CN106599677A - Password control system and control method used for baseboard management controller - Google Patents

Info

Publication number
CN106599677A
Authority
CN (China)
Prior art keywords
module, password, data, credible, management controller
Legal status
Pending
Application number
CN201611206630.XA
Other languages
Chinese (zh)
Inventor
苏振宇
Current Assignee
Zhengzhou Yunhai Information Technology Co Ltd
Original Assignee
Zhengzhou Yunhai Information Technology Co Ltd
Priority date
2016-12-23
Filing date
2016-12-23
Publication date
2017-04-26
Application filed by Zhengzhou Yunhai Information Technology Co Ltd
Priority to CN201611206630.XA
Publication of CN106599677A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information

Abstract

The invention provides a cryptographic control system and control method for a baseboard management controller (BMC); the Chinese term is rendered "password control" in the title. The system comprises a trusted cryptography module (TCM) connected to a cryptographic control module, which in turn is connected to the ARM processor of the BMC. The cryptographic control module comprises: a command register that stores the different command parameters the TCM requires during computation; a length register that stores the total length of the data waiting to be sent to the TCM; a control register whose status bits are set to control the TCM's different operations; and a RAM data conversion module that converts the parallel data to be computed into serial data for transmission to the TCM. The scheme realises control of the TCM, so that the BMC on a server mainboard can be security-hardened, and it uses an IIC (I2C) interface, so the design can conveniently be implemented in a hardware description language.

Description

Password control system and control method for a baseboard management controller
Technical field
The present invention relates to the field of computer security, and in particular to a cryptographic control system and control method based on a baseboard management controller.
Background art
The BMC is the baseboard management controller on a server mainboard; it provides remote management of the server through a virtual keyboard, display, mouse, power control and the like. Using the BMC, a user monitors the physical state of the server, such as the temperature of each component, voltages, fan operating state, power supply and chassis intrusion. As a relatively independent management control unit inside the server, the BMC carries security risks of its own, such as implanted malicious code. In addition, when a user manages the server remotely through the BMC, improper security configuration (no dedicated network, weak authentication, low password complexity and other unsafe practices) can create security risks during operation.
With the development of China's information technology and the rising level of its chip manufacturing process, China now has the ability to develop and manufacture domestic BMC chips, but the safety and trustworthiness of the BMC firmware cannot be guaranteed in application: the firmware may be tampered with and its integrity violated. The TCM is the domestic trusted cryptography module; as the root of trust of the system platform, it provides symmetric and asymmetric cryptographic algorithms, cryptographic hash algorithms, and key generation and storage.
On this basis, the present invention proposes a design method for a TCM controller based on the IIC interface of a domestic BMC. Inside the domestic BMC, a TCM controller using the IIC interface interacts with the TCM module; during BMC start-up, the TCM measures the integrity of each functional unit, ensuring that the programs are intact and that no malicious code has been implanted, thereby ensuring that the execution environment of the system platform is trustworthy and helping to improve the core competitiveness of domestic BMC chips.
Summary of the invention
The purpose of the present invention is to address the deficiencies of the prior art by providing a cryptographic control system and control method based on a baseboard management controller. The scheme realises control of the trusted cryptography module, achieves security hardening of the baseboard management controller on the server mainboard, and uses the IIC interface, i.e. the SDA data signal line, so that the design can easily be implemented in a hardware description language.
This scheme is achieved by the following technical measures. A cryptographic control system for a baseboard management controller comprises a trusted cryptography module and is characterised in that the trusted cryptography module is connected to a cryptographic control module, and the cryptographic control module is connected to the ARM processor of the baseboard management controller.
The cryptographic control module comprises the following modules: a command register, used to store the different command parameters required by the trusted cryptography module during computation, the trusted cryptography module completing the corresponding operation according to the command parameter; a length register, used to store the total length, in bytes, of the data waiting to be sent to the trusted cryptography module; a control register, whose corresponding status bits are set to control the different operations of the trusted cryptography module; and a RAM data conversion module, which converts the parallel data awaiting computation into serial data so that it can be sent to the trusted cryptography module over the single bus of the IIC interface. After the trusted cryptography module completes its computation, the RAM data conversion module assembles the serial data returned by the trusted cryptography module into parallel data for the ARM processor to read.
The length of the command register is 8 bits.
The length of the length register is 8 bits.
The length of the control register is 8 bits.
The size of the RAM data conversion module is 1 KB.
The operations include encryption and decryption, hash algorithms and key generation.
A cryptographic control method for a baseboard management controller is characterised in that it comprises the following steps:
1) On system power-up, the cryptographic control module enters the idle state and waits for an instruction from the ARM processor;
2) After the cryptographic control module receives the start instruction from the ARM processor, it synchronises its output signals with its input signals;
3) The cryptographic control module writes the specific instruction word for the trusted cryptography module's computation into the command register, and writes the length of the data to be sent to the trusted cryptography module into the length register;
4) The cryptographic control module writes the command word into the RAM data conversion module and, according to the value of the length register, writes into the RAM data conversion module the specific data that the trusted cryptography module is to process;
5) The data in the RAM data conversion module, which was written in byte-wide form, is converted to bit-wide output and sent to the trusted cryptography module over the SDA data signal line;
6) The trusted cryptography module starts the corresponding computation according to the command word and data it has read, and after the computation completes it enters the state of waiting for the result to be read;
7) The cryptographic control module reads the computation result of the trusted cryptography module over the SDA data signal line and writes the data into the RAM data conversion module;
8) The cryptographic control module regroups the stored bits into byte format for the ARM processor to read.
The beneficial effects of this scheme follow from the description above: because the cryptographic control module in this scheme comprises three registers and one RAM data conversion area, with an 8-bit word length, it realises data exchange, storage and control with the trusted cryptography module. Compared with the prior art, the present invention has prominent substantive features and marked progress, and the beneficial effects of its implementation are also evident.
Description of the drawings
Fig. 1 is a structural diagram of the specific embodiment of the invention.
Specific embodiment
The technical features of this scheme are explained clearly below through a specific embodiment, with reference to its accompanying drawing.
As can be seen from the drawing, the cryptographic control system for a baseboard management controller of this scheme comprises a trusted cryptography module and is characterised in that the trusted cryptography module is connected to a cryptographic control module, and the cryptographic control module is connected to the ARM processor of the baseboard management controller. The signal lines of the cryptographic control module (TCM controller) connect to the trusted cryptography module (TCM) as follows: the SCL signal line connects to the clk pin of the TCM module; the SDA signal line connects to the GPIO pin of the TCM module; the NRESET signal line connects to the reset pin of the TCM module.
The cryptographic control module comprises the following modules: a command register, used to store the different command parameters required by the trusted cryptography module during computation, the trusted cryptography module completing the corresponding operation according to the command parameter; a length register, used to store the total length, in bytes, of the data waiting to be sent to the trusted cryptography module; a control register, whose corresponding status bits are set to control the different operations of the trusted cryptography module; and a RAM data conversion module, which converts the parallel data awaiting computation into serial data so that it can be sent to the trusted cryptography module over the single bus of the IIC interface. After the trusted cryptography module completes its computation, the RAM data conversion module assembles the serial data returned by the trusted cryptography module into parallel data for the ARM processor to read. The length of the command register is 8 bits. The length of the length register is 8 bits. The length of the control register is 8 bits. The size of the RAM data conversion module is 1 KB. The operations include encryption and decryption, hash algorithms and key generation.
A cryptographic control method for a baseboard management controller based on the above system comprises the following steps:
1) On system power-up, the cryptographic control module enters the idle state and waits for an instruction from the ARM processor;
2) After the cryptographic control module receives the start instruction from the ARM processor, it synchronises its output signals with its input signals;
3) The cryptographic control module writes the specific instruction word for the trusted cryptography module's computation into the command register, and writes the length of the data to be sent to the trusted cryptography module into the length register;
4) The cryptographic control module writes the command word into the RAM data conversion module and, according to the value of the length register, writes into the RAM data conversion module the specific data that the trusted cryptography module is to process;
5) The data in the RAM data conversion module, which was written in byte-wide form, is converted to bit-wide output and sent to the trusted cryptography module over the SDA data signal line;
6) The trusted cryptography module starts the corresponding computation according to the command word and data it has read, and after the computation completes it enters the state of waiting for the result to be read;
7) The cryptographic control module reads the computation result of the trusted cryptography module over the SDA data signal line and writes the data into the RAM data conversion module;
8) The cryptographic control module regroups the stored bits into byte format for the ARM processor to read.
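The register layout and the eight-step sequence above, as an added Python model that is not part of the patent or any TCM vendor's code. It assumes a control-register bit layout (START/BUSY/DONE), an MSB-first bit order on the SDA line, a single command word, and uses SHA-256 as a stand-in for the TCM's own hash algorithm; because the length register is 8 bits wide, a single transfer is bounded to 255 bytes even though the RAM conversion area is 1 KB, and the model rejects anything larger.

```python
import hashlib

RAM_SIZE = 1024      # page: the RAM data conversion module is 1 KB
REG_MASK = 0xFF      # page: command, length and control registers are 8 bits wide

# Control-register status bits: the page says status bits drive the TCM; this layout is assumed
CTRL_START, CTRL_BUSY, CTRL_DONE = 0x01, 0x02, 0x04
CMD_HASH = 0x01      # assumed command word for the TCM hash operation


def parallel_to_serial(data: bytes) -> list:
    """Step 5: emit bytes from RAM bit by bit on the SDA line, MSB first (assumed bit order)."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def serial_to_parallel(bits: list) -> bytes:
    """Steps 7-8: regroup bits read from SDA into bytes for the ARM processor."""
    if len(bits) % 8:
        raise ValueError("SDA bit stream is not byte aligned")
    return bytes(sum(b << (7 - i) for i, b in enumerate(bits[k:k + 8]))
                 for k in range(0, len(bits), 8))


class TcmStub:
    """Stand-in for the TCM: takes a command word and serial data, answers with a serial result."""
    def __init__(self):
        self.waiting_for_read = False
        self._result = b""

    def receive(self, cmd: int, bits: list) -> None:
        if cmd != CMD_HASH:
            raise ValueError("unsupported command word 0x%02x" % cmd)
        self._result = hashlib.sha256(serial_to_parallel(bits)).digest()  # stand-in for the TCM hash
        self.waiting_for_read = True                   # step 6: computed, wait for the read

    def send(self) -> list:
        self.waiting_for_read = False
        return parallel_to_serial(self._result)


class CipherControlModule:
    """Model of the controller: three 8-bit registers plus the 1 KB RAM conversion area."""
    def __init__(self, tcm: TcmStub):
        self.tcm = tcm
        self.cmd = self.length = self.control = 0      # step 1: idle after power-on
        self.ram = bytearray(RAM_SIZE)

    def start(self) -> None:                           # step 2: ARM issues the start instruction
        self.control = (self.control | CTRL_START) & REG_MASK

    def write_command(self, cmd: int, length: int) -> None:  # step 3: command word and byte count
        if not 0 < length <= REG_MASK:
            raise ValueError("8-bit length register bounds one transfer to 1..255 bytes")
        self.cmd, self.length = cmd & REG_MASK, length

    def write_data(self, data: bytes) -> None:         # step 4: ARM fills the RAM area
        if len(data) != self.length:
            raise ValueError("data size does not match the length register")
        self.ram[:len(data)] = data

    def run(self) -> bytes:                            # steps 5-8: serialize, compute, read back
        if not self.control & CTRL_START:
            raise RuntimeError("start bit not set in the control register")
        self.control = CTRL_BUSY
        self.tcm.receive(self.cmd, parallel_to_serial(bytes(self.ram[:self.length])))
        result = serial_to_parallel(self.tcm.send())   # step 7: result bits arrive over SDA
        self.ram[:len(result)] = result                # step 8: bytes ready for the ARM processor
        self.control = CTRL_DONE
        return result


def hash_via_controller(data: bytes) -> bytes:
    """Drive the full eight-step sequence for one hash operation and return the digest."""
    ctrl = CipherControlModule(TcmStub())
    ctrl.start()
    ctrl.write_command(CMD_HASH, len(data))
    ctrl.write_data(data)
    return ctrl.run()
```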
The present invention is not limited to the specific embodiment described above; changes, modifications, additions or substitutions made by persons of ordinary skill in the art within the essential scope of the present invention also fall within its protection scope.

Claims (7)

1. A cryptographic control system for a baseboard management controller, comprising a trusted cryptography module, characterised in that the trusted cryptography module is connected to a cryptographic control module, and the cryptographic control module is connected to the ARM processor of the baseboard management controller;
the cryptographic control module comprises the following modules:
a command register, used to store the different command parameters required by the trusted cryptography module during computation, the trusted cryptography module completing the corresponding operation according to the command parameter;
a length register, used to store the total length, in bytes, of the data waiting to be sent to the trusted cryptography module;
a control register, whose corresponding status bits are set to control the different operations of the trusted cryptography module;
a RAM data conversion module, which converts the parallel data awaiting computation into serial data so that it can be sent to the trusted cryptography module over the single bus of the IIC interface; after the trusted cryptography module completes its computation, the RAM data conversion module assembles the serial data returned by the trusted cryptography module into parallel data for the ARM processor to read.
2. The cryptographic control system for a baseboard management controller according to claim 1, characterised in that the length of the command register is 8 bits.
3. The cryptographic control system for a baseboard management controller according to claim 1 or 2, characterised in that the length of the length register is 8 bits.
4. The cryptographic control system for a baseboard management controller according to claim 1 or 2, characterised in that the length of the control register is 8 bits.
5. The cryptographic control system for a baseboard management controller according to claim 1 or 2, characterised in that the size of the RAM data conversion module is 1 KB.
6. The cryptographic control system for a baseboard management controller according to claim 1, characterised in that the operations include encryption and decryption, hash algorithms and key generation.
7. A cryptographic control method for a baseboard management controller, characterised in that it comprises the following steps:
1) On system power-up, the cryptographic control module enters the idle state and waits for an instruction from the ARM processor;
2) After the cryptographic control module receives the start instruction from the ARM processor, it synchronises its output signals with its input signals;
3) The cryptographic control module writes the specific instruction word for the trusted cryptography module's computation into the command register, and writes the length of the data to be sent to the trusted cryptography module into the length register;
4) The cryptographic control module writes the command word into the RAM data conversion module and, according to the value of the length register, writes into the RAM data conversion module the specific data that the trusted cryptography module is to process;
5) The data in the RAM data conversion module, which was written in byte-wide form, is converted to bit-wide output and sent to the trusted cryptography module over the SDA data signal line;
6) The trusted cryptography module starts the corresponding computation according to the command word and data it has read, and after the computation completes it enters the state of waiting for the result to be read;
7) The cryptographic control module reads the computation result of the trusted cryptography module over the SDA data signal line and writes the data into the RAM data conversion module;
8) The cryptographic control module regroups the stored bits into byte format for the ARM processor to read.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611206630.XA CN106599677A (en) 2016-12-23 2016-12-23 Password control system and control method used for baseboard management controller

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611206630.XA CN106599677A (en) 2016-12-23 2016-12-23 Password control system and control method used for baseboard management controller

Publications (1)

Publication Number Publication Date
CN106599677A true CN106599677A (en) 2017-04-26

Family

ID=58601087

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611206630.XA Pending CN106599677A (en) 2016-12-23 2016-12-23 Password control system and control method used for baseboard management controller

Country Status (1)

Country Link
CN (1) CN106599677A (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104200148A (en) * 2014-08-25 2014-12-10 浪潮集团有限公司 Smart card redundancy switching method based on independently domestic redundancy server
CN104486127A (en) * 2014-12-22 2015-04-01 浪潮集团有限公司 Redundancy trusted server management method based on trusted management unit
CN105550579A (en) * 2016-02-02 2016-05-04 浪潮电子信息产业股份有限公司 Method for measuring BMC integrity on basis of TPCM
CN106127056A (en) * 2016-06-20 2016-11-16 浪潮电子信息产业股份有限公司 A kind of method for designing of domestic BMC chip trusted firmware
CN106228088A (en) * 2016-08-11 2016-12-14 浪潮电子信息产业股份有限公司 A kind of method for designing of SM4 Algorithm IP based on domestic BMC chip

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
沈昌祥 et al.: "Trusted computing architecture framework based on the domestic cryptographic system", Journal of Cryptologic Research (《密码学报》) *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107168904A (en) * 2017-05-10 2017-09-15 郑州云海信息技术有限公司 A kind of TCM control systems and method based on BMCSPI interfaces
CN110119623A (en) * 2018-02-06 2019-08-13 北京可信华泰信息技术有限公司 A kind of credible main board implementation method for realizing that firmware is actively measured using TPCM
CN110781527A (en) * 2019-09-29 2020-02-11 苏州浪潮智能科技有限公司 Control register protection method and device
CN110781527B (en) * 2019-09-29 2022-02-22 苏州浪潮智能科技有限公司 Control register protection method and device
CN117112474A (en) * 2023-10-23 2023-11-24 湖南博匠信息科技有限公司 Universal trusted substrate management method and system
CN117112474B (en) * 2023-10-23 2024-01-02 湖南博匠信息科技有限公司 Universal trusted substrate management method and system

Legal Events

Date Code Title Description
20170426 PB01 Publication (application publication date)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication