CN104200165B - Active trusted measurement method based on a domestic CPU - Google Patents

Active trusted measurement method based on a domestic CPU

Info

Publication number
CN104200165B
CN104200165B (application CN201410366234.8A)
Authority
CN
China
Prior art keywords
bios
cpu
tpcm
credible
measurement
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201410366234.8A
Other languages
Chinese (zh)
Other versions
CN104200165A (en)
Inventor
冷冰
庞飞
张建辉
王远强
周楝淞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CETC 30 Research Institute
Original Assignee
CETC 30 Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by CETC 30 Research Institute
Priority to CN201410366234.8A
Publication of CN104200165A
Application granted
Publication of CN104200165B
Legal status: Active (current)
Anticipated expiration: not listed

Links

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575 Secure boot

Abstract

The invention provides an active trusted measurement method based on a domestic CPU. Only after the BIOS has been confirmed trustworthy does the BIOS itself perform trusted measurement of key hardware information or of operating system kernel files; this effectively prevents the security problems that a tampered BIOS brings to a computing platform. The method has very strong physical security protection, and because the trusted measurement and cryptographic algorithms of the TPCM module are implemented in hardware, they also have very high performance. The invention is therefore well suited to high-security-grade computing platforms, making the system startup process secure and trusted.

Description

Active trusted measurement method based on a domestic CPU
Technical field
The present invention relates to an active trusted measurement method based on a domestic CPU, and more particularly to an active trusted measurement method suitable for domestic Loongson processors.
Background technology
In the current x86 PC trusted platform architecture, during system startup the Core Root of Trust for Measurement (CRTM) stored in the BIOS is executed to initiate trusted measurement of key hardware information and operating system kernel files, so the CRTM portion of the BIOS becomes the root of the system's trust chain. In this trusted measurement method the Trusted Platform Module (TPM) is called passively, which is why it is referred to as passive trusted measurement technology. As is well known, the BIOS resides in an erasable FLASH device that has no physical anti-tamper property and is easily overwritten, so the BIOS cannot be trusted. With this passive trusted measurement it is difficult to guarantee the platform's trustworthiness from the root: once malicious code is implanted into the BIOS, the whole trust chain collapses.
The TPM is a hardware module with very strong physical security properties: its measurement root, cryptographic algorithms and parameters are stored in on-chip memory and cannot be obtained or tampered with from outside.
The Trusted Platform Control Module (TPCM) is a module that can be connected to the mainboard of a trusted computing platform and operates independently. Together with the platform mainboard (including a trusted BIOS) and peripheral equipment it forms a trusted hardware platform, providing trusted measurement, trusted storage and trusted reporting services to trusted system software. The TPCM also provides services the system requires such as digital signatures, integrity verification and data encryption/decryption, and is managed by the cryptographic management system. The TPCM module consists of hardware, embedded control programs running on the module's processor, and driver software running on the host.
The content of the invention
The technical problem to be solved by the present invention is to provide an active trusted measurement method based on a domestic CPU.
The technical solution adopted by the present invention is as follows: an active trusted measurement method based on a domestic CPU, characterised in that only after the BIOS has been confirmed trustworthy does the BIOS perform trusted measurement of key hardware information or operating system kernel files.
Preferably, the method uses a TPM as the root of trust.
Preferably, the specific method steps are: 1. The CRTM is placed inside the TPCM; when the host powers up, the TPCM, acting as the trusted root, starts before the CPU and obtains the authority to perform trusted measurement. 2. The TPCM performs trusted measurement of the BIOS; if verification succeeds, it releases the CPU start control signal and passes trust to the BIOS. 3. The CPU starts and executes the BIOS, which performs trusted measurement of key hardware information and of the operating system loader (OS Loader); if measurement succeeds, trust is passed to the OS Loader. 4. The OS Loader performs trusted measurement of the operating system (OS), loads it after measurement succeeds, and passes trust to the OS. 5. During OS startup, trusted measurement is performed on executable code and on application code that requires verification; once startup is complete, trust is passed to the application programs. At this point trust transfer is complete and the trusted computing environment is established.
Preferably, in step 1 the CPU is held by an active measurement control circuit, so that the TPCM, as the trusted root, starts before the CPU.
Preferably, in the active measurement control circuit the TPCM controls system startup through a logic control circuit that governs both the CPU's reset signal and the CPU's data access channel to the BIOS.
When the host powers up or resets, the TPCM first holds the CPU's reset signal in the reset state and at the same time controls the CPU's access path to the BIOS. The TPCM then executes the CRTM to perform active trusted measurement of the BIOS code, and sends control information and the CPU reset signal to the logic control circuit; the logic control circuit opens the BIOS access path according to the control information, so that the CPU can execute BIOS code through the logic control circuit and the system begins to start normally.
Compared with the prior art, the beneficial effect of the invention is that it effectively prevents the security problems caused to a computing platform by a tampered BIOS.
A further beneficial effect of the invention is the following. Because the CRTM is placed inside the TPCM, the TPCM as the startup trusted root executes before the CPU, and only after active trusted measurement of the BIOS does the CPU carry out the subsequent startup. Because the whole active trusted measurement process is completed inside the TPCM module, and all private information and cryptographic algorithms related to measurement are stored on the TPCM chip, the method has very strong physical security protection; and because the TPCM module's trusted measurement and cryptographic algorithms are implemented in hardware with very high performance, the invention can be applied well in high-security-grade computing platforms to make the system startup process secure and trusted.
Brief description of the drawings
Fig. 1 is a schematic diagram of the trust chain establishment process of one embodiment of the invention.
Fig. 2 is a schematic diagram of the active trusted measurement control flow in the embodiment of Fig. 1.
Fig. 3 is a schematic diagram of the active trusted measurement control circuit in the embodiment of Fig. 1.
Fig. 4 is a functional block diagram of the active trusted measurement control method in the embodiment of Fig. 3.
Specific embodiment
In order to make the purpose, technical scheme and advantages of the present invention clearer, the invention is further elaborated below in conjunction with the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and not to limit it.
Unless specifically stated otherwise, any feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by other equivalent or alternative features serving a similar purpose. That is, unless specifically stated otherwise, each feature is only one example of a series of equivalent or similar features.
An active trusted measurement method based on a domestic CPU, characterised in that only after the BIOS has been confirmed trustworthy does the BIOS perform trusted measurement of key hardware information or operating system kernel files.
In this specific embodiment, the trusted measurement method uses a TPM as the root of trust: only after the BIOS has been confirmed trustworthy does the BIOS perform trusted measurement of key hardware information or operating system kernel files. In addition, a hardware module having the same characteristics as a TPM may also serve as the root of trust of the trusted measurement method of the invention.
As shown in Figs. 1 and 2, in this specific embodiment the specific method steps are: 1. The CRTM is placed inside the TPCM; when the host powers up, the TPCM, acting as the trusted root, starts before the CPU and obtains the authority to perform trusted measurement. 2. The TPCM performs trusted measurement of the BIOS; if verification succeeds, it releases the CPU start control signal and passes trust to the BIOS. 3. The CPU starts and executes the BIOS, which performs trusted measurement of key hardware information and of the operating system loader (OS Loader); if measurement succeeds, trust is passed to the OS Loader. 4. The OS Loader performs trusted measurement of the operating system (OS), loads it after measurement succeeds, and passes trust to the OS. 5. During OS startup, trusted measurement is performed on executable code and on application code that requires verification; once startup is complete, trust is passed to the application programs. At this point trust transfer is complete and the trusted computing environment is established.
The TPCM implements all the functions of a trusted platform module, and its functional composition is essentially the same as that of a TPM. However, because the TPM's core root of trust for measurement, the CRTM, resides in the BIOS, it is not protected by the TPM. Therefore the CRTM is placed inside the TPCM, and the boot order of the TPCM and the CPU is changed so that the TPCM becomes the real starting point of trusted measurement, establishing a real root of trust for measurement. On this basis a computing platform trust chain with the TPCM chip as the root of trust is established, and the TPCM chip controls the startup of the computing platform, the I/O interface control, the system configuration and so on. The TPCM connects to the mainboard and, together with the BIOS and peripheral equipment, forms a trusted hardware platform that provides trusted measurement, trusted storage, trusted reporting and other services to system software and application software.
In step 1 the CPU is held by an active measurement control circuit, so that the TPCM, as the trusted root, starts before the CPU.
As shown in Fig. 3, the active trusted measurement control circuit consists of the logic control circuit in the TPCM and the associated interface circuits on the mainboard. In the active measurement control circuit the TPCM controls system startup through the logic control circuit, which governs both the CPU's reset signal and the CPU's data access channel to the BIOS.
When the host powers up or resets, the TPCM first holds the CPU's reset signal in the reset state and at the same time controls the CPU's access path to the BIOS. The TPCM then executes the CRTM to perform active trusted measurement of the BIOS code, and sends control information and the CPU reset signal to the logic control circuit; the logic control circuit opens the BIOS access path according to the control information, so that the CPU can execute BIOS code through the logic control circuit and the system begins to start normally.
Active trusted measurement control consists of modules such as the CRTM, the BIOS firmware, a control signal generation module and a logic control circuit driver; the module composition and workflow are shown in Fig. 4. Active trusted measurement control runs in the TPCM module: when the system resets, the TPCM first executes the CRTM, and the CRTM calls the trusted measurement service to perform active trusted measurement of the BIOS. After trusted measurement completes, control information and the reset signal are sent to the logic control circuit, which controls the CPU's reset and its execution of BIOS code.
In current x86 trusted computing platforms, the CRTM used by the Trusted Platform Module (TPM) and by China's Trusted Cryptography Module (TCM) is located in the BIOS; it is not physically protected by the trusted chip and starts after the CPU, so it is difficult to form a real root of trust for measurement. The TPM/TCM is in the position of a passive device and cannot actively measure and control the startup and operation of the system. Addressing the problems of the TPM/TCM measurement starting point and of passive measurement, the present invention proposes designing the trusted chip as an active device, changing the conventional view of it as a passive device, and having the Trusted Platform Control Module (TPCM) perform active trusted measurement of the computing platform. As the active device of the computing platform, the TPCM is powered up first in the system, starts before the CPU, and builds a trust chain with the TPCM module as the root of trust. Designing the CRTM inside the TPCM strengthens the security protection of the root of trust for measurement, so that the trusted root is implanted entirely inside the chip under stronger physical protection. This solves problems such as the root of trust for measurement going out of control and the trust starting point being indeterminate because of BIOS tampering, and enhances the security of the root of trust for measurement.
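The five-step trust chain above (and the identical list in the summary of the invention) can be followed in a small simulation. The code below is an added illustration, not code from the patent or from CETC 30 Research Institute: it assumes SHA-256 as the measurement function, a TPM-style extend operation for the running measurement register, and constructed stage images. Each stage measures the next one against a reference digest; the CPU start control signal is released only once the TPCM's CRTM has verified the BIOS, and a failed measurement stops trust transfer at that stage.

```python
"""Simulation of the patent's five-step trust chain (added example, not the patent's code)."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Order in which trust is passed (steps 2-5). The TPCM's CRTM measures the first stage.
CHAIN = ["bios", "os_loader", "os", "application"]


def measure(image: bytes) -> str:
    """Trusted measurement of an image; SHA-256 is an assumption of this example."""
    return hashlib.sha256(image).hexdigest()


def extend(register_hex: str, digest_hex: str) -> str:
    """TPM/TCM-style extend: new = H(old || digest). Keeps an ordered record of all measurements."""
    return hashlib.sha256(bytes.fromhex(register_hex) + bytes.fromhex(digest_hex)).hexdigest()


@dataclass
class BootResult:
    cpu_released: bool = False                        # CPU start control signal (step 2)
    trusted: List[str] = field(default_factory=list)  # stages that received trust
    log: List[Tuple[str, str, bool]] = field(default_factory=list)  # (measurer, measured, ok)
    failed_at: Optional[str] = None
    register: str = "00" * 32                         # running measurement register


def boot(images: Dict[str, bytes], references: Dict[str, str]) -> BootResult:
    """images: stage -> bytes found on the platform; references: stage -> expected digest.
    Step 1: the TPCM (holding the CRTM) runs first while the CPU is held in reset."""
    result = BootResult()
    measurer = "tpcm_crtm"
    for stage in CHAIN:
        digest = measure(images.get(stage, b""))
        ok = digest == references.get(stage)
        result.log.append((measurer, stage, ok))
        result.register = extend(result.register, digest)
        if not ok:
            result.failed_at = stage          # trust is not passed on; boot halts here
            return result
        if stage == "bios":
            result.cpu_released = True        # step 2: BIOS verified, release the CPU
        result.trusted.append(stage)
        measurer = stage                      # the verified stage measures the next one
    return result


# Constructed sample images and the reference digests the TPCM would hold on-chip.
GOOD_IMAGES = {
    "bios": b"constructed BIOS image v1",
    "os_loader": b"constructed OS loader",
    "os": b"constructed OS kernel",
    "application": b"constructed application binary",
}
REFERENCES = {stage: measure(img) for stage, img in GOOD_IMAGES.items()}


def boot_good() -> BootResult:
    return boot(GOOD_IMAGES, REFERENCES)


def boot_tampered_bios() -> BootResult:
    """A modified BIOS: the CPU must never be released."""
    return boot(dict(GOOD_IMAGES, bios=b"constructed BIOS image v1 + implant"), REFERENCES)


def boot_tampered_loader() -> BootResult:
    """A modified OS loader: the BIOS runs, but trust stops before the loader."""
    return boot(dict(GOOD_IMAGES, os_loader=b"constructed OS loader + implant"), REFERENCES)


if __name__ == "__main__":
    for name, fn in [("good", boot_good), ("bad bios", boot_tampered_bios), ("bad loader", boot_tampered_loader)]:
        r = fn()
        print(f"{name}: cpu_released={r.cpu_released} trusted={r.trusted} failed_at={r.failed_at}")
```

The measurement register is extended even for a failed stage, so the final register value records exactly where the chain diverged, which is what a later attestation of the platform state would report.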
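The reset and access-path sequencing described for the control circuit (here and in the summary of the invention) is the part that makes the measurement "active": the CPU cannot fetch from BIOS flash until the TPCM has measured it. The following signal-level model is an added example and not the patent's circuit; the signal names cpu_reset, control_info and the SHA-256 reference digest are assumptions. It shows the power-on defaults (CPU in reset, BIOS path closed), a CPU fetch attempt before measurement being denied, and the ordering of the two outputs: the path is opened first, then reset is released.

```python
"""Signal-level model of the active measurement control circuit (added example, not the patent's design)."""
import hashlib
from typing import Dict, List, Optional, Tuple


class LogicControlCircuit:
    """Sits between the TPCM, the CPU and the BIOS flash. Only the TPCM drives its control inputs."""

    def __init__(self, bios_flash: bytes):
        self.bios_flash = bios_flash
        self.cpu_reset_asserted = True     # power-on default: CPU held in reset
        self.bios_path_open = False        # power-on default: CPU-to-BIOS access path closed
        self.events: List[Tuple[str, bool]] = []

    def set_control_info(self, open_path: bool) -> None:
        self.bios_path_open = open_path
        self.events.append(("control_info", open_path))

    def set_cpu_reset(self, asserted: bool) -> None:
        self.cpu_reset_asserted = asserted
        self.events.append(("cpu_reset", asserted))

    def cpu_fetch(self, offset: int, length: int) -> Optional[bytes]:
        """A CPU instruction fetch from flash; None means the fetch does not reach the flash."""
        if self.cpu_reset_asserted or not self.bios_path_open:
            return None
        return self.bios_flash[offset:offset + length]

    def tpcm_read_flash(self) -> bytes:
        """The TPCM's own read path to the flash, independent of the CPU path."""
        return self.bios_flash


class TPCM:
    """Holds the CRTM and the on-chip reference digest of the BIOS."""

    def __init__(self, reference_bios_digest: str):
        self.reference = reference_bios_digest

    def power_on(self, circuit: LogicControlCircuit) -> None:
        circuit.set_cpu_reset(True)          # hold CPU in reset
        circuit.set_control_info(False)      # keep BIOS path closed

    def run_crtm(self, circuit: LogicControlCircuit) -> bool:
        """Active measurement of the BIOS. Only on success is the CPU allowed to run."""
        digest = hashlib.sha256(circuit.tpcm_read_flash()).hexdigest()
        if digest != self.reference:
            return False                      # CPU stays in reset, path stays closed
        circuit.set_control_info(True)        # open BIOS access path first
        circuit.set_cpu_reset(False)          # then release reset: CPU starts executing BIOS
        return True


def boot_sequence(bios_flash: bytes, reference_digest: str) -> Dict[str, object]:
    circuit = LogicControlCircuit(bios_flash)
    tpcm = TPCM(reference_digest)
    tpcm.power_on(circuit)
    early_fetch = circuit.cpu_fetch(0, 4)     # attempted before measurement: must fail
    measured_ok = tpcm.run_crtm(circuit)
    first_fetch = circuit.cpu_fetch(0, 4)     # the CPU's first real fetch after release
    return {
        "early_fetch": early_fetch,
        "measured_ok": measured_ok,
        "cpu_running": not circuit.cpu_reset_asserted,
        "bios_path_open": circuit.bios_path_open,
        "first_fetch": first_fetch,
        "events": circuit.events,
    }


# Constructed BIOS image and the digest the TPCM would store on-chip.
GOOD_BIOS = b"\xea\x5b\xe0\x00\xf0" + b"constructed BIOS image"
REFERENCE_DIGEST = hashlib.sha256(GOOD_BIOS).hexdigest()
TAMPERED_BIOS = GOOD_BIOS[:-5] + b"patch"

if __name__ == "__main__":
    print("good:", boot_sequence(GOOD_BIOS, REFERENCE_DIGEST))
    print("tampered:", boot_sequence(TAMPERED_BIOS, REFERENCE_DIGEST))
```

The event list makes the ordering checkable: with a good image the last two events are the path opening followed by the reset release; with a tampered image only the two power-on events appear, and every CPU fetch returns None.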

Claims (1)

1. An active trusted measurement method based on a domestic CPU, characterised in that: a TPM is used as the root of trust, and only after the BIOS has been confirmed trustworthy does the BIOS perform trusted measurement of key hardware information or operating system kernel files;
the specific method steps are: 1. The CRTM is placed inside the TPCM; when the host powers up, the TPCM, acting as the trusted root, starts before the CPU and obtains the authority to perform trusted measurement. 2. The TPCM performs trusted measurement of the BIOS; if verification succeeds, it releases the CPU start control signal and passes trust to the BIOS. 3. The CPU starts and executes the BIOS, which performs trusted measurement of key hardware information and of the operating system loader; if measurement succeeds, trust is passed to the OS Loader. 4. The OS Loader performs trusted measurement of the operating system, loads it after measurement succeeds, and passes trust to the OS. 5. During OS startup, trusted measurement is performed on executable code and on application code that requires verification; once startup is complete, trust is passed to the application programs;
in step 1 the CPU is held by an active measurement control circuit, so that the TPCM, as the trusted root, starts before the CPU;
in the active measurement control circuit the TPCM controls system startup through a logic control circuit that governs both the CPU's reset signal and the CPU's data access channel to the BIOS;
when the host powers up or resets, the TPCM first holds the CPU's reset signal in the reset state and at the same time controls the CPU's access path to the BIOS; the TPCM then executes the CRTM to perform active trusted measurement of the BIOS code, and sends control information and the CPU reset signal to the logic control circuit, which opens the BIOS access path according to the control information.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201410366234.8A (CN104200165B) | 2014-07-30 | 2014-07-30 | Active trusted measurement method based on a domestic CPU

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201410366234.8A (CN104200165B) | 2014-07-30 | 2014-07-30 | Active trusted measurement method based on a domestic CPU

Publications (2)

Publication Number | Publication Date
CN104200165A | 2014-12-10
CN104200165B | 2017-06-30

Family

ID=52085456

Family Applications (1)

Application Number | Status | Priority Date | Filing Date | Title
CN201410366234.8A (CN104200165B) | Active | 2014-07-30 | 2014-07-30 | Active trusted measurement method based on a domestic CPU

Country Status (1)

Country Link
CN (1) CN104200165B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107894905A (en) * 2017-11-29 2018-04-10 郑州云海信息技术有限公司 A kind of operating system file guard method based on BIOS

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105718806A (en) * 2016-01-26 2016-06-29 浪潮电子信息产业股份有限公司 Method for achieving trusted active measurement based on domestic BMC and TPM2.0
CN105678162B (en) * 2016-02-03 2018-09-04 浪潮电子信息产业股份有限公司 A kind of operating system security startup control method based on TPM
CN106295352A (en) * 2016-07-29 2017-01-04 北京三未信安科技发展有限公司 The method of credible tolerance, main frame and system under basic input output system environment
CN106649007A (en) * 2016-11-18 2017-05-10 中国兵器装备集团自动化研究所 Trusted verification method based on Loongson 3A system
CN106778282A (en) * 2016-11-22 2017-05-31 国网江苏省电力公司南通供电公司 Credible distribution terminal
CN110119624A (en) * 2018-02-06 2019-08-13 威海创事特信息科技发展有限公司 A kind of security measure method
CN108595964A (en) * 2018-04-27 2018-09-28 北京可信华泰信息技术有限公司 A kind of credible platform control module implementation method based on firmware
CN110659498A (en) * 2018-06-29 2020-01-07 国民技术股份有限公司 Trusted computing measurement method, system thereof and computer readable storage medium
CN110659497A (en) * 2018-06-29 2020-01-07 国民技术股份有限公司 Trusted boot control method and device and computer readable storage medium
CN109740349A (en) * 2018-11-29 2019-05-10 天津七所精密机电技术有限公司 Discretionary security portable computing equipment and its starting method based on Loongson processor
CN109740353A (en) * 2019-01-03 2019-05-10 北京工业大学 A kind of credible starting method of the BMC firmware of server
CN109992972B (en) * 2019-04-10 2021-04-20 北京可信华泰信息技术有限公司 Method and system for establishing trust chain in cloud environment
CN110321235B (en) * 2019-07-08 2021-03-16 北京可信华泰信息技术有限公司 System interaction method and device of trusted computing platform based on dual-system architecture
CN110929268A (en) * 2020-02-03 2020-03-27 中软信息系统工程有限公司 Safe operation method, device and storage medium
CN111950014A (en) * 2020-08-27 2020-11-17 英业达科技有限公司 Security measurement method and device for starting server system and server
CN112257071B (en) * 2020-10-23 2022-09-27 江西畅然科技发展有限公司 Credibility measurement control method based on state and behavior of sensing layer of Internet of things

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101901319B (en) * 2010-07-23 2012-02-08 北京工业大学 Trusted computing platform and method for verifying trusted chain transfer
CN101976320B (en) * 2010-10-26 2012-01-11 中国航天科工集团第二研究院七○六所 Credible computer platform
WO2012156586A2 (en) * 2011-05-18 2012-11-22 Nokia Corporation Secure boot with trusted computing group platform registers

Also Published As

Publication number | Publication date
CN104200165A | 2014-12-10

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant