CN105930733A - Trust chain construction method and apparatus - Google Patents

Trust chain construction method and apparatus

Info

Publication number
CN105930733A
Authority
CN
China
Prior art keywords
digital signature
benchmark
efi
file
tpm
Prior art date
Legal status (as listed by Google Patents; not a legal conclusion)
Pending
Application number
CN201610239704.3A
Other languages
Chinese (zh)
Inventor
仇伟民
戴鸿君
于治楼
Current Assignee (as listed by Google Patents)
Inspur Group Co Ltd
Original Assignee
Inspur Group Co Ltd
Application filed by Inspur Group Co Ltd; priority claimed to CN201610239704.3A; published as CN105930733A; legal status pending.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Abstract

The invention provides a trust chain construction method and apparatus. The method comprises: setting aside a secure storage space for an ARM processor and storing hardware information in that space as the root of trust; starting a TPM (Trusted Platform Module) based on the root of trust, performing a power-on self-test, and determining that the TPM is available; using the TPM to measure the code and data of the EFI (Extensible Firmware Interface) initialization module and of the server from power-on to the operating system boot stage; verifying whether that code and data are intact and, if so, loading them; using the loaded code to measure the driver files and device files in the Driver Execution Environment (DXE) and the driver programs; and verifying the integrity of the driver files and device files. The scheme effectively improves the credibility of the root of trust.

Description

Trust chain construction method and apparatus
Technical field
The present invention relates to the field of computer security, and in particular to a trust chain construction method and apparatus.
Background art
The Extensible Firmware Interface (EFI), the successor to the Basic Input/Output System (BIOS), holds the computer's basic input/output routines, system configuration information, power-on self-test program and system boot program, and provides the lowest-level and most direct hardware configuration and control for the computer. EFI is therefore a frequent target of virus and Trojan attacks. At present the integrity of EFI, that is, whether EFI has been tampered with, is mainly checked by the trust chain techniques of trusted computing.
In existing trust chain techniques a Trusted Platform Module (TPM) serves as the root of trust: it checks the integrity of EFI and builds the trust chain that starts the server. During this process the root of trust may be loaded into memory, where it can be tampered with, so the credibility of the root of trust is relatively low.
Summary of the invention
Embodiments of the present invention provide a trust chain construction method and apparatus that effectively improve the credibility of the root of trust.
A trust chain construction method, in which a secure storage space is set aside for an ARM processor and hardware information is stored in the secure storage space as the root of trust, further comprises:
starting a TPM based on the root of trust, performing a power-on self-test, and determining that the TPM is available;
using the TPM to measure the code and data of the EFI initialization module and of the server from power-on to the operating system boot stage;
verifying whether the code and data of the EFI initialization module and of the server from power-on to the OS boot stage are intact and, if so, loading that code and data;
using the code of the EFI initialization module and of the server from power-on to the OS boot stage to measure the driver files and device files in the Driver Execution Environment (DXE) and the driver programs;
verifying the integrity of the driver files and device files.
Preferably, the method further comprises: measuring the reference digital signatures of the hardware information, the TPM, the code and data of the EFI initialization module and of the server from power-on to the OS boot stage, and the driver files and device files;
determining that the TPM is available comprises: measuring a first digital signature of the hardware information and determining that the first digital signature matches the reference digital signature of the hardware information; and measuring a second digital signature of the TPM and determining that the second digital signature matches the reference digital signature of the TPM;
verifying whether the code and data of the EFI initialization module and of the server from power-on to the OS boot stage are intact comprises: in a hardware-protected trusted measurement environment, comparing a third digital signature of that code and data with the corresponding reference digital signature and checking whether the two match;
verifying the integrity of the driver files and device files comprises: checking that a fourth digital signature of the driver files and device files matches the corresponding reference digital signature.
Preferably, measuring the driver files and device files in the DXE and the driver programs comprises:
scanning the option ROM (OPROM) memory and computing the digital signatures of the driver files and device files preloaded in the OPROM memory.
Preferably, measuring the reference digital signatures of the hardware information, the TPM, the code and data of the EFI initialization module and of the server from power-on to the OS boot stage, and the driver files and device files comprises:
at the first boot of the initialized operating system, selecting a hash algorithm; using the hash algorithm to compute a first fixed-length hash value for each of the hardware information, the TPM, the EFI initialization module, the code and data of the server from power-on to the OS boot stage, and the driver files and device files; signing each first fixed-length hash value with the private key of a signature algorithm to generate the reference digital signatures; and storing the reference digital signatures in the secure storage space.
Preferably, determining that a digital signature matches a reference digital signature comprises: computing a second fixed-length hash value of the file information with the hash algorithm, decrypting the reference digital signature to obtain the first fixed-length hash value that corresponds to the second fixed-length hash value, and determining that the second fixed-length hash value matches the corresponding first fixed-length hash value.
Preferably, the method further comprises:
when an integrity check fails, issuing a notification and letting an authorized user choose either to disable the trusted boot function or to intervene manually.
A trust chain construction apparatus, in which an ARM processor has a secure storage space for storing hardware information as the root of trust, further comprises:
a power-on self-test unit, for starting the TPM based on the hardware information in the secure storage space, performing a power-on self-test, and determining that the TPM is available;
a first measurement and verification unit, for using the TPM to measure the code and data of the EFI initialization module and of the server from power-on to the OS boot stage, verifying whether that code and data are intact and, if so, triggering a loading unit;
the loading unit, for loading the code and data of the EFI initialization module and of the server from power-on to the OS boot stage that the first measurement and verification unit has verified to be intact;
a second measurement and verification unit, for using the EFI initialization module loaded by the loading unit to measure the driver files and device files in the DXE and the driver programs, and verifying the integrity of the driver files and device files.
Preferably, the apparatus further comprises a reference measurement unit, wherein:
the reference measurement unit is for measuring the reference digital signatures of the hardware information, the TPM, the code and data of the EFI initialization module and of the server from power-on to the OS boot stage, and the driver files and device files;
the power-on self-test unit is for measuring a first digital signature of the hardware information and determining that it matches the reference digital signature of the hardware information measured by the reference measurement unit, and for measuring a second digital signature of the TPM and determining that it matches the reference digital signature of the TPM measured by the reference measurement unit;
the first measurement and verification unit is for comparing, in a hardware-protected trusted measurement environment, a third digital signature of the code and data of the EFI initialization module and of the server from power-on to the OS boot stage with the corresponding reference digital signature measured by the reference measurement unit, and checking whether the two match;
the second measurement and verification unit is for checking that a fourth digital signature of the driver files and device files matches the corresponding reference digital signature measured by the reference measurement unit.
Preferably, the reference measurement unit is for, at the first boot of the initialized operating system, selecting a hash algorithm, computing with it a first fixed-length hash value for each of the hardware information, the TPM, the EFI initialization module, the code and data of the server from power-on to the OS boot stage, and the driver files and device files, signing each first fixed-length hash value with the private key of a signature algorithm to generate the reference digital signatures, and storing the reference digital signatures in the secure storage space.
Preferably, the first measurement and verification unit is for computing with the hash algorithm the second fixed-length hash value of the code and data of the EFI initialization module and of the server from power-on to the OS boot stage, decrypting the reference digital signature to obtain the corresponding first fixed-length hash value, and determining that the second fixed-length hash value matches the corresponding first fixed-length hash value.
Preferably, the second measurement and verification unit is for computing with the hash algorithm the second fixed-length hash value of the driver files and device files in the DXE and the driver programs, decrypting the reference digital signature to obtain the corresponding first fixed-length hash value, and determining that the second fixed-length hash value matches the corresponding first fixed-length hash value.
Embodiments of the present invention thus provide a trust chain construction method and apparatus in which a secure storage space is set aside for an ARM processor and hardware information is stored in that space as the root of trust; the TPM is started based on the root of trust, a power-on self-test is performed and the TPM is determined to be available; the TPM measures the code and data of the EFI initialization module and of the server from power-on to the OS boot stage; that code and data are verified and, if intact, loaded; the loaded code measures the driver files and device files in the DXE and the driver programs; and the integrity of the driver files and device files is verified. Because hardware information is difficult to tamper with, using it as the root of trust ensures the credibility of the root, and storing the root of trust in a dedicated secure storage space further ensures its credibility, so the credibility of the root of trust is effectively improved.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain further drawings from them without creative effort.
Fig. 1 is a flowchart of a trust chain construction method provided by an embodiment of the present invention;
Fig. 2 is a flowchart of a trust chain construction method provided by another embodiment of the present invention;
Fig. 3 is a schematic structural diagram of the architecture in which a trust chain construction apparatus provided by an embodiment of the present invention is located;
Fig. 4 is a schematic structural diagram of a trust chain construction apparatus provided by an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a trust chain construction apparatus provided by another embodiment of the present invention.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the drawings. Obviously the described embodiments are only some, not all, of the embodiments of the present invention; all other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the present invention.
As shown in Fig. 1, an embodiment of the present invention provides a trust chain construction method, which may comprise the following steps:
Step 101: set aside a secure storage space for the ARM processor and store hardware information in the secure storage space as the root of trust;
Step 102: start the TPM based on the root of trust, perform a power-on self-test, and determine that the TPM is available;
Step 103: using the TPM, measure the code and data of the EFI initialization module and of the server from power-on to the OS boot stage;
Step 104: verify whether the code and data of the EFI initialization module and of the server from power-on to the OS boot stage are intact; if so, go to step 105, otherwise go to step 108;
Step 105: load the code and data of the EFI initialization module and of the server from power-on to the OS boot stage;
Step 106: using the code of the EFI initialization module and of the server from power-on to the OS boot stage, measure the driver files and device files in the DXE and the driver programs;
Step 107: verify that the driver files and device files are intact, and end the current process;
Step 108: do not load the code and data of the EFI initialization module and of the server from power-on to the OS boot stage.
In the embodiment shown in Fig. 1, a secure storage space is set aside for the ARM processor and hardware information is stored in it as the root of trust; the TPM is started based on the root of trust, a power-on self-test is performed and the TPM is determined to be available; the TPM measures the code and data of the EFI initialization module and of the server from power-on to the OS boot stage; that code and data are verified and, if intact, loaded; the loaded code measures the driver files and device files in the DXE and the driver programs; and the integrity of the driver files and device files is verified. Because hardware information is difficult to tamper with, using it as the root of trust ensures the credibility of the root, and storing the root of trust in a dedicated secure storage space further ensures its credibility, so the credibility of the root of trust is effectively improved.
In an embodiment of the present invention, to ensure the accuracy of the verification at each link, the method further comprises: measuring the reference digital signatures of the hardware information, the TPM, the code and data of the EFI initialization module and of the server from power-on to the OS boot stage, and the driver files and device files. The specific implementation of step 102 comprises: measuring a first digital signature of the hardware information and determining that it matches the reference digital signature of the hardware information; and measuring a second digital signature of the TPM and determining that it matches the reference digital signature of the TPM. The specific implementation of step 104 comprises: in a hardware-protected trusted measurement environment, comparing a third digital signature of the code and data of the EFI initialization module and of the server from power-on to the OS boot stage with the corresponding reference digital signature, and checking whether the two match. The specific implementation of step 107 comprises: checking that a fourth digital signature of the driver files and device files matches the corresponding reference digital signature.
In an embodiment of the present invention, the specific implementation of step 106 comprises: scanning the OPROM memory and computing the digital signatures of the driver files and device files preloaded in the OPROM memory.
In an embodiment of the present invention, to ensure the security of the reference digital signatures, the specific implementation of measuring the reference digital signatures of the hardware information, the TPM, the code and data of the EFI initialization module and of the server from power-on to the OS boot stage, and the driver files and device files comprises: at the first boot of the initialized operating system, selecting a hash algorithm; using it to compute a first fixed-length hash value for each of the hardware information, the TPM, the EFI initialization module, the code and data of the server from power-on to the OS boot stage, and the driver files and device files; signing each first fixed-length hash value with the private key of a signature algorithm to generate the reference digital signatures; and storing the reference digital signatures in the secure storage space.
In an embodiment of the present invention, the specific implementation of determining that a digital signature matches a reference digital signature comprises: computing a second fixed-length hash value of the file information with the hash algorithm, decrypting the reference digital signature to obtain the corresponding first fixed-length hash value, and determining that the second fixed-length hash value matches the corresponding first fixed-length hash value.
In an embodiment of the present invention, to give the trust chain construction process more options, the method further comprises: when an integrity check fails, issuing a notification and letting an authorized user choose either to disable the trusted boot function or to intervene manually.
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings and specific embodiments.
As shown in Fig. 2, an embodiment of the present invention provides a trust chain construction method, which may comprise the following steps:
Step 200: select a hash algorithm;
Step 201: set aside a secure storage space for the ARM processor and store hardware information in it as the root of trust;
In this step, the secure storage space can be partitioned within the ARM processor by the TrustZone hardware isolation technique. The secure storage space is reserved for security-related use and its contents cannot be tampered with at will, so storing the root of trust in it ensures the security of the root of trust. The hardware information includes information about the CPU, the mainboard, the TPM chip and so on.
Step 202: measure the reference digital signatures of the hardware information, the TPM, the code and data of the EFI initialization module and of the server from power-on to the OS boot stage, and the driver files and device files;
In this step, at the first boot of the initialized operating system, a hash algorithm is selected and used to compute a first fixed-length hash value for each of the hardware information, the TPM, the EFI initialization module, the code and data of the server from power-on to the OS boot stage, and the driver files and device files; each first fixed-length hash value is signed with the private key of a signature algorithm to generate a reference digital signature, and the reference digital signatures are stored in the secure storage space. Signing the hash values further improves their security.
Step 203: start the TPM based on the root of trust, perform a power-on self-test, and determine that the TPM is available;
In embodiments of the present invention the TPM includes TPM 2.0, which has recently provided industry-standard installation flexibility for a wide range of platforms such as servers, desktops, embedded systems, mobile devices and network equipment. In case the TPM is damaged during boot, it is recommended that, while the server is running, the TPM data, user keys and policy data be backed up at the system level to a secure USB flash drive so that they can be restored. A first digital signature of the hardware information is measured with the hash algorithm and determined to match the reference digital signature of the hardware information, and a second digital signature of the TPM is measured and determined to match the reference digital signature of the TPM, which ensures the accuracy of the TPM availability check.
Step 204: using the TPM and the hash algorithm, compute the second fixed-length hash value of the code and data of the EFI initialization module and of the server from power-on to the OS boot stage;
Step 205: judge whether the second fixed-length hash value of the code and data of the EFI initialization module and of the server from power-on to the OS boot stage matches the first fixed-length hash value corresponding to the reference digital signature; if so, go to step 206, otherwise go to step 209;
Step 206: load the code and data of the EFI initialization module and of the server from power-on to the OS boot stage;
Step 207: using the code of the EFI initialization module and of the server from power-on to the OS boot stage, measure the driver files and device files in the DXE and the driver programs;
In this step, the second fixed-length hash value of the driver files and device files in the DXE and the driver programs is computed with the hash algorithm.
Step 208: judge whether the driver files and device files are intact; if so, go to step 210, otherwise go to step 211;
The second fixed-length hash value of the driver files and device files in the DXE and the driver programs is compared with the first fixed-length hash value corresponding to the reference digital signature: if the two match, the driver files and device files are intact; if they do not, the driver files and device files are not intact.
Step 209: do not load the code and data of the EFI initialization module and of the server from power-on to the OS boot stage, and end the current process;
Step 210: load the driver files and device files, and end the current process;
Step 211: do not load the driver files and device files, issue a notification, and let an authorized user choose either to disable the trusted boot function or to intervene manually.
Throughout the process, the secure storage space for the reference hash values may be the PCR (Platform Configuration Register) storage. During verification and loading an event log is generated for each event, for example a first event log for loading the driver files and device files and a second event log for the code and data of the EFI initialization module and of the server from power-on to the OS boot stage, so that the user can inspect them.
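The flow of steps 200 to 211, the reference-signature generation and check described in the summary, and the event log mentioned above, as an added Go example. It is not part of the patent and is not Inspur's code; the names (Stage, Baseline, Boot, ReplayLog) and the stage byte strings are constructed stand-ins, where a real implementation would read firmware volumes and option ROMs and drive the TPM. Two choices worth noting: the reference is taken at first boot, so it is trust-on-first-use and only as good as the machine's state at that moment, and the check uses Ed25519 signature verification over the SHA-256 digest, which is the scheme-independent form of the "decrypt the signature and compare hashes" wording in the text. The example also replays the event log against the PCR value, the check a user would run on the logs the text says are kept for inspection.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Stage is one link of the chain: the bytes measured before they are allowed to run.
type Stage struct {
	Name string
	Data []byte
}

// Baseline is what the patent keeps in the secure storage space after the first boot:
// the signer's public key and, per stage, a signature over SHA-256(Data).
type Baseline struct {
	PubKey ed25519.PublicKey
	Sigs   map[string][]byte
}

// Event is one boot event-log entry: the stage measured, its digest and the verdict.
type Event struct {
	Stage  string
	Digest [32]byte
	OK     bool
}

var ErrIntegrity = errors.New("integrity check failed")

// DemoKey derives the signing key from a fixed seed so runs are reproducible (demo only).
func DemoKey() ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{7}, ed25519.SeedSize))
}

// MakeBaseline plays the "first initialised OS boot" of step 202: hash each stage and
// sign the hash. It is trust-on-first-use: whatever the stages contain at that moment,
// tampered or not, becomes the reference, so it must run on a known-clean machine.
func MakeBaseline(priv ed25519.PrivateKey, stages []Stage) Baseline {
	b := Baseline{PubKey: priv.Public().(ed25519.PublicKey), Sigs: map[string][]byte{}}
	for _, s := range stages {
		d := sha256.Sum256(s.Data)
		b.Sigs[s.Name] = ed25519.Sign(priv, d[:])
	}
	return b
}

// Extend mirrors a TPM PCR extend: new = SHA-256(old || digest). A PCR can only be
// extended, never written, so its value commits to the whole ordered history.
func Extend(pcr, digest [32]byte) [32]byte {
	return sha256.Sum256(append(pcr[:], digest[:]...))
}

// Boot walks the chain in order: measure, verify against the baseline, extend the PCR,
// log the event, and only then let the stage run. The first failing stage stops the
// chain (steps 205/209 and 208/211) and is the last, OK=false, entry of the log.
func Boot(b Baseline, stages []Stage) (log []Event, pcr [32]byte, err error) {
	for _, s := range stages {
		d := sha256.Sum256(s.Data)
		sig, known := b.Sigs[s.Name]
		ok := known && ed25519.Verify(b.PubKey, d[:], sig)
		pcr = Extend(pcr, d)
		log = append(log, Event{Stage: s.Name, Digest: d, OK: ok})
		if !ok {
			return log, pcr, fmt.Errorf("%w at stage %q", ErrIntegrity, s.Name)
		}
	}
	return log, pcr, nil
}

// ReplayLog recomputes the PCR from the event log; a log that no longer replays to
// the PCR reported by Boot has been edited after the fact.
func ReplayLog(log []Event) [32]byte {
	var pcr [32]byte
	for _, e := range log {
		pcr = Extend(pcr, e.Digest)
	}
	return pcr
}

// SampleStages returns constructed stand-ins, in the patent's order, for what it measures.
func SampleStages() []Stage {
	return []Stage{
		{"hardware-info", []byte("cpu=ARMv8;board=rev2;tpm=2.0")},
		{"tpm-firmware", []byte("tpm2 firmware 1.3")},
		{"efi-init", []byte("EFI initialisation module code and data")},
		{"oprom-nic0", []byte("option ROM for NIC 0")},
		{"dxe-drivers", []byte("DXE driver files and device files")},
	}
}

func main() {
	stages := SampleStages()
	base := MakeBaseline(DemoKey(), stages)
	stages[3].Data[0] ^= 0x01 // flip one bit of the option ROM after the baseline was taken
	log, pcr, err := Boot(base, stages)
	fmt.Println(err, "entries:", len(log), "log replays to PCR:", ReplayLog(log) == pcr)
}
```

Running it shows the chain stopping at the option ROM with the three earlier stages already loaded, which is the behaviour step 211 has to handle: the notification and the authorized user's choice happen on a machine whose EFI initialization code is trusted but whose drivers are not. The private key is only needed by MakeBaseline; the measured host should hold nothing but the public key and the signatures.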
As shown in Figure 3, Figure 4, a kind of trust chain constructing device is embodiments provided.Device is real Execute example to be realized by software, it is also possible to realize by the way of hardware or software and hardware combining.From firmly For part aspect, as it is shown on figure 3, the trust chain constructing device place equipment provided for the embodiment of the present invention A kind of hardware structure diagram, except the processor shown in Fig. 3, internal memory, network interface and non-volatile Property memorizer outside, in embodiment, the equipment at device place generally can also include other hardware, as be responsible for Process forwarding chip of message etc..As a example by implemented in software, as shown in Figure 4, as a logic meaning Device in justice, is that the CPU by its place equipment is by computer journey corresponding in nonvolatile memory Sequence instruction reads and runs formation in internal memory.The trust chain constructing device that the present embodiment provides, including:
Arm processor 401 has secure memory space, and this secure memory space is used for storing as trust The hardware information of root;
Power-On Self-Test unit 402, the hardware in secure memory space based on arm processor 401 Information opens TPM, is powered up self-inspection, and determines that TPM can use;
First metric check unit 403, for the TPM utilizing Power-On Self-Test unit 402 to determine, tolerance The initialization module of EFI and server power on the code in operation guide stage and data;And verify EFI Initialization module and server power on the code in operation guide stage and data the most complete, if It is then to trigger loading unit 404;
For loading the first metric check unit 403, loading unit 404, checks that complete EFI's is initial Change module and server to power on the code in operation guide stage and data;
Second metric check unit 405, is used for the initialization mould of the EFI utilizing loading unit 404 to load Lumpiness amount drives the driving file and device file performed in environment and driver;And verify driving file Integrity with device file.
As it is shown in figure 5, in an alternative embodiment of the invention, above-mentioned trust chain constructing device, wraps further Include: benchmark metric unit 501, wherein,
Benchmark metric unit 501, for measuring hardware information, the initialization module of TPM, EFI, clothes The power on code sum in operation guide stage of business device according to this and drives the benchmark numeral of file and device file Signature;
Power-On Self-Test unit 402, for measuring the first digital signature of hardware information, determines the first numeral Sign consistent with the benchmark digital signature of the hardware information of benchmark metric unit 501 tolerance;And measure TPM The second digital signature, determine the base of the TPM of the second digital signature and benchmark metric unit 501 tolerance Quasi-digital signature is consistent;
First metric check unit 403, in the credible tolerance environment of hardware protection, by EFI's Initialization module and server power on the code in operation guide stage and data the 3rd digital signature with The benchmark digital signature of corresponding benchmark metric unit 501 tolerance compares, and checks the 3rd digital signature The most consistent with the benchmark digital signature of corresponding benchmark metric unit 501 tolerance;
Second metric check unit 405, for by drive the 4th digital signature of file and device file with The benchmark digital signature of corresponding benchmark metric unit 501 tolerance is consistent.
In another embodiment of the invention, the benchmark metric unit 501, when the operating system is initialized for the first time at startup, determines a hash algorithm, uses the hash algorithm to compute a first fixed-length hash value for each of the hardware information, the TPM, the EFI initialization module, the server's power-on boot-stage code and data, and the driver files and device files, signs the first fixed-length hash values with the private key of a signature algorithm to generate the benchmark digital signatures, and stores the benchmark digital signatures in the secure memory space.
In another embodiment of the invention, the first metric check unit 403 uses the hash algorithm to compute a second fixed-length hash value of the EFI initialization module and the server's power-on boot-stage code and data, decrypts the benchmark digital signature to obtain the first fixed-length hash value corresponding to the second fixed-length hash value, and determines whether the second fixed-length hash value is consistent with the corresponding first fixed-length hash value.
In a further embodiment, the second metric check unit 405 uses the hash algorithm to compute a second fixed-length hash value of the driver files and device files in the driver execution environment and the drivers, decrypts the benchmark digital signature to obtain the first fixed-length hash value corresponding to the second fixed-length hash value, and determines whether the second fixed-length hash value is consistent with the corresponding first fixed-length hash value.
The information exchanged between the units of the device described above, the execution process and similar details are based on the same conception as the method embodiments of the invention; for specifics, refer to the description of the method embodiments, which is not repeated here.
According to the scheme above, the embodiments of the invention have at least the following advantages:
1. A secure memory space is partitioned off on the ARM processor and the hardware information is stored in that secure memory space as the root of trust; the TPM is started on the basis of that root of trust, a power-on self-test is performed, and the TPM is determined to be available. The TPM is used to measure the EFI initialization module and the server's power-on boot-stage code and data; it is verified whether the EFI initialization module and the server's power-on boot-stage code and data are complete, and if so the EFI initialization module and the server's power-on boot-stage code and data are loaded. The EFI initialization module and the server's power-on boot-stage code are used to measure the driver files and device files in the driver execution environment and the drivers, and the integrity of the driver files and device files is verified. Because hardware information is difficult to tamper with, using it as the root of trust guarantees the credibility of the root of trust; in addition, partitioning off a secure memory space and storing the root of trust in it further guarantees the credibility of the root of trust, so the credibility of the root of trust is effectively improved.
2. When the operating system is initialized for the first time at startup, a hash algorithm is determined and used to compute a first fixed-length hash value for each of the hardware information, the TPM, the EFI initialization module, the server's power-on boot-stage code and data, and the driver files and device files; the first fixed-length hash values are signed with the private key of a signature algorithm to generate the benchmark digital signatures, which are stored in the secure memory space. Signing the hash values additionally encrypts them, which reduces the probability that the hash values and files are cracked and further improves the security of the trust chain.
3. By building the root of trust from the hardware information and measuring the TPM with the root of trust, and because the hardware information and the TPM are difficult to tamper with, the security and credibility of the measurement process are better guaranteed.
It should be noted that in this document relational terms such as first and second are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes that element.
Those of ordinary skill in the art will understand that all or part of the steps of the method embodiments above may be completed by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments; the storage medium includes ROM, RAM, magnetic disk, optical disk or any other medium capable of storing program code.
Finally, it should be understood that the foregoing is only a preferred embodiment of the invention, intended merely to illustrate the technical solution of the invention and not to limit its scope of protection. Any modification, equivalent substitution, improvement or the like made within the spirit and principles of the invention is included in the scope of protection of the invention.

Claims (10)

1. A trust chain construction method, characterised in that a secure memory space is partitioned off on an ARM processor and hardware information is stored in the secure memory space as a root of trust, the method further comprising:
starting a TPM on the basis of the root of trust, performing a power-on self-test, and determining that the TPM is available;
using the TPM to measure an EFI initialization module and the server's power-on boot-stage code and data;
verifying whether the EFI initialization module and the server's power-on boot-stage code and data are complete, and if so loading the EFI initialization module and the server's power-on boot-stage code and data;
using the EFI initialization module and the server's power-on boot-stage code to measure driver files and device files in a driver execution environment and drivers;
verifying the integrity of the driver files and device files.
2. The method according to claim 1, characterised in that it further comprises: measuring the benchmark digital signatures of the hardware information, the TPM, the EFI initialization module, the server's power-on boot-stage code and data, and the driver files and device files;
wherein determining that the TPM is available comprises: measuring a first digital signature of the hardware information and determining that the first digital signature is consistent with the benchmark digital signature of the hardware information; and measuring a second digital signature of the TPM and determining that the second digital signature is consistent with the benchmark digital signature of the TPM;
verifying whether the EFI initialization module and the server's power-on boot-stage code and data are complete comprises: in a hardware-protected trusted measurement environment, comparing a third digital signature of the EFI initialization module and the server's power-on boot-stage code and data with the corresponding benchmark digital signature, and checking whether the third digital signature is consistent with the corresponding benchmark digital signature;
verifying the integrity of the driver files and device files comprises: checking that a fourth digital signature of the driver files and device files is consistent with the corresponding benchmark digital signature.
3. The method according to claim 1, characterised in that measuring the driver files and device files in the driver execution environment and drivers comprises:
scanning OPROM memory and computing the digital signatures of the driver files and device files preloaded in the OPROM memory.
4. The method according to claim 2, characterised in that measuring the benchmark digital signatures of the hardware information, the TPM, the EFI initialization module, the server's power-on boot-stage code and data, and the driver files and device files comprises:
when the operating system is initialized for the first time at startup, determining a hash algorithm, using the hash algorithm to compute a first fixed-length hash value for each of the hardware information, the TPM, the EFI initialization module, the server's power-on boot-stage code and data, and the driver files and device files, signing the first fixed-length hash values with the private key of a signature algorithm to generate the benchmark digital signatures, and storing the benchmark digital signatures in the secure memory space.
5. The method according to claim 2 or 4, characterised in that
determining that a digital signature is consistent with a benchmark digital signature comprises: using the hash algorithm to compute a second fixed-length hash value corresponding to the file information, decrypting the benchmark digital signature to obtain the first fixed-length hash value corresponding to the second fixed-length hash value, and determining that the second fixed-length hash value is consistent with the corresponding first fixed-length hash value.
6. The method according to any one of claims 1 to 4, characterised in that it further comprises:
when an integrity verification fails, sending notification information and, in an authorised manner, letting the user choose whether to shut down the trusted boot function or to intervene manually.
7. A trust chain construction device, characterised in that an ARM processor has a secure memory space, the secure memory space is used to store hardware information serving as a root of trust, and the device further comprises:
a Power-On Self-Test unit, configured to start a TPM on the basis of the hardware information in the secure memory space, perform a power-on self-test, and determine that the TPM is available;
a first metric check unit, configured to use the TPM to measure an EFI initialization module and the server's power-on boot-stage code and data, and to verify whether the EFI initialization module and the server's power-on boot-stage code and data are complete and, if so, to trigger a loading unit;
the loading unit, configured to load the EFI initialization module and the server's power-on boot-stage code and data that the first metric check unit has verified to be complete;
a second metric check unit, configured to use the EFI initialization module loaded by the loading unit to measure driver files and device files in a driver execution environment and drivers, and to verify the integrity of the driver files and device files.
8. The device according to claim 7, characterised in that it further comprises a benchmark metric unit, wherein:
the benchmark metric unit is configured to measure the benchmark digital signatures of the hardware information, the TPM, the EFI initialization module, the server's power-on boot-stage code and data, and the driver files and device files;
the Power-On Self-Test unit is configured to measure a first digital signature of the hardware information and determine that the first digital signature is consistent with the benchmark digital signature of the hardware information measured by the benchmark metric unit, and to measure a second digital signature of the TPM and determine that the second digital signature is consistent with the benchmark digital signature of the TPM measured by the benchmark metric unit;
the first metric check unit is configured, in a hardware-protected trusted measurement environment, to compare a third digital signature of the EFI initialization module and the server's power-on boot-stage code and data with the corresponding benchmark digital signature measured by the benchmark metric unit, and to check whether the third digital signature is consistent with that benchmark digital signature;
the second metric check unit is configured to check that a fourth digital signature of the driver files and device files is consistent with the corresponding benchmark digital signature measured by the benchmark metric unit.
9. The device according to claim 8, characterised in that the benchmark metric unit is configured to:
when the operating system is initialized for the first time at startup, determine a hash algorithm, use the hash algorithm to compute a first fixed-length hash value for each of the hardware information, the TPM, the EFI initialization module, the server's power-on boot-stage code and data, and the driver files and device files, sign the first fixed-length hash values with the private key of a signature algorithm to generate the benchmark digital signatures, and store the benchmark digital signatures in the secure memory space.
10. The device according to claim 8 or 9, characterised in that
the first metric check unit is configured to use the hash algorithm to compute a second fixed-length hash value of the EFI initialization module and the server's power-on boot-stage code and data, decrypt the benchmark digital signature to obtain the first fixed-length hash value corresponding to the second fixed-length hash value, and determine that the second fixed-length hash value is consistent with the corresponding first fixed-length hash value;
and/or
the second metric check unit is configured to use the hash algorithm to compute a second fixed-length hash value of the driver files and device files in the driver execution environment and drivers, decrypt the benchmark digital signature to obtain the first fixed-length hash value corresponding to the second fixed-length hash value, and determine that the second fixed-length hash value is consistent with the corresponding first fixed-length hash value.
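One way to model the staged chain of the device embodiments above and of claims 1 to 6, as an added example in Python that is not code from the patent or from Inspur: the benchmark unit hashes each stage's image, signs the fixed-length hash with a private key and keeps the signature in the secure memory space; each check unit rehashes the live image, recovers the first hash by decrypting the benchmark signature with the public key, and compares the two, stopping the chain at the first mismatch. The RSA key (built from two well-known Mersenne primes), the 128-bit hash truncation, the stage names, the OPROM layout and the sample images are assumptions made so the block runs offline.

```python
"""Staged trust chain with benchmark digital signatures.

Added example for the description and claims above; not code from the patent
or from Inspur. The RSA key, hash truncation and sample images are constructed
so the block runs offline; firmware would use a TPM-resident key and a padded
signature scheme instead.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed toy signature key: two well-known Mersenne primes give a 216-bit
# modulus, large enough to hold a 128-bit hash as one integer (textbook RSA).
_P, _Q = 2**127 - 1, 2**89 - 1
N, E = _P * _Q, 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))      # private exponent (Python >= 3.8)
HASH_BYTES = 16                           # the "fixed-length hash value"

# Stage order of the chain: root of trust -> TPM -> EFI initialization module
# plus power-on boot-stage code/data -> driver files and device files.
STAGES = ("hardware_info", "tpm", "efi_init", "drivers")


def fixed_length_hash(data: bytes) -> int:
    """Hash algorithm fixed at first boot: SHA-256 truncated to HASH_BYTES."""
    return int.from_bytes(hashlib.sha256(data).digest()[:HASH_BYTES], "big")


def sign(first_hash: int) -> int:
    """Sign a first fixed-length hash with the private key: the benchmark signature."""
    return pow(first_hash, D, N)


def recover_hash(benchmark_sig: int) -> int:
    """'Decrypt' a benchmark signature with the public key to get the first hash back."""
    return pow(benchmark_sig, E, N)


@dataclass
class SecureStorage:
    """Models the secure memory space partitioned off on the ARM processor."""
    root_of_trust: bytes                                   # hardware information
    benchmarks: Dict[str, int] = field(default_factory=dict)


def scan_oprom(oprom: Dict[str, bytes]) -> bytes:
    """Measure all driver/device files preloaded in OPROM as one ordered image."""
    return b"".join(name.encode() + b"\0" + body + b"\0"
                    for name, body in sorted(oprom.items()))


def measure_benchmarks(platform: Dict[str, bytes], storage: SecureStorage) -> None:
    """First OS initialization: compute and store one benchmark signature per stage."""
    for stage in STAGES:
        source = storage.root_of_trust if stage == "hardware_info" else platform[stage]
        storage.benchmarks[stage] = sign(fixed_length_hash(source))


def check_stage(stage: str, live_data: bytes, storage: SecureStorage) -> bool:
    """Second hash of the live data must equal the first hash inside the benchmark."""
    second_hash = fixed_length_hash(live_data)
    first_hash = recover_hash(storage.benchmarks[stage])
    return second_hash == first_hash


def build_trust_chain(platform: Dict[str, bytes], storage: SecureStorage,
                      on_failure: Optional[Callable[[str], str]] = None
                      ) -> List[Tuple[str, str]]:
    """Verify the stages in order; a stage is loaded only if the previous one passed.

    On the first integrity failure the chain stops and the authorised handler
    chooses "shutdown" (disable trusted boot) or "manual" intervention (claim 6);
    without a handler the default is "shutdown".
    """
    log: List[Tuple[str, str]] = []
    for stage in STAGES:
        if check_stage(stage, platform[stage], storage):
            log.append((stage, "verified"))          # loading unit loads this stage
            continue
        decision = on_failure(stage) if on_failure else "shutdown"
        log.append((stage, "failed:" + decision))
        break
    return log


def sample_platform() -> Dict[str, bytes]:
    """Constructed stand-ins for the images a server would measure at boot."""
    oprom = {"net0.efi": b"NET DRIVER v1", "raid0.rom": b"RAID OPROM v3"}
    return {
        "hardware_info": b"board=ABC-1 cpu=ARMv8 serial=0000",
        "tpm": b"TPM firmware image",
        "efi_init": b"EFI init module + boot-stage code and data",
        "drivers": scan_oprom(oprom),
    }


if __name__ == "__main__":
    plat = sample_platform()
    store = SecureStorage(root_of_trust=plat["hardware_info"])
    measure_benchmarks(plat, store)                  # first boot
    print(build_trust_chain(plat, store))            # later boots: all verified
    plat["efi_init"] += b"\x90"                      # simulate a modified image
    print(build_trust_chain(plat, store))            # stops at efi_init
```

Because the loop breaks at the first failed stage, the driver-stage check never runs on top of an unverified EFI image, which is the property the claims rely on. Unpadded textbook RSA is used only so that the "decrypt the benchmark signature to obtain the first hash" step of the text is visible in code; a deployment would use a standard signature scheme with the key held in the TPM.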
CN201610239704.3A 2016-04-18 2016-04-18 Trust chain construction method and apparatus Pending CN105930733A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610239704.3A CN105930733A (en) 2016-04-18 2016-04-18 Trust chain construction method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610239704.3A CN105930733A (en) 2016-04-18 2016-04-18 Trust chain construction method and apparatus

Publications (1)

Publication Number Publication Date
CN105930733A true CN105930733A (en) 2016-09-07

Family

ID=56839865


Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108154032A (en) * 2017-11-16 2018-06-12 中国科学院软件研究所 A computer system root-of-trust construction method with memory integrity assurance based on a trusted execution environment
CN109144584A (en) * 2018-07-27 2019-01-04 浪潮(北京)电子信息产业有限公司 A programmable logic device and its startup method, system and storage medium
CN109245899A (en) * 2018-09-06 2019-01-18 成都三零嘉微电子有限公司 A novel trust chain design method based on the SM9 cryptographic algorithm
CN110109710A (en) * 2019-05-15 2019-08-09 苏州浪潮智能科技有限公司 An OS trust chain construction method and system without a physical root of trust
CN110414235A (en) * 2019-07-08 2019-11-05 北京可信华泰信息技术有限公司 An active-immunity dual-architecture system based on ARM TrustZone
CN110598401A (en) * 2019-08-29 2019-12-20 青岛海尔科技有限公司 Method and device for controlling module in household appliance to be powered on and household appliance
CN112511306A (en) * 2020-11-03 2021-03-16 中国航空工业集团公司西安航空计算技术研究所 Safe operation environment construction method based on mixed trust model
CN114385248A (en) * 2020-10-22 2022-04-22 四零四科技股份有限公司 Computing system and device for processing trust chain
US11373445B2 (en) 2018-08-01 2022-06-28 Guangdong Oppo Mobile Telecommunications Corp., Ltd. Method and apparatus for processing data, and computer readable storage medium


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20160907
