Summary of the invention
To solve the above problem, the object of the invention is to provide a method for generating a trusted program list; the trusted list generated by this method is easy to use and also has very good security.
The invention discloses a trusted program list generation method based on TPM/VTPM, comprising:
Step 1, changing the boot configuration of the computer: the boot mode is changed to trusted program list generation mode, the data sealing or unsealing password is set, and the computer is booted;
Step 2, the BIOS saves the sealed hash value of the Boot Loader into the non-volatile storage of the TPM or VTPM; the BIOS can only seal the first part of the Boot Loader, and each subsequent part is sealed by the part before it;
Step 3, the Boot Loader saves the sealed hash values of the operating system kernel and related modules into the non-volatile storage of the TPM or VTPM;
Step 4, the operating system kernel saves the sealed trusted program list of the key or all executable programs, kernel modules and dynamic libraries into a specified file in the file system.
The trusted program list generation method based on TPM/VTPM further comprises:
Step 5, the operating system kernel of the virtual machine transfers the data saved in VTPM non-volatile storage in steps 2 and 3, and the file saved in the file system in step 4, to a specified location in the file system of the management domain or host, then clears the data saved in VTPM non-volatile storage in steps 2 and 3 and deletes the file saved in the file system in step 4. During use after the virtual machine has booted, the virtual machine user cannot read these trusted program lists at all, which further strengthens the security of these lists.
In the trusted program list generation method based on TPM/VTPM, step 2 further comprises:
Step 31, the BIOS reads the relevant sectors of the Boot Loader from the boot medium into memory;
Step 32, the hash value of the Boot Loader's relevant sectors in memory is calculated and added to the hash array hashes1;
Step 33, the Seal function of the TPM or VTPM is called with the data sealing password to seal the hashes1 array, generating binary data blob1, where blob1 is data for non-volatile storage;
Step 34, the DefineSpace and WriteValueAuth functions of the TPM or VTPM are called to save blob1 into the non-volatile storage of the TPM or VTPM, and the TPM or VTPM returns the data index i1; DefineSpace allocates a space from non-volatile storage, and WriteValueAuth writes data into the allocated space.
In the trusted program list generation method based on TPM/VTPM, step 3 further comprises:
Step 41, the Boot Loader reads the operating system kernel and related modules into memory;
Step 42, the hash values of the operating system kernel and related modules in memory are calculated and added to the hash array hashes2;
Step 43, the Seal function of the TPM or VTPM is called with the data sealing password to seal the hashes2 array, generating binary data blob2, where blob2 is data for non-volatile storage;
Step 44, the DefineSpace and WriteValueAuth functions of the TPM or VTPM are called to save blob2 into the non-volatile storage of the TPM or VTPM, and the TPM or VTPM returns the data index i2.
In the trusted program list generation method based on TPM/VTPM, step 4 further comprises:
Step 51, the configuration file specified in the file system is parsed, the hash values of the applications, kernel modules and dynamic libraries described in the configuration file are calculated, and a two-tuple consisting of each program's identifier and hash value is saved into the trusted program list array hashes3;
Step 52, the Seal function of the TPM or VTPM is called with the data sealing password to seal the hashes3 array, generating binary data blob3, where blob3 is data for non-volatile storage;
Step 53, blob3 is saved into the specified file fblob3.dat in the file system.
In the trusted program list generation method based on TPM/VTPM, step 5 further comprises:
Step 61, alternatively, the operating system kernel of the virtual machine first dumps the data saved in VTPM non-volatile storage in steps 2 and 3 into specified files in the virtual machine file system and clears that data from VTPM non-volatile storage; after boot has completed, an application-layer program transfers these files to the specified location in the file system of the management domain or host and at the same time deletes them from the virtual machine.
In the trusted program list generation method based on TPM/VTPM, step 61 further comprises:
Step 71, the ReadValueAuth function of the VTPM is called to read blob1 and blob2 saved at indexes i1 and i2 in VTPM non-volatile storage, where ReadValueAuth reads data from VTPM non-volatile storage;
Step 72, blob1, blob2 and fblob3.dat are passed to the management domain or host by an inter-domain transfer method such as network or shared drive, and each is saved into a specified file in the management domain or host file system;
The management domain is the domain that provides virtual machine management functions in the XEN TYPE1 virtualization platform;
The host is the HOST in the KVM TYPE2 virtualization platform;
Step 73, the DefineSpace function of the VTPM is called to clear blob1 and blob2 saved at indexes i1 and i2 in VTPM non-volatile storage;
Step 74, the specified file fblob3.dat is deleted from the virtual machine file system.
The invention also discloses a trusted program list generation system based on TPM/VTPM, comprising:
A boot manager module, for changing the boot configuration of the computer: the boot mode is changed to trusted program list generation mode, the data sealing or unsealing password is set, and the computer is booted;
A patched BIOS module, for saving the sealed hash value of the patched GRUB module into the non-volatile storage of the TPM or VTPM; the BIOS can only seal the first part of the patched GRUB module, and each subsequent part is sealed by the part before it;
A patched GRUB module, for saving the sealed hash value blob2 of the operating system kernel and related modules into the non-volatile storage of the TPM or VTPM;
A patched operating system kernel module, for saving the sealed trusted program list of the key or all executable programs, kernel modules and dynamic libraries into a specified file in the file system.
The trusted program list generation system based on TPM/VTPM further comprises:
A trusted program list update module, for transferring the data saved in VTPM non-volatile storage by the patched BIOS module and the patched GRUB module, and the file saved in the file system by the patched operating system kernel module, to a specified location in the file system of the management domain or host, and for clearing that data from VTPM non-volatile storage and deleting that file from the file system.
In the trusted program list generation system based on TPM/VTPM, the patched BIOS module further comprises:
A medium reading module, for reading the relevant sectors of the patched GRUB module from the boot medium into memory;
A hash calculation module, for calculating the hash value of the patched GRUB module's relevant sectors in memory and adding it to the hash array hashes1;
A seal calling module, for calling the Seal function of the TPM or VTPM with the data sealing password to seal the hashes1 array, generating binary data blob1, where blob1 is data for non-volatile storage; and for calling the DefineSpace and WriteValueAuth functions of the TPM or VTPM to save blob1 into the non-volatile storage of the TPM or VTPM, which returns the data index i1. DefineSpace allocates a space from non-volatile storage, and WriteValueAuth writes data into the allocated space.
In the trusted program list generation system based on TPM/VTPM, the patched GRUB module further comprises:
An information reading module, by which the patched GRUB module reads the operating system kernel and related operating system modules into memory;
A hash calculation module, for calculating the hash values of the operating system kernel and related modules in memory and adding them to the hash array hashes2;
A seal calling module, for calling the Seal function of the TPM or VTPM with the data sealing password to seal the hashes2 array, generating binary data blob2, where blob2 is data for non-volatile storage; and for calling the DefineSpace and WriteValueAuth functions of the TPM or VTPM to save blob2 into the non-volatile storage of the TPM or VTPM, which returns the data index i2.
In the trusted program list generation system based on TPM/VTPM, the patched operating system kernel module further comprises:
A configuration file parsing module, for parsing the configuration file specified in the file system, calculating the hash values of the applications, kernel modules and dynamic libraries described in the configuration file, and saving a two-tuple consisting of each program's identifier and hash value into the trusted program list array hashes3;
A seal calling module, for calling the Seal function of the TPM or VTPM with the data sealing password to seal the hashes3 array, generating binary data blob3, where blob3 is data for non-volatile storage; blob3 is then saved into the specified file fblob3.dat in the file system.
In the trusted program list generation system based on TPM/VTPM, the trusted program list update module further comprises:
An application management module, by which the operating system kernel of the virtual machine dumps the data saved in VTPM non-volatile storage by the patched BIOS module and the patched GRUB module into specified files in the virtual machine file system and clears that data from VTPM non-volatile storage; after the virtual machine has finished booting, an application-layer program transfers these files to the specified location in the file system of the management domain or host and at the same time deletes them from the virtual machine.
In the trusted program list generation system based on TPM/VTPM, the application management module further comprises:
A read-data calling module, for calling the ReadValueAuth function of the VTPM to read blob1 and blob2 saved at indexes i1 and i2 in VTPM non-volatile storage, where ReadValueAuth reads data;
A file transfer module, for passing blob1, blob2 and fblob3.dat to the management domain or host by an inter-domain transfer method such as network or shared drive, and saving each into a specified file in the management domain or host file system;
The management domain is the domain that provides virtual machine management functions in the XEN TYPE1 virtualization platform;
The host is the HOST in the KVM TYPE2 virtualization platform;
A DefineSpace calling module, for calling the DefineSpace function of the VTPM to clear blob1 and blob2 saved at indexes i1 and i2 in VTPM non-volatile storage, where DefineSpace is used to delete data from non-volatile storage; and for deleting the specified file fblob3.dat from the virtual machine file system.
The beneficial effects of the invention are:
The advantage of the invention is that it provides a generation method for a trusted program list that is easy to use and secure. During use after the computer has booted, a malicious user cannot unseal or tamper with the trusted program list generated by this method at all. On a virtualization platform, the virtual machine user cannot read or access these trusted program lists at all, which further strengthens their security. During the computer's local trust verification, however, each stage of the normal boot process can successfully unseal and use these lists, so they are very easy to use. In summary, the trusted program list generated by this method is well suited to local trust verification of a computer; the method is also compatible with traditional remote trust verification, and has good market prospects and application value.
Detailed description of the invention
Specific embodiments of the invention are given below, and the invention is described in detail with reference to the accompanying drawings.
The object of the invention is to provide a method for generating a trusted program list; the trusted list generated by this method is easy to use and also has very good security.
In this method, a new boot mode is introduced for the computer: trusted program list generation mode. In this mode, each stage of the boot process generates, according to the current state of the TPM, a trusted program list that only that stage can unseal. During use after the computer has booted, a malicious user cannot unseal or tamper with these trusted program lists at all, which guarantees their security and in turn the validity of the local trust verification method. At the same time, during the computer's local trust verification, each stage of the normal boot process can successfully unseal and use these lists, so the method is also very easy to use.
Specifically, the trusted program list generation method of the invention comprises the following steps:
A. Change the boot configuration of the computer: change the boot mode to trusted program list generation mode, set the data sealing or unsealing password p, and boot the computer.
The "computer" refers to servers, PCs and terminal devices fitted with a TPM device, and to fully virtualized virtual machines that use a VTPM (virtual trusted platform module) on a virtualization platform.
"Sealing" refers to the Seal function provided by the TPM or VTPM.
"Unsealing" refers to the Unseal function provided by the TPM or VTPM.
The "data sealing or unsealing password" refers to the DataAuth (data authorization code) that must be supplied to the TPM or VTPM when sealing or unsealing data.
B. The BIOS saves the sealed hash value of the Boot Loader, blob1, into the non-volatile storage of the TPM or VTPM. The Boot Loader's boot process may consist of several independent parts, so the BIOS may only be able to seal the first part of the Boot Loader, with each subsequent part sealed by the part before it. The implementation is:
B1. The BIOS reads the relevant sectors of the Boot Loader from the boot medium (disk or partition) into memory.
B2. The hash value of the Boot Loader's relevant sectors in memory is calculated and added to the hash array hashes1.
B3. The Seal function of the TPM or VTPM is called with p as the data sealing password to seal the hashes1 array, generating binary data blob1.
B4. The DefineSpace function (which allocates a space from non-volatile storage) and the WriteValueAuth function (which writes data into the allocated space) of the TPM or VTPM are called to save blob1 into the non-volatile storage of the TPM or VTPM, and the TPM or VTPM returns the data index i1.
C. The Boot Loader saves the sealed hash values of the operating system kernel and related modules, blob2, into the non-volatile storage of the TPM or VTPM. The implementation is:
C1. The Boot Loader reads the operating system kernel and related modules into memory.
C2. The hash values of the operating system kernel and related modules in memory are calculated and added to the hash array hashes2.
C3. The Seal function of the TPM or VTPM is called with p as the data sealing password to seal the hashes2 array, generating binary data blob2.
C4. The DefineSpace and WriteValueAuth functions of the TPM or VTPM are called to save blob2 into the non-volatile storage of the TPM or VTPM, and the TPM or VTPM returns the data index i2.
D. The operating system kernel saves the sealed trusted program list of the key or all executable programs, kernel modules and dynamic libraries into the specified file fblob3.dat in the file system. Here fblob3.dat is the name used in this description for the specified file; in practice the file is not limited to fblob3.dat. The concrete implementation is:
D1. The configuration file specified in the file system is parsed, the hash values of the applications, kernel modules and dynamic libraries described in the configuration file are calculated, and a two-tuple consisting of each program's identifier and hash value is saved into the trusted program list array hashes3.
D2. The Seal function of the TPM or VTPM is called with p as the data sealing password to seal the hashes3 array, generating binary data blob3.
D3. blob3 is saved into the specified file fblob3.dat in the file system.
E. This step is optional. On a virtualization platform, the operating system kernel of the virtual machine transfers blob1 and blob2, saved in VTPM non-volatile storage, together with fblob3.dat, to a specified location in the file system of the management domain or host, and clears blob1 and blob2 from VTPM non-volatile storage. In this way, during use after the virtual machine has booted, the virtual machine user cannot read these trusted program lists at all, which further strengthens the security of these lists. Alternatively, the operating system kernel of the virtual machine can first dump blob1 and blob2 from VTPM non-volatile storage into the specified virtual machine file system files fblob1.dat and fblob2.dat and clear blob1 and blob2 from VTPM non-volatile storage; after boot has completed, an application-layer program transfers fblob1.dat, fblob2.dat and fblob3.dat to the specified location in the file system of the management domain or host and at the same time deletes fblob1.dat, fblob2.dat and fblob3.dat from the virtual machine. The concrete implementation is:
E1. The ReadValueAuth (read data) function of the VTPM is called to read blob1 and blob2 saved at indexes i1 and i2 in VTPM non-volatile storage.
E2. blob1, blob2 and fblob3.dat are passed to the management domain or host by an inter-domain transfer method such as network or shared drive, and each is saved into a specified file in the management domain or host file system.
The "management domain" is the domain that provides virtual machine management functions in TYPE1 virtualization platforms such as XEN, for example domain-0 (the first domain that XEN starts) in XEN.
The "host" is the HOST in TYPE2 virtualization platforms such as KVM.
E3. The DefineSpace function of the VTPM is called to clear blob1 and blob2 saved at indexes i1 and i2 in VTPM non-volatile storage.
E4. fblob3.dat is deleted from the virtual machine file system.
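The generation-mode boot of steps A to D, and the property that a list can be unsealed only in the stage that sealed it, modelled in Python as an added example (not code from the patent). ModelTPM is a software stand-in and not a real TPM or TSS interface. The single PCR, the points at which it is extended, the BOOT-COMPLETE marker, the use of SHA-256, the sample inputs and the verify_boot consumer are all assumptions made for illustration.

```python
import hashlib, hmac, json, os

class ModelTPM:
    """Software stand-in for the Seal/Unseal and NV calls named in the text (not a real TPM)."""
    def __init__(self):
        self._srk = os.urandom(32)       # models the key that never leaves the TPM
        self.nv = {}                     # non-volatile storage: index -> blob
        self.reset()
    def reset(self):                     # platform reset: PCR cleared, key and NV persist
        self.pcr = b"\x00" * 32
    def extend(self, measurement):       # PCR := H(PCR || measurement)
        self.pcr = hashlib.sha256(self.pcr + measurement).digest()

    def _keys(self, auth):               # keys bound to current PCR state and password
        k = hmac.new(self._srk, self.pcr + auth.encode(), hashlib.sha256).digest()
        return (hmac.new(k, b"enc", hashlib.sha256).digest(),
                hmac.new(k, b"mac", hashlib.sha256).digest())

    @staticmethod
    def _xor(key, nonce, data):          # SHA-256 counter keystream, for the model only
        ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, ks))

    def seal(self, auth, data):
        enc, mac = self._keys(auth)
        nonce = os.urandom(16)
        ct = self._xor(enc, nonce, data)
        return nonce + hmac.new(mac, nonce + ct, hashlib.sha256).digest() + ct

    def unseal(self, auth, blob):
        enc, mac = self._keys(auth)
        nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
        good = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            raise PermissionError("unseal refused: PCR state, password or blob mismatch")
        return self._xor(enc, nonce, ct)

    def define_space_and_write(self, blob):   # DefineSpace + WriteValueAuth, returns index
        index = len(self.nv) + 1
        self.nv[index] = blob
        return index

def measure(data):
    return hashlib.sha256(data).hexdigest()

def generate(tpm, p, bootloader, kernel, programs):
    """Generation-mode boot: each stage seals its list under the PCR state it runs in."""
    tpm.reset()
    tpm.extend(b"BIOS")                                    # BIOS stage
    hashes1 = [measure(bootloader)]
    i1 = tpm.define_space_and_write(tpm.seal(p, json.dumps(hashes1).encode()))
    tpm.extend(bytes.fromhex(hashes1[0]))                  # hand-over to the boot loader
    hashes2 = [measure(kernel)]
    i2 = tpm.define_space_and_write(tpm.seal(p, json.dumps(hashes2).encode()))
    tpm.extend(bytes.fromhex(hashes2[0]))                  # hand-over to the kernel
    hashes3 = [[ident, measure(body)] for ident, body in programs.items()]
    fblob3 = tpm.seal(p, json.dumps(hashes3).encode())     # goes to a file, not NV
    tpm.extend(b"BOOT-COMPLETE")                           # assumed end-of-boot marker
    return i1, i2, fblob3

def verify_boot(tpm, p, i1, i2, fblob3, bootloader, kernel, programs):
    """Later normal boot (hypothetical consumer): each stage unseals only its own list."""
    tpm.reset()
    tpm.extend(b"BIOS")
    if measure(bootloader) not in json.loads(tpm.unseal(p, tpm.nv[i1])):
        return "boot loader not trusted"
    tpm.extend(bytes.fromhex(measure(bootloader)))
    if measure(kernel) not in json.loads(tpm.unseal(p, tpm.nv[i2])):
        return "kernel not trusted"
    tpm.extend(bytes.fromhex(measure(kernel)))
    trusted = dict(json.loads(tpm.unseal(p, fblob3)))
    bad = [i for i, body in programs.items() if trusted.get(i) != measure(body)]
    tpm.extend(b"BOOT-COMPLETE")
    return "ok" if not bad else "untrusted: " + ", ".join(bad)

def unseal_refused(tpm, p, blob):        # True when the model refuses in its current state
    try:
        tpm.unseal(p, blob)
    except PermissionError:
        return True
    return False

# Constructed sample inputs; "welltt" is the password used in the embodiment.
P = "welltt"
BOOTLOADER, KERNEL = b"constructed GRUB stage bytes", b"constructed kernel image"
PROGRAMS = {"/bin/login": b"constructed ELF", "tpm_tis": b"constructed KO",
            "/lib/libc.so.6": b"constructed SO"}
```

After generate() returns, the model's PCR holds the post-boot state, so unseal_refused() is true for every blob; verify_boot() succeeds only because it replays the same measurements stage by stage.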
The invention also includes a system implementing the trusted list generation method for a fully virtualized virtual machine on the XEN virtualization platform, using GRUB (boot loader) and the Linux operating system, as shown in Figure 1. The system consists of the following modules:
1) Boot manager module: parses the boot mode configuration and the data sealing and unsealing password supplied by the user, and passes this information securely to the patched BIOS module. In addition, XEN's VTPM cannot use the data the VTPM saved on the previous run, mainly in the following two respects: A. the VTPM uses a different instance number each time the same virtual machine runs; B. the VTPM uses a different EK (Endorsement Key) each time the same virtual machine runs. This module mainly corrects these logic errors of the VTPM.
2) Patched BIOS: besides applying the TCG-BIOS (trusted BIOS) patch to the BIOS (called hvmloader in XEN), code must be added to read stage1, start and stage1_5 of the patched GRUB from the boot medium, and to call the VTPM to seal data and to read and write non-volatile storage.
3) Patched GRUB: besides applying the TCG-GRUB (trusted GRUB) patch to GRUB, code must be added to stage1_5 and stage2 of the patched GRUB to call the VTPM to seal data and to read and write non-volatile storage.
4) Patched operating system kernel: the TPM driver and the disk driver must be compiled into the kernel; the kernel must also parse the specified configuration file, calculate the hash values of the programs it lists, and call the VTPM to seal data, dump the trusted list, and so on.
5) Trusted program list update module: consists of a client and a server. The client runs in the ordinary virtual machine; it reads the specified trusted program list files from the file system and transfers them to the server. The server runs in the management domain; it receives the data sent by the client and saves it on the management domain's disk.
The invention is further described below, with reference to the accompanying drawings, through an embodiment of trusted list generation for a fully virtualized virtual machine on the XEN virtualization platform (using GRUB and the Linux operating system).
An application system as shown in Figure 1 is implemented. As shown in the figure, the system comprises five modules: the boot manager module, the patched BIOS, the patched GRUB, the patched operating system kernel and the trusted program list update module.
The boot process of this virtual machine is very similar to that of an ordinary physical machine, as shown in Figure 2. After the system powers on (the virtual machine starts), the BIOS runs first. The BIOS loads GRUB: it first loads GRUB stage1, located in the first sector of the boot medium; GRUB stage1 then loads GRUB start, located in the second sector of the boot medium; GRUB start then loads GRUB stage1_5. Stage1_5 loads GRUB stage2, located in the /boot file system. Finally, stage2 parses the GRUB configuration file and loads the corresponding operating system kernel as required.
The flow chart of the method is shown in Figure 3. The method of the invention comprises:
A. Change the configuration of the fully virtualized virtual machine: change the boot mode to trusted list generation mode and supply the data sealing and unsealing password, welltt; then start the virtual machine. The boot manager parses this information and passes it securely to the patched BIOS. Needverify=2 (trusted list generation mode) and authstring="welltt" are set as shown in Figure 4.
B. The patched BIOS saves the sealed hash values of stage1, start and stage1_5 of the patched GRUB, blob1, into the non-volatile storage of the VTPM; stage1_5 of the patched GRUB saves the sealed hash value of stage2 of the patched GRUB, blob2, into the non-volatile storage of the VTPM.
C. Stage2 of the patched GRUB saves the sealed hash value of the patched operating system kernel, blob3, into the non-volatile storage of the VTPM.
D. The patched operating system kernel saves the sealed trusted program list of the key or all executable programs, kernel modules and dynamic libraries into the specified file fblob4.dat in the file system.
As shown in Figure 5, the configuration file can specify the operation type: MERGE (add a program to be verified to the trusted program list), REPLACE (replace) or OTHER (other). It can specify the type of the program to be verified: executable program (ELF), APP_END (end marker; after a program has been verified, trust verification ends), kernel module (KO) or dynamic library (SO). It can also specify the ID of the program to be verified (kernel modules are identified by module name, all others by program path).
E. The patched operating system kernel of the virtual machine dumps blob1, blob2 and blob3 from VTPM non-volatile storage into the specified file system files fblob1.dat, fblob2.dat and fblob3.dat, and clears blob1, blob2 and blob3 from VTPM non-volatile storage. After boot has completed, the client of the trusted program list update module transfers fblob1.dat, fblob2.dat, fblob3.dat and fblob4.dat to the server of the trusted program list update module, located in the management domain or host, and at the same time deletes fblob1.dat, fblob2.dat, fblob3.dat and fblob4.dat from the virtual machine. Finally, the server of the trusted program list update module saves these files to the specified location in the file system.
Those skilled in the art can make various modifications to the above without departing from the spirit and scope of the invention as determined by the claims. The scope of the invention is therefore not limited to the above description, but is determined by the scope of the claims.