CN106228091A - A kind of safe firmware validation update method - Google Patents
Publication number: CN106228091A (application CN201610554448.7A)
Authority: CN (China)
Prior art keywords: firmware, file, firmware file, update method, storage medium
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F21/78 (G—PHYSICS; G06—COMPUTING; CALCULATING OR COUNTING; G06F—ELECTRIC DIGITAL DATA PROCESSING; G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer): to assure secure storage of data
- G06F21/572 (G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities): Secure firmware programming, e.g. of basic input output system [BIOS]
- G06F2221/034 (G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms): Test or assess a computer or a system
Abstract
The invention discloses a secure firmware verification and update method comprising the following steps: S1, during firmware compilation, an ID mark and an encryption-based authentication algorithm are added so that the generated firmware file can be verified and identified; S2, before the firmware's boot process finally hands control to the operating system, the storage medium is set to a write-protected locked state; S3, the firmware refresh program is extended with parsing of the firmware file, so that it verifies the legitimacy of the firmware file by decryption and verifies, through the ID mark, that the firmware file matches the mainboard; only a legitimate, matching firmware file is allowed to be flashed. The method provided by the invention blocks malware from destroying or attacking the storage medium while retaining a path for users to legitimately update the firmware; its security is high, it is difficult to crack, and its cost is low.
Description
Technical field
The present invention relates to a kind of safe firmware validation update method.
Background technology
At present, the storage medium for firmware in computers has moved from the LPC/FWH interface to the SPI interface, and firmware manufacturers provide tools under various operating systems for updating the firmware content in the storage medium, which is convenient for the factory and for subsequent firmware updates by users. This, however, necessarily leaves the storage medium in an erasable state, and that erasable state places the firmware in a very dangerous condition: it becomes the main channel through which viruses such as CIH and BMW attack the firmware, bringing great hidden danger to the system's security, reliability and information security.
To this end, chip manufacturers have proposed a locking solution: at the last point of the firmware's execution, before the operating system is called, the firmware storage medium (such as a SPI ROM) is set to Lock mode. In this mode the medium cannot be modified again for the rest of the current power-on session; only after the system restarts is the Lock mode cleared. The user can then no longer update the firmware with a tool under the operating system, and the attack path of viruses such as CIH and BMW is blocked as well. The biggest problem with this approach, however, is that the system cannot update its firmware at all after leaving the factory (unless the storage medium is removed from the mainboard and reflashed with a programmer, which is difficult for ordinary users), while the need to fix bugs discovered after shipment by updating the firmware is common. This solution therefore blocks the attack path well, but it also blocks the normal need to update the firmware and is inevitably inflexible.
It is therefore necessary to design a method that can block malware from destroying or attacking the storage medium while retaining a path for users to legitimately update the firmware.
Summary of the invention
The technical problem to be solved by the present invention is to overcome the defects of the prior art by providing a secure firmware verification and update method.
To solve the above technical problem, the invention provides the following technical scheme:
The secure firmware verification and update method of the present invention comprises the following steps:
S1: during firmware compilation, an ID mark and an encryption-based authentication algorithm are added so that the generated firmware file can be verified and identified. This ensures that the firmware file flashed in the future has not been maliciously tampered with, and that a firmware file which does not correspond to the mainboard is not flashed.
S2: before the firmware's boot process finally hands control to the operating system, the storage medium is set to a write-protected locked state, which prevents attacks by other malware or viruses.
S3: the firmware refresh program is extended with parsing of the firmware file; it verifies the legitimacy of the firmware file by decryption and verifies, through the ID mark, that the firmware file matches the mainboard, so that only a legitimate, matching firmware file is allowed to be flashed.
Further, in step S3, the refresh program is nested inside the original firmware; the user can invoke it during the firmware boot process, or activate this section of firmware-refresh code with a tool under the operating system so that it is executed automatically after a restart.
The beneficial effects achieved by the present invention are:
The method provided by the present invention blocks malware from destroying or attacking the storage medium while retaining a path for users to legitimately update the firmware; its security is high, it is difficult to crack, and its cost is low.
Accompanying drawing explanation
The accompanying drawings are provided to give a further understanding of the present invention and form part of the description; together with the embodiments of the present invention they serve to explain the invention and are not intended to limit it. In the drawings:
Fig. 1 is the refresh flow chart under the BIOS Setup interface;
Fig. 2 is the refresh flow chart under the operating system.
Detailed description of the invention
The preferred embodiments of the present invention are described below with reference to the accompanying drawings; it should be understood that the preferred embodiments described here serve only to illustrate and explain the invention and are not intended to limit it.
As shown in Fig. 1 and Fig. 2, a BIOS ID and an encryption algorithm are added to the UEFI BIOS to produce an encrypted UEFI BIOS file. Before refreshing, and before the existing UEFI BIOS refresh procedure is called, the legitimacy of this UEFI BIOS file is verified to confirm that the file has not been tampered with, and it is compared against the ID of the BIOS already on the mainboard to confirm that the wrong file has not been chosen. The existing firmware then performs the flashing action at the specific stage and completes the firmware update.
1. The BIOS keeps the SPI ROM in the write-protected locked state before the operating system is started;
2. The BIOS file has ID encryption added when it is compiled and generated;
3. The BIOS refresh procedure verifies the input BIOS file and checks its ID before refreshing;
4. Activation of the refresh procedure in the BIOS has been developed in two ways:
A) A flashing function is provided under the BIOS Setup interface. The BIOS first provides support for file formats such as FAT, NTFS, EXT, EXT2 and EXT3 and offers the user a function under the Setup interface to select a BIOS file. The file selected by the user is subjected to the encryption verification and ID check described above; once it is confirmed to be correct, the SPI ROM flashing function is called to complete the BIOS update.
B) Update software under the operating system activates the flashing function in the BIOS. After the update software reads the encrypted BIOS file into memory, it performs the encryption verification and ID check described above; once the file is confirmed to be correct, it records the position of the BIOS file in memory through a specific mechanism and sets a notice for the BIOS to call the refresh function at the next boot. After these records are completed, the system is allowed to restart once; when the current BIOS sees the special flag record, it calls the BIOS refresh code to complete the BIOS update.
Finally, it should be noted that the above are only the preferred embodiments of the present invention and do not limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, a person skilled in the art can still modify the technical scheme described in the foregoing embodiments or replace some of its technical features with equivalents. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Claims (2)
1. A secure firmware verification and update method, characterised in that it comprises the following steps:
S1: during firmware compilation, an ID mark and an encryption-based authentication algorithm are added so that the generated firmware file can be verified and identified;
S2: before the firmware's boot process finally hands control to the operating system, the storage medium is set to a write-protected locked state;
S3: the firmware refresh program is extended with parsing of the firmware file; the legitimacy of the firmware file is verified by decryption and, through the ID mark, the match between the firmware file and the mainboard is verified, so that only a legitimate, matching firmware file is allowed to be flashed.
2. The secure firmware verification and update method according to claim 1, characterised in that in step S3 the refresh program is nested inside the original firmware, and the user can invoke it during the firmware boot process, or activate this section of firmware-refresh code with a tool under the operating system so that it is executed automatically after a restart.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610554448.7A CN106228091A (en) | 2016-07-14 | 2016-07-14 | A kind of safe firmware validation update method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106228091A true CN106228091A (en) | 2016-12-14 |
Family
ID=57520425
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610554448.7A Pending CN106228091A (en) | 2016-07-14 | 2016-07-14 | A kind of safe firmware validation update method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106228091A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110502250A (en) * | 2019-07-12 | 2019-11-26 | 苏州浪潮智能科技有限公司 | A kind of upgrade method and baseboard management controller |
CN111142912A (en) * | 2019-12-29 | 2020-05-12 | 山东英信计算机技术有限公司 | BIOS refreshing method, device and equipment |
CN113360914A (en) * | 2021-05-14 | 2021-09-07 | 山东英信计算机技术有限公司 | BIOS updating method, system, equipment and medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101464933A (en) * | 2007-12-18 | 2009-06-24 | 中国长城计算机深圳股份有限公司 | BIOS write protection method and system |
CN102467626A (en) * | 2010-11-10 | 2012-05-23 | 鸿富锦精密工业(深圳)有限公司 | Computer system data protection device and method |
CN104572168A (en) * | 2014-09-10 | 2015-04-29 | 中电科技(北京)有限公司 | BIOS (Basic Input/Output System) self-updating protection system and BIOS self-updating protection method |
Timeline: 2016-07-14, CN, CN201610554448.7A (CN106228091A), active, Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | C06 | Publication | |
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | Application publication date: 20161214 |