CN103679059A - Secure starting-up method and computer system - Google Patents

Info

Publication number: CN103679059A
Authority: CN
Grant status: Application
Patent type:
Prior art keywords: boot, flash memory, program code, central processor, memory
Prior art date:
Application number: CN 201210313814
Other languages: Chinese (zh)
Inventor: 胡德才
Original Assignee: 珠海扬智电子科技有限公司
Priority date: 2012-08-29
Filing date: 2012-08-29
Publication date: 2014-03-26

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING; COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information
    • G06F21/72: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information in cryptographic circuits

Abstract

A secure boot method for a computer system includes the following steps: the central processor sets a control signal to a first state and outputs it to a memory controller, so that a flash memory holding an encrypted boot program code is placed in a read-only state; based on the encrypted boot program code, the central processor outputs a chip identity and a verification key to a verification unit, which judges whether both the chip identity and the verification key are correct; if both are correct, the central processor sets the control signal to a zeroth state and outputs it to the memory controller, so that the flash memory is placed in a read-write state; and the verification unit performs a decryption operation on the encrypted boot program code, and the decrypted boot program code is stored in the flash memory.

Description

Secure boot method and computer system

Technical Field

[0001] The present invention relates to a secure boot method and computer system, and more particularly to a secure boot method and computer system that store encrypted boot program code in a flash memory in order to improve information security and reduce cost.

Background

[0002] As the functions of computer systems grow ever more powerful, the signature verification, hardware initialization and other parameter settings that must be carried out during the boot process are becoming increasingly complex. Specifically, after the computer system is powered on, the Basic Input/Output System (BIOS) reads the boot program code and executes the subsequent boot steps, such as the power-on self test (POST), the Plug and Play test and the hardware configuration, in order to enter the operating system. The boot program code can therefore tolerate almost no errors, because any small mistake during the boot process may leave the computer system unable to boot normally, stalled, or shut down abnormally.

[0003] Memories traditionally used to store boot program code include sequential/combinational logic cells, mask read-only memory (MROM) and eXtra Permanent Memory (XPM). With a logic circuit, the boot program code is written directly into the logic through the semiconductor process; once the logic circuit has been manufactured, the boot program code can no longer be modified. The design of the boot program code must therefore be completed before the computer product is manufactured, and if an error is found after production the whole logic circuit has to be replaced, which limits the development cycle and design flexibility of the boot program code. Mask ROM is a reprogrammable memory into which data can be written repeatedly using techniques such as the focused ion beam (FIB); it therefore offers higher design flexibility, but its security is comparatively low, and it is vulnerable to hacker attacks that tamper with its contents. XPM is expensive and suffers from instability, so it is rarely seen on the market.

[0004] How to store increasingly complex boot program code in a suitable memory, while designing a boot method with high design flexibility, high security and low cost, is therefore an important topic in this field.

Summary of the Invention

[0005] The main object of the present invention is therefore to provide a secure boot method and computer system that store encrypted boot program code in a flash memory, in order to improve information security and reduce production cost.

[0006] The present invention discloses a secure boot method for a computer system. The method comprises: setting, by a central processor, a control signal to a first state and outputting it to a memory controller, so that a flash memory storing an encrypted boot program code is placed in a read-only state; based on the encrypted boot program code, outputting, by the central processor, a chip identity and a verification key to a verification unit, so that the verification unit judges whether both the chip identity and the verification key are correct; if they are correct, setting, by the central processor, the control signal to a zeroth state and outputting it to the memory controller, so that the flash memory is placed in a read-write state; and performing, through the verification unit, a decryption operation on the encrypted boot program code and storing the decrypted boot program code in the flash memory.

[0007] The present invention further discloses a computer system comprising: a central processor; a flash memory for storing an encrypted boot program code; a memory controller, coupled to the flash memory and the central processor, for controlling the flash memory to be in a read-only state according to a control signal of a first state set by the central processor, so that the central processor can read the encrypted boot program code, or for placing the flash memory in a read-write state according to a control signal of a zeroth state set by the central processor, so that the central processor can read the encrypted boot program code and write a decrypted boot program code; and a verification unit, coupled to the central processor and the flash memory, for judging, according to a chip identity and a verification key output by the central processor, whether the central processor performs a decryption operation on the encrypted boot program code to generate the decrypted boot program code and store it in the flash memory.

Brief Description of the Drawings

[0008] FIG. 1 is a schematic diagram of a computer system according to an embodiment of the present invention;

[0009] FIG. 2 is a schematic diagram of another computer system according to an embodiment of the present invention;

[0010] FIG. 3 is a schematic diagram of a secure boot flow according to an embodiment of the present invention.

[0011] Description of the main reference numerals

[0012] 10, 20: computer system
[0013] 11: central processor
[0014] 12: flash memory
[0015] 13: memory controller
[0016] 14: random access memory
[0017] 15: verification unit
[0018] 26: read-only memory
[0019] OTP_BIT: control signal
[0020] ID: chip identity
[0021] KEY: verification key
[0022] BootROM, BootROM_ori: boot program code
[0023] 0, 1, 2: states
[0024] 30: secure boot flow
[0025] 301, 302, 303, 304, 305, 306: steps

Detailed Description

[0026] Please refer to FIG. 1, which is a schematic diagram of a computer system 10 according to an embodiment of the present invention. Computer system 10 may be any electronic device that has to execute a boot program, such as a personal computer, mobile phone, personal digital assistant, server or digital set-top box. Computer system 10 comprises a central processor 11, a flash memory 12, a memory controller 13, a random access memory (RAM) 14 and a verification unit 15.

[0027] As shown in FIG. 1, flash memory 12 is preferably a system-in-package serial flash memory (SiP SFLASH) or a serial flash memory produced with a hard macro process. Flash memory 12 stores a boot program code BootROM for central processor 11 to read and execute the boot program. Memory controller 13 is coupled to flash memory 12 and, through write and read buses, to central processor 11; according to the control signal OTP_BIT output by central processor 11, it controls whether central processor 11 is permitted to read or write flash memory 12. For example, when control signal OTP_BIT is at its default state 0 (the zeroth state), central processor 11 may freely read from or write data to flash memory 12. When control signal OTP_BIT is set to state 1 (the first state), central processor 11 can only read the contents of flash memory 12, and its write operations are blocked. Verification unit 15 is coupled to central processor 11, flash memory 12 and random access memory 14; according to the chip identity ID and verification key KEY output by central processor 11, it performs a decryption operation on the boot program code BootROM and stores the decrypted boot program code BootROM in flash memory 12. Central processor 11 then reads the decrypted boot program code BootROM through random access memory 14 to execute the boot program.

[0028] Specifically, when computer system 10 is powered on and is about to execute the boot program, central processor 11 sets control signal OTP_BIT to 1, so that memory controller 13 blocks write operations to flash memory 12, which enters the read-only state. Central processor 11 reads the encrypted boot program code BootROM stored in flash memory 12 and, based on it, outputs the chip identity ID and the verification key KEY to verification unit 15. If verification unit 15 judges that both the chip identity ID and the verification key KEY are correct, a decryption operation is performed on the encrypted boot program code BootROM, and the decrypted boot program code BootROM is stored in flash memory 12. It should be noted that in a computer system every instruction is ultimately executed by the central processor, so the decryption of the boot program code BootROM described above is likewise carried out by central processor 11 through verification unit 15. Specifically, central processor 11 first sets control signal OTP_BIT to 0, so that flash memory 12 enters the read-write state; then, following the decryption instructions of verification unit 15 and with the aid of random access memory 14, it fetches the encrypted boot program code BootROM from flash memory 12, performs the decryption operation, and writes the decrypted boot program code BootROM back into flash memory 12. Once verification unit 15 has completed the decryption of the boot program code BootROM, central processor 11 reads the decrypted boot program code BootROM through random access memory 14 to execute the boot program.

[0029] In short, because flash memory 12 has a low price per unit of storage capacity and is easy to update, the present invention stores the boot program code BootROM in flash memory 12, achieving cost savings and high design flexibility. Furthermore, to improve the security of the boot program code BootROM, the present invention adds a verification step for the boot program code BootROM, so as to prevent the boot program code BootROM from being attacked by hackers and thereby protect information.

[0030] In addition, the boot method described in FIG. 1 may be further combined with an existing boot method, which then serves as a backup boot scheme. Please refer to FIG. 2, which is a schematic diagram of a computer system 20 according to an embodiment of the present invention. FIG. 2 differs from FIG. 1 in that, when the control signal OTP_BIT output by central processor 11 is at state 2 (the second state), the boot program code BootROM_ori stored in another read-only memory 26 can be read directly to carry out the boot program. Read-only memory 26 may be any kind of read-only memory, for example a one-time programmable (OTP) read-only memory or an electrically erasable programmable read-only memory (EEPROM). If, during or after mass production of computer system 20, an error is found in the boot program code BootROM_ori, the designer can store the debugged boot program code BootROM in flash memory 12 and set the control signal OTP_BIT output by central processor 11 before the boot program runs to state 1, activating the backup boot scheme. Computer system 20 thus remains serviceable after production, with no need to replace read-only memory 26 in order to modify the boot program code BootROM_ori.

[0031] The operation of computer systems 10 and 20 described above can be summarized as a secure boot flow 30, shown in FIG. 3, which comprises the following steps:

[0032] Step 300: Start.

[0033] Step 301: Set control signal OTP_BIT to state 1 and read the encrypted boot program code BootROM stored in flash memory 12.

[0034] Step 302: Based on the encrypted boot program code BootROM, output the chip identity ID and the verification key KEY to verification unit 15, so that verification unit 15 judges whether both the chip identity ID and the verification key KEY are correct; if so, proceed to step 303; if not, proceed to step 305.

[0035] Step 303: Set control signal OTP_BIT to state 0, perform a decryption operation on the encrypted boot program code BootROM, and store the decrypted boot program code BootROM in flash memory 12.

[0036] Step 304: Read the decrypted boot program code BootROM through random access memory 14 to execute the boot program.

[0037] Step 305: Execute the shutdown procedure.

[0038] Step 306: End.

[0039] For a detailed description of the secure boot flow 30, refer to the foregoing; it is not repeated here.
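The secure boot flow of steps 301 to 306 and the OTP_BIT-gated memory controller of paragraph [0027], modelled in C as an added example; this is not code from the patent or its assignee. The patent does not specify the cipher, the image layout or how the verification unit obtains its reference values, so the 8-byte header carrying the chip ID and key, the XOR keystream standing in for the decryption, and all constants are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

enum otp_state { OTP_RW = 0, OTP_RO = 1, OTP_ORIG_ROM = 2 };     /* OTP_BIT states 0, 1, 2 */
enum boot_result { BOOT_OK, BOOT_SHUTDOWN, BOOT_FROM_ROM, BOOT_ERROR };
#define FLASH_SIZE 32
#define IMG_HDR 8   /* constructed image layout: 4-byte chip ID, 4-byte key, then ciphertext */
struct flash_mem { uint8_t cell[FLASH_SIZE]; size_t len; };          /* flash memory 12 */
/* Memory controller 13: reads are always allowed, writes only while OTP_BIT is state 0. */
struct mem_ctl { enum otp_state otp_bit; struct flash_mem *flash; };
static bool ctl_read(const struct mem_ctl *c, uint8_t *dst, size_t n) {
    if (n > c->flash->len) return false;
    memcpy(dst, c->flash->cell, n);
    return true;
}
static bool ctl_write(struct mem_ctl *c, const uint8_t *src, size_t n) {
    if (c->otp_bit != OTP_RW || n > FLASH_SIZE) return false;     /* refused in read-only state */
    memcpy(c->flash->cell, src, n);
    c->flash->len = n;
    return true;
}
/* Verification unit 15 holding the reference chip ID and key (constructed constants; the
 * patent does not say how they are provisioned). The comparison runs in constant time. */
struct verify_unit { uint8_t chip_id[4]; uint8_t key[4]; };
static bool verify_check(const struct verify_unit *v, const uint8_t *id, const uint8_t *key) {
    uint8_t diff = 0;
    for (size_t i = 0; i < 4; i++) diff |= (uint8_t)((v->chip_id[i] ^ id[i]) | (v->key[i] ^ key[i]));
    return diff == 0;
}
/* Stand-in for the unspecified cipher: XOR with a keystream derived from the key. It is
 * symmetric, so the same routine also builds the constructed encrypted image below. */
static void verify_crypt(const struct verify_unit *v, const uint8_t *in, uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ (uint8_t)(v->key[i % 4] + (uint8_t)i);
}
struct computer {
    struct mem_ctl ctl;                               /* memory controller 13 over flash 12 */
    struct verify_unit vu;                            /* verification unit 15 */
    uint8_t ram[FLASH_SIZE]; size_t ram_len;          /* RAM 14: code the CPU executes from */
    const uint8_t *orig_rom; size_t orig_rom_len;     /* read-only memory 26 of FIG. 2 */
};

/* Secure boot flow 30; `initial` is the OTP_BIT value the CPU sets before booting. */
static enum boot_result secure_boot(struct computer *pc, enum otp_state initial) {
    uint8_t enc[FLASH_SIZE], dec[FLASH_SIZE];
    if (initial == OTP_ORIG_ROM) {                    /* state 2: run the original code in ROM 26 */
        pc->ctl.otp_bit = OTP_ORIG_ROM;
        memcpy(pc->ram, pc->orig_rom, pc->orig_rom_len);
        pc->ram_len = pc->orig_rom_len;
        return BOOT_FROM_ROM;
    }
    pc->ctl.otp_bit = OTP_RO;                         /* step 301: flash read-only, read image */
    size_t n = pc->ctl.flash->len;
    if (n < IMG_HDR || !ctl_read(&pc->ctl, enc, n)) return BOOT_ERROR;
    /* step 302: the chip ID and key carried in the image header are checked by unit 15 */
    if (!verify_check(&pc->vu, enc, enc + 4)) return BOOT_SHUTDOWN;   /* step 305: shut down */
    pc->ctl.otp_bit = OTP_RW;                         /* step 303: flash writable, decrypt, write back */
    size_t body = n - IMG_HDR;
    verify_crypt(&pc->vu, enc + IMG_HDR, dec, body);
    if (!ctl_write(&pc->ctl, dec, body)) return BOOT_ERROR;
    if (!ctl_read(&pc->ctl, pc->ram, body)) return BOOT_ERROR;    /* step 304: fetch via RAM 14 */
    pc->ram_len = body;
    return BOOT_OK;                                   /* the CPU now executes the decrypted BootROM */
}

/* Demo on constructed data. scenario 0: valid image; 1: wrong key in the header; 2: OTP_BIT
 * state 2, fallback to ROM 26. Returns BOOT_ERROR if the code reaching RAM is not as expected. */
static const uint8_t PLAIN[] = "boot-code-v2";        /* constructed BootROM, 13 bytes with NUL */
static const uint8_t ORIG_ROM[] = "orig-rom";         /* constructed BootROM_ori */
static enum boot_result demo(int scenario) {
    struct flash_mem flash = {{0}, 0};
    struct computer pc = {{OTP_RW, &flash}, {{1, 2, 3, 4}, {0xA5, 0x5A, 0xC3, 0x3C}},
                          {0}, 0, ORIG_ROM, sizeof ORIG_ROM};
    uint8_t img[FLASH_SIZE];
    memcpy(img, pc.vu.chip_id, 4);
    memcpy(img + 4, pc.vu.key, 4);
    if (scenario == 1) img[4] ^= 0xFF;                /* tamper with the key in the header */
    verify_crypt(&pc.vu, PLAIN, img + IMG_HDR, sizeof PLAIN);
    ctl_write(&pc.ctl, img, IMG_HDR + sizeof PLAIN);  /* provisioning while OTP_BIT is 0 */
    enum boot_result r = secure_boot(&pc, scenario == 2 ? OTP_ORIG_ROM : OTP_RO);
    const uint8_t *want = scenario == 2 ? ORIG_ROM : PLAIN;
    size_t want_len = scenario == 2 ? sizeof ORIG_ROM : sizeof PLAIN;
    if ((r == BOOT_OK || r == BOOT_FROM_ROM) &&
        (pc.ram_len != want_len || memcmp(pc.ram, want, want_len) != 0)) return BOOT_ERROR;
    return r;
}

/* The controller refuses a write while OTP_BIT is in state 1 (read-only). */
static bool write_refused_when_read_only(void) {
    struct flash_mem flash = {{0}, 0};
    struct mem_ctl c = {OTP_RO, &flash}; uint8_t b = 0x42;
    return !ctl_write(&c, &b, 1) && flash.len == 0;
}
```

The three scenarios in `demo` exercise the normal path, the step 305 shutdown on a failed check, and the state 2 fallback to the original ROM of FIG. 2; `write_refused_when_read_only` shows the controller blocking a write in state 1.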

[0040] In summary, as the functions a computer system can support become ever more powerful, the boot program code required during the boot process of the computer system also becomes increasingly complex. The present invention stores the boot program code in flash memory, taking advantage of the low price per unit of storage capacity and the ease of updating of flash memory, to achieve cost savings and high design flexibility. Furthermore, to improve the security of the boot program code, the present invention adds a verification step for the boot program code, so as to prevent the boot program code from being attacked by hackers and thereby protect information. The present invention therefore not only gives designers more development time and the ability to implement customized functions, but also allows the boot program code to be updated at any time during mass production of the computer system, achieving good design flexibility, high information security and low cost.

[0041] The foregoing are merely preferred embodiments of the present invention; all equivalent changes and modifications made within the scope of the claims of the present invention shall fall within the scope of the present invention.

Claims (12)

1. A secure boot method for a computer system, the secure boot method comprising: setting, by a central processor, a control signal to a first state and outputting it to a memory controller, so that a flash memory storing an encrypted boot program code is placed in a read-only state; based on the encrypted boot program code, outputting, by the central processor, a chip identity and a verification key to a verification unit, so that the verification unit judges whether both the chip identity and the verification key are correct; if they are correct, setting, by the central processor, the control signal to a zeroth state and outputting it to the memory controller, so that the flash memory is placed in a read-write state; and performing, through the verification unit, a decryption operation on the encrypted boot program code and storing the decrypted boot program code in the flash memory.
2. The secure boot method of claim 1, wherein when the verification unit judges that both the chip identity and the verification key are correct, the central processor reads the decrypted boot program code through a random access memory to execute a boot program.
3. The secure boot method of claim 1, wherein when the verification unit judges that at least one of the chip identity and the verification key is incorrect, the central processor executes a shutdown procedure.
4. The secure boot method of claim 1, wherein the flash memory is a system-in-package serial flash memory (SiP SFLASH) or a serial flash memory produced with a hard macro process.
5. The secure boot method of claim 1, wherein the computer system further comprises a read-only memory for storing an original boot program code.
6. The secure boot method of claim 5, further comprising: setting, by the central processor, the control signal to a second state and transmitting it to the memory controller, so that the read-only memory storing the original boot program code becomes readable, and reading the original boot program code to execute an original boot program.
7. A computer system, comprising: a central processor; a flash memory for storing an encrypted boot program code; a memory controller, coupled to the flash memory and the central processor, for controlling the flash memory to be in a read-only state according to a control signal of a first state set by the central processor, so that the central processor reads the encrypted boot program code, or for placing the flash memory in a read-write state according to a control signal of a zeroth state set by the central processor, so that the central processor reads the encrypted boot program code and writes a decrypted boot program code; and a verification unit, coupled to the central processor and the flash memory, for judging, according to a chip identity and a verification key output by the central processor, whether the central processor performs a decryption operation on the encrypted boot program code to generate the decrypted boot program code and store it in the flash memory.
8. The computer system of claim 7, wherein when the verification unit judges that both the chip identity and the verification key are correct, the central processor reads the decrypted boot program code stored in the flash memory through a random access memory to execute a boot program.
9. The computer system of claim 7, wherein when the verification unit judges that at least one of the chip identity and the verification key is incorrect, the central processor executes a shutdown procedure.
10. The computer system of claim 7, wherein the flash memory is a system-in-package serial flash memory (SiP SFLASH) or a serial flash memory produced with a hard macro process.
11. The computer system of claim 7, further comprising a read-only memory for storing an original boot program code.
12. The computer system of claim 11, wherein when the central processor sets the control signal to a second state, the central processor reads the original boot program code stored in the read-only memory to execute an original boot program.

Priority Applications (1)

Application number: CN 201210313814; publication: CN103679059A (en); priority date: 2012-08-29; filing date: 2012-08-29; title: Secure starting-up method and computer system

Applications Claiming Priority (1)

Application number: CN 201210313814; publication: CN103679059A (en); priority date: 2012-08-29; filing date: 2012-08-29; title: Secure starting-up method and computer system

Publications (1)

Publication number: CN103679059A (en); publication date: 2014-03-26

Family

ID=50316566

Family Applications (1)

Application number: CN 201210313814; publication: CN103679059A (en); priority date: 2012-08-29; filing date: 2012-08-29; title: Secure starting-up method and computer system

Country Status (1)

CN (1): CN103679059A (en)
Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6202152B1 (en) * 1998-01-27 2001-03-13 Philips Semiconductors, Inc. System and method for accessing information decrypted in multiple-byte blocks
US20060179302A1 (en) * 2005-02-07 2006-08-10 Sony Computer Entertainment Inc. Methods and apparatus for providing a secure booting sequence in a processor
CN101399076A (en) * 2007-09-28 2009-04-01 智多星电子科技有限公司 Electronic data flash memory card, method for control and method for determining type of flash memory
CN101673206A (en) * 2008-09-11 2010-03-17 联发科技股份有限公司 Programmable device and booting method



Legal Events

Date Code Title Description
C10 Entry into substantive examination
WD01