
Next-generation BIOS boasts network, security features

Jun 1, 2004 — by LinuxDevices Staff — from the LinuxDevices Archive

Phoenix Technology today launched a family of next-generation BIOS firmware aimed at increasing the security and manageability of PCs, notebooks, servers, embedded devices, and the networks that connect them. The company also launched a pre-boot environment, firmware development tools, and key application components providing advanced device-based authentication and encryption features.

Phoenix is demonstrating its next-generation BIOS products — which it calls “TrustedCore” — for the first time at the main hall and in the Linux Pavilion at the Computex 2004 trade event in Taipei, Taiwan, this week.

Phoenix began supplying TrustedCore firmware to notebook manufacturers several months ago, but is now launching the product family in earnest and will soon offer it in separate versions for notebooks, desktops, servers, and embedded systems (outlined below).

As indicated in the diagram at the left, TrustedCore includes the system's initialization and management firmware (including the code that interfaces with the hardware), but also provides a “pre-boot” environment in which various applications can run without requiring the presence of an operating system.

Phoenix calls this class of firmware and applications “Core System Software” (CSS), a term which it hopes will catch on for all pre-boot software.

Security a key focus

A key function of Phoenix's new TrustedCore software components is to enable “built-in device authentication,” according to Phoenix, that creates a “'chain of trust' architecture that integrates with popular enterprise standards for network system management and security.”

Security functions provided by TrustedCore firmware enable administrators to optionally assign unique IDs, or keys, to systems in their networks. These keys are stored in “StrongROM,” a kind of secure flash memory storage system. Device keys can then be used to “transparently” authenticate the system to the network, or to applications, according to Phoenix, or to encrypt data using public key cryptography.

Phoenix says it partnered with Verisign on its Public Key Infrastructure (PKI) implementation, and plans to certify TrustedCore to FIPS 140 security requirements for cryptographic modules.

Other features

TrustedCore firmware additionally provides a secure, console-managed environment supporting system recovery applications from Phoenix and certified third-party providers. Such applications can be launched from the pre-boot environment in the event of a system failure or security breach, and be used to recover the system.

TrustedCore also provides a mechanism for digitally signed installation of firmware updates, such as virus fingerprint or other security update information.

Multiple versions

The notebook, desktop, server, and embedded versions of TrustedCore are differentiated primarily by the system recovery and other applications that each supports. Phoenix describes the different versions thus:

  • TrustedCore Server — Supports Intelligent Platform Management Interface (IPMI) 2.0 remote server management in Windows, Linux, and heterogeneous environments. Enhanced scalability, asset management, and reliability features support volume servers, as well as blade, cluster, and grid computing models.
  • TrustedCore Embedded — Supports cost-effective embedded platforms, chipsets, and operating environments supporting a wide range of special purpose x86 architecture OEM designs. Offers extensive system boot options, supporting local and network boot capabilities.
  • TrustedCore Desktop — Supports new technologies including PCI-Express and PCI 3.0. A modular design provides value-add opportunities for branded system builders and reseller channels.
  • TrustedCore Notebook — Supports mobile computing requirements such as optimized power management capabilities for notebook, sub-notebook, and tablet PCs. Also supports the Absolute TheftGuard asset tracking service.

Other CSS products

Along with the TrustedCore platform and pre-boot software architecture, Phoenix has also introduced . . .

  • TrustedCore firmware development tool — “CoreArchitect” is a firmware development tool for Phoenix ODM and OEM partners developing TrustedCore firmware and pre-boot applications. Phoenix claims CoreArchitect is the first firmware development environment integrated with Microsoft Visual Studio .NET. A spokesperson said Phoenix expects CoreArchitect to bring increased productivity to firmware developers long limited by command-line-only tools. CoreArchitect was first launched on March 1, 2004.
  • TrustConnection Crypto services — “TrustConnection” is a Crypto Service Provider (CSP) application that installs as a Windows DLL using an installation wizard. It provides additional secure links into Microsoft Windows operating systems and application environments, according to Phoenix. TrustConnector can be used with or without TrustedCore BIOS firmware. It has been licensed by SafeNet for use in the High Assurance Client (HAC) that ships with its suite of virtual private networking (VPN) IP (intellectual property).
  • Console for system recovery — Phoenix's CSS products also include recovery products, including an interesting one based on embedded Linux. The “Console” recovery firmware can boot a crippled machine into a pre-boot environment based on embedded Linux — sort of like having a built-in Linux recovery CD. Console makes SMI calls into BIOS, and runs independently of it, enabling it to run on any PC, regardless of firmware version, according to Phoenix.

Windows-only, no; X86-only, yes

“The biggest vulnerability today is to Windows-based infrastructure, however our specific technology is not tied to Windows,” a Phoenix spokesperson said. Phoenix plans later this summer to have security-related application software that will run on the various distributions of Linux.

Clearly, in order to fulfill its ambitious vision of network- and security-aware BIOS firmware, the company will need to drive its TrustedCore technology into a range of embedded Linux devices, including switches, routers, wireless access points, network servers, VoIP systems, thin-client devices, and more. One possible limiting factor could be the lack of support for non-x86 architectures. Phoenix pioneered the x86 BIOS in 1979, and has cleaved to the architecture ever since.

Phoenix spokespeople stated that they believe the use of x86 to be growing in embedded systems. This may be true in simple terms, but a recent LinuxDevices.com reader survey suggested that ARM and other commonly embedded architectures may be overtaking x86 as a percentage of total embedded Linux projects.

Early adopters

One early TrustedCore customer, Japanese networking giant NTT, uses the technology in its SecureAccess product, which it markets to security-conscious organizations such as governments and enterprises. Other Phoenix partners supporting TrustedCore products include notebook OEM Compal and integrated services provider Arima.

“Until now firmware has been designed as if the system is standalone. Phoenix cME TrustedCore delivers a solution that integrates devices into network computing environments,” said Phoenix Sr. VP of Marketing Michael Goldgof. “Phoenix partners throughout the value chain - systems integrators, OEMs and ODMs — can now deliver business solutions with built-in security and management capabilities that integrate with enterprise security policy and management systems.”

Intel's next-generation BIOS effort

Another BIOS firmware technology billed as “next-generation,” Intel's EFI is not limited to the x86 architecture. Intel today announced that it would open source EFI in an effort to drive adoption.


 
This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc. Please visit LinuxToday.com for up-to-date news and articles about Linux and open source.


