CN103597493B - Secure boot using Trusted Computing Group platform registers - Google Patents

Secure boot using Trusted Computing Group platform registers

Info

Publication number: CN103597493B
Authority: CN (China)
Prior art keywords: configuration register, platform configuration, value, measurement platform, binding
Legal status: Expired - Fee Related
Application number: CN201280023439.5A
Other languages: Chinese (zh)
Other versions: CN103597493A
Inventor: J-E·埃克贝里 (Jan-Erik Ekberg)
Current assignee: Nokia Technologies Oy
Original assignee: Nokia Technologies Oy
Application filed by Nokia Technologies Oy
Priority claimed from PCT/FI2012/050467 (WO2012156586A2)
Publication of CN103597493A
Application granted
Publication of CN103597493B
Anticipated expiration

Abstract

A method is disclosed, comprising: providing at least two platform configuration registers, wherein the first platform configuration register is a measurement platform configuration register and the second platform configuration register is a resettable binding platform configuration register; executing an authorization chain, under the guidance of a trusted engine, to perform an authorization, wherein the value of the measurement platform configuration register is included as a precondition; extending the binding platform configuration register with the value carried by the authorization; and monitoring, for example with a trusted operating system, the validation result of the binding platform configuration register. An apparatus that realizes the method, and computer program instructions embodied in a computer-readable medium, are also disclosed.

Description

Secure boot using Trusted Computing Group platform registers
Technical field
The exemplary and non-limiting embodiments of this invention relate generally to data processing systems, methods, devices and computer programs and, more specifically, to secure boot processes, Trusted Computing Group (TCG) technology and trusted platform modules.
Background
This section is intended to provide a background or context for the invention that is recited in the claims. The description herein may include concepts that could be pursued, but are not necessarily ones that have been previously conceived, implemented or described. Therefore, unless otherwise indicated herein, what is described in this section is not prior art to the description and claims in this application and is not admitted to be prior art by inclusion in this section.
The following abbreviations, which may be found in the description and/or the drawings, are defined as follows:
MRTM mobile remote-owner trusted module
MTM mobile trusted module
PCR platform configuration register
RIM reference integrity metric
RoV root of verification
RTM root of trust for measurement
RTS root of trust for storage
RTV root of trust for verification
RVAI root verification authority information
TCG Trusted Computing Group
TPM trusted platform module
An introduction to the MTM can be found in "Mobile Trusted Module (MTM) - an introduction" (Jan-Erik Ekberg, Markku Kylänpää, Nokia Research Center, NRC-TR-2007-015, 2007 Nokia).
Fig. 1 herein reproduces Fig. 2 of the TCG Mobile Trusted Module Specification (specification version 1.0, revision 7.02, 29 April 2010). Fig. 1 shows a simple example of how an MRTM can be used. The MRTM itself will be made up of a subset of TPM v1.2 plus a set of new mobile-specific commands designed to support the requirements set out by the Trusted Computing Group (Mobile Phone Work Group Use Case Scenarios, specification version 2.7, 2005). In addition, the root of trust for verification (RTV) and root of trust for measurement (RTM) modules will be the first executable program run in the runtime environment. The RTV+RTM module first measures itself, recording its own diagnostic measurement. After extending that measurement, the RTV+RTM module uses the MRTM to measure and verify a measurement-and-verification agent executable, and then passes control to that executable. This measurement-and-verification agent in turn measures and verifies the operating system image, and then passes control to the operating system. This structure allows a secure boot to be realized.
In the mobile specification noted above, "TCG Mobile Trusted Module Specification" version 1, the MTM has a set of specific commands and functions for supporting the secure boot of mobile devices. In the context of revising this specification to version 2, the PC (baseline) specification has been supplemented with functions for controlling updates to the so-called platform configuration registers (PCRs), in an attempt to support secure boot directly in the baseline profile.
Summary of the invention
In a first exemplary and non-limiting embodiment of this invention, a method is provided that comprises: providing at least two platform configuration registers, wherein the first platform configuration register is a measurement platform configuration register and the second platform configuration register is a resettable binding platform configuration register; executing an authorization chain, under the guidance of a trusted engine, to perform an authorization, wherein the value of the measurement platform configuration register is included as a precondition; extending the binding platform configuration register with the value carried by the authorization; and monitoring the validation result of the binding platform configuration register.
In a further exemplary and non-limiting embodiment of this invention, an apparatus is provided that comprises at least one processor and at least one memory, the memory including computer program code. The at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus to provide at least two platform configuration registers, wherein the first platform configuration register is a measurement platform configuration register and the second platform configuration register is a resettable binding platform configuration register; to execute an authorization chain, under the guidance of a trusted engine, to perform an authorization, wherein the value of the measurement platform configuration register is included as a precondition; to extend the binding platform configuration register with the value carried by the authorization; and to monitor the validation result of the binding platform configuration register.
In another exemplary and non-limiting embodiment of this invention, an apparatus is provided that comprises: means for providing at least two platform configuration registers, wherein the first platform configuration register is a measurement platform configuration register and the second platform configuration register is a resettable binding platform configuration register; means for executing an authorization chain, under the guidance of a trusted engine, to perform an authorization, wherein the value of the measurement platform configuration register is included as a precondition; means for extending the binding platform configuration register with the value carried by the authorization; means for monitoring, with a trusted operating system, the validation result of the binding platform configuration register; and means for, in response to a condition in which the validation result of the binding platform configuration register indicates success, extending the measurement platform configuration register with the reference value and otherwise extending the measurement platform configuration register with a predetermined invalid value.
Brief description of the drawings
In the accompanying drawings:
Fig. 1 reproduces Fig. 2 of the TCG Mobile Trusted Module Specification (specification version 1.0, revision 7.02) and shows a simplified example of how an MRTM can be used.
Fig. 2 shows reference integrity measurement.
Fig. 3 is a block diagram of a device (such as a mobile device) that can be used to realize an exemplary embodiment of this invention.
Fig. 4 is a logical flow chart illustrating the operation of a method, and the result of executing computer program instructions, in accordance with exemplary embodiments of this invention for providing a secure boot path for a device.
Detailed description of the invention
At a high level, what TPM2 provides is not in itself sufficient to build a system (for example, for MTM2) in which a reference register is extended conditionally when the following preconditions are satisfied:
a trusted verification key has been loaded;
the register has the correct initial value;
there is a certificate for updating the register;
the certificate is signed by the loaded trusted verification key and can be verified with it;
the certificate contains the value to which the register is to be extended; and
if the certificate preconditions hold, the register value is extended conditionally.
Instead, a system of two PCRs must be deployed in a particular way to achieve the same purpose. The particular problem being overcome is that the precondition of TPM2_PolicyAuthorize (policy authorization) includes the PCR value. If the boot chain changes the PCR value and TPM2_PolicyAuthorize cannot perform the delegation, then the originating point of the authorization, rather than the delegated entity, must produce a new authorization by making a new signature over the changed PCR value.
More technically: the command TPM2_PolicyAuthorize exists in order to get around a "tight" authorization binding. Provided that approvedPolicy (the approved policy) matches the current policyHash (policy hash value), this command allows policyHash to be reset (and a new value, policyRef (policy reference), to be added to it). The operation is bound to an external signature by an asymmetric key (keySign), just as in PolicySigned (signed policy). However, the use of PolicyAuthorize will differ from the MTM1 use of RIM certificates, where the RIM certificate itself locks the measurement PCR. By "measurement" is meant the portion of the device state that is stored in that PCR.
In version 1 of the specification, secure boot support in the MTM is carried out with specific commands. The need for this functionality was recognized, together with a basic set of preconditions that the system operation must satisfy for the validation of integrity-protected tokens (certificates).
The TPM2 specification adds commands for this purpose, i.e., to support secure boot. However, if the extend commands are simply applied to secure boot with a given register as the target (these commands can be applied to it), the system may end up in a setting where a certificate is not a delegated authority (if a change occurs, the authority to securely boot the operating system can only be applied afterwards), rather than in the strict setting where all certifications must be listed on the device in advance and matched against the MTM state beforehand. This does not meet the original concept of a secure boot architecture, in which the authority (signing the code of the secure boot path) is delegated as part of the device integration process.
Some uses of the various exemplary embodiments of this invention make it possible to delegate the components of the secure boot path after the fact. This is accomplished by using two PCR registers: a measurement PCR, corresponding to the PCR used in MTM version 1, and a resettable PCR register (resettable by some feature) that serves as the reference (binding) register for certification. The reset feature allows the authorization to be released from the PCR value (the reference of the binding register is always 0, because it is resettable). Although the value of the measurement register is included as a precondition, the authorization is performed in the context of the binding register. In addition, when the authorization chain completes, a trusted OS (operating system) component outside MTM version 2 monitors the validation result of the binding register and, if the validation succeeds, extends the measurement register with the reference value; otherwise it extends the measurement register with a NULL value.
The system is thereby enabled to bind, in an integrity-protected manner, the precondition PCR value, the reference update value and optionally one or more counters, so that there is no possibility of an offline attack on the data used for validation.
In TPM2 (TPM version 2), the basic building blocks necessary for constructing an authorized PCR update mechanism are available as part of the baseline profile. Consequently, in version 2 of the TPM specification, the RIM certificate, the verification key and the data structures of the related concepts (verifiedPCRs) are not specific to the MTM.
Described below is the reference command sequence that realizes the corresponding functionality in version 2 of the specification.
The verifiedPCRs list is replaced by the command TPM2_PCR_SetAuthPolicy (which restricts a PCR or PCR group so that authorization is required) and by TPM2_PCR_SetAuthValue, which sets the reference value of the authorization session for a given set of PCRs. In a minimal MTM2 function set it can be assumed that these settings are implicit and are realized by code or by configuration definitions.
With a few small differences, the RIM certificate is replaced by an extended authorization session. To achieve the necessary device binding, MTM1 uses the RVAI as the root of trust (for example, a public key hash); this root of trust is stored as state, as the root of the public keys for verifying RIM certificates. By default, the RVAI is bound to the authorization session, because the public key (hash) of the authorization key is included in the policyHash of the authorization session.
For example, one simple possible step is to have a (single) RIM certificate that has permission to update a single PCR with a given value (assuming that the same PCR has a given previous value). Although this is a basic example, note also that the possibility of extending it directly to several chained RIM updates is limited:
The authValue of PCR X is set to the policyHash accumulated by the following commands:
+ PolicyPCR (bound to the earlier value of the PCR)
+ PolicySigned (bound to an external signature). Because the public key hash of the key is accumulated into the policyHash, the specific key to be used is bound through the authValue (authorization value) rather than through a specific RVAI.
+ PolicyCpHash (bound to the command and its parameter values). This constrains the authorization to the value to be updated into the PCR, i.e., the command parameters of TPM2_Event are fixed.
Compared with a traditional RIM certificate, the simple case above has several shortcomings. For example, the next update of the PCR cannot happen immediately, because the authValue of the PCR is fixed. This can be circumvented by using PolicyOr:s, with which it is possible to formulate a policy that allows a series of updates to be bound to a PCR (assuming that the signing keys and PCR values are known when the MTM is deployed). Although this situation may not occur in practice, the method is investigated in the following non-limiting example, which includes two consecutive PCR updates:
The authValue of PCR X is set to the policyHash accumulated by the following commands:
+ PolicyOr (accepts either of the following two sets):
Set 1:
+ PolicyPCR (bound to the original value of the PCR)
+ PolicySigned (bound to an external signature). Because the public key hash of the key is accumulated into the policyHash, the specific key to be used is bound through the authValue rather than through a specific RVAI.
+ PolicyCpHash (bound to the command and its parameter values). This constrains the authorization to the value that will be extended into the PCR. It is assumed here that, after the extension, the PCR will have the value Y.
Set 2:
+ PolicyPCR (bound to the value Y of the PCR)
+ PolicySigned (bound to an external signature)
+ PolicyCpHash (bound to the command and its parameter values)
It is noted that in the above two examples, the use of the signature is irrelevant. Although the signatures provide authorization, the content being authorized (the PCR value) is fixed in advance. The purpose of the RIM certificate is to delegate to an authority, by means of a verification key, the setting of these values, and this purpose is not achieved. In addition, at most eight PolicyORs are accepted in one TPM, which translates into a series of at most eight updates. Although this may be satisfactory in some cases for a given PCR, in general it will not be an optimal realization.
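The following is an added model of the PolicyOr construction above; it is not code from the patent or from any TPM implementation. It accumulates a policy digest the way TPM2 does (each policy command hashes its data onto the previous digest; PolicyOR restarts from a zero digest over its branch list, limited to eight branches) and then replays the boot-time session against it. The TPM command-code values, the simplified encodings of the PCR selection and the cpHash, the PCR index 16, the key name and the event strings are all assumptions made for this example; the signature check of PolicySigned is treated as passing for the named key.

```python
import hashlib

HASH = hashlib.sha256
ZERO = bytes(32)            # policyDigest starts as all zeros when a session is started
MAX_OR_BRANCHES = 8         # TPML_DIGEST carries at most eight digests (the "eight PolicyOR" limit)

# TPM 2.0 Part 2 command codes (values as assumed from the spec; they act only as
# domain separators in this model).
TPM_CC_PCR_Event = 0x13C
TPM_CC_PolicySigned = 0x160
TPM_CC_PolicyCpHash = 0x16E
TPM_CC_PolicyOR = 0x171
TPM_CC_PolicyPCR = 0x17F

PCR_X = 16                                                              # constructed PCR index
KEY_NAME = HASH(b"constructed RIM signing key, public part").digest()   # keySign->Name
M1, M2, M3 = b"stage-1 image", b"stage-2 image", b"stage-3 image (not pre-authorized)"


def cc(code):
    return code.to_bytes(4, "big")


def extend_digest(pd, code, *parts):
    # Generic policy-digest update: H(oldDigest || commandCode || command-specific data)
    return HASH(pd + cc(code) + b"".join(parts)).digest()


def policy_pcr(pd, pcr_value):
    # TPM2_PolicyPCR hashes the selected PCR values; the selection structure is simplified
    # to a single value here.
    return extend_digest(pd, TPM_CC_PolicyPCR, HASH(pcr_value).digest())


def policy_signed(pd, key_name, policy_ref=b""):
    # TPM2_PolicySigned binds the key name (hash of the public key) and policyRef.
    return extend_digest(pd, TPM_CC_PolicySigned, key_name, policy_ref)


def cp_hash_event(pcr_index, event):
    # cpHash of TPM2_PCR_Event(pcrHandle, eventData): command code, handle, parameters.
    return HASH(cc(TPM_CC_PCR_Event) + pcr_index.to_bytes(4, "big") + event).digest()


def policy_cphash(pd, cphash):
    return extend_digest(pd, TPM_CC_PolicyCpHash, cphash)


def policy_or_digest(branches):
    # TPM2_PolicyOR replaces the digest with H(ZERO || CC || branch_1 || ... || branch_n).
    if len(branches) > MAX_OR_BRANCHES:
        raise ValueError("TPML_DIGEST allows at most eight branches")
    return extend_digest(ZERO, TPM_CC_PolicyOR, *branches)


def policy_or(pd, branches):
    # The TPM accepts PolicyOR only if the session's current digest equals one branch.
    return policy_or_digest(branches) if pd in branches else None


def pcr_extend(pcr_value, event):
    # TPM2_PCR_Event extends the PCR with the hash of the event data.
    return HASH(pcr_value + HASH(event).digest()).digest()


def update_branch(pcr_before, event):
    # One "Set" from the text: PolicyPCR + PolicySigned + PolicyCpHash, all fixed in advance.
    pd = policy_pcr(ZERO, pcr_before)
    pd = policy_signed(pd, KEY_NAME)
    return policy_cphash(pd, cp_hash_event(PCR_X, event))


def build_auth_policy():
    # Set 1: PCR at its reset value, update with M1.  Set 2: PCR at Y = extend(0, M1), update with M2.
    y = pcr_extend(ZERO, M1)
    branches = [update_branch(ZERO, M1), update_branch(y, M2)]
    return branches, policy_or_digest(branches)      # the policy installed on PCR X


def attempt_update(pcr_value, auth_policy, branches, event):
    """Boot-time session trying TPM2_PCR_Event(PCR_X, event). Returns (success, new_pcr)."""
    pd = policy_pcr(ZERO, pcr_value)                 # the TPM hashes the *actual* PCR contents
    pd = policy_signed(pd, KEY_NAME)                 # signature assumed valid for this key
    pd = policy_cphash(pd, cp_hash_event(PCR_X, event))
    pd = policy_or(pd, branches)
    if pd is None or pd != auth_policy:              # session digest must equal the PCR's policy
        return False, pcr_value
    return True, pcr_extend(pcr_value, event)


def run_demo():
    branches, auth_policy = build_auth_policy()
    out, pcr = {}, ZERO
    out["m1"], pcr = attempt_update(pcr, auth_policy, branches, M1)   # pre-authorized
    out["m2"], pcr = attempt_update(pcr, auth_policy, branches, M2)   # pre-authorized
    out["m3"], pcr = attempt_update(pcr, auth_policy, branches, M3)   # no branch covers it
    out["m2_out_of_order"], _ = attempt_update(ZERO, auth_policy, branches, M2)
    out["final_pcr"] = pcr
    return out


if __name__ == "__main__":
    print(run_demo())
```

The run shows what the paragraph states: the two pre-computed updates succeed in order, while a third update, or the second update attempted out of order, is refused even though the same signing key is used, because every accepted (PCR value, new value) pair had to be enumerated as a PolicyOR branch at deployment time.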
In order to get around the strictness of the authorization binding, the command TPM2_PolicyAuthorize is used. Provided that approvedPolicy matches the current policyHash, this command allows policyHash to be reset (and a new value, policyRef, to be added to it). The operation is bound to an external signature by an asymmetric key (keySign), just as in PolicySigned. However, the use of PolicyAuthorize will differ from the MTM1 use of RIM certificates, where the RIM certificate itself locks the measurement PCR. By "measurement" is meant the portion of the device state that is stored in this PCR.
In the context most relevant to the exemplary embodiments of this invention, the reference, resettable binding PCR is locked, but the measurement PCR (the PCR that will contain the state of the booted device) can be a traditional PCR (for example, a PCR that can be extended by anyone). Therefore, if the signed authorization is evaluated using the binding PCR feature, then during the secure boot process it is the responsibility of some "measure before execute" process to insert the token value into the measurement PCR.
Reference is made to Fig. 2, which illustrates reference integrity measurement in accordance with a non-limiting embodiment of this invention. Fig. 2 shows a root of verification (trusted engine) 10, an authorization session 12 and two PCRs: a measurement PCR 14 in which boot events are stored, and a binding PCR 16 used as the reference register.
Although not particularly relevant to this discussion, it may be noted that using PolicyAuthorize (see step 6 in Fig. 2) is a two-step process: first TPM2_VerifySignature() (see step 5 in Fig. 2) is used to validate the signature over the "certificate", producing a ticket, and only that ticket can then be used to deploy PolicyAuthorize.
Because of the way PolicyAuthorize operates, and in contrast to the way the verification key is loaded in MTM1, PCR 16 is never mapped into the binding.
The process proceeds as follows. Note that the process depicted in Fig. 2 and described in order below can be regarded as describing the logical flow of a method according to the exemplary embodiments of this invention.
The root of verification (RoV) 10 (i.e., the MTM itself, a piece of chip code or a module that has been booted through verification and forms part of the chain) performs the following steps in the operation shown in Fig. 2:
+ RoV 10 measures the next fragment of code or some data (M).
+ The authValue of binding PCR 16 contains the result of applying PolicyAuthorize with the key (RVAI).
+ RoV 10 resets binding PCR 16 (step 1 in Fig. 2).
+ Authorization session 12 is started in response to step 2 (TPM2_StartAuthSession (TPM2 start authorization session)) in order to authorize an update of binding PCR 16 (note: not of measurement PCR 14).
+ In step 3, RoV 10 applies PolicyPCR to measurement PCR 14 (bound to the original value of the PCR).
+ In step 4, RoV 10 applies PolicyCpHash (bound to the command and parameter values). A difference may be noted here, because this process binds the parameter value (notably, the event/hash value M that will finally be placed in measurement PCR 14) in order to ensure, by means of the "certificate" implicitly formed by PolicyAuthorize, that M matches the expected reference. However, this binding technique is for the final update of binding PCR 16 and not for measurement PCR 14 as the final target.
+ After TPM2_VerifySignature (verify signature) in step 5, RoV 10 applies PolicyAuthorize (policy authorization) in step 6. Because of the comparison of the current policyHash, this indirectly checks the current value of measurement PCR 14, and PolicyCpHash ensures that value M is what is updated.
+ RoV 10 updates binding PCR 16 with value M. Since the name of the signing key is part of the new policy hash value, a match with the policyAuth of binding PCR 16 guarantees that the correct key was used for the authorization. M will be checked against the authorization, so if the update (using TPM2_Event (TPM2 event) in step 7) succeeds, RoV 10 can be assured that the current state of the device (the current value of measurement PCR 14) is correct, as is the updated value.
+ Finally, RoV 10 updates measurement PCR 14 with value M. However, if the update of binding PCR 16 failed, RoV 10 updates measurement PCR 14 with a known error marker (for example, NULL).
Note that although this process is more complex than the simpler application of the two commands LoadVerificationKey (load verification key) and a subsequent VerifyRIMCert (verify RIM certificate), as is the case in MTM1, it achieves the same goal as in MTM1. More specifically, the correct integrity measurement at any stage of the boot process is separated from the booted code, and the code can be used and enhanced independently. Additionally, enhancing the boot policy does not require the MTM2 configuration to be changed. Furthermore, by design, the correct integrity measurement is integrity-protected by its own capability. That is, the correct integrity measurement (actually the PolicyAuthorize ticket) can be stored in any unprotected medium on the device without any risk of being tampered with.
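The following is an added model of the seven-step process above and of the Fig. 4 decision (extend the measurement PCR with M on success, with the error marker on failure); it is not code from the patent or from any TPM implementation. An offline authority approves the digest "TPM2_Event(binding PCR, M) while the measurement PCR holds the expected value"; at boot the RoV rebuilds that digest from the live PCR state, has the TPM check the certificate signature, and applies PolicyAuthorize, whose resulting digest names the signing key and is what the binding PCR's policy requires. Assumptions made for this example: the TPM command-code values, the simplified cpHash and PCR-selection encodings, PCR handles 14 and 16, the event strings, and HMAC-SHA256 standing in for the asymmetric keySign signature so that the example runs with the standard library alone.

```python
import hashlib
import hmac

HASH = hashlib.sha256
ZERO = bytes(32)                       # PCR reset value and initial policyDigest
ERROR_MARK = b"NULL"                   # known error marker extended into the measurement PCR
MEASURE_PCR, BINDING_PCR = 14, 16      # numbered as in Fig. 2 (constructed handles)

# TPM 2.0 Part 2 command codes (assumed from the spec; domain separators in this model).
TPM_CC_PCR_Event = 0x13C
TPM_CC_PolicyAuthorize = 0x16A
TPM_CC_PolicyCpHash = 0x16E
TPM_CC_PolicyPCR = 0x17F

# HMAC-SHA256 stands in for the asymmetric keySign signature; the key name is the hash of
# the "public" part, as keySign->Name would be.
RVAI_KEY = b"constructed RVAI signing key"
RVAI_NAME = HASH(b"constructed RVAI public part").digest()


def extend_digest(pd, code, *parts):
    # Policy-digest update: H(oldDigest || commandCode || command-specific data)
    return HASH(pd + code.to_bytes(4, "big") + b"".join(parts)).digest()


def policy_pcr(pd, pcr_value):
    return extend_digest(pd, TPM_CC_PolicyPCR, HASH(pcr_value).digest())


def cp_hash_event(pcr_index, event):
    return HASH(TPM_CC_PCR_Event.to_bytes(4, "big") + pcr_index.to_bytes(4, "big") + event).digest()


def policy_cphash(pd, cphash):
    return extend_digest(pd, TPM_CC_PolicyCpHash, cphash)


def policy_authorize_digest(key_name, policy_ref=b""):
    # After PolicyAuthorize the digest is H(ZERO || CC || keySign->Name || policyRef): it
    # depends on *who* authorized, not on which policy was approved.
    return extend_digest(ZERO, TPM_CC_PolicyAuthorize, key_name, policy_ref)


def pcr_extend(pcr_value, event):
    return HASH(pcr_value + HASH(event).digest()).digest()


def issue_certificate(expected_measure_pcr, m):
    """Offline authority: approve 'TPM2_Event(binding PCR, M) while measurement PCR == expected'."""
    approved = policy_cphash(policy_pcr(ZERO, expected_measure_pcr), cp_hash_event(BINDING_PCR, m))
    return approved, hmac.new(RVAI_KEY, approved, HASH).digest()


class TpmModel:
    def __init__(self):
        self.pcr = {MEASURE_PCR: ZERO, BINDING_PCR: ZERO}
        # TPM2_PCR_SetAuthPolicy: the binding PCR accepts only a session whose digest ends in
        # a PolicyAuthorize under the RVAI key; the measurement PCR is a traditional open PCR.
        self.auth_policy = {BINDING_PCR: policy_authorize_digest(RVAI_NAME)}

    def verify_signature(self, key_name, digest, signature):
        # TPM2_VerifySignature: a ticket is produced only for a valid signature by the named key.
        expected = hmac.new(RVAI_KEY, digest, HASH).digest()
        if key_name != RVAI_NAME or not hmac.compare_digest(expected, signature):
            return None
        return ("ticket", key_name, digest)

    def pcr_event(self, session_digest, pcr_index, event):
        # TPM2_PCR_Event: policy-protected PCRs require a matching session digest.
        if pcr_index in self.auth_policy and session_digest != self.auth_policy[pcr_index]:
            return False
        self.pcr[pcr_index] = pcr_extend(self.pcr[pcr_index], event)
        return True


def rov_boot_step(tpm, m, approved, signature, key_name=RVAI_NAME):
    """Steps 1-7 of Fig. 2 as run by the RoV, then the final measurement-PCR update."""
    tpm.pcr[BINDING_PCR] = ZERO                                   # 1: reset binding PCR
    pd = ZERO                                                     # 2: TPM2_StartAuthSession
    pd = policy_pcr(pd, tpm.pcr[MEASURE_PCR])                     # 3: bind current measurement PCR
    pd = policy_cphash(pd, cp_hash_event(BINDING_PCR, m))         # 4: bind TPM2_Event(binding, M)
    ticket = tpm.verify_signature(key_name, approved, signature)  # 5: certificate -> ticket
    ok = ticket is not None and approved == pd                    # 6: PolicyAuthorize precondition
    if ok:
        pd = policy_authorize_digest(key_name)
        ok = tpm.pcr_event(pd, BINDING_PCR, m)                    # 7: TPM2_Event on binding PCR
    tpm.pcr_event(None, MEASURE_PCR, m if ok else ERROR_MARK)     # finally: M, or the error marker
    return ok


def run_demo():
    out = {}
    approved, sig = issue_certificate(ZERO, b"stage-1 image")   # expects a freshly reset device
    tpm = TpmModel()
    out["good"] = rov_boot_step(tpm, b"stage-1 image", approved, sig)
    out["good_measure_pcr"] = tpm.pcr[MEASURE_PCR]
    tpm = TpmModel()                                              # measured code differs from the approval
    out["wrong_m"] = rov_boot_step(tpm, b"altered stage-1 image", approved, sig)
    out["wrong_m_measure_pcr"] = tpm.pcr[MEASURE_PCR]
    tpm = TpmModel()                                              # device state differs from expectation
    tpm.pcr[MEASURE_PCR] = pcr_extend(ZERO, b"unexpected earlier stage")
    out["wrong_state"] = rov_boot_step(tpm, b"stage-1 image", approved, sig)
    tpm = TpmModel()                                              # certificate not signed by the RVAI key
    bad_sig = hmac.new(b"some other key", approved, HASH).digest()
    out["bad_signature"] = rov_boot_step(tpm, b"stage-1 image", approved, bad_sig)
    return out
```

In the good run the binding PCR accepts the update and the measurement PCR is extended with M; in the three failing runs (wrong code, wrong predecessor state, wrong signer) the binding PCR rejects the update and the measurement PCR receives the error marker instead, so the device state recorded in PCR 14 reflects the failed validation rather than the attacker-chosen value.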
Counter binding is now discussed, in order to provide a fuller understanding of embodiments of this invention.
In TPM2, counters are supported in non-volatile (NV) memory, and these can be bound into an authorization by the command PolicyNV. This applies in particular to the PCR authValue (authorization value) and to the approvedPolicy (approved policy) of PolicyAuthorize (policy authorization). A "good" authorization setup would require these values to include a comparison with the counter value (greater than a nominal value (operandB), the proof of which will be included in the authorization).
In order to make the secure boot system applicable across a group of devices, the NV indices that will be used for the counters (in particular, the equivalents of the Bootstrap (bootstrap) counter and the RIMCert counter of MTM version 1) are predefined. Therefore, the following NV indices are considered reserved and predefined in MTM version 2:
0x01 0x00 0x00 0x00: bootstrap counter. It is initialized as a counter (TPMA_NV_COUNTER). The maximum number of steps required of this counter is 32, so that it can, for example, be realized with electrical fuses.
0x01 0x00 0x00 0x01: RimCert counter. It is initialized as a counter (TPMA_NV_COUNTER). The maximum number of steps required of this counter is 4095.
Preferably, the authorization to use these counters with TPM2_NV_Increment() is conditioned on the application of PolicyAuthorize (using some key from the level formed by the binding PCR), where the approvedHash at least includes a binding of the same NV index to which the increment is applied to the previous counter value. In this way, each counter update requires a new authorization.
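The following is an added model of the counter binding described above; it is not code from the patent or from any TPM implementation. An increment of a reserved counter is authorized by an approved digest that binds the NV index name to the counter's value at the time of approval (PolicyNV with an equality comparison), and the NV index's own policy requires PolicyAuthorize under a key from the binding-PCR level. The TPM evaluates PolicyNV against the live NV contents, so once the counter has moved on, the old authorization can no longer satisfy the policy and a fresh one is needed. Assumptions made for this example: the command-code and TPM_EO operation values, the simplified NV-name and PolicyNV argument encodings, the key name, and that the signature over the approved digest has already been checked (the VerifySignature/ticket step is modelled as passed).

```python
import hashlib

HASH = hashlib.sha256
ZERO = bytes(32)

# TPM 2.0 Part 2 constants (assumed from the spec; used as domain separators / selectors here).
TPM_CC_PolicyNV = 0x149
TPM_CC_PolicyAuthorize = 0x16A
TPM_EO_EQ = 0x0000            # operandA == operandB
TPM_EO_UNSIGNED_GT = 0x0003   # operandA > operandB

# Reserved NV indices from the text.
BOOTSTRAP_COUNTER = 0x01000000   # at most 32 steps
RIMCERT_COUNTER = 0x01000001     # at most 4095 steps

# Name of the key at the binding-PCR level whose PolicyAuthorize gates increments (constructed).
LEVEL_KEY_NAME = HASH(b"constructed boot-level signing key, public part").digest()


def extend_digest(pd, code, *parts):
    return HASH(pd + code.to_bytes(4, "big") + b"".join(parts)).digest()


def policy_authorize_digest(key_name, policy_ref=b""):
    return extend_digest(ZERO, TPM_CC_PolicyAuthorize, key_name, policy_ref)


class NvCounter:
    """An NV index created with TPMA_NV_COUNTER whose increments are policy-protected."""

    def __init__(self, index, max_steps):
        self.index, self.value, self.max_steps = index, 0, max_steps
        self.name = HASH(b"TPMA_NV_COUNTER" + index.to_bytes(4, "big")).digest()  # nvIndex->Name, simplified
        self.auth_policy = policy_authorize_digest(LEVEL_KEY_NAME)

    def as_operand(self):
        return self.value.to_bytes(8, "big")   # TPM counters are 64-bit, big-endian


def policy_nv_digest(pd, nv_name, operand_b, operation, offset=0):
    # TPM2_PolicyNV: args = H(operandB || offset || operation); pd' = H(pd || CC || args || nvName)
    args = HASH(operand_b + offset.to_bytes(2, "big") + operation.to_bytes(2, "big")).digest()
    return extend_digest(pd, TPM_CC_PolicyNV, args, nv_name)


def policy_nv(pd, counter, operand_b, operation):
    # Session side: the TPM evaluates the comparison against the *current* NV contents and
    # only then updates the digest; a false comparison fails the policy assertion.
    actual = counter.as_operand()
    holds = {TPM_EO_EQ: actual == operand_b, TPM_EO_UNSIGNED_GT: actual > operand_b}[operation]
    return policy_nv_digest(pd, counter.name, operand_b, operation) if holds else None


def approve_increment(counter):
    """Offline authority: approve one increment, bound to the counter's value *now*."""
    operand_b = counter.as_operand()
    approved = policy_nv_digest(ZERO, counter.name, operand_b, TPM_EO_EQ)
    return approved, operand_b       # the signature over `approved` is treated as verified


def nv_increment(counter, authorization):
    """Boot-time TPM2_NV_Increment under PolicyNV + PolicyAuthorize. Returns True on success."""
    approved, operand_b = authorization
    pd = policy_nv(ZERO, counter, operand_b, TPM_EO_EQ)
    if pd is None or pd != approved:                  # PolicyNV failed, or approvedPolicy mismatch
        return False
    pd = policy_authorize_digest(LEVEL_KEY_NAME)
    if pd != counter.auth_policy or counter.value >= counter.max_steps:
        return False
    counter.value += 1
    return True


def run_demo():
    rim = NvCounter(RIMCERT_COUNTER, 4095)
    auth0 = approve_increment(rim)
    out = {"first": nv_increment(rim, auth0)}         # value 0 -> 1
    out["replay"] = nv_increment(rim, auth0)          # PolicyNV now sees 1 != 0: rejected
    out["second"] = nv_increment(rim, approve_increment(rim))   # fresh authorization for value 1
    out["rim_value"] = rim.value
    boot = NvCounter(BOOTSTRAP_COUNTER, 32)
    boot.value = 32                                   # all 32 steps used (e.g. all fuses blown)
    out["bootstrap_exhausted"] = nv_increment(boot, approve_increment(boot))
    return out


if __name__ == "__main__":
    print(run_demo())
```

The replayed authorization is refused not because the digest is wrong but because PolicyNV compares the live counter (now 1) with the approved operandB (0), which is exactly the property the text relies on: a captured authorization cannot be reused once the counter has advanced.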
Fig. 3 is a block diagram of a device 20 that can be used to realize an exemplary embodiment of this invention. The device 20 includes at least one data processor 22 connected to at least one memory device 24 (for example, one or more of dynamic RAM, static RAM, disk and FLASH). The memory device 24 stores program instructions including an operating system (OS) 24A and secure boot software (SW) 24B, which operates in accordance with the exemplary embodiments described above and as shown in Fig. 4 below. The memory 24 may also include a non-volatile memory (NVM) device or portion 26. At least some of the counters mentioned above may be stored in the NVM 26. The measurement PCR 14 and the binding PCR 16 may be embodied as hardware registers, for example in the data processor 22 or elsewhere, or they may be embodied as locations in the memory 24 or the NVM 26.
The device 20 may be a wireless device, such as a "smart phone", a PC or tablet device, a laptop computer, or any kind of computing device that can benefit from the use of the secure boot process described herein. In some embodiments, the device 20 may be a mobile device and may include at least one wireless transceiver 28 for conducting two-way wireless communication using any suitable radio frequency and radio frequency protocol (including, as two non-limiting examples, cellular protocols and WiFi protocols).
Execution of the secure boot software 24B by the at least one data processor 22 may result in the execution of processes and algorithms that comply with the TCG Mobile Trusted Module Specification, specification version 1.0 (as a non-limiting example), and with a subsequent version (such as version 2) enhanced as in the exemplary embodiments of this invention. The OS 24A may be an operating system of any suitable type, such as one based on [logo] or [logo] (as non-limiting examples). As described above, in a mobile device embodiment the device 20 may be a cellular phone or smart phone, or any kind of portable device having wireless communication capability.
As should be appreciated, the use of the exemplary embodiments of this invention provides a number of advantages and technical effects. For example, the use of the exemplary embodiments makes it possible for MTM2 to become a proper subset of TPM2 (in terms of the command set). This is advantageous, because it is a stated goal of the specification activity. Additionally, MTM2 can be realized (as a driver program) together with computing devices such as PCs and laptop computers that are equipped with TPM2, thus generally defining a secure boot architecture that applies not only to mobile devices but also to PCs (non-mobile). Furthermore, this mechanism can be included in the MTM2 specification as the default mechanism for realizing secure boot. Note that it is unclear whether alternative mechanisms (without additions to the existing TPM2 commands) are feasible at all.
Fig. 4 is a logical flow chart illustrating the operation of a method, and the result of executing computer program instructions, in accordance with the exemplary embodiments of this invention. According to these exemplary embodiments, a method provides a secure boot path for a device. At block 4A there is a step of providing at least two platform configuration registers (PCRs), wherein a first PCR is a measurement PCR and a second PCR is a reference (binding) PCR for certification, wherein the binding PCR is a reference and is resettable to zero. At block 4B there is a step of executing an authorization chain, in the context of the binding PCR and under the guidance of a trusted engine (RoV), wherein the value of the measurement PCR is included as a precondition. At block 4C there is a step of extending the binding PCR with the value carried by the authorization. Under normal conditions this is the same value that will be extended into the measurement PCR at block 4E. The result of the operation of block 4C is fed into decision block 4D, where there is a step of monitoring (for example with an external trusted operating system) the validation result of the binding PCR upon completion of the execution of the authorization chain. If the validation result indicates success (Y - yes), then at block 4E there is a step of extending the measurement PCR with the value M. Conversely, if the validation result indicates failure (N - no), then at block 4F there is a step of extending the measurement PCR with a known error value.
The different masses that figure 4 illustrates can be considered method step and/or from computer program code Operate the operation obtained and/or be configured to perform the logic circuit component of multiple connections of correlation function.
Therefore, exemplary embodiment also includes the non-transient computer-readable comprising software program instructions Medium, is wherein performed, by least one data processor, the method that software program instructions causes including Fig. 4 The execution of operation of execution.
In general, the various exemplary embodiments may be implemented in hardware or special-purpose circuits, software, logic, or any combination thereof. For example, some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software executable by a controller, microprocessor, or other computing device, although the invention is not limited thereto. While various aspects of the exemplary embodiments of the invention may be illustrated and described as block diagrams, flow charts, or by some other pictorial representation, it should be understood that the blocks, apparatus, systems, techniques, or methods described herein may be implemented, as non-limiting examples, in hardware, software, firmware, special-purpose circuits or logic, general-purpose hardware or controllers or other computing devices, or some combination thereof.
Accordingly, the exemplary embodiments also encompass an apparatus comprising at least one processor and at least one memory, the memory including computer program code. The memory and the computer program code are configured, with the processor, to cause the apparatus to provide at least two platform configuration registers (PCRs), wherein a first PCR is a measuring PCR and a second PCR is a binding PCR used as a reference for authentication, the binding PCR being resettable to zero. The memory and the computer program code are further configured, with the processor, to cause the apparatus, in the context of the binding PCR, to execute an authorization chain under the guidance of a trusted engine (root of verification, RoV), wherein the value of the measuring PCR is included as a precondition, and, on completion of the authorization chain, to monitor the confirmation result of the binding PCR (for example with an external trusted operating system). The memory and the computer program code are further configured, with the processor, to cause the apparatus to extend the measuring PCR with a reference value M when the confirmation result indicates success, and conversely to extend the measuring PCR with a NULL value when the confirmation result indicates failure.
The apparatus may be embodied as a mobile or a non-mobile device.
It should thus be appreciated that at least some aspects of the exemplary embodiments of the invention may be practiced in various components such as integrated circuit chips and modules, and that the exemplary embodiments of the invention may be realized in an apparatus embodied as an integrated circuit. The integrated circuit may comprise circuitry (and possibly firmware) embodying at least one or more of a data processor, a digital signal processor, baseband circuitry, and radio frequency circuitry that are configurable to operate in accordance with the exemplary embodiments of the invention.
In view of the foregoing, various modifications and adaptations of the foregoing exemplary embodiments of the invention may become apparent to those skilled in the relevant arts when the description is read in conjunction with the accompanying drawings. However, any and all such modifications will still fall within the scope of the non-limiting and exemplary embodiments of the invention.
As merely one example, the authorization to update the measuring platform configuration register (measuring PCR14) may be configured to be conditioned on a successful authorization of the binding platform configuration register (binding PCR16), where the enforcement is implemented as part of a trusted module or engine (for example, as part of the RoV10).
It should be noted that the term "connected", or any variant thereof, refers to any direct or indirect connection between two or more elements, and may encompass the presence of one or more intermediate elements between two elements that are "connected" together. The connection between elements may be physical, logical, or a combination thereof. As used herein, two elements may be considered to be "connected" together through the use of one or more wires, cables and/or printed electrical connections, as well as through the use of electromagnetic energy, such as electromagnetic energy having wavelengths in the radio frequency region, the microwave region, and the optical (both visible and invisible) region, as several non-limiting and non-exhaustive examples.
Further, the various names used for the described parameters and elements (for example, M, measuring PCR, binding PCR, and so on) are not intended to be limiting in any respect, as these parameters and elements may be identified by any suitable names.
Furthermore, some of the features of the various non-limiting and exemplary embodiments of the invention may be used to advantage without the corresponding use of other features. As such, the foregoing description should be considered as merely illustrative of the principles, teachings, and exemplary embodiments of the invention, and not as a limitation thereof.
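The mechanism of the apparatus summary above and of this PCR14/PCR16 example, as an added Python simulation that is not part of the patent: a SHA-256 extend, a binding PCR replayed from zero with the measuring PCR's value folded in as the precondition, and the measuring PCR advanced by M on success or by the NULL value on failure. The step labels, the HMAC-based authorization token, and the sample boot measurements are assumptions constructed for the example.

```python
import hashlib
import hmac

PCR_LEN = 32
ZERO_PCR = bytes(PCR_LEN)      # the resettable binding PCR starts at all zeros
NULL_VALUE = bytes(PCR_LEN)    # predetermined error value extended on failure

def extend(pcr: bytes, value: bytes) -> bytes:
    """TPM-style extend: new = H(old || value); earlier history cannot be undone."""
    return hashlib.sha256(pcr + value).digest()

def bind_chain(measuring_pcr: bytes, steps, M: bytes) -> bytes:
    """Replay an authorization chain into a freshly reset binding PCR: the measuring
    PCR's current value goes in first (precondition), then each (command, params)
    step, then the final update command bound to value M."""
    b = extend(ZERO_PCR, b"PCR-PRECONDITION" + measuring_pcr)
    for cmd, params in steps:
        b = extend(b, hashlib.sha256(cmd + params).digest())
    return extend(b, hashlib.sha256(b"UPDATE-MEASURING-PCR" + M).digest())

def authorize(key: bytes, measuring_pcr: bytes, M: bytes) -> bytes:
    """Token proving the key holder approved M for this measuring-PCR value
    (assumption: HMAC stands in for whatever key scheme a real RoV uses)."""
    return hmac.new(key, measuring_pcr + M, hashlib.sha256).digest()

class RootOfVerification:          # RoV role: owns both PCRs, runs the chain
    def __init__(self, measuring_pcr: bytes, key: bytes):
        self.measuring_pcr = measuring_pcr   # like PCR14: never reset here
        self.binding_pcr = ZERO_PCR          # like PCR16: reset before each chain
        self.key = key

    def run(self, steps, M: bytes, token: bytes, expected: bytes) -> bool:
        self.binding_pcr = bind_chain(self.measuring_pcr, steps, M)
        ok = hmac.compare_digest(self.binding_pcr, expected) and hmac.compare_digest(
            token, authorize(self.key, self.measuring_pcr, M))
        # Confirmation result: success advances the measuring PCR by M, failure by
        # the error value, so a verifier never mistakes a refused update for a good one.
        self.measuring_pcr = extend(self.measuring_pcr, M if ok else NULL_VALUE)
        return ok

def demo() -> tuple:
    """Constructed sample: provisioned loader succeeds, modified loader is refused."""
    key, M = b"provisioning-key", hashlib.sha256(b"kernel-v1").digest()
    good = hashlib.sha256(b"bootloader-v1").digest()
    steps = [(b"PolicyCommandCode", b"PCR_Extend"), (b"PolicyAuthorize", b"ref")]
    expected = bind_chain(good, steps, M)          # provisioned expected value
    token = authorize(key, good, M)
    rov = RootOfVerification(good, key)
    ok_good = rov.run(steps, M, token, expected)
    bad = hashlib.sha256(b"bootloader-modified").digest()
    rov2 = RootOfVerification(bad, key)
    ok_bad = rov2.run(steps, M, token, expected)
    return (ok_good, rov.measuring_pcr == extend(good, M),
            ok_bad, rov2.measuring_pcr == extend(bad, NULL_VALUE))
```

A trusted operating system monitoring the result only needs the final measuring PCR: it equals the provisioned value extended by M after a confirmed update and a value extended by the NULL value otherwise.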

Claims (23)

1. A data processing method, comprising:
providing at least two platform configuration registers, wherein a first platform configuration register is a measuring platform configuration register and wherein a second platform configuration register is a resettable binding platform configuration register;
executing an authorization chain under the guidance of a trusted engine to perform an authorization, wherein the value of said measuring platform configuration register is included as a precondition;
extending said binding platform configuration register with a value enforced by said authorization; and
monitoring a confirmation result of said binding platform configuration register.
2. The method according to claim 1, further comprising, if the confirmation result of said binding platform configuration register indicates success, extending said measuring platform configuration register with a reference value, and if instead said confirmation result indicates failure, extending said measuring platform configuration register with a predetermined error value.
3. The method according to any one of claims 1 and 2, wherein monitoring said confirmation result comprises using a trusted operating system.
4. The method according to any one of claims 1-2, performed at least in part by a root of verification, wherein said binding platform configuration register contains the result of an authorization using a key applying a policy, and wherein said root of verification resets said binding platform configuration register.
5. The method according to claim 4, further comprising authorizing an update of said binding platform configuration register, and applying the result of that authorization as the policy for updating the measuring platform configuration register, so as to bind it to the original value of said measuring platform configuration register.
6. The method according to claim 4, wherein said root of verification is operable to apply a policy hash function to bind a command and parameter values as the final update of said binding platform configuration register.
7. The method according to claim 4, wherein said root of verification checks the current value of said measuring platform configuration register to verify the value M to be updated, in order to determine that the correct key was used for said authorization.
8. The method according to claim 7, further comprising said root of verification updating said binding platform configuration register with said value M.
9. The method according to claim 8, further comprising said root of verification performing one of: if the update of said binding platform configuration register fails, updating said measuring platform configuration register with a predetermined error value; otherwise, updating said measuring platform configuration register with said value M.
10. The method according to any one of claims 1-2, wherein the authorization to update said measuring platform configuration register is configured to be conditioned on a successful authorization of said binding platform configuration register, wherein the enforcement is implemented as a part of said trusted engine.
11. A data processing apparatus, comprising:
means for providing at least two platform configuration registers, wherein a first platform configuration register is a measuring platform configuration register and wherein a second platform configuration register is a resettable binding platform configuration register;
means for executing an authorization chain under the guidance of a trusted engine to perform an authorization, wherein the value of said measuring platform configuration register is included as a precondition;
means for extending said binding platform configuration register with a value enforced by said authorization; and
means for monitoring a confirmation result of said binding platform configuration register.
12. The apparatus according to claim 11, further comprising: means for extending said measuring platform configuration register with a reference value when the confirmation result of said binding platform configuration register indicates success, and for extending said measuring platform configuration register with a predetermined error value when said confirmation result instead indicates failure.
13. The apparatus according to any one of claims 11 and 12, wherein monitoring said confirmation result comprises using a trusted operating system.
14. The apparatus according to any one of claims 11-12, further comprising means for implementing a root of verification, wherein said binding platform configuration register contains the result of an authorization using a key applying a policy, and wherein said root of verification resets said binding platform configuration register.
15. The apparatus according to claim 14, further comprising: means for authorizing an update of said binding platform configuration register, and for applying the result of that authorization as the policy for updating said measuring platform configuration register, so as to bind it to the original value of said measuring platform configuration register.
16. The apparatus according to claim 14, wherein said root of verification is operable to apply a policy hash function to bind a command and parameter values as the final update of said binding platform configuration register.
17. The apparatus according to claim 14, wherein said root of verification checks the current value of said measuring platform configuration register to verify the value M to be updated, in order to determine that the correct key was used for said authorization.
18. The apparatus according to claim 17, further comprising: means for said root of verification to update said binding platform configuration register with said value M.
19. The apparatus according to claim 18, further comprising: means for said root of verification to perform one of: if the update of said binding platform configuration register fails, updating said measuring platform configuration register with a predetermined error value; otherwise, updating said measuring platform configuration register with said value M.
20. The apparatus according to any one of claims 11-12, wherein the authorization to update said measuring platform configuration register is configured to be conditioned on a successful authorization of said binding platform configuration register, wherein the enforcement is implemented as a part of said trusted engine.
21. The apparatus according to any one of claims 11-12, wherein the apparatus comprises a part of a wireless communication device.
22. A data processing apparatus, comprising:
means for providing at least two platform configuration registers, wherein a first platform configuration register is a measuring platform configuration register and wherein a second platform configuration register is a resettable binding platform configuration register;
means for executing an authorization chain under the guidance of a trusted engine to perform an authorization, wherein the value of said measuring platform configuration register is included as a precondition;
means for extending said binding platform configuration register with a value enforced by said authorization;
means for monitoring a confirmation result of said binding platform configuration register with a trusted operating system; and
means for extending said measuring platform configuration register with a reference value in response to a condition in which the confirmation result of said binding platform configuration register indicates success, and otherwise extending said measuring platform configuration register with a predetermined error value.
23. The apparatus according to claim 22, wherein the authorization to update said measuring platform configuration register is configured to be conditioned on a successful authorization of said binding platform configuration register, wherein the enforcement is implemented as a part of said trusted engine.
CN201280023439.5A 2011-05-18 2012-05-15 The safety utilizing trust computing group platform depositor guides Expired - Fee Related CN103597493B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US201161519278P 2011-05-18 2011-05-18
US61/519,278 2011-05-18
PCT/FI2012/050467 WO2012156586A2 (en) 2011-05-18 2012-05-15 Secure boot with trusted computing group platform registers

Publications (2)

Publication Number Publication Date
CN103597493A CN103597493A (en) 2014-02-19
CN103597493B true CN103597493B (en) 2016-11-30

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101576944A (en) * 2008-11-20 2009-11-11 武汉大学 Computer secure startup system based on trusted platform module
CN101901319A (en) * 2010-07-23 2010-12-01 北京工业大学 Trusted computing platform and method for verifying trusted chain transfer

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
    Effective date of registration: 20151231
    Address after: Espoo, Finland
    Applicant after: Technology Co., Ltd. of Nokia
    Address before: Espoo, Finland
    Applicant before: Nokia Oyj
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
    Granted publication date: 20161130
    Termination date: 20170515