CN107665308B - TPCM system for building and maintaining trusted operating environment and corresponding method

Publication number: CN107665308B
Application number: CN201610604485.4A
Other versions: CN107665308A
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 黄坚会
Assignee (original and current): Huada Semiconductor Co ltd
Legal status: Active
Prior art keywords: hash value, computer, boot code, TPCM, code

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82 Protecting input, output or interconnection devices
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Abstract

The invention relates to a TPCM system for building and maintaining a trusted operating environment, comprising: a power control unit connected to a power supply, wherein the power supply provides a standby voltage to the power control unit as the operating voltage of the TPCM system; a boot code measurement module connected, via a master control bus, to a boot code flash memory of a computer motherboard and controlling the power supply to that flash memory, the module being configured to read the boot code from the boot code flash memory after the TPCM system is powered on, generate a first hash value of the boot code, compare it with a first reference hash value, and send a power-on signal to the power control unit if they are identical; a platform environment measurement module; and a dynamic measurement module. The invention also relates to a corresponding method. The invention can improve the reliability of the trusted platform, reduce cost, prevent the boot code chip from tampering with hardware, prevent tampered hardware from being used to construct the trusted operating environment, and dynamically ensure a trusted operating environment.

Description

TPCM system for building and maintaining trusted operating environment and corresponding method
Technical Field
The present invention generally relates to the field of information security, and more particularly to a TPCM (Trusted Platform Control Module) system for building and maintaining a trusted operating environment, and to a corresponding method.
Background
A Trusted Platform Module (TPM) is a hardware device that interfaces with a computer motherboard to authenticate and process variables used by the computer in a trusted computing environment. The TPM and the data stored in it are typically kept separate from all other components of the computer.
The trusted platform module of the prior art is a single module governed by the motherboard, and therefore cannot guarantee the integrity of the motherboard's own boot code (such as BIOS code). Today, with motherboard boot code increasingly exposed to attack and tampering, the traditional TPM cannot guarantee the trustworthiness of the computer platform. Nor can it provide trust monitoring of the running system, so the trustworthiness of the computer's operating environment is not protected in real time.
Furthermore, the trusted platform modules of the prior art do not effectively prevent tampering with or replacement of important components such as USB interfaces, hard disks and memory, since most of them perform no secure verification at the boot code level (BIOS code, Android critical code and the like). They cannot prevent a tampered hardware device from being used to construct a trusted operating environment, nor prevent dynamic modification of system memory in real time, which poses a great threat to the reliability of the hardware and the security of the system.
In addition, in the prior art, software such as antivirus programs is generally used to monitor the security of the operating environment and watch for malicious intrusion. Monitoring at the software level, however, requires a large amount of CPU time for scanning and comparison, and because it depends on the CPU and system memory it cannot fundamentally prevent injection at the hardware platform level. Even setting these drawbacks aside, the protection software itself, lacking an underlying trusted foundation, is easily attacked by viruses and maliciously tampered with, so such monitoring still cannot satisfactorily guarantee a secure operating environment.
Disclosure of Invention
Starting from the prior art, the task of the invention is to design three physical-channel measurement modules, corresponding to the three phases of start-up and operation of a computer in the general sense (a "three-stage, three-channel" scheme for short), that is, to provide a TPCM system and a corresponding method for constructing and maintaining a trusted operating environment.
In a first aspect of the present invention, this task is solved by a TPCM system for building and maintaining a trusted operating environment, comprising:
a power control unit connected to a power supply, wherein the power supply provides a standby voltage to the power control unit as the operating voltage of the TPCM system, and the power control unit is configured to instruct the power supply to power on a power module of the computer motherboard when it receives a power-on signal from the boot code measurement module;
a boot code measurement module connected, via a master control bus, to a boot code flash memory of the computer motherboard and controlling the power supply of that flash memory, the boot code measurement module being configured to read the boot code from the boot code flash memory after the TPCM system is powered on, generate a first hash value of the boot code, compare the first hash value with a first reference hash value, and transmit a power-on signal to the power control unit if the two are consistent;
a platform environment measurement module coupled to the computer system via a low-speed slave bus, the platform environment measurement module being configured to:
after the power module of the computer motherboard is powered on, collect platform information through the trusted boot code and generate a second hash value of the platform information;
compare the second hash value with a second reference hash value and read the operating system load code if the two are consistent;
generate a third hash value of the operating system load code, compare it with a third reference hash value, and run the operating system load code if the two are consistent; and
read the operating system kernel, generate a fourth hash value of the operating system kernel, compare it with a fourth reference hash value, and run the operating system and put the computer into a trusted operating mode if the two are consistent; and
a dynamic measurement module connected to the dynamic memory through a high-speed master bus, the dynamic measurement module being configured to:
actively and dynamically read, from the dynamic memory, the contents of the boot storage area, such as the operating system kernel code, and generate a fifth hash value of the operating system kernel; and
compare the fifth hash value with a fifth reference hash value and keep the computer in the trusted operating mode if the two are consistent.
With the TPCM system for building and maintaining a trusted operating environment according to the invention, at least the following advantages can be achieved: (1) because the boot code flash memory is powered independently, under the control of the TPCM's boot code measurement module through a corresponding control bus interface, the TPCM can be powered on before the boot code flash memory; and because only the boot code flash memory (such as the BIOS flash) is powered independently, rather than the whole boot code circuit (such as the BIOS circuit), the TPCM effectively prevents other untrusted hardware devices from being powered on by mistake, which improves the reliability of realizing a trusted platform; (2) by monitoring the operating environment at the hardware level, a secure operating environment can be ensured from the hardware up; since hardware is harder to tamper with than software, higher system security is achieved than with software monitoring; (3) the TPCM dynamic memory module uses the bus master function to read the system memory contents actively and directly, without passing through the system CPU, which eliminates the spoofing and forgery risks that exist when the CPU reads, relays and forwards memory contents; (4) the active dynamic memory monitoring process is essentially independent of CPU execution and is an entirely autonomous defensive behaviour, so the consumption of system resources, in particular CPU time, is greatly reduced; (5) the TPCM uses the kernel of a trusted operating system, or a trusted software base program, which was trust-checked in the previous stage and is protected in real time, to collect the physical characteristics of the computer's devices for real-time dynamic monitoring; on any unexpected abnormal behaviour, such as a specific USB device being unplugged or an unknown USB device being connected, the TPCM reports according to the protection policy, cuts off the physical interface, or even forces a shutdown, protecting the system's trusted execution environment in real time.
It should be noted here that the term "computer" in the present application is to be understood broadly, covering servers, desktop computers, laptop computers, personal digital assistants, tablet computers, smart terminals and similar electronic devices. For example, the present invention may be applied to computing devices of the x86, PowerPC, MIPS and ARM architectures, although other devices are also contemplated.
In one embodiment of the invention, it is provided that the boot code comprises: BIOS code in the case of the x86 architecture, boot code in the case of the PowerPC architecture, boot code in the case of the MIPS architecture or the ARM architecture. Through the extension scheme, the trusted running environment which is constructed in various computing devices with different architectures can be realized. For example, boot code in the case of the PowerPC architecture and boot code in the case of the ARM architecture are boot code stored in boot code flash or firmware for the lowest level functions such as power-on of hardware.
In one embodiment of the invention, it is provided that the platform information comprises one or more of the following: CPU hardware information, dynamic memory hardware information, hard disk hardware information, north/south bridge chip hardware information, sound card hardware information, display card hardware information, network card hardware information, USB device hardware information, and the boot information of the hard disk boot area. With this extension, the boot code chip can be prevented from tampering with important hardware devices and the boot area of the computer, and tampered hardware devices or boot areas are prevented from being used to build a trusted operating environment.
In a further embodiment of the invention, it is provided that the platform information can be bound to different users, for example one or more of the following: CPU hardware information, dynamic memory hardware information, hard disk hardware information, north/south bridge chip hardware information, sound card hardware information, display card hardware information, network card hardware information, USB device hardware information, and the boot information of the hard disk boot area. With this extension, the binding between hardware devices and users can be strictly controlled, and a trusted operating environment for different users is constructed.
In a further embodiment of the invention, it is provided that the boot code measurement module is further configured to, if the first hash value does not correspond to the first reference hash value, enter the computer into an untrusted operating mode or power down or restart the computer; and/or
The platform environment metrics module is further configured to cause the computer to enter an untrusted mode of operation or to cause the computer to power down or reboot if the second hash value is inconsistent with the second reference hash value and/or if the third hash value is inconsistent with the third reference hash value and/or if the fourth hash value is inconsistent with the fourth reference hash value; and/or
The dynamic metrics module is further configured to cause the computer to enter an untrusted mode of operation or to power down or reboot the computer if the fifth hash value does not coincide with the fifth reference hash value.
With this extension, an exception handling process can be realized, in which an administrator or user can select the handling of the exception condition as required, for example making the computer enter an untrusted operating mode, or powering the computer off or restarting it.
In a further embodiment of the invention, it is provided that the boot code is x86 BIOS code in the case of the ATX architecture, and that the power supply control unit is further configured to:
instructing the ATX power supply to provide a standby voltage (5 VSB) to the ATX power module of the computer motherboard, and unblocking the PW-OK signal upon receiving a power-on signal from the boot code measurement module; and
after receiving the PS-ON signal from the ATX power module of the computer motherboard, sending the PS-ON signal to the ATX power supply so that the computer motherboard enters the running state.
Through the extended scheme, the power-on control of the mainboard can be easily realized by controlling the time sequence signal of the ATX power supply without changing the mainboard. In a preferred embodiment of the invention, it is provided that a diode is provided in the connection of the boot code circuit for supplying the boot code flash memory with power for unidirectional power supply of the boot code flash memory. By the preferred scheme, unidirectional power supply of the boot code flash memory can be realized at low cost, so that electric energy is better prevented from flowing backwards from the boot code flash memory to other hardware devices.
In another embodiment of the present invention, similarly to the active measurement control method for server systems, measurement control before power-up must also be added for the BMC (Baseboard Management Controller): after the two flash memory chips storing the BMC code and the boot code have both been verified by the boot measurement control method described above, the power-up control circuit (for example a CPLD) is notified to perform power control. By analogy, the method can be used to measure and control several flash memory chips. The measurement control processes may run concurrently, or the measurement and power control steps may be sequenced one after another.
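The power-up sequencing described in the ATX embodiment above, extended with the requirement of this paragraph that every measured flash chip (boot code and BMC) passes before power control proceeds, can be modelled as a small state machine. The following is an added example written for this page, not the patent's own code or circuitry: the signal names 5VSB, PS-ON and PW-OK come from the patent text, while the state names, the set of required chips and the event order are assumptions of the example.

```python
"""Power control unit (PCU) sequencing for an ATX motherboard, simulated.

Added example, not the patent's own code. Signal names (5VSB, PS-ON, PW-OK)
follow the patent; states, the 'required' chip set and the event order are
assumptions of this example. The board is allowed to power up only after a
pass result has arrived from every flash chip the policy lists (e.g. the
boot code flash and the BMC flash).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class PowerControlUnit:
    required: Set[str]                       # flash chips that must pass measurement
    passed: Set[str] = field(default_factory=set)
    state: str = "off"                       # off -> standby -> armed -> running
    pw_ok_blocked: bool = True               # PW-OK stays gated until measurements pass
    ps_on_to_supply: bool = False            # PS-ON forwarded to the ATX supply
    log: List[str] = field(default_factory=list)

    def on_standby_voltage(self) -> None:
        """5VSB from the ATX supply powers the TPCM itself; the board stays off."""
        if self.state == "off":
            self.state = "standby"
            self.log.append("5VSB present: TPCM powered, motherboard off")

    def on_measurement_result(self, chip: str, ok: bool) -> None:
        """Pass/fail result from a boot-code measurement module for one flash chip."""
        if self.state != "standby":
            return                           # results are only accepted before arming
        if not ok:
            self.state = "held_off"          # any failed chip refuses power-up
            self.log.append(f"{chip}: measurement failed, power-up refused")
            return
        self.passed.add(chip)
        self.log.append(f"{chip}: measurement passed")
        if self.required <= self.passed:     # every required chip has passed
            self.pw_ok_blocked = False       # unblock PW-OK
            self.state = "armed"
            self.log.append("all required chips passed: PW-OK unblocked")

    def on_ps_on_from_motherboard(self) -> bool:
        """Motherboard's ATX power module asserts PS-ON; forward it only when armed."""
        if self.state != "armed":
            self.log.append(f"PS-ON ignored in state {self.state}")
            return False
        self.ps_on_to_supply = True
        self.state = "running"
        self.log.append("PS-ON forwarded to ATX supply: motherboard running")
        return True


def sequence(results: Dict[str, bool], required: Set[str]) -> PowerControlUnit:
    """Drive one boot attempt: standby, measurement results, then a PS-ON request."""
    pcu = PowerControlUnit(required=required)
    pcu.on_standby_voltage()
    for chip, ok in results.items():
        pcu.on_measurement_result(chip, ok)
    pcu.on_ps_on_from_motherboard()
    return pcu


if __name__ == "__main__":
    for line in sequence({"bios_flash": True, "bmc_flash": False},
                         {"bios_flash", "bmc_flash"}).log:
        print(line)
```

The point of the model is the gating: a PS-ON request from the motherboard is dropped unless the unit is in the armed state, and arming requires a pass from every chip in the policy, so a failed BMC measurement holds the board off even when the BIOS flash measured correctly.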
In a further preferred embodiment of the invention, it is provided that the dynamic measurement module is further configured to:
issuing an instruction through the trusted software base to request the TPCM dynamic measurement module to acquire a key code or key data of an application program from a system memory and generate a sixth hash value of the key code; and
comparing the sixth hash value with the sixth reference hash value and issuing a reminder to the user or causing the computer to enter an untrusted mode of operation if the sixth hash value does not coincide with the sixth reference hash value.
By means of this preferred solution, the trustworthiness of each piece of software running in the trusted operating environment can additionally be ensured, so the security of the operating environment is better guaranteed. Here the trusted software base may be, for example, a basic management program that extracts the key code of each application program and monitors and controls the software and the system according to a management policy. In other embodiments, the software base may be implemented as management software that is independently protected as trusted by the TPCM module. In other embodiments, a separate CPU core of a multi-core CPU may be dedicated to loading and running the trusted software base, so that dynamic monitoring of the trusted computing environment is carried out independently (i.e. separately from the rest of the system's software and hardware). The trusted software base thus ensures the trustworthiness of the operating system and application software kernel. In other embodiments, the trusted software base and the operating system kernel can be combined into a trusted operating system that monitors and manages the application software and the trusted environment in real time.
In one embodiment of the invention, the platform environment measurement module is connected to the computer system via a low-speed slave bus. With this extension, the necessary communication between the platform measurement module and each piece of hardware can be realized simply. The low-speed slave bus may be, for example, an SPI bus, an I2C bus, a serial port, or even GPIO.
In a further embodiment of the invention, it is provided that the dynamic measurement module is connected to the system via a high-speed bus. With this embodiment, the necessary communication between the dynamic measurement module and the dynamic memory can be implemented in a simple manner. The high-speed bus may be, for example, a USB bus.
In a preferred embodiment of the invention, it is provided that the dynamic measurement module is connected to the dynamic memory via a high-speed master bus. With this extension, the dynamic measurement module can access the dynamic memory actively. The high-speed master bus may be, for example, a PCIe bus.
In a preferred embodiment of the invention, it is provided that the boot code measurement module is further configured to set the user's access rights to the physical ports according to the user's rights information. With this preferred scheme, the TPCM system, as the root of trust, can reliably set each user's access rights to the physical ports, achieving higher security and reliability than having user access rights set by the boot code system, the operating system, application software or another untrusted source.
In a further preferred embodiment of the invention, it is provided that the platform environment module is further configured to determine whether the user has access to the computer platform or is authorized to enter a trusted operating mode of the computer platform by comparing the hardware configuration information bound by the user with the collected platform information. By the preferred scheme, the user access right management can be reliably realized.
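The user-binding check of the two preceding paragraphs (platform information hashed as the second measurement, compared against the configuration bound to a user, and physical ports enabled only for an authorized user) is illustrated below. This is an added example written for this page, not the patent's own code: the nine platform information categories are the ones the patent lists, but the canonical encoding (fixed field order, one key=value per line), the choice of SHA-256, and the sample users, hardware identifiers and port names are all constructed assumptions.

```python
"""User-bound platform information measurement, simulated (added example).

Not the patent's own code. The field list follows the platform information the
patent enumerates; the canonical encoding, SHA-256, and every sample value
(users, hardware identifiers, port names) are constructed for this example.
"""
import hashlib
from typing import Dict, List

# Platform information categories named in the patent, in a fixed order.
PLATFORM_FIELDS = [
    "cpu", "dynamic_memory", "hard_disk", "north_south_bridge",
    "sound_card", "display_card", "network_card", "usb_devices", "boot_sector",
]


def canonical(platform_info: Dict[str, str]) -> bytes:
    """Encode the inventory in a fixed order so identical hardware hashes identically."""
    missing = [f for f in PLATFORM_FIELDS if f not in platform_info]
    if missing:
        raise ValueError(f"platform information incomplete: {missing}")
    return "\n".join(f"{f}={platform_info[f]}" for f in PLATFORM_FIELDS).encode()


def measure_platform(platform_info: Dict[str, str]) -> str:
    """The 'second hash value' of the patent (SHA-256 assumed by this example)."""
    return hashlib.sha256(canonical(platform_info)).hexdigest()


# Constructed inventory as the trusted boot code would collect it on one machine.
WORKSTATION = {
    "cpu": "vendorX-model1-serial0001", "dynamic_memory": "2x8GiB-DDR-serialA",
    "hard_disk": "disk-serial-D1", "north_south_bridge": "bridge-rev2",
    "sound_card": "audio-rev1", "display_card": "gpu-serial-G1",
    "network_card": "mac-02:00:00:00:00:01", "usb_devices": "keyboard,mouse",
    "boot_sector": "mbr-digest-constructed",
}

# Per-user binding: the reference platform hash plus the physical ports the user may use.
# Bob is bound to the same machine fitted with a different hard disk (constructed).
USERS = {
    "alice": {"platform_hash": measure_platform(WORKSTATION), "ports": {"usb1", "eth0"}},
    "bob": {"platform_hash": measure_platform({**WORKSTATION, "hard_disk": "disk-serial-D9"}),
            "ports": {"usb1"}},
}
ALL_PORTS = ["usb1", "usb2", "eth0", "serial0"]   # constructed port inventory


def authorize(user: str, collected: Dict[str, str]) -> Dict[str, object]:
    """Compare the collected platform hash with the user's binding; on a match the
    user enters trusted mode and only that user's ports are powered."""
    binding = USERS.get(user)
    if binding is None:
        return {"trusted": False, "reason": "unknown user", "ports_powered": []}
    if measure_platform(collected) != binding["platform_hash"]:
        return {"trusted": False, "reason": "platform information mismatch",
                "ports_powered": []}
    powered: List[str] = [p for p in ALL_PORTS if p in binding["ports"]]
    return {"trusted": True, "reason": "ok", "ports_powered": powered}


if __name__ == "__main__":
    print(authorize("alice", WORKSTATION))
    print(authorize("alice", {**WORKSTATION, "usb_devices": "keyboard,mouse,unknown-stick"}))
```

Because every category participates in the hash, swapping a single component (the disk, or an extra USB device) changes the second hash value and the user is refused, which is the property the patent relies on to keep tampered hardware out of the trusted environment.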
In a second aspect of the present invention, the aforementioned task is solved by a method for building and maintaining a trusted operating environment by a TPCM system, wherein said TPCM system is connected to and powers a boot code flash memory of a computer motherboard via a master bus, wherein the method comprises the steps of:
providing the working voltage of the TPCM system by a power supply;
controlling, by the TPCM system, power supply to the boot code flash after the TPCM system is powered on and reading the boot code from the boot code flash and generating a first hash value of the boot code;
comparing the first hash value to a first reference hash value and powering up a power module of the computer motherboard if the first hash value is consistent with the first reference hash value;
collecting platform information and generating a second hash value of the platform information;
comparing the second hash value to the second reference hash value and reading the operating system load code if the second hash value is consistent with the second reference hash value;
generating a third hash value of the operating system load code and comparing the third hash value to the third reference hash value and running the operating system load code if the third hash value is consistent with the third reference hash value;
reading the operating system kernel and generating a fourth hash value of the operating system kernel and comparing the fourth hash value with the fourth reference hash value and running the operating system and putting the computer into a trusted operating mode if the fourth hash value is consistent with the fourth reference hash value;
dynamically reading the operating system kernel from the dynamic memory and generating a fifth hash value of the operating system kernel; and
the fifth hash value is compared with the fifth reference hash value and the computer is kept in the trusted operating mode if the fifth hash value corresponds with the fifth reference hash value.
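The staged measurement chain, as described for the TPCM system in the first aspect and repeated as method steps immediately above, is simulated below: each stage hashes the next object, compares the hash with the stored reference, and only on a match performs the stage's side effect (powering the motherboard, loading the kernel, entering trusted mode), while the fifth hash is re-taken from the resident kernel at run time. This is an added example written for this page, not the patent's own code; the patent names no hash algorithm, so SHA-256 is an assumption, and the images, platform information and failure actions are constructed. The same compare-and-act pattern serves the sixth hash (application key code read by the trusted software base) described earlier.

```python
"""TPCM staged measurement chain, simulated in Python.

Added example (not the patent's own code). Assumptions not stated in the patent:
SHA-256 as the hash function; all images, platform information and reference
values are constructed byte strings standing in for real flash/RAM contents.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TRUSTED_MODE = "trusted_mode"
# Exception-handling actions the patent lets an administrator choose between.
UNTRUSTED_MODE, POWER_DOWN, RESTART = "untrusted_mode", "power_down", "restart"


def measure(data: bytes) -> str:
    """Hash used for every measurement (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(data).hexdigest()


# Constructed "golden" contents; the TPCM itself would hold only their hashes.
GOLDEN = {
    "boot_code": b"BIOS power-on control code v1 (constructed)",
    "platform_info": b"CPU=A1;DRAM=B2;HDD=C3;MBR=D4 (constructed)",
    "os_loader": b"OS loader image (constructed)",
    "kernel": b"OS kernel image (constructed)",
}
REFERENCE = {name: measure(blob) for name, blob in GOLDEN.items()}

# Boot-time order from the patent: 1st hash boot code, 2nd platform info,
# 3rd OS loader, 4th kernel; the 5th hash is the kernel re-read from RAM later.
BOOT_STAGES = ["boot_code", "platform_info", "os_loader", "kernel"]


@dataclass
class Platform:
    boot_code: bytes
    platform_info: bytes
    os_loader: bytes
    kernel: bytes
    dynamic_memory: Dict[str, bytes] = field(default_factory=dict)
    motherboard_powered: bool = False     # set only once the 1st hash matches
    mode: Optional[str] = None
    log: List[str] = field(default_factory=list)


def fail(p: Platform, stage: str, action: str) -> str:
    """Apply the configured exception action and stop the chain."""
    p.mode = action
    p.log.append(f"{stage}: mismatch -> {action}")
    return action


def run_boot_chain(p: Platform, on_failure: str = POWER_DOWN) -> str:
    """Stages 1-4: each stage runs only if the previous hash matched its reference."""
    for stage in BOOT_STAGES:
        if measure(getattr(p, stage)) != REFERENCE[stage]:
            return fail(p, stage, on_failure)
        p.log.append(f"{stage}: ok")
        if stage == "boot_code":
            p.motherboard_powered = True            # power-on signal to the PCU
        elif stage == "kernel":
            p.dynamic_memory["kernel"] = p.kernel   # kernel becomes RAM-resident
            p.mode = TRUSTED_MODE
    return p.mode


def dynamic_remeasure(p: Platform, on_failure: str = UNTRUSTED_MODE) -> str:
    """Stage 5: bus-master re-read of the resident kernel, repeated at run time."""
    if p.mode != TRUSTED_MODE:
        return p.mode or UNTRUSTED_MODE
    if measure(p.dynamic_memory.get("kernel", b"")) != REFERENCE["kernel"]:
        return fail(p, "kernel_in_memory", on_failure)
    p.log.append("kernel_in_memory: ok")
    return TRUSTED_MODE


def golden_platform() -> Platform:
    return Platform(**GOLDEN)


def scenario_clean() -> str:
    """Untouched machine: boot chain completes and the run-time re-check holds."""
    p = golden_platform()
    run_boot_chain(p)
    return dynamic_remeasure(p)


def scenario_tampered_boot_code() -> Platform:
    """Modified BIOS: the chain stops at stage 1 and the board is never powered."""
    p = golden_platform()
    p.boot_code = GOLDEN["boot_code"] + b"\x90\x90"   # constructed modification
    run_boot_chain(p)
    return p


def scenario_runtime_tamper() -> str:
    """Clean boot, then one byte of the RAM copy changes: caught by the 5th hash."""
    p = golden_platform()
    run_boot_chain(p)
    p.dynamic_memory["kernel"] = b"\x00" + p.kernel[1:]
    return dynamic_remeasure(p)


if __name__ == "__main__":
    print(scenario_clean(), scenario_tampered_boot_code().mode, scenario_runtime_tamper())
```

Two properties of the patent's design show up directly: a boot code mismatch leaves `motherboard_powered` false, because the power-on signal is only sent after the first hash matches, and the fifth hash catches a change to the kernel copy in dynamic memory even though the flash image still measures correctly.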
By the method according to the present invention, the same advantages as those of the TPCM system according to the present invention can be achieved, the reliability of establishing a trusted platform can be improved, the installation cost and the hardware cost can be reduced, and at the same time, the boot code chip is prevented from tampering hardware and constructing a trusted operating environment using tampered hardware, and a secure operating environment can be dynamically ensured.
In one embodiment of the invention, it is provided that the boot code comprises: BIOS code in the case of the x86 architecture, and boot code in the case of the PowerPC, ARM, MIPS or other architectures. With this extension, a trusted operating environment can be constructed in computing devices of different architectures. For example, the boot code in the case of the PowerPC architecture and the boot code in the case of the ARM architecture is boot code stored in boot code flash or firmware for the lowest-level functions, such as powering on the hardware.
In one embodiment of the invention, it is provided that the platform information comprises one or more of the following: CPU hardware information, dynamic memory hardware information, hard disk hardware information, north/south bridge chip hardware information, sound card hardware information, display card hardware information, network card hardware information, USB device hardware information, and the boot information of the hard disk boot area. With this extension, the boot code chip can be prevented from tampering with important hardware devices and the boot area of the computer, and tampered hardware devices or boot areas are prevented from being used to build a trusted operating environment.
In a further embodiment of the invention, it is provided that the method further comprises at least one of the following steps:
if the first hash value is inconsistent with the first reference hash value, the computer is enabled to enter an untrusted working mode or the computer is powered down or restarted;
entering the computer into an untrusted mode of operation or powering down or restarting the computer if the second hash value does not correspond to the second reference hash value and/or if the third hash value does not correspond to the third reference hash value and/or if the fourth hash value does not correspond to the fourth reference hash value; and
in the event that the fifth hash value does not correspond to the fifth reference hash value, causing the computer to enter an untrusted mode of operation or causing the computer to power down or reboot.
With this extension, an exception handling process can be realized, in which an administrator or user can select the handling of exception conditions as needed, such as making the computer enter an untrusted operating mode, or powering the computer off or restarting it.
In a preferred embodiment of the invention, it is provided that the method further comprises the following steps:
obtaining, by the trusted software base, a key code of an application from the dynamic memory and generating a sixth hash value of the key code; and
comparing the sixth hash value to the sixth reference hash value and issuing a reminder to the user or causing the computer to enter an untrusted mode of operation if the sixth hash value does not correspond to the sixth reference hash value.
By means of the preferred solution, the reliability of each software running in the trusted operating environment can be additionally ensured, so that the security of the operating environment is better ensured. Here, the trusted software base may be, for example, a software program that functions to extract key codes of each application program and monitor and control the software and the system according to a management policy. In other embodiments, the software base may be implemented as underlying software, firmware, or dedicated hardware. In some embodiments, the trusted software base may also be loaded and run using an independent CPU core in a multi-core CPU, thereby implementing dynamic monitoring of the trusted computing environment independently (i.e., separately from other software and hardware of the system).
Drawings
The invention will be further elucidated with reference to specific embodiments in the following description, in conjunction with the drawings.
FIG. 1 is a block diagram illustrating a system environment of a TPCM system in accordance with the present invention; and
FIG. 2 shows a flow chart of a method according to the invention.
Detailed Description
Fig. 1 shows a block diagram of a system environment of a TPCM system 100 according to the present invention. The system environment in fig. 1 includes a power grid 104, an ATX power supply 103, a computer motherboard 106, and a TPCM system 100. It should be noted that although the embodiments of the present invention are illustrated with respect to a computer having an x86 architecture, i.e., including a BIOS flash memory, the present invention is not limited thereto, but may also be applied to computers based on other architectures, such as PowerPC architecture, ARM architecture, MIPS architecture, and the like. It should also be noted that in this block diagram, other components are omitted for simplicity.
The grid 104 is used to supply power to a power supply 103, the power supply 103 is, for example, an ATX power supply, and the grid 104 is, for example, a 220V ac grid. It should be noted that although the system environment herein includes a power grid, in other embodiments, the system environment may also include other power supply devices, such as batteries.
The power supply 103 is used to obtain power from the power grid 104 and supply it to the TPCM system 100 and the computer motherboard 106, converting the power as necessary, for example AC-DC conversion or current or voltage conversion. The power supply 103 may include a timing control circuit 105 configured to transmit and receive timing signals for power-up.
The computer motherboard 106 includes a power supply module 107, a flash memory 108, a dynamic memory 113, and a hard disk 114. It should be noted that only some components are shown here and others are omitted. The power supply module 107 is configured to receive timing signals from the timing control circuit 105 in order to power up the computer motherboard 106. Boot code flash 108 stores boot code, such as BIOS code or other code for the lowest level of hardware control. In other architecture based embodiments, the flash memory 108 stores boot code for the underlying functions, such as powering on hardware.
The TPCM system 100 according to the present invention includes a power control unit 101, a boot code metric module 102, a platform metric module 111, and a dynamic metric module 112.
The power control unit 101 is connected to a power supply 103, wherein a standby voltage (e.g., 5 VSB) 110 is supplied from the power supply 103 to the power control unit 101 as an operating voltage of the TPCM system 100. The standby voltage 110 is, for example, a 5V dc voltage. The power control unit 101 is configured to instruct the power supply 103 to power up the power module 107 of the computer motherboard 106 upon receiving a power-up signal from the boot code measurement module 102. For example, the power control unit 101 may be connected to the timing control circuit 105 of the power supply 103 and obtain the standby voltage 110 from the timing control circuit 105, and the power module 107 receives the power-on signal from the timing control circuit 105.
The boot code measurement module 102 is connected to the boot code flash memory 108 via a master bus 109, for example an SPI bus, and supplies a supply voltage, for example a 3.3V dc voltage, only to the boot code flash memory 108. In one embodiment, a diode may be provided in the connection of the boot code circuit that powers the flash memory, so that the boot code flash memory 108 is powered unidirectionally; this unidirectional powering better prevents power from flowing back from the flash memory 108 to other hardware devices, such as the hard disk 114 and the dynamic memory 113 (e.g., memory, including SDRAM, DDR, etc.). This prevents those hardware devices from being tampered with by malicious boot code when the boot code chip is powered on. The boot code metrics module 102 is configured to read the boot code from the flash memory 108 after the TPCM system 100 is powered on, generate a first hash value of the boot code, compare the first hash value to a first reference hash value, and send a power-on signal to the power control unit 101 if the first hash value is consistent with the first reference hash value. The boot code is here optionally a key portion of the boot code stored in the BIOS flash memory, for example the boot code for controlling the powering up of the respective hardware, but the complete boot code may also be measured. Of course, other boot code, such as boot code relating to system security, is also contemplated. Furthermore, the boot code metrics module 102 may optionally be further configured to perform an exception handling procedure, i.e., to cause the computer to enter an untrusted mode of operation or to power down or reboot the computer if the first hash value does not correspond to the first reference hash value. In the untrusted mode of operation, the operation of applications and the access rights of the user are restricted, and other security measures are taken against the untrusted source.
In addition, the boot code measurement module 102 may be further configured to configure the user's access rights to the physical ports according to the user's rights information. For example, the boot code measurement module 102 selectively powers the corresponding physical port after measuring the boot code. Thus, unauthorized access is prevented at the source.
The platform metrics module 111 interfaces with the hardware device (here, the hard disk 114) through a low-speed slave bus (here, an I2C bus). Here, it should be noted that the platform metric module 111 may also be connected with other hardware devices, such as a CPU, a memory, a hard disk, a north-south bridge chip, a sound card, a video card, a network card, a USB device, etc., through other low-speed slave device buses, such as an SPI bus, to obtain hardware information of these hardware devices.
Platform metrics module 111 is configured to perform the following actions:
(1) After the power module 107 of the computer motherboard 106 is powered on, platform information, such as hardware information of the hard disk 114 and boot information in the boot area thereof, is collected, and a second hash value of the platform information is generated, where it should be noted that in other embodiments, the platform information may also be other information, such as CPU hardware information, dynamic storage (e.g., memory) hardware information, hard disk hardware information, north-south bridge chip hardware information, sound card hardware information, video card hardware information, network card hardware information, and USB device hardware information;
(2) Comparing the second hash value to the second reference hash value and reading the operating system load code if the second hash value is consistent with the second reference hash value;
(3) Generating a third hash value of the operating system load code and comparing the third hash value with the third reference hash value and running the operating system load code if the third hash value is consistent with the third reference hash value, wherein by performing metric analysis on the operating system load code, malicious load code can be prevented from loading an operating system from a wrong location, which has likely been tampered with; and
(4) Reading the operating system kernel and generating a fourth hash value of the operating system kernel and comparing the fourth hash value with the fourth reference hash value and running the operating system and putting the computer into a trusted operating mode if the fourth hash value is consistent with the fourth reference hash value, wherein by performing metric analysis on the operating system kernel, running of a tampered operating system, which would threaten system security, can be prevented.
Furthermore, the platform environment metrics module 111 may optionally be further configured to perform an exception handling procedure, i.e. to put the computer into an untrusted mode of operation or to power down or restart the computer in case the second hash value does not coincide with the second reference hash value and/or in case the third hash value does not coincide with the third reference hash value and/or in case the fourth hash value does not coincide with the fourth reference hash value.
In addition, the platform environment measurement module 111 may also implement user access authority management, that is, comparing the user's hardware configuration information with the collected platform information to determine whether the user may access the computer platform or may enter the trusted operating mode of the computer platform. For example: user A's configuration has a CD drive but no USB interface; if the platform environment metrics module 111, after checking the collected platform information, finds that the computer platform does not have a CD drive or a USB interface, user A is judged to have no authority to access the platform or to enter the trusted operating mode of the platform, so the computer platform is powered off or enters an untrusted mode.
The dynamic metrics module 112 is connected to the dynamic memory 113 through a high speed master bus (here, a PCIe bus) 116. It should be noted that in other embodiments, other high-speed master buses, such as PCIe buses, etc., may be used, and in addition, if the requirement on the security protection level is not high and the influence of dynamic monitoring on the system resources is ignored, a non-master bus may be used to connect the computer system, such as a USB bus, etc.
The dynamic metrics module 112 is configured to perform the following actions:
(1) Dynamically reading the operating system kernel from the dynamic memory 113 and generating a fifth hash value of the operating system kernel; and
(2) The fifth hash value is compared with a fifth reference hash value and the computer is kept in a trusted operating mode if the fifth hash value coincides with the fifth reference hash value.
Here, "dynamic reading" means reading in real time when needed, for example, periodically, or upon request, or the like.
By dynamically measuring the operating system kernel, the integrity of the operating system can be verified at any time, so that action can be taken even after the operating system has been tampered with or corrupted.
The dynamic metrics module 112 may optionally be further configured to perform the following actions:
(3) Acquiring the key code of application programs from the dynamic memory through a trusted software base, and generating a sixth hash value of the key code, wherein the trusted software base may be a software program used to extract the key code of the application programs and to monitor and control the software and the system according to a management policy. In other embodiments, the trusted software base may be implemented as basic software, firmware, or special-purpose hardware; and
(4) Comparing the sixth hash value to the sixth reference hash value and issuing a reminder to the user or causing the computer to enter an untrusted mode of operation if the sixth hash value does not correspond to the sixth reference hash value.
By measuring and analyzing the key code of the applications, the reliability of each piece of software running in the trusted running environment can be additionally ensured, so that the security of the running environment is better guaranteed. Moreover, since the dynamic measurement module 112 measures the key code of the operating system kernel and of the applications from the hardware level, it has higher reliability and security than system security monitoring implemented purely in software. In a preferred embodiment, the dynamic measurement module 112 reads system memory directly through the master function of the high-speed bus, without forwarding through the CPU. This avoids having the CPU read the memory, eliminates the risk of cheating and counterfeiting during the read and transfer, and at the same time greatly reduces the consumption of system resources, especially CPU resources. The dynamic memory (module) monitoring process of the dynamic measurement module 112 is basically independent of CPU execution and is completely an autonomous defense behavior.
It should be noted that the power control unit 101, the boot code metrology module 102, the platform metrology module 111, and the dynamic metrology module 112 may be implemented by programming a processor or a microcontroller, or may be implemented by hardware such as a Field Programmable Gate Array (FPGA) or an Application Specific Integrated Circuit (ASIC).
With the TPCM system for building and maintaining a trusted operating environment according to the invention, at least the following advantages can be achieved: (1) The boot code flash memory is independently powered by the boot code measurement module of the TPCM through the corresponding master bus interface, so the TPCM can be powered on before the boot code flash memory; and since only the boot code flash memory (such as the BIOS flash memory) is powered on independently rather than the whole boot code circuit (such as the BIOS circuit), the TPCM can effectively prevent other untrusted hardware devices from being powered on by mistake, thereby improving the reliability of realizing a trusted platform; (2) By monitoring the operating environment at the hardware level, a secure operating environment can be ensured from the hardware level; since hardware is more difficult to tamper with than software, higher system security can be achieved compared with software monitoring means; (3) In the preferred scheme of the invention, the TPCM dynamic memory module uses the master control function of the bus to actively and directly read the data content of the system memory without transfer by the system CPU, which prevents the risk of cheating and counterfeiting that exists when the memory is read, transferred and sent through the CPU; (4) The dynamic memory (module) monitoring process is basically independent of CPU execution and is completely an autonomous defense behavior, which greatly reduces the consumption of system resources, especially the occupation of CPU resources; (5) In the invention, the TPCM uses the kernel of the trusted operating system or the trusted software base program, which has passed the trust check of the previous stage and is protected in real time, to collect the physical characteristics of the computer's devices for real-time dynamic monitoring; if any unexpected abnormal behavior occurs, such as removal of a specific USB device or connection of an unknown USB device, the TPCM reports it according to the protection policy, or even cuts off the physical interface, thereby protecting the trusted execution environment of the system in real time.
Fig. 2 shows a flow chart 200 of a method according to the invention.
At step 202, the operating voltage (e.g., 5 VSB) of the TPCM system 100 is provided by the power supply 103. The operating voltage is, for example, 5V dc voltage.
At step 204, the flash memory 108 is powered by the TPCM system 100 after the TPCM system is powered on and the boot code is read from the flash memory 108 and a first hash value of the boot code is generated.
At step 206, the first hash value is compared to the first reference hash value and the power module 107 of the computer motherboard 106 is powered up if the first hash value matches the first reference hash value.
At step 208, platform information is collected and a second hash value of the platform information is generated. The platform information may include, for example, one or more of the following: CPU hardware information, dynamic memory (such as internal memory) hardware information, hard disk hardware information, north-south bridge chip hardware information, sound card hardware information, display card hardware information, network card hardware information, USB equipment hardware information and boot information of a hard disk boot area.
At step 210, the second hash value is compared to the second reference hash value and the operating system load code is read if the second hash value matches the second reference hash value.
At step 212, a third hash value of the operating system load code is generated and compared to the third reference hash value and the operating system load code is executed if the third hash value is consistent with the third reference hash value.
At step 214, the operating system kernel is read and a fourth hash value of the operating system kernel is generated and the fourth hash value is compared to the fourth reference hash value and the operating system is run and the computer is put into a trusted operating mode if the fourth hash value is consistent with the fourth reference hash value. To this point, a trusted operating environment has been established for the computer.
At step 216, the operating system kernel is dynamically retrieved from dynamic storage (e.g., memory) and a fifth hash value for the operating system kernel is generated.
At step 218, the fifth hash value is compared to the fifth reference hash value and the computer is maintained in the trusted operating mode if the fifth hash value matches the fifth reference hash value.
Here, the method may optionally further include (not shown): obtaining, by the trusted software base, a key code of an application from the dynamic memory and generating a sixth hash value of the key code; and
comparing the sixth hash value with the sixth reference hash value and issuing a reminder to the user or causing the computer to enter an untrusted mode of operation if the sixth hash value does not coincide with the sixth reference hash value.
Furthermore, the method according to the invention may also comprise an exception handling procedure, in particular comprising one or more of the following steps:
if the first hash value is inconsistent with the first reference hash value, the computer is enabled to enter an untrusted working mode or the computer is powered down or restarted;
entering the computer into an untrusted mode of operation or powering down or restarting the computer if the second hash value does not correspond to the second reference hash value and/or if the third hash value does not correspond to the third reference hash value and/or if the fourth hash value does not correspond to the fourth reference hash value; and
in the event that the fifth hash value does not correspond to the fifth reference hash value, causing the computer to enter an untrusted mode of operation or causing the computer to power down or reboot.
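The staged measurement chain of the description (first to fifth hash values, plus the exception handling procedure) and the method steps above, as an added simulation that is not the patent's own code: SHA-256 as the hash function, the enrollment of reference values, the failure policy names and the image contents are all assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum


def measure(data: bytes) -> str:
    """Hash a measured image. SHA-256 is an assumption; the patent only says "hash value"."""
    return hashlib.sha256(data).hexdigest()


class Mode(Enum):
    OFF = "powered_off"       # motherboard unpowered (power-down / reboot outcome)
    TRUSTED = "trusted"       # fourth hash value matched: trusted operating mode
    UNTRUSTED = "untrusted"   # exception handling: restricted operation


@dataclass
class Platform:
    """Constructed stand-in for what the TPCM reads over its buses: the boot code
    flash, the collected platform information, the OS loader and the kernel image."""
    boot_code: bytes
    platform_info: bytes
    os_loader: bytes
    kernel: bytes
    motherboard_powered: bool = False
    mode: Mode = Mode.OFF
    log: list = field(default_factory=list)


# Static chain in the order the patent measures it (first to fourth hash value);
# the fifth hash value re-measures the kernel image in memory while running.
STAGES = ("boot_code", "platform_info", "os_loader", "kernel")


def make_references(boot_code: bytes, platform_info: bytes,
                    os_loader: bytes, kernel: bytes) -> dict:
    """Reference hashes provisioned from known-good images (hypothetical enrollment step).
    Caveat for the dynamic check: the kernel reference must describe the image as it
    sits in memory, which can differ from the on-disk file once it is relocated."""
    return {"boot_code": measure(boot_code), "platform_info": measure(platform_info),
            "os_loader": measure(os_loader), "kernel": measure(kernel)}


class TPCM:
    def __init__(self, references: dict, on_failure: str = "untrusted"):
        self.references = references
        self.on_failure = on_failure  # "untrusted", "power_down" or "reboot"

    def _matches(self, stage: str, data: bytes) -> bool:
        return measure(data) == self.references[stage]

    def _exception(self, p: Platform, stage: str) -> Mode:
        """Exception handling procedure: enter untrusted mode, or cut motherboard power."""
        p.log.append(f"{stage}: hash mismatch -> {self.on_failure}")
        if self.on_failure == "untrusted":
            p.mode = Mode.UNTRUSTED
        else:  # power_down or reboot: the motherboard loses power either way
            p.mode = Mode.OFF
            p.motherboard_powered = False
        return p.mode

    def build(self, p: Platform) -> Mode:
        """Steps 204-214: the static chain. Only the boot code flash is powered at first,
        so the motherboard receives power only after the first hash value matches."""
        if not self._matches("boot_code", p.boot_code):
            return self._exception(p, "boot_code")
        p.motherboard_powered = True  # power-on signal to the power control unit
        for stage in STAGES[1:]:      # second, third and fourth hash values
            if not self._matches(stage, getattr(p, stage)):
                return self._exception(p, stage)
        p.mode = Mode.TRUSTED
        return p.mode

    def maintain(self, p: Platform) -> Mode:
        """Steps 216-218: dynamic re-measurement of the in-memory kernel (fifth hash value).
        Run periodically or on request; a mismatch leaves the trusted operating mode."""
        if p.mode is not Mode.TRUSTED:
            return p.mode
        if not self._matches("kernel", p.kernel):
            return self._exception(p, "kernel (dynamic)")
        return p.mode


def demo() -> dict:
    """Three constructed scenarios; returns the resulting mode of each."""
    good = dict(boot_code=b"BIOS image v1 (constructed)",
                platform_info=b"cpu:X;disk:SN-0001;boot-sector-info (constructed)",
                os_loader=b"loader image (constructed)",
                kernel=b"kernel image (constructed)")
    refs = make_references(**good)
    out = {}
    p = Platform(**good)
    out["clean_boot"] = TPCM(refs).build(p)                     # Mode.TRUSTED
    p.kernel = good["kernel"] + b" + injected hook"             # tampered after boot
    out["kernel_tampered_at_runtime"] = TPCM(refs).maintain(p)  # Mode.UNTRUSTED
    p2 = Platform(**dict(good, boot_code=b"BIOS image v1 (constructed) modified"))
    out["boot_code_tampered"] = TPCM(refs, on_failure="power_down").build(p2)  # Mode.OFF
    out["motherboard_ever_powered"] = p2.motherboard_powered    # False: never powered up
    return out


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```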
Although some embodiments of the present invention have been described herein, it will be obvious to those skilled in the art that such embodiments are provided by way of example only. Numerous variations, substitutions and modifications will occur to those skilled in the art without departing from the scope of the invention. It is intended that the following claims define the scope of the invention and that methods and structures within the scope of these claims and their equivalents be covered thereby.

Claims (16)

1. A TPCM system for building and maintaining a trusted operating environment, comprising:
a power control unit connected with a power supply, wherein the power control unit is provided with a standby power as an operating voltage of the TPCM system by the power supply, and the power control unit is configured to instruct the power supply to power on a power module of the computer motherboard when receiving a power-on signal from the boot code measurement module;
a boot code measurement module connected with a boot code flash memory of a computer motherboard through a main control bus and controlling power supply of the boot code flash memory, the boot code measurement module configured to read a boot code from the boot code flash memory after the TPCM system is powered on and generate a first hash value of the boot code and compare the first hash value with a first reference hash value and transmit a power-on signal to the power control unit if the first hash value is identical with the first reference hash value, wherein the boot code flash memory is a BIOS flash memory;
a platform environment metrics module connected with respective hardware of the computer, the platform environment metrics module configured to:
collecting platform information and generating a second hash value of the platform information after a power module of a computer mainboard is powered on;
comparing the second hash value to a second reference hash value and reading the operating system load code if the second hash value is consistent with the second reference hash value;
generating a third hash value of the operating system load code and comparing the third hash value to the third reference hash value and running the operating system load code if the third hash value is consistent with the third reference hash value; and
reading the operating system kernel and generating a fourth hash value of the operating system kernel and comparing the fourth hash value with the fourth reference hash value and running the operating system and putting the computer into a trusted operating mode if the fourth hash value is consistent with the fourth reference hash value; and
a dynamic metrics module coupled to the dynamic memory, the dynamic metrics module configured to:
dynamically reading the operating system kernel from the dynamic memory and generating a fifth hash value of the operating system kernel; and
the fifth hash value is compared with the fifth reference hash value and the computer is kept in the trusted operating mode if the fifth hash value coincides with the fifth reference hash value.
2. The TPCM system of claim 1, the boot code comprising: BIOS code in the case of the x86 architecture, boot code in the case of the PowerPC architecture, boot code in the case of the MIPS architecture, or boot code in the case of the ARM architecture, as well as firmware code for use in a server baseboard management controller.
3. The TPCM system of claim 1, wherein the platform information includes one or more of: CPU hardware information, dynamic memory hardware information, hard disk hardware information, north-south bridge chip hardware information, sound card hardware information, display card hardware information, network card hardware information, USB equipment hardware information and the guide information of a hard disk guide area.
4. The TPCM system of claim 1, wherein the boot code metrics module is further configured to cause the computer to enter an untrusted mode of operation or to power down or reboot the computer if the first hash value does not coincide with the first reference hash value; and/or
The platform environment metrics module is further configured to cause the computer to enter an untrusted mode of operation or to cause the computer to power down or reboot if the second hash value is inconsistent with the second reference hash value and/or if the third hash value is inconsistent with the third reference hash value and/or if the fourth hash value is inconsistent with the fourth reference hash value; and/or
The dynamic metrics module is further configured to cause the computer to enter an untrusted mode of operation or to cause the computer to power down or reboot if the fifth hash value is inconsistent with the fifth reference hash value.
5. The TPCM system of claim 1, wherein the boot code is BIOS code in the case of an x86 architecture, and the power control unit is further configured to:
instructing a power supply to supply a standby voltage to a power supply module of a computer motherboard and unlock a PW-OK signal upon receiving a power-on signal from a boot code metric module, and
after receiving the PS-ON signal from the power supply module, sending the PS-ON signal to the power supply to enable the computer motherboard to enter a running state.
6. The TPCM system of claim 1, wherein a diode is provided in a connection in the boot code circuit that powers the boot code flash for unidirectional powering of the boot code flash.
7. The TPCM system of claim 1, wherein the dynamic metrics module is further configured to:
obtaining, by the trusted software base, a key code of an application from the dynamic memory and generating a sixth hash value of the key code; and
comparing the sixth hash value to the sixth reference hash value and issuing a reminder to the user or causing the computer to enter an untrusted mode of operation if the sixth hash value does not correspond to the sixth reference hash value.
8. The TPCM system of claim 1, wherein the platform environment metrics module is connected to corresponding hardware of the computer through a low speed slave bus.
9. The TPCM system of claim 1, wherein the dynamic metrics module is coupled to the dynamic memory via a high-speed master bus.
10. The TPCM system of claim 1, wherein the boot code metrics module is further configured to configure the user's access rights to the physical port in accordance with the user's rights information.
11. The TPCM system of claim 1, wherein the platform environment metrics module is further configured to determine whether the user has access to the local computer platform or is authorized to enter a trusted mode of operation of the local computer platform by comparing hardware configuration information of the user with the collected platform information.
12. A method for building and maintaining a trusted operating environment through a TPCM system, wherein the TPCM system is connected to and powers boot code flash memory of a computer motherboard through a master control bus, the method comprising the steps of:
providing an operating voltage of the TPCM system by a power supply;
controlling, by the TPCM system, power supply to the boot code flash memory after the TPCM system is powered on and reading the boot code from the boot code flash memory and generating a first hash value of the boot code, wherein the boot code flash memory is a BIOS flash memory;
comparing the first hash value to a first reference hash value and powering up a power module of the computer motherboard if the first hash value is consistent with the first reference hash value;
collecting platform information and generating a second hash value of the platform information;
comparing the second hash value to the second reference hash value and reading the operating system load code if the second hash value is consistent with the second reference hash value;
generating a third hash value of the operating system load code and comparing the third hash value to the third reference hash value and running the operating system load code if the third hash value is consistent with the third reference hash value;
reading the operating system kernel and generating a fourth hash value of the operating system kernel and comparing the fourth hash value with the fourth reference hash value and running the operating system and putting the computer into a trusted operating mode if the fourth hash value is consistent with the fourth reference hash value;
dynamically reading the operating system kernel from the dynamic memory and generating a fifth hash value of the operating system kernel; and
the fifth hash value is compared with the fifth reference hash value and the computer is kept in the trusted operating mode if the fifth hash value corresponds with the fifth reference hash value.
13. The method of claim 12, the boot code comprising: BIOS code in the case of the x86 architecture, boot code in the case of the PowerPC architecture, or boot code in the case of the ARM architecture.
14. The method of claim 12, wherein the platform information comprises one or more of: CPU hardware information, dynamic memory hardware information, hard disk hardware information, north-south bridge chip hardware information, sound card hardware information, display card hardware information, network card hardware information, USB equipment hardware information and the guide information of a hard disk guide area.
15. The method of claim 12, further comprising at least one of:
if the first hash value is inconsistent with the first reference hash value, the computer is enabled to enter an untrusted working mode or the computer is powered down or restarted;
entering the computer into an untrusted mode of operation or powering down or restarting the computer if the second hash value does not correspond to the second reference hash value and/or if the third hash value does not correspond to the third reference hash value and/or if the fourth hash value does not correspond to the fourth reference hash value; and
in the event that the fifth hash value does not correspond to the fifth reference hash value, causing the computer to enter an untrusted mode of operation or causing the computer to power down or reboot.
16. The method of claim 12, further comprising the steps of:
obtaining, by the trusted software base, a key code of an application from the dynamic memory and generating a sixth hash value of the key code; and
comparing the sixth hash value to the sixth reference hash value and issuing a reminder to the user or causing the computer to enter an untrusted mode of operation if the sixth hash value does not correspond to the sixth reference hash value.
CN201610604485.4A 2016-07-28 2016-07-28 TPCM system for building and maintaining trusted operating environment and corresponding method Active CN107665308B (en)

Publications (2)

Publication Number Publication Date
CN107665308A CN107665308A (en) 2018-02-06
CN107665308B true CN107665308B (en) 2023-04-07


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant