CN103927490A - OS secure startup method and device - Google Patents

OS secure startup method and device

Info

Publication number
CN103927490A
CN103927490A (application CN201410172838.9A)
Authority
CN
China
Prior art keywords
operating system
tolerance result
hash algorithm
tolerance
value
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201410172838.9A
Other languages
Chinese (zh)
Inventor
杨青
蒋小安
施迅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN201410172838.9A
Publication of CN103927490A
Legal status: Pending

Classifications

    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                        • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
                            • G06F21/575 Secure boot
                    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
                        • G06F21/44 Program or device authentication

Abstract

The embodiments of the invention provide an OS secure startup method and device. The method includes the following steps: signature verification is performed on the UEFI BIOS and, if the UEFI BIOS passes signature verification, signature verification is performed on the boot programs of the OS; the boot programs of the OS that pass signature verification are measured with a secure hash algorithm, and the measurement result obtained serves as the trust root; with the trust root as the initial value, multiple configuration files of the OS are measured in sequence; the final measurement result obtained is compared with an expected safe value to verify whether the OS has started securely. By means of this method and device, security is verified in that the boot programs of the OS pass digital signature verification, the boot programs of the OS that are measured as secure generate the trust root, the OS is measured level by level from the trust root, and the trust chain extends from the BIOS to the OS, which solves the prior-art problem that the security of programs started after the Boot Loader cannot be ensured.

Description

Operating system secure startup method and device
Technical field
The embodiments of the present invention relate to the field of computer technology, and in particular to an operating system secure startup method and device.
Background technology
In the current information age, protecting information security and providing a reliable computing environment have become inevitable requirements of informatization. With the rapid evolution of malware, malware has taken the Basic Input Output System (BIOS) as a preferred target of attack; viruses that attack bottom-layer firmware and startup programs are harder to defend against, so the trustworthiness and security of the computer startup process is particularly important.
The BIOS is solidified in a Read-Only Memory (ROM) chip on the computer motherboard. It stores the computer's most important basic input and output programs, the power-on self-test program, the system self-start program and the settings menu. Its main function is to provide the computer with the lowest-level and most direct hardware setup, control and access. Secure Boot is a firmware validation method defined by the Unified Extensible Firmware Interface (UEFI) standard specification; the specification describes how the platform firmware manages security certificates, how the firmware is validated, and the interface between the firmware and the operating system, with the aim of preventing malware intrusion. Secure Boot adopts an authentication method based on digital signatures and keys. When a motherboard leaves the factory, several trusted public keys can be built in; any operating system or hardware driver that is to be loaded on this motherboard must pass authentication with these keys, that is, the software must be signed with the corresponding private key, otherwise the motherboard refuses to load it.
The startup process of the whole operating system can be roughly divided into BIOS startup, boot loader (BootLoader) startup and OS startup. The Boot Loader is a small program that runs before the operating system kernel; it is located in the Master Boot Record (MBR) and is the operating system boot program. After the BIOS has started, control is transferred to the BootLoader to complete the loading and starting of the operating system. Secure Boot can only ensure that the BIOS and the BootLoader program in the startup process are trusted; it cannot ensure the security of the startup programs after the BootLoader.
Summary of the invention
The embodiments of the present invention provide an operating system secure startup method and device, to overcome the problem in the prior art that the security of the startup programs after the BootLoader cannot be ensured.
In a first aspect, an embodiment of the present invention provides an operating system secure startup method, comprising:
performing signature authentication on the Unified Extensible Firmware Interface Basic Input Output System (UEFI BIOS) and, if the authentication passes, performing signature authentication on the operating system boot program;
measuring, with a Secure Hash Algorithm, the operating system boot program that has passed authentication, and taking the resulting measurement result as the trust root;
taking the trust root as the initial value, measuring a plurality of operating system configuration files in sequence;
comparing the final measurement result obtained with an expected safe value, to verify whether the operating system is securely started.
With reference to the first aspect, in a first possible implementation of the first aspect, taking the trust root as the initial value and measuring a plurality of operating system configuration files in sequence comprises:
measuring the operating system configuration file with the Secure Hash Algorithm, measuring again with the measurement result and the initial value as the input of the Secure Hash Algorithm, taking the value obtained as the measurement result, taking this measurement result as the new initial value and measuring the next operating system configuration file, until all operating system configuration files have been measured.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation of the first aspect, comparing the final measurement result obtained with the expected safe value to verify whether the operating system is securely started comprises:
if the final measurement result is consistent with the expected safe value, securely starting the operating system; if inconsistent, not starting the operating system.
With reference to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, the method further comprises:
performing the measurement of the Secure Hash Algorithm on a Trusted Platform Module (TPM);
storing the measurement result in a Platform Configuration Register (PCR) in the TPM.
In a second aspect, an embodiment of the present invention provides an operating system secure startup device, comprising:
a signature verification module, configured to perform signature authentication on the UEFI BIOS and, if the authentication passes, to perform signature authentication on the operating system boot program;
a measurement module, configured to measure, with a Secure Hash Algorithm, the operating system boot program that has passed authentication, and to take the resulting measurement result as the trust root;
the measurement module being further configured to take the trust root as the initial value and measure a plurality of operating system configuration files in sequence;
a verification module, configured to compare the final measurement result obtained with an expected safe value, to verify whether the operating system is securely started.
With reference to the second aspect, in a first possible implementation of the second aspect, the measurement module is specifically configured to:
measure the operating system configuration file with the Secure Hash Algorithm, measure again with the measurement result and the initial value as the input of the Secure Hash Algorithm, take the value obtained as the measurement result, take this measurement result as the new initial value and measure the next operating system configuration file, until all operating system configuration files have been measured.
With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the verification module is specifically configured to:
securely start the operating system if the final measurement result is consistent with the expected safe value, and not start the operating system if they are inconsistent.
With reference to the second possible implementation of the second aspect, in a third possible implementation of the second aspect, the measurement module comprises a Trusted Platform Module (TPM) configured to perform the measurement of the Secure Hash Algorithm on the TPM;
the device further comprises a Platform Configuration Register (PCR) configured to store the measurement result.
In the operating system secure startup method and device of the embodiments of the present invention, signature authentication is performed on the UEFI BIOS and, if it passes, on the operating system boot program; the boot program that has passed authentication is measured with a Secure Hash Algorithm and the measurement result serves as the trust root; with the trust root as the initial value, a plurality of operating system configuration files are measured in sequence; the final measurement result is compared with the expected safe value to verify whether the operating system is securely started. In this way the security of the operating system boot program is verified by digital signature authentication, the boot program measured as secure generates the trust root, the operating system (OS) is measured step by step from the trust root, and the chain of trust is extended from the BIOS to the OS, which solves the prior-art problem that the security of the startup programs after the BootLoader, namely the OS startup programs, cannot be ensured.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the accompanying drawings required for describing the embodiments or the prior art are briefly introduced below. Apparently, the accompanying drawings in the following description show some embodiments of the present invention, and a person of ordinary skill in the art may still derive other drawings from these accompanying drawings without creative effort.
Fig. 1 is a flow chart of Embodiment 1 of the operating system secure startup method of the present invention;
Fig. 1A is an implementation schematic diagram of Embodiment 1 of the operating system secure startup method of the present invention;
Fig. 2 is a schematic structural diagram of Embodiment 1 of the operating system secure startup device of the present invention;
Fig. 3 is a schematic structural diagram of Embodiment 1 of the operating system secure startup equipment of the present invention.
Embodiment
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments. Obviously, the described embodiments are some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Fig. 1 is a flow chart of Embodiment 1 of the operating system secure startup method of the present invention. Fig. 1A is an implementation schematic diagram of Embodiment 1 of the operating system secure startup method of the present invention. The execution body of this embodiment is an operating system secure startup device, which may be implemented in software and/or hardware. As shown in Fig. 1, the method of this embodiment may comprise:
Step 101: perform signature authentication on the Unified Extensible Firmware Interface Basic Input Output System (UEFI BIOS) and, if the authentication passes, perform signature authentication on the operating system boot program.
Specifically, as shown in Fig. 1A, when the operating system starts, signature authentication is first performed on the UEFI BIOS; after it passes, the operating system boot program is read from disk and signature authentication is performed on it. The signature authentication may adopt CA digital signature authentication. The security of the BIOS is ensured with the Secure Boot method; the signature authentication process is transparent to the user, so user acceptance is high.
The GRand Unified Bootloader (GRUB) is an operating system boot program used to boot different systems, such as Windows and Linux. GRUB is an implementation of the multiboot specification; it allows a user to have multiple operating systems on one computer at the same time and to select the operating system to run when the computer starts. GRUB can be used to select different kernels on an operating system partition and can also pass startup parameters to these kernels.
During UEFI BIOS signature authentication, Option ROM signatures can be authenticated at the same time. A hardware board may be compatible with third-party peripherals such as network cards and Redundant Array of Independent Disks (RAID) cards, and the manufacturers of these add-on cards provide either a traditional Option ROM binary file or an Extensible Firmware Interface (EFI) driver to the UEFI BIOS; during operating system startup, the UEFI BIOS completes the initialization of the add-on cards by calling the Option ROM code.
Step 102: measure, with a Secure Hash Algorithm, the boot program that has passed authentication, and take the resulting measurement result as the trust root.
Specifically, the idea of a Secure Hash Algorithm (SHA) is to receive a piece of plaintext and convert it in an irreversible way into a (usually smaller) piece of ciphertext. It can also simply be understood as the process of taking an input string (called the pre-image or message) and converting it into an output sequence of shorter and fixed length, namely the hash value (also called the message digest or message authentication code).
The boot program that has passed authentication is measured with the Secure Hash Algorithm, and the message digest obtained as the measurement result serves as the trust root from which the operating system kernel file and other files are further measured.
Step 103: with the trust root as the initial value, measure a plurality of operating system configuration files in sequence.
Optionally, taking the trust root as the initial value and measuring a plurality of operating system configuration files in sequence comprises:
measuring the operating system configuration file with the Secure Hash Algorithm, measuring again with the measurement result and the initial value as the input of the Secure Hash Algorithm, taking the value obtained as the measurement result, taking this measurement result as the new initial value and measuring the next operating system configuration file, until all operating system configuration files have been measured.
Specifically, as shown in Fig. 1A, the operating system configuration files include the virtual machine monitor Xen, operating system kernel files such as the Linux kernel, the root file system Initrd, modules, critical system files and the like. The plurality of operating system configuration files may be measured as follows: take the trust root as the initial value N0; measure the first operating system configuration file with the Secure Hash Algorithm; measure again with the measurement result VALUE and the initial value N0 as the input of the Secure Hash Algorithm, take the value obtained as the measurement result N1 and store it, which may use the formula N1 = SHA(N0 + VALUE); then take the measurement result as the new initial value for measuring the next operating system configuration file, i.e. set N0 = N1, and repeat the above process until all operating system configuration files have been measured, saving the measurement results of all operating system configuration file measurements.
Step 104: compare the final measurement result obtained with the expected safe value, to verify whether the operating system is securely started.
Optionally, comparing the final measurement result obtained with the expected safe value to verify whether the operating system is securely started comprises:
if the final measurement result is consistent with the expected safe value, securely starting the operating system; if inconsistent, not starting the operating system.
Specifically, the final measurement result stored in step 103 is compared with the predefined expected safe value; if they are consistent, the operating system is securely started; if inconsistent, the operating system is not started.
Optionally, the method of this embodiment may further comprise:
performing the measurement of the Secure Hash Algorithm on a Trusted Platform Module (TPM);
storing the measurement result in a Platform Configuration Register (PCR) in the TPM.
Specifically, a Trusted Platform Module (TPM) 2.0 may be used to perform the measurement of the Secure Hash Algorithm; the TPM 2.0 chip complies with the TPM standard specification defined by the Trusted Computing Group (TCG). The measurement results produced in the measurement process may be stored in the Platform Configuration Registers (PCR) in the TPM.
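The measurement chain of steps 102 to 104, together with the PCR storage described above, as an added worked example in Python; this is not code from the patent or from Huawei. It assumes SHA-256 as the Secure Hash Algorithm (the patent does not name a member of the SHA family), simulates the TPM PCR with a plain class that applies the patent's formula N1 = SHA(N0 + VALUE), uses constructed byte strings in place of the boot loader and the OS files, and assumes the signature authentication of step 101 has already passed. The demo also shows two properties a practitioner relies on: the final value is order-sensitive, and an event log of the intermediate values lets a verifier name the first component that diverged, which the single final value cannot do.

```python
import hashlib
import hmac

# "Secure Hash Algorithm" in the patent; the concrete member is unspecified,
# so SHA-256 is assumed here.
SHA = hashlib.sha256

# Constructed stand-ins for the signed boot loader image and the OS files the
# patent lists (Xen, kernel, initrd, modules, critical system files).
GOLDEN_BOOTLOADER = b"constructed GRUB image, signature already verified"
GOLDEN_FILES = [
    ("xen.gz", b"constructed hypervisor image"),
    ("vmlinuz", b"constructed Linux kernel image"),
    ("initrd.img", b"constructed initial ramdisk"),
    ("modules.dep", b"constructed module list"),
    ("/etc/fstab", b"constructed critical system file"),
]


class SimulatedPCR:
    """Stand-in for a TPM platform configuration register.

    Holds the running value N_i and keeps an event log of every extend so a
    verifier can replay the chain. A real PCR extend is the same construction:
    new = SHA(old || measurement).
    """

    def __init__(self, initial: bytes):
        self.value = initial   # N0 = trust root
        self.log = []          # (name, VALUE hex, N_i hex)

    def extend(self, name: str, data: bytes) -> bytes:
        value = SHA(data).digest()                     # VALUE = SHA(file)
        self.value = SHA(self.value + value).digest()  # N1 = SHA(N0 + VALUE)
        self.log.append((name, value.hex(), self.value.hex()))
        return self.value


def trust_root(bootloader: bytes) -> bytes:
    """Step 102: the measurement of the authenticated boot program is N0."""
    return SHA(bootloader).digest()


def measure_chain(bootloader: bytes, files) -> tuple:
    """Step 103: extend the PCR once per file, in the given order."""
    pcr = SimulatedPCR(trust_root(bootloader))
    for name, data in files:
        pcr.extend(name, data)
    return pcr.value, pcr.log


def expected_safe_value(bootloader: bytes, files) -> bytes:
    """Provisioning: run the same chain over known-good images and keep the
    final value as the expected safe value that step 104 compares against."""
    final, _ = measure_chain(bootloader, files)
    return final


def verify_boot(bootloader: bytes, files, expected: bytes) -> bool:
    """Step 104: start only if the final measurement equals the expected value."""
    final, _ = measure_chain(bootloader, files)
    return hmac.compare_digest(final, expected)


def first_divergence(golden_log, observed_log):
    """Name the first component whose measurement differs (None if all match).
    Once one step differs every later N_i differs too, so only the first
    divergent entry carries information."""
    for (g_name, g_value, _), (o_name, o_value, _) in zip(golden_log, observed_log):
        if g_name != o_name or g_value != o_value:
            return o_name
    if len(golden_log) != len(observed_log):
        return "length mismatch"
    return None


def demo() -> dict:
    expected = expected_safe_value(GOLDEN_BOOTLOADER, GOLDEN_FILES)
    _, golden_log = measure_chain(GOLDEN_BOOTLOADER, GOLDEN_FILES)

    # Tampered kernel: same file name, different bytes (constructed).
    tampered = list(GOLDEN_FILES)
    tampered[1] = ("vmlinuz", b"constructed kernel with one byte changed")
    _, tampered_log = measure_chain(GOLDEN_BOOTLOADER, tampered)

    # Same files measured in a different order: the chain is order-sensitive.
    reordered = list(reversed(GOLDEN_FILES))

    return {
        "golden_ok": verify_boot(GOLDEN_BOOTLOADER, GOLDEN_FILES, expected),
        "tampered_ok": verify_boot(GOLDEN_BOOTLOADER, tampered, expected),
        "reordered_ok": verify_boot(GOLDEN_BOOTLOADER, reordered, expected),
        "other_loader_ok": verify_boot(b"constructed other loader", GOLDEN_FILES, expected),
        "first_bad_component": first_divergence(golden_log, tampered_log),
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key}: {result}")
```

Because the chain is order-sensitive, the expected safe value has to be recomputed whenever any measured file changes or the order in which the files are loaded changes; otherwise a legitimate update is indistinguishable from tampering. Keeping the per-step log alongside the PCR value is what makes a mismatch actionable, since it points at the first component to investigate rather than only reporting that the boot failed.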
In this embodiment, signature authentication is performed on the Basic Input Output System (BIOS) and, if it passes, on the operating system boot program; the boot program that has passed authentication is measured with a Secure Hash Algorithm and the measurement result serves as the trust root; with the trust root as the initial value, a plurality of operating system configuration files are measured in sequence; the final measurement result is compared with the expected safe value to verify whether the operating system is securely started. In this way the security of the operating system boot program is verified by digital signature authentication, the boot program measured as secure generates the trust root, the operating system (OS) is measured step by step from the trust root, and the chain of trust is extended from the BIOS to the OS, which solves the prior-art problem that the security of the startup programs after the BootLoader, namely the OS startup programs, cannot be ensured.
Fig. 2 is a schematic structural diagram of Embodiment 1 of the operating system secure startup device of the present invention. As shown in Fig. 2, the operating system secure startup device 20 of this embodiment may comprise a signature verification module 201, a measurement module 202 and a verification module 203, wherein the signature verification module 201 is configured to perform signature authentication on the UEFI BIOS and, if the authentication passes, to perform signature authentication on the operating system boot program; the measurement module 202 is configured to measure, with a Secure Hash Algorithm, the operating system boot program that has passed authentication, and to take the resulting measurement result as the trust root; the measurement module 202 is further configured to take the trust root as the initial value and measure a plurality of operating system configuration files in sequence; and the verification module 203 is configured to compare the final measurement result obtained with the expected safe value, to verify whether the operating system is securely started.
Optionally, the measurement module 202 is specifically configured to:
measure the operating system configuration file with the Secure Hash Algorithm, measure again with the measurement result and the initial value as the input of the Secure Hash Algorithm, take the value obtained as the measurement result, take this measurement result as the new initial value and measure the next operating system configuration file, until all operating system configuration files have been measured.
Optionally, the verification module 203 is specifically configured to:
securely start the operating system if the final measurement result is consistent with the expected safe value, and not start the operating system if they are inconsistent.
Optionally, the measurement module 202 may comprise a Trusted Platform Module (TPM) 2020, configured to perform the measurement of the Secure Hash Algorithm on the TPM;
the operating system secure startup device 20 may further comprise a Platform Configuration Register (PCR) 204, configured to store the measurement result.
The device of this embodiment may be used to execute the technical solution of the method embodiment shown in Fig. 1; its implementation principle and technical effect are similar and are not repeated here.
Fig. 3 is a schematic structural diagram of Embodiment 1 of the operating system secure startup equipment of the present invention. As shown in Fig. 3, the operating system secure startup equipment 30 provided by this embodiment comprises a processor 301 and a memory 302. The operating system secure startup equipment 30 may further comprise a transmitter 303 and a receiver 304. The transmitter 303 and the receiver 304 may be connected to the processor 301. In hardware implementation, the transmitter, the receiver and the processor may be combined into one chip or each implemented as a separate chip. The transmitter 303 is configured to send data or information, the receiver 304 is configured to receive data or information, and the memory 302 stores execution instructions; when the operating system secure startup equipment 30 runs, the processor 301 and the memory 302 communicate with each other, and the processor 301 calls the execution instructions in the memory 302 to execute the technical solution described in method Embodiment 1; its implementation principle and technical effect are similar and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed equipment and method may be implemented in other ways. For example, the apparatus embodiments described above are only schematic; the division of the units or modules is only a division by logical function, and in actual implementation there may be other ways of division, for example multiple units or modules may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be implemented through some interfaces, and the indirect coupling or communication connection between equipment or modules may be electrical, mechanical or in other forms.
The modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules; they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the objectives of the solution of this embodiment.
A person of ordinary skill in the art will appreciate that all or part of the steps of the method embodiments above may be completed by hardware related to program instructions. The program may be stored in a computer-readable storage medium; when executed, the program performs the steps of the method embodiments above. The storage medium includes any medium that can store program code, such as ROM, RAM, magnetic disks or optical discs.
Finally it should be noted that the above embodiments are only intended to describe the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some or all of their technical features may be equivalently replaced, and that such modifications or replacements do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (8)

1. An operating system secure startup method, characterized by comprising:
performing signature authentication on the Unified Extensible Firmware Interface Basic Input Output System (UEFI BIOS) and, if the authentication passes, performing signature authentication on the operating system boot program;
measuring, with a Secure Hash Algorithm, the operating system boot program that has passed authentication, and taking the resulting measurement result as the trust root;
taking the trust root as the initial value, measuring a plurality of operating system configuration files in sequence;
comparing the final measurement result obtained with an expected safe value, to verify whether the operating system is securely started.
2. The method according to claim 1, characterized in that taking the trust root as the initial value and measuring a plurality of operating system configuration files in sequence comprises:
measuring the operating system configuration file with the Secure Hash Algorithm, measuring again with the measurement result and the initial value as the input of the Secure Hash Algorithm, taking the value obtained as the measurement result, taking this measurement result as the new initial value and measuring the next operating system configuration file, until all operating system configuration files have been measured.
3. The method according to claim 1 or 2, characterized in that comparing the final measurement result obtained with the expected safe value to verify whether the operating system is securely started comprises:
if the final measurement result is consistent with the expected safe value, securely starting the operating system; if inconsistent, not starting the operating system.
4. The method according to claim 3, characterized by further comprising:
performing the measurement of the Secure Hash Algorithm on a Trusted Platform Module (TPM);
storing the measurement result in a Platform Configuration Register (PCR) in the TPM.
5. An operating system secure startup device, characterized by comprising:
a signature verification module, configured to perform signature authentication on the Unified Extensible Firmware Interface Basic Input Output System (UEFI BIOS) and, if the authentication passes, to perform signature authentication on the operating system boot program;
a measurement module, configured to measure, with a Secure Hash Algorithm, the operating system boot program that has passed authentication, and to take the resulting measurement result as the trust root;
the measurement module being further configured to take the trust root as the initial value and measure a plurality of operating system configuration files in sequence;
a verification module, configured to compare the final measurement result obtained with an expected safe value, to verify whether the operating system is securely started.
6. The device according to claim 5, characterized in that the measurement module is specifically configured to:
measure the operating system configuration file with the Secure Hash Algorithm, measure again with the measurement result and the initial value as the input of the Secure Hash Algorithm, take the value obtained as the measurement result, take this measurement result as the new initial value and measure the next operating system configuration file, until all operating system configuration files have been measured.
7. The device according to claim 5 or 6, characterized in that the verification module is specifically configured to:
securely start the operating system if the final measurement result is consistent with the expected safe value, and not start the operating system if they are inconsistent.
8. The device according to claim 7, characterized in that the measurement module comprises a Trusted Platform Module (TPM) configured to perform the measurement of the Secure Hash Algorithm on the TPM;
the device further comprises a Platform Configuration Register (PCR) configured to store the measurement result.
Application CN201410172838.9A, priority date 2014-04-25, filing date 2014-04-25: OS secure startup method and device, pending, published as CN103927490A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410172838.9A CN103927490A (en) 2014-04-25 2014-04-25 OS secure startup method and device


Publications (1)

Publication Number Publication Date
CN103927490A true CN103927490A (en) 2014-07-16

Family

ID=51145708


Country Status (1)

Country Link
CN (1) CN103927490A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101038556A (en) * 2007-04-30 2007-09-19 中国科学院软件研究所 Trusted bootstrap method and system thereof
CN101576944A (en) * 2008-11-20 2009-11-11 武汉大学 Computer secure startup system based on trusted platform module
CN101599025A (en) * 2009-07-07 2009-12-09 武汉大学 Safety virtualization method of trusted crypto module
US20120151223A1 (en) * 2010-09-20 2012-06-14 Conde Marques Ricardo Nuno De Pinho Coelho Method for securing a computing device with a trusted platform module-tpm

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
刘东丽: "Design of a UEFI-based chain of trust and implementation of a TPM driver", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *
师俊芳,李小将,李新明: "Design research on a TPM-based secure operating system", 《装备指挥技术学院学报》 *
韦荣,鞠磊,方勇,杨波: "Application of the trusted computing measurement mechanism in the chain of trust", 《网络安全技术与应用》 *
黄海彬: "Research and implementation of a platform security policy based on the EFI firmware file system", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *
黄涛,沈昌祥: "A trusted boot scheme based on a trusted server", 《武汉大学学报(理学版)》 *

Cited By (52)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104331666A (en) * 2014-11-10 2015-02-04 成都卫士通信息产业股份有限公司 Trusted measurement method for computer systems
CN104809398A (en) * 2015-04-21 2015-07-29 深圳怡化电脑股份有限公司 Tamper-proof method and tamper-proof device for bootstrap firmware of password keyboard
CN104866768A (en) * 2015-05-15 2015-08-26 深圳怡化电脑股份有限公司 Startup control method and device for ATM (Automatic Teller Machine) operating system
CN104866392A (en) * 2015-05-20 2015-08-26 浪潮电子信息产业股份有限公司 Virtual machine security protection method and apparatus
CN104966022A (en) * 2015-06-12 2015-10-07 浪潮电子信息产业股份有限公司 Chain-of-trust construction method and device based on chip
CN105447391A (en) * 2015-12-09 2016-03-30 浪潮电子信息产业股份有限公司 Operating system secure startup method, startup manager and operating system secure startup system
WO2017133559A1 (en) * 2016-02-05 2017-08-10 中兴通讯股份有限公司 Secure boot method and device
CN106095468B (en) * 2016-07-20 2019-07-19 杭州华澜微电子股份有限公司 A kind of computer starting method and device
CN106095468A (en) * 2016-07-20 2016-11-09 杭州华澜微电子股份有限公司 A kind of computer starting method and device
CN106341224A (en) * 2016-07-20 2017-01-18 国网安徽省电力公司信息通信分公司 Customized server-based TCM application system and system guidance method
CN106250760A (en) * 2016-07-26 2016-12-21 浪潮电子信息产业股份有限公司 A kind of U Boot based on TPM2.0 chip credible startup method
CN107870788B (en) * 2016-09-26 2020-10-02 展讯通信(上海)有限公司 Starting method of terminal equipment under multiple trusted execution environments and terminal equipment
CN107870788A (en) * 2016-09-26 2018-04-03 展讯通信(上海)有限公司 The startup method and terminal device of terminal device under more credible performing environment
CN106506166A (en) * 2016-10-26 2017-03-15 泰山医学院 Trusted end-user plateform system under cloud computing environment
CN106506166B (en) * 2016-10-26 2020-02-11 泰山医学院 Terminal trusted platform system under cloud computing environment
CN106548063A (en) * 2016-11-01 2017-03-29 广东浪潮大数据研究有限公司 A kind of credible tolerance methods, devices and systems
WO2018090823A1 (en) * 2016-11-21 2018-05-24 惠州Tcl移动通信有限公司 Method and system for protecting system partition key data, and terminal
US11057216B2 (en) 2016-11-21 2021-07-06 Huizhou Tcl Mobile Communication Co., Ltd. Protection method and protection system of system partition key data and terminal
CN106845243A (en) * 2016-12-13 2017-06-13 北京元心科技有限公司 Improve the method and system for starting safety
CN108256330A (en) * 2016-12-29 2018-07-06 联想(上海)信息技术有限公司 Facility information safeguard method and device
WO2018176125A1 (en) * 2017-03-28 2018-10-04 Sierra Wireless, Inc. Method and apparatus for secure computing device start up
US11048801B2 (en) 2017-03-28 2021-06-29 Sierra Wireless, Inc. Method and apparatus for secure computing device start up
CN106886473A (en) * 2017-04-24 2017-06-23 郑州云海信息技术有限公司 A kind of startup method of server, device and server
CN107357908A (en) * 2017-07-17 2017-11-17 浪潮(北京)电子信息产业有限公司 A kind of detection method and device of dummy machine system file
CN107357908B (en) * 2017-07-17 2020-07-03 浪潮(北京)电子信息产业有限公司 Method and device for detecting system file of virtual machine
CN109684849A (en) * 2017-10-18 2019-04-26 佳能株式会社 Information processing unit, its control method and storage medium
CN108804325A (en) * 2018-06-08 2018-11-13 郑州云海信息技术有限公司 A kind of test method to Secure Boot
CN109997140A (en) * 2018-09-10 2019-07-09 深圳市汇顶科技股份有限公司 Accelerate the low-power-consumption embedded equipment of clean boot from the sleep state of equipment using write-once register
CN109508535A (en) * 2018-10-30 2019-03-22 百富计算机技术(深圳)有限公司 Firmware safety certifying method, device and payment terminal
CN109598126A (en) * 2018-12-03 2019-04-09 贵州华芯通半导体技术有限公司 A kind of safety startup of system methods, devices and systems based on national secret algorithm
CN112016090A (en) * 2019-05-30 2020-12-01 阿里巴巴集团控股有限公司 Secure computing card, and measurement method and system based on secure computing card
CN112016090B (en) * 2019-05-30 2024-01-23 阿里巴巴集团控股有限公司 Secure computing card, and measuring method and system based on secure computing card
CN110543769A (en) * 2019-08-29 2019-12-06 武汉大学 Trusted starting method based on encrypted TF card
CN110543769B (en) * 2019-08-29 2023-09-15 武汉大学 Trusted starting method based on encrypted TF card
CN111046392A (en) * 2019-11-26 2020-04-21 深圳中电长城信息安全系统有限公司 BIOS (basic input output System) credibility measuring method and device and terminal equipment
CN111045743B (en) * 2019-12-12 2024-02-13 海光信息技术股份有限公司 Operating system safe starting method, management method, device and equipment
CN111045743A (en) * 2019-12-12 2020-04-21 海光信息技术有限公司 Safe starting method, management method, device and equipment of operating system
CN111241548B (en) * 2020-01-07 2022-09-09 飞腾信息技术有限公司 Computer starting method
CN111241548A (en) * 2020-01-07 2020-06-05 天津飞腾信息技术有限公司 Computer starting method
CN112487435A (en) * 2020-11-06 2021-03-12 麒麟软件有限公司 Secure starting method based on X86 architecture
CN112636928A (en) * 2020-12-29 2021-04-09 广东国腾量子科技有限公司 Decentralized trusted authentication method based on block chain, storage device and mobile terminal
CN112636928B (en) * 2020-12-29 2023-01-17 广东国腾量子科技有限公司 Decentralized trusted authentication method based on block chain, storage device and mobile terminal
CN112464271A (en) * 2021-01-27 2021-03-09 信联科技(南京)有限公司 Method and system for constructing high-reliability execution environment of power Internet of things edge Internet of things agent
CN112800429A (en) * 2021-01-28 2021-05-14 北京工业大学 Method for protecting driver in UEFI BIOS firmware system based on foundation
CN112560011B (en) * 2021-02-07 2021-06-01 浙江地芯引力科技有限公司 External adapter equipment safety authentication system and method based on encryption chip
CN112560011A (en) * 2021-02-07 2021-03-26 浙江地芯引力科技有限公司 External adapter equipment safety authentication system and method based on encryption chip
CN113190853A (en) * 2021-03-24 2021-07-30 中国电力科学研究院有限公司 Computer credibility authentication system, method, equipment and readable storage medium
CN113420299A (en) * 2021-04-15 2021-09-21 麒麟软件有限公司 Computer system safe starting and guiding method based on SM3 cryptographic algorithm
CN113051584A (en) * 2021-05-31 2021-06-29 武汉深之度科技有限公司 System secure starting method and device, computing equipment and readable storage medium
CN113553108A (en) * 2021-07-12 2021-10-26 华东师范大学 System for checking front software of operating system
CN113553109A (en) * 2021-07-12 2021-10-26 华东师范大学 Method for checking front software of operating system
CN114201747A (en) * 2021-11-29 2022-03-18 海光信息技术股份有限公司 Dynamic measurement root implementation method, device, system and storage medium

Similar Documents

Publication Publication Date Title
CN103927490A (en) OS secure startup method and device
US8892858B2 (en) Methods and apparatus for trusted boot optimization
CN107025406B (en) Motherboard, computer-readable storage device, and firmware verification method
EP2962241B1 (en) Continuation of trust for platform boot firmware
US8904162B2 (en) Methods and apparatus for performing secure BIOS upgrade
US11579893B2 (en) Systems and methods for separate storage and use of system BIOS components
US11281768B1 (en) Firmware security vulnerability verification service
US20090210456A1 (en) Methods, Systems and Media for TPM Recovery Key Backup and Restoration
US10592661B2 (en) Package processing
US20190138730A1 (en) System and Method to Support Boot Guard for Original Development Manufacturer BIOS Development
US11755739B2 (en) Update signals
US11675908B2 (en) Unattended deployment of information handling systems
US11416607B2 (en) Security risk indicator and method therefor
US11803454B2 (en) Chained loading with static and dynamic root of trust measurements
US11809876B2 (en) Trusted platform module protection for non-volatile memory express (NVMe) recovery
US11657158B2 (en) Systems and methods for extending boot security trust chaining to state changes between boot sessions
US11907375B2 (en) System and method for signing and interlocking a boot information file to a host computing system
CN115906046A (en) Trusted computing system and measurement method based on trusted computing system
CN114692159A (en) Computer system, trusted functional component and operation method
CN115130106A (en) Method and related device for realizing trusted boot through fTPM
Jyothi et al. TPM based Secure Boot in Embedded Systems
US11960372B2 (en) Verified callback chain for bios security in an information handling system
US11748485B2 (en) System and method for booting using HSM integrated chain of trust certificates
US11669618B2 (en) Systems and methods for securing and loading bios drivers and dependencies in a predefined and measured load order
US20230401316A1 (en) Pre-authorized virtualization engine for dynamic firmware measurement

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20140716)