TW201903601A - Method and system for security verification in a booting sequence with a multi-core processor - Google Patents

Abstract

The disclosure is related to a method and a system for security verification in a booting sequence of a computer system. A multi-core processor of the computer system is utilized to perform a security verification operation initiated by a UEFI BIOS. The security verification operation is configured to test if the computer system is qualified as a secure system for a specific use. In one aspect, the multi-core processor architecture has the benefit of providing a more efficient way allowing each of the multiple cores to perform one verification task for one of the peripherals of the system. An embodiment shows that the multiple cores can be individually assigned to perform different tasks such as verifying security of various medium in parallel processes when the computer system is in the booting sequence.

Description

 Boot method and system for performing security confirmation using multi-core processor  

The invention relates to a security confirmation technology for a computer system, in particular to a booting method and a system for applying a multi-core processor in a computer system and performing security confirmation of different storage media by each core.

After the computer is turned on, the system is ready to be initialized. First, the basic input and output system (the BIOS basic input and output system) starts, and the system hardware information recorded in the BIOS is used to drive various peripheral hardware, including determining the boot magnetic area. The memory is allocated, the status of the input and output, and the start of the power-on self-test (POST), including checking the status of each connection and settings, such as the central processing unit, memory, keyboard, mouse and other devices. After loading the operating system (OS) from the boot sector according to the information contained in the BIOS basic input and output system, the system starts to enter the operating system startup program.

In order to break through the limitations of the traditional BIOS basic input and output system, a basic input and output system called Extensible Firmware Interface (EFI) was developed, and EFI was later developed into Unified Extensible Firmware Interface (Unified EFI, UEFI). In addition to hardware identification, control and system resource control, this type of BIOS basic input and output system allocates storage space systematically. The defined extendable firmware interface is used to communicate hardware, firmware and operating system.

The basic output of such extendable firmware interface can not be divided into hardware control and operation system management. The driver of the extendable firmware interface can be provided as hardware identification, control and system resource control, including There is an operating system, and even the operating system can be executed independently.

Moreover, one of the characteristics of the basic interface of the extendable firmware interface is a flexible driver module architecture, which can expand the driver, so the BIOS is basically the same as the memory type that is difficult to rewrite. Output to the system, this extensibility allows such basic input and output systems to be rewritten.

However, this modifiable feature may also threaten the security of the computer system. For example, if the application is in a game system (or Boao system) that requires high security, it will need to detect the extendable firmware interface in the boot process. Whether the input and output systems have been tampered with. Moreover, in addition to preventing the UEFI BIOS from being tampered with, for a system requiring security, the storage medium therein needs to be securely confirmed, especially in the booting process, which requires additional time to confirm whether various storage media have security concerns.

An extensible firmware interface that is becoming a basic input and output system commonly used in computer systems. The basic input/output system (UEFI/EFI BIOS basic input/output system) has flexible and extensible program features, but is used in computer systems that require strict security verification. In fact, the characteristics of such an extendable firmware interface that is basically imported into the system may lead to suspicion of being tamper-evident and have security concerns. The booting method proposed by the present application for multi-core processor to perform security confirmation is applied to the whole. Various systems of the computer system, such as the operating system and the game system, and perform security confirmation of different storage media by multiple cores in the booting process.

In an embodiment, in the booting method in which the multi-core processor is used to perform the security confirmation, the extendable firmware interface of the computer system is first started to be input into the system in the booting process, and is identified by the program in the basic input and output system. The hardware of the computer system, which is used to detect the multi-core processor of the computer system, and to enable multiple cores of the multi-core processor according to multiple tasks in the boot process, and then allocate each of the enabled cores to process multiple parallels. One of the tasks, and after the task is completed, the system will decide whether to start the operating system of the computer system.

Further, performing the task of confirming the UEFI BIOS by one core of the multi-core, first extracting a basic output of a memory stored in the computer system into a system digest value, thereby comparing the instant in the booting process. A current basic output of the operation enters the system feature value (present BIOS digest); at the same time, another core can perform the task of confirming the operating system (OS), which is to first extract the operating system feature value (OS digest) stored in the memory. In order to compare the current operating system feature value (present OS digest) in the booting program; at the same time, the core can perform the task of confirming the gaming system in the computer system, and the task is first taken out and stored in the memory. A gaming-system digest, which compares the current gaming system scores (the present gaming-system digest) that are computed in the boot process.

After comparing the preset feature values, when the extendable firmware interface is basically input into the system, the operating system and the game system are confirmed, indicating that there is no problem of tampering, the computer system starts to enter and enters the operating system.

The digest is a program code (including a compiled program) that is basically input into the system, the operating system, and the game system, and is implemented in a bitwise operation on the extensible firmware interface stored in a storage medium. And stored in the memory of the computer system. Based on the comparison, the security value can be performed on the system in each storage medium by comparing with the feature value of the instant operation in the booting process.

In another embodiment, the disclosure describes a booting system that uses a multi-core processor to perform security confirmation. The system includes a first memory for storing a UEFI BIOS firmware of the computer system, and a second memory. In order to store the basic input and output system characteristic values, the operating system characteristic values, and the game system characteristic values, there is a third memory for storing the operating system code of the computer system (including the compiled program). Another embodiment shows that the computer system further includes a game system, and the game system feature values should also be stored first.

The system is provided with an encryption module, and in the booting process, the multi-core processor is used to perform the security confirmation method, including starting the booting process, starting the UEFI BIOS, and identifying the hardware of the computer system through the UEFI BIOS. And to detect the information of the multi-core processor, can enable multiple cores of the multi-core processor according to multiple tasks in the boot process. In one task, the first core is assigned to perform firmware verification of the UEFI BIOS, and in another task, the second core is assigned to execute a program for confirming the operating system, and after the task is completed, it is determined whether to start the operating system of the computer system.

In another embodiment, the system further includes a fourth memory that stores the code of the game system and distributes the third core to perform the task of confirming the game system in the boot process.

In order to further understand the technology, method and effect of the present invention in order to achieve the intended purpose, reference should be made to the detailed description and drawings of the present invention. The drawings and the annexed drawings are intended to be illustrative and not to limit the invention.

101‧‧‧Multicore processor

102‧‧‧Memory bus

103‧‧‧Basic input and output system

111‧‧‧Encryption Module

104‧‧‧Non-volatile memory

112‧‧‧Characteristic values

105‧‧‧hard disk drive

113‧‧‧ operating system

201‧‧‧Basic input and output system

202‧‧‧First eigenvalue

203‧‧‧Operating system

204‧‧‧second eigenvalue

30‧‧‧First memory

32‧‧‧Second memory

33‧‧‧ third memory

34‧‧‧ Fourth memory

301‧‧‧ boot block

302‧‧‧Main block

303‧‧‧ Fixed variable block

304‧‧‧Safety feature values

305‧‧‧Remaining space

306‧‧‧Operating system

307‧‧‧ Game System

40‧‧‧Multicore processor

421‧‧‧Basic input and output system

423‧‧‧Start loader

425‧‧‧Encryption Module

427‧‧‧Characteristic values

42‧‧‧Flash memory

S501~S515‧‧‧Safely confirmed boot process

1 is a schematic diagram showing the architecture of a computer system; FIG. 2A is a diagram showing an embodiment of generating feature values by an encryption module; FIG. 2B is a diagram showing another embodiment of generating feature values by an encryption module; and FIG. 3 is a diagram showing the storage of UEFI BIOS. Schematic diagram of a memory block embodiment of the operating system and the feature values of the game system; FIG. 4 is a schematic diagram showing an embodiment of a booting system for performing security confirmation using a multi-core processor; FIG. 5 is a flow chart depicting the application of a multi-core processor A process embodiment of a boot method that performs a security check.

The disclosure describes a boot method and a system embodiment thereof for performing security verification using a multi-core processor in a computer system. Unified Extensible Firmware Interface Basic Input/Output System (UEFI BIOS) is a modifiable basic input/output system that is widely used in modern applications. In the computer system.

Extendable Firmware Interface The basic input and output system can initialize the firmware and hardware of the computer system in the boot process of the computer system. However, such a modified/programmed UEFI BIOS may pose a risk to the computer system, so that the BIOS or Various systems are at risk of being maliciously tampered with. Therefore, for a computer system with high security requirements, it is necessary to perform security confirmation on the BIOS and the system.

For example, a gaming system or a gaming system is extremely demanding on security and cannot tolerate any security threats. Various possible security concerns may cause the computer system to be attacked by unauthorized persons or malicious programs. Vulnerable state. Therefore, when the computer system is booted and enters the boot process, the security confirmation mechanism proposed by the disclosure will perform security confirmation on the system with high security requirements in the computer system, such as the operating system and the gaming system. ), etc., should strictly perform security confirmation on the code (including the compiled program).

The purpose of the security check in the boot process is to prevent the code from being improperly falsified, so as to avoid hidden code in the program. The boot method of the application multi-core processor to perform security confirmation is only allowed to continue through the system of security confirmation. Operation, such as the game system/Boao system, can only be started normally without security threats by completing the security confirmation in the boot process.

However, the boot process will extend the boot time by performing a security check. In an embodiment, in a computer system with a multi-core processor, multiple processing cores can be effectively applied in the boot process to avoid security confirmation. Runs and delays the boot time that is too long. A multi-core processor is a single computing component in a computer system that has more than two processing cores, and multiple processing cores are operational units that actually process data.

When a computer system with a multi-core processor is initialized in the boot process, the multi-core processor of the multi-core processor will be started, and the processing core is enabled at the same time to keep the processing core in operation. In the computer system boot process, the boot process first detects multiple processing cores of the multi-core processor, and multiple processing cores respectively run multi-core processing programs and manage multiple under a multi-core protocol (MP-service protocol) specification. Handle the core handlers. Through this multi-core service agreement, multiple processing cores can be selectively enabled or disabled.

The multi-core service agreement defines two types of processors. One of the multiple processing cores is defined as a bootstrap processor (BSP), and the other cores are application processors (APs). When a computer system with a multi-core processor is powered on or reset, there will be a program running the multi-core service protocol in the boot process. At this point, dynamically, a processing core is selected as the boot processor. (BSP), the core number can be core '0', the remaining processing cores are selected as application processors (AP), and the core numbers can be core 1, core 2, core 3, and so on.

It is revealed that the proposed system adopts a security confirmation mechanism to confirm whether the computer system is safe in the booting process, in particular to ensure that the UEFI BIOS is not improperly tampered with. The security confirmation measures can be applied to content in various storage media other than UEFI BIOS memory. According to the embodiment described in the disclosure, the booting method for executing the security confirmation by the multi-core processor in the computer system, in particular, utilizes the advantages of the multi-core processor in which the plurality of processing programs can run the security confirmation program in different storage media in parallel, so that The computer system can process multiple tasks in the boot process in parallel under a specific service agreement, thereby implementing a security confirmation procedure in the boot process, which is a highly secure solution.

Referring to the schematic diagram of the embodiment shown in FIG. 1, the architecture of the computer system is described. The computer system includes several storage media for storing UEFI BIOS firmware, related digests and operating systems.

In the schematic diagram of this embodiment, the multi-core processor 101 in the computer system is shown, and as the central processing unit of the computer system, the computer system does not exclude that two or more multi-core processors can be employed. The multi-core processor 101 is a chip packaged with a plurality of processing cores. This example is shown as a quad-core processor with four independent processing cores. The schematic shows that the core numbers are core 0 (core 0), core 1 (core 1), core 2 (core 2) and core 3 (core 3), each processing core running program is used to read and execute the instructions of the central processing unit.

The computer system uses a memory I/O bus 102 via a front-side bus to connect the multi-core processor 101 in the system and communicates with other memory through the memory bus. . The memory bus 102 provides a channel for the multi-core processor 101 to access system resources, and each processing core can individually access system resources individually. As such, multiple processing cores can execute multiple instructions simultaneously.

In this embodiment, the schematic diagram shows various forms of storage media, such as a first memory 103 for recording the firmware code of the UEFI BIOS, and a second memory 104 for storing various feature values 112; A hard disk drive 105 for storing at least the code of the operating system 113. In order to implement the security verification procedure during the boot process, according to one of the embodiments, an instruction set is installed in the first memory 103 of the UEFI BIOS. Taking a cryptography module 111 as an example, the encryption module 111 can Is a set of programs embedded in the UEFI BIOS firmware. When the UEFI BIOS starts, the associated encryption module 111 is activated.

In an embodiment, the foregoing first memory 103 for storing the UEFI BIOS firmware may be a serial peripheral interface (SPI) flash memory, but may not be implemented by other forms of storage media. . The second memory 104 is a non-volatile memory, and can also be a serial peripheral interface (SPI) flash memory, or an electronically erasable readable memory (Electrically Erasable Programmable Read-Only Memory). , EEPROM), electronically connecting the first memory 103. The second memory 104 is configured to store the feature value 112. The feature value is mainly a digital information obtained from the UEFI BIOS and the operating system to perform security confirmation, for example, the firmware code of the BIOS and the operating system code. A specific algorithm is operated bit by bit to obtain individual feature values. The first memory 103 and the second memory 104 may be memory chips mounted on a motherboard in a computer system.

While the computer system is running, the computer system can still provide an additional storage device to store the code of the operating system 113. The operating system 113 is loaded into the main memory in the last program of the booting process, and can also be loaded into the hard disk drive 105. Furthermore, the multi-core processor 101 accesses the hard disk drive 105 through the memory bus 102. The hard disk drive 105 can be one or more logical or physical disk partitions, that is, the computer system can include two or more separate logical or physical disk partitions for different operating programs. For example, the system can prepare a disk for the operating system, or a disk for other purposes, such as a gaming system.

According to an embodiment, the UEFI BIOS installed encryption module 111 of the first memory 103 is a firmware-based driver, and the encryption module 111 is one of the booting programs for performing security confirmation. One of the purposes is to check whether the UEFI BIOS has been improperly tampered with. Another purpose of the encryption module 111 is to ensure the security of the program in the hard disk drive 105 or other storage medium.

Further, the security verification program running in the booting process needs to obtain the feature value of the image linked to a specific memory block, and the feature value includes the initial state of the UEFI BIOS or the previously confirmed image. The signature value obtained from the image operation under the previously approved state. Similarly, the operating system also forms its own feature value, and may also be a signature value obtained from the initial state of the operating system or the image operation in the previous (or some) confirmed state. For a computer system having a game system, the game system feature value may be a signature value obtained from an initial state of the game system or an image operation in a previously confirmed state. For the executable code of the extensible firmware interface stored in a storage medium, which is basically input into the system, the operating system and the game system, the system obtains each feature value by bit-to-bit computation and stores it in the computer. In the memory of the system, the feature value obtained by the prior calculation is used as a reference value for the security confirmation comparison, and also includes the feature value obtained by the current operation in the boot process. Such a security confirmation scheme based on the comparison of eigenvalues can be used to check whether these comparison objects (contents of specific storage locations) have been misunderstood.

Referring to FIG. 2A, an overview of the feature values generated by the encryption module operation is displayed. Based on the UEFI BIOS being a modifiable feature, the system performs a security confirmation on the basic input and output system 201 in the boot process, and is preceded by the encryption module 111. The first feature value 202 is calculated for the basic input/output system 201 in the initial state or the confirmed state, and the encryption module 111 can then execute a security confirmation program in the boot process to check whether the basic input/output system 201 has been tampered with. The encryption module 111 can be a hardware or software implemented program, and the program portion can be carried in any storage space of the system, including in a UEFI BIOS related flash memory block.

The above-mentioned security confirmation procedure is mainly used to confirm whether the variable block in the UEFI BIOS has been tampered with. First, the first feature value 202 is calculated by the encryption module 111 carried in the UEFI BIOS, and the first feature value 202 is used as a ratio. The reference value of the pair is used to compare the current feature value of the UEFI BIOS obtained by the encryption module 111 in the booting procedure, and by using the security confirmation program, according to the comparison result, the system can determine whether the UEFI BIOS has been tampered with. The problem.

Similarly, the security confirmation mechanism can be applied to systems stored in other storage media of the computer system, such as the operating system code, and program instructions for specific systems. For example, the second feature value 204 is a feature value calculated by the encryption module 111 according to the initial state of the operating system 203 or the previously confirmed state. In the security verification program, the encryption module 111 is used. It is activated in the booting process to instantly calculate the feature value of the current operating system 203 and compare it with the pre-calculated second feature value 204, thereby confirming whether the operating system 203 stored in the specific storage medium has been tampered with.

The same security confirmation mechanism is also applied to the game system. For example, in order to ensure the security of the game system, the security confirmation program initiated by the encryption module 111 first obtains features from the initial state of the game system or the previously confirmed state operation. The value is then calculated from the specific memory block of the game system in the booting process to obtain the current feature value, and the result of the falsification is obtained through the comparison.

Finally, the system can judge whether the operating system or the game system has been tampered with based on the comparison result of the feature values.

The security confirmation mechanism described above uses the security feature values (first feature value 202, second feature value 204) computed by the UEFI BIOS and the operating system/game system, and from the UEFI BIOS and operating system in the boot process. / The current eigenvalue obtained by the game system operation, the result of the comparison will reflect whether the safely confirmed memory block has been tampered with. The security feature values (202, 204) stored in the specific memory block may be updated, in particular, the old feature values may be replaced by the feature values of the UEFI BIOS and the operating system/game system recalculated by the latest confirmed content. For example, when the administrator of the computer system agrees or authorizes to modify the contents of the BIOS or the operating system, the updated content will be recalculated to obtain a new feature value to replace the original feature value.

The security feature values (202, 204) stored in a particular memory block should themselves be securely stored in a particular memory block in the computer system, and the security feature values (202, 204) should also be protected against theft or tampering. For example, a security algorithm value (202, 204) may be computed by a particular encryption algorithm before being stored in a particular memory block. In the boot process, the encryption module 111 should re-decrypt the encrypted security feature values (202, 204) to compare the feature values of the instant operations.

Refer to Figure 3 for an overview of the relationship between each memory block and the eigenvalues. The first memory 30 is displayed for storing the UEFI BIOS firmware. To ensure that the UEFI BIOS has not been tampered with, the memory block of the UEFI BIOS can be set to write protection. The first memory 30 is a rewritable flash memory or other non-volatile memory; the second memory 32 can be another flash memory or other non-volatile memory such as an EEPROM. To record the feature values. The second memory 32 can be, for example, a hard disk drive or a particular form of storage medium. The code of the operating system 306 is stored in the third memory 33, the hard disk drive, or a specific storage medium. The game system 307 is stored in the fourth memory 34 and can also be a hard disk drive or other form of storage medium.

Further, as shown in the figure of the embodiment, the UEFI BIOS in the first memory 30 is provided with a boot block 301, a main block 302 and a fixed variable block 303. . The boot block 301 is a block defined by the basic input and output system, and is converted to a code section in the boot process. However, the code of the boot block 301 before being converted to the block should be maintained in the security confirmation program. constant. The main block 302 is used to store the main code of the UEFI BIOS, and may also be a memory block stored by the encryption module. However, the actual implementation of the encryption module is not limited to being stored in the memory block. This fixed variable block 303 is typically a memory block in which the UEFI BIOS stores basic input and output system variables. The UEFI BIOS variable can be modified in each boot process, so this fixed variable block 303 is specifically a memory block that prevents writes to ensure that the UEFI BIOS meets security requirements.

In a general embodiment, the second memory, the third memory, and the fourth memory may be the same storage device, or three different partitions in one storage device, or three independent storages. Device. Further, the related operating program of the operating system 306 can be stored in a partition of the third memory 33, and the program of the gaming system 307 can be stored in a partition of the fourth memory 34. In one example, the gaming system is not necessarily a separate system, but may be part of the operating system 306, that is, the third memory 33 and the fourth memory 34 may be two separate partitions in a hard disk drive. Zones, or two separate actual hard drives, can also be other specific forms of storage media.

The security confirmation mechanism allows the system to divide the second memory 32 proposed by the disclosure into a plurality of memory spaces for storing the security feature values 304 through the memory bus, which may be a plurality of feature values. The second memory 32 is configured to store the security feature values 304 obtained by the content operations in the first memory 31, the third memory 33, and the fourth memory 34.

In this embodiment, the security feature value 304 includes a first feature value, and the first feature value is obtained by a fixed encryption algorithm of the UEFI BIOS fixed variable block 303 in the first memory 30. The security feature value 304 includes a second feature value that is computed by the operating system 306 of the third memory 33 in an algorithmic operation. The security feature value 304 includes a third feature value that is computed by the game system 307 in the fourth memory 34 in an algorithmic operation. The dashed line in the figure indicates that the security feature value 304 is calculated by the encryption module to be stored in the fixed variable block 303 of the second memory 32, and the feature values of the operating system 306 and the game system 307 stored in the specific storage medium. The specific algorithm is mainly for computing the feature value of the UEFI BIOS, the operating system or the game system bit by bit and byte.

In an embodiment, the UEFI BIOS carries a program for deriving a feature value in the security confirmation program, and the space other than the stored security feature value 304, that is, the remaining space 305 of the second memory 32, may be set to a null value. (void) to comply with the UEFI BIOS specification. A pointer is also provided to indicate the memory address at which the security feature value 304 is stored, so that the processor can derive the feature value based on the memory address.

In one embodiment, the encryption module is installed in a memory block of the UEFI BIOS, and the encryption module is used to perform an encryption algorithm, and can perform operations on the UEFI BIOS firmware and the code (or program) in the specific storage medium. The eigenvalue is obtained. The cryptographic algorithm can be a Secure Hash Algorithm (SHA) for performing a cryptographic hash algorithm to calculate the bitwise operation of the cryptographic pair. Eigenvalues. The executable code of the extensible firmware interface stored in the storage medium is basically input into the system, the operating system and the game system, and each feature value is obtained by bit-by-bit operation and stored in the memory of the computer system.

Another encryption algorithm, such as an RSA (Ron Rivest, Adi Shamir and Leonard Adleman) developed in 1977, is used to perform asymmetric cryptographic calculus, and is applied in the boot method of security confirmation proposed in the present disclosure, including computing security feature values. , and the current feature values in the boot process.

The security confirmation operation performed in the boot process is simultaneously applied to the code in the UEFI BIOS and the storage medium, compared to the manner in which a processing core performs security confirmation in the boot process (including only one core processor, Or a multi-core processor but only evokes a core processing method. The boot method proposed by the present application for multi-core processor to perform security confirmation uses a multi-core processor, and can enable multiple processing cores according to task requirements. And the parallel processing task processing program is implemented in the booting process, and the related system description can refer to FIG. 4.

The figure shows that the multi-core processor 40 in the computer system includes more than two cores packaged in one chip (IC). This example is shown as four processing cores. In the boot process, these independent processing cores can be processed separately. The respective threads are running in parallel. The cores in the multi-core processor 40 are numbered as core 0, core 1, core 2, and core 3. The boot process can be a program to restart the computer system or reboot.

In the boot process, after an initialization process, the multi-core processor 40 detects that there is a core suitable as a boot processor (BSP), that is, the core is selected as a boot processor (BSP), and the remaining cores are applications. Processor (AP). The boot processor will execute the boot-strap code in the UEFI BIO to set up a systemic environment and set the data structures to begin initializing the application processor (AP). For example, the aforementioned core number is core 0, and the register of core 0 generates a boot processor flag (BSP flag), which is selected as the boot processor. The program of the encryption module 425 is installed in a flash memory 42, and the flash memory 42 is used to store the firmware code of the UEFI BIOS 421.

When the system is powered on, the UEFI BIOS 421 initializes the multi-core processor 40 and the periphery of the computer system and sets the boot processor (BSP) and application processors (APs) of the multi-core processor 40 in accordance with the multi-core service protocol. In the booting process, the UEFI BIOS reads a boot loader 423, which is a program installed in the flash memory 42 for loading the operating system and the software program required for booting the program into the system memory. body. The boot program runs a power-on self-test process at the same time.

The UEFI BIOS 421 initializes the multi-core processor 40, wherein the application processor (AP) starts and enters a sleep mode, waiting for the boot processor (BSP) to start the application processors (APs) to start executing the dispatched instructions, such as exposing the book The security verification procedure described. At this time, the encryption module 425 dispatches a plurality of processing cores (including the BSP and the AP) to perform different security confirmation tasks.

After the UEFI BIOS is started, the encryption module 425 is specifically used to determine whether the UEFI BIOS firmware has been improperly modified, and is also used to determine whether the operating system or the game system program has been tampered with. Prior to this, the system first prepares the security feature values of the programs in each storage medium, including the initial state or the basic input and output system feature values in the previous confirmed state, to form one of the system's plurality of feature values 427, in this example, The feature value 427 is stored in the flash memory 42. Also included are operating system feature values and/or game system feature values. The system initially calculates the feature values of the respective storage media, and the above various feature values are included in the feature values 427 in the illustration.

4 schematically illustrates the use of multiple cores (core 0, core 1, core 2, and core 3) in a multi-core processor 40, including a boot processor and an application processor, each running multiple tasks in the boot process.

Core 0 can be selected as the boot processor (BSP), and the remaining core 1, core 2 and core 3 are selected as application processors (APs). In the initial state, the initial value of the application processor is synchronized with the boot processor. The encryption module 425 operates as a controller of the multi-core processor 40, and first obtains various security feature values 427. The encryption module 425 performs security confirmation operations on the UEFI BIOS 421, the operating system, and/or the game system, and the encryption module 425 is applied. The core service agreement assigns each core to perform its respective tasks, such as task 1, task 2, task 3, and so on.

The multi-core processor 40 plays an important role in the invention proposed by the present disclosure. In a task, the encryption module 425 initiated in the booting process will instruct the individual processing cores to obtain the current basic input and output system feature values in real time, wherein the recorded information reflects the current status of the basic input and output system, and the encryption module. 425. The basic input and output system feature values of one of the security feature values pre-stored in the specific memory block are retrieved, and then the basic input and output system feature values are compared with the current basic input and output system feature values, and the encryption module 425 is based on the comparison result. Determine if the UEFI BIOS has been changed.

In another task, the encryption module 425 instructs another processing core to calculate the current operating system feature value in real time. The information recorded by the feature value reflects the current state of the operating system, and the encryption module 425 further extracts the pre-stored operating system feature value. And compare the current operating system feature values with the operating system feature values. The encryption module 425 can determine whether the operating system has been improperly modified based on the comparison result. According to an embodiment, the encryption module 425 continues to indicate in another task that the different processing cores calculate the current feature values of the particular system in the particular storage medium, such as the code for the game system/blog system (a key memory block) The operation obtains the current game system feature value, wherein the information reflects the current state of the game system, and the encryption module 425 then compares the current game system feature value with the game system feature value pre-stored in the specific memory block, and the comparison result will reflect Whether the game system has been improperly modified.

In the boot process, the four cores in this example process the assigned tasks separately, and the individual assigned tasks can be processed sequentially or non-sequentially. Referring to the flowchart shown in FIG. 5, the flowchart depicts the multi-core processor. The method of booting the security confirmation is performed by a computer system.

The computer system provides a variety of storage media and memory for different purposes. The system includes a first memory, such as a flash memory, to store the UEFI BIOS firmware; the system provides a second memory for storing Basic input and output system feature values, operating system feature values, and game system feature values. The second memory may be a non-volatile memory such as a flash memory or a hard disk drive, wherein the information stored in the stored feature values reflects the initial state of each system or the previously confirmed state. The system provides a third memory, which is a memory block for storing operating system programs/codes, or a fourth memory for storing programs or programs of a specific system, such as a game system/blog system. The cryptographic module that is activated during the boot process will initiate individual cores of the multi-core processor and process different tasks in parallel.

According to the method embodiment, when the computer is booted and powered on, as in step S501, then as in step S503, the UEFI BIOS is started and initialized. In step S505, after the basic input/output system (such as UEFI BIOS) is started, the encryption is started at the same time. The module identifies the hardware information of the computer system by the encryption module. In step S507, the encryption module can obtain the information of the multi-core processor, including the detected multiple cores, as in step S509. At the same time, the encryption module also knows the tasks in the plurality of booting programs according to the set information. For example, in step 511, multiple cores are enabled according to the task to be executed, and each enabled core is executed to execute an individual thread for processing the assigned. The task is as in step S513.

For example, in the first task, the first core is allocated to confirm the firmware of the UEFI BIOS; in the second task, the second core confirms the program, the code of the operating system, or the content of the specific memory block; in the third task The third core is assigned to confirm the program, code or content of the specific memory block of the game system. When these tasks are completed, the system will determine whether to start and enter the operating system, as in step S515.

In the booting process, if the security confirmation program executed by each of the above cores confirms that the various confirmation actions assigned are in compliance with the safety standards, the operating system can be smoothly entered. For example, if it is confirmed that the content of the extended firmware interface into the system, the operating system and the game system meet the pre-stored security feature values, the action page system can be activated.

In summary, in the booting method and system for security confirmation in the booting procedure proposed in the present disclosure, the tasks of the plurality of booting programs are specifically processed by multiple cores of the multi-core processor, and the multi-core service agreement is passed through the specific program. Instructing individual cores to process different tasks in parallel, unlike the conventional technique of processing a plurality of tasks in a boot process with a single core processor or a single core of a multi-core processor, the method proposed by the present disclosure will be Provides a more efficient way to perform security confirmation steps for systems with high security requirements.

The above are only the preferred embodiments of the present invention, and all changes and modifications made to the scope of the present invention should be within the scope of the present invention.

Claims (17)

 A booting method for performing a security confirmation using a multi-core processor, comprising: initiating a booting process; starting a basic firmware input and output system of a scalable firmware interface of a computer system; and substantially importing and outputting the system through the extendable firmware interface, Identifying hardware of the computer system; detecting a multi-core processor of the computer system, and enabling multiple cores of the multi-core processor according to multiple tasks in the boot process; assigning each enabled core parallel processing task And, after the task is completed, decide whether to start the operating system of the computer system.    The method of claim 1, wherein the applying the multi-core processor to perform the security confirmation, wherein the step of assigning the task to the plurality of cores further comprises: assigning a first core to perform confirmation of the extendable firmware interface basic output. The task of entering the firmware of the system; and assigning a second core to perform the task of confirming the operating system of the computer system.    The booting method for applying the security confirmation by the multi-core processor according to claim 2, further comprising: assigning a third core to perform a task of confirming a game system in the computer system.    The booting method for performing security verification by the application multi-core processor according to claim 3, wherein the task of confirming that the extendable firmware interface is basically input into the system is to compare a current basic input and output system characteristic calculated in the booting program. And a value of a basic input and output system characteristic value stored in a memory of the computer system; confirming that the task of the operating system is to compare a current operating system characteristic value calculated in the booting program with a stored in the memory The operating system feature value; confirming that the game system's task is to compare a current game system feature value calculated in the boot process with a game system feature value stored in the memory.    The booting method of applying the security confirmation by the multi-core processor according to claim 4, wherein the computer system starts to start after the extendable firmware interface is basically input into the system, and the operating system and the gaming system complete the confirmation. working system.    The booting method for performing security verification by the application multi-core processor according to claim 5, wherein the extendable firmware interface stored in a storage medium is basically input into the system, the operating system, and the code of the game system. Each feature value is obtained in a bitwise operation and stored in the memory of the computer system.    The booting method for performing a security confirmation by the application multi-core processor according to claim 5, wherein the identifying the computer system hardware, detecting the multi-core processor, enabling the multiple cores, and allocating by using an encryption module Each enabled core performs one of several tasks.    The booting method for performing a security confirmation by the multi-core processor according to claim 7, wherein the encryption module is a program embedded in the basic output system of the extendable firmware interface, when the extendable firmware interface basic output After the system is started, the encryption module is started.    The booting method for performing a security confirmation by the application multi-core processor according to claim 1, wherein the plurality of cores are selectively enabled or stopped by a multi-core service agreement, and the multi-core service agreement is obtained in the booting process. The number of cores of this multi-core processor.    A booting system for performing security verification using a multi-core processor includes: a first memory for storing a firmware of a computer system and a basic firmware input and output system; and a second memory for Storing a basic input and output system feature value, an operating system feature value, and a game system feature value; a third memory for storing a code of an operating system of the computer system; and an encryption module for booting In the program, applying the multi-core processor to perform a security verification method, the method comprising: initiating the booting process; starting the basic output of the extendable firmware interface into the system; and substantially importing and outputting into the system through the extendable firmware interface, Identifying hardware of the computer system; detecting a multi-core processor of the computer system, and enabling multiple cores of the multi-core processor according to multiple tasks in the boot process; assigning a first core in a task Performing to confirm that the extendable firmware interface is basically outputted into the firmware of the system; in another task, assigning a second core to execute the code for confirming the operating system And, after the task is completed, decide whether to start the operating system of the computer system.    The booting system for performing security confirmation by the application multi-core processor according to claim 10, further comprising a fourth memory, wherein the fourth memory stores a program code of the game system, and assigns a third core to perform the confirmation of the game. The task of the system.    The booting system for performing security verification by the application multi-core processor according to claim 11, wherein the task of confirming that the extendable firmware interface is basically input into the system is to compare a current basic input and output system feature calculated in the booting program. And a value of a basic input and output system characteristic value stored in a memory of the computer system; confirming that the task of the operating system is to compare a current operating system characteristic value calculated in the booting program with a stored in the memory The operating system feature value; confirming that the game system's task is to compare a current game system feature value calculated in the boot process with a game system feature value stored in the memory.    The booting system that performs the security confirmation by the application multi-core processor according to claim 12, wherein the computer system starts to start after the extendable firmware interface is basically input into the system, and the operating system and the gaming system complete the confirmation. working system.    The booting system for performing security confirmation by the multi-core processor according to claim 13, wherein the executable file of the executable system stored in a storage medium is input into the system, the operating system and the game system. Each feature value is obtained in a bitwise operation and stored in the memory of the computer system.    The booting system of claim 13, wherein the second memory, the third memory, and the fourth memory system are in the same storage device and three in a storage device. One partition, or three separate storage devices.    The booting system for performing security verification by the multi-core processor according to claim 10, wherein the encryption module is a program embedded in the basic output system of the extendable firmware interface, and the basic output of the extendable firmware interface is After the system is started, the encryption module is started.    The booting system as claimed in claim 10, wherein the plurality of core systems are selectively enabled or disabled by a multi-core service agreement, and the multi-core service agreement is obtained in the booting process. The number of cores of this multi-core processor.