AEGIS modifies the boot process shown in figure 2 by dividing the BIOS into two logical sections. The first section contains the bare essentials needed for integrity verification and recovery. Coupled with the AEGIS ROM, it comprises the ``trusted software''. The second section contains the remainder of the BIOS.
The first section executes and performs the standard checksum calculation over its address space in order to protect against ROM failures. Following successful completion of the checksum, the cryptographic hash of the second section is computed and verified against a stored signature. If the signature is valid, control is passed to the second section, i.e., Level 1.
The second section proceeds normally with one change. Prior to executing an expansion ROM, a cryptographic hash is computed and verified against a stored digital signature for the expansion code. If the signature is valid, then control is passed to the expansion ROM. Once the verification of each expansion ROM is complete (Level 2), the BIOS passes control to the operating system bootstrap code. The bootstrap code was previously verified as part of the BIOS, and thus no further verification is required. The bootstrap code finds the bootable device and verifies the boot block.
Assuming that the boot block is verified successfully, control is passed to it (Level 3). If a secondary boot block is required, then it is verified by the primary block before passing control to it. Finally, the kernel is verified by the last boot block in the chain before passing control to it (Level 4).
Any integrity failures identified in the above process are recovered either through storage on the expansion ROM card, or through a network host. If the component that fails its integrity check is a portion of the BIOS, then it must be recovered from the ROM card. The recovery process is a simple memory copy from the address space of the ROM card to the memory address of the failed component, in effect shadowing the failed component.
A failure beyond the BIOS causes the system to boot into a recovery kernel contained on the ROM card. The recovery kernel contacts a ``trusted'' host through a secure protocol, e.g., IPv6 [1], to recover a verified copy of the failed component. The failed component is then replaced and the system is restarted.
The resultant AEGIS boot process is shown in figure 3. Note that when the boot process enters the recovery procedure it becomes isomorphic to a secure network boot.
Figure 3: AEGIS boot control flow