Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-11-20
2003-04-01
Hayes, Gail (Department: 2131)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
Reexamination Certificate
active
06542995
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention relates to computer system security and, more particularly, to a device and method for preventing access of a secured plug and play peripheral device (or address range within the peripheral device) whose base address has been modified.
2. Description of the Related Art
Contained within a portion of the computer system non-volatile memory is a program often referred to as Basic Input/Output System (“BIOS”). BIOS is the interface between the computer system hardware and the operating system and applications software. The BIOS is generally run at boot-up in order to establish the serial and parallel ports, test memory, and generally determine the overall hardware configuration of the computer system. Thereafter, the processor within the computer system is instructed to read the operating system software (and eventually the applications software) from a configured disk drive.
In order to configure various hardware resources during boot-up, it is necessary that the input/output (“I/O”) address space of each hardware resource be assigned. This may entail writing an I/O address space to a register assigned to that hardware resource. Typically, the configuration register of each resource is contained on the same card as the interface to that resource so that whenever accesses occur, those accesses are immediately mapped to the corresponding resource.
Many types of hardware resources contain sensitive data and/or instructions. Those hardware resources are often linked to peripheral buses within the computer system, and are henceforth referred to as “peripheral devices”. For example, a computer system may employ several peripheral buses, such as an Integrated Drive Electronics (“IDE”) bus, a Peripheral Component Interface (“PCI”) bus, and/or an Industry Standard Architecture (“ISA”) bus. A peripheral device, such as a disk drive, can reside upon the IDE bus and may contain sensitive information that must be periodically secured against unauthorized access. Certain information accessible across a serial port, a parallel port, or contained within a floppy disk drive, and commonly linked to an ISA bus may also be securable. Passwords stored within static RAM, linked to the ISA bus must be maintained private to only the individual or individuals who are authorized to examine or modify those passwords. The static RAM attributed to a computer system is often referred to as CMOS RAM.
The desire to maintain security to certain peripheral devices connected to a peripheral bus, for example the ISA bus, becomes particularly acute with the advent of what is commonly known as “Plug and Play” devices. Set forth in the “Plug and Play ISA Specification” Version 1.0a, May 5, 1994, copyright Intel and Microsoft Corporation (herein incorporated by reference and henceforth referred to as the “Specification”), the interface to various peripheral devices can be configured upon an adapter card and merely plugged into slots associated with the computer system. In the example provided, the slots are connected to the ISA bus such that a user interface adapter, a memory media adapter, and various other adapters can be easily and quickly plugged into numerous slots associated with the ISA bus. A popular ISA adapter includes what is often referred to as a “Super I/O” adapter. The Super I/O is essentially an application specific chip, a suitable such chip obtainable from National Semiconductor Corporation as part no. PC87310.
The ease by which hardware resources and, more specifically, ISA peripheral devices (interchangeably referred to as either the devices themselves or as “cards” containing an interface to the devices) can be connected to the ISA bus poses numerous security concerns. For example, a peripheral device, once secured to a slot that is secured, may not remain secured if that peripheral device is re-assigned to a dissimilar slot during removal of its associated adapter card and re-insertion of that card into another slot. Additionally, a peripheral device which is presently secured is often protected against unwarranted accesses to that particular device's I/O address space. However, if that device is removed from its slot and another device inserted, the second device will be secured even though it may be desirable that it not be secured. It would therefore be beneficial to introduce a computer security system which can maintain security to Plug and Play peripheral devices even though those devices are moved. Moreover, it would be of further benefit to disable security of a slot previously occupied by a secured device, but re-assigned to a device that is not to be secured. The flexibility of re-assigning security controls within an existing Plug and Play ISA system would present a beneficial advancement over conventional, non-flexible (or fixed) security assignments.
SUMMARY OF THE INVENTION
The problems outlined above are in large part solved by an improved computer security system hereof. The security system can flexibly secure I/O address spaces to take advantage of modifications allowed by the Plug and Play architecture. Securement can apply to any peripheral device, such as an ISA device. Securing ISA devices, such as the Super I/O device, is achieved by placing security components within a southbridge of the computer system. The southbridge includes a password store and compare unit which retrieves passwords stored in non-volatile memory during computer boot-up, and compares those stored passwords against user-entered passwords. The password store and computer unit is interchangeably referred to as a “black box”. This description of a black box security device is generally well-known, and set forth in, for example, U.S. Pat. No. 5,748,888 (herein incorporated by reference).
Also contained within the southbridge is a configuration control unit. Upon receiving an initialization key, the configuration control unit isolates each Plug and Play device (i.e., device or card) upon, e.g., the ISA bus and assigns a unique identifier number to each of those respective devices. The identifier number is contained within a register proximate to its respective device. Additionally, the identifier number is contained within a shadow register or device identification register located within the southbridge. For each peripheral device, a corresponding device identification register and unique identifying number is present.
Further embodied upon the southbridge is a security control unit. The security control unit, similar to the configuration control unit, is coupled to the peripheral bus (e.g., ISA bus) and receives a configuration command, or wake command, transmitted across the peripheral bus. The configuration command will cause all peripheral devices that have an identifying number which matches the subsequent write data to transition from a sleep state to possibly a configuration state. Within the configuration state, configuration registers associated with corresponding peripheral devices can be configured with an I/O address range. The configuration registers are assigned to respective peripheral devices and are usually attributed to adapter cards on which those devices reside. The configuration registers are programmed during the configuration state, when boot-up occurs. In addition to programming the configuration registers, the I/O address spaces of respective peripheral devices are also programmed into shadow registers, or I/O address registers, contained within the southbridge.
The device identification registers and I/O address registers shadow or track configuration information stored within configuration registers upon respective adapter cards. However, by placing the configuration information within the southbridge via the shadow registers, allowance of subsequent accesses to particular peripheral devices and to particular I/O base addresses can be made within the southbridge. Accordingly, the security control unit includes a protection comparator which compares, e.g., ISA bus transaction addresses to base addresses and id
Heinrich David F.
Le Hung Q.
Compaq Information Technologies Group L.P.
Conley & Rose, P.C.
Daffer Kevin L.
Ha Leynna
Hayes Gail
LandOfFree
Apparatus and method for maintaining secured access to... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Apparatus and method for maintaining secured access to..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Apparatus and method for maintaining secured access to... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3012521