CN110334512A - Static measurement method and apparatus for a trusted computing platform based on a dual-system architecture - Google Patents


Info

Publication number: CN110334512A
Authority: CN (China)
Prior art keywords: hardware resource, computing, protection, trusted, processor
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201910611598.0A
Other languages: Chinese (zh)
Other versions: CN110334512B (en)
Inventors: 孙瑜, 王强, 王涛, 洪宇
Current assignee: BEIJING HUATECH TRUSTED COMPUTING INFORMATION TECHNOLOGY Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: BEIJING HUATECH TRUSTED COMPUTING INFORMATION TECHNOLOGY Co Ltd
Application filed by BEIJING HUATECH TRUSTED COMPUTING INFORMATION TECHNOLOGY Co Ltd
Priority to CN201910611598.0A
Publication of CN110334512A
Application granted
Publication of CN110334512B
Current legal status: Active


Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/572 Secure firmware programming, e.g. of basic input output system [BIOS]
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic


Abstract

The invention discloses a static measurement method and apparatus for a trusted computing platform based on a dual-system architecture. The method comprises: when the computer is powered on, dividing the hardware resources of the computer into protection hardware resources and computing hardware resources, wherein the computing hardware resources may be accessed by the protection hardware resources but cannot access the protection hardware resources, the protection hardware resources run a protection subsystem, and the computing hardware resources run a computing subsystem; controlling the protection hardware resources to start before the computing hardware resources; and measuring the start-up stages of the computing hardware resources while the computing hardware resources start the computing subsystem. The invention addresses the technical problem of low computer security in the related art.

Description

Static measurement method and apparatus for a trusted computing platform based on a dual-system architecture
Technical field
The present invention relates to the field of network security, and in particular to a static measurement method and apparatus for a trusted computing platform based on a dual-system architecture.
Background
Current cyberspace is extremely fragile. Stuxnet, ransomware such as WannaCry and the Mirai botnet have caused high-impact attacks one after another, and the trend is worsening. Traced to its source, the problem is that network security risk has never been addressed at its essential cause: the passive defence means in use, the "block and kill" measures represented by firewalls, antivirus scanning and intrusion detection, cannot guard against everything, and in particular cannot effectively defend against attacks launched against vulnerabilities in the target system.
The trusted computing chip TPM proposed by the international TCG organization (Trusted Computing Group) is a peripheral of the computer that is passively attached and acts only when called by host software; it can only perform static measurement of resources such as the computer's firmware and executable programs. A trusted computing platform realized with a TPM is essentially a single-system architecture: the TPM is limited in resource access and control, and its security capability depends entirely on the security of the host system. It is therefore difficult to defend against attacks that hackers carry out through host-system vulnerabilities, and the active defence capability of the computer system cannot be substantially improved.
To address the security problems faced in cyberspace, the TCG proposed the trusted computing approach: use the TPM and the initial BIOS code as the root of trust, measure level by level, and so build the computer's chain of trust, protecting valuable computer resources from illegal tampering and destruction; this has had a positive effect. But the TPM is essentially a passively attached peripheral of the computer and only acts when called by a host program. Once the host is controlled by an attacker, the TPM can no longer play its role, so the TCG trusted computing architecture is largely unable to resist attacks that exploit logic flaws in the computer system. For example, Windows 10 fully implements the TCG trusted computing architecture, yet failed to prevent the WannaCry ransomware attack.
In addition, a trusted computing platform realized with a TPM is essentially a single-system architecture, and the TPM is limited in accessing and controlling the computer's resources. The TPM can only perform static measurement of resources such as firmware and executable programs; it cannot perform dynamic measurement of application execution and the execution environment the application relies on.
In summary, a trusted computing platform realized with a TPM is a single-system architecture; the TPM performs static measurement of firmware and executable programs but cannot dynamically measure application execution and its execution environment; the TPM is limited in resource access and control; and the TPM's security capability depends entirely on the security of the host system.
No effective solution to the above problem has yet been proposed.
Summary of the invention
Embodiments of the invention provide a static measurement method and apparatus for a trusted computing platform based on a dual-system architecture, so as to at least solve the technical problem of low computer security in the related art.
According to one aspect of an embodiment of the invention, a static measurement method for a trusted computing platform based on a dual-system architecture is provided, comprising: when the computer is powered on, dividing the hardware resources of the computer into protection hardware resources and computing hardware resources, wherein the computing hardware resources may be accessed by the protection hardware resources but cannot access the protection hardware resources, the protection hardware resources run a protection subsystem, and the computing hardware resources run a computing subsystem; controlling the protection hardware resources to start before the computing hardware resources; and measuring the start-up stages of the computing hardware resources while the computing hardware resources start the computing subsystem.
According to another aspect of an embodiment of the invention, a static measurement apparatus for a trusted computing platform based on a dual-system architecture is also provided, comprising: a division unit for dividing, when the computer is powered on, the hardware resources of the computer into protection hardware resources and computing hardware resources, wherein the computing hardware resources may be accessed by the protection hardware resources but cannot access the protection hardware resources, the protection hardware resources run a protection subsystem, and the computing hardware resources run a computing subsystem; and a measurement unit for controlling the protection hardware resources to start before the computing hardware resources, and for measuring the start-up stages of the computing hardware resources while the computing hardware resources start the computing subsystem.
According to another aspect of an embodiment of the invention, a storage medium is also provided, which comprises a stored program; when the program runs, it executes the above method.
According to another aspect of an embodiment of the invention, an electronic device is also provided, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, the processor executing the above method by means of the computer program.
In embodiments of the invention, a dual-system architecture is built inside the processor (CPU) in which a securely isolated computing component (including the computing hardware resources) and a protection component (including the protection hardware resources) coexist. The computing component cannot access the resources of the protection component, whereas the protection component can access all resources of the computing component, and the two sides interact through a secure designated channel. The protection component, with the trusted platform control module (TPCM) as its core and trust anchor, can start before the processor of the computing component, perform the initial configuration of the computing component's resources and buses, access all host resources through a direct internal bus-sharing mechanism, and perform static and dynamic trust verification and measurement. If verification passes, start-up or execution continues; otherwise an alarm is raised and control is exercised, so that intrusion is actively resisted. A trust report for the host can be generated in real time and reported to the trusted security management platform for further correlation analysis. This solves the technical problem of low computer security in the related art and thereby achieves the technical effect of improving computer security.
Detailed description of the invention
The drawings described here are provided for further understanding of the invention and form part of this application; the illustrative embodiments of the invention and their descriptions are used to explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a flow chart of an optional static measurement method for a trusted computing platform based on a dual-system architecture according to an embodiment of the invention;
Fig. 2 is a schematic diagram of an optional dual-system architecture according to an embodiment of the invention;
Fig. 3 is a schematic diagram of optional CPU internal resources according to an embodiment of the invention;
Fig. 4 is a flow chart of an optional computer power-up process according to an embodiment of the invention;
Fig. 5 is a schematic diagram of an optional dynamic measurement framework according to an embodiment of the invention;
Fig. 6 is a schematic diagram of an optional dynamic measurement scheme according to an embodiment of the invention;
Fig. 7 is a schematic diagram of optional dynamic measurement functional modules according to an embodiment of the invention;
Fig. 8 is a flow chart of optional kernel key data structure measurement according to an embodiment of the invention;
Fig. 9 is a flow chart of optional system process measurement according to an embodiment of the invention;
Fig. 10 is a flow chart of optional kernel driver measurement according to an embodiment of the invention;
Fig. 11 is a flow chart of optional system core memory block measurement according to an embodiment of the invention;
Fig. 12 is a flow chart of optional command interaction according to an embodiment of the invention;
Fig. 13 is a flow chart of optional notification sending according to an embodiment of the invention;
Fig. 14 is a schematic diagram of an optional static measurement apparatus for a trusted computing platform based on a dual-system architecture according to an embodiment of the invention; and
Fig. 15 is a structural block diagram of a terminal according to an embodiment of the invention.
Specific embodiments
In order to enable those skilled in the art to better understand the solution of the present invention, the technical solution in the embodiments of the invention is described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
It should be noted that the terms "first", "second" and the like in the description, claims and drawings are used to distinguish similar objects and need not describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments of the invention described here can be implemented in orders other than those illustrated or described. In addition, the terms "comprising" and "having" and any variants of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device comprising a series of steps or units is not necessarily limited to the steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to that process, method, product or device.
First, some of the nouns or terms appearing in the description of the embodiments of the invention are explained as follows:
TCM: trusted cryptography module, a hardware module of the trusted computing platform that provides cryptographic operations for the platform and has a protected storage space.
TPCM: trusted platform control module, a hardware core module integrated in the trusted computing platform for establishing and guaranteeing the trust anchor; it provides integrity measurement, secure storage, trust reporting, cryptographic services and similar functions for trusted computing.
TSB: trusted software base, the set of software elements that support the trustworthiness of the trusted computing platform.
BIOS: the initialism of "Basic Input Output System"; it is an industry-standard firmware interface in PC-compatible systems.
According to one aspect of an embodiment of the invention, an embodiment of a static measurement method for a trusted computing platform based on a dual-system architecture is provided.
This application provides a trusted computing dual-system architecture constructed in a homogeneous CPU mode. Based on a multi-core CPU architecture, the application divides the CPU cores, memory and I/O into two mutually isolated parts, a computing component and a protection component. The protection component performs active measurement and active control of the computing component; the protection component can access the computing component, but the computing component cannot access the protection component.
Based on the trusted computing dual-system architecture, the basic firmware of the multi-core CPU can control the boot sequence so that the TPCM starts before the computing component, allowing the TPCM to measure and protect the computing component first. The TPCM measures the start-up process of the computing component step by step and establishes a static chain of trust.
Based on the trusted computing dual-system architecture, during operation of the computing component the TSB can also perform dynamic measurement of the computing component according to the trust policy and apply corresponding control to the computing component according to the measurement results.
Based on the trusted computing dual-system architecture, the protection component and the computing component communicate through a dedicated secure interaction channel; the interaction modes between the two fall into three main classes: commands, notifications and resource access.
Fig. 1 is a flow chart of an optional static measurement method for a trusted computing platform based on a dual-system architecture according to an embodiment of the invention. As shown in Fig. 1, the method may comprise the following steps:
Step S102: when the computer is powered on, the hardware resources of the computer are divided into protection hardware resources and computing hardware resources. The computing hardware resources may be accessed by the protection hardware resources but cannot access the protection hardware resources; the protection hardware resources run the protection subsystem, and the computing hardware resources run the computing subsystem.
Optionally, dividing the hardware resources of the computer into protection hardware resources and computing hardware resources comprises: when the computer is powered on, dividing the processor of the computer into a first processor core and a second processor core, the hardware resources including the processor of the computer; measuring the basic firmware of the processor using the first processor core; and, if the measurement result of the processor's basic firmware is trusted, dividing the memory resources and input/output interface resources of the computer into protection hardware resources or computing hardware resources, such that the memory resources and the input/output interfaces included in the protection hardware resources differ from those included in the computing hardware resources.
In the above embodiment, measuring the processor's basic firmware using the first processor core comprises: activating the first processor core by executing instructions stored in the read-only memory of the computer, the first processor core then verifying the signature of the processor's basic firmware using a verification public key.
Step S104: the protection hardware resources are controlled to start before the computing hardware resources, and while the computing hardware resources start the computing subsystem, the start-up stages of the computing hardware resources are measured.
Optionally, before the computing hardware resources start the computing subsystem, the first processor core executes instructions in the processor's basic firmware to measure the protection subsystem; if the measurement result of the protection subsystem is trusted, the protection subsystem is loaded and run on the first processor core.
Optionally, after the protection subsystem is loaded and run on the first processor core, the trusted platform control module is initialized using the protection subsystem.
Optionally, measuring the start-up stages of the computing hardware resources comprises: after the trusted platform control module has completed initialization, activating the second processor core of the computer's processor, the activated second processor core being used to start the computing subsystem; and measuring a plurality of start-up stages of the computing subsystem using the trusted platform control module.
In the above embodiment, the plurality of start-up stages comprise multi-level boot images started in sequence, and measuring the plurality of start-up stages of the computing subsystem with the trusted platform control module comprises: measuring the first-level boot image currently to be loaded; if the measurement result of the first-level boot image is trusted, loading the first-level boot image; measuring the second-level boot image, which is the next-level boot image after the first-level boot image; if the measurement result of the second-level boot image is trusted, loading the second-level boot image; and, when the measurement results of the multi-level boot images are trusted and loading is complete, setting up a trusted software base agent in the computing subsystem, the trusted software base agent cooperating with the trusted platform control module to complete measurement during operation of the computing subsystem.
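The sequence of steps S102 and S104 above, modelled as an added example that is not code from the patent or from the assignee: the first core checks the CPU basic firmware, the firmware measures the protection subsystem, the protection subsystem initializes the TPCM, and the TPCM then measures each boot image of the computing subsystem before the second core is allowed to load it, stopping the chain at the first untrusted stage. The image names and contents, the reference digests, and the use of a ROM-embedded digest in place of the signed-firmware check with a verification public key are all assumptions made for this illustration.

```python
"""Added example (not from the patent): model of the static measurement chain
of steps S102/S104. Image names, contents and reference digests are constructed;
a digest burned into ROM stands in for the firmware signature check (assumption)."""
import hashlib
from dataclasses import dataclass, field


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed boot images. On a real platform these are read from flash.
IMAGES = {
    "cpu_basic_firmware": b"CPU basic firmware v1",
    "protection_subsystem": b"trusted OS + TSB v1",
    "stage1_bios": b"BIOS image v1",
    "stage2_bootloader": b"BootLoader image v1",
    "stage3_kernel": b"computing OS kernel v1",
}
# The only value the first core trusts unconditionally. In the patent this role
# is played by the verification public key for the firmware signature; here
# (assumption) a digest burned into ROM stands in for it.
ROM_ANCHOR = digest(IMAGES["cpu_basic_firmware"])
# Reference values for everything after the firmware, as issued by the trusted
# security management platform (constructed here from the known-good images).
BASELINE = {n: digest(img) for n, img in IMAGES.items() if n != "cpu_basic_firmware"}
BOOT_STAGES = ("stage1_bios", "stage2_bootloader", "stage3_kernel")


def extend(register: str, value: str) -> str:
    """Chain a new digest onto the register (PCR-style): the order of stages matters."""
    return digest(bytes.fromhex(register) + bytes.fromhex(value))


@dataclass
class TPCM:
    """Initialized by the protection subsystem; measures each boot stage before
    the second core is allowed to load it."""
    register: str = "0" * 64
    log: list = field(default_factory=list)

    def measure(self, name: str, image: bytes, expected: str) -> bool:
        d = digest(image)
        self.register = extend(self.register, d)
        ok = d == expected
        self.log.append((name, d, ok))
        return ok


def power_on(images=IMAGES, baseline=BASELINE, rom_anchor=ROM_ANCHOR) -> dict:
    """Return the platform state after the static measurement sequence."""
    # S102: the first core runs from ROM and checks the CPU basic firmware
    # before any partitioning or further start-up happens.
    if digest(images["cpu_basic_firmware"]) != rom_anchor:
        return {"state": "halted", "failed_at": "cpu_basic_firmware", "log": []}
    # The firmware measures the protection subsystem; only a trusted image is
    # loaded and run on the first core.
    if digest(images["protection_subsystem"]) != baseline["protection_subsystem"]:
        return {"state": "halted", "failed_at": "protection_subsystem", "log": []}
    tpcm = TPCM()  # the protection subsystem is running and initializes the TPCM
    # S104: the second core is activated; each boot image is measured and loaded
    # only if trusted. A failed stage stops the chain (alarm and control).
    for stage in BOOT_STAGES:
        if not tpcm.measure(stage, images[stage], baseline[stage]):
            return {"state": "halted", "failed_at": stage,
                    "register": tpcm.register, "log": tpcm.log}
    # All stages trusted and loaded: set up the TSB agent in the computing
    # subsystem so the TPCM can continue with dynamic measurement at run time.
    return {"state": "running", "tsb_agent": True,
            "register": tpcm.register, "log": tpcm.log}


if __name__ == "__main__":
    print(power_on()["state"])
    tampered = dict(IMAGES, stage2_bootloader=b"BootLoader image (tampered)")
    print(power_on(images=tampered)["failed_at"])
```

The point of the chained register is that it records not only which images were measured but in which order, so the trust report the TPCM later produces for the management platform cannot be satisfied by loading the right images in the wrong sequence; the log shows that a tampered BootLoader stops the chain before the kernel is ever measured.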
The above protection subsystem may include a hardware part (the protection hardware resources) and a software part (a trusted operating system and the TSB); the computing subsystem likewise includes a hardware part (the computing hardware resources) and a software part (the computer operating system and various applications, such as office software). Measuring the computer with the trusted platform control module TPCM may refer to the TPCM subsystem, which is the protection subsystem: the TPCM includes a hardware part (the protection hardware resources) and a software part (the trusted operating system and the TSB).
The above static measurement process covers the computing hardware resources, the start-up process of the computer operating system, the start-up process of applications, and so on.
Through the above steps, a dual-system architecture is built inside the processor (CPU) in which a securely isolated computing component (i.e. the computing subsystem) and protection component (i.e. the protection subsystem) coexist. The computing component cannot access the protection component's resources, the protection component can access all resources of the computing component, and the two interact through a secure designated channel. The protection component, with the trusted platform control module TPCM as its core and trust anchor, can start before the computing component's processor, perform the initial configuration of the computing component's resources and buses, access all host resources through a direct internal bus-sharing mechanism, and carry out static and dynamic trust verification and measurement; if verification passes, start-up or execution continues, otherwise an alarm is raised and control is exercised, actively resisting intrusion. It can also generate a trust report for the host in real time and report it to the trusted security management platform for further correlation analysis. This solves the technical problem of low computer security in the related art and achieves the technical effect of improving computer security.
As an optional embodiment, the technical solution of the application is described in further detail below with reference to specific embodiments. The protection component may specifically include basic components such as the trusted cryptography module TCM, the trusted platform control module TPCM and a trusted embedded operating system (i.e. the trusted operating system). The trusted cryptography module serves as the cryptographic "gene", the TPCM is the specific executing body of the active immunity mechanism, and the trusted embedded operating system manages the TPCM's local physical resources and accesses and schedules host resources and TCM resources. In sum, the trusted computing dual-system architecture is the basis of active immune defence and the core feature that distinguishes Trusted Computing 3.0 from other security mechanisms. The TPCM and TCM together form the root of trust; the root of trust owns software and hardware resources independent of the host, can actively access all host resources to support the execution of the trust verification mechanism, and is the source point of the entire active immune defence system.
The invention builds the trusted computing dual-system architecture on the resource isolation and interaction mechanisms provided by the CPU multi-core architecture. In the dual-system architecture a protection component runs in parallel with a computing component, realizing a computing architecture with active immunity: the computing component is responsible for completing business computing tasks, and the protection component is responsible for monitoring and protecting the computing component to ensure that the execution of business computing tasks meets expectations. According to the trusted security policy, with cryptography as its gene, the protection component escorts the trusted operation of the computing component through a series of means such as identity authentication, state measurement, state analysis, dynamic sensing, response control, secure storage and security control.
A multi-core CPU architecture can divide computer hardware resources such as CPU cores, memory space and I/O peripherals into two resource sets for isolated control, and provide security protection and the ability for the two to communicate. The invention uses this characteristic of the CPU to divide the CPU cores (a CPU has multiple cores; 4, 8, 16 and 64 cores are common), the memory space (on-chip and off-chip) and the I/O peripherals into two groups of hardware resources, the computing component and the protection component. Through corresponding configuration, the resource allocation of the protection component and the computing component can be changed flexibly, and at the same time the protection component is isolated from the complex external computing environment into a relatively closed environment: the protection component's resources cannot be accessed from outside, and the computing component likewise cannot access the protection component's resources, so that the protection component's resources are effectively protected and its security level is higher. Through corresponding configuration, the protection component can also be allowed to access the computing component's resources in order to monitor and protect it. The computing component and the protection component communicate through a dedicated interaction mechanism and dedicated interfaces, which provide interaction capability while protecting the protection component to the greatest extent from interference and destruction by the computing component.
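The partition and access rule of the preceding paragraph, written out as an added example that is not code from the patent or from the assignee: two resource sets (cores, memory ranges, devices), one shared channel region, a check that the layout actually isolates the two sides, and the asymmetric access rule (the protection component may reach everything; the computing component may reach only its own resources and the channel). The eight-core layout, the address ranges and the device names are constructed for the illustration.

```python
"""Added example (not from the patent): model of the resource partition the CPU
basic firmware configures at power-on and of the access rule the hardware enforces.
Core numbers, address ranges and device names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Partition:
    cores: frozenset
    memory: tuple       # half-open (start, end) address ranges
    devices: frozenset


# Constructed layout for an 8-core CPU: core 0, a low memory window and the
# TCM / management NIC / on-board flash belong to the protection component;
# the remaining cores, memory and peripherals belong to the computing component.
PROTECTION = Partition(
    cores=frozenset({0}),
    memory=((0x0000_0000, 0x1000_0000),),
    devices=frozenset({"tcm", "mgmt_nic", "onboard_flash"}),
)
COMPUTING = Partition(
    cores=frozenset(range(1, 8)),
    memory=((0x1000_0000, 0x4_0000_0000),),
    devices=frozenset({"nic0", "sata0", "usb0"}),
)
# The dedicated interaction channel: the one memory region both sides may use
# (commands, notifications and resource-access requests are exchanged here).
CHANNEL = (0x4_0000_0000, 0x4_0010_0000)
LAYOUT = {"protection": PROTECTION, "computing": COMPUTING}


def in_ranges(addr: int, ranges) -> bool:
    return any(start <= addr < end for start, end in ranges)


def overlaps(a, b) -> bool:
    return a[0] < b[1] and b[0] < a[1]


def validate_layout(layout=LAYOUT, channel=CHANNEL) -> list:
    """Return the isolation violations in a layout; an empty list means the
    two resource sets are disjoint and the channel is the only shared region."""
    p, c = layout["protection"], layout["computing"]
    problems = []
    if p.cores & c.cores:
        problems.append(f"shared cores: {sorted(p.cores & c.cores)}")
    if p.devices & c.devices:
        problems.append(f"shared devices: {sorted(p.devices & c.devices)}")
    for pr in p.memory:
        for cr in c.memory:
            if overlaps(pr, cr):
                problems.append(f"memory overlap: {pr} vs {cr}")
    for owner, part in layout.items():
        if any(overlaps(channel, r) for r in part.memory):
            problems.append(f"channel overlaps {owner} private memory")
    return problems


def allowed(requester: str, kind: str, target, layout=LAYOUT, channel=CHANNEL) -> bool:
    """Access rule. requester is 'protection' or 'computing'; kind is 'core',
    'memory' or 'device'; target is a core id, an address or a device name."""
    if requester == "protection":
        return True                      # may monitor and control everything
    own = layout["computing"]
    if kind == "core":
        return target in own.cores
    if kind == "device":
        return target in own.devices
    if kind == "memory":
        return in_ranges(target, own.memory) or in_ranges(target, (channel,))
    return False


if __name__ == "__main__":
    print(validate_layout())
    print(allowed("computing", "memory", 0x0000_1000))
    print(allowed("protection", "memory", 0x2000_0000))
```

validate_layout is the check a practitioner would want to run on any "flexibly changed" configuration before it is committed by the firmware: a single shared core or device, or a channel window that overlaps one side's private memory, silently turns the dual-system isolation into a single system.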
Fig. 2 shows the trusted computing dual-system architecture. In the dual-system architecture the original computer system becomes the computing component, and the trusted platform control module (TPCM) is the protection component. The protection component runs in parallel with and independently of the computing component; its resources (such as the expansion bus, controllers and management units) are protected by hardware mechanisms from interference and destruction by the computing component and the outside world. In turn, the TPCM actively initiates measurement and security protection of the computing component according to its own policy (in the CPU design, the security level and priority of the protection component are set to the highest). In addition, the trusted security management platform is responsible for managing trust policies, reference values and the like.
In the trusted computing dual-system architecture described above:
1) The CPU provides hardware support for resource isolation, resource access, resource control, the communication mechanism between the protection component and the computing component, security protection and so on.
2) The CPU basic firmware configures resource isolation and protection and controls the boot sequence so that the TPCM starts before the computing component, which lets the TPCM measure and protect the computing component. The CPU basic firmware is also responsible for establishing the communication mechanism between the computing component and the protection component.
3) The hardware resources of the protection component include dedicated trusted CPU cores (one or more cores, configurable in number), an on-chip cryptographic engine, on-chip persistent storage, dedicated memory regions, a true random number generator, clocks, counters and so on, as well as onboard persistent storage, I/O devices, an onboard dedicated network adapter and an extensible trusted cryptography module (TCM).
4) The TPCM OS is the operating system of the trusted component. It runs continuously on the dedicated trusted CPU cores, works concurrently with the operating system on the computing cores (that is, the computer's operating system), and provides the environment the trusted service functions require. It includes the general task scheduling, drivers and basic services of an operating system. It also includes the trusted cryptography module (TCM) specific to trusted computing, which is realized inside the TPCM operating system by software and hardware cryptography (if the CPU contains a hardware cryptographic engine, the TCM is composed of that engine; if the CPU has no cryptographic engine, the TCM can be completed by TPCM operating system software), resource access drivers, trusted communication drivers, trusted control and so on. The trusted computing service logic of the TPCM needs to access host-side resources and needs to manage and use the storage and cryptographic computation resources inside the TPCM. The operating system and its internal driver modules provide the support these TPCM services require.
5) The TSB implements the main business logic of trusted computing, including measuring and controlling the computing component during the boot stage and at run time, recording measurement results, assessing trust status, and generating trusted logs, certificates and reports. The TSB uses a policy language to define the functions it executes, which provides maximum flexibility and adaptability. The policy language defines what to measure, when to measure, how to judge, and how to control and protect; the TSB policy execution engine parses and executes the policy language. Thanks to the flexibility of the policy language, many operations of the computing component, such as logging in, opening a file, executing a program, connecting to a network or using a device, can be combined flexibly with trusted measurement. The TSB uses the baseline library as the basis for judgement during measurement. Policies and the baseline library are issued to the TPCM by the trusted security management platform. Measurement logs and reports are generated by the TSB and uploaded to the trusted security management platform, and certificates are delivered to the requesters that need them. The TSB's measurement includes static boot measurement and dynamic measurement. Static boot measurement starts from the boot of the computing component and measures the modules of each boot stage, such as the BIOS and the BootLoader, establishing a complete trust chain. Dynamic measurement monitors the system in real time to ensure that the computing component is trusted during its run phase.
6) The TSB agent is located inside the computing component but logically belongs to the TPCM; on behalf of the TSB it executes tasks that are tightly bound to the computing component's environment. Because these tasks go deep inside the computing component's software, the TPCM cannot, or cannot conveniently, execute them directly from outside. Tasks such as obtaining OS behaviour information, intercepting behaviour and killing processes are hard to perform from outside the computer, so they are executed by the TSB agent on behalf of the TSB. Since the TSB agent itself is measured and protected by the TPCM, the tasks it executes can also be trusted. The main tasks of the TSB agent are to obtain and control system behaviour, to collect system behaviour and context-related data, to assist in executing control, and to negotiate and control trusted connections. Trusted connection builds a trusted network environment on the basis of trusted nodes.
7) The trusted security management platform is responsible for managing trust policies, baseline values and so on. The TPCM is the core component of the trusted immune dual-system architecture; it is responsible for performing trusted measurement and protection of the computing component and for generating trusted logs and report data. The TPCM consists of trusted hardware resources, a trusted operating system, a built-in TCM and a trusted software base.
The trusted operating system provides the necessary underlying services and running environment for the trusted functions. The TPCM operating system consists of a basic layer and a functional layer. The basic layer contains the basic functions a normal operating system requires, such as task scheduling, local resources and system service access. The functional layer contains the services specific to trusted computing, such as the host resource access control driver, the host communication driver, the cryptographic resource access driver, state recording, trusted certificates and reports, and policy and baseline management.
The TSB is the core software layer that realizes the trusted service functions; it is responsible for measurement, security protection and the generation of the related logs and reports. The TSB is composed of a basic trust base, an active monitoring mechanism (comprising a control mechanism, a measurement mechanism and a judgement mechanism), a trusted baseline library, a supporting mechanism and a cooperation mechanism. The basic trust base verifies and loads the other mechanisms during TSB start-up. The active monitoring mechanism intercepts the system calls of applications and, with the support of the TPCM, actively measures and controls the subject, object, operation and environment related to each system call. The TSB accesses TPCM resources through the supporting mechanism; through the cooperation mechanism the TSB exchanges policy and audit information with the trusted security management platform and cooperates with the TSBs of other computing platforms. The control mechanism is the entry point through which the active monitoring mechanism takes effect: it actively intercepts the system behaviour of applications according to the control policy and enforces control according to the judgement result. The control policy includes the range of system control points, the information obtained at each control point, the response of the control mechanism to the judgement result, the way the result is handled and so on. The control process consists of hooking system service call behaviour, obtaining information such as the subject, object, operation and environment related to the behaviour, sending that information to the measurement mechanism for measurement according to the control policy, receiving the result of the judgement mechanism and carrying out the corresponding control. The measurement mechanism measures the measurement object according to the measurement policy. The measurement policy consists of the measurement object, the measurement method and so on. Measurement objects include processes, data, behaviour and so on. The measurement method includes the placement of measurement points within the object, the timing of measurement, the measurement algorithm and so on. The measurement process consists of measuring the subject, object, operation and environment information passed by the control mechanism according to the measurement policy and sending the measurement results to the judgement mechanism. The judgement mechanism judges the measurement results according to the judgement policy. The judgement policy includes the way measurement results are compared with baseline values, the weights of different measurement results, the method of comprehensive calculation and so on. The judgement process consists of making a comprehensive judgement using the trusted baseline library and the measurement results according to the judgement policy, and sending the judgement result to the control mechanism. The TSB interaction interfaces comprise internal and external interaction interfaces. The internal interaction interfaces support interaction between the TSB's mechanisms; the external interaction interfaces support interaction between the TSB and the TPCM, the host basic software and the trusted security management platform.
The TCM provides cryptographic support for trusted computing. The TPCM hardware resources include a dedicated set of CPU, storage, cryptographic units and I/O devices, and may include a TCM module attached through external extension. The CPU provides the isolation, protection and interaction mechanisms that isolate and protect the TPCM's hardware resources and enable the computing component and the trusted node to communicate with each other.
Fig. 3 is a schematic diagram of the CPU's internal resources according to an embodiment of the present invention. The CPU supports a trusted architecture based on isolation and protection; in this embodiment, all software and hardware resources inside the CPU are divided into trusted resources or computing resources. The internal resources of the CPU are shown in Fig. 3. At system boot, the core that loads and runs the CPU basic firmware is the trusted core (that is, the first processor core). The CPU basic firmware can set some cores as trusted cores through values stored in registers. Trusted cores are at a higher privilege level and can access the entire address space; computing cores (that is, second processor cores) are at a lower privilege level and can only access the address space of the computing environment. Trusted cores run only trusted code and build the trusted environment; computing cores run the code other than trusted code (the program code of business applications, which is not security-related). The CPU can add a trusted bit identifier through a bus extension; the trusted bit identifier indicates whether the corresponding access request belongs to a trusted core or a computing core. Combined with the resource controller inside each resource, this realizes resource isolation and access control.
A memory resource controller is provided in the memory resource; according to the CPU basic firmware it divides memory into trusted memory and computing memory. When the memory resource controller receives an access request, if the trusted bit identifier indicates an access request from a trusted core, the memory resource controller allows the access request to execute; if the trusted bit identifier indicates an access request from a computing core, the memory resource controller checks whether the accessed address lies within the computing memory space, and allows the access request if it does and denies it if it does not. Trusted memory can further be divided into multiple trusted domains, each with independent read and write access permissions. At system boot, the CPU basic firmware divides part of memory into trusted memory; this part of memory is invisible to the OS of the computing component, which will not allocate or use this memory space, and at the same time the trusted memory resource controller filters the computing component's requests to access trusted memory.
Similarly, an I/O resource controller can divide I/O into trusted I/O and computing I/O according to the CPU basic firmware. When the I/O resource controller receives an access request, if the trusted bit identifier indicates an access request from a trusted core, the I/O resource controller allows it to execute; if the trusted bit identifier indicates an access request from a computing core, the I/O resource controller checks whether the accessed address lies within the computing input/output space, and allows the request if it does and denies it if it does not. It should be noted that if the CPU has no internal memory resource controller or I/O resource controller, the division of memory and I/O and the filtering of access requests can be realized by configuring the corresponding bridge devices.
The trustworthiness of I/O is guaranteed by trusted control registers in certain bridges or peripheral controllers. The on-chip bus controller (a controller, filter or bridge device that judges whether a resource request is authorized according to the extension bits on the bus, thereby realizing trust awareness) is trust-aware and can distinguish trusted requests from computing requests. The trusted attribute of peripherals such as PCIe and network devices is configurable and can be set dynamically to the trusted state through trusted core configuration. I/O interfaces (I/O controllers, filters, forwarding bridges, the NoC) check access requests according to the corresponding trusted attribute and filter unauthorized access requests, protecting the security of trusted I/O peripherals.
By adding a comparison of the trusted identity bit, the present invention ensures that trusted resources cannot be obtained by computing cores, guaranteeing the security of trusted resources. At the same time, a DMA device must also specify the trusted access attribute when issuing a DMA request; DMA from the computing environment cannot access trusted address space.
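The access filter described above, modelled as an added example (not code from the patent): a resource controller that decides on the trusted bit, trusted domains with independent read/write rights, and the same check applied to DMA requests. The address ranges, the domain split and the DMA request shape are assumptions.

```python
"""Constructed model of the trusted-bit access checks of the resource controllers.

Added example, not the patent's code. The address ranges, the domain split and
the DMA request shape are assumptions; in hardware the CPU basic firmware
programs these controllers through registers and the checks run on bus
transactions, not on Python calls.
"""
from dataclasses import dataclass, field
from enum import Enum


class Requester(Enum):
    TRUSTED_CORE = "trusted"        # trusted bit set on the bus transaction
    COMPUTING_CORE = "computing"    # trusted bit clear


@dataclass(frozen=True)
class Region:
    start: int
    end: int  # exclusive

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


@dataclass
class TrustedDomain:
    """Part of trusted memory with its own read/write permission."""
    region: Region
    readable: bool
    writable: bool


@dataclass
class ResourceController:
    """Memory or I/O resource controller: one computing window, the rest trusted."""
    name: str
    computing: Region
    trusted_domains: list[TrustedDomain] = field(default_factory=list)

    def check(self, requester: Requester, addr: int, write: bool = False) -> bool:
        if requester is Requester.COMPUTING_CORE:
            # Trusted bit clear: only the computing address window is reachable.
            return self.computing.contains(addr)
        # Trusted bit set: whole space reachable, subject to per-domain rights.
        for dom in self.trusted_domains:
            if dom.region.contains(addr):
                return dom.writable if write else dom.readable
        return True

    def check_dma(self, trusted_attr: bool, addr: int) -> bool:
        """A DMA request carries the same trusted attribute as a core request."""
        req = Requester.TRUSTED_CORE if trusted_attr else Requester.COMPUTING_CORE
        return self.check(req, addr, write=True)


def build_platform() -> tuple[ResourceController, ResourceController]:
    """Firmware-time split (constructed values): 0x0000-0x8000 computing memory,
    0x8000-0x10000 trusted memory in two domains; I/O 0x000-0x100 computing."""
    mem = ResourceController(
        "memory",
        computing=Region(0x0000, 0x8000),
        trusted_domains=[
            TrustedDomain(Region(0x8000, 0xC000), readable=True, writable=True),
            # e.g. a measurement-log area: readable but write-locked
            TrustedDomain(Region(0xC000, 0x10000), readable=True, writable=False),
        ],
    )
    io = ResourceController("io", computing=Region(0x000, 0x100))
    return mem, io


def run_scenarios() -> dict[str, bool]:
    """Exercise the filter; the result table is what a test can assert on."""
    mem, io = build_platform()
    T, C = Requester.TRUSTED_CORE, Requester.COMPUTING_CORE
    return {
        "computing_reads_own_memory": mem.check(C, 0x1000),
        "computing_reads_trusted_memory": mem.check(C, 0x9000),
        "trusted_reads_computing_memory": mem.check(T, 0x1000),
        "trusted_writes_domain0": mem.check(T, 0x9000, write=True),
        "trusted_writes_locked_domain": mem.check(T, 0xD000, write=True),
        "trusted_reads_locked_domain": mem.check(T, 0xD000),
        "computing_touches_trusted_io": io.check(C, 0x180),
        "trusted_touches_trusted_io": io.check(T, 0x180),
        "computing_dma_into_trusted": mem.check_dma(False, 0x9000),
        "trusted_dma_into_trusted": mem.check_dma(True, 0x9000),
    }
```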
The inherent security of the protection component in this application is good, which is mainly reflected in the following four aspects:
1. Isolation of its own environment. The processor fully supports a trusted architecture based on domain separation; it can divide all software and hardware resources into trusted resources or computing resources and assign them to the protection component and the computing component respectively. When the system boots, the protection component (TPCM) starts running first, completes the division of physical resources, and verifies the firmware or software associated with the computing component; only then does the computing component's host CPU begin to run, which realizes isolation of the boot process. When the system is running, the protection component and the computing component can run in parallel, and the running environments of both sides are completely isolated at run time based on CPU cores and buses. The isolated resources include CPU cores, memory, I/O devices and so on; resources used by the protection component cannot be accessed by the computing component, while the protection component can actively initiate access to all resources of the computing component. The computing component can only communicate with the protection component through the dedicated interaction channel. In short, the protection component runs in a completely isolated environment both at boot and at run time and actively performs trust verification of the computing component, which greatly reduces the system's attack surface: even if the host-side operating system is compromised, an attacker will still find it difficult to penetrate the protection component, ensuring that the TPCM can measure and control the host throughout and laying the foundation for building an overall protection system.
2. Security of the interaction channel. The computing component and the TPCM communicate through a dedicated inter-core interaction channel using interrupt notification and shared-memory parameter passing; the TPCM exposes no external service interface, which eliminates direct attacks by an attacker on a service interface. Meanwhile, the TPCM performs strict format checking and filtering on input parameters, and because the TPCM's logic processing is relatively fixed, this maximally prevents penetration attacks carried out through parameter passing.
3. Data security. The data of the protection component (TPCM) mainly comprises three kinds: first, locally stored data such as policy data and code data; second, the network data exchanged with the trusted management platform; and third, the data loaded in the TPCM's running space. Local data is stored in off-chip FLASH; all of it is encrypted with the on-chip OTP key, which guarantees that the data in FLASH is always ciphertext, and it is decrypted automatically when loaded into memory. Network data is produced by the interaction between the protection component and the trusted management platform, including policy distribution, audit log upload, trusted report upload and so on; all data transmission is encrypted with SSL/TLS to ensure the security of the network transport layer. At run time the TPCM should be able to bind important data to measurement values to realize data sealing protection: protected data can only be unsealed on the platform bound to the TPCM and in a specific integrity state. The TPCM should have secure data migration, backup and recovery functions, and migration, backup and recovery operations must be carried out while guaranteeing the confidentiality and integrity of the data.
4. Security of operation and maintenance. O&M operations on the protection component include local software or firmware upgrade, fault diagnosis and so on. Two-factor authentication is performed during O&M: only after the operations administrator has authenticated with a USB key (Ukey) can they log into the system to perform an upgrade or fault diagnosis, and the administrator's operations are strictly controlled and fully audited. Meanwhile, the software or firmware to be upgraded must first pass signature verification, and the upgrade operation can only proceed once the source and version are confirmed to be in order, which maximally prevents security risks introduced by O&M operations.
Based on the trusted computing dual-system architecture described above, the process by which the protection component performs static measurement of the computing component can be described as follows:
When the computer powers on, the system resources are divided in advance through configuration into trusted resources and computing resources. The trusted resources comprise a subset of the CPU cores (trusted cores), trusted memory and trusted I/O devices, and form the trusted environment used to realize the TPCM; the computing resources comprise the remaining CPU cores (computing cores), computing memory and computing I/O devices, and form the computing environment used to complete computing tasks. Computing cores running in the computing environment cannot access the resources of the trusted environment, while trusted cores running in the trusted environment can access all resources of both the trusted environment and the computing environment. The boot process also includes stage-by-stage measurement of the entire boot chain, forming a complete trust chain that ensures the boot leads into a trusted computing environment.
Fig. 4 is a flowchart of the computer boot process, which comprises the following steps:
Step S401: after system power-on, the ROM code on the trusted core measures the CPU basic firmware. On power-on the system first uses the ROM code in the chip ROM to measure and verify the CPU basic firmware, then jumps to the entry code of the CPU basic firmware. Since the CPU basic firmware may be upgraded, the boot portion of the CPU basic firmware image is signature-verified using the on-chip public key. The verification process is completed by the trusted core (TPCM core), while the computing cores wait to be woken up.
Step S402: the trusted core sets up the trusted resources (memory and I/O devices).
Step S403: the CPU basic firmware measures the trusted OS image; the trusted core executes the CPU basic firmware code, measures the TPCM OS image, then loads and executes the TPCM OS.
Step S404: the trusted OS and the TSB are started; the TPCM OS completes the TPCM's own initialization, then the TPCM measures the boot image of the computing environment OS.
Step S405: the TSB measures the computing environment Bootloader.
Step S406: the TSB wakes up a computing core, which loads and executes the computing environment Bootloader; once measurement is complete, the computing core is woken and loads and executes the computing environment OS boot image.
Step S407: the TSB measures the boot images stage by stage and executes the next stage according to the measurement result, until the computing OS and the TSB agent have finished booting. The computing environment boot image is generally a multi-stage boot image (for example BIOS -> GRUB -> OS, or UBOOT -> OS). When the previous boot image has finished executing and the next-stage boot image is about to be loaded, it notifies the TPCM to measure the next-stage boot image. After measurement is complete, the computing environment executes the next-stage boot image, until the operating system and the TSB agent have finished booting.
After the TPCM receives the measurement notification sent by the computing environment's boot sequence in the previous step, it measures each link of the boot. The TPCM records the measurement results as the basis for judging that the computing environment has booted in a trusted manner; they can also serve as the basis for secure boot control.
Step S408: the TSB agent sends the computing environment's basic information (code and data layout) to the TPCM; the TSB agent in the computing environment OS sends information about the computing environment's measurement objects and status data to the TPCM.
Step S409: the TSB measures and records the computing environment's basic information.
Step S410: dynamic measurement according to policy and the computing environment information. After the TPCM receives the computing environment's data, it combines it with the trust policy and starts active dynamic measurement, monitoring and protecting the computing environment in real time. The computing environment then begins executing business processing.
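The static boot chain of steps S401 to S407, modelled as an added example (not code from the patent): each stage is hashed and compared with a baseline before the next stage runs, the computing core is only woken once its bootloader has been measured, and every result lands in the TPCM's measurement log. SHA-256 as the digest, byte-string images and the per-stage baseline table are assumptions; signature verification of the firmware (S401) is represented by the digest comparison only.

```python
"""Constructed model of the static boot measurement chain (steps S401-S407).

Added example, not the patent's code. Assumptions: SHA-256 as the digest,
boot images as byte strings, and a per-stage baseline table standing in for
the policy and baseline library issued by the trusted security management
platform. Firmware signature checking (S401) is represented only by the
digest comparison.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# (stage, measured by, environment) in boot order; a computing-environment
# stage is loaded by the computing core only after it has been measured (S406).
BOOT_CHAIN = [
    ("cpu_basic_firmware", "rom_code", "trusted"),      # S401
    ("tpcm_os", "cpu_basic_firmware", "trusted"),       # S403
    ("computing_bootloader", "tsb", "computing"),      # S405/S406
    ("computing_os", "tsb", "computing"),              # S406/S407
    ("tsb_agent", "tsb", "computing"),                 # S407
]


@dataclass
class MeasurementRecord:
    stage: str
    measured_by: str
    digest: str
    matched: bool


@dataclass
class TPCM:
    """Holds the baseline library and the measurement log."""
    baselines: dict[str, str]
    log: list[MeasurementRecord] = field(default_factory=list)

    def measure(self, stage: str, measured_by: str, image: bytes) -> bool:
        digest = hashlib.sha256(image).hexdigest()
        ok = self.baselines.get(stage) == digest
        self.log.append(MeasurementRecord(stage, measured_by, digest, ok))
        return ok

    def chain_value(self) -> str:
        """Fold the log into one value, so the whole trust chain is one digest."""
        acc = "0" * 64
        for rec in self.log:
            acc = hashlib.sha256(bytes.fromhex(acc + rec.digest)).hexdigest()
        return acc


@dataclass
class BootResult:
    reached: str                  # "computing_environment_trusted" or "halted"
    halted_at: Optional[str]
    computing_core_awake: bool


def measured_boot(tpcm: TPCM, images: dict[str, bytes]) -> BootResult:
    """Walk the chain; a stage runs only if its measurement matched the baseline."""
    computing_core_awake = False
    for stage, measured_by, env in BOOT_CHAIN:
        if not tpcm.measure(stage, measured_by, images[stage]):
            # Mismatch: the next stage is not executed (secure boot control).
            return BootResult("halted", stage, computing_core_awake)
        if env == "computing":
            computing_core_awake = True   # S406: woken to load the measured image
    return BootResult("computing_environment_trusted", None, computing_core_awake)


def golden_images() -> dict[str, bytes]:
    """Constructed stand-ins for the real boot images."""
    return {stage: f"{stage} image v1".encode() for stage, _, _ in BOOT_CHAIN}


def enroll(images: dict[str, bytes]) -> dict[str, str]:
    """Baselines as the management platform would issue them for known-good images."""
    return {s: hashlib.sha256(img).hexdigest() for s, img in images.items()}


def demo() -> tuple[BootResult, BootResult, int, int]:
    """Clean boot, then a boot with a modified computing bootloader."""
    good = images = golden_images()
    tpcm_clean = TPCM(enroll(good))
    clean = measured_boot(tpcm_clean, images)
    tampered = dict(good, computing_bootloader=b"modified bootloader")
    tpcm_tampered = TPCM(enroll(good))
    halted = measured_boot(tpcm_tampered, tampered)
    return clean, halted, len(tpcm_clean.log), len(tpcm_tampered.log)
```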
Based on the trusted computing dual-system architecture described above, the dynamic measurement process that the trusted software base TSB applies to the computing component can be described as follows. Dynamic measurement is an important part of the trusted software base and an important element of trusted security.
Through the static measurement function, the trusted software base can guarantee that the initial state of the objects the system runs is trusted. On this basis, the dynamic measurement function, for different measurement objects, selects suitable measurement timing and uses reasonable measurement methods to measure the running state of the measurement objects while the system is running; according to the policy and the characteristics of the different measurement objects, it reports measurement objects that have changed, sends the measurement results to the control mechanism, and at the same time takes measures such as updating the expected measurement value or trusted recovery, so as to ensure that the system's running state is trusted and to provide support for the access control mechanism and the trusted attestation mechanism.
The dynamic measurement module monitors in real time all critical processes, modules, executable code, data structures, important jump tables and so on in the system, and measures and controls in real time the access of processes to resources; it is the core component that guarantees the system runs securely and that security mechanisms are not bypassed or tampered with. For different measurement objects, the dynamic measurement module uses reasonable measurement methods and selects suitable measurement timing to measure the system's operation as a whole, ensuring that the system is secure and trusted. Dynamic measurement is the core guarantee of the system and the key to monitoring the system's running state, measuring process behaviour and analysing the system's trustworthiness.
The operating mechanism of dynamic measurement monitors the important nodes of the system and effectively blocks malicious code from intruding into the system.
Fig. 5 is a schematic diagram of the dynamic measurement framework of the embodiment of the present invention, and Fig. 6 shows the overall dynamic measurement scheme of the embodiment.
First, the policy language is edited and the control point information is configured (the specific operation behaviours to intercept, including file open/read/write, program execution, dynamic library loading, driver loading and so on). A dynamic measurement regulation policy is generated (including the selection of the dynamic measurement engine, the selection of the specific measurement objects and so on);
Second, the TSB agent (the TSB agent is mainly the control mechanism of the original TSB) intercepts system call behaviour and obtains the subject/object information and the operation behaviour; according to the policy configuration it calls the corresponding dynamic measurement engine and specific measurement operation (for example system process measurement, kernel module measurement, syscall_table system call table measurement, idt interrupt descriptor table measurement, network measurement, file system measurement, kernel code section measurement); the dynamic measurement engine calls the TPCM to perform a hash operation, computes the digest value of the specific measurement object and compares it with the baseline library;
Finally, the measurement results are returned to the TSB control mechanism, which combines the measurement results to produce the final control result.
Fig. 7 is a functional block diagram of dynamic measurement according to an embodiment of the present invention. The dynamic measurement module mainly comprises a dynamic measurement control submodule, a dynamic measurement engine submodule, a dynamic measurement report submodule, a dynamic measurement baseline library submodule and so on.
The measurement control submodule includes engine control, periodic measurement and triggered measurement. Engine control is responsible for registering measurement engines; the corresponding measurement engines are registered according to the differing emphases of the product and the customer's requirements. Periodic measurement, according to the base time interval set in the security policy, periodically checks whether the measurement conditions of dynamic measurement are met; once the measurement conditions are found to be met, it performs a characteristic value check on the object. If an anomaly is detected, a measurement report is generated and sent to the trusted reporting mechanism. Triggered measurement is when the TSB control mechanism, according to policy, triggers the corresponding measurement engine to perform measurement.
The measurement engine submodule is the core module of the dynamic measurement module. It performs triggered or periodic measurement of the list of dynamic measurement objects. The measurement engine submodule is divided into two parts. One part is dynamic: it starts a kernel process that periodically checks the measurement period of each module, and once a module's measurement period arrives, it measures that module. The other part is static: it passively waits for a trigger from the TSB control mechanism. Once the TSB control mechanism sends an instruction, the triggered measurement engine calls the different measurement engines to measure according to policy. The measured data can be one object, a group of objects, or all measurement objects.
According to the measurement object and measurement form, dynamic measurement is divided into four classes: kernel critical data structure measurement, system process measurement, kernel driver measurement and system critical memory region measurement. Fig. 8 is a flowchart of kernel critical data structure measurement.
The measurement objects include the idt interrupt descriptor table and the syscall_table system call table; the file system key operation functions fs->mount and fs->kill_sb and the superblock key operation functions sb->s_op; and the network address family pf->family, pf->create and the protocol suite proto. Measurement timing: measurement triggered by the control mechanism, and periodic measurement controlled by policy.
As shown in Fig. 8, the measurement process may include:
Step S801: the dynamic measurement mechanism for system critical data structures starts;
Step S802: record the contents of the system critical data structures and the addresses of the key operation functions;
Step S803: call the TPCM to calculate their baseline values;
Step S804: store the baseline values in the baseline library;
Step S805: start and load the system critical structure measurement engine;
Step S806: the TSB control mechanism intercepts the application's system call behaviour;
Step S807: the TSB control mechanism calls the corresponding measurement engine according to the intercepted subject/object information;
Step S808: the measurement engine calls the specific measurement operation;
Step S809: call the TPCM to calculate the measurement value;
Step S810: compare it with the baseline value in the baseline library;
Step S811: return the measurement result to the TSB control mechanism.
Fig. 9 is a flowchart of system process measurement in the embodiment of the present invention. Measurement objects: system process code sections, read-only data sections and the shared libraries associated with processes. Measurement timing: measurement triggered by the control mechanism, and periodic measurement controlled by policy.
As shown in Fig. 9, the measurement process includes:
Step S901: the dynamic measurement process measurement mechanism starts;
Step S902: scan the linked list of processes the system has started;
Step S903: call the TPCM to calculate their baseline values;
Step S904: store the baseline values in the baseline library;
Step S905: start and load the process measurement engine;
Step S906: the TSB control mechanism intercepts the application's system call behaviour;
Step S907: start the service that monitors dynamic library load/unload;
Step S908: call the TPCM to calculate the baseline value;
Step S909: update the baseline value in the baseline library;
Step S910: the TSB control mechanism calls the corresponding measurement engine according to the intercepted subject/object information;
Step S911: the measurement engine calls the specific measurement operation;
Step S912: call the TPCM to calculate the measurement value;
Step S913: compare it with the baseline value in the baseline library;
Step S914: return the measurement result to the TSB control mechanism.
Fig. 10 is a flowchart of kernel driver measurement according to the embodiment of the present invention. Measurement objects: kernel module code sections. Measurement timing: measurement triggered by the control mechanism, and periodic measurement controlled by policy.
As shown in Fig. 10, the measurement process includes:
Step S1001: the dynamic measurement module measurement mechanism starts;
Step S1002: scan the linked list of modules the system has loaded;
Step S1003: call the TPCM to calculate their baseline values;
Step S1004: store the baseline values in the baseline library;
Step S1005: start the service that monitors kernel module load/unload, and call the TPCM to calculate the baseline value;
Step S1006: update the baseline value in the baseline library;
Step S1007: start the kernel measurement engine;
Step S1008: the TSB control mechanism intercepts the application's system call behaviour;
Step S1009: the TSB control mechanism calls the corresponding measurement engine according to the intercepted subject/object information;
Step S1010: the measurement engine calls the specific measurement operation;
Step S1011: call the TPCM to calculate the measurement value;
Step S1012: compare it with the baseline value in the baseline library;
Step S1013: return the measurement result to the TSB control mechanism.
Figure 11 is a flow chart of system critical memory region measurement according to an embodiment of the present invention.
Measured object: the kernel code section kernel_section. Measurement timing: measurement triggered by the control mechanism, and periodic measurement under policy control.
As shown in Figure 11, the measurement process includes:
Step S1101: start the dynamic measurement mechanism for the system critical memory region;
Step S1102: first record the start and end addresses of the system critical memory region;
Step S1103: call the TPCM to compute its reference value;
Step S1104: store the reference value in the reference value library;
Step S1105: start the system critical memory region measurement engine;
Step S1106: the TSB control mechanism intercepts the application's system-call behaviour;
Step S1107: the TSB control mechanism calls the corresponding measurement engine according to the intercepted subject/object information;
Step S1108: the measurement engine invokes the specific measurement operation;
Step S1109: call the TPCM to compute the measurement value;
Step S1110: compare it with the reference value in the reference value library;
Step S1111: return the measurement result to the TSB control mechanism.
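The three measurement flows above share one structure: baseline the object through the TPCM, store the value in the reference library, keep the library current on module load/unload, and compare on a trigger from the TSB control mechanism. The following simulation is an added example, not code from the patent; SHA-256 as the measurement function, the module names and the sample code segments are all assumptions.

```python
"""Simulation of the dynamic measurement flows of Figures 10 and 11.
All sample data (module code segments, memory image) is constructed."""
import hashlib
from typing import Dict, Optional, Tuple


class TPCM:
    """Stand-in for the trusted platform control module's hashing service."""

    @staticmethod
    def compute_reference(data: bytes) -> str:
        # SHA-256 is an assumption; the page does not name the hash function.
        return hashlib.sha256(data).hexdigest()


class ReferenceLibrary:
    """Measurement reference library: static values for objects present at
    engine start, dynamic values for drivers that are loaded later."""

    def __init__(self) -> None:
        self.static: Dict[str, str] = {}
        self.dynamic: Dict[str, str] = {}

    def store(self, name: str, value: str, dynamic: bool = False) -> None:
        (self.dynamic if dynamic else self.static)[name] = value

    def remove(self, name: str) -> None:
        self.dynamic.pop(name, None)

    def lookup(self, name: str) -> Optional[str]:
        return self.static.get(name) or self.dynamic.get(name)


class DynamicMeasurementEngine:
    def __init__(self, tpcm: TPCM, library: ReferenceLibrary) -> None:
        self.tpcm = tpcm
        self.lib = library
        self.modules: Dict[str, bytes] = {}      # code segments read on trigger
        self.memory: bytes = b""                  # simulated physical memory
        self.kernel_section: Tuple[int, int] = (0, 0)

    # Steps S1002-S1004: scan the loaded module list and baseline each one.
    def baseline_modules(self, loaded: Dict[str, bytes]) -> None:
        for name, code in loaded.items():
            self.modules[name] = code
            self.lib.store(name, self.tpcm.compute_reference(code))

    # Steps S1005-S1006: the load/unload monitor keeps dynamic values current.
    def on_module_load(self, name: str, code: bytes) -> None:
        self.modules[name] = code
        self.lib.store(name, self.tpcm.compute_reference(code), dynamic=True)

    def on_module_unload(self, name: str) -> None:
        self.modules.pop(name, None)
        self.lib.remove(name)

    # Steps S1102-S1104: record the kernel_section bounds and baseline it.
    def baseline_kernel_section(self, memory: bytes, start: int, end: int) -> None:
        self.memory, self.kernel_section = memory, (start, end)
        self.lib.store("kernel_section", self.tpcm.compute_reference(memory[start:end]))

    def _read(self, name: str) -> bytes:
        if name == "kernel_section":
            start, end = self.kernel_section
            return self.memory[start:end]
        return self.modules[name]

    # Steps S1009-S1013 / S1107-S1111: measure on trigger and report back.
    def measure(self, name: str) -> str:
        reference = self.lib.lookup(name)
        if reference is None:
            return "no_reference"           # object unknown to the library
        current = self.tpcm.compute_reference(self._read(name))
        return "trusted" if current == reference else "untrusted"


def demo() -> Dict[str, str]:
    """Exercise the engine on constructed modules and a constructed memory image."""
    engine = DynamicMeasurementEngine(TPCM(), ReferenceLibrary())
    memory = bytes(range(256)) * 4                       # 1 KiB constructed memory
    engine.baseline_kernel_section(memory, 0x40, 0x140)  # constructed kernel_section
    engine.baseline_modules({"ext4": b"\x55\x48\x89\xe5" * 8,
                             "e1000": b"\xf3\x0f\x1e\xfa" * 8})
    engine.on_module_load("nf_tables", b"\x90\x90\xc3" * 8)
    results = {"ext4": engine.measure("ext4"),
               "nf_tables_loaded": engine.measure("nf_tables")}
    # Simulate an in-memory modification of a module's code segment.
    engine.modules["e1000"] = b"\xcc" * 32
    results["e1000_modified"] = engine.measure("e1000")
    results["kernel_section"] = engine.measure("kernel_section")
    # Simulate five bytes inside kernel_section being overwritten.
    engine.memory = memory[:0x50] + b"\xe9\x00\x00\x00\x00" + memory[0x55:]
    results["kernel_section_modified"] = engine.measure("kernel_section")
    engine.on_module_unload("nf_tables")
    results["nf_tables_unloaded"] = engine.measure("nf_tables")
    return results
```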
Dynamic measurement reporting submodule: the measurement reporting submodule consists of two parts, measurement reporting and measurement results. The measurement reporting function takes the periodic measurement data generated by the measurement engines, generates a measurement report and sends it to the TSB trusted reporting function for analysis. The measurement results function collects the triggered measurement results generated by the measurement engines and sends them to the control mechanism, which applies control according to the measurement results.
Dynamic measurement reference library submodule: the measurement reference library submodule stores static reference values and dynamic reference values separately, according to the type of measured object. Static reference values include the system call reference value, the interrupt descriptor reference value, the network protocol reference value, the file system reference value, the kernel code section reference value, and so on. Dynamic reference values are the reference values of measured objects belonging to processes launched later and of kernel driver objects loaded later.
Based on the trusted computing dual-system architecture described above, the interaction process between the protection component and the computing component can be described as follows. The present invention divides the interaction modes between the computing environment and the TPCM into three classes: commands, notifications and direct resource access.
A command is an interaction initiated by the computing environment (in fact by the TSB agent embedded in the computing environment). Commands include the TSB agent sending basic host information to the TPCM, sending measurement notifications, distributing policies and reference values, and obtaining trusted data (state, authority, reports, logs, etc.). A notification is an interaction initiated by the TPCM: it is sent from the TPCM to the computing environment (in fact to the TSB agent). Notifications include command processing completion notifications and auxiliary control notifications. In direct resource access, the TPCM accesses the resources of the computing environment directly; direct resource access involves no interaction with the software layer of the computing environment. (This is mainly a functional mechanism realised by the internal design of the CPU and inherent to multi-core CPUs; it is the core support for static and dynamic measurement.)
Figure 12 is a flow diagram of the computing environment sending a command to the TPCM according to an embodiment of the present invention.
Commands are sent either synchronously or asynchronously. For a synchronous command, the sending CPU enters a wait state after sending the command and stays there until command processing completes. Synchronous sending is generally used for simple commands whose processing time is very short and which can be handled in interrupt context. Because the processing time is short, probably shorter than the time a CPU scheduling cycle would need, the sending CPU is not rescheduled in this case; it is more appropriate to let the sending CPU do a short wait. For an asynchronous command, the sending CPU does not wait for command processing to complete after sending it (it waits only for the command to be sent successfully); while the command is being processed, the sending CPU can execute other tasks. This mode is generally used for commands with longer processing times, so that the CPU's computing capacity can be fully utilised.
As shown in Figure 12, CPU0 denotes the computing core and CPU1 denotes the trusted core; the process is as follows:
Step S1201: the TSB agent requests that a command be sent.
Step S1202: the host-side driver writes the command into shared memory.
Step S1203: the host-side driver sends an interrupt to the trusted CPU.
Step S1204: the host-side driver polls the return value flag until the return value is non-empty.
Step S1205: meanwhile, the TPCM communication driver saves the original execution context and enters the interrupt handling function.
Step S1206: the TPCM driver reads the command from shared memory and calls the command processing function. The command processing function handles short commands in interrupt context; for asynchronous commands with longer processing times, the driver only places the command into a queue and returns immediately.
Step S1207: after command processing completes, or after the command has been queued, the TPCM driver writes the return value into shared memory and sets the return value flag.
Step S1208: the TPCM driver restores the TPCM CPU's original task, i.e. restores the context, and continues execution. Because a new task may have been inserted into the queue, the TPCM may start executing that new task.
Step S1209: step S1207 causes the host-side CPU to end polling; the host-side CPU reads the return value from shared memory and clears the return value flag.
Step S1210: the host-side communication driver returns the processing result to the TSB agent.
Step S1211: the TSB agent continues execution.
Figure 13 is a flow diagram of the TPCM sending a notification to the computing environment according to an embodiment of the present invention. Notifications include command processing completion notifications and auxiliary control notifications. The process is as follows:
Step S1301: when the TSB needs the TSB agent to assist with control, or when the TSB has finished processing an asynchronous command, it sends a notification to the computing environment through the TPCM communication driver.
Step S1302: the TPCM communication driver polls the notification flag until the flag is empty, which indicates that the previous notification has been received by the host side. The TPCM then sets the notification flag.
Step S1303: the TPCM communication driver writes the notification content into the shared memory region.
Step S1304: the TPCM communication driver sends an interrupt to the computing environment CPU.
Step S1305: the TPCM CPU continues executing the subsequent TSB tasks.
Step S1306: meanwhile, the computing-side CPU is interrupted, saves its context, and enters the computing-side driver to execute the notification handling function, i.e. it calls the interrupt handling function.
Step S1307: the notification handling function of the computing-side communication driver reads the notification from shared memory and clears the notification flag; from then on the TPCM-side driver can send the next notification.
Step S1308: the computing-side communication driver notifies the TSB agent to process the notification. If it is an asynchronous command completion notification, the TSB agent wakes the waiting process; otherwise the TSB agent calls the notification handling function.
Step S1309: the host-side CPU restores its context and continues executing the original task. Under certain conditions the original task may be preempted.
The computing component and the TPCM communicate through a dedicated inter-core interaction channel, using interrupt notification and shared memory for parameter passing. The TPCM provides no external service interface, which eliminates direct attacks by an attacker on a service interface. At the same time, the TPCM performs strict format checking and filtering on input parameters; because the TPCM's processing logic is relatively fixed, this blocks to the greatest possible extent the penetration attacks that a hacker might attempt through parameter passing.
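The command exchange of Figure 12, the notification exchange of Figure 13 and the parameter filtering just described, as an added single-threaded simulation that is not the patent's own code. Inter-core interrupts are modelled as direct calls into the other side's handler; the command names, the mailbox field layout and the 64-byte payload limit are assumptions made for this example.

```python
from collections import deque
from typing import Dict, List, Optional, Set

SYNC_COMMANDS: Set[str] = {"HOST_INFO", "GET_STATE"}               # short, answered in interrupt context
ASYNC_COMMANDS: Set[str] = {"MEASURE_NOTIFY", "DISTRIBUTE_POLICY"}  # long, queued and answered later


class SharedMemory:
    """Mailbox region shared by both cores; a None field means its flag is empty."""
    def __init__(self) -> None:
        self.command = self.return_value = self.notification = None

class TPCMDriver:
    """TPCM communication driver on CPU1 (trusted core)."""
    def __init__(self, shm: SharedMemory) -> None:
        self.shm, self.host, self.queue = shm, None, deque()

    @staticmethod
    def check_format(cmd: object) -> Optional[str]:
        """Strict format checking and filtering of the input parameters."""
        if not isinstance(cmd, dict) or set(cmd) != {"name", "payload"}:
            return "bad_format"
        if cmd["name"] not in SYNC_COMMANDS | ASYNC_COMMANDS:
            return "unknown_command"
        if not isinstance(cmd["payload"], bytes) or len(cmd["payload"]) > 64:  # assumed limit
            return "bad_payload"
        return None

    def on_interrupt(self) -> None:
        """Steps S1205-S1208: read the command, handle or queue it, set the flag."""
        cmd = self.shm.command                                    # S1206
        error = self.check_format(cmd)
        if error is not None:
            result = {"status": error}                            # filtered out
        elif cmd["name"] in SYNC_COMMANDS:
            result = {"status": "ok", "data": handle(cmd)}        # done in interrupt context
        else:
            self.queue.append(cmd)                                # deferred to the main task
            result = {"status": "queued"}
        self.shm.return_value = result                            # S1207: value and flag

    def run_queue(self) -> None:
        """TPCM main task: finish queued asynchronous commands, then notify."""
        while self.queue:
            cmd = self.queue.popleft()
            self.send_notification({"kind": "command_done", "name": cmd["name"],
                                    "data": handle(cmd)})

    def send_notification(self, note: Dict) -> None:
        """Steps S1301-S1305: previous flag must be clear, then write and interrupt."""
        if self.shm.notification is not None:   # S1302: the real driver polls here;
            raise RuntimeError("previous notification not yet consumed")  # sim: fail fast
        self.shm.notification = note            # S1303: content written, flag set
        self.host.on_interrupt()                # S1304: interrupt to CPU0

def handle(cmd: Dict) -> str:
    """Placeholder command processing: echo the command and its payload."""
    return cmd["name"].lower() + ":" + cmd["payload"].decode()

class HostDriver:
    """Host-side communication driver on CPU0 (computing core)."""
    def __init__(self, shm: SharedMemory, tpcm: TPCMDriver) -> None:
        self.shm, self.tpcm, tpcm.host = shm, tpcm, self
        self.waiting: Set[str] = set()          # async commands awaiting completion
        self.completed, self.control_requests = {}, []

    def send_command(self, name: str, payload: object) -> Dict:
        """Steps S1201-S1211 on behalf of the TSB agent."""
        self.shm.command = {"name": name, "payload": payload}     # S1202
        self.tpcm.on_interrupt()                                  # S1203
        if self.shm.return_value is None:       # S1204: the real driver polls the flag;
            raise RuntimeError("TPCM did not answer")             # sim: fail fast
        result, self.shm.return_value = self.shm.return_value, None  # S1209: read, clear
        if result["status"] == "queued":
            self.waiting.add(name)              # agent process sleeps until notified
        return result                                             # S1210

    def on_interrupt(self) -> None:
        """Steps S1306-S1309: read the notification, clear the flag, dispatch."""
        note, self.shm.notification = self.shm.notification, None  # S1307
        if note["kind"] == "command_done":      # S1308: wake the waiting process
            self.waiting.discard(note["name"])
            self.completed[note["name"]] = note["data"]
        else:
            self.control_requests.append(note)  # auxiliary control request

def demo() -> Dict:
    shm = SharedMemory()
    tpcm = TPCMDriver(shm)
    host = HostDriver(shm, tpcm)
    out = {"sync": host.send_command("GET_STATE", b"tsb")}
    out["async"] = host.send_command("MEASURE_NOTIFY", b"pid=4242")
    out["waiting_before"] = set(host.waiting)
    tpcm.run_queue()                            # TPCM main task completes it
    out["completed"], out["waiting_after"] = dict(host.completed), set(host.waiting)
    out["bad_payload"] = host.send_command("GET_STATE", "not bytes")
    out["unknown"] = host.send_command("REBOOT", b"")
    tpcm.send_notification({"kind": "assist_control", "action": "deny_load"})
    out["control_requests"] = list(host.control_requests)
    out["flags_clear"] = shm.notification is None and shm.return_value is None
    return out
```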
It should be noted that, for simplicity of description, each of the method embodiments described above is stated as a series of combined actions. Those skilled in the art should understand, however, that the present invention is not limited by the order of the actions described, because according to the present invention some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and that the actions and modules involved are not necessarily required by the present invention.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method of the above embodiments can be implemented by software plus the necessary general-purpose hardware platform, and naturally also by hardware, but in many cases the former is the better embodiment. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk or optical disc) and includes instructions that cause a terminal device (which may be a mobile phone, computer, server, network device or the like) to execute the method described in each embodiment of the present invention.
According to another aspect of the embodiments of the present invention, a static measurement device for a trusted computing platform based on a dual-system architecture is also provided, for implementing the above static measurement method. Figure 14 is a schematic diagram of an optional static measurement device for a trusted computing platform based on a dual-system architecture according to an embodiment of the present invention; as shown in Figure 14, the device may include:
a division unit 1401, for dividing the hardware resources of the computer into protection hardware resources and computing hardware resources when the computer is powered on, wherein the computing hardware resources may be accessed by the protection hardware resources but cannot access the protection hardware resources, the protection hardware resources are used to run the protection subsystem, and the computing hardware resources are used to run the computing subsystem;
a measurement unit 1403, for controlling the protection hardware resources to start before the computing hardware resources, and for measuring the startup stages of the computing hardware resources while the computing hardware resources start the computing subsystem.
It should be noted that the division unit 1401 in this embodiment may be used to execute step S102 of the embodiments of the present application, and the measurement unit 1403 in this embodiment may be used to execute step S104 of the embodiments of the present application.
It should be noted here that the examples and application scenarios implemented by the above modules are the same as those of the corresponding steps, but are not limited to the content disclosed in the above embodiments. It should be noted that the above modules, as part of the device, may be implemented by software or by hardware.
Through the above modules, a security-isolated computing component (including the computing hardware resources) and a dual-system-architecture protection component (including the protection hardware resources) coexist inside the processor (CPU). The computing component cannot access the resources of the protection component, whereas the protection component can access all resources of the computing component, and the two sides can interact through a secure dedicated channel. The protection component, with the trusted platform control module (TPCM) as its core and root of trust, can start before the processor of the computing component, perform the initial configuration of the computing component's resources and bus, access all host resources through a direct internal bus sharing mechanism, and carry out static and dynamic trust verification and measurement: what passes verification is allowed to start or continue executing, otherwise an alarm is raised and control is applied, so that intrusion behaviour is actively resisted. It can also generate trusted reports of the host in real time and send them to the trusted security management platform for further correlation analysis. This solves the technical problem of the relatively low computer security in the related art, and thus achieves the technical effect of improving computer security.
Optionally, the division unit includes: a first division module, for dividing the processor of the computer into a first processor core and a second processor core when the computer is powered on, wherein the hardware resources include the processor of the computer; a first measurement module, for measuring the basic firmware of the processor using the first processor core; and a second division module, for subdividing the memory resources and input/output interface resources of the computer into protection hardware resources or computing hardware resources when the measurement result of the processor's basic firmware is trusted, wherein the memory resources included in the protection hardware resources and in the computing hardware resources are different, and the input/output interfaces included are different.
Optionally, the first measurement module is also used to activate the first processor core by executing instructions stored in the read-only memory of the computer; the first processor core then verifies the signature of the processor's basic firmware using a verification public key.
Optionally, the measurement unit is also used, before the computing hardware resources start the computing subsystem, to measure the protection subsystem by executing instructions in the processor's basic firmware on the first processor core, and, when the measurement result of the protection subsystem is trusted, to load and run the protection subsystem on the first processor core.
Optionally, the measurement unit is also used to initialise the trusted platform control module using the protection subsystem, after the protection subsystem has been loaded and run on the first processor core.
Optionally, the measurement unit is also used to activate the second processor core of the computer's processor after the trusted platform control module has completed initialisation, wherein the activated second processor core is used to start the computing subsystem, and to measure multiple startup stages of the computing subsystem using the trusted platform control module.
Optionally, when the measurement unit measures the multiple startup stages of the computing subsystem using the trusted platform control module, it may measure the first-stage boot image currently loaded among the multi-stage boot images; load the first-stage boot image when its measurement result is trusted; measure the second-stage boot image among the multi-stage boot images, wherein the second-stage boot image is the boot image of the stage following the first-stage boot image; load the second-stage boot image when its measurement result is trusted; and, once the measurement and loading of the multi-stage boot images is complete, set up a trusted software base agent in the computing subsystem, wherein the trusted software base agent cooperates with the trusted platform control module to complete measurement during the operation of the computing subsystem, and is used to obtain information about the computer and to control the computer.
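The power-on sequence carried out by the division unit and the measurement unit, as an added simulation that is not the patent's code: firmware signature check on the first core, resource partition with the one-way access rule, measurement of the protection subsystem, TPCM initialisation, and only then activation of the second core and the measure-then-load chain over the boot images. HMAC-SHA256 with a shared key stands in for the public-key signature check, and every resource name, image and reference value is constructed.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()   # hash function is an assumption


class HardwareResources:
    """Memory and I/O divided into a protection part and a computing part, with
    the one-way rule: protection reaches everything, computing never reaches
    protection resources."""
    def __init__(self) -> None:
        self.owner: Dict[str, str] = {}

    def partition(self, protection: List[str], computing: List[str]) -> None:
        self.owner.update({r: "protection" for r in protection})
        self.owner.update({r: "computing" for r in computing})

    def may_access(self, subject: str, resource: str) -> bool:
        return subject == "protection" or self.owner.get(resource) == "computing"


class TPCM:
    """Trusted platform control module: measures images against references,
    but only after the protection subsystem has initialised it."""
    def __init__(self) -> None:
        self.initialised, self.refs = False, {}

    def initialise(self, reference_values: Dict[str, str]) -> None:
        self.refs, self.initialised = dict(reference_values), True

    def measure(self, name: str, data: bytes) -> bool:
        return self.initialised and hmac.compare_digest(digest(data), self.refs.get(name, ""))


def static_boot(firmware: bytes, signature: bytes, verification_key: bytes,
                protection_subsystem: bytes, boot_images: List[Tuple[str, bytes]],
                reference_values: Dict[str, str]) -> Dict:
    """Power-on sequence; 'halted_at' names the stage that failed, or None."""
    state: Dict = {"halted_at": None, "loaded": [], "second_core_active": False,
                   "tsb_agent": False, "hw": HardwareResources()}
    # 1. ROM code activates the first core, which verifies the basic firmware
    #    signature with the verification key (HMAC stands in for the public key).
    expected = hmac.new(verification_key, firmware, "sha256").digest()
    if not hmac.compare_digest(expected, signature):
        state["halted_at"] = "firmware"
        return state
    # 2. Firmware trusted: subdivide memory and I/O (constructed resource names).
    state["hw"].partition(["mem:protection", "io:tpcm"],
                          ["mem:computing", "io:nic", "io:disk"])
    # 3. The first core runs firmware code that measures the protection subsystem
    #    against a reference the firmware holds (assumed to be in reference_values).
    if not hmac.compare_digest(digest(protection_subsystem),
                               reference_values["protection_subsystem"]):
        state["halted_at"] = "protection_subsystem"
        return state
    state["loaded"].append("protection_subsystem")
    # 4. The protection subsystem initialises the TPCM.
    tpcm = TPCM()
    tpcm.initialise(reference_values)
    # 5. Only now is the second core activated; each boot stage is measured by the
    #    TPCM and loaded only if trusted, the chain stopping at the first failure.
    state["second_core_active"] = True
    for name, data in boot_images:
        if not tpcm.measure(name, data):
            state["halted_at"] = name
            return state
        state["loaded"].append(name)
    # 6. All stages loaded: set up the TSB agent in the computing subsystem.
    state["tsb_agent"] = True
    return state


def demo() -> Dict[str, Dict]:
    """Run the chain with intact images, an altered second stage, and a bad signature."""
    key = b"verification-key-constructed"
    firmware = b"BASIC-FIRMWARE-v1"
    good_sig = hmac.new(key, firmware, "sha256").digest()
    psub = b"PROTECTION-SUBSYSTEM"
    images = [("stage1_loader", b"STAGE1"), ("stage2_kernel", b"STAGE2"),
              ("stage3_initrd", b"STAGE3")]
    refs = {"protection_subsystem": digest(psub), **{n: digest(d) for n, d in images}}
    tampered = [images[0], ("stage2_kernel", b"STAGE2-altered"), images[2]]
    return {"good": static_boot(firmware, good_sig, key, psub, images, refs),
            "bad_kernel": static_boot(firmware, good_sig, key, psub, tampered, refs),
            "bad_firmware": static_boot(firmware, b"\x00" * 32, key, psub, images, refs)}
```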
It should be noted here that the examples and application scenarios implemented by the above modules are the same as those of the corresponding steps, but are not limited to the content disclosed in the above embodiments. It should be noted that the above modules, as part of the device, may be implemented by software or by hardware, wherein the hardware environment includes a network environment.
According to another aspect of the embodiments of the present invention, a server or terminal is also provided for implementing the above static measurement method of a trusted computing platform based on a dual-system architecture.
Figure 15 is a structural block diagram of a terminal according to an embodiment of the present invention. As shown in Figure 15, the terminal may include one or more processors 1501 (only one is shown in the figure), a memory 1503 and a transmission device 1505; as shown in Figure 15, the terminal may also include an input/output device 1507.
The memory 1503 may be used to store software programs and modules, such as the program instructions/modules corresponding to the static measurement method and device of a trusted computing platform based on a dual-system architecture in the embodiments of the present invention. The processor 1501 executes various functional applications and data processing by running the software programs and modules stored in the memory 1503, thereby implementing the above static measurement method of a trusted computing platform based on a dual-system architecture. The memory 1503 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory 1503 may further include memory located remotely from the processor 1501, which may be connected to the terminal through a network. Examples of such a network include, but are not limited to, the Internet, an enterprise intranet, a local area network, a mobile communication network and combinations thereof.
The transmission device 1505 is used to receive or send data via a network, and may also be used for data transmission between the processor and the memory. Specific examples of the network may include wired and wireless networks. In one example, the transmission device 1505 includes a Network Interface Controller (NIC), which can be connected to other network devices and to a router through a cable so as to communicate with the Internet or a local area network. In one example, the transmission device 1505 is a Radio Frequency (RF) module, used to communicate wirelessly with the Internet.
Specifically, the memory 1503 is used to store an application program.
The processor 1501 may call the application program stored in the memory 1503 through the transmission device 1505 to execute the following steps:
when the computer is powered on, dividing the hardware resources of the computer into protection hardware resources and computing hardware resources, wherein the computing hardware resources may be accessed by the protection hardware resources but cannot access the protection hardware resources, the protection hardware resources are used to run the protection subsystem, and the computing hardware resources are used to run the computing subsystem;
controlling the protection hardware resources to start before the computing hardware resources, and measuring the startup stages of the computing hardware resources while the computing hardware resources start the computing subsystem.
Optionally, for specific examples in this embodiment, reference may be made to the examples described in the above embodiments; they are not repeated here.
Those of ordinary skill in the art will understand that the structure shown in Figure 15 is only illustrative; the terminal may be a smart phone (such as an Android phone or an iOS phone), a tablet computer, a palmtop computer, a Mobile Internet Device (MID), a PAD or another terminal device. Figure 15 does not limit the structure of the above electronic device. For example, the terminal may also include more or fewer components than shown in Figure 15 (such as a network interface or a display device), or have a configuration different from that shown in Figure 15.
Those of ordinary skill in the art will understand that all or part of the steps of the methods in the above embodiments can be completed by a program instructing the hardware associated with the terminal device. The program may be stored in a computer-readable storage medium, which may include a flash disk, Read-Only Memory (ROM), Random Access Memory (RAM), a magnetic disk, an optical disc or the like.
The embodiments of the present invention also provide a storage medium. Optionally, in this embodiment, the above storage medium may store program code for executing the static measurement method of a trusted computing platform based on a dual-system architecture.
Optionally, in this embodiment, the above storage medium may be located on at least one of the multiple network devices in the network shown in the above embodiments.
Optionally, in this embodiment, the storage medium is arranged to store program code for executing the following steps:
when the computer is powered on, dividing the hardware resources of the computer into protection hardware resources and computing hardware resources, wherein the computing hardware resources may be accessed by the protection hardware resources but cannot access the protection hardware resources, the protection hardware resources are used to run the protection subsystem, and the computing hardware resources are used to run the computing subsystem;
controlling the protection hardware resources to start before the computing hardware resources, and measuring the startup stages of the computing hardware resources while the computing hardware resources start the computing subsystem.
Optionally, for specific examples in this embodiment, reference may be made to the examples described in the above embodiments; they are not repeated here.
Optionally, in this embodiment, the above storage medium may include, but is not limited to, a USB flash disk, Read-Only Memory (ROM), Random Access Memory (RAM), a mobile hard disk, a magnetic disk, an optical disc or other media capable of storing program code.
The serial numbers of the above embodiments of the present invention are for description only and do not represent the advantages or disadvantages of the embodiments.
If the integrated unit in the above embodiment is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in the above computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes instructions that cause one or more computer devices (which may be personal computers, servers, network devices or the like) to execute all or part of the steps of the method described in each embodiment of the present invention.
In the above embodiments of the present invention, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and there may be other ways of dividing in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling, direct coupling or communication connection shown or discussed between components may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or take other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The above integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
The above are only preferred embodiments of the present invention. It should be noted that those of ordinary skill in the art may make various improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as within the scope of protection of the present invention.

Claims (10)

1. A static measurement method for a trusted computing platform based on a dual-system architecture, characterised by comprising:
when a computer is powered on, dividing the hardware resources of the computer into protection hardware resources and computing hardware resources, wherein the computing hardware resources may be accessed by the protection hardware resources and cannot access the protection hardware resources, the protection hardware resources are used to run a protection subsystem, and the computing hardware resources are used to run a computing subsystem;
controlling the protection hardware resources to start before the computing hardware resources, and measuring the startup stages of the computing hardware resources while the computing hardware resources start the computing subsystem.
2. The method according to claim 1, characterised in that dividing the hardware resources of the computer into protection hardware resources and computing hardware resources comprises:
when the computer is powered on, dividing the processor of the computer into a first processor core and a second processor core, wherein the hardware resources include the processor of the computer;
measuring the basic firmware of the processor using the first processor core;
when the measurement result of the basic firmware of the processor is trusted, subdividing the memory resources and input/output interface resources of the computer into the protection hardware resources or the computing hardware resources, wherein the memory resources included in the protection hardware resources and in the computing hardware resources are different, and the input/output interface resources included are different.
3. The method according to claim 2, characterised in that measuring the basic firmware of the processor using the first processor core comprises:
activating the first processor core by executing instructions stored in the read-only memory of the computer, the first processor core verifying the signature of the basic firmware of the processor using a verification public key.
4. The method according to claim 1, characterised in that, before the computing hardware resources start the computing subsystem, the method further comprises:
measuring the protection subsystem by executing the instructions in the basic firmware of the processor through the first processor core;
when the measurement result of the protection subsystem is trusted, loading and running the protection subsystem on the first processor core.
5. The method according to claim 4, characterised in that, after loading and running the protection subsystem on the first processor core, the method further comprises:
initialising a trusted platform control module using the protection subsystem.
6. The method according to claim 5, characterised in that measuring the startup stages of the computing hardware resources comprises:
after the trusted platform control module has completed initialisation, activating the second processor core of the processor of the computer, wherein the activated second processor core is used to start the computing subsystem;
measuring multiple startup stages of the computing subsystem using the trusted platform control module.
7. The method according to claim 6, characterised in that the multiple startup stages include starting multi-stage boot images in sequence, wherein measuring the multiple startup stages of the computing subsystem using the trusted platform control module comprises:
measuring the first-stage boot image currently loaded among the multi-stage boot images;
when the measurement result of the first-stage boot image is trusted, loading and executing the first-stage boot image;
measuring the second-stage boot image among the multi-stage boot images, wherein the second-stage boot image is the boot image of the stage following the first-stage boot image;
when the measurement result of the second-stage boot image is trusted, loading and executing the second-stage boot image;
once the measurement and loading of the multi-stage boot images is complete, using the trusted software base agent set up in the computing subsystem to complete, in cooperation with the trusted platform control module, measurement during the operation of the computing subsystem, the trusted software base agent being used to obtain information about the computer and to control the computer.
8. a kind of staticametric device of the credible calculating platform based on binary system structure characterized by comprising
The hardware resource of the computer is divided into protection hardware resource and meter when for electricity on computers by division unit Calculate hardware resource, wherein the computing hardware resource allows to be accessed by the protection hardware resource and cannot access the protection Hardware resource, the protection hardware resource calculate subsystem for running for running protection subsystem, the computing hardware resource System;
Metric element starts for controlling the protection hardware resource prior to the computing hardware resource, and calculates firmly described During part resource starts the computing subsystem, the startup stage of the computing hardware resource is measured.
9. a kind of storage medium, which is characterized in that the storage medium includes the program of storage, wherein when described program is run Execute method described in 1 to 7 any one of the claims.
10. a kind of electronic device, including memory, processor and it is stored on the memory and can transports on the processor Capable computer program, which is characterized in that the processor executes the claims 1 to 7 by the computer program Method described in one.
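The chained measure-then-load order of claim 7 and the one-directional protection/computing split of claim 8, as an added simulation that is not part of the patent and not code from the assignee. The class names `TrustedPlatformControlModule` and `ComputingSubsystem`, the stage names, the image bytes and the reference values are all constructed for this example; SHA-256 and a PCR-style extend register stand in for whatever hash and storage the real control module uses, which the page does not specify.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class BootImage:
    """One level of the computing subsystem's multi-level startup image (constructed)."""
    name: str
    data: bytes


class ComputingSubsystem:
    """Computing hardware resource. It holds no handle to the TPCM: the
    protection side reaches in here, never the other way round (claim 8)."""

    def __init__(self, images):
        self._images = list(images)
        self.loaded = []        # names of stages that were loaded and executed
        self.halted = False

    def next_image(self):
        """Next stage not yet loaded, or None once the whole chain is done."""
        idx = len(self.loaded)
        return self._images[idx] if idx < len(self._images) else None

    def load_and_execute(self, image):
        self.loaded.append(image.name)

    def halt(self):
        self.halted = True


class TrustedPlatformControlModule:
    """Protection hardware resource. Reference values and the measurement log
    live here, out of reach of the computing subsystem."""

    def __init__(self, reference):
        self._reference = dict(reference)   # stage name -> expected SHA-256 hex (assumed format)
        self._register = bytes(32)          # PCR-style accumulator, starts at zero
        self.log = []                       # (stage name, digest hex) in measurement order

    def measure(self, image):
        digest = hashlib.sha256(image.data).digest()
        # Extend: register = H(register || digest), so the final value also fixes the order.
        self._register = hashlib.sha256(self._register + digest).digest()
        self.log.append((image.name, digest.hex()))
        return digest.hex()

    def is_trusted(self, name, digest_hex):
        expected = self._reference.get(name)
        return expected is not None and hmac.compare_digest(expected, digest_hex)

    def register_hex(self):
        return self._register.hex()


def static_measure_boot(tpcm, computing):
    """Claim 7 order: measure the current stage, load it only if the result is
    trusted, then move to the next stage. Returns (all_trusted, loaded_stages)."""
    while (image := computing.next_image()) is not None:
        digest = tpcm.measure(image)
        if not tpcm.is_trusted(image.name, digest):
            computing.halt()                # an untrusted stage is never loaded
            return False, list(computing.loaded)
        computing.load_and_execute(image)
    return True, list(computing.loaded)


def build_reference(images):
    """Golden values a vendor would provision into the TPCM before deployment."""
    return {img.name: hashlib.sha256(img.data).hexdigest() for img in images}


# Constructed sample chain; real stages would be firmware, boot loader and kernel blobs.
GOOD_CHAIN = [
    BootImage("stage1_firmware", b"firmware v1.0"),
    BootImage("stage2_bootloader", b"bootloader v2.3"),
    BootImage("stage3_kernel", b"kernel 5.4"),
]
REFERENCE = build_reference(GOOD_CHAIN)


def boot_good_chain():
    tpcm = TrustedPlatformControlModule(REFERENCE)
    return static_measure_boot(tpcm, ComputingSubsystem(GOOD_CHAIN))


def boot_tampered_chain():
    """Second-level image modified: stage 1 loads, stage 2 is refused, stage 3 is never measured."""
    tampered = [GOOD_CHAIN[0],
                BootImage("stage2_bootloader", b"bootloader v2.3 + implant"),
                GOOD_CHAIN[2]]
    tpcm = TrustedPlatformControlModule(REFERENCE)
    computing = ComputingSubsystem(tampered)
    ok, loaded = static_measure_boot(tpcm, computing)
    return ok, loaded, computing.halted, len(tpcm.log)


if __name__ == "__main__":
    print(boot_good_chain())
    print(boot_tampered_chain())
```

Two properties of the claimed order are visible in the tampered run: the modified second-level image is measured but never executed, so code after the first untrusted stage does not run, and the third stage is never reached, so the measurement log has two entries rather than three. The extend register differs from the good run as soon as one stage differs, which is what lets a later verifier distinguish the two boots from one value. The runtime cooperation with the trusted software base agent at the end of claim 7 is a separate, dynamic mechanism and is not simulated here.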

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910611598.0A CN110334512B (en) 2019-07-08 2019-07-08 Static measurement method and device of trusted computing platform based on dual-system architecture

Publications (2)

Publication Number Publication Date
CN110334512A true CN110334512A (en) 2019-10-15
CN110334512B CN110334512B (en) 2021-07-27

Family

ID=68144746

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910611598.0A Active CN110334512B (en) 2019-07-08 2019-07-08 Static measurement method and device of trusted computing platform based on dual-system architecture

Country Status (1)

Country Link
CN (1) CN110334512B (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111581646A (en) * 2020-05-08 2020-08-25 北京可信华泰信息技术有限公司 Data processing method, device, storage medium and processor
CN111581646B (en) * 2020-05-08 2023-11-24 北京可信华泰信息技术有限公司 Data processing method, device, storage medium and processor
CN112685741A (en) * 2020-08-07 2021-04-20 国网河北省电力有限公司信息通信分公司 Static measurement method of trusted computing platform with parallel computing and protection in smart grid environment
CN112257071A (en) * 2020-10-23 2021-01-22 江西畅然科技发展有限公司 Credibility measurement control method based on state and behavior of sensing layer of Internet of things
CN112214769A (en) * 2020-10-30 2021-01-12 国家电网有限公司信息通信分公司 Active measurement system of Windows system based on SGX architecture
CN112214769B (en) * 2020-10-30 2023-05-26 国家电网有限公司信息通信分公司 Active measurement system of Windows system based on SGX architecture
CN113127839A (en) * 2021-03-26 2021-07-16 东信和平科技股份有限公司 Secure access method and device based on SE and storage medium
CN113591159A (en) * 2021-07-30 2021-11-02 支付宝(杭州)信息技术有限公司 Credibility measurement method and credible computing node
CN113821821A (en) * 2021-11-24 2021-12-21 飞腾信息技术有限公司 Security architecture system, cryptographic operation method of security architecture system and computing device

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101149728A (en) * 2007-10-29 2008-03-26 中国科学院计算技术研究所 Multiple core processing system and its management method
CN108804927A (en) * 2018-06-15 2018-11-13 郑州信大壹密科技有限公司 Trusted computer platform based on domestic autonomous dual system framework
CN109871695A (en) * 2019-03-14 2019-06-11 沈昌祥 Trusted computing platform with a parallel computing-and-protection dual architecture
CN109871694A (en) * 2019-03-14 2019-06-11 沈昌祥 Static measurement method based on a dual-architecture trusted computing platform
CN109918916A (en) * 2019-03-14 2019-06-21 沈昌祥 Dual-system trusted computing system and method
CN109918915A (en) * 2019-03-14 2019-06-21 沈昌祥 Dynamic measurement method based on a dual-architecture trusted computing platform
CN109948344A (en) * 2019-03-14 2019-06-28 沈昌祥 System interaction method based on a dual-architecture trusted computing platform

Also Published As

Publication number Publication date
CN110334512B (en) 2021-07-27

Similar Documents

Publication Publication Date Title
CN110321235A (en) System interaction method and device of a trusted computing platform based on a dual-system architecture
CN110321713A (en) Dynamic measurement method and device of a trusted computing platform based on a dual-system architecture
CN110334512A (en) Static measurement method and device of a trusted computing platform based on a dual-system architecture
CN109918915B (en) Dynamic measurement method based on a dual-architecture trusted computing platform
US11687645B2 (en) Security control method and computer system
CN110334521B (en) Trusted computing system construction method and device, trusted computing system and processor
CN103353931B (en) Security-enhanced computer system and method
KR20190090037A (en) Systems and methods for cloud-based operating system event and data access monitoring
CN109871695A (en) Trusted computing platform with a parallel computing-and-protection dual architecture
Zunnurhain et al. Security attacks and solutions in clouds
CN109948344A (en) System interaction method based on a dual-architecture trusted computing platform
CN110321715A (en) Trusted measurement method, device and processor
CN108351937A (en) Computing device
CN106341381A (en) Method and system of key management for rack server system
CN110334509A (en) Construction method and device of a dual-system-architecture trusted computing platform
CN101512512A (en) Software authorization utilizing software reputation
KR102134491B1 (en) Network based management of protected data sets
CN110321714A (en) Dynamic measurement method and device of a trusted computing platform based on a dual architecture
CN109479013A (en) The log recording of business in computer network
Garay et al. Software integrity protection using timed executable agents
CN110321712A (en) Static measurement method and device of a trusted computing platform based on a dual architecture
CN110198300B (en) Honeypot operating system fingerprint hiding method and device
KR20230156129A (en) Blockchain-based responsible distributed computing system
CN109165509A (en) Real-time trusted measurement method, device, system and storage medium for software
Rajendran et al. Security threats of embedded systems in iot environment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant