CN107145802A - A kind of BIOS integrity measurement methods, baseboard management controller and system - Google Patents
A kind of BIOS integrity measurement methods, baseboard management controller and system Download PDFInfo
- Publication number
- CN107145802A CN107145802A CN201710321574.2A CN201710321574A CN107145802A CN 107145802 A CN107145802 A CN 107145802A CN 201710321574 A CN201710321574 A CN 201710321574A CN 107145802 A CN107145802 A CN 107145802A
- Authority
- CN
- China
- Prior art keywords
- reference value
- bios
- metric
- credible
- trusted status
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/4401—Bootstrapping
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Virology (AREA)
- Bioethics (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides a kind of BIOS integrity measurement methods, baseboard management controller and system, this method stores a reference value by collecting BIOS startup code Boot Black a reference value;When receiving startup request, the identification information of active flag position is read;Whether be for the first time start mark, if it is not, then the measurement startup code Boot Black, obtain metric if judging the identification information;The metric and a reference value of storage are contrasted, judge whether the metric is consistent with a reference value, if it is, setting the first trusted status to identify, determines that the BIOS is complete;Otherwise, set the second trusted status to identify, determine that the BIOS is imperfect.The scheme that the present invention is provided ensure that BMC clean boot.
Description
Technical field
The present invention relates to field of computer technology, more particularly to a kind of BIOS integrity measurement methods, substrate management control
Device and system.
Background technology
Baseboard management controller (BaseboardManagement Controller, BMC) it is main by virtual keyboard,
Mouse, interface and power supply etc. provide the temperature of each part of remote management capability such as monitoring server, voltage, wind for server
Fan the physical features such as working condition and power supply supply.And once BMC can influence the normal work of server by malicious attack.
Especially after malicious code is implanted in BMC start-up courses, can usually server be caused to run by BMC remotely administered servers
During security risk.Thus it is guaranteed that BMC clean boot turns into key issue urgently to be resolved hurrily.
The content of the invention
The embodiments of the invention provide a kind of BIOS integrity measurement methods, baseboard management controller and system, it is ensured that
BMC clean boot.
A kind of BIOS integrity measurement methods, collect BIOS startup code Boot Black a reference value, and store institute
State a reference value;Also include:
When receiving startup request, the identification information of active flag position is read;
Whether be for the first time start mark, if it is not, then the measurement startup code Boot if judging the identification information
Black, obtains metric;
The a reference value of the metric and storage is contrasted, judges whether are the metric and a reference value
Unanimously, if it is, setting the first trusted status to identify, determine that the BIOS is complete;Otherwise, the second trusted status mark is set
Know, determine that the BIOS is imperfect.
Preferably, the above method further comprises:SM3 hash algorithms are set;
The startup code Boot Black of collection BIOS a reference value, including:
When reading the identification information of active flag position to start mark first_boot_flag=1 for the first time, call
The SM3 hash algorithms, carry out hash computing to the startup code Boot Black, obtain 256bit a reference value.
Preferably, the above method further comprises:Build SM4 symmetry algorithms and SM4 encryption keys;
After the startup code Boot Black of collection BIOS a reference value, the storage a reference value it
Before, further comprise:Call the SM4 symmetry algorithms and SM4 encryption keys that a reference value is encrypted;
The storage a reference value, including:A reference value after storage encryption.
Preferably, the above method further comprises:Build the SM4 decruption key corresponding with the SM4 encryption keys;
In the measurement the startups code Boot Black, after obtaining metric, it is described by the metric and
Before a reference value of storage is contrasted, further comprise:
Call the SM4 symmetry algorithms and the SM4 decruption keys that a reference value after the encryption is decrypted.
Preferably,
Identify, after determining that the BIOS is complete, further comprise in the first trusted status of the setting:
The identification information is revised as first_boot_flag=0.
Preferably,
The first trusted status mark, including:Trust_flag=1;
The second trusted status mark, including:Trust_flag=0.
A kind of baseboard management controller, including:Credible metric element, memory cell and credible verification unit, wherein,
The credible metric element, a reference value of the startup code Boot Black for collecting BIOS;Opened when receiving
During dynamic request, the identification information of active flag position is read;Whether judge the identification information is to start mark for the first time, if
It is no, then the startup code Boot Black are measured, metric is obtained;
The memory cell, for storing a reference value that the credible metric element is collected;
The credible verification unit, for the metric for obtaining the credible metric element measurement and the storage
The a reference value of unit storage is contrasted, and judges whether the metric is consistent with a reference value, if it is, setting
First trusted status is identified, and determines that the BIOS is complete;Otherwise, set the second trusted status to identify, determine that the BIOS is endless
It is whole.
Preferably,
The credible metric element, is further used for setting SM3 hash algorithms;When the mark letter for reading active flag position
Cease to start for the first time during mark first_boot_flag=1, call the SM3 hash algorithms, to the startup code Boot
Black carries out hash computing, obtains 256bit a reference value.
Preferably,
The credible metric element, is further used for building SM4 symmetry algorithms and SM4 encryption keys;And by calling
State SM4 symmetry algorithms and a reference value is encrypted SM4 encryption keys, a reference value after storage encryption.
Preferably, aforesaid substrate Management Controller, further comprises:
Unit is revised, for being provided with the first trusted status mark when the credible verification unit, determines that the BIOS is complete
When whole, the identification information that the credible metric element is read is revised as first_boot_flag=0.
Preferably, aforesaid substrate Management Controller, further comprises:
Credible reporting unit, for first trusted status mark or described for setting the credible verification unit
Second trusted status mark is sent to the server of outside.
A kind of BIOS integrity measurements system, including:Any of the above-described described baseboard management controller and at least one clothes
Business device, wherein,
Each described server, the control for receiving the baseboard management controller can when receiving described first
It is normal to start when believing status indicator, it is determined that start safety;When receiving the second trusted status mark, it is determined that open
It is dynamic to be attacked, stop starting.
The embodiments of the invention provide a kind of BIOS integrity measurement methods, baseboard management controller and system, due to BMC
Start-up course be mainly BIOS startup code Boot Black running, and once start code Boot Black quilts
Malice is changed or attacked, then causes BIOS integrality to be destroyed, therefore, is obtained by the way that measurement is started into code Boot Black
Metric is contrasted with starting code Boot Black a reference value, when startup code Boot Black do not change,
Metric is consistent with a reference value, illustrates that BIOS is complete, is not tampered with, and once starts code Boot Black and change, and spends
Value is then inconsistent with a reference value, illustrates that BIOS is tampered, therefore, and the present invention is by BIOS integrity measurements, it is ensured that BMC
Clean boot.
Brief description of the drawings
In order to illustrate more clearly about the embodiment of the present invention or technical scheme of the prior art, below will be to embodiment or existing
There is the accompanying drawing used required in technology description to be briefly described, it should be apparent that, drawings in the following description are the present invention
Some embodiments, for those of ordinary skill in the art, on the premise of not paying creative work, can also basis
These accompanying drawings obtain other accompanying drawings.
Fig. 1 is a kind of flow chart for BIOS integrity measurement methods that one embodiment of the invention is provided;
Fig. 2 is a kind of flow chart for BIOS integrity measurement methods that another embodiment of the present invention is provided;
Fig. 3 is a kind of structural representation for baseboard management controller that one embodiment of the invention is provided;
Fig. 4 is a kind of structural representation for baseboard management controller that another embodiment of the present invention is provided;
Fig. 5 is a kind of structural representation for baseboard management controller that another embodiment of the invention is provided;
Fig. 6 is the structural representation for the BIOS integrity measurement systems that one embodiment of the invention is provided.
Embodiment
To make the purpose, technical scheme and advantage of the embodiment of the present invention clearer, below in conjunction with the embodiment of the present invention
In accompanying drawing, the technical scheme in the embodiment of the present invention is clearly and completely described, it is clear that described embodiment is
A part of embodiment of the present invention, rather than whole embodiments, based on the embodiment in the present invention, those of ordinary skill in the art
The every other embodiment obtained on the premise of creative work is not made, belongs to the scope of protection of the invention.
As shown in figure 1, the embodiments of the invention provide a kind of BIOS integrity measurement methods, this method can include following
Step:
Step 101:BIOS startup code Boot Black a reference value is collected, and stores a reference value;
Step 102:When receiving startup request, the identification information of active flag position is read;
Step 103:Whether judge the identification information is to start mark for the first time, if it is, step 104 is performed, it is no
Then, step 105 is performed;
Step 104:The measurement startup code Boot Black, obtain a reference value, and terminate current process;
Step 105:The measurement startup code Boot Black, obtain metric;
Step 106:The metric and a reference value of storage are contrasted, the metric and the base is judged
Whether quasi- value is consistent, if it is, performing step 107;Otherwise, step 108 is performed;
Step 107:Set the first trusted status to identify, determine that the BIOS is complete, and terminate current process;
Step 108:Set the second trusted status to identify, determine that the BIOS is imperfect.
It is being embodiment shown in Fig. 1, because BMC start-up course is mainly BIOS startup code Boot Black
Running, and once start code Boot Black and be maliciously altered or attack, then cause BIOS integrality to be destroyed,
Therefore, a reference value progress pair that code Boot Black obtain metric and startup code Boot Black is started by that will measure
Than, when startup code Boot Black do not change, metric is consistent with a reference value, illustrates that BIOS is complete, is not tampered with,
And once start code Boot Black and change, metric and a reference value are then inconsistent, illustrate that BIOS is tampered, therefore,
The present invention is by BIOS integrity measurements, it is ensured that BMC clean boot.
In an embodiment of the invention, a reference value for starting code Boot Black, the above method are collected in order to realize
Further comprise:SM3 hash algorithms are set;The embodiment of step 101, including:When the mark for reading active flag position
Information is known to start for the first time during mark first_boot_flag=1, the SM3 hash algorithms is called, to the startup code
Boot Black carry out hash computing, obtain 256bit a reference value.It is BMC during dispatching from the factory that the first time, which starts mark to be,
Set, once the BMC is not to start for the first time, then starting mark for the first time can not be read into, so as to ensure a reference value
Accuracy.
In addition, in step 105, the process measured to starting code Boot Black also uses above-mentioned setting
SM3 hash algorithms, to ensure the uniformity of a reference value and measurement value metric.
Above-mentioned SM3 hash algorithms are l (l mainly to length<264) bit message m, it is raw by filling and Iteration Contraction
Into Hash Value, Hash Value length is 256bit.
Wherein, the filling process of SM3 hash algorithms is:
Assuming that the length of message m is lbit.Bit " 1 " is added to the end of message first, then added k " 0 ", k is full
Sufficient l+1+k ≡ 448mod512 minimum nonnegative integer.Then 64 Bit Strings are added again, and the Bit String is length l
Binary representation.Message m after filling ' bit length be 512 multiple.
Iteration Contraction process:
By the message m after filling ' be grouped by 512bit:M '=B (0) B (1) B (n-1)
Wherein n=(l+k+65)/512.
To m ' iteration in the following manner:
FOR i=0TO n-1
V(i+1)=CF (V(i),B(i))
ENDFOR
Wherein CF is compression function, V(0)For 256bit initial values IV, B(i)It is grouped for the message after filling, Iteration Contraction
As a result it is V(n)。
Then,
Message is grouped B(i)Extension generates 132 word W by the following method0,W1,···,W67,W′0,W′1,···,
W′63, for compression function CF:
A) message is grouped B(i)It is divided into 16 word W0,W1,···,W15。
B) FOR j=16 TO 67
Wj←P1(Wj-16⊕Wj-9⊕(Wj-3< < 15)) ⊕ (Wj-13< < 7) ⊕ Wj-6
ENDFOR
C) FOR j=0 TO 63
W′j=Wj⊕Wj+4
ENDFOR
It is word register to make A, B, C, D, E, F, G, H, SS1, SS2, and TT1, TT2 is intermediate variable, compression function Vi+1=CF
(V(i),B(i)),0≤i≤n-1。
Calculating process is described as follows:
ABCDEFGH←V(i)
FOR j=0 TO 63
SS1 ← ((A < < 12)+E+ (Tj < < j)) < < 7
SS2 ← SS1 ⊕ (A < < 12)
T T1 ← F Fj (A, B, C)+D+SS2+W 'j
T T2 ← GGj (E, F, G)+H+SS1+Wj
D ← CC ← B < < 9
B←A
A←T T1
H←G
G ← F < < 19
F←E
E←P0(T T2)
ENDFOR
V(i+1)←ABCDEFGH⊕V(i)
ABCDEFGH←V(n)
Export 256bit Hash Value y=ABCDEFGH.
In an embodiment of the invention, in order to avoid a reference value is arbitrarily changed, to ensure the security of a reference value, on
The method of stating further comprises:Build SM4 symmetry algorithms and SM4 encryption keys;In the startup code Boot of the collection BIOS
After Black a reference value, before the storage a reference value, further comprise:Call the SM4 symmetry algorithms and
The a reference value is encrypted SM4 encryption keys;The storage a reference value, including:A reference value after storage encryption.
In an embodiment of the invention, the above method further comprises:Build corresponding with the SM4 encryption keys
SM4 decruption keys;In the measurement startup code Boot Black, after obtaining metric, described by the measurement
Before value and a reference value of storage are contrasted, further comprise:The SM4 symmetry algorithms and the SM4 is called to decrypt
A reference value after the encryption is decrypted key.Ensure that can accurately read a reference value of storage.
In above-mentioned SM4 symmetry algorithms, AES and key schedule all take turns nonlinear iteration structure using 32.Decryption
Algorithm is identical with the structure of AES, and simply the use order of round key is on the contrary, decryption round key is the inverse of encryption round key
Sequence.
In an embodiment of the invention, in order to make identification information distinguish initial start-up and non-initial start-up,
Identify, after determining that the BIOS is complete, further comprise in the first trusted status of the setting:The identification information is changed
For first_boot_flag=0;When reading first_boot_flag=0 upon start up, then show that BMC is opened for the first time to be non-
It is dynamic.
In an embodiment of the invention, in order to by read trusted status mark would know that BMC start safely
Whether credible, then first trusted status is identified, including:Trust_flag=1;The second trusted status mark, including:
Trust_flag=0.
As shown in Fig. 2 the embodiments of the invention provide a kind of BIOS integrity measurement methods, this method can include following
Step:
Step 200:SM3 hash algorithms are set, and builds SM4 symmetry algorithms, SM4 encryption keys and adds with the SM4
The corresponding SM4 decruption keys of key;
The SM3 hash algorithms are l (l mainly to length<264) bit message m, by filling and Iteration Contraction, generation
Hash Value, Hash Value length is 256bit.
Wherein, the filling process of SM3 hash algorithms is:
Assuming that the length of message m is lbit.Bit " 1 " is added to the end of message first, then added k " 0 ", k is full
Sufficient l+1+k ≡ 448mod512 minimum nonnegative integer.Then 64 Bit Strings are added again, and the Bit String is length l
Binary representation.Message m after filling ' bit length be 512 multiple.
Iteration Contraction process:
By the message m after filling ' be grouped by 512bit:M '=B (0) B (1) B (n-1)
Wherein n=(l+k+65)/512.
To m ' iteration in the following manner:
FOR i=0 TO n-1
V(i+1)=CF (V(i),B(i))
ENDFOR
Wherein CF is compression function, V(0)For 256bit initial values IV, B(i)It is grouped for the message after filling, Iteration Contraction
As a result it is V(n)。
Then,
Message is grouped B(i)Extension generates 132 word W by the following method0,W1,···,W67,W′0,W′1,···,
W′63, for compression function CF:
A) message is grouped B(i)It is divided into 16 word W0,W1,···,W15。
B) FOR j=16 TO 67
Wj←P1(Wj-16⊕Wj-9⊕(Wj-3< < 15)) ⊕ (Wj-13< < 7) ⊕ Wj-6
ENDFOR
C) FOR j=0 TO 63
W′j=Wj⊕Wj+4
ENDFOR
It is word register to make A, B, C, D, E, F, G, H, SS1, SS2, and TT1, TT2 is intermediate variable, compression function Vi+1=CF
(V(i),B(i)),0≤i≤n-1。
Calculating process is described as follows:
ABCDEFGH←V(i)
FOR j=0 TO 63
SS1 ← ((A < < 12)+E+ (Tj < < j)) < < 7
SS2 ← SS1 ⊕ (A < < 12)
T T1 ← F Fj (A, B, C)+D+SS2+W 'j
T T2 ← GGj (E, F, G)+H+SS1+Wj
D ← C C ← B < < 9
B←A
A←T T1
H←G
G ← F < < 19
F←E
E←P0(T T2)
ENDFOR
V(i+1)←ABCDEFGH⊕V(i)
ABCDEFGH←V(n)
Export 256bit Hash Value y=ABCDEFGH.
In the SM4 symmetry algorithms, AES and key schedule all take turns nonlinear iteration structure using 32.Decryption is calculated
Method is identical with the structure of AES, and simply the use order of round key is on the contrary, decryption round key is the backward of encryption round key.
I.e. above-mentioned SM4 encryption keys and the SM4 decruption key corresponding with the SM4 encryption keys are obtained by SM4 symmetry algorithms
.
Step 201:When receiving startup request, the identification information of active flag position is read;
The identification information of active flag position can be configured when BMC dispatches from the factory, for example, may be configured as first_boot_
Flag=1.
Step 202:Whether be first_boot_flag=1, if it is, performing step if judging the identification information
203, otherwise, perform step 206;
Be that first_boot_flag=1 shows that BMC is initial start-up when reading identification information, be defaulted as it is believable, its
BIOS is complete, real, then can carry out the measurement of a reference value.It is not first_boot_flag when reading identification information
=1, then it is non-initial start-up to illustrate BMC.
Step 203:Call the SM3 hash algorithms;
Step 204:Hash computing is carried out to the startup code Boot Black using the SM3 hash algorithms, obtained
256bit a reference value;
Step 205:Call the SM4 symmetry algorithms and SM4 encryption keys that a reference value of the 256bit is encrypted,
And a reference value of the 256bit after encryption is stored, and perform step 209;
The process of above-mentioned steps 203 to step 205 is mainly the measurement for carrying out a reference value, encryption and stored, in case subsequently
Checking procedure is called.In BMC initial start-ups, acquiescence BIOS is complete, then step 209 is can perform, normally to start server.
Step 206:The measurement startup code Boot Black, obtain metric;
The metrics process of the step is also, by calling SM3 hash algorithms, to be measured using SM3 hash algorithms, to protect
Demonstrate,prove a reference value consistent with the metrics process of metric.
Step 207:The SM4 symmetry algorithms and the SM4 decruption keys are called to the base of the 256bit after the encryption
Quasi- value is decrypted;
A reference value is avoided by above-mentioned encrypting and decrypting arbitrarily to be changed, so as to ensure the comparison process of following step 208
Accuracy.
Step 208:256bit a reference value after the metric and decryption is contrasted, judge the metric and
Whether 256bit a reference value is consistent, if it is, performing step 209;Otherwise, step 211 is performed;
If BIOS startup code Boot Black are not maliciously altered, a reference value and measurement that the step is contrasted
Value is consistent, if be maliciously altered if starting code Boot Black, a reference value and metric that the step is contrasted are not
Unanimously.
Step 209:Set the first trusted status to identify, determine that the BIOS is complete, and the first trusted status is identified into hair
The server of outside is given, so that external server normally starts;
The first trusted status mark that the step is set can be trust_flag=1, i.e., when server gets this
It is normal that trust_flag=1 can then determine that BMC starts, then server will normally start.
Step 210:The identification information is revised as first_boot_flag=0, and terminates current process;
The step is primarily to change initial start-up is identified, can accurately react whether BMC is initial start-up.
Step 211:Set the second trusted status to identify, determine that the BIOS is imperfect, and the second trusted status is identified
The server of outside is sent to, to forbid external server to start;
Step 212:Send abnormal alarm report.
Abnormal alarm report can remind BMC keepers to be handled in time, to ensure that system operation is normal.
In addition, when BIOS startup code Boot Black update or upgraded, then repeating step 203 to step
205, to ensure upgrading in time for a reference value.
As shown in figure 3, the embodiment of the present invention provides a kind of baseboard management controller, including:Credible metric element 301, deposit
Storage unit 302 and credible verification unit 303, wherein,
The credible metric element 301, a reference value of the startup code Boot Black for collecting BIOS;When receiving
When starting request, the identification information of active flag position is read;Whether judge the identification information is to start mark for the first time, if
It is no, then the startup code Boot Black are measured, metric is obtained;
The memory cell 302, for storing a reference value that the credible metric element 301 is collected;
The credible verification unit 303, for the credible metric element 301 to be measured into the obtained metric and institute
The a reference value for stating the storage of memory cell 302 is contrasted, and judges whether the metric is consistent with a reference value, if
It is then to set the first trusted status to identify, determines that the BIOS is complete;Otherwise, the second trusted status is set to identify, it is determined that described
BIOS is imperfect.
In an alternative embodiment of the invention, the credible metric element 301, is further used for setting SM3 hash algorithms;When
The identification information of active flag position is read to start for the first time during mark first_boot_flag=1, calls the SM3 miscellaneous
Gather algorithm, hash computing is carried out to the startup code Boot Black, 256bit a reference value is obtained.
In still another embodiment of the process, the credible metric element 301, be further used for build SM4 symmetry algorithms and
SM4 encryption keys;And by calling the SM4 symmetry algorithms and SM4 encryption keys that a reference value is encrypted, storage adds
A reference value after close.
As shown in figure 4, in the another embodiment of the embodiment of the present invention, aforesaid substrate Management Controller further comprises:
Unit 401 is revised, for being provided with the first trusted status mark when the credible verification unit 303, it is determined that described
When BIOS is complete, the identification information that the credible metric element 301 is read is revised as first_boot_flag=0.
As shown in figure 5, in an alternative embodiment of the invention, aforesaid substrate Management Controller further comprises:
Credible reporting unit 501, for first trusted status mark that sets the credible verification unit 303 or
The second trusted status mark is sent to the server of outside described in person.
The contents such as the information exchange between each unit, implementation procedure in said apparatus, due to implementing with the inventive method
Example is based on same design, and particular content can be found in the narration in the inventive method embodiment, and here is omitted.
As shown in fig. 6, the embodiment of the present invention provides a kind of BIOS integrity measurements system, including:Described in any of the above-described
Baseboard management controller 601 and at least one server 602, wherein,
Each described server 602, the control for receiving the baseboard management controller 601 is described when receiving
It is normal to start when first trusted status is identified, it is determined that start safety;When receiving the second trusted status mark, then
Attacked it is determined that starting, stop starting.
According to such scheme, various embodiments of the present invention at least have the advantages that:
1. because BMC start-up course is mainly BIOS startup code Boot Black running, and once open
Dynamic code Boot Black are maliciously altered or attacked, then cause BIOS integrality to be destroyed, therefore, by the way that measurement is started
Code Boot Black obtain metric and contrasted with starting code Boot Black a reference value, as startup code Boot
When Black does not change, metric is consistent with a reference value, illustrates that BIOS is complete, is not tampered with, and once starts code Boot
Black changes, and metric is then inconsistent with a reference value, illustrates that BIOS is tampered, therefore, and the present invention is by complete to BIOS
Property measurement, it is ensured that BMC clean boot.
2. by SM3 hash algorithm measuring standard values and metric, and by SM4 symmetry algorithms and
A reference value is encrypted SM4 encryption keys, it is ensured that the security and accuracy of a reference value.
3. whether by changing identification information, it is initial start-up that can accurately react BMC, so as to ensure BIOS integralities
The accuracy of measurement;In addition, passing through different trusted status mark such as trust_flag=1, trust_flag=0, Ke Yizhi
The reversed integrality for reflecting BIOS, to control the startup of external server, so as to ensure the security of startup of server.
It should be noted that herein, such as first and second etc relational terms are used merely to an entity
Or operation makes a distinction with another entity or operation, and not necessarily require or imply exist between these entities or operation
Any this actual relation or order.Moreover, term " comprising ", "comprising" or its any other variant be intended to it is non-
It is exclusive to include, so that process, method, article or equipment including a series of key elements not only include those key elements,
But also other key elements including being not expressly set out, or also include solid by this process, method, article or equipment
Some key elements.In the absence of more restrictions, the key element limited by sentence " including one ", is not arranged
Except also there is other identical factor in the process including the key element, method, article or equipment.
One of ordinary skill in the art will appreciate that:Realizing all or part of step of above method embodiment can pass through
Programmed instruction related hardware is completed, and foregoing program can be stored in the storage medium of embodied on computer readable, the program
Upon execution, the step of including above method embodiment is performed;And foregoing storage medium includes:ROM, RAM, magnetic disc or light
Disk etc. is various can be with the medium of store program codes.
It is last it should be noted that:Presently preferred embodiments of the present invention is the foregoing is only, the skill of the present invention is merely to illustrate
Art scheme, is not intended to limit the scope of the present invention.Any modification for being made within the spirit and principles of the invention,
Equivalent substitution, improvement etc., are all contained in protection scope of the present invention.
Claims (10)
1. a kind of BIOS integrity measurement methods, it is characterised in that collect the BIOS a reference value for starting code BootBlack,
And store a reference value;Also include:
When receiving startup request, the identification information of active flag position is read;
Whether judge the identification information is to start mark for the first time, if it is not, then the measurement startup code Boot Black,
Obtain metric;
The a reference value of the metric and storage is contrasted, judge the metric and a reference value whether one
Cause, if it is, setting the first trusted status to identify, determine that the BIOS is complete;Otherwise, the second trusted status is set to identify,
Determine that the BIOS is imperfect.
2. according to the method described in claim 1, it is characterised in that further comprise:SM3 hash algorithms are set;
The startup code Boot Black of collection BIOS a reference value, including:
When reading the identification information of active flag position to start mark first_boot_flag=1 for the first time, call described
SM3 hash algorithms, carry out hash computing to the startup code Boot Black, obtain 256bit a reference value.
3. according to the method described in claim 1, it is characterised in that further comprise:Build SM4 symmetry algorithms and SM4 encryptions
Key;
After the startup code Boot Black of collection BIOS a reference value, before the storage a reference value,
Further comprise:Call the SM4 symmetry algorithms and SM4 encryption keys that a reference value is encrypted;
The storage a reference value, including:A reference value after storage encryption.
4. method according to claim 3, it is characterised in that further comprise:Build relative with the SM4 encryption keys
The SM4 decruption keys answered;
In the measurement the startups code Boot Black, after obtaining metric, it is described by the metric with storing
The a reference value contrasted before, further comprise:
Call the SM4 symmetry algorithms and the SM4 decruption keys that a reference value after the encryption is decrypted.
5. according to any described method of Claims 1-4, it is characterised in that
Identify, after determining that the BIOS is complete, further comprise in the first trusted status of the setting:
The identification information is revised as first_boot_flag=0;
And/or,
The first trusted status mark, including:Trust_flag=1;
The second trusted status mark, including:Trust_flag=0.
6. a kind of baseboard management controller, it is characterised in that including:Credible metric element, memory cell and credible verification unit,
Wherein,
The credible metric element, a reference value of the startup code Boot Black for collecting BIOS;Asked when receiving to start
When asking, the identification information of active flag position is read;Whether judge the identification information is to start mark for the first time, if it is not, then
The measurement startup code Boot Black, obtain metric;
The memory cell, for storing a reference value that the credible metric element is collected;
The credible verification unit, for the metric for obtaining the credible metric element measurement and the memory cell
The a reference value of storage is contrasted, and judges whether the metric is consistent with a reference value, if it is, setting first
Trusted status is identified, and determines that the BIOS is complete;Otherwise, set the second trusted status to identify, determine that the BIOS is imperfect.
7. baseboard management controller according to claim 6, it is characterised in that
The credible metric element, is further used for setting SM3 hash algorithms;When the identification information for reading active flag position is
When starting mark first_boot_flag=1 for the first time, the SM3 hash algorithms are called, to the startup code Boot
Black carries out hash computing, obtains 256bit a reference value;
And/or,
The credible metric element, is further used for building SM4 symmetry algorithms and SM4 encryption keys;And by calling the SM4
The a reference value is encrypted for symmetry algorithm and SM4 encryption keys, a reference value after storage encryption.
8. the baseboard management controller according to claim 6 or 7, it is characterised in that further comprise:
Unit is revised, for being provided with the first trusted status mark when the credible verification unit, when determining that the BIOS is complete,
The identification information that the credible metric element is read is revised as first_boot_flag=0.
9. according to any described baseboard management controller of claim 6 to 8, it is characterised in that further comprise:
Credible reporting unit, for first trusted status mark or described second for setting the credible verification unit
Trusted status mark is sent to the server of outside.
10. a kind of BIOS integrity measurements system, it is characterised in that including:Any described substrate management of claim 6 to 9
Controller and at least one server, wherein,
Each described server, the control for receiving the baseboard management controller, when receiving the described first credible shape
It is normal to start when state is identified, it is determined that start safety;When receiving the second trusted status mark, it is determined that start quilt
Attack, stops starting.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710321574.2A CN107145802A (en) | 2017-05-09 | 2017-05-09 | A kind of BIOS integrity measurement methods, baseboard management controller and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710321574.2A CN107145802A (en) | 2017-05-09 | 2017-05-09 | A kind of BIOS integrity measurement methods, baseboard management controller and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107145802A true CN107145802A (en) | 2017-09-08 |
Family
ID=59777020
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710321574.2A Pending CN107145802A (en) | 2017-05-09 | 2017-05-09 | A kind of BIOS integrity measurement methods, baseboard management controller and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107145802A (en) |
Cited By (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107729069A (en) * | 2017-10-12 | 2018-02-23 | 浪潮(北京)电子信息产业有限公司 | A kind of method, apparatus of clean boot video card, computer-readable recording medium |
CN107784208A (en) * | 2017-11-07 | 2018-03-09 | 湖南长城银河科技有限公司 | A kind of method and device of the empowerment management based on BMC |
CN108549551A (en) * | 2018-04-13 | 2018-09-18 | 浪潮(北京)电子信息产业有限公司 | A kind of the startup method, apparatus and equipment of server network interface card |
CN109144584A (en) * | 2018-07-27 | 2019-01-04 | 浪潮(北京)电子信息产业有限公司 | A kind of programmable logic device and its starting method, system and storage medium |
CN109586920A (en) * | 2018-12-05 | 2019-04-05 | 大唐高鸿信安(浙江)信息科技有限公司 | A kind of trust authentication method and device |
CN109743319A (en) * | 2019-01-03 | 2019-05-10 | 北京工业大学 | A kind of credible starting of network type private server and method for safe operation |
CN109740354A (en) * | 2019-01-03 | 2019-05-10 | 北京工业大学 | The method of BMC credible starting and recurrence after Networking private server lost contact |
CN109784061A (en) * | 2018-12-17 | 2019-05-21 | 北京华胜天成信息技术发展有限公司 | The method and device for starting that control server is credible |
CN110245495A (en) * | 2018-03-09 | 2019-09-17 | 阿里巴巴集团控股有限公司 | BIOS method of calibration, configuration method, equipment and system |
CN110502285A (en) * | 2019-08-27 | 2019-11-26 | 北京元安物联技术有限公司 | System start method, device, embedded device and readable storage medium storing program for executing |
CN110677237A (en) * | 2019-11-04 | 2020-01-10 | 郑州轻工业学院 | File encryption method with chaos-like characteristic |
CN110674494A (en) * | 2018-07-02 | 2020-01-10 | 阿里巴巴集团控股有限公司 | Process protection method, system and data processing method |
CN111310189A (en) * | 2018-12-11 | 2020-06-19 | 航天信息股份有限公司 | USBKEY credibility verification method and device |
CN111527724A (en) * | 2017-12-27 | 2020-08-11 | 株式会社索思未来 | Processing apparatus, semiconductor integrated circuit, and state monitoring method |
CN112363776A (en) * | 2020-11-13 | 2021-02-12 | 北京智芯微电子科技有限公司 | Terminal control method and device and terminal |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102270229A (en) * | 2011-07-13 | 2011-12-07 | 中国人民解放军海军计算技术研究所 | Measurement method for basic input/output system (BIOS)-level system file |
CN104850792A (en) * | 2015-05-20 | 2015-08-19 | 浪潮电子信息产业股份有限公司 | Establishment method and apparatus of trust chain of server |
CN106384052A (en) * | 2016-08-26 | 2017-02-08 | 浪潮电子信息产业股份有限公司 | BMC U-boot trusted starting control method |
-
2017
- 2017-05-09 CN CN201710321574.2A patent/CN107145802A/en active Pending
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102270229A (en) * | 2011-07-13 | 2011-12-07 | 中国人民解放军海军计算技术研究所 | Measurement method for basic input/output system (BIOS)-level system file |
CN104850792A (en) * | 2015-05-20 | 2015-08-19 | 浪潮电子信息产业股份有限公司 | Establishment method and apparatus of trust chain of server |
CN106384052A (en) * | 2016-08-26 | 2017-02-08 | 浪潮电子信息产业股份有限公司 | BMC U-boot trusted starting control method |
Cited By (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107729069A (en) * | 2017-10-12 | 2018-02-23 | 浪潮(北京)电子信息产业有限公司 | A kind of method, apparatus of clean boot video card, computer-readable recording medium |
CN107784208A (en) * | 2017-11-07 | 2018-03-09 | 湖南长城银河科技有限公司 | A kind of method and device of the empowerment management based on BMC |
CN111527724B (en) * | 2017-12-27 | 2023-05-02 | 株式会社索思未来 | Processing device, semiconductor integrated circuit, and state monitoring method |
CN111527724A (en) * | 2017-12-27 | 2020-08-11 | 株式会社索思未来 | Processing apparatus, semiconductor integrated circuit, and state monitoring method |
CN110245495A (en) * | 2018-03-09 | 2019-09-17 | 阿里巴巴集团控股有限公司 | BIOS method of calibration, configuration method, equipment and system |
CN108549551A (en) * | 2018-04-13 | 2018-09-18 | 浪潮(北京)电子信息产业有限公司 | A kind of the startup method, apparatus and equipment of server network interface card |
CN110674494B (en) * | 2018-07-02 | 2023-04-11 | 阿里巴巴集团控股有限公司 | Process protection method, system and data processing method |
CN110674494A (en) * | 2018-07-02 | 2020-01-10 | 阿里巴巴集团控股有限公司 | Process protection method, system and data processing method |
CN109144584A (en) * | 2018-07-27 | 2019-01-04 | 浪潮(北京)电子信息产业有限公司 | A kind of programmable logic device and its starting method, system and storage medium |
CN109586920A (en) * | 2018-12-05 | 2019-04-05 | 大唐高鸿信安(浙江)信息科技有限公司 | A kind of trust authentication method and device |
CN111310189A (en) * | 2018-12-11 | 2020-06-19 | 航天信息股份有限公司 | USBKEY credibility verification method and device |
CN109784061A (en) * | 2018-12-17 | 2019-05-21 | 北京华胜天成信息技术发展有限公司 | The method and device for starting that control server is credible |
CN109740354B (en) * | 2019-01-03 | 2020-11-20 | 北京工业大学 | Method for trusted boot and regression of BMC (baseboard management controller) after disconnection of networked special server |
CN109743319B (en) * | 2019-01-03 | 2021-02-05 | 北京工业大学 | Trusted starting and safe operation method of networking type special server |
CN109740354A (en) * | 2019-01-03 | 2019-05-10 | 北京工业大学 | The method of BMC credible starting and recurrence after Networking private server lost contact |
CN109743319A (en) * | 2019-01-03 | 2019-05-10 | 北京工业大学 | A kind of credible starting of network type private server and method for safe operation |
CN110502285A (en) * | 2019-08-27 | 2019-11-26 | 北京元安物联技术有限公司 | System start method, device, embedded device and readable storage medium storing program for executing |
CN110677237A (en) * | 2019-11-04 | 2020-01-10 | 郑州轻工业学院 | File encryption method with chaos-like characteristic |
CN110677237B (en) * | 2019-11-04 | 2020-10-30 | 郑州轻工业学院 | File encryption method with chaos-like characteristic |
CN112363776A (en) * | 2020-11-13 | 2021-02-12 | 北京智芯微电子科技有限公司 | Terminal control method and device and terminal |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107145802A (en) | A kind of BIOS integrity measurement methods, baseboard management controller and system | |
CN110968844B (en) | Software authorization method in off-line state, server and readable storage medium | |
US6993648B2 (en) | Proving BIOS trust in a TCPA compliant system | |
US20200106775A1 (en) | Method, device, system for authenticating an accessing terminal by server, server and computer readable storage medium | |
CN107169379A (en) | A kind of method and server that integrity measurement is carried out based on BMC and TCM | |
WO2010134192A1 (en) | Electronic device, key generation program, recording medium, and key generation method | |
US20090290708A1 (en) | Generating and Securing Archive Keys | |
CN109190401A (en) | A kind of date storage method, device and the associated component of Qemu virtual credible root | |
CN112487042B (en) | Electric energy metering data processing method, device, computer equipment and storage medium | |
CN113569266B (en) | Host remote monitoring method based on chip level privacy calculation | |
CN105930733A (en) | Trust chain construction method and apparatus | |
CN116757447B (en) | Test task allocation method and system of intelligent quick-checking device | |
CN111585995A (en) | Method and device for transmitting and processing safety wind control information, computer equipment and storage medium | |
CN112580114B (en) | Information processing method, device, equipment and storage medium | |
CN110472429A (en) | Data verification method, device, electronic equipment and storage medium | |
WO2021139308A1 (en) | Cloud server monitoring method, apparatus and device, and storage medium | |
CN108256333A (en) | Execution method, system, equipment and the readable storage medium storing program for executing of BIOS/firmware | |
CN116112216B (en) | Cloud data verification method and device, electronic equipment and nonvolatile storage medium | |
CN115001700B (en) | Ecological environment supervision method and system based on blockchain | |
CN114448794B (en) | Method and device for safely upgrading firmware based on chip trusted root | |
CN111277601B (en) | Website security monitoring method and system | |
US20210111870A1 (en) | Authorizing and validating removable storage for use with critical infrastrcture computing systems | |
CN110874225B (en) | Data verification method and device, embedded equipment and storage medium | |
CN113572599B (en) | Power data transmission method, data source equipment and data access equipment | |
CN114095175B (en) | Gray-check-capable data confidentiality method, device and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20170908 |