CN102339368A - IP (Internet Protocol) core for measuring BIOS (Basic Input Output System) and measurement method - Google Patents
IP (Internet Protocol) core for measuring BIOS (Basic Input Output System) and measurement method Download PDFInfo
- Publication number
- CN102339368A CN102339368A CN2011101959197A CN201110195919A CN102339368A CN 102339368 A CN102339368 A CN 102339368A CN 2011101959197 A CN2011101959197 A CN 2011101959197A CN 201110195919 A CN201110195919 A CN 201110195919A CN 102339368 A CN102339368 A CN 102339368A
- Authority
- CN
- China
- Prior art keywords
- bios
- hash
- module
- message
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The invention discloses an IP (Internet Protocol) core for measuring BIOS (Basic Input Output System) and a measurement method. The IP core comprises an LPC (Low Pin Count) interface module, a high-speed asynchronous FIFO (First-In, First-Out) module, a hash operation module, a measurement value comparison module and an Avalon interface module. The iterative time of a hash algorithm adopted for measuring the BIOS in the four-round iteration process is consistent; and the measurement value comparison module is responsible for comparing the hash result obtained by the hash operation module with an expectant hash value and informing the comparison result of a safety chip main processor through the Avalon interface. The measurement method is operated in parallel by two layers, wherein one layer is in input parallel and the other layer is in hash parallel. The BIOS measurement module disclosed by the invention can be used for processing tasks together with the safety chip, thus the multi-task processing capacity of the system is improved; compared with the prior art, the IP core adopts the streamline design, further has stronger data processing capacity and multi-task processing capacity and can be used for greatly reducing the influence on the system caused by BIOS measurement in the start process of the system.
Description
Technical field
The present invention relates to a kind of IP kernel of BIOS tolerance, particularly a kind of BIOS tolerance IP kernel towards Trusted Computing.
Background technology
On credible platform, trust chain is a unidirectional delivery chain, and any therebetween node goes wrong, and especially trusted root goes wrong, and will cause whole trusted environment to set up failure.In the common credible platform, BIOS becomes the emphasis of attack as credible tolerance root.Many novel attack meanses like kernel BIOS Rootkit, mainly through malicious code being inserted in the expansion module among the BIOS, start along with the operation of BIOS at present, obtain the control of system.Along with the application gradually of the stronger UEFI BIOS of extendability, BIOS Rootkit also will have more variation, be difficult to more detect and take precautions against.These attack methods, mode are very hidden, are difficult to find, if malicious code enters into kernel or BIOS, and obtain the system management authority, can't prevent system is destroyed or steal canned data in the system.
Summary of the invention
The object of the invention is to provide a kind of IP kernel of the BIOS of having metric function, credible tolerance root is put into safety chip inside carry out physical protection, in the start-up course of system, accomplishes the tolerance verification to BIOS, guarantees the complete transmission of system's trust chain.
The present invention adopts following technological means to realize:
A kind of IP kernel with BIOS metric function is made up of LPC interface module, high-speed asynchronous fifo module, hash computing module, metric comparison module, Avalon interface module; The LPC interface is responsible for reading the BIOS data through lpc bus, and accomplishes the data width conversion, is 32 bit wide data with the data-switching of 4 bit widths of input, and the BIOS data that read are write high-speed asynchronous fifo module; High-speed asynchronous fifo module coupling upstream and downstream data reading speed and translation data width; The input data width of high-speed asynchronous fifo module is 32, and the output data width is 512; The hash computing module carries out the hash computing from disposable 512 bit data of reading in of high-speed asynchronous fifo module, when the hash computing is accomplished, the HASHFIN signal is put 1, and deposits the hash computing in the metric comparison module; The time of the iteration of hash algorithm in the four-wheel iterative process that BIOS tolerance adopts is consistent; The hash result that the metric comparison module is responsible for the hash computing module is obtained and the Hash Value of expection compare, and with comparative result through Avalon interface notice safety chip primary processor.
The level Four streamline is adopted in aforesaid hash computing, and every level production line is accomplished one and taken turns interative computation, and deal with data is passed through the level Four streamline successively, utilize between every level production line with the wide register of data as the data temporarily providing room.
A kind of measure with BIOS metric function divides the two-layer parallel work-flow of carrying out, and wherein one deck is parallel for input, and another layer is parallel for hash; May further comprise the steps:
1, to the input parallel work-flow; The bigger characteristics of quantity of message such as the file of measuring to the needs in the credible platform, code, data; After these compartment, calculate the message digest value of multiple messages simultaneously concurrently with a plurality of hash computing modules;
2, carry out the hash parallel work-flow, the message of each input is divided into a plurality of fixed-size message blocks: piece 1, piece 2...... piece M is if last message blocks less than fixed size, then fills it into fixed size; Then these pieces are carried out the hash computing concurrently, can select simultaneously several message blocks to be carried out the hash computing this moment, rather than the entire message piece of this message; Earlier several message blocks are handled, after its eap-message digest storage, remaining message blocks is proceeded to handle, all handle until whole M message blocks;
3, the M that a calculates eap-message digest is combined into a new message, the new information after the combination is carried out the hash computing, the digest value of its digest value as the message of input.
The present invention compared with prior art has following remarkable advantages and beneficial effect:
The 1BIOS metric module can with the safety chip parallel processing task, improve the multitasking ability of system;
2 adopt The pipeline design, can effectively improve BIOS tolerance speed, reduce the influence of BIOS tolerance to system start-up.
Description of drawings
Fig. 1 forms structural drawing for BIOS tolerance IP kernel;
Fig. 2 calculates synoptic diagram for parallel hash.
Embodiment
Below in conjunction with Figure of description specific embodiment of the present invention is explained:
See also shown in Figure 1ly, be that BIOS tolerance IP kernel forms structural drawing.As can be seen from the figure, this BIOS tolerance IP kernel is made up of LPC interface module, high-speed asynchronous fifo module, hash computing module, metric comparison module, Ava lon interface module.
Computer starting, safety chip are grasped the access control power of BIOS, read the total data of BIOS then, accomplish the hash computing, and compare with BIOS integrity measurement desired value.In BIOS completeness check process; Safety chip can't carry out other initialization operation, in order to reduce the influence of BIOS completeness check to system start-up as far as possible, adopts hardware to realize the BIOS metric module; Accelerate the toggle speed of system on the one hand through the verification speed of accelerating BIOS; The BIOS metrics process is accomplished separately by the BIOS metric module fully on the other hand, and safety chip can other task of parallel processing, effectively improves the multitasking ability of safety chip.
LPC interface module: be responsible for reading the BIOS data, and accomplish the data width conversion, be 32 bit wide data with the data-switching of 4 bit widths of input, and the BIOS data that read are write high-speed asynchronous FIFO through lpc bus.
High-speed asynchronous fifo module: mainly be coupling upstream and downstream data reading speed and translation data width.The input data width of high-speed asynchronous FIFO is 32, and the output data width is 512, and once input just in time makes the hash computing module accomplish a hash computing.
Hash computing module: carry out the hash computing from disposable 512 bit data of reading in of high-speed asynchronous FIFO, when the hash computing is accomplished, the HASHFIN signal is put 1, and deposit the hash computing in the metric comparison module.The hash algorithm that BIOS tolerance adopts is SHA-1, takes turns in the iterative process 4, though every function difference of taking turns iterative process, the time of iteration is almost completely consistent.In order to improve BIOS tolerance speed, the design of 4 level production lines is adopted in hash computing wherein, and every level production line is accomplished one and taken turns interative computation, and deal with data is successively through 4 level production lines, utilize between every level production line with the wide register of data as the data temporarily providing room.Though the practical operation of each message block still needs 80 clock period like this, from whole module, handling a message block but only needs 20 clock period.This makes that under the situation that does not change other hardware configurations the throughput of system has improved four times.
The metric comparison module: the hash result who is responsible for the hash computing module is obtained compares with the Hash Value of expection, and notifies the safety chip primary processor with comparative result through the Avalon interface.
In order further to improve the verification speed of BIOS, bring into play the advantage of FPGA parallel processing simultaneously better, under the situation that does not change hash algorithm, shorten the proving time of BIOS through concurrent designing.To be that branch is two-layer carry out parallel processing to the thinking of this degree of parallelism metering method, shown in accompanying drawing 2.
fixes the hash computing of importing length for having among the figure,
for exporting the combination operation of regular length.
Concrete steps are following:
1, to the parallel processing of message of input.The bigger characteristics of quantity of message such as the file of measuring to the needs in the credible platform, code, data after these compartment, are calculated the message digest value of multiple messages simultaneously concurrently with a plurality of hash computing modules;
2, the second layer then is that message with each input is divided into a plurality of fixed-size message blocks: piece 1, piece 2...... piece M is if last message blocks less than fixed size, then fills it into fixed size.Then these pieces are carried out the hash computing concurrently, can select simultaneously several message blocks to be carried out the hash computing this moment, rather than the entire message piece of this message.Earlier several message blocks are handled, after its eap-message digest storage, remaining message blocks is proceeded to handle, all handle until whole M message blocks.
3, the M that a calculates eap-message digest is combined into a new message, and the new information after the combination is carried out the hash computing, with the digest value of its digest value as the message of input.
Claims (4)
1. the IP kernel with BIOS metric function is made up of LPC interface module, high-speed asynchronous fifo module, hash computing module, metric comparison module, Avalon interface module;
Described LPC interface is responsible for reading the BIOS data through lpc bus, and accomplishes the data width conversion, is 32 bit wide data with the data-switching of 4 bit widths of input, and the BIOS data that read are write high-speed asynchronous fifo module;
Described high-speed asynchronous fifo module coupling upstream and downstream data reading speed and translation data width; The input data width of high-speed asynchronous fifo module is 32, and the output data width is 512;
Described hash computing module carries out the hash computing from disposable 512 bit data of reading in of high-speed asynchronous fifo module, when the hash computing is accomplished, the HASHFIN signal is put 1, and deposits the hash computing in the metric comparison module; The time of the iteration of the hash algorithm that BIOS tolerance adopts in many wheel iterative process is consistent;
The hash result that described metric comparison module is responsible for the hash computing module is obtained and the Hash Value of expection compare, and with comparative result through Avalon interface notice safety chip primary processor.
2. a kind of IP kernel with BIOS metric function according to claim 1 is characterized in that: described many wheel iterative process are the four-wheel iteration.
3. a kind of IP kernel according to claim 1 with BIOS metric function; It is characterized in that: the level Four streamline is adopted in described hash computing; Every level production line is accomplished one and is taken turns interative computation; Deal with data is successively through 4 level production lines, utilize between every level production line with the wide register of data as the data temporarily providing room.
4. measure with BIOS metric function, it is characterized in that branch is two-layer carries out parallel work-flow, and wherein one deck is parallel for input, and another layer walks abreast for hash; May further comprise the steps:
4.1, to the input parallel work-flow; The bigger characteristics of quantity of message such as the file of measuring to the needs in the credible platform, code, data; After these compartment, calculate the message digest value of multiple messages simultaneously concurrently with a plurality of hash computing modules;
4.2, carry out the hash parallel work-flow, the message of each input is divided into a plurality of fixed-size message blocks: piece 1, piece 2...... piece M is if last message blocks less than fixed size, then fills it into fixed size; Then these pieces are carried out the hash computing concurrently, can select simultaneously several message blocks to be carried out the hash computing this moment, rather than the entire message piece of this message; Earlier several message blocks are handled, after its eap-message digest storage, remaining message blocks is proceeded to handle, all handle until whole M message blocks;
4.3, the M that a calculates eap-message digest is combined into a new message, the new information after the combination is carried out the hash computing, with the digest value of message of its digest value as input.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110195919.7A CN102339368B (en) | 2011-07-13 | 2011-07-13 | IP (Internet Protocol) core for measuring BIOS (Basic Input Output System) and measurement method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110195919.7A CN102339368B (en) | 2011-07-13 | 2011-07-13 | IP (Internet Protocol) core for measuring BIOS (Basic Input Output System) and measurement method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102339368A true CN102339368A (en) | 2012-02-01 |
| CN102339368B CN102339368B (en) | 2014-03-05 |
Family
ID=45515094
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201110195919.7A Expired - Fee Related CN102339368B (en) | 2011-07-13 | 2011-07-13 | IP (Internet Protocol) core for measuring BIOS (Basic Input Output System) and measurement method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102339368B (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20080250406A1 (en) * | 2007-04-04 | 2008-10-09 | Microsoft Corporation | Virtual Machine Support for Metered Computer Usage |
| CN101295340A (en) * | 2008-06-20 | 2008-10-29 | 北京工业大学 | Credible platform module and active measurement method thereof |
| CN101877040A (en) * | 2009-12-07 | 2010-11-03 | 中国航天科工集团第二研究院七○六所 | High-reliability computing platform |
-
2011
- 2011-07-13 CN CN201110195919.7A patent/CN102339368B/en not_active Expired - Fee Related
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20080250406A1 (en) * | 2007-04-04 | 2008-10-09 | Microsoft Corporation | Virtual Machine Support for Metered Computer Usage |
| CN101295340A (en) * | 2008-06-20 | 2008-10-29 | 北京工业大学 | Credible platform module and active measurement method thereof |
| CN101877040A (en) * | 2009-12-07 | 2010-11-03 | 中国航天科工集团第二研究院七○六所 | High-reliability computing platform |
Non-Patent Citations (2)
| Title |
|---|
| 张兴等: "一种新的可信平台控制模块设计方案", 《武汉大学学报 信息科学版》 * |
| 王斌等: "基于安全控制模块的高可信计算机研究", 《系统工程与电子技术》 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102339368B (en) | 2014-03-05 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102708022B (en) | Performing a cyclic redundancy checksum operation responsive to a user-level instruction | |
| CN102629258B (en) | Repeating data deleting method and device | |
| EP3519938A1 (en) | Low energy consumption mantissa multiplication for floating point multiply-add operations | |
| CN105844210B (en) | Hardware efficient fingerprinting | |
| WO2017048406A1 (en) | Error-checking compressed streams in hetergeneous compression accelerators | |
| WO2022120995A1 (en) | Device computing power evaluation method and system based on pow consensus mechanism | |
| US20140195785A1 (en) | Formal verification of a logic design | |
| US8830714B2 (en) | High speed large scale dictionary matching | |
| Liu et al. | Design methodology of variable latency adders with multistage function speculation | |
| CN102339368B (en) | IP (Internet Protocol) core for measuring BIOS (Basic Input Output System) and measurement method | |
| RU2666303C1 (en) | Method and device for calculating hash function | |
| JP2020057362A (en) | Information processing apparatus, information processing circuit, information processing system, and information processing method | |
| US8745118B2 (en) | Verifying floating point square root operation results | |
| CN105653390A (en) | SoC system verification method | |
| US20170344373A1 (en) | Distance-based branch prediction and detection | |
| US10459689B2 (en) | Calculation of a number of iterations | |
| US8626816B2 (en) | Method, system and computer program product for detecting errors in fixed point division operation results | |
| US20090216823A1 (en) | Method, system and computer program product for verifying floating point divide operation results | |
| EP3051699B1 (en) | Hardware efficient rabin fingerprints | |
| US20070294330A1 (en) | Systems, methods and computer program products for providing a combined moduli-9 and 3 residue generator | |
| Bai et al. | VLSI implementation of high-speed SHA-256 | |
| Meyer et al. | Rapid, tunable error detection with execution fingerprinting | |
| CN102222204A (en) | MD5 (Message Digest 5) all-pipelining hardware encryption method based on fault tolerance | |
| Shen et al. | cuML-DSA: Optimized Signing Procedure and Server-Oriented GPU Design for ML-DSA | |
| CN106934293B (en) | Collision calculation device and method for digital abstract |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20140305 Termination date: 20150713 |
|
| EXPY | Termination of patent right or utility model |