WO2020167286A1 - Deletion of firmware instructions - Google Patents

Deletion of firmware instructions

Info

Publication number
WO2020167286A1
Authority
WO
WIPO (PCT)
Prior art keywords
excludable
firmware instructions
region
instructions
flag
Prior art date
Application number
PCT/US2019/017522
Other languages
French (fr)
Inventor
Christopher H. Stewart
Valiuddin Ali
Original Assignee
Hewlett-Packard Development Company, L.P.
Application filed by Hewlett-Packard Development Company, L.P.
Related applications
EP19915084.8A (published as EP3887943A4)
CN201980090905.3A (published as CN113330423A)
US17/296,526 (published as US20220027074A1)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/65 Updates
    • G06F8/654 Updates using techniques specially adapted for alterable solid state memories, e.g. for EEPROM or flash memories
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/61 Installation
    • G06F8/62 Uninstallation

Definitions

  • Firmware instructions may have enhanced features (such as stolen device recovery features) that are deemed necessary for some users, but may pose a security risk or attack surface for others.
  • FIG. 1A shows a block diagram of an example apparatus that deletes excludable firmware instructions;
  • FIG. 1B shows a block diagram of an example apparatus that deletes excludable firmware instructions;
  • FIG. 2A shows a block diagram of an example storage device that includes different regions for storing metadata, core firmware instructions, and excludable instructions;
  • FIG. 2B shows a block diagram of an example storage device that includes deleted excludable instructions;
  • FIG. 3 shows a block diagram of an example system that provisions firmware instructions, including core firmware instructions and excludable firmware instructions;
  • FIG. 4 depicts a flow diagram of an example method for updating firmware instructions in the presence of deleted excludable firmware instructions;
  • FIG. 5 depicts a block diagram of an example non-transitory machine-readable storage medium for executing firmware instructions that includes core firmware instructions and excludable firmware instructions.
  • Firmware instructions such as Basic Input/Output System code, Unified Extensible Firmware Interface (UEFI), and/or other instructions boot up or otherwise initialize a device to operate.
  • Some firmware instructions may have enhanced features (such as stolen device recovery features) that are deemed necessary for some users, but may pose a security risk or bigger attack surface for others.
  • portions of the firmware instructions that provide enhanced features may therefore become unwanted or unneeded instructions. Because firmware instructions are typically embedded and cannot easily be removed, such unwanted or unneeded instructions may create a security risk. Maintaining multiple versions of the firmware instructions, one with and one without the portions that provide the enhanced feature(s), may be impractical.
  • firmware instructions may include instructions that are used for the functioning of an apparatus on which the firmware instructions are installed.
  • firmware instructions may be used for interfacing with hardware components of the apparatus. Firmware instructions are typically not deleted or otherwise removed once installed.
  • firmware instructions include Basic Input/Output System (BIOS) code, Unified Extensible Firmware Interface (UEFI), and/or other instructions that are used for the functioning of an apparatus on which the instructions are installed.
  • BIOS Basic Input/Output System
  • UEFI Unified Extensible Firmware Interface
  • the firmware instructions may be stored on a storage device (also referred to herein as "firmware storage").
  • the firmware storage may be dedicated storage space that stores the firmware instructions of an apparatus.
  • firmware storage may be accordingly partitioned into multiple regions to accommodate the firmware architecture.
  • the firmware storage may include, among others, a metadata region, a main region, and an excludable region.
  • the metadata region may store metadata that describes the firmware architecture and the layout of the firmware architecture in the firmware storage.
  • the metadata may include a pointer to a location in the firmware storage where the main region exists, a pointer to a location in the firmware storage where the excludable region exists, and/or other information relating to the firmware architecture.
  • the pointer may include an offset and/or length of a region of the firmware storage.
  • the metadata may further store user-defined flags or other indications that specify whether or not excludable firmware instructions have been disabled. If the flag specifies that excludable firmware instructions have been disabled, then the excludable firmware instructions may be deleted from the excludable region at which the excludable firmware instructions are stored.
  • the metadata may further store a mapping between an excludable region and excludable firmware instructions stored in the excludable region.
  • multiple excludable regions may be provided, each storing respective excludable firmware instructions. The mapping enables identification of an excludable region at which excludable firmware instructions are located.
  • the main region may store the core firmware instructions.
  • the contents of the main region may be digitally signed and authenticated to prevent/detect tampering and verify the integrity of the core firmware instructions.
  • the excludable region may correspond to excludable firmware instructions separate from the core firmware instructions.
  • the contents of the excludable region may be digitally signed, hashed, and/or otherwise subjected to security processing for authentication to prevent/detect tampering and verify the integrity of the contents independently of the core firmware instructions.
  • the excludable region may include a plurality of excludable regions, each excludable region storing corresponding excludable firmware instructions. Content of each of the excludable regions may be cryptographically signed.
  • a hash may be generated and securely stored for the content of each of the excludable regions.
  • each hash may be cryptographically signed.
  • the signatures, hashes, and/or other security information may be used for authentication to prevent and detect tampering of each of the contents of the excludable regions.
  • the security of the core firmware instructions may be maintained while permitting users to remove unwanted excludable firmware instructions. For instance, because the core firmware instructions and excludable firmware instructions are separately stored and digitally signed, excludable firmware instructions may be removed without compromising the digital signature of the core firmware instructions.
  • This technology improvement facilitates, for example, compliance with security or compliance policies that seek to minimize attack surfaces, including those directed to firmware instructions that may be unneeded or unwanted by an organization.
  • FIGS. 1A and 1B each show a block diagram of a respective example apparatus 100 that deletes excludable firmware instructions. It should be understood that the example apparatus 100 respectively depicted in FIGS. 1A and 1B may include additional features and that some of the features described herein may be removed and/or modified without departing from any of the scopes of the example apparatus 100.
  • the apparatus 100 shown in FIGS. 1A and 1B may be a computing device, a server, or the like. As shown in FIGS. 1A and 1B, the apparatus 100 may include a processor 102 that may control operations of the apparatus 100. The processor 102 may also be referenced herein as a controller and the apparatus 100 may be referenced herein as an electronic device. The processor 102 may be a semiconductor-based microprocessor, a central processing unit (CPU), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA), and/or other suitable hardware device. Although the apparatus 100 has been depicted as including a single processor 102, it should be understood that the apparatus 100 may include multiple processors, multiple cores, or the like, without departing from the scopes of the apparatus 100 disclosed herein.
  • CPU central processing unit
  • ASIC application specific integrated circuit
  • FPGA field-programmable gate array
  • the apparatus 100 may include a memory 110 that may have stored thereon machine-readable instructions (which may also be termed computer readable instructions) 112-118 (FIG. 1A) and/or 120-128 (FIG. 1B) that the processor 102 may execute.
  • the memory 110 may be an electronic, magnetic, optical, or other physical storage device that includes or stores executable instructions.
  • the memory 110 may be, for example, Random Access Memory (RAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a storage device, an optical disc, and the like.
  • the memory 110 may be a non-transitory machine-readable storage medium, where the term "non-transitory" does not encompass transitory propagating signals.
  • the apparatus 100 may include a storage device 104, which may be firmware storage for storing firmware instructions for the apparatus 100.
  • the storage device 104 may include a Serial Peripheral Interface (“SPI”) chip, embedded Multi-Media Card (“eMMC”) memory, hard disk, solid state storage, or other device.
  • SPI Serial Peripheral Interface
  • eMMC embedded Multi-Media Card
  • the storage device 104 may include a metadata region 101 and an excludable region 103. Further examples of the storage device are illustrated in FIGS. 2A and 2B below.
  • the memory 110 may include the storage device 104.
  • the instructions 112-118 and 120-128 may be part of or separate from the core firmware instructions disclosed herein. Attention will now turn to operations at processor 102 to delete excludable firmware instructions.
  • the processor 102 may fetch, decode, and execute the instructions 112 to obtain metadata from the metadata region 101.
  • the metadata may indicate a location of the excludable region 103 in the storage device 104.
  • the processor 102 may fetch, decode, and execute the instructions 114 to obtain an indication that the excludable firmware instructions are to be disabled.
  • the indication may include a flag in the metadata that has been set to indicate that the excludable firmware instructions are to be disabled.
  • the processor 102 may obtain the indication by reading the metadata to read the flag.
  • the flag may include a binary (0/1; yes/no) setting and/or other value that indicates that the excludable firmware instructions are to be disabled.
  • the flag may be set responsive to a request or other indication to disable the excludable firmware instructions.
  • the flag may be stored in various locations, and different flag storage locations offer different levels of security. The flag storage location may therefore be chosen according to the security requirements at hand, since the flag controls whether data in an excludable region is deleted and, in some examples, kept deleted.
  • the flag may be stored in shared SPI, private SPI, one-time programmable (OTP) silicon, and/or another storage location.
  • Shared SPI may be less secure than private SPI or OTP because Shared SPI may be electrically accessible to other system components.
  • shared SPI may be used to store the flag.
  • Private SPI may be electrically isolated from other system components. As such, the state of the private SPI may not be readily changed by outside systems or malware.
  • OTP may include a permanent setting that cannot be changed.
  • the OTP device may be replaced if an apparatus employing the flag and the excludable regions described herein were re-processed to be sold as refurbished.
  • a flag stored in a shared SPI or a private SPI may be reconfigured upon refurbishment.
  • the processor 102 may fetch, decode, and execute the instructions 116 to identify, based on the metadata, the excludable region 103.
  • the metadata may include a mapping between the excludable region and the excludable firmware instructions.
  • the excludable region may be identified based on the mapping.
  • the mapping may facilitate generation of a catalog of excludable instructions that may be selected for inclusion or deletion from the firmware instructions.
  • the processor 102 may provide a listing of excludable instructions for selectable inclusion or deletion.
  • the processor 102 may fetch, decode, and execute the instructions 118 to delete the excludable firmware instructions from the excludable region 103.
  • the excludable firmware instructions may be disabled by deletion from the excludable region 103.
  • the metadata may include an offset and/or a length of the excludable region.
  • the processor 102 may obtain the offset and the length of the excludable region from the metadata and delete data from the storage device 104 corresponding to the offset and the length.
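The following C program is an added example written for this page; it is not HP's code and does not come from the patent. It models the storage layout described above (a metadata region holding an offset/length pointer per region and a disable flag per excludable region, a main region with the core firmware, and two excludable regions) in a 256-byte flash image whose erased state is 0xFF, and it carries out the deletion steps of instructions 112-118: read the metadata, require the flag, locate the region by its offset and length, and erase it. The struct layout, the flag encoding (0xFF enabled, 0x00 disabled), the offsets and the region contents are assumptions made for the example. The range check that refuses a pointer reaching into the metadata or the main region is a practitioner's addition, not something the text specifies.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed SPI-flash image (not from the patent): 256 bytes, erased state
 * 0xFF as on NOR/SPI flash, so "delete" means erase back to 0xFF. */
#define FLASH_SIZE 256
#define ERASED     0xFF
#define NUM_EXCL   2

/* Pointer as described for the metadata: offset and length of a region. */
struct region_ptr { uint16_t offset; uint16_t length; };

/* Assumed metadata encoding. The flag byte is 0xFF while the excludable
 * firmware is enabled and 0x00 once disabled: flash writes can only clear
 * bits, so "disable" is a single write with no erase of the metadata region. */
struct metadata {
    struct region_ptr main;
    struct region_ptr excl[NUM_EXCL];
    uint8_t           enabled[NUM_EXCL];
};

#define META_OFF    0                 /* metadata region 101 */
#define MAIN_OFF    32                /* main region 210 (core firmware) */
#define MAIN_LEN    64
#define EXCL_OFF(i) (96 + 48 * (i))   /* excludable regions 103A, 103B */
#define EXCL_LEN    48

static uint8_t flash[FLASH_SIZE];

static void read_metadata(struct metadata *m)        { memcpy(m, flash + META_OFF, sizeof *m); }
static void write_metadata(const struct metadata *m) { memcpy(flash + META_OFF, m, sizeof *m); }

/* Build the image: metadata, constructed core firmware (0xA5 bytes) and two
 * constructed excludable blobs (0xB0, 0xB1 bytes), all excludables enabled. */
void provision(void) {
    struct metadata m;
    memset(flash, ERASED, sizeof flash);
    m.main.offset = MAIN_OFF; m.main.length = MAIN_LEN;
    memset(flash + MAIN_OFF, 0xA5, MAIN_LEN);
    for (int i = 0; i < NUM_EXCL; i++) {
        m.excl[i].offset = EXCL_OFF(i); m.excl[i].length = EXCL_LEN;
        m.enabled[i] = 0xFF;
        memset(flash + EXCL_OFF(i), 0xB0 + i, EXCL_LEN);
    }
    write_metadata(&m);
}

/* Set the flag for excludable region i (instructions 126 in the text). */
void disable_excludable(int i) {
    struct metadata m;
    read_metadata(&m);
    m.enabled[i] = 0x00;
    write_metadata(&m);
}

enum del_result { DEL_OK, DEL_NOT_FLAGGED, DEL_BAD_RANGE };

static int overlaps(uint32_t a, uint32_t alen, uint32_t b, uint32_t blen) {
    return a < b + blen && b < a + alen;
}

/* Delete excludable firmware i: read its pointer from the metadata, require
 * the flag to be set, sanity-check the range, then erase. A tampered pointer
 * must never let the erase reach the metadata or the core firmware. */
enum del_result delete_excludable(int i) {
    struct metadata m;
    read_metadata(&m);
    if (m.enabled[i] != 0x00) return DEL_NOT_FLAGGED;
    uint32_t off = m.excl[i].offset, len = m.excl[i].length;
    if (off + len > FLASH_SIZE) return DEL_BAD_RANGE;
    if (overlaps(off, len, META_OFF, sizeof m) ||
        overlaps(off, len, m.main.offset, m.main.length)) return DEL_BAD_RANGE;
    memset(flash + off, ERASED, len);
    return DEL_OK;
}

/* 1 if every byte of excludable region i is in the erased state. */
int region_is_erased(int i) {
    struct metadata m;
    read_metadata(&m);
    for (uint32_t k = 0; k < m.excl[i].length; k++)
        if (flash[m.excl[i].offset + k] != ERASED) return 0;
    return 1;
}

uint8_t core_first_byte(void) { return flash[MAIN_OFF]; }

/* Simulate a tampered metadata pointer aiming excludable i at the main region. */
void tamper_pointer_at_main(int i) {
    struct metadata m;
    read_metadata(&m);
    m.excl[i].offset = MAIN_OFF; m.excl[i].length = MAIN_LEN;
    write_metadata(&m);
}

int main(void) {
    provision();
    printf("delete without flag: %d\n", delete_excludable(0));   /* DEL_NOT_FLAGGED */
    disable_excludable(0);
    printf("delete with flag: %d\n", delete_excludable(0));      /* DEL_OK */
    printf("region 0 erased: %d, core intact: %d\n", region_is_erased(0), core_first_byte() == 0xA5);
    return 0;
}
```

The flag is encoded so that disabling only clears bits, which matters on real SPI/NOR flash where a write can turn 1s into 0s but not back without an erase cycle. The deletion itself is an erase of the region, so on real hardware the offset and length in the metadata should be sector aligned, which this model does not enforce.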
  • the storage device 104 may include a main region (as will be described in more detail with respect to FIGS. 2A and 2B) that stores core firmware instructions that may not be removed.
  • the processor 102 may further receive an indication to update core firmware instructions, the core firmware instructions stored at the main region.
  • the core firmware instructions may receive an update that is pushed from a source to the apparatus 100 or is pulled by the apparatus 100 from the source.
  • the processor 102 may determine that the flag is set to disable the excludable firmware instructions and update the core firmware instructions without an update to the excludable firmware instructions based on the determination that the flag is set to disable the excludable firmware instructions. In this manner, unintentionally rewriting an updated version of the deleted excludable firmware instructions may be avoided.
  • the processor 102 may implement measures that may secure the firmware instructions.
  • the firmware instructions may be digitally signed by the processor 102 or source of the firmware instructions.
  • Such a digital signature may be computed over a cryptographic hash that identifies the hashed data, so that tampering with the data is detected.
  • excludable firmware instructions may be deleted, separate digital signatures for the core firmware instructions and the excludable firmware instructions may be generated and separately validated. For instance, a first digital signature for core firmware instructions may be generated and used to validate core firmware instructions separately from the excludable firmware instructions. Similarly, a second digital signature for the excludable firmware instructions may be generated and used to validate the excludable firmware instructions separately from the core firmware instructions.
  • the processor 102 may generate a hash of the firmware instructions (such as for the core firmware instructions and/or each excludable firmware instructions) and then may sign the hash. For example, a hash of each excludable code region may be stored in metadata, which may then be signed.
  • the processor 102 may validate the firmware instructions by validating the metadata signature, extracting the hash, then hashing the content of each appropriate region (such as the main region or excludable region) and comparing the hashed content to the extracted hash. A mismatch may indicate tampering.
  • for excludable firmware instructions that have been disabled, the processor 102 may skip such hashing and simply ensure that the corresponding excludable region is actually excluded (such as by refraining from using the corresponding excludable firmware instructions and/or deleting the corresponding excludable region).
  • excludable firmware instructions may be deleted with minimal to no effect on the security and validation of the core firmware instructions (and/or other excludable firmware instructions that are not deleted).
  • the processor 102 may implement measures that may secure the excludable regions. For example, the processor 102 may determine that data has been added to an excludable region after the excludable firmware instructions have been deleted, and then delete that data from the excludable region. In some instances, the processor 102 may periodically, on demand, at firmware updates, and/or at other times consult the metadata to identify excludable regions of the storage device that are associated with disabled (deleted) excludable firmware instructions and delete data from those regions. As such, the processor 102 may periodically purge excludable regions that should not contain data.
  • the excludable region 103 includes a plurality of excludable regions. Each excludable region may store corresponding excludable firmware instructions and each may be individually disabled by deleting the excludable firmware instructions from the storage device 104. For example, the processor 102 may obtain an indication that the second excludable firmware instructions are to be disabled, identify the second excludable region corresponding to the second excludable firmware instructions, and delete the second excludable firmware instructions from the second excludable region. Each excludable region may be identified based on a respective offset and/or location that corresponds to the excludable region. Additional details regarding the layout of the excludable regions are discussed with respect to FIGS. 2A and 2B.
  • the processor 102 may fetch, decode, and execute the instructions 120 to obtain metadata from the metadata region, wherein the metadata indicates a first location of the first excludable region in the storage device and a second location of the second excludable region in the storage device.
  • the processor 102 may fetch, decode, and execute the instructions 122 to generate a listing of first excludable firmware instructions and second excludable firmware instructions.
  • the processor 102 may fetch, decode, and execute the instructions 124 to receive a selection of the first excludable firmware instructions, the selection indicating that the first excludable firmware instructions are to be disabled.
  • the processor 102 may fetch, decode, and execute the instructions 126 to set a first flag to indicate that the first excludable firmware instructions are to be disabled responsive to the selection.
  • the processor 102 may fetch, decode, and execute the instructions 128 to delete the first excludable firmware instructions based on the first flag.
  • the first excludable firmware instructions and the second excludable firmware instructions may be pre-installed at the storage device 104.
  • the first flag may be set to indicate that the first excludable firmware instructions are enabled until disabled, and the second flag is set to indicate that the second excludable firmware instructions are enabled until disabled.
  • FIG. 2A shows a block diagram of an example storage device 104 that includes different regions (101, 210, 103A-N) for storing metadata 201, core firmware instructions 212, and excludable instructions 220A-N.
  • the storage device 104 may include a metadata region 101, a main region 210, and a plurality of excludable regions 103A-N.
  • the metadata region 101 may store metadata 201.
  • the main region 210 may store core firmware instructions 212.
  • the excludable regions 103A-N may each store corresponding excludable firmware instructions 220A-N.
  • the core firmware instructions 212 and the excludable firmware instructions 220A-N together form the firmware instructions 208.
  • the firmware instructions 208 may be used to boot or otherwise initialize an apparatus, such as apparatus 100.
  • the main region 210 and excludable regions 103 may correspond to a Driver Execution Environment (DXE) location on the storage device 104.
  • the architecture of the DXE location in the storage device 104 may be separated into different regions, such as the main region 210 and excludable regions 103A-N.
  • the metadata 201 may store a pointer 204 to the main region 210.
  • the pointer 204 may indicate a location of the main region 210 in the storage device 104.
  • the pointer 204 may include an offset and/or length of the main region 210.
  • the core firmware instructions 212 stored in the main region 210 may be obtained, such as to be booted during bootup of an apparatus, such as apparatus 100.
  • the metadata 201 may store a pointer 206 to the excludable region 103A.
  • the pointer 206 may include an offset and/or length of the excludable region 103A.
  • the excludable firmware instructions 220A stored in the excludable region 103A may be obtained, such as to be booted during bootup of an apparatus, such as apparatus 100.
  • the excludable firmware instructions 220A stored in the excludable region 103A may be deleted from the storage device 104 based on the pointer 206.
  • previous excludable regions may serially point to subsequent excludable regions 103 (such as excludable regions 103B-N).
  • the excludable region 103A may include a pointer 222A that includes information used to locate the next excludable region 103 (in this case, excludable region 103B).
  • the pointer 222A may indicate an offset, length, and/or other location indicator of the next excludable region 103.
  • the pointer 222A may include a length of the current excludable region 103 so that the offset of the next excludable region may be calculated.
  • the excludable regions 103 may be serially laid out next to one another on the storage device 104.
  • excludable regions 103B,N may each include a pointer 222B, 222N that includes information used to locate the next excludable region 103.
  • the pointers 222B, 222N may each indicate an offset, length, and/or other location indicator of the next excludable region 103, and so on.
  • a linked array of excludable regions may be laid out on the storage device 104.
  • the metadata 201 may individually store each of the pointers 222A-N (as well as the pointers 204 and 206).
  • FIG. 2B shows a block diagram of an example storage device 104 that includes deleted excludable instructions.
  • excludable firmware instructions 220A have been disabled and therefore deleted from the storage device 104, as illustrated by the cross-hatching.
  • the excludable firmware instructions 220A have been deleted from the excludable region 103A.
  • the pointer 222A has been maintained so that the next excludable region 103 (excludable region 103B) may be located.
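An added example (not the patent's or HP's code) of the chained layout of FIGS. 2A and 2B, in which each excludable region carries what is needed to find the next one and a deleted region keeps that pointer. The example assumes a 2-byte little-endian header at the start of each region holding the length of its body (the role of pointer 222), a reserved excludable area from offset 16 to 192, constructed region contents, and reduces the metadata pointer 206 to the constant CHAIN_START. The walker's bounds and count checks are a practitioner's addition so that a corrupted length cannot send the erase outside the excludable area or make the walk loop.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed flash image (not from the patent): erased state 0xFF. */
#define FLASH_SIZE  256
#define ERASED      0xFF
#define CHAIN_START 16      /* what metadata pointer 206 would give: first excludable region */
#define CHAIN_END   192     /* end of the area reserved for excludable regions */
#define HDR_LEN     2       /* assumed 2-byte little-endian header per region */
#define MAX_REGIONS 8
#define NO_REGION   0xFFFF  /* an erased header: no further region */

static uint8_t flash[FLASH_SIZE];

struct excl_loc { uint16_t body_off; uint16_t body_len; };

/* The header plays the role of pointer 222: it holds the length of this
 * region's body, and the next region starts right after that body, so the
 * next offset is computed rather than stored. */
static uint16_t read_hdr(uint16_t off) { return (uint16_t)(flash[off] | (flash[off + 1] << 8)); }
static void write_hdr(uint16_t off, uint16_t len) {
    flash[off] = (uint8_t)(len & 0xFF);
    flash[off + 1] = (uint8_t)(len >> 8);
}

/* Lay out n regions back to back with the given body lengths, each body
 * filled with a constructed marker byte (0xC0, 0xC1, ...). */
void layout_chain(const uint16_t *body_len, int n) {
    uint16_t off = CHAIN_START;
    memset(flash, ERASED, sizeof flash);
    for (int i = 0; i < n; i++) {
        write_hdr(off, body_len[i]);
        memset(flash + off + HDR_LEN, 0xC0 + i, body_len[i]);
        off += HDR_LEN + body_len[i];
    }   /* the erased header after the last region (0xFFFF) terminates the walk */
}

/* Walk the chain from CHAIN_START, filling out[]. Returns the number of
 * regions found, or -1 if a header points outside the reserved area or the
 * chain exceeds max entries. */
int walk_chain(struct excl_loc *out, int max) {
    uint32_t off = CHAIN_START;
    int n = 0;
    while (off + HDR_LEN <= CHAIN_END) {
        uint16_t len = read_hdr((uint16_t)off);
        if (len == NO_REGION) break;
        if (off + HDR_LEN + len > CHAIN_END) return -1;
        if (n == max || n == MAX_REGIONS) return -1;
        out[n].body_off = (uint16_t)(off + HDR_LEN);
        out[n].body_len = len;
        n++;
        off += HDR_LEN + len;
    }
    return n;
}

/* Number of regions the walker currently finds (-1 when the chain is malformed). */
int chain_count(void) { struct excl_loc loc[MAX_REGIONS]; return walk_chain(loc, MAX_REGIONS); }

/* Delete region idx as FIG. 2B shows: erase its body but keep its header so
 * the regions after it can still be located. Returns 0, or -1 if idx is absent. */
int delete_region_body(int idx) {
    struct excl_loc loc[MAX_REGIONS];
    int n = walk_chain(loc, MAX_REGIONS);
    if (idx < 0 || idx >= n) return -1;
    memset(flash + loc[idx].body_off, ERASED, loc[idx].body_len);
    return 0;
}

/* 1 if region idx exists and its body is entirely erased. */
int region_body_erased(int idx) {
    struct excl_loc loc[MAX_REGIONS];
    int n = walk_chain(loc, MAX_REGIONS);
    if (idx < 0 || idx >= n) return 0;
    for (uint16_t k = 0; k < loc[idx].body_len; k++)
        if (flash[loc[idx].body_off + k] != ERASED) return 0;
    return 1;
}

/* Simulate a corrupted header on region idx claiming an oversized body. */
void corrupt_header(int idx, uint16_t bad_len) {
    struct excl_loc loc[MAX_REGIONS];
    if (idx >= 0 && idx < walk_chain(loc, MAX_REGIONS))
        write_hdr((uint16_t)(loc[idx].body_off - HDR_LEN), bad_len);
}

/* Constructed sample: three regions with bodies of 40, 24 and 56 bytes. */
int build_sample_chain(void) {
    static const uint16_t lens[3] = { 40, 24, 56 };
    layout_chain(lens, 3);
    return chain_count();
}

int main(void) {
    printf("regions: %d\n", build_sample_chain());
    delete_region_body(0);
    printf("after delete: regions=%d, body 0 erased=%d\n", chain_count(), region_body_erased(0));
    return 0;
}
```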
  • Like reference numerals in FIGS. 2A and 2B denote similar drawing elements. It should be noted that the particular number of excludable firmware instructions and excludable regions shown in FIGS. 2A and 2B are for illustrative purposes. Other numbers may be used as appropriate. Furthermore, the storage device 104 shown in FIGS. 2A and 2B may be part of the memory 110 or may be separate from the memory 110.
  • FIG. 3 shows a block diagram of an example system 300 that provisions firmware instructions, including core firmware instructions and excludable firmware instructions.
  • a firmware vendor 302 may provide firmware instructions 208.
  • the various components of system 300 may be coupled to one another via a computer network such as, for example, a local area network (LAN), a virtual LAN (VLAN), a wireless local area network (WLAN), a virtual private network (VPN), the Internet, or the like, or a combination thereof.
  • the firmware instructions 208 may be part of the apparatus 100 offered by the firmware vendor 302.
  • Various third parties may supply firmware add-ons 304. Each of these firmware add-ons 304 may be incorporated into the firmware instructions 208.
  • a firmware add-on 304 may be incorporated into the firmware instructions 208 as an excludable firmware instruction 220 by the firmware vendor 302.
  • the firmware vendor 302 may provide the firmware instructions 208 for consumption within a computer infrastructure 310.
  • Multiple computer infrastructures 310A-N are shown but only one (computer infrastructure 310A) is shown in detail for convenience.
  • the computer infrastructure 310 may include a provisioning server 320 used to deploy apparatus 100 based on provisioning rules 322.
  • the provisioning rules 322 may include a compliance policy, a security policy, and/or other policies that dictate the configuration, security, or other operational characteristics of the apparatus 100.
  • An entity may operate each computer infrastructure 310. As such, each entity may control whether and which firmware instructions execute on a given apparatus 100 within the computer infrastructure 310 based on the provisioning rules 322.
  • the provisioning server 320 may facilitate firmware instruction updates to the apparatuses 100 within the computer infrastructure 310. As such, the provisioning server 320 may facilitate updates to the firmware instructions as disclosed herein.
  • the provisioning server 320 may include a processor, such as processor 102, that may perform some or all of the operations of apparatus 100 to delete excludable firmware instructions from an apparatus.
  • FIG. 4 depicts a flow diagram of an example method for updating firmware instructions in the presence of deleted excludable firmware instructions.
  • the processor 102 may receive an indication to update firmware instructions, such as firmware instructions 208.
  • the update may be facilitated by an updater or installer, such as a BIOS or UEFI updater or installer.
  • the update may include an update to the core firmware instructions and to the excludable firmware instructions.
  • the processor 102 may update core firmware instructions.
  • the processor 102 may identify excludable firmware instructions. For example, the processor 102 may access metadata that specifies the excludable firmware instructions.
  • At block 408, the processor 102 may determine whether the excludable firmware instructions are disabled. For example, the processor 102 may consult a flag for the excludable firmware instructions that indicates whether the excludable firmware instructions have been disabled. If the excludable firmware instructions are disabled, then the processor 102 may skip to block 412, where a determination of whether more excludable firmware instructions are available is made. In this manner, if the update includes excludable firmware instructions that have been disabled (deleted at an apparatus such as apparatus 100), then the update for the excludable firmware instructions may be skipped.
  • the processor 102 may delete data from the excludable region corresponding to the disabled excludable firmware instructions to ensure that malware or other data that should not be present is removed.
  • each apparatus may update only excludable firmware instructions that have not been disabled even if the update includes an update to the disabled excludable firmware instructions. This may make global updates more efficient since the updates may include updates to all firmware instructions without regard to whether a particular apparatus has disabled excludable firmware instructions.
  • the processor 102 may, responsive to a determination that the excludable firmware instructions are not disabled, update the excludable firmware instructions. For example, the processor 102 may identify the excludable firmware instructions to be updated, identify a location on firmware storage (such as storage device 104) at which the excludable firmware instructions are stored (such as an excludable region 103) and write the update files to the appropriate location. In some instances, a signature for the updated excludable firmware instructions may be obtained and stored for later validation.
  • the processor 102 may determine whether more excludable firmware instructions are available. If so, then the processor 102 may return to block 406, where the next excludable firmware instructions are identified.
  • the processor 102 may complete the firmware updates responsive to a determination that no more excludable firmware instructions are available.
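An added example (not the patent's or HP's code) that joins the FIG. 4 update loop above with the hash-in-signed-metadata validation and the purge of disabled regions described earlier for the processor 102. The per-region table (offset, length, flag, expected hash), the flag encoding (0xFF enabled, 0x00 disabled), the region contents and the update payloads are assumptions made for the example; FNV-1a stands in for the cryptographic hash, and the signature over the metadata is assumed to have been verified before these functions run and is not implemented.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed image (not from the patent): 512 bytes of flash, erased state
 * 0xFF, two 64-byte excludable regions at offsets 128 and 192. */
#define FLASH_SIZE 512
#define ERASED     0xFF
#define NUM_EXCL   2
#define EXCL_LEN   64

/* Assumed metadata entry per excludable region: location, enable flag (0xFF
 * enabled, 0x00 disabled) and expected hash of the contents. The table stands
 * for the "hash of each excludable region stored in metadata"; the signature
 * over the metadata is assumed to be checked before this code runs. */
struct excl_entry { uint16_t offset; uint16_t length; uint8_t enabled; uint32_t hash; };
static struct excl_entry table[NUM_EXCL];
static uint8_t flash[FLASH_SIZE];
static int purged;   /* regions purged by the last verify_regions() call */

/* FNV-1a (32-bit) stands in for the cryptographic hash (e.g. SHA-256) a real
 * implementation would store; it is not collision resistant. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

static int is_erased(const struct excl_entry *e) {
    for (uint16_t k = 0; k < e->length; k++) if (flash[e->offset + k] != ERASED) return 0;
    return 1;
}

static void erase(const struct excl_entry *e) { memset(flash + e->offset, ERASED, e->length); }

/* Factory image: both regions present, enabled and hashed (constructed contents). */
void provision(void) {
    memset(flash, ERASED, sizeof flash);
    for (int i = 0; i < NUM_EXCL; i++) {
        table[i].offset = 128 + i * EXCL_LEN;
        table[i].length = EXCL_LEN;
        table[i].enabled = 0xFF;
        memset(flash + table[i].offset, 0xB0 + i, EXCL_LEN);
        table[i].hash = fnv1a(flash + table[i].offset, EXCL_LEN);
    }
}

/* Set the flag and delete the region; a deleted region has no hash to check. */
void disable_and_delete(int i) { table[i].enabled = 0x00; erase(&table[i]); table[i].hash = 0; }

/* One update package as shipped to every device: a new payload for each
 * excludable region, regardless of what a given device has disabled. */
struct update { const uint8_t *payload[NUM_EXCL]; };

/* The FIG. 4 loop: a disabled region is not rewritten (and is purged so nothing
 * can live there); an enabled one gets the new contents and a fresh stored
 * hash. Returns how many regions were written. */
int apply_update(const struct update *u) {
    int written = 0;
    for (int i = 0; i < NUM_EXCL; i++) {
        if (table[i].enabled == 0x00) { erase(&table[i]); continue; }
        memcpy(flash + table[i].offset, u->payload[i], table[i].length);
        table[i].hash = fnv1a(flash + table[i].offset, table[i].length);
        written++;
    }
    return written;
}

/* Boot-time validation: an enabled region must hash to the stored value; a
 * disabled region must be erased and is purged if anything was written there.
 * Returns -1 when every region passes, else the index of the first enabled
 * region whose contents do not match (treat as tampering: do not execute it). */
int verify_regions(void) {
    purged = 0;
    for (int i = 0; i < NUM_EXCL; i++) {
        if (table[i].enabled == 0x00) {
            if (!is_erased(&table[i])) { erase(&table[i]); purged++; }
            continue;
        }
        if (fnv1a(flash + table[i].offset, table[i].length) != table[i].hash) return i;
    }
    return -1;
}

int purged_regions(void) { return purged; }
uint8_t region_byte(int i, int k) { return flash[table[i].offset + k]; }
void poke(int i, int k, uint8_t v) { flash[table[i].offset + k] = v; }  /* simulate a stray write */

/* Apply a constructed update (0xD0 bytes for region 0, 0xD1 bytes for region 1). */
int apply_sample_update(void) {
    static uint8_t p0[EXCL_LEN], p1[EXCL_LEN];
    memset(p0, 0xD0, sizeof p0);
    memset(p1, 0xD1, sizeof p1);
    struct update u = { { p0, p1 } };
    return apply_update(&u);
}

int main(void) {
    provision();
    disable_and_delete(1);
    printf("regions written by update: %d (region 1 skipped)\n", apply_sample_update());
    poke(1, 5, 0x41);
    int r = verify_regions();
    printf("verify: %d, purged: %d\n", r, purged_regions());
    return 0;
}
```

Note that the update package carries payloads for both regions, as the text describes for global updates, and the device's own flag decides which are written; a hash mismatch on an enabled region is reported rather than repaired, since the only trustworthy reference for its contents is the signed metadata, not the flash.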
  • Some or all of the operations set forth in the method 400 may be included as utilities, programs, or subprograms, in any desired computer accessible medium.
  • the method 400 may be embodied by computer programs, which may exist in a variety of forms.
  • some operations of the method 400 may exist as machine-readable instructions, including source code, object code, executable code or other formats. Any of the above may be embodied on a non-transitory computer readable storage medium. Examples of non-transitory computer readable storage media include computer system RAM, ROM, EPROM, EEPROM, and magnetic or optical disks or tapes. It is therefore to be understood that any electronic device capable of executing the above-described functions may perform those functions enumerated above.
  • FIG. 5 depicts a block diagram of an example non-transitory computer-readable medium 500 for executing firmware instructions that includes core firmware instructions and excludable firmware instructions.
  • the non- transitory computer-readable medium 500 may be an electronic, magnetic, optical, or other physical storage device that includes or stores executable instructions.
  • the non-transitory computer-readable medium 500 may be, for example, Random Access memory (RAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a storage device, an optical disc, and the like.
  • RAM Random Access memory
  • EEPROM Electrically Erasable Programmable Read-Only Memory
  • the non-transitory computer-readable medium 500 may have stored thereon machine-readable instructions 502-508 that a processor, such as the processor 102, may execute.
  • the non-transitory machine-readable medium 500 may boot up a device, such as apparatus 100, using core firmware instructions and excludable firmware instructions that have not been disabled.
  • the machine-readable instructions 502-508 may operate to obtain and execute the core firmware instructions and excludable firmware instructions to boot up the device.
  • Other example uses of machine-readable instructions 502-508 may be implemented as well.
  • the machine-readable instructions 502 may cause the processor to obtain metadata from a storage device, such as storage device 104.
  • the machine-readable instructions 504 may cause the processor to obtain a first flag and a second flag. The first flag and/or the second flag may be stored in a secure location of the storage device.
  • the machine-readable instructions 506 may cause the processor to obtain an execution order from the metadata, the execution order indicating an order in which core firmware instructions, first excludable firmware instructions, and second excludable firmware instructions are to be executed.
  • the machine-readable instructions 508 may cause the processor to execute, based on the execution order: the core firmware instructions, the first excludable firmware instructions when the first flag indicates that the first excludable firmware instructions are enabled, and the second excludable firmware instructions when the second flag indicates that the second excludable firmware instructions are enabled. It should be noted that when the first flag and/or the second flag indicates that corresponding excludable firmware instructions are disabled, the corresponding excludable firmware instructions have been or will be deleted at boot up, update, and/or other times.
  • the firmware instructions may be individually verified before execution using security information such as a known-good signature.
  • a known-good signature for the core firmware instructions may be stored and matched with a current signature of the core firmware instructions to verify the core firmware instructions have not been tampered with.
  • a known-good signature for each excludable firmware instruction may be stored and matched with a current signature of each excludable firmware instruction to verify each of the excludable firmware instructions have not been tampered with as well.
  • separate signature verification may permit deletion of a given excludable firmware instruction.
  • Other types of security information such as a hash contained in signed metadata corresponding to contents of a main or excludable region, a hash of the contents of the main or excludable region, and/or other data may be used as well.
  • firmware vendor 302 which may produce apparatus 100 embedded with or otherwise included with the firmware instructions
  • firmware vendor 302 may offer different functionalities encoded through excludable firmware instructions, such as excludable firmware instructions 220.
  • Consumers, such as entities that operate computer infrastructure 310, may elect some or all of these functionalities, in which case they may be provided with corresponding excludable firmware instructions. Otherwise, the vendor may remove the corresponding excludable firmware instructions prior to providing the firmware instructions. This may make distribution of the firmware instructions easier and facilitates different models of such distribution.
  • the terms “a” and “an” may be intended to denote at least one of a particular element.
  • the term “includes” means includes but not limited to, the term “including” means including but not limited to.
  • the term “based on” means based at least in part on.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Stored Programmes (AREA)
  • Human Computer Interaction (AREA)

Abstract

According to examples, an apparatus may include a processor that may delete portions of firmware instructions responsive to an indication that the portions should be disabled. To facilitate the foregoing, the firmware instructions may be deployed in a segmented architecture stored in respective regions of a storage device. The regions may include a metadata region, a main region, and excludable regions. The metadata region may store metadata that describes the structure of the firmware instructions and/or the various other regions. The main region may store core firmware instructions that may not be deleted. Each excludable region may store respective excludable firmware instructions. Each set of excludable firmware instructions may be associated with a flag that indicates whether or not the instructions should be disabled. If so, the corresponding excludable region in the storage device is identified and the contents may be removed, permanently disabling the excludable firmware instructions that were stored there.

Description

DELETION OF FIRMWARE INSTRUCTIONS
BACKGROUND
[0001] Firmware instructions may have enhanced features (such as stolen device recovery features) that are deemed necessary for some users, but may pose a security risk or attack surface for others.
BRIEF DESCRIPTION OF THE DRAWINGS
[0002] Features of the present disclosure may be illustrated by way of example and not limited in the following figure(s), in which like numerals indicate like elements, in which:
[0003] FIG. 1A shows a block diagram of an example apparatus that deletes excludable firmware instructions;
[0004] FIG. 1B shows a block diagram of an example apparatus that deletes excludable firmware instructions;
[0005] FIG. 2A shows a block diagram of an example storage device that includes different regions for storing metadata, core firmware instructions, and excludable instructions;
[0006] FIG. 2B shows a block diagram of an example storage device that includes deleted excludable instructions;
[0007] FIG. 3 shows a block diagram of an example system that provisions firmware instructions, including core firmware instructions and excludable firmware instructions;
[0008] FIG. 4 depicts a flow diagram of an example method for updating firmware instructions in the presence of deleted excludable firmware instructions; and
[0009] FIG. 5 depicts a block diagram of an example non-transitory machine-readable storage medium for executing firmware instructions that includes core firmware instructions and excludable firmware instructions.
DETAILED DESCRIPTION
[0010] Firmware instructions such as Basic Input/Output System code, Unified Extensible Firmware Interface (UEFI), and/or other instructions boot up or otherwise initialize a device to operate. Some firmware instructions may have enhanced features (such as stolen device recovery features) that are deemed necessary for some users, but may pose a security risk or bigger attack surface for others.
[0011] When the enhanced features are not desired, portions of the firmware instructions having enhanced features may become unwanted instructions or unneeded instructions. Since the firmware instructions may be configured as embedded instructions and may not be able to be removed easily, unwanted or unneeded instructions may create a security risk. While multiple versions of the firmware instructions may be developed, one with and one without the portions of firmware instructions having the enhanced feature(s), this may be technically impractical and infeasible.
[0012] Disclosed herein are apparatuses and methods for disabling unwanted or unneeded firmware instructions, with minimal or no effect on core firmware functionality or security, by deleting the unwanted or unneeded firmware instructions. For example, deleting unwanted or unneeded firmware instructions may have minimal or no effect on the core firmware functionality or security when the core firmware functionality is able to execute as if the unwanted or unneeded firmware instructions were not deleted. Generally speaking, as described herein, “firmware instructions” may include instructions that are used for the functioning of an apparatus on which the firmware instructions are installed. For example, the firmware instructions may be used for interfacing with hardware components of the apparatus. Firmware instructions are typically not deleted or otherwise removed once installed. Examples of firmware instructions include Basic Input/Output System (BIOS) code, Unified Extensible Firmware Interface (UEFI), and/or other instructions that are used for the functioning of an apparatus on which the instructions are installed. In these examples, the system disclosed herein may be implemented for BIOS code, UEFI code, and/or other code for booting a device with excludable portions of the BIOS code, UEFI code, and/or other code. The firmware instructions may be stored on a storage device (also referred to herein as “firmware storage”). The firmware storage may be dedicated storage space that stores the firmware instructions of an apparatus.
[0013] To facilitate removal of unwanted or unneeded firmware instructions, various examples disclosed herein may include a firmware architecture in which firmware instructions are grouped into core firmware instructions that may not be removed (because the core firmware instructions may be used for the functioning of an apparatus on which the core firmware instructions are installed) and excludable firmware instructions that may be removed. The firmware storage may be accordingly partitioned into multiple regions to accommodate the firmware architecture. For example, the firmware storage may include, among others, a metadata region, a main region, and an excludable region.
[0014] The metadata region may store metadata that describes the firmware architecture and the layout of the firmware architecture in the firmware storage. For instance, the metadata may include a pointer to a location in the firmware storage where the main region exists, a pointer to a location in the firmware storage where the excludable region exists, and/or other information relating to the firmware architecture. The pointer may include an offset and/or length of a region of the firmware storage. The metadata may further store user-defined flags or other indications that specify whether or not excludable firmware instructions have been disabled. If the flag specifies that excludable firmware instructions have been disabled, then the excludable firmware instructions may be deleted from the excludable region at which the excludable firmware instructions are stored. Furthermore, upon updating the firmware instructions, if the flag specifies that the excludable firmware instructions have been disabled, the excludable firmware instructions may not be updated, preventing unintentional re-imaging of that code through the update. The metadata may further store a mapping between an excludable region and excludable firmware instructions stored in the excludable region. In these examples, multiple excludable regions may be provided, each storing respective excludable firmware instructions. The mapping enables identification of an excludable region at which excludable firmware instructions are located.
[0015] The main region may store the core firmware instructions. The contents of the main region may be digitally signed and authenticated to prevent/detect tampering and verify the integrity of the core firmware instructions. The excludable region may correspond to excludable firmware instructions separate from the core firmware instructions. The contents of the excludable region may be digitally signed, hashed, and/or otherwise subjected to security processing for authentication to prevent/detect tampering and verify the integrity of the contents independently of the core firmware instructions. The excludable region may include a plurality of excludable regions, each excludable region storing corresponding excludable firmware instructions. Content of each of the excludable regions may be cryptographically signed. In some examples, a hash may be generated and securely stored for the content of each of the excludable regions. In some examples, each hash may be cryptographically signed. In examples, the signatures, hashes, and/or other security information may be used for authentication to prevent and detect tampering of each of the contents of the excludable regions.
[0016] By digitally signing the core firmware instructions and excludable firmware instructions independently of each other and separately storing the core firmware instructions and excludable firmware instructions in different regions of a firmware storage, the security of the core firmware instructions may be maintained while permitting users to remove unwanted excludable firmware instructions. For instance, because the core firmware instructions and excludable firmware instructions are separately stored and digitally signed, excludable firmware instructions may be removed without compromising the digital signature of the core firmware instructions. This technology improvement facilitates, for example, compliance with security or compliance policies that seek to minimize attack surfaces, including those directed to firmware instructions that may be unneeded or unwanted by an organization.
[0017] Reference is first made to FIGS. 1A and 1B, which each shows a block diagram of a respective example apparatus 100 that deletes excludable firmware instructions. It should be understood that the example apparatus 100 respectively depicted in FIGS. 1A and 1B may include additional features and that some of the features described herein may be removed and/or modified without departing from any of the scopes of the example apparatus 100.
[0018] The apparatus 100 shown in FIGS. 1A and 1B may be a computing device, a server, or the like. As shown in FIGS. 1A and 1B, the apparatus 100 may include a processor 102 that may control operations of the apparatus 100. The processor 102 may also be referenced herein as a controller and the apparatus 100 may be referenced herein as an electronic device. The processor 102 may be a semiconductor-based microprocessor, a central processing unit (CPU), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA), and/or other suitable hardware device. Although the apparatus 100 has been depicted as including a single processor 102, it should be understood that the apparatus 100 may include multiple processors, multiple cores, or the like, without departing from the scopes of the apparatus 100 disclosed herein.
[0019] The apparatus 100 may include a memory 110 that may have stored thereon machine-readable instructions (which may also be termed computer readable instructions) 112-118 (FIG. 1A) and/or 120-128 (FIG. 1B) that the processor 102 may execute. The memory 110 may be an electronic, magnetic, optical, or other physical storage device that includes or stores executable instructions. The memory 110 may be, for example, Random Access Memory (RAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a storage device, an optical disc, and the like. The memory 110 may be a non-transitory machine-readable storage medium, where the term “non-transitory” does not encompass transitory propagating signals. The apparatus 100 may include a storage device 104, which may be firmware storage for storing firmware instructions for the apparatus 100. In some examples, the storage device 104 may include a Serial Peripheral Interface (“SPI”) chip, embedded Multi-Media Card (“eMMC”) memory, hard disk, solid state storage, or other device. The storage device 104 may include a metadata region 101 and an excludable region 103. Further examples of the storage device are illustrated in FIGS. 2A and 2B below. Although illustrated separately, the memory 110 may include the storage device 104. Furthermore, the instructions 112-118 and 120-128 may be part of or separate from the core firmware instructions disclosed herein. Attention will now turn to operations at processor 102 to delete excludable firmware instructions.
[0020] Referring to FIG. 1A, the processor 102 may fetch, decode, and execute the instructions 112 to obtain metadata from the metadata region 101. In examples, the metadata may indicate a location of the excludable region 103 in the storage device 104.
[0021] The processor 102 may fetch, decode, and execute the instructions 114 to obtain an indication that excludable firmware instructions stored in the excludable region 103 are to be disabled. In examples, the indication may include a flag in the metadata that has been set to indicate that the excludable firmware instructions are to be disabled. In these examples, the processor 102 may obtain the indication by reading the metadata to read the flag. The flag may include a binary (0/1; yes/no) setting and/or other value that indicates that the excludable firmware instructions are to be disabled. In some instances, the flag may be set responsive to a request or other indication to disable the excludable firmware instructions. The flag may be stored in various locations. In examples, different flag storage locations offer different levels of security. As such, the flag storage location may be configured according to particular needs depending on security requirements. This is because the flag may, as described herein, control whether or not data from an excludable region is deleted and continues to be deleted in some examples.
[0022] In examples, the flag may be stored in shared SPI, private SPI, one-time writable silicon such as a One-Time Password (OTP) storage, and/or other storage location. Shared SPI may be less secure than private SPI or OTP because shared SPI may be electrically accessible to other system components. Depending on system configurations and requirements, shared SPI may be used to store the flag. Private SPI may be electrically isolated from other system components. As such, the state of the private SPI may not be readily changed by outside systems or malware because of the electrical isolation of the private SPI. OTP may include a permanent setting that cannot be changed. Though highly secure, the OTP device may be replaced if an apparatus employing the flag and the excludable regions described herein were re-processed to be sold as refurbished. On the other hand, a flag stored in a shared SPI or a private SPI may be reconfigured upon refurbishment.
[0023] The processor 102 may fetch, decode, and execute the instructions 116 to identify, based on the metadata, the excludable region 103. For example, the metadata may include a mapping between the excludable region and the excludable firmware instructions. The excludable region may be identified based on the mapping. In some examples, the mapping may facilitate generation of a catalog of excludable instructions that may be selected for inclusion or deletion from the firmware instructions. As such, the processor 102 may provide a listing of excludable instructions for selectable inclusion or deletion.
[0024] The processor 102 may fetch, decode, and execute the instructions 118 to delete the excludable firmware instructions from the excludable region 103. Thus, the excludable firmware instructions may be disabled by deletion from the excludable region 103. In examples, the metadata may include an offset and/or a length of the excludable region. To delete the excludable firmware instructions, the processor 102 may obtain the offset and the length of the excludable region from the metadata and delete data from the storage device 104 corresponding to the offset and the length.
[0025] In examples, the storage device 104 may include a main region (as will be described in more detail with respect to FIGS. 2A and 2B) that stores core firmware instructions that may not be removed. In these examples, the processor 102 may further receive an indication to update core firmware instructions, the core firmware instructions stored at the main region. For example, the core firmware instructions may receive an update that is pushed from a source to the apparatus 100 or is pulled by the apparatus 100 from the source.
[0026] In any event, responsive to the update, the processor 102 may determine that the flag is set to disable the excludable firmware instructions and update the core firmware instructions without an update to the excludable firmware instructions based on the determination that the flag is set to disable the excludable firmware instructions. In this manner, unintentionally rewriting an updated version of the deleted excludable firmware instructions may be avoided.
[0027] In examples, the processor 102 may implement measures that may secure the firmware instructions. For instance, the firmware instructions may be digitally signed by the processor 102 or source of the firmware instructions. Such digital signature may include cryptographic or other hashing techniques that may uniquely identify hashed data to detect tampering. Because excludable firmware instructions may be deleted, separate digital signatures for the core firmware instructions and the excludable firmware instructions may be generated and separately validated. For instance, a first digital signature for core firmware instructions may be generated and used to validate core firmware instructions separately from the excludable firmware instructions. Similarly, a second digital signature for the excludable firmware instructions may be generated and used to validate the excludable firmware instructions separately from the core firmware instructions.
[0028] In examples, the processor 102 may generate a hash of the firmware instructions (such as for the core firmware instructions and/or each excludable firmware instructions) and then may sign the hash. For example, a hash of each excludable code region may be stored in metadata, which may then be signed. At runtime, the processor 102 may validate the firmware instructions by validating the metadata signature, extracting the hash, then hashing the content of each appropriate region (such as the main region or excludable region) and comparing the hashed content to the extracted hash. A mismatch may indicate tampering. If excludable firmware instructions are disabled, the processor 102 may skip such hashing and simply ensure that the corresponding excludable region is actually excluded (such as by refraining from using the corresponding excludable firmware instructions and/or deleting the corresponding excludable region).
[0029] In this manner, excludable firmware instructions may be deleted with minimal to no effect on the security and validation of the core firmware instructions (and/or other excludable firmware instructions that are not deleted).
[0030] In examples, the processor 102 may implement measures that may secure the excludable regions. For example, the processor 102 may determine that data has been added to the excludable region after the excludable firmware instructions have been deleted. The processor 102 may then delete the data from the excludable region. In some instances, the processor 102 may periodically, on-demand, at firmware updates, and/or at other times consult the metadata to identify excludable regions of the storage device that are associated with disabled (deleted) excludable firmware instructions and delete data from those regions. As such, the processor 102 may periodically purge excludable regions that should not have data in those excludable regions.
[0031] In examples, the excludable region 103 includes a plurality of excludable regions. Each excludable region may store corresponding excludable firmware instructions and each may be individually disabled by deleting the excludable firmware instructions from the storage device 104. For example, the processor 102 may obtain an indication that the second excludable firmware instructions are to be disabled, identify the second excludable region corresponding to the second excludable firmware instructions, and delete the second excludable firmware instructions from the second excludable region. Each excludable region may be identified based on a respective offset and/or location that corresponds to the excludable region. Additional details regarding the layout of the excludable regions are discussed with respect to FIGS. 2A and 2B.
[0032] Reference will now be made to operations relating to receiving selections of excludable firmware instructions to be disabled. Referring to FIG. 1B, the processor 102 may fetch, decode, and execute the instructions 120 to obtain metadata from the metadata region, wherein the metadata indicates a first location of the first excludable region in the storage device and a second location of the second excludable region in the storage device.
[0033] The processor 102 may fetch, decode, and execute the instructions 122 to generate a listing of first excludable firmware instructions and second excludable firmware instructions.
[0034] The processor 102 may fetch, decode, and execute the instructions 124 to receive a selection of the first excludable firmware instructions, the selection indicating that the first excludable firmware instructions are to be disabled.
[0035] The processor 102 may fetch, decode, and execute the instructions 126 to set a first flag to indicate that the first excludable firmware instructions are to be disabled responsive to the selection.
[0036] The processor 102 may fetch, decode, and execute the instructions 128 to delete the first excludable firmware instructions based on the first flag. In examples, the first excludable firmware instructions and the second excludable firmware instructions may be pre-installed at the storage device 104. The first flag may be set to indicate that the first excludable firmware instructions are enabled until disabled, and the second flag is set to indicate that the second excludable firmware instructions are enabled until disabled.
[0037] Reference will now be made to a more detailed view of a storage device 104 for storing firmware instructions. FIG. 2A shows a block diagram of an example storage device 104 that includes different regions (101, 210, 103A-N) for storing metadata 201, core firmware instructions 212, and excludable instructions 220A-N. The storage device 104 may include a metadata region 101, a main region 210, and a plurality of excludable regions 103A-N. The metadata region 101 may store metadata 201. The main region 210 may store core firmware instructions 212. The excludable regions 103A-N may each store corresponding excludable firmware instructions 220A-N. The core firmware instructions 212 and the excludable firmware instructions 220A-N together form the firmware instructions 208. The firmware instructions 208 may be used to boot or otherwise initialize an apparatus, such as apparatus 100. In the context of BIOS, UEFI, and/or other boot firmware instructions, in some examples, the main region 210 and excludable regions 103 may correspond to a Driver Execution Environment (DXE) location on the storage device 104. The architecture of the DXE location in the storage device 104 may be separated into different regions, such as the main region 210 and excludable regions 103A-N.
[0038] In examples, the metadata 201 may store a pointer 204 to the main region 210. The pointer 204 may indicate a location of the main region 210 in the storage device 104. The pointer 204 may include an offset and/or length of the main region 210. As such, the core firmware instructions 212 stored in the main region 210 may be obtained, such as to be booted during bootup of an apparatus, such as apparatus 100.
[0039] In examples, the metadata 201 may store a pointer 206 to the excludable region 103A. The pointer 206 may include an offset and/or length of the excludable region 103A. As such, the excludable firmware instructions 220A stored in the excludable region 103A may be obtained, such as to be booted during bootup of an apparatus, such as apparatus 100. Additionally, the excludable firmware instructions 220A stored in the excludable region 103A may be deleted from the storage device 104 based on the pointer 206.
[0040] In examples, previous excludable regions may serially point to subsequent excludable regions 103 (such as excludable regions 103B-N). For example, the excludable region 103A may include a pointer 222A that includes information used to locate the next excludable region 103 (in this case, excludable region 103B). For example, the pointer 222A may indicate an offset, length, and/or other location indicator of the next excludable region 103. Alternatively or additionally, the pointer 222A may include a length of the current excludable region 103 so that the offset of the next excludable region may be calculated. Thus, the excludable regions 103 may be serially laid out next to one another on the storage device 104. Likewise, excludable regions 103B-N may each include a pointer 222B, 222N that includes information used to locate the next excludable region 103. For instance, the pointers 222B, 222N may each indicate an offset, length, and/or other location indicator of the next excludable region 103, and so on. In this manner, a linked array of excludable regions may be laid out on the storage device 104. Alternatively or additionally, the metadata 201 may individually store each of the pointers 222A-N (as well as the pointers 204 and 206).
[0041] FIG. 2B shows a block diagram of an example storage device 104 that includes deleted excludable instructions. For example, with reference back to FIG. 2A, excludable firmware instructions 220A have been disabled and therefore deleted from the storage device 104, as illustrated by the cross-hatching. Specifically, the excludable firmware instructions 220A have been deleted from the excludable region 103A. However, the pointer 222A has been maintained so that the next excludable region 103 (excludable region 103B) may be located.
[0042] It should be noted that like reference symbols between FIGS. 2A and 2B (and throughout the drawing figures) represent similar drawing elements. It should be noted that the particular number of excludable firmware instructions and excludable regions shown in FIGS. 2A and 2B are for illustrative purposes. Other numbers may be used as appropriate. Furthermore, the storage device 200 shown in FIGS. 2A and 2B may be part of the memory 110 or may be separate from the memory 110.
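The serially linked excludable regions of [0040] and [0041], as an added Python model that is not part of the patent: each excludable region 103 begins with a pointer record (pointer 222) giving its payload length and the absolute offset of the next region, the metadata pointer 206 supplies the first offset, and deleting a region erases only its payload so the chain stays walkable. The record layout, the region names and the 0xFF erased-flash pattern are assumptions of this example.

```python
import struct

# Constructed model of the serially linked excludable regions of FIGS. 2A and
# 2B. Each region starts with a pointer record: the length of this region's
# payload and the absolute offset of the next excludable region, with 0 marking
# the end of the chain. Record layout and the 0xFF erase pattern are assumptions
# of this example, not details taken from the patent.
POINTER_FMT = "<II"           # little-endian: payload_length, next_offset
POINTER_SIZE = struct.calcsize(POINTER_FMT)
ERASED = 0xFF


def lay_out(payloads: list, first_offset: int) -> bytearray:
    """Place the excludable regions back to back behind `first_offset`, which
    stands for the metadata and main regions that precede them."""
    image, offset = bytearray(), first_offset
    for i, payload in enumerate(payloads):
        region_len = POINTER_SIZE + len(payload)
        next_offset = offset + region_len if i + 1 < len(payloads) else 0
        image += struct.pack(POINTER_FMT, len(payload), next_offset) + payload
        offset += region_len
    return bytearray([ERASED]) * first_offset + image


def walk(image: bytearray, first_offset: int) -> list:
    """Follow the chain from pointer 206, validating every pointer before use:
    a pointer that leaves the storage or revisits a region is reported as
    corruption instead of being followed."""
    regions, offset, seen = [], first_offset, set()
    while offset:
        if offset in seen or offset + POINTER_SIZE > len(image):
            raise ValueError(f"corrupt pointer chain at offset {offset}")
        seen.add(offset)
        length, next_offset = struct.unpack_from(POINTER_FMT, image, offset)
        start = offset + POINTER_SIZE
        if start + length > len(image):
            raise ValueError(f"region at offset {offset} runs past end of storage")
        payload = bytes(image[start:start + length])
        # "deleted" is inferred from the erased payload here; in the patent the
        # authoritative state is the region's flag, which this model omits.
        regions.append({"offset": offset, "payload_offset": start, "length": length,
                        "deleted": all(b == ERASED for b in payload)})
        offset = next_offset
    return regions


def delete_region(image: bytearray, region: dict) -> None:
    """Erase only the payload; the pointer record is kept so that the next
    excludable region can still be located, as in FIG. 2B."""
    start, length = region["payload_offset"], region["length"]
    image[start:start + length] = bytes([ERASED]) * length


if __name__ == "__main__":
    storage = lay_out([b"recovery" * 4, b"telemetry" * 2, b"diag" * 3], first_offset=64)
    delete_region(storage, walk(storage, 64)[0])   # disable the first feature
    for region in walk(storage, 64):               # chain still walks past it
        print(region)
```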
[0043] FIG. 3 shows a block diagram of an example system 300 that provisions firmware instructions, including core firmware instructions and excludable firmware instructions. A firmware vendor 302 may provide firmware instructions 208. The various components of system 300 may be coupled to one another via a computer network such as, for example, a local area network (LAN), a virtual LAN (VLAN), a wireless local area network (WLAN), a virtual private network (VPN), the Internet, or the like, or a combination thereof. In examples, the firmware instructions 208 may be part of the apparatus 100 offered by the firmware vendor 302. Various third parties may supply firmware add-ons 304. Each of these firmware add-ons 304 may be incorporated into the firmware instructions 208. In examples, a firmware add-on 304 may be incorporated into the firmware instructions 208 as an excludable firmware instruction 220 by the firmware vendor 302.
[0044] The firmware vendor 302 may provide the firmware instructions 208 for consumption within a computer infrastructure 310. Multiple computer infrastructures 310A-N are shown but only one (computer infrastructure 310A) is shown in detail for convenience. The computer infrastructure 310 may include a provisioning server 320 used to deploy apparatus 100 based on provisioning rules 322. The provisioning rules 322 may include a compliance policy, a security policy, and/or other policies that dictate the configuration, security, or other operational characteristics of the apparatus 100.
[0045] An entity may operate each computer infrastructure 310. As such, each entity may control whether and which firmware instructions execute on a given apparatus 100 within the computer infrastructure 310 based on the provisioning rules 322. In some examples, the provisioning server 320 may facilitate firmware instruction updates to the apparatuses 100 within the computer infrastructure 310. As such, the provisioning server 320 may facilitate updates to the firmware instructions as disclosed herein. It should be noted that the provisioning server 320 (though not illustrated) may include a processor, such as processor 102, that may perform some or all of the operations of apparatus 100 to delete excludable firmware instructions from an apparatus.
[0046] Various manners in which the apparatus 100 may operate to update firmware instructions are discussed in greater detail with respect to the method 400 depicted in FIG. 4. It should be understood that the method 400 may include additional operations and that some of the operations described therein may be removed and/or modified without departing from the scopes of the method 400. The description of the method 400 is made with reference to the features depicted in FIGS. 1A-3 for purposes of illustration.
[0047] FIG. 4 depicts a flow diagram of an example method for updating firmware instructions in the presence of deleted excludable firmware instructions.
[0048] As shown in FIG. 4, at block 402, the processor 102 may receive an indication to update firmware instructions, such as firmware instructions 208. The update may be facilitated by an updater or installer, such as a BIOS or UEFI updater or installer. In some examples, the update may include an update to the core firmware instructions and to the excludable firmware instructions.
[0049] At block 404, the processor 102 may update core firmware instructions.
[0050] At block 406, the processor 102 may identify excludable firmware instructions. For example, the processor 102 may access metadata that specifies the excludable firmware instructions.
[0051] At block 408, the processor 102 may determine whether the excludable firmware instructions are disabled. For example, the processor 102 may consult a flag for the excludable firmware instructions that indicates whether the excludable firmware instructions have been disabled. If the excludable firmware instructions are disabled, then the processor 102 may skip to block 412, where a determination of whether more excludable firmware instructions are available is made. In this manner, if the update includes excludable firmware instructions that have been disabled (deleted at an apparatus such as apparatus 100), then the update for the excludable firmware instructions may be skipped. In some examples, the processor 102 may delete data from the excludable region corresponding to the disabled excludable firmware instructions to ensure that malware or other data that should not be present is removed. As such, each apparatus may update only excludable firmware instructions that have not been disabled even if the update includes an update to the disabled excludable firmware instructions. This may make global updates more efficient since the updates may include updates to all firmware instructions without regard to whether a particular apparatus has disabled excludable firmware instructions.
[0052] At block 410, the processor 102 may, responsive to a determination that the excludable firmware instructions are not disabled, update the excludable firmware instructions. For example, the processor 102 may identify the excludable firmware instructions to be updated, identify a location on firmware storage (such as storage device 104) at which the excludable firmware instructions are stored (such as an excludable region 103) and write the update files to the appropriate location. In some instances, a signature for the updated excludable firmware instructions may be obtained and stored for later validation.
[0053] At block 412, the processor 102 may determine whether more excludable firmware instructions are available. If so, then the processor 102 may return to block 406, where the next excludable firmware instructions are identified.
[0054] At block 414, the processor 102 may complete the firmware updates responsive to a determination that no more excludable firmware instructions are available.
[0055] Some or all of the operations set forth in the method 400 may be included as utilities, programs, or subprograms, in any desired computer accessible medium. In addition, the method 400 may be embodied by computer programs, which may exist in a variety of forms. For example, some operations of the method 400 may exist as machine-readable instructions, including source code, object code, executable code or other formats. Any of the above may be embodied on a non-transitory computer readable storage medium. Examples of non-transitory computer readable storage media include computer system RAM, ROM, EPROM, EEPROM, and magnetic or optical disks or tapes. It is therefore to be understood that any electronic device capable of executing the above-described functions may perform those functions enumerated above.
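The update flow of blocks 402-414, as an added simulation that is not part of the patent: the flash image, the region layout, the feature names ("recovery", "telemetry") and the use of a SHA-256 digest as the per-region "signature" are constructed assumptions. A global package carrying every feature is applied; a disabled feature's update is skipped and its region is scrubbed, with any residue found there reported, as in paragraph [0051] and claim 4.

```python
import hashlib
from dataclasses import dataclass

ERASED = 0xFF  # value an erased flash region reads back (assumption for this example)


@dataclass
class Region:
    name: str
    offset: int
    length: int
    disabled: bool = False   # per-feature flag kept in the metadata region (claim 2)
    known_good: str = ""     # SHA-256 of the expected contents, one per region (claim 5)


def _slice(region):
    return slice(region.offset, region.offset + region.length)


def write_region(flash, region, data):
    """Block 410: write an update into its region and record the new known-good digest."""
    if len(data) > region.length:
        raise ValueError(f"{region.name}: update ({len(data)} B) exceeds region ({region.length} B)")
    padded = data.ljust(region.length, bytes([ERASED]))
    flash[_slice(region)] = padded
    region.known_good = hashlib.sha256(padded).hexdigest()


def erase_region(flash, region):
    """Delete a region's contents. Returns True if anything other than erased bytes was
    present, i.e. data landed in the region after its feature was deleted (claim 4)."""
    residue = any(b != ERASED for b in flash[_slice(region)])
    flash[_slice(region)] = bytes([ERASED]) * region.length
    region.known_good = ""   # nothing is expected to live here any more
    return residue


def apply_update(flash, main, excludables, package):
    """Method 400. 'package' is {'core': bytes, 'excludable': {name: bytes}} and may carry
    updates for features this device has disabled; those are skipped and their region scrubbed."""
    actions = []
    write_region(flash, main, package["core"])                       # block 404
    actions.append((main.name, "updated"))
    for region in excludables:                                       # blocks 406 / 412
        if region.disabled:                                          # block 408
            residue = erase_region(flash, region)
            actions.append((region.name, "erased", residue))
            continue
        if region.name in package["excludable"]:                     # block 410
            write_region(flash, region, package["excludable"][region.name])
            actions.append((region.name, "updated"))
        else:
            actions.append((region.name, "unchanged"))
    return actions                                                   # block 414


def demo():
    """Constructed layout: 4 KiB image, core at 0x100, two 512-byte excludable regions after it."""
    flash = bytearray([ERASED]) * 4096
    main = Region("core", 0x100, 1024)
    feat_a = Region("recovery", 0x500, 512)
    feat_b = Region("telemetry", 0x700, 512)
    # Factory image: both features pre-installed and enabled until disabled (claim 12).
    write_region(flash, main, b"CORE v1")
    write_region(flash, feat_a, b"RECOVERY v1")
    write_region(flash, feat_b, b"TELEMETRY v1")
    # The operator disables "telemetry" and it is deleted; later something is written
    # into the freed region (constructed residue for the claim-4 check).
    feat_b.disabled = True
    erase_region(flash, feat_b)
    flash[feat_b.offset:feat_b.offset + 4] = b"JUNK"
    # A global update package still ships every feature (paragraph [0051]).
    package = {"core": b"CORE v2",
               "excludable": {"recovery": b"RECOVERY v2", "telemetry": b"TELEMETRY v2"}}
    actions = apply_update(flash, main, [feat_a, feat_b], package)
    return actions, flash, main, feat_a, feat_b


if __name__ == "__main__":
    for action in demo()[0]:
        print(action)
```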
[0056] FIG. 5 depicts a block diagram of an example non-transitory computer-readable medium 500 for executing firmware instructions that includes core firmware instructions and excludable firmware instructions. The non-transitory computer-readable medium 500 may be an electronic, magnetic, optical, or other physical storage device that includes or stores executable instructions. The non-transitory computer-readable medium 500 may be, for example, Random Access Memory (RAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a storage device, an optical disc, and the like. The non-transitory computer-readable medium 500 may have stored thereon machine-readable instructions 502-508 that a processor, such as the processor 102, may execute.
[0057] In various examples, the non-transitory machine-readable medium 500 may boot up a device, such as apparatus 100, using core firmware instructions and excludable firmware instructions that have not been disabled. In these examples, the machine-readable instructions 502-508 may operate to obtain and execute the core firmware instructions and excludable firmware instructions to boot up the device. Other example uses of machine-readable instructions 502-508 may be implemented as well.
[0058] The machine-readable instructions 502 may cause the processor to obtain metadata from a storage device, such as storage device 104.
[0059] The machine-readable instructions 504 may cause the processor to obtain a first flag and a second flag. The first flag and/or the second flag may be stored in a secure location of the storage device.
[0060] The machine-readable instructions 506 may cause the processor to obtain an execution order from the metadata, the execution order indicating an order in which core firmware instructions, first excludable firmware instructions, and second excludable firmware instructions are to be executed.
[0061] The machine-readable instructions 508 may cause the processor to execute, based on the execution order: the core firmware instructions, the first excludable firmware instructions when the first flag indicates that the first excludable firmware instructions are enabled, and the second excludable firmware instructions when the second flag indicates that the second excludable firmware instructions are enabled. It should be noted that when the first flag and/or the second flag indicates that corresponding excludable firmware instructions are disabled, the corresponding excludable firmware instructions have been or will be deleted at boot up, update, and/or other times.
[0062] In some examples, the firmware instructions may be individually verified before execution using security information such as a known-good signature. For instance, a known-good signature for the core firmware instructions may be stored and matched with a current signature of the core firmware instructions to verify the core firmware instructions have not been tampered with. Likewise, a known-good signature for each excludable firmware instruction may be stored and matched with a current signature of each excludable firmware instruction to verify each of the excludable firmware instructions have not been tampered with as well. As previously noted, separate signature verification may permit deletion of a given excludable firmware instruction. Other types of security information such as a hash contained in signed metadata corresponding to contents of a main or excludable region, a hash of the contents of the main or excludable region, and/or other data may be used as well.
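Boot-time selection and verification per paragraphs [0060]-[0062], as an added example that is not from the patent: the image layout, the dictionary-shaped metadata (execution order, per-region offset/length, enable flag and known-good digest) and SHA-256 standing in for the known-good signature are assumptions, and the metadata itself is taken as already signature-verified. The point it shows is that each region is checked on its own, so a modification in one region halts boot without being masked by, or affecting, the checks of the others.

```python
import hashlib

ERASED = b"\xff"   # erased-flash fill byte (assumption for this example)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_image():
    """Constructed 2 KiB image: core at 0x000, two 256-byte excludable regions, and metadata
    of the kind the patent describes. 'telemetry' has been disabled and its region erased."""
    flash = bytearray(ERASED * 2048)
    layout = {                      # name: (offset, length, is_excludable)
        "core": (0x000, 1024, False),
        "recovery": (0x400, 256, True),
        "telemetry": (0x500, 256, True),
    }
    contents = {"core": b"CORE v2", "recovery": b"RECOVERY v2", "telemetry": b""}
    regions = {}
    for name, (offset, length, excludable) in layout.items():
        blob = contents[name].ljust(length, ERASED)
        flash[offset:offset + length] = blob
        regions[name] = {
            "offset": offset, "length": length, "excludable": excludable,
            "enabled": name != "telemetry",       # the per-feature flag (instructions 504)
            "known_good": sha256_hex(blob),       # separate digest per region (claim 5)
        }
    metadata = {"order": ["core", "recovery", "telemetry"], "regions": regions}
    return flash, metadata


def boot(flash, metadata):
    """Instructions 506/508: walk the execution order; skip disabled excludable regions without
    reading them; verify every region that will run against its own known-good digest.
    Returns (log, booted). Boot halts at the first region that fails verification."""
    log = []
    for name in metadata["order"]:
        r = metadata["regions"][name]
        if r["excludable"] and not r["enabled"]:
            log.append((name, "skipped"))
            continue
        blob = bytes(flash[r["offset"]:r["offset"] + r["length"]])
        if sha256_hex(blob) != r["known_good"]:
            log.append((name, "integrity failure"))
            return log, False                      # nothing after a failed region runs
        log.append((name, "executed"))             # a real loader transfers control here
    return log, True


def tamper_and_boot(region_name):
    """Flip one byte inside the named region of a fresh image, then attempt to boot."""
    flash, metadata = build_image()
    r = metadata["regions"][region_name]
    flash[r["offset"] + 3] ^= 0x01
    return boot(flash, metadata)


if __name__ == "__main__":
    print(boot(*build_image()))
    for name in ("core", "recovery", "telemetry"):
        print(name, tamper_and_boot(name))
```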
[0063] The systems, methods, and computer readable media described herein may facilitate various uses and models of distributing firmware instructions, such as firmware instructions 208. For example, a vendor, such as firmware vendor 302 (which may produce apparatus 100 embedded with or otherwise included with the firmware instructions), may offer different functionalities encoded through excludable firmware instructions, such as excludable firmware instructions 220. Consumers, such as entities that operate computer infrastructure 310, may elect some or all of these functionalities, in which case they may be provided with corresponding excludable firmware instructions. Otherwise, the vendor may remove the corresponding excludable firmware instructions prior to providing the firmware instructions. This may make distribution of the firmware instructions easier and facilitate different models of such distribution.
[0064] In other examples, if the consumer has paid for or otherwise acquired a service or functionality provided by excludable firmware instructions but no longer needs or wants such functionality, then the corresponding excludable firmware instructions may be removed using the systems, methods, computer readable media described herein.
[0065] Although described specifically throughout the entirety of the instant disclosure, representative examples of the present disclosure have utility over a wide range of applications, and the above discussion is not intended and should not be construed to be limiting, but is offered as an illustrative discussion of aspects of the disclosure. For example, although described in the context of boot-level initialization, the features and functions described herein may be used in other contexts.
[0066] For simplicity and illustrative purposes, the present disclosure may be described by referring mainly to examples. In the preceding description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure. It will be readily apparent however, that the present disclosure may be practiced without limitation to these specific details. In other instances, some methods and structures have not been described in detail so as not to unnecessarily obscure the present disclosure.
[0067] Throughout the present disclosure, the terms "a" and "an" may be intended to denote at least one of a particular element. As used herein, the term "includes" means includes but not limited to, the term "including" means including but not limited to. The term "based on" means based at least in part on.
[0068] What has been described and illustrated herein is an example of the disclosure along with some of its variations. The terms, descriptions and figures used herein are set forth by way of illustration only and are not meant as limitations. Many variations are possible within the spirit and scope of the disclosure, which is intended to be defined by the following claims - and their equivalents - in which all terms are meant in their broadest reasonable sense unless otherwise indicated.

Claims

What is claimed is:
1. An apparatus comprising:
a storage device including a metadata region and an excludable region; and
a processor to:
obtain metadata from the metadata region, wherein the metadata indicates a location of the excludable region in the storage device;
obtain an indication that excludable firmware instructions stored in the excludable region are to be disabled;
identify, based on the metadata, the excludable region; and
delete the excludable firmware instructions from the excludable region.
2. The apparatus of claim 1, wherein the metadata includes a flag that indicates whether or not to disable the excludable firmware instructions, wherein the processor is further to:
receive an indication to disable the excludable firmware instructions; and
set the flag to indicate that the excludable firmware instructions are to be disabled, wherein the indication that the excludable firmware instructions are to be disabled is based on the flag.
3. The apparatus of claim 2, wherein the storage device further includes a main region, the processor further to:
receive an indication to update core firmware instructions, the core firmware instructions stored at the main region;
determine that the flag is set to disable the excludable firmware instructions; and
update the core firmware instructions without an update to the excludable firmware instructions, wherein the update to the core firmware instructions is based on the determination that the flag is set to disable the excludable firmware instructions.
4. The apparatus of claim 2, the processor further to:
determine that data has been added to the excludable region after the excludable firmware instructions have been deleted; and
delete the data from the excludable region.
5. The apparatus of claim 1, the processor further to:
generate a first digital signature for core firmware instructions, wherein the first digital signature is used to verify the integrity of the core firmware instructions; and
generate a second digital signature for the excludable firmware instructions, wherein the second digital signature is used to verify the integrity of the excludable firmware instructions independently of the integrity of the core firmware instructions.
6. The apparatus of claim 1, wherein the metadata includes an offset and a length of the excludable region, and wherein to delete the excludable firmware instructions, the processor is to:
obtain the offset and the length of the excludable region; and
delete data from the storage device corresponding to the offset and the length.
7. The apparatus of claim 6, wherein the storage device comprises a second excludable region that stores second excludable firmware instructions, the processor being further to:
obtain an indication that the second excludable firmware instructions are to be disabled;
identify the second excludable region corresponding to the second excludable firmware instructions; and
delete the second excludable firmware instructions from the second excludable region.
8. The apparatus of claim 7, wherein to identify the second excludable region, the processor is to:
identify, based on the metadata, a second offset of the second excludable region of the storage device corresponding to the second excludable firmware instructions.
9. The apparatus of claim 7, wherein to identify the second excludable region, the processor is further to:
determine that the second excludable region is after the excludable region on the storage device, wherein the second excludable region is identified based on the offset and the length of the excludable region.
10. The apparatus of claim 1, wherein the metadata includes a mapping between the excludable region and the excludable firmware instructions, and wherein the excludable region is identified based on the mapping.
11. An apparatus comprising:
a storage device including a metadata region, a main region, a first excludable region, and a second excludable region; and
a processor to:
obtain metadata from the metadata region, wherein the metadata indicates a first location of the first excludable region in the storage device and a second location of the second excludable region in the storage device;
generate a listing of first excludable firmware instructions and second excludable firmware instructions;
receive a selection of the first excludable firmware instructions, the selection indicating that the first excludable firmware instructions are to be disabled;
set a first flag to indicate that the first excludable firmware instructions are to be disabled responsive to the selection; and
delete the first excludable firmware instructions based on the first flag.
12. The apparatus of claim 11, wherein the first excludable firmware instructions and the second excludable firmware instructions are pre-installed at the storage device, the first flag is set to indicate that the first excludable firmware instructions are enabled until disabled, and a second flag is set to indicate that the second excludable firmware instructions are enabled until disabled.
13. The apparatus of claim 11, wherein the processor is further to:
receive an indication to update core firmware instructions;
determine that the first flag is set to disable the first excludable firmware instructions; and
update the core firmware instructions without an update to the first excludable firmware instructions, wherein the update to the core firmware instructions is based on the determination that the first flag is set to disable the first excludable firmware instructions.
14. A non-transitory computer-readable medium comprising machine-readable instructions that when executed by a controller of an electronic device, cause the controller to:
obtain metadata from a storage device;
obtain a first flag and a second flag;
obtain an execution order from the metadata, the execution order indicating an order in which core firmware instructions, first excludable firmware instructions, and second excludable firmware instructions are to be executed; and
execute, based on the execution order:
the core firmware instructions;
the first excludable firmware instructions when the first flag indicates that the first excludable firmware instructions are enabled; and
the second excludable firmware instructions when the second flag indicates that the second excludable firmware instructions are enabled.
15. The non-transitory computer-readable medium of claim 14, wherein the instructions are further to cause the controller to:
delete the first excludable firmware instructions from a first excludable region of the storage device when the first flag indicates that the first excludable firmware instructions are disabled; and
delete the second excludable firmware instructions from a second excludable region of the storage device when the second flag indicates that the second excludable firmware instructions are disabled.
PCT/US2019/017522 2019-02-11 2019-02-11 Deletion of firmware instructions WO2020167286A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
EP19915084.8A EP3887943A4 (en) 2019-02-11 2019-02-11 Deletion of firmware instructions
CN201980090905.3A CN113330423A (en) 2019-02-11 2019-02-11 Deletion of firmware instructions
PCT/US2019/017522 WO2020167286A1 (en) 2019-02-11 2019-02-11 Deletion of firmware instructions
US17/296,526 US20220027074A1 (en) 2019-02-11 2019-02-11 Deletion of firmware instructions

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2019/017522 WO2020167286A1 (en) 2019-02-11 2019-02-11 Deletion of firmware instructions

Publications (1)

Publication Number Publication Date
WO2020167286A1 true WO2020167286A1 (en) 2020-08-20
