CN110990840A - Method and device for starting equipment - Google Patents
Method and device for starting equipment Download PDFInfo
- Publication number
- CN110990840A CN110990840A CN201911157556.0A CN201911157556A CN110990840A CN 110990840 A CN110990840 A CN 110990840A CN 201911157556 A CN201911157556 A CN 201911157556A CN 110990840 A CN110990840 A CN 110990840A
- Authority
- CN
- China
- Prior art keywords
- data
- hash value
- changed
- external storage
- storage device
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Links
- 238000000034 method Methods 0.000 title claims abstract description 83
- 230000008569 process Effects 0.000 claims abstract description 30
- 238000012360 testing method Methods 0.000 claims abstract description 11
- 238000012795 verification Methods 0.000 claims description 53
- 238000004590 computer program Methods 0.000 claims description 6
- 230000010365 information processing Effects 0.000 claims description 5
- 239000007787 solid Substances 0.000 description 7
- 230000002093 peripheral effect Effects 0.000 description 5
- 230000008859 change Effects 0.000 description 4
- 230000006870 function Effects 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 3
- 238000004891 communication Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 238000013500 data storage Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000007723 transport mechanism Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/572—Secure firmware programming, e.g. of basic input output system [BIOS]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Stored Programmes (AREA)
Abstract
The embodiment of the invention discloses a method and a device for starting up equipment, wherein the method comprises the following steps: when the device is started, judging whether the starting-up data is changed or not in the process of executing power-on self-test POST by a basic input and output system BIOS; and when the boot data is not changed, continuing to execute the boot program of the equipment. Therefore, the starting safety of the equipment can be improved.
Description
Technical Field
The embodiment of the invention relates to a Basic Input Output System (BIOS) starting technology, in particular to a method and a device for starting up a device.
Background
At present, when a computer device is started, a BIOS firmware is generally used to complete the start of an operating system. Therefore, the security verification process of the computer equipment in the starting process is not enough, once a hacker invades the computer equipment, the starting program can be normally executed, and the risk of information leakage exists.
Disclosure of Invention
In view of this, an embodiment of the present invention provides a method for booting a device, including:
when the device is started, judging whether the starting-up data is changed or not in the process of executing power-on self-test POST by a basic input and output system BIOS;
and when the boot data is not changed, continuing to execute the boot program of the equipment.
The embodiment of the invention also provides a device for starting up equipment, which comprises:
the judgment unit is used for judging whether the startup data is changed or not in the process that the BIOS executes the power-on self-test POST when the equipment is started;
and the control unit is used for continuously executing the starting program of the equipment when the starting data is not changed.
The embodiment of the invention also provides a device for starting up equipment, which comprises: the device comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein when the computer program is executed by the processor, the method for starting the device is realized.
The embodiment of the invention also provides a computer readable storage medium, wherein an information processing program is stored on the computer readable storage medium, and the information processing program realizes the steps of the method for starting the equipment when being executed by the processor.
The technical scheme provided by the embodiment of the invention can improve the starting safety of the equipment.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the application. Other advantages of the application may be realized and attained by the instrumentalities and combinations particularly pointed out in the specification, claims, and drawings.
Drawings
The accompanying drawings are included to provide an understanding of the present disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the examples serve to explain the principles of the disclosure and not to limit the disclosure.
Fig. 1 is a flowchart illustrating a method for booting a device according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating a method for booting a device according to another embodiment of the present invention;
fig. 3 is a flowchart illustrating a method for booting a device according to another embodiment of the present invention;
fig. 4 is a flowchart illustrating a method for booting a device according to another embodiment of the present invention;
fig. 5 is a flowchart illustrating a method for booting a device according to another embodiment of the present invention;
fig. 6 is a flowchart illustrating a method for booting a device according to another embodiment of the present invention;
fig. 7 is a schematic structural diagram of an apparatus for booting a device according to an embodiment of the present invention.
Detailed Description
The present application describes embodiments, but the description is illustrative rather than limiting and it will be apparent to those of ordinary skill in the art that many more embodiments and implementations are possible within the scope of the embodiments described herein. Although many possible combinations of features are shown in the drawings and discussed in the detailed description, many other combinations of the disclosed features are possible. Any feature or element of any embodiment may be used in combination with or instead of any other feature or element in any other embodiment, unless expressly limited otherwise.
The present application includes and contemplates combinations of features and elements known to those of ordinary skill in the art. The embodiments, features and elements disclosed in this application may also be combined with any conventional features or elements to form a unique inventive concept as defined by the claims. Any feature or element of any embodiment may also be combined with features or elements from other inventive aspects to form yet another unique inventive aspect, as defined by the claims. Thus, it should be understood that any of the features shown and/or discussed in this application may be implemented alone or in any suitable combination. Accordingly, the embodiments are not limited except as by the appended claims and their equivalents. Furthermore, various modifications and changes may be made within the scope of the appended claims.
Further, in describing representative embodiments, the specification may have presented the method and/or process as a particular sequence of steps. However, to the extent that the method or process does not rely on the particular order of steps set forth herein, the method or process should not be limited to the particular sequence of steps described. Other orders of steps are possible as will be understood by those of ordinary skill in the art. Therefore, the particular order of the steps set forth in the specification should not be construed as limitations on the claims. Further, the claims directed to the method and/or process should not be limited to the performance of their steps in the order written, and one skilled in the art can readily appreciate that the sequences may be varied and still remain within the spirit and scope of the embodiments of the present application.
Fig. 1 is a schematic flowchart of a method for booting a device according to an embodiment of the present invention, as shown in fig. 1, the method includes:
101, when the device is started, judging whether starting data is changed or not in the process of executing power-on self-test POST by a basic input output system BIOS;
and step 102, when the boot data is not changed, continuing to execute the boot program of the equipment.
Wherein, the judging whether the boot data is changed comprises:
calculating a first hash value of the boot data by using a hash algorithm;
comparing whether the first hash value is the same as the security verification information stored in the external storage;
when the starting data are different, judging that the starting data are changed;
if so, judging that the starting-up data is not changed;
the security verification information is a hash value obtained by calculating original boot data by using the hash algorithm in advance.
Wherein the boot data comprises at least one of:
data in the BIOS firmware, data in a storage device that holds the operating system.
When the boot data includes data in the BIOS firmware, determining whether the data in the BIOS firmware is modified, including:
calculating a first hash value of data in the BIOS firmware using a hash algorithm;
comparing whether the first hash value is the same as a second hash value stored in an external storage;
when the BIOS firmware is different from the BIOS firmware, judging that the data in the BIOS firmware is changed;
if so, judging that the data in the BIOS firmware is not changed;
the second hash value is obtained by calculating original data in the BIOS firmware by using the hash algorithm in advance;
when the boot-up data includes data in the storage device, determining whether the data in the storage device is changed, including:
calculating a third hash value of the data in the storage device using a hash algorithm;
comparing whether the third hash value is the same as a fourth hash value stored in an external storage;
when the data in the storage device is different from the data in the storage device, judging that the data in the storage device is changed;
when the data in the storage device is the same, judging that the data in the storage device is not changed;
and the fourth hash value is a hash value obtained by calculating the original data in the storage device in advance by using the hash algorithm.
When the second hash value is stored in the external storage after being encrypted by the encryption and decryption algorithm, the comparing whether the first hash value is the same as the second hash value stored in the external storage includes:
decrypting the second hash value using the encryption and decryption algorithm;
comparing whether the first hash value is the same as the decrypted second hash value;
when the fourth hash value is stored in the external storage after being encrypted by the encryption and decryption algorithm, the comparing whether the third hash value is the same as the fourth hash value stored in the external storage includes:
decrypting the fourth hash value using the encryption and decryption algorithm;
and comparing whether the third hash value is the same as the decrypted fourth hash value.
Before determining whether the boot data is changed, the method further includes:
checking whether the storage device and an external storage holding security authentication information are connected to the device;
checking whether security authentication information exists in the external storage when the storage device and the external storage are connected to the device;
and judging whether the boot data is changed or not when the security verification information exists.
Wherein, the method also comprises:
when the boot data is changed, or when the storage device or the external storage is not connected to the device, or when no security verification information exists in the external storage, the execution of the boot program of the device is stopped.
Wherein, the method also comprises:
when the boot data is changed, or when the storage device or the external storage is not connected to the device, or when no security verification information exists in the external storage, displaying corresponding error information on a screen of the device.
The technical scheme provided by the embodiment of the invention can improve the starting safety of the equipment.
Fig. 2 is a flowchart illustrating a method for booting a device according to another embodiment of the present invention, as shown in fig. 2, the method includes:
the storage device may be any storage device for storing an operating system, for example, a Non-Volatile Memory host controller interface specification (NVMe SSD), a Solid state disk (NVMe SSD), and the like.
The external storage may be any existing storage device, such as a USB mass storage (USB mass storage), etc.
When the storage device or the external storage is not connected to the device, the execution of the boot program of the device is stopped, and corresponding error information can be displayed on the screen of the device.
When the storage device and the external storage are connected to the device, executing step 202; when the storage device or external storage is not connected to the device, step 205 is performed.
the external storage is used for pre-storing the security verification information, and the security verification information is a hash value obtained by pre-calculating original boot data by using the hash algorithm.
Specifically, the security verification information includes a second hash value and/or a fourth hash value;
the second hash value is obtained by calculating original data in the BIOS firmware in advance by using a hash algorithm; the fourth hash value is a hash value obtained by calculating the original data in the storage device in advance by using a hash algorithm.
When the boot data comprises data in BIOS firmware, the security verification information comprises a second hash value; when the boot data comprises data in a storage device for storing an operating system, the security verification information comprises a fourth hash value; when the boot data includes data in the BIOS firmware and data in a storage device storing an operating system, the security verification information includes a second hash value and a fourth hash value.
Specifically, the security verification information may be stored in a form of a security verification file, for example, the second hash value is stored in an external storage in a form of a BIOS encryption file, and the BIOS encryption file may be stored after being encrypted by a private key through an encryption and decryption algorithm; when the storage device is an NVMe SSD, the fourth hash value is stored in an external storage in an NVMeencryptes file form, and the NVMe encryptes file can be stored after being encrypted by a private key through an encryption and decryption algorithm.
Specifically, the Hash algorithm may be any existing Hash algorithm, such as secure Hash algorithm sha (secure Hash algorithm), etc.
In particular, the encryption and decryption algorithm may be any one of the existing encryption and decryption algorithms, such as the RSA algorithm and the like.
When the security verification information exists in the external storage, step 203 is executed, and when the security verification information exists in the external storage, step 205 is executed.
wherein, the judging whether the boot data is changed comprises:
calculating a first hash value of the boot data by using a hash algorithm;
comparing whether the first hash value is the same as the security verification information stored in the external storage;
when the starting data are different, judging that the starting data are changed;
if so, judging that the starting-up data is not changed;
the security verification information is a hash value obtained by calculating original boot data by using the hash algorithm in advance.
The original boot data is only boot data that has not been altered.
Wherein the boot data comprises at least one of:
data in the BIOS firmware, data in a storage device that holds the operating system.
Specifically, the data in the BIOS firmware may be data in any storage device that stores the BIOS firmware, for example, data in a serial peripheral interface read only memory SPI ROM.
The data in the storage device for storing the operating system may be data in any storage device for storing the operating system, for example, data in a non-volatile memory host controller interface specification (NVMe SSD) solid state disk.
When the boot data includes data in the BIOS firmware, determining whether the data in the BIOS firmware is changed, including:
calculating a first hash value of data in the BIOS firmware using a hash algorithm;
comparing whether the first hash value is the same as a second hash value stored in an external storage;
when the BIOS firmware is different from the BIOS firmware, judging that the data in the BIOS firmware is changed;
if so, judging that the data in the BIOS firmware is not changed;
the second hash value is a hash value obtained by calculating original data in the BIOS firmware in advance by using the hash algorithm.
When the boot-up data comprises data in the storage device, judging whether the data in the storage device is changed or not, wherein the judging comprises the following steps:
calculating a third hash value of the data in the storage device using a hash algorithm;
comparing whether the third hash value is the same as a fourth hash value stored in an external storage;
when the data in the storage device is different from the data in the storage device, judging that the data in the storage device is changed;
when the data in the storage device is the same, judging that the data in the storage device is not changed;
and the fourth hash value is a hash value obtained by calculating the original data in the storage device in advance by using the hash algorithm.
The hash value obtained by the raw data in the BIOS firmware may be calculated in advance using the hash algorithm and stored in the external storage, and the hash value obtained by the raw data in the storage device may be calculated in advance using the hash algorithm and stored in the external storage.
When the second hash value is stored in an external storage after being encrypted by a private key of an encryption and decryption algorithm, the comparing whether the first hash value is the same as the second hash value stored in the external storage includes:
performing public key decryption on the second hash value by using the encryption and decryption algorithm;
comparing whether the first hash value is the same as the decrypted second hash value;
when the fourth hash value is stored in an external storage after being encrypted by a private key of an encryption and decryption algorithm, the comparing whether the third hash value is the same as the fourth hash value stored in the external storage includes:
performing public key decryption on the fourth hash value by using the encryption and decryption algorithm;
and comparing whether the third hash value is the same as the decrypted fourth hash value.
The hash value obtained by computing the original data in the BIOS firmware by using the hash algorithm may be stored in an external storage after private key encryption is performed on the hash value by using the encryption and decryption algorithm, and the hash value obtained by computing the original data in the storage device by using the hash algorithm may be stored in the external storage after private key encryption is performed on the hash value by using the encryption and decryption algorithm.
When the boot data is not changed, step 204 is executed, and when the boot data is changed, step 205 is executed.
When the boot data comprises data in the BIOS firmware, the boot data is not changed into the data in the BIOS firmware; the boot data is changed to the data in the BIOS firmware;
when the boot data comprises data in a storage device of a storage operating system, the boot data is not changed into data in the storage device of the storage operating system; the boot data is changed into the data in the storage device for storing the operating system;
when the boot data includes data in the BIOS firmware and data in a storage device storing an operating system, the boot data is changed to data in the BIOS firmware or data in the storage device storing the operating system is changed.
wherein the continuing to execute the boot program of the device comprises: and continuously executing the POST process, the subsequent bootstrap program and other processes to finally finish starting the operating system in the storage device.
In this step, the execution of the boot program of the device is stopped, and simultaneously, the corresponding error information can be displayed on the screen of the device.
For example, when the storage device or the external storage is not connected to the device, it may be displayed that the storage device or the external storage is not present. When the security authentication information exists inside the external storage, it may be displayed that the security authentication information does not exist. When the boot data is altered, the boot data storage error may be displayed. And so on.
According to the technical scheme provided by the embodiment of the invention, the Hash algorithm is utilized to verify whether the data in the BIOS firmware and/or the data in the storage device for storing the operating system are changed or not, so that the starting safety can be improved in the starting process, and the information leakage caused by starting can be avoided after the data are changed (such as hacker intrusion); and once the data is changed, the system user can immediately be made aware of the data change.
According to the embodiment of the invention, the method can be completed only by adding external storage and modifying BIOS firmware, and the cost is low. And the data in the external storage can be encrypted by using an encryption and decryption algorithm, so that the security of the data in the external storage can be ensured.
Fig. 3 is a flowchart illustrating a method for booting a device according to another embodiment of the present invention, as shown in fig. 3, the method includes:
the external storage may be any existing storage device, such as a USB mass storage (USB mass storage).
When the external storage is not connected with the equipment, the starting program of the equipment is stopped being executed, and corresponding error information can be displayed on the screen of the equipment.
When the external storage is connected to the device, executing step 302; when the external storage is not connected to the device, step 305 is performed.
the external storage is used for pre-storing the security verification information, and the security verification information comprises a second hash value;
the second hash value is obtained by calculating original data in the BIOS firmware in advance by using a hash algorithm.
Specifically, the security verification information may be stored in a form of a security verification file, for example, the second hash value may be stored in an external storage in a form of a BIOS encryption file, and the BIOS encryption file may be stored after being encrypted by a private key through an encryption and decryption algorithm.
Specifically, the Hash algorithm may be any existing Hash algorithm, such as secure Hash algorithm sha (secure Hash algorithm), etc.
In particular, the encryption and decryption algorithm may be any one of the existing encryption and decryption algorithms, such as the RSA algorithm and the like.
When the security authentication information exists in the external storage, step 303 is executed, and when the security authentication information exists in the external storage, step 305 is executed.
specifically, the data in the BIOS firmware may be data in any storage device that stores the BIOS firmware, for example, data in a serial peripheral interface read only memory SPI ROM.
When the boot data includes data in the BIOS firmware, determining whether the data in the BIOS firmware is changed, including:
calculating a first hash value of data in the BIOS firmware using a hash algorithm;
comparing whether the first hash value is the same as a second hash value stored in an external storage;
when the BIOS firmware is different from the BIOS firmware, judging that the data in the BIOS firmware is changed;
if so, judging that the data in the BIOS firmware is not changed;
the second hash value is a hash value obtained by calculating original data in the BIOS firmware in advance by using the hash algorithm.
The hash value obtained by calculating the raw data in the BIOS firmware using the hash algorithm may be stored in an external storage in advance.
When the second hash value is stored in an external storage after being encrypted by a private key of an encryption and decryption algorithm, the comparing whether the first hash value is the same as the second hash value stored in the external storage includes:
performing public key decryption on the second hash value by using the encryption and decryption algorithm;
and comparing whether the first hash value is the same as the decrypted second hash value.
The hash value obtained by calculating the original data in the BIOS firmware by using the hash algorithm may be obtained in advance, and then the encryption and decryption algorithm is used to encrypt the hash value by using a private key and store the encrypted hash value in an external storage.
When the data in the BIOS firmware is not changed, step 304 is performed, and when the data in the BIOS firmware is changed, step 305 is performed.
wherein the continuing to execute the boot program of the device comprises: and continuously executing the POST process, the subsequent bootstrap program and other processes to finally finish starting the operating system in the storage device.
In this step, the execution of the boot program of the device is stopped, and simultaneously, the corresponding error information can be displayed on the screen of the device.
For example, a data error in the BIOS firmware may be displayed. And so on.
According to the technical scheme provided by the embodiment of the invention, whether the data in the BIOS firmware is changed or not is verified by utilizing the Hash algorithm, so that the starting safety can be improved in the starting process, and the information leakage caused by starting can be avoided after the data is changed (such as hacker intrusion); and once the data is changed, the system user can immediately be made aware of the data change.
According to the embodiment of the invention, the method can be completed only by adding external storage and modifying BIOS firmware, and the cost is low. And the data in the external storage can be encrypted by using an encryption and decryption algorithm, so that the security of the data in the external storage can be ensured.
Fig. 4 is a flowchart illustrating a method for booting a device according to another embodiment of the present invention, as shown in fig. 4, the method includes:
the storage device may be any storage device for storing an operating system, for example, a Non-Volatile Memory host controller interface specification (NVMe SSD), a Solid state disk (NVMe SSD), and the like.
The external storage may be any existing storage device, such as a USB mass storage (USB mass storage), etc.
When the storage device or the external storage is not connected to the device, the execution of the boot program of the device is stopped, and corresponding error information can be displayed on the screen of the device.
When the storage device and external storage are connected to the device, performing step 402; when the storage device or external storage is not connected to the device, step 405 is performed.
the external storage is used for pre-storing the security verification information, and the security verification information comprises a fourth hash value;
the fourth hash value is a hash value obtained by calculating the original data in the storage device in advance by using a hash algorithm.
Specifically, the security authentication information may be stored in a form of a security authentication file, for example, when the storage device is an NVMe SSD, the fourth hash value is stored in an external storage in a form of an NVMe encryption file, and the NVMe encryption file may be stored after being encrypted by a private key through an encryption and decryption algorithm.
Specifically, the Hash algorithm may be any existing Hash algorithm, such as secure Hash algorithm sha (secure Hash algorithm), etc.
In particular, the encryption and decryption algorithm may be any one of the existing encryption and decryption algorithms, such as the RSA algorithm and the like.
When the security verification information exists in the external storage, step 403 is executed, and when the security verification information exists in the external storage, step 405 is executed.
specifically, the data in the storage device storing the operating system may be data in any storage device storing the operating system, for example, data in a non-volatile memory host controller interface specification (NVMe SSD) solid state disk.
When the boot-up data comprises data in the storage device, judging whether the data in the storage device is changed or not, wherein the judging comprises the following steps:
calculating a third hash value of the data in the storage device using a hash algorithm;
comparing whether the third hash value is the same as a fourth hash value stored in an external storage;
when the data in the storage device is different from the data in the storage device, judging that the data in the storage device is changed;
when the data in the storage device is the same, judging that the data in the storage device is not changed;
and the fourth hash value is a hash value obtained by calculating the original data in the storage device in advance by using the hash algorithm.
Wherein, the hash value obtained by the raw data in the storage device can be calculated in advance by using the hash algorithm and stored in the external storage.
When the fourth hash value is stored in an external storage after being encrypted by a private key of an encryption and decryption algorithm, the comparing whether the third hash value is the same as the fourth hash value stored in the external storage includes:
performing public key decryption on the fourth hash value by using the encryption and decryption algorithm;
and comparing whether the third hash value is the same as the decrypted fourth hash value.
The hash value obtained by calculating the original data in the storage device by using the hash algorithm in advance can be stored in an external storage after the private key encryption is carried out on the hash value by using the encryption and decryption algorithm.
When the data in the storage device has not been changed, step 404 is performed, and when the data in the storage device has been changed, step 405 is performed.
wherein the continuing to execute the boot program of the device comprises: and continuously executing the POST process, the subsequent bootstrap program and other processes to finally finish starting the operating system in the storage device.
In this step, the execution of the boot program of the device is stopped, and simultaneously, the corresponding error information can be displayed on the screen of the device.
For example, a data error in the storage device may be displayed.
According to the technical scheme provided by the embodiment of the invention, the Hash algorithm is utilized to verify whether the data in the storage equipment for storing the operating system is changed or not, so that the starting safety can be improved in the starting process, and the information leakage caused by starting can be avoided after the data is changed (such as hacker intrusion); and once the data is changed, the system user can immediately be made aware of the data change.
According to the embodiment of the invention, the method can be completed only by adding external storage and modifying BIOS firmware, and the cost is low. And the data in the external storage can be encrypted by using an encryption and decryption algorithm, so that the security of the data in the external storage can be ensured.
Fig. 5 is a flowchart illustrating a method for booting a device according to another embodiment of the present invention, as shown in fig. 5, the method includes:
the storage device may be any storage device for storing an operating system, for example, a Non-Volatile Memory host controller interface specification (NVMe SSD), a Solid state disk (NVMe SSD), and the like.
The external storage may be any existing storage device, such as a USB mass storage (USB mass storage), etc.
When the storage device or the external storage is not connected to the device, the execution of the boot program of the device is stopped, and corresponding error information can be displayed on the screen of the device.
When the storage device and external storage are connected to the device, perform step 502; when the storage device or external storage is not connected to the device, step 505 is performed.
the external storage is used for pre-storing the security verification information, and the security verification information comprises a second hash value and a fourth hash value;
the second hash value is obtained by calculating original data in the BIOS firmware in advance by using a hash algorithm; the fourth hash value is a hash value obtained by calculating the original data in the storage device in advance by using a hash algorithm.
Specifically, the security verification information may be stored in a form of a security verification file, for example, the second hash value is stored in an external storage in a form of a BIOS encryption file, and the BIOS encryption file may be stored after being encrypted by a private key through an encryption and decryption algorithm; when the storage device is an NVMe SSD, the fourth hash value is stored in an external storage in an NVMeencryptes file form, and the NVMe encryptes file can be stored after being encrypted by a private key through an encryption and decryption algorithm.
Specifically, the Hash algorithm may be any existing Hash algorithm, such as secure Hash algorithm sha (secure Hash algorithm), etc.
In particular, the encryption and decryption algorithm may be any one of the existing encryption and decryption algorithms, such as the RSA algorithm and the like.
When the security verification information exists in the external storage, step 503 is executed, and when the security verification information exists in the external storage, step 505 is executed.
specifically, the data in the BIOS firmware may be data in any storage device that stores the BIOS firmware, for example, data in a serial peripheral interface read only memory SPI ROM.
The data in the storage device for storing the operating system may be data in any storage device for storing the operating system, for example, data in a non-volatile memory host controller interface specification (NVMe SSD) solid state disk.
When the boot data includes data in the BIOS firmware, determining whether the data in the BIOS firmware is changed, including:
calculating a first hash value of data in the BIOS firmware using a hash algorithm;
comparing whether the first hash value is the same as a second hash value stored in an external storage;
when the BIOS firmware is different from the BIOS firmware, judging that the data in the BIOS firmware is changed;
if so, judging that the data in the BIOS firmware is not changed;
the second hash value is a hash value obtained by calculating original data in the BIOS firmware in advance by using the hash algorithm.
When the boot-up data comprises data in the storage device, judging whether the data in the storage device is changed or not, wherein the judging comprises the following steps:
calculating a third hash value of the data in the storage device using a hash algorithm;
comparing whether the third hash value is the same as a fourth hash value stored in an external storage;
when the data in the storage device is different from the data in the storage device, judging that the data in the storage device is changed;
when the data in the storage device is the same, judging that the data in the storage device is not changed;
and the fourth hash value is a hash value obtained by calculating the original data in the storage device in advance by using the hash algorithm.
The hash value obtained by the raw data in the BIOS firmware may be calculated in advance using the hash algorithm and stored in the external storage, and the hash value obtained by the raw data in the storage device may be calculated in advance using the hash algorithm and stored in the external storage.
When the second hash value is stored in an external storage after being encrypted by a private key of an encryption and decryption algorithm, the comparing whether the first hash value is the same as the second hash value stored in the external storage includes:
performing public key decryption on the second hash value by using the encryption and decryption algorithm;
comparing whether the first hash value is the same as the decrypted second hash value;
when the fourth hash value is stored in an external storage after being encrypted by a private key of an encryption and decryption algorithm, the comparing whether the third hash value is the same as the fourth hash value stored in the external storage includes:
performing public key decryption on the fourth hash value by using the encryption and decryption algorithm;
and comparing whether the third hash value is the same as the decrypted fourth hash value.
The hash value obtained by computing the original data in the BIOS firmware by using the hash algorithm may be stored in an external storage after private key encryption is performed on the hash value by using the encryption and decryption algorithm, and the hash value obtained by computing the original data in the storage device by using the hash algorithm may be stored in the external storage after private key encryption is performed on the hash value by using the encryption and decryption algorithm.
When the data in the BIOS firmware and the data in the storage device storing the operating system are not changed, step 504 is performed, and when the data in the BIOS firmware or the data in the storage device storing the operating system are changed, step 505 is performed.
wherein the continuing to execute the boot program of the device comprises: and continuously executing the POST process, the subsequent bootstrap program and other processes to finally finish starting the operating system in the storage device.
In this step, the execution of the boot program of the device is stopped, and simultaneously, the corresponding error information can be displayed on the screen of the device.
For example, when data in the BIOS firmware or data in a storage device that stores an operating system is changed, a data error in the BIOS firmware or data in a storage device that stores an operating system may be displayed.
According to the technical scheme provided by the embodiment of the invention, the Hash algorithm is utilized to verify whether the data in the BIOS firmware and/or the data in the storage device for storing the operating system are changed or not, so that the starting safety can be improved in the starting process, and the information leakage caused by starting can be avoided after the data are changed (such as hacker intrusion); and once the data is changed, the system user can immediately be made aware of the data change.
According to the embodiment of the invention, the method can be completed only by adding external storage and modifying BIOS firmware, and the cost is low. And the data in the external storage can be encrypted by using an encryption and decryption algorithm, so that the security of the data in the external storage can be ensured.
Fig. 6 is a flowchart illustrating a method for booting a device according to another embodiment of the present invention.
The embodiment is applied to the BIOS POST startup program of the x86 operating system.
In this embodiment, the BIOS firmware is stored in a serial peripheral Interface Read Only Memory SPI ROM (serial peripheral Interface Read-Only Memory), and the x86 operating system is stored in a non-volatile Memory host controller Interface specification solid state disk NVMe SSD.
In this embodiment, the hash algorithm uses the SHA256 algorithm, and the encryption and decryption algorithm uses the RSA algorithm.
In this embodiment, the external storage is a USB mass storage.
As shown in fig. 6, the method includes:
when neither the NVMe SSD nor the USB mass storage is connected to the computer, step 606 is executed, and when both the NVMe SSD and the USB mass storage are connected to the computer, step 602 is executed.
before the boot, the security verification files BIOSencrypt file and NVMe encrypt file may be stored in the USB mass storage in advance.
The method comprises the steps of calculating original data in the BIOS SPI ROM by using an SHA256 algorithm in advance to obtain a second SHA value, encrypting the second SHA value by using an RSA encryption algorithm through a private key, and storing the second SHA value in a USB mass storage in the form of a BIOS encryption file.
The method comprises the steps of calculating original data in the NVMe SSD by using an SHA256 algorithm in advance to obtain a fourth SHA value, carrying out private key encryption on the fourth SHA value by using an RSA encryption algorithm, storing the fourth SHA value in a USB mass storage in an NVMe encryption file form, and then decrypting the fourth SHA value by using a public key to achieve the function of digital signature.
Specifically, the USB mass storage stores two files, one is a file obtained by the SHA256 calculating the output generated by the BIOS spool and encrypting with the RSA key, and the other is a file obtained by the SHA256 calculating the output generated by the NVMe SSD and encrypting with the RSA key.
The original data refers to data when the BIOS SPI ROM or the NVMe SSD is not changed.
When neither the BIOS encryption file nor the NVMe encryption file exists, step 606 is executed, and when both the BIOS encryption file and the NVMe encryption file exist, step 603 is executed.
when the first SHA value and the second SHA value are the same, step 604 is executed, and when the first SHA value and the second SHA value are not the same, step 606 is executed.
when the third SHA value is the same as the fourth SHA value, step 605 is executed, and when the third SHA value is not the same as the fourth SHA value, step 606 is executed.
Specifically, the BIOS encryption file and NVMe encryption file are decrypted by using RSA public key.
in this step, the system completes the boot program and can boot to the x86 operating system of the NVMe SSD.
In this step, when the boot program is forcibly stopped, the corresponding error information may be displayed on the computer screen. For example, when either the NVMe SSD or the USB mass storage is not connected to the computer, it is displayed that the NVMe SSD or the USB mass storage is not present. And when the BIOS encryption file or the NVMe encryption file does not exist, displaying that the BIOS encryption file or the NVMe encryption file does not exist. And when the first SHA value is different from the second SHA value, displaying data errors in the BIOS SPI ROM. When the third and fourth SHA values are not the same, displaying a data error in the NVMe SSD.
According to the technical scheme provided by the embodiment, in a BIOS POST boot program of an x86 operating system, the cooperation of the SHA256 secure hash algorithm and the RSA asymmetric encryption algorithm is applied, and meanwhile, data in BIOS firmware and storage equipment (NVMe SSD) are verified, so that the security and the correctness of boot data can be ensured, and the risk of information leakage caused by the fact that a hacker can normally execute the boot program of an x86 system after invading the data is avoided.
According to the technical scheme provided by the embodiment, before the operating system is not entered, as long as the data in the BIOS SPI ROM or the NVMeSSD is changed, the boot program of the x86 system is immediately stopped, and the functions of reminding and preventing hackers can be achieved. In addition, by displaying error information, the user can confirm the system to check the reason for the changed data.
Fig. 7 is a schematic structural diagram of an apparatus for booting a device according to an embodiment of the present invention. As shown in fig. 7, the apparatus includes:
the judgment unit is used for judging whether the startup data is changed or not in the process that the BIOS executes the power-on self-test POST when the equipment is started;
and the control unit is used for continuously executing the starting program of the equipment when the starting data is not changed.
Wherein, the judging whether the boot data is changed comprises:
calculating a first hash value of the boot data by using a hash algorithm;
comparing whether the first hash value is the same as the security verification information stored in the external storage;
when the starting data are different, judging that the starting data are changed;
if so, judging that the starting-up data is not changed;
the security verification information is a hash value obtained by calculating original boot data by using the hash algorithm in advance.
Wherein the boot data comprises at least one of:
data in the BIOS firmware, data in a storage device that holds the operating system.
The determining unit is specifically configured to determine whether the data in the BIOS firmware is changed when the boot data includes the data in the BIOS firmware, and includes:
calculating a first hash value of data in the BIOS firmware using a hash algorithm;
comparing whether the first hash value is the same as a second hash value stored in an external storage;
when the BIOS firmware is different from the BIOS firmware, judging that the data in the BIOS firmware is changed;
if so, judging that the data in the BIOS firmware is not changed;
the second hash value is obtained by calculating original data in the BIOS firmware by using the hash algorithm in advance;
the determining unit is specifically configured to determine whether the data in the storage device is changed when the boot data includes the data in the storage device, and includes:
calculating a third hash value of the data in the storage device using a hash algorithm;
comparing whether the third hash value is the same as a fourth hash value stored in an external storage;
when the data in the storage device is different from the data in the storage device, judging that the data in the storage device is changed;
when the data in the storage device is the same, judging that the data in the storage device is not changed;
and the fourth hash value is a hash value obtained by calculating the original data in the storage device in advance by using the hash algorithm.
The determining unit is specifically configured to decrypt the second hash value using an encryption and decryption algorithm when the second hash value is encrypted by the encryption and decryption algorithm and then stored in an external storage; comparing whether the first hash value is the same as the decrypted second hash value;
the judgment unit is specifically configured to decrypt the fourth hash value by using an encryption and decryption algorithm when the fourth hash value is stored in an external storage after being encrypted by the encryption and decryption algorithm; and comparing whether the third hash value is the same as the decrypted fourth hash value.
The device also comprises a checking unit, a judging unit and a judging unit, wherein the checking unit is used for checking whether the storage equipment and an external storage for storing the security verification information are connected with the equipment or not before judging whether the startup data are changed or not;
checking whether security authentication information exists in the external storage when the storage device and the external storage are connected to the device;
and when the safety verification information exists, informing the judging unit to judge whether the startup data is changed.
The control unit is further configured to stop executing the boot program of the device when the boot data is changed, or when the storage device or the external storage is not connected to the device, or when no security verification information exists in the external storage.
The device also comprises a display unit used for displaying corresponding error information on the screen of the equipment when the boot data is changed, or when the storage equipment or the external storage is not connected with the equipment, or when the safety verification information does not exist in the external storage.
The embodiment of the invention also provides a device for safely starting up equipment, which comprises: the device comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein when the computer program is executed by the processor, the method for starting up the device is realized.
The embodiment of the invention also provides a computer readable storage medium, wherein an information processing program is stored on the computer readable storage medium, and when the information processing program is executed by a processor, the steps of the method for starting up the equipment are realized.
It will be understood by those of ordinary skill in the art that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can accessed by a computer. In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.
Claims (10)
1. A method for booting a device, comprising:
when the device is started, judging whether the starting-up data is changed or not in the process of executing power-on self-test POST by a basic input and output system BIOS;
and when the boot data is not changed, continuing to execute the boot program of the equipment.
2. The method of claim 1, wherein determining whether the boot data is altered comprises:
calculating a first hash value of the boot data by using a hash algorithm;
comparing whether the first hash value is the same as the security verification information stored in the external storage;
when the starting data are different, judging that the starting data are changed;
if so, judging that the starting-up data is not changed;
the security verification information is a hash value obtained by calculating original boot data by using the hash algorithm in advance.
3. The method of claim 2,
the boot data includes at least one of:
data in BIOS firmware, data in storage equipment for storing an operating system;
when the boot data includes data in the BIOS firmware, determining whether the data in the BIOS firmware is modified, including:
calculating a first hash value of data in the BIOS firmware using a hash algorithm;
comparing whether the first hash value is the same as a second hash value stored in an external storage;
when the BIOS firmware is different from the BIOS firmware, judging that the data in the BIOS firmware is changed;
if so, judging that the data in the BIOS firmware is not changed;
the second hash value is obtained by calculating original data in the BIOS firmware by using the hash algorithm in advance;
when the boot-up data includes data in the storage device, determining whether the data in the storage device is changed, including:
calculating a third hash value of the data in the storage device using a hash algorithm;
comparing whether the third hash value is the same as a fourth hash value stored in an external storage;
when the data in the storage device is different from the data in the storage device, judging that the data in the storage device is changed;
when the data in the storage device is the same, judging that the data in the storage device is not changed;
and the fourth hash value is a hash value obtained by calculating the original data in the storage device in advance by using the hash algorithm.
4. The method of claim 3,
when the second hash value is stored in the external storage after being encrypted by the encryption and decryption algorithm, the comparing whether the first hash value is the same as the second hash value stored in the external storage includes:
decrypting the second hash value using the encryption and decryption algorithm;
comparing whether the first hash value is the same as the decrypted second hash value;
when the fourth hash value is stored in the external storage after being encrypted by the encryption and decryption algorithm, the comparing whether the third hash value is the same as the fourth hash value stored in the external storage includes:
decrypting the fourth hash value using the encryption and decryption algorithm;
and comparing whether the third hash value is the same as the decrypted fourth hash value.
5. The method of claim 2, wherein prior to determining whether the boot data is altered, the method further comprises:
checking whether the storage device and an external storage holding security authentication information are connected to the device;
checking whether security authentication information exists in the external storage when the storage device and the external storage are connected to the device;
and judging whether the boot data is changed or not when the security verification information exists.
6. The method of claim 5, further comprising:
when the boot data is changed, or when the storage device or the external storage is not connected to the device, or when no security verification information exists in the external storage, the boot program of the device is stopped from being executed.
7. The method of claim 6, further comprising:
when the boot data is changed, or when the storage device or the external storage is not connected to the device, or when no security verification information exists in the external storage, displaying corresponding error information on a screen of the device.
8. An apparatus for booting a device, comprising:
the judgment unit is used for judging whether the startup data is changed or not in the process that the BIOS executes the power-on self-test POST when the equipment is started;
and the control unit is used for continuously executing the starting program of the equipment when the starting data is not changed.
9. An apparatus for booting a device, comprising: memory, processor and computer program stored on the memory and executable on the processor, which computer program, when executed by the processor, implements a method of powering on the device according to any one of claims 1 to 7.
10. A computer-readable storage medium, having stored thereon an information processing program which, when executed by a processor, performs the steps of a method of powering on a device as claimed in any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911157556.0A CN110990840A (en) | 2019-11-22 | 2019-11-22 | Method and device for starting equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911157556.0A CN110990840A (en) | 2019-11-22 | 2019-11-22 | Method and device for starting equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110990840A true CN110990840A (en) | 2020-04-10 |
Family
ID=70086076
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911157556.0A Withdrawn CN110990840A (en) | 2019-11-22 | 2019-11-22 | Method and device for starting equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110990840A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2021212735A1 (en) * | 2020-04-23 | 2021-10-28 | 苏州浪潮智能科技有限公司 | Method, apparatus, and device for starting server securely, and medium |
-
2019
- 2019-11-22 CN CN201911157556.0A patent/CN110990840A/en not_active Withdrawn
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2021212735A1 (en) * | 2020-04-23 | 2021-10-28 | 苏州浪潮智能科技有限公司 | Method, apparatus, and device for starting server securely, and medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9881162B2 (en) | System and method for auto-enrolling option ROMS in a UEFI secure boot database | |
EP2681689B1 (en) | Protecting operating system configuration values | |
US8375437B2 (en) | Hardware supported virtualized cryptographic service | |
US9021244B2 (en) | Secure boot administration in a Unified Extensible Firmware Interface (UEFI)-compliant computing device | |
CN109710315B (en) | BIOS (basic input output System) flash writing method and BIOS mirror image file processing method | |
KR101702289B1 (en) | Continuation of trust for platform boot firmware | |
EP2668566B1 (en) | Authenticate a hypervisor with encoded information | |
US20130067210A1 (en) | System and method for recovering from an interrupted encryption and decryption operation performed on a volume | |
US10803176B2 (en) | Bios security | |
JP6846457B2 (en) | Automatic verification method and system | |
EP3076324A1 (en) | Information processing apparatus and method of controlling the apparatus | |
CN112148314B (en) | Mirror image verification method, device and equipment of embedded system and storage medium | |
US11397815B2 (en) | Secure data protection | |
US20210367781A1 (en) | Method and system for accelerating verification procedure for image file | |
US10482278B2 (en) | Remote provisioning and authenticated writes to secure storage devices | |
US11068599B2 (en) | Secure initialization using embedded controller (EC) root of trust | |
WO2020037613A1 (en) | Security upgrade method, apparatus and device for embedded program, and storage medium | |
US20120011353A1 (en) | Information processing apparatus having verification capability of configuration change | |
CN110874467A (en) | Information processing method, device, system, processor and storage medium | |
US9448888B2 (en) | Preventing a rollback attack in a computing system that includes a primary memory bank and a backup memory bank | |
US20160350537A1 (en) | Central processing unit and method to verify mainboard data | |
CN110990840A (en) | Method and device for starting equipment | |
CN112231649A (en) | Firmware encryption processing method, device, equipment and medium | |
US9064118B1 (en) | Indicating whether a system has booted up from an untrusted image | |
KR20210024070A (en) | Safe operation method and system of stored data |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
WW01 | Invention patent application withdrawn after publication | ||
WW01 | Invention patent application withdrawn after publication |
Application publication date: 20200410 |