Summary of the invention
To solve the above problems, the embodiments of the present application provide an isolation method for multiple operating systems and a corresponding device, so as to prevent the file systems of different operating systems from being accessed by one another and to improve the security of the operating systems.
The isolation method for multiple operating systems provided by the embodiments of the present application includes:
In the partition table that stores the entry address information of file systems, cancelling the mapping relationship between the entry address information of at least one file system in the partition table and the partition on which that file system is actually stored, so as to isolate the operating system corresponding to the file system whose mapping relationship has been cancelled from the other operating systems, where the operating system corresponding to the file system whose mapping relationship has been cancelled is installed on the same device as the other operating systems.
Preferably, the method further includes:
When the operating system corresponding to the file system whose mapping relationship has been cancelled mounts the file system, generating the mapping relationship in the partition table that stores the file system address information, according to the configuration file in that operating system.
Preferably, cancelling the mapping relationship between the address information of at least one file system in the partition table and the at least one file system is specifically:
Cancelling the mapping relationships between all file system address information in the partition table and the respective file systems.
Preferably, the method further includes: encrypting at least one file system actually stored on a partition, and decrypting the file system before the file system is used.
Preferably, encrypting at least one file system actually stored on a partition specifically includes:
Generating a matrix from the data formed by the at least one file system stored on the partition, where each element of the matrix is one byte in a block of the data formed by the file system;
XORing each byte in the matrix with the round key of the corresponding encryption round;
Replacing the result of the XOR operation with the corresponding value through a nonlinear substitution function to form a new matrix;
Cyclically shifting the bytes of each row of the new matrix;
Mixing the four bytes of each column.
Preferably, decrypting the file system before the file system is used specifically includes:
Decrypting the file system when the operating system mounts the encrypted file system.
The embodiments of the present application further provide an isolation device for multiple operating systems. The device includes a positioning unit and a cancellation unit, where:
The positioning unit is used to locate the partition table that stores the entry address information of file systems;
The cancellation unit is used to cancel, in the partition table that stores the entry address information of file systems, the mapping relationship between the entry address information of at least one file system in the partition table and the partition on which that file system is actually stored, so as to isolate the operating system corresponding to the file system whose mapping relationship has been cancelled from the other operating systems, where the operating system corresponding to the file system whose mapping relationship has been cancelled is installed on the same device as the other operating systems.
Preferably, the device further includes a generation unit, used to generate the mapping relationship in the partition table that stores the file system address information, according to the configuration file in the operating system corresponding to the file system whose mapping relationship has been cancelled, when that operating system mounts the file system.
Preferably, the cancellation unit is specifically used to cancel the mapping relationships between all file system address information in the partition table and the respective file systems.
Preferably, the device further includes an encryption unit and a decryption unit. The encryption unit is used to encrypt at least one file system actually stored on a partition, and the decryption unit is used to decrypt the file system before the file system is used.
Preferably, the encryption unit includes a matrix generation subunit, an XOR operation subunit, a value substitution subunit, a cyclic shift subunit and a mixing subunit, where:
The matrix generation subunit is used to generate a matrix from the data formed by the at least one file system stored on the partition, where each element of the matrix is one byte in a block of the data formed by the file system;
The XOR operation subunit is used to XOR each byte in the matrix with the round key of the corresponding encryption round;
The value substitution subunit is used to replace the result of the XOR operation with the corresponding value through a nonlinear substitution function to form a new matrix;
The cyclic shift subunit is used to cyclically shift the bytes of each row of the new matrix;
The mixing subunit is used to mix the four bytes of each column.
Preferably, the decryption unit is specifically used to decrypt the file system when the operating system mounts the encrypted file system.
In the partition table that stores file system address information, the embodiments of the present application cancel the mapping relationship between the address information of a file system in the partition table and the partition on which that file system is actually stored. Compared with the prior art, because the mapping relationship between the address information in the partition table and the actual storage location has been "broken", another operating system that finds the partition table still cannot determine from it the partition in which the file system is actually stored, and therefore cannot access the file system whose mapping relationship has been cancelled. In this situation, when a security vulnerability occurs in another operating system, that operating system cannot be used to access the operating system whose file system mapping has been cancelled, so the security problem is confined to the other operating system. The operating system of the file system whose mapping relationship has been cancelled is thus securely isolated from the other operating systems, which improves the overall security of the multiple operating systems installed on the same device.
Detailed description
The principle and spirit of the invention are described below with reference to several illustrative embodiments. It should be understood that these embodiments are given only to enable those skilled in the art to better understand and implement the invention, and not to limit the scope of the invention in any way. Rather, these embodiments are provided so that this disclosure is thorough and complete and fully conveys the scope of the disclosure to those skilled in the art.
As mentioned above, an operating system has a file system, and the address information of the file system is stored in a partition table. When the operating system needs to mount the file system, it first locates the partition table in which the file system is recorded, then finds the partition on which the file system is actually stored according to the address information indicated by the partition table, and then obtains the file system and carries out its work. The partition table is generally located in the master boot sector, which is generally the first sector that must be read when the disk is accessed after the electronic device is powered on; its three-dimensional address on the disk is (cylinder, head, sector) = (0, 0, 1). Fig. 1a shows the structure of one kind of partition table (the standard MBR structure). The partition table includes a partition planning section, in which the disk space is divided by address into several primary partitions. The partition table shown in the figure uses 64 bytes to indicate the entries of four primary partitions. The corresponding partition location can be found from these entry addresses, so as to obtain the data stored on the partition, such as a file system stored at a fixed position in the partition.
A partition table limits the number of partitions. The partition table in Fig. 1a divides the disk space into four partitions, but in practice four partitions may not be enough. For this reason, in some partition tables, although the disk is still divided into four partitions, the last partition is set up as an extended partition. An extended partition can in theory be divided into any number of logical partitions, each of which has an extended boot record. In addition, some partition tables also limit partition capacity. For example, the maximum capacity of one partition is limited to 2T and the starting cylinder of each partition must lie within the first 2T of the disk; under this limit, a hard disk of 3T must be divided into at least 2 partitions, and the starting sector of the last partition must lie within the first 2T of the hard disk. With such a capacity limit, the space of the entire disk is also limited, and the partition table needs to be improved. One example is the globally unique identifier partition table (GPT) shown in Fig. 1b. This partition table stores the location information in its header, and the number of partitions on each disk is theoretically unlimited, apart from limits that come from the operating system itself. For example, because the partition table itself occupies a certain amount of space, the space left for the partition table when the disk is first partitioned determines the maximum number of partitions; in IA-64 versions of Windows there can be at most 128 partitions. In addition, the partition table also has a backup partition table, as in Fig. 1b, to improve the integrity of the partition data structure.
Based on the above description of the partition table, if multiple operating systems are installed on a terminal device, the isolation method for multiple operating systems provided by the embodiments of the present application may include: in the partition table that stores the entry address information of file systems, cancelling the mapping relationship between the entry address information of at least one file system in the partition table and the partition on which a file system is actually stored. Referring to Fig. 2, after the partition table has been located (step S21), the method interrupts the existing link in the partition table between the file system entry address information and the partition on which the file system is actually stored (step S22). If another operating system (hereinafter the accessing operating system) then attempts to access the operating system corresponding to the file system whose mapping relationship has been interrupted (hereinafter the accessed operating system), the accessing operating system can still find the partition table in the first sector described above, but the mapping in the partition table to the actual storage location of the accessed operating system's file system has been interrupted. The accessing operating system therefore cannot find the file system of the accessed operating system, and the access fails. If one of the operating systems installed on the same device has a security vulnerability, for example because it has been attacked by a hacker or taken over by a virus, the hacker or virus can only "wreak havoc" inside the operating system in which the vulnerability occurred and cannot extend its "clutches" to the other operating systems on the device. The damage caused by the hacker or virus is confined to that one operating system, which improves the overall security of the multiple operating systems.
Several points about the above embodiment are worth explaining.
The first is the term "multiple operating systems" used in the embodiments of the present application. "Multiple" here generally means two or more; that is, a lower limit on the number of operating systems is defined, but no upper limit. In theory, the number of operating systems depends on the amount of hardware resources of the device that carries them; as long as the hardware resources of the device can support them, the number need not be restricted much. The operating systems may be of any type, and the present application places no particular restriction on this, as long as they are installed on the same device and do not conflict with one another.
The second is the concrete form of the "cancellation" referred to in the embodiments. In the present application, whichever specific way of "cancelling" the mapping relationship is adopted, the purpose of the application is achieved as long as the mapping relationship between the entry address information of the file system in the partition table and the actual storage location of that file system is interrupted. Typically, the file system stored on some partition of the disk space really does exist there; it is enough that the interruption of the mapping relationship makes it impossible to find the file system from the partition table, and there is no need to move the file system elsewhere for storage. The embodiments therefore confine the work of "cancelling" the mapping relationship to the partition table that stores the entry address information of file systems. "Cancellation" of the mapping relationship can then take several concrete forms. For example, the entry address information of a file system can be deleted directly from the partition table; without the entry address information, the corresponding file system cannot be found, which blocks access to it. As another example, the entry address information can be changed to a blank address, so that a lookup of the file system through that address yields an "empty" result and the real file system cannot be found. As yet another example, the entry address pointer can be pointed at the file system of the accessing operating system itself, so that the file system found is the accessing operating system's own and the files accessed are its own files. Those skilled in the art can derive other similar ways of "cancelling" the mapping relationship on this basis.
The third is that, in the above embodiment, although the operating system corresponding to the file system whose mapping relationship has been cancelled cannot be accessed from other operating systems, that is, this operating system is isolated from the other operating systems installed on the same device, this does not mean that the file systems of the other operating systems cannot be accessed from this operating system. That depends on whether the mapping relationships between the file system entry address information of the other operating systems and the partitions on which they are actually stored have also been cancelled. If they have, the other operating systems are of course also isolated from this operating system, which gives "two-way isolation". Otherwise, this operating system can still access the file systems of the other operating systems, and only "one-way isolation" is achieved.
The third point above is explained further below.
First, the transition from "one-way isolation" to "two-way isolation" can be achieved by cancelling the mapping relationships of both operating systems that previously stood in an accessing and accessed relationship. Because neither mapping relationship is any longer present in its normal form, neither operating system can access the file system of the other. To make every pair of operating systems installed on the same device mutually inaccessible, an extreme approach is to extend the cancellation of "at least one" mapping relationship to all the mapping relationships in the partition table, that is, to cancel the mapping relationships between the entry address information of all file systems in the partition table and the partitions on which the respective file systems are actually stored.
Second, in moving from "one-way isolation" to "two-way isolation", if the mapping relationships are not cancelled for all operating systems on the same device, the normal operation of the device is not affected, because the operating systems whose mapping relationships have not been deleted can still start normally and access their own files. But when the mapping relationships of all operating systems on the same device have been deleted, conventional reasoning suggests that, although the isolation problem between operating systems has been solved, the device can no longer operate normally, because no operating system is able to mount its own file system normally.
Third, for this case the embodiments of the present application propose a further solution. When the operating system corresponding to the file system whose mapping relationship has been cancelled mounts the file system, the mapping relationship is generated in the partition table that stores the file system address information, according to the configuration file in that operating system. That is, the mapping relationship that was cancelled from the partition table is restored within the scope of the operating system corresponding to the file system whose mapping relationship was cancelled (hereinafter this operating system), so that this operating system can again use the mapping relationship to access its own file system and its normal operation is not affected. It is worth noting that the mapping relationship is restored only within the scope of this operating system. The restored mapping relationship is not written into the partition table; only this operating system knows it. Other operating systems access the file system of this operating system through the partition table, and the restored mapping relationship is not present in the partition table, so the other operating systems still cannot access this operating system. In short, the embodiments of the present application cancel the mapping relationship in the global sense and then restore it in the local sense. This "cancel" followed by "restore" blocks mutual access between the different operating systems installed on the same device while leaving the normal operation of the current operating system unaffected. It should also be noted that the configuration file may be a file that ships with the operating system. The configuration file contains information about the partition on which the file system is located, including the partition index ID, the partition start address and the partition size. This information exists in the form of an executable binary file.
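The following example is added here for illustration and is not code from the application. It shows the "cancel globally, restore locally" behaviour on a constructed in-memory disk image with a standard MBR table, using the "delete the entry" form of cancellation. The marker strings, the function names and the use of a Python dict in place of the binary configuration file are assumptions.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446               # 64-byte table: four 16-byte primary-partition entries
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, start LBA, sector count
ENTRY_LEN = struct.calcsize(ENTRY_FMT)   # 16 bytes


def make_disk():
    """Constructed 64-sector disk image: OS A uses entry 0, OS B uses entry 1."""
    disk = bytearray(64 * SECTOR)
    layout = [(8, 16, b"FS-OF-OS-A"), (32, 16, b"FS-OF-OS-B")]
    for index, (start, count, marker) in enumerate(layout):
        entry = struct.pack(ENTRY_FMT, 0, b"\xfe\xff\xff", 0x83,
                            b"\xfe\xff\xff", start, count)
        offset = TABLE_OFFSET + index * ENTRY_LEN
        disk[offset:offset + ENTRY_LEN] = entry
        disk[start * SECTOR:start * SECTOR + len(marker)] = marker
    disk[510:512] = b"\x55\xaa"  # MBR boot signature
    return disk


def read_entry(disk, index):
    """Return the mapping stored in table entry `index`, or None if it is empty."""
    offset = TABLE_OFFSET + index * ENTRY_LEN
    _, _, ptype, _, start, count = struct.unpack_from(ENTRY_FMT, disk, offset)
    if ptype == 0 or count == 0:
        return None
    return {"index": index, "start": start, "sectors": count}


def visible_partitions(disk):
    """What any operating system learns by reading the first sector."""
    if bytes(disk[510:512]) != b"\x55\xaa":
        raise ValueError("missing MBR signature")
    return [e for e in (read_entry(disk, i) for i in range(4)) if e is not None]


def cancel_mapping(disk, index):
    """Step S22, 'delete the entry' form: blank the entry and return the values
    (index, start address, size) the owning OS keeps in its own configuration."""
    config = read_entry(disk, index)
    if config is None:
        raise ValueError("entry %d holds no mapping" % index)
    offset = TABLE_OFFSET + index * ENTRY_LEN
    disk[offset:offset + ENTRY_LEN] = bytes(ENTRY_LEN)
    return config


def mount_from_config(disk, config):
    """Local restore: validate the private configuration and use it as an
    in-memory mapping. Nothing is written back to the partition table."""
    end = (config["start"] + config["sectors"]) * SECTOR
    if config["start"] < 1 or end > len(disk):
        raise ValueError("configuration points outside the disk")
    return dict(config)


def read_fs(disk, mapping, length=10):
    """Read the first bytes of the file system a mapping points to."""
    if mapping is None:
        return None
    base = mapping["start"] * SECTOR
    return bytes(disk[base:base + length])


def demo():
    disk = make_disk()
    config_b = cancel_mapping(disk, 1)                       # kept inside OS B only
    other_os_view = read_fs(disk, read_entry(disk, 1))       # lookup via partition table
    own_view = read_fs(disk, mount_from_config(disk, config_b))  # lookup via private config
    return visible_partitions(disk), other_os_view, own_view, read_entry(disk, 1)


if __name__ == "__main__":
    print(demo())
```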
The above process achieves isolation (both one-way and two-way) between multiple operating systems installed on the same device. For additional assurance, the present application can also encrypt the file system, that is, encrypt at least one file system actually stored on a partition; the encrypted file system must of course be decrypted when it is needed. The file system can be encrypted at any time, because the "fact" that the file system is actually stored on some partition is not changed by the cancellation and/or restoration of the mapping relationship described above, so the encryption can be performed whenever the user considers appropriate. Likewise, decryption meets the requirement as long as it takes place before the file system is actually used. In practice, one preferable approach is to decrypt when the operating system mounts the file system. The mounting process and the decryption process can then be combined, with no separate decryption operation after the file system has been mounted, which saves time and resources.
The encryption of the file system can be implemented in many ways. For example, a block cipher mode can be used. One such mode divides the data into blocks of equal length (padding any block that is too short), then encrypts the blocks individually one by one and outputs them one by one to form the ciphertext. Another XORs the ciphertext of the previous block with the plaintext of the current block before encrypting, which makes the result harder to crack. Many modes are available; for example, ECB or CBC may be used. ECB and CBC are both block cipher modes. The former is a basic mode that divides the data into blocks of equal length (padding where necessary) and then encrypts and outputs the blocks one by one to form the ciphertext. The latter is a chained mode in which the ciphertext of the previous block is XORed with the plaintext of the current block before encryption. The present application may encrypt as follows (see Fig. 3):
Step S31: A matrix is generated from the data formed by the at least one file system stored on the partition. Each element of the matrix is one byte in a block of the data formed by the file system;
Step S32: Each byte in the matrix is XORed with the round key of the corresponding encryption round;
In this step, the key for the round (the round key) is combined with the original matrix. In each encryption round, a round key is generated from the master key. This round key is the same size as the original matrix and is XORed (⊕) with each corresponding byte of the original matrix.
Step S33: The result of the XOR operation is replaced with the corresponding value through a nonlinear substitution function to form a new matrix;
This step provides the nonlinear transformation capability of the cipher. In one specific implementation, each byte in the matrix is transformed by an 8-bit S-box (the S-box is related to the multiplicative inverse over GF(2^8), which has good nonlinear properties). To resist attacks based on simple algebraic properties, the S-box can be constructed by combining the multiplicative inverse with an invertible affine transformation matrix. In addition, fixed points and opposite fixed points can be deliberately avoided when the S-box is constructed; that is, the result of substituting bytes with the S-box is equivalent to a derangement.
Step S34: The bytes of each row of the new matrix are cyclically shifted;
In this step, each byte of each row of the matrix is cyclically shifted to the left, with the shift amount increasing with the row number. Specifically, the first row remains unchanged (a shift of 0), and each byte in the second row is cyclically shifted one position to the left. Similarly, the left cyclic shift offsets of the third and fourth rows are 2 and 3 respectively. After the shift operation, each column of the matrix is made up of elements from different columns of the input matrix.
Step S35: The four bytes of each column are mixed.
The block length used in the above encryption process may be fixed at 128 bits, and the key length may be 128, 192 or 256 bits. Other choices are also possible; for example, the key length and block length may be integer multiples of 32 bits, with 128 bits as the lower limit and 256 bits as the upper limit.
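The following example is added here for illustration and is not code from the application. It carries out one round of steps S31 to S35 on a 16-byte block, building the S-box from the GF(2^8) multiplicative inverse and an affine transform as step S33 describes. The reduction polynomial, the affine constants and the column-mixing matrix are assumed to be those of AES, since the text does not give them; a single round like this is a building block and not a complete cipher.

```python
def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (assumed, as in AES)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return result


def gf_inv(a):
    """Multiplicative inverse in GF(2^8) via a^254; 0 is mapped to 0."""
    result = 1
    for _ in range(254):
        result = gf_mul(result, a)
    return result if a else 0


def rotl8(x, n):
    """Rotate an 8-bit value left by n bits."""
    return ((x << n) | (x >> (8 - n))) & 0xFF


def build_sbox():
    """S-box = invertible affine transform applied to the multiplicative inverse."""
    sbox = []
    for x in range(256):
        b = gf_inv(x)
        sbox.append(b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63)
    return sbox


SBOX = build_sbox()


def to_state(block):
    """S31: arrange a 16-byte block as a 4x4 byte matrix, filled column by column."""
    if len(block) != 16:
        raise ValueError("block must be 16 bytes (128 bits)")
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]


def from_state(state):
    """Flatten the matrix back to 16 bytes, column by column."""
    return bytes(state[r][c] for c in range(4) for r in range(4))


def xor_round_key(state, key_state):
    """S32: XOR every byte with the corresponding round-key byte."""
    return [[state[r][c] ^ key_state[r][c] for c in range(4)] for r in range(4)]


def substitute(state):
    """S33: replace every byte through the nonlinear S-box."""
    return [[SBOX[v] for v in row] for row in state]


def shift_rows(state):
    """S34: rotate row r to the left by r positions (row 0 is unchanged)."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]


def mix_columns(state):
    """S35: mix the four bytes of each column (AES matrix 2 3 1 1, assumed)."""
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        col = [state[r][c] for r in range(4)]
        for r in range(4):
            out[r][c] = (gf_mul(2, col[r]) ^ gf_mul(3, col[(r + 1) % 4])
                         ^ col[(r + 2) % 4] ^ col[(r + 3) % 4])
    return out


def encrypt_round(block, round_key):
    """Apply S31-S35 once to a 16-byte block with a 16-byte round key."""
    state = to_state(block)
    state = xor_round_key(state, to_state(round_key))
    state = substitute(state)
    state = shift_rows(state)
    state = mix_columns(state)
    return from_state(state)


if __name__ == "__main__":
    # Input block and key taken from the FIPS-197 Appendix B example.
    block = bytes.fromhex("3243f6a8885a308d313198a2e0370734")
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    print(encrypt_round(block, key).hex())
```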
The above describes in detail the various embodiments of the isolation method for multiple operating systems of the present application. Similarly, the present application also provides embodiments of an isolation device for multiple operating systems. Fig. 4 shows a block diagram of the structure of one embodiment of the isolation device for multiple operating systems of the present application. The embodiment includes a positioning unit 41 and a cancellation unit 42, where:
The positioning unit 41 is used to locate the partition table that stores file system address information;
The cancellation unit 42 is used to cancel, in the partition table that stores the entry address information of file systems, the mapping relationship between the entry address information of at least one file system in the partition table and the partition on which a file system is actually stored, so as to isolate the operating system corresponding to the file system whose mapping relationship has been cancelled from the other operating systems, where the operating system corresponding to the file system whose mapping relationship has been cancelled is installed on the same device as the other operating systems.
The device embodiment works as follows: the positioning unit 41 locates the partition table that stores file system address information, and the cancellation unit 42 then cancels, in the partition table that stores the entry address information of file systems, the mapping relationship between the entry address information of at least one file system in the partition table and the partition on which a file system is actually stored. The device embodiment achieves the same technical effect as the method embodiment described above, which is not repeated here.
In the above device embodiment, the cancellation unit can be used to cancel one or more mapping relationships and, where required, can cancel the mapping relationships between the entry address information of all file systems in the partition table and the partitions on which the respective file systems are actually stored. In addition, although cancelling the mapping relationship solves the technical problem of the present application, the operating system whose mapping relationship has been cancelled still needs that mapping relationship when it accesses files. For this purpose, the device embodiment can further include a generation unit 43, used to generate the mapping relationship in the partition table that stores the file system address information, according to the configuration file in the operating system corresponding to the file system whose mapping relationship has been cancelled, when that operating system mounts the file system. The configuration file referred to here is present in every operating system; it is simply not used when the partition table is available.
Depending on the actual application, the device embodiment can also include an encryption unit 44 and a decryption unit 45. The encryption unit 44 is used to encrypt at least one file system actually stored on a partition, and the decryption unit 45 is used to decrypt the file system before the file system is used. The internal structure of the encryption unit differs according to the way the encryption is implemented. For example, the encryption unit 44 of the present application may include a matrix generation subunit 441, an XOR operation subunit 442, a value substitution subunit 443, a cyclic shift subunit 444 and a mixing subunit 445, where:
The matrix generation subunit 441 is used to generate a matrix from the data formed by the at least one file system stored on the partition, where each element of the matrix is one byte in a block of the data formed by the file system;
The XOR operation subunit 442 is used to XOR each byte in the matrix with the round key of the corresponding encryption round;
The value substitution subunit 443 is used to replace the result of the XOR operation with the corresponding value through a nonlinear substitution function to form a new matrix;
The cyclic shift subunit 444 is used to cyclically shift the bytes of each row of the new matrix;
The mixing subunit 445 is used to mix the four bytes of each column.
The decryption unit can perform the decryption at any time before the file system is used (after encryption, of course). In the present application, the file system is preferably decrypted when the operating system mounts the encrypted file system. This reduces the effect of these operations on the user's use of the operating system, so that the user notices nothing unusual, which improves the user experience.
It should be noted that, although several units of the isolation device for multiple operating systems are mentioned in the detailed description above, this division is not mandatory. In fact, according to the embodiments of the present invention, the features and functions of two or more of the units described above can be embodied in one device, or in different devices. Conversely, the features and functions of one unit described above can be further divided and embodied in multiple subunits.
In addition, although the operations of the method of the present invention are described in the drawings in a particular order, this does not require or imply that the operations must be performed in that particular order, or that all of the operations shown must be performed to achieve the desired result. Additionally or alternatively, certain steps can be omitted, multiple steps can be combined into one step for execution, and/or one step can be broken down into multiple steps for execution.
Although the spirit and principle of the present invention have been described with reference to several specific embodiments, it should be understood that the invention is not limited to the specific embodiments disclosed, and that the division into aspects does not mean that the features in those aspects cannot be combined to advantage; the division is made merely for convenience of presentation. The present invention is intended to cover the various modifications and equivalent arrangements included within the spirit and scope of the appended claims.