RU151429U1 - COMPUTER WITH PROTECTED DATA STORAGE - Google Patents

Abstract

1. A computer with a secure data storage containing a motherboard and a secure data storage connected to the motherboard through a connector with the possibility of temporary disconnection, while the secure data storage has its own microcontroller, a SPI Flash chip containing an initialization and input / output program - BIOS or UEFI, and at least one non-volatile memory block used to load and store trusted applications. 2. A computer according to claim 1, characterized in that the power source of the secure data storage is the standby power source of the computer. A computer according to claim 1, characterized in that the microcontroller is configured in such a way that it protects the SPI Flash chip from modification of the source code written on it, monitors all calls to the SPI Flash chip and the non-volatile memory block and blocks access to them from the application side a computer that does not have the appropriate permissions.

Description

The proposed utility model relates to the field of secure computing, namely, it is proposed to create a computer with a secure data warehouse.

Currently, Unified Extensible Firmware (UEFI) is used for modern motherboards. This interface is designed to replace the computer BIOS and is intended to correctly initialize the equipment when the system is turned on and transfer control to the bootloader of the operating system. UEFI has two phases: the preliminary EFI phase at which the computer elements are initialized and the Driver Execution Environment (DXE) driver loading phase, after which the computer operating system is already loaded, see, for example, US 2009319763 A1 dated 12.24.2009. Thanks to the use of UEFI, the loading of the computer operating system is accelerated. In this case, the BIOS or UEFI are physically recorded on the SPI Flash chip, which is part of the computer's motherboard.

The closest technical solution is a computer for working with a secure data warehouse, disclosed in the application for the invention of the Russian Federation No. 20088132185 from 02.20.2010. This technical solution contains the steps of starting the bootloader of the operating system, reading the encryption key, checking the integrity of the operating system and loading the operating system. At the same time, the bootloader is pre-recorded on an external medium, at the initial stage of the boot, all sectors of the computer hard drive are encrypted, before checking the integrity of the operating system, the encryption key necessary for this check and subsequent download is stored, which is previously stored in the protected memory of the external device for access to which require user authentication, and thus provide protection against unauthorized access to data stored on the hard drive.

A drawback of existing technical solutions is the potential for modifying BIOS or UEFI data stored on the SPI Flash chip before launching a trusted application located on an external medium.

The proposed technical solution is aimed at creating a computer with a secure data warehouse, in which the SPI Flash chip containing the base system (BIOS or UEFI) is located directly on the secure storage.

The technical result of the proposed solution is to increase the protection of computer data from unauthorized modifications at any time, starting from the moment the computer is turned on.

The technical result is achieved by the fact that a computer with a secure data storage contains a motherboard and a secure data storage connected to the motherboard through a connector with the possibility of temporary disconnection, while the secure data storage has its own microcontroller, an SPI Flash chip containing an initialization and input / output - BIOS or UEFI, and at least one block of non-volatile memory used to load and store trusted applications. It is advisable to configure the connector that connects the data store to the motherboard so that the data store is supplied with power from the standby power supply of the computer, which allows the microcontroller, which is part of the protected data store, to work until the computer is physically turned on. The microcontroller of the secure data warehouse is configured in such a way that it protects the SPI Flash chip from modification of the source code written on it, monitors all calls to the SPI Flash chip and the non-volatile memory block and blocks access to them from computer applications that do not have the appropriate permissions.

The operation of the proposed device contains the steps:

- turn on the computer,

- integrity monitoring in BIOS or UEFI,

- computer boot BIOS or UEFI, from the chip SPI Flash protected data storage,

- downloading trusted applications from the non-volatile memory block of the secure data warehouse,

- launch the main operating system,

- controlling the microcontroller with all the access of the computer to the secure data warehouse during the entire session of the computer,

- when the computer is shut down, access to the data warehouse is closed until the next data warehouse controller initialization.

Consider a more specific implementation of the proposed utility model. To implement the computer, a motherboard is used, which provides a specialized connector for connecting a secure data warehouse. At the same time, this connector provides power to the storage from the standby (backup) power supply of the computer, which provides power to the secure data storage until the computer is physically turned on. The data warehouse has its own microcontroller, the SPI Flash chip, containing the initialization and organization of input / output - BIOS or UEFI, and at least one block of non-volatile memory of a significant amount used to download and store trusted applications. The remaining elements of the computer represent standard computer elements: a processor with a cooling system, RAM, a video card, hard disks (SSD or HDD), a monitor, a case with a power supply, a keyboard and mouse, and other input-output devices.

A computer with a secure data warehouse works as follows:

the user turns on the computer, after which the controller of the protected data warehouse already working at that moment ensures loading the BIOS or UEFI from the SPI Flash microcircuit, which is part of the protected data storage, and various graphic or textual design of the BIOS or UEFI boot can be formed on the monitor;

the controller launches trusted applications from the non-volatile memory block of a secure data warehouse, for example, a hypervisor, a trusted operating system, applications that provide user access control, antivirus protection, etc., including those processed by the main computer processor;

during computer operation, the controller monitors all calls to the SPI Flash chip and the non-volatile memory block and blocks access to them from computer applications that do not have the appropriate permissions;

when the computer is turned off, the controller of the secure data warehouse also locks the internal memory of the data warehouse.

Thus, the controller of the secure data warehouse is “tied” to the motherboard in such a way that only their joint work is possible. Attempting to disconnect a secure data warehouse causes the computer to become inoperative.

A specific embodiment of the proposed technical solution was disclosed above, but it is obvious to a person skilled in the art that based on the disclosed data, it is possible to create variations of a computer with a secure data storage, for example, using various computer control circuits from the data storage microcontroller. Thus, the scope of the utility model should not be limited to the specific embodiment described in the proposed utility model formula.

Claims (3)

1. A computer with a secure data storage containing a motherboard and a secure data storage connected to the motherboard through a connector with the possibility of temporary disconnection, while the secure data storage has its own microcontroller, a SPI Flash chip containing an initialization and input / output program - BIOS or UEFI, and at least one non-volatile memory block used to load and store trusted applications. 2. The computer according to claim 1, characterized in that the power source of the secure data warehouse is the standby power source of the computer. 3. The computer according to claim 1, characterized in that the microcontroller is configured in such a way that it protects the SPI Flash chip from modification of the source code written on it, monitors all calls to the SPI Flash chip and the non-volatile memory block and blocks access to them from parties to computer applications that do not have the appropriate permissions.