CN103679059A - Secure starting-up method and computer system - Google Patents
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/72—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
Abstract
A secure boot method for a computer system includes the following steps. A central processing unit sets a control signal to a first state and outputs it to a memory controller, so that a flash memory storing encrypted boot code is in a read-only state. According to the encrypted boot code, the central processing unit outputs a chip identity and a verification key to a verification unit, which determines whether the chip identity and the verification key are both correct. If both are correct, the central processing unit sets the control signal to a zeroth state and outputs it to the memory controller, so that the flash memory is in a read-write state. A decryption operation is then performed on the encrypted boot code through the verification unit, and the decrypted boot code is stored in the flash memory.
Description
Technical field
The present invention relates to a secure boot method and computer system, and in particular to a secure boot method and computer system in which encrypted boot code is stored in flash memory, to improve information security and reduce cost.
Background
As computer systems become more capable, the signature verification and the hardware-initialization parameter settings required during boot also become more complex. Specifically, after a computer system powers on, the Basic Input/Output System (BIOS) reads the boot code and carries out the subsequent boot steps, such as the power-on self-test (POST), the plug and play test and hardware configuration, in order to enter the operating system. The boot code can therefore tolerate almost no errors, because any minor error during boot may prevent the computer system from booting normally, leaving it hung or causing an abnormal shutdown.
Memories traditionally used to store boot code include sequential/combinational logic circuits (sequential/combinational logic cells), mask read-only memory (MROM) and eXtra Permanent Memory (XPM). With a logic circuit, the boot code is programmed directly into the circuit through the semiconductor process; once the logic circuit has been manufactured, the boot code cannot be modified. The design of the boot code must therefore be finished before the computer product is produced, and if an error is found after production the entire logic circuit has to be replaced, which constrains the development cycle and the design flexibility of the boot code. Mask ROM is a memory that can be reprogrammed: data can be programmed in repeatedly using techniques such as focused ion beam (FIB), so it offers higher design flexibility, but its security is comparatively low and it is easily attacked by hackers who alter its contents. XPM is expensive and has stability defects, and so is not common on the market.
How to store increasingly complex boot code in a suitable memory, together with a boot method that offers high design flexibility, high security and low cost, is therefore one of the important topics in this field.
Summary of the invention
The main object of the present invention is therefore to provide a secure boot method and computer system in which encrypted boot code is stored in flash memory, to improve information security and reduce production cost.
The present invention discloses a secure boot method for a computer system. The secure boot method includes: a central processing unit setting a control signal to a first state and outputting it to a memory controller, so that a flash memory storing encrypted boot code is in a read-only state; according to the encrypted boot code, the central processing unit outputting a chip identity and a verification key to a verification unit, so that the verification unit determines whether the chip identity and the verification key are both correct; if they are correct, the central processing unit setting the control signal to a zeroth state and outputting it to the memory controller, so that the flash memory is in a read-write state; and performing, through the verification unit, a decryption operation on the encrypted boot code, and storing the decrypted boot code in the flash memory.
The present invention further discloses a computer system including: a central processing unit; a flash memory for storing encrypted boot code; a memory controller, coupled to the flash memory and the central processing unit, for controlling the flash memory to be in a read-only state according to a control signal of a first state set by the central processing unit, so that the central processing unit reads the encrypted boot code, or for making the flash memory read-write according to a control signal of a zeroth state set by the central processing unit, so that the central processing unit reads the encrypted boot code and writes decrypted boot code; and a verification unit, coupled to the central processing unit and the flash memory, for determining, according to a chip identity and a verification key output by the central processing unit, whether the central processing unit performs a decryption operation on the encrypted boot code to produce the decrypted boot code and store it in the flash memory.
Brief description of the drawings
Fig. 1 is a schematic diagram of a computer system according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of another computer system according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of a secure boot flow according to an embodiment of the present invention.
Description of main reference symbols
10, 20 computer system
11 central processing unit
12 flash memory
13 memory controller
14 random access memory
15 verification unit
26 read-only memory
OTP_BIT control signal
ID chip identity
KEY verification key
BootROM, BootROM_ori boot code
0, 1, 2 states
30 secure boot flow
301, 302, 303, 304, 305, 306 steps
Detailed description
Please refer to Fig. 1, which is a schematic diagram of a computer system 10 according to an embodiment of the present invention. Computer system 10 can be any electronic device that needs to execute a boot procedure, such as a personal computer, mobile phone, personal digital assistant, server or digital set-top box. Computer system 10 includes a central processing unit 11, a flash memory 12, a memory controller 13, a random access memory (RAM) 14 and a verification unit 15.
As shown in Fig. 1, flash memory 12 is preferably a system in package serial flash memory (System in Package Serial Flash Memory, SiP SFLASH) or a serial flash that adopts a Hard Macro process. Flash memory 12 stores boot code BootROM, which central processing unit 11 reads to execute the boot procedure. Memory controller 13 is coupled to flash memory 12, and to central processing unit 11 through write and read buses, and controls the permission of central processing unit 11 to read or write flash memory 12 according to control signal OTP_BIT output by central processing unit 11. For example, when control signal OTP_BIT is at its preset state 0 (the zeroth state), central processing unit 11 can freely read flash memory 12 or write data into it. When control signal OTP_BIT is set to state 1 (the first state), central processing unit 11 can only read the contents of flash memory 12, and writes are blocked. Verification unit 15 is coupled to central processing unit 11, flash memory 12 and random access memory 14; according to chip identity ID and verification key KEY output by central processing unit 11, it performs a decryption operation on boot code BootROM and stores the decrypted boot code BootROM in flash memory 12. Central processing unit 11 reads the decrypted boot code BootROM through random access memory 14 to execute the boot procedure.
Specifically, when computer system 10 is powered on and before it executes the boot procedure, central processing unit 11 sets control signal OTP_BIT to 1, so that memory controller 13 blocks writes to flash memory 12 and the flash enters the read-only state. Central processing unit 11 reads the encrypted boot code BootROM stored in flash memory 12 and, according to it, outputs chip identity ID and verification key KEY to verification unit 15. If verification unit 15 determines that chip identity ID and verification key KEY are both correct, a decryption operation is performed on the encrypted boot code BootROM and the decrypted boot code BootROM is stored in flash memory 12. Note that in a computer system every instruction is ultimately executed by the central processing unit, so the decryption of boot code BootROM described above also has to be carried out by central processing unit 11 through verification unit 15. Concretely, central processing unit 11 first sets control signal OTP_BIT to 0 so that flash memory 12 enters the read-write state, then, following the decryption instructions of verification unit 15, uses random access memory 14 to fetch the encrypted boot code BootROM from flash memory 12, performs the decryption, and writes the decrypted boot code BootROM back into flash memory 12. Once verification unit 15 has completed the decryption of boot code BootROM, central processing unit 11 reads the decrypted boot code BootROM through random access memory 14 to execute the boot procedure.
In brief, because flash memory 12 has a low cost per unit of storage capacity and is easy to update, the present invention stores boot code BootROM in flash memory 12 to save cost and gain design flexibility. To improve the security of boot code BootROM, the present invention adds a verification step for boot code BootROM, which prevents boot code BootROM from being attacked by hackers and so protects information.
In addition, the boot method described for Fig. 1 can further be combined with an existing boot method to serve as a backup boot scheme. Please refer to Fig. 2, which is a schematic diagram of a computer system 20 according to an embodiment of the present invention. Fig. 2 differs from Fig. 1 in that, when control signal OTP_BIT output by central processing unit 11 is state 2 (the second state), boot code BootROM_ori stored in a separate read-only memory 26 can be read directly to execute the boot procedure. Read-only memory 26 can be any form of read-only memory, for example a one-time programmable (OTP) read-only memory or an electrically erasable programmable read-only memory (EEPROM). If boot code BootROM_ori is found to contain an error during or after mass production of computer system 20, the designer can store the debugged boot code BootROM in flash memory 12 and set control signal OTP_BIT output by central processing unit 11 to state 1 before the boot procedure is executed, to start the backup boot scheme. Computer system 20 thus remains maintainable after production, and read-only memory 26 does not have to be replaced in order to modify boot code BootROM_ori.
The operation of computer systems 10 and 20 described above can be summarized as a secure boot flow 30. As shown in Fig. 3, secure boot flow 30 includes the following steps:
Step 300: Start.
Step 301: Output control signal OTP_BIT as state 1, to read the encrypted boot code BootROM stored in flash memory 12.
Step 302: According to the encrypted boot code BootROM, output chip identity ID and verification key KEY to verification unit 15, so that verification unit 15 determines whether chip identity ID and verification key KEY are both correct. If so, go to step 303; if not, go to step 305.
Step 303: Output control signal OTP_BIT as state 0, perform a decryption operation on the encrypted boot code BootROM, and store the decrypted boot code BootROM in flash memory 12.
Step 304: Read the decrypted boot code BootROM through random access memory 14, to execute the boot procedure.
Step 305: Execute the shutdown procedure.
Step 306: End.
The detailed implementation of secure boot flow 30 is as described above and is not repeated here.
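The flow in steps 300 to 306, modelled in C as an added example (not code from the patent): memory controller 13 refuses writes unless OTP_BIT is state 0, and decryption runs only after verification unit 15 accepts both ID and KEY. The patent names no cipher and does not say where the reference ID and KEY are held, so the XOR routine, the `ref_id`/`ref_key` fields, the sample values and all function names are assumptions; state 2 is not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IMG_LEN 16
/* OTP_BIT states named on the page; state 2 (boot from ROM 26) is not modelled. */
enum otp_bit { OTP_RW = 0, OTP_RO = 1 };
enum boot_result { BOOT_OK, BOOT_SHUTDOWN };

struct boot_system {
    enum otp_bit otp_bit;    /* control signal into memory controller 13 */
    uint8_t flash[IMG_LEN];  /* flash memory 12 */
    uint8_t ram[IMG_LEN];    /* random access memory 14 */
    uint8_t ref_id[4];       /* assumption: reference ID held by verification unit 15 */
    uint8_t ref_key[8];      /* assumption: reference KEY held by verification unit 15 */
};

/* Constructed sample values, not taken from the patent. */
const uint8_t SAMPLE_ID[4] = {0x10, 0x20, 0x30, 0x40};
const uint8_t SAMPLE_KEY[8] = {0xA1, 0xB2, 0xC3, 0xD4, 0xE5, 0xF6, 0x07, 0x18};
const uint8_t SAMPLE_PLAIN[IMG_LEN] = "BOOTCODE-SAMPLE";

/* Memory controller 13: a write reaches the flash only while OTP_BIT is state 0. */
int flash_write(struct boot_system *s, const uint8_t *src, size_t n) {
    if (s->otp_bit != OTP_RW || n > IMG_LEN) return -1;
    memcpy(s->flash, src, n);
    return 0;
}

/* Compare without an early exit, so timing does not reveal the first wrong byte. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Verification unit 15: ID and KEY must both be correct (step 302). */
static int verify(const struct boot_system *s, const uint8_t *id, const uint8_t *key) {
    int id_ok = ct_equal(id, s->ref_id, sizeof s->ref_id);
    int key_ok = ct_equal(key, s->ref_key, sizeof s->ref_key);
    return id_ok & key_ok;
}

/* Placeholder cipher (repeating-key XOR) standing in for the unspecified
 * decryption operation; not suitable for protecting real boot code. */
static void toy_crypt(uint8_t *buf, size_t n, const uint8_t *key) {
    for (size_t i = 0; i < n; i++) buf[i] ^= key[i % 8];
}

/* Steps 301-305 of secure boot flow 30. */
enum boot_result secure_boot(struct boot_system *s, const uint8_t *id, const uint8_t *key) {
    s->otp_bit = OTP_RO;                    /* step 301: flash read-only */
    memcpy(s->ram, s->flash, IMG_LEN);      /* read encrypted BootROM into RAM 14 */
    if (!verify(s, id, key)) {              /* step 302 failed */
        memset(s->ram, 0, IMG_LEN);
        return BOOT_SHUTDOWN;               /* step 305; OTP_BIT stays at state 1 */
    }
    s->otp_bit = OTP_RW;                    /* step 303: flash read-write */
    toy_crypt(s->ram, IMG_LEN, key);        /* decrypt in RAM 14 */
    if (flash_write(s, s->ram, IMG_LEN) != 0) return BOOT_SHUTDOWN;
    return BOOT_OK;                         /* step 304: CPU boots from s->ram */
}

/* Build the constructed sample: flash holds the toy-encrypted image, OTP_BIT preset to 0. */
void sample_system(struct boot_system *s) {
    memset(s, 0, sizeof *s);
    memcpy(s->ref_id, SAMPLE_ID, sizeof s->ref_id);
    memcpy(s->ref_key, SAMPLE_KEY, sizeof s->ref_key);
    memcpy(s->flash, SAMPLE_PLAIN, IMG_LEN);
    toy_crypt(s->flash, IMG_LEN, SAMPLE_KEY);
}

int main(void) {
    struct boot_system s;
    sample_system(&s);
    enum boot_result r = secure_boot(&s, SAMPLE_ID, SAMPLE_KEY);
    printf("boot: %s, OTP_BIT=%d\n", r == BOOT_OK ? "ok" : "shutdown", (int)s.otp_bit);
    return 0;
}
```

After a successful run the flash holds the decrypted image and OTP_BIT is left at state 0, exactly as step 303 describes. The page does not say how a later boot treats flash content that is already decrypted.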
In summary, because computer systems support ever more functions, the boot code required during the boot process is also increasingly complex. The present invention, relying on the low cost per unit of storage capacity of flash memory and the ease with which it can be updated, stores the boot code in flash memory to save cost and gain design flexibility. To improve the security of the boot code, the present invention adds a verification step for the boot code, which prevents the boot code from being attacked by hackers and so protects information. The present invention therefore not only gives the designer more development time and allows customized functions, but even allows the boot code to be updated at any time during mass production of the computer system, achieving good design flexibility, high information security and low cost.
The foregoing describes only preferred embodiments of the present invention; all equivalent changes and modifications made within the scope of the claims of the present application shall fall within the scope of the present invention.
Claims (12)
1. A secure boot method for a computer system, the secure boot method including:
a central processing unit setting a control signal to a first state and outputting it to a memory controller, so that a flash memory storing encrypted boot code is in a read-only state;
according to the encrypted boot code, the central processing unit outputting a chip identity and a verification key to a verification unit, so that the verification unit determines whether the chip identity and the verification key are both correct;
if they are correct, the central processing unit setting the control signal to a zeroth state and outputting it to the memory controller, so that the flash memory is in a read-write state; and
performing, through the verification unit, a decryption operation on the encrypted boot code, and storing the decrypted boot code in the flash memory.
2. The secure boot method of claim 1, wherein when the verification unit determines that the chip identity and the verification key are both correct, the central processing unit reads the decrypted boot code through a random access memory, to execute a boot procedure.
3. The secure boot method of claim 1, wherein when the verification unit determines that at least one of the chip identity and the verification key is incorrect, the central processing unit executes a shutdown procedure.
4. The secure boot method of claim 1, wherein the flash memory is a system in package serial flash memory (System in Package Serial Flash Memory, SiP SFLASH) or a serial flash that adopts a Hard Macro process.
5. The secure boot method of claim 1, wherein the computer system further includes a read-only memory for storing original boot code.
6. The secure boot method of claim 5, further including:
a central processing unit setting a control signal to a second state and transmitting it to the memory controller, so that a read-only memory storing original boot code is readable, and reading the original boot code to execute an original boot procedure.
7. A computer system, including:
a central processing unit;
a flash memory for storing encrypted boot code;
a memory controller, coupled to the flash memory and the central processing unit, for controlling the flash memory to be in a read-only state according to a control signal of a first state set by the central processing unit, so that the central processing unit reads the encrypted boot code, or for making the flash memory read-write according to a control signal of a zeroth state set by the central processing unit, so that the central processing unit reads the encrypted boot code and writes decrypted boot code; and
a verification unit, coupled to the central processing unit and the flash memory, for determining, according to a chip identity and a verification key output by the central processing unit, whether the central processing unit performs a decryption operation on the encrypted boot code to produce the decrypted boot code and store it in the flash memory.
8. The computer system of claim 7, wherein when the verification unit determines that the chip identity and the verification key are both correct, the central processing unit reads the decrypted boot code stored in the flash memory through a random access memory, to execute a boot procedure.
9. The computer system of claim 7, wherein when the verification unit determines that at least one of the chip identity and the verification key is incorrect, the central processing unit executes a shutdown procedure.
10. The computer system of claim 7, wherein the flash memory is a system in package serial flash memory (System in Package Serial Flash Memory, SiP SFLASH) or a serial flash that adopts a Hard Macro process.
11. The computer system of claim 7, further including a read-only memory for storing original boot code.
12. The computer system of claim 11, wherein when the central processing unit sets the control signal to a second state, the central processing unit reads the original boot code stored in the read-only memory, to execute an original boot procedure.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210313814.1A CN103679059A (en) | 2012-08-29 | 2012-08-29 | Secure starting-up method and computer system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN103679059A true CN103679059A (en) | 2014-03-26 |
Family
ID=50316566
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210313814.1A Pending CN103679059A (en) | 2012-08-29 | 2012-08-29 | Secure starting-up method and computer system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103679059A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107103935A (en) * | 2017-05-19 | 2017-08-29 | 惠州佰维存储科技有限公司 | The data for solving Nand flash memories keep the method and its system made a mistake |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6202152B1 (en) * | 1998-01-27 | 2001-03-13 | Philips Semiconductors, Inc. | System and method for accessing information decrypted in multiple-byte blocks |
US20060179302A1 (en) * | 2005-02-07 | 2006-08-10 | Sony Computer Entertainment Inc. | Methods and apparatus for providing a secure booting sequence in a processor |
CN101399076A (en) * | 2007-09-28 | 2009-04-01 | 智多星电子科技有限公司 | Electronic data flash memory card, method for control and method for determining type of flash memory |
CN101673206A (en) * | 2008-09-11 | 2010-03-17 | 联发科技股份有限公司 | Programmable device and booting method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20140326 |