CN107924439A - Techniques for coordinating device boot security - Google Patents


Info

Publication number
CN107924439A
Authority
CN
China
Prior art keywords
firmware
verification
register
routine
security level
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201580082636.8A
Other languages
Chinese (zh)
Other versions
CN107924439B (en)
Inventor
姚颉文
V·J·齐默
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Intel Corp
Original Assignee
Intel Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Intel Corp
Publication of CN107924439A
Application granted
Publication of CN107924439B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F 21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
              • G06F 21/12 Protecting executable software
            • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
              • G06F 21/44 Program or device authentication
            • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
                • G06F 21/572 Secure firmware programming, e.g. of basic input output system [BIOS]
                • G06F 21/575 Secure boot
            • G06F 21/60 Protecting data
              • G06F 21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
            • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
              • G06F 21/78 Protecting specific internal or peripheral components to assure secure storage of data
          • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F 2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L 9/3236 using cryptographic hash functions
                • H04L 9/3239 involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
              • H04L 9/3247 involving digital signatures
              • H04L 9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
                • H04L 9/3265 using certificate chains, trees or paths; Hierarchical trust model
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/04 for providing a confidential data exchange among entities communicating through data packet networks
              • H04L 63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                • H04L 63/0442 wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption

Abstract

Various embodiments are generally directed to techniques for forming a chain of trust among the components of a processing device. An apparatus may include a processor component that includes verification microcode to authenticate a verification routine based on a first security credential, so as to create a chain of trust within the processing device that includes the verification microcode and the verification routine; a collection register that, when read, provides a hash value of the one or more values written to it since the initialization of the processing device; and a verification component of the verification routine to determine the security level selected for the initialization and, based on the selected security level, to authenticate the firmware based on a second security credential, so as to extend the chain of trust to include the firmware and to store in the collection register an indication of the result of the attempted authentication of the firmware.

Description

Techniques for coordinating device boot security
Background technology
The initialization procedure used to boot a processing device may be subject to differing security requirements. Government and/or corporate entities may require a higher security level to protect confidential information, including information about personnel (e.g., personnel records, customer information, etc.) and/or information about activities associated with those entities (e.g., intellectual property, aspects of projects in progress, etc.). To accommodate such a higher security level, various mechanisms may be implemented during initialization to enforce that only trusted executable routines (e.g., firmware, operating systems, application routines, etc.) are used.
However, individuals may not need and/or may not wish to have such a higher security level enforced on the processing devices they use for personal purposes. For example, an individual may want the flexibility of being able to obtain and install on such a processing device any of a variety of executable routines, which may not meet one or more of the qualifications required for an executable routine to be regarded as trusted.
Brief description of the drawings
Figures 1A and 1B each illustrate an example embodiment of a secure processing system.
Fig. 2 shows an example embodiment of providing security credentials to components of a processing device.
Fig. 3 shows an example embodiment of receiving an indication of a selected security level.
Figs. 4A and 4B together illustrate an example embodiment of authenticating a verification routine.
Fig. 5 shows an example embodiment of optionally authenticating at least one firmware.
Fig. 6 shows an example embodiment of a collection register.
Fig. 7 shows an example embodiment of an operating system or application routine analyzing a chain of trust.
Figs. 8A, 8B and 8C together illustrate a logic flow according to an embodiment.
Fig. 9 shows another logic flow according to an embodiment.
Fig. 10 shows a processing architecture according to an embodiment.
Detailed description
Various embodiments are generally directed to techniques for coordinating the formation of a chain of trust among the components of a processing device so as to more easily accommodate a change to one of those components. At least during initialization of the processing device, verification microcode incorporated into its processor component may attempt to authenticate a verification routine stored in another storage device of the processing device. Following successful authentication of the verification routine, which forms the initial portion of the chain of trust, the processor component may execute the verification routine to retrieve an indication of the security level to be enforced among the processor component and one or more executable routines of the processing device. The security level may be any of multiple security levels, including but not limited to: a relatively high security level that strictly requires multiple executable routines, up to and including the firmware, to be authenticated; a relatively low security level that forgoes one or more authentication checks; and/or an intermediate security level between the high and low security levels that includes attempting to authenticate one or more executable routines while keeping a secure record of the result. For any of a variety of reasons, the processing device may allow the security level to be set by its operator, including to allow another firmware to be used in place of the firmware, among those executable routines, that can be authenticated. In this way, a relatively high security level may be selected where the processing device is operated in an environment that requires increased resistance to malicious software (e.g., malware such as viruses, worms, etc.). Alternatively, a relatively low security level may be selected where such increased resistance to malware is deemed less important than allowing an individual operator more control over aspects of the processing device.
In some of these embodiments, one or more components of the processing device may be selected to conform to aspects of the IA-32 architecture promulgated by Intel Corporation of Santa Clara, California, and/or to aspects of the Unified Extensible Firmware Interface (UEFI) promulgated by the UEFI Forum of Beaverton, Oregon. In such embodiments, the processor component may be one of the Pentium, Itanium or Core series of processor components of Intel Corporation; the verification microcode may be incorporated into the processor component during manufacture by Intel Corporation; the verification routine may be an authenticated code module (ACM) provided by Intel Corporation; the firmware may be a basic input/output system (BIOS) provided by any of a variety of sources; and the operating system may be a version of Windows from Microsoft Corporation of Redmond, Washington, or a version of Linux provided by any of a variety of sources.
More specifically, during manufacture of the processor component that will be incorporated into the processing device, the verification microcode and at least one security credential may be incorporated into the processor component. The verification microcode may cause the processor component, during initialization within the processing device, to retrieve the verification routine, which may be stored within the processing device, and to use the at least one security credential to attempt to authenticate the verification routine as trustworthy. Initialization of the processing device may be triggered by an event such as powering up of the processing device, a software-triggered reset and/or a hardware-triggered reset. In some embodiments, the at least one security credential may be an encryption key intended for verifying a digital signature of the verification routine (or of a hash thereof). In other embodiments, other types of security credentials and/or other mechanisms may be used to authenticate the verification routine. If the verification microcode is unable to authenticate the verification routine, the processor component may refrain from taking any further action to initialize the processing device and/or may take action to render the processing device inoperable, as part of protecting the processing device.
If, however, the verification microcode is able to authenticate the verification routine, the processor component may execute instructions of the verification routine to retrieve an indication of the security level to be enforced during initialization. The indication may be retrieved as one or more bit values stored in a register and/or at a storage location at a particular address within a storage device of the processing device. In some embodiments, the security level may be selected by an operator of the processing device through a user interface (UI) provided by the processor component, where the UI may allow the operator to select the security level using a manually operable control (e.g., a keyboard and/or a mouse). In other embodiments, the security level may be selected by the operator using a jumper carried by a circuit board of the processing device, where the jumper may be moved to one of multiple positions that may each represent a different selectable security level.
In some embodiments in which a relatively high security level has been selected, the processor component may further execute instructions of the verification routine to use at least one other security credential to attempt to authenticate the firmware as trustworthy. The at least one other security credential may be an encryption key intended for verifying a digital signature of the firmware (or of a hash of the firmware), or another type of security credential for use in a different mechanism for authenticating the firmware. If the verification routine is unable to authenticate the firmware, the processor component may refrain from taking any further action to initialize the processing device and/or may take action to render the processing device inoperable, as part of protecting the processing device.
If, however, the verification routine is able to authenticate the firmware, the processor component may store in a collection register a value indicating the successful authentication of the firmware. The collection register may combine all values written to it since the initialization of the processing device began. When read, the collection register may not provide any of the values written to it. Instead, the collection register may provide a hash value derived from hashing the combination of all values written to it since the most recent initialization of the processing device. Thus, during subsequent execution of instructions of the operating system or of an application routine by the processor component, the collection register may be read to retrieve the hash value, and the hash value may be checked to verify that the firmware was successfully authenticated as trustworthy, so that the operating system and/or application routine may trust the firmware. This use of the collection register may therefore provide verification of the chain of trust formed earlier among the processor component, the verification microcode, the verification routine and the firmware. The operating system and/or application routine may determine whether to initialize and/or to make one or more features available based on this verification of the formation of the chain of trust. Further, the reliance of the operating system and/or application routine on this verification may serve to extend the chain of trust to include the operating system and/or application routine.
Alternatively or additionally, where a relatively high security level has been selected but the verification routine is unable to authenticate the firmware, the processor component may further execute the verification routine to attempt to authenticate a substitute firmware, rather than taking action to render the processing device inoperable. Compared with the firmware that could not be authenticated, the substitute firmware may support a similar range of functions, or may provide a more limited range of functions sufficient to enable the operator of the processing device to take action to correct the inability to authenticate the firmware.
In some embodiments in which a relatively low security level has been selected, the processor component may refrain from further executing instructions of the verification routine to attempt to authenticate the firmware. However, the processor component may store in the collection register a value indicating that no such authentication attempt was made. This may enable the subsequent reading of a hash value from the collection register that indicates to the operating system and/or application routine that no attempt was made to authenticate the firmware. The resulting hash value may thus serve as an indication that a chain of trust was formed only among the processor component and the verification routine, but does not include the firmware, such that it is not known whether the firmware is trustworthy. The operating system and/or application routine may rely on this indication that the chain of trust does not include the firmware to determine whether to initialize and/or to make one or more features available.
In some embodiments in which a security level intermediate between the low and high security levels has been selected, the processor component may attempt to authenticate the firmware and may store in the collection register an indication of the result of the attempt. The processor component may then proceed to retrieve at least a portion of the operating system and execute its instructions to initialize the operating system, regardless of the result of the attempt to authenticate the firmware. Again, the operating system and/or application routine may rely on the hash value read from the collection register, which may indicate either a successful or an unsuccessful attempt to authenticate the firmware, to determine whether to initialize and/or to make one or more features available.
In various embodiments, regardless of the selected security level and provided the firmware is able to be authenticated, the processor component may execute instructions of the firmware to attempt to authenticate the operating system. If the operating system is able to be authenticated, the processor component may store another value in the collection register indicating that the operating system was authenticated. The hash value produced by hashing the combination of at least the value representing the successful authentication of the firmware and the other value representing the successful authentication of the operating system may be read by an application routine and relied upon to determine whether to initialize or to make one or more features available. In this way, the chain of trust may be extended to include the operating system in addition to the processor component, the verification microcode, the verification routine and the firmware.
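The flow described in the preceding paragraphs (the verification microcode authenticates the verification routine; the routine reads the selected security level and decides whether to authenticate the firmware, or a substitute firmware when the high level is selected and the firmware fails; an authenticated firmware authenticates the operating system; every outcome is folded into the collection register, which a later reader replays to learn which chain was formed), as an added Go simulation that is not the patent's own code. Ed25519 signatures over a SHA-256 hash of each image stand in for the security credentials the page leaves unspecified, the marker strings and image bodies are constructed for the example, and behaviour the page does not specify (such as what to record when the operating system fails authentication) is called out in comments.

```go
package main

// Added example, not code from the patent: a simulation of the boot-time chain
// of trust. Ed25519 keys play the role of the "security credentials", SHA-256 is
// the hash, and the marker strings below are constructed for this example.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SecurityLevel is the operator-selected level the verification routine reads
// (from a jumper or a register in the description).
type SecurityLevel int

const (
	LevelLow SecurityLevel = iota
	LevelIntermediate
	LevelHigh
)

// Values written to the collection register (constructed for this example).
var (
	MarkerRoutineOK    = []byte("verification-routine:authenticated")
	MarkerFirmwareOK   = []byte("firmware:authenticated")
	MarkerFirmwareBad  = []byte("firmware:authentication-failed")
	MarkerFirmwareNA   = []byte("firmware:not-attempted")
	MarkerSubstituteOK = []byte("substitute-firmware:authenticated")
	MarkerOSOK         = []byte("os:authenticated")
)

// CollectionRegister folds every written value into a running SHA-256 and,
// when read, yields only that digest, never the individual values.
type CollectionRegister struct{ digest [sha256.Size]byte }

func (r *CollectionRegister) Extend(v []byte) {
	vh := sha256.Sum256(v)
	h := sha256.New()
	h.Write(r.digest[:]) // previous register contents
	h.Write(vh[:])       // hash of the new value
	copy(r.digest[:], h.Sum(nil))
}

// ExpectedDigest replays a marker sequence so an OS or application routine can
// recognise which chain of trust a register value corresponds to.
func ExpectedDigest(markers ...[]byte) [sha256.Size]byte {
	var r CollectionRegister
	for _, m := range markers {
		r.Extend(m)
	}
	return r.digest
}

// Image is an executable routine plus a signature over the SHA-256 of its body.
type Image struct {
	Name string
	Body []byte
	Sig  []byte
}

func SignImage(name string, body []byte, priv ed25519.PrivateKey) Image {
	h := sha256.Sum256(body)
	return Image{Name: name, Body: body, Sig: ed25519.Sign(priv, h[:])}
}

// Authenticate checks an image against a security credential (a public key).
func Authenticate(img Image, cred ed25519.PublicKey) bool {
	h := sha256.Sum256(img.Body)
	return ed25519.Verify(cred, h[:], img.Sig)
}

type BootResult struct {
	Halted   bool
	Reason   string
	Register [sha256.Size]byte
}

// Boot runs the initialization: microcode authenticates the verification
// routine; the routine applies the selected level to the firmware (trying the
// substitute at the high level if the firmware fails); an authenticated
// firmware then authenticates the OS. Each decision is recorded in the register.
func Boot(level SecurityLevel, routine, firmware, substitute, osImage Image,
	routineCred, firmwareCred, osCred ed25519.PublicKey) BootResult {
	var reg CollectionRegister
	if !Authenticate(routine, routineCred) {
		return BootResult{Halted: true, Reason: "verification routine not authenticated"}
	}
	reg.Extend(MarkerRoutineOK)

	firmwareTrusted := false
	switch level {
	case LevelLow:
		reg.Extend(MarkerFirmwareNA) // check skipped, but the skip is recorded
	case LevelIntermediate:
		if Authenticate(firmware, firmwareCred) {
			reg.Extend(MarkerFirmwareOK)
			firmwareTrusted = true
		} else {
			reg.Extend(MarkerFirmwareBad) // recorded; boot continues regardless
		}
	case LevelHigh:
		switch {
		case Authenticate(firmware, firmwareCred):
			reg.Extend(MarkerFirmwareOK)
			firmwareTrusted = true
		case Authenticate(substitute, firmwareCred):
			reg.Extend(MarkerSubstituteOK)
			firmwareTrusted = true
		default:
			return BootResult{Halted: true, Reason: "firmware not authenticated", Register: reg.digest}
		}
	}

	// Only an authenticated firmware carries the chain on to the OS. The page
	// does not say what is recorded when the OS fails; this example records nothing.
	if firmwareTrusted && Authenticate(osImage, osCred) {
		reg.Extend(MarkerOSOK)
	}
	return BootResult{Register: reg.digest}
}

// Scenario builds fresh keys and signed images for one run (all constructed).
// tamperFirmware / tamperSubstitute corrupt the respective body after signing
// so that its authentication fails.
func Scenario(level SecurityLevel, tamperFirmware, tamperSubstitute bool) BootResult {
	routinePub, routinePriv, _ := ed25519.GenerateKey(rand.Reader)
	fwPub, fwPriv, _ := ed25519.GenerateKey(rand.Reader)
	osPub, osPriv, _ := ed25519.GenerateKey(rand.Reader)

	routine := SignImage("verification routine", []byte("ACM body"), routinePriv)
	firmware := SignImage("firmware", []byte("BIOS body"), fwPriv)
	substitute := SignImage("substitute firmware", []byte("recovery BIOS body"), fwPriv)
	osImage := SignImage("os", []byte("OS loader body"), osPriv)
	if tamperFirmware {
		firmware.Body[0] ^= 0xff
	}
	if tamperSubstitute {
		substitute.Body[0] ^= 0xff
	}
	return Boot(level, routine, firmware, substitute, osImage, routinePub, fwPub, osPub)
}

func main() {
	cases := []struct {
		name          string
		level         SecurityLevel
		badFw, badSub bool
	}{
		{"high, good firmware", LevelHigh, false, false},
		{"high, bad firmware, substitute used", LevelHigh, true, false},
		{"high, both bad (halts)", LevelHigh, true, true},
		{"intermediate, bad firmware", LevelIntermediate, true, false},
		{"low", LevelLow, false, false},
	}
	for _, c := range cases {
		res := Scenario(c.level, c.badFw, c.badSub)
		fmt.Printf("%-38s halted=%-5v register=%s\n", c.name, res.Halted, hex.EncodeToString(res.Register[:]))
	}
}
```

The design point worth noticing is that the register never exposes the written values, only a digest over their sequence, so a reader that knows the marker vocabulary can distinguish "firmware not attempted" (low level) from "firmware failed" (intermediate level) from a full chain, while a later stage cannot rewrite history without reproducing the exact sequence of extends.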
With general reference to the notations and nomenclature used herein, portions of the detailed description that follows may be presented in terms of program procedures executed on a computer or a network of computers. These procedural descriptions and representations are used by those skilled in the art to most effectively convey the substance of their work to others skilled in the art. A procedure is here, and generally, conceived to be a self-consistent sequence of operations leading to a desired result. These operations are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical, magnetic or optical signals capable of being stored, transferred, combined, compared and otherwise manipulated. It proves convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers or the like. It should be noted, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to those quantities.
Further, these manipulations are often referred to in terms, such as adding or comparing, that are commonly associated with mental operations performed by a human operator. However, no such capability of a human operator is necessary, or desirable in most cases, in any of the operations described herein that form part of one or more embodiments. Rather, these operations are machine operations. Useful machines for performing the operations of various embodiments include general-purpose digital computers as selectively activated or configured by a computer program stored within them that is written in accordance with the teachings herein, and/or include apparatus specially constructed for the required purpose. Various embodiments also relate to apparatus or systems for performing these operations. Such apparatus may be specially constructed for the required purpose or may include a general-purpose computer. The required structure for a variety of these machines will be apparent from the description given.
Reference is now made to the drawings, wherein like reference numerals are used to refer to like elements throughout. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding thereof. It may be evident, however, that the novel embodiments can be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to facilitate their description. The intention is to cover all modifications, equivalents and alternatives within the scope of the claims.
Figure 1A is a block diagram of an embodiment of a secure processing system 1000 incorporating one or more credential devices 100, one or more remote storage devices 400 and/or a processing device 500. In the secure processing system 1000, one or more matching sets of security credentials may be provided by the one or more credential devices 100 for use by one or more components of the processing device 500, enabling one or more portions of a chain of trust to be formed among those components during initialization of the processing device 500. One or more of the executable routines of these components may be provided to the processing device 500 by the one or more remote storage devices 400.
As depicted, at least the one or more remote storage devices 400 and the processing device 500 may exchange executable routines through a network 999. Further, one or more of the executable routines so exchanged may be exchanged in encrypted form to prevent their being read and/or altered. However, one or more of these devices may also exchange, via the network 999, other data entirely unrelated to initializing the processing device 500, either with each other and/or with other devices (not shown). In various embodiments, the network 999 may be a single network possibly limited to extending within a single building or other relatively limited area, a combination of connected networks possibly extending a considerable distance, and/or may include the Internet. Thus, the network 999 may be based on any of a variety (or combination) of communications technologies by which signals may be exchanged, including without limitation wired technologies employing electrically and/or optically conductive cabling, and wireless technologies employing infrared, radio frequency or other forms of wireless transmission.
In various embodiments, the processing device 500 may incorporate a processor component 550, a storage 560, a support component 570, a jumper 510, a manually operable control 520, a display 580 and/or a network interface 590 coupling the processing device 500 to the network 999. The processor component 550 may incorporate microcode that controls various aspects of its operation, including the verification microcode 551. The support component 570 may provide various forms of hardware-implemented support logic to the processor component 550, such as a bus interface between the processor component 550 and one or more other components of the processing device 500. More specifically, as depicted, the support component 570 may incorporate a setting register 575 that, in some embodiments, provides the processor component 550 with an indication of the current state of the jumper 510 (if present). Also as depicted, the processor component 550 or the support component 570 may incorporate one or more collection registers 555a and/or 555b.
The storage 560 may store the verification routine 542, a firmware 543, an operating system (OS) 544, one or more application routines 545 and an event log 539. As depicted, the storage 560 may include a removable storage medium 569 (e.g., an optical disc, a solid-state storage device and/or a hard disk drive that can be removed from the casing of the processing device 500) from which one or more of the executable routines 542-545 may be copied to another portion of the storage 560 that may be based on a non-removable storage medium (e.g., solid-state memory and/or a hard disk drive incorporated into the casing of the processing device 500). Alternatively or additionally, one or more of the executable routines 542-545 may be retrieved from the one or more remote storage devices 400 via the network 999 and the network interface 590. Also as depicted, the verification routine 542 and/or the firmware 543 may be stored within a non-volatile storage 562 (e.g., one or more flash storage devices) based on a storage technology that allows its contents to be overwritten but that retains those contents during periods in which no power is applied. As will be explained in greater detail, an operator of the processing device 500 may use this ability to overwrite the contents of the non-volatile storage 562 to replace the firmware 543 with a substitute firmware (not shown), which may not be able to be authenticated in the way the firmware 543 can, and such an operator may use the removable storage medium 569 and/or the one or more remote storage devices 400 to effect the replacement.
Each of verification microcode 551, verification routine 542, firmware 543, OS 544 and/or one or more application routines 545 can incorporate a sequence of instructions operative on processor component 550 to implement logic to perform various functions. As will be explained in more detail, in executing at least verification microcode 551, processor component 550 can attempt to form a chain of trust among at least processor component 550, verification microcode 551 and/or verification routine 542 (using security credentials that can be provided by one or more credential devices 100). More specifically, execution of verification microcode 551 can cause processor component 550 to attempt to authenticate verification routine 542, and, assuming that authentication succeeds, execution of verification routine 542 can cause processor component 550 to attempt to authenticate firmware 543. Further, in some embodiments, if authentication of firmware 543 also succeeds, execution of firmware 543 can cause processor component 550 to attempt to authenticate OS 544.
Fig. 1B shows a block diagram of an alternate embodiment of secure processing system 1000 that includes an alternate embodiment of processing device 500. As depicted, this alternate embodiment of processing device 500 can include security controller 600, which includes processor component 650. Processor component 650 can operate as the controller processor within a controller processing environment inside security controller 600, and that environment can be kept separate from the main processing environment in which processor component 550 operates as the main processor component of processing device 500. Such separation can make the controller processing environment of processor component 650 inaccessible to malware (such as a "rogue program") that may infiltrate the main processing environment of processor component 550. This can enable processor component 650 to perform various security-related functions with at least some assurance that those functions will not be disrupted by malware present in the main processing environment.
Security controller 600 can also include collection register 555 in place of either processor component 550 or support component 570 doing so, and/or can include setting register 575 in place of support component 570 doing so. Also as depicted, processor component 650 can include verification microcode 551 in place of processor component 550 doing so. Thus, in the depicted alternate embodiment of processing device 500, it can be processor component 650 of security controller 600, rather than processor component 550, that executes verification microcode 551. In this way, the initial portion of the chain of trust among processor component 550, verification microcode 551 and verification routine 542 can be formed by processor component 650 attempting, from within the more secure controller processing environment, to authenticate verification routine 542 as trustworthy.
Referring to both Figs. 1A and 1B, regardless of whether it is processor component 550 or 650 that executes verification microcode 551 to initially form the chain of trust by attempting to authenticate verification routine 542, that authentication may require the use of security credentials provided by one or more credential devices 100. Further, the security level to be enforced in forming the chain of trust can be selected in advance of initialization, either with jumper 510 or through a user interface provided by one or both of controls 520 and display 580.
Fig. 2 depicts aspects of providing matched security credentials to enable attempts to form and extend a chain of trust among the components of processing device 500. As depicted, each of verification microcode 551, verification routine 542, firmware 543 and OS 544 can be generated using a different authoring device 200. Each authoring device 200 can be a server or other form of computing device that executes a compiler and/or other tools for generating executable routines, so as to produce a corresponding one of executable routines 551, 542, 543 and/or 544.
As is familiar to those skilled in developing the components of processing devices, the various hardware and software components of processing device 500 can be provided by different entities (e.g., different companies, educational institutions and/or government bodies) for inclusion in processing device 500 with little or no coordination among them; this includes such components as each of processor components 550 and/or 650 and each of executable routines 551, 542, 543 and/or 544. Thus, different entities may own and operate different ones of the depicted authoring devices 200 to develop and generate different ones of executable routines 551, 542, 543 and/or 544. Again by way of example, processor component 550 or 650 together with verification microcode 551 and/or verification routine 542 may be provided by Intel Corporation of Santa Clara, California; firmware 543 may be provided by any of a variety of entities; and the OS may be provided by Microsoft Corporation of Redmond, Washington, or by any of the various entities that provide a version of Linux.
However, as those skilled in the art will appreciate, although components from different source entities can be assembled into processing device 500 with little or no coordination among them, enabling a component provided by one such source entity to authenticate a component provided by another such source entity usually does require at least some degree of coordination between those entities, at least to the extent of agreeing on the source of the security credentials (e.g., encryption keys, seeds, etc.) used in that authentication. As a result, and as depicted, matched sets of security credentials can be provided to the different authoring devices 200 associated with generating different ones of executable routines 551, 542, 543 and/or 544, to enable such authentication between them.
More specifically, and by way of illustration, to enable verification microcode 551 to authenticate verification routine 542, matched security credentials 512a and 512b can be provided to the different authoring devices 200 associated with generating each of these two executable routines 551 and 542. In some embodiments, security credential 512a, provided to the authoring device 200 used in generating verification microcode 551, can include an encryption key that is embedded within verification microcode 551 (or otherwise included alongside it). Correspondingly, security credential 512b, provided to the authoring device 200 used in generating verification routine 542, can include a matched encryption key with which verification routine 542 (or a hash of it) can be digitally signed when verification routine 542 is generated, thereby enabling verification microcode 551 to authenticate verification routine 542 using the encryption key of security credential 512a. Again, and as will be discussed in greater detail, successful authentication of verification routine 542 by verification microcode 551 can enable the initial portion of the chain of trust to be formed among processor component 550, verification microcode 551 and verification routine 542.
Correspondingly, and as a further example, to enable verification routine 542 to authenticate firmware 543, matched security credentials 523a and 523b can be provided to the different authoring devices 200 associated with generating each of these two executable routines 542 and 543. In some embodiments, security credential 523a, provided to the authoring device 200 used in generating verification routine 542, can include an encryption key that is embedded within verification routine 542 (or otherwise included alongside it). Correspondingly, security credential 523b, provided to the authoring device 200 used in generating firmware 543, can include a matched encryption key with which firmware 543 (or a hash of it) can be digitally signed when firmware 543 is generated, thereby enabling verification routine 542 to authenticate firmware 543 using the encryption key of security credential 523a. As will be discussed in greater detail, successful authentication of firmware 543 by verification routine 542 can enable the chain of trust already existing among processor component 550, verification microcode 551 and verification routine 542 to be extended to include firmware 543.
As further depicted, matched security credentials 534a and 534b can similarly be provided to the authoring devices 200 associated with generating firmware 543 and OS 544, so that firmware 543 can authenticate OS 544. It should be noted that any of the matched sets of security credentials 512a and 512b, 523a and 523b, and 534a and 534b can be provided by different credential devices 100 owned and operated by different entities, or by a single entity agreed upon by all of the entities that provide the different executable routines 551, 542, 543 and 544. Alternatively, a single credential device 100 owned and operated by a single entity can generate and provide all of these security credentials. It should also be noted that, although the examples above specifically discuss the use of matched keys as security credentials, any of various other types of security credentials intended for use with any of various types of authentication techniques (e.g., hashes, hash values, certificates, seeds for random number generation, etc.) can be used in various embodiments.
Also as further depicted, a copy of verification microcode 551, together with security credential 512a, can be provided to processor component 550 or 650 by provisioning device 300. Provisioning device 300 can be incorporated into the operation of a manufacturing facility in which processor components 550 and/or 650 are manufactured. More specifically, before processor component 550 or 650 is incorporated into processing device 500, the copy of verification microcode 551 can be incorporated into processor component 550 or 650 together with security credential 512a. By way of example, provisioning device 300 may be electrically coupled to one or more pins carried on the outside of the package enclosing the semiconductor die of processor component 550 or 650, so as to provide verification microcode 551 and security credential 512a to it before processor component 550 or 650 is attached to a circuit board of processing device 500.
As previously discussed, an operator of processing device 500 may attempt to replace firmware 543 with substitute firmware (not shown) that may not include security credential 523b or 534a, and/or may not have been generated in a manner that includes a digital signature, a signed hash or any other security feature produced using security credential 523b. As a result, in executing verification routine 542, processor component 550 may be unable to authenticate such substitute firmware, and in executing such substitute firmware, processor component 550 may be unable to authenticate OS 544. Thus, as a consequence of replacing firmware 543 with such substitute firmware, it may not be possible to form a chain of trust that extends beyond processor component 550, verification microcode 551 and verification routine 542.
Fig. 3 depicts aspects of receiving and storing an indication of the selected security level to be enforced in generating a chain of trust at least among processor component 550, verification microcode 551 and verification routine 542. Setting register 575 can store a bit, byte, word or other type of value indicating the selected security level.
In some embodiments, an operator of processing device 500 can provide an indication of the selection of security level by means of jumper 510. Jumper 510 can be a conductive component that can be manually positioned among multiple conductive pins carried by a circuit board of processing device 500 so as to selectively short two of those pins, thereby choosing among at least two settings. In some embodiments, the choice between a higher security level and a lower security level can be made by the presence or absence of jumper 510 at a position in which it shorts two pins. In other embodiments, the choice of security level can be based on which pair of the multiple pins is shorted. The indication of the security level selected with jumper 510 can then be latched and stored by setting register 575 for later retrieval by processor component 550. It should be noted that, although such use of jumper 510 is specifically discussed and depicted, other manually operated mechanisms can be used, including but not limited to a rotary selector switch (such as a binary-coded rotary selector switch), a slide switch, a dual in-line package (DIP) switch, a separable conductor loop, pads on a circuit board that can be selectively bridged with conductors, etc.
In other embodiments, one or more of firmware 543, OS 544 and application routines 545 can include configuration component 548 to provide a user interface (UI) through which an operator of processing device 500 can select the security level. More precisely, in executing at least a portion of firmware 543, OS 544 and/or application routine 545, processor component 550 can be caused to execute configuration component 548. In doing so, processor component 550 can be caused to operate display 580 to present a UI that may include a menu of the different security levels the operator can choose from, and can be caused to monitor manually operable controls 520 (e.g., a keyboard and/or a pointing device such as a mouse) for an indication of their operation that conveys the selection of security level. Processor component 550 can then store that indication in setting register 575. It should be noted that setting register 575 can be implemented with non-volatile storage components that retain the indication of the selected security level even while this instance of processing device 500 is powered down and/or disconnected from any external power supply.
Returning to Figs. 1A and 1B, processor component 550 or 650 can be initialized as a result of processing device 500 being powered up (e.g., as a result of electric power first being provided to processing device 500) and/or as a result of a reset of processing device 500 triggered by hardware-based logic (e.g., support component 570) or by software (e.g., one of executable routines 542-545). In response to such initialization, processor component 550 or 650 can execute verification microcode 551, which can cause processor component 550 to retrieve verification routine 542 and attempt to authenticate it as trustworthy.
Figs. 4A and 4B together illustrate aspects of such execution of verification microcode 551 by either of processor components 550 or 650 to authenticate verification routine 542. Fig. 4A shows aspects of the authentication of verification routine 542, and Fig. 4B shows aspects of an example of retrieving at least a portion of verification routine 542. As shown in Fig. 4A, verification microcode 551 can include one or both of retrieval component 5511 and checking component 5512a. Thus, execution of verification microcode 551 by processor component 550 or 650 may entail executing one or both of its components 5511 and 5512a.
In some embodiments, the address at which verification routine 542 can be accessed within storage device 560 can be embedded (e.g., hard-coded) in verification microcode 551, so that processor component 550 or 650 (at least by default) attempts to access verification routine 542 at that address. In such embodiments, processor component 550 or 650 can execute the instructions of checking component 5512a to access at least the portion of verification routine 542 in which security credential 512b, or a signature, hash or other security credential derived from security credential 512b, can be found. Checking component 5512a can then attempt to authenticate the retrieved security credential using security credential 512a, which accompanies or is directly embedded within verification microcode 551.
In other embodiments, it may be necessary to follow a trail of one or more pointers within storage device 560 that lead to verification routine 542, in order to determine the address at which verification routine 542 is stored in storage device 560. In such other embodiments, processor component 550 or 650 can execute the instructions of retrieval component 5511 to access the first such pointer at an address in storage device 560 that can be embedded (e.g., hard-coded) in verification microcode 551. That first pointer may be the head of a trail of multiple pointers leading to the address of verification routine 542, or it may directly indicate the address of verification routine 542. Regardless of how many pointers make up such a trail, retrieval component 5511 can provide the address of verification routine 542 found at the end of the trail to checking component 5512a, so that checking component 5512a can attempt to authenticate verification routine 542.
Fig. 4B depicts an example of such a trail in an embodiment in which one or more aspects of processing device 500 are configured to conform to aspects of the IA-32 architecture promulgated by Intel Corporation of Santa Clara, California, and/or to aspects of the Unified Extensible Firmware Interface promulgated by the UEFI Forum of Beaverton, Oregon. In such an embodiment, portions of storage device 560 can be mapped into portions of a four-gigabyte address range, with security level data 541, verification routine 542, firmware 543 and table pointer 566 mapped to the upper end of that four-gigabyte address range. Table pointer 566 can point to the starting address of table 5430, which can be embedded within a portion of firmware 543. Table 5430 can include multiple pointers, among them at least firmware pointer 5433 pointing to the starting address of firmware 543, verification routine pointer 5432 pointing to the starting address of verification routine 542, and security level pointer 5431 pointing to the starting address of security level data 541.
In this example, retrieval component 5511 can first access table pointer 566 at an address within the four-gigabyte address range that can be embedded in verification microcode 551. Retrieval component 5511 can then proceed to the starting address of table 5430 pointed to by table pointer 566. Retrieval component 5511 can then proceed to verification routine pointer 5432, which can be located within table 5430 at an offset from the starting address of table 5430 that can likewise be embedded in verification microcode 551. Retrieval component 5511 can then direct checking component 5512a to access verification routine 542 at the starting address pointed to by verification routine pointer 5432, so as to begin attempting to authenticate verification routine 542.
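The trail of Fig. 4B walked in code, as an added example that is not part of the patent: the hard-coded address of table pointer 566, the layout of table 5430 and the sample memory image are assumptions, and every hop is bounds-checked against the mapped region so that a corrupted pointer is refused rather than dereferenced.

```python
import struct

# Added model (not the patent's own code) of the pointer trail of Fig. 4B: retrieval
# component 5511 reads table pointer 566 at an address hard-coded in verification
# microcode 551, follows it to table 5430, and reads pointers 5433, 5431 and 5432 there.
# Assumptions: 32-bit little-endian pointers, the hard-coded address and table layout
# below, and a constructed 4 KiB image mapped at the top of the four-gigabyte range.

TABLE_POINTER_ADDR = 0xFFFF_FFF0   # assumed address of table pointer 566 in microcode 551
FIRMWARE_PTR_OFFSET = 0x0          # assumed layout of table 5430: firmware pointer 5433,
LEVEL_PTR_OFFSET = 0x4             # security level pointer 5431,
ROUTINE_PTR_OFFSET = 0x8           # and verification routine pointer 5432


class MappedMemory:
    """The portion of storage device 560 mapped into the top of the address range."""

    def __init__(self, base: int, image: bytes) -> None:
        self.base = base
        self.image = image

    def contains(self, addr: int, length: int = 1) -> bool:
        return self.base <= addr and addr + length <= self.base + len(self.image)

    def read_u32(self, addr: int) -> int:
        # A pointer that leaves the mapped region is treated as a failed retrieval rather
        # than dereferenced: the microcode must not trust a corrupted or replaced table.
        if not self.contains(addr, 4):
            raise ValueError(f"pointer {addr:#x} leaves the mapped region")
        return struct.unpack_from("<I", self.image, addr - self.base)[0]


def follow_trail(mem: MappedMemory, head: int, offsets) -> int:
    """Dereference a trail of pointers: at each hop add the offset, then load the pointer."""
    addr = head
    for offset in offsets:
        addr = mem.read_u32(addr + offset)
    return addr


def locate_routines(mem: MappedMemory) -> dict:
    """What retrieval component 5511 hands to checking component 5512a: the starting
    addresses of verification routine 542, firmware 543 and security level data 541."""

    def via_table(offset: int) -> int:
        # hop 1: table pointer 566 -> table 5430; hop 2: entry at `offset` -> target
        return follow_trail(mem, TABLE_POINTER_ADDR, [0, offset])

    found = {
        "verification_routine_542": via_table(ROUTINE_PTR_OFFSET),
        "firmware_543": via_table(FIRMWARE_PTR_OFFSET),
        "security_level_data_541": via_table(LEVEL_PTR_OFFSET),
    }
    for name, addr in found.items():
        if not mem.contains(addr):
            raise ValueError(f"{name} at {addr:#x} is not in mapped storage")
    return found


def build_sample_image() -> MappedMemory:
    """Constructed sample: 4 KiB at 0xFFFFF000 with table 5430 at +0x100, security level
    data 541 at +0x200, verification routine 542 at +0x400 and firmware 543 at +0x800."""
    base = 0xFFFF_F000
    image = bytearray(0x1000)
    table = base + 0x100
    struct.pack_into("<III", image, table - base, base + 0x800, base + 0x200, base + 0x400)
    struct.pack_into("<I", image, TABLE_POINTER_ADDR - base, table)
    return MappedMemory(base, bytes(image))


def build_corrupted_image() -> MappedMemory:
    """Same image, but table pointer 566 has been overwritten to point outside the mapping."""
    mem = build_sample_image()
    image = bytearray(mem.image)
    struct.pack_into("<I", image, TABLE_POINTER_ADDR - mem.base, 0x0000_1000)
    return MappedMemory(mem.base, bytes(image))


if __name__ == "__main__":
    print({k: hex(v) for k, v in locate_routines(build_sample_image()).items()})
    try:
        locate_routines(build_corrupted_image())
    except ValueError as err:
        print("retrieval refused:", err)
```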
Returning to Fig. 4A, if verification routine 542 cannot be authenticated by checking component 5512a, then in some embodiments processor component 550 or 650 can be caused to refrain from performing any further operations to initialize processing device 500, and/or can take action to render processing device 500 inoperable and/or to render the data stored within processing device 500 inaccessible. Alternatively or additionally, processor component 550 or 650 can be caused to operate controls 520 and/or display 580 to present an indication of an error condition to the operator of processing device 500.
If, however, verification routine 542 can be authenticated by checking component 5512a, processor component 550 or 650 can be caused to begin executing verification routine 542. As already discussed, upon successful authentication of verification routine 542, the initial portion of the chain of trust is formed at least among processor component 550, verification microcode 551 and verification routine 542. In the example embodiment of Fig. 1A, it is processor component 550 that executes verification microcode 551, and processor component 550 can simply transition from executing verification microcode 551 to executing verification routine 542. In the example embodiment of Fig. 1B, however, it is processor component 650 that executes verification microcode 551, and processor component 650 can signal processor component 550 to begin executing verification routine 542.
Returning to Figs. 1A and 1B, regardless of the exact manner in which processor component 550 is caused to begin executing verification routine 542, processor component 550 can retrieve the indication of the security level that was selected to be enforced during initialization of processing device 500. Depending on the selected security level, processor component 550 may or may not attempt to authenticate firmware 543, and depending on the result of that authentication (if attempted), processor component 550 may or may not execute firmware 543 (or substitute firmware, if any).
Fig. 5 depicts aspects of such execution of verification routine 542 by processor component 550 to determine the selected security level and to optionally authenticate and/or begin execution of at least firmware 543. As depicted, verification routine 542 can include one or both of checking component 5422 and selection component 5423. Thus, execution of verification routine 542 by processor component 550 may entail executing one or both of components 5422 and 5423.
Processor component 550 can execute the instructions of checking component 5422 to access setting register 575 and retrieve from it the indication of the security level that was selected to be enforced during initialization of processing device 500. In some embodiments, checking component 5422 can store in collection register 555a a bit value, byte value, word value or value of another bit width that indicates the selected security level. As will be explained in greater detail, one or more of OS 544 and/or application routines 545 can later read collection register 555a to obtain a hash derived from all of the values written to collection register 555a since initialization, including the value indicating the selected security level written there by checking component 5422.
Where a relatively high security level has been selected, processor component 550 can further execute the instructions of checking component 5422 to attempt to authenticate firmware 543 as trustworthy using security credential 523a. More precisely, processor component 550 can execute the instructions of checking component 5422 to access at least the portion of firmware 543 in which security credential 523b, or a signature, hash or other security credential derived from security credential 523b, can be found. Checking component 5422 can then attempt to authenticate firmware 543 by attempting to authenticate the retrieved security credential using security credential 523a, which accompanies or is directly embedded within verification routine 542.
If firmware 543 cannot be authenticated by checking component 5422, then in some embodiments processor component 550 can be caused to refrain from performing any further operations to initialize processing device 500, and/or can take action to render processing device 500 inoperable and/or to render the data stored within processing device 500 inaccessible. Alternatively or additionally, processor component 550 or 650 can be caused to operate controls 520 and/or display 580 to present an indication of an error condition to the operator of processing device 500. If, however, checking component 5422 is able to authenticate firmware 543, processor component 550 can proceed to execute the instructions of firmware 543 to continue initialization of processing device 500. In some embodiments, processor component 550 can also store in collection register 555b a value providing an indication that firmware 543 was successfully authenticated.
An operator of processing device 500 may select such a relatively high security level where it is deemed important that processing device 500 be highly resistant to infiltration and harm by malware. The requirement of the high security level that verification routine 542 be authenticated before it is executed, and that it in turn authenticate firmware 543 before firmware 543 is executed, serves to ensure that processing device 500 will not begin executing (e.g., "booting") OS 544 if a chain of trust extending from processor component 550 through verification microcode 551 and verification routine 542 to firmware 543 cannot be formed. Further, with the indication of the selected security level thus stored in collection register 555a and the indication of successful authentication of firmware 543 thus stored in collection register 555b, OS 544 may be able to verify that the high security level was selected and that firmware 543 was successfully authenticated by verification routine 542. More precisely, OS 544 may be able to determine that a chain of trust was successfully formed under the requirements of the higher security level, such that OS 544 can regard itself as operating in a relatively secure environment and may therefore allow itself to execute and/or allow more of its features to be used. Alternatively or additionally, one or more application routines 545 can similarly access one or both of collection registers 555a and 555b to make similar determinations as to whether to allow themselves to execute and/or whether to allow more of their features to be used.
Each of collection registers 555a and 555b, on which OS 544 and/or one or more application routines 545 can rely in this way, can combine all of the values written to it since the last initialization of processing device 500 began. When read, neither of collection registers 555a-b directly provides any value that was written to it. Instead, each of collection registers 555a-b provides a hash value derived from the combination of all values written to it since processing device 500 was last initialized. Fig. 6 depicts aspects of the example functioning of each of collection registers 555a and 555b in greater detail. Each of collection registers 555a and 555b can be implemented with hardware-based gate-level or transistor-level logic. As previously stated, collection registers 555a and 555b may be implemented as part of support component 570.
As depicted, each of collection registers 555a and 555b can include cascade component 5551 and hash component 5552. Cascade component 5551 can store each value written to the corresponding one of collection registers 555a-b in a manner that concatenates the bits of each such value, so that the bit width of the combination of these values grows with each new value. For example, if every value written to one of collection registers 555a or 555b has a width of one byte (eight bits), the combination of values formed by cascade component 5551 from the values written to that collection register simply grows in bit width by one byte with each value so written.
Hash component 5552 of each of collection registers 555a and 555b can take a hash of the concatenation of values created by cascade component 5551, and that hash is provided as output whenever the corresponding one of collection registers 555a or 555b is read. Thus, reading collection register 555a or 555b does not output any of the values written to it. Instead, each of collection registers 555a and 555b, when read, outputs the hash value generated by its hash component 5552. This may help prevent malware from discovering which values verification routine 542 and/or any of the other executable routines within processing device 500 have written to either of collection registers 555a or 555b. Further, in some embodiments, the output hash value can have the same bit width as the concatenation of all values written to the corresponding one of collection registers 555a or 555b.
As a result of these behaviors of components 5551 and 5552, obtaining a particular hash value as output from one of collection registers 555a or 555b may require that a particular combination of values be written to that collection register in a particular order. Thus, any attempt by malware to cause one or the other of collection registers 555a or 555b to output a particular hash value that falsely indicates processing device 500 to be in a secure operating environment is likely to fail, because there is no way for the malware to retrieve what values were previously written to either of collection registers 555a or 555b. Further, in embodiments in which each value written to either of collection registers 555a or 555b increases the bit width of the hash value that register provides, once that bit width meets or exceeds the bit width of the hash value currently output, it may become impossible to cause the output of a hash value of a particular bit width.
Returning to Fig. 5, in some embodiments OS 544 and/or one or more application routines 545 retrieve the hash value output by each of collection registers 555a-b and compare these hash values against known hash values that indicate selection of the relatively high security level and successful authentication of firmware 543, in order to determine whether either is genuine. In other embodiments, one or both of the hash values retrieved from collection registers 555a-b can be compared against a hash derived from values, stored elsewhere, that also indicate the selected security level and/or whether authentication of firmware 543 succeeded. Fig. 7 illustrates example aspects of such a comparison in greater detail.
Specifically, Fig. 7 depicts aspects of storing a value indicating the selected security level both in collection register 555a and in event log 539, and aspects of OS 544 or application routine 545 then comparing hashes taken of those values. During execution of verification routine 542, its checking component 5422 can provide whichever of firmware 543 or substitute firmware 543a is executed with the same value indicating the selected security level that it stored in collection register 555a. That one of firmware 543 or substitute firmware 543a can then generate event log 539 as a mechanism for conveying various pieces of information related to the initialization of processing device 500 to OS 544, and can include that same value indicating the security level within it. OS 544 and/or one or more application routines 545 can then retrieve that value from event log 539 and can read the hash value from collection register 555a. OS 544 and/or one or more application routines 545 can then derive a hash value from event log 539 using the same hashing algorithm used by collection register 555a, and can compare that hash value against the hash value read from collection register 555a. If the two hash values match, OS 544 and/or one or more application routines 545 can regard the value retrieved from event log 539 as a genuine indication of the selected security level.
Returning to Fig. 5, where a relatively high security level has been selected but the verification component 5422 is unable to authenticate the firmware 543, instead of halting further initialization of the processing device 500, the processor component 550 may execute the instructions of the selection component 5423 to determine whether a substitute firmware 543a exists, and if so, the processor component 550 may further execute the instructions of the verification component 5422 to attempt to authenticate the substitute firmware 543a. In some embodiments, the substitute firmware 543a may be a "fallback" version of the firmware, usable where the firmware 543 cannot be authenticated because it has been modified or replaced, whether through a malfunction or through the malicious action of malware. As such a fallback version, the substitute firmware 543a may be more limited in function, such that it can do little more than take action to correct whatever caused the authentication of the firmware 543 to fail. Further, as previously discussed, the operator of the processing device 500 may attempt to replace the firmware 543 with a new version of the firmware 543 that the operator favors for any of a variety of reasons. However, the operator may neglect to change the selection of security level to accommodate the possibility that the new version of the firmware 543 cannot be authenticated. Thus, following the failure to authenticate the new version of the firmware 543, the use of the substitute firmware 543a as such a fallback may cause a message to be presented on the display 580 indicating that the new version of the firmware 543 could not be authenticated, so as to prompt the operator to change the security level.
Where a relatively low security level has been selected, the processor component 550 may refrain from further executing the instructions of the verification component 5422 to use the security credential 523a in attempting to authenticate the firmware 543 as trustworthy. In some embodiments, the processor component 550 may also store in the collecting register 555b a value providing an indication that no attempt was made to authenticate the firmware 543. In this way, the collecting registers 555a and 555b together may provide to the OS 544 and/or one or more of the application routines 545 an indication that a relatively low security level was selected and that no attempt was made to extend the chain of trust beyond the processor component 550, the verification microcode 551 and the verification routine 542. Thus, the firmware 543 may or may not be trustworthy. The OS 544 and/or the application routine(s) 545 may then each determine whether they will allow themselves to be executed and/or whether they will allow the use of each of more or fewer of their features.
Where the security level is selected as an intermediate level between the lower and the higher security levels, the processor component 550 may further execute the instructions of the verification component 5422 to attempt to authenticate the firmware 543 as trustworthy using the security credential 523a. The processor component 550 may then store in the collecting register 555b a value providing an indication of the result of the attempt to authenticate the firmware 543, regardless of whether that attempt succeeded. In this way, the collecting register 555a may provide to the OS 544 and/or one or more of the application routines 545 an indication that an intermediate security level was selected, in which an attempt to authenticate the firmware 543 was made in order to try to extend the chain of trust beyond the processor component 550, the verification microcode 551 and the verification routine 542. Also in this way, the collecting register 555b may provide to the OS 544 and/or one or more of the application routines 545 an indication of whether the attempt to authenticate the firmware 543 succeeded. The OS 544 and/or the application routine(s) 545 may then each determine whether they will allow themselves to be executed and/or whether they will allow the use of each of more or fewer of their features.
The operator of the processing device 500 may select the intermediate or the relatively low security level where the flexibility to replace a component such as the firmware 543 is considered more important than making the processing device 500 highly resistant to infiltration by, and security harm from, malware. The absence, at each of the low and intermediate security levels, of a requirement that the firmware 543 be authenticated before it is executed ensures that the operator can replace the firmware 543 with another firmware that may have one or more desirable features not present in the firmware 543, but that may not yet have the benefit of a security credential by which it could be authenticated. It is envisioned that such an operator of the processing device 500 may also choose to forgo the use of any form of the OS 544 and/or any form of application routine 545 that requires the formation of a chain of trust including the firmware 543. Alternatively or additionally, it is envisioned that such an operator may choose to accept the functional limitations that a form of the OS 544 and/or a form of one or more application routines 545 may automatically impose in response to the firmware 543 not being included in the chain of trust.
In some embodiments, various aspects of one or more of the low, intermediate and/or high security levels may be defined in the security level data 541. By way of example, the security level data 541 may specify whether an attempt is made to authenticate the firmware 543 when the relatively low security level is selected, and/or whether an attempt is made to authenticate the substitute firmware 543a when the relatively high security level is selected. Referring briefly back to Fig. 4B, in some embodiments the security level data 541 may be stored at an address within the storage 560 specified by the security level pointer 5431, and the verification component 5422 (or another component of the verification routine 542) may use the security level pointer 5431 as part of accessing the security level data 541.
In various embodiments, the processor component 550 may include any of a wide variety of commercially available processors. Further, one or more of these processor components may include multiple processors, a multi-threaded processor, a multi-core processor (whether the multiple cores coexist on the same or on separate dies), and/or a multi-processor architecture of some other variety by which multiple physically separate processors are linked in some way.
In various embodiments, the storage 560 may be based on any of a wide variety of information storage technologies, possibly including volatile technologies requiring the uninterrupted provision of electric power, and possibly including technologies entailing the use of machine-readable storage media that may or may not be removable. Thus, each of these storages may include any of a wide variety of types (or combination of types) of storage device, including without limitation read-only memory (ROM), random-access memory (RAM), dynamic RAM (DRAM), double-data-rate DRAM (DDR-DRAM), synchronous DRAM (SDRAM), static RAM (SRAM), programmable ROM (PROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, polymer memory (e.g., ferroelectric polymer memory), ovonic memory, phase change or ferroelectric memory, silicon-oxide-nitride-oxide-silicon (SONOS) memory, magnetic or optical cards, one or more individual ferromagnetic disk drives, or a plurality of storage devices organized into one or more arrays (e.g., multiple ferromagnetic disk drives organized into a redundant array of independent disks, or RAID array). It should be noted that although each of these storages is depicted as a single block, one or more of them may include multiple storage devices that may be based on differing storage technologies. Thus, for example, one or more of each of these depicted storages may represent a combination of an optical drive or flash memory card reader by which programs and/or data may be stored and conveyed on some form of machine-readable storage medium, a ferromagnetic disk drive to store programs and/or data locally for a relatively extended period, and one or more volatile solid-state memory devices (e.g., SRAM or DRAM) enabling relatively quick access to programs and/or data. It should also be noted that each of these storages may be made up of multiple storage components based on identical storage technology but maintained separately as a result of specialization in use (e.g., some DRAM devices employed as main storage while other DRAM devices are employed as a distinct frame buffer of a graphics controller).
In various embodiments, as described above, at least a portion of the network interface 590 may employ any of a wide variety of signaling technologies enabling these devices to be coupled to other devices. Each of these interfaces includes circuitry providing at least some of the requisite functionality to enable such coupling. However, each of these interfaces may also be at least partially implemented with sequences of instructions executed by the corresponding processor component (e.g., to implement a protocol stack or other features). Where electrically and/or optically conductive cabling is employed, these interfaces may employ signaling and/or protocols conforming to any of a variety of industry standards, including without limitation RS-232C, RS-422, USB, Ethernet (IEEE-802.3) or IEEE-1394. Where the use of wireless signal transmission is entailed, these interfaces may employ signaling and/or protocols conforming to any of a variety of industry standards, including without limitation IEEE 802.11a, 802.11b, 802.11g, 802.16, 802.20 (commonly referred to as "Mobile Broadband Wireless Access"); Bluetooth; ZigBee; or a cellular radiotelephone service such as GSM with General Packet Radio Service (GSM/GPRS), CDMA/1xRTT, Enhanced Data Rates for Global Evolution (EDGE), Evolution Data Only/Optimized (EV-DO), Evolution For Data and Voice (EV-DV), High Speed Downlink Packet Access (HSDPA), High Speed Uplink Packet Access (HSUPA), 4G LTE, etc.
Fig. 7 illustrates an embodiment of a logic flow 2100. The logic flow 2100 may be representative of some or all of the operations executed by one or more of the embodiments described herein. More specifically, the logic flow 2100 may illustrate operations performed by one or both of the processor components 550 and 560 in executing one or more of the verification microcode 551, the verification routine 542 and the firmware 543, and/or operations performed by other components of the processing device 500. In particular, the logic flow 2100 is focused on the operations that initialize the processing device 500 for use.
At 2110, a main processor component or controller processor component of a processing device (e.g., one of the processor components 550 or 650 of the processing device 500) may execute verification microcode incorporated into that processor component (e.g., the verification microcode 551) to attempt to authenticate a verification routine (e.g., the verification routine 542) that is used to authenticate firmware. If at 2112 the verification routine cannot be authenticated, then at 2114 the main or controller processor component executing the verification microcode may halt any further operations to initialize the processing device. Additionally, the processor component may operate a display and/or another component of the processing device to provide an indication of an error in the initialization of the processing device.
If, however, the verification routine can be authenticated at 2112, then at 2120 the main processor component may execute the verification routine to retrieve an indication of the selected security level. As previously discussed, the indication of the selected security level may have been provided to the processing device in advance by setting a jumper (or other similar component), or by operating manually operable controls such as a keyboard and/or a mouse as part of a user interface of a configuration component executed by the main processor component. Again, the indication of the selected security level so provided may then be stored in a settings register (e.g., the settings register 575) and/or at a location within a storage (e.g., the storage 560), from which the main processor component may retrieve it.
At 2122, the main processor component may store, in a first collecting register (e.g., the collecting register 555a), a value indicating the selected security level. As previously discussed, such a collecting register may concatenate the multiple values written to it and may provide a hash of the concatenated values in response to being read, thereby denying malware access to any direct indication of any of the values written to the collecting register. As also discussed, such a hashed value may later be retrieved from the collecting register by an OS or an application routine (e.g., the OS 544 or one of the application routines 545) and compared with one or more hashed values to determine, for example, which security level was selected.
At 2130, if the selected security level is the relatively low security level, then at 2132 the main processor component may store, in a second collecting register, a value indicating that no attempt is made to authenticate the firmware stored within the processing device (e.g., the firmware 543). Further, at 2134, the main processor component may refrain from authenticating the firmware and may begin executing the firmware to continue the initialization of the device.
If, however, the selected security level is not the relatively low security level at 2130 but is the intermediate security level at 2140, then at 2142 the main processor component may execute the verification routine to attempt to authenticate the firmware. At 2144, the main processor component may store, in the second collecting register, a value indicating the result of the attempt to authenticate the firmware, and may begin executing the firmware to continue the initialization of the device regardless of the result of that attempt.
If, however, the selected security level is not the relatively low security level at 2130 and is not the intermediate security level at 2140, then at 2150 the main processor component may execute the verification routine to attempt to authenticate the firmware. If at 2160 the firmware cannot be authenticated, then at 2162 the main processor component may halt any further operations to initialize the processing device. Additionally, the main processor component may operate a display and/or another component of the processing device to provide an indication of an error in the initialization of the processing device. If, however, the firmware can be authenticated at 2160, then at 2164 the main processor component may store, in the second collecting register, a value indicating the successful authentication of the firmware, and may begin executing the firmware to continue the initialization of the device.
Fig. 8 illustrates an embodiment of a logic flow 2200. The logic flow 2200 may be representative of some or all of the operations executed by one or more of the embodiments described herein. More specifically, the logic flow 2200 may illustrate operations performed by the processor component 550 in executing one or more of the verification routine 542, the firmware 543 and the substitute firmware 543a, and/or operations performed by other components of the processing device 500. In particular, the logic flow 2200 is focused on the operations that initialize the processing device 500 for use.
At 2210, a processor component of a processing device (e.g., the processor component 550 of the processing device 500) may execute a verification routine to attempt to authenticate firmware stored within the processing device (e.g., executing the verification routine 542 to authenticate the firmware 543). If the firmware can be authenticated at 2220, then at 2222 the processor component may store a value indicating the successful authentication of the firmware in a collecting register (e.g., the collecting register 555b), and may begin executing the firmware to continue the initialization of the processing device.
If, however, the firmware cannot be authenticated at 2220, then at 2230 the processor component may execute the verification routine to attempt to authenticate a substitute firmware stored within the processing device (e.g., the substitute firmware 543a). If the substitute firmware can be authenticated at 2240, then at 2242 the processor component may store a value indicating the successful authentication of the substitute firmware in the collecting register, and may begin executing the substitute firmware to continue the initialization of the processing device.
If, however, the substitute firmware cannot be authenticated at 2240, then at 2250 the processor component may halt any further operations to initialize the processing device. Additionally, the processor component may operate a display and/or another component of the processing device to provide an indication of an error in the initialization of the processing device.
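The two logic flows above, together with the fallback behaviour described for Fig. 5, amount to one decision procedure over the selected security level and the outcome of each authentication attempt. The Python below is an added example, not code from the patent or from Intel, that walks that procedure end to end: the microcode's check of the verification routine (2110-2114), the recording of the level in the first collecting register (2122), the three branches at 2130/2140/2150, and the substitute-firmware fallback of the logic flow 2200 in place of the bare halt at 2162. It assumes that the security credential 523a is the expected SHA-256 digest of an image (a real device would verify a signature), that the substitute firmware has its own credential, and that the registers can be represented as plain lists of recorded values; all images and credentials are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

# The three selectable security levels read back at 2120.
LOW, INTERMEDIATE, HIGH = "low", "intermediate", "high"

# Values recorded in the second collecting register (555b).
NOT_ATTEMPTED = "firmware-auth:not-attempted"   # 2132
AUTH_OK = "firmware-auth:ok"                      # 2164 / 2222
AUTH_FAILED = "firmware-auth:failed"              # 2144 (intermediate only)
SUBSTITUTE_OK = "substitute-firmware-auth:ok"     # 2242


def authenticate(image: bytes, credential: bytes) -> bool:
    """Assumed stand-in for verification component 5422: the credential is the
    expected SHA-256 digest of the image. Constant-time comparison."""
    return hmac.compare_digest(hashlib.sha256(image).digest(), credential)


@dataclass
class BootResult:
    halted: bool
    executed: Optional[str]                 # "firmware", "substitute" or None
    register_555a: List[str] = field(default_factory=list)
    register_555b: List[str] = field(default_factory=list)
    error: Optional[str] = None


def initialize(level: str, routine: bytes, routine_credential: bytes,
               firmware: bytes, firmware_credential: bytes,
               substitute: Optional[bytes] = None,
               substitute_credential: Optional[bytes] = None) -> BootResult:
    """Logic flow 2100 with the substitute-firmware fallback of flow 2200."""
    result = BootResult(halted=False, executed=None)

    # 2110/2112: the microcode must authenticate the verification routine first.
    if not authenticate(routine, routine_credential):
        result.halted = True
        result.error = "verification routine not authenticated (2114)"
        return result

    # 2120/2122: record the selected level in the first collecting register.
    result.register_555a.append(f"security-level:{level}")

    if level == LOW:
        # 2132/2134: no attempt; the chain of trust ends at the verification routine.
        result.register_555b.append(NOT_ATTEMPTED)
        result.executed = "firmware"
        return result

    authenticated = authenticate(firmware, firmware_credential)

    if level == INTERMEDIATE:
        # 2142/2144: record the outcome, then execute regardless of it.
        result.register_555b.append(AUTH_OK if authenticated else AUTH_FAILED)
        result.executed = "firmware"
        return result

    # HIGH: 2150/2160.
    if authenticated:
        result.register_555b.append(AUTH_OK)      # 2164
        result.executed = "firmware"
        return result

    # 2230/2240: try the substitute firmware if one exists.
    if (substitute is not None and substitute_credential is not None
            and authenticate(substitute, substitute_credential)):
        result.register_555b.append(SUBSTITUTE_OK)   # 2242
        result.executed = "substitute"
        return result

    # 2162 / 2250: halt and report so the operator can revisit the level.
    result.halted = True
    result.error = "firmware not authenticated; initialization halted"
    return result


# Constructed sample images and credentials (not from the patent).
ROUTINE = b"verification routine 542 (constructed)"
FIRMWARE = b"firmware 543 (constructed)"
SUBSTITUTE = b"substitute firmware 543a (constructed)"
TAMPERED = b"firmware 543 altered after credential was issued (constructed)"
ROUTINE_CRED = hashlib.sha256(ROUTINE).digest()
FIRMWARE_CRED = hashlib.sha256(FIRMWARE).digest()
SUBSTITUTE_CRED = hashlib.sha256(SUBSTITUTE).digest()

if __name__ == "__main__":
    for lvl in (LOW, INTERMEDIATE, HIGH):
        r = initialize(lvl, ROUTINE, ROUTINE_CRED, TAMPERED, FIRMWARE_CRED,
                       SUBSTITUTE, SUBSTITUTE_CRED)
        print(lvl, "->", "halted" if r.halted else r.executed, r.register_555b)
```

Running the demo with the tampered image shows the three policies side by side: the low level executes it without recording any check, the intermediate level executes it but leaves `firmware-auth:failed` for the OS to act on, and the high level refuses it and boots the substitute instead.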
Fig. 9 illustrates an embodiment of an exemplary processing architecture 3000 suitable for implementing the various embodiments described above. More specifically, the processing architecture 3000 (or variants thereof) may be implemented as part of one or more of the devices 100, 400 or 800. It should be noted that components of the processing architecture 3000 are given reference numbers in which the last two digits correspond to the last two digits of the reference numbers of at least some of the components earlier depicted and described as parts of the devices 100, 400 and 800. This is done as an aid to correlating the components of each.
The processing architecture 3000 includes various elements commonly employed in digital processing, including without limitation one or more processors, multi-core processors, co-processors, memory units, chipsets, controllers, peripherals, interfaces, oscillators, timing devices, video cards, audio cards, multimedia input/output (I/O) components, power supplies, etc. As used in this application, the terms "system" and "component" are intended to refer to an entity of a device in which digital processing is carried out, that entity being hardware, a combination of hardware and software, software, or software in execution, examples of which are provided by this depicted exemplary processing architecture. For example, a component can be, but is not limited to being, a process running on a processor component, the processor component itself, a storage device (e.g., a hard disk drive, multiple storage drives in an array, etc.) that may employ an optical and/or magnetic storage medium, a software object, an executable sequence of instructions, a thread of execution, a program, and/or an entire device (e.g., an entire computer). By way of illustration, both an application running on a server and the server itself can be components. One or more components can reside within a process and/or thread of execution, and a component can be localized on one device and/or distributed between two or more devices. Further, components may be communicatively coupled to each other by various types of communications media to coordinate operations. The coordination may involve the uni-directional or bi-directional exchange of information. For instance, the components may communicate information in the form of signals communicated over the communications media. The information can be implemented as signals allocated to one or more signal lines. A message (including a command, status, address or data message) may be one such signal or may be a plurality of such signals, and may be transmitted either serially or substantially in parallel through any of a variety of connections and/or interfaces.
As depicted, in implementing the processing architecture 3000, a device includes at least a processor component 950, a storage 960, an interface 990 to other devices, and a coupling 959. As will be explained, depending on various aspects of a device implementing the processing architecture 3000, including its intended use and/or conditions of use, such a device may further include additional components, such as without limitation a display interface 985.
The coupling 959 includes one or more buses, point-to-point interconnects, transceivers, buffers, crosspoint switches, and/or other conductors and/or logic that communicatively couple at least the processor component 950 to the storage 960. The coupling 959 may further couple the processor component 950 to one or more of the interface 990, the audio subsystem 970 and the display interface 985 (depending on which of these and/or other components are also present). With the processor component 950 so coupled by the coupling 959, the processor component 950 is able to perform the various tasks described at length above for whichever one(s) of the aforementioned devices implement the processing architecture 3000. The coupling 959 may be implemented with any of a variety of technologies, or combinations of technologies, by which signals are optically and/or electrically conveyed. Further, at least portions of the coupling 959 may employ timings and/or protocols conforming to any of a wide variety of industry standards, including without limitation Accelerated Graphics Port (AGP), CardBus, Extended Industry Standard Architecture (E-ISA), Micro Channel Architecture (MCA), NuBus, Peripheral Component Interconnect (Extended) (PCI-X), PCI Express (PCI-E), Personal Computer Memory Card International Association (PCMCIA) bus, HyperTransport™, QuickPath, etc.
As previously discussed, the processor component 950 (which may correspond to the processor component 450) may include any of a wide variety of commercially available processors, employing any of a wide variety of technologies and implemented with one or more cores physically combined in any of a number of ways.
As previously discussed, the storage 960 (which may correspond to the storage 460) may be made up of one or more distinct storage devices based on any of a wide variety of technologies or combinations of technologies. More specifically, as depicted, the storage 960 may include one or more of a volatile storage 961 (e.g., solid-state storage based on one or more forms of RAM technology), a non-volatile storage 962 (e.g., solid-state, ferromagnetic or other storage not requiring a constant provision of electric power to preserve its contents), and a removable media storage 963 (e.g., removable disk or solid-state memory card storage by which information may be conveyed between devices). This depiction of the storage 960 as possibly including multiple distinct types of storage is in recognition of the commonplace use of more than one type of storage device in a device, in which one type provides relatively rapid reading and writing capabilities enabling more rapid manipulation of data by the processor component 950 (but possibly using a "volatile" technology constantly requiring electric power), while another type provides relatively high-density non-volatile storage (but likely with relatively slow reading and writing capabilities).
Given the often differing characteristics of different storage devices employing different technologies, it is also commonplace for such different storage devices to be coupled to other portions of a device through different storage controllers, each coupled to its storage device through a different interface. By way of example, where the volatile storage 961 is present and is based on RAM technology, the volatile storage 961 may be communicatively coupled to the coupling 959 through a storage controller 965a that provides an appropriate interface to the volatile storage 961, which perhaps employs row and column addressing, and the storage controller 965a may perform row refreshing and/or other maintenance tasks to aid in preserving the information stored within the volatile storage 961. By way of another example, where the non-volatile storage 962 is present and includes one or more ferromagnetic and/or solid-state disk drives, the non-volatile storage 962 may be communicatively coupled to the coupling 959 through a storage controller 965b that provides an appropriate interface to the non-volatile storage 962, which perhaps employs addressing of blocks of information and/or of cylinders and sectors. By way of still another example, where the removable media storage 963 is present and includes one or more optical and/or solid-state disk drives employing one or more pieces of machine-readable storage medium 969, the removable media storage 963 may be communicatively coupled to the coupling 959 through a storage controller 965c that provides an appropriate interface to the removable media storage 963, which perhaps employs addressing of blocks of information, and the storage controller 965c may coordinate read, erase and write operations in a manner specific to extending the lifespan of the machine-readable storage medium 969.
One or the other of the volatile storage 961 or the non-volatile storage 962 may include an article of manufacture in the form of a machine-readable storage medium on which a routine including a sequence of instructions executable by the processor component 950 may be stored, depending on the technologies on which each is based. By way of example, where the non-volatile storage 962 includes ferromagnetic-based disk drives (e.g., so-called "hard drives"), each such disk drive typically employs one or more rotating platters on which a coating of magnetically responsive particles is deposited and magnetically oriented in various patterns to store information such as a sequence of instructions, in a manner akin to a storage medium such as a floppy diskette. By way of another example, the non-volatile storage 962 may be made up of banks of solid-state storage devices to store information such as sequences of instructions in a manner akin to a compact flash card. Again, it is commonplace to employ differing types of storage devices in a device at different times to store executable routines and/or data. Thus, a routine including a sequence of instructions to be executed by the processor component 950 may initially be stored on the machine-readable storage medium 969, and the removable media storage 963 may subsequently be employed in copying that routine to the non-volatile storage 962 for longer-term storage not requiring the continuing presence of the machine-readable storage medium 969, and/or to the volatile storage 961 to enable more rapid access by the processor component 950 as that routine is executed.
As previously discussed, the interface 990 (which may correspond to the interface 490) may employ any of a variety of signaling technologies corresponding to any of a variety of communications technologies that may be employed to communicatively couple a device to one or more other devices. Again, one or both of various forms of wired or wireless signaling may be employed to enable the processor component 950 to interact with input/output devices (e.g., the depicted example keyboard 920 or printer 925) and/or other devices, possibly through a network (e.g., the network 999) or an interconnected set of networks. In recognition of the often greatly differing character of the multiple types of signaling and/or protocols that must often be supported by any one device, the interface 990 is depicted as including multiple different interface controllers 995a, 995b and 995c. The interface controller 995a may employ any of a variety of types of wired digital serial interface or radio frequency wireless interface to receive serially transmitted messages from user input devices such as the depicted keyboard 920. The interface controller 995b may employ any of a variety of cabling-based or wireless signaling, timings and/or protocols to access other devices through the depicted network 999 (perhaps a network made up of one or more links, smaller networks, or perhaps the Internet). More specifically, the interface controller 995b may incorporate one or more radio frequency (RF) transceivers and/or may be coupled to one or more antennae 991 (which may be incorporated into a portion of the interface 990) to exchange RF wireless signals with the antenna(e) of one or more other devices as part of wireless communications on the depicted network 999. The interface 995c may employ any of a variety of electrically conductive cabling enabling the use of either serial or parallel signal transmission to convey data to the depicted printer 925. Other examples of devices that may be communicatively coupled through one or more interface controllers of the interface 990 include, without limitation, microphones to monitor the sounds of persons in order to accept commands and/or data signaled by those persons via voice or other sounds they may make, remote controls, stylus pens, card readers, fingerprint readers, virtual reality interaction gloves, graphical input tablets, joysticks, other keyboards, retina scanners, the touch input component of touch screens, trackballs, various sensors, a camera or camera array to monitor the movement of persons in order to accept commands and/or data signaled by those persons via gestures and/or facial expressions, laser printers, inkjet printers, mechanical robots, milling machines, etc.
Where a device is communicatively coupled to (or perhaps actually incorporates) a display (e.g., the depicted example display 980), such a device implementing the processing architecture 3000 may also include the display interface 985. Although more generalized types of interface may be employed in communicatively coupling to a display, the somewhat specialized additional processing often required in visually displaying various forms of content on a display, as well as the somewhat specialized nature of the cabling-based interfaces used, often makes the provision of a distinct display interface desirable. The wired and/or wireless signaling technologies that may be employed by the display interface 985 in a communicative coupling of the display 980 may make use of signaling and/or protocols conforming to any of a variety of industry standards, including without limitation any of a variety of analog video interfaces, Digital Video Interface (DVI), DisplayPort, etc.
More generally, the various elements of the devices described and depicted herein may include various hardware elements, software elements, or a combination of both. Examples of hardware elements may include devices, logic devices, components, processors, microprocessors, circuits, processor components, circuit elements (e.g., transistors, resistors, capacitors, inductors, and so forth), integrated circuits, application specific integrated circuits (ASIC), programmable logic devices (PLD), digital signal processors (DSP), field programmable gate arrays (FPGA), memory units, logic gates, registers, semiconductor devices, chips, microchips, chipsets, and so forth. Examples of software elements may include software components, programs, applications, computer programs, application programs, system programs, software development programs, machine programs, operating system software, middleware, firmware, software modules, routines, subroutines, functions, methods, procedures, software interfaces, application program interfaces (API), instruction sets, computing code, computer code, code segments, computer code segments, words, values, symbols, or any combination thereof. However, determining whether an embodiment is implemented using hardware elements and/or software elements may vary in accordance with any number of factors, such as the desired computational rate, power levels, heat tolerances, processing cycle budget, input data rates, output data rates, memory resources, data bus speeds and other design or performance constraints, as desired for a given implementation.
Some embodiments can be described using expression " one embodiment " or " embodiment " and its derivative.These terms The a particular feature, structure, or characteristic for meaning to combine embodiment description is included at least one embodiment.In specification The phrase " in one embodiment " occurred everywhere is not necessarily all referring to the same embodiment.In addition it is possible to use expression " coupling " and " connection " and its derivative describe some embodiments.These terms are not necessarily intended to as mutual synonym.For example, can be with Some embodiments are described using term " connection " and/or " coupling ", to indicate two or more elements physics directly with one another Or electrical contact.However, term " coupling " can also mean that two or more elements are not directly contacted with each other, but still that This cooperation or interaction.In addition, aspect or element from different embodiments can be combined.
It is stressed that, there is provided it is disclosed to make a summary to allow reader quickly to determine property disclosed in technology.It with It is lower understanding and submit, it will not be used to explain or limit the scope or implication of claim.In addition, in specific implementation above In mode, it can be seen that for the purpose for simplifying the disclosure, various features are grouped together in single embodiment.This public affairs This method opened is not interpreted to reflect that embodiment claimed is needed more more than what is be expressly recited in each claim The intention of feature.On the contrary, as the following claims reflect, subject matter is all spies less than single open embodiment Sign.Therefore, following claims is hereby incorporated into embodiment, wherein each claim is in itself as single Embodiment.In the following claims, term " including (including) " and " wherein (in which) " are, respectively, used as accordingly The brief English equivalent of term " including (comprising) " and " wherein (wherein) ".In addition, term " first ", " the Two ", " 3rd " etc. is merely used as label, and is not intended to and applies numerical requirements to its object.
Content described above includes the example of disclosed framework.It is, of course, not possible to the every of component and/or method is described A possible combination, but those of ordinary skill in the art will recognize that many further combinations and permutations are possible 's.Therefore, novel framework is intended to all such changes, modifications fallen within the spirit and scope of the appended claims And change.Detailed disclosure is turning now to the example provided on further embodiment.Examples provided below is not intended to be limited to.
In Example 1, a device includes: a first processor component including verification microcode to, in response to initialization of a processing device, attempt to authenticate a verification routine based on a first security credential so as to create, within the processing device, a chain of trust that includes at least the verification microcode and the verification routine; a first collection register to provide, when read, a first hash value of one or more values written to the first collection register since the initialization; and a verification component of the verification routine to determine a selected security level of the initialization and, based on the selected security level, attempt to authenticate a first firmware based on a second security credential so as to extend the chain of trust to include the first firmware, and store an indication of the result of the attempted authentication of the first firmware in the first collection register.
In Example 2, which includes the subject matter of Example 1, the first processor component may include the first security credential embedded within the verification microcode, the first security credential may include a key, the verification routine may include a digital signature generated with another key associated with the key, and the verification microcode may include a retrieval component to retrieve the verification routine, the verification microcode attempting to match the key to the digital signature in order to attempt to authenticate the verification routine.
In Example 3, which includes the subject matter of any of Examples 1-2, the second security credential may include a key embedded within the verification routine, the first firmware may include a digital signature generated with another key associated with the key, and the verification component of the verification routine may attempt to match the key to the digital signature in order to attempt to authenticate the first firmware.
In Example 4, which includes the subject matter of any of Examples 1-3, in response to a failure to authenticate the verification routine, the first processor component may refrain from performing further initialization of the processing device.
In Example 5, which includes the subject matter of any of Examples 1-4, the first processor component may, in response to the selected security level comprising a relatively high security level and in response to a failure to authenticate the first firmware, refrain from performing further initialization of the processing device.
In Example 6, which includes the subject matter of any of Examples 1-5, the device may include a selection component of the verification routine to identify a second firmware based on the selected security level, and the verification component may, based on the selected security level, attempt to authenticate the second firmware based on the second security credential to extend the chain of trust to include the second firmware, and store an indication of the result of the attempted authentication of the second firmware in the first collection register.
In Example 7, which includes the subject matter of any of Examples 1-6, the first processor component may store the indication of the result of the attempted authentication of the first firmware in the first collection register regardless of that result, and may attempt to initialize an operating system of the processing device in response to the selected security level comprising an intermediate security level.
In Example 8, which includes the subject matter of any of Examples 1-7, the first processor component may refrain from attempting to authenticate the first firmware, and may store in the first collection register an indication that no authentication of the first firmware was attempted, in response to the selected security level comprising a relatively low security level.
In Example 9, which includes the subject matter of any of Examples 1-8, the device may include an operating system to read the first hash value from the first collection register to obtain an indication of the extent of the chain of trust, and to determine, based on the first hash value, whether to allow use of a feature of the operating system.
In Example 10, which includes the subject matter of any of Examples 1-9, the device may include a second collection register to provide, when read, a second hash value of a hash taken of one or more values written to the second collection register since the initialization, and the verification component of the verification routine may store a value indicating the selected security level in the second collection register.
In Example 11, which includes the subject matter of any of Examples 1-10, at least one of the first collection register or the second collection register may be incorporated into at least one of the first processor component or a support component that couples the first processor component to a bus.
In Example 12, which includes the subject matter of any of Examples 1-11, the device may include an operating system to read the first hash value from the first collection register and the second hash value from the second collection register to obtain an indication of the extent of the chain of trust, and to determine, based on the first and second hash values, whether to allow initialization of the operating system in the processing device.
In Example 13, which includes the subject matter of any of Examples 1-12, the verification component may provide the value indicating the selected security level to the first firmware, the first firmware may generate an event log that includes the value and provide the event log to the operating system, and the operating system may derive a third hash value from the value in the event log and compare the second and third hash values to determine whether to allow the initialization of the operating system in the processing device.
In Example 14, which includes the subject matter of any of Examples 1-13, the device may include a jumper operable to at least one position to select the selected security level, and a settings register accessible to the first processor component to provide, when read, an indication of the selected security level as selected via the jumper.
In Example 15, which includes the subject matter of any of Examples 1-14, the device may include a settings register accessible to the first processor component to provide, when read, an indication of the selected security level, and a configuration component to operate at least one of a display or a manually operable control to enable selection of the selected security level and to store the indication of the selected security level in the settings register.
In Example 16, which includes the subject matter of any of Examples 1-15, the first processor component may execute the verification routine to cause the verification component to authenticate the first firmware so as to extend the chain of trust to include the first firmware, and the verification microcode may create the chain of trust to include the first processor component.
In Example 17, which includes the subject matter of any of Examples 1-16, the device may include a second processor component to execute the verification routine to cause the verification component to authenticate the first firmware so as to extend the chain of trust to include the first firmware, and the verification microcode may create the chain of trust to include the second processor component.
In Example 18, a device includes: a first processor component including verification microcode to, in response to initialization of a processing device, attempt to authenticate a verification routine based on a first security credential so as to create, within the processing device, a chain of trust that includes at least the verification microcode and the verification routine; a verification component of the verification routine to determine a selected security level of the initialization and, based on the selected security level, attempt to authenticate a first firmware based on a second security credential so as to extend the chain of trust to include the first firmware, and store an indication of the result of the attempted authentication of the first firmware in a first collection register, the first collection register providing, when read, a first hash value of one or more values written to the first collection register since the initialization; and a selection component of the verification routine to identify a second firmware based on the selected security level and in response to a failure to authenticate the first firmware, the verification component, based on the selected security level, attempting to authenticate the second firmware based on the second security credential so as to extend the chain of trust to include the second firmware, and storing an indication of the result of the attempted authentication of the second firmware in the first collection register.
In Example 19, which includes the subject matter of Example 18, the first processor component may include the first security credential embedded within the verification microcode, the first security credential may include a key, the verification routine may include a digital signature generated with another key associated with the key, and the verification microcode may include a retrieval component to retrieve the verification routine, the verification microcode attempting to match the key to the digital signature in order to attempt to authenticate the verification routine.
In Example 20, which includes the subject matter of any of Examples 18-19, the second security credential may include a key embedded within the verification routine, the first firmware may include a digital signature generated with another key associated with the key, and the verification component of the verification routine may attempt to match the key to the digital signature in order to attempt to authenticate the first firmware.
In Example 21, which includes the subject matter of any of Examples 18-20, in response to a failure to authenticate the verification routine, the first processor component may refrain from performing further initialization of the processing device.
In Example 22, which includes the subject matter of any of Examples 18-21, the first processor component may refrain from attempting to authenticate either the first firmware or the second firmware, and may store in the first collection register an indication that no authentication of the first firmware or the second firmware was attempted, in response to the selected security level comprising a relatively low security level.
In Example 23, which includes the subject matter of any of Examples 18-22, the device may include an operating system to read the first hash value from the first collection register to obtain an indication of the extent of the chain of trust, and to determine, based on the first hash value, whether to allow use of a feature of the operating system.
In Example 24, which includes the subject matter of any of Examples 18-23, the device may include a second collection register to provide, when read, a second hash value of a hash taken of one or more values written to the second collection register since the initialization, and the verification component of the verification routine may store a value indicating the selected security level in the second collection register.
In Example 25, which includes the subject matter of any of Examples 18-24, the device may include an operating system to read the first hash value from the first collection register and the second hash value from the second collection register to obtain an indication of the extent of the chain of trust, and to determine, based on the first and second hash values, whether to allow initialization of the operating system in the processing device.
In Example 26, which includes the subject matter of any of Examples 18-25, the verification component may provide the value indicating the selected security level to the first firmware, the first firmware may generate an event log that includes the value and provide the event log to the operating system, and the operating system may derive a third hash value from the value in the event log and compare the second and third hash values to determine whether to allow initialization of the operating system in the processing device.
In Example 27, which includes the subject matter of any of Examples 18-26, the first processor component may execute the verification routine to cause the verification component to authenticate the first firmware so as to extend the chain of trust to include the first firmware, and the verification microcode may create the chain of trust to include the first processor component.
In Example 28, which includes the subject matter of any of Examples 18-27, the device may include a second processor component to execute the verification routine to cause the verification component to authenticate the first firmware so as to extend the chain of trust to include the first firmware, and the verification microcode may create the chain of trust to include the second processor component.
In Example 29, a computer-implemented method includes: executing, in response to initialization of a processing device, verification microcode within a first processor component to attempt to authenticate a verification routine based on a first security credential so as to create, within the processing device, a chain of trust that includes at least the verification microcode and the verification routine; in response to successful authentication of the verification routine, executing the verification routine to determine a selected security level of the initialization; and in response to the successful authentication and based on the selected security level, executing the verification routine to attempt to authenticate a first firmware based on a second security credential so as to extend the chain of trust to include the first firmware, and to store an indication of the attempted authentication of the first firmware in a first collection register, the first collection register providing, when read, a first hash value of one or more values written to the first collection register since the initialization.
In Example 30, which includes the subject matter of Example 29, the first processor component may include the first security credential embedded within the verification microcode; the first security credential may include a key, and the verification routine may include a digital signature generated with another key associated with the key; and the method may include retrieving the verification routine from a storage of the processing device and attempting to match the key to the digital signature in order to attempt to authenticate the verification routine.
In Example 31, which includes the subject matter of any of Examples 29-30, the second security credential may include a key embedded within the verification routine; the first firmware may include a digital signature generated with another key associated with the key; and the method may include attempting to match the key to the digital signature in order to attempt to authenticate the first firmware.
In Example 32, which includes the subject matter of any of Examples 29-31, the method may include: in response to a failure to authenticate the verification routine, refraining from performing further initialization of the processing device.
In Example 33, which includes the subject matter of any of Examples 29-32, the method may include: in response to the selected security level comprising a relatively high security level, and in response to a failure to authenticate the first firmware, refraining from performing further initialization of the processing device.
In Example 34, which includes the subject matter of any of Examples 29-33, the method may include: executing the verification routine to identify a second firmware based on the selected security level; attempting to authenticate the second firmware based on the second security credential so as to extend the chain of trust to include the second firmware; and storing an indication of the result of the attempted authentication of the second firmware in the first collection register.
In Example 35, which includes the subject matter of any of Examples 29-34, the method may include: in response to the selected security level comprising an intermediate security level, executing the verification routine to store the indication of the result of the attempted authentication of the first firmware in the first collection register regardless of that result; and attempting to initialize an operating system in the processing device.
In Example 36, which includes the subject matter of any of Examples 29-35, the method may include: in response to the selected security level comprising a relatively low security level, refraining from attempting to authenticate the first firmware, and executing the verification routine to store in the first collection register an indication that no authentication of the first firmware was attempted.
In Example 37, which includes the subject matter of any of Examples 29-36, the method may include: reading the first hash value from the first collection register to obtain an indication of the extent of the chain of trust; and determining, based on the first hash value, whether to allow use of a feature of the operating system.
In Example 38, which includes the subject matter of any of Examples 29-37, the method may include executing the verification routine to store a value indicating the selected security level in a second collection register, the second collection register providing, when read, a second hash value of a hash taken of one or more values written to the second collection register since the initialization.
In Example 39, which includes the subject matter of any of Examples 29-38, the method may include: reading the first hash value from the first collection register and the second hash value from the second collection register to obtain an indication of the extent of the chain of trust; and determining, based on the first hash value and the second hash value, whether to allow initialization of the operating system in the processing device.
In Example 40, which includes the subject matter of any of Examples 29-39, the method may include: executing the verification routine to provide the first firmware with a value indicating the selected security level; executing the first firmware to generate an event log that includes the value and to provide the event log to an operating system; deriving a third hash value from the value in the event log; comparing the second hash value and the third hash value; and determining, based on the comparison, whether to allow initialization of the operating system in the processing device.
In Example 41, which includes the subject matter of any of Examples 29-40, the verification microcode may create the chain of trust to include the first processor component, and the method may include executing the verification routine within the first processor component to cause the authentication of the first firmware.
In Example 42, which includes the subject matter of any of Examples 29-41, the verification microcode may create the chain of trust to include a second processor component of the processing device, and the method may include executing the verification routine within the second processor component to cause the authentication of the first firmware.
In Example 43, at least one tangible machine-readable storage medium includes instructions that, when executed by a processing device, may cause the processing device to: execute, in response to initialization, verification microcode within a first processor component to attempt to authenticate a verification routine based on a first security credential so as to create, within the processing device, a chain of trust that includes at least the verification microcode and the verification routine; in response to successful authentication of the verification routine, execute the verification routine to determine a selected security level of the initialization; and in response to the successful authentication and based on the selected security level, execute the verification routine to attempt to authenticate a first firmware based on a second security credential so as to extend the chain of trust to include the first firmware, and to store an indication of the attempted authentication of the first firmware in a first collection register, the first collection register providing, when read, a first hash value of one or more values written to the first collection register since the initialization.
In Example 44, which includes the subject matter of Example 43, the first processor component may include the first security credential embedded within the verification microcode, the first security credential may include a key, the verification routine may include a digital signature generated with another key associated with the key, and the processing device may be caused to retrieve the verification routine from a storage of the processing device and to attempt to match the key to the digital signature in order to attempt to authenticate the verification routine.
In Example 45, which includes the subject matter of any of Examples 43-44, the second security credential may include a key embedded within the verification routine, the first firmware may include a digital signature generated with another key associated with the key, and the processing device may be caused to attempt to match the key to the digital signature in order to attempt to authenticate the first firmware.
In Example 46, which includes the subject matter of any of Examples 43-45, the processing device may be caused to refrain from performing further initialization of the processing device in response to a failure to authenticate the verification routine.
In Example 47, which includes the subject matter of any of Examples 43-46, the processing device may be caused to refrain from performing further initialization of the processing device in response to the selected security level comprising a relatively high security level and in response to a failure to authenticate the first firmware.
In Example 48, which includes the subject matter of any of Examples 43-47, the processing device may be caused to: identify a second firmware based on the selected security level; attempt to authenticate the second firmware based on the second security credential so as to extend the chain of trust to include the second firmware; and store an indication of the result of the attempted authentication of the second firmware in the first collection register.
In Example 49, which includes the subject matter of any of Examples 43-48, in response to the selected security level comprising an intermediate security level, the processing device may be caused to execute the verification routine to store the indication of the result of the attempted authentication of the first firmware in the first collection register regardless of that result, and to attempt to initialize an operating system in the processing device.
In Example 50, which includes the subject matter of any of Examples 43-49, in response to the selected security level comprising a relatively low security level, the processing device may be caused to refrain from attempting to authenticate the first firmware and to execute the verification routine to store in the first collection register an indication that no authentication of the first firmware was attempted.
In Example 51, which includes the subject matter of any of Examples 43-50, the processing device may be caused to read the first hash value from the first collection register to obtain an indication of the extent of the chain of trust, and to determine, based on the first hash value, whether to allow use of a feature of the operating system.
In Example 52, which includes the subject matter of any of Examples 43-51, the processing device may be caused to execute the verification routine to store a value indicating the selected security level in a second collection register, the second collection register providing, when read, a second hash value of a hash taken of one or more values written to the second collection register since the initialization.
In Example 53, which includes the subject matter of any of Examples 43-52, the processing device may be caused to read the first hash value from the first collection register and the second hash value from the second collection register to obtain an indication of the extent of the chain of trust, and to determine, based on the first hash value and the second hash value, whether to allow initialization of the operating system in the processing device.
In Example 54, which includes the subject matter of any of Examples 43-53, the processing device may be caused to: execute the verification routine to provide the first firmware with a value indicating the selected security level; execute the first firmware to generate an event log that includes the value and to provide the event log to an operating system; derive a third hash value from the value in the event log; compare the second hash value and the third hash value; and determine, based on the comparison, whether to allow initialization of the operating system in the processing device.
In Example 55, which includes the subject matter of any of Examples 43-54, the verification microcode may create the chain of trust to include the first processor component, and the processing device may be caused to execute the verification routine within the first processor component to cause the authentication of the first firmware.
In Example 56, which includes the subject matter of any of Examples 43-55, the verification microcode may create the chain of trust to include a second processor component of the processing device, and the processing device may be caused to execute the verification routine within the second processor component to cause the authentication of the first firmware.
In Example 57, at least one tangible machine-readable storage medium may include instructions that, when executed by a processor component, cause the processor component to perform any of the above.
In Example 58, a device may include means for performing any of the above.
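The boot flow that Examples 1-58 describe, as an added Python model that is not code from the patent: the verification microcode authenticates the verification routine, the routine authenticates the firmware according to the selected security level and extends the first collection register with the outcome (or with the fact that nothing was attempted), the second register receives the selected level, and the operating system replays the event log against the second register before deciding whether to proceed. All names, the HMAC stand-in for the asymmetric digital signature, the register extend formula, and the keys and images are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Security levels named in the examples; the string values are constructed.
HIGH, INTERMEDIATE, LOW = "high", "intermediate", "low"


class CollectionRegister:
    """Extend-only register: value = SHA-256(old_value || SHA-256(data))."""

    def __init__(self) -> None:
        self.value = bytes(32)

    def extend(self, data: bytes) -> None:
        self.value = hashlib.sha256(self.value + hashlib.sha256(data).digest()).digest()

    def read(self) -> bytes:
        return self.value  # hash of everything written since initialization


@dataclass(frozen=True)
class Image:
    """A signed item of the chain: the verification routine or a firmware."""
    name: str
    body: bytes
    signature: bytes


def sign(key: bytes, body: bytes) -> bytes:
    # HMAC stands in for the asymmetric 'digital signature' of Examples 2-3.
    return hmac.new(key, body, hashlib.sha256).digest()


def authentic(key: bytes, image: Image) -> bool:
    return hmac.compare_digest(sign(key, image.body), image.signature)


class BootHalted(Exception):
    """Raised where the examples say further initialization is refrained from."""


def boot(level, microcode_key, routine, routine_key, first_fw, second_fw=None):
    """Verify microcode, then verification routine; returns (reg1, reg2, event_log)."""
    reg1, reg2, log = CollectionRegister(), CollectionRegister(), []
    # Root of the chain: the key embedded in the microcode checks the routine (Ex. 2, 4).
    if not authentic(microcode_key, routine):
        raise BootHalted("verification routine failed authentication")
    # The routine records the selected level in the second register (Ex. 10).
    reg2.extend(level.encode())
    log.append(("level", level))
    if level == LOW:
        # Ex. 8: no authentication is attempted, but that fact is still recorded.
        reg1.extend(f"{first_fw.name}:not-attempted".encode())
        log.append(("firmware", first_fw.name, "not-attempted"))
        return reg1, reg2, log
    any_ok = False
    # Ex. 6/18: a second firmware is identified only after the first one fails.
    for fw in (first_fw, second_fw):
        if fw is None:
            break
        outcome = "pass" if authentic(routine_key, fw) else "fail"
        reg1.extend(f"{fw.name}:{outcome}".encode())  # Ex. 7: stored regardless
        log.append(("firmware", fw.name, outcome))
        if outcome == "pass":
            any_ok = True
            break
    if not any_ok and level == HIGH:
        raise BootHalted("no firmware authenticated at the high security level")  # Ex. 5
    return reg1, reg2, log  # Ex. 7: the intermediate level proceeds to OS initialization


def boot_halts(*args, **kwargs) -> bool:
    """True if boot() refuses to continue with the given inputs."""
    try:
        boot(*args, **kwargs)
    except BootHalted:
        return True
    return False


def replay(entries) -> bytes:
    """Recompute a register value from the data that was extended into it."""
    reg = CollectionRegister()
    for data in entries:
        reg.extend(data)
    return reg.read()


def os_may_initialize(reg1, reg2, log, expected_reg1: bytes) -> bool:
    """Ex. 12-13: derive a third hash from the logged level, compare it with the
    second register, then check the first register against the expected chain."""
    third = replay([e[1].encode() for e in log if e[0] == "level"])
    if not hmac.compare_digest(third, reg2.read()):
        return False  # event log disagrees with what the routine recorded
    return hmac.compare_digest(reg1.read(), expected_reg1)


# Constructed fixtures: keys, the signed routine and three firmware images.
MICROCODE_KEY = b"constructed-microcode-key"
ROUTINE_KEY = b"constructed-routine-key"
ROUTINE = Image("verify-routine", b"routine-code", sign(MICROCODE_KEY, b"routine-code"))
GOOD_FW = Image("bios", b"bios-v1", sign(ROUTINE_KEY, b"bios-v1"))
BAD_FW = Image("bios", b"bios-v1-tampered", sign(b"wrong-key", b"bios-v1-tampered"))
RECOVERY_FW = Image("recovery", b"recovery-v1", sign(ROUTINE_KEY, b"recovery-v1"))
```

The expected value passed to os_may_initialize stands for whatever reference the operating system uses to judge the extent of the chain (Example 9); the model does not prescribe where that reference comes from.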

Claims (25)

1. a kind of device for security initialization, including:
First processor component, including verification microcode, are attempted for the initialization in response to processing equipment based on the first peace Full property voucher carrys out authentication verification routine, and to create trust chain in the processing equipment, the trust chain includes at least described test Demonstrate,prove microcode and the verification routine;
First collects register, for posting being read out providing being written to since the initialization described first and collecting First hashed value of one or more values of storage;And
The checking assembly of the verification routine, for determining the selected security level of the initialization, and is based on the institute Security level is selected, attempts to expand to the trust chain including institute come the first firmware of certification based on the second security credentials State the first firmware, and finger of the storage to the result of the attempted authentication of first firmware in the described first collection register Show.
2. The apparatus of claim 1, the first processor component comprising a first security credential embedded within the verification microcode, the first security credential comprising a key, the verification routine being digitally signed with another key associated with the key, and the verification microcode comprising a retrieval component to retrieve the verification routine, the verification microcode to attempt to match the key to the digital signature in order to attempt to authenticate the verification routine.
3. The apparatus of claim 1, the first processor component to refrain from performing further initialization of the processing device in response to a failure to authenticate the verification routine.
4. The apparatus of claim 3, the first processor component to store an indication of the result of the attempt to authenticate the first firmware in the first collection register regardless of that result, and to attempt to initialize the operating system within the processing device in response to the selected security level comprising an intermediate security level.
5. The apparatus of claim 1, comprising: a second collection register to be read to provide a second hash value of a hash of the one or more values written to the second collection register since the initialization, and the verification component of the verification routine to store a value indicating the selected security level in the second collection register.
6. The apparatus of claim 5, comprising an operating system to read the first hash value from the first collection register and the second hash value from the second collection register to obtain an indication of the extent of the chain of trust, and to determine whether to initialize the operating system within the processing device based on the first hash value and the second hash value.
7. The apparatus of claim 6, the verification component to provide the value indicating the selected security level to the first firmware, the first firmware to generate an event log comprising the value and to provide the event log to the operating system, and the operating system to derive a third hash value from the value in the event log and to compare the second hash value with the third hash value to determine whether to initialize the operating system within the processing device.
8. The apparatus of claim 1, comprising:
a jumper operable to at least one position to select the selected security level; and
a setting register accessible to the first processor component, to be read to provide an indication of the selected security level as selected via the jumper.
9. The apparatus of claim 1, comprising a second processor component to execute the verification routine to cause the verification component to authenticate the first firmware and to extend the chain of trust to include the first firmware, the verification microcode to create the chain of trust to include the second processor component.
10. An apparatus for secure initialization, comprising:
a first processor component comprising verification microcode to, in response to initialization of a processing device, attempt to authenticate a verification routine based on a first security credential in order to create a chain of trust within the processing device, the chain of trust comprising at least the verification microcode and the verification routine;
a verification component of the verification routine to determine a selected security level of the initialization and, based on the selected security level, to attempt to authenticate a first firmware based on a second security credential in order to extend the chain of trust to include the first firmware, and to store an indication of the result of the attempt to authenticate the first firmware in a first collection register, the first collection register to be read to provide a first hash value of one or more values written to the first collection register since the initialization; and
a selection component of the verification routine to identify a second firmware based on the selected security level and in response to a failure to authenticate the first firmware, the verification component to, based on the selected security level, attempt to authenticate the second firmware based on the second security credential in order to extend the chain of trust to include the second firmware, and to store an indication of the result of the attempt to authenticate the second firmware in the first collection register.
11. The apparatus of claim 10, the second security credential comprising a key embedded within the verification routine, the first firmware being digitally signed with another key associated with the key, and the verification component of the verification routine to attempt to match the key to the digital signature in order to attempt to authenticate the first firmware.
12. The apparatus of claim 10, the first processor component to refrain from performing further initialization of the processing device in response to a failure to authenticate the verification routine.
13. The apparatus of claim 12, the first processor component to refrain from attempting to authenticate either the first firmware or the second firmware, and to store in the first collection register an indication that authentication of neither the first firmware nor the second firmware was attempted, in response to the selected security level comprising a relatively low security level.
14. The apparatus of claim 10, comprising an operating system to read the first hash value from the first collection register to obtain an indication of the extent of the chain of trust, and to determine whether to make use of a feature of the operating system based on the first hash value.
15. The apparatus of claim 10, the first processor component to execute the verification routine to cause the verification component to authenticate the first firmware in order to extend the chain of trust to include the first firmware, the verification microcode to create the chain of trust to include the first processor component.
16. A computer-implemented method for securing initialization, comprising:
in response to initialization of a processing device, executing verification microcode in a first processor component to attempt to authenticate a verification routine based on a first security credential in order to create a chain of trust within the processing device, the chain of trust comprising at least the verification microcode and the verification routine;
in response to successful authentication of the verification routine, executing the verification routine to determine a selected security level of the initialization; and
in response to the successful authentication and based on the selected security level, executing the verification routine to attempt to authenticate a first firmware based on a second security credential in order to extend the chain of trust to include the first firmware, and to store an indication of the attempt to authenticate the first firmware in a first collection register, the first collection register to be read to provide a first hash value of one or more values written to the first collection register since the initialization.
17. The computer-implemented method of claim 16, the second security credential comprising a key embedded within the verification routine, the first firmware being digitally signed with another key associated with the key, and the method comprising attempting to match the key to the digital signature in order to attempt to authenticate the first firmware.
18. The computer-implemented method of claim 16, comprising refraining from performing further initialization of the processing device in response to a failure to authenticate the verification routine.
19. The computer-implemented method of claim 18, comprising refraining from performing further initialization of the processing device in response to the selected security level comprising a relatively high security level and in response to a failure to authenticate the first firmware.
20. The computer-implemented method of claim 18, comprising, based on the selected security level, executing the verification routine to:
identify a second firmware;
attempt to authenticate the second firmware based on the second security credential in order to extend the chain of trust to include the second firmware; and
store an indication of the result of the attempt to authenticate the second firmware in the first collection register.
21. The computer-implemented method of claim 18, comprising, in response to the selected security level comprising an intermediate security level, executing the verification routine to:
store an indication of the result of the attempt to authenticate the first firmware in the first collection register regardless of that result; and
attempt to initialize an operating system within the processing device.
22. The computer-implemented method of claim 16, comprising:
reading the first hash value from the first collection register to obtain an indication of the extent of the chain of trust; and
determining whether to make use of a feature of an operating system based on the first hash value.
23. The computer-implemented method of claim 16, comprising executing the verification routine to store a value indicating the selected security level in a second collection register, the second collection register to be read to provide a second hash value of a hash of the one or more values written to the second collection register since the initialization.
24. The computer-implemented method of claim 16, the verification microcode creating the chain of trust to include the first processor component, and the method comprising executing the verification routine in the first processor component so as to authenticate the first firmware.
25. At least one tangible machine-readable storage medium comprising instructions that, when executed by a processor component, cause the processor component to perform the method of any one of claims 16-24.
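As an added illustration of claims 10-24 (this is not code from the patent or from any Intel implementation), the Python below models the claimed flow: the verification routine records the selected security level in one collection register, attempts the first firmware and then the second, extends every attempt result into the other collection register, and the operating system replays an event log against that register. The PCR-style extend operation, the HMAC stand-in for the key/signature match, the behaviour of the intermediate level with respect to the second firmware, and all names and sample images are assumptions of this example.

```python
import hashlib
import hmac
LOW, INTERMEDIATE, HIGH = "low", "intermediate", "high"   # the claimed selectable security levels

class CollectRegister:
    """Reads back a hash over every value written since initialization (PCR-style extend assumed)."""
    def __init__(self):
        self.value = b"\x00" * 32
    def extend(self, data: bytes) -> None:
        self.value = hashlib.sha256(self.value + data).digest()
    def read(self) -> bytes:
        return self.value

def authenticate(image: bytes, tag: bytes, key: bytes) -> bool:
    """Stand-in for the claim 11 key/signature match; an HMAC tag keeps the example offline."""
    return hmac.compare_digest(hmac.new(key, image, hashlib.sha256).digest(), tag)

def verification_routine(level, candidates, key, fw_reg, level_reg):
    """Claims 10-21: record the level, try the first firmware, fall back to the second,
    and log every attempt into fw_reg. Returns (boot_allowed, authenticated_name)."""
    level_reg.extend(level.encode())                          # claim 23
    if level == LOW:                                          # claim 13: nothing is attempted
        fw_reg.extend(b"no firmware authentication attempted")
        return True, None
    for name, image, tag in candidates:                       # first, then second firmware
        ok = authenticate(image, tag, key)
        fw_reg.extend(f"{name}:{'OK' if ok else 'FAIL'}".encode())  # stored regardless of result
        if ok:
            return True, name
    # None authenticated: INTERMEDIATE boots anyway (claim 21), HIGH halts (claim 19).
    # That INTERMEDIATE also tries the second firmware is an assumption of this example.
    return level == INTERMEDIATE, None

def boot(level, candidates, key):
    """One initialization; returns (boot_allowed, firmware, fw_reg_hash, level_reg_hash)."""
    fw_reg, level_reg = CollectRegister(), CollectRegister()
    allowed, name = verification_routine(level, candidates, key, fw_reg, level_reg)
    return allowed, name, fw_reg.read().hex(), level_reg.read().hex()

def replay_event_log(events):
    """OS-side check (claims 7, 14, 22): recompute the register value from an event log."""
    reg = CollectRegister()
    for event in events:
        reg.extend(event)
    return reg.read().hex()
# Constructed sample inputs: a correctly tagged image and one carrying a bogus tag.
KEY, FW_A, FW_B = b"constructed demo key", b"constructed firmware A image", b"constructed firmware B image"
GOOD_TAG = hmac.new(KEY, FW_A, hashlib.sha256).digest()
CANDIDATES_A_GOOD = [("fw_a", FW_A, GOOD_TAG), ("fw_b", FW_B, b"\x00" * 32)]
CANDIDATES_ALL_BAD = [("fw_a", FW_A, b"\x00" * 32), ("fw_b", FW_B, b"\x00" * 32)]
```

A mismatch between the replayed event log and the register hash tells the operating system that the log does not describe what actually ran, which is the check claims 7 and 14 rely on.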

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2015/090576 WO2017049539A1 (en) 2015-09-24 2015-09-24 Techniques for coordinating device boot security

Publications (2)

Publication Number Publication Date
CN107924439A true CN107924439A (en) 2018-04-17
CN107924439B CN107924439B (en) 2022-01-14

Family

ID=58385657

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201580082636.8A Active CN107924439B (en) 2015-09-24 2015-09-24 Apparatus, method, and computer program product for coordinating device boot security

Country Status (3)

Country Link
EP (1) EP3353699A4 (en)
CN (1) CN107924439B (en)
WO (1) WO2017049539A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113168474A (en) * 2019-06-10 2021-07-23 谷歌有限责任公司 Secure verification of firmware
CN114124398A (en) * 2020-08-28 2022-03-01 美光科技公司 Device with chain of trust

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022019880A1 (en) * 2020-07-20 2022-01-27 Hewlett-Packard Development Company, L.P. Pairing hardware components to authorize operation

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040064457A1 (en) * 2002-09-27 2004-04-01 Zimmer Vincent J. Mechanism for providing both a secure and attested boot
WO2007095385A2 (en) * 2006-02-15 2007-08-23 Intel Corporation Technique for providing secure firmware
US7533274B2 (en) * 2003-11-13 2009-05-12 International Business Machines Corporation Reducing the boot time of a TCPA based computing system when the core root of trust measurement is embedded in the boot block code
US20140089651A1 (en) * 2012-09-25 2014-03-27 Jiewen Yao Computing device boot software authentication

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8925055B2 (en) * 2011-12-07 2014-12-30 Telefonaktiebolaget Lm Ericsson (Publ) Device using secure processing zone to establish trust for digital rights management

Also Published As

Publication number Publication date
WO2017049539A1 (en) 2017-03-30
EP3353699A4 (en) 2019-04-10
CN107924439B (en) 2022-01-14
EP3353699A1 (en) 2018-08-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant