JP2015001800A - Method of resuming from sleep state, portable electronic device, and computer program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To resume a computer in a short time while ensuring security of the computer.SOLUTION: A notebook PC10 can perform power on authentication (POA) by using a fingerprint authentication device (FPR) 67 when a password is set. The password is stored in a secure NVRAM 31. When a finger is brought close to a proximity sensor 68 in a sleep mode, a power source is activated, and system firmware uses the password read out from the NVRAM 31 to permit provisional access to a system. In this stage, the provisional access is switched to formal access as it is if authentication by the FPR is successful, but the access is forbidden if it is unsuccessful.

Description

  The present invention relates to a technology for resuming a portable electronic device in a short time while ensuring security, and further relates to a technology for resuming a portable electronic device for which a password is set in a short time.

  A portable electronic device such as a smartphone, a tablet terminal, or a notebook personal computer (notebook PC) can be set with a password for restricting access to the system. A plurality of passwords may be set depending on the access destination configured by hardware or software.

  When an unauthorized access is made by a third party to a portable electronic device, it is common that the system has just transitioned to a power-off state or a sleep state. Therefore, the method in which the system requests a password when resuming is effective for security. While setting a password improves system security, an authentic user finds it cumbersome to enter a password each time he resumes.

  In order to eliminate the complexity of inputting a plurality of passwords, a method called single sign-on (SSO) that is substituted by biometric authentication is known. Patent Document 1 discloses a method for realizing SSO by starting a computer power supply when fingerprint authentication is successful and omitting a password required by the BIOS under predetermined conditions. In this document, BIOS obtains the power-on password, supervisor password, and HDD password stored in the fingerprint authentication device, and obtains the power-on password, supervisor password, and HDD stored in NVRAM. Compared to the HDD password, it is described that the authentication is completed without user intervention.

  Patent Document 2 discloses a method for restarting an OS that can reduce the waiting time of a user while ensuring security when the OS is restarted. In the invention of this document, when the OS is restarted, the authentication module authenticates authentication information input from the authentication information input module in response to a user operation before shutdown. Next, the screen lock release module executes screen lock after logon of the OS after rebooting, acquires authentication information authenticated after screen lock from the authentication module as authentication information for screen lock release, and releases the screen lock. Authenticate.

JP 2010-146048 A JP 2011-141607 A

  During operation, the computer transitions to various power states to reduce power consumption. Windows (registered trademark) 8 employs a power state called Connected Standby. Connected Standby is a power state of S0i3 that is newly added in addition to the power states such as S3 (suspend state), S4 state (hibernation), or S5 (soft off) specified by ACPI (Advanced Configuration and Power Interface). Realized in state.

  In the S0i3 state, the ACPI definition is the S0 state (power-on state), but the CPU transitions to the C10 state in which power consumption is almost zero, and many peripheral devices transition to the stop or power saving state. The power consumption of the system is greatly reduced. In addition, the resume from the S0i3 state is completed in a time of about several hundred milliseconds, which is much shorter than the resume from the S3 state, so that the convenience for the user is hardly impaired.

  Currently, smartphones and tablet terminals employ an architecture that can be resumed in a short time such as S0i3, but it is expected that similar architectures will spread to notebook PCs in the future. By the way, a company requires that a password be set for a notebook PC used by an employee so that a third party cannot gain unauthorized access when starting up or leaving the company.

  If a password is set, the system will prompt for a password each time it resumes from sleep mode, so it cannot be resumed in a short time. For tablet devices and smartphones used for personal purposes, passwords may not be set to enjoy the convenience of resume, but there are security measures when using such portable electronic devices in the business field. It becomes essential.

  When SSO using fingerprint authentication as in Patent Document 1 is used for resume from the sleep state, password input can be omitted, but time is required for fingerprint authentication and interface initialization. Takes about 2 to 3 seconds and cannot be resumed in a short time. SUMMARY OF THE INVENTION An object of the present invention is to provide a method for making a portable electronic device usable from a sleep state in a short time while ensuring the security of the portable electronic device. A further object of the present invention is to provide a method for enabling personal authentication in a portable electronic device such as a smart phone or a tablet terminal while maintaining quick resume. Furthermore, the objective of this invention is providing the portable electronic device and computer program which employ | adopted such a method.

  A portable electronic device according to the present invention includes an authentication device for performing biometric authentication or security token authentication, and makes a transition between a sleep state and a power-on state. The system receives a resume event while transitioning to the sleep state. Allows access to the system in response to resume events. Access is prohibited (locked) when it is determined that authentication by the authentication device has failed after enabling access to the system.

  With the above configuration, when a resume event is generated in the sleep state, access can be performed without authentication, so that quick resume can be realized. On the other hand, it is possible to secure safety by performing authentication by the authentication device in parallel with the access permission and prohibiting the access once permitted if it is determined that the authentication has failed. The failure of authentication includes a case where the user does not perform an authentication act within a certain time.

  The authentication by the authentication device may be either a contact type or a non-contact type as long as the user can do it in a shorter time than the password input. The portable electronic device can be a notebook PC, a tablet terminal, or a smartphone. The portable electronic device can be set with a password required by the system when resuming from the sleep state. The set password is stored in a secure storage area of the portable electronic device, and the system can unlock the password using the stored password when resuming.

  If the system can be accessed before the authentication by the authentication device is successful, the security level is lowered even temporarily. Before the user shifts to the sleep state, the user can set the set password to be valid or invalid according to the use state in consideration of safety and convenience. When the password is set to valid, the system can be accessed after successful authentication by the authentication device. When the password is set to invalid, the stored password is used to unlock and then the authentication device authenticates. By doing so, the user can select a resume method according to the use state to compensate for a decrease in the security level and to ensure convenience.

  The authentication device may be a fingerprint authentication device, and a resume event may be generated when a finger approaching the fingerprint authentication device is detected. In this case, according to the normal procedure for user authentication, a resume event is generated and access is granted immediately, and if the subsequent fingerprint authentication succeeds, the access continues and if it fails, the access continues. Can be locked.

  If the resume event is generated when the casing of the notebook PC is opened, convenience is improved because the user can immediately access the casing when the casing is opened. The sleep state can be a power-on power saving state in which the main processor transitions to an idle state and other devices transition to a halt state or a sleep state. The password at that time can be a password set by the operating system. In this case, even if a password is set, quick resume can be realized while ensuring security by the password in a time that can be resumed when no password is set.

  The sleep state can also be a suspend state in which the main processor is powered down and main memory storage is maintained. The password in this case can be a password set by the system firmware. In order to alleviate the decrease in the security level, when access is enabled, a desktop screen can be displayed, or a screen that does not interfere with viewing by a third party can be displayed. Further, access to a predetermined input / output device can be prohibited.

  According to the present invention, it is possible to provide a method for making a portable electronic device usable from a sleep state in a short time while ensuring the security of the portable electronic device. Furthermore, according to the present invention, it has been possible to provide a method for enabling personal authentication while maintaining quick resume in a portable electronic device such as a smartphone or a tablet terminal. Furthermore, according to the present invention, a portable electronic device and a computer program adopting such a method can be provided.

FIG. 3 is a block diagram illustrating a configuration of main hardware of a notebook PC. It is a state transition diagram showing a power state. It is a block diagram explaining the structure of the main software of a notebook PC. It is a figure explaining the password which secure NVRAM stores. It is a figure explaining the setting menu of DPOA. It is a flowchart which shows the procedure of DPOA. It is a flowchart which shows the procedure which sets a DPOA bit dynamically.

[Overall hardware configuration]
FIG. 1 is a block diagram illustrating a main hardware configuration of the notebook PC 10. FIG. 2 is a state transition diagram for explaining the power state of the notebook PC 10. FIG. 3 is a block diagram illustrating the software configuration of the notebook PC 10. FIG. 4 is a diagram for explaining a password stored in the secure NVRAM 31. The notebook PC 10 is an example of a portable electronic device, and the present invention can also be applied to a tablet terminal or a smartphone. The notebook PC 10 may be a clamshell type that can open and close the display case relative to the system case, or may be a hybrid type that can be used as a tablet terminal by removing the display case from the system case.

  The notebook PC 10 transitions from one of the soft-off state (S5 state), hibernation state (S4 state), and suspend state (S3 state) defined by ACPI as the system power state to the power-on state (S0 state). can do. The hibernation state and the suspend state are called sleep states. In the sleep state, the power of the CPU core 13 is stopped, and when resumed, the power is reset.

  In the power-on state, the CPU core 13 transitions between an active state (C0 state) and an idle state (Cn state) according to the load state. When the system is in the power-on state, the CPU core 13 transitions to the deepest C10 state to reduce power consumption, and returns to the active state in a shorter time than when the power of the CPU core 13 is stopped. can do. Further, in the power-on state, the peripheral device transitions between an active state (D0 state) and a sleep state (D1, D2 state) or a stopped state (D3 state) according to an instruction from the OS. The power-on power saving state (S0ix state) defined in this specification is a power-on state defined by ACPI as a system, but the CPU core 13 is in an idle state and other devices are in a sleep state or a halt state. The power state is transitioning to.

  In the power-on power saving state, the CPU core 13 is in an idle state, and therefore stops operating. In order to use the system, it is necessary to shift at least the CPU core 13 to the active state. The power-on power saving state consumes slightly more power than the suspend state, but the resume time is much shorter. The power-on power saving state can reduce the time from when a resume event is generated until it can be used to about 300 milliseconds.

  In this way, making the CPU core 13 usable from the sleep state in an extremely short time required for the transition from the idle state to the active state is referred to as quick resume. When the password is locked at the time of resume, quick resume means that the lock is released. Since the power-on power saving state is a state in which the system does not operate and power consumption is low, this specification will be described in the sleep state defined by ACPI. Although the sleep state is not particularly limited, the present invention is suitable for a power state in which the resume time is shorter than the suspend state, such as a power-on power saving state.

  Since the present invention does not depend on specific hardware and software configurations, an example of hardware to which the present invention can be applied will be described below. In the CPU package 11, a CPU core 13, a GPU 15, a memory controller 17, a PCIe interface 19, a PCH (Platform Controller Hub) 21, and the like are configured as one package by an MCM (Multi-Chip Module). The PCH 21 includes an RTC memory 22.

  The CPU package 11 typically includes a main memory 23 for storing programs executed by the CPU core 13, a wireless module 24 connected to the WWAN or WLAN, an HDD 25 for storing programs such as the OS 103 and the POA manager 101, an LCD 27, and UEFI. Alternatively, a firmware ROM 29 for storing system firmware 105 such as BIOS, a secure NVRAM 31, an embedded controller (EC) 51, a fingerprint authentication device (FPR) 67, and the like are connected. The FPR 67 is connected to the USB controller of the PCH 21 via USB.

  The OS 103 is, for example, Windows (registered trademark) 8 and supports Connected Standby. Under Connected Standby, the idle CPU core 13 periodically changes to the active state to operate the wireless module 24, and the system acquires the latest communication data even during the power-on power-saving state. it can. The OS 103 includes an authentication module for setting and authenticating a login / password. The OS 103 stores the set login password so that other programs cannot access the HDD 25. The OS 103 supports a power saving technology called Runtime D3 that reduces the power of an idle device when the system is in a power-on state. A device capable of supporting Runtime D3 transitions to a deeper sleep state or stop state than before when the system is powered on.

  In the system firmware 105, when the system resumes from the power-off state, the hibernation state, or the suspend state to the power-on state, the CPU core 13 that has been power-on / reset executes POST (Power On Self Test) And a module for setting and authenticating a power-on password and an HDD password.

  When resuming from the power-on power saving state, POST is not executed because the CPU core 13 is not power-on-reset. The system firmware 105 is stored in a boot block that is write-protected in the firmware ROM 29 so that it cannot be rewritten without special authority, and serves as the basis for platform trust as a CRTM (Core Root of Trust for Measurement). Configure. In the present invention, it is assumed that the system firmware 31 is not tampered.

  Further, the system firmware 105 performs processing related to power-on-delay authentication (DPOA) introduced in the present invention. Here, power on authentication (POA) and DPOA will be described. POA is an authentication such as biometric authentication or token when a system with a power-on password, HDD password, login password, etc. transitions from a power-off state or a sleep state to a power-on state. This is a technology for generating activation events and authenticating instead of passwords.

  When fingerprint authentication is adopted as an example of biometric authentication for POA, a power source related to fingerprint authentication is activated when a finger approaches FPR 67, and the entire power source is activated and power on when fingerprint authentication is successful. Transition to the state. The POA can omit the user's startup operation and password input procedure, so that the user's operation time during resumption can be shortened. However, resuming by POA requires about 2-3 seconds for FPR67 authentication and USB interface initialization, and about 300 milliseconds when a system without a password is resumed from a power-on power-saving state. It cannot be said that this time is sufficiently short.

  On the other hand, DPOA is a technology that realizes quick resume using the mechanism of POA, and the method will be described in detail later. The system firmware 105 displays a setup screen for setting the POA or DPOA by the user at the time of booting, and stores the set state in the RTC memory 22 of the PCH 22. The setup screen can enable / disable the sleep state of the transition source for each of POA and DPOA.

  Either POA or DPOA is set to enable, or both are set to disable. The transition source sleep state is one of a hibernation state, a suspend state, and a power-on power saving state. When the system transitions to the sleep state, the system firmware 105 refers to the setting contents of the RTC memory 22 to enable either POA or DPOA in the register 58 of the EC 51 according to the transition destination sleep state. Or, set whether both are disabled. The system firmware 105 stores the power-on password, the HDD password, and the login password, which are input when setting the POA or DPOA, in the secure NVRAM 31.

  The POA manager 101 is an application program that makes user settings and controls the POA and DPOA. FIG. 5 is a diagram for explaining a DPOA setting menu provided by the POA manager 101. In the DPOA setting menu, a screen lock condition that is a condition for applying DPOA in the power-on power-saving state can be set. The screen lock condition is set when the DPOA is executed only when the screen saver is not displayed in the power-on power saving state and the POA is executed when the screen saver is displayed. The display of the screen saver here corresponds to a state in which a login / password is requested for restoration, and the user forcibly locks the screen to ensure security.

  By setting the screen lock condition, the DPOA bit is dynamically set in the register 59 in accordance with the display state of the screen saver. The procedure will be described with reference to FIG. In the DPOA setting menu, it is also possible to set the display contents and the access range when access is permitted. The screen displayed when access is permitted in DPOA can be a continuation screen during work before transition to the sleep state in order to maintain continuity of work. Alternatively, when safety is given priority, a screen with low confidentiality such as a desktop screen may be used, or a designated screen that is frequently used by a user with low confidentiality such as a conference room reservation screen may be set.

  The user can set to display a desktop screen at a place where others can access, and can set to display a continuation screen when determining that the notebook PC 10 does not leave the monitor. In addition, I / O devices such as the HDD 25, USB device, or wireless module 23 that have a high risk of permitting access without authentication are accessed during the provisional access permission period until it is determined that the authentication is successful. Can be limited. When the HDD 25 is set, programs and data cannot be read from the HDD 25 during temporary access permission.

  When a USB device is set, data cannot be read out by connecting an external USB memory during temporary access permission. When the wireless module 23 is set, it is possible to prevent access from the network during temporary access permission. The DPOA manager 101 can store the setting contents of the DPOA menu in the RTC memory 22 through the system firmware 105.

  The HDD 25 has a deep sleep function defined by SATA, and can stop the rotation of the magnetic disk and reduce power consumption when there is no access from the system in the power-on power-saving state. The HDD 25 can set the HDD password received from the system firmware 105. The set HDD password is stored in a secure area of the magnetic disk.

  The HDD 25 in which the HDD password is set locks access from the system unless it receives the HDD password from the system firmware 105. As shown in FIG. 4, the secure NVRAM 31 is a non-volatile memory that stores a power-on password, an HDD password, and a login password set by the system firmware 105. The secure NVRAM 31 further stores a screen lock bit.

  The user can display a screen saver by operating a predetermined key of the keyboard 69 in the power-on state. The POA manager 101 sets the screen lock bit in the secure NVRAM 31 through the system firmware 105 when the screen lock condition is set in the RTC memory 22 when displaying the screen saver. When the system firmware 105 transfers the control right of the CPU core 13 to the OS 103, the system firmware 105 locks the controller of the PCH 21 and prohibits other programs from accessing the secure NVRAM 31.

  The EC 51 is a microcomputer composed of a CPU 53, a RAM 55, a ROM 57, and the like, and further includes registers 58, 59, and 60. The ROM 57 stores firmware that executes POA and DPOA. Register 58 sets POA or DPOA enable in the current sleep state, and register 59 sets the DPOA bit to execute DPOA according to the screen saver display state when DPOA is enabled The register 60 sets a tamper bit for maintaining the security of the DPOA.

  The system firmware 105 always sets the DPOA bit in the register 59 when DPOA is enabled in the RTC memory 22 and the screen lock condition is not set. The DPOA bit setting procedure when the screen lock condition is set will be described with reference to FIG. An FPR 67, a keyboard 69, a DC / DC converter 61, a lid sensor 63, and a tamper switch 65 are connected to the EC 51.

  The FPR 67 is connected to the EC 51 with a dedicated side band different from the USB interface. The DC / DC converter 61 converts a DC voltage supplied from an AC / DC adapter (not shown) or a battery pack into a plurality of voltages necessary for operating the notebook PC 10, and is further defined according to the power state. Power is supplied to each device based on the power supply category.

  The lid sensor 63 generates a resume event for resuming from the sleep state to the power-on state when the casing of the notebook PC 10 is opened. When the EC 51 receives the resume event, the EC 51 can activate the DC / DC converter 61 to transition the system to the power-on state. A tamper bit is set in the register 60 by the system firmware 105 when a power-on password is input. When the casing of the notebook PC 10 is opened and the tamper switch 65 is operated, or when the battery is removed from the notebook PC 10, the tamper bit of the register 60 is released. When the tamper bit is released, the DPOA may not be implemented because the system may be at risk.

  The FPR 67 is attached to the casing of the notebook PC 10, stores authentic user verification fingerprint data registered in advance as a template, and authenticates the person by comparing the fingerprint characteristics received from the fingerprint sensor with the template. The FPR 67 can notify the EC 51 that the authentication has failed through the side band when executing DPOA. The FPR 67 can notify the authentication result to the PCH 21 through the USB interface when executing POA.

  The FPR 67 includes a proximity sensor 68 that detects a finger approaching the fingerprint sensor to swipe the finger by a change in electric field or capacitance. When the proximity sensor 68 detects the approach of the finger, the FPR 67 sends a resume event to the EC 51 through the side band. The power of the proximity sensor 67 of FPR 67 and the circuit that sends the resume event is maintained even when the system is in the sleep state. The FPR 67 determines that the authentication has failed when the authentication is not successful even after a predetermined time has elapsed since the proximity sensor 67 detected the approach of the finger.

[DPOA execution procedure]
A procedure when the notebook PC 10 executes DPOA will be described with reference to FIG. DPOA is a technique for performing a quick resume in the notebook PC 10 that needs to ensure security. Therefore, the execution of DPOA basically assumes that a password is set in the notebook PC 10 and is not necessarily limited to this.

  In block 201, the notebook PC 10 has transitioned to the sleep state. The sleep state may be any of those described with reference to FIG. 2, but here, the power-on power saving state (S0ix) will be described as an example. When the system firmware 105 transitions to the sleep state, the system firmware 105 refers to the RTC memory 22 and sets either POA or DPOA in the register 58 to be enabled. It is assumed that the DPOA bit is set in the register 59 of the EC 51 by the procedure shown in FIG. The secure NVRAM 31 stores a power-on password, an HDD password, and a login password.

  However, since it is the login password that needs to be unlocked when resuming from the power-on power saving state, the power-on password and the HDD password may not be set. When transitioning to the power-on power saving state, the notebook PC 10 is not being used. Users should close the chassis when not in use for a relatively long period of time, such as moving from the office to a conference room, and leave the chassis open when not working for a short time after performing another work on the desk. Can be considered. When the casing is closed at block 203, processing is performed at block 205, and when it is open, processing is performed at block 251.

  When the user opens the enclosure for use in the meeting room that arrived at block 205, the lid sensor 63 operates to generate a resume event. The CPU 53 of the EC 51 that has received the resume event in block 206 checks the register 58. When POA enable is set in the register 58, the process proceeds to block 230, and when DPOA enable is set, the process proceeds to block 207.

  The CPU 53 controls the DC / DC converter 61 in block 207 to supply power to the stopped device, and to make the CPU core 13 transition to the active state. The CPU core 13 restores the context stored in the registers and pointers saved in a predetermined area in the idle state, transitions to the active state, and in a state before transitioning to the idle state in a short time. Resume operation. The CPU core 13 executes the OS 103 to shift the sleep state device to the active state. However, the screen is not displayed on the LCD 27 at this time. When the power supply is activated, the USB controller of the PCH 21 to which the FPR 67 is connected is initialized.

  In block 209, the EC 51 refers to the registers 59 and 60 and confirms the DPOA bit and the tamper bit. When both the DPOA bit and the tamper bit are set, the process proceeds to block 211. When either the DPOA bit or the tamper bit is cleared, the process moves to block 281 to execute POA in order to give priority to safety.

  In block 211, the CPU 53 issues a system management interrupt (SMI) to shift the CPU core 13 to the system management mode (SMM). The CPU core 13 having shifted to the SMM stores the system context in the SMRAM area secured in the main memory 21 and transfers control to the SMI handler loaded in the SMRAM area. When the SMI handler confirms that the DPOA bit is set in the register 59, the SMI handler acquires the login password from the NVRAM 31, acquires the setting contents of the DPOA menu shown in FIG. 5 from the RTC memory 22, and passes them to the POA manager 101. .

  The POA manager 101 passes the received login / password to the authentication module of the OS 103 in the same manner as the user inputs from the keyboard 69. Receiving the login password, the OS 103 permits access to the system at block 213 in the same manner as when the login password is input. At this time, the POA manager 101 can limit the access range with the contents set in the DPOA setting menu. The procedure up to here does not require password input, USB controller initialization, and FPR67 authentication, so that quick resume can be realized. However, the access permission for the system at this point is provisional access permission because it is not based on formal authentication.

  The system requires fingerprint authentication because continuing to permit access without formal authentication detracts from the significance of setting a login / password. The user swipes his finger to FPR 67 at block 215, similar to POA. Unless the CPU 53 receives notification from the FPR 67 that the fingerprint authentication has failed in block 217, the process proceeds to block 219, where the procedure ends, and the state where access to the system is permitted in block 213 continues. If access to the display screen or some I / 0 devices is restricted in block 213, the POA manager 101 releases the restriction after a predetermined time has elapsed.

  In block 221, if the CPU 53 determines that the fingerprint authentication is not successful or has failed within a predetermined time such as 2 to 3 seconds after receiving the resume event, the CPU 53 proceeds to block 223. In block 223, the CPU 53 issues an SMI and notifies the POA manager 101 through the system firmware 105 that the fingerprint authentication has failed. Note that the POA manager 101 may move to block 223 when it does not receive a notification from the FPR 67 that the fingerprint authentication is successful within a predetermined time. In block 225, the POA manager 101 requests the OS 103 to prohibit access to the system. The OS 103 stops access to all the input / output devices and displays a password request screen on the LCD 27. Thereafter, the user cannot access the system without entering a login password.

  In block 230, the CPU 53 controls the DC / DC converter 61 to supply power to the FPR 67 and the PCH 21. When the initialization of the USB controller is completed and the PCH 21 receives a notification of successful fingerprint authentication from the FPR 67, the PCH 21 instructs the EC 51 to shift the system to the power-on state. The POA manager 101 inputs the login password stored in the secure NVRAM 31 received from the system firmware 105 to the authentication module of the OS 103 and unlocks the system. If fingerprint authentication is not successful within a predetermined time, the POA manager 101 displays a password input screen on the LCD 27 through the OS 103.

  In block 281, the power is already turned on, but fingerprint authentication and unlocking are performed according to the POA procedure. The POA manager 101 unlocks the system when authentication by the FPR 67 is successful. Since time is required for fingerprint authentication by FPR67 and initialization of the USB interface, quick resume cannot be realized with POA.

  Returning to block 203, if the housing is already open, in block 251, swipe your finger to FPR 67 for fingerprint authentication. When the proximity sensor 68 detects the approaching finger, the FPR 67 sends a resume event to the EC 51. The procedure of blocks 252 to 259 after receiving the resume event is the same as the procedure of blocks 206 to 213.

  According to the above procedure, when a resume event is generated by the lid sensor 63 or the proximity sensor 68, the system causes the system to transition to the power-on state even though the login password is set. Since the user's access is temporarily permitted, quick resume can be realized. Then, when the fingerprint authentication performed with a slight delay is successful, the state where the access is permitted is continued as it is. When fingerprint authentication fails, the system is locked at that time, so security can be ensured.

  DPOA can improve security without deteriorating operability even on smartphones and tablet terminals that have previously been difficult to set passwords. The generation of the resume event has been described by taking the lid sensor 63 and the proximity sensor 68 as an example. However, in order to ensure the DPOA safety, it may be limited to devices that are actually generated by physically accessing the notebook PC 10. desirable. Therefore, the CPU 53 may generate a resume event by operating a specific key of the keyboard 69 or operating a power button. However, for a resume event sent through a network such as WOL, It is desirable to prevent DPOA from functioning.

  So far, at least a login password has been set as an example and a quick resume from a power-on power-saving state has been described. However, the fact that a login password is set is related to the present invention. Is that the notebook PC is intended to ensure security with a password. Therefore, the above procedure can also be applied to a notebook PC that ensures safety only by fingerprint authentication without setting a login password, and a notebook PC that cannot set a password. In this case, the procedure of blocks 211 and 257 is omitted, access to the system is permitted, and when subsequent fingerprint authentication fails, the POA manager 101 notifies the OS 103 to lock access to the system. can do.

  In block 201, DPOA can also be applied when the sleep state is the suspend state. When a resume event is generated in the suspended state, the CPU core 13 is powered on and reset, and the system firmware 105 is always executed first. At this time, the system firmware 103 can execute the authentication code and request the power-on password and the HDD password.

  When DPOA is adopted, the system firmware 105 reads the power-on password and HDD password from the secure NVRAM 31 in the POST, and unlocks the system. Subsequently, when the boot moves to the OS 103, the system firmware 105 passes the login password read from the secure NVRAM 31 to the POA manager 101, and releases the login password set by the OS 105.

  When the authentication fails, the system firmware 103 or the POA manager 101 can return the system to the original suspended state. DPOA can also be realized by using an authentication device that performs authentication other than FPR67. For example, it can be realized by using a biometric authentication device that performs iris recognition or voice recognition, or a contact or non-contact security token.

[DPOA Dynamic Settings]
When the case is closed for a short period of time, such as moving to a conference room, the notebook PC 10 does not leave the user, so there is a low possibility of being exposed to danger. In this case, it is desirable to place importance on quick resume. Further, when the screen saver for requesting a password to return is displayed on the LCD 27 by operating the keyboard 69 when leaving the notebook PC 10 for a long time, the user wants to ensure the safety of the notebook PC 10. Indicates. In this case, it is desirable to place importance on security. For this purpose, it is possible to adjust the decrease in the security level of the DPOA to the POA and the convenience of quick resume by reflecting the usage state of the notebook PC 10 and the user's intention.

  In the present embodiment, either DPOA or POA can be selected and executed by dynamically setting the register 59 according to the state before the transition to the sleep state. FIG. 7 is a flowchart showing a procedure for setting the DPOA bit in the register 59. The procedure in FIG. 7 is based on the assumption that a screen lock condition is set in the RTC memory 22. At block 301, the system is powered on and the CPU core 13 is active. The user sets screen lock conditions from the DPOA setting menu of the POA manager 101. The user inputs a specific key on the keyboard 69 to display a screen saver for a long leave.

  In response to the input of a specific key, the POA manager 101 sets a screen lock bit in the secure NVRAM 31 through the system firmware 103. When there is no specific key input, the screen lock bit is released. At block 303, the system generates a sleep event and initiates a transition to the sleep state. The sleep event can be generated when the lid sensor 63 detects that the casing is closed, or when the idle state of the CPU core 13 continues for a certain period of time.

  When the screen lock bit is set in the secure NVRAM 31, the system firmware 31 clears the DPOA bit of the register 59 at block 309, and when the screen lock bit is released, the system firmware 31 clears the DPOA bit at block 307. Set. The system firmware 105 releases the screen lock bit before the system transitions to the sleep state or at the next resume.

  When the system shifts to the sleep state at block 311 and the CPU 53 determines at block 313 that a predetermined time has elapsed since the generation of the sleep event, the DPOA bit set at block 307 is released at block 315. In this procedure, if the user enters the power-on power-saving state after displaying the screen saver before entering the sleep state, the process moves to the path where the POA is executed in blocks 209 and 255 in FIG. Access after fingerprint authentication. When the screen saver is shifted to the power-on power saving state without displaying the screen saver, the path is shifted to the path where DPOA is executed and access is temporarily permitted. Even if the DPOA bit is set once and the power-on power-saving state is entered, if the user times out in the block 313, it is determined that the user is not in use for a long time so that safety is given priority. The POA can be executed by clearing the DPOA bit.

  Although the present invention has been described with the specific embodiments shown in the drawings, the present invention is not limited to the embodiments shown in the drawings, and is known so far as long as the effects of the present invention are achieved. It goes without saying that any configuration can be adopted.

10 Notebook PC
11 CPU package 21 PCH
51 Embedded Controller (EC)
22, 59, 60 registers

Claims (20)

A method in which a portable electronic device equipped with an authentication device for biometric authentication or security token authentication resumes from a sleep state,
Receiving a resume event while the system transitions to a sleep state;
Enabling access to the system in response to the resume event;
The system locks access when it determines that authentication by the authentication device has failed after enabling access to the system. Setting a password required by the system when resuming from the sleep state;
Storing the password in the portable electronic device,
The method of claim 1, wherein allowing access to the system comprises unlocking using the stored password.   The method of claim 2, wherein the authentication device is a fingerprint authentication device.   The method of claim 3, wherein the resume event is generated when the system detects a finger approaching the fingerprint authentication device.   The method according to claim 2, wherein the computer is a notebook portable computer, and the resume event is generated when a housing is opened.   6. The sleep state is a power-on power-saving state in which a main processor transitions to an idle state and other devices transition to a stop state or a sleep state. Method.   The method of claim 6, wherein the password comprises a password set by an operating system.   6. The method according to claim 2, wherein the sleep state is a suspend state in which the main processor is powered off and the storage of the main memory is maintained.   The method of claim 8, wherein the password comprises a password set by system firmware.   The method according to any one of claims 1 to 9, wherein the step of enabling access includes a step of displaying a predetermined screen.   11. A method as claimed in any preceding claim, wherein enabling the access comprises locking access to a given input / output device. Setting the set password to be valid or invalid;
Enabling access to the system after successful authentication by the authentication device when the password is set to valid;
The method according to claim 2, further comprising: authenticating by the authentication device after releasing the lock using the stored password when the password is set to be invalid. A method for controlling the power state of a notebook computer equipped with a fingerprint authentication device, comprising:
Registering the password required by the system when resuming from sleep;
Activating the computer in response to opening the housing in a sleep state and unlocking the system using the registered password; and
The computer locking the system when it is determined that authentication by the fingerprint authentication device has failed after the unlocking.   14. The method of claim 13, wherein releasing the lock includes restricting access to some input / output devices.   15. The method of claim 14, wherein the input / output device is either a network device, a disk drive, or an externally connected memory. A portable electronic device capable of setting a password required by the system when resuming from a sleep state and capable of transitioning between a sleep state and a power-on state,
An authentication device for biometric authentication or security token authentication;
An access permission unit that releases the password and permits access to the system in response to a resume event generated during the transition to the sleep state;
A portable electronic device comprising: an access prohibition unit that prohibits access to the system when it is determined that authentication by the authentication device has failed after permitting the access.   The portable electronic device according to claim 16, wherein the portable electronic device is one of a notebook personal computer, a tablet terminal, and a smartphone.   The portable electronic device according to claim 16 or 17, wherein the resume event is generated when an authentication target for the authentication device approaches.   The password includes a first password required to access the operating environment of the system firmware and a second password required to access the operating environment of the operating system, and the access permission unit includes the first password The portable electronic device according to any one of claims 16 to 18, wherein a password and the second password are canceled. A computer equipped with an authentication device for biometric authentication or security token authentication,
Receiving a resume event while the computer is in a sleep state;
Enabling access to the computer in response to the resume event;
A computer program for realizing a function of prohibiting access to the computer when it is determined that authentication by the authentication device has failed after enabling access.

Images