Search

US-12625965-B2 - Systems and methods for secure firmware updates

US12625965B2US 12625965 B2US12625965 B2US 12625965B2US-12625965-B2

Abstract

Systems and methods prevent nonsecure updates to firmware of an IHS (Information Handling System). During factory provisioning of the IHS, a manifest of firmware loaded for operating a hardware component of the IHS is digitally signed by a remote access controller of the IHS, and the signed manifest is stored to the IHS. Once the IHS has been deployed and during an interval where the IHS does not have access to external networks by which to validate a received firmware update, the signed manifest of loaded firmware is retrieved and used to determine whether the received firmware update is compatible with the loaded firmware of the hardware component. When the update is compatible with the loaded firmware, at least a portion of the loaded firmware is replaced with the firmware update and an updated manifest is digitally signed to reflect availability of the update for use by the hardware component.

Inventors

  • Deepaganesh Paulraj
  • Mahesh Babu Ramaiah
  • Rama Rao Bisa
  • Ajay Shenoy
  • Manjunath Vishwanath
  • Sivakami Velusamy

Assignees

  • DELL PRODUCTS, L.P.

Dates

Publication Date
20260512
Application Date
20220926

Claims (20)

  1. 1 . An Information Handling System (IHS) comprising: one or more CPUs utilizing one or more buses that connect to a plurality of hardware components of the IHS, the plurality of hardware components comprising one or more network controllers; and a remote access controller that interfaces with the one or more CPUs via a plurality of inband busses of the IHS and that support remote management of the plurality of hardware components of the IHS via a plurality of sideband management busses connecting the remote access controller directly to respective hardware components of the IHS, wherein the remote management comprises management of firmware updates for the plurality of hardware components of the IHS, the remote access controller comprising a logic unit and a memory device having instructions stored thereon that, upon execution by the logic unit, cause the remote access controller to: during factory provisioning of the IHS, sign a firmware manifest of instructions within a firmware image loaded for operation by a first of the plurality of hardware components of the IHS and store the signed firmware manifest to a secured memory of the remote access controller, wherein the signed firmware manifest specifies two or more delineated sets of firmware instructions within the firmware image, each delineated set of firmware instructions defined by one or more boundaries within a firmware image, and wherein the signed firmware manifest comprises a mapping of different firmware versions that can be assembled from the delineated sets of firmware instructions located within the boundaries of the firmware image; upon deployment of the IHS and while the one or more network controllers are unable to connect to any external networks, receive a request to update firmware used to operate the first hardware component; in response to the firmware update request and while the one or more network controllers are unable to connect to any external networks, retrieve the signed firmware manifest from the secured memory of the remote access controller; based on the signed firmware manifest and while the one or more network controllers are unable to connect to any external networks, determine whether the received firmware update request is consistent with the one or more boundaries of the firmware image that is loaded for operation by the first hardware component; when the received firmware update request is consistent with the loaded firmware: assemble the requested firmware update from a plurality of the delineated sets of firmware instructions located in the boundaries of the firmware image, replace at least a portion of the loaded firmware with the assembled requested firmware update, update the manifest to specify updated firmware boundaries that specify storage locations for updated firmware instructions in the assembled requested update, and sign the updated firmware manifest; and when the received firmware update request is not consistent with the loaded firmware, prevent use of the requested firmware update.
  2. 2 . The IHS of claim 1 , wherein the firmware manifest is used to evaluate the consistency of the requested firmware update with the loaded firmware during an interval while the one or more network controllers are unable to connect to any external networks that can be used to interface with a certificate authority that can validate authenticity of the requested firmware update.
  3. 3 . The IHS of claim 1 , wherein the consistency of the firmware update with the loaded firmware is determined while the one or more network controllers are unable to connect to any networks based on whether a size of the requested firmware update is consistent with a size of the firmware image stored by the first hardware component.
  4. 4 . The IHS of claim 1 , wherein the firmware manifest is signed during factory provisioning of the IHS by the remote access controller using a private keypair generated by the remote access controller.
  5. 5 . The IHS of claim 4 , wherein the signed firmware manifest is cryptographically bound to the remote access controller based on the remote access controller generating the private keypair used to sign the manifest.
  6. 6 . The IHS of claim 1 , wherein the first hardware component comprises a hardware accelerator and wherein the requested firmware update switches a mode of operation by the hardware accelerator.
  7. 7 . The IHS of claim 1 , wherein the firmware manifest comprises a mapping of boundaries of the delineated sets of firmware within the firmware image, and wherein the delineated sets of firmware within the firmware image enable different modes of operations by the first hardware component.
  8. 8 . The IHS of claim 1 , wherein the consistency of the requested firmware update with the loaded firmware is determined based on whether a size of the requested firmware update is consistent with one or more sizes of the mapped boundaries of the delineated sets of firmware within the firmware image.
  9. 9 . The IHS of claim 8 , wherein the requested firmware update comprises an update to a portion of the firmware image stored within a mapped firmware boundary specified in the firmware manifest, and wherein the update to the mapped firmware boundary of the firmware image enables or disables a feature of the first hardware component.
  10. 10 . The IHS of claim 1 , wherein prevent use of the requested firmware update comprises deletion of the firmware update by the remote access controller without transmitting any portion of the firmware update to the first hardware component.
  11. 11 . A method for preventing nonsecure updates to firmware of a hardware component of an Information Handling System (IHS), wherein the firmware updates are managed by a remote access controller of the IHS that provides management of the hardware component by administrative tools remote from the IHS, the method comprising: during factory provisioning of the IHS, signing a manifest of instructions within a firmware image loaded for operation by the hardware component of the IHS and storing the signed firmware manifest to the IHS, wherein the firmware manifest specifies two or more delineated sets of firmware instructions within the firmware image, each delineated set of firmware instructions defined by one or more boundaries within the firmware image, and wherein the signed firmware manifest comprises a mapping of different firmware versions that can be assembled from the delineated sets of firmware instructions located in the boundaries of the firmware image; upon deployment of the IHS and during an interval when the IHS does not have access to external networks: receiving a request to update firmware used to operate the hardware component; in response to the firmware update request, retrieving the signed manifest of loaded firmware that was stored to the IHS during factory provisioning of the IHS; based on the firmware manifest, determining whether the received firmware update request is consistent with the one or more boundaries of the firmware image that is loaded for operation by the hardware component; when the received firmware update request is consistent with the loaded firmware: assembling the requested firmware update from a plurality of the delineated sets of firmware instructions located in the boundaries of the firmware image, replacing at least a portion of the loaded firmware with the assembled requested firmware update, updating the manifest to specify updated firmware boundaries that specify storage locations for updated firmware instructions in the assembled requested update, and signing the updated firmware manifest; and when the received firmware update request is not consistent with the loaded firmware, preventing use of the requested firmware update.
  12. 12 . The method of claim 11 , wherein the consistency of the firmware update with the loaded firmware is determined based on whether a size of the firmware update is consistent with a size of the firmware image stored by the hardware component.
  13. 13 . The method of claim 12 , wherein the hardware component comprises a hardware accelerator and wherein the requested firmware update switches a mode of operation by the hardware accelerator.
  14. 14 . The method of claim 11 , wherein the hardware component is provisioned with a link that indicates a location of the signed firmware manifest in a secure storage of the IHS.
  15. 15 . The method of claim 12 , wherein the consistency of the requested firmware update with the loaded firmware is further determined based on whether a size of the firmware update is consistent with one or more sizes of the mapped firmware boundaries within the firmware image.
  16. 16 . A system comprising: a hardware component of an Information Handling System (IHS), wherein operations of the hardware component may be adapted based on updates to firmware utilized by the hardware component; and a remote access controller installed on a motherboard of the IHS and supporting remote management of the hardware component by tools that are remote from the IHS, the remote access controller comprising a logic unit and a memory device having instructions stored thereon that, upon execution by the logic unit, cause the remote access controller to: during factory provisioning of the IHS, sign a firmware manifest of two or more delineated sets of firmware instructions within a firmware image loaded for operation by the hardware component and store the signed firmware manifest to the IHS, wherein each delineated set of firmware instructions is defined by one or more boundaries within the firmware image, and wherein the signed firmware manifest comprises a mapping of different firmware versions that can be assembled from the delineated sets of firmware instructions located in the boundaries of the firmware image; upon deployment of the IHS and while the IHS is unable to connect to any external networks, receive a request to update firmware used to operate the hardware component; in response to the request to update firmware and while the IHS is unable to connect to any external networks, retrieve the signed firmware manifest; based on the firmware manifest and while the IHS is unable to connect to any external networks, determine whether the request to update firmware is consistent with the one or more boundaries of the firmware image that is loaded for operation by the hardware component; when the request to update firmware is consistent with the loaded firmware: assemble the requested firmware update from a plurality of the delineated sets of firmware instructions located in the boundaries of the firmware image, replace at least a portion of the firmware loaded during the factory provisioning of the IHS with the assembled requested firmware update, update the manifest to specify updated firmware boundaries that specify storage locations for updated firmware instructions in the assembled requested update, and sign the updated firmware manifest; and when the request to update firmware is not consistent with the loaded firmware, prevent use of the requested firmware update.
  17. 17 . The system of claim 16 , wherein the consistency of the received firmware update request with the loaded firmware is evaluated during an interval where the IHS does not have access to any external networks that can be used to interface with a certificate authority that can validate authenticity of the requested firmware update.
  18. 18 . The system of claim 16 , wherein the consistency of the received firmware update request with the loaded firmware is determined based on whether a size of the requested firmware update is consistent with a size of the firmware image stored by the hardware component.
  19. 19 . The system of claim 16 , wherein the firmware manifest is signed by the remote access controller using a private keypair generated by the remote access controller.
  20. 20 . The system of claim 16 , wherein the preventing of the use of the firmware update comprises deletion of the firmware update by the remote access controller without transmitting any portion of the firmware update to the hardware component.

Description

FIELD The present disclosure relates generally to Information Handling Systems (IHSs), and relates more particularly to managing firmware used by IHSs. BACKGROUND As the value and use of information continues to increase, individuals and businesses seek additional ways to process and store information. One option available to users is Information Handling Systems (IHSs). An IHS generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes thereby allowing users to take advantage of the value of the information. Because technology and information handling needs and requirements vary between different users or applications, IHSs may also vary regarding what information is handled, how the information is handled, how much information is processed, stored, or communicated, and how quickly and efficiently the information may be processed, stored, or communicated. The variations in IHSs allow for IHSs to be general or configured for a specific user or specific use such as financial transaction processing, airline reservations, enterprise data storage, or global communications. In addition, IHSs may include a variety of hardware and software components that may be configured to process, store, and communicate information and may include one or more computer systems, data storage systems, and networking systems. Various hardware components of an IHS may operate using firmware instructions. From time to time, it is expected that firmware utilized by hardware components of an IHS may be updated. Such firmware updates may be made in order to modify the capabilities of a particular hardware component, such as to address security vulnerabilities or to adapt the operations of the hardware component to a specific computing task. When firmware updates are made to a hardware component of an IHS, it is preferable that the IHS experience no downtime and with minimal degradation in the performance of the IHS. In addition, presented firmware updates must be authenticated in order to prevent loading of malicious firmware instructions and thus compromising the operation of hardware components of an IHS. SUMMARY In various embodiments, IHSs may include: one or more CPUs utilizing one or more buses that connect to a plurality of hardware components of the IHS; a remote access controller supporting remote management of the Information Handling System (IHS), the remote access controller comprising a logic unit and a memory device having instructions stored thereon that, upon execution by the logic unit, cause the remote access controller to: during factory provisioning of the IHS, digitally sign a manifest of firmware loaded for operation by a first of the hardware components of the IHS and store the digitally signed firmware manifest to the IHS; upon deployment of the IHS, receive an update to firmware used to operate the first hardware component; in response to the receipt of the firmware update, retrieve the digitally signed manifest of loaded firmware; based on the firmware manifest, determine whether the received firmware update is compatible with the firmware loaded for operation by the first hardware component during the factory provisioning of the IHS; when the received firmware update is compatible with the loaded firmware, replace at least a portion of the firmware loaded during the factory provisioning of the IHS with the firmware update and digitally sign an updated firmware manifest to reflect availability of the firmware update for use by the first hardware component; and when the received firmware update is not compatible with the loaded firmware, prevent use of the received firmware update. In some IHS embodiments, the firmware update is received and the firmware manifest is used to evaluate the compatibility of the firmware update with the loaded firmware during an interval where the IHS does not have access to any external networks. In some IHS embodiments, the firmware manifest identifies a firmware image stored by first hardware component and wherein the compatibility of the firmware update with the loaded firmware is determined based on whether the firmware update is consistent with the firmware image stored by the first hardware component. In some IHS embodiments, the firmware manifest is digitally signed by the remote access controller using a private keypair of the remote access controller. In some IHS embodiments, the signed firmware manifest is cryptographically bound to the remote access controller. In some IHS embodiments, the firmware manifest comprises a plurality of digital signatures corresponding to the firmware that is loaded for operation by the first hardware component during the factory provisioning of the IHS. In some IHS embodiments, the firmware manifest comprises a mapping of firmware boundaries within the firmware image. In some IHS embodiments, the compatibility of the firmware update with the loaded firmware is further determined ba