Patents by Inventor Timothy Andrew Lewis

Timothy Andrew Lewis has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20190138377
    Abstract: A system and method for sending RESTful commands to UEFI firmware using UEFI variable services is discussed. Processed RESTful commands return data in a RESTful format.
    Type: Application
    Filed: October 31, 2018
    Publication date: May 9, 2019
    Inventor: Timothy Andrew Lewis
  • Publication number: 20190129631
    Abstract: A system and method for dynamically sizing system memory for a computing device using firmware and NVDIMMs is discussed. Additionally, techniques for allocating between system memory and non-volatile storage on one or more NVDIMMs are discussed.
    Type: Application
    Filed: October 26, 2018
    Publication date: May 2, 2019
    Applicant: Insyde Software Corp.
    Inventor: Timothy Andrew Lewis
  • Publication number: 20190080092
    Abstract: A mechanism for securing a series of related function calls for firmware services using session tokens is discussed.
    Type: Application
    Filed: September 13, 2018
    Publication date: March 14, 2019
    Inventor: Timothy Andrew Lewis
  • Patent number: 10120701
    Abstract: Mechanisms for moving data between different operating systems in a dual OS computing device are discussed. More particularly, embodiments of the present invention utilize the clipboard facilities supported by the operating systems, along with firmware and helper software in each OS, to move data back and forth when switching between an active and inactive operating system. The clipboard contents are preserved in non-volatile storage that is not lost across the sleep-state transitions used to switch operating systems. Helper software analyzes the clipboard contents being copied and converts them into a format recognized by the current operating system and its applications.
    Type: Grant
    Filed: December 4, 2014
    Date of Patent: November 6, 2018
    Assignee: Insyde Software Corp.
    Inventor: Timothy Andrew Lewis
  • Patent number: 10007552
    Abstract: A mechanism for making more memory available in a computing device featuring dual operating systems uses the device firmware to save the contents of overlapped memory locations being used by the operating systems to non-volatile storage when switching operating systems while speeding up the switching process.
    Type: Grant
    Filed: October 22, 2014
    Date of Patent: June 26, 2018
    Assignee: Insyde Software Corp.
    Inventors: Timothy Andrew Lewis, Mike Su, Jeremy Wang
  • Patent number: 9881162
    Abstract: A mechanism for automatically enrolling option ROMs into the system security database used for a UEFI Secure Boot is discussed. A request is received by a computing device to auto-enroll one or more option ROMs for one or more respective devices on the next boot of the system. Upon receiving the request, a flag or other type of indicator indicative of an auto-enroll status is changed to an active mode. The indicator is stored in non-volatile memory and may be stored as a UEFI Authenticated Variable. Following the changing of the indicator, the system is either reset or shut down. During the next boot only, after identifying the indicator indicative of an active mode auto-enroll status, the signatures for the option ROMs of all discovered devices whose signatures do not exist in the system security database are calculated (hashed) and added to the UEFI Secure Boot database without user interaction.
    Type: Grant
    Filed: September 12, 2014
    Date of Patent: January 30, 2018
    Assignee: Insyde Software Corp.
    Inventor: Timothy Andrew Lewis
  • Patent number: 9842214
    Abstract: A technique for securing on-board bus transactions in a computing device is discussed. A shared key is generated and then programmed into the read-only non-volatile write-once storage of two on-board components. The shared key may be generated during the manufacturing process. Once complete, all transactions between the two on-board components are encrypted by the components using the shared key without exposing the key on any external bus.
    Type: Grant
    Filed: September 10, 2014
    Date of Patent: December 12, 2017
    Assignee: Insyde Software Corp.
    Inventor: Timothy Andrew Lewis
  • Patent number: 9734100
    Abstract: A mechanism for reducing the cost of providing network-based remote platform management by allowing system firmware to communicate with a remote platform administrator or process by sharing a NIC that is also used for normal network traffic is discussed. The dual use of the NIC reduces the cost of remote platform management by removing the need for a secondary controller or CPU core on the computing device that is dedicated to remote management tasks. Additionally, performance in the computing device improves as a byproduct of a CPU core or thread not being dedicated to the management task and instead being available for handling of other tasks.
    Type: Grant
    Filed: March 11, 2014
    Date of Patent: August 15, 2017
    Assignee: Insyde Software Corp.
    Inventor: Timothy Andrew Lewis
  • Patent number: 9660807
    Abstract: A mechanism for certifying that an operating system-based application has authorization to change a UEFI authenticated variable held in the system firmware is discussed. Embodiments of the present invention receive with the system firmware a request from an operating system-based application to change a UEFI authenticated variable. The request includes an authentication descriptor header with a timestamp and pre-determined GUID. The request also includes a hash calculated using a password known to the firmware. The system firmware certifies that the caller has authorization to change an authenticated variable by first verifying the information in the header and then creating a new hash using the password. The new hash is compared to the received hash and must match in order for the system firmware to allow the alteration of the UEFI authenticated variable. In one embodiment, the password is the system firmware password.
    Type: Grant
    Filed: September 22, 2014
    Date of Patent: May 23, 2017
    Assignee: INSYDE SOFTWARE CORP.
    Inventor: Timothy Andrew Lewis
  • Patent number: 9627081
    Abstract: Upon initialization or startup of an electronic device, the device checks a predetermined section of non-volatile memory, referred to as the signature byte or lock byte, and allows either the manufacturing mode which allows for installation of the final or production version of firmware to be loaded into non-volatile memory, or the production mode which write-protects certain portions of non-volatile memory before giving operating control of the electronic device to another program, for example, an operating system. By only allowing execution of operating system or other executable code after write-protecting certain portions of non-volatile memory, system security, integrity, and robustness are substantially increased.
    Type: Grant
    Filed: October 5, 2007
    Date of Patent: April 18, 2017
    Assignee: KINGLITE HOLDINGS INC.
    Inventor: Timothy Andrew Lewis
  • Patent number: 9535712
    Abstract: Embodiments of the present invention store data in read-protected storage for use by firmware and then transfer the data or data related to that stored data into a secure execution environment for use during normal platform operation. The read-protected storage is readable only between a time period after platform reset but before the read-protected storage is locked prior to the operating system being loaded. This read-protected storage is locked prior to executing any untrusted code in normal system memory so that the data in the read-protected storage is not exposed to malicious code execution.
    Type: Grant
    Filed: December 4, 2014
    Date of Patent: January 3, 2017
    Assignee: Insyde Software Corp.
    Inventor: Timothy Andrew Lewis
  • Patent number: 9298524
    Abstract: A system firmware agent providing the capabilities of a Baseboard Management Controller (BMC) from within System Management Mode (SMM) is discussed. A virtual BMC provides dedicated communication channels for system firmware, other BMCs in the platform and remote management agents. The virtual BMC may monitor the status of the system, record system events, and control the system state.
    Type: Grant
    Filed: March 21, 2014
    Date of Patent: March 29, 2016
    Assignee: Insyde Software Corp.
    Inventor: Timothy Andrew Lewis
  • Publication number: 20150160881
    Abstract: Mechanisms for moving data between different operating systems in a dual OS computing device are discussed. More particularly, embodiments of the present invention utilize the clipboard facilities supported by the operating systems, along with firmware and helper software in each OS, to move data back and forth when switching between an active and inactive operating system. The clipboard contents are preserved in non-volatile storage that is not lost across the sleep-state transitions used to switch operating systems. Helper software analyzes the clipboard contents being copied and converts them into a format recognized by the current operating system and its applications.
    Type: Application
    Filed: December 4, 2014
    Publication date: June 11, 2015
    Inventor: Timothy Andrew LEWIS
  • Publication number: 20150154031
    Abstract: Embodiments of the present invention store data in read-protected storage for use by firmware and then transfer the data or data related to that stored data into a secure execution environment for use during normal platform operation. The read-protected storage is readable only between a time period after platform reset but before the read-protected storage is locked prior to the operating system being loaded. This read-protected storage is locked prior to executing any untrusted code in normal system memory so that the data in the read-protected storage is not exposed to malicious code execution.
    Type: Application
    Filed: December 4, 2014
    Publication date: June 4, 2015
    Inventor: Timothy Andrew LEWIS
  • Publication number: 20150143089
    Abstract: Mechanisms for providing enhanced system performance and reliability on multi-core computing devices are discussed. Embodiments use modified hardware and/or software so that when a System Management Interrupt (SMI#) is generated, only a single targeted CPU core enters System Management Mode (SMM) in response to the SMI while the remaining CPU cores continue operating in normal mode. Further, a multi-threaded SMM environment and mutual exclusion objects (mutexes) may allow guarding of key hardware resources and software data structures to enable individual CPU cores among the remaining CPU cores to subsequently also enter SMM in response to a different SMI while the originally selected CPU core is still in SMM.
    Type: Application
    Filed: November 20, 2014
    Publication date: May 21, 2015
    Inventors: Timothy Andrew LEWIS, Kevin Dale DAVIS
  • Publication number: 20150113257
    Abstract: A mechanism for making more memory available in a computing device featuring dual operating systems uses the device firmware to save the contents of overlapped memory locations being used by the operating systems to non-volatile storage when switching operating systems while speeding up the switching process.
    Type: Application
    Filed: October 22, 2014
    Publication date: April 23, 2015
    Inventors: Timothy Andrew LEWIS, Mike SU, Jeremy WANG
  • Publication number: 20150089238
    Abstract: A mechanism for certifying that an operating system-based application has authorization to change a UEFI authenticated variable held in the system firmware is discussed. Embodiments of the present invention receive with the system firmware a request from an operating system-based application to change a UEFI authenticated variable. The request includes an authentication descriptor header with a timestamp and pre-determined GUID. The request also includes a hash calculated using a password known to the firmware. The system firmware certifies that the caller has authorization to change an authenticated variable by first verifying the information in the header and then creating a new hash using the password. The new hash is compared to the received hash and must match in order for the system firmware to allow the alteration of the UEFI authenticated variable. In one embodiment, the password is the system firmware password.
    Type: Application
    Filed: September 22, 2014
    Publication date: March 26, 2015
    Inventor: Timothy Andrew LEWIS
  • Publication number: 20150081684
    Abstract: A technique for sharing an application between devices is discussed. Embodiments of the present invention transmit information about an application from a source computing device to a target computing device. An application sharing service on the target computing device then automatically searches the target computing device for a resident corresponding application or its equivalent and if a corresponding application is not found, searches an application store or repository for the corresponding application. If the application or its equivalent is found in the application store or repository, a user may be prompted to download the application or the application may be downloaded automatically. If the corresponding application was found on the target computing device originally, a check may be performed to determine if the most recent update is installed and, if the most recent version is not installed, it may be downloaded from the application store.
    Type: Application
    Filed: September 16, 2014
    Publication date: March 19, 2015
    Inventor: Timothy Andrew LEWIS
  • Publication number: 20150074387
    Abstract: A mechanism for automatically enrolling option ROMs into the system security database used for a UEFI Secure Boot is discussed. A request is received by a computing device to auto-enroll one or more option ROMs for one or more respective devices on the next boot of the system. Upon receiving the request, a flag or other type of indicator indicative of an auto-enroll status is changed to an active mode. The indicator is stored in non-volatile memory and may be stored as a UEFI Authenticated Variable. Following the changing of the indicator, the system is either reset or shut down. During the next boot only, after identifying the indicator indicative of an active mode auto-enroll status, the signatures for the option ROMs of all discovered devices whose signatures do not exist in the system security database are calculated (hashed) and added to the UEFI Secure Boot database without user interaction.
    Type: Application
    Filed: September 12, 2014
    Publication date: March 12, 2015
    Inventor: Timothy Andrew LEWIS
  • Publication number: 20150074427
    Abstract: A technique for securing on-board bus transactions in a computing device is discussed. A shared key is generated and then programmed into the read-only non-volatile write-once storage of two on-board components. The shared key may be generated during the manufacturing process. Once complete, all transactions between the two on-board components are encrypted by the components using the shared key without exposing the key on any external bus.
    Type: Application
    Filed: September 10, 2014
    Publication date: March 12, 2015
    Inventor: Timothy Andrew LEWIS