WO2015131607A1 - Method and device for creating trusted environment, and method and device for restoration after base station fault - Google Patents

Info

Publication number: WO2015131607A1
Authority: WO, WIPO (PCT)
Prior art keywords: base station, version, trusted, data, operating system
Application number: PCT/CN2014/093999
Other languages: French (fr), Chinese (zh)
Inventors: 成峰波, 姜军
Original Assignee: 中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/572 Secure firmware programming, e.g. of basic input output system [BIOS]
    • G PHYSICS
    • G09 EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09C CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C 1/00 Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/60 Context-dependent security
    • H04W 12/67 Risk-dependent, e.g. selecting a security level depending on risk profiles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W 88/08 Access point devices

Definitions

  • The present invention relates to the field of wireless communications, and in particular to a method and apparatus for creating a trusted environment and a method and apparatus for recovering a base station from an abnormality.
  • Communication base stations are components of the mobile communication network. They are numerous, widely distributed and operate in complex environments, especially outdoor base stations. Because their physical security protection is relatively weak and they often lack active security defence capability, they easily become the link in the whole communication network that is exposed to security attacks.
  • Communication base stations are the infrastructure that provides communication services, and the requirements on their operational availability are extremely strict.
  • A communication base station faces complex risks such as hardware failure, software failure, human failure and failure of trusted measurement.
  • The characteristics of, and countermeasures against, the various failure risks also differ. If the base station can identify the various failure risks, analyse them comprehensively, and use the data recovery mechanism of the trusted computing environment to recover from the abnormality by itself, this greatly improves the availability of the base station, the communication user experience and the business benefits of the communication operator.
  • Modern communication base stations are generally embedded computer systems, and Trusted Computing (TC) technology is used to provide them with active security defence capability.
  • TC: Trusted Computing
  • TPM: Trusted Platform Module
  • A cryptographic mechanism establishes a chain of trust and builds a trusted computing environment, which makes it possible to solve security problems fundamentally and offers better system scalability.
  • Trusted computing technology is developing very rapidly. Many foreign technology companies, such as Atmel and Broadcom, have launched TPMs and security PCs that comply with trusted computing specifications. Such products typically focus on hardware-based computing platforms, including security coprocessors, personal tokens, cryptographic accelerators and multifunction devices, with the goal of ensuring data authenticity, data confidentiality and data protection. However, these products concentrate on providing basic trusted computing services at the hardware platform level and cannot provide comprehensive trusted services for software systems and services.
  • There are also TPM application software and operating systems that provide functions such as file management, information transfer, key delivery and smart signatures.
  • Pure software services can be tampered with, which affects the reliability of their applications. And because these software systems are generally integrated with or based on desktop-class hardware platforms, or are heavyweight systems that rely on an operating system, their application in embedded systems such as base stations is limited.
  • The related technical solutions for applying trusted technology to communication base stations generally focus on establishing the trusted environment; they lack a comprehensive analysis of the various failure risks faced by the base station and lack a backup mechanism for the system's trusted data. After an abnormality, a simple system reset is performed. There is no effective data recovery method, so the system either cannot recover effectively from the abnormal state to the normal communication state, or the intervention of a third-party system is required to recover, which obviously prolongs the recovery time.
  • In summary, the trusted computing solutions applied to communication base stations are limited by the constrained resources of the embedded computing system and cannot provide a reliable data backup mechanism adapted to the operating requirements of the base station together with a comprehensive analysis of the various failure risks. They therefore cannot give the base station a reliable ability to recover actively from an abnormality.
  • The embodiments of the invention provide a method and device for creating a trusted environment and a method and device for recovering a base station from an abnormality, which solve the problem that existing trusted computing solutions cannot provide a reliable abnormality recovery function for the base station.
  • A method for creating a trusted environment includes:
  • the BIOS controls the loading of the secure operating system and transfers control of the trusted environment to the secure operating system;
  • the secure operating system loads the software environment and creates the trusted environment.
  • The method further includes:
  • the TPM hardware and the non-volatile storage of the base station are initialized before the base station leaves the factory;
  • the non-volatile storage includes a data protection area and a file system data area, and the initialization specifically includes:
  • the pre-installed version of the base station includes trusted Boot Loader code, BOOT code, an image of the secure operating system, a trusted network software library, application software and weight data;
  • the key set and the BIOS code associated with the pre-installed version of the base station are written into the TPM hardware, where the key set includes a plurality of keys.
  • The BIOS controlling the loading of the secure operating system and transferring control of the trusted environment to the secure operating system includes:
  • the BIOS checks the credibility of the data stored in the data protection area of the base station;
  • the BIOS preloads the pre-installed version of the base station in the data protection area by loading the Boot Loader code;
  • the image of the secure operating system is extracted from the pre-installed version of the base station and loaded, and control of the trusted environment is transferred to the secure operating system.
  • The BIOS stage further includes:
  • the BIOS triggers the base station to restart and reset when the credibility check of the data stored in the data protection area fails.
  • Extracting the image of the secure operating system from the pre-installed version of the base station and transferring control of the trusted environment to the secure operating system includes:
  • trusted authentication is performed on the image of the secure operating system;
  • after the image of the secure operating system passes the trusted authentication, the image is loaded and control of the trusted environment is passed to the secure operating system.
  • Determining the pre-installed version of the base station according to the version switch identifier and extracting the image of the secure operating system from that pre-installed version includes:
  • when the version switch identifier indicates a pre-installed version of the base station in the file system data area, the corresponding secure operating system image is extracted directly from the pre-installed version indicated by the version switch identifier;
  • when the version switch identifier indicates a pre-installed version of the base station in the data protection area, that pre-installed version is first restored to the file system data area, and the secure operating system image is then extracted from the pre-installed version in the file system data area.
  • The method further includes:
  • after the image of the secure operating system fails the trusted authentication, the base station is triggered to restart and reset, and the value of the version switch identifier is forcibly set to indicate another pre-installed version of the base station, which is stored in the file system data area or the data protection area.
  • The secure operating system loading the software environment and creating the trusted environment includes:
  • the secure operating system is started, the application software is extracted from the pre-installed version of the base station and loaded, and the trusted network software library is attached.
  • The method further includes:
  • after the secure operating system is started, the base station requests authentication from the remote control end;
  • the base station receives a new pre-installed version of the base station and a matching key set issued by the remote control end;
  • the base station writes the new pre-installed version into the data protection area and the file system data area, and writes the matching key set into the TPM hardware of the base station;
  • the base station changes the value of the version switch identifier to indicate the new pre-installed version, initiates a reset, and loads the new pre-installed version after the reset.
  • The embodiments of the invention further provide a base station abnormality recovery method, including:
  • when the trusted risk check finds the base station abnormal, the base station is reset and restored to a trusted pre-installed version of the base station.
  • The trusted environment of the base station is composed of a secure operating system running on the base station, a trusted service software library and a trusted network service system, and the method further includes:
  • the pre-installed version of the base station includes trusted Boot Loader code, BOOT code, an image of the secure operating system, a trusted network software library and application software;
  • a key set and BIOS code associated with the pre-installed version of the base station are written in advance to the TPM hardware of the base station.
  • Performing the trusted risk check on the base station includes:
  • the secure operating system cooperates with the application software and the trusted network software library to periodically self-test the system hardware, storage system, network communication and software behaviour;
  • a risk assessment decision is made on the data obtained by the self-test to determine whether a base station abnormality has occurred.
  • The periodic self-test of the system hardware, storage system, network communication and software behaviour by the secure operating system in cooperation with the application software and the trusted network software library includes:
  • the secure operating system cooperates with the application software to periodically self-test the system hardware and storage system of the base station and to collect static credibility evaluation data, which includes data on at least one of the following base station abnormal events:
  • the network communication is authenticated in real time, and the application system periodically authenticates to the operating system, to collect system dynamic credibility evaluation data, which includes data on at least one of the following base station abnormal events:
  • an external-instruction concentration check is performed on the service instruction categories received by the application software, and data on unauthorized behaviour features is collected, which includes data on at least one of the following base station abnormal events:
  • Making an assessment decision on the risks obtained by the self-test and determining whether they constitute a base station abnormality includes:
  • the static credibility assessment data, the system dynamic credibility assessment data and the unauthorized behaviour feature data obtained by the self-test are evaluated and a decision is made;
  • when the decision result is that the base station is abnormal, a base station reset scheme is made and the version switch identifier saved in the data protection area is synchronously updated.
  • Using the weighted linear Bayesian decision algorithm to evaluate the static credibility assessment data, the system dynamic credibility assessment data and the unauthorized behaviour feature data obtained by the self-test includes:
  • when the weight obtained is higher than the corresponding threshold in the weight data, it is decided that the base station is abnormal.
  • The method further includes:
  • the base station receives a new base station version and a matching key set delivered by the remote control end;
  • the base station changes the value of the version switch identifier to indicate the new pre-installed version, initiates a reset, and loads the new pre-installed version after the reset.
  • The embodiments of the invention further provide a trusted environment creation device, including:
  • a BIOS startup module configured to: after the base station is powered on for the first time, run the BIOS code pre-written to the TPM hardware of the base station, and transfer control of the trusted environment to the BIOS;
  • a BIOS configured to: control the loading of the secure operating system and transfer control of the trusted environment to the secure operating system;
  • a secure operating system configured to: load the software environment and create the trusted environment.
  • The device further includes:
  • an initialization module configured to: initialize the TPM hardware and the non-volatile storage of the base station before the base station leaves the factory, where the non-volatile storage includes a data protection area and a file system data area, including:
  • the pre-installed version of the base station includes trusted Boot Loader code, BOOT code, an image of the secure operating system, a trusted network software library, application software and weight data;
  • the key set and the BIOS code associated with the pre-installed version of the base station are written into the TPM hardware, where the key set includes a plurality of keys.
  • The BIOS includes:
  • a credibility checking unit configured to: after the hardware self-test ends, check the credibility of the data stored in the data protection area of the base station;
  • a version loading unit configured to: after the credibility check of the data stored in the data protection area passes, preload the pre-installed version of the base station in the data protection area by loading the Boot Loader code;
  • a file system creation unit configured to: start executing the BOOT code, perform hardware initialization of the embedded system of the base station, create a file system, and perform trusted authentication on the file system;
  • an image loading unit configured to: after the trusted authentication of the file system is complete, extract the secure operating system image from the pre-installed version of the base station and transfer control of the trusted environment to the secure operating system.
  • The BIOS further includes:
  • a restart unit configured to: when the credibility check of the data stored in the data protection area fails, trigger the base station to restart and reset.
  • The image loading unit includes:
  • a version selection subunit configured to: determine the pre-installed version of the base station according to the version switch identifier, and extract the image of the secure operating system from that pre-installed version;
  • an authentication subunit configured to: perform trusted authentication on the image of the secure operating system;
  • a loading subunit configured to: after the image of the secure operating system passes the trusted authentication, load the image and transfer control of the trusted environment to the secure operating system.
  • The version selection subunit is configured to: when the version switch identifier indicates a pre-installed version of the base station in the file system data area, extract the corresponding secure operating system image directly from the pre-installed version indicated by the version switch identifier; and when the version switch identifier indicates a pre-installed version in the data protection area, restore that pre-installed version to the file system data area and then extract the secure operating system image from the pre-installed version in the file system data area.
  • The version selection subunit is further configured to: after the image of the secure operating system fails the trusted authentication, trigger the base station to restart and reset, and forcibly set the value of the version switch identifier to indicate another pre-installed version of the base station, which is stored in the file system data area or the data protection area.
  • The device further includes:
  • a remote authentication module configured to: after the secure operating system is started, request authentication from the remote control end for the base station;
  • a version downloading module configured to: after the base station is authenticated by the remote control end, receive a new pre-installed version of the base station and a matching key set issued by the remote control end;
  • a storage module configured to: write the new pre-installed version into the data protection area and the file system data area, and write the matching key set into the TPM hardware of the base station;
  • a reset module configured to: change the value of the version switch identifier to indicate the new pre-installed version, initiate a reset, and load the new pre-installed version after the reset.
  • The embodiments of the invention further provide a base station abnormality recovery device, including:
  • a checking module configured to: perform a trusted risk check on the base station in the trusted environment of the base station;
  • an abnormality recovery module configured to: when the trusted risk check finds the base station abnormal, reset and restore the base station to a trusted pre-installed version of the base station.
  • The trusted environment of the base station is composed of a secure operating system running on the base station, a trusted service software library and a trusted network service system, and the device further includes:
  • a first configuration module configured to: write a version switch identifier and a pre-installed version of the base station in advance to the data protection area and the file system data area of the non-volatile storage of the base station, where the pre-installed version includes trusted Boot Loader code, BOOT code, an image of the secure operating system, a trusted network software library and application software;
  • a second configuration module configured to: write a key set and BIOS code matched with the pre-installed version of the base station in advance to the TPM hardware of the base station.
  • The checking module includes:
  • a self-checking unit configured to: control the secure operating system to cooperate with the application software and the trusted network software library, and periodically self-test the system hardware, storage system, network communication and software behaviour;
  • an abnormality determining unit configured to: make a risk assessment decision on the data obtained by the self-test and determine whether a base station abnormality has occurred.
  • The self-checking unit includes:
  • a hardware self-test subunit configured to: control the secure operating system to cooperate with the application software, periodically self-test the system hardware and storage system of the base station, and collect static credibility evaluation data, which includes data on at least one of the following base station abnormal events:
  • a network self-checking subunit configured to: authenticate the network communication in real time through the basic service functions of the trusted network software library, periodically authenticate the operating system through the application software, and collect system dynamic credibility evaluation data, which includes data on at least one of the following base station abnormal events:
  • a software self-test subunit configured to: perform an external-instruction concentration check on the service instruction categories received by the application software and collect unauthorized behaviour feature data, which includes data on at least one of the following base station abnormal events:
  • The abnormality determining unit includes:
  • a decision subunit configured to: use a weighted linear Bayesian decision algorithm to evaluate the static credibility evaluation data, the system dynamic credibility evaluation data and the unauthorized behaviour feature data obtained by the self-test, and make a decision;
  • a scheme determining unit configured to: when the decision result is that a base station abnormality has occurred, make a base station reset scheme and synchronously update the version switch identifier saved in the data protection area.
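The decision step of the recovery method and the decision subunit just described are illustrated by the following added example, which is not the patent's own code. It scores the three kinds of self-test data named on the page, combines the class scores with prior weights into one linear score, compares the results with thresholds carried in the weight data, and, when the decision is "abnormal", produces the reset scheme by choosing the pre-installed version the version switch identifier should be updated to. Event names, weights, thresholds and the prior-weighted combination are all assumed values; the patent's exact weighted linear Bayesian algorithm is not reproduced.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The page names three kinds of self-test data; these class labels are ours.
STATIC = "static"              # hardware and storage self-test results
DYNAMIC = "dynamic"            # network and application-to-OS authentication results
UNAUTHORIZED = "unauthorized"  # external instruction concentration / behaviour features

# Constructed event catalogue (event name -> data class). The page does not list the
# concrete abnormal events, so these names are placeholders.
EVENT_CLASS: Dict[str, str] = {
    "storage_hash_mismatch": STATIC,
    "hardware_selftest_fail": STATIC,
    "network_auth_fail": DYNAMIC,
    "app_os_auth_fail": DYNAMIC,
    "instruction_burst": UNAUTHORIZED,
    "unknown_instruction_category": UNAUTHORIZED,
}


@dataclass(frozen=True)
class WeightData:
    """Weight data shipped with the pre-installed version (all values assumed).

    event_weights: contribution of one occurrence of an event to its class score.
    class_thresholds: per-class threshold; exceeding it alone decides 'abnormal'.
    class_priors: prior weight of each class in the linear combination.
    total_threshold: threshold for the combined score.
    """
    event_weights: Dict[str, float]
    class_thresholds: Dict[str, float]
    class_priors: Dict[str, float]
    total_threshold: float


WEIGHT_DATA = WeightData(
    event_weights={
        "storage_hash_mismatch": 0.8,
        "hardware_selftest_fail": 0.6,
        "network_auth_fail": 0.3,
        "app_os_auth_fail": 0.5,
        "instruction_burst": 0.4,
        "unknown_instruction_category": 0.7,
    },
    class_thresholds={STATIC: 1.0, DYNAMIC: 1.0, UNAUTHORIZED: 1.0},
    class_priors={STATIC: 0.5, DYNAMIC: 0.3, UNAUTHORIZED: 0.2},
    total_threshold=0.6,
)


@dataclass(frozen=True)
class PreinstalledVersion:
    """A pre-installed version, identified by the storage area holding it and its name."""
    area: str   # "data_protection" or "file_system", the two areas of the non-volatile storage
    name: str


def class_scores(events: List[str], wd: WeightData) -> Dict[str, float]:
    """Sum the event weights per data class; unknown event names are ignored."""
    scores = {STATIC: 0.0, DYNAMIC: 0.0, UNAUTHORIZED: 0.0}
    for name in events:
        cls = EVENT_CLASS.get(name)
        if cls is not None:
            scores[cls] += wd.event_weights.get(name, 0.0)
    return scores


def decide(events: List[str], wd: WeightData = WEIGHT_DATA) -> Tuple[bool, Dict[str, float], float]:
    """Weighted linear decision: 'abnormal' if any class score exceeds its threshold, or if
    the prior-weighted sum of the class scores exceeds the total threshold."""
    scores = class_scores(events, wd)
    total = sum(wd.class_priors[c] * scores[c] for c in scores)
    class_hit = any(scores[c] > wd.class_thresholds[c] for c in scores)
    return class_hit or total > wd.total_threshold, scores, total


def reset_scheme(abnormal: bool, current: PreinstalledVersion,
                 available: List[PreinstalledVersion]) -> Optional[PreinstalledVersion]:
    """Reset scheme for an abnormal decision: the version the switch identifier should be
    updated to before the reset. Prefers a copy in the data protection area, which the
    running system cannot change; returns None when no reset is needed."""
    if not abnormal:
        return None
    candidates = [v for v in available if v != current]
    candidates.sort(key=lambda v: v.area != "data_protection")  # protected copies first
    return candidates[0] if candidates else current
```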
  • The device further includes:
  • a version downloading module configured to: after the base station is authenticated by the remote control end, receive a new base station version and a matching key set delivered by the remote control end;
  • a storage module configured to: write the new base station version into the data protection area, and write the matching key set into the TPM hardware of the base station;
  • a reset module configured to: change the value of the version switch identifier to indicate the new pre-installed version, initiate a reset, and load the new pre-installed version after the reset.
  • Embodiments of the present invention also provide a computer program comprising program instructions that, when executed by a computer, cause the computer to perform the method described above.
  • Embodiments of the present invention also provide a computer-readable storage medium carrying the computer program.
  • The embodiments of the present invention provide a method and device for creating a trusted environment and a method and device for recovering a base station from an abnormality: the trusted environment of the base station is created, and a trusted risk check is performed on the base station within that trusted environment.
  • When the trusted risk check finds the base station abnormal, the base station is reset and restored to a trusted pre-installed version of the base station.
  • In this way, abnormality self-test and automatic recovery of the base station based on the trusted environment are realized, and the problem that existing trusted computing solutions cannot provide a reliable abnormality recovery function for the base station is solved.
  • FIG. 1 is a flowchart of a base station abnormality recovery method according to Embodiment 1 of the present invention;
  • FIG. 2 is a flowchart of a method for creating a trusted environment according to Embodiment 1 of the present invention;
  • FIG. 3 is a specific flowchart of step 203 in FIG. 2;
  • FIG. 5 is a specific flowchart of step 102 in FIG. 1;
  • FIG. 6 is a schematic structural diagram of a trusted environment creation apparatus according to Embodiment 2 of the present invention;
  • FIG. 7 is a schematic structural diagram of the BIOS 602 of FIG. 6;
  • FIG. 8 is a schematic structural diagram of the image loading unit 704 of FIG. 7;
  • FIG. 9 is a schematic structural diagram of a base station abnormality recovery apparatus according to Embodiment 2 of the present invention;
  • FIG. 10 is a schematic structural diagram of the self-checking module 901 of FIG. 9;
  • FIG. 11 is a schematic structural diagram of the self-test unit 1001 of FIG. 10;
  • FIG. 12 is a schematic structural diagram of the abnormality determining unit 1102 of FIG. 11;
  • FIG. 13 is a schematic diagram of the composition of a universal mobile communication system;
  • FIG. 15 is a schematic structural diagram of a base station using trusted computing technology;
  • FIG. 16 is a schematic diagram of the main components of the TPM firmware;
  • FIG. 17 is a schematic diagram of the space allocation of the non-volatile storage of a base station.
  • the trusted computing related technical solution applied to the communication base station is limited in application of the limited resources of the embedded computing system, and cannot provide a reliable data backup mechanism adapted to the operation requirements of the base station and comprehensive analysis of various failure risks, thereby failing to The base station provides reliable ability to actively recover from anomalies.
  • an embodiment of the present invention provides a base station abnormal recovery law and apparatus.
  • Embodiments of the present invention will be described in detail below with reference to the accompanying drawings. It should be noted that, in the case of no conflict, the features in the embodiments and the embodiments in the present application may be arbitrarily combined with each other.
  • the embodiment of the present invention provides a base station abnormality recovery method based on a trusted environment.
  • the process of performing self-test and recovery of the abnormality of the base station by using the method is as shown in FIG. 1 , and includes:
  • Step 101 Create a trusted environment of the base station.
  • An embodiment of the present invention provides a method for creating a trusted environment, and the process is as shown in FIG. 2, including:
  • Step 201 Initialize, by the base station, the TPM hardware and non-volatile storage of the base station, where the non-volatile storage includes a data protection zone and a file system data zone, and create a first one of the trusted environment. Complete source point;
  • the version switch identifier and the pre-installed version of the base station are written into the data protection area and the file system data area, and the pre-installed version of the base station includes a trusted boot loader code, a boot (BOOT) code, and a security operation.
  • a trusted boot loader code e.g., a boot (BOOT) code
  • a security operation e.g., a security operation.
  • the file system data area is a storage area that can be changed when the security operating system is running. At the time of shipment, the file system data area is consistent with the storage content in the data protection area.
  • the version switch identifier points to a pre-installed version of the base station. It should be noted that one or more pre-installed versions of the base station may exist in the data protection area and the file system data area, and the value of the version switch identifier may point to a pre-installed version of any base station in the data protection zone, or may point to a file. A pre-installed version of any base station in the system data area.
  • the Trusted Network Software Library is a function library used by the secure operating system to access hardware storage information.
  • the weight data is used as a criterion for determining the subsequent decision, and at least includes a threshold for determining whether an event has occurred.
  • the key set includes a plurality of keys, and each key has an index number.
  • the key may be selected according to an index sent by the other party for authentication, or the key may be selected locally and its index then sent to the other party for authentication.
  • the Boot loader code and BOOT code are placed side by side in the data protection area along with the pre-installed version.
  • Step 202 After the base station is powered on for the first time, run the BIOS code of the TPM hardware pre-written to the base station, and transfer the control of the trusted environment to the BIOS.
  • the base station powers up the TPM hardware BIOS.
  • the trusted environment for the online operation of the base station is created starting from any power-on of the base station.
  • the hardware circuit enables the TPM hardware BIOS to take over control of the system, first performing a hardware self-test.
  • Step 203 The BIOS controls the loading of the operating system and transfers control of the trusted environment to the secure operating system.
  • This step is shown in Figure 3 and includes:
  • Step 301 After the hardware self-test ends, the BIOS checks the credibility of the data stored in the data protection area of the base station.
  • the BIOS authenticates the data protection zone. After the hardware self-test is completed, the BIOS checks the reliability of the data protection zone data of the base station by using the agreed key.
  • Step 302 After the credibility check of the data stored in the data protection zone passes, the BIOS uses the trusted Boot Loader code to load the secure operating system image from the pre-installed version of the base station in the data protection zone.
  • the operating system can be loaded by the trusted Boot Loader code. If the credibility check of the data protection zone fails, the alarm indicator of the base station is activated and the base station is reset and restarted.
  • Step 303 Start executing the BOOT code, perform hardware initialization on the embedded system of the base station, create a file system, and perform trusted authentication on the file system.
  • BOOT starts execution. BOOT first performs hardware initialization on the embedded system.
  • BOOT creates a file system and performs trusted authentication on the file system.
  • Step 304 After completing the trusted authentication of the file system, extract a secure operating system image from the pre-installed version of the base station, and pass the trusted environment control right to the secure operating system.
  • according to the value of the version switch identifier, the corresponding secure operating system image is selected for loading. If the identifier indicates that the secure operating system image is to be loaded from the file system area of the base station, the loading flow proceeds directly to step 204. If it indicates loading from the data protection zone, the version in the data protection zone is first restored to the file system with TPM support, and then the operating system image is loaded.
  • the security operating system is directly loaded.
  • if the trusted authentication of the secure operating system image fails, the value of the version switch identifier is forcibly set to load the pre-installed version of the base station from the data protection zone (optionally, where at least one further pre-installed version is kept in the file system data area, the identifier may instead be set to load another pre-installed version from the file system data area; the rule for changing the value of the identifier may be set according to requirements and is not limited by the present invention, and any manner of replacing an untrusted pre-installed version with another one is considered to be within the protection scope of the present invention), and the base station is reset.
  • Step 204 The security operating system loads a software environment and creates a trusted environment.
  • the secure operating system extracts and executes the application software from the pre-installed version of the base station, completes the hooking of the trusted network software library, loads the trusted network software library, and transfers control of the trusted environment to the application software and the trusted network software library.
  • the base station performs loading of the security operating system image, and the secure operating system takes over the control of the trusted environment, and completes the hook invoked by the TPM driver and the trusted network software library (both included in the pre-installed version of the base station).
  • the secure operating system performs trusted authentication of the application software. If the authentication passes, the application software is loaded; if it fails, the version switch identifier is set and the base station is reset.
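As an added illustration (not code from the patent or from ZTE), the following Go simulation models the version switch identifier logic of steps 301 to 304 and 204 together with the reset-based recovery of step 103: a corrupted running copy fails its trusted authentication, the identifier is forced to a backup in the data protection zone, and that backup is restored into the file system data area before loading. The SHA-256 digest check, the type and function names, and the single-running-copy layout are assumptions made for this example; the patent's own check is the key-based ciphertext comparison described later.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// PreinstalledVersion is one base station version plus the reference digest
// recorded when it was written. Checking a SHA-256 digest stands in for the
// patent's key-based trusted authentication (an assumption of this example).
type PreinstalledVersion struct {
	Name   string
	Image  []byte
	Digest [sha256.Size]byte
}

func NewVersion(name string, image []byte) PreinstalledVersion {
	img := append([]byte(nil), image...)
	return PreinstalledVersion{Name: name, Image: img, Digest: sha256.Sum256(img)}
}

// Trusted is the trusted authentication of the image (steps 303 and 304).
func (v PreinstalledVersion) Trusted() bool {
	return sha256.Sum256(v.Image) == v.Digest
}

// Tamper returns a copy whose image no longer matches its digest (software failure).
func Tamper(v PreinstalledVersion) PreinstalledVersion {
	img := append([]byte(nil), v.Image...)
	img[0] ^= 0xff
	return PreinstalledVersion{Name: v.Name, Image: img, Digest: v.Digest}
}

// VersionSwitch is the version switch identifier kept in the data protection area:
// load the running copy (FromDPZ false) or first restore backup Index from the zone.
type VersionSwitch struct {
	FromDPZ bool
	Index   int
}

// BaseStation keeps one running copy in the file system data area and one or
// more trusted backups in the data protection zone (simplified layout).
type BaseStation struct {
	DPZ        []PreinstalledVersion
	FS         PreinstalledVersion
	Switch     VersionSwitch
	ResetCount int
}

// selectImage is step 304: a backup selected by the identifier is restored
// into the file system data area and then loaded from there.
func (bs *BaseStation) selectImage() PreinstalledVersion {
	if bs.Switch.FromDPZ {
		bs.FS = bs.DPZ[bs.Switch.Index]
	}
	return bs.FS
}

// Boot repeats "authenticate; on failure re-point the identifier and reset"
// until a trusted version loads, no untried backup remains, or maxResets is hit.
func (bs *BaseStation) Boot(maxResets int) (string, error) {
	for {
		v := bs.selectImage()
		if v.Trusted() {
			return v.Name, nil
		}
		next := VersionSwitch{FromDPZ: true}
		if bs.Switch.FromDPZ {
			next.Index = bs.Switch.Index + 1
		}
		if next.Index >= len(bs.DPZ) {
			return "", fmt.Errorf("no trusted version left after %d resets", bs.ResetCount)
		}
		if bs.ResetCount >= maxResets {
			return "", fmt.Errorf("reset limit %d reached", maxResets)
		}
		bs.Switch = next // forcibly re-point the identifier ...
		bs.ResetCount++  // ... and reset the base station
	}
}

// RecoverFromAbnormality is steps 505 and 103: after the risk decision the
// identifier is pointed at a backup and the base station is reset.
func (bs *BaseStation) RecoverFromAbnormality(backup, maxResets int) (string, error) {
	if backup < 0 || backup >= len(bs.DPZ) {
		return "", fmt.Errorf("backup %d does not exist", backup)
	}
	bs.Switch = VersionSwitch{FromDPZ: true, Index: backup}
	bs.ResetCount++
	return bs.Boot(maxResets)
}

func main() {
	// Constructed scenario: the running copy was corrupted, backup 0 is intact.
	v1 := NewVersion("v1.0", []byte("constructed image bytes of v1.0"))
	bs := &BaseStation{DPZ: []PreinstalledVersion{v1}, FS: Tamper(v1)}
	name, err := bs.Boot(3)
	fmt.Printf("booted %q after %d reset(s), err=%v\n", name, bs.ResetCount, err)
}
```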
  • the trusted environment creation of the base station online operation process also includes the trusted delivery of the trusted environment after the version upgrade of the base station.
  • the version upgrade during the operation of the base station is coordinated with the dynamic upgrade of the data protection area of the base station.
  • the dynamic upgrade update of the base station version is based on the trusted network service provided by the trusted environment, and is performed by the base station control terminal through remote interaction.
  • after the secure operating system is started, it can detect whether the current pre-installed version of the base station needs to be updated, and perform the update when needed, as shown in Figure 4, including:
  • Step 401 First, the base station and the remote control end perform key authentication of the session, where the key used is the key in the foregoing key set.
  • Step 402 After the base station is authenticated by the remote control end, the base station receives a new pre-installed version of the base station and a set of matching keys issued by the remote control terminal.
  • Step 403 The base station writes the received trusted pre-installed version of the base station to the data protection zone, and writes the key set of the new pre-installed version into the TPM hardware storage area.
  • Step 404 The base station changes the version switching identifier and initiates a reset, and loads the new (upgraded) pre-installed version of the base station after the reset.
  • the trusted environment control is passed to the secure operating system and finally to the trusted network software library, which provides trusted services for the application software. After the trusted application software is successfully launched, the trusted environment has been successfully created.
  • the detection of the abnormality of the base station can be continued.
  • Step 102 Perform a trusted risk check on the base station in a trusted environment of the base station.
  • the security operating system cooperates with the application software and the trusted network software library, periodically performs self-test on the system hardware, the storage system, the network communication, and the software behavior, and obtains the static credibility evaluation data.
  • the system authenticates the network communication in real time through the basic service function of the trusted service library, periodically authenticates the operating system through the application software, collects the system dynamic credibility evaluation data, and performs a concentrated check of external command data based on the service instruction category received by the application software, so as to identify software behavior characteristics and external execution characteristics.
  • a risk assessment decision is made on the data obtained by the self-test identification to determine whether a base station abnormality has occurred.
  • comprehensive decision of the base station operation risk: the identified hardware failure risk, software failure risk, human failure risk and credibility measurement risk are uniformly sent to the decision maker, which uses the weighted linear Bayesian decision algorithm to make the evaluation decision; the weight data is stored in the software version and can be upgraded along with it. If the decision maker gives a base station reset scheme, the base station resets after the version switch identifier saved in the data protection area has been synchronously updated; if no reset is needed, the base station continues to work normally.
  • This step is shown in Figure 5 and includes:
  • Step 501 During the operation of the base station, the security operating system and the trusted application software cooperate to periodically perform self-test on the system hardware and the storage system, identify risks such as hardware failure and illegal version replacement, and obtain static credibility evaluation data.
  • the static credibility evaluation data includes at least data of any one or more of the following base station abnormal events:
  • Step 502 The system authenticates the network communication in real time through the basic service function of the trusted network software library, periodically authenticates the operating system through the application software, identifies unauthorized network access, network hijacking and the like, and collects the system dynamic credibility evaluation data.
  • the system dynamic credibility evaluation data includes at least data of any one or more of the following base station abnormal events:
  • Step 503 Perform a concentrated check of external command data using the service instruction category received by the application software, and collect data of unauthorized behavior features, where the unauthorized behavior feature data includes at least data of any one or more of the following base station abnormal events:
  • Step 504 Using a weighted linear Bayesian decision algorithm to evaluate the static credibility evaluation data, the system dynamic credibility evaluation data, the software behavior characteristics, and the external execution characteristics of the self-test identification;
  • if the weighted result is higher than the corresponding threshold in the weight data, the decision is that a base station abnormality has occurred.
  • the weight data is stored in the pre-installed version of the base station and can be upgraded following the version.
  • Step 505 When the result of the decision is that the base station is abnormal, perform a base station resetting scheme and synchronously update the version switching identifier saved by the data protection zone.
  • when it is confirmed that a base station abnormality has occurred, the decision maker gives a base station reset scheme and synchronously updates the version switching identifier saved in the data protection area of the non-volatile storage, to ensure active recovery from the abnormality after the base station is reset.
  • Step 103 When a base station abnormality is found in the trusted risk check, the base station is reset and restored to a trusted pre-installed version of the base station.
  • This step is to restore the base station to the pre-installed version of the base station indicated by the value of the current version switch identifier.
  • the trusted authentication method involved in the embodiment of the present invention is described below, and is a trusted authentication based on key matching and ciphertext comparison.
  • the specific authentication algorithm is:
  • the authenticator provides 36 bytes of authentication data (RND).
  • the first 4 bytes are the random number (RND1) determined when the data to be authenticated is generated, the next 16 bytes are the key-encrypted check data (RND2), and the last 16 bytes are the data to be checked (RND3).
  • the authenticator selects an encryption key based on the authentication data RND.
  • This step is divided into the following steps:
  • the authenticator encrypts the last 16 bytes of the RND (called RND3) with 3DES_ECB_ENC using the "authentication session key" to obtain ciphertext data (16 bytes).
  • the ciphertext data is compared with RND2. If the comparison is passed, the authentication is passed; if the comparison fails, the authentication fails.
  • for step 301, the BIOS is the authenticator and the data protection zone is the authenticated party; for step 303, the BOOT code is the authenticator and the file system is the authenticated party; for step 304, the BOOT code is the authenticator and the image of the secure operating system is the authenticated party; for step 204, the secure operating system is the authenticator and the application software is the authenticated party; for the base station pre-installed version update process shown in FIG. 4, the remote control end is the authenticator and the base station is the authenticated party.
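As an added worked example (not the patent's or ZTE's code), this Go program implements the key-matching and ciphertext-comparison check described above with the standard library's crypto/des: the authenticated party assembles RND as RND1 || RND2 || RND3 with RND2 = 3DES_ECB_ENC(key, RND3), and the authenticator re-encrypts RND3 and compares the result with RND2 in constant time. The 24-byte three-key 3DES key, the explicit key index parameter, the sample values and the function names are assumptions.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Layout of the 36-byte authentication data RND as described in the text.
const (
	rnd1Len = 4  // RND1: random number fixed when the data to be authenticated is generated
	rnd2Len = 16 // RND2: check data encrypted under the authentication session key
	rnd3Len = 16 // RND3: data to be checked
	rndLen  = rnd1Len + rnd2Len + rnd3Len
)

// KeySet models the indexed key set kept in TPM storage. A 24-byte (three-key)
// 3DES key is an assumption; the text only names the primitive 3DES_ECB_ENC.
type KeySet map[uint32][]byte

// tripleDESECBEncrypt is 3DES_ECB_ENC: Go has no ECB helper, so each 8-byte
// block is encrypted independently.
func tripleDESECBEncrypt(key, data []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(data)%bs != 0 {
		return nil, errors.New("data length is not a multiple of the 3DES block size")
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += bs {
		block.Encrypt(out[i:i+bs], data[i:i+bs])
	}
	return out, nil
}

// BuildAuthData is the authenticated party's side: it assembles
// RND = RND1 || RND2 || RND3 with RND2 = 3DES_ECB_ENC(key, RND3).
func BuildAuthData(key []byte, rnd1 [rnd1Len]byte, rnd3 [rnd3Len]byte) ([]byte, error) {
	rnd2, err := tripleDESECBEncrypt(key, rnd3[:])
	if err != nil {
		return nil, err
	}
	rnd := make([]byte, 0, rndLen)
	rnd = append(rnd, rnd1[:]...)
	rnd = append(rnd, rnd2...)
	rnd = append(rnd, rnd3[:]...)
	return rnd, nil
}

// Verify is the authenticator's side: select the key by the index the other
// party sent (an explicit parameter here), re-encrypt RND3 and compare with
// RND2. The comparison is constant-time so timing does not reveal how many
// bytes matched.
func Verify(keys KeySet, keyIndex uint32, rnd []byte) (bool, error) {
	if len(rnd) != rndLen {
		return false, fmt.Errorf("authentication data must be %d bytes, got %d", rndLen, len(rnd))
	}
	key, ok := keys[keyIndex]
	if !ok {
		return false, fmt.Errorf("no key with index %d in the key set", keyIndex)
	}
	rnd2 := rnd[rnd1Len : rnd1Len+rnd2Len]
	rnd3 := rnd[rnd1Len+rnd2Len:]
	ciphertext, err := tripleDESECBEncrypt(key, rnd3)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(ciphertext, rnd2) == 1, nil
}

func main() {
	// Constructed sample values; a real key set lives in TPM storage.
	key := []byte("constructed-24-byte-key!")
	keys := KeySet{7: key}
	rnd1 := [rnd1Len]byte{0x01, 0x02, 0x03, 0x04}
	var rnd3 [rnd3Len]byte
	copy(rnd3[:], "check-this-data!")

	rnd, err := BuildAuthData(key, rnd1, rnd3)
	if err != nil {
		panic(err)
	}
	ok, err := Verify(keys, 7, rnd)
	fmt.Println("genuine data:", ok, err) // true <nil>

	rnd[rndLen-1] ^= 0xff // tamper with RND3: RND2 no longer matches
	ok, err = Verify(keys, 7, rnd)
	fmt.Println("tampered data:", ok, err) // false <nil>
}
```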
  • the embodiment of the invention provides a trusted environment creation device, which can create a trusted environment inside the base station.
  • the structure of the device is as shown in FIG. 6 and includes:
  • the BIOS startup module 601 is configured to run, after the base station is powered on for the first time, the BIOS code of the TPM hardware pre-written to the base station, and to transfer control of the trusted environment to the BIOS;
  • the BIOS 602 is configured to control loading of the operating system, and transfer the control of the trusted environment to the secure operating system;
  • the secure operating system 603 is configured to load a software environment and create a trusted environment.
  • the device further includes:
  • the initialization module 604 is configured to initialize the TPM hardware and the non-volatile storage of the base station before the base station is shipped from the factory.
  • the non-volatile storage includes a data protection area and a file system data area, and specifically includes:
  • the pre-installed version of the base station includes trusted Boot Loader code, BOOT code, an image of the secure operating system, the trusted network software library, application software and weight data,
  • the key set and the BIOS code associated with the pre-installed version of the base station are written into the TPM hardware, and the key set includes a plurality of keys.
  • the structure of the BIOS 602 is as shown in FIG. 7, and includes:
  • the credibility checking unit 701 is configured to check the credibility of the data stored in the data protection area of the base station after the hardware self-test ends;
  • the version loading unit 702 is configured to load the pre-installed version of the base station in the data protection area by using the Boot Loader code after the credibility check of the data stored in the data protection area passes;
  • the file system creating unit 703 is configured to start executing the BOOT code, perform hardware initialization on the embedded system of the base station, create a file system, and perform trusted authentication on the file system;
  • the image loading unit 704 is configured to, after completing the trusted authentication of the file system, extract a secure operating system image from the pre-installed version of the base station, and transfer the trusted environment control right to the secure operating system.
  • BIOS 602 further includes:
  • the restarting unit 705 is configured to trigger the base station to reset and restart when the credibility check of the data stored in the data protection zone fails.
  • the structure of the image loading unit 704 is as shown in FIG. 8 and includes:
  • the version selection subunit 801 is configured to determine a pre-installed version of the base station according to the version switching identifier, and extract an image of the security operating system from the pre-installed version of the base station;
  • the authentication subunit 802 is configured to perform trusted authentication on the image of the secure operating system
  • the loading sub-unit 803 is configured to load the image of the secure operating system after the image of the secure operating system passes the trusted authentication, and transfer the trusted environment control right to the secure operating system.
  • the version selection sub-unit 801 is configured to extract the corresponding secure operating system image directly from the pre-installed version indicated by the version switching identifier when the identifier indicates a pre-installed version in the file system data area; and, when the identifier indicates a pre-installed version in the data protection area, to restore that pre-installed version to the file system data area and then extract the secure operating system image from the restored pre-installed version in the file system data area.
  • the version selection sub-unit 801 is further configured to: after the image of the secure operating system fails the trusted authentication, trigger the base station to reset and restart, and forcibly set the value of the version switching identifier to indicate another pre-installed version of the base station stored in the file system data area or the data protection area.
  • the device further includes:
  • the remote authentication module 605 is configured to: after the security operating system is started, the base station requests authentication from the remote control terminal;
  • the version downloading module 606 is configured to receive a new base station pre-installed version and a matching key set delivered by the remote control end after being authenticated by the remote control end;
  • the storage module 607 is configured to write the new base station pre-installed version into the data protection area and the file system data area, and write the matching key set into the TPM hardware of the base station;
  • the reset module 608 is configured to change the value of the version switch identifier to indicate the new pre-installed version of the base station, initiate a reset, and load the new pre-installed version after the reset.
  • the embodiment of the invention further provides a base station abnormality recovery device, and the structure of the device is as shown in FIG. and includes:
  • the checking module 901 is configured to perform a trusted risk check on the base station in a trusted environment of the base station;
  • the abnormality recovery module 902 is configured to reset and restore the base station to a trusted base station pre-installed version when a base station abnormality is found in the trusted risk check.
  • the trusted environment of the base station is composed of a security operating system running on the base station, a trusted service software library, and a trusted network service system, and the device further includes:
  • the first configuration module 903 is configured to write a version switching identifier and a pre-installed version of the base station to the data protection area and the file system data area of the non-volatile storage of the base station in advance, where the pre-installed version of the base station includes a trusted boot.
  • the second configuration module 904 is configured to write a key set and a BIOS code associated with the pre-installed version of the base station to the TPM hardware of the base station in advance.
  • the structure of the check module 901 is as shown in FIG. 10, and includes:
  • the self-checking unit 1001 is configured to control the security operating system to cooperate with the application software and the trusted network software library, and periodically perform self-checking on system hardware, storage system, network communication, and software behavior;
  • the abnormality determining unit 1002 is configured to perform a risk assessment decision on the data obtained by the self-test identification, and determine whether a base station abnormality has occurred.
  • the structure of the self-test unit 1001 is as shown in FIG. 11 and includes:
  • the hardware self-test sub-unit 1101 is configured to control the secure operating system to cooperate with the application software, periodically perform self-test on the system hardware and the storage system of the base station, and collect static credibility evaluation data, where the static credibility evaluation data contains at least data of any one or more of the following base station abnormal events:
  • the network self-test sub-unit 1102 is configured to authenticate the network communication in real time through the basic service function of the trusted network software library, periodically authenticate the operating system through the application software, and collect system dynamic credibility evaluation data, where the system dynamic credibility evaluation data includes at least data of any one or more of the following base station abnormal events:
  • the software self-test sub-unit 1103 is configured to perform a concentrated check of external command data by the service instruction category received by the application software, and to collect data of unauthorized behavior features, where the unauthorized behavior feature data includes at least data of any one or more of the following base station abnormal events:
  • the structure of the abnormality determining unit 1102 is as shown in FIG. 12, and includes:
  • the decision subunit 1201 is configured to use the weighted linear Bayesian decision algorithm to evaluate the static credibility evaluation data, the system dynamic credibility evaluation data, and the data of the unauthorized behavior characteristics obtained by the self-test identification;
  • the solution determining unit 1202 is configured to: when the decision result is that the base station abnormality occurs, make a base station resetting scheme and synchronously update the version switching identifier saved by the data protection zone.
  • the device further includes:
  • the version downloading module 905 is configured to receive a new base station version and a matching key set delivered by the remote control end after the base station is authenticated by the remote control end;
  • the storage module 906 is configured to write the new base station version into the data protection zone, and write the set of matching keys to the TPM hardware of the base station;
  • the reset module 907 is configured to change the value of the version switch identifier to indicate the new pre-installed version of the base station, initiate a reset, and load the new pre-installed version after the reset.
  • the trusted environment creation device and the base station abnormality recovery device may be integrated into the base station device, and the base station device performs the corresponding function.
  • trust is passed to the operating system, which then takes over the system and provides trusted computing functions to the application through the trusted software service library, forming a lightweight integrated trusted service covering the hardware system, software system and network service on the embedded hardware platform, with basic support from the TPM firmware.
  • the data protection service based on the trusted environment realizes the non-volatile storage data protection area and the protection area update mechanism in the embedded system, and ensures the credibility of the base station configuration data and backup version stored in the protection area.
  • the data protection zone and the file system data zone are divided, and under the protection of the TPM firmware and the trusted service, the integrity of the base station's factory trusted environment and the version update after the operation are ensured.
  • the data protection area of the non-volatile storage of the base station always keeps the trusted base station version and data backup.
  • a version switch identifier is stored in the data protection area of the non-volatile storage for selecting a trusted version during base station startup.
  • the version switch identifier is updated by the exception decision algorithm and is also protected by the trusted environment. The method can ensure that the base station recovers the trusted version by changing the version switching identifier and then resetting the base station after identifying the abnormal risk, so as to ensure the trusted operation of the base station.
  • the base station collects hardware self-test results, static trusted evaluation results, software operation behavior characteristics, external command feature identification, dynamic trusted evaluation results and so on, identifies hardware failure risks, software failure risks, human failure risks and credibility metric risks, and sends them to the decision maker, which uses the weighted linear Bayesian decision algorithm to make the evaluation decision. When an abnormality is decided, the base station reset scheme is given and the version switching identifier stored in non-volatile storage is updated synchronously, to ensure that the base station can actively recover from the abnormality after reset.
  • the embodiment of the present invention provides a base station abnormality recovery method and device, which can be applied to a Universal Mobile Telecommunications System (UMTS), and is generally composed of a baseband processing unit (BBU) and a radio remote unit (RRU). As shown in Figure 13. It can also be applied to an evolved UTRAN architecture (E-UTRAN), which is mainly composed of a layer of an evolved NodeB (eNodeB), as shown in FIG.
  • the device consists of three parts: hardware motherboard (including TPM firmware and embedded hardware circuit), secure operating system, and trusted network software library. The relationship between the components is shown in Figure 15.
  • the TPM firmware is used as a trusted source point in the system to provide hardware level cryptography calculation and key protection and small capacity data storage, and its components are shown in FIG. 16.
  • the BIOS for the embedded system startup is stored in the TPM memory, mainly to complete the hardware self-test and the credibility check of the non-volatile storage in the embedded system.
  • the BIOS in the TPM storage cannot be updated to ensure that the BIOS is trusted, but the key stored in the TPM module can be updated online after the trusted environment is established.
  • the non-volatile storage space of the embedded hardware platform is divided into a data protection area and a file system data area.
  • the space allocation diagram is shown in FIG.
  • the data protection area is used to store the execution version of the base station, the backup of important configuration data, the Boot Loader code and the BOOT code; it can only be accessed as a block device, and the access operation is protected by the TPM so that only authorized operations can update the data of the protected area.
  • the file system data area is controlled and accessed by the operating system file system and is also protected by the trusted environment. Because the running version of the base station generally accesses data through the file system during operation, the data protection area greatly reduces the risk of rewriting caused by software failure and improves the reliability of the system backup data.
  • the secure operating system is based on embedded Linux, with randomization and trusted-authentication changes made to the kernel's network communication services, and with a TPM driver and authentication services added.
  • the trusted network software library encapsulates the basic trusted authentication service provided by the secure operating system, provides a friendly calling interface, and provides trusted service functions such as transaction-level trusted authentication services.
  • Embodiments of the present invention provide a trusted environment creation method and apparatus, and a base station abnormality recovery method and apparatus, which create a trusted environment of a base station, and perform a trusted risk check on the base station in a trusted environment of the base station.
  • when the base station is found abnormal in the trusted risk check, the base station is reset and restored to the trusted pre-installed version of the base station.
  • the abnormal self-test and automatic recovery of the base station based on the trusted environment are thereby realized, which solves the problem that existing trusted computing technology schemes fail to provide a reliable abnormality recovery function for the base station.
  • the creation of the trusted operating environment, the identification of abnormal risks with comprehensive decision, and the active abnormality recovery of the base station can be realized relying entirely on the capability of the communication base station, without requiring the intervention or cooperation of other systems or network elements.
  • the embodiment of the invention can effectively establish a lightweight integrated trusted environment of hardware, software and service on the embedded hardware, so that the base station has a certain active security defence capability; on the basis of the trusted data protection provided by a novel data protection zone mechanism, it supports the unification of normal version upgrade and abnormal-scenario version switching; and through the identification and comprehensive judgment of various abnormal risks of the base station, abnormality recovery becomes more active and effective, improving the availability of the base station, which can reduce the operator's maintenance cost and improve the user experience.
  • all or part of the steps of the above embodiments may also be implemented by using an integrated circuit. These steps may be separately fabricated into individual integrated circuit modules, or multiple modules or steps may be fabricated into a single integrated circuit module. Thus, the invention is not limited to any specific combination of hardware and software.
  • the devices/function modules/functional units in the above embodiments may be implemented by a general-purpose computing device, which may be centralized on a single computing device or distributed over a network of multiple computing devices.
  • when each device/function module/functional unit in the above embodiment is implemented in the form of a software function module and sold or used as a stand-alone product, it can be stored in a computer readable storage medium.
  • the above mentioned computer readable storage medium may be a read only memory, a magnetic disk or an optical disk or the like.
  • the embodiment of the invention implements the abnormal self-test and automatic recovery of the base station based on the trusted environment, and solves the problem that existing trusted computing technology solutions fail to provide a reliable abnormality recovery function for the base station.

Abstract

A method and a device for creating a trusted environment, and a method and a device for restoration after a base station fault. The method for restoration after a base station fault comprises: in a trusted environment, performing a trustability/risk-level check on the base station; upon discovering a base station fault during the trustability/risk-level check, resetting the base station and restoring same to trusted factory settings.

Description

Trusted environment creation method and device, and base station abnormality recovery method and device

Technical field
The present invention relates to the field of wireless communications, and in particular to a trusted environment creation method and device, and a base station abnormality recovery method and device.

Background art
Network security has currently become an urgent problem to be solved. Mobile communication networks in particular play an irreplaceable role in the life and production of modern society, so their security deserves attention. Communication base stations are a component of the mobile communication network and are characterized by large numbers, wide distribution and complex working environments. Outdoor base stations especially, because their physical security protection is relatively weak and they often lack active security defense capability, are a link in the whole communication network that is easily subjected to security attacks.
At the same time, communication base stations are the infrastructure that provides communication services, and the requirements on their operational availability are extremely strict. During operation, a base station faces complex risks such as hardware failure, software failure, human failure and trusted-measurement failure, and the characteristics of and countermeasures for these failure risks differ. If a base station could identify the various failure risks, analyze them comprehensively, and use the data recovery mechanism of a trusted computing environment to recover from abnormalities on its own, its availability level would be greatly improved, which would help both the communication user experience and the operator's efficiency.
Modern communication base stations are generally embedded computer systems, and trusted computing (TC) technology can provide them with active security defense capability. Compared with traditional passive security defense systems composed of firewalls, intrusion detection, virus prevention and the like, a security system that uses a Trusted Platform Module (TPM) as its underlying firmware builds a root of trust in the computing system, establishes a chain of trust through cryptographic mechanisms, and constructs a trusted computing environment, which makes it possible to solve security problems fundamentally and offers good system scalability.
Trusted computing technology has developed very rapidly, and many foreign technology companies such as Atmel and Broadcom have launched TPMs, secure PCs and other products that comply with trusted computing specifications. However, such products generally focus on hardware-based computing platforms, including security coprocessors, personal tokens, cryptographic accelerators and multi-function devices. The goal of these products is to guarantee data authenticity, data confidentiality and data protection. They concentrate on providing basic trusted computing services at the hardware platform level and cannot yet provide comprehensive trusted services for software systems and services.
Companies such as Verisign, Phoenix Technologies and Microsoft have also launched TPM application software and operating systems that provide file management, information transfer, key transfer, smart signing and similar functions, but purely software-based services can be tampered with, which affects the reliability of their application. Moreover, because these software systems are generally integrated with or based on desktop-class hardware platforms, or are heavyweight systems that depend on an operating system, their use in embedded systems such as base stations is limited.
Related technical solutions that apply trusted technology to communication base stations generally focus on establishing the trusted environment; they lack a comprehensive analysis of the various failure risks faced during base station operation and lack a backup mechanism for the system's trusted data. After an abnormality is detected they merely perform a system reset, with no effective data recovery method, so they either cannot effectively recover from the abnormal state to the normal communication state, or they need the intervention of some other third-party system to recover, with a markedly prolonged recovery time.
In summary, the trusted computing technical solutions applied to communication base stations are limited in their application under the resource constraints of embedded computing systems, and can provide neither a trusted data backup mechanism adapted to base station operating requirements nor a comprehensive analysis of the various failure risks, and therefore cannot provide the base station with a reliable function for actively recovering from abnormalities.

Summary of the invention
Embodiments of the present invention provide a trusted environment creation method and device, and a base station abnormality recovery method and device, which solve the problem of how a trusted computing technical solution can provide a reliable abnormality recovery function for a base station.
A base station abnormality recovery method includes:
after the base station is powered on for the first time, running the BIOS code pre-written into the Trusted Platform Module (TPM) hardware of the base station, and transferring control of the trusted environment to the BIOS;
the BIOS controls loading of a secure operating system and transfers control of the trusted environment to the secure operating system;
the secure operating system loads the software environment and creates the trusted environment.
Optionally, before the step of running the BIOS code pre-written into the TPM hardware of the base station after the base station is first powered on and transferring control of the trusted environment to the BIOS, the method further includes:
initializing the TPM hardware and the non-volatile storage of the base station before the base station leaves the factory, the non-volatile storage including a data protection area and a file system data area, which specifically includes:
writing a version switch identifier and a base station pre-installed version to both the data protection area and the file system data area, the base station pre-installed version including trusted Boot Loader code, BOOT code, a secure operating system image, a trusted network software library, application software and weight data; and
writing the key set used together with the base station pre-installed version and the BIOS code into the TPM hardware, the key set containing a plurality of keys.
Optionally, the BIOS controlling loading of the secure operating system and transferring control of the trusted environment to the secure operating system includes:
after the hardware self-test ends, the BIOS checks the trustworthiness of the data stored in the data protection area of the base station;
after the trustworthiness check of the data stored in the data protection area passes, the BIOS loads, through the Boot Loader code, the base station pre-installed version pre-written into the data protection area;
starting execution of the BOOT code, performing hardware initialization of the embedded system of the base station, creating a file system, and performing trusted authentication of the file system;
after the trusted authentication of the file system is completed, extracting and loading the secure operating system image from the base station pre-installed version, and passing control of the trusted environment to the secure operating system.
Optionally, after the step of the BIOS checking the trustworthiness of the data stored in the data protection area of the base station once the hardware self-test ends, the method further includes:
when the trustworthiness check of the data stored in the data protection area fails, the BIOS triggers a restart and reset of the base station.
Optionally, after the trusted authentication of the file system is completed, extracting the secure operating system image from the base station pre-installed version and passing control of the trusted environment to the secure operating system includes:
determining the base station pre-installed version according to the version switch identifier, and extracting the secure operating system image from that base station pre-installed version;
performing trusted authentication of the secure operating system image;
after the secure operating system image passes the trusted authentication, loading the secure operating system image and passing control of the trusted environment to the secure operating system.
Optionally, determining the base station pre-installed version according to the version switch identifier and extracting the secure operating system image from the base station pre-installed version includes:
when the version switch identifier indicates the base station pre-installed version in the file system data area, extracting the corresponding secure operating system image directly from the base station pre-installed version indicated by the version switch identifier;
when the version switch identifier indicates the base station pre-installed version in the data protection area, restoring that base station pre-installed version to the file system data area, and then extracting the secure operating system image from the base station pre-installed version in the file system data area.
Optionally, after the step of performing trusted authentication of the secure operating system image, the method further includes:
when the secure operating system image fails the trusted authentication, triggering a restart and reset of the base station and forcibly setting the value of the version switch identifier to indicate another base station pre-installed version, the other base station pre-installed version being stored in the file system data area or the data protection area.
Optionally, the secure operating system loading the software environment and creating the trusted environment includes:
starting the secure operating system, extracting and loading the application software from the base station pre-installed version, and attaching the trusted network software library.
Optionally, the method further includes:
after the secure operating system starts, the base station requests authentication from a remote control end;
after passing authentication by the remote control end, the base station receives a new base station pre-installed version and its matching key set delivered by the remote control end;
the base station writes the new base station pre-installed version into the data protection area and the file system data area, and writes the matching key set into the TPM hardware of the base station;
the base station changes the value of the version switch identifier to indicate the new base station pre-installed version, initiates a reset, and after the reset loads the new base station pre-installed version.
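The boot-time version selection, trusted authentication, fallback and remote upgrade steps above, simulated in a small added example (not code from the patent or its assignee). The two-area storage layout, the TPM-held key set and the HMAC-SHA256 check are assumptions, since the claims say only "trusted authentication" against a key set; all names and sample images are constructed.

```python
"""Added example: boot-time version selection and fallback as described in the
claims. Storage layout, key handling and the HMAC-based check are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, field

FS_AREA = "file_system_data_area"
DP_AREA = "data_protection_area"


@dataclass
class PreinstalledVersion:
    name: str
    secure_os_image: bytes
    image_tag: bytes  # authentication tag over the image (assumed: HMAC-SHA256)


@dataclass
class NonVolatileStorage:
    version_switch_id: str  # which area's version the next boot should use
    areas: dict = field(default_factory=dict)  # area name -> PreinstalledVersion


@dataclass
class Tpm:
    key_set: dict  # key id -> key bytes, written at the factory or on upgrade


def make_tag(key: bytes, image: bytes) -> bytes:
    return hmac.new(key, image, hashlib.sha256).digest()


def trusted_check(tpm: Tpm, version: PreinstalledVersion) -> bool:
    """Trusted authentication of one version copy against the TPM-held key."""
    expected = make_tag(tpm.key_set["image_key"], version.secure_os_image)
    return hmac.compare_digest(expected, version.image_tag)


def boot_once(nv: NonVolatileStorage, tpm: Tpm) -> tuple:
    """One boot attempt: returns ("loaded", name) or ("reset", reason)."""
    # BIOS step: the data protection area must pass its check before anything
    # is loaded from it; on failure the base station is simply reset.
    protected = nv.areas.get(DP_AREA)
    if protected is None or not trusted_check(tpm, protected):
        return ("reset", "data protection area check failed")
    # Version selection by the identifier: when it points at the protected copy,
    # that copy is first restored into the file system data area and loaded from there.
    if nv.version_switch_id == DP_AREA:
        nv.areas[FS_AREA] = PreinstalledVersion(
            protected.name, protected.secure_os_image, protected.image_tag)
    candidate = nv.areas[FS_AREA]
    if not trusted_check(tpm, candidate):
        # Image failed authentication: force the identifier to the other copy
        # and reset, so the next boot loads that one instead.
        nv.version_switch_id = DP_AREA if nv.version_switch_id == FS_AREA else FS_AREA
        return ("reset", "secure OS image authentication failed")
    return ("loaded", candidate.name)


def boot_with_recovery(nv: NonVolatileStorage, tpm: Tpm, max_attempts: int = 3) -> list:
    """Repeats boot attempts until a version loads; returns the attempt history."""
    history = []
    for _ in range(max_attempts):
        outcome = boot_once(nv, tpm)
        history.append(outcome)
        if outcome[0] == "loaded":
            break
    return history


def remote_upgrade(nv: NonVolatileStorage, tpm: Tpm, authenticated: bool,
                   new_version: PreinstalledVersion, new_key_set: dict) -> bool:
    """Upgrade path: only after remote-end authentication, both areas receive the
    new version, the TPM receives its key set and the identifier points at it.
    The reset that follows is the caller's next boot_once()."""
    if not authenticated:
        return False
    nv.areas[DP_AREA] = new_version
    nv.areas[FS_AREA] = PreinstalledVersion(
        new_version.name, new_version.secure_os_image, new_version.image_tag)
    tpm.key_set.update(new_key_set)
    nv.version_switch_id = FS_AREA
    return True


def factory_state() -> tuple:
    """Constructed factory initialization: version v1 in both areas, key in the TPM."""
    key = b"constructed-image-key-v1"
    image = b"constructed-secure-os-image-v1"
    tag = make_tag(key, image)
    nv = NonVolatileStorage(
        version_switch_id=FS_AREA,
        areas={FS_AREA: PreinstalledVersion("v1", image, tag),
               DP_AREA: PreinstalledVersion("v1", image, tag)})
    return nv, Tpm(key_set={"image_key": key})
```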
Embodiments of the present invention further provide a base station abnormality recovery method, including:
in the trusted environment of the base station, performing a trusted risk-level check on the base station;
when a base station abnormality is found in the trusted risk-level check, resetting the base station and restoring it to a trusted base station pre-installed version.
Optionally, the trusted environment of the base station is composed of a secure operating system running on the base station, a trusted service software library and a trusted network service system, and the method further includes:
writing in advance a version switch identifier and a base station pre-installed version to both the data protection area and the file system data area of the non-volatile storage of the base station, the base station pre-installed version including trusted Boot Loader code, BOOT code, a secure operating system image, a trusted network software library and application software;
writing in advance into the TPM hardware of the base station the key set used together with the base station pre-installed version and the BIOS code.
Optionally, performing the trusted risk-level check on the base station in the trusted environment of the base station includes:
the secure operating system, in cooperation with the application software and the trusted network software library, periodically performs self-tests of the system hardware, storage system, network communication and software behavior;
making a risk assessment decision on the data obtained by the self-test identification to determine whether a base station abnormality has occurred.
Optionally, the secure operating system, in cooperation with the application software and the trusted network software library, periodically performing self-tests of the system hardware, storage system, network communication and software behavior includes:
the secure operating system, in cooperation with the application software, periodically self-tests the system hardware and storage system of the base station and collects static trustworthiness assessment data, the static trustworthiness assessment data containing data on at least any one or more of the following base station abnormality events:
identified hardware failure, and illegal replacement of the version;
through the basic service functions of the trusted network software library, authenticating network communication in real time, and through the application software periodically authenticating to the operating system, collecting system dynamic trustworthiness assessment data, the system dynamic trustworthiness assessment data containing data on at least any one or more of the following base station abnormality events:
unauthorized network access, and network hijacking;
performing an external instruction concentration data check on the categories of service instructions received by the application software, and collecting data on unauthorized behavior characteristics, the unauthorized behavior characteristic data containing data on at least any one or more of the following base station abnormality events:
unauthorized deletion of files, unauthorized copying of files, and unauthorized operations that seriously endanger device security.
Optionally, making an assessment decision on the risk obtained by the self-test identification and determining whether the risk is a base station abnormality includes:
using a weighted linear Bayesian decision algorithm to make an assessment decision on the static trustworthiness assessment data, the system dynamic trustworthiness assessment data and the unauthorized behavior characteristic data obtained by the self-test identification;
when the decision result is that a base station abnormality has occurred, formulating a base station reset scheme and synchronously updating the version switch identifier saved in the data protection area.
Optionally, using the weighted linear Bayesian decision algorithm to make an assessment decision on the static trustworthiness assessment data, the system dynamic trustworthiness assessment data and the unauthorized behavior characteristic data obtained by the self-test identification includes:
when the weight obtained by computing, with the weighted linear Bayesian decision algorithm, the static trustworthiness assessment data, or the system dynamic trustworthiness assessment data, or the unauthorized behavior characteristic data is higher than the corresponding threshold in the weight data, deciding that a base station abnormality has occurred.
Optionally, the method further includes:
after passing authentication by the remote control end, the base station receives a new base station version and its matching key set delivered by the remote control end;
the base station writes the new base station version into the data protection area, and writes the matching key set into the TPM hardware of the base station;
the base station changes the value of the version switch identifier to indicate the new base station pre-installed version, initiates a reset, and after the reset loads the new base station pre-installed version.
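The per-category risk decision described above, written out as an added example (not code from the patent or its assignee). The claims name a weighted linear Bayesian decision and a per-category threshold in the weight data but give no formula, so the weighted sum of log-likelihood ratios, the event likelihoods, the thresholds and the contents of the reset scheme are all assumptions, and the weight data is constructed.

```python
"""Added example: weighted linear Bayesian decision over the three self-test data
categories. Formula, event models and reset scheme contents are assumptions."""
import math
from dataclasses import dataclass

STATIC = "static_trustworthiness"           # hardware / storage self-test
DYNAMIC = "system_dynamic_trustworthiness"  # network and OS authentication
BEHAVIOR = "unauthorized_behavior"          # instruction concentration check

# Abnormality events named in the claims, grouped by the category that reports them.
EVENT_CATEGORY = {
    "hardware_failure": STATIC,
    "illegal_version_replacement": STATIC,
    "unauthorized_network_access": DYNAMIC,
    "network_hijacking": DYNAMIC,
    "unauthorized_file_deletion": BEHAVIOR,
    "unauthorized_file_copy": BEHAVIOR,
    "dangerous_unauthorized_operation": BEHAVIOR,
}


@dataclass(frozen=True)
class EventModel:
    weight: float            # linear weight applied to the event's evidence
    p_given_abnormal: float  # P(event seen in one self-test period | abnormal)
    p_given_normal: float    # P(event seen in one self-test period | normal)


# Constructed weight data; the patent ships it inside the pre-installed version.
# Prior odds are folded into the thresholds (assumption).
WEIGHT_DATA = {
    "events": {
        "hardware_failure": EventModel(1.0, 0.80, 0.02),
        "illegal_version_replacement": EventModel(1.5, 0.60, 0.01),
        "unauthorized_network_access": EventModel(1.0, 0.50, 0.05),
        "network_hijacking": EventModel(1.5, 0.40, 0.01),
        "unauthorized_file_deletion": EventModel(1.0, 0.50, 0.05),
        "unauthorized_file_copy": EventModel(0.5, 0.40, 0.10),
        "dangerous_unauthorized_operation": EventModel(2.0, 0.70, 0.01),
    },
    "thresholds": {STATIC: 2.0, DYNAMIC: 2.0, BEHAVIOR: 2.0},
}


def log_likelihood_ratio(model: EventModel, observed: bool) -> float:
    """log P(obs | abnormal) - log P(obs | normal) for one binary event."""
    if observed:
        return math.log(model.p_given_abnormal / model.p_given_normal)
    return math.log((1.0 - model.p_given_abnormal) / (1.0 - model.p_given_normal))


def category_scores(observations: dict, weight_data: dict) -> dict:
    """Weighted linear sum of evidence per category; unreported events count as absent."""
    unknown = set(observations) - set(weight_data["events"])
    if unknown:
        raise ValueError(f"events without weight data: {sorted(unknown)}")
    scores = {cat: 0.0 for cat in (STATIC, DYNAMIC, BEHAVIOR)}
    for event, model in weight_data["events"].items():
        seen = bool(observations.get(event, False))
        scores[EVENT_CATEGORY[event]] += model.weight * log_likelihood_ratio(model, seen)
    return scores


def decide(observations: dict, weight_data: dict = WEIGHT_DATA) -> tuple:
    """Returns (abnormal, scores, reset_scheme). Any category whose score is
    higher than its threshold in the weight data decides 'abnormal'."""
    scores = category_scores(observations, weight_data)
    triggered = [cat for cat, s in scores.items() if s > weight_data["thresholds"][cat]]
    if not triggered:
        return False, scores, None
    # Reset scheme (assumed contents): reset, and point the version switch
    # identifier at the protected copy so the trusted version is restored.
    scheme = {"reset": True, "version_switch_id": "data_protection_area",
              "triggered_by": triggered}
    return True, scores, scheme


def apply_scheme(data_protection_area: dict, scheme: dict) -> dict:
    """Synchronously updates the identifier saved in the data protection area."""
    if scheme and scheme["reset"]:
        data_protection_area["version_switch_id"] = scheme["version_switch_id"]
    return data_protection_area
```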
Embodiments of the present invention further provide a trusted environment creation device, including:
a BIOS startup module, configured to: after the base station is powered on for the first time, run the BIOS code pre-written into the TPM hardware of the base station and transfer control of the trusted environment to the BIOS;
a BIOS, configured to: control loading of the operating system and transfer control of the trusted environment to a secure operating system;
a secure operating system, configured to: load the software environment and create the trusted environment.
Optionally, the device further includes:
an initialization module, configured to: initialize the TPM hardware and the non-volatile storage of the base station before the base station leaves the factory, the non-volatile storage including a data protection area and a file system data area, which includes:
writing a version switch identifier and a base station pre-installed version to both the data protection area and the file system data area, the base station pre-installed version including trusted Boot Loader code, BOOT code, a secure operating system image, a trusted network software library, application software and weight data; and
writing the key set used together with the base station pre-installed version and the BIOS code into the TPM hardware, the key set containing a plurality of keys.
Optionally, the BIOS includes:
a trustworthiness checking unit, configured to: after the hardware self-test ends, check the trustworthiness of the data stored in the data protection area of the base station;
a version loading unit, configured to: after the trustworthiness check of the data stored in the data protection area passes, load, through the Boot Loader code, the base station pre-installed version pre-written into the data protection area;
a file system creation unit, configured to: start execution of the BOOT code, perform hardware initialization of the embedded system of the base station, create a file system, and perform trusted authentication of the file system;
an image loading unit, configured to: after the trusted authentication of the file system is completed, extract the secure operating system image from the base station pre-installed version and pass control of the trusted environment to the secure operating system.
Optionally, the BIOS further includes:
a restart unit, configured to: when the trustworthiness check of the data stored in the data protection area fails, trigger a restart and reset of the base station.
Optionally, the image loading unit includes:
a version selection subunit, configured to: determine the base station pre-installed version according to the version switch identifier, and extract the secure operating system image from that base station pre-installed version;
an authentication subunit, configured to: perform trusted authentication of the secure operating system image;
a loading subunit, configured to: after the secure operating system image passes the trusted authentication, load the secure operating system image and pass control of the trusted environment to the secure operating system.
Optionally, the version selection subunit is configured to: when the version switch identifier indicates the base station pre-installed version in the file system data area, extract the corresponding secure operating system image directly from the base station pre-installed version indicated by the version switch identifier; and
when the version switch identifier indicates the base station pre-installed version in the data protection area, restore that base station pre-installed version to the file system data area, and then extract the secure operating system image from the base station pre-installed version in the file system data area.
Optionally, the version selection subunit is further configured to: when the secure operating system image fails the trusted authentication, trigger a restart and reset of the base station and forcibly set the value of the version switch identifier to indicate another base station pre-installed version, the other base station pre-installed version being stored in the file system data area or the data protection area.
Optionally, the device further includes:
a remote authentication module, configured to: after the secure operating system starts, have the base station request authentication from a remote control end;
a version download module, configured to: after passing authentication by the remote control end, receive a new base station pre-installed version and its matching key set delivered by the remote control end;
a storage module, configured to: write the new base station pre-installed version into the data protection area and the file system data area, and write the matching key set into the TPM hardware of the base station;
a reset module, configured to: change the value of the version switch identifier to indicate the new base station pre-installed version, initiate a reset, and after the reset load the new base station pre-installed version.
Embodiments of the present invention further provide a base station abnormality recovery device, including:
a checking module, configured to: in the trusted environment of the base station, perform a trusted risk-level check on the base station;
an abnormality recovery module, configured to: when a base station abnormality is found in the trusted risk-level check, reset the base station and restore it to a trusted base station pre-installed version.
Optionally, the trusted environment of the base station is composed of a secure operating system running on the base station, a trusted service software library and a trusted network service system, and the device further includes:
a first configuration module, configured to: write in advance a version switch identifier and a base station pre-installed version to both the data protection area and the file system data area of the non-volatile storage of the base station, the base station pre-installed version including trusted Boot Loader code, BOOT code, a secure operating system image, a trusted network software library and application software;
a second configuration module, configured to: write in advance into the TPM hardware of the base station the key set used together with the base station pre-installed version and the BIOS code.
Optionally, the checking module includes:
a self-test unit, configured to: control the secure operating system to cooperate with the application software and the trusted network software library in periodically self-testing the system hardware, storage system, network communication and software behavior;
an abnormality determination unit, configured to: make a risk assessment decision on the data obtained by the self-test identification, and determine whether a base station abnormality has occurred.
Optionally, the self-test unit includes:
a hardware self-test subunit, configured to: control the secure operating system to cooperate with the application software in periodically self-testing the system hardware and storage system of the base station and collecting static trustworthiness assessment data, the static trustworthiness assessment data containing data on at least any one or more of the following base station abnormality events:
identified hardware failure, and illegal replacement of the version;
a network self-test subunit, configured to: authenticate network communication in real time through the basic service functions of the trusted network software library, periodically authenticate to the operating system through the application software, and collect system dynamic trustworthiness assessment data, the system dynamic trustworthiness assessment data containing data on at least any one or more of the following base station abnormality events:
unauthorized network access, and network hijacking;
a software self-test subunit, configured to: perform an external instruction concentration data check on the categories of service instructions received by the application software, and collect data on unauthorized behavior characteristics, the unauthorized behavior characteristic data containing data on at least any one or more of the following base station abnormality events:
unauthorized deletion of files, unauthorized copying of files, and unauthorized operations that seriously endanger device security.
Optionally, the abnormality determination unit includes:
a decision subunit, configured to: use a weighted linear Bayesian decision algorithm to make an assessment decision on the static trustworthiness assessment data, the system dynamic trustworthiness assessment data and the unauthorized behavior characteristic data obtained by the self-test identification;
a scheme determination unit, configured to: when the decision result is that a base station abnormality has occurred, formulate a base station reset scheme and synchronously update the version switch identifier saved in the data protection area.
Optionally, the device further includes:
a version download module, configured to: after the base station passes authentication by the remote control end, receive a new base station version and its matching key set delivered by the remote control end;
a storage module, configured to: write the new base station version into the data protection area, and write the matching key set into the TPM hardware of the base station;
a reset module, configured to: change the value of the version switch identifier to indicate the new base station pre-installed version, initiate a reset, and after the reset load the new base station pre-installed version.
本发明实施例还提供一种计算机程序,包括程序指令,当该程序指令被计算机执行时,使得该计算机可执行上面所述的方法。Embodiments of the present invention also provide a computer program comprising program instructions that, when executed by a computer, cause the computer to perform the method described above.
本发明实施例还提供一种载有所述计算机程序的计算机可读存储介质。Embodiments of the present invention also provide a computer readable storage medium carrying the computer program.
本发明实施例提供了一种可信环境创建方法和装置及基站异常恢复方法和装置,创建基站的可信环境,在基站的可信环境中,对所述基站进行可信风险度检查,在可信风险度检查中发现基站异常时,将所述基站复位并恢复至可信的基站预装版本。实现了基站基于可信环境的异常自检与自动恢复,解决了可信计算技术方案为基站提供可靠的异常恢复功能的问题。An embodiment of the present invention provides a method and device for creating a trusted environment, and a method and device for recovering an abnormality of a base station, creating a trusted environment of the base station, and performing a trusted risk check on the base station in a trusted environment of the base station. When the base station is abnormal in the trusted risk check, the base station is reset and restored to the trusted base station pre-installed version. The abnormal self-test and automatic recovery of the base station based on the trusted environment are realized, and the problem that the trusted computing technology scheme provides a reliable abnormal recovery function for the base station is solved.
Brief description of the drawings
FIG. 1 is a flowchart of a base station abnormality recovery method according to Embodiment 1 of the present invention;
FIG. 2 is a flowchart of a trusted environment creation method according to Embodiment 1 of the present invention;
FIG. 3 is a detailed flowchart of step 203 in FIG. 2;
FIG. 4 is a flowchart of the base station version update;
FIG. 5 is a detailed flowchart of step 102 in FIG. 1;
FIG. 6 is a schematic structural diagram of a trusted environment creation device according to Embodiment 2 of the present invention;
FIG. 7 is a schematic structural diagram of the BIOS 602 in FIG. 6;
FIG. 8 is a schematic structural diagram of the image loading unit 704 in FIG. 7;
FIG. 9 is a schematic structural diagram of a base station abnormality recovery device according to Embodiment 2 of the present invention;
FIG. 10 is a schematic structural diagram of the self-check module 901 in FIG. 9;
FIG. 11 is a schematic structural diagram of the self-test unit 1001 in FIG. 10;
FIG. 12 is a schematic structural diagram of the abnormality determination unit 1102 in FIG. 11;
FIG. 13 is a schematic diagram of the composition of a universal mobile telecommunications system;
FIG. 14 is a schematic diagram of the composition of an evolved UTRAN;
FIG. 15 is a schematic diagram of the structure of a base station using trusted computing technology;
FIG. 16 is a schematic diagram of the main components of the TPM firmware;
FIG. 17 is a schematic diagram of the space allocation of the base station's non-volatile storage.
Preferred embodiments of the invention
Existing trusted computing solutions for communication base stations are limited in application under the resource constraints of embedded computing systems, and provide neither a trusted data backup mechanism suited to base station operating requirements nor a comprehensive analysis of the various failure risks; they therefore cannot give a base station a reliable capability to actively recover from abnormalities.
To solve the above problem, embodiments of the present invention provide a base station abnormality recovery method and device. The embodiments are described in detail below with reference to the drawings. Note that, where there is no conflict, the embodiments and the features of the embodiments in this application may be combined with one another arbitrarily.
Embodiment 1 is described first with reference to the drawings.
This embodiment provides a base station abnormality recovery method based on a trusted environment. The process by which the base station self-tests for and recovers from abnormalities using this method is shown in FIG. 1 and includes:
Step 101: Create the trusted environment of the base station.
This embodiment provides a trusted environment creation method whose process is shown in FIG. 2 and includes:
Step 201: Before the base station leaves the factory, initialise its TPM hardware and non-volatile storage, where the non-volatile storage includes a data protection zone and a file system data zone, and create the first complete origin of the trusted environment.
This includes:
1. Write the version switch identifier and the pre-installed base station version into the data protection zone and the file system data zone. The pre-installed version includes trusted Boot Loader code, BOOT code, the secure operating system image, the trusted network software library, the application software and the weight data.
The file system data zone is a storage area that may change while the secure operating system is running; at the time of shipment its content is identical to that of the data protection zone.
The version switch identifier points to one pre-installed base station version. Note that one or more pre-installed versions may exist in both the data protection zone and the file system data zone; the value of the identifier may point to any pre-installed version in the data protection zone or to any pre-installed version in the file system data zone.
The trusted network software library is the function library the secure operating system uses to access information stored in hardware.
The weight data serves as the criterion for the subsequent decision and contains at least the thresholds for judging whether an event has occurred.
2. Write the key set used with the pre-installed version and the basic input/output system (BIOS) code into the TPM hardware, creating the first complete origin of the trusted environment. The key set contains several keys, each with an index number; when authenticating with another device using a key, the key can be selected according to the index sent by the other party, or a key can be selected and its index sent to the other party for authentication.
The Boot Loader code and the BOOT code are placed in the data protection zone alongside the pre-installed version.
Step 202: After the base station is powered on for the first time, run the BIOS code pre-written into the base station's TPM hardware and transfer control of the trusted environment to the BIOS.
In this step the base station powers on and the BIOS in the TPM hardware executes. Creation of the trusted environment during on-line operation begins with any power-on of the base station: after power-on, the hardware circuit causes the BIOS in the TPM hardware to take over control of the system, and it first performs a hardware self-test.
Step 203: The BIOS controls loading of the operating system and transfers control of the trusted environment to the secure operating system.
As shown in FIG. 3, this step includes:
Step 301: After the hardware self-test ends, the BIOS checks the trustworthiness of the data stored in the base station's data protection zone.
In this step the BIOS performs trusted authentication of the data protection zone: after the hardware self-test, it checks the trustworthiness of the data in the data protection zone using the agreed key.
Step 302: Once the trustworthiness check of the data in the data protection zone has passed, the BIOS loads, through the Boot Loader code, the secure operating system image contained in the pre-installed base station version pre-written into the data protection zone.
In this step the BIOS may begin loading the operating system through the trusted Boot Loader code only after the trustworthiness check of the data protection zone has passed. If the check fails, the base station alarm indicator is lit and the base station is restarted and reset.
Step 303: Start executing the BOOT code, perform hardware initialisation of the base station's embedded system, create the file system, and perform trusted authentication of the file system.
In this step BOOT starts executing; it first performs hardware initialisation of the embedded system.
BOOT then creates the file system and performs trusted authentication of it.
Step 304: After trusted authentication of the file system is complete, extract the secure operating system image from the pre-installed base station version and pass control of the trusted environment to the secure operating system.
In this step the secure operating system image to load is selected according to the version switch identifier in the data protection zone. If the value of the identifier indicates that the image is to be loaded from the base station's file system zone, the loading flow proceeds directly to step 204. If it indicates loading from the data protection zone, the version in the data protection zone is first restored to the file system with the support of the TPM, and the operating system image is then ready to be loaded.
If trusted authentication of the secure operating system image passes, that image is loaded directly. If it fails, the version switch identifier is forcibly set to load the pre-installed version from the data protection zone, and the base station is reset. (Optionally, when at least one further pre-installed version is stored in the file system data zone, the identifier may instead be set to indicate loading of another pre-installed version from the file system data zone. The rule for changing the identifier's value may be set as required and is not limited by the present invention; any scheme that guarantees that, when a pre-stored version is judged untrustworthy, a different pre-installed version is substituted for loading falls within the scope of protection.)
Step 204: The secure operating system loads the software environment and creates the trusted environment.
The secure operating system extracts and executes the application software from the pre-installed base station version, completes the hooking of the trusted network software library, loads that library, and passes control of the trusted environment to the application software and the trusted network software library.
Optionally, the base station loads the secure operating system image, the secure operating system takes over control of the trusted environment, and it completes the hooking of the calls to the TPM driver and the trusted network software library (both contained in the pre-installed version).
The trusted network software library that ships with the operating system is loaded and executed.
The secure operating system performs trusted authentication of the application software. If authentication passes, the application software continues to be loaded and executed; if it fails, the version switch identifier is set and the base station is reset.
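The loader decision in steps 301 to 304 (which zone the version switch identifier points at, restoring a data-protection-zone version into the file system before loading it, and forcing the identifier to the data protection zone when a file-system image fails its check), together with the version update flow of FIG. 4, is modelled below as an added Go example; it is not code from the patent or from ZTE. Authentication of an image is stood in for by an HMAC-SHA256 tag under a TPM-held key (an assumption; the text's own check is the key-matching scheme described later in this document), the fallback index into the data protection zone is assumed to be 0, and the identifier is left unchanged after a restore because the text does not say it is rewritten. The image bytes and the key are constructed demo values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Zone identifies the non-volatile area a pre-installed version is read from.
type Zone int

const (
	FileSystemZone Zone = iota // file system data zone, changeable at run time
	ProtectedZone              // data protection zone, written only by the update path
)

// Version is one pre-installed version: the image plus the tag the loader
// checks. Assumption: an HMAC-SHA256 under a TPM-held key stands in for the
// text's key-matching authentication.
type Version struct {
	Name  string
	Image []byte
	Tag   []byte
}

// VersionSwitch is the version switch identifier kept in the protection zone.
type VersionSwitch struct {
	Zone  Zone
	Index int
}

// NonVolatile models the layout from the text: both zones may hold one or
// more versions, and the identifier says which one the next boot loads.
type NonVolatile struct {
	Switch    VersionSwitch
	Protected []Version
	FileSys   []Version
}

var (
	// ErrReset: the identifier was changed and the base station must reset.
	ErrReset = errors.New("version switch updated, base station reset required")
	// ErrAlarm: the protection zone itself failed its check; alarm and reset.
	ErrAlarm = errors.New("protection zone check failed: alarm indicator, reset")
)

// NewVersion tags an image under the TPM-held key (constructed demo scheme).
func NewVersion(key []byte, name string, image []byte) Version {
	m := hmac.New(sha256.New, key)
	m.Write(image)
	return Version{Name: name, Image: image, Tag: m.Sum(nil)}
}

// Authentic recomputes the tag and compares it in constant time.
func (v Version) Authentic(key []byte) bool {
	m := hmac.New(sha256.New, key)
	m.Write(v.Image)
	return hmac.Equal(m.Sum(nil), v.Tag)
}

// SelectImage is the step 304 decision. A file-system version is loaded
// directly; a protection-zone version is first restored into the file system
// zone. A file-system version that fails its check forces the identifier to
// the protection zone (index 0, an assumption) and returns ErrReset; a
// protection-zone version that fails its check returns ErrAlarm.
func (nv *NonVolatile) SelectImage(key []byte) (Version, error) {
	sw := nv.Switch
	switch sw.Zone {
	case ProtectedZone:
		if sw.Index < 0 || sw.Index >= len(nv.Protected) || !nv.Protected[sw.Index].Authentic(key) {
			return Version{}, ErrAlarm
		}
		v := nv.Protected[sw.Index]
		restored := Version{Name: v.Name, Image: append([]byte(nil), v.Image...), Tag: append([]byte(nil), v.Tag...)}
		if len(nv.FileSys) == 0 {
			nv.FileSys = []Version{restored}
		} else {
			nv.FileSys[0] = restored
		}
		return nv.FileSys[0], nil
	case FileSystemZone:
		if sw.Index >= 0 && sw.Index < len(nv.FileSys) && nv.FileSys[sw.Index].Authentic(key) {
			return nv.FileSys[sw.Index], nil
		}
		nv.Switch = VersionSwitch{Zone: ProtectedZone, Index: 0}
		return Version{}, ErrReset
	}
	return Version{}, ErrAlarm
}

// Install is the update path of FIG. 4: the new version is written into the
// protection zone, the identifier is pointed at it, and a reset follows.
// (Writing the matching key set into the TPM is outside this model.)
func (nv *NonVolatile) Install(v Version) error {
	nv.Protected = append(nv.Protected, v)
	nv.Switch = VersionSwitch{Zone: ProtectedZone, Index: len(nv.Protected) - 1}
	return ErrReset
}

// Boot repeats SelectImage across resets, as the hardware would, and returns
// the version finally loaded or the alarm condition.
func Boot(nv *NonVolatile, key []byte, maxResets int) (Version, error) {
	for i := 0; i <= maxResets; i++ {
		v, err := nv.SelectImage(key)
		if !errors.Is(err, ErrReset) {
			return v, err
		}
	}
	return Version{}, errors.New("reset loop exceeded")
}

func main() {
	key := []byte("tpm-held-key-constructed-for-demo")
	v1 := NewVersion(key, "v1", []byte("secure OS image v1"))
	nv := &NonVolatile{Protected: []Version{v1}, FileSys: []Version{v1}}
	nv.FileSys[0].Image = []byte("tampered") // run-time corruption of the file system copy
	v, err := Boot(nv, key, 3)               // one forced reset, then restore from the protection zone
	fmt.Println(v.Name, err, nv.FileSys[0].Authentic(key))
}
```

The point to check in any real implementation of this design is the one the model makes visible: the identifier is the only thing that breaks the reset loop, so it must be written to the data protection zone before the reset is issued, and the protection zone copy must be checked before it is used to overwrite the file system copy.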
Creation of the trusted environment during on-line operation also includes the trusted transfer of the trusted environment after a version upgrade of the base station. A version upgrade during operation is coordinated with a dynamic upgrade of the base station's data protection zone. The dynamic upgrade of the base station version relies on the trusted network services provided by the trusted environment and is carried out by the base station control end through remote interaction.
After the secure operating system has started, the base station can check whether the current pre-installed version needs updating and perform the update when required, as shown in FIG. 4:
Step 401: The base station and the remote control end first perform key authentication of the session; the key used here is a key from the aforementioned key set.
Step 402: After being authenticated by the remote control end, the base station receives the new pre-installed base station version and its matching key set issued by the remote control end.
Step 403: The base station writes the received trusted pre-installed version into the data protection zone and writes the key set matching the new pre-installed version into the TPM hardware storage area.
Step 404: The base station changes the version switch identifier and initiates a reset, and loads the new pre-installed (upgraded) version after the reset.
Through the sequential execution of the above steps, control of the trusted environment is passed to the secure operating system and finally to the trusted network software library, which provides trusted services for the application software. Once the trusted application software has started successfully, the trusted environment has been created.
After the trusted environment has been created, detection of base station abnormalities can proceed.
Step 102: Within the base station's trusted environment, perform a trust risk check on the base station.
This is the identification of abnormality risk during base station operation. During operation, the secure operating system, in cooperation with the application software and the trusted network software library, periodically self-tests the system hardware, storage system, network communication and software behaviour to obtain static trustworthiness assessment data; the system authenticates network communication in real time through the basic services of the trusted service library and has the application software periodically authenticate itself to the operating system, collecting system dynamic trustworthiness assessment data; and it checks the concentration of external commands by the category of service commands received by the application software, to identify software behaviour characteristics and external execution characteristics.
A risk assessment decision is then made on the data obtained by the self-test to judge whether a base station abnormality has occurred. Specifically, this is a comprehensive decision on the base station's operating risk: the identified hardware failure risk, software failure risk, human failure risk and trustworthiness measurement risk are all fed into the decision maker, which evaluates them using a weighted linear Bayesian decision algorithm. The weight data is stored in the software version and can be upgraded along with the version. If the decision maker's reset plan requires the base station to be reset, the version switch identifier stored in the base station's data protection zone is updated at the same time and the base station is reset; if no reset is needed, the base station continues normal operation.
As shown in FIG. 5, this step includes:
Step 501: During base station operation, the secure operating system and the trusted application software cooperate to periodically self-test the system hardware and storage system, identify risks such as hardware failure and illegal version replacement, and obtain static trustworthiness assessment data, which contains data on at least one of the following base station abnormal events:
hardware failure, illegal version replacement;
Step 502: The system authenticates network communication in real time through the basic services of the trusted network software library, has the application software periodically authenticate itself to the operating system, identifies risks such as unauthorized network access and network hijacking, and collects system dynamic trustworthiness assessment data, which contains data on at least one of the following base station abnormal events:
unauthorized network access, network hijacking;
Step 503: Check the concentration of external commands by the category of service commands received by the application software and collect data on unauthorized behaviour characteristics, which contains data on at least one of the following base station abnormal events:
unauthorized file deletion, unauthorized file copying, and unauthorized operations that seriously endanger device security,
so as to guard against risks such as unauthorized file deletion or copying and unauthorized operations that seriously endanger device security.
Note that there is no strict ordering between steps 501 to 503.
Step 504: Use a weighted linear Bayesian decision algorithm to evaluate the static trustworthiness assessment data, system dynamic trustworthiness assessment data, software behaviour characteristics and external execution characteristics obtained by the self-test.
When the value computed by the weighted linear Bayesian decision algorithm for the static trustworthiness assessment data, the system dynamic trustworthiness assessment data or the unauthorized behaviour characteristic data exceeds the corresponding threshold in the weight data, the decision is that a base station abnormality has occurred. The weight data is stored in the pre-installed base station version and can be upgraded along with the version.
Step 505: When the decision result is that a base station abnormality has occurred, produce a base station reset plan and at the same time update the version switch identifier stored in the data protection zone.
In this step, once a base station abnormality is confirmed, the decision maker issues a reset plan and at the same time updates the version switch identifier stored in the data protection zone of non-volatile storage, ensuring that the abnormality is actively recovered from after the base station resets.
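Steps 501 to 505 are shown below as an added Go example; it is not code from the patent or from ZTE. The text names a weighted linear Bayesian decision with per-category thresholds carried in the weight data but gives no formula, so the example assumes the naive-Bayes log-odds form: each abnormal event type carries the weight log(P(event | abnormal) / P(event | normal)), a category's score is the log prior odds plus the weighted event counts observed in that category, and a category whose score exceeds its threshold decides "abnormal". The event probabilities, prior and thresholds in DemoWeightData are constructed values, not the patent's weight data.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Category groups evidence the way steps 501 to 503 collect it.
type Category int

const (
	Static    Category = iota // hardware and storage self-test (step 501)
	Dynamic                   // network and OS authentication (step 502)
	Behaviour                 // external command concentration check (step 503)
)

func (c Category) String() string {
	return [...]string{"static", "dynamic", "behaviour"}[c]
}

// EventWeight is one entry of the weight data carried in the pre-installed
// version: how likely the event is on an abnormal versus a healthy base
// station. Its linear weight is the log-likelihood ratio of the two.
type EventWeight struct {
	Category           Category
	PAbnormal, PNormal float64
}

func (e EventWeight) Weight() float64 { return math.Log(e.PAbnormal / e.PNormal) }

// WeightData is the decision criterion shipped with the version: event
// weights, the prior log-odds of abnormality, and a log-odds threshold per
// category above which that category's evidence alone decides "abnormal".
type WeightData struct {
	Events     map[string]EventWeight
	LogPrior   float64 // log(P(abnormal) / P(normal))
	Thresholds map[Category]float64
}

// Observation counts each abnormal event type seen in one self-test cycle.
type Observation map[string]int

// Scores returns, per category, LogPrior + sum(count * weight) over the
// observed events of that category. Event names absent from the weight data
// are ignored: the weight data defines the vocabulary, not the observer.
func Scores(w WeightData, obs Observation) map[Category]float64 {
	scores := map[Category]float64{Static: w.LogPrior, Dynamic: w.LogPrior, Behaviour: w.LogPrior}
	for name, count := range obs {
		ew, ok := w.Events[name]
		if !ok || count <= 0 {
			continue
		}
		scores[ew.Category] += float64(count) * ew.Weight()
	}
	return scores
}

// Decision is the decision maker's output: whether an abnormality was found,
// which categories crossed their threshold, and the reset plan (update the
// version switch identifier in the data protection zone, then reset).
type Decision struct {
	Abnormal  bool
	Triggered []Category
	ResetPlan string
}

// Decide applies the per-category thresholds of the weight data.
func Decide(w WeightData, obs Observation) Decision {
	d := Decision{ResetPlan: "none: continue normal operation"}
	for cat, s := range Scores(w, obs) {
		if s > w.Thresholds[cat] {
			d.Triggered = append(d.Triggered, cat)
		}
	}
	sort.Slice(d.Triggered, func(i, j int) bool { return d.Triggered[i] < d.Triggered[j] })
	if len(d.Triggered) > 0 {
		d.Abnormal = true
		d.ResetPlan = "set version switch identifier to the data protection zone version, then reset"
	}
	return d
}

// DemoWeightData is a constructed weight table for the event types the text
// lists; the numbers are illustrative, not values from the patent.
func DemoWeightData() WeightData {
	return WeightData{
		Events: map[string]EventWeight{
			"hardware_failure":         {Static, 0.30, 0.01},
			"illegal_version_replace":  {Static, 0.40, 0.001},
			"unauthorized_net_access":  {Dynamic, 0.50, 0.05},
			"network_hijack":           {Dynamic, 0.30, 0.002},
			"unauthorized_file_delete": {Behaviour, 0.40, 0.02},
			"unauthorized_file_copy":   {Behaviour, 0.40, 0.05},
			"dangerous_operation":      {Behaviour, 0.50, 0.001},
		},
		LogPrior:   math.Log(0.01 / 0.99), // 1% of self-test cycles are expected to be abnormal
		Thresholds: map[Category]float64{Static: 0, Dynamic: 0, Behaviour: 0},
	}
}

func main() {
	w := DemoWeightData()
	for _, obs := range []Observation{
		{"unauthorized_net_access": 1},
		{"unauthorized_net_access": 3},
		{"illegal_version_replace": 1},
	} {
		d := Decide(w, obs)
		fmt.Printf("%v -> abnormal=%v triggered=%v plan=%s\n", obs, d.Abnormal, d.Triggered, d.ResetPlan)
	}
}
```

A threshold of 0 in log-odds means "more likely abnormal than healthy" after the evidence, so a single failed network authentication in a cycle does not by itself trigger a reset while an illegal version replacement does; because the weights and thresholds live in the version's weight data, as the text states, the sensitivity of the decision can be tuned by a version upgrade without changing the decision maker itself.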
Step 103: When the trust risk check finds the base station abnormal, reset the base station and restore it to a trusted pre-installed version.
This step restores the base station to the pre-installed version indicated by the current value of the version switch identifier.
The trusted authentication method used in the embodiments of the present invention is described below. It is trusted authentication based on key matching and ciphertext comparison. The authentication algorithm is:
Step 1: The party to be authenticated provides 36 bytes of authentication data (RND). The first 4 bytes are a random number (RND1) fixed when the authentication data was generated, the following 16 bytes are check data encrypted under the key (RND2), and the last 16 bytes are the data to be checked (RND3).
Step 2: The authenticating party selects the encryption key according to the authentication data RND, in the following sub-steps:
1) take the fourth byte of RND1 (counting from the left) and AND it with 0x26;
2) take the result modulo 3; the result (0 to 2) is the index number of the authentication key to be selected;
3) select the authentication key with that index from the key set, and derive the 16-byte authentication session key by two-level diversification, using the TPM serial number and RND1 as the diversification factors.
Step 3: The authenticating party encrypts the last 16 bytes of RND (RND3) with the authentication session key using 3DES in ECB mode (3DES_ECB_ENC), obtaining 16 bytes of ciphertext.
Step 4: Compare the ciphertext with RND2. If they match, authentication passes; otherwise authentication fails.
For step 301 the BIOS is the authenticating party and the data protection zone the party authenticated; for step 303 the BOOT code is the authenticating party and the file system the party authenticated; for step 304 the BOOT code is the authenticating party and the secure operating system image the party authenticated; for step 204 the secure operating system is the authenticating party and the application software the party authenticated; for the pre-installed version update flow of FIG. 4, the remote control end is the authenticating party and the base station the party authenticated.
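Both sides of the four-step exchange above, written out as an added Go example; this is not code from the patent or from ZTE. The 36-byte layout, the AND 0x26 / modulo 3 index rule, the two-level diversification with the TPM serial number and RND1, and the 3DES-ECB encryption of RND3 follow the text. The text does not specify the diversification function itself, so the example assumes the common smart-card form (encrypt the 8-byte factor and its bitwise complement under the parent key and concatenate the two results into a 16-byte child key), zero-pads the TPM serial number and RND1 to 8 bytes, and treats every key in the set as a 16-byte two-key 3DES key; the key values, serial number, RND1 and RND3 are constructed demo values.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"errors"
	"fmt"
)

// KeySet is the authentication key set held in the TPM. The index rule in the
// text only ever yields 0, 1 or 2, so three 16-byte two-key 3DES keys suffice.
type KeySet [3][16]byte

// tdesECBEncrypt encrypts data (a multiple of 8 bytes) under a 16-byte
// two-key 3DES key in ECB mode, expanding K1||K2 to K1||K2||K1 as the
// standard library's 24-byte form requires.
func tdesECBEncrypt(key16 []byte, data []byte) ([]byte, error) {
	if len(key16) != 16 {
		return nil, errors.New("3DES key must be 16 bytes")
	}
	if len(data)%8 != 0 {
		return nil, errors.New("ECB input must be a multiple of 8 bytes")
	}
	key24 := append(append([]byte{}, key16...), key16[:8]...)
	block, err := des.NewTripleDESCipher(key24)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += 8 {
		block.Encrypt(out[i:i+8], data[i:i+8])
	}
	return out, nil
}

// SelectKeyIndex is the index rule from step 2: fourth byte of RND1 AND 0x26,
// reduced modulo 3.
func SelectKeyIndex(rnd1 [4]byte) int {
	return int(rnd1[3]&0x26) % 3
}

// diversify derives a 16-byte child key from a parent key and an 8-byte
// factor. Assumed smart-card style: E(parent, factor) || E(parent, NOT factor).
func diversify(parent []byte, factor [8]byte) ([]byte, error) {
	var inv [8]byte
	for i := range factor {
		inv[i] = ^factor[i]
	}
	return tdesECBEncrypt(parent, append(factor[:], inv[:]...))
}

// pad8 zero-pads or truncates an input to an 8-byte diversification factor
// (an assumption; the text does not give the factor encoding).
func pad8(b []byte) (f [8]byte) {
	copy(f[:], b)
	return
}

// SessionKey performs the two-level diversification of step 2.3: the selected
// authentication key is diversified first with the TPM serial number and then
// with RND1, giving the 16-byte authentication session key.
func SessionKey(keys KeySet, tpmSerial []byte, rnd1 [4]byte) ([]byte, error) {
	k := keys[SelectKeyIndex(rnd1)]
	level1, err := diversify(k[:], pad8(tpmSerial))
	if err != nil {
		return nil, err
	}
	return diversify(level1, pad8(rnd1[:]))
}

// BuildAuthData is the party being authenticated (step 1): it assembles
// RND = RND1(4) || RND2(16) || RND3(16) with RND2 = 3DES_ECB_ENC(session, RND3).
func BuildAuthData(keys KeySet, tpmSerial []byte, rnd1 [4]byte, rnd3 [16]byte) ([]byte, error) {
	sk, err := SessionKey(keys, tpmSerial, rnd1)
	if err != nil {
		return nil, err
	}
	rnd2, err := tdesECBEncrypt(sk, rnd3[:])
	if err != nil {
		return nil, err
	}
	out := append([]byte{}, rnd1[:]...)
	out = append(out, rnd2...)
	return append(out, rnd3[:]...), nil
}

// Verify is the authenticating party (steps 2 to 4): it re-derives the session
// key from RND1, encrypts RND3 and compares the result with RND2 in constant time.
func Verify(keys KeySet, tpmSerial []byte, rnd []byte) (bool, error) {
	if len(rnd) != 36 {
		return false, errors.New("authentication data must be 36 bytes")
	}
	var rnd1 [4]byte
	copy(rnd1[:], rnd[:4])
	rnd2, rnd3 := rnd[4:20], rnd[20:36]
	sk, err := SessionKey(keys, tpmSerial, rnd1)
	if err != nil {
		return false, err
	}
	ct, err := tdesECBEncrypt(sk, rnd3)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(ct, rnd2) == 1, nil
}

func main() {
	// Constructed demo values: real keys live in the TPM and RND1/RND3 are fresh random bytes.
	var keys KeySet
	for i := range keys {
		for j := range keys[i] {
			keys[i][j] = byte(i*17 + j + 1)
		}
	}
	serial := []byte("TPM00001")
	rnd1 := [4]byte{0x11, 0x22, 0x33, 0x26}
	rnd3 := [16]byte{9, 8, 7, 6, 5, 4, 3, 2, 1, 0, 1, 2, 3, 4, 5, 6}
	rnd, _ := BuildAuthData(keys, serial, rnd1, rnd3)
	ok, _ := Verify(keys, serial, rnd)
	fmt.Printf("key index %d, verified=%v\n", SelectKeyIndex(rnd1), ok)
}
```

Two points a reviewer of this scheme would check. First, the comparison in step 4 should be constant-time, as above, since RND2 is attacker-supplied. Second, in the exchange as the text describes it all three fields of RND come from the party being authenticated, so the authenticating party contributes no freshness of its own; a captured 36-byte RND would verify again later unless the authenticating party also tracks previously seen RND1 values or supplies a challenge. The example keeps the structure the text describes and does not add such a check.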
下面结合附图,对本发明的实施例二进行说明。Embodiment 2 of the present invention will be described below with reference to the accompanying drawings.
本发明实施例提供了一种可信环境创建装置,可在基站内部创建可信环境,该装置的结构如图6所示,包括:The embodiment of the invention provides a trusted environment creation device, which can create a trusted environment inside the base station. The structure of the device is as shown in FIG. 6 and includes:
BIOS启动模块601,设置为在基站首次上电后,运行预写入所述基站的 TPM硬件的BIOS代码,将可信环境控制权转移给BIOS;The BIOS startup module 601 is configured to run a pre-write to the base station after the base station is powered on for the first time. The BIOS code of the TPM hardware transfers the control of the trusted environment to the BIOS;
BIOS 602,设置为控制进行操作系统的加载,将所述可信环境控制权转移至安全操作系统;The BIOS 602 is configured to control loading of the operating system, and transfer the control of the trusted environment to the secure operating system;
安全操作系统603,设置为加载软件环境,创建可信环境。The secure operating system 603 is configured to load a software environment and create a trusted environment.
可选地,该装置还包括:Optionally, the device further includes:
初始化模块604,设置为在所述基站出厂前进行对该基站的所述TPM硬件和非易失存储进行初始化,所述非易失存储包括数据保护区和文件系统数据区,具体包括:The initialization module 604 is configured to initialize the TPM hardware and the non-volatile storage of the base station before the base station is shipped from the factory. The non-volatile storage includes a data protection area and a file system data area, and specifically includes:
向所述数据保护区及所述文件系统数据区均写入版本切换标识及基站预装版本,所述基站预装版本包括可信的Boot Loader代码、BOOT代码、安全操作系统的映像、可信网络软件库、应用软件和权值数据,Writing a version switch identifier and a pre-installed version of the base station to the data protection area and the file system data area, where the pre-installed version of the base station includes a trusted Boot Loader code, a BOOT code, an image of a secure operating system, and a trusted Network software library, application software and weight data,
将与所述基站预装版本使用配套的密钥集、所述BIOS代码写入所述TPM硬件,所述密钥集包含多个密钥。The key set and the BIOS code associated with the pre-installed version of the base station are written into the TPM hardware, and the key set includes a plurality of keys.
可选地,所述BIOS 602的结构如图7所示,包括:Optionally, the structure of the BIOS 602 is as shown in FIG. 7, and includes:
可信度检查单元701,设置为在硬件自检结束后,对所述基站的数据保护区中存储的数据的可信度进行检查;The credibility checking unit 701 is configured to check the credibility of the data stored in the data protection area of the base station after the hardware self-test ends;
版本加载单元702,设置为在所述数据保护区中存储的数据的可信度检查通过后,通过所述Boot Loader代码加载预写入所述数据保护区中的所述基站预装版本;The version loading unit 702 is configured to pre-write the pre-installed version of the base station in the data protection area by using the Boot Loader code after the credibility check of the data stored in the data protection area is passed;
文件系统创建单元703,设置为启动执行所述BOOT代码,对所述基站的嵌入式系统进行硬件初始化,创建文件系统,并对文件系统进行可信认证;The file system creating unit 703 is configured to start executing the BOOT code, perform hardware initialization on the embedded system of the base station, create a file system, and perform trusted authentication on the file system;
映像加载单元704,设置为在完成对所述文件系统的可信认证后,从所述基站预装版本中提取安全操作系统映像,将可信环境控制权传递至安全操作系统。The image loading unit 704 is configured to, after completing the trusted authentication of the file system, extract a secure operating system image from the pre-installed version of the base station, and transfer the trusted environment control right to the secure operating system.
可选地,所述BIOS 602还包括:Optionally, the BIOS 602 further includes:
重启单元705,设置为在所述数据保护区中存储的数据的可信度检查未通过时,触发基站重启复位。 The restarting unit 705 is configured to trigger the base station to restart the reset when the credibility check of the data stored in the data protection zone fails.
Optionally, the image loading unit 704 is structured as shown in FIG. 8 and includes:
a version selection subunit 801, configured to determine the base station pre-installed version according to the version switch identifier and extract the secure operating system image from that pre-installed version;
an authentication subunit 802, configured to perform trusted authentication of the secure operating system image;
a loading subunit 803, configured to load the secure operating system image once it has passed trusted authentication, and transfer control of the trusted environment to the secure operating system.
Optionally, the version selection subunit 801 is configured to extract the corresponding secure operating system image directly from the pre-installed version indicated by the version switch identifier when that identifier indicates the base station pre-installed version in the file system data area, and, when the identifier indicates the base station pre-installed version in the data protection area, to first restore that pre-installed version to the file system data area and then extract the secure operating system image from the pre-installed version in the file system data area.
Optionally, the version selection subunit 801 is further configured to, when the secure operating system image fails trusted authentication, trigger a restart and reset of the base station and force the value of the version switch identifier to point to another base station pre-installed version, which is stored in the file system data area or in the data protection area.
Optionally, the device further includes:
a remote authentication module 605, configured so that, after the secure operating system has started, the base station requests authentication from the remote control end;
a version download module 606, configured to receive, after authentication by the remote control end has succeeded, the new base station pre-installed version and its matching key set issued by the remote control end;
a storage module 607, configured to write the new base station pre-installed version into the data protection area and the file system data area, and to write the matching key set into the TPM hardware of the base station;
a reset module 608, configured to change the value of the version switch identifier to point to the new base station pre-installed version, initiate a reset, and load the new base station pre-installed version after the reset.
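As an added example (not ZTE's code and not taken from the patent), the C model below shows how the version selection, authentication and fallback of subunits 801 to 803 and the remote update path of modules 605 to 608 fit together. The two storage areas, the version switch identifier and the reset counter are constructed in memory; the trusted authentication is stood in for by an FNV-1a digest compared against a reference value assumed to be held with the key set in the TPM, where a real device would use a TPM-backed signature or HMAC. One deliberate difference from the text: the copy in the data protection area is authenticated before it is restored over the file system data area, so a corrupt backup can never overwrite the running copy. The bound on consecutive resets is also an assumption, since the text does not say what happens when both versions fail authentication.

```c
/* Added example, not ZTE's code: model of version switch identifier handling
 * (subunits 801-803) and the remote update path (modules 605-608).
 * "Trusted authentication" is a toy digest check; the reference digest is
 * assumed to live with the key set in the TPM. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_LEN 64
#define AREA_FS 0          /* file system data area */
#define AREA_PROTECTED 1   /* data protection area (block-device access only) */

struct image {
    uint8_t  bytes[IMAGE_LEN];  /* secure OS image content (constructed) */
    uint32_t reference;         /* expected digest, assumed TPM-held */
};

struct flash {
    struct image slot[2];       /* slot[AREA_FS], slot[AREA_PROTECTED] */
    int switch_flag;            /* version switch identifier */
    int reset_count;            /* restart/reset events triggered so far */
};

/* 32-bit FNV-1a, standing in for the TPM-backed integrity check. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

int image_trusted(const struct image *im) {
    return fnv1a(im->bytes, IMAGE_LEN) == im->reference;
}

/* Build a valid image whose reference digest matches its content. */
void make_image(struct image *im, uint8_t fill) {
    memset(im->bytes, fill, IMAGE_LEN);
    im->reference = fnv1a(im->bytes, IMAGE_LEN);
}

/* Version selection + authentication + fallback. Returns the area whose
 * image passed authentication and was "loaded", or -1 when max_resets
 * forced resets still did not yield a trusted image. */
int boot_select(struct flash *f, int max_resets) {
    for (int attempt = 0; attempt <= max_resets; attempt++) {
        int area = f->switch_flag;
        const struct image *cand = &f->slot[area];
        if (image_trusted(cand)) {
            /* Identifier points at the protected copy: restore it to the
             * file system data area (only after it authenticated), then boot. */
            if (area == AREA_PROTECTED)
                f->slot[AREA_FS] = *cand;
            return area;                  /* control passes to the secure OS */
        }
        /* Authentication failed: force the identifier to the other version
         * and trigger a restart/reset. */
        f->switch_flag = (area == AREA_FS) ? AREA_PROTECTED : AREA_FS;
        f->reset_count++;
    }
    return -1;
}

/* Remote update path. Authentication of the remote control end is assumed to
 * have succeeded before this is called. The new version is written to both
 * areas, the identifier is pointed at it, and a reset is initiated. */
void install_update(struct flash *f, const struct image *new_image) {
    f->slot[AREA_PROTECTED] = *new_image;
    f->slot[AREA_FS] = *new_image;
    f->switch_flag = AREA_FS;
    f->reset_count++;
}

int main(void) {
    struct flash f;
    memset(&f, 0, sizeof f);
    make_image(&f.slot[AREA_FS], 0x11);
    make_image(&f.slot[AREA_PROTECTED], 0x22);
    f.slot[AREA_FS].bytes[5] ^= 0xff;   /* simulate a tampered running copy */
    int booted = boot_select(&f, 3);
    printf("booted from area %d after %d reset(s)\n", booted, f.reset_count);
    return 0;
}
```

boot_select returns the area actually booted and counts every forced reset, which is the signal a practitioner would want exported to the remote control end: a station that keeps flipping its identifier is either under attack or has a failing flash part.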
An embodiment of the present invention further provides a base station abnormality recovery device, whose structure is shown in FIG. 9 and which includes:
a checking module 901, configured to perform a trusted-risk check on the base station within the base station's trusted environment;
an abnormality recovery module 902, configured to reset the base station and restore it to a trusted base station pre-installed version when the trusted-risk check detects a base station abnormality.
Optionally, the trusted environment of the base station consists of the secure operating system running on the base station, a trusted service software library and a trusted network service system, and the device further includes:
a first configuration module 903, configured to write in advance a version switch identifier and a base station pre-installed version into both the data protection area and the file system data area of the base station's non-volatile storage, the pre-installed version including trusted Boot Loader code, BOOT code, the secure operating system image, the trusted network software library and the application software;
a second configuration module 904, configured to write in advance into the TPM hardware of the base station the key set matching the base station pre-installed version and the BIOS code.
Optionally, the checking module 901 is structured as shown in FIG. 10 and includes:
a self-check unit 1001, configured to make the secure operating system, in cooperation with the application software and the trusted network software library, periodically self-check the system hardware, storage system, network communication and software behaviour;
an abnormality determination unit 1002, configured to make a risk assessment decision on the data obtained by the self-check and determine whether a base station abnormality has occurred.
Optionally, the self-check unit 1001 is structured as shown in FIG. 11 and includes:
a hardware self-check subunit 1101, configured to make the secure operating system, in cooperation with the application software, periodically self-check the system hardware and storage system of the base station and collect static credibility evaluation data, which contains data on at least one of the following base station abnormal events: detected hardware failure, illegal replacement of the version;
a network self-check subunit 1102, configured to authenticate network communication in real time through the basic service functions of the trusted network software library, have the application software periodically authenticate itself to the operating system, and collect system dynamic credibility evaluation data, which contains data on at least one of the following base station abnormal events: unauthorized network access, network hijacking;
a software self-check subunit 1103, configured to check the concentration of external commands by the category of service commands received by the application software and collect unauthorized-behaviour characteristic data, which contains data on at least one of the following base station abnormal events: unauthorized deletion of files, unauthorized copying of files, unauthorized operations that seriously endanger device security.
Optionally, the abnormality determination unit 1002 is structured as shown in FIG. 12 and includes:
a decision subunit 1201, configured to use a weighted linear Bayesian decision algorithm to evaluate and decide on the static credibility evaluation data, the system dynamic credibility evaluation data and the unauthorized-behaviour characteristic data obtained from the self-checks;
a scheme determination subunit 1202, configured to, when the decision result is that a base station abnormality has occurred, produce a base station reset scheme and synchronously update the version switch identifier saved in the data protection area.
Optionally, the device further includes:
a version download module 905, configured to receive the new base station version and its matching key set issued by the remote control end after the base station has been authenticated by the remote control end;
a storage module 906, configured to write the new base station version into the data protection area and write the matching key set into the TPM hardware of the base station;
a reset module 907, configured to change the value of the version switch identifier to point to the new base station pre-installed version, initiate a reset, and load the new pre-installed version after the reset.
The trusted environment creation device and the base station abnormality recovery device described above may be integrated into the base station equipment, which then carries out the corresponding functions.
In the technical solution provided by embodiments of the present invention, during the base station's power-on phase the firmware completes initialization and hardware testing and then passes trust to the operating system; after the operating system takes over the system, trusted computing functions are provided to applications through the trusted software service library. With the basic support of the TPM firmware, a lightweight integrated trusted service covering the hardware system, the software system and the network services is realized on the embedded hardware platform.
The data protection service based on the trusted environment implements a non-volatile storage data protection area in the embedded system, together with an update mechanism for that area, which ensures the credibility of the base station configuration data and backup versions stored there.
By partitioning the base station's non-volatile storage into a data protection area and a file system data area, and placing both under the protection of the TPM firmware and the trusted services, the integrity of the trusted environment is ensured both as shipped from the factory and after version updates during operation. The data protection area of the base station's non-volatile storage always holds a trusted base station version and a data backup.
A version switch identifier is stored in the data protection area of the non-volatile storage and is used to select the trusted version during base station start-up. The version switch identifier is updated by the abnormality decision algorithm and is likewise protected by the trusted environment. This guarantees that, once the base station has identified an abnormal risk, it can restore a trusted version by changing the version switch identifier and then resetting itself, so that trusted operation of the base station is ensured.
During operation, the base station collects hardware self-check results, static credibility evaluation results, software runtime behaviour characteristics, external command characteristic recognition, dynamic credibility evaluation results and similar information. The identified hardware failure risks, software failure risks, human-caused failure risks and credibility measurement risks are all fed into a decision maker, which evaluates them with a weighted linear Bayesian decision algorithm, produces a base station reset scheme and synchronously updates the version switch identifier held in non-volatile storage, ensuring that the base station actively recovers from the abnormality after the reset.
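As an added example (not ZTE's code), the block below implements one reading of the "weighted linear Bayesian decision" described for the decision subunit 1201 and for the decision maker above: a naive-Bayes posterior in which each indicator's weight multiplies its log-likelihood ratio. It is computed in the odds domain so that integer weights become exponents and no math library is needed. The five indicators mirror the events collected by the three self-check subunits; the likelihoods, weights, prior and threshold are all constructed values and the indicator names are hypothetical.

```c
/* Added example, not ZTE's code: weighted naive-Bayes decision over the
 * self-check indicators. All probabilities and weights are constructed. */
#include <stddef.h>
#include <stdio.h>

struct indicator {
    const char *name;
    double p_abn;   /* P(indicator fired | base station abnormal), constructed */
    double p_nrm;   /* P(indicator fired | base station normal),   constructed */
    int    weight;  /* stands in for the weight data of the pre-installed version */
};

#define N_INDICATORS 5
const struct indicator INDICATORS[N_INDICATORS] = {
    /* static credibility evaluation data (hardware self-check subunit 1101) */
    { "hardware_failure",            0.60, 0.010, 2 },
    { "illegal_version_replacement", 0.50, 0.005, 2 },
    /* system dynamic credibility evaluation data (network self-check subunit 1102) */
    { "unauthorized_network_access", 0.40, 0.050, 1 },
    { "network_hijacking",           0.30, 0.020, 1 },
    /* unauthorized-behaviour characteristic data (software self-check subunit 1103) */
    { "unauthorized_file_operation", 0.50, 0.100, 1 },
};

static double ipow(double b, int e) {
    double r = 1.0;
    while (e-- > 0) r *= b;
    return r;
}

/* Posterior P(abnormal | observations). Bit i of mask is set when indicator
 * i fired in the current self-check round. An integer weight w multiplies the
 * log-likelihood ratio, i.e. raises the likelihood ratio to the power w. */
double posterior_abnormal(unsigned mask, double prior) {
    double odds = prior / (1.0 - prior);
    for (size_t i = 0; i < N_INDICATORS; i++) {
        const struct indicator *d = &INDICATORS[i];
        int fired = (mask >> i) & 1u;
        double lr = fired ? d->p_abn / d->p_nrm
                          : (1.0 - d->p_abn) / (1.0 - d->p_nrm);
        odds *= ipow(lr, d->weight);
    }
    return odds / (1.0 + odds);
}

/* Decision: 1 means "base station abnormal", i.e. produce a reset scheme and
 * update the version switch identifier; 0 means keep running. */
int decide_abnormal(unsigned mask, double prior, double threshold) {
    return posterior_abnormal(mask, prior) >= threshold;
}

int main(void) {
    const double prior = 0.01, threshold = 0.5;
    unsigned cases[] = { 0u, 1u, 16u, 28u, 3u };   /* constructed self-check rounds */
    for (size_t c = 0; c < sizeof cases / sizeof cases[0]; c++)
        printf("mask 0x%02x: P(abnormal)=%.4f -> %s\n", cases[c],
               posterior_abnormal(cases[c], prior),
               decide_abnormal(cases[c], prior, threshold) ? "RESET" : "ok");
    return 0;
}
```

With these constructed numbers a single static indicator (a hardware failure or an illegally replaced version) crosses the 0.5 threshold on its own, whereas the three dynamic and behavioural indicators together reach a posterior of only about 0.2. The weight data is what tunes that balance, and because the text stores it inside the pre-installed version it is protected by the same authentication as the version itself; an attacker who could rewrite the weights could silence the decision maker without touching any image.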
Embodiments of the present invention provide a base station abnormality recovery method and device that can be applied to the Universal Mobile Telecommunications System (UMTS), whose base station generally consists of a baseband unit (BBU) and a remote radio unit (RRU), as shown in FIG. 13. They can also be applied to the Evolved UTRAN (E-UTRAN) architecture, which consists mainly of a single layer of evolved NodeBs (eNodeBs), as shown in FIG. 14.
The data protection, key protection and key diversification techniques of trusted computing are used to establish a lightweight trusted environment with the support of the TPM firmware. The device consists of three parts: a hardware main board (including the TPM firmware and the embedded hardware circuitry), a secure operating system and a trusted network software library; the relationship between these components is shown in FIG. 15.
The TPM firmware serves as the trusted source (root of trust) of the system, providing hardware-level cryptographic computation, key protection and a small amount of data storage; its components are shown in FIG. 16. The BIOS used to start the embedded system is stored in the TPM's memory and mainly performs the hardware self-test and the credibility check of the non-volatile storage in the embedded system. The BIOS held in TPM storage cannot be updated, which guarantees that the BIOS stays trusted, whereas the keys held in the TPM module can be updated online once the trusted environment has been established.
The non-volatile storage space of the embedded hardware platform is divided into a data protection area and a file system data area; the space allocation is shown in FIG. 17. The data protection area stores the base station's executable version, backups of important configuration data, the Boot Loader code and the BOOT code. It can only be manipulated through block device access, and that access is protected by the TPM so that only authorized operations can update the data in the protection area. The file system data area is controlled and accessed through the operating system's file system and is likewise protected by the trusted environment. Because the running base station version normally accesses data through the file system during operation, the data protection area largely prevents the risk of overwriting caused by software failures and improves the reliability of the system's backup data.
The secure operating system is based on embedded Linux; the kernel's network communication services have been modified to add randomized trusted authentication, and a TPM driver and authentication services have been added. The trusted network software library wraps the basic trusted authentication services provided by the secure operating system, offers a convenient calling interface and provides trusted service functions such as transaction-level trusted authentication.
Embodiments of the present invention provide a trusted environment creation method and device and a base station abnormality recovery method and device: a trusted environment is created for the base station; within that trusted environment a trusted-risk check is performed on the base station; and when the trusted-risk check detects a base station abnormality, the base station is reset and restored to a trusted base station pre-installed version. This realizes abnormality self-checking and automatic recovery of the base station on the basis of a trusted environment, and solves the problem that existing trusted computing solutions do not provide base stations with a reliable abnormality recovery function.
With the technical solution provided by embodiments of the present invention, creation of the trusted operating environment, identification of abnormal risks with comprehensive decision-making, and active abnormality recovery of the base station can all be achieved relying entirely on the capabilities of the communication base station itself, without intervention or cooperation from any other system or network element.
Embodiments of the present invention can effectively establish a lightweight integrated trusted environment covering hardware, software and services on embedded hardware, giving the base station a certain active security defence capability; through the novel data protection area mechanism, normal version upgrades and version switching in abnormal scenarios are handled by one unified mechanism on the basis of trusted data protection; and through the identification and comprehensive judgement of the base station's various abnormal risks, abnormality recovery becomes more proactive and effective, improving base station availability, which can reduce operators' maintenance costs and improve the user experience.
A person of ordinary skill in the art will understand that all or some of the steps of the above embodiments may be implemented by a computer program flow; the computer program may be stored in a computer-readable storage medium and executed on a corresponding hardware platform (such as a system, apparatus, device or component), and when executed it includes one of the steps of the method embodiments or a combination of them.
Optionally, all or some of the steps of the above embodiments may also be implemented with integrated circuits; these steps may each be fabricated as an individual integrated circuit module, or several of the modules or steps may be fabricated as a single integrated circuit module. Thus the present invention is not limited to any particular combination of hardware and software.
The devices/functional modules/functional units in the above embodiments may be implemented with general-purpose computing devices; they may be concentrated on a single computing device or distributed over a network formed by several computing devices.
When the devices/functional modules/functional units in the above embodiments are implemented in the form of software functional modules and sold or used as independent products, they may be stored in a computer-readable storage medium. The computer-readable storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc or the like.
Industrial applicability
Embodiments of the present invention realize abnormality self-checking and automatic recovery of a base station on the basis of a trusted environment, solving the problem that trusted computing solutions do not provide base stations with a reliable abnormality recovery function.

Claims (32)

  1. A trusted environment creation method, comprising:
    after the base station is powered on for the first time, running the basic input/output system (BIOS) code pre-written into the trusted platform module (TPM) hardware of the base station and transferring control of the trusted environment to the BIOS;
    the BIOS controlling the loading of a secure operating system and transferring control of the trusted environment to the secure operating system;
    the secure operating system loading the software environment and creating the trusted environment.
  2. The trusted environment creation method according to claim 1, wherein, before the step of running the BIOS code pre-written into the TPM hardware of the base station after the base station is powered on for the first time and transferring control of the trusted environment to the BIOS, the method further comprises:
    initializing the TPM hardware and the non-volatile storage of the base station before the base station leaves the factory, the non-volatile storage comprising a data protection area and a file system data area,
    wherein initializing the non-volatile storage of the base station comprises: writing a version switch identifier and a base station pre-installed version into both the data protection area and the file system data area, the base station pre-installed version comprising trusted Boot Loader code, BOOT code, a secure operating system image, a trusted network software library, application software and weight data,
    and initializing the TPM hardware of the base station comprises: writing the key set matching the base station pre-installed version and the BIOS code into the TPM hardware, the key set comprising a plurality of keys.
  3. The trusted environment creation method according to claim 2, wherein the BIOS controlling the loading of the secure operating system and transferring control of the trusted environment to the secure operating system comprises:
    the BIOS checking, after the hardware self-test has finished, the credibility of the data stored in the data protection area of the base station;
    the BIOS loading, via the Boot Loader code, the base station pre-installed version pre-written into the data protection area once the credibility check of the data stored in the data protection area has passed;
    starting execution of the BOOT code, performing hardware initialization of the base station's embedded system, creating the file system and performing trusted authentication of the file system;
    after the trusted authentication of the file system is complete, extracting and loading the secure operating system image from the base station pre-installed version and transferring control of the trusted environment to the secure operating system.
  4. The trusted environment creation method according to claim 3, wherein, after the step of the BIOS checking the credibility of the data stored in the data protection area of the base station once the hardware self-test has finished, the method further comprises:
    the BIOS triggering a restart and reset of the base station when the credibility check of the data stored in the data protection area fails.
  5. The trusted environment creation method according to claim 3, wherein, after the trusted authentication of the file system is complete, extracting the secure operating system image from the base station pre-installed version and transferring control of the trusted environment to the secure operating system comprises:
    determining the base station pre-installed version according to the version switch identifier and extracting the secure operating system image from that pre-installed version;
    performing trusted authentication of the secure operating system image;
    once the secure operating system image has passed trusted authentication, loading it and transferring control of the trusted environment to the secure operating system.
  6. The trusted environment creation method according to claim 5, wherein determining the base station pre-installed version according to the version switch identifier and extracting the secure operating system image from that pre-installed version comprises:
    when the version switch identifier indicates the base station pre-installed version in the file system data area, extracting the corresponding secure operating system image directly from the pre-installed version indicated by the identifier;
    when the version switch identifier indicates the base station pre-installed version in the data protection area, first restoring that pre-installed version to the file system data area and then extracting the secure operating system image from the pre-installed version in the file system data area.
  7. The trusted environment creation method according to claim 5, wherein, after the step of performing trusted authentication of the secure operating system image, the method further comprises:
    when the secure operating system image fails trusted authentication, triggering a restart and reset of the base station and forcing the value of the version switch identifier to point to another base station pre-installed version, which is stored in the file system data area or in the data protection area.
  8. The trusted environment creation method according to claim 3, wherein the secure operating system loading the software environment and creating the trusted environment comprises:
    starting the secure operating system, extracting and loading the application software from the base station pre-installed version, and attaching the trusted network software library.
  9. The trusted environment creation method according to claim 1, further comprising:
    after the secure operating system has started, the base station requesting authentication from a remote control end;
    after being authenticated by the remote control end, the base station receiving the new base station pre-installed version and its matching key set issued by the remote control end;
    the base station writing the new base station pre-installed version into the data protection area and the file system data area, and writing the matching key set into the TPM hardware of the base station;
    the base station changing the value of the version switch identifier to point to the new base station pre-installed version, initiating a reset, and loading the new pre-installed version after the reset.
  10. A base station abnormality recovery method, comprising:
    performing a trusted-risk check on the base station within the base station's trusted environment;
    when the trusted-risk check detects a base station abnormality, resetting the base station and restoring it to a trusted base station pre-installed version.
  11. The base station abnormality recovery method according to claim 10, wherein the trusted environment of the base station consists of a secure operating system running on the base station, a trusted service software library and a trusted network service system, and the method further comprises:
    writing in advance a version switch identifier and a base station pre-installed version into both the data protection area and the file system data area of the base station's non-volatile storage, the base station pre-installed version comprising trusted Boot Loader code, BOOT code, a secure operating system image, a trusted network software library and application software;
    writing in advance into the trusted platform module (TPM) hardware of the base station the key set matching the base station pre-installed version and basic input/output system (BIOS) code.
  12. The base station abnormality recovery method according to claim 11, wherein performing a trusted-risk check on the base station within the base station's trusted environment comprises:
    the secure operating system, in cooperation with the application software and the trusted network software library, periodically self-checking the system hardware, storage system, network communication and software behaviour;
    making a risk assessment decision on the data obtained by the self-check and determining whether a base station abnormality has occurred.
  13. The base station abnormality recovery method according to claim 12, wherein the secure operating system, in cooperation with the application software and the trusted network software library, periodically self-checking the system hardware, storage system, network communication and software behaviour comprises:
    the secure operating system, in cooperation with the application software, periodically self-checking the system hardware and storage system of the base station and collecting static credibility evaluation data, which contains data on at least one of the following base station abnormal events: detected hardware failure, illegal replacement of the version;
    authenticating network communication in real time through the basic service functions of the trusted network software library, having the application software periodically authenticate itself to the operating system, and collecting system dynamic credibility evaluation data, which contains data on at least one of the following base station abnormal events: unauthorized network access, network hijacking;
    checking the concentration of external commands by the category of service commands received by the application software and collecting unauthorized-behaviour characteristic data, which contains data on at least one of the following base station abnormal events: unauthorized deletion of files, unauthorized copying of files, unauthorized operations that seriously endanger device security.
  14. The base station abnormality recovery method according to claim 12, wherein making an assessment decision on the risk identified by the self-check to determine whether the risk is a base station abnormality comprises:
    using a weighted linear Bayesian decision algorithm to make an assessment decision on the static trustworthiness assessment data, the system dynamic trustworthiness assessment data and the unauthorized behaviour characteristic data obtained from the self-check;
    when the decision result is that a base station abnormality has occurred, producing a base station reset scheme and synchronously updating the version switch identifier stored in the data protection area.
  15. The base station abnormality recovery method according to claim 14, wherein using a weighted linear Bayesian decision algorithm to make an assessment decision on the static trustworthiness assessment data, the system dynamic trustworthiness assessment data and the unauthorized behaviour characteristic data obtained from the self-check comprises:
    deciding that a base station abnormality has occurred when the weight value obtained by applying the weighted linear Bayesian decision algorithm to the static trustworthiness assessment data, the system dynamic trustworthiness assessment data or the unauthorized behaviour characteristic data is higher than the corresponding threshold in the weight data.
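Added example (not from the patent): one reading of the decision rule in claims 13 to 15, with the three self-check data categories scored separately by a weighted naive-Bayes classifier, which is linear in the log domain, and an abnormality declared as soon as one category's score exceeds its threshold. The event probabilities, weights, thresholds and prior in `WEIGHT_DATA`, `THRESHOLDS` and `PRIOR_ABNORMAL` are constructed values standing in for the patent's unspecified weight data, and pointing the identifier at the data protection area on reset is an assumption.

```python
import math
from dataclasses import dataclass
from typing import Optional

# Name of the protected copy the reset scheme falls back to (assumed target).
DATA_PROTECTION_AREA = "data_protection_area"


@dataclass(frozen=True)
class EventModel:
    """Weight-data entry for one abnormal event: how often the event is seen on
    an abnormal vs. a normal base station, and the weight it carries."""
    p_given_abnormal: float
    p_given_normal: float
    weight: float


# Constructed weight data, keyed by the three categories of claim 13 and the
# abnormal events each category may report.
WEIGHT_DATA = {
    "static": {
        "hardware_failure": EventModel(0.60, 0.020, 1.0),
        "illegal_version_replacement": EventModel(0.80, 0.001, 2.0),
    },
    "dynamic": {
        "unauthorized_network_access": EventModel(0.70, 0.050, 1.0),
        "network_hijacking": EventModel(0.50, 0.005, 1.5),
    },
    "behaviour": {
        "unauthorized_file_deletion": EventModel(0.60, 0.010, 1.0),
        "unauthorized_file_copy": EventModel(0.50, 0.020, 1.0),
        "critical_unauthorized_operation": EventModel(0.90, 0.001, 2.0),
    },
}
THRESHOLDS = {"static": 3.0, "dynamic": 3.0, "behaviour": 3.0}  # per category
PRIOR_ABNORMAL = 0.01  # assumed prior probability that a station is abnormal


def category_score(category: str, observed: set) -> float:
    """Weighted linear Bayesian score for one category: prior log-odds of
    abnormality plus the weighted log-likelihood ratio of every modelled event,
    counted whether it was observed or not (naive Bayes in log space)."""
    score = math.log(PRIOR_ABNORMAL / (1.0 - PRIOR_ABNORMAL))
    for name, m in WEIGHT_DATA[category].items():
        if name in observed:
            llr = math.log(m.p_given_abnormal / m.p_given_normal)
        else:
            llr = math.log((1.0 - m.p_given_abnormal) / (1.0 - m.p_given_normal))
        score += m.weight * llr
    return score


def decide(observed_by_category: dict) -> dict:
    """Claim 15 rule: abnormal as soon as any category's score exceeds its threshold."""
    scores = {c: category_score(c, set(observed_by_category.get(c, ())))
              for c in WEIGHT_DATA}
    triggered = [c for c, s in scores.items() if s > THRESHOLDS[c]]
    return {"abnormal": bool(triggered), "scores": scores, "triggered": triggered}


def reset_scheme(decision: dict) -> Optional[dict]:
    """Claim 14: on abnormality, produce the reset scheme together with the
    version switch identifier update that accompanies it."""
    if not decision["abnormal"]:
        return None
    return {"action": "reset",
            "version_switch_identifier": DATA_PROTECTION_AREA,
            "reason": decision["triggered"]}
```

A single unauthorized file copy stays below the behaviour threshold under these constructed weights, while an illegal version replacement alone is enough to trigger a reset.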
  16. The base station abnormality recovery method according to claim 11, further comprising:
    the base station, after passing authentication by a remote control end, receiving a new base station version and a matching key set delivered by the remote control end;
    the base station writing the new base station version into the data protection area and writing the matching key set into the TPM hardware of the base station;
    the base station changing the value of the version switch identifier to indicate the new base station pre-installed version, initiating a reset, and loading the new base station pre-installed version after the reset.
  17. A trusted environment creation device, comprising:
    a basic input/output system (BIOS) start-up module, configured to: after the base station is powered on for the first time, run BIOS code pre-written into Trusted Platform Module (TPM) hardware of the base station and transfer control of the trusted environment to the BIOS;
    the BIOS, configured to: control loading of an operating system and transfer control of the trusted environment to a secure operating system; and
    the secure operating system, configured to: load a software environment and create a trusted environment.
  18. The trusted environment creation device according to claim 1, further comprising:
    an initialization module, configured to: initialize the TPM hardware and non-volatile storage of the base station before the base station leaves the factory, the non-volatile storage comprising a data protection area and a file system data area,
    wherein initializing the non-volatile storage of the base station comprises: writing a version switch identifier and a base station pre-installed version to both the data protection area and the file system data area, the base station pre-installed version comprising trusted Boot Loader code, BOOT code, an image of the secure operating system, a trusted network software library, application software and weight data,
    and initializing the TPM hardware of the base station comprises: writing a key set matching the base station pre-installed version and the BIOS code into the TPM hardware, the key set containing a plurality of keys.
  19. The trusted environment creation device according to claim 18, wherein the BIOS comprises:
    a trustworthiness checking unit, configured to: after the hardware self-check finishes, check the trustworthiness of the data stored in the data protection area of the base station;
    a version loading unit, configured to: after the trustworthiness check of the data stored in the data protection area passes, load the base station pre-installed version pre-written into the data protection area by means of the Boot Loader code;
    a file system creation unit, configured to: start executing the BOOT code, perform hardware initialization of the embedded system of the base station, create a file system, and perform trusted authentication of the file system;
    an image loading unit, configured to: after trusted authentication of the file system is complete, extract the secure operating system image from the base station pre-installed version and pass control of the trusted environment to the secure operating system.
  20. The trusted environment creation device according to claim 19, wherein the BIOS further comprises:
    a restart unit, configured to: when the trustworthiness check of the data stored in the data protection area fails, trigger a restart and reset of the base station.
  21. The trusted environment creation device according to claim 19, wherein the image loading unit comprises:
    a version selection sub-unit, configured to: determine the base station pre-installed version according to the version switch identifier and extract the image of the secure operating system from that base station pre-installed version;
    an authentication sub-unit, configured to: perform trusted authentication of the image of the secure operating system;
    a loading sub-unit, configured to: after the image of the secure operating system passes trusted authentication, load that image and pass control of the trusted environment to the secure operating system.
  22. The trusted environment creation device according to claim 21, wherein
    the version selection sub-unit is configured to: when the version switch identifier indicates the base station pre-installed version in the file system data area, extract the corresponding secure operating system image directly from the base station pre-installed version indicated by the version switch identifier,
    and when the version switch identifier indicates the base station pre-installed version in the data protection area, restore that base station pre-installed version to the file system data area and then extract the secure operating system image from the base station pre-installed version in the file system data area.
  23. The trusted environment creation device according to claim 21, wherein
    the version selection sub-unit is further configured to: when the image of the secure operating system fails trusted authentication, trigger a restart and reset of the base station and forcibly set the value of the version switch identifier to indicate another base station pre-installed version, the other base station pre-installed version being stored in the file system data area or the data protection area.
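Added example (not the patent's own code): a simulation of the version selection and authentication sub-units of claims 21 to 23, with the remote update of claim 16 driving the same path. Non-volatile storage and the TPM are plain in-memory objects, the secure OS image is reduced to bytes, "trusted authentication" is assumed to be an HMAC-SHA256 tag checked under a key from the TPM-held key set, and a raised `ResetRequested` stands in for the hardware reset.

```python
import hashlib
import hmac
from dataclasses import dataclass

# The two non-volatile regions the version switch identifier can name.
FS_AREA = "file_system_data_area"
DP_AREA = "data_protection_area"


@dataclass
class PreinstalledVersion:
    """A base station pre-installed version reduced to its secure OS image plus
    the authentication tag (HMAC-SHA256 under the version's key; an assumption)."""
    os_image: bytes
    os_image_tag: bytes


@dataclass
class NonVolatileStorage:
    areas: dict              # FS_AREA / DP_AREA -> PreinstalledVersion
    version_switch_id: str   # area the identifier currently points at


@dataclass
class Tpm:
    key_set: dict            # key name -> key bytes; only "os_image_key" is used


class ResetRequested(Exception):
    """Stands in for the base station restart/reset the BIOS triggers."""


def make_version(image: bytes, key: bytes) -> PreinstalledVersion:
    return PreinstalledVersion(image, hmac.new(key, image, hashlib.sha256).digest())


def authenticate_image(version: PreinstalledVersion, tpm: Tpm) -> bool:
    """Authentication sub-unit: recompute the tag under the TPM-held key."""
    expected = hmac.new(tpm.key_set["os_image_key"], version.os_image,
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, version.os_image_tag)


def select_and_load(nv: NonVolatileStorage, tpm: Tpm) -> bytes:
    """Version selection sub-unit (claims 22 and 23)."""
    wanted = nv.version_switch_id
    if wanted == DP_AREA:
        # Protected copy is restored into the file system data area first,
        # and the image is then extracted from there.
        nv.areas[FS_AREA] = nv.areas[DP_AREA]
    version = nv.areas[FS_AREA]
    if not authenticate_image(version, tpm):
        # Failed authentication: force the identifier to the other stored
        # version and reset, so the next boot tries that copy.
        nv.version_switch_id = DP_AREA if wanted == FS_AREA else FS_AREA
        raise ResetRequested(nv.version_switch_id)
    return version.os_image


def boot_with_fallback(nv: NonVolatileStorage, tpm: Tpm, max_resets: int = 2) -> bytes:
    """Repeat the boot attempt across resets until a version authenticates."""
    for _ in range(max_resets + 1):
        try:
            return select_and_load(nv, tpm)
        except ResetRequested:
            continue
    raise RuntimeError("no stored version passed trusted authentication")


def install_new_version(nv: NonVolatileStorage, tpm: Tpm,
                        new_version: PreinstalledVersion, new_key_set: dict) -> None:
    """Claim 16, after remote authentication (assumed already passed): store the
    delivered version in the protected area and its key set in the TPM, then
    point the identifier at it so the next reset loads it."""
    nv.areas[DP_AREA] = new_version
    tpm.key_set.update(new_key_set)
    nv.version_switch_id = DP_AREA


def demo():
    """Constructed scenario: the file-system copy of the image was replaced."""
    key = b"constructed-factory-key"
    good = make_version(b"secure-os-v1", key)
    nv = NonVolatileStorage({FS_AREA: good, DP_AREA: good}, FS_AREA)
    tpm = Tpm({"os_image_key": key})
    nv.areas[FS_AREA] = PreinstalledVersion(b"tampered-os", good.os_image_tag)
    image = boot_with_fallback(nv, tpm)
    return image, nv.version_switch_id
```

In the constructed scenario the first boot fails on the tampered file-system copy, flips the identifier to the data protection area and resets; the second boot restores the protected copy and loads it.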
  24. The trusted environment creation device according to claim 1, further comprising:
    a remote authentication module, configured to: after the secure operating system has started, cause the base station to request authentication from a remote control end;
    a version download module, configured to: after authentication by the remote control end has passed, receive a new base station pre-installed version and a matching key set delivered by the remote control end;
    a storage module, configured to: write the new base station pre-installed version into the data protection area and the file system data area, and write the matching key set into the TPM hardware of the base station; and
    a reset module, configured to: change the value of the version switch identifier to indicate the new base station pre-installed version, initiate a reset, and load the new base station pre-installed version after the reset.
  25. A base station abnormality recovery device, comprising:
    a checking module, configured to: perform a trusted risk degree check on a base station in the trusted environment of the base station; and
    an abnormality recovery module, configured to: when the trusted risk degree check finds a base station abnormality, reset the base station and restore it to a trusted base station pre-installed version.
  26. The base station abnormality recovery device according to claim 25, wherein the trusted environment of the base station is constituted by a secure operating system running on the base station, a trusted service software library and a trusted network service system, the device further comprising:
    a first configuration module, configured to: write in advance, to both the data protection area and the file system data area of the non-volatile storage of the base station, a version switch identifier and a base station pre-installed version, the base station pre-installed version comprising trusted Boot Loader code, BOOT code, an image of the secure operating system, a trusted network software library and application software; and
    a second configuration module, configured to: write in advance, into Trusted Platform Module (TPM) hardware of the base station, a key set matching the base station pre-installed version and basic input/output system (BIOS) code.
  27. The base station abnormality recovery device according to claim 26, wherein the checking module comprises:
    a self-check unit, configured to: control the secure operating system, in cooperation with the application software and the trusted network software library, to periodically perform a self-check of system hardware, the storage system, network communication and software behaviour; and
    an abnormality determination unit, configured to: make a risk assessment decision on the data obtained from the self-check to determine whether a base station abnormality has occurred.
  28. The base station abnormality recovery device according to claim 27, wherein the self-check unit comprises:
    a hardware self-check sub-unit, configured to: control the secure operating system, in cooperation with the application software, to periodically perform a self-check of the system hardware and storage system of the base station and collect static trustworthiness assessment data, the static trustworthiness assessment data containing data of at least any one or more of the following base station abnormal events:
    identified hardware failure, illegal version replacement;
    a network self-check sub-unit, configured to: authenticate network communication in real time through the basic service functions of the trusted network software library, have the application software periodically authenticate to the operating system, and collect system dynamic trustworthiness assessment data, the system dynamic trustworthiness assessment data containing data of at least any one or more of the following base station abnormal events:
    unauthorized network access, network hijacking;
    a software self-check sub-unit, configured to: check external instruction concentration data according to the categories of service instructions received by the application software and collect data on unauthorized behaviour characteristics, the unauthorized behaviour characteristic data containing data of at least any one or more of the following base station abnormal events:
    unauthorized deletion of files, unauthorized copying of files, unauthorized operations that seriously endanger device security.
  29. The base station abnormality recovery device according to claim 27, wherein the abnormality determination unit comprises:
    a decision sub-unit, configured to: use a weighted linear Bayesian decision algorithm to make an assessment decision on the static trustworthiness assessment data, the system dynamic trustworthiness assessment data and the unauthorized behaviour characteristic data obtained from the self-check;
    a scheme determination unit, configured to: when the decision result is that a base station abnormality has occurred, produce a base station reset scheme and synchronously update the version switch identifier stored in the data protection area.
  30. The base station abnormality recovery device according to claim 26, further comprising:
    a version download module, configured to: after the base station passes authentication by a remote control end, receive a new base station version and a matching key set delivered by the remote control end;
    a storage module, configured to: write the new base station version into the data protection area and write the matching key set into the TPM hardware of the base station; and
    a reset module, configured to: change the value of the version switch identifier to indicate the new base station pre-installed version, initiate a reset, and load the new base station pre-installed version after the reset.
  31. A computer program comprising program instructions which, when executed by a computer, cause the computer to perform the method according to any one of claims 1 to 16.
  32. A computer-readable storage medium carrying the computer program according to claim 31.
PCT/CN2014/093999 2014-09-25 2014-12-16 Method and device for creating trusted environment, and method and device for restoration after base station fault WO2015131607A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410499824.8A CN105516967A (en) 2014-09-25 2014-09-25 Trusted environment creating method and device and base station abnormity handling method and device
CN201410499824.8 2014-09-25

Publications (1)

Publication Number Publication Date
WO2015131607A1 true WO2015131607A1 (en) 2015-09-11

Family

ID=54054479

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/093999 WO2015131607A1 (en) 2014-09-25 2014-12-16 Method and device for creating trusted environment, and method and device for restoration after base station fault

Country Status (2)

Country Link
CN (1) CN105516967A (en)
WO (1) WO2015131607A1 (en)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 14884984; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 14884984; Country of ref document: EP; Kind code of ref document: A1)