Search

US-12625970-B2 - Providing bios features in a pre-boot environment for a client computer system

US12625970B2US 12625970 B2US12625970 B2US 12625970B2US-12625970-B2

Abstract

A Method And System For Providing Secure And Customized Bios Features Via Execution Requests In A Pre-boot Environment For A Client Computer System. The Bios Features Are Provided To The Client Computer System Utilizing Signed Certificates For Verifying A Command And Control Client As Validated Firmware, Verifying Enrollment Of The Command And Control Client And Verifying Execution Requests Prior To Execution Of Processes In The Execution Request. The Execution Of The Processes Results In The Customized Bios Features For The Client Computer System.

Inventors

  • Ken Taylor

Assignees

  • PHOENIX TECHNOLOGIES EMEA LIMITED

Dates

Publication Date
20260512
Application Date
20230307

Claims (20)

  1. 1 . A non-transitory machine-readable storage medium storing one or more sequences of instructions for providing BIOS features in a pre-boot environment for a client computer system, which when executed by one or more processors, cause: authentication of a command and control client with a firmware key to verify the command and control client as validated firmware, the client computer system to be returned to a pre-boot environment and to generate a unique system identifier with the command and control client; initiation of an enrollment request for the command and control client, the initiating including transmittal of the unique system identifier to an administrator server; the administrator server to combine the unique system identifier, an authorized code identifier and an administrator key into an enrollment package; transmittal of the enrollment package to an independent signing server; the enrollment package to be signed with an independent signing server key; and the signed enrollment package to be saved to the hidden boot partition.
  2. 2 . The non-transitory machine-readable storage medium of claim 1 , wherein execution of the one or more sequences of instructions further cause: prior to loading any operating system on the client computer system, to generate a unique session identifier; an execution request, the unique system identifier and the administrator key to be combined to form a signed execution request; the signed execution request to be stored in the hidden boot partition of the client computer system; the signed enrollment package to be authenticated in the hidden boot partition with an enrollment authentication key; upon authenticating the signed enrollment package, the command and control client to receive the signed execution request; the signed execution request to be authenticated with the administrator key with the command and control client; the target of the signed execution request to be authenticated with the code signing key with the command and control client; and upon authentication of the signed enrollment package, the authentication of the signed execution request and the authenticating of the target of the execution request, one or more processes to be executed based on the execution request with the command and control client.
  3. 3 . The non-transitory machine-readable storage medium of claim 2 , wherein execution of the one or more processes further cause: upon completion of the executing the one or more processes, removal of the signed execution request from the hidden boot partition.
  4. 4 . The non-transitory machine-readable storage medium of claim 2 , wherein the firmware key and independent signing server key are private keys.
  5. 5 . The non-transitory machine-readable storage medium of claim 2 , wherein the hidden boot partition is a UEFI boot partition.
  6. 6 . The non-transitory machine-readable storage medium of claim 2 , wherein the enrollment package and the signed execution request include a JSON web token (JWT).
  7. 7 . The non-transitory machine-readable storage medium of claim 2 , wherein authenticating the signed enrollment package includes encrypting the signed enrollment package with the independent signing server key generated by the independent signing server.
  8. 8 . The non-transitory machine-readable storage medium of claim 2 , wherein one or more processes include code to provide drive deletion and/or formatting, code to provide configuration of UEFI, and code to provide boot time authorization.
  9. 9 . The non-transitory machine-readable storage medium of claim 2 , wherein the signed execution request further includes a unique session identifier.
  10. 10 . A method for providing BIOS features in a pre-boot environment for a client computer system, comprising: authenticating a command and control client with a firmware key to verify the command and control client as validated firmware, returning the client computer system to a pre-boot environment and generating a unique system identifier with the command and control client; initiating an enrollment request for the command and control client, the initiating including transmittal of the unique system identifier to an administrator server; combining the unique system identifier, an authorized code identifier and an administrator key into an enrollment package; transmitting the enrollment package to an independent signing server; signing the enrollment package with an independent signing server key; and saving the signed enrollment package to the hidden boot partition.
  11. 11 . The method of claim 10 , further comprising: prior to loading any operating system on the client computer system, generating a unique session identifier; combining an execution request, the unique system identifier and the administrator key to form a signed execution request; storing the signed execution request in the hidden boot partition of the client computer system; authenticating the signed enrollment package in the hidden boot partition with an enrollment authentication key; upon authenticating the signed enrollment package, receiving the signed execution request with the command and control client; authenticating the signed execution request with the administrator key with the command and control client; authenticating the target of the signed execution request with the code signing key with the command and control client; and upon authentication of the signed enrollment package, the authentication of the signed execution request and the authenticating of the target of the execution request, executing one or more processes based on the execution request with the command and control client.
  12. 12 . The method of claim 11 , wherein execution of the one or more sequences of instructions further cause: upon completion of the executing the one or more processes, removing the signed execution request from the hidden boot partition.
  13. 13 . The method of claim 11 , wherein the firmware key and independent signing server key are private keys.
  14. 14 . The method of claim 11 , wherein the hidden boot partition is a UEFI boot partition.
  15. 15 . The method of claim 11 , wherein the enrollment package and the signed execution request include a JSON web token (JWT).
  16. 16 . The method of claim 11 , wherein authenticating the signed enrollment package includes encrypting the signed enrollment package with the independent signing server key generated by the independent signing server.
  17. 17 . The method of claim 11 , wherein one or more processes include code to provide drive deletion and/or formatting, code to provide configuration of UEFI, and code to provide boot time authorization.
  18. 18 . The method of claim 11 , wherein the signed execution request further includes a unique session identifier.
  19. 19 . A computer system configured for providing BIOS features in a pre-boot environment for a client computer system, comprising: a client computer system comprising one or more processors; an administrator server; an independent signing server for enrolling a command and control client; one or more computer-readable storage mediums storing one or more sequences of instructions, which when executed, cause: authentication of the command and control client with a firmware key to verify the command and control client as validated firmware, the client computer system to be returned to a pre-boot environment and to generate a unique system identifier with the command and control client; initiation of an execution request for the command and control client, the initiating including transmittal of the unique system identifier to an administrator server; the administrator server to combine the unique system identifier, an authorized code identifier and an administrator key into an enrollment package; transmittal of the enrollment package to an independent signing server; the enrollment package to be signed with an independent signing server key; and the signed enrollment package to be saved to the hidden boot partition.
  20. 20 . The computer system of claim 19 , wherein execution of the one or more sequences of instructions further cause: prior to loading any operating system on the client computer system, to generate a unique session identifier; an execution request, the unique system identifier and the administrator key to be combined to form a signed execution request; the signed execution request to be stored in the hidden boot partition of the client computer system; the signed enrollment package to be authenticated in the hidden boot partition with an enrollment authentication key; upon authenticating the signed enrollment package, the command and control client to receive the signed execution request; upon authentication of the signed enrollment package, the authentication of the signed execution request and the authenticating of the target of the execution request, the signed execution request to be authenticated with the administrator key with the command and control client; the target of the signed execution request to be authenticated with the code signing key with the command and control client; and one or more processes to be executed based on the execution request with the command and control client.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS This application claims priority to U.S. Ser. No. 63/317,139, entitled “PHOENIX LAUNCHER” filed Mar. 7, 2022, the disclosure of which is incorporated herein by reference in its entirety. FIELD OF THE INVENTION Embodiments of the invention relate to providing BIOS features in a pre-boot environment for a client computer system. BACKGROUND OF THE INVENTION When a computer is powered on, the computer undergoes an initial set of operations to configure the hardware and software of the computer. This process is known as the boot process. BIOS code may execute prior to the initialization of an operating system (OS) of the information handling system. A Unified Extensible Firmware Interface (UEFI) standard has been developed by the Unified EFI Forum industry group to enhance the booting process of modern computer systems. However, not all problems in the boot process have been addressed by the UEFI standard and/or current techniques of the art. Known basic input/output system (BIOS) have either limited features or features that are not easily changed. Likewise, system administrators lack the ability to administer features of BIOS or UEFI for their client systems. In addition, there are significant security concerns regarding placing and executing code in BIOS. In addition, network access within BIOS environment is problematic and dependent on, among other things, whether or not the required network drivers are installed by the OEM. It is to be noted that various terms discussed herein (e.g., Secure Boot, etc.) are described, for example, in the UEFI Specification version 2.9, which was released in March 2021 (hereinafter, UEFI Specification), which is hereby incorporated by reference in its entirety. One of ordinary skill in the art with the benefit of this disclosure will understand its applicability to other specifications (e.g., prior or successor versions of the UEFI Specification). Further, some embodiments may be applicable to different technologies other than UEFI. What is needed is ability to provide BIOS features in a pre-boot environment that is secure and provides flexibility for administrators over an enterprise system. Other features and advantages will be made apparent from the present specification. The teachings disclosed extend to those embodiments that fall within the scope of the claims, regardless of whether they accomplish one or more of the aforementioned needs. SUMMARY OF THE INVENTION Embodiments of the present invention include a method and system for providing secure and customized BIOS features via execution requests in a pre-boot environment for a client computer system. The BIOS features are provided to the client computer system utilizing signed certificates for verifying a command and control client as validated firmware, verifying enrollment of the command and control client and verifying execution requests prior to execution of processes in the execution request. The execution of the processes results in the customized BIOS features for the client computer system. One embodiment of the present invention includes, a non-transitory machine-readable storage medium storing one or more sequences of instructions for providing BIOS features in a pre-boot environment for a client computer system, which when executed by one or more processors, cause, authentication of a command and control client with a firmware key to verify the command and control client as validated firmware. The client computer system is caused to be returned to a pre-boot environment and to generate a unique system identifier with the command and control client. The instructions further cause initiation of an enrollment request for the command and control client. The initiating includes transmittal of the unique system identifier to an administrator server. The administrator server is caused to combine the unique system identifier, an authorized code identifier and an administrator key into an enrollment package. Transmittal is caused of the enrollment package to an independent signing server. The instructions further cause the enrollment package to be signed with an independent signing server key and the signed enrollment package is caused to be saved to the hidden boot partition. Another embodiment of the present invention includes, a non-transitory machine-readable storage medium storing one or more sequences of instructions for providing BIOS features in a pre-boot environment for a client computer system, which when executed by one or more processors, cause, prior to loading any operating system on the client computer system, to generate a unique session identifier. The instructions further cause an execution request, the unique system identifier and the administrator key to be combined to form a signed execution request. The signed execution request is caused to be stored in the hidden boot partition of the client computer system. The signed enrollment package is caused to