CN109032636A - A method of UEFI firmware is updated based on encryption certification BMC - Google Patents
A method of UEFI firmware is updated based on encryption certification BMC Download PDFInfo
- Publication number
- CN109032636A CN109032636A CN201810783130.5A CN201810783130A CN109032636A CN 109032636 A CN109032636 A CN 109032636A CN 201810783130 A CN201810783130 A CN 201810783130A CN 109032636 A CN109032636 A CN 109032636A
- Authority
- CN
- China
- Prior art keywords
- bmc
- firmware
- module
- uefi
- system firmware
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/60—Software deployment
- G06F8/65—Updates
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/575—Secure boot
Landscapes
- Engineering & Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Stored Programmes (AREA)
Abstract
The present invention provides a kind of method that UEFI firmware is updated based on encryption certification BMC, belong to encryption storage and server system firmware technical field, server system firmware portions executable code is as update module, it stores in the storage medium used for BMC, BMC security authentication module and BMC application module also are stored in this medium.After BMC receives the signal that safety certification passes through, BMC application module checks, more new function server system firmware UEFI.Server system firmware entirely collapse the operating right for being also able to achieve system firmware reparation, while limiting BMC avoid malice distort, from two in terms of improve system firmware safeguard reliability.
Description
Technical field
The present invention relates to encryption storage and server system firmware technologies, more particularly to one kind to be based on encryption certification BMC more
The method of new UEFI firmware.
Background technique
Each side's surface technology of computer continues to optimize upgrading, in addition to computer performance, in various aspects such as safety, maintainabilities
Have technology upgrading.
BMC(Baseboard Management Controller) baseboard management controller, it is main on server system
Will be used to monitor be unite operation conditions with outer management of software ic device.The fan that can be used on monitoring server, CPU/ memory
Etc. equipment temperature, record system error message, control system switching on and shutting down, tele-control system operation etc. functions.Based on this
More multiserver administration control function can be developed.
The i.e. unified Extensible Firmware Interface of UEFI, is a set of interface and number between platform firmware and operating system
According to the definition set of structure.The start-up course of UEFI includes the protected mode of SEC(security setting CPU), before PEI(EFI
Initialization PEI), DXE(executes driving, installation Device handle, installation protocol), BDS (startup equipment selection),
Several stages such as TSL (temporary system loading), RT (runing time).UEFI BIOS is quickly grown, and has many previous generations
The unexistent advantage of BIOS.But it since various aspects develop the secure context different, especially UEFI BIOS is safeguarded, still has some deficits
It needs to continue to improve.
Update for UEFI BIOS firmware can be upgraded by modes such as network, storage mediums, there is different realities
Existing mode.Updating firmware by BMC has different implementations, and developer is easier to realize.But machine is in client
On hand, firmware damage upgrade environments just have various limitations, and upgrading authority is also difficult to control.
Summary of the invention
In order to solve the above technical problems, the invention proposes a kind of sides for updating UEFI firmware based on encryption certification BMC
Method.Update is detected automatically after can solving system firmware damage, does not need cd-rom recorder, the Environmental supports such as network, while there is permission
Limitation, avoids any update bring security risk.
The technical scheme is that
A method of UEFI firmware is updated based on encryption certification BMC, by storage section UEFI firmware module in BMC, is realized
Automatically update the UEFI firmware thoroughly damaged;BMC operation firmware carries out safety certification when repairing.
Server system firmware portions execute code as update module, store into the storage medium used for BMC,
BMC security authentication module and BMC application module also are stored in this medium;After BMC receives the signal that safety certification passes through,
BMC application module checks, more new function server system firmware UEFI;Server system firmware entirely collapses also real
Existing system firmware reparation, while the operating right for limiting BMC avoids malice from distorting, and system firmware maintenance is improved in terms of two
Reliability.
Specific step is as follows:
1) the UEFI firmware for needing to update has been stored in server end, has started server, and insertion safety certification can be with BMC safety
Authentication module starting, carries out hardware security certification;
2) BMC application module detection safety certification stops BMC operating function if safety certification does not pass through by flag bit,
Continue to operate in next step if safety certification passes through;
3) BMC application module continues cycling through detection UEFI firmware operating status flag bit, and UEFI firmware is detected in delay time
End of run mark then detects firmware update mark, if there is firmware update, then UEFI firmware update is run, otherwise after reforwarding
Row other systems startup item;
If 4) does not detect the end of run mark of any module, firmware module in BMC is set and executes mark automatically,
BMC directly transmits Restart Signal, server restarting;BMC application execution SEC and PEI firmware stages module updates at this time;?
SEC and PEI module in BMC memory write in the correspondence memory block of system firmware, and the end of run mark of two modules is arranged
Will and firmware update mark, BMC send Restart Signal, server restarting;
5) step 3) is entered at this time;
6) system start completion.
Firmware, which thoroughly damages, can also update, and do not need external hardware environment or professional technician supports, when client uses
It is automatically repaired update.
BMC updates the safety certification before system firmware, can avoid any update bring security risk.
The friendly of system firmware maintenance can be improved, and guarantee the safety of firmware update.It can be realized when use solid
Part restoration updating reduces personnel's maintenance cost, brings advantage to the user simultaneously.
Detailed description of the invention
Fig. 1 is data layout and realization principle block diagram of the invention;
Fig. 2 is flow diagram of the invention.
Specific embodiment
In the following with reference to the drawings and specific embodiments to a kind of side for updating UEFI firmware based on encryption certification BMC of the invention
Method is described further.
Main operational steps are as follows:
1) PCH bridge (for connecting the bus of the external equipments such as keyboard, mouse) connects system firmware by SPI or lpc bus and deposits
Chip is stored up, to carry out data interaction.Data interaction is carried out also by lpc bus between BMC chip simultaneously.BMC chip with
Between its corresponding storage chip EEPROM, communicated by spi bus, and with system firmware storage chip, LPC/ can be passed through
The buses such as USB/PCIE are communicated.
2) it has been stored in server end and has needed the UEFI firmware that updates, insertion safety certification can be with.
3) start server, the starting of BMC security authentication module carries out hardware security certification.
If 4) safety certification does not pass through, system starting stops.
If 5) safety certification passes through, BMC application module detected within delay time UEFI firmware whether end of run.If being
System firmware end of run, then detect whether to need firmware update, update if necessary, then run UEFI firmware update, otherwise
Continue to run other systems startup item.
6) if you do not need to updating, then firmware module in BMC is set and is executed automatically, BMC directly transmits Restart Signal, service
Device restarting.
7) BMC application execution SEC and PEI firmware stages module updates.In BMC memory SEC and PEI module write
In the correspondence memory block of system firmware, and the end of run mark and firmware update mark of two modules are set, letter is restarted in BMC transmission
Number, server restarting.
8) step 5) is entered.
9) it continues to run, system start completion.
Claims (3)
1. a kind of method for updating UEFI firmware based on encryption certification BMC, which is characterized in that
By storage section UEFI firmware module in BMC, realization automatically updates the UEFI firmware thoroughly damaged;
BMC operation firmware carries out safety certification when repairing.
2. the method according to claim 1, wherein
Server system firmware portions execute code as update module, store into the storage medium used for BMC, BMC peace
Full authentication module and BMC application module also are stored in this medium;
After BMC receives the signal that safety certification passes through, BMC application module to server system firmware UEFI, checked,
More new function;
Server system firmware entirely collapses and also realizes system firmware reparation, while the operating right for limiting BMC avoids malice from usurping
Change, the reliability of system firmware maintenance is improved in terms of two.
3. according to the method described in claim 2, it is characterized in that,
Specific step is as follows:
1) the UEFI firmware for needing to update has been stored in server end, has started server, and insertion safety certification can be with BMC safety
Authentication module starting, carries out hardware security certification;
2) BMC application module detection safety certification stops BMC operating function if safety certification does not pass through by flag bit,
Continue to operate in next step if safety certification passes through;
3) BMC application module continues cycling through detection UEFI firmware operating status flag bit, and UEFI firmware is detected in delay time
End of run mark then detects firmware update mark, if there is firmware update, then UEFI firmware update is run, otherwise after reforwarding
Row other systems startup item;
If 4) does not detect the end of run mark of any module, firmware module in BMC is set and executes mark automatically,
BMC directly transmits Restart Signal, server restarting;BMC application execution SEC and PEI firmware stages module updates at this time;?
SEC and PEI module in BMC memory write in the correspondence memory block of system firmware, and the end of run mark of two modules is arranged
Will and firmware update mark, BMC send Restart Signal, server restarting;
5) step 3) is entered at this time;
6) system start completion.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810783130.5A CN109032636A (en) | 2018-07-17 | 2018-07-17 | A method of UEFI firmware is updated based on encryption certification BMC |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810783130.5A CN109032636A (en) | 2018-07-17 | 2018-07-17 | A method of UEFI firmware is updated based on encryption certification BMC |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN109032636A true CN109032636A (en) | 2018-12-18 |
Family
ID=64642913
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810783130.5A Pending CN109032636A (en) | 2018-07-17 | 2018-07-17 | A method of UEFI firmware is updated based on encryption certification BMC |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109032636A (en) |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109743319A (en) * | 2019-01-03 | 2019-05-10 | 北京工业大学 | A kind of credible starting of network type private server and method for safe operation |
| TWI710953B (en) * | 2019-05-31 | 2020-11-21 | 緯創資通股份有限公司 | Firmware update device and firmware update method |
| CN112000351A (en) * | 2020-08-07 | 2020-11-27 | 北京浪潮数据技术有限公司 | Updating method, updating device, updating equipment and storage medium of BMC (baseboard management controller) firmware |
| CN112732308A (en) * | 2020-12-31 | 2021-04-30 | 广州万协通信息技术有限公司 | Firmware upgrading method, equipment and storage medium for module fine-grained |
| CN113360914A (en) * | 2021-05-14 | 2021-09-07 | 山东英信计算机技术有限公司 | BIOS updating method, system, equipment and medium |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20140122851A1 (en) * | 2012-10-31 | 2014-05-01 | International Business Machines Corporation | Transferring files to a baseboard management controller ('bmc') in a computing system |
| CN104410636A (en) * | 2014-12-01 | 2015-03-11 | 浪潮集团有限公司 | Method for enhancing security of BMC/SMC in cloud computing system |
| US20150261546A1 (en) * | 2013-12-31 | 2015-09-17 | International Business Machines Corporation | Baseboard management controller and method of loading firmware |
| CN105718806A (en) * | 2016-01-26 | 2016-06-29 | 浪潮电子信息产业股份有限公司 | Method for achieving trusted active measurement based on domestic BMC and TPM2.0 |
| CN105975842A (en) * | 2016-05-11 | 2016-09-28 | 浪潮集团有限公司 | KEY-based BIOS safety authentication method and system in UEFI |
| CN106325915A (en) * | 2015-07-01 | 2017-01-11 | 广达电脑股份有限公司 | Systems, methods, and computer-readable storage media for updating a computer firmware |
| CN106990985A (en) * | 2017-03-28 | 2017-07-28 | 南京百敖软件有限公司 | Apparatus and method based on BMC renewals and standby system UEFI firmwares |
| CN108255505A (en) * | 2018-01-10 | 2018-07-06 | 浪潮(北京)电子信息产业有限公司 | A kind of firmware update, device, equipment and computer readable storage medium |
-
2018
- 2018-07-17 CN CN201810783130.5A patent/CN109032636A/en active Pending
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20140122851A1 (en) * | 2012-10-31 | 2014-05-01 | International Business Machines Corporation | Transferring files to a baseboard management controller ('bmc') in a computing system |
| US20150261546A1 (en) * | 2013-12-31 | 2015-09-17 | International Business Machines Corporation | Baseboard management controller and method of loading firmware |
| CN104410636A (en) * | 2014-12-01 | 2015-03-11 | 浪潮集团有限公司 | Method for enhancing security of BMC/SMC in cloud computing system |
| CN106325915A (en) * | 2015-07-01 | 2017-01-11 | 广达电脑股份有限公司 | Systems, methods, and computer-readable storage media for updating a computer firmware |
| CN105718806A (en) * | 2016-01-26 | 2016-06-29 | 浪潮电子信息产业股份有限公司 | Method for achieving trusted active measurement based on domestic BMC and TPM2.0 |
| CN105975842A (en) * | 2016-05-11 | 2016-09-28 | 浪潮集团有限公司 | KEY-based BIOS safety authentication method and system in UEFI |
| CN106990985A (en) * | 2017-03-28 | 2017-07-28 | 南京百敖软件有限公司 | Apparatus and method based on BMC renewals and standby system UEFI firmwares |
| CN108255505A (en) * | 2018-01-10 | 2018-07-06 | 浪潮(北京)电子信息产业有限公司 | A kind of firmware update, device, equipment and computer readable storage medium |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109743319A (en) * | 2019-01-03 | 2019-05-10 | 北京工业大学 | A kind of credible starting of network type private server and method for safe operation |
| CN109743319B (en) * | 2019-01-03 | 2021-02-05 | 北京工业大学 | Trusted starting and safe operation method of networking type special server |
| TWI710953B (en) * | 2019-05-31 | 2020-11-21 | 緯創資通股份有限公司 | Firmware update device and firmware update method |
| CN112000351A (en) * | 2020-08-07 | 2020-11-27 | 北京浪潮数据技术有限公司 | Updating method, updating device, updating equipment and storage medium of BMC (baseboard management controller) firmware |
| CN112000351B (en) * | 2020-08-07 | 2023-04-07 | 北京浪潮数据技术有限公司 | Updating method, updating device, updating equipment and storage medium of BMC (baseboard management controller) firmware |
| CN112732308A (en) * | 2020-12-31 | 2021-04-30 | 广州万协通信息技术有限公司 | Firmware upgrading method, equipment and storage medium for module fine-grained |
| CN113360914A (en) * | 2021-05-14 | 2021-09-07 | 山东英信计算机技术有限公司 | BIOS updating method, system, equipment and medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109032636A (en) | A method of UEFI firmware is updated based on encryption certification BMC | |
| TWI754317B (en) | Method and system for optimal boot path for a network device | |
| US9852298B2 (en) | Configuring a system | |
| CN105144185B (en) | Access control device code and system start code | |
| US10719604B2 (en) | Baseboard management controller to perform security action based on digital signature comparison in response to trigger | |
| US11030347B2 (en) | Protect computing device using hash based on power event | |
| EP2989547B1 (en) | Repairing compromised system data in a non-volatile memory | |
| TWI740158B (en) | A server system, a centralized flash memory module, and a method of updating flash firmware image | |
| WO2018095107A1 (en) | Bios program abnormal processing method and apparatus | |
| WO2021057795A1 (en) | System starting method and apparatus, node device and computer-readable storage medium | |
| CN112925653B (en) | Virtualization cluster expansion method, related equipment and computer readable storage medium | |
| WO2024022212A1 (en) | Configuration information management method and apparatus, and server | |
| CN115981687A (en) | Firmware upgrading method, device, equipment and storage medium | |
| CN116049824A (en) | Firmware image checking system, firmware image checking method and computer system | |
| JP2011145827A (en) | Virtual bus system and device management method | |
| KR20090000576A (en) | Apparatus and method for providing security | |
| TWI840907B (en) | Computer system and method for detecting deviations, and non-transitory computer readable medium | |
| JP7389877B2 (en) | Network optimal boot path method and system | |
| CN111258805B (en) | Hard disk state monitoring method and device for server and computer device | |
| US11960372B2 (en) | Verified callback chain for bios security in an information handling system | |
| US11995182B2 (en) | Baseboard management controller to perform security action based on digital signature comparison in response to trigger | |
| US11977638B2 (en) | Low-impact firmware update | |
| US20240143435A1 (en) | Remediation Interface for Self Heal Field Faults | |
| CN114546507A (en) | System initialization method and device and electronic equipment | |
| CN115586910A (en) | Application upgrading method and computer equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20181218 |
|
| RJ01 | Rejection of invention patent application after publication |