CPC G06F 21/73 (2013.01) [G06F 21/33 (2013.01); G06F 21/572 (2013.01); G06F 21/602 (2013.01); G06F 21/604 (2013.01)] | 21 Claims
1. A system comprising:
one or more processors to process data;
hardware including a hardware RoT (root of trust), wherein the hardware RoT includes:
fuses to establish original credentials of the system, the original credentials including a chipset key and a certificate issued by a vendor certificate authority (CA), and
a read-only memory (ROM) to derive a ROM CA private key based at least in part on the chipset key and to derive a public key based at least in part on the ROM CA private key; and
firmware including a firmware TCB (trusted computing base), the firmware having credentials including one or more certificates and one or more keys;
wherein the one or more processors are to:
determine that the firmware TCB is compromised and that the hardware RoT is intact;
issue new credentials by the hardware RoT for the firmware, wherein issuing the new credentials for the firmware includes setting a serial number of a firmware certificate to include an application ID of the firmware and a version number or security version number (SVN) of the firmware; and
revoke one or more old versions of the credentials for the firmware; and
wherein the hardware RoT serves as an on-die certificate authority (ODCA), the hardware RoT to issue the new credentials for the firmware without utilizing a connection to a backend server of the vendor.
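As an added illustration, not part of the claim or of any vendor's implementation, the following Go model walks through the flow claim 1 describes: a ROM CA private key derived from the fused chipset key, an on-die CA issuing a firmware certificate whose serial number carries the application ID and SVN, and a verifier that rejects certificates for revoked older SVNs. The KDF (HMAC-SHA256), the key type (Ed25519), the serial-number bit layout and the self-signed ROM CA certificate are assumptions standing in for details the claim does not specify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// deriveROMCAKey models the ROM deriving the ROM CA private key from the fused chipset
// key. HMAC-SHA256 as the KDF and Ed25519 as the key type are assumptions, not the claim's.
func deriveROMCAKey(chipsetKey []byte) ed25519.PrivateKey {
	m := hmac.New(sha256.New, chipsetKey)
	m.Write([]byte("ROM CA private key"))
	return ed25519.NewKeyFromSeed(m.Sum(nil))
}

// firmwareSerial packs the application ID (high 32 bits) and SVN (low 32 bits) into
// the certificate serial number; this bit layout is an assumed encoding.
func firmwareSerial(appID, svn uint32) *big.Int {
	return new(big.Int).SetUint64(uint64(appID)<<32 | uint64(svn))
}

// issueCert is the on-die CA issuing a certificate with no vendor backend involved. With
// parent == nil it self-signs, which stands in for the ROM CA's own fused certificate.
func issueCert(serial *big.Int, cn string, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey) ([]byte, error) {
	t := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		t.KeyUsage |= x509.KeyUsageCertSign
		parent = t
	}
	return x509.CreateCertificate(rand.Reader, t, parent, pub, key)
}

// verifyFirmwareCert checks the ROM CA signature and rejects SVNs below the revocation floor for the application ID.
func verifyFirmwareCert(der []byte, ca *x509.Certificate, minSVN map[uint32]uint32) bool {
	cert, err := x509.ParseCertificate(der)
	if err != nil || cert.CheckSignatureFrom(ca) != nil {
		return false
	}
	v := cert.SerialNumber.Uint64()
	return uint32(v) >= minSVN[uint32(v>>32)]
}
```

Raising the entry in minSVN for an application ID is the model's equivalent of the hardware RoT revoking the old versions of the firmware credentials: every certificate with a lower SVN stops verifying without contacting any backend.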