CN105893833B - A hardware interface for firmware security management - Google Patents
A hardware interface for firmware security management
- Publication number: CN105893833B (application CN201610196395.6A)
- Authority: CN (China)
- Prior art keywords: security detection, firmware, security, detection module, interface
- Prior art date
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
- Stored Programmes (AREA)
Abstract
The invention discloses a hardware interface for firmware security management and belongs to the field of firmware management. Through this hardware interface the computer accesses a security detection module at the boot stage and calls a security verification function that measures and verifies the integrity of key hardware device information and of the operating system core files. The interface provides a hardware-layer interface for the trusted module responsible for firmware security: the firmware path is configured at initial power-on, and the device can boot normally only after it passes security verification, so the hardware interface provides a security guarantee for the computer firmware.
Description
Technical field
The invention discloses a hardware interface for firmware security management and belongs to the field of firmware management.
Background art
With the development of electronic information technology, computers have penetrated every trade and profession of society, changing traditional ways of working, studying and living and driving the development of society. Thanks to their high computing speed and precision, computer equipment of many architectures and platforms plays a key role in daily work, life and production, so the security of that equipment draws ever more attention. The introduction of many kinds of security software has ensured the software security of the equipment, but most security software works on top of the operating system and can offer little help for the security of the computer firmware.
Addressing this situation, the invention provides a hardware interface for firmware security management that gives the trusted module responsible for firmware security a hardware-layer interface: the firmware path is configured at initial power-on, and the device can boot normally only after it passes security verification, so the hardware interface provides a security guarantee for the computer firmware.
Summary of the invention
In view of the shortcomings and problems of the prior art, the invention provides a hardware interface for firmware security management: the firmware path is configured at initial power-on, and the device can boot normally only after it passes security verification, so the hardware interface provides a security guarantee for the computer firmware.
The specific scheme proposed for the hardware interface for firmware security management of the invention is as follows:
A hardware interface for firmware security management, through which the computer accesses a security detection module at the boot stage and calls a security verification function that measures and verifies the integrity of key hardware device information and of the operating system core files;
The procedure by which the computer calls the security detection module through the hardware interface is: call the open-device interface to gain access to the security detection module; after access succeeds, load the interface program stored in the security detection module into memory through the detection-program loading interface; call the trust verification interface to set, update and delete expected values and to verify the data under test; finally exit access through the close-device interface and release the associated resources.
When the open-device interface is called, the firmware path is configured at initial power-on: if security verification passes, the device boots normally; otherwise the device raises an alarm and cannot boot.
The hardware interface is suitable for being called by a UEFI BIOS.
A method of using the firmware security management hardware interface, in which the computer, at the boot stage, accesses the security detection module through the hardware interface of any of claims 1 to 3, calls the security verification function, and measures and verifies the integrity of key hardware device information and of the operating system core files;
The procedure by which the computer calls the security detection module through the hardware interface is: call the open-device interface to gain access to the security detection module; after access succeeds, load the interface program stored in the security detection module into memory through the detection-program loading interface; call the trust verification interface to set, update and delete expected values and to verify the data under test; finally exit access through the close-device interface and release the associated resources.
The beneficial effects of the invention are:
Through the hardware interface of the invention the computer accesses the security detection module at the boot stage and calls the security verification function, which measures and verifies the integrity of key hardware device information and of the operating system core files. The interface provides a hardware-layer interface for the trusted module responsible for firmware security: the firmware path is configured at initial power-on, and the device can boot normally only after it passes security verification, so the hardware interface provides a security guarantee for the computer firmware.
Brief description of the drawings
Fig. 1 is a schematic of the hardware circuit of the LPC bus in the firmware of the invention;
Fig. 2 is a schematic of the hardware interface circuit of the security detection module of the invention.
Specific embodiment
A hardware interface for firmware security management, through which the computer accesses a security detection module at the boot stage and calls a security verification function that measures and verifies the integrity of key hardware device information and of the operating system core files;
The procedure by which the computer calls the security detection module through the hardware interface is: call the open-device interface to gain access to the security detection module; after access succeeds, load the interface program stored in the security detection module into memory through the detection-program loading interface; call the trust verification interface to set, update and delete expected values and to verify the data under test; finally exit access through the close-device interface and release the associated resources.
The invention is further described below on the basis of the hardware interface and summary above, in conjunction with the drawings.
The hardware interface is suitable for being called by a UEFI BIOS; through it the computer accesses the security detection module during the BIOS boot stage, calls the security verification function, and measures and verifies the integrity of key hardware device information and of the operating system core files;
The procedure by which the computer calls the security detection module through the hardware interface is: call the open-device interface to gain access to the security detection module; after access succeeds, load the interface program stored in the security detection module into memory through the detection-program loading interface; call the trust verification interface to set, update and delete expected values and to verify the data under test; finally exit access through the close-device interface and release the associated resources;
When the open-device interface is called, the firmware path is configured at initial power-on: if security verification passes, the device boots normally; otherwise the device raises an alarm and cannot boot. Referring to the firmware hardware path selection circuit in Fig. 1:
At initial power-on TPM_EN = 0 and switch U84 is open, so the LPC bus of the firmware cannot reach the processor; the device therefore raises an alarm and cannot boot;
After the firmware passes security detection, the security detection module drives TPM_EN = 1, the changeover switch conducts, the firmware reaches the processor and memory normally over the LPC bus, the alarm is released, and the device can boot normally.
In the hardware interface circuit of the security detection module, shown in Fig. 2, the STM_EN signal enables or disables the firmware security detection function:
When STM_EN = 0, firmware security detection is disabled; TPM_EN is then pulled up to a high level and the device firmware boots without security detection;
When STM_EN = 1, firmware security detection is enabled and the LPC bus of the firmware is routed first to the security detection module. While the firmware has not passed detection, or detection is still in progress, the security detection module drives TPM_EN low, the device raises an alarm and cannot enter the boot sequence. When detection passes, the security detection module drives TPM_EN high and the device boots normally.
The security detection module may use a PCI-E x4 signal, which can be adjusted as needed.
That is, through the hardware interface the computer accesses the security detection module at the boot stage and calls the security verification function, which measures and verifies the integrity of key hardware device information and of the operating system core files.
Claims (3)
1. A hardware interface for firmware security management, characterized in that through the hardware interface the computer accesses a security detection module at the boot stage and calls a security verification function that measures and verifies the integrity of key hardware device information and of the operating system kernel files;
the procedure by which the computer calls the security detection module through the hardware interface is: when the open-device interface is called, the firmware path is configured at initial power-on,
the firmware hardware path selection circuit includes a TPM, specifically:
at initial power-on the security detection control signal TPM_EN = 0 and U84 is open, so the LPC bus of the firmware cannot reach the processor and the device raises an alarm and cannot boot;
after the firmware passes security detection, the security detection module drives the security detection control signal TPM_EN = 1, the changeover switch conducts, the firmware reaches the processor and memory normally over the LPC bus, the alarm is released and the device can boot normally, which realizes access to the security detection module,
wherein the security detection module enables or disables the firmware security detection function through the security verification function enable signal STM_EN,
wherein, in the hardware interface circuit of the security detection module, when the security verification function enable signal STM_EN = 0 the firmware security detection function is disabled, the security detection control signal TPM_EN is then pulled up to a high level, and the device firmware boots without security detection; when the security verification function enable signal STM_EN = 1 the firmware security detection function is enabled and the LPC bus of the firmware is routed first to the security detection module; while the firmware has not passed detection, or detection is in progress, the security detection module drives TPM_EN low and the device raises an alarm and cannot enter the boot sequence; when detection passes, the security detection module drives TPM_EN high and the device boots normally;
after access to the security detection module succeeds, the interface program stored in the security detection module is loaded into memory through the detection-program loading interface; the trust verification interface is called to set, update and delete expected values and to verify the data under test; finally access is exited through the close-device interface and the associated resources are released.
2. The hardware interface according to claim 1, characterized in that the hardware interface is suitable for being called by a UEFI BIOS.
3. A method of using the firmware security management hardware interface, characterized in that the computer, at the boot stage, accesses the security detection module through the hardware interface of claim 1 or 2, calls the security verification function, and measures and verifies the integrity of key hardware device information and of the operating system kernel files;
the procedure by which the computer calls the security detection module through the hardware interface is: when the open-device interface is called, the firmware path is configured at initial power-on,
the firmware hardware path selection circuit includes a TPM, specifically:
at initial power-on the security detection control signal TPM_EN = 0 and U84 is open, so the LPC bus of the firmware cannot reach the processor and the device raises an alarm and cannot boot;
after the firmware passes security detection, the security detection module drives the security detection control signal TPM_EN = 1, the changeover switch conducts, the firmware reaches the processor and memory normally over the LPC bus, the alarm is released and the device can boot normally, which realizes access to the security detection module,
wherein the security detection module enables or disables the firmware security detection function through the security verification function enable signal STM_EN,
wherein, in the hardware interface circuit of the security detection module, when the security verification function enable signal STM_EN = 0 the firmware security detection function is disabled, the security detection control signal TPM_EN is then pulled up to a high level, and the device firmware boots without security detection; when the security verification function enable signal STM_EN = 1 the firmware security detection function is enabled and the LPC bus of the firmware is routed first to the security detection module; while the firmware has not passed detection, or detection is in progress, the security detection module drives TPM_EN low and the device raises an alarm and cannot enter the boot sequence; when detection passes, the security detection module drives TPM_EN high and the device boots normally;
after access to the security detection module succeeds, the interface program stored in the security detection module is loaded into memory through the detection-program loading interface; the trust verification interface is called to set, update and delete expected values and to verify the data under test; finally access is exited through the close-device interface and the associated resources are released.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610196395.6A CN105893833B (en) | 2016-03-31 | 2016-03-31 | A kind of hardware interface for firmware security management |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610196395.6A CN105893833B (en) | 2016-03-31 | 2016-03-31 | A kind of hardware interface for firmware security management |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105893833A CN105893833A (en) | 2016-08-24 |
CN105893833B true CN105893833B (en) | 2019-07-05 |
Family
ID=57011721
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610196395.6A Active CN105893833B (en) | 2016-03-31 | 2016-03-31 | A kind of hardware interface for firmware security management |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105893833B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110472421B (en) * | 2019-07-22 | 2021-08-20 | 深圳中电长城信息安全系统有限公司 | Mainboard and firmware safety detection method and terminal equipment |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1952885A (en) * | 2005-10-19 | 2007-04-25 | 联想(北京)有限公司 | A computer system and method to check completely |
CN101079003A (en) * | 2006-05-23 | 2007-11-28 | 北京金元龙脉信息科技有限公司 | System and method for carrying out safety risk check to computer BIOS firmware |
CN101488177A (en) * | 2009-03-02 | 2009-07-22 | 中国航天科工集团第二研究院七○六所 | BIOS based computer security control system and method thereof |
CN102279914A (en) * | 2011-07-13 | 2011-12-14 | 中国人民解放军海军计算技术研究所 | Unified extensible firmware interface (UEFI) trusted supporting system and method for controlling same |
CN103034510A (en) * | 2012-10-26 | 2013-04-10 | 中国航天科工集团第二研究院七〇六所 | UEFI and BIOS (unified extensible firmware interface and basic input output system) rapidly and safely starting method capable of being dynamically adjusted as requirements |
CN103729219A (en) * | 2013-12-25 | 2014-04-16 | 合肥联宝信息技术有限公司 | Method and system for framing UEFI BIOS (unified extensible firmware interface basic input/output system) |
CN104008342A (en) * | 2014-06-06 | 2014-08-27 | 山东超越数控电子有限公司 | Method for achieving safe and trusted authentication through BIOS and kernel |
CN105335264A (en) * | 2015-11-12 | 2016-02-17 | 浪潮电子信息产业股份有限公司 | Computer PCIE adapter card function test method based on UEFI |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1627680A (en) * | 2003-12-10 | 2005-06-15 | 华为技术有限公司 | Method of mutual security verification between supervisor and agent in network transmission |
- 2016-03-31: CN201610196395.6A filed (CN), patent CN105893833B, status Active
Also Published As
Publication number | Publication date |
---|---|
CN105893833A (en) | 2016-08-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
TWI559167B (en) | A unified extensible firmware interface(uefi)-compliant computing device and a method for administering a secure boot in the uefi-compliant computing device | |
US11194586B2 (en) | Secure boot override in a computing device equipped with unified-extensible firmware interface (UEFI)-compliant firmware | |
KR101974188B1 (en) | Firmware-based trusted platform module for arm® trustzone™ implementations | |
US9292302B2 (en) | Allowing bypassing of boot validation in a computer system having secure boot enabled by default only under certain circumstances | |
US7941861B2 (en) | Permitting multiple tasks requiring elevated rights | |
US9710652B1 (en) | Verifying boot process of electronic device | |
US20080222407A1 (en) | Monitoring Bootable Busses | |
CN103324506A (en) | Method and mobile phone for controlling installation of Android applications | |
US9436828B2 (en) | Systems and methods for command-based entry into basic input/output system setup from operating system | |
US20170255775A1 (en) | Software verification systems with multiple verification paths | |
CN106874771A (en) | A kind of method and device for building reliable hardware trust chain | |
US10599848B1 (en) | Use of security key to enable firmware features | |
CN111488589A (en) | Safe and trusted boot and firmware upgrade system and method based on hardware write protection | |
CN106126206A (en) | A kind of information processing method and electronic equipment | |
US8688933B2 (en) | Firmware component modification | |
CN105893833B (en) | A kind of hardware interface for firmware security management | |
CN101751519B (en) | Method for improving information security of computer system and relative computer system thereof | |
CN101639877A (en) | Electronic device and method for updating basic input and output system thereof | |
US9778936B1 (en) | Booting a computing system into a manufacturing mode | |
CN106155682A (en) | A kind of linux system based on SDMA controller starts method and system | |
CN114417301A (en) | Information processing method, information processing device, electronic equipment and storage medium | |
CN107077343A (en) | Ignore the input in WOL's guiding | |
Paul et al. | Take control of your PC with UEFI secure boot | |
RU129674U1 (en) | COMPUTER PROTECTED FROM UNAUTHORIZED ACCESS | |
EP3440585A1 (en) | System and method for establishing a securely updatable core root of trust for measurement |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||