CN105930733A - Trust chain construction method and apparatus - Google Patents
- Publication number
- CN105930733A (application number CN201610239704.3A)
- Authority
- CN
- China
- Prior art keywords
- digital signature
- benchmark
- efi
- file
- tpm
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Abstract
The invention provides a trust chain construction method and apparatus. The method comprises: partitioning a secure storage space for an ARM processor and storing hardware information in that secure storage space as the root of trust; starting a TPM (Trusted Platform Module) on the basis of the root of trust, performing a power-on self-test, and determining that the TPM is available; using the TPM to measure the code and data of the EFI (Extensible Firmware Interface) initialization module and of the server from power-on through the boot-loading stage; verifying whether that code and data are intact and, if so, loading them; using the loaded EFI initialization module and boot code to measure the driver files and device files in the driver execution environment and in the driver programs; and verifying the integrity of the driver files and device files. The scheme effectively improves the credibility of the root of trust.
Description
Technical field
The present invention relates to the field of computer security, and in particular to a trust chain construction method and apparatus.
Background technology
The Extensible Firmware Interface (EFI), the successor to the Basic Input/Output System (BIOS), stores the computer's basic input/output routines, system configuration, power-on self-test code and boot-strap program, and provides the lowest-level and most direct hardware configuration and control for the computer. This makes EFI a frequent target of viruses and Trojans. At present the integrity of EFI, i.e. whether EFI has been tampered with, is mainly detected by the trust chain techniques of trusted computing.
In existing trust chain technology a Trusted Platform Module (TPM) serves as the root of trust: it checks the integrity of EFI and builds the trust chain that starts the server. During this process the root of trust may be loaded into memory, where it could be tampered with, so the credibility of the root of trust is comparatively low.
Summary of the invention
Embodiments of the invention provide a trust chain construction method and apparatus that effectively improve the credibility of the root of trust.
A trust chain construction method partitions a secure storage space for an ARM processor and stores hardware information in that secure storage space as the root of trust, and further comprises:
starting the TPM on the basis of the root of trust, performing a power-on self-test, and determining that the TPM is available;
using the TPM to measure the code and data of the EFI initialization module and of the server from power-on through the boot-loading stage;
verifying whether that code and data are intact and, if so, loading the code and data of the EFI initialization module and of the server from power-on through the boot-loading stage;
using the loaded EFI initialization module and boot code to measure the driver files and device files in the driver execution environment and the driver programs;
verifying the integrity of the driver files and device files.
Preferably, the method further comprises measuring benchmark digital signatures of the hardware information, the TPM, the EFI initialization module, the server's code and data from power-on through the boot-loading stage, and the driver files and device files.
Determining that the TPM is available then comprises: measuring a first digital signature of the hardware information and determining that it matches the benchmark digital signature of the hardware information; and measuring a second digital signature of the TPM and determining that it matches the benchmark digital signature of the TPM.
Verifying whether the code and data of the EFI initialization module and of the server from power-on through the boot-loading stage are intact comprises: in a hardware-protected trusted measurement environment, comparing a third digital signature of that code and data with the corresponding benchmark digital signature and checking whether they match.
Verifying the integrity of the driver files and device files comprises: checking that a fourth digital signature of the driver files and device files matches the corresponding benchmark digital signature.
Preferably, measuring the driver files and device files in the driver execution environment and driver programs comprises: scanning the OPROM (option ROM) memory and computing the digital signatures of the driver files and device files pre-loaded in it.
Preferably, measuring the benchmark digital signatures of the hardware information, the TPM, the EFI initialization module, the server's code and data from power-on through the boot-loading stage, and the driver files and device files comprises: when the initialized operating system starts for the first time, selecting a hash algorithm; computing with it a first fixed-length hash value for each of the hardware information, the TPM, the EFI initialization module, the server's code and data from power-on through the boot-loading stage, and the driver files and device files; signing each first fixed-length hash value with the private key of a signature algorithm to generate the benchmark digital signature; and storing the benchmark digital signatures in the secure storage space.
Preferably, determining that a digital signature matches a benchmark digital signature comprises: computing with the hash algorithm the second fixed-length hash value of the file information, decrypting (opening) the benchmark digital signature to recover the corresponding first fixed-length hash value, and determining that the second fixed-length hash value equals that first fixed-length hash value.
Preferably, the method further comprises: when an integrity verification fails, issuing a notification and letting an authorized user choose either to disable the trusted-boot function or to intervene manually.
A trust chain construction apparatus, in which an ARM processor has a secure storage space for storing hardware information as the root of trust, further comprises:
a power-on self-test unit for starting the TPM on the basis of the hardware information in the secure storage space, performing a power-on self-test, and determining that the TPM is available;
a first measurement and verification unit for using the TPM to measure the code and data of the EFI initialization module and of the server from power-on through the boot-loading stage, verifying whether they are intact and, if so, triggering the loading unit;
the loading unit, for loading the code and data of the EFI initialization module and of the server from power-on through the boot-loading stage that the first measurement and verification unit has verified as intact;
a second measurement and verification unit for using the EFI initialization module loaded by the loading unit to measure the driver files and device files in the driver execution environment and driver programs, and for verifying the integrity of the driver files and device files.
Preferably, the apparatus further comprises a benchmark measurement unit, wherein:
the benchmark measurement unit measures the benchmark digital signatures of the hardware information, the TPM, the EFI initialization module, the server's code and data from power-on through the boot-loading stage, and the driver files and device files;
the power-on self-test unit measures the first digital signature of the hardware information and determines that it matches the benchmark digital signature of the hardware information measured by the benchmark measurement unit, and measures the second digital signature of the TPM and determines that it matches the benchmark digital signature of the TPM measured by the benchmark measurement unit;
the first measurement and verification unit, in a hardware-protected trusted measurement environment, compares the third digital signature of the code and data of the EFI initialization module and of the server from power-on through the boot-loading stage with the corresponding benchmark digital signature measured by the benchmark measurement unit, and checks whether they match;
the second measurement and verification unit checks that the fourth digital signature of the driver files and device files matches the corresponding benchmark digital signature measured by the benchmark measurement unit.
Preferably, the benchmark measurement unit, when the initialized operating system starts for the first time, selects a hash algorithm, computes with it the first fixed-length hash value of each of the hardware information, the TPM, the EFI initialization module, the server's code and data from power-on through the boot-loading stage, and the driver files and device files, signs each first fixed-length hash value with the private key of the signature algorithm to generate the benchmark digital signature, and stores the benchmark digital signatures in the secure storage space.
Preferably, the first measurement and verification unit computes with the hash algorithm the second fixed-length hash value of the code and data of the EFI initialization module and of the server from power-on through the boot-loading stage, decrypts the benchmark digital signature to recover the corresponding first fixed-length hash value, and determines that the two hash values are equal.
Preferably, the second measurement and verification unit computes with the hash algorithm the second fixed-length hash value of the driver files and device files in the driver execution environment and driver programs, decrypts the benchmark digital signature to recover the corresponding first fixed-length hash value, and determines that the two hash values are equal.
The embodiments of the invention thus provide a trust chain construction method and apparatus. The method partitions a secure storage space for the ARM processor and stores hardware information in it as the root of trust; starts the TPM on the basis of that root of trust, performs a power-on self-test and determines that the TPM is available; uses the TPM to measure the code and data of the EFI initialization module and of the server from power-on through the boot-loading stage; verifies whether they are intact and, if so, loads them; uses the loaded EFI initialization module and boot code to measure the driver files and device files in the driver execution environment and driver programs; and verifies the integrity of the driver files and device files. Because hardware information is hard to tamper with, using it as the root of trust guarantees the credibility of the root; storing the root of trust in a dedicated secure storage space guarantees it further, so the credibility of the root of trust is effectively improved.
Accompanying drawing explanation
To describe the technical solutions of the embodiments of the invention, or of the prior art, more clearly, the drawings needed for the embodiments are briefly introduced below. The drawings described below show only some embodiments of the invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow chart of a trust chain construction method provided by one embodiment of the invention;
Fig. 2 is a flow chart of a trust chain construction method provided by another embodiment of the invention;
Fig. 3 is a schematic diagram of the hardware architecture of the equipment hosting the trust chain construction apparatus provided by one embodiment of the invention;
Fig. 4 is a schematic structural diagram of a trust chain construction apparatus provided by one embodiment of the invention;
Fig. 5 is a schematic structural diagram of a trust chain construction apparatus provided by another embodiment of the invention.
Detailed description of the invention
To make the purpose, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the invention; all other embodiments obtained by a person of ordinary skill in the art without creative effort on the basis of these embodiments fall within the scope of protection of the invention.
As shown in Fig. 1, an embodiment of the invention provides a trust chain construction method comprising the following steps:
Step 101: partition a secure storage space for the ARM processor and store hardware information in it as the root of trust;
Step 102: start the TPM on the basis of the root of trust, perform a power-on self-test, and determine that the TPM is available;
Step 103: use the TPM to measure the code and data of the EFI initialization module and of the server from power-on through the boot-loading stage;
Step 104: verify whether that code and data are intact; if so, perform step 105, otherwise perform step 108;
Step 105: load the code and data of the EFI initialization module and of the server from power-on through the boot-loading stage;
Step 106: use the loaded EFI initialization module and boot code to measure the driver files and device files in the driver execution environment and driver programs;
Step 107: verify that the driver files and device files are intact, and end the current flow;
Step 108: do not load the code and data of the EFI initialization module and of the server from power-on through the boot-loading stage.
In the embodiment shown in Fig. 1, a secure storage space is partitioned for the ARM processor and hardware information is stored in it as the root of trust; the TPM is started on the basis of that root of trust, a power-on self-test is performed and the TPM is determined to be available; the TPM is used to measure the code and data of the EFI initialization module and of the server from power-on through the boot-loading stage; that code and data are verified for integrity and, if intact, loaded; the loaded EFI initialization module and boot code are used to measure the driver files and device files in the driver execution environment and driver programs; and the integrity of the driver files and device files is verified. Because hardware information is hard to tamper with, using it as the root of trust guarantees the credibility of the root; storing the root of trust in a dedicated secure storage space guarantees it further, so the credibility of the root of trust is effectively improved.
In one embodiment, to ensure the accuracy of every link in the chain and the mutual authentication between links, the method further comprises measuring the benchmark digital signatures of the hardware information, the TPM, the EFI initialization module, the server's code and data from power-on through the boot-loading stage, and the driver files and device files. Step 102 then comprises: measuring the first digital signature of the hardware information and determining that it matches the benchmark digital signature of the hardware information, and measuring the second digital signature of the TPM and determining that it matches the benchmark digital signature of the TPM. Step 104 comprises: in a hardware-protected trusted measurement environment, comparing the third digital signature of the code and data of the EFI initialization module and of the server from power-on through the boot-loading stage with the corresponding benchmark digital signature and checking whether they match. Step 107 comprises: checking that the fourth digital signature of the driver files and device files matches the corresponding benchmark digital signature.
In one embodiment, step 106 comprises: scanning the OPROM memory and computing the digital signatures of the driver files and device files pre-loaded in it.
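The patent does not say how the option ROM is walked, only that its pre-loaded driver and device files are scanned and their digests computed. The following is an added example, not code from the patent: a Python scanner that follows the image chain of a PCI expansion ROM as laid out by the PCI Firmware Specification (0x55AA signature, 16-bit pointer at offset 0x18 to the "PCIR" structure, image length in 512-byte units at PCIR+0x10, code type at PCIR+0x14, last-image bit at PCIR+0x15), hashes each image separately and compares the result with a baseline. The two-image ROM (one legacy x86 image, one EFI image for the same device) and its vendor/device IDs are constructed test data; `make_image`, `scan_option_rom` and `verify_option_rom` are names chosen here.

```python
import hashlib
import struct

# PCI Firmware Specification layout of an expansion ROM image and its PCIR structure.
ROM_SIG = b"\x55\xAA"      # expansion ROM signature at image offset 0
PCIR_PTR = 0x18            # 16-bit LE offset of the "PCIR" structure, relative to the image
PCIR_IMAGE_LEN = 0x10      # image length in 512-byte units
PCIR_CODE_TYPE = 0x14      # 0 = x86 BIOS, 1 = Open Firmware, 2 = PA-RISC, 3 = EFI
PCIR_INDICATOR = 0x15      # bit 7 set on the last image in the ROM
CODE_TYPES = {0: "x86", 1: "OpenFirmware", 2: "PA-RISC", 3: "EFI"}


def scan_option_rom(rom: bytes) -> list:
    """Walk the image chain of a PCI option ROM and return one record per image:
    its offset, a vendor:device/code-type id and the SHA-256 of the whole image."""
    images, off = [], 0
    while True:
        if rom[off:off + 2] != ROM_SIG:
            raise ValueError(f"no ROM signature at image offset 0x{off:x}")
        pcir = off + struct.unpack_from("<H", rom, off + PCIR_PTR)[0]
        if rom[pcir:pcir + 4] != b"PCIR":
            raise ValueError(f"image at 0x{off:x} has no PCIR structure")
        vendor, device = struct.unpack_from("<HH", rom, pcir + 4)
        length = struct.unpack_from("<H", rom, pcir + PCIR_IMAGE_LEN)[0] * 512
        code_type = rom[pcir + PCIR_CODE_TYPE]
        last = bool(rom[pcir + PCIR_INDICATOR] & 0x80)
        # A bogus length is itself a finding: refuse rather than hash out of bounds.
        if length == 0 or off + length > len(rom):
            raise ValueError(f"image at 0x{off:x} declares bad length {length}")
        image = rom[off:off + length]
        images.append({
            "offset": off,
            "id": f"{vendor:04x}:{device:04x}/{CODE_TYPES.get(code_type, code_type)}",
            "sha256": hashlib.sha256(image).hexdigest(),
        })
        if last:
            return images
        off += length


def build_rom_baseline(rom: bytes) -> dict:
    """Reference digests taken at the first trusted boot (id -> sha256)."""
    return {img["id"]: img["sha256"] for img in scan_option_rom(rom)}


def verify_option_rom(rom: bytes, baseline: dict) -> list:
    """Ids of images whose digest differs from, or is missing in, the baseline."""
    return [img["id"] for img in scan_option_rom(rom)
            if baseline.get(img["id"]) != img["sha256"]]


def make_image(vendor, device, code_type, units, payload, last):
    """Constructed option ROM image of units*512 bytes (test data, not a real ROM)."""
    img = bytearray(units * 512)
    img[0:2] = ROM_SIG
    struct.pack_into("<H", img, PCIR_PTR, 0x40)            # PCIR placed at 0x40
    pcir = struct.pack("<4sHHHHB3sHHBBH", b"PCIR", vendor, device, 0, 0x18, 0,
                       b"\x00\x00\x02", units, 0, code_type, 0x80 if last else 0, 0)
    img[0x40:0x40 + len(pcir)] = pcir
    img[0x60:0x60 + len(payload)] = payload                  # driver code stand-in
    return bytes(img)


# Constructed sample ROM: a legacy x86 image followed by an EFI image for the same device.
GOOD_ROM = (make_image(0x1234, 0x5678, 0, 2, b"legacy x86 init code", False)
            + make_image(0x1234, 0x5678, 3, 3, b"EFI driver for the same device", True))

if __name__ == "__main__":
    baseline = build_rom_baseline(GOOD_ROM)
    tampered = bytearray(GOOD_ROM)
    tampered[1024 + 0x60] ^= 0xFF                            # flip a byte in the EFI image
    print("clean:   ", verify_option_rom(GOOD_ROM, baseline))
    print("tampered:", verify_option_rom(bytes(tampered), baseline))
```

Hashing each image separately rather than the whole ROM is what lets the failure report name the EFI driver while leaving the untouched legacy image out of the finding; a ROM that declares an image length running past the end of the part is rejected instead of being hashed, since silently truncating it would let an oversized image hide code from the measurement.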
In one embodiment, to keep the benchmark digital signatures secure, measuring them comprises: when the initialized operating system starts for the first time, selecting a hash algorithm; computing with it the first fixed-length hash value of each of the hardware information, the TPM, the EFI initialization module, the server's code and data from power-on through the boot-loading stage, and the driver files and device files; signing each first fixed-length hash value with the private key of the signature algorithm to generate the benchmark digital signature; and storing the benchmark digital signatures in the secure storage space.
In one embodiment, determining that a digital signature matches a benchmark digital signature comprises: computing with the hash algorithm the second fixed-length hash value of the file information, decrypting the benchmark digital signature to recover the corresponding first fixed-length hash value, and determining that the two hash values are equal.
In one embodiment, to give the operator a choice during trust chain construction, the method further comprises: when an integrity verification fails, issuing a notification and letting an authorized user choose either to disable the trusted-boot function or to intervene manually.
To make the purpose, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and specific embodiments.
As shown in Fig. 2, an embodiment of the invention provides a trust chain construction method comprising the following steps:
Step 200: select a hash algorithm;
Step 201: partition a secure storage space for the ARM processor and store hardware information in it as the root of trust;
In this step the secure storage space can be partitioned in the ARM processor with TrustZone hardware isolation. The secure storage space is reserved for security-sensitive data, which cannot be tampered with at will, so storing the root of trust there guarantees the security of the root of trust. The hardware information includes information on the CPU, the mainboard and the TPM chip.
Step 202: measure the benchmark digital signatures of the hardware information, the TPM, the EFI initialization module, the server's code and data from power-on through the boot-loading stage, and the driver files and device files;
In this step, when the initialized operating system starts for the first time, a hash algorithm is selected and used to compute the first fixed-length hash value of each of the hardware information, the TPM, the EFI initialization module, the server's code and data from power-on through the boot-loading stage, and the driver files and device files; each first fixed-length hash value is signed with the private key of the signature algorithm to generate the benchmark digital signature, and the benchmark digital signatures are stored in the secure storage space. Signing the hash values further improves their security.
Step 203: start the TPM on the basis of the root of trust, perform a power-on self-test, and determine that the TPM is available;
In the embodiments of the invention the TPM includes TPM 2.0, which has recently brought deployment flexibility to a broad range of platforms such as servers, desktops, embedded systems, mobile devices and network equipment. In case the TPM is damaged during start-up, it is recommended that, while the server is running, the TPM data, user keys and policy data be backed up at the system level to a secure USB disk so that they can be recovered.
The first digital signature of the hardware information is measured with the hash algorithm and checked against the benchmark digital signature of the hardware information, and the second digital signature of the TPM is measured and checked against the benchmark digital signature of the TPM. This guarantees the accuracy of the TPM availability check.
Step 204: use the TPM and the hash algorithm to compute the second fixed-length hash value of the code and data of the EFI initialization module and of the server from power-on through the boot-loading stage;
Step 205: judge whether that second fixed-length hash value equals the first fixed-length hash value corresponding to the benchmark digital signature; if so, perform step 206, otherwise perform step 209;
Step 206: load the code and data of the EFI initialization module and of the server from power-on through the boot-loading stage;
Step 207: use the loaded EFI initialization module and boot code to measure the driver files and device files in the driver execution environment and driver programs;
In this step the hash algorithm is used to compute the second fixed-length hash value of the driver files and device files in the driver execution environment and driver programs.
Step 208: judge whether the driver files and device files are intact; if so, perform step 210, otherwise perform step 211;
The second fixed-length hash value of the driver files and device files in the driver execution environment and driver programs is compared with the first fixed-length hash value corresponding to the benchmark digital signature. If the two are equal, the driver files and device files are intact; if they differ, the driver files and device files are not intact.
Step 209: do not load the code and data of the EFI initialization module and of the server from power-on through the boot-loading stage, and end the current flow;
Step 210: load the driver files and device files, and end the current flow;
Step 211: do not load the driver files and device files, issue a notification, and let an authorized user choose either to disable the trusted-boot function or to intervene manually.
Throughout the process the secure storage space for the benchmark hash values can be PCR (Platform Configuration Register) memory. During verification and loading an event log is generated for each event: for example a first event log for loading the driver files and device files, and a second event log for the code and data of the EFI initialization module and of the server from power-on through the boot-loading stage, so that the user can review them.
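The Fig. 2 flow, the baseline generation of step 202 and the failure handling of steps 209 and 211 are easier to follow in code. The following is an added example and not the patent's own implementation: a Python simulation of the whole chain in the order the patent prescribes (hardware information, TPM, EFI initialization module and boot code, DXE driver files, device files). Baselines are SHA-256 digests signed with a private key, and verification recovers the digest from the signature and compares it with a fresh hash, which is exactly the "decrypt the benchmark signature" step in the text. The signature is textbook, unpadded RSA over a hard-coded key built from two Mersenne primes so that the block runs offline with the standard library only; that is a simplification for illustration and a deployment would use a padded scheme such as RSA-PSS or ECDSA with the key held in the TPM or the TrustZone secure world. The block also keeps a PCR-style running digest and an event log, since the text says the benchmark storage can be PCR memory and that each load produces a log entry. Stage names, the sample component images and all function names are constructed for the example.

```python
import hashlib

# Constructed demonstration key: p and q are the Mersenne primes 2^521-1 and 2^607-1,
# hard-coded so the example runs offline without a key-generation library. This is
# textbook (unpadded) RSA, used only because it mirrors the patent's "decrypt the
# benchmark signature to recover the reference hash"; a deployment would use RSA-PSS
# or ECDSA with the private key held in the TPM or the TrustZone secure world.
_P = 2**521 - 1
_Q = 2**607 - 1
RSA_N = _P * _Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))

# Measurement order prescribed by the patent (stage names are hypothetical).
CHAIN = ("hardware_info", "tpm", "efi_init", "dxe_drivers", "device_files")


def measure(blob: bytes) -> int:
    """Fixed-length hash of a component (the patent's 'fixed-length hash value')."""
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")


def sign_baseline(digest: int) -> int:
    """Benchmark digital signature: the digest signed with the private key."""
    return pow(digest, RSA_D, RSA_N)


def open_signature(signature: int) -> int:
    """'Decrypt' the benchmark signature with the public key to recover the digest."""
    return pow(signature, RSA_E, RSA_N)


def build_baselines(components: dict) -> dict:
    """First boot of the initialised OS: hash and sign every component. The result is
    what the patent stores in the secure storage space."""
    return {name: sign_baseline(measure(blob)) for name, blob in components.items()}


def verify_component(name: str, blob: bytes, baselines: dict) -> bool:
    """The fresh (second) hash must equal the first hash recovered from the signature."""
    return measure(blob) == open_signature(baselines[name])


def extend_pcr(pcr: bytes, digest: int) -> bytes:
    """TPM-style PCR extend, PCR = H(PCR || measurement): the register only accumulates,
    so a later stage cannot erase the record of what ran before it."""
    return hashlib.sha256(pcr + digest.to_bytes(32, "big")).digest()


def build_trust_chain(components: dict, baselines: dict) -> dict:
    """Walk the chain in order. A stage is loaded only if its measurement matches its
    baseline; on the first mismatch nothing further is loaded and the event log records
    the failure so an authorised operator can decide how to proceed (the patent's
    'notify and let the user choose')."""
    pcr = bytes(32)
    loaded, log = [], []
    for stage in CHAIN:
        blob = components[stage]
        digest = measure(blob)
        pcr = extend_pcr(pcr, digest)          # measure before load, always
        ok = verify_component(stage, blob, baselines)
        log.append((stage, f"{digest:064x}", "ok" if ok else "MISMATCH"))
        if not ok:
            return {"loaded": loaded, "failed": stage, "pcr": pcr.hex(), "log": log}
        loaded.append(stage)
    return {"loaded": loaded, "failed": None, "pcr": pcr.hex(), "log": log}


# Constructed stand-ins for the real hardware information, TPM firmware, EFI PEI/boot
# code and DXE/OPROM contents.
GOOD_SYSTEM = {
    "hardware_info": b"cpu=armv8 board=rev2 tpm=2.0",
    "tpm": b"tpm firmware image 2.0",
    "efi_init": b"PEI core + boot loader code and data",
    "dxe_drivers": b"DXE driver files",
    "device_files": b"OPROM device files",
}

if __name__ == "__main__":
    baselines = build_baselines(GOOD_SYSTEM)
    tampered = dict(GOOD_SYSTEM, dxe_drivers=b"DXE driver files + implant")
    for label, system in (("clean", GOOD_SYSTEM), ("tampered", tampered)):
        result = build_trust_chain(system, baselines)
        print(label, "loaded:", result["loaded"], "failed:", result["failed"])
        for entry in result["log"]:
            print("   ", *entry)
```

Two properties worth noting. Every stage is extended into the PCR before it is verified, so the final PCR of a tampered boot differs from the clean one even though the log also records the failure; that is what makes a later attestation meaningful. And the verifier needs only the public exponent, so the private key used at the first boot never has to be present during later boots, which is the reason the patent can keep the signed baselines in secure storage rather than the key.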
As shown in Figs. 3 and 4, an embodiment of the invention provides a trust chain construction apparatus. The apparatus embodiment can be implemented in software, in hardware, or in a combination of both. On the hardware side, Fig. 3 shows the hardware architecture of the equipment hosting the trust chain construction apparatus provided by the embodiment: besides the processor, memory, network interface and non-volatile storage shown in Fig. 3, the equipment hosting the apparatus may also include other hardware, such as a forwarding chip that handles packets. Taking software implementation as an example, as shown in Fig. 4, the apparatus as a logical entity is formed by the CPU of its host equipment reading the corresponding computer program instructions from non-volatile storage into memory and running them. The trust chain construction apparatus provided by this embodiment comprises:
an ARM processor 401 having a secure storage space for storing hardware information as the root of trust;
a power-on self-test unit 402 for starting the TPM on the basis of the hardware information in the secure storage space of the ARM processor 401, performing a power-on self-test, and determining that the TPM is available;
a first measurement and verification unit 403 for using the TPM that the power-on self-test unit 402 has determined to be available to measure the code and data of the EFI initialization module and of the server from power-on through the boot-loading stage, verifying whether they are intact and, if so, triggering a loading unit 404;
the loading unit 404, for loading the code and data of the EFI initialization module and of the server from power-on through the boot-loading stage that the first measurement and verification unit 403 has verified as intact;
a second measurement and verification unit 405 for using the EFI initialization module loaded by the loading unit 404 to measure the driver files and device files in the driver execution environment and driver programs, and for verifying the integrity of the driver files and device files.
As shown in Fig. 5, in another embodiment of the invention the trust chain construction apparatus further comprises a benchmark measurement unit 501, wherein:
the benchmark measurement unit 501 measures the benchmark digital signatures of the hardware information, the TPM, the EFI initialization module, the server's code and data from power-on through the boot-loading stage, and the driver files and device files;
the power-on self-test unit 402 measures the first digital signature of the hardware information and determines that it matches the benchmark digital signature of the hardware information measured by the benchmark measurement unit 501, and measures the second digital signature of the TPM and determines that it matches the benchmark digital signature of the TPM measured by the benchmark measurement unit 501;
the first measurement and verification unit 403, in a hardware-protected trusted measurement environment, compares the third digital signature of the code and data of the EFI initialization module and of the server from power-on through the boot-loading stage with the corresponding benchmark digital signature measured by the benchmark measurement unit 501, and checks whether they match;
the second measurement and verification unit 405 checks that the fourth digital signature of the driver files and device files matches the corresponding benchmark digital signature measured by the benchmark measurement unit 501.
In another embodiment of the invention, the benchmark measurement unit 501, when the initialized operating system starts for the first time, selects a hash algorithm, computes with it the first fixed-length hash value of each of the hardware information, the TPM, the EFI initialization module, the server's code and data from power-on through the boot-loading stage, and the driver files and device files, signs each first fixed-length hash value with the private key of the signature algorithm to generate the benchmark digital signature, and stores the benchmark digital signatures in the secure storage space.
In another embodiment of the invention, the first measurement and verification unit 403 computes with the hash algorithm the second fixed-length hash value of the code and data of the EFI initialization module and of the server from power-on through the boot-loading stage, decrypts the benchmark digital signature to recover the corresponding first fixed-length hash value, and determines that the two hash values are equal.
In still another embodiment of the process, the second metric check unit 405, by utilizing based on hash algorithm
Calculate and drive the second regular length performing environment corresponding with device file with the driving file in driver to breathe out
Uncommon value, and be decrypted benchmark digital signature, determines corresponding first solid of the second regular length cryptographic Hash
Measured length cryptographic Hash, and determine the second regular length cryptographic Hash and the first corresponding regular length cryptographic Hash one
Cause.
The contents such as the information between each unit in said apparatus is mutual, execution process, due to the present invention
Embodiment of the method is based on same design, and particular content can be found in the narration in the inventive method embodiment, this
Place repeats no more.
According to the above scheme, the embodiments of the invention have at least the following advantages:
1. A secure storage space is marked off for the ARM processor and hardware information is stored in it as the root of trust; the TPM is started based on that root of trust, a power-on self-test is performed, and the TPM is determined to be available; the TPM measures the code and data of the EFI initialization module and of the server power-on to boot-guide stage; these are verified for completeness and, if complete, loaded; the code of the EFI initialization module and of the server power-on to boot-guide stage then measures the driver files and device files in the driver execution environment and the driver program, and their integrity is verified. Because hardware information is difficult to tamper with, using it as the root of trust ensures the credibility of the root of trust; in addition, storing the root of trust in a dedicated secure storage space further ensures its credibility, so the credibility of the root of trust is effectively improved.
2. When the operating system is initialized and started for the first time, a hash algorithm is determined and used to compute a first fixed-length hash value for each of the hardware information, the TPM, the EFI initialization module, the code and data of the server power-on to boot-guide stage, and the driver files and device files; each first fixed-length hash value is signed with the private key of a signature algorithm to generate a benchmark digital signature, which is stored in the secure storage space. Signing the hash values effectively encrypts them, reducing the probability that the hash values and the files are cracked and further increasing the security of the trust chain.
3. By building the root of trust on hardware information and measuring the TPM from that root of trust, and because both the hardware information and the TPM are difficult to tamper with, the security and credibility of the measurement process are better guaranteed.
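The following Go program is an added illustration, not the patent's own code, of the benchmark and verification steps described in the embodiments above (and restated in claims 4 to 6): at first boot each component is hashed and the hash signed to form a benchmark kept in secure storage; on later boots each stage is re-hashed and checked against its benchmark, and the chain advances only while the check passes. The stage names, the component contents, SHA-256 as the hash algorithm and RSA PKCS#1 v1.5 as the signature algorithm are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Stage order of the chain (an assumption): hardware information (root of trust), TPM,
// EFI initialization module plus server power-on to boot-guide code and data, then drivers.
var stageOrder = []string{"hardware_info", "tpm", "efi_init", "drivers"}

// SecureStorage stands in for the secure storage space marked off on the ARM processor;
// it holds the first-boot benchmark signatures and (an assumption here) the verifying key.
type SecureStorage struct {
	Pub        *rsa.PublicKey
	Benchmarks map[string][]byte
}

// ConstructedComponents returns made-up stand-ins for the measured components.
func ConstructedComponents() map[string][]byte {
	return map[string][]byte{
		"hardware_info": []byte("board-serial:CONSTRUCTED-0001;cpu:armv8"),
		"tpm":           []byte("tpm-firmware-image-constructed"),
		"efi_init":      []byte("efi-init-module+boot-guide-code-constructed"),
		"drivers":       []byte("oprom-driver-and-device-files-constructed"),
	}
}

// GenerateSigningKey creates the key pair of the signature algorithm (RSA here).
func GenerateSigningKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// measure computes the fixed-length hash value of a component (SHA-256 is an assumption;
// the patent only says the hash algorithm is chosen at first boot).
func measure(component []byte) []byte {
	sum := sha256.Sum256(component)
	return sum[:]
}

// Benchmark is the first-boot step: hash each component and sign the hash with the private key.
func Benchmark(priv *rsa.PrivateKey, comps map[string][]byte) (*SecureStorage, error) {
	store := &SecureStorage{Pub: &priv.PublicKey, Benchmarks: map[string][]byte{}}
	for _, name := range stageOrder {
		sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, measure(comps[name]))
		if err != nil {
			return nil, err
		}
		store.Benchmarks[name] = sig
	}
	return store, nil
}

// VerifyStage recomputes the "second fixed-length hash value" of a component and checks it
// against the benchmark; PKCS#1 v1.5 verification is the patent's "decrypt and compare" step.
func VerifyStage(store *SecureStorage, name string, component []byte) bool {
	sig, ok := store.Benchmarks[name]
	if !ok {
		return false
	}
	return rsa.VerifyPKCS1v15(store.Pub, crypto.SHA256, measure(component), sig) == nil
}

// BuildChain loads stages in order only while each verifies; it returns the loaded stages
// and the first failing stage ("" if none), which is where claim 6's report step would apply.
func BuildChain(store *SecureStorage, comps map[string][]byte) ([]string, string) {
	loaded := []string{}
	for _, name := range stageOrder {
		if !VerifyStage(store, name, comps[name]) {
			return loaded, name
		}
		loaded = append(loaded, name)
	}
	return loaded, ""
}
```

A tampered EFI stage leaves only the hardware information and TPM stages loaded and names "efi_init" as the failing stage, matching the patent's rule that later stages are not loaded once a verification fails.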
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "includes a ..." does not exclude the existence of additional identical elements in the process, method, article or device that includes that element.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be completed by hardware driven by program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be understood that the foregoing describes only preferred embodiments of the invention, intended to illustrate its technical scheme and not to limit its scope of protection. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the invention falls within the scope of protection of the invention.
Claims (10)
1. A trust chain construction method, characterized in that a secure storage space is marked off for an ARM processor and hardware information is stored in the secure storage space as a root of trust, the method further comprising:
starting a TPM based on the root of trust, performing a power-on self-test, and determining that the TPM is available;
using the TPM to measure the code and data of the EFI initialization module and of the server power-on to boot-guide stage;
verifying whether the code and data of the EFI initialization module and of the server power-on to boot-guide stage are complete, and if so, loading the code and data of the EFI initialization module and of the server power-on to boot-guide stage;
using the code of the EFI initialization module and of the server power-on to boot-guide stage to measure the driver files and device files in the driver execution environment and the driver program;
verifying the integrity of the driver files and device files.
2. The method according to claim 1, characterized in that it further comprises: measuring the benchmark digital signatures of the hardware information, the TPM, the EFI initialization module, the code and data of the server power-on to boot-guide stage, and the driver files and device files;
determining that the TPM is available comprises: measuring a first digital signature of the hardware information and determining that the first digital signature is consistent with the benchmark digital signature of the hardware information; and measuring a second digital signature of the TPM and determining that the second digital signature is consistent with the benchmark digital signature of the TPM;
verifying whether the code and data of the EFI initialization module and of the server power-on to boot-guide stage are complete comprises: in the trusted measurement environment protected by hardware, comparing a third digital signature of the code and data of the EFI initialization module and of the server power-on to boot-guide stage with the corresponding benchmark digital signature, and checking whether the third digital signature is consistent with the corresponding benchmark digital signature;
verifying the integrity of the driver files and device files comprises: checking that a fourth digital signature of the driver files and device files is consistent with the corresponding benchmark digital signature.
3. The method according to claim 1, characterized in that measuring the driver files and device files in the driver execution environment and the driver program comprises:
scanning the OPROM memory and computing the digital signature of the driver files and device files pre-loaded in the OPROM memory.
4. The method according to claim 2, characterized in that measuring the benchmark digital signatures of the hardware information, the TPM, the EFI initialization module, the code and data of the server power-on to boot-guide stage, and the driver files and device files comprises:
when the operating system is initialized and started for the first time, determining a hash algorithm, using the hash algorithm to compute a first fixed-length hash value for each of the hardware information, the TPM, the EFI initialization module, the code and data of the server power-on to boot-guide stage, and the driver files and device files, signing each first fixed-length hash value with the private key of a signature algorithm to generate a benchmark digital signature, and storing the benchmark digital signatures in the secure storage space.
5. The method according to claim 2 or 4, characterized in that
determining that a digital signature is consistent with a benchmark digital signature comprises: using the hash algorithm to compute a second fixed-length hash value corresponding to the file information, decrypting the benchmark digital signature to obtain the first fixed-length hash value corresponding to the second fixed-length hash value, and determining that the second fixed-length hash value is consistent with the corresponding first fixed-length hash value.
6. The method according to any one of claims 1 to 4, characterized in that it further comprises:
when integrity verification fails, sending a notification, and the user selecting, in an authorized form, either to disable the trusted boot function or to intervene manually.
7. A trust chain construction device, characterized in that the ARM processor has a secure storage space, the secure storage space storing hardware information as a root of trust, the device further comprising:
a power-on self-test unit, for starting a TPM based on the hardware information in the secure storage space, performing a power-on self-test, and determining that the TPM is available;
a first metric check unit, for using the TPM to measure the code and data of the EFI initialization module and of the server power-on to boot-guide stage; and for verifying whether the code and data of the EFI initialization module and of the server power-on to boot-guide stage are complete and, if so, triggering a loading unit;
the loading unit, for loading the code and data of the EFI initialization module and of the server power-on to boot-guide stage that the first metric check unit has verified as complete;
a second metric check unit, for using the EFI initialization module loaded by the loading unit to measure the driver files and device files in the driver execution environment and the driver program; and for verifying the integrity of the driver files and device files.
8. The device according to claim 7, characterized in that it further comprises a benchmark metric unit, wherein:
the benchmark metric unit is for measuring the benchmark digital signatures of the hardware information, the TPM, the EFI initialization module, the code and data of the server power-on to boot-guide stage, and the driver files and device files;
the power-on self-test unit is for measuring a first digital signature of the hardware information and determining that the first digital signature is consistent with the benchmark digital signature of the hardware information measured by the benchmark metric unit; and for measuring a second digital signature of the TPM and determining that the second digital signature is consistent with the benchmark digital signature of the TPM measured by the benchmark metric unit;
the first metric check unit is for, in the trusted measurement environment protected by hardware, comparing a third digital signature of the code and data of the EFI initialization module and of the server power-on to boot-guide stage with the corresponding benchmark digital signature measured by the benchmark metric unit, and checking whether the third digital signature is consistent with that corresponding benchmark digital signature;
the second metric check unit is for checking that a fourth digital signature of the driver files and device files is consistent with the corresponding benchmark digital signature measured by the benchmark metric unit.
9. The device according to claim 8, characterized in that the benchmark metric unit is for:
when the operating system is initialized and started for the first time, determining a hash algorithm, using the hash algorithm to compute a first fixed-length hash value for each of the hardware information, the TPM, the EFI initialization module, the code and data of the server power-on to boot-guide stage, and the driver files and device files, signing each first fixed-length hash value with the private key of a signature algorithm to generate a benchmark digital signature, and storing the benchmark digital signatures in the secure storage space.
10. The device according to claim 8 or 9, characterized in that
the first metric check unit is for using the hash algorithm to compute the second fixed-length hash value corresponding to the code and data of the EFI initialization module and of the server power-on to boot-guide stage, decrypting the benchmark digital signature to obtain the first fixed-length hash value corresponding to the second fixed-length hash value, and determining that the second fixed-length hash value is consistent with the corresponding first fixed-length hash value;
and/or,
the second metric check unit is for using the hash algorithm to compute the second fixed-length hash value corresponding to the driver files and device files in the driver execution environment and the driver program, decrypting the benchmark digital signature to obtain the first fixed-length hash value corresponding to the second fixed-length hash value, and determining that the second fixed-length hash value is consistent with the corresponding first fixed-length hash value.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610239704.3A CN105930733A (en) | 2016-04-18 | 2016-04-18 | Trust chain construction method and apparatus |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610239704.3A CN105930733A (en) | 2016-04-18 | 2016-04-18 | Trust chain construction method and apparatus |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105930733A true CN105930733A (en) | 2016-09-07 |
Family
ID=56839865
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610239704.3A Pending CN105930733A (en) | 2016-04-18 | 2016-04-18 | Trust chain construction method and apparatus |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105930733A (en) |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108154032A (en) * | 2017-11-16 | 2018-06-12 | 中国科学院软件研究所 | Computer system root-of-trust construction method with memory integrity guarantee based on a trusted execution environment |
CN108154032B (en) * | 2017-11-16 | 2021-07-30 | 中国科学院软件研究所 | Computer system root-of-trust construction method with memory integrity guarantee function |
CN109144584A (en) * | 2018-07-27 | 2019-01-04 | 浪潮(北京)电子信息产业有限公司 | Programmable logic device and startup method, system and storage medium thereof |
US11373445B2 (en) | 2018-08-01 | 2022-06-28 | Guangdong Oppo Mobile Telecommunications Corp., Ltd. | Method and apparatus for processing data, and computer readable storage medium |
CN109245899B (en) * | 2018-09-06 | 2021-03-16 | 成都三零嘉微电子有限公司 | Trust chain design method based on the SM9 cryptographic algorithm |
CN109245899A (en) * | 2018-09-06 | 2019-01-18 | 成都三零嘉微电子有限公司 | Novel trust chain design method based on the SM9 cryptographic algorithm |
CN110109710A (en) * | 2019-05-15 | 2019-08-09 | 苏州浪潮智能科技有限公司 | OS trust chain construction method and system without a physical root of trust |
CN110109710B (en) * | 2019-05-15 | 2020-05-08 | 苏州浪潮智能科技有限公司 | Method and system for establishing an OS (operating system) trust chain without a physical root of trust |
CN110414235A (en) * | 2019-07-08 | 2019-11-05 | 北京可信华泰信息技术有限公司 | Active-immunity dual-architecture system based on ARM TrustZone |
CN110598401A (en) * | 2019-08-29 | 2019-12-20 | 青岛海尔科技有限公司 | Method and device for controlling a module in a household appliance to be powered on, and household appliance |
CN114385248A (en) * | 2020-10-22 | 2022-04-22 | 四零四科技股份有限公司 | Computing system and device for processing a trust chain |
CN114385248B (en) * | 2020-10-22 | 2024-04-23 | 四零四科技股份有限公司 | Computing system and device for processing a trust chain |
CN112511306A (en) * | 2020-11-03 | 2021-03-16 | 中国航空工业集团公司西安航空计算技术研究所 | Secure operating environment construction method based on a hybrid trust model |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20160907 |