CN109784061A - The method and device for starting that control server is credible - Google Patents
The method and device for starting that control server is credible Download PDFInfo
- Publication number
- CN109784061A CN109784061A CN201811545202.9A CN201811545202A CN109784061A CN 109784061 A CN109784061 A CN 109784061A CN 201811545202 A CN201811545202 A CN 201811545202A CN 109784061 A CN109784061 A CN 109784061A
- Authority
- CN
- China
- Prior art keywords
- reference value
- bios
- code block
- bmc
- destination server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Abstract
The embodiment of the present invention provides a kind of method and device of credible starting of control server, the described method includes: if there are the BIOS integrality a reference values of destination server in the BMC Flash of destination server, operation is then decrypted to a reference value in BMC Flash based on SM4 symmetric cryptographic algorithm, a reference value after obtaining decryption;Wherein, integrality a reference value carries out measurement acquisition by the complete code block in advance to BIOS;Operation is carried out based on current execution code block of the SM3 hash algorithm to BIOS in destination server, obtains the current metric for executing code block;If the metric for currently executing code block is identical as a reference value after decryption, started using the BMC guidance BIOS in destination server.Present invention method is simple, can effective guarantee BIOS starting when it is credible, without increasing any hardware spending just, it is constant to be able to maintain the original hardware configuration of BIOS, has universal adaptability.
Description
Technical field
The embodiment of the present invention belongs to computer security technical field, opens more particularly, to a kind of control server is credible
Dynamic method and device.
Background technique
Nowadays computer system is widely used in daily life.The start-up course of computer is to run first
BIOS (Basic Input Output System, basic input output system), detects computer system and is configured,
Then loading operation system and bottom firmware is run.BIOS in computer, which is generally stored inside this non-volatile memories of flash memory, to be held
In device, and BIOS is often the object of virus, hacker attack.At the same time, server is as a kind of mainframe computer, BIOS
It is faced with safety problem, with the arrival of big data and cloud computing, the safety problem of BIOS is especially prominent.
The security threat of BIOS is divided into inside threat and outside threat.Inside threat such as BIOS dysfunction, configuration loophole,
Information leakage etc..Outside threat such as BIOS physical attacks, BIOS malicious code insertion etc., attack pattern are by executing code
BIOS is modified, so that BIOS or operating system be caused to be destroyed.The inside threats such as BIOS functional fault, information leakage belong to normally
Defect existing for program or software module, and outside threat is by destroying bios code or data integrity to BIOS system and meter
Calculation machine system is attacked and is destroyed then as abnormal defect.
The mode for being currently typically based on credible measurement detects BIOS integrity failure.Protection based on credible measurement to BIOS
It is broadly divided into based on TPM (Trusted Platform Module, credible platform module), TCM (Trusted
Cryptography Module, credible password module) or the hardware such as other trusted firmwares protection, in BIOS start-up course
By calling the cryptographic algorithm inside hardware to verify the code inside BIOS, such method depends in use
Additional hardware module needs to increase additional reliable hardware module, this will will increase hardware spending and cost, or even needs to repair
Change server bottom architecture, increases development difficulty.
Summary of the invention
To overcome the problems, such as that the credible starting of above-mentioned existing control server needs to rely on additional hardware module or at least
It partly solves the above problems, the embodiment of the present invention provides a kind of method and device of credible starting of control server.
According to a first aspect of the embodiments of the present invention, a kind of method of credible starting of control server is provided, comprising:
If being based in the BMC Flash of destination server there are the BIOS integrality a reference value of the destination server
Operation is decrypted to a reference value in the BMC Flash in SM4 symmetric cryptographic algorithm, a reference value after obtaining decryption;Wherein,
Integrality a reference value in the BMC Flash passes through the complete code block degree of progress in advance to BIOS in the destination server
Amount obtains;
Operation is carried out based on current execution code block of the SM3 hash algorithm to BIOS in the destination server, obtains institute
State the current metric for executing code block;
If the current metric for executing code block is identical as a reference value after the decryption, taken using the target
The BMC being engaged in device guides the BIOS starting.
Second aspect according to embodiments of the present invention provides a kind of device of credible starting of control server, comprising:
Crypto module, for the BIOS integrality in the BMC Flash of destination server there are the destination server
When a reference value, operation is decrypted to a reference value in the BMC Flash based on SM4 symmetric cryptographic algorithm, after obtaining decryption
A reference value;Wherein, the integrality a reference value in the BMC Flash by advance in the destination server BIOS it is complete
Whole code block carries out measurement acquisition;
Metric module, for based on SM3 hash algorithm to the current execution code block of BIOS in the destination server into
Row operation obtains the current metric for executing code block;
Correction verification module, if identical as a reference value after the decryption for the current metric for executing code block,
The BIOS is guided to start using the BMC in the destination server.
In terms of third according to an embodiment of the present invention, a kind of electronic equipment is also provided, comprising:
At least one processor;And
At least one processor being connect with the processor communication, in which:
The memory is stored with the program instruction that can be executed by the processor, and the processor calls described program to refer to
Order is able to carry out in the various possible implementations of first aspect control service provided by any possible implementation
The method for starting that device is credible.
4th aspect according to an embodiment of the present invention, also provides a kind of non-transient computer readable storage medium, described
Non-transient computer readable storage medium stores computer instruction, and the computer instruction makes the computer execute first aspect
Various possible implementations in the credible starting of control server provided by any possible implementation method.
The embodiment of the present invention provides a kind of method and device of credible starting of control server, and this method is by making BMC
For the root of trust of credible starting chain, the trust chain of BMC to BIOS starting is established using integrity verification and symmetric cryptosystem,
Call SM4 symmetric cryptographic algorithm that fortune is decrypted to the BIOS integrality a reference value in BMC Flash before BMC starting BIOS
It calculates, then carries out operation using current execution code block of the SM3 hash algorithm to BIOS, BIOS is currently executed to the measurement of code
Value is compared with a reference value after decryption, compare it is consistent after start BIOS, thus realize BIOS is currently executed code block into
Row integrality and authenticity verification, on the one hand, ensure to be the integrality of BIOS and be not implanted malicious code, effective guarantee
It is credible when BIOS starts, it ensure that the credible of system platform performing environment, help to improve security of system;On the other hand,
Method is simple, can be effectively protected expected metric without increasing any hardware spending, be able to maintain the original hardware of BIOS
Structure is constant, has universal adaptability.
Detailed description of the invention
In order to more clearly explain the embodiment of the invention or the technical proposal in the existing technology, to embodiment or will show below
There is attached drawing needed in technical description to be briefly described, it should be apparent that, the accompanying drawings in the following description is this hair
Bright some embodiments for those of ordinary skill in the art without creative efforts, can be with root
Other attached drawings are obtained according to these attached drawings.
Fig. 1 is the method overall flow schematic diagram of the credible starting of control server provided in an embodiment of the present invention;
Fig. 2 is the method flow schematic diagram for the credible starting of control server that further embodiment of this invention provides;
Fig. 3 is the apparatus structure schematic diagram of the credible starting of control server provided in an embodiment of the present invention;
Fig. 4 is electronic equipment overall structure diagram provided in an embodiment of the present invention.
Specific embodiment
In order to make the object, technical scheme and advantages of the embodiment of the invention clearer, below in conjunction with the embodiment of the present invention
In attached drawing, technical scheme in the embodiment of the invention is clearly and completely described, it is clear that described embodiment is
A part of the embodiment of the present invention, instead of all the embodiments.Based on the embodiments of the present invention, those of ordinary skill in the art
Every other embodiment obtained without creative efforts, shall fall within the protection scope of the present invention.
A kind of method of credible starting of control server is provided in one embodiment of the invention, and Fig. 1 is that the present invention is real
The method overall flow schematic diagram of the credible starting of control server of example offer is provided, this method comprises: S101, if destination server
BMC Flash in there are the BIOS integrality a reference values of the destination server, then based on SM4 symmetric cryptographic algorithm to described
Operation is decrypted in a reference value in BMC Flash, a reference value after obtaining decryption;Wherein, complete in the BMC Flash
Property a reference value carries out measurement acquisition by the complete code block in advance to BIOS in the destination server;S102 is miscellaneous based on SM3
The algorithm that gathers carries out operation to the current execution code block of BIOS in the destination server, obtains the current execution code block
Metric;S103 uses the mesh if the current metric for executing code block is identical as a reference value after the decryption
It marks the BMC in server and guides the BIOS starting.
Wherein, destination server is the server for needing to carry out credible starting.As shown in Fig. 2, to destination server into
When row starting, first to the BMC of destination server (Baseboard Management Controller, substrate management control
Device) it is powered on, completeness check is equipped with inside BMC, so that it is guaranteed that BMC is believable.In the flash memory Flash for reading BMC
BIOS a reference value.BIOS integrality a reference value is the encryption obtained after being measured and encrypted by the complete code block to BIOS
Metric.If the BIOS a reference value in Flash is sky, illustrate that BMC starts BIOS for the first time, needs to calculate BMC starting BIOS process
A reference value.If the BIOS a reference value in Flash is not sky, BMC guidance BIOS normally starts.
When BMC is during guiding BIOS load, i.e., when BIOS a reference value is not sky in BMC Flash, need pair
BIOS currently executes code block and is measured and carry out integrity verification.Detailed process is to call SM4 symmetric cryptographic algorithm to depositing
Operation is decrypted in the BIOS a reference value stored up in Flash, a reference value after being decrypted, and then calls SM3 hash algorithm pair
The current execution code block of BIOS carries out that metric is calculated.Finally the current metric for executing code block is obtained with decryption
The a reference value of BIOS complete code block is compared, and compares complete, the current BIOS that unanimously illustrates that BIOS currently executes code block
State is credible, and BMC guides BIOS starting;Otherwise illustrate that current BIOS is insincere, do not start BIOS, return abnormal.Wherein SM3 is miscellaneous
It gathers algorithm and SM4 symmetric cryptographic algorithm is the commercial cipher algorithm in China, system can be guaranteed using the combination of two kinds of algorithms
Safety.
The present embodiment is by utilizing integrity verification and symmetric cryptosystem using BMC as the root of trust of credible starting chain
The trust chain for establishing BMC to BIOS starting calls SM4 symmetric cryptographic algorithm in BMC Flash before BMC starts BIOS
Operation is decrypted in BIOS integrality a reference value, is then transported using current execution code block of the SM3 hash algorithm to BIOS
It calculates, the metric that BIOS is currently executed to code is compared with a reference value after decryption, consistent rear starting BIOS is compared, thus
Realization currently executes code block to BIOS and carries out integrality and authenticity verification, on the one hand, ensures to be the integrality of BIOS and do not have
It is implanted malicious code, it is credible when effective guarantee BIOS starts, it ensure that the credible of system platform performing environment, facilitate
Improve security of system;On the other hand, method is simple, can be effectively protected expected measurement without increasing any hardware spending
Value, it is constant to be able to maintain the original hardware configuration of BIOS, has universal adaptability.
On the basis of the above embodiments, if there are the targets in the BMC Flash of destination server in the present embodiment
The BIOS a reference value of server is then decrypted the BIOS a reference value in the BMC Flash based on SM4 symmetric cryptographic algorithm
The step of operation, a reference value after being decrypted further include: if the BIOS a reference value is not present in the BMC Flash,
Operation is carried out based on backup code block of the SM3 hash algorithm to BIOS in the destination server, obtains the BIOS's
The metric of backup code block, using the metric of the backup code block as a reference value of the BIOS;Based on described SM4 pairs
Claim cryptographic algorithm to carry out cryptographic calculation to a reference value, obtains encrypted a reference value;The encrypted a reference value is deposited
It stores up in the BMC Flash.
Wherein, the backup code block of BIOS is the complete code block of BIOS backup, is not altered, and is had very high complete
Property.Start BIOS for the first time, needs to collect a reference value of BMC starting BIOS process, call SM3 hash algorithm to back up BIOS at this time
Code block carries out hash operation, obtains 256 a reference values.SM4 symmetric cryptographic algorithm is called to carry out cryptographic calculation to a reference value,
Obtain encrypted a reference value.By the storage of encrypted a reference value into BMC Flash, so as to when starting after server,
A reference value is obtained directly from BMC Flash carries out credible judgement.
On the basis of the above embodiments, in the present embodiment based on the SM4 symmetric cryptographic algorithm to a reference value into
Row cryptographic calculation, the step of obtaining encrypted a reference value, specifically include:
SM4 encryption key and SM4 decruption key are generated based on the SM4 symmetric cryptographic algorithm;According to administrator's input
The SM4 encryption key carries out cryptographic calculation to a reference value using the SM4 symmetric cryptographic algorithm, obtains encrypted
A reference value;Correspondingly, operation is decrypted to a reference value in the BMC Flash based on SM4 symmetric cryptographic algorithm, obtains solution
The step of a reference value after close, specifically includes: the SM4 decruption key inputted according to administrator, symmetrically close using the SM4
Operation is decrypted to the BIOS a reference value in the BMC Flash in code algorithm, a reference value after obtaining decryption.
Specifically, it is in advance based on SM4 symmetric cryptographic algorithm and generates a pair of secret keys, is i.e. SM4 encryption key and SM4 decryption is close
Key.When collecting a reference value of BMC starting BIOS process, administrator is needed to input SM4 encryption key.SM3 hash is being called to calculate
After method obtains a reference value to the progress hash operation of BIOS backup code block.SM4 symmetric cryptographic algorithm is called to use SM4 encryption key
Cryptographic calculation is carried out to a reference value, obtains encrypted a reference value.Need administrator defeated during BMC guidance BIOS starting
Enter SM4 decruption key, calls SM4 symmetric cryptographic algorithm that operation is decrypted to a reference value using SM4 decruption key, obtain decryption
A reference value afterwards, the metric that a reference value after decryption is currently executed to code block with BIOS are compared, so that it is determined that
BIOS currently executes whether code block is complete, and whether BIOS is credible, is determined whether to start BIOS according to definitive result.
A kind of device of credible starting of control server is provided in another embodiment of the present invention, and the device is for real
Method in existing foregoing embodiments.Therefore, the description in each embodiment of the method for the credible starting of aforementioned control server
And definition, it can be used for the understanding of each execution module in the embodiment of the present invention.Fig. 3 is control provided in an embodiment of the present invention clothes
The device overall structure diagram of the business credible starting of device, which includes crypto module 301, metric module 302 and correction verification module
303;Wherein:
Crypto module 301 is for there are the BIOS of the destination server is complete in the BMC Flash of destination server
Property a reference value when, operation is decrypted to a reference value in the BMC Flash based on SM4 symmetric cryptographic algorithm, obtains decryption
A reference value afterwards;Wherein, the integrality a reference value in the BMC Flash passes through in advance to BIOS in the destination server
Complete code block carries out measurement acquisition;Metric module 302 is used for based on SM3 hash algorithm to BIOS in the destination server
The current code block that executes carries out operation, obtains the current metric for executing code block;If correction verification module 303 is worked as described
The preceding metric for executing code block is identical as a reference value after the decryption, then is guided using the BMC in the destination server
The BIOS starting.
Wherein, destination server is the server for needing to carry out credible starting.As shown in Fig. 2, to destination server into
When row starting, first to the BMC of destination server (Baseboard Management Controller, substrate management control
Device) it is powered on, completeness check is equipped with inside BMC, so that it is guaranteed that BMC is believable.In the flash memory Flash for reading BMC
BIOS a reference value.BIOS integrality a reference value is the encryption obtained after being measured and encrypted by the complete code block to BIOS
Metric.If the BIOS a reference value in Flash is sky, illustrate that BMC starts BIOS for the first time, needs to calculate BMC starting BIOS process
A reference value.If the BIOS a reference value in Flash is not sky, BMC guidance BIOS normally starts.
When BMC is during guiding BIOS load, i.e., when BIOS a reference value is not sky in BMC Flash, need pair
BIOS currently executes code block and is measured and carry out integrity verification.Detailed process is that crypto module 301 calls SM4 symmetrically close
Operation is decrypted to the BIOS a reference value being stored in Flash in code algorithm, a reference value after being decrypted, then metric module
302 calling SM3 hash algorithms to the current execution code block of BIOS carry out that metric is calculated.Terminal check module 303 will
The current metric for executing code block is compared with a reference value that decryption obtains BIOS complete code block, compares consistent explanation
BIOS currently executes that code block is complete, and current BIOS state is credible, and BMC guides BIOS starting;Otherwise illustrate current BIOS not
It is credible, do not start BIOS, returns abnormal.Wherein SM3 hash algorithm and SM4 symmetric cryptographic algorithm are that the commercial cipher in China is calculated
Method can guarantee the safety of system using the combination of two kinds of algorithms.
The present embodiment is by utilizing integrity verification and symmetric cryptosystem using BMC as the root of trust of credible starting chain
The trust chain for establishing BMC to BIOS starting calls SM4 symmetric cryptographic algorithm in BMC Flash before BMC starts BIOS
Operation is decrypted in BIOS integrality a reference value, is then transported using current execution code block of the SM3 hash algorithm to BIOS
It calculates, the metric that BIOS is currently executed to code is compared with a reference value after decryption, consistent rear starting BIOS is compared, thus
Realization currently executes code block to BIOS and carries out integrality and authenticity verification, on the one hand, ensures to be the integrality of BIOS and do not have
It is implanted malicious code, it is credible when effective guarantee BIOS starts, it ensure that the credible of system platform performing environment, facilitate
Improve security of system;On the other hand, method is simple, can be effectively protected expected measurement without increasing any hardware spending
Value, it is constant to be able to maintain the original hardware configuration of BIOS, has universal adaptability.
It on the basis of the above embodiments, further include a reference value generation module in the present embodiment, in the BMC
When the BIOS a reference value being not present in Flash, the backup based on the SM3 hash algorithm to BIOS in the destination server
Code block carry out operation, obtain the metric of the backup code block of the BIOS, using the metric of the backup code block as
The a reference value of the BIOS;Cryptographic calculation is carried out to a reference value based on the SM4 symmetric cryptographic algorithm, is obtained encrypted
A reference value;By the encrypted a reference value storage into the BMC Flash.
On the basis of the above embodiments, crypto module is specifically used in the present embodiment: being calculated based on the SM4 symmetric cryptography
Method generates SM4 encryption key and SM4 decruption key;According to the SM4 encryption key that administrator inputs, described SM4 pairs is used
Claim cryptographic algorithm to carry out cryptographic calculation to the BIOS a reference value in the BMC Flash, obtains encrypted a reference value;According to pipe
Reason person input the SM4 decruption key, using the SM4 symmetric cryptographic algorithm to a reference value in the BMC Flash into
Row decryption operation, a reference value after obtaining decryption.
On the basis of the various embodiments described above, correction verification module is also used in the present embodiment: in the current execution code block
Metric and the decryption after a reference value it is not identical when, show the incredible information of presently described BIOS, and described in stopping
The starting of destination server.
The present embodiment provides a kind of electronic equipment, Fig. 4 is electronic equipment overall structure provided in an embodiment of the present invention signal
Figure, which includes: at least one processor 401, at least one processor 402 and bus 403;Wherein,
Processor 401 and memory 402 pass through bus 403 and complete mutual communication;
Memory 402 is stored with the program instruction that can be executed by processor 401, and the instruction of processor caller is able to carry out
Method provided by above-mentioned each method embodiment, for example, if there are target clothes in the BMC Flash of destination server
The BIOS integrality a reference value of business device, then be decrypted a reference value in the BMC Flash based on SM4 symmetric cryptographic algorithm
Operation, a reference value after obtaining decryption;Based on SM3 hash algorithm to the current execution code block of BIOS in the destination server
Operation is carried out, the current metric for executing code block is obtained;If the current metric for executing code block and the solution
A reference value after close is identical, then guides the BIOS to start using the BMC in the destination server.
The present embodiment provides a kind of non-transient computer readable storage medium, non-transient computer readable storage medium storages
Computer instruction, computer instruction make computer execute method provided by above-mentioned each method embodiment, for example, if target
There are the BIOS integrality a reference values of the destination server in the BMC Flash of server, then are based on SM4 symmetric cryptographic algorithm
Operation is decrypted to a reference value in the BMC Flash, a reference value after obtaining decryption;Based on SM3 hash algorithm to institute
The current execution code block for stating BIOS in destination server carries out operation, obtains the current metric for executing code block;If
The current metric for executing code block is identical as a reference value after the decryption, then using in the destination server
BMC guides the BIOS starting.
Those of ordinary skill in the art will appreciate that: realize that all or part of the steps of above method embodiment can pass through
The relevant hardware of program instruction is completed, and program above-mentioned can be stored in a computer readable storage medium, the program
When being executed, step including the steps of the foregoing method embodiments is executed;And storage medium above-mentioned includes: ROM, RAM, magnetic disk or light
The various media that can store program code such as disk.
The apparatus embodiments described above are merely exemplary, wherein described, unit can as illustrated by the separation member
It is physically separated with being or may not be, component shown as a unit may or may not be physics list
Member, it can it is in one place, or may be distributed over multiple network units.It can be selected according to the actual needs
In some or all of the modules achieve the purpose of the solution of this embodiment.Those of ordinary skill in the art are not paying creativeness
Labour in the case where, it can understand and implement.
Through the above description of the embodiments, those skilled in the art can be understood that each embodiment can
It realizes by means of software and necessary general hardware platform, naturally it is also possible to pass through hardware.Based on this understanding, on
Stating technical solution, substantially the part that contributes to existing technology can be embodied in the form of software products in other words, should
Computer software product may be stored in a computer readable storage medium, such as ROM/RAM, magnetic disk, CD, including several fingers
It enables and using so that a computer equipment (can be personal computer, server or the network equipment etc.) executes each implementation
Method described in certain parts of example or embodiment.
Finally, it should be noted that the above embodiments are merely illustrative of the technical solutions of the present invention, rather than its limitations;Although
Present invention has been described in detail with reference to the aforementioned embodiments, those skilled in the art should understand that: it still may be used
To modify the technical solutions described in the foregoing embodiments or equivalent replacement of some of the technical features;
And these are modified or replaceed, technical solution of various embodiments of the present invention that it does not separate the essence of the corresponding technical solution spirit and
Range.
Claims (10)
1. a kind of method of the credible starting of control server characterized by comprising
If there are the BIOS integrality a reference values of the destination server in the BMC Flash of destination server, it is based on SM4 pairs
Claim cryptographic algorithm that operation is decrypted to a reference value in the BMC Flash, a reference value after obtaining decryption;Wherein, described
Integrality a reference value in BMC Flash carries out measurement by the complete code block in advance to BIOS in the destination server and obtains
It takes;
Operation is carried out based on current execution code block of the SM3 hash algorithm to BIOS in the destination server, is worked as described in acquisition
The preceding metric for executing code block;
If the current metric for executing code block is identical as a reference value after the decryption, the destination server is used
In BMC guide BIOS starting.
2. the method according to claim 1, wherein if there are the mesh in the BMC Flash of destination server
The BIOS a reference value for marking server, then solve the BIOS a reference value in the BMC Flash based on SM4 symmetric cryptographic algorithm
The step of close operation, a reference value after being decrypted further include:
If the BIOS a reference value is not present in the BMC Flash, based on the SM3 hash algorithm to the destination service
The backup code block of BIOS carries out operation in device, the metric of the backup code block of the BIOS is obtained, by the backup code
A reference value of the metric of block as the BIOS;
Cryptographic calculation is carried out to a reference value based on the SM4 symmetric cryptographic algorithm, obtains encrypted a reference value;
By the encrypted a reference value storage into the BMC Flash.
3. according to the method described in claim 2, it is characterized in that, based on the SM4 symmetric cryptographic algorithm to a reference value
The step of carrying out cryptographic calculation, obtaining encrypted a reference value specifically includes:
SM4 encryption key and SM4 decruption key are generated based on the SM4 symmetric cryptographic algorithm;
According to the SM4 encryption key that administrator inputs, using the SM4 symmetric cryptographic algorithm in the BMC Flash
BIOS a reference value carry out cryptographic calculation, obtain encrypted a reference value;
Correspondingly, operation is decrypted to a reference value in the BMC Flash based on SM4 symmetric cryptographic algorithm, obtains decryption
The step of rear a reference value, specifically includes:
According to the SM4 decruption key that administrator inputs, using the SM4 symmetric cryptographic algorithm in the BMC Flash
A reference value be decrypted operation, a reference value after obtaining decryption.
4. method according to claim 1 to 3, which is characterized in that if it is described it is current execute code block metric with
The step of a reference value after the decryption is identical, then guides the BIOS to start using the BMC in the destination server is also wrapped
It includes:
If the current metric for executing code block and a reference value after the decryption be not identical, presently described BIOS is shown
Incredible information, and stop the starting of the destination server.
5. a kind of device of the credible starting of control server characterized by comprising
Crypto module, for the BIOS integrality benchmark in the BMC Flash of destination server there are the destination server
When value, operation is decrypted to a reference value in the BMC Flash based on SM4 symmetric cryptographic algorithm, the base after obtaining decryption
Quasi- value;Wherein, the integrality a reference value in the BMC Flash passes through in advance to the complete generation of BIOS in the destination server
Code block carries out measurement acquisition;
Metric module, for being transported based on current execution code block of the SM3 hash algorithm to BIOS in the destination server
It calculates, obtains the current metric for executing code block;
Correction verification module uses if identical as a reference value after the decryption for the current metric for executing code block
BMC in the destination server guides the BIOS starting.
6. device according to claim 5, which is characterized in that further include a reference value generation module, be used for:
When the BIOS a reference value being not present in the BMC Flash, based on the SM3 hash algorithm to the destination service
The backup code block of BIOS carries out operation in device, the metric of the backup code block of the BIOS is obtained, by the backup code
A reference value of the metric of block as the BIOS;
Cryptographic calculation is carried out to a reference value based on the SM4 symmetric cryptographic algorithm, obtains encrypted a reference value;
By the encrypted a reference value storage into the BMC Flash.
7. device according to claim 6, which is characterized in that crypto module is specifically used for:
SM4 encryption key and SM4 decruption key are generated based on the SM4 symmetric cryptographic algorithm;
According to the SM4 encryption key that administrator inputs, using the SM4 symmetric cryptographic algorithm in the BMC Flash
BIOS a reference value carry out cryptographic calculation, obtain encrypted a reference value;
According to the SM4 decruption key that administrator inputs, using the SM4 symmetric cryptographic algorithm in the BMC Flash
A reference value be decrypted operation, a reference value after obtaining decryption.
8. according to any device of claim 5-7, which is characterized in that correction verification module is also used to: in the current execution
When a reference value after the metric of code block and the decryption is not identical, the incredible information of presently described BIOS is shown, and stop
The only starting of the destination server.
9. a kind of electronic equipment characterized by comprising
At least one processor, at least one processor and bus;Wherein,
The processor and memory complete mutual communication by the bus;
The memory is stored with the program instruction that can be executed by the processor, and the processor calls described program to instruct energy
Enough methods executed as described in Claims 1-4 is any.
10. a kind of non-transient computer readable storage medium, which is characterized in that the non-transient computer readable storage medium is deposited
Computer instruction is stored up, the computer instruction makes the computer execute the method as described in Claims 1-4 is any.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811545202.9A CN109784061A (en) | 2018-12-17 | 2018-12-17 | The method and device for starting that control server is credible |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811545202.9A CN109784061A (en) | 2018-12-17 | 2018-12-17 | The method and device for starting that control server is credible |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN109784061A true CN109784061A (en) | 2019-05-21 |
Family
ID=66498150
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811545202.9A Pending CN109784061A (en) | 2018-12-17 | 2018-12-17 | The method and device for starting that control server is credible |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109784061A (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111046392A (en) * | 2019-11-26 | 2020-04-21 | 深圳中电长城信息安全系统有限公司 | BIOS (basic input output System) credibility measuring method and device and terminal equipment |
| CN111258805A (en) * | 2020-01-10 | 2020-06-09 | 苏州浪潮智能科技有限公司 | Hard disk state monitoring method and device for server and computer device |
| CN114546745A (en) * | 2022-03-02 | 2022-05-27 | 北京工业大学 | Method for distinguishing fault program section in trusted starting process |
| CN114595097A (en) * | 2022-03-04 | 2022-06-07 | 北京工业大学 | Method for identifying fault starting program in trusted starting process |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104850792A (en) * | 2015-05-20 | 2015-08-19 | 浪潮电子信息产业股份有限公司 | Establishment method and apparatus of trust chain of server |
| CN106127056A (en) * | 2016-06-20 | 2016-11-16 | 浪潮电子信息产业股份有限公司 | A kind of method for designing of domestic BMC chip trusted firmware |
| CN106384052A (en) * | 2016-08-26 | 2017-02-08 | 浪潮电子信息产业股份有限公司 | BMC U-boot trusted starting control method |
| CN107145802A (en) * | 2017-05-09 | 2017-09-08 | 郑州云海信息技术有限公司 | A kind of BIOS integrity measurement methods, baseboard management controller and system |
| CN107169379A (en) * | 2017-05-19 | 2017-09-15 | 郑州云海信息技术有限公司 | A kind of method and server that integrity measurement is carried out based on BMC and TCM |
-
2018
- 2018-12-17 CN CN201811545202.9A patent/CN109784061A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104850792A (en) * | 2015-05-20 | 2015-08-19 | 浪潮电子信息产业股份有限公司 | Establishment method and apparatus of trust chain of server |
| CN106127056A (en) * | 2016-06-20 | 2016-11-16 | 浪潮电子信息产业股份有限公司 | A kind of method for designing of domestic BMC chip trusted firmware |
| CN106384052A (en) * | 2016-08-26 | 2017-02-08 | 浪潮电子信息产业股份有限公司 | BMC U-boot trusted starting control method |
| CN107145802A (en) * | 2017-05-09 | 2017-09-08 | 郑州云海信息技术有限公司 | A kind of BIOS integrity measurement methods, baseboard management controller and system |
| CN107169379A (en) * | 2017-05-19 | 2017-09-15 | 郑州云海信息技术有限公司 | A kind of method and server that integrity measurement is carried out based on BMC and TCM |
Non-Patent Citations (2)
| Title |
|---|
| 张焕国 等著: "《可信计算》", 31 August 2011, 武汉大学出版社 * |
| 陈泽茂 等著: "《信息系统安全》", 30 April 2014, 武汉大学出版社 * |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111046392A (en) * | 2019-11-26 | 2020-04-21 | 深圳中电长城信息安全系统有限公司 | BIOS (basic input output System) credibility measuring method and device and terminal equipment |
| CN111258805A (en) * | 2020-01-10 | 2020-06-09 | 苏州浪潮智能科技有限公司 | Hard disk state monitoring method and device for server and computer device |
| CN114546745A (en) * | 2022-03-02 | 2022-05-27 | 北京工业大学 | Method for distinguishing fault program section in trusted starting process |
| CN114546745B (en) * | 2022-03-02 | 2024-03-22 | 北京工业大学 | Method for distinguishing fault program section in trusted starting process |
| CN114595097A (en) * | 2022-03-04 | 2022-06-07 | 北京工业大学 | Method for identifying fault starting program in trusted starting process |
| CN114595097B (en) * | 2022-03-04 | 2024-03-26 | 北京工业大学 | Method for identifying fault starting program in trusted starting process |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10601807B2 (en) | Systems and methods for providing container security | |
| US10484185B2 (en) | Method and system for distributing attestation key and certificate in trusted computing | |
| CN109784061A (en) | The method and device for starting that control server is credible | |
| Pereida García et al. | Make sure DSA signing exponentiations really are constant-time | |
| Xiao et al. | Security and privacy in cloud computing | |
| US20190146778A1 (en) | Device-driven auto-recovery using multiple recovery sources | |
| CN107111713B (en) | Automatic validation of software systems | |
| Brengel et al. | Identifying key leakage of bitcoin users | |
| Mavroudis et al. | A touch of evil: High-assurance cryptographic hardware from untrusted components | |
| CN103888251A (en) | Virtual machine credibility guaranteeing method in cloud environment | |
| EP3937045B1 (en) | Hash updating methods and apparatuses of blockchain integrated station | |
| US11489823B2 (en) | Network enclave attestation for network and compute devices | |
| US20120311341A1 (en) | Centralized kernal module loading | |
| EP3333747A1 (en) | Methods and systems for detecting rollback attacks | |
| US20200074122A1 (en) | Cryptographic operation processing method, apparatus, and system, and method for building measurement for trust chain | |
| Koutroumpouchos et al. | Secure edge computing with lightweight control-flow property-based attestation | |
| US10073980B1 (en) | System for assuring security of sensitive data on a host | |
| Kreutz et al. | ANCHOR: Logically centralized security for software-defined networks | |
| CN109889477A (en) | Server based on trusted cryptography's engine starts method and device | |
| Jayaraman et al. | Decentralized certificate authorities | |
| Ma et al. | CARAF: crypto agility risk assessment framework | |
| Dauterman et al. | {SafetyPin}: Encrypted backups with {Human-Memorable} secrets | |
| CN111585995A (en) | Method and device for transmitting and processing safety wind control information, computer equipment and storage medium | |
| CN111859379B (en) | Processing method and device for protecting data model | |
| Crowther et al. | Securing Over-the-Air Firmware Updates (FOTA) for Industrial Internet of Things (IIOT) Devices |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information |
Address after: 101121 3rd floor, 12 Yunjing South Street, Tongzhou District, Beijing Applicant after: Beijing Xiding Zhonghe Technology Co., Ltd Address before: 100036 room 1129, building 5, lianhuayuan, Haidian District, Beijing Applicant before: BEIJING TEAMSUN INFORMATION TECHNOLOGY DEVELOPMENT Co.,Ltd. |
|
| CB02 | Change of applicant information | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20190521 |
|
| RJ01 | Rejection of invention patent application after publication |