CN110334512B - Static measurement method and device of trusted computing platform based on dual-system architecture - Google Patents


Publication number
CN110334512B
Authority
CN
China
Prior art keywords
computing
command
tpcm
trusted
tsb
Prior art date
Legal status
Active
Application number
CN201910611598.0A
Other languages
Chinese (zh)
Other versions
CN110334512A (en)
Inventor
孙瑜
王强
王涛
洪宇
Current Assignee
BEIJING KEXIN HUATAI INFORMATION TECHNOLOGY CO LTD
Original Assignee
BEIJING KEXIN HUATAI INFORMATION TECHNOLOGY CO LTD
Application filed by BEIJING KEXIN HUATAI INFORMATION TECHNOLOGY CO LTD
Priority to CN201910611598.0A
Publication of CN110334512A
Application granted
Publication of CN110334512B

Classifications

    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                        • G06F21/55 Detecting local intrusion or implementing counter-measures
                            • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
                        • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
                            • G06F21/572 Secure firmware programming, e.g. of basic input output system [BIOS]
                            • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1433 Vulnerability analysis
                        • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention discloses a static measurement method and a static measurement device of a trusted computing platform based on a dual-system architecture. The method comprises the following steps: when a computer is powered on, dividing the hardware resources of the computer into protection hardware resources and computing hardware resources, wherein the computing hardware resources are accessible to the protection hardware resources but cannot access the protection hardware resources, the protection hardware resources are used for running a protection subsystem, and the computing hardware resources are used for running a computing subsystem; controlling the protection hardware resources to start before the computing hardware resources, and measuring the boot stages of the computing hardware resources while the computing hardware resources start the computing subsystem. The invention solves the technical problem of low computer security in the related art.

Description

Static measurement method and device of trusted computing platform based on dual-system architecture
Technical Field
The invention relates to the field of internet security, in particular to a static measurement method and a static measurement device of a trusted computing platform based on a dual-system architecture.
Background
Cyberspace today is extremely fragile. High-impact network attacks such as Stuxnet, ransomware (such as WannaCry) and the Mirai botnet are endless and increasingly rampant. The root cause is that the problem is not addressed at the essential source of network security risk; instead, passive defense means of "blocking, checking and killing", represented by firewalls, anti-virus scanning and intrusion detection, are adopted, which is insufficient and in particular cannot provide effective defense when facing attacks that exploit vulnerabilities of the target system.
The trusted computing chip TPM proposed by the international TCG organization (Trusted Computing Group) is a peripheral device of the computer, works only when invoked by host software in a passive, hooked manner, and can only perform static measurement of resources such as the firmware and executable programs of the computer. A trusted computing platform implemented in the TPM mode is essentially a single-system architecture: the TPM is limited in resource access and control, its security capability depends entirely on the security of the host system, and it can hardly defend against attacks in which hackers exploit vulnerabilities of the host system, so it cannot actually improve the active defense capability of the computer system.
To address the security of cyberspace, the international TCG organization proposed a trusted computing method that takes the TPM and the initial BIOS code as the root of trust and measures trust level by level, thereby constructing a trust chain of the computer and protecting its important resources from illegal tampering and damage, which achieves a certain effect. However, the TPM is essentially only a passively hooked peripheral device of the computer and functions only when called by a host program; once the host is controlled by an attacker, the function of the TPM is rendered ineffective, so the TCG trusted computing architecture can hardly defend against hackers attacking through logic defects of the computer system. For example, Windows 10 fully implements the TCG trusted computing architecture yet failed to prevent the WannaCry ransomware attack.
In addition, the trusted computing platform implemented by the TPM is essentially a single system architecture, and the TPM has limitations in terms of resource access and control of the computer. Moreover, the TPM can only perform static measurements on resources such as firmware and executable programs of the computer, and cannot perform dynamic measurements on application execution and the execution environment on which the application depends.
In summary, a trusted computing platform implemented in the TPM mode is essentially a single-system architecture; the TPM statically measures resources such as firmware and executable programs but cannot dynamically measure application execution or the execution environment on which applications depend, is limited in resource access and control, and its security capability depends entirely on the security of the host system.
For the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiment of the invention provides a static measurement method and a static measurement device of a trusted computing platform based on a dual-system architecture, which at least solve the technical problem of low computer security in the related technology.
According to an aspect of the embodiments of the present invention, there is provided a static measurement method for a trusted computing platform based on a dual-system architecture, including: when a computer is powered on, dividing the hardware resources of the computer into protection hardware resources and computing hardware resources, wherein the computing hardware resources are accessible to the protection hardware resources but cannot access the protection hardware resources, the protection hardware resources are used for running a protection subsystem, and the computing hardware resources are used for running a computing subsystem; controlling the protection hardware resources to start before the computing hardware resources, and measuring the boot stages of the computing hardware resources while the computing hardware resources start the computing subsystem.
According to another aspect of the embodiments of the present invention, there is also provided a static measurement apparatus for a trusted computing platform based on a dual-system architecture, including a dividing unit and a measurement unit, wherein the dividing unit is used for dividing the hardware resources of the computer into protection hardware resources and computing hardware resources when the computer is powered on, the computing hardware resources are accessible to the protection hardware resources but cannot access the protection hardware resources, the protection hardware resources are used for running the protection subsystem, and the computing hardware resources are used for running the computing subsystem; and the measurement unit is used for controlling the protection hardware resources to start before the computing hardware resources, and for measuring the boot stages of the computing hardware resources while the computing hardware resources start the computing subsystem.
According to another aspect of the embodiments of the present invention, there is also provided a storage medium including a stored program which, when executed, performs the above-described method.
According to another aspect of the embodiments of the present invention, there is also provided an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor executes the above method through the computer program.
In the embodiment of the invention, a dual-system architecture in which security-isolated computing components (including the computing hardware resources) and protection components (including the protection hardware resources) coexist is built inside the CPU (central processing unit). The computing components cannot access the resources of the protection components, the protection components can access all resources of the computing components, and the two parts interact through a secure dedicated channel. The protection components take the Trusted Platform Control Module (TPCM) as their core and trusted source point, can be started before the processor of the computing components, perform initialization configuration of the resources and buses of the computing components, access all resources of the host through a direct internal bus sharing mechanism, and perform static and dynamic trusted verification measurement: what passes verification is allowed to start or continue executing, otherwise an alarm is raised and control is applied, so that intrusion behaviour is actively resisted. The protection components can also generate a trusted report of the host in real time and report it to a trusted security management platform for further correlation analysis. This solves the technical problem of low computer security in the related art and achieves the technical effect of improving computer security.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a flow chart of an alternative static measurement method for a trusted computing platform based on a dual-system architecture according to an embodiment of the invention;
FIG. 2 is a schematic diagram of an alternative dual-system architecture in accordance with embodiments of the present invention;
FIG. 3 is a diagram of alternative CPU internal resources according to an embodiment of the present invention;
FIG. 4 is a flow chart of an alternative computer power-up procedure in accordance with an embodiment of the present invention;
FIG. 5 is a schematic diagram of an alternative dynamic measurement framework in accordance with embodiments of the present invention;
FIG. 6 is a schematic diagram of an alternative dynamic measurement scheme in accordance with embodiments of the present invention;
FIG. 7 is a schematic diagram of an alternative dynamic measurement function module in accordance with embodiments of the present invention;
FIG. 8 is a flow diagram of an alternative kernel critical data structure measurement according to an embodiment of the present invention;
FIG. 9 is a flow diagram of an alternative system process measurement according to an embodiment of the present invention;
FIG. 10 is a flow diagram of an alternative kernel driver measurement according to an embodiment of the present invention;
FIG. 11 is a flow diagram of an alternative system critical memory block measurement according to an embodiment of the invention;
FIG. 12 is a flow diagram of an alternative command interaction in accordance with an embodiment of the present invention;
FIG. 13 is a flow diagram of an alternative notification delivery according to an embodiment of the present invention;
FIG. 14 is a schematic diagram of an alternative static measurement device for a trusted computing platform based on a dual-system architecture, according to an embodiment of the invention; and
FIG. 15 is a block diagram of a terminal according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, partial terms or terms appearing in the description of the embodiments of the present invention are applied to the following explanations:
TCM: trusted cryptography module, a hardware module of the trusted computing platform that provides cryptographic operation functions for the trusted computing platform and has a protected storage space.
TPCM: trusted platform control module, a hardware core module integrated in the trusted computing platform for establishing and guaranteeing the trusted source point, which provides integrity measurement, secure storage, trusted reporting and cryptographic services for trusted computing.
TSB: trusted software base, a collection of software elements that provide support for the trustworthiness of a trusted computing platform.
BIOS: Basic Input Output System, the industry-standard firmware interface on PC-compatible systems.
According to an aspect of the embodiments of the present invention, an embodiment of a static measurement method of a trusted computing platform based on a dual-system architecture is provided.
The application provides a trusted computing dual-system architecture constructed in a CPU-homogeneous mode: based on a multi-core CPU architecture, the CPU cores, memory and I/O are divided into a computing component and a protection component which are isolated from each other. The protection component performs active measurement and active control of the computing component; the protection component can access the computing component, but the computing component cannot access the protection component.
Based on the trusted computing dual system architecture, the basic firmware of the multi-core CPU can control the starting process to enable the TPCM to be started before the computing component, so that the TPCM can perform measurement protection on the computing component first. The TPCM can measure the starting process of the computing component step by step and establish a static trust chain.
Based on the trusted computing dual-system architecture, while the computing component is running, the TSB can also perform dynamic measurement of the computing component according to a trusted policy and apply the corresponding control processing to the computing component according to the measurement result.
Based on a trusted computing dual-system architecture, the protection component and the computing component can perform communication interaction through a special secure interaction channel, and the interaction modes between the protection component and the computing component can be divided into three main classes: commands, notifications, and resource accesses.
Fig. 1 is a flowchart of an alternative static measurement method for a trusted computing platform based on a dual-system architecture according to an embodiment of the present invention. As shown in fig. 1, the method may include the following steps:
step S102, when the computer is powered on, dividing the hardware resources of the computer into protection hardware resources and computing hardware resources, wherein the computing hardware resources are accessible to the protection hardware resources but cannot access the protection hardware resources, the protection hardware resources are used for running the protection subsystem, and the computing hardware resources are used for running the computing subsystem.
Optionally, dividing the hardware resources of the computer into protection hardware resources and computing hardware resources comprises: when the computer is powered on, dividing the processor of the computer into a first processor core and a second processor core, wherein the hardware resources comprise the processor of the computer; measuring the basic firmware of the processor using the first processor core; and, when the measurement result of the basic firmware of the processor is trusted, dividing the memory resources and the input/output interface resources of the computer into protection hardware resources or computing hardware resources, wherein the protection hardware resources and the computing hardware resources comprise different memory resources and different input/output interfaces.
In the above embodiment, the measuring the basic firmware of the processor by using the first processor core includes: the first processor core is activated by executing instructions stored in a read-only memory of the computer, and the first processor core verifies a signature of the basic firmware of the processor with a verification public key.
Step S104, controlling the protection hardware resources to start before the computing hardware resources, and measuring the boot stages of the computing hardware resources while the computing hardware resources start the computing subsystem.
Optionally, before the computing hardware resources start the computing subsystem, the first processor core executes instructions in the basic firmware of the processor to measure the protection subsystem; and, when the measurement result of the protection subsystem is trusted, the protection subsystem is loaded and run on the first processor core.
Optionally, after the protection subsystem is loaded and run on the first processor core, the trusted platform control module may be initialized with the protection subsystem.
Optionally, the measuring the startup phase of the computing hardware resource comprises: after the trusted platform control module completes initialization, activating a second processor core of a processor of the computer, wherein the activated second processor core is used for starting a computing subsystem; a plurality of boot phases of the computing subsystem are measured using the trusted platform control module.
In the above embodiment, the multiple boot stages include sequentially booting a multi-stage boot image, and measuring the multiple boot stages of the computing subsystem with the trusted platform control module includes: measuring the currently loaded first-stage boot image of the multi-stage boot images; loading the first-stage boot image when its measurement result is trusted; measuring the second-stage boot image of the multi-stage boot images, wherein the second-stage boot image is the next-stage boot image after the first-stage boot image; loading the second-stage boot image when its measurement result is trusted; and, when the measurement results of the multi-stage boot images are trusted and loading is complete, installing a trusted software base agent in the computing subsystem, wherein the trusted software base agent cooperates with the trusted platform control module to complete measurement while the computing subsystem is running.
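The following Python simulation is an added example and is not code from the patent or from the assignee. It models step S102 (the partition of cores, memory and I/O into protection and computing resources with the asymmetric access rule) and step S104 (the boot-time measurement chain: basic firmware, then the protection subsystem, then each boot image of the computing subsystem in order, halting at the first untrusted stage and installing the TSB agent only after every stage passed), and records each measurement in a log that plays the role of the trusted report. All names (partition_hardware, can_access, TPCM, static_boot, run_demo), the choice of SHA-256 as the measurement function and the sample images are assumptions; the public-key signature check that the first core performs on the basic firmware is stood in for by a digest comparison, since the Python standard library provides no signature primitive.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed model: the two resource owners of the dual-system architecture.
PROTECTION = "protection"   # protection component / TPCM side
COMPUTING = "computing"     # computing component / host side


@dataclass(frozen=True)
class Resource:
    kind: str    # "core", "memory" or "io"
    name: str
    owner: str   # PROTECTION or COMPUTING


def partition_hardware(cores, memory_regions, io_devices,
                       protection_cores=1, protection_memory=1, protection_io=1):
    """Step S102 (constructed policy): the first N of each hardware class go to the
    protection component, the remainder to the computing component."""
    resources = []
    for kind, names, n in (("core", cores, protection_cores),
                           ("memory", memory_regions, protection_memory),
                           ("io", io_devices, protection_io)):
        for i, name in enumerate(names):
            resources.append(Resource(kind, name, PROTECTION if i < n else COMPUTING))
    return resources


def can_access(accessor, resource):
    """Asymmetric isolation: the protection component may access every resource,
    the computing component only resources it owns."""
    return accessor == PROTECTION or resource.owner == COMPUTING


def measure(image):
    """Static measurement of an image: SHA-256 digest (constructed choice)."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class TPCM:
    """Constructed stand-in for the trusted platform control module: holds the
    reference values (trusted policy) and logs every measurement (trusted report)."""
    reference_values: dict
    log: list = field(default_factory=list)

    def measure_stage(self, stage, image):
        digest = measure(image)
        trusted = self.reference_values.get(stage) == digest
        self.log.append({"stage": stage, "digest": digest, "trusted": trusted})
        return trusted


def static_boot(tpcm, basic_firmware, protection_subsystem, boot_images):
    """Step S104 (constructed): protection side first, then each computing-side
    boot image is measured before it is loaded; the first untrusted stage halts
    the chain and the TSB agent is installed only if every stage was trusted."""
    result = {"status": "halted", "failed_stage": None, "loaded": [], "tsb_agent": False}
    # The first core's public-key signature check of the basic firmware is
    # represented by a digest comparison here (assumption, see lead-in).
    if not tpcm.measure_stage("basic_firmware", basic_firmware):
        result["failed_stage"] = "basic_firmware"
        return result
    if not tpcm.measure_stage("protection_subsystem", protection_subsystem):
        result["failed_stage"] = "protection_subsystem"
        return result
    # Only now would the second (computing) core be activated; measure its boot chain.
    for stage, image in boot_images:
        if not tpcm.measure_stage(stage, image):
            result["failed_stage"] = stage
            return result
        result["loaded"].append(stage)
    result["status"] = "trusted"
    result["tsb_agent"] = True
    return result


# Constructed sample images standing in for real firmware and boot stages.
SAMPLE_IMAGES = {
    "basic_firmware": b"constructed basic firmware v1",
    "protection_subsystem": b"constructed trusted OS + TSB",
    "bootloader_stage1": b"constructed first-stage boot image",
    "bootloader_stage2": b"constructed second-stage boot image",
    "os_kernel": b"constructed computer operating system kernel",
}
REFERENCE_VALUES = {name: measure(img) for name, img in SAMPLE_IMAGES.items()}


def run_demo(tampered_stage=None):
    """Boot with the sample images, optionally appending a byte to one stage
    to simulate tampering. Returns (boot result, measurement log)."""
    images = dict(SAMPLE_IMAGES)
    if tampered_stage:
        images[tampered_stage] += b"X"
    tpcm = TPCM(reference_values=dict(REFERENCE_VALUES))
    chain = [(s, images[s]) for s in ("bootloader_stage1", "bootloader_stage2", "os_kernel")]
    return static_boot(tpcm, images["basic_firmware"], images["protection_subsystem"], chain), tpcm.log


if __name__ == "__main__":
    for case in (None, "bootloader_stage2"):
        outcome, log = run_demo(case)
        print(case or "untampered", "->", outcome["status"], outcome["failed_stage"], outcome["loaded"])
        for entry in log:
            print("   ", entry["stage"], "trusted" if entry["trusted"] else "UNTRUSTED", entry["digest"][:16])
```

Running the module boots once with untampered images (every stage trusted, TSB agent installed) and once with a modified second-stage boot image, where the chain halts after the first stage and the log shows exactly which measurement failed; the partition helper and can_access can be exercised separately to confirm that the computing side is denied every protection-owned resource.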
The protection subsystem may include a hardware part (the protection hardware resources) and a software part (the trusted operating system and the TSB), and the computing subsystem includes a hardware part (the computing hardware resources) and a software part (the computer operating system and various applications, such as office software). The measurement of the computer is carried out by the Trusted Platform Control Module (TPCM), where the TPCM can be the protection subsystem, comprising a hardware part (the protection hardware resources) and a software part (the trusted operating system and the trusted TSB).
The static measurement process covers the startup of the computing hardware resources, the startup of the computer operating system, the startup of application programs and the like.
Through the above steps, a dual-system architecture in which a security-isolated computing component (namely the computing subsystem) and a protection component (namely the protection subsystem) coexist is built inside the CPU (central processing unit). The computing component cannot access the resources of the protection component, the protection component can access all resources of the computing component, and the two parties interact through a secure dedicated channel. The protection component takes the Trusted Platform Control Module (TPCM) as its core and trusted source point, can be started before the processor of the computing component, performs initialization configuration of the resources and bus of the computing component, accesses all resources of the host through a direct internal bus sharing mechanism, and performs static and dynamic trusted verification measurement: what passes verification is allowed to start or continue executing, otherwise an alarm is raised and control is applied, so that intrusion behaviour is actively resisted. The protection component can also generate a trusted report of the host in real time and report it to a trusted security management platform for further correlation analysis. This solves the technical problem of low computer security in the related art and achieves the technical effect of improving computer security.
As an optional embodiment, the technical solution of the present application is further detailed below with reference to a specific implementation. The protection component may specifically include a trusted cryptography module TCM, a trusted platform control module TPCM, a trusted embedded operating system (i.e. the trusted operating system) and other basic components: the trusted cryptography module serves as the cryptographic gene, the TPCM is the concrete execution mechanism of the active immunity mechanism, and the trusted embedded operating system manages the local physical resources of the TPCM and accesses and schedules host resources and TCM resources. In conclusion, the trusted computing dual-system architecture is the basis of active immune defense and the core characteristic that distinguishes trusted computing 3.0 from other security protection mechanisms: the TPCM and the TCM form the root of trust, which has software and hardware resources independent of the host and can actively access all resources of the host to support the implementation of the trusted verification mechanism, and it is the source point of the whole active immune defense system.
The invention constructs a trusted computing dual-system architecture based on the resource isolation and interaction mechanism provided by a multi-core CPU architecture. The dual-system architecture is a computing system structure that realizes active immunity through the parallel operation of a protection component and a computing component: the computing component is responsible for completing business computing tasks, and the protection component is responsible for monitoring and protecting the computing component to ensure that the execution of the business computing tasks meets expectations. The protection component uses cryptography as its gene and, according to a trusted security policy, escorts the trusted operation of the computing component through a series of means such as identity recognition, state measurement, state analysis, dynamic perception, response control, secret storage and security control.
The multi-core CPU architecture can divide computer hardware resources such as CPU cores, memory spaces and I/O peripherals into two groups of resource sets, isolate and control them, and provide security protection and mutual communication capability. The invention uses these characteristics of the CPU to divide the CPU cores (one CPU has a plurality of cores; 4, 8, 16 and 64 cores are common), the memory spaces (on-chip and off-chip memory) and the I/O peripherals into two groups of hardware resources, one for the computing component and one for the protection component. Through corresponding configuration, the resource allocation between the protection component and the computing component can be changed flexibly, and at the same time the protection component is isolated from the external, complex computing environment to form a relatively closed environment: the resources of the protection component can be accessed neither from the outside nor by the computing component, so that the resources of the protection component are effectively protected and the security level is higher. Through corresponding configuration, the protection component can also access the resources of the computing component in order to monitor and protect them; the computing component and the protection component communicate through a specific interface with a dedicated interaction mechanism, which provides interaction capability while protecting the protection component from interference and damage by the computing component to the greatest extent.
Fig. 2 is a schematic diagram of the trusted computing dual-system architecture. In this architecture, the original computer system becomes the computing component, and the Trusted Platform Control Module (TPCM) is the protection component. The protection component runs in parallel with the computing component, is independent of it, and has resources that are protected by hardware mechanisms (such as an expansion bus, a controller, a management unit and the like) from interference and destruction by the computing component and the outside. In turn, the TPCM proactively initiates measurement and security protection of the computing component according to its own policy (in the design of the CPU, the security level and priority of the protection component are set to be highest). In addition, the trusted security management platform is responsible for managing trusted policies, reference values and the like.
In the above trusted computing dual architecture:
1) The CPU provides hardware support for resource isolation, resource access, resource control, the communication mechanism between the protection component and the computing component, security, and so on.
2) The CPU basic firmware sets up the resource isolation protection and controls the boot sequence so that the TPCM starts before the computing component, which allows the TPCM to measure and protect the computing component. The CPU basic firmware is also responsible for establishing the communication mechanism between the computing component and the protection component.
3) The hardware resources of the protection component comprise a trusted special CPU core (1 or more CPU cores, configurable number), an on-chip cryptographic engine, an on-chip persistent storage, a special memory area, a true random number generator, a clock, a counter and the like, an on-board persistent storage, an I/O device, an on-board special network card, an extensible Trusted Cryptographic Module (TCM) and the like.
4) The TPCM OS is the operating system of the protection component. It runs continuously on the dedicated trusted CPU core(s), concurrently with the operating system on the computing cores (the computer operating system), and provides the environment the trusted service functions need: task scheduling, drivers and the basic services common to operating systems. It also contains the internal implementation of the Trusted Cryptography Module (TCM) specific to trusted computing (if the CPU has a hardware cryptographic engine, the TCM is made up of TPCM operating system software plus the hardware engine; if not, the TCM can be implemented entirely in TPCM operating system software), the resource access driver, the trusted communication driver, trusted control, and so on. The trusted computing service logic of the TPCM needs to access host-side resources and to manage and use the storage and cryptographic computing resources inside the TPCM; the operating system and its driver modules provide the necessary support for these operations.
5) The TSB implements the main business logic of trusted computing: measuring and controlling the computing component during the boot phase and at runtime, recording the measurement results, evaluating the trusted state, and generating trusted logs, credentials and reports. The TSB uses a policy language to define how its functions execute, which gives maximum flexibility and adaptability: the policy language defines when to measure, what to measure, how to judge and how to control and protect, and the TSB policy enforcement engine parses and enforces it. Because of this flexibility, many operations of the computing component, such as logging in, opening a file, executing a program, connecting to a network or using a device, can be combined with a trust measurement. The TSB uses a reference library as the basis for judgment during measurement. The policies and the reference library are issued to the TPCM by the trusted security management platform. Measurement logs and reports are generated by the TSB and uploaded to the trusted security management platform; credentials are communicated to the requesters that need them. TSB measurement includes static boot measurement and dynamic measurement. Static boot measurement measures the module of each boot stage, such as the BIOS and the BootLoader, establishing a complete trust chain from the start of the computing component; dynamic measurement monitors the system in real time and ensures that the computing component remains trusted at runtime.
6) The TSB agent is located inside the computing component but logically belongs to the TPCM; it performs, on behalf of the TSB, tasks that are closely tied to the computing component environment. Because these tasks sit deep inside the computing component's software, the TPCM cannot perform them directly from outside, or cannot do so easily: obtaining OS behavior information, intercepting behavior, killing processes and so on are therefore executed by the TSB agent on the TSB's behalf. Since the TSB agent itself is measured and protected by the TPCM, it can be trusted to perform these tasks. The primary tasks of the TSB agent are to acquire and control system behavior, to acquire system behavior and context data, to assist in enforcing control, and to negotiate and control trusted connections, where a trusted connection establishes a trusted network environment on the basis that the node itself is trusted.
7) The trusted security management platform is responsible for managing trusted policies, reference values and so on. The TPCM is the core component of the trusted-immunity dual architecture; it is responsible for measuring and protecting the computing component and for generating trusted logs and report data. The TPCM includes trusted hardware resources, a trusted operating system, a built-in TCM and a trusted software base.
The trusted operating system provides necessary bottom layer service and running environment for the trusted function, and the TPCM operating system is composed of a basic layer and a functional layer. The base layer includes basic functions that a common operating system should have, such as task scheduling, local resource and system service access. The functional layer comprises trusted computing special services such as host resource access control drive, host communication drive, password resource access drive, state record, trusted credential and report, policy and benchmark management and the like.
The TSB is the core software layer that realizes the trusted business functions; it is responsible for measurement, security protection and the generation of the related logs and reports. The TSB consists of a basic trust base, an active monitoring mechanism (comprising a control mechanism, a measurement mechanism and a judgment mechanism), a trusted reference library, a support mechanism, a cooperation mechanism and an interaction interface. The basic trust base verifies and loads the other mechanisms during TSB startup. The active monitoring mechanism intercepts the application's system calls and, with the support of the TPCM, actively measures and controls the subject, object, operation and environment involved in each call. The TSB accesses TPCM resources through the support mechanism; through the cooperation mechanism it exchanges policies and audit information with the trusted security management platform and cooperates with the TSBs of other computing platforms. The control mechanism is the entry point of the active monitoring mechanism: it actively captures the system behavior of applications according to the control policy and enforces control according to the judgment result. The control policy covers the range of system control points, how the information acquired at each control point is processed, and how the control mechanism responds to the judgment result. The control process consists of intercepting a system call, acquiring the subject, object, operation and environment information related to it, passing that information to the measurement mechanism for measurement according to the control policy, receiving the judgment result from the judgment mechanism, and enforcing the corresponding control. The measurement mechanism measures the measurement object according to the measurement policy.
The measurement strategy is composed of measurement objects, measurement methods and the like. The measurement objects include programs, data, behaviors, and the like. The measuring method comprises the steps of setting measuring points in the measuring object, measuring time, measuring algorithm and the like. The measurement process comprises measuring related information such as subjects, objects, operations, environments and the like transmitted by the control mechanism according to the measurement strategy, and transmitting a measurement result to the judgment mechanism. And the judgment mechanism judges the measurement result according to the judgment strategy. The judgment strategy comprises a comparison mode of the measurement result and a reference value, weight values of different measurement results, a comprehensive calculation method and the like. The judgment process comprises the steps of utilizing the credible reference library and the measurement result to carry out comprehensive judgment according to the judgment strategy, and sending the judgment result to the control mechanism. The TSB interactive interface comprises an internal interactive interface and an external interactive interface. The internal interaction interface supports interaction among all mechanisms of the TSB; the external interaction interface supports interaction between the TSB and the TPCM, the host base software and the trusted security management platform.
The TCM provides cryptographic support for trusted computing. The TPCM hardware resources comprise a set of special CPUs, storage, a password unit, IO equipment and a TCM module which is possibly externally extended. The CPU provides isolation, protection and interaction mechanisms, so that the hardware resources of the TPCM can be isolated and protected, and the capability of mutual communication between the computing component and the trusted node is realized.
Fig. 3 is a schematic diagram of the internal resources of a CPU according to an embodiment of the present invention. The CPU supports a trusted architecture based on isolation protection, and the embodiment divides all software and hardware resources inside the CPU into trusted resources or computing resources. As shown in fig. 3, when the system starts, the CPU loads and runs the CPU basic firmware on one core, the trusted core (the first processor core). The CPU basic firmware may designate some cores as trusted cores through values stored in registers. The trusted cores run at a higher privilege level and can access the entire address space; the computing cores (the second processor core) run at a lower privilege level and can only access the address space of the computing environment. The trusted cores run only trusted code and build the trusted environment; the computing cores run everything else (business application code, not security related). The CPU adds a trusted bit identifier as a bus extension; it indicates whether an access request originates from a trusted core or a computing core. Resource isolation and access control are realized by the resource controllers of the individual resources in combination with this bit.
The memory has a memory resource controller, which divides the memory into trusted memory and computing memory as configured by the CPU basic firmware. When the memory resource controller receives an access request, it allows the request if the trusted bit identifier marks it as coming from a trusted core. If the bit marks it as coming from a computing core, the controller checks whether the accessed address range lies within the computing memory space, allows the request if it does, and rejects it otherwise. The trusted memory can be further divided into several trusted domains, each with its own independent read/write access rights. At system start the CPU basic firmware sets aside part of the memory as trusted memory; this part is invisible to the OS of the computing component, which cannot reallocate or use it, and the trusted memory resource controller filters out any request from the computing component to access the trusted memory.
Similarly, the I/O resource controller may also divide the I/O into a trusted I/O and a computational I/O according to the CPU base firmware, and when the I/O resource controller receives an access request, if the trusted bit identifier indicates that the access request is an access request of a trusted core, the I/O resource controller allows the access request to be executed, and if the trusted bit identifier indicates that the access request is an access request of a computational core, the I/O resource controller checks whether an access address space is within the computational I/O space, and if so, allows the access request to be executed, and if not, prohibits the access request from being executed. It should be noted that, if there is no memory resource controller and no I/O resource controller inside the CPU, the memory and I/O partitioning and the filtering of the access request can be implemented by configuring corresponding bridge devices.
The trustworthiness of I/O is guaranteed by a trusted control register in a controller of the bridge or the peripheral. The on-chip bus controller (a controller, filter or bridge device that can determine from the extension bit on the bus whether a resource request is authorized, and is therefore trust-aware) can distinguish trusted requests from computing requests. The trusted attribute of peripherals such as PCIe devices and network interfaces is configurable and can be set dynamically to the trusted state by a trusted core. The I/O interface (I/O controller, filter or forwarding bridge, NoC) checks each access request against the corresponding trusted attribute, filters out unauthorized requests, and thereby protects the trusted I/O peripherals.
By adding this comparison of the trusted bit identifier, the invention ensures that a computing core cannot obtain trusted resources, which keeps the trusted resources secure. Likewise, when a DMA device issues a DMA request it must specify its trusted access attribute, and a DMA engine belonging to the computing environment cannot access the trusted address space.
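The following is an added example, not code from the patent, that models the access filter the memory and I/O resource controllers apply: a request carries the trusted bit, a computing-side request (core or DMA) is confined to the computing partition, a trusted-side request sees the whole address space subject to per-domain read/write rights, and a DMA request that states no trusted attribute is dropped. The partition layout, the domain names and rights, and the request format are assumptions made for illustration.

```python
"""Model of the trusted-bit access filter of a memory/I/O resource controller.
Added example; the partition layout, domain rights and request format are
assumptions, not values taken from the patent."""
from dataclasses import dataclass
from typing import Optional

TRUSTED, COMPUTE = 1, 0  # value of the trusted bit carried as a bus extension


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int               # exclusive
    trusted: bool          # True = belongs to the protection component
    readable: bool = True  # per-domain rights only apply to trusted domains
    writable: bool = True

    def contains(self, addr: int, size: int) -> bool:
        return self.start <= addr and addr + size <= self.end


@dataclass(frozen=True)
class Request:
    trusted_bit: Optional[int]  # None models a DMA request with no trusted attribute
    addr: int
    size: int
    write: bool


# Partition set by the CPU basic firmware at boot (assumed layout).
MEMORY_MAP = [
    Region("compute_ram", 0x0000_0000, 0x8000_0000, trusted=False),
    # Trusted memory split into domains with independent read/write rights.
    Region("tpcm_code", 0x8000_0000, 0x8010_0000, trusted=True, writable=False),
    Region("tpcm_data", 0x8010_0000, 0x8020_0000, trusted=True),
    Region("tpcm_audit", 0x8020_0000, 0x8021_0000, trusted=True, readable=False),
]


def check_access(req: Request, regions=MEMORY_MAP) -> bool:
    """Return True if the resource controller lets the request through."""
    if req.trusted_bit is None:
        return False  # DMA must state its trusted attribute; otherwise it is dropped
    region = next((r for r in regions if r.contains(req.addr, req.size)), None)
    if region is None:
        return False  # unmapped, or straddles a partition boundary
    if req.trusted_bit == COMPUTE:
        # A computing core (or compute-side DMA) may only touch the computing space.
        return not region.trusted
    # A trusted core sees the whole address space, subject to per-domain rights.
    return region.writable if req.write else region.readable
```

The write-only audit domain and the read-only code domain are there to show why the page distinguishes trusted domains with independent rights: even the trusted core cannot overwrite its own code region through this controller.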
The safety performance of the protection component is good, and the protection component is mainly embodied in the following four aspects:
1. Its own environment is isolated. The processor fully supports a trusted architecture based on domain isolation, in which all software and hardware resources can be divided into trusted resources and computing resources used respectively by the protection component and the computing component. When the system starts, the protection component (TPCM) runs first, completes the partitioning of the physical resources, and verifies the firmware or software of the computing component; only then may the main CPU of the computing component start running, which isolates the boot process. At runtime the protection component and the computing component run in parallel, and complete runtime isolation of the two environments is achieved through the CPU cores and the bus: the isolated resources include CPU cores, memory and I/O devices, the resources used by the protection component cannot be accessed by the computing component, and the protection component can actively access all resources of the computing component. The computing component can communicate with the protection component only through the dedicated interaction channel. In short, during both boot and runtime the protection component operates in a completely isolated environment and actively verifies the trustworthiness of the computing component. This greatly reduces the attack surface: even if the host-side operating system is compromised, an attacker finds it very hard to penetrate the protection component, so the TPCM keeps control of the host throughout, which lays the foundation for an overall protection system.
2. The interaction channel is secure. The computing component and the TPCM communicate through a dedicated inter-core interaction channel using interrupt notification and parameter passing through shared memory; the TPCM exposes no external service interface, which eliminates direct attacks on a service interface. At the same time, the TPCM strictly checks and filters the format of incoming parameters, and because its processing logic is fixed, attacks that try to penetrate it through the passed parameters are prevented to the greatest extent.
3. The data of the protection component (TPCM) is secure. This data falls into three categories: data stored locally, such as policy data and cryptographic data; network data exchanged with the trusted management platform; and data loaded into the TPCM's running space. Local data is stored in FLASH outside the chip, encrypted under the OTP key inside the chip; the data in FLASH always remains ciphertext and is decrypted only when loaded into memory. Network data arises from the interaction between the protection component and the trusted management platform, including policy issuance, audit log upload and trusted report upload; the whole exchange is protected at the transport layer with SSL/TLS. The TPCM can bind important data to the measurement values taken at runtime, which realizes data encapsulation (sealing): the protected data can only be decapsulated on the platform to which the TPCM is bound and in a specified integrity state. The TPCM shall also support secure data migration, backup and recovery, carried out on the premise that the confidentiality and integrity of the data are preserved.
4. Operation and maintenance is secure. Operation and maintenance of the protection component includes local software or firmware upgrades, fault diagnosis and so on. Two-factor identity authentication is required: only after the administrator has authenticated with a USB key (UKey) may they log in to the system to perform an upgrade or fault diagnosis, administrator access is strictly controlled, and the whole session is audited. In addition, the signature of any software or firmware to be installed is verified first, and the upgrade is performed only once its source and version are confirmed, which minimizes the security risk introduced by operation and maintenance.
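The data encapsulation described under point 3, binding data to a measurement value so that it can only be decapsulated in the expected integrity state, can be shown concretely. The following is an added example and not the patent's implementation: the storage keys are derived from an on-chip root key and the measurement value, so a different platform state derives different keys and the integrity tag no longer verifies. The OTP key bytes, the label strings and the use of HMAC-SHA256 in counter mode as the cipher are assumptions made to keep the example standard-library only; a real TPCM would use its hardware cryptographic engine for the cipher.

```python
"""Sealing data to a measurement value. Added example; the OTP key, labels
and the HMAC-SHA256 counter-mode cipher are assumptions, not the patent's."""
import hashlib
import hmac
import os

# Constructed stand-in for the key fused into the chip's OTP; it never leaves the TPCM.
OTP_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def _derive(label: bytes, measurement: bytes) -> bytes:
    # The storage key depends on the platform measurement: a different integrity
    # state derives a different key, so the data cannot be decapsulated there.
    return hmac.new(OTP_KEY, label + measurement, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(plaintext: bytes, measurement: bytes) -> bytes:
    """Encrypt-then-MAC under keys bound to `measurement`; returns nonce|ct|tag."""
    enc_key = _derive(b"seal-enc", measurement)
    mac_key = _derive(b"seal-mac", measurement)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(blob: bytes, measurement: bytes):
    """Return the plaintext, or None if the blob was tampered with or the current
    measurement differs from the one the data was sealed under."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = _derive(b"seal-enc", measurement)
    mac_key = _derive(b"seal-mac", measurement)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong platform state or corrupted FLASH contents: refuse to decapsulate
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
```

The tag is checked before anything is decrypted, so a policy blob copied to another platform, or one whose FLASH contents were altered, is rejected without exposing any plaintext.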
Based on the above trusted computing dual architecture, the process by which the protection component performs static measurement of the computing component can be described as follows:
When the computer is powered on, the system resources are divided in advance, through configuration, into trusted resources and computing resources. The trusted resources comprise part of the CPU cores (the trusted cores), the trusted memory and the trusted I/O devices, and form the trusted environment in which the TPCM is realized; the computing resources comprise the other CPU cores (the computing cores), the computing memory and the computing I/O devices, and form the computing environment in which the computing tasks run. A computing core running in the computing environment cannot access the resources of the trusted environment, whereas a trusted core running in the trusted environment can access all resources of both environments. The boot process also measures the whole boot chain stage by stage, forming a complete trust chain, so that the system enters a trusted computing environment after boot.
As shown in fig. 4, a flow chart of a computer boot process is shown, and the boot process includes the following steps:
Step S401: after the system is powered on, the ROM code running on the trusted core measures the CPU basic firmware. On power-on, the chip ROM first uses the ROM code to measure and verify the CPU basic firmware, and then jumps to the CPU basic firmware entry code. Because the CPU basic firmware can be upgraded, the initial image of the CPU basic firmware is also signature-verified using the on-chip public key. This verification is performed by the trusted core (the TPCM core); the computing cores wait to be woken up.
Step S402: the trusted core sets up the trusted resources (memory and I/O devices).
Step S403: the CPU basic firmware measures the trusted OS image. The trusted core executes the CPU basic firmware code, which measures the TPCM OS image and then loads and executes the TPCM OS.
Step S404: the trusted OS and the TSB are started. The TPCM OS completes the initialization of the TPCM, after which the TPCM measures the boot image of the computing environment OS.
Step S405: the TSB measures the computing environment Bootloader.
Step S406: once that measurement is complete, the TSB wakes up the computing core; the computing core loads and executes the computing environment Bootloader, and then loads and executes the computing environment OS boot image.
Step S407: the TSB measures the boot images stage by stage and allows the next stage to execute according to the measurement result, until the computing OS and the TSB agent have finished booting. The computing environment boot image is generally a multi-stage boot image (such as BIOS -> GRUB -> OS, or UBOOT -> OS); when one stage finishes and the next boot image is about to be loaded, the TPCM is notified to measure the next boot image. After the measurement is completed, the computing environment executes the next-stage boot image, until the operating system and the TSB agent have completed booting.
After receiving a measurement notification from the computing environment boot process in the previous step, the TPCM measures every link of the boot chain. The TPCM records the measurement results as evidence of how the computing environment was booted; they can also serve as the basis for secure boot control.
Step S408: the TSB agent transmits the basic information of the computing environment (code and data layout) to the TPCM; that is, the TSB agent in the computing environment OS transmits the information about the computing environment measurement objects and their status data to the TPCM.
Step S409: the TSB measures and records the basic information of the computing environment.
Step S410: dynamic measurement according to the policy and the computing environment information. After receiving the computing environment data and combining it with the trusted policy, the TPCM starts active dynamic measurement and monitors and protects the computing environment in real time. The computing environment then begins executing business processes.
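The static measurement chain of steps S401 to S407 can be written down as one procedure: every boot stage is hashed before it is allowed to run, the digest is compared with the reference value issued by the trusted security management platform, the result is appended to a measurement log that serves as boot evidence, and the chain stops at the first mismatch so the next stage (and the wake-up of the computing core) never happens. The following is an added example and not the patent's code; the stage images are constructed byte strings, the order and "who measures what" follow fig. 4, and the running hash-chain accumulator over the log is an assumption (the page only says the TPCM records the results). The on-chip signature check of the CPU basic firmware is left out because it needs a signature scheme the page does not specify.

```python
"""Static boot measurement chain (fig. 4). Added example with constructed
images; the accumulator over the log is an assumption, not from the patent."""
import hashlib

# Constructed stand-ins for the real firmware and boot images.
IMAGES = {
    "cpu_firmware": b"cpu basic firmware v1",
    "tpcm_os": b"tpcm os image v1",
    "bootloader": b"compute bootloader v1",
    "os_image": b"compute os image v1",
    "tsb_agent": b"tsb agent v1",
}

# Chain order and the party that performs each measurement (from fig. 4).
CHAIN = [
    ("cpu_firmware", "rom_code"),     # S401
    ("tpcm_os", "cpu_firmware"),      # S403
    ("bootloader", "tsb"),            # S405
    ("os_image", "tsb"),              # S406/S407
    ("tsb_agent", "tsb"),             # S407
]


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Reference library as issued by the trusted security management platform.
REFERENCE = {name: digest(img) for name, img in IMAGES.items()}


def measure_chain(images, reference, chain=CHAIN):
    """Measure each stage in order; stop at the first mismatch.

    Returns (ok, log, accumulator). `log` is the per-stage evidence the TPCM
    records; `accumulator` is a hash chain over the digests, so a single value
    summarises the whole boot (assumed design, not stated by the patent)."""
    log, acc = [], b"\x00" * 32
    for stage, measurer in chain:
        d = digest(images.get(stage, b""))
        ok = d == reference.get(stage)
        acc = hashlib.sha256(acc + bytes.fromhex(d)).digest()
        log.append({"stage": stage, "by": measurer, "digest": d, "ok": ok})
        if not ok:
            # Secure boot control: the next stage is not executed and, for the
            # bootloader stage, the computing core is never woken up.
            return False, log, acc.hex()
    return True, log, acc.hex()
```

Because a stage is only ever measured after every earlier stage has passed, the log's length alone tells an auditor how far the boot got before the chain broke.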
Based on the above trusted computing dual architecture, the dynamic measurement process performed by the trusted software base TSB on the computing component can be described as follows. Dynamic measurement is an important part of the trusted software base and an important element of trust assurance.
Through its static measurement function, the trusted software base ensures that the objects running in the system are initially trusted. On that basis, the dynamic measurement function selects a suitable measurement time for each kind of measurement object, measures the object's running state with an appropriate method, reports, according to policy and the characteristics of the object, those objects that have changed, sends the measurement result to the control mechanism, and at the same time takes a countermeasure (updating the expected value, or trusted recovery). This keeps the running state of the system trustworthy and supports the access control and trusted attestation mechanisms.
The dynamic measurement module monitors all key processes, modules, execution codes, data structures, important jump tables and the like in the system in real time, measures and controls the resource access behavior of the processes in real time, and is a core component for ensuring the safe operation of the system and preventing a safety mechanism from being bypassed and tampered. The dynamic measurement module adopts a reasonable measurement method aiming at different measurement objects, selects a proper measurement opportunity, and comprehensively measures the operation of the system to ensure the safety and credibility of the system. The dynamic measurement is the core guarantee of the system and is the key for monitoring the running state of the system, measuring the process behavior and analyzing the credibility of the system.
The operation mechanism of the dynamic measurement realizes monitoring on important nodes of the system and effectively blocks intrusion of malicious codes on the system.
Fig. 5 is a schematic diagram of a dynamic metrology framework according to an embodiment of the present invention, and fig. 6 is a general metrology scheme of dynamic metrology according to an embodiment of the present invention.
First, the policy language is edited and the control point information is configured (which operation behaviors to intercept, including opening files, reading/writing, executing programs, loading dynamic libraries, loading drivers and so on), and a dynamic measurement invocation policy is generated (including selection of the dynamic engine, selection of the specific measurement objects, etc.);
secondly, the TSB agent (which is mainly the control mechanism of the original TSB) intercepts a system call, obtains the subject/object information and the operation behavior, invokes the corresponding dynamic measurement engine and specific measurement operation according to the policy configuration (such as system process measurement, kernel module measurement, syscall_table system call table measurement, IDT interrupt descriptor table measurement, network measurement, file system measurement and kernel code segment measurement), and calls the TPCM to perform the hash operation that computes the digest of the specific measurement object, which is then compared with the reference library;
finally, the measurement result is returned to the TSB control mechanism, which integrates the measurement results to produce the final control decision.
As shown in fig. 7, the dynamic metrology module mainly includes a dynamic metrology control sub-module, a dynamic metrology engine sub-module, a dynamic metrology report sub-module, and a dynamic metrology reference library sub-module.
The measurement control sub-module comprises engine control, periodic measurement and triggered measurement. Engine control is responsible for registering measurement engines; which engines are registered depends on the emphasis of the product and the requirements of the customer. Periodic measurement checks, at the time interval set in the security policy, whether the conditions for dynamic measurement are met, and once they are it performs a digest check on the measurement objects; if an anomaly is detected, a measurement report is generated and sent to the trusted report mechanism. Triggered measurement is invoked by the TSB control mechanism, which triggers the corresponding measurement engine according to policy.
The measurement engine sub-module is the core of the dynamic measurement module. It performs triggered or periodic measurement over the list of dynamic measurement objects. It is divided into two parts. One part is dynamic: it starts a kernel thread that periodically checks the measurement period of each module and measures a module once its period has elapsed. The other part is static: it passively waits for a trigger from the TSB control mechanism, and once the TSB control mechanism issues an instruction, the trigger measurement engine invokes the appropriate measurement engine according to the policy. The measured data may be one object, a group of objects, or all measurement objects.
The dynamic measurement is divided into four categories aiming at the difference of measurement objects and measurement modes, including kernel key data structure measurement, system process measurement, kernel drive measurement and system key memory block measurement. Fig. 8 shows a core key data structure metric flow chart.
Here the measurement objects are: the IDT interrupt descriptor table and the syscall_table system call table; the key file system operation functions fs->mount and fs->kill_sb and the superblock operation table sb->s_op; the network address family entries pf->family and pf->create and the protocol family proto. Measurement timing: measurement triggered by the control mechanism, and periodic measurement controlled by policy.
As shown in fig. 8, the metric flow may include:
step S801, starting a key data structure measuring mechanism of a dynamic measuring system;
step S802, recording the key data structure content and the key operation function address of the system;
step S803, calling TPCM to calculate its reference value;
step S804, storing the reference value to a reference value base;
step S805, starting and loading a system key structure measurement engine;
step S806, the TSB control mechanism intercepts the application program system call behavior;
step S807, the TSB control mechanism calls the corresponding measurement engine according to the intercepted subject/object information;
step S808, the measurement engine calls a specific measurement operation;
step S809, calling TPCM to calculate a reference value;
step S810, comparing with a reference value in a reference library;
step S811 returns the measurement result to the TSB control mechanism.
Fig. 9 is a flow chart of system process measurement according to an embodiment of the present invention. The measurement objects are: the code segment and read-only data segment of a system process, and the shared libraries associated with the process. Measurement timing: measurement triggered by the control mechanism, and periodic measurement under policy control.
As shown in Fig. 9, the measurement flow includes:
step S901, starting the process measurement mechanism of the dynamic measurement system;
step S902, scanning the linked list of processes started by the system;
step S903, calling the TPCM to compute their reference values;
step S904, storing the reference values in the reference value library;
step S905, starting and loading the process measurement engine;
step S906, the TSB control mechanism intercepts a system call made by an application program;
step S907, starting the service that monitors dynamic library loading and unloading;
step S908, calling the TPCM to compute the reference value of a newly loaded dynamic library;
step S909, updating the reference value in the reference value library;
step S910, the TSB control mechanism calls the corresponding measurement engine according to the intercepted subject/object information;
step S911, the measurement engine invokes the specific measurement operation;
step S912, calling the TPCM to compute the current measurement value;
step S913, comparing it with the reference value in the reference library;
step S914, returning the measurement result to the TSB control mechanism.
Fig. 10 is a flow chart of kernel driver measurement according to an embodiment of the present invention. The measurement object is: the code segment of a kernel module. Measurement timing: measurement triggered by the control mechanism, and periodic measurement under policy control.
As shown in Fig. 10, the measurement flow includes:
step S1001, starting the module measurement mechanism of the dynamic measurement system;
step S1002, scanning the linked list of modules loaded by the system;
step S1003, calling the TPCM to compute their reference values;
step S1004, storing the reference values in the reference value library;
step S1005, starting the service that monitors kernel module loading and unloading, and calling the TPCM to compute the reference value of a newly loaded module;
step S1006, updating the reference value in the reference value library;
step S1007, starting the kernel measurement engine;
step S1008, the TSB control mechanism intercepts a system call made by an application program;
step S1009, the TSB control mechanism calls the corresponding measurement engine according to the intercepted subject/object information;
step S1010, the measurement engine invokes the specific measurement operation;
step S1011, calling the TPCM to compute the current measurement value;
step S1012, comparing it with the reference value in the reference library;
step S1013, returning the measurement result to the TSB control mechanism.
Fig. 11 is a flow chart of system key memory block measurement according to an embodiment of the present invention.
The measurement object is: the kernel_section memory region. Measurement timing: measurement triggered by the control mechanism, and periodic measurement under policy control.
As shown in Fig. 11, the measurement flow includes:
step S1101, starting the key memory block measurement mechanism of the dynamic measurement system;
step S1102, recording the start and end addresses of the system's key memory blocks;
step S1103, calling the TPCM to compute their reference values;
step S1104, storing the reference values in the reference value library;
step S1105, starting the system key memory block measurement engine;
step S1106, the TSB control mechanism intercepts a system call made by an application program;
step S1107, the TSB control mechanism calls the corresponding measurement engine according to the intercepted subject/object information;
step S1108, the measurement engine invokes the specific measurement operation;
step S1109, calling the TPCM to compute the current measurement value;
step S1110, comparing it with the reference value in the reference library;
step S1111, returning the measurement result to the TSB control mechanism.
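The four flows of Figs. 8 to 11 share one shape: at startup the object's address range is recorded and its reference value computed and stored; on a control-mechanism trigger or on the policy timer the object is re-measured and compared, and only the dynamic class of reference (processes started and modules loaded later) may ever be rebased by the load/unload monitor. The C code below is an added illustration of that shape written for this page; it is not code from the patent or its assignee. Every name in it (reflib_register, reflib_update_dynamic, measure_object, measure_all, run_demo), the 16-entry library, and the constructed syscall-table and module-text byte ranges are assumptions. FNV-1a stands in for the TPCM's hash purely so the example is self-contained; it is not collision-resistant and a real engine would call the TPCM's cryptographic hash.

```c
#include <stdint.h>
#include <string.h>

#define MAX_OBJECTS 16

/* Static references are fixed after boot; dynamic ones belong to processes
 * started and modules loaded later, and may be rebased by the load monitor. */
enum obj_kind { OBJ_STATIC, OBJ_DYNAMIC };
enum verdict { MEASURE_TRUSTED = 0, MEASURE_MISMATCH = 1, MEASURE_UNKNOWN = 2 };

struct ref_entry {
    char name[32];
    enum obj_kind kind;
    const uint8_t *start;   /* first address of the measured range */
    size_t len;             /* length of the range */
    uint64_t reference;     /* value recorded at startup or load time */
    int in_use;
};
static struct ref_entry ref_library[MAX_OBJECTS];

/* Stand-in for "call the TPCM to compute the value". The TPCM uses a cryptographic
 * hash; FNV-1a keeps this example self-contained but is not collision-resistant. */
static uint64_t tpcm_digest(const uint8_t *p, size_t len) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

static struct ref_entry *find_entry(const char *name) {
    for (int i = 0; i < MAX_OBJECTS; i++)
        if (ref_library[i].in_use && strcmp(ref_library[i].name, name) == 0)
            return &ref_library[i];
    return NULL;
}

/* Startup path (S802-S804, S1102-S1104): record the range and store its reference. */
int reflib_register(const char *name, enum obj_kind kind, const void *start, size_t len) {
    if (strlen(name) >= sizeof ref_library[0].name || find_entry(name)) return -1;
    for (int i = 0; i < MAX_OBJECTS; i++) {
        struct ref_entry *e = &ref_library[i];
        if (e->in_use) continue;
        strcpy(e->name, name);                  /* length was checked above */
        e->kind = kind; e->len = len;
        e->start = (const uint8_t *)start;
        e->reference = tpcm_digest(e->start, len);
        e->in_use = 1;
        return 0;
    }
    return -1;                                  /* library full */
}

/* Load-monitor path (S908-S909, S1005-S1006): only dynamic references may be
 * rebased. A static object whose bytes changed is tampering, not a reload. */
int reflib_update_dynamic(const char *name) {
    struct ref_entry *e = find_entry(name);
    if (!e || e->kind != OBJ_DYNAMIC) return -1;
    e->reference = tpcm_digest(e->start, e->len);
    return 0;
}

/* Triggered measurement (S808-S811): re-measure one object and compare. */
enum verdict measure_object(const char *name) {
    struct ref_entry *e = find_entry(name);
    if (!e) return MEASURE_UNKNOWN;
    return tpcm_digest(e->start, e->len) == e->reference ? MEASURE_TRUSTED : MEASURE_MISMATCH;
}

/* Periodic measurement: measure every registered object, return how many mismatched. */
int measure_all(void) {
    int bad = 0;
    for (int i = 0; i < MAX_OBJECTS; i++)
        if (ref_library[i].in_use && measure_object(ref_library[i].name) != MEASURE_TRUSTED) bad++;
    return bad;
}

/* Constructed sample objects standing in for a syscall table and a module's text. */
static uintptr_t fake_syscall_table[4];
static uint8_t fake_module_text[64];

/* Returns 0 if every verdict is as expected, else the number of the failing check. */
int run_demo(void) {
    const uintptr_t clean[4] = { 0x1000, 0x1040, 0x1080, 0x10c0 };
    memset(ref_library, 0, sizeof ref_library);
    memcpy(fake_syscall_table, clean, sizeof clean);
    memset(fake_module_text, 0x90, sizeof fake_module_text);
    if (reflib_register("syscall_table", OBJ_STATIC, fake_syscall_table, sizeof fake_syscall_table)) return 1;
    if (reflib_register("mod_text", OBJ_DYNAMIC, fake_module_text, sizeof fake_module_text)) return 2;
    if (measure_object("syscall_table") != MEASURE_TRUSTED) return 3;
    fake_syscall_table[1] = 0x2040;                              /* entry redirected to a hook */
    if (measure_object("syscall_table") != MEASURE_MISMATCH) return 4;
    if (reflib_update_dynamic("syscall_table") != -1) return 5;  /* static refs never rebase */
    fake_module_text[0] = 0xcc;                                  /* module legitimately reloaded */
    if (measure_object("mod_text") != MEASURE_MISMATCH) return 6;
    if (reflib_update_dynamic("mod_text") != 0) return 7;
    if (measure_object("mod_text") != MEASURE_TRUSTED) return 8;
    if (measure_all() != 1) return 9;                            /* syscall table still flagged */
    return 0;
}
```

run_demo() is the entry point to call from a main(): it registers one static and one dynamic object, shows that a redirected syscall-table entry is reported as a mismatch that cannot be rebased, and that a reloaded module is accepted again once the load monitor refreshes its dynamic reference. The name-length check in reflib_register is the kind of input filtering the reference library needs because it is fed from the computing side.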
The dynamic measurement reporting submodule comprises measurement reporting and measurement result handling. The measurement report function generates a measurement report from the periodic measurement data produced by the measurement engines and sends it to the TSB trusted reporting function for analysis; the measurement result function collates the triggered measurement results produced by the measurement engines and sends them to the control mechanism, which enforces control according to the measurement result.
The measurement reference library submodule stores static reference values and dynamic reference values separately, according to the type of measurement object. Static reference values: system call reference values, interrupt descriptor reference values, network protocol reference values, file system reference values, kernel code segment reference values, etc. Dynamic reference values: the reference values of process measurement objects started later and of kernel driver objects loaded later.
Based on the above trusted computing dual-system architecture, the interaction between the protection component and the computing component can be described as follows. The invention divides the modes of interaction between the computing environment and the TPCM into three types: commands, notifications and direct resource access.
A command is an interaction initiated by the computing environment (in practice, by the TSB agent embedded in the computing environment). Commands include the TSB agent sending host basic information to the TPCM, sending measurement notifications, issuing policies and reference values, and obtaining trusted data (status, credentials, reports, logs, etc.). A notification is an interaction initiated by the TPCM and sent to the computing environment (in practice, to the TSB agent); notifications include notifications of completion of command processing and notifications of auxiliary control. In direct resource access, the TPCM accesses the resources of the computing environment directly, without any interaction with the software layer of the computing environment. (This is realized mainly through the internal design of the CPU and is a functional mechanism of the multi-core CPU itself; it is the core support for both static and dynamic measurement.)
Fig. 12 is a schematic diagram of the interaction flow in which the computing environment sends a command to the TPCM, according to an embodiment of the present invention.
Commands are sent either synchronously or asynchronously. With synchronous sending, the sender's CPU enters a waiting state after sending the command until command processing is complete. Synchronous sending is typically used for simple commands that can be processed in an interrupt context with a very short processing time. Because the processing time is short, possibly shorter than a task switch would take, the sender CPU is not rescheduled; having it wait briefly is the more appropriate choice. With asynchronous sending, the sending CPU does not wait for command processing to complete (only for the command to be sent successfully), and can perform other tasks while the command is being processed. This approach is typically used for commands with a longer processing time and makes full use of the CPU's computing power.
As shown in Fig. 12, CPU0 represents a computing core and CPU1 represents a trusted core. The flow is as follows:
In step S1201, the TSB agent requests that a command be sent.
In step S1202, the host-side driver writes the command into the shared memory.
In step S1203, the host-side driver sends a soft interrupt to the trusted CPU.
In step S1204, the host-side driver polls the return-value flag until the return value is non-empty.
In step S1205, meanwhile, the TPCM communication driver saves the original execution context and enters the interrupt handler.
In step S1206, the TPCM driver reads the command from the shared memory and calls the command processing function. The command processing function processes a short command within the interrupt context; an asynchronous command with a long processing time is merely placed in a queue, and the driver returns immediately.
In step S1207, the TPCM driver writes the return value (from processing, or from queuing) into the shared memory and sets the return-value flag.
In step S1208, the TPCM driver restores the original task of the TPCM CPU, i.e., restores the context and continues executing. Because a new task may have been inserted into the queue, the TPCM may begin executing that new task.
In step S1209, step S1207 ends the polling by the host-side CPU, which reads the return value from the shared memory and clears the return-value flag.
In step S1210, the host-side communication driver returns the processing result to the TSB agent.
In step S1211, the TSB agent continues to execute.
Fig. 13 is a flow chart of the TPCM sending a notification to the computing environment according to an embodiment of the present invention. Notifications include notifications of completion of command processing and notifications of auxiliary control. The flow is as follows:
In step S1301, when the TSB needs the TSB agent to assist with control, or when the TSB has finished processing an asynchronous command, the TSB sends a notification to the computing environment through the TPCM communication driver.
In step S1302, the TPCM communication driver polls the notification flag until it is empty, which indicates that the previous notification has been received by the host side. The TPCM then sets the notification flag to claim the slot.
In step S1303, the TPCM communication driver writes the notification content into the shared memory area.
In step S1304, the TPCM communication driver sends an interrupt to the CPU of the computing environment.
In step S1305, the TPCM CPU continues executing the TSB's subsequent tasks.
In step S1306, meanwhile, the computing-side CPU is interrupted, saves its context, and enters the notification processing function of the computing-side driver, i.e., the interrupt handler is called.
In step S1307, the notification processing function of the computing-side communication driver reads the notification from the shared memory and clears the notification flag; from this point the TPCM-side driver may send the next notification.
In step S1308, the computing-side communication driver hands the notification to the TSB agent for processing. If it reports completion of an asynchronous command, the TSB agent wakes up the waiting process; otherwise the TSB agent calls the notification processing function.
In step S1309, the host CPU restores its context and resumes the original task. Under certain conditions the original task may be preempted.
The computing component and the TPCM communicate over a dedicated inter-core interaction channel, using interrupt notification and parameter passing through shared memory. The TPCM exposes no external service interface, so a direct attack by an attacker on a service interface is ruled out; the shared-memory channel remains the TPCM's input boundary, and the TPCM therefore strictly checks and filters the format of the input parameters. Because the TPCM's processing logic is fixed, penetration attacks that rely on parameter passing can be prevented to the greatest extent.
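The command flow of Fig. 12 and the notification flow of Fig. 13 are the two directions of one mailbox protocol: a shared region, a flag that one side sets and the other clears, and an interrupt to wake the receiver. The C code below is an added example for this page, not the patent's driver code. It models CPU0 (computing core) and CPU1 (trusted core) inside one single-threaded process, with a direct call of the other side's interrupt handler standing in for the cross-core interrupt, so the return-value poll of S1204 always finds the flag already set. The header layout, the magic value, the command numbering, the queue depth and every function name are assumptions. It also shows the format check the paragraph above describes: a command with a bad magic, an unknown id or an over-long length is rejected before anything is dispatched.

```c
#include <stdint.h>
#include <string.h>

#define CMD_MAGIC   0x54504d43u   /* header magic, assumed */
#define MAX_PAYLOAD 64
#define QUEUE_DEPTH 4

/* Command ids follow the page's command list; the numbering is assumed. */
enum cmd_id { CMD_SEND_HOST_INFO = 1, CMD_GET_STATUS = 2, CMD_ISSUE_POLICY = 3 };
enum { RET_OK = 1, RET_QUEUED = 2, RET_BAD_FORMAT = 3, RET_BUSY = 4 };
enum { NOTIFY_CMD_DONE = 1, NOTIFY_ASSIST_CONTROL = 2 };

struct command { uint32_t magic, id, len, seq; uint8_t payload[MAX_PAYLOAD]; };

/* The shared mailbox: each flag is set by one core and cleared by the other. */
struct shared_mem {
    struct command cmd;             /* host -> TPCM */
    volatile uint32_t ret_flag;     /* set by TPCM (S1207), cleared by host (S1209) */
    uint32_t ret_val;
    volatile uint32_t notify_flag;  /* set by TPCM (S1302), cleared by host (S1307) */
    uint32_t notify_kind, notify_seq;
};

static struct shared_mem shm;
static struct command async_queue[QUEUE_DEPTH];
static int q_head, q_tail, host_assist_requests;
static uint32_t host_seq, host_completed_seq;

/* TPCM side: strict format check before anything is dispatched. */
static int cmd_valid(const struct command *c) {
    return c->magic == CMD_MAGIC && c->len <= MAX_PAYLOAD &&
           c->id >= CMD_SEND_HOST_INFO && c->id <= CMD_ISSUE_POLICY;
}

/* CPU1 soft-interrupt handler (S1205-S1208): short commands finish here, the
 * long-running policy command is only queued. */
static void tpcm_soft_irq(void) {
    struct command c = shm.cmd;     /* validate a private copy, not the shared buffer */
    uint32_t ret = RET_OK;          /* status / host-info are handled in interrupt context */
    if (!cmd_valid(&c)) ret = RET_BAD_FORMAT;
    else if (c.id == CMD_ISSUE_POLICY) {
        if ((q_tail + 1) % QUEUE_DEPTH == q_head) ret = RET_BUSY;
        else { async_queue[q_tail] = c; q_tail = (q_tail + 1) % QUEUE_DEPTH; ret = RET_QUEUED; }
    }
    shm.ret_val = ret;
    shm.ret_flag = 1;               /* S1207: ends the host's polling */
}

/* CPU0 host driver (S1202-S1209): writes any command, even a malformed one. */
uint32_t host_send_raw(const struct command *c) {
    shm.cmd = *c;
    tpcm_soft_irq();                /* S1203: cross-core soft interrupt, a direct call here */
    while (!shm.ret_flag) { }       /* S1204: poll; already set in this single-threaded model */
    uint32_t ret = shm.ret_val;
    shm.ret_flag = 0;               /* S1209 */
    return ret;
}

/* CPU0 TSB agent path (S1201, S1210): builds a well-formed command. */
uint32_t host_send_command(uint32_t id, const void *payload, uint32_t len, uint32_t *seq_out) {
    struct command c;
    if (len > MAX_PAYLOAD) return RET_BAD_FORMAT;
    memset(&c, 0, sizeof c);
    c.magic = CMD_MAGIC; c.id = id; c.len = len; c.seq = ++host_seq;
    if (len) memcpy(c.payload, payload, len);
    if (seq_out) *seq_out = c.seq;
    return host_send_raw(&c);
}

/* CPU0 interrupt handler (S1306-S1309). */
static void host_irq(void) {
    uint32_t kind = shm.notify_kind, seq = shm.notify_seq;
    shm.notify_flag = 0;            /* S1307: slot free for the next notification */
    if (kind == NOTIFY_CMD_DONE) host_completed_seq = seq;          /* wake the waiter */
    else if (kind == NOTIFY_ASSIST_CONTROL) host_assist_requests++; /* run the handler */
}

/* CPU1 (S1301-S1305): returns -1 if the previous notification is still unconsumed. */
int tpcm_notify(uint32_t kind, uint32_t seq) {
    if (shm.notify_flag) return -1; /* S1302: the real driver polls here instead */
    shm.notify_flag = 1;
    shm.notify_kind = kind; shm.notify_seq = seq;   /* S1303 */
    host_irq();                     /* S1304 */
    return 0;
}

/* CPU1 background task: process queued commands, then announce each completion. */
int tpcm_run_queue(void) {
    int done = 0;
    while (q_head != q_tail && tpcm_notify(NOTIFY_CMD_DONE, async_queue[q_head].seq) == 0) {
        q_head = (q_head + 1) % QUEUE_DEPTH;
        done++;
    }
    return done;
}

uint32_t host_last_completed(void) { return host_completed_seq; }
int host_assist_count(void) { return host_assist_requests; }
```

A main() drives it by calling host_send_command() for a short command (returns RET_OK at once), for a policy command (returns RET_QUEUED), then tpcm_run_queue() to complete the queued work and deliver the completion notification that sets host_last_completed(). Two design points carry over to a real driver: the TPCM validates a private copy of the command, so a host that rewrites the mailbox while the handler runs cannot change what was checked; and there is exactly one flag per direction, so a stalled host never loses a notification, it only stalls the TPCM's notification path at S1302 until the previous one is consumed.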
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
According to another aspect of the embodiments of the present invention, a static measurement apparatus for a trusted computing platform based on a dual-system architecture is also provided, for implementing the above static measurement method. Fig. 14 is a schematic diagram of an alternative static measurement apparatus for a trusted computing platform based on a dual-system architecture. As shown in Fig. 14, the apparatus may include:
a dividing unit 1401, configured to divide the hardware resources of the computer into protection hardware resources and computing hardware resources when the computer is powered on, where the computing hardware resources can be accessed by the protection hardware resources but cannot access the protection hardware resources, the protection hardware resources are used to run a protection subsystem, and the computing hardware resources are used to run a computing subsystem;
a measurement unit 1403, configured to control the protection hardware resources to start before the computing hardware resources, and to measure the boot stages of the computing hardware resources while the computing hardware resources start the computing subsystem.
It should be noted that the dividing unit 1401 in this embodiment may be configured to execute step S102 of this embodiment, and the measurement unit 1403 may be configured to execute step S104 of this embodiment.
It should be noted here that the modules described above correspond to the examples and application scenarios implemented by the corresponding steps, but are not limited to the disclosure of the above embodiments. The modules may be implemented in software as part of the apparatus, or in hardware.
Through these modules, a dual-system architecture in which a security-isolated computing component (including the computing hardware resources) and a protection component (including the protection hardware resources) coexist is built inside the CPU (central processing unit). The computing component cannot access the resources of the protection component, while the protection component can access all resources of the computing component, and the two parts interact over a secure dedicated channel. The protection component takes the Trusted Platform Control Module (TPCM) as its core and trusted root: it is started before the processor of the computing component, performs the initial configuration of the computing component's resources and buses, accesses all resources of the host through a direct internal bus-sharing mechanism, and performs static and dynamic trusted verification and measurement. If verification passes, the computing component is allowed to start or to continue executing; otherwise an alarm is raised and control is applied, so that intrusion behaviour is actively resisted. The protection component can also generate a trusted report of the host in real time and report it to a trusted security management platform for further correlation analysis. This solves the technical problem of low computer security in the related art and achieves the technical effect of improving computer security.
Optionally, the dividing unit includes: a first dividing module, configured to divide the processor of the computer into a first processor core and a second processor core when the computer is powered on, where the hardware resources include the processor of the computer; a first measurement module, configured to measure the basic firmware of the processor using the first processor core; and a second dividing module, configured to divide the memory resources and input/output interface resources of the computer into protection hardware resources or computing hardware resources when the measurement result of the processor's basic firmware is trusted, where the protection hardware resources and the computing hardware resources comprise different memory resources and different input/output interfaces.
Optionally, the first measurement module is further configured such that the first processor core is activated by executing instructions stored in a read-only memory of the computer, and the first processor core verifies the signature of the processor's basic firmware with a verification public key.
Optionally, the measurement unit is further configured to, before the computing hardware resources start the computing subsystem, measure the protection subsystem by having the first processor core execute instructions in the processor's basic firmware; and to load and run the protection subsystem on the first processor core when the measurement result of the protection subsystem is trusted.
Optionally, the measurement unit is further configured to initialize the trusted platform control module using the protection subsystem after the protection subsystem has been loaded and run on the first processor core.
Optionally, the measurement unit is further configured to: after the trusted platform control module completes initialization, activate the second processor core of the computer's processor, where the activated second processor core is used to start the computing subsystem; and measure a plurality of boot stages of the computing subsystem using the trusted platform control module.
Optionally, when the measurement unit measures the plurality of boot stages of the computing subsystem using the trusted platform control module, it may measure the first-stage boot image currently loaded among the multi-stage boot images; load the first-stage boot image if its measurement result is trusted; measure the second-stage boot image, which is the boot image of the stage following the first-stage boot image; load the second-stage boot image if its measurement result is trusted; and, once measurement and loading of the multi-stage boot images is complete, install a trusted software base agent in the computing subsystem, where the trusted software base agent cooperates with the trusted platform control module to complete measurement during the running of the computing subsystem, and is used to acquire related information about the computer and to control the computer.
It should be noted here that the modules described above are the same as the examples and application scenarios implemented by the corresponding steps, but are not limited to the disclosure of the above embodiments. The modules may be implemented by software as part of the apparatus, or may be implemented by hardware, where the hardware environment includes a network environment.
According to another aspect of the embodiments of the present invention, a server or terminal is also provided for implementing the static measurement method of a trusted computing platform based on a dual-system architecture.
Fig. 15 is a block diagram of a terminal according to an embodiment of the present invention. As shown in Fig. 15, the terminal may include one or more processors 1501 (only one is shown), a memory 1503 and a transmission device 1505; as shown in Fig. 15, the terminal may further include an input/output device 1507.
The memory 1503 may be used to store software programs and modules, such as the program instructions/modules corresponding to the static measurement method and apparatus for a trusted computing platform based on a dual-system architecture in the embodiments of the present invention. The processor 1501 executes various functional applications and data processing by running the software programs and modules stored in the memory 1503, thereby implementing the static measurement method described above. The memory 1503 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory 1503 may further include memory located remotely from the processor 1501 and connected to the terminal over a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
The transmission device 1505 is used to receive or send data via a network, and may also be used for data transfer between the processor and the memory. Examples of the network include wired and wireless networks. In one example, the transmission device 1505 includes a network interface controller (NIC), which can be connected to a router via a network cable and other network devices to communicate with the Internet or a local area network. In another example, the transmission device 1505 is a radio frequency (RF) module used to communicate with the Internet wirelessly.
In particular, the memory 1503 is used to store application programs.
The processor 1501 may call an application program stored in the memory 1503 via the transmission device 1505 to perform the following steps:
when the computer is powered on, dividing the hardware resources of the computer into protection hardware resources and computing hardware resources, where the computing hardware resources can be accessed by the protection hardware resources but cannot access the protection hardware resources, the protection hardware resources are used to run a protection subsystem, and the computing hardware resources are used to run a computing subsystem;
controlling the protection hardware resources to start before the computing hardware resources, and measuring the boot stages of the computing hardware resources while the computing hardware resources start the computing subsystem.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments, and this embodiment is not described herein again.
It can be understood by those skilled in the art that the structure shown in fig. 15 is only an illustration, and the terminal may be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palm computer, and a Mobile Internet Device (MID), a PAD, etc. Fig. 15 is a diagram illustrating a structure of the electronic device. For example, the terminal may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in FIG. 15, or have a different configuration than shown in FIG. 15.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
Embodiments of the present invention also provide a storage medium. Optionally, in this embodiment, the storage medium may store program code for executing the static measurement method of a trusted computing platform based on a dual-system architecture.
Optionally, in this embodiment, the storage medium may be located on at least one of a plurality of network devices in a network shown in the above embodiment.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps:
when the computer is powered on, dividing the hardware resources of the computer into protection hardware resources and computing hardware resources, where the computing hardware resources can be accessed by the protection hardware resources but cannot access the protection hardware resources, the protection hardware resources are used to run a protection subsystem, and the computing hardware resources are used to run a computing subsystem;
controlling the protection hardware resources to start before the computing hardware resources, and measuring the boot stages of the computing hardware resources while the computing hardware resources start the computing subsystem.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments, and this embodiment is not described herein again.
Optionally, in this embodiment, the storage medium may include, but is not limited to: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
The integrated unit in the above embodiments, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in the above computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing one or more computer devices (which may be personal computers, servers, network devices, etc.) to execute all or part of the steps of the method according to the embodiments of the present invention.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.

Claims (10)

1. A static measurement method of a trusted computing platform based on a dual-system architecture, characterized by comprising the following steps:
when a computer is powered on, dividing hardware resources of the computer into protection hardware resources and computing hardware resources, wherein the computing hardware resources can be accessed by the protection hardware resources and cannot access the protection hardware resources, the protection hardware resources are used for running a protection subsystem, the computing hardware resources are used for running a computing subsystem, and the protection hardware resources and the computing hardware resources are hardware resources within the same processor of the computer; controlling the protection hardware resources to start before the computing hardware resources, and measuring the boot stages of the computing hardware resources while the computing hardware resources start the computing subsystem,
wherein dividing the hardware resources of the computer into protection hardware resources and computing hardware resources comprises: when the computer is powered on, dividing a processor of the computer into a first processor core and a second processor core, wherein the hardware resources comprise the processor of the computer, the processor adds a trusted bit identifier by way of a bus extension, and the trusted bit identifier indicates whether a corresponding access request belongs to the first processor core or the second processor core,
the TPCM is the protection subsystem, the TPCM comprises a TSB and a TSB agent, and the interaction between the computing environment and the TPCM comprises commands, notifications and direct resource access, wherein a command is an interaction initiated by the computing environment and comprises the TSB agent sending host basic information to the TPCM, sending a measurement notification, issuing a policy, issuing a reference value and acquiring trusted data; a notification is an interaction initiated by the TPCM and sent by the TPCM to the computing environment, and comprises a notification of completion of command processing and a notification of auxiliary control; in direct resource access the TPCM directly accesses resources of the computing environment without interaction with the software layer of the computing environment; the command sending modes comprise synchronous sending and asynchronous sending, wherein in synchronous sending the CPU (central processing unit) of the sender enters a waiting state after sending the command until the command has been processed, synchronous sending is used for simple commands, a simple command being a command with a short processing time that is completed in an interrupt context, and the sender CPU is not rescheduled; in asynchronous sending the sender CPU executes other tasks after sending the command without waiting for the command to be processed, and asynchronous sending is used for commands with a long processing time,
the command interaction process comprises the following steps:
the TSB agent requests to send the command;
the host side driver writes the command into a shared memory;
the host side driver sends a soft interrupt to the trusted CPU;
the host side driver polls a return value flag until the return value is non-empty;
the TPCM communication driver saves the original execution context and enters an interrupt processing function;
the TPCM communication driver reads the command from the shared memory and calls a command processing function, the command processing function processes a short command in the interrupt context, and the TPCM communication driver returns immediately after placing an asynchronous command into a queue;
the TPCM communication driver writes the return value obtained after processing the command, or after placing the command into the queue, into the shared memory, and sets the return value flag;
the TPCM communication driver restores the original task of the TPCM CPU, namely restores the context, and continues executing, and the TPCM starts to execute a new task in the case that a new task has been inserted into the queue;
when the polling of the host side CPU ends, the host side CPU reads the return value from the shared memory and clears the return value flag;
the host side driver returns a processing result to the TSB agent;
the TSB agent continues executing with the processing result,
the interactive process of the notification comprises the following steps:
when the TSB needs the TSB agent to assist in control or the TSB finishes processing the asynchronous command, the TSB sends the notification to the computing environment through the TPCM communication driver;
the TPCM communication driver polls a notification flag until the notification flag is empty, indicating that the previous notification has been received by the host side, and the TPCM then sets the notification flag;
the TPCM communication driver writes the notification content into a shared memory area;
the TPCM communication driver sends an interrupt to a CPU of the computing environment;
the TPCM CPU continues to execute the subsequent tasks of the TSB, while the CPU on the computing side is interrupted, saves its context and enters the computing-side driver to execute a notification processing function, wherein the notification processing function is the interrupt processing function;
the notification processing function reads the notification from the shared memory and clears the notification flag, after which the TPCM communication driver may send a subsequent notification;
the computing side driver informs the TSB agent to process the notification, and the TSB agent wakes up the waiting process if the notification is an asynchronous-command-completion notification, otherwise the TSB agent calls the notification processing function;
the host side CPU restores its context and continues to execute the original task,
the processor adds a comparison of the trusted identification bit so that the second processor core cannot acquire trusted resources, which ensures the security of the trusted resources; at the same time, a DMA device specifies a trusted access attribute when making a DMA request, and a DMA originating in the computing environment cannot access the trusted address space,
and where software or firmware needs to be upgraded, signature verification is performed, and the upgrade operation is executed only once the source and version are determined to be free of problems.
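As an added example (not the patent's own code), the following C model simulates the command and notification exchange of claim 1 in a single process: the host side writes a command into shared memory, raises a soft interrupt, and polls a return-value flag, while the TPCM side handles short commands in its interrupt handler, queues long ones, and later reports completion through a notification flag and an interrupt back to the host. The soft interrupt in each direction is modelled as a direct call into the other side's handler; the command ids, return codes and shared-memory layout are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
enum { CMD_SEND_HOST_INFO = 1, CMD_MEASURE = 2 };        /* constructed command ids */
enum { RET_NONE = 0, RET_OK, RET_QUEUED, RET_REJECTED }; /* RET_NONE is the "null" value */
enum { NOTIFY_ASYNC_DONE = 1, NOTIFY_AUX_CONTROL = 2, QUEUE_MAX = 8 };
/* Shared memory visible to both cores; a payload is always written before its flag. */
static struct {
    uint32_t cmd_id;      int cmd_is_async;    int ret_val;     volatile int ret_flag;
    uint32_t notify_kind; uint32_t notify_cmd; volatile int notify_flag;
} shm;
static uint32_t queue[QUEUE_MAX];  /* TPCM-side queue of asynchronous commands */
static int queue_len;
static uint32_t host_waiting_on;   /* async command the TSB agent process sleeps on */
static int host_woken, aux_control_calls;

/* --- trusted CPU: TPCM communication driver --- */
static int tpcm_process_short(uint32_t id) {   /* short command, run in interrupt context */
    return id == CMD_SEND_HOST_INFO ? RET_OK : RET_REJECTED;
}

/* Interrupt handler on the trusted CPU: a short command is processed here,
 * a long command is only queued so that the handler returns at once. */
static void tpcm_command_isr(void) {
    int ret;
    if (!shm.cmd_is_async)            ret = tpcm_process_short(shm.cmd_id);
    else if (queue_len < QUEUE_MAX) { queue[queue_len++] = shm.cmd_id; ret = RET_QUEUED; }
    else                              ret = RET_REJECTED;
    shm.ret_val = ret;                /* return value first ... */
    shm.ret_flag = 1;                 /* ... then the flag the host polls */
}

/* --- computing CPU: host-side driver --- */
/* Notification interrupt handler: read, clear the flag, dispatch to the TSB agent. */
static void host_notify_isr(void) {
    uint32_t kind = shm.notify_kind, cmd = shm.notify_cmd;
    shm.notify_flag = 0;              /* lets the TPCM send the next notification */
    if (kind == NOTIFY_ASYNC_DONE && cmd == host_waiting_on) {
        host_woken = 1; host_waiting_on = 0;   /* wake the waiting process */
    } else {
        aux_control_calls++;          /* auxiliary-control handler would run here */
    }
}

/* Host send: the sender's CPU spins on the return-value flag. An asynchronous
 * command returns RET_QUEUED immediately and the agent then waits for a notification. */
static int host_send_command(uint32_t id, int is_async) {
    int ret;
    shm.cmd_id = id; shm.cmd_is_async = is_async;
    tpcm_command_isr();               /* soft interrupt to the trusted CPU */
    while (shm.ret_flag == 0) { }     /* poll until the return value is non-null */
    ret = shm.ret_val; shm.ret_val = RET_NONE; shm.ret_flag = 0;
    if (ret == RET_QUEUED) host_waiting_on = id;
    return ret;
}
/* TPCM task loop step: finish one queued command, then notify the computing side. */
static int tpcm_run_queued(void) {
    uint32_t id;
    if (queue_len == 0) return 0;
    id = queue[0]; memmove(queue, queue + 1, --queue_len * sizeof id);
    while (shm.notify_flag) { }       /* previous notification not yet consumed by host */
    shm.notify_kind = NOTIFY_ASYNC_DONE; shm.notify_cmd = id; shm.notify_flag = 1;
    host_notify_isr();                /* interrupt to the computing-side CPU */
    return 1;
}
```

On real hardware the two flags would need memory barriers between the payload write and the flag write; the single-process model only needs the `volatile` qualifier to keep the polling loops honest.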
2. The method of claim 1, wherein partitioning hardware resources of the computer into guard hardware resources and compute hardware resources after partitioning a processor of the computer into a first processor core and a second processor core upon powering up the computer further comprises:
measuring, with the first processor core, a base firmware of the processor;
under the condition that the measurement result of the basic firmware of the processor is credible, dividing the memory resource and the input/output interface resource of the computer into the protection hardware resource or the computing hardware resource, wherein the protection hardware resource and the computing hardware resource comprise different memory resources and different input/output interface resources.
3. The method of claim 2, wherein measuring, with the first processor core, the base firmware of the processor comprises:
and activating the first processor core by executing an instruction stored in a read-only memory of the computer, wherein the first processor core verifies the signature of the basic firmware of the processor by using a verification public key.
4. The method of any of claims 1 to 3, wherein prior to the computing hardware resource launching the computing subsystem, the method further comprises:
performing, by a first processor core, a metric on the protection subsystem by executing instructions in a base firmware of a processor;
and loading and running the protection subsystem on the first processor core under the condition that the measurement result of the protection subsystem is credible.
5. The method of claim 4, wherein after the guard subsystem is loaded and executed on the first processor core, the method further comprises:
and initializing the trusted platform control module by utilizing the protection subsystem.
6. The method of claim 5, wherein measuring the startup phase of the computing hardware resource comprises:
after the trusted platform control module completes initialization, activating a second processor core of a processor of the computer, wherein the activated second processor core is used for starting the computing subsystem;
measuring a plurality of the boot phases of the computing subsystem with the trusted platform control module.
7. The method of claim 6, wherein a plurality of the boot phases comprises booting a multi-level boot image in a sequence, wherein measuring the plurality of boot phases of the computing subsystem with the trusted platform control module comprises:
measuring a first-stage boot image loaded currently in the multi-stage boot images;
loading and executing the first-level boot image under the condition that the measurement result of the first-level boot image is credible;
measuring a second-stage boot image in the multi-stage boot images, wherein the second-stage boot image is a next-stage boot image of the first-stage boot image;
loading and executing the second-stage boot image under the condition that the measurement result of the second-stage boot image is credible;
once the measurement and loading of the multi-stage boot images is finished, a trusted software base agent arranged in the computing subsystem cooperates with the trusted platform control module to complete measurement during the running of the computing subsystem, the trusted software base agent being used for acquiring related information of the computer and for controlling the computer.
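The measure-then-load chain of claims 6 and 7, as an added example that is not the patent's code: each stage image is measured and compared with the reference value issued to the TPCM before it is loaded, and the first untrusted stage halts the chain. FNV-1a is a constructed stand-in for the platform's real measurement hash, and the images, stage names and reference values are all constructed for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
enum { MAX_STAGES = 4, NUM_STAGES = 3 };

typedef struct {
    const char *name;
    uint8_t *image; size_t len;
    uint64_t reference;        /* reference value issued to the TPCM beforehand */
} boot_stage_t;

typedef struct {
    int stages_loaded;         /* images measured trusted and then loaded/executed */
    int failed_stage;          /* index of the first untrusted image, or -1 */
    uint64_t log[MAX_STAGES];  /* measurement log kept by the TPCM */
} boot_result_t;

/* FNV-1a 64-bit stands in for the platform's measurement hash (constructed). */
static uint64_t measure(const uint8_t *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Measure-then-load chain of claim 7: the next stage is measured only after
 * the current one was trusted and executed; the first mismatch halts boot. */
static boot_result_t tpcm_boot_chain(const boot_stage_t *s, int n) {
    boot_result_t r = { 0, -1, {0} };
    for (int i = 0; i < n && i < MAX_STAGES; i++) {
        uint64_t m = measure(s[i].image, s[i].len);
        r.log[i] = m;
        if (m != s[i].reference) { r.failed_stage = i; break; }  /* untrusted: stop here */
        r.stages_loaded++;   /* trusted: load and execute, then measure the next stage */
    }
    return r;
}

/* Constructed sample images for the boot stages of the computing subsystem. */
static uint8_t img_bl1[] = "stage-1 boot image (constructed)";
static uint8_t img_bl2[] = "stage-2 boot image (constructed)";
static uint8_t img_os[]  = "os loader image (constructed)";
static boot_stage_t stages[NUM_STAGES] = {
    { "BL1", img_bl1, sizeof img_bl1, 0 },
    { "BL2", img_bl2, sizeof img_bl2, 0 },
    { "OS",  img_os,  sizeof img_os,  0 },
};

/* Reference values are issued from the known-good images (claim 1, "issuing a reference value"). */
static void issue_references(boot_stage_t *s, int n) {
    for (int i = 0; i < n; i++) s[i].reference = measure(s[i].image, s[i].len);
}

/* Runs the chain, optionally flipping one byte of stage `tamper` first
 * (tamper < 0 leaves the images intact). Returns the index of the stage at
 * which boot stopped, or -1 when every stage was trusted. */
static int run_chain(int tamper, int *loaded) {
    issue_references(stages, NUM_STAGES);      /* references taken before any tampering */
    if (tamper >= 0) stages[tamper].image[0] ^= 0x01;
    boot_result_t r = tpcm_boot_chain(stages, NUM_STAGES);
    if (tamper >= 0) stages[tamper].image[0] ^= 0x01;   /* restore the image */
    if (loaded) *loaded = r.stages_loaded;
    return r.failed_stage;
}
```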
8. A static measurement device of a trusted computing platform based on a dual-system architecture, characterized by comprising:
a dividing unit, used for dividing hardware resources of a computer into protection hardware resources and computing hardware resources when the computer is powered on, wherein the computing hardware resources may be accessed by the protection hardware resources but cannot access the protection hardware resources, the protection hardware resources are used for running a protection subsystem, the computing hardware resources are used for running a computing subsystem, and the protection hardware resources and the computing hardware resources are hardware resources in the same processor of the computer;
a measurement unit, configured to control the protection hardware resource to be started before the computing hardware resource is started, and measure a starting stage of the computing hardware resource in a process of starting the computing subsystem by the computing hardware resource,
the dividing unit comprises a dividing module, the dividing module being used for dividing a processor of the computer into a first processor core and a second processor core when the computer is powered on, wherein the hardware resources comprise the processor of the computer, a trusted bit identifier is added to the processor by way of a bus extension, and the trusted bit identifier indicates whether a corresponding access request belongs to the first processor core or the second processor core,
the TPCM is the protection subsystem, and the TPCM comprises a TSB and a TSB agent; the interaction between the computing environment and the TPCM comprises a command, a notification and direct resource access, wherein the command is an interaction mode initiated by the computing environment and comprises the TSB agent, towards the TPCM, sending host basic information, sending a measurement notification, issuing a policy, issuing a reference value and acquiring trusted data; the notification is an interaction mode initiated by the TPCM and sent by the TPCM to the computing environment, and comprises a notification of completion of command processing and a notification of auxiliary control; direct resource access is the TPCM accessing resources of the computing environment directly, without interaction with the software layer of the computing environment; the command sending modes comprise synchronous sending and asynchronous sending, where synchronous sending is a mode in which the CPU (central processing unit) of the sender enters a waiting state after sending the command until the command has been processed, synchronous sending is used for simple commands, that is, commands with a short processing time, a synchronously sent command is completed in the interrupt context, and the CPU of the sender is not scheduled; asynchronous sending is a mode in which the CPU of the sender executes other tasks after sending the command and does not wait for the command to finish processing, and asynchronous sending is used for commands with a long processing time,
the command interaction process comprises the following steps:
the TSB agent requests to send the command; the host side driver writes the command into a shared memory; the host side driver sends a soft interrupt to the trusted CPU; the host side driver polls a return-value flag until the return value is non-null; the TPCM communication driver saves the original execution context and enters the interrupt processing function; the TPCM communication driver reads the command from the shared memory and calls a command processing function, the command processing function processes a short command in the interrupt context, and for an asynchronous command the TPCM communication driver places the command into a queue and returns immediately; the TPCM communication driver writes the return value into the shared memory after processing the command or after placing the command into the queue, and sets the return-value flag; the TPCM communication driver restores the original task, namely the context, of the TPCM CPU, which continues executing, and the TPCM begins executing a new task when one has been inserted into the queue; when polling on the host side CPU finishes, the host side CPU reads the return value from the shared memory and clears the return-value flag; the host side driver returns the processing result to the TSB agent; the TSB agent continues execution according to the processing result,
the interactive process of the notification comprises the following steps:
when the TSB needs the TSB agent to assist in control or the TSB finishes processing the asynchronous command, the TSB sends the notification to the computing environment through the TPCM communication driver; the TPCM communication driver polls a notification flag until the notification flag is empty, indicating that the previous notification has been received by the host side, and the TPCM then sets the notification flag; the TPCM communication driver writes the notification content into a shared memory area; the TPCM communication driver sends an interrupt to a CPU of the computing environment; the TPCM CPU continues to execute the subsequent tasks of the TSB, while the CPU on the computing side is interrupted, saves its context and enters the computing-side driver to execute a notification processing function, wherein the notification processing function is the interrupt processing function; the notification processing function reads the notification from the shared memory and clears the notification flag, after which the TPCM communication driver may send a subsequent notification; the computing side driver informs the TSB agent to process the notification, and the TSB agent wakes up the waiting process if the notification is an asynchronous-command-completion notification, otherwise the TSB agent calls the notification processing function; the host side CPU restores its context and continues to execute the original task,
the static measurement device is used for comparing the trusted identification bit added to the processor so that the second processor core cannot acquire trusted resources, ensuring the security of the trusted resources; at the same time, when a DMA (direct memory access) device makes a DMA request, the DMA device specifies a trusted access attribute, and a DMA originating in the computing environment cannot access the trusted address space,
the static measurement device is also used for signature verification where software or firmware needs to be upgraded, and for executing the upgrade operation only once the source and version are determined to be free of problems.
9. A storage medium, characterized in that the storage medium comprises a stored program, wherein the program when executed performs the method of any of the preceding claims 1 to 7.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor executes the method of any of the preceding claims 1 to 7 by means of the computer program.
CN201910611598.0A 2019-07-08 2019-07-08 Static measurement method and device of trusted computing platform based on dual-system architecture Active CN110334512B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910611598.0A CN110334512B (en) 2019-07-08 2019-07-08 Static measurement method and device of trusted computing platform based on dual-system architecture

Publications (2)

Publication Number Publication Date
CN110334512A CN110334512A (en) 2019-10-15
CN110334512B true CN110334512B (en) 2021-07-27

Family

ID=68144746

Country Status (1)

Country Link
CN (1) CN110334512B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant