosystem integrates them into the BIOS image. If the end user does not patch the BIOS, then the microcode patches may not be applied to the PCH 102. By storing the patches in the memory structure 114, the PCH 102 is more likely to be timely updated.
  • ROM code in the ROM 112 may implement a library of procedures that may be later used by the code embedded in the memory structure 114 by the OEM. As such, the OEM may only need to store library calls in the memory structure 114, thereby reducing the amount of fuses needed. It is understood that a mixture of library calls and self-contained executable code may be stored in the memory structure 114 by the OEM.
  • FIG. 2 is a flowchart illustrating a recovery process 200, according to an embodiment.
  • System power is applied (operation state 202).
  • the ME microcontroller 108 or IE microcontroller 110 determines whether an attack is in progress (decision block 204).
  • The ME microcontroller 108 or IE microcontroller 110 may make this determination in a number of ways. A non-limiting example is by use of an OEM signature. The OEM may sign the BIOS image or other core files. Upon startup, the ME microcontroller 108 or IE microcontroller 110 may verify that the BIOS image, for example, is authentic before allowing the BIOS to execute.
  • BIOS may be stored in a local memory to the PCH 102, such as a static random access memory (SRAM) device incorporated in the PCH 102.
  • SRAM static random access memory
  • If no attack is detected, the operating system is booted (operational state 208).
  • If an attack is detected, the ME microcontroller 108 and IE microcontroller 110 cause code from the memory structure 114 to be executed (operational block 210).
  • the ME microcontroller 108 or IE microcontroller 110 may direct a reset vector to the code's location in the memory structure 114.
  • the reset vector is the default location a CPU will go to find the first instruction it will execute after a reset.
  • the reset vector is a pointer or address where the CPU begins execution.
  • the code in the memory structure 114 may cause the CPU to send an alert to a system administrator using one or more of available communication channels or protocols, such as HTTP, JSON, etc.
  • the CPU may initiate alerts to an administrator upon attack via any outward facing communication path, e.g., HTTP, IPMI alerts, SMBus, Omni-Path fabric, etc.
  • While either the ME microcontroller 108 or the IE microcontroller 110 may cause code from the memory structure 114 to be executed, in some embodiments only one of the ME microcontroller 108 or the IE microcontroller 110 performs this activity.
  • the recovery code in the memory structure 114 may access a storage location to obtain a clean BIOS image.
  • the storage location may be a NAND flash storage, a 3D XPoint™ non-volatile memory, an NVMe device accessible via an IE PCIe interface, or other memory.
  • the storage location may be internal to the PCH 102 or external, such as in NV storage 104.
  • the clean BIOS image is downloaded into the local memory in the PCH 102.
  • the local memory may be a SRAM device incorporated into the PCH 102 architecture.
  • the BIOS image may be downloaded using memory mapped input/output (MMIO).
  • MMIO memory mapped input/output
  • the reset vector will be allowed to be consumed (operational block 216).
  • the operating system is brought up using the clean BIOS image (operational state 208).
  • the ME microcontroller 108 and IE microcontroller 110 work in tandem.
  • the ME microcontroller 108 may have access to interfaces for external ports, memory structures, or communication circuits, that the IE microcontroller 110 may not have access to depending on the design of the PCH 102.
  • the ME microcontroller 108 and IE microcontroller 110 may pass control data between one another in order to perform the functions described herein.
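The recovery process of FIG. 2, together with the two OEM policies described earlier (halt and raise an alarm, or continue booting from a clean image) and the idea of storing only ROM library calls in the fuses, simulated as an added example. This is constructed for this page and is not code from the patent or from Intel: `FuseMemory`, `Microcontroller`, `run_scenario`, the opcode values and the policy byte strings are all assumptions, the storage "slots" are plain dictionaries, and HMAC-SHA256 under a constructed key stands in for the OEM signature check (a real design would verify an asymmetric signature against an OEM public key anchored in the fuses).

```python
import hashlib
import hmac

# Constructed stand-in for the OEM signing key (assumption, not from the patent).
OEM_KEY = b"constructed-oem-signing-key"

def oem_sign(image: bytes) -> bytes:
    return hmac.new(OEM_KEY, image, hashlib.sha256).digest()

def oem_verify(image: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(oem_sign(image), signature)

class FuseMemory:
    """Fuse-based OTP memory: every bit starts as 1 (unburnt, conductive) and
    programming can only burn bits to 0. Nothing restores a 0 to 1, which is
    what keeps the stored recovery code from being erased or altered."""
    def __init__(self, size_bytes: int):
        self._cells = bytearray(b"\xff" * size_bytes)

    def program(self, offset: int, data: bytes) -> None:
        for i, byte in enumerate(data):
            current = self._cells[offset + i]
            if byte & ~current & 0xFF:          # a 1 requested where a fuse is already 0
                raise PermissionError("cannot restore a burnt fuse")
            self._cells[offset + i] = current & byte

    def read(self, offset: int, length: int) -> bytes:
        return bytes(self._cells[offset:offset + length])

def attempt_erase(fuses: FuseMemory, offset: int) -> bool:
    # Try to return a programmed byte to 0xFF; True means the fuse array refused.
    try:
        fuses.program(offset, b"\xff")
    except PermissionError:
        return True
    return False

# Opcodes the OEM burns into the fuses. Each names a routine in the ROM library, so
# the fuses hold one byte per call rather than the routine itself. 0xFF, the value
# of an unprogrammed byte, ends the program.
OP_ALERT, OP_FETCH_CLEAN, OP_VERIFY, OP_LOAD_LOCAL, OP_RELEASE_RESET, OP_ALARM_PIN, OP_HALT = range(1, 8)
OP_END = 0xFF
SECURITY_FIRST_POLICY = bytes([OP_ALERT, OP_ALARM_PIN, OP_HALT])
RELIABILITY_FIRST_POLICY = bytes([OP_ALERT, OP_FETCH_CLEAN, OP_VERIFY, OP_LOAD_LOCAL, OP_RELEASE_RESET])

class Microcontroller:
    """Models the ME/IE microcontroller. nv_slot is the regular BIOS location and
    alt_slot an alternative location that may hold a clean image; a slot is
    {"image": bytes, "sig": bytes}, or None when the storage is unreadable."""
    def __init__(self, fuses: FuseMemory, nv_slot, alt_slot):
        self.fuses, self.nv, self.alt = fuses, nv_slot, alt_slot
        self.local_sram = None   # BIOS image staged in PCH-local memory
        self.staging = None
        self.events = []         # alerts and notifications raised during boot
        self.rom = {             # ROM library that the fused code may call by opcode
            OP_ALERT: lambda: self.events.append("alert: BIOS authentication failed"),
            OP_FETCH_CLEAN: self._fetch_clean,
            OP_VERIFY: self._verify_staged,
            OP_LOAD_LOCAL: self._load_local,
            OP_RELEASE_RESET: lambda: "os-booted-from-recovery",
            OP_ALARM_PIN: lambda: self.events.append("pch pin toggled: alarm"),
            OP_HALT: lambda: "halted",
        }

    @staticmethod
    def _authentic(slot) -> bool:
        return slot is not None and oem_verify(slot["image"], slot["sig"])

    def _fetch_clean(self):
        self.staging = self.alt

    def _verify_staged(self):
        # The clean image is authenticated too; an unsigned substitute is never loaded.
        if not self._authentic(self.staging):
            self.events.append("alert: no authentic clean image available")
            return "halted"
        return None

    def _load_local(self):
        self.local_sram = self.staging["image"]

    def boot(self) -> str:
        # Decision block 204: is the regular BIOS image readable and OEM-signed?
        if self._authentic(self.nv):
            self.local_sram = self.nv["image"]
            return "os-booted"
        # Fault: point the reset vector at the fused code and execute it (block 210).
        pc = 0
        while True:
            op = self.fuses.read(pc, 1)[0]
            if op == OP_END:
                return "halted"  # program ended without releasing the reset vector
            outcome = self.rom[op]()
            if outcome:
                return outcome
            pc += 1

def make_slot(image: bytes) -> dict:
    return {"image": image, "sig": oem_sign(image)}

def run_scenario(policy: bytes, nv_slot, alt_slot):
    fuses = FuseMemory(16)
    fuses.program(0, policy)     # the OEM burns its policy during manufacturing
    mcu = Microcontroller(fuses, nv_slot, alt_slot)
    return mcu.boot(), mcu.events

if __name__ == "__main__":
    good = make_slot(b"OEM BIOS v1")                                   # constructed image
    modified = {"image": b"OEM BIOS v1 (modified)", "sig": good["sig"]}  # stale signature
    print(run_scenario(RELIABILITY_FIRST_POLICY, modified, good))
    print(run_scenario(SECURITY_FIRST_POLICY, None, good))
```

Running the module prints the outcome and the event list for a modified regular image under the reliability policy (recovery from the clean image) and for an erased regular image under the security policy (alarm, then halt). The two details worth noticing from a defender's view are that the recovery path re-authenticates the clean image before loading it, so a fault never becomes a way to run unsigned code, and that `attempt_erase` shows the write-once property the fused policy relies on.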
  • FIG. 3 is a block diagram illustrating a control system 300 for using embedded original equipment manufacturer code for fault recovery, according to an embodiment.
  • the control system 300 includes a microcontroller 302, a fuse-based memory device 304, and an interface to an external memory storage 306.
  • the interface 306 may be a SPI interface.
  • the external memory storage may be a NAND flash, EPROM, or other NV storage device.
  • the microcontroller 302 may include a manageability engine microcontroller, an innovation engine microcontroller, or be otherwise configured or programmed to provide similar or additional functions as an ME or IE microcontroller, either alone or combined.
  • the fuse-based memory device 304 may use fuses or antifuses, depending on the design.
  • the fuses (or antifuses) may be blown (e.g., programmed) by an OEM or system builder during manufacturing or assembly.
  • the microcontroller 302 is used to verify the BIOS and initiate the boot operation.
  • the microcontroller 302 may be configured or otherwise programmed to access a BIOS over an SPI interface to external memory storage, and detect when the BIOS is not authentic. For instance, the BIOS may be signed by the OEM and the microcontroller 302 may check a signature of the OEM. If the microcontroller 302 determines that the BIOS is invalid, then the microcontroller 302 may initiate a recovery operation.
  • the microcontroller 302 may be unable to access the BIOS from its regular location.
  • the BIOS may be corrupted or erased due to malicious intervention or some hardware failure.
  • microcontroller 302 may attempt to recover from either type of situation by obtaining a clean BIOS image from an alternative storage location, and loading the clean BIOS image into local storage to complete the boot sequence. Alerts, logs, or other notifications may be generated to inform a user, system
  • the microcontroller 302 may determine that the host system (e.g., user computing device) has been stolen, lost, or compromised. In order to maintain the user's privacy, the host system may be disabled, wiped, or transmit a "phone home" beacon. Code to control such activities may be stored in the fuse-based memory device 304.
  • a system for using embedded original equipment manufacturer code for fault recovery includes a microcontroller 302 and a fuse-based memory device 304.
  • the microcontroller 302 may be configured to detect that a fault has occurred and load executable code from the fuse-based memory device when the fault has been detected.
  • the microcontroller 302 comprises a manageability engine microcontroller. In a related embodiment, the microcontroller 302 comprises an innovation engine microcontroller.
  • the fuse-based memory device 304 is an antifuse device. In a related embodiment, the fuse-based memory device 304 is programmed only by an original equipment manufacturer (OEM). In an embodiment, the system comprises a platform controller hub.
  • OEM original equipment manufacturer
  • the microcontroller 302 is to attempt to access a basic input/output system (BIOS) image from a default storage location that is external from the system, and detect that the fault has occurred when the BIOS image is inaccessible or invalid.
  • BIOS basic input/output system
  • the BIOS image is signed with a signature, and the microcontroller 302 is to determine that the BIOS image is invalid by analyzing the signature.
  • the executable code accesses a clean BIOS image and loads the clean BIOS image into local memory to recover from the fault. In another embodiment, the executable code transmits an alert to a system administrator.
  • the microcontroller 302 is to obtain information that the system has been stolen and detect that the fault has occurred based on the information.
  • the executable code disables the system.
  • the executable code transmits an alert to a user of the system.
  • the executable code transmits an alert to a system administrator.
  • the microcontroller 302 is to direct a reset vector to a location in the fuse-based memory device 304, the location indicating the executable code.
  • the microcontroller 302 is to read executable instructions from the fuse-based memory device 304 into operational memory.
  • the microcontroller 302 has access to an outward facing communication path, and the microcontroller 302 uses the outward facing communication path to transmit information to an external destination.
  • the outward facing communication path is to a cellular radio.
  • the outward facing communication path is to a network interface card.
  • the microcontroller 302, fuse-based memory device 304, and interface 306 are understood to encompass tangible entities that are physically constructed, specifically configured (e.g., hardwired), or temporarily (e.g., transitorily) configured (e.g., programmed) to operate in a specified manner or to perform part or all of any operations described herein.
  • Such tangible entities may be constructed using one or more circuits, such as with dedicated hardware (e.g., field programmable gate arrays (FPGAs), logic gates, system on chip, etc.).
  • FPGAs field programmable gate arrays
  • the tangible entities described herein may be referred to as circuits, circuitry, processor units, subsystems, or the like.
  • FIG. 4 is a flowchart illustrating a method 400 of using embedded original equipment manufacturer code for fault recovery, according to an embodiment.
  • a microcontroller determines that a fault has occurred.
  • executable code is loaded from the fuse-based memory device when the fault has been detected.
  • the microcontroller comprises a manageability engine microcontroller.
  • the microcontroller comprises an innovation engine microcontroller.
  • the microcontroller is incorporated in a platform controller hub.
  • the fuse-based device is an antifuse device.
  • the fuse-based device is programmed only by an original equipment manufacturer (OEM).
  • OEM original equipment manufacturer
  • detecting that the fault has occurred comprises attempting to access a basic input/output system (BIOS) image from a default storage location that is external from the system and detecting that the fault has occurred when the BIOS image is inaccessible or invalid.
  • BIOS basic input/output system
  • the BIOS image is signed with a signature, and detecting that the fault occurred when the BIOS image is invalid comprises determining that the BIOS image is invalid by analyzing the signature.
  • the executable code accesses a clean BIOS image and loads the clean BIOS image into local memory to recover from the fault.
  • the executable code transmits an alert to a system administrator.
  • detecting that the fault has occurred comprises obtaining information that the system has been stolen and detecting that the fault has occurred based on the information.
  • the executable code disables the system.
  • the executable code transmits an alert to a user of the system.
  • the executable code transmits an alert to a system administrator.
  • loading the executable code comprises directing a reset vector to a location in the fuse-based memory device, the location indicating the executable code.
  • loading the executable code comprises reading executable instructions from the fuse-based memory device into operational memory.
  • the microcontroller has access to an outward facing communication path, and the method 400 comprises using the outward facing communication path to transmit information to an external destination.
  • the outward facing communication path is to a cellular radio.
  • the outward facing communication path is to a network interface card.
  • Embodiments may be implemented in one or a combination of hardware, firmware, and software. Embodiments may also be implemented as instructions stored on a machine-readable storage device, which may be read and executed by at least one processor to perform the operations described herein.
  • a machine-readable storage device may include any non-transitory mechanism for storing information in a form readable by a machine (e.g., a computer).
  • a machine-readable storage device may include read-only memory (ROM), random-access memory (RAM), magnetic disk storage media, optical storage media, flash-memory devices, and other storage devices and media.
  • a processor subsystem may be used to execute the instruction on the machine-readable medium.
  • the processor subsystem may include one or more processors, each with one or more cores. Additionally, the processor subsystem may be disposed on one or more physical devices.
  • the processor subsystem may include one or more specialized processors, such as a graphics processing unit (GPU), a digital signal processor (DSP), a field programmable gate array (FPGA), or a fixed function processor.
  • GPU graphics processing unit
  • DSP digital signal processor
  • FPGA field programmable gate array
  • Examples, as described herein, may include, or may operate on, logic or a number of components, modules, or mechanisms.
  • Modules may be hardware, software, or firmware communicatively coupled to one or more processors in order to carry out the operations described herein.
  • Modules may be hardware modules, and as such modules may be considered tangible entities capable of performing specified operations and may be configured or arranged in a certain manner.
  • circuits may be arranged (e.g., internally or with respect to external entities such as other circuits) in a specified manner as a module.
  • the whole or part of one or more computer systems may be configured by firmware or software (e.g., instructions, an application portion, or an application) as a module that operates to perform specified operations.
  • the software may reside on a machine-readable medium.
  • the software when executed by the underlying hardware of the module, causes the hardware to perform the specified operations.
  • the term hardware module is understood to encompass a tangible entity, be that an entity that is physically constructed, specifically configured (e.g., hardwired), or temporarily (e.g., transitorily) configured (e.g., programmed) to operate in a specified manner or to perform part or all of any operation described herein.
  • each of the modules need not be instantiated at any one moment in time.
  • the modules comprise a general-purpose hardware processor configured using software; the general-purpose hardware processor may be configured as respective different modules at different times.
  • Software may accordingly configure a hardware processor, for example, to constitute a particular module at one instance of time and to constitute a different module at a different instance of time.
  • Modules may also be software or firmware modules, which operate to perform the methodologies described herein.
  • Circuitry or circuits may comprise, for example, singly or in any combination, hardwired circuitry, programmable circuitry such as computer processors comprising one or more individual instruction processing cores, state machine circuitry, and/or firmware that stores instructions executed by programmable circuitry.
  • the circuits, circuitry, or modules may, collectively or individually, be embodied as circuitry that forms part of a larger system, for example, an integrated circuit (IC), system on-chip (SoC), desktop computers, laptop computers, tablet computers, servers, smart phones, etc.
  • IC integrated circuit
  • SoC system on-chip
  • FIG. 5 is a block diagram illustrating a machine in the example form of a computer system 500, within which a set or sequence of instructions may be executed to cause the machine to perform any one of the methodologies discussed herein, according to an example embodiment.
  • the machine operates as a standalone device or may be connected (e.g., networked) to other machines.
  • the machine may operate in the capacity of either a server or a client machine in server-client network environments, or it may act as a peer machine in peer-to-peer (or distributed) network environments.
  • the machine may be a wearable device, personal computer (PC), a tablet PC, a hybrid tablet, a personal digital assistant (PDA), a mobile telephone, or any machine capable of executing instructions (sequential or otherwise) that specify actions to be taken by that machine.
  • PC personal computer
  • PDA personal digital assistant
  • machine shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein.
  • processor-based system shall be taken to include any set of one or more machines that are controlled by or operated by a processor (e.g., a computer) to individually or jointly execute instructions to perform any one or more of the methodologies discussed herein.
  • Example computer system 500 includes at least one processor 502 (e.g., a central processing unit (CPU), a graphics processing unit (GPU) or both, processor cores, compute nodes, etc.), a main memory 504 and a static memory 506, which communicate with each other via a link 508 (e.g., bus).
  • the computer system 500 may further include a video display unit 510, an alphanumeric input device 512 (e.g., a keyboard), and a user interface (UI) navigation device 514 (e.g., a mouse).
  • the video display unit 510, input device 512 and UI navigation device 514 are incorporated into a touch screen display.
  • the computer system 500 may additionally include a storage device 516 (e.g., a drive unit), a signal generation device 518 (e.g., a speaker), a network interface device 520, and one or more sensors (not shown), such as a global positioning system (GPS) sensor, compass, accelerometer, gyrometer, magnetometer, or other sensor.
  • a network interface device 520 e.g., a Wi-Fi sensor
  • GPS global positioning system
  • the storage device 516 includes a machine-readable medium 522 on which is stored one or more sets of data structures and instructions 524 (e.g., software) embodying or utilized by any one or more of the methodologies or functions described herein.
  • the instructions 524 may also reside, completely or at least partially, within the main memory 504, static memory 506, and/or within the processor 502 during execution thereof by the computer system 500, with the main memory 504, static memory 506, and the processor 502 also constituting machine-readable media.
  • machine-readable medium 522 is illustrated in an example embodiment to be a single medium, the term “machine-readable medium” may include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more instructions 524.
  • the term “machine-readable medium” shall also be taken to include any tangible medium that is capable of storing, encoding or carrying instructions for execution by the machine and that cause the machine to perform any one or more of the methodologies of the present disclosure or that is capable of storing, encoding or carrying data structures utilized by or associated with such instructions.
  • the term “machine-readable medium” shall accordingly be taken to include, but not be limited to, solid-state memories, and optical and magnetic media. Specific examples of machine-readable media include nonvolatile memory, including but not limited to, by way of example, semiconductor memory devices (e.g., electrically programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM)) and flash memory devices; magnetic disks such as internal hard disks and removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks.
  • the instructions 524 may further be transmitted or received over a communications network 526 using a transmission medium via the network interface device 520 utilizing any one of a number of well-known transfer protocols (e.g., HTTP).
  • Examples of communication networks include a local area network (LAN), a wide area network (WAN), the Internet, mobile telephone networks, plain old telephone (POTS) networks, and wireless data networks (e.g., Bluetooth, Wi-Fi, 3G, and 4G LTE/LTE-A or WiMAX networks).
  • transmission medium shall be taken to include any intangible medium that is capable of storing, encoding, or carrying instructions for execution by the machine, and includes digital or analog communications signals or other intangible medium to facilitate communication of such software.
  • Example 1 is a system for using embedded original equipment manufacturer code for fault recovery, the system comprising: a microcontroller; and a fuse-based memory device; wherein the microcontroller is to: detect that a fault has occurred; and load executable code from the fuse-based memory device when the fault has been detected.
  • In Example 2, the subject matter of Example 1 optionally includes wherein the microcontroller comprises a manageability engine microcontroller.
  • In Example 3, the subject matter of any one or more of Examples 1-2 optionally include wherein the microcontroller comprises an innovation engine microcontroller.
  • In Example 4, the subject matter of any one or more of Examples 1-3 optionally include wherein the fuse-based device is an antifuse device.
  • In Example 5, the subject matter of any one or more of Examples 1-4 optionally include wherein the fuse-based device is programmed only by an original equipment manufacturer (OEM).
  • In Example 6, the subject matter of any one or more of Examples 1-5 optionally include wherein the system comprises a platform controller hub.
  • In Example 7, the subject matter of any one or more of Examples 1-6 optionally include wherein to detect that the fault has occurred, the microcontroller is to: attempt to access a basic input/output system (BIOS) image from a default storage location that is external from the system; and detect that the fault has occurred when the BIOS image is inaccessible or invalid.
  • In Example 8, the subject matter of Example 7 optionally includes wherein the BIOS image is signed with a signature, and wherein the microcontroller is to determine that the BIOS image is invalid by analyzing the signature.
  • In Example 9, the subject matter of any one or more of Examples 7-8 optionally include wherein the executable code accesses a clean BIOS image and loads the clean BIOS image into local memory to recover from the fault.
  • In Example 10, the subject matter of any one or more of Examples 7-9 optionally include wherein the executable code transmits an alert to a system administrator.
  • In Example 11, the subject matter of any one or more of Examples 1-10 optionally include wherein to detect that the fault has occurred, the microcontroller is to: obtain information that the system has been stolen; and detect that the fault has occurred based on the information.
  • In Example 12, the subject matter of Example 11 optionally includes wherein the executable code disables the system.
  • In Example 13, the subject matter of any one or more of Examples 11-12 optionally include wherein the executable code transmits an alert to a user of the system.
  • In Example 14, the subject matter of any one or more of Examples 11-13 optionally include wherein the executable code transmits an alert to a system administrator.
  • In Example 15, the subject matter of any one or more of Examples 1-14 optionally include wherein the microcontroller is to direct a reset vector to a location in the fuse-based memory device, the location indicating the executable code.
  • In Example 16, the subject matter of any one or more of Examples 1-15 optionally include wherein the microcontroller is to read executable instructions from the fuse-based memory device into operational memory.
  • In Example 17, the subject matter of any one or more of Examples 1-16 optionally include wherein the microcontroller has access to an outward facing communication path, and the microcontroller uses the outward facing communication path to transmit information to an external destination.
  • In Example 18, the subject matter of Example 17 optionally includes wherein the outward facing communication path is to a cellular radio.
  • In Example 19, the subject matter of any one or more of Examples 17-18 optionally include wherein the outward facing communication path is to a network interface card.
  • Example 20 is a method of using embedded original equipment manufacturer code for fault recovery, the method comprising: detecting, at a microcontroller, that a fault has occurred; and loading executable code from the fuse-based memory device when the fault has been detected.
  • In Example 21, the subject matter of Example 20 optionally includes wherein the microcontroller comprises a manageability engine microcontroller.
  • In Example 22, the subject matter of any one or more of Examples 20-21 optionally include wherein the microcontroller comprises an innovation engine microcontroller.
  • In Example 23, the subject matter of any one or more of Examples 20-22 optionally include wherein the fuse-based device is an antifuse device.
  • In Example 24, the subject matter of any one or more of Examples 20-23 optionally include wherein the fuse-based device is programmed only by an original equipment manufacturer (OEM).
  • In Example 25, the subject matter of any one or more of Examples 20-24 optionally include wherein the microcontroller is incorporated in a platform controller hub.
  • In Example 26, the subject matter of any one or more of Examples 20-25 optionally include wherein detecting that the fault has occurred comprises: attempting to access a basic input/output system (BIOS) image from a default storage location that is external from the system; and detecting that the fault has occurred when the BIOS image is inaccessible or invalid.
  • In Example 27, the subject matter of Example 26 optionally includes wherein the BIOS image is signed with a signature, and wherein detecting that the fault occurred when the BIOS image is invalid comprises determining that the BIOS image is invalid by analyzing the signature.
  • In Example 28, the subject matter of any one or more of Examples 26-27 optionally include wherein the executable code accesses a clean BIOS image and loads the clean BIOS image into local memory to recover from the fault.
  • In Example 29, the subject matter of any one or more of Examples 26-28 optionally include wherein the executable code transmits an alert to a system administrator.
  • In Example 30, the subject matter of any one or more of Examples 20-29 optionally include wherein detecting that the fault has occurred comprises: obtaining information that the system has been stolen; and detecting that the fault has occurred based on the information.
  • In Example 31, the subject matter of Example 30 optionally includes wherein the executable code disables the system.
  • In Example 32, the subject matter of any one or more of Examples 30-31 optionally include wherein the executable code transmits an alert to a user of the system.
  • In Example 33, the subject matter of any one or more of Examples 30-
  • In Example 34, the subject matter of any one or more of Examples 20-33 optionally include wherein loading the executable code comprises directing a reset vector to a location in the fuse-based memory device, the location indicating the executable code.
  • In Example 35, the subject matter of any one or more of Examples 20-34 optionally include wherein loading the executable code comprises reading executable instructions from the fuse-based memory device into operational memory.
  • In Example 36, the subject matter of any one or more of Examples 20-35 optionally include wherein the microcontroller has access to an outward facing communication path, and the method comprises using the outward facing communication path to transmit information to an external destination.
  • In Example 37, the subject matter of Example 36 optionally includes wherein the outward facing communication path is to a cellular radio.
  • In Example 38, the subject matter of any one or more of Examples 36-37 optionally include wherein the outward facing communication path is to a network interface card.
  • Example 39 is at least one machine-readable medium including instructions, which when executed by a machine, cause the machine to perform operations of any of the methods of Examples 20-38.
  • Example 40 is an apparatus comprising means for performing any of the methods of Examples 20-38.
  • Example 41 is an apparatus for using embedded original equipment manufacturer code for fault recovery, the apparatus comprising: means for detecting, at a microcontroller, that a fault has occurred; and means for loading executable code from the fuse-based memory device when the fault has been detected.
  • In Example 42, the subject matter of Example 41 optionally includes wherein the microcontroller comprises a manageability engine microcontroller.
  • In Example 43, the subject matter of any one or more of Examples 41-42 optionally include wherein the microcontroller comprises an innovation engine microcontroller.
  • In Example 44, the subject matter of any one or more of Examples 41-43 optionally include wherein the fuse-based device is an antifuse device.
  • In Example 45, the subject matter of any one or more of Examples 41-44 optionally include wherein the fuse-based device is programmed only by an original equipment manufacturer (OEM).
  • In Example 46, the subject matter of any one or more of Examples 41-45 optionally include wherein the microcontroller is incorporated in a platform controller hub.
  • In Example 47, the subject matter of any one or more of Examples 41-46 optionally include wherein the means for detecting that the fault has occurred comprise: means for attempting to access a basic input/output system (BIOS) image from a default storage location that is external from the system; and means for detecting that the fault has occurred when the BIOS image is inaccessible or invalid.
  • In Example 48, the subject matter of Example 47 optionally includes wherein the BIOS image is signed with a signature, and wherein the means for detecting that the fault occurred when the BIOS image is invalid comprise means for determining that the BIOS image is invalid by analyzing the signature.
  • In Example 49, the subject matter of any one or more of Examples 47-48 optionally include wherein the executable code accesses a clean BIOS image and loads the clean BIOS image into local memory to recover from the fault.
  • In Example 50, the subject matter of any one or more of Examples 47-49 optionally include wherein the executable code transmits an alert to a system administrator.
  • In Example 51, the subject matter of any one or more of Examples 41-50 optionally include wherein the means for detecting that the fault has occurred comprise: means for obtaining information that the system has been stolen; and means for detecting that the fault has occurred based on the information.
  • In Example 52, the subject matter of Example 51 optionally includes wherein the executable code disables the system.
  • In Example 53, the subject matter of any one or more of Examples 51-52 optionally include wherein the executable code transmits an alert to a user of the system.
  • In Example 54, the subject matter of any one or more of Examples 51-53 optionally include wherein the executable code transmits an alert to a system administrator.
  • In Example 55, the subject matter of any one or more of Examples 41-54 optionally include wherein the means for loading the executable code comprise means for directing a reset vector to a location in the fuse-based memory device, the location indicating the executable code.
  • In Example 56, the subject matter of any one or more of Examples 41-55 optionally include wherein the means for loading the executable code comprise means for reading executable instructions from the fuse-based memory device into operational memory.
  • In Example 57, the subject matter of any one or more of Examples 41-56 optionally include wherein the microcontroller has access to an outward facing communication path, and the apparatus comprises means for using the outward facing communication path to transmit information to an external destination.
  • In Example 58, the subject matter of Example 57 optionally includes wherein the outward facing communication path is to a cellular radio.
  • In Example 59, the subject matter of any one or more of Examples 57-58 optionally include wherein the outward facing communication path is to a network interface card.
  • Example 60 is at least one machine-readable medium including instructions for using embedded original equipment manufacturer code for fault recovery, which when executed by a machine, cause the machine to: detect, at a microcontroller, that a fault has occurred; and load executable code from a fuse-based memory device when the fault has been detected.
  • In Example 61, the subject matter of Example 60 optionally includes wherein the microcontroller comprises a manageability engine microcontroller.
  • In Example 62, the subject matter of any one or more of Examples 60-61 optionally include wherein the microcontroller comprises an innovation engine microcontroller.
  • In Example 63, the subject matter of any one or more of Examples 60-62 optionally include wherein the fuse-based device is an antifuse device.
  • In Example 64, the subject matter of any one or more of Examples 60-63 optionally include wherein the fuse-based device is programmed only by an original equipment manufacturer (OEM).
  • In Example 65, the subject matter of any one or more of Examples 60-64 optionally include wherein the machine comprises a platform controller hub.
  • In Example 66, the subject matter of any one or more of Examples 60-65 optionally include wherein the microcontroller is to: attempt to access a basic input/output system (BIOS) image from a default storage location that is external from the machine; and detect that the fault has occurred when the BIOS image is inaccessible or invalid.
  • In Example 67, the subject matter of Example 66 optionally includes wherein the BIOS image is signed with a signature, and wherein the
  • In Example 68, the subject matter of any one or more of Examples 66-67 optionally include wherein the executable code accesses a clean BIOS image and loads the clean BIOS image into local memory to recover from the fault.
  • In Example 69, the subject matter of any one or more of Examples 66-68 optionally include wherein the executable code transmits an alert to a system administrator.
  • In Example 70, the subject matter of any one or more of Examples 60-69 optionally include wherein to detect that the fault has occurred, the microcontroller is to: obtain information that the machine has been stolen; and detect that the fault has occurred based on the information.
  • In Example 71, the subject matter of Example 70 optionally includes wherein the executable code disables the machine.
  • In Example 72, the subject matter of any one or more of Examples 70-71 optionally include wherein the executable code transmits an alert to a user of the machine.
  • In Example 73, the subject matter of any one or more of Examples 70-
  • In Example 74, the subject matter of any one or more of Examples 60-73 optionally include wherein to load the executable code, the microcontroller is to direct a reset vector to a location in the fuse-based memory device, the location indicating the executable code.
  • In Example 75, the subject matter of any one or more of Examples 60-74 optionally include wherein the microcontroller is to read executable instructions from the fuse-based memory device into operational memory.
  • In Example 76, the subject matter of any one or more of Examples 60-75 optionally include wherein the microcontroller has access to an outward facing communication path, and the microcontroller uses the outward facing communication path to transmit information to an external destination.
  • In Example 77, the subject matter of Example 76 optionally includes wherein the outward facing communication path is to a cellular radio.
  • In Example 78, the subject matter of any one or more of Examples 76-77 optionally include wherein the outward facing communication path is to a network interface card.
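The boot-time decision that Examples 1, 7-16 describe (check the BIOS image at its default external location by its signature; on failure, or on a theft signal, redirect the reset vector into OEM code held in the one-time-programmable fuse device, which recovers a clean image and alerts the administrator, or disables a stolen system), modelled as an added Python example that is not part of the patent. The key, addresses, image bodies and the use of an HMAC in place of a real signature scheme are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

OEM_KEY = b"constructed-oem-signing-key"  # assumption: an HMAC stands in for the OEM signature
FUSE_RECOVERY_ADDR = 0xFFFF0000            # constructed address of the recovery code in the fuse device
DEFAULT_RESET_VECTOR = 0xFFF00000          # constructed address of the normal BIOS entry point

def sign(image: bytes) -> bytes:
    """OEM signing step (constructed; a real platform would use an asymmetric signature)."""
    return hmac.new(OEM_KEY, image, hashlib.sha256).digest()

@dataclass
class SignedImage:
    body: bytes
    signature: bytes

class FuseMemory:
    """One-time-programmable: the OEM writes it once, after which it is read-only (Examples 4-5)."""
    def __init__(self) -> None:
        self._cells, self._locked = {}, False
    def program(self, addr: int, code: Callable) -> None:
        if self._locked:
            raise PermissionError("fuse device already programmed")
        self._cells[addr], self._locked = code, True
    def read(self, addr: int) -> Callable:
        return self._cells[addr]

@dataclass
class Microcontroller:
    fuse: FuseMemory
    external_flash: Dict[str, SignedImage]  # default, external BIOS location (Example 7)
    clean_image_source: SignedImage         # where the recovery code fetches a clean image (Example 9)
    stolen: bool = False                    # theft information (Example 11)
    reset_vector: int = DEFAULT_RESET_VECTOR
    local_memory: Optional[bytes] = None
    alerts: list = field(default_factory=list)
    def image_valid(self, img: SignedImage) -> bool:
        # Example 8: validity is decided by the signature, compared in constant time.
        return hmac.compare_digest(sign(img.body), img.signature)
    def detect_fault(self) -> bool:
        img = self.external_flash.get("bios")  # an inaccessible image reads as None
        return self.stolen or img is None or not self.image_valid(img)
    def boot(self) -> str:
        if not self.detect_fault():
            self.local_memory = self.external_flash["bios"].body
            return "normal"
        # Examples 15-16: point the reset vector into the fuse device and run what it holds.
        self.reset_vector = FUSE_RECOVERY_ADDR
        return self.fuse.read(self.reset_vector)(self)

def oem_recovery_code(mcu: Microcontroller) -> str:
    """Recovery routine the OEM burned into the fuse device (Examples 9-10, 12-14)."""
    if mcu.stolen:
        mcu.alerts.append("user+admin: system reported stolen, disabling it")
        return "disabled"
    if not mcu.image_valid(mcu.clean_image_source):
        mcu.alerts.append("admin: clean BIOS image also fails its signature check")
        return "halted"
    mcu.local_memory = mcu.clean_image_source.body
    mcu.alerts.append("admin: BIOS image recovered by fuse-resident OEM code")
    return "recovered"

def run_boot(scenario: str) -> str:
    """Boot a constructed platform; scenario is one of good, tampered, missing, stolen."""
    good = SignedImage(b"BIOS v1 (constructed)", sign(b"BIOS v1 (constructed)"))
    fuse = FuseMemory()
    fuse.program(FUSE_RECOVERY_ADDR, oem_recovery_code)
    flash = {} if scenario == "missing" else {"bios": good}
    if scenario == "tampered":  # body changed, old signature kept: must fail verification
        flash["bios"] = SignedImage(b"BIOS v1 (implanted)", good.signature)
    mcu = Microcontroller(fuse, flash, clean_image_source=good, stolen=(scenario == "stolen"))
    return mcu.boot()
```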

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Quality & Reliability (AREA)
  • Debugging And Monitoring (AREA)

Abstract

Various systems and methods for using embedded original equipment manufacturer (OEM) code for fault recovery are described. A system comprises a microcontroller and a fuse-based memory device, the microcontroller being to: detect that a fault has occurred; and load executable code from the fuse-based memory device when the fault has been detected.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/PL2016/050059 WO2018124894A1 (fr) 2016-12-29 2016-12-29 Code oem intégré pour la récupération de défauts

Publications (1)

Publication Number Publication Date
WO2018124894A1 true WO2018124894A1 (fr) 2018-07-05

Family

ID=57838449

Country Status (1)

Country Link
WO (1) WO2018124894A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10809944B1 (en) 2020-01-22 2020-10-20 Cypress Semiconductor Corporation Memory device resilient to cyber-attacks and malfunction

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6571347B1 (en) * 1999-05-24 2003-05-27 Winbond Electronics Corporation Apparatus and method for intelligent computer initiation program recovery
US6757838B1 (en) * 2000-10-13 2004-06-29 Hewlett-Packard Development Company, L.P. Hardware independent implementation of computer system BIOS recovery
WO2013006698A1 (fr) * 2011-07-07 2013-01-10 Intel Corporation Protection et notification en cas d'attaque de bios par flashage
US20150277930A1 (en) * 2014-03-28 2015-10-01 Nitin V. Sarangdhar In-system provisioning of firmware for a hardware platform

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16828797

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16828797

Country of ref document: EP

Kind code of ref document: A1