CN106156635A - Method for starting terminal and device - Google Patents
Method for starting terminal and device Download PDFInfo
- Publication number
- CN106156635A CN106156635A CN201610613787.8A CN201610613787A CN106156635A CN 106156635 A CN106156635 A CN 106156635A CN 201610613787 A CN201610613787 A CN 201610613787A CN 106156635 A CN106156635 A CN 106156635A
- Authority
- CN
- China
- Prior art keywords
- file
- safety chip
- loaded
- operating system
- value
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/575—Secure boot
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The present invention relates to a kind of method for starting terminal and device, the method, when terminal enabled instruction being detected, starts read only memory and the safety chip of terminal;Whether the key information between checking read only memory safety chip mates;If so, os starting process is performed;Calculate the hash value of the file to be loaded of operating system;The hash value of file to be loaded is sent in safety chip, when the hash value that matching result is file to be loaded mates with security measurement value in safety chip, load file to be loaded, read-only attribute due to read only memory, by mating of read only memory and security chip key information, whether can verify that safety chip is the chip authorized, the loading of other hardware and the loading certification of operating system is carried out on the basis of reliably at safety chip, achieve the Starting mode being measured certification subordinate by the higher level of hardware to operating system, it is higher that terminal starts safety certification intensity.
Description
Technical field
The present invention relates to safety communication technology field, particularly relate to a kind of method for starting terminal and device.
Background technology
Along with the development of science and technology, mountain vallage enterprise also gets more and more, and a lot of electronic products are all easy to be imitated, such as electricity
Depending on, computer, the equipment such as pad or mobile phone, electronic product, by the imitated production of mountain vallage enterprise, can bring bigger loss to enterprise.
Checking to terminal unit in conventional art, it is common that carry out safe recognizing by fail-safe software after terminal starts
Card, or be only the relevant hardware of configuration and software data, will can start terminal after software and hardware all configuration successful and transport
OK, safety in terminal start-up course it cannot be guaranteed that, and then the security performance after whole terminal operating more can not ensure.
Summary of the invention
Based on this, it is necessary to for above-mentioned problem, it is provided that a kind of higher method for starting terminal of safety certification intensity and
Device.
A kind of method for starting terminal, described method includes:
When the enabled instruction of terminal being detected, start read only memory and the safety chip of described terminal;
Obtain the key information in described safety chip, it is judged that described key information whether with the testing of described read only memory
Card information matches, if so, performs os starting process;
Calculate the hash value of the file to be loaded of operating system;
The hash value of file to be loaded is sent in described safety chip so that described safety chip is by described published article to be added
The security measurement value that the hash value of part prestores with safety chip is mated;
Obtain the matching result that safety chip obtains, when the hash value that described matching result is file to be loaded and safe core
During the coupling of security measurement value described in sheet, load described file to be loaded, until completing the loading of the All Files of operating system,
System start-up completes.
In one embodiment, described judge described key information whether with the checking information of described read only memory
Join;If so, the step of os starting process is carried out, including:
Obtain the safety chip signature value and characteristic quantity data prestored in described safety chip, wherein, described safety chip
Signature value is the hardware identification private key signature value to described characteristic quantity data;
Obtain the hardware identification PKI in described read only memory;
Judge that described hardware identification PKI is the most corresponding with described safety chip signature value with described characteristic quantity data;
The most described read only memory and described safety chip are the terminal hardware authorized, and perform to carry out operating system
Startup process.
In one embodiment, described operating system is embedded OS, the file to be loaded of described operating system
Bottom document and the executable file of operating system including operating system.
In one embodiment, described security measurement value includes the file signature value of operating system, wherein, described file label
Name value refers to the system authentication private key hash value precalculated signature value to each normative document of operating system;
When the hash value that described matching result is file to be loaded mates with security measurement value described in safety chip, add
The step carrying described file to be loaded is:
Obtain described system authentication PKI, it is judged that the Hash of the file described to be loaded of described system authentication PKI and calculating
It is worth the most corresponding with described signature value;
The most then perform the step of the described file to be loaded of described loading.
In one embodiment, after system start-up completes, described method also includes:
System application to be loaded and third-party application are carried out safety certification.
A kind of terminal starter, described device includes:
Terminal powers on module, for when the enabled instruction of terminal being detected, start described terminal read only memory and
Safety chip;
Safety chip security authentication module, for obtaining the key information in described safety chip, it is judged that described key is believed
Breath whether with the checking information matches of read only memory, if so, perform os starting process;
System file hash value computing module, for calculating the hash value of the file to be loaded of operating system;
Data match module, for the hash value of file to be loaded being sent in described safety chip so that described safe core
The security measurement value that the hash value of described file to be loaded prestores with safety chip is mated by sheet;
System start-up module, for obtaining the matching result that safety chip obtains, when described matching result is published article to be added
When the hash value of part mates with security measurement value described in safety chip, load described file to be loaded, until completing operation system
The loading of the All Files of system, system start-up completes.
In one embodiment, described safety chip security authentication module includes:
Safety chip data acquisition module, for obtaining the safety chip signature value and feature prestored in described safety chip
Amount data, wherein, described safety chip signature value is the hardware identification private key signature value to described characteristic quantity data;
ROM data acquisition module, for obtaining the hardware identification PKI in described read only memory;
Security authentication module, be used for judging described hardware identification PKI and described characteristic quantity data whether with described safe core
Sheet signature value is corresponding;The most described read only memory and described safety chip are the terminal hardware authorized, and perform to operate
System start-up process.
In one embodiment, described operating system is embedded OS, the file to be loaded of described operating system
Bottom document and the executable file of operating system including operating system.
In one embodiment, described security measurement value includes file signature value, wherein, described file signature value refer to be
The system certification private key hash value precalculated signature value to each normative document of operating system;
System start-up module, is additionally operable to obtain described system authentication PKI, it is judged that described system authentication PKI and calculating
The hash value of described file to be loaded is the most corresponding with described signature value;
The most then perform the step of the described file to be loaded of described loading.
In one embodiment, after the system file of operating system has loaded, described method also includes:
Application authorization module, for carrying out safety certification to system application to be loaded and third-party application.
Above-mentioned method for starting terminal and device, when terminal enabled instruction being detected, start terminal read only memory and
Safety chip;Whether the key information between checking read only memory safety chip mates;If so, perform os starting to enter
Journey;Calculate the hash value of the file to be loaded of operating system;The hash value of file to be loaded is sent in safety chip so that pacifying
The security measurement value that the hash value of file to be loaded prestores with safety chip is mated by full chip;Acquisition safety chip obtains
Matching result, when the hash value that matching result is file to be loaded mates with security measurement value in safety chip, loading is treated
Load document, until completing the loading of the All Files of operating system, system start-up completes, due to the read-only spy of read only memory
Property, by mating of read only memory and security chip key information, it may be verified that whether safety chip is the chip authorized,
Safety chip carries out the loading of other hardware and the loading certification of operating system on the basis of reliably, it is achieved that by hardware to behaviour
The higher level making system measures the Starting mode of certification subordinate, additionally by the checking of the safety chip storage operating system after checking
Data, further ensure that the reliability of operating system security certification, and then ensure that whole terminal hardware and systems soft ware
Safety.
Accompanying drawing explanation
Fig. 1 is the flow chart of method for starting terminal in an embodiment;
Fig. 2 is the flow chart of executable file safety certifying method in an embodiment;
Fig. 3 is the flow chart of safety chip safety certifying method in an embodiment;
Fig. 4 is the structured flowchart of terminal starter in an embodiment;
Fig. 5 is the structured flowchart of safety chip security authentication module in an embodiment;
Fig. 6 is the structured flowchart of terminal starter in another embodiment.
Detailed description of the invention
In order to make the purpose of the present invention, technical scheme and advantage clearer, below in conjunction with drawings and Examples, right
The present invention is further elaborated.Should be appreciated that specific embodiment described herein only in order to explain the present invention, and
It is not used in the restriction present invention.
In one embodiment, as shown in Figure 1, it is provided that a kind of method for starting terminal, the method includes:
Step S102: when terminal enabled instruction being detected, starts read only memory and the safety chip of terminal.
When terminal is powered on, will start the Bootstrap Commissioning Program in terminal handler, processor performs this and is booted up
Program starts control to carry out terminal.Concrete, when terminal is powered on, start the read only memory in terminal and safety chip,
Wherein, terminal 110 is mobile terminal, and mobile terminal can be specifically panel computer, smart mobile phone or personal digital assistant.
Concrete, when the power on signal of terminal is terminal enabling signal, when the enabling signal of terminal being detected, load
(Read-Only Memory is called for short: ROM) read only memory in terminal.ROM stored data, is usually and loads thing before complete machine
First finish writing, whole working can only read.
Safety chip is embedded on terminal mainboard, and safety chip can independently carry out the generation of key, encrypt and decipher, internal
There is independent processor and memorizer, key and characteristic can be stored, provide encryption and Security Authentication Service for terminal.Peace
Full chip can carry out the encryption of high reliability to the data of chip internal storage, it is possible to the data effectively preventing storage are stolen
Or crack.
Step S104: obtain the key information in safety chip, it is judged that key information whether with the checking of read only memory
Information matches, if so, performs os starting process.
Concrete, safety chip is previously stored with key information, is previously stored with checking information in read only memory, obtains
Key information in safety chip and the checking information in read only memory, and both are mated, if the match is successful, then
Safety chip is the safety chip authorized, and is not maliciously altered.If mating unsuccessful, the key letter in safety chip is described
Breath does not mates with checking information, and the safety chip of this checking is unauthorized safety chip, stores in this unauthorized safety chip
The key information for follow-up operating system be unsafe.
In one embodiment, the key information in safety chip and the checking information in read only memory can be to set
The character string of length, both can be set to identical, it is also possible to is set as difference, as long as both can mutually be identified and test
Demonstrate,prove.Such as, the key information in safety chip is ABC, set its coupling data as 123, as long as in read only memory
Checking information be 123, be i.e. verified.
In the present embodiment, by the checking information in ROM, safety chip is verified, due to malice assaulter less
Easily take the checking information in ROM, also safety chip cannot be forged, and the safety chip forged is verified
Time also will not be proved to be successful, the above-mentioned verification method to safety chip can effectively guarantee the credibility of safety chip, ensure
The safety verification of subsequent operation system.
Step S106: calculate the hash value of the file to be loaded of operating system.
Concrete, also including before step S106: after safety chip is verified, terminal will start other hardware,
Such as some input equipment, outut device etc..
Wherein, Hash (hash) is exactly the input (being called again preliminary mapping pre-image) random length, is calculated by hash
Method, is transformed into the output of regular length, and this output is exactly hash value (hashed value).
In one embodiment, system is embedded OS, and system file includes system bottom file and can perform
File, wherein the bottom document of operating system includes BootLoader and Kernel (operating system nucleus).
Step S108: the hash value of file to be loaded is sent in safety chip so that safety chip is by file to be loaded
The security measurement value that hash value prestores with safety chip is mated.
Concrete, safety chip prestores the security measurement value of the file that operating system is comprised.Due to safety chip
For authenticated credible hardware root of trust, in addition, the safety chip data to being stored in carry out the encryption of high reliability,
The data or the amendment data that crack safety chip acquisition storage are extremely difficult.Therefore, the data prestored in this safety chip are also
It is trusty, uses the safety chip having verified that the file of operating system is carried out safety certification, safety certification intensity
Higher.
Step S110: obtain the matching result that obtains of safety chip, when the hash value that matching result is file to be loaded with
In safety chip during security measurement value coupling, loading file to be loaded, until completing the loading of the All Files of operating system, being
System startup completes.
Concrete, when in hash value and the safety chip of file to be loaded to should the security measurement value one of file to be loaded
During cause, in the loading carrying out file to be loaded.
In the present embodiment, the data file to be loaded to operating system of storage in safety chip is used to verify, effectively
Ensure that the reliability of operating system security certification.
In the present embodiment, by mating of read only memory and security chip key information, it may be verified that safety chip be
The no chip for authorizing, the loading of the loading and operating system that carry out other hardware on the basis of safety chip is reliable is recognized
Card, it is achieved that measured the Starting mode of certification subordinate by the higher level of hardware to operating system, additionally by the safe core after checking
The checking data of sheet storage operating system, further ensure that the reliability of operating system security certification, and then ensure that whole
Terminal hardware and the safety of systems soft ware.
In one embodiment, operating system is embedded OS, and the file to be loaded of operating system includes operation
The bottom document of system and the executable file of operating system.Method for starting terminal includes the bottom document to operating system
BootLoader and Kernel carries out verifying and verifying the executable file of operating system.
Concrete, to the load mode of bottom document BootLoader and Kernel of operating system it is:
First, the hash value of bottom document BootLoader is calculated.
Here it is to be calculated the hash value of BootLoader by hash function.
Security measurement value corresponding with BootLoader in safety chip for the hash value of this BootLoader is contrasted,
If identical, then it is verified, system file BootLoader is loaded.Wherein, in safety chip here
Security measurement value corresponding for BootLoader is the BootLoader to the standard that the BootLoader trusty assert calculates
Hash value, the hash value of the BootLoader of this standard is mated, i.e. with the hash value of BootLoader to be loaded
Can determine whether out that the hash value of BootLoader to be loaded is the most complete, if be modified, wherein, the standard of its Plays
BootLoader is BootLoader trusty, complete, that be not modified.
After bottom document BootLoader checking, carry out the checking of bottom document Kernel, concrete verification method with
BootLoader is identical, i.e. calculates the hash value of bottom document Kernel, by the hash value of this Kernel and safety chip
Security measurement value corresponding for Kernel contrasts, if identical, is then verified, and loads system file Kernel.
Executable file is verified after having verified by bottom document one by one, concrete verification method and BootLoader
Identical with Kernel, i.e. calculate the hash value of executable file to be loaded, by hash value and the peace of this executable file to be loaded
In full chip, the security measurement value corresponding with executable file to be loaded contrasts, if identical, is then verified, and loads
This executable file to be loaded.
In one embodiment, the security measurement value of system file includes system file signature value, wherein, system file
Signature value refers to the system authentication private key hash value precalculated signature value to the file to be loaded of each standard.At another
In embodiment, the above-mentioned private key that system authentication private key is safety chip, corresponding system authentication PKI is safety chip PKI.
Checking to system file, the checking including system bottom file and executable file can also use with lower section
Method:
Obtain system authentication PKI, it is judged that whether the file hash value to be loaded of system authentication PKI and calculating is with to be loaded
The signature value of file is corresponding;The most then confirm that file hash value to be loaded mates with the security measurement value of storage in safety chip,
Perform to load the step of file to be loaded.
Concrete, use the signature value that system authentication public key decryptions file to be loaded is corresponding, obtain the standard in signature value
File hash value, contrasts the file hash value to be loaded of this normative document hash value with calculating, if identical, then illustrates
This file to be loaded is identical with normative document, is not modified, and can carry out the loading of this file to be loaded, and to be added to the next one
Published article part is verified, until all system files have loaded, os starting completes, and wherein, normative document is credible
Appoint, system file complete, that be not modified.
In one embodiment, system authentication PKI is obtained, it is judged that system authentication PKI and the file to be loaded of calculating
Hash value is the most corresponding with the signature value of file to be loaded can also be: by system authentication PKI, the file to be loaded of calculating
The first component in hash value and signature value participates in calculating as the parameter of computational algorithm, obtains result of calculation, by result of calculation
Contrast with the second component in signature value, if both are consistent, then illustrate that this file to be loaded is identical with normative document, do not have
It is modified, the loading of this file to be loaded can be carried out.In the present embodiment, security measurement value is to encrypt through security chip key
Signature value, further enhance the safety of security measurement value.
In another embodiment, owing to the executable file quantity of operating system is more, if by executable file
Security measurement value is stored in safety chip, it will the access pressure causing chip is excessive.Therefore, adopt with the following method to behaviour
The executable file making system carries out safety verification, as shown in Figure 2:
The security measurement value of executable file is stored in the memorizer of terminal, wherein, security measurement file here
For the signature value of executable file, wherein, the signature value of executable file is the valve system certification private key the performed literary composition to standard
The signature value of part hash value.In another embodiment, the above-mentioned private key that system authentication private key is safety chip, be accordingly
System certification PKI is safety chip PKI.
Step S202: obtain executable file to be loaded, calculates the hash value of the executable file obtained.
Step S204: prestore in acquisition safety chip PKI and acquisition memorizer is corresponding with executable file to be loaded
Signature value.
Step S206: the signature value using safety chip public key decryptions to obtain, obtains performing of the standard in signature value
The hash value of file, it is right the hash value of the executable file of this standard and the executable file hash value to be loaded of calculating to be carried out
Ratio, if identical, then this executable file to be loaded is identical with the executable file of standard, is not modified, and after being verified, adds
Carry this executable file to be loaded, and next executable file to be loaded is verified, until all executable files add
Load completes, and os starting completes.Wherein, the executable file of standard is trusty, complete, holding of not being modified
Style of writing part.
The proof procedure of step S206 can also use the first component of signature value and the mode of second component to carry out equally
Checking.
In the present embodiment, the security measurement value of executable file is stored in memorizer, can effectively alleviate safety chip
Storage pressure and accessed pressure.Due to security measurement value for storage in memory, for guaranteeing that security measurement value is not modified,
Have employed the mode of security chip key encryption, executable file hash value is carried out the encryption of safety chip private key, by
Private key information can not had to will be unable to generate signature by acquired in other people, effectively prevent security measurement value in this system private key
By malicious modification.
In one embodiment, as shown in Figure 3, it is judged that key information whether with the checking information matches of read only memory;
If so, the step of os starting process is carried out, including:
Step S302: obtain the safety chip signature value and characteristic quantity data prestored in safety chip, wherein, safety chip
Signature value is the hardware identification private key signature value to characteristic quantity data.
Step S304: obtain the hardware identification PKI in read only memory.
Step S306: judge that hardware identification PKI is the most corresponding with safety chip signature value with characteristic quantity data;The most then
Read only memory and safety chip are the terminal hardware authorized, and perform os starting process.
Concrete, safety chip presets characteristic quantity data, uses hardware identification private key to enter this feature amount data
Row signature obtains the signature value of safety chip.Hardware identification PKI is stored in ROM.
When safety chip is verified, obtain safety chip signature value and the safety of storage in safety chip to be verified
The characteristic quantity data of chip, the signature value of hardware verification this safety chip of public key encryption in the ROM that use is read, obtain signature
The characteristic quantity data that this feature amount data and safety chip individually store are contrasted by value characteristic of correspondence amount data, if
Coupling, then safety chip is trusted safety chip.
In the present embodiment, the signature that the characteristic quantity data in safety chip carry out private key processes, and the private key of this signature is not
Can be known by other people, even if the checking information in read only memory (hardware identification PKI) is stolen, owing to appropriator can not obtain
To signature private key, and then the signature in safety chip can not be copied, further enhance safety chip proof strength, test
The credibility of the safety chip after card improves further.
In one embodiment, method for starting terminal also includes: treats loading system application program after system start-up and treats
The safety certification of the third party application installed.
Concrete, before installing including third party application, the installation kit to application carries out security measurement and answers system
Install with the loading of program and the third party application having passed through security measurement.
The method that the installation kit of third-party application carries out security measurement includes:
Application authorization private key it is generated in advance to issuing the signature value of third party's PKI or the signature file of application, by these label
In the packaging file of the application that name value or signature file are stored in download.Before installing APP, first terminal reads signature value
Or signature file, and the publisher's PKI in the packaging file of application authorization this download of public key verifications is used whether to sign
PKI is consistent, if unanimously, then it is assumed that being to authorize release process, system can normal mounting.Should for third-party application and system
Installation identical with the mounting means of operating system, referring in particular to installation method of operating system.
In the present embodiment, the signature verification that the PKI of publisher is carried out, it is therefore prevented that close by amendment rights issuer
Key information, unauthorized application also can be by checking.
In one embodiment, as shown in Figure 4, it is provided that a kind of terminal starter, device includes:
Terminal powers on module 410, for when terminal enabled instruction being detected, starts read only memory and the safety of terminal
Chip.
Safety chip security authentication module 420, for obtaining the key information in safety chip, it is judged that whether key information
With the checking information matches of read only memory, if so, perform os starting process.
System file hash value computing module 430, for calculating the hash value of the file to be loaded of operating system.
Data match module 440, for sending into the hash value of file to be loaded in safety chip so that safety chip will
The security measurement value that the hash value of file to be loaded prestores with safety chip is mated.
System start-up module 450, for obtaining the matching result that safety chip obtains, when matching result is file to be loaded
Hash value with when in safety chip, security measurement value is mated, load file to be loaded, until completing all literary compositions of operating system
The loading of part, system start-up completes.
In one embodiment, safety chip security authentication module 420 includes:
Safety chip data acquisition module 510, for obtaining the safety chip signature value and feature prestored in safety chip
Amount data, wherein, safety chip signature value is the hardware identification private key signature value to characteristic quantity data.
ROM data acquisition module 520, for obtaining the hardware identification PKI in read only memory.
Security authentication module 530, be used for judging hardware identification PKI and characteristic quantity data whether with safety chip signature value
Corresponding;The most then read only memory and safety chip are the terminal hardware authorized, and perform to carry out os starting process.
In one embodiment, the file to be loaded of operating system includes the bottom document of operating system and operating system
Executable file.
In one embodiment, security measurement value includes the file signature value of operating system, and wherein, file signature value refers to
The system authentication private key hash value precalculated signature value to each normative document of operating system.
System start-up module 450 is additionally operable to obtain system authentication PKI, it is judged that system authentication PKI and calculating to be loaded
The hash value of file is the most corresponding with signature value;
The most then perform to load the step of file to be loaded.
In one embodiment, after the system file of operating system has loaded, method also includes:
Application authorization module 610, for carrying out safety certification to system application to be loaded and third-party application.
Each technical characteristic of above example can combine arbitrarily, for making description succinct, not to above-described embodiment
In all possible combination of each technical characteristic be all described, but, as long as there is not lance in the combination of these technical characteristics
Shield, is all considered to be the scope that this specification is recorded.
Above example only have expressed the several embodiments of the present invention, and it describes more concrete and detailed, but can not
Therefore it is construed as limiting the scope of the patent.It should be pointed out that, for the person of ordinary skill of the art,
On the premise of present inventive concept, it is also possible to make some deformation and improvement, these broadly fall into protection scope of the present invention.
Therefore, the protection domain of patent of the present invention should be as the criterion with claims.
Claims (10)
1. a method for starting terminal, described method includes:
When the enabled instruction of terminal being detected, start read only memory and the safety chip of described terminal;
Obtain the key information in described safety chip, it is judged that the whether checking with described read only memory of described key information is believed
Breath coupling, if so, performs os starting process;
Calculate the hash value of the file to be loaded of operating system;
The hash value of file to be loaded is sent in described safety chip so that described safety chip is by described file to be loaded
The security measurement value that hash value prestores with safety chip is mated;
Obtain the matching result that safety chip obtains, when in the hash value that described matching result is file to be loaded with safety chip
During described security measurement value coupling, load described file to be loaded, until completing the loading of the All Files of operating system, system
Startup completes.
Method the most according to claim 1, it is characterised in that: described judge that whether described key information read-only is deposited with described
The checking information matches of reservoir;If so, the step of os starting process is carried out, including:
Obtaining the safety chip signature value and characteristic quantity data prestored in described safety chip, wherein, described safety chip is signed
Value is the hardware identification private key signature value to described characteristic quantity data;
Obtain the hardware identification PKI in described read only memory;
Judge that described hardware identification PKI is the most corresponding with described safety chip signature value with described characteristic quantity data;
The most described read only memory and described safety chip are the terminal hardware authorized, and perform to carry out os starting
Process.
Method the most according to claim 1, it is characterised in that:
Described operating system is embedded OS, and the file to be loaded of described operating system includes the bottom literary composition of operating system
Part and the executable file of operating system.
Method the most according to claim 1, it is characterised in that: described security measurement value includes the file signature of operating system
Value, wherein, described file signature value refers to that the hash value of each normative document of operating system is precalculated by system authentication private key
Signature value;
When the hash value that described matching result is file to be loaded mates with security measurement value described in safety chip, load institute
The step stating file to be loaded is:
Obtain described system authentication PKI, it is judged that the hash value of the file described to be loaded of described system authentication PKI and calculating is
No and described signature value is corresponding;
The most then perform the step of the described file to be loaded of described loading.
Method the most according to claim 1, it is characterised in that: after system start-up completes, described method also includes:
System application to be loaded and third-party application are carried out safety certification.
6. a terminal starter, it is characterised in that described device includes:
Terminal powers on module, for when the enabled instruction of terminal being detected, starts read only memory and the safety of described terminal
Chip;
Safety chip security authentication module, for obtaining the key information in described safety chip, it is judged that described key information is
The no checking information matches with read only memory, if so, performs os starting process;
System file hash value computing module, for calculating the hash value of the file to be loaded of operating system;
Data match module, for sending into the hash value of file to be loaded in described safety chip so that described safety chip will
The security measurement value that the hash value of described file to be loaded prestores with safety chip is mated;
System start-up module, for obtaining the matching result that safety chip obtains, when described matching result is file to be loaded
When hash value mates with security measurement value described in safety chip, load described file to be loaded, until completing operating system
The loading of All Files, system start-up completes.
Device the most according to claim 6, it is characterised in that: described safety chip security authentication module includes:
Safety chip data acquisition module, for obtaining the safety chip signature value and characteristic quantity number prestored in described safety chip
According to, wherein, described safety chip signature value is the hardware identification private key signature value to described characteristic quantity data;
ROM data acquisition module, for obtaining the hardware identification PKI in described read only memory;
Security authentication module, be used for judging described hardware identification PKI and described characteristic quantity data whether with described safety chip label
Name-value pair should;The most described read only memory and described safety chip are the terminal hardware authorized, and perform to carry out operating system
Startup process.
Device the most according to claim 6, it is characterised in that:
Described operating system is embedded OS, and the file to be loaded of described operating system includes the bottom literary composition of operating system
Part and the executable file of operating system.
Device the most according to claim 6, it is characterised in that: described security measurement value includes file signature value, wherein, institute
State file signature value and refer to the system authentication private key hash value precalculated signature value to each normative document of operating system;
System start-up module, is additionally operable to obtain described system authentication PKI, it is judged that described system authentication PKI and calculating described
The hash value of file to be loaded is the most corresponding with described signature value;
The most then perform the step of the described file to be loaded of described loading.
Device the most according to claim 6, it is characterised in that: after the system file of operating system has loaded, described
Method also includes:
Application authorization module, for carrying out safety certification to system application to be loaded and third-party application.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610613787.8A CN106156635A (en) | 2016-07-29 | 2016-07-29 | Method for starting terminal and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610613787.8A CN106156635A (en) | 2016-07-29 | 2016-07-29 | Method for starting terminal and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN106156635A true CN106156635A (en) | 2016-11-23 |
Family
ID=57327844
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610613787.8A Pending CN106156635A (en) | 2016-07-29 | 2016-07-29 | Method for starting terminal and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106156635A (en) |
Cited By (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106778380A (en) * | 2016-11-28 | 2017-05-31 | 昆山国显光电有限公司 | The lighting method and system of screen |
| CN108228263A (en) * | 2016-12-12 | 2018-06-29 | 北京小米移动软件有限公司 | The method and device that system starts |
| CN108734014A (en) * | 2017-04-20 | 2018-11-02 | 深圳兆日科技股份有限公司 | Cryptographic data authentication method and apparatus, code data guard method and device |
| CN109840409A (en) * | 2018-12-29 | 2019-06-04 | 北京深思数盾科技股份有限公司 | Core board and core board start method |
| CN110521166A (en) * | 2017-04-05 | 2019-11-29 | 西门子股份公司 | For ensuring method, computer program, computer readable storage medium and the device of the authenticity of at least one device attribute value |
| CN110691265A (en) * | 2019-10-10 | 2020-01-14 | 四川虹微技术有限公司 | Television payment method and system based on voiceprint recognition |
| CN111541553A (en) * | 2020-07-08 | 2020-08-14 | 支付宝(杭州)信息技术有限公司 | Trusted starting method and device of block chain all-in-one machine |
| CN111538996A (en) * | 2020-07-08 | 2020-08-14 | 支付宝(杭州)信息技术有限公司 | Trusted starting method and device of block chain all-in-one machine |
| CN112269609A (en) * | 2020-11-20 | 2021-01-26 | 深圳市友华通信技术有限公司 | Safe starting method and device of embedded linux equipment |
| CN112328326A (en) * | 2020-11-16 | 2021-02-05 | 北京智芯微电子科技有限公司 | Embedded operating system trusted starting method based on security chip and master control system |
| CN112395021A (en) * | 2020-10-26 | 2021-02-23 | 中国电力科学研究院有限公司 | Electric power metering equipment application software loading control method and device |
| CN114756905A (en) * | 2022-06-13 | 2022-07-15 | 惠州大亚湾华北工控实业有限公司 | Method and device for realizing mainboard anti-counterfeiting and BIOS protection and control mainboard |
| US11616636B2 (en) | 2020-07-08 | 2023-03-28 | Alipay (Hangzhou) Information Technology Co., Ltd. | Hash updating methods and apparatuses of blockchain integrated station |
| CN117272317A (en) * | 2023-09-25 | 2023-12-22 | 中汽智联技术有限公司 | System safety starting method, electronic equipment and storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20050076225A1 (en) * | 2001-12-05 | 2005-04-07 | Talstra Johan Cornelis | Method and apparatus for verifying the intergrity of system data |
| CN101122936A (en) * | 2007-09-21 | 2008-02-13 | 武汉大学 | Embed type platform guiding of credible mechanism |
| CN102244684A (en) * | 2011-07-29 | 2011-11-16 | 电子科技大学 | EFI (Extensible Firmware Interface) trusted Cloud chain guiding method based on USBKey |
| CN103200008A (en) * | 2013-02-28 | 2013-07-10 | 山东超越数控电子有限公司 | Linux identity authentication system and Linux identity authentication method |
-
2016
- 2016-07-29 CN CN201610613787.8A patent/CN106156635A/en active Pending
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20050076225A1 (en) * | 2001-12-05 | 2005-04-07 | Talstra Johan Cornelis | Method and apparatus for verifying the intergrity of system data |
| CN101122936A (en) * | 2007-09-21 | 2008-02-13 | 武汉大学 | Embed type platform guiding of credible mechanism |
| CN102244684A (en) * | 2011-07-29 | 2011-11-16 | 电子科技大学 | EFI (Extensible Firmware Interface) trusted Cloud chain guiding method based on USBKey |
| CN103200008A (en) * | 2013-02-28 | 2013-07-10 | 山东超越数控电子有限公司 | Linux identity authentication system and Linux identity authentication method |
Cited By (22)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106778380B (en) * | 2016-11-28 | 2019-11-19 | 昆山国显光电有限公司 | The lighting method and system of screen |
| CN106778380A (en) * | 2016-11-28 | 2017-05-31 | 昆山国显光电有限公司 | The lighting method and system of screen |
| CN108228263A (en) * | 2016-12-12 | 2018-06-29 | 北京小米移动软件有限公司 | The method and device that system starts |
| US11256796B2 (en) | 2017-04-05 | 2022-02-22 | Siemens Aktiengesellschaft | Ensuring authenticity of at least one value of a device property |
| CN110521166A (en) * | 2017-04-05 | 2019-11-29 | 西门子股份公司 | For ensuring method, computer program, computer readable storage medium and the device of the authenticity of at least one device attribute value |
| CN110521166B (en) * | 2017-04-05 | 2021-09-10 | 西门子股份公司 | Method, apparatus and computer storage medium for ensuring authenticity of at least one run value of a device attribute |
| CN108734014A (en) * | 2017-04-20 | 2018-11-02 | 深圳兆日科技股份有限公司 | Cryptographic data authentication method and apparatus, code data guard method and device |
| CN109840409A (en) * | 2018-12-29 | 2019-06-04 | 北京深思数盾科技股份有限公司 | Core board and core board start method |
| CN110691265B (en) * | 2019-10-10 | 2021-04-20 | 四川虹微技术有限公司 | Television payment method and system based on voiceprint recognition |
| CN110691265A (en) * | 2019-10-10 | 2020-01-14 | 四川虹微技术有限公司 | Television payment method and system based on voiceprint recognition |
| CN111538996A (en) * | 2020-07-08 | 2020-08-14 | 支付宝(杭州)信息技术有限公司 | Trusted starting method and device of block chain all-in-one machine |
| CN111541553A (en) * | 2020-07-08 | 2020-08-14 | 支付宝(杭州)信息技术有限公司 | Trusted starting method and device of block chain all-in-one machine |
| US11604633B2 (en) | 2020-07-08 | 2023-03-14 | Alipay (Hangzhou) Information Technology Co., Ltd. | Trusted startup methods and apparatuses of blockchain integrated station |
| US11616636B2 (en) | 2020-07-08 | 2023-03-28 | Alipay (Hangzhou) Information Technology Co., Ltd. | Hash updating methods and apparatuses of blockchain integrated station |
| CN112395021A (en) * | 2020-10-26 | 2021-02-23 | 中国电力科学研究院有限公司 | Electric power metering equipment application software loading control method and device |
| CN112395021B (en) * | 2020-10-26 | 2024-03-19 | 中国电力科学研究院有限公司 | Power metering equipment application software loading control method and device |
| CN112328326A (en) * | 2020-11-16 | 2021-02-05 | 北京智芯微电子科技有限公司 | Embedded operating system trusted starting method based on security chip and master control system |
| CN112328326B (en) * | 2020-11-16 | 2022-01-14 | 北京智芯微电子科技有限公司 | Embedded operating system trusted starting method based on security chip and master control system |
| CN112269609A (en) * | 2020-11-20 | 2021-01-26 | 深圳市友华通信技术有限公司 | Safe starting method and device of embedded linux equipment |
| CN114756905A (en) * | 2022-06-13 | 2022-07-15 | 惠州大亚湾华北工控实业有限公司 | Method and device for realizing mainboard anti-counterfeiting and BIOS protection and control mainboard |
| CN117272317A (en) * | 2023-09-25 | 2023-12-22 | 中汽智联技术有限公司 | System safety starting method, electronic equipment and storage medium |
| CN117272317B (en) * | 2023-09-25 | 2024-02-23 | 中汽智联技术有限公司 | System safety starting method, electronic equipment and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN106156635A (en) | Method for starting terminal and device | |
| CN109951489B (en) | Digital identity authentication method, equipment, device, system and storage medium | |
| KR101548041B1 (en) | Validation and/or authentication of a device for communication with a network | |
| US9276752B2 (en) | System and method for secure software update | |
| CN107430658B (en) | Security software certification and verifying | |
| US20150113618A1 (en) | Verifying the security of a remote server | |
| CN113168476A (en) | Access control for personalized cryptography security in operating systems | |
| CN110795126A (en) | Firmware safety upgrading system | |
| CN107194237B (en) | Method and device for application program security authentication, computer equipment and storage medium | |
| CN108496323B (en) | Certificate importing method and terminal | |
| CN101377803B (en) | Method and system for implementing start-up protection | |
| JP6387908B2 (en) | Authentication system | |
| CN102456102A (en) | Method for carrying out identity recertification on particular operation of information system by using Usb key technology | |
| US20150013003A1 (en) | Verification application, method, electronic device and computer program | |
| CN114257376A (en) | Digital certificate updating method and device, computer equipment and storage medium | |
| CN110730079B (en) | System for safe starting and trusted measurement of embedded system based on trusted computing module | |
| CN109474431A (en) | Client certificate method and computer readable storage medium | |
| CN111600701A (en) | Private key storage method and device based on block chain and storage medium | |
| CN103281188A (en) | Method and system for backing up private key in electronic signature token | |
| CN116032484A (en) | Method and device for safely starting communication equipment and electronic equipment | |
| CN106100853B (en) | Mobile terminal safety authentication method and device | |
| CN106599619A (en) | Verification method and device | |
| CN101377804A (en) | Method and system for implementing start-up protection | |
| CN106533685B (en) | Identity authentication method, device and system | |
| CN114329522A (en) | Private key protection method, device, system and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20161123 |
|
| RJ01 | Rejection of invention patent application after publication |