CN110990840A - Method and device for starting equipment - Google Patents

Method and device for starting equipment Download PDF

Info

Publication number
CN110990840A
CN110990840A CN201911157556.0A CN201911157556A CN110990840A CN 110990840 A CN110990840 A CN 110990840A CN 201911157556 A CN201911157556 A CN 201911157556A CN 110990840 A CN110990840 A CN 110990840A
Authority
CN
China
Prior art keywords
data
hash value
changed
external storage
storage device
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN201911157556.0A
Other languages
Chinese (zh)
Inventor
蔡文成
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Suzhou Inspur Intelligent Technology Co Ltd
Original Assignee
Suzhou Inspur Intelligent Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Suzhou Inspur Intelligent Technology Co Ltd filed Critical Suzhou Inspur Intelligent Technology Co Ltd
Priority to CN201911157556.0A priority Critical patent/CN110990840A/en
Publication of CN110990840A publication Critical patent/CN110990840A/en
Withdrawn legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/572Secure firmware programming, e.g. of basic input output system [BIOS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The embodiment of the invention discloses a method and a device for starting up equipment, wherein the method comprises the following steps: when the device is started, judging whether the starting-up data is changed or not in the process of executing power-on self-test POST by a basic input and output system BIOS; and when the boot data is not changed, continuing to execute the boot program of the equipment. Therefore, the starting safety of the equipment can be improved.

Description

Method and device for starting equipment
Technical Field
The embodiment of the invention relates to a Basic Input Output System (BIOS) starting technology, in particular to a method and a device for starting up a device.
Background
At present, when a computer device is started, a BIOS firmware is generally used to complete the start of an operating system. Therefore, the security verification process of the computer equipment in the starting process is not enough, once a hacker invades the computer equipment, the starting program can be normally executed, and the risk of information leakage exists.
Disclosure of Invention
In view of this, an embodiment of the present invention provides a method for booting a device, including:
when the device is started, judging whether the starting-up data is changed or not in the process of executing power-on self-test POST by a basic input and output system BIOS;
and when the boot data is not changed, continuing to execute the boot program of the equipment.
The embodiment of the invention also provides a device for starting up equipment, which comprises:
the judgment unit is used for judging whether the startup data is changed or not in the process that the BIOS executes the power-on self-test POST when the equipment is started;
and the control unit is used for continuously executing the starting program of the equipment when the starting data is not changed.
The embodiment of the invention also provides a device for starting up equipment, which comprises: the device comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein when the computer program is executed by the processor, the method for starting the device is realized.
The embodiment of the invention also provides a computer readable storage medium, wherein an information processing program is stored on the computer readable storage medium, and the information processing program realizes the steps of the method for starting the equipment when being executed by the processor.
The technical scheme provided by the embodiment of the invention can improve the starting safety of the equipment.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the application. Other advantages of the application may be realized and attained by the instrumentalities and combinations particularly pointed out in the specification, claims, and drawings.
Drawings
The accompanying drawings are included to provide an understanding of the present disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the examples serve to explain the principles of the disclosure and not to limit the disclosure.
Fig. 1 is a flowchart illustrating a method for booting a device according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating a method for booting a device according to another embodiment of the present invention;
fig. 3 is a flowchart illustrating a method for booting a device according to another embodiment of the present invention;
fig. 4 is a flowchart illustrating a method for booting a device according to another embodiment of the present invention;
fig. 5 is a flowchart illustrating a method for booting a device according to another embodiment of the present invention;
fig. 6 is a flowchart illustrating a method for booting a device according to another embodiment of the present invention;
fig. 7 is a schematic structural diagram of an apparatus for booting a device according to an embodiment of the present invention.
Detailed Description
The present application describes embodiments, but the description is illustrative rather than limiting and it will be apparent to those of ordinary skill in the art that many more embodiments and implementations are possible within the scope of the embodiments described herein. Although many possible combinations of features are shown in the drawings and discussed in the detailed description, many other combinations of the disclosed features are possible. Any feature or element of any embodiment may be used in combination with or instead of any other feature or element in any other embodiment, unless expressly limited otherwise.
The present application includes and contemplates combinations of features and elements known to those of ordinary skill in the art. The embodiments, features and elements disclosed in this application may also be combined with any conventional features or elements to form a unique inventive concept as defined by the claims. Any feature or element of any embodiment may also be combined with features or elements from other inventive aspects to form yet another unique inventive aspect, as defined by the claims. Thus, it should be understood that any of the features shown and/or discussed in this application may be implemented alone or in any suitable combination. Accordingly, the embodiments are not limited except as by the appended claims and their equivalents. Furthermore, various modifications and changes may be made within the scope of the appended claims.
Further, in describing representative embodiments, the specification may have presented the method and/or process as a particular sequence of steps. However, to the extent that the method or process does not rely on the particular order of steps set forth herein, the method or process should not be limited to the particular sequence of steps described. Other orders of steps are possible as will be understood by those of ordinary skill in the art. Therefore, the particular order of the steps set forth in the specification should not be construed as limitations on the claims. Further, the claims directed to the method and/or process should not be limited to the performance of their steps in the order written, and one skilled in the art can readily appreciate that the sequences may be varied and still remain within the spirit and scope of the embodiments of the present application.
Fig. 1 is a schematic flowchart of a method for booting a device according to an embodiment of the present invention, as shown in fig. 1, the method includes:
101, when the device is started, judging whether starting data is changed or not in the process of executing power-on self-test POST by a basic input output system BIOS;
and step 102, when the boot data is not changed, continuing to execute the boot program of the equipment.
Wherein, the judging whether the boot data is changed comprises:
calculating a first hash value of the boot data by using a hash algorithm;
comparing whether the first hash value is the same as the security verification information stored in the external storage;
when the starting data are different, judging that the starting data are changed;
if so, judging that the starting-up data is not changed;
the security verification information is a hash value obtained by calculating original boot data by using the hash algorithm in advance.
Wherein the boot data comprises at least one of:
data in the BIOS firmware, data in a storage device that holds the operating system.
When the boot data includes data in the BIOS firmware, determining whether the data in the BIOS firmware is modified, including:
calculating a first hash value of data in the BIOS firmware using a hash algorithm;
comparing whether the first hash value is the same as a second hash value stored in an external storage;
when the BIOS firmware is different from the BIOS firmware, judging that the data in the BIOS firmware is changed;
if so, judging that the data in the BIOS firmware is not changed;
the second hash value is obtained by calculating original data in the BIOS firmware by using the hash algorithm in advance;
when the boot-up data includes data in the storage device, determining whether the data in the storage device is changed, including:
calculating a third hash value of the data in the storage device using a hash algorithm;
comparing whether the third hash value is the same as a fourth hash value stored in an external storage;
when the data in the storage device is different from the data in the storage device, judging that the data in the storage device is changed;
when the data in the storage device is the same, judging that the data in the storage device is not changed;
and the fourth hash value is a hash value obtained by calculating the original data in the storage device in advance by using the hash algorithm.
When the second hash value is stored in the external storage after being encrypted by the encryption and decryption algorithm, the comparing whether the first hash value is the same as the second hash value stored in the external storage includes:
decrypting the second hash value using the encryption and decryption algorithm;
comparing whether the first hash value is the same as the decrypted second hash value;
when the fourth hash value is stored in the external storage after being encrypted by the encryption and decryption algorithm, the comparing whether the third hash value is the same as the fourth hash value stored in the external storage includes:
decrypting the fourth hash value using the encryption and decryption algorithm;
and comparing whether the third hash value is the same as the decrypted fourth hash value.
Before determining whether the boot data is changed, the method further includes:
checking whether the storage device and an external storage holding security authentication information are connected to the device;
checking whether security authentication information exists in the external storage when the storage device and the external storage are connected to the device;
and judging whether the boot data is changed or not when the security verification information exists.
Wherein, the method also comprises:
when the boot data is changed, or when the storage device or the external storage is not connected to the device, or when no security verification information exists in the external storage, the execution of the boot program of the device is stopped.
Wherein, the method also comprises:
when the boot data is changed, or when the storage device or the external storage is not connected to the device, or when no security verification information exists in the external storage, displaying corresponding error information on a screen of the device.
The technical scheme provided by the embodiment of the invention can improve the starting safety of the equipment.
Fig. 2 is a flowchart illustrating a method for booting a device according to another embodiment of the present invention, as shown in fig. 2, the method includes:
step 201, when the device is started, in the process of executing power-on self-test POST by BIOS, checking whether a storage device for storing an operating system and an external storage for storing security verification information are connected to the device;
the storage device may be any storage device for storing an operating system, for example, a Non-Volatile Memory host controller interface specification (NVMe SSD), a Solid state disk (NVMe SSD), and the like.
The external storage may be any existing storage device, such as a USB mass storage (USB mass storage), etc.
When the storage device or the external storage is not connected to the device, the execution of the boot program of the device is stopped, and corresponding error information can be displayed on the screen of the device.
When the storage device and the external storage are connected to the device, executing step 202; when the storage device or external storage is not connected to the device, step 205 is performed.
Step 202, checking whether security verification information exists in the external storage;
the external storage is used for pre-storing the security verification information, and the security verification information is a hash value obtained by pre-calculating original boot data by using the hash algorithm.
Specifically, the security verification information includes a second hash value and/or a fourth hash value;
the second hash value is obtained by calculating original data in the BIOS firmware in advance by using a hash algorithm; the fourth hash value is a hash value obtained by calculating the original data in the storage device in advance by using a hash algorithm.
When the boot data comprises data in BIOS firmware, the security verification information comprises a second hash value; when the boot data comprises data in a storage device for storing an operating system, the security verification information comprises a fourth hash value; when the boot data includes data in the BIOS firmware and data in a storage device storing an operating system, the security verification information includes a second hash value and a fourth hash value.
Specifically, the security verification information may be stored in a form of a security verification file, for example, the second hash value is stored in an external storage in a form of a BIOS encryption file, and the BIOS encryption file may be stored after being encrypted by a private key through an encryption and decryption algorithm; when the storage device is an NVMe SSD, the fourth hash value is stored in an external storage in an NVMeencryptes file form, and the NVMe encryptes file can be stored after being encrypted by a private key through an encryption and decryption algorithm.
Specifically, the Hash algorithm may be any existing Hash algorithm, such as secure Hash algorithm sha (secure Hash algorithm), etc.
In particular, the encryption and decryption algorithm may be any one of the existing encryption and decryption algorithms, such as the RSA algorithm and the like.
When the security verification information exists in the external storage, step 203 is executed, and when the security verification information exists in the external storage, step 205 is executed.
Step 203, judging whether the startup data is changed;
wherein, the judging whether the boot data is changed comprises:
calculating a first hash value of the boot data by using a hash algorithm;
comparing whether the first hash value is the same as the security verification information stored in the external storage;
when the starting data are different, judging that the starting data are changed;
if so, judging that the starting-up data is not changed;
the security verification information is a hash value obtained by calculating original boot data by using the hash algorithm in advance.
The original boot data is only boot data that has not been altered.
Wherein the boot data comprises at least one of:
data in the BIOS firmware, data in a storage device that holds the operating system.
Specifically, the data in the BIOS firmware may be data in any storage device that stores the BIOS firmware, for example, data in a serial peripheral interface read only memory SPI ROM.
The data in the storage device for storing the operating system may be data in any storage device for storing the operating system, for example, data in a non-volatile memory host controller interface specification (NVMe SSD) solid state disk.
When the boot data includes data in the BIOS firmware, determining whether the data in the BIOS firmware is changed, including:
calculating a first hash value of data in the BIOS firmware using a hash algorithm;
comparing whether the first hash value is the same as a second hash value stored in an external storage;
when the BIOS firmware is different from the BIOS firmware, judging that the data in the BIOS firmware is changed;
if so, judging that the data in the BIOS firmware is not changed;
the second hash value is a hash value obtained by calculating original data in the BIOS firmware in advance by using the hash algorithm.
When the boot-up data comprises data in the storage device, judging whether the data in the storage device is changed or not, wherein the judging comprises the following steps:
calculating a third hash value of the data in the storage device using a hash algorithm;
comparing whether the third hash value is the same as a fourth hash value stored in an external storage;
when the data in the storage device is different from the data in the storage device, judging that the data in the storage device is changed;
when the data in the storage device is the same, judging that the data in the storage device is not changed;
and the fourth hash value is a hash value obtained by calculating the original data in the storage device in advance by using the hash algorithm.
The hash value obtained by the raw data in the BIOS firmware may be calculated in advance using the hash algorithm and stored in the external storage, and the hash value obtained by the raw data in the storage device may be calculated in advance using the hash algorithm and stored in the external storage.
When the second hash value is stored in an external storage after being encrypted by a private key of an encryption and decryption algorithm, the comparing whether the first hash value is the same as the second hash value stored in the external storage includes:
performing public key decryption on the second hash value by using the encryption and decryption algorithm;
comparing whether the first hash value is the same as the decrypted second hash value;
when the fourth hash value is stored in an external storage after being encrypted by a private key of an encryption and decryption algorithm, the comparing whether the third hash value is the same as the fourth hash value stored in the external storage includes:
performing public key decryption on the fourth hash value by using the encryption and decryption algorithm;
and comparing whether the third hash value is the same as the decrypted fourth hash value.
The hash value obtained by computing the original data in the BIOS firmware by using the hash algorithm may be stored in an external storage after private key encryption is performed on the hash value by using the encryption and decryption algorithm, and the hash value obtained by computing the original data in the storage device by using the hash algorithm may be stored in the external storage after private key encryption is performed on the hash value by using the encryption and decryption algorithm.
When the boot data is not changed, step 204 is executed, and when the boot data is changed, step 205 is executed.
When the boot data comprises data in the BIOS firmware, the boot data is not changed into the data in the BIOS firmware; the boot data is changed to the data in the BIOS firmware;
when the boot data comprises data in a storage device of a storage operating system, the boot data is not changed into data in the storage device of the storage operating system; the boot data is changed into the data in the storage device for storing the operating system;
when the boot data includes data in the BIOS firmware and data in a storage device storing an operating system, the boot data is changed to data in the BIOS firmware or data in the storage device storing the operating system is changed.
Step 204, continuing to execute a starting program of the equipment;
wherein the continuing to execute the boot program of the device comprises: and continuously executing the POST process, the subsequent bootstrap program and other processes to finally finish starting the operating system in the storage device.
Step 205, stop executing the boot program of the device.
In this step, the execution of the boot program of the device is stopped, and simultaneously, the corresponding error information can be displayed on the screen of the device.
For example, when the storage device or the external storage is not connected to the device, it may be displayed that the storage device or the external storage is not present. When the security authentication information exists inside the external storage, it may be displayed that the security authentication information does not exist. When the boot data is altered, the boot data storage error may be displayed. And so on.
According to the technical scheme provided by the embodiment of the invention, the Hash algorithm is utilized to verify whether the data in the BIOS firmware and/or the data in the storage device for storing the operating system are changed or not, so that the starting safety can be improved in the starting process, and the information leakage caused by starting can be avoided after the data are changed (such as hacker intrusion); and once the data is changed, the system user can immediately be made aware of the data change.
According to the embodiment of the invention, the method can be completed only by adding external storage and modifying BIOS firmware, and the cost is low. And the data in the external storage can be encrypted by using an encryption and decryption algorithm, so that the security of the data in the external storage can be ensured.
Fig. 3 is a flowchart illustrating a method for booting a device according to another embodiment of the present invention, as shown in fig. 3, the method includes:
step 301, when the device is powered on, in the process of the BIOS executing the power-on self-test POST, checking whether an external storage for storing the security verification information is connected to the device;
the external storage may be any existing storage device, such as a USB mass storage (USB mass storage).
When the external storage is not connected with the equipment, the starting program of the equipment is stopped being executed, and corresponding error information can be displayed on the screen of the equipment.
When the external storage is connected to the device, executing step 302; when the external storage is not connected to the device, step 305 is performed.
Step 302, checking whether security verification information exists in the external storage;
the external storage is used for pre-storing the security verification information, and the security verification information comprises a second hash value;
the second hash value is obtained by calculating original data in the BIOS firmware in advance by using a hash algorithm.
Specifically, the security verification information may be stored in a form of a security verification file, for example, the second hash value may be stored in an external storage in a form of a BIOS encryption file, and the BIOS encryption file may be stored after being encrypted by a private key through an encryption and decryption algorithm.
Specifically, the Hash algorithm may be any existing Hash algorithm, such as secure Hash algorithm sha (secure Hash algorithm), etc.
In particular, the encryption and decryption algorithm may be any one of the existing encryption and decryption algorithms, such as the RSA algorithm and the like.
When the security authentication information exists in the external storage, step 303 is executed, and when the security authentication information exists in the external storage, step 305 is executed.
Step 303, judging whether data in the BIOS firmware is changed;
specifically, the data in the BIOS firmware may be data in any storage device that stores the BIOS firmware, for example, data in a serial peripheral interface read only memory SPI ROM.
When the boot data includes data in the BIOS firmware, determining whether the data in the BIOS firmware is changed, including:
calculating a first hash value of data in the BIOS firmware using a hash algorithm;
comparing whether the first hash value is the same as a second hash value stored in an external storage;
when the BIOS firmware is different from the BIOS firmware, judging that the data in the BIOS firmware is changed;
if so, judging that the data in the BIOS firmware is not changed;
the second hash value is a hash value obtained by calculating original data in the BIOS firmware in advance by using the hash algorithm.
The hash value obtained by calculating the raw data in the BIOS firmware using the hash algorithm may be stored in an external storage in advance.
When the second hash value is stored in an external storage after being encrypted by a private key of an encryption and decryption algorithm, the comparing whether the first hash value is the same as the second hash value stored in the external storage includes:
performing public key decryption on the second hash value by using the encryption and decryption algorithm;
and comparing whether the first hash value is the same as the decrypted second hash value.
The hash value obtained by calculating the original data in the BIOS firmware by using the hash algorithm may be obtained in advance, and then the encryption and decryption algorithm is used to encrypt the hash value by using a private key and store the encrypted hash value in an external storage.
When the data in the BIOS firmware is not changed, step 304 is performed, and when the data in the BIOS firmware is changed, step 305 is performed.
Step 304, continuing to execute the boot program of the equipment;
wherein the continuing to execute the boot program of the device comprises: and continuously executing the POST process, the subsequent bootstrap program and other processes to finally finish starting the operating system in the storage device.
Step 305, stopping executing the boot program of the device.
In this step, the execution of the boot program of the device is stopped, and simultaneously, the corresponding error information can be displayed on the screen of the device.
For example, a data error in the BIOS firmware may be displayed. And so on.
According to the technical scheme provided by the embodiment of the invention, whether the data in the BIOS firmware is changed or not is verified by utilizing the Hash algorithm, so that the starting safety can be improved in the starting process, and the information leakage caused by starting can be avoided after the data is changed (such as hacker intrusion); and once the data is changed, the system user can immediately be made aware of the data change.
According to the embodiment of the invention, the method can be completed only by adding external storage and modifying BIOS firmware, and the cost is low. And the data in the external storage can be encrypted by using an encryption and decryption algorithm, so that the security of the data in the external storage can be ensured.
Fig. 4 is a flowchart illustrating a method for booting a device according to another embodiment of the present invention, as shown in fig. 4, the method includes:
step 401, when the device is powered on, in the process of the BIOS executing the power-on self-test POST, checking whether a storage device for storing an operating system and an external storage for storing security verification information are connected to the device;
the storage device may be any storage device for storing an operating system, for example, a Non-Volatile Memory host controller interface specification (NVMe SSD), a Solid state disk (NVMe SSD), and the like.
The external storage may be any existing storage device, such as a USB mass storage (USB mass storage), etc.
When the storage device or the external storage is not connected to the device, the execution of the boot program of the device is stopped, and corresponding error information can be displayed on the screen of the device.
When the storage device and external storage are connected to the device, performing step 402; when the storage device or external storage is not connected to the device, step 405 is performed.
Step 402, checking whether security verification information exists in the external storage;
the external storage is used for pre-storing the security verification information, and the security verification information comprises a fourth hash value;
the fourth hash value is a hash value obtained by calculating the original data in the storage device in advance by using a hash algorithm.
Specifically, the security authentication information may be stored in a form of a security authentication file, for example, when the storage device is an NVMe SSD, the fourth hash value is stored in an external storage in a form of an NVMe encryption file, and the NVMe encryption file may be stored after being encrypted by a private key through an encryption and decryption algorithm.
Specifically, the Hash algorithm may be any existing Hash algorithm, such as secure Hash algorithm sha (secure Hash algorithm), etc.
In particular, the encryption and decryption algorithm may be any one of the existing encryption and decryption algorithms, such as the RSA algorithm and the like.
When the security verification information exists in the external storage, step 403 is executed, and when the security verification information exists in the external storage, step 405 is executed.
Step 403, judging whether data in a storage device for storing the operating system is changed;
specifically, the data in the storage device storing the operating system may be data in any storage device storing the operating system, for example, data in a non-volatile memory host controller interface specification (NVMe SSD) solid state disk.
When the boot-up data comprises data in the storage device, judging whether the data in the storage device is changed or not, wherein the judging comprises the following steps:
calculating a third hash value of the data in the storage device using a hash algorithm;
comparing whether the third hash value is the same as a fourth hash value stored in an external storage;
when the data in the storage device is different from the data in the storage device, judging that the data in the storage device is changed;
when the data in the storage device is the same, judging that the data in the storage device is not changed;
and the fourth hash value is a hash value obtained by calculating the original data in the storage device in advance by using the hash algorithm.
Wherein, the hash value obtained by the raw data in the storage device can be calculated in advance by using the hash algorithm and stored in the external storage.
When the fourth hash value is stored in an external storage after being encrypted by a private key of an encryption and decryption algorithm, the comparing whether the third hash value is the same as the fourth hash value stored in the external storage includes:
performing public key decryption on the fourth hash value by using the encryption and decryption algorithm;
and comparing whether the third hash value is the same as the decrypted fourth hash value.
The hash value obtained by calculating the original data in the storage device by using the hash algorithm in advance can be stored in an external storage after the private key encryption is carried out on the hash value by using the encryption and decryption algorithm.
When the data in the storage device has not been changed, step 404 is performed, and when the data in the storage device has been changed, step 405 is performed.
Step 404, continuing to execute the boot program of the device;
wherein the continuing to execute the boot program of the device comprises: and continuously executing the POST process, the subsequent bootstrap program and other processes to finally finish starting the operating system in the storage device.
Step 405, stopping executing the boot program of the device.
In this step, the execution of the boot program of the device is stopped, and simultaneously, the corresponding error information can be displayed on the screen of the device.
For example, a data error in the storage device may be displayed.
According to the technical scheme provided by the embodiment of the invention, the Hash algorithm is utilized to verify whether the data in the storage equipment for storing the operating system is changed or not, so that the starting safety can be improved in the starting process, and the information leakage caused by starting can be avoided after the data is changed (such as hacker intrusion); and once the data is changed, the system user can immediately be made aware of the data change.
According to the embodiment of the invention, the method can be completed only by adding external storage and modifying BIOS firmware, and the cost is low. And the data in the external storage can be encrypted by using an encryption and decryption algorithm, so that the security of the data in the external storage can be ensured.
Fig. 5 is a flowchart illustrating a method for booting a device according to another embodiment of the present invention, as shown in fig. 5, the method includes:
step 501, when the device is started, in the process of executing power-on self-test POST by BIOS, checking whether a storage device for storing an operating system and an external storage for storing security verification information are connected to the device;
the storage device may be any storage device for storing an operating system, for example, a Non-Volatile Memory host controller interface specification (NVMe SSD), a Solid state disk (NVMe SSD), and the like.
The external storage may be any existing storage device, such as a USB mass storage (USB mass storage), etc.
When the storage device or the external storage is not connected to the device, the execution of the boot program of the device is stopped, and corresponding error information can be displayed on the screen of the device.
When the storage device and external storage are connected to the device, perform step 502; when the storage device or external storage is not connected to the device, step 505 is performed.
Step 502, checking whether security verification information exists in the external storage;
the external storage is used for pre-storing the security verification information, and the security verification information comprises a second hash value and a fourth hash value;
the second hash value is obtained by calculating original data in the BIOS firmware in advance by using a hash algorithm; the fourth hash value is a hash value obtained by calculating the original data in the storage device in advance by using a hash algorithm.
Specifically, the security verification information may be stored in a form of a security verification file, for example, the second hash value is stored in an external storage in a form of a BIOS encryption file, and the BIOS encryption file may be stored after being encrypted by a private key through an encryption and decryption algorithm; when the storage device is an NVMe SSD, the fourth hash value is stored in an external storage in an NVMeencryptes file form, and the NVMe encryptes file can be stored after being encrypted by a private key through an encryption and decryption algorithm.
Specifically, the Hash algorithm may be any existing Hash algorithm, such as secure Hash algorithm sha (secure Hash algorithm), etc.
In particular, the encryption and decryption algorithm may be any one of the existing encryption and decryption algorithms, such as the RSA algorithm and the like.
When the security verification information exists in the external storage, step 503 is executed, and when the security verification information exists in the external storage, step 505 is executed.
Step 503, determining whether the data in the BIOS firmware and the data in the storage device storing the operating system are changed;
specifically, the data in the BIOS firmware may be data in any storage device that stores the BIOS firmware, for example, data in a serial peripheral interface read only memory SPI ROM.
The data in the storage device for storing the operating system may be data in any storage device for storing the operating system, for example, data in a non-volatile memory host controller interface specification (NVMe SSD) solid state disk.
When the boot data includes data in the BIOS firmware, determining whether the data in the BIOS firmware is changed, including:
calculating a first hash value of data in the BIOS firmware using a hash algorithm;
comparing whether the first hash value is the same as a second hash value stored in an external storage;
when the BIOS firmware is different from the BIOS firmware, judging that the data in the BIOS firmware is changed;
if so, judging that the data in the BIOS firmware is not changed;
the second hash value is a hash value obtained by calculating original data in the BIOS firmware in advance by using the hash algorithm.
When the boot-up data comprises data in the storage device, judging whether the data in the storage device is changed or not, wherein the judging comprises the following steps:
calculating a third hash value of the data in the storage device using a hash algorithm;
comparing whether the third hash value is the same as a fourth hash value stored in an external storage;
when the data in the storage device is different from the data in the storage device, judging that the data in the storage device is changed;
when the data in the storage device is the same, judging that the data in the storage device is not changed;
and the fourth hash value is a hash value obtained by calculating the original data in the storage device in advance by using the hash algorithm.
The hash value obtained by the raw data in the BIOS firmware may be calculated in advance using the hash algorithm and stored in the external storage, and the hash value obtained by the raw data in the storage device may be calculated in advance using the hash algorithm and stored in the external storage.
When the second hash value is stored in an external storage after being encrypted by a private key of an encryption and decryption algorithm, the comparing whether the first hash value is the same as the second hash value stored in the external storage includes:
performing public key decryption on the second hash value by using the encryption and decryption algorithm;
comparing whether the first hash value is the same as the decrypted second hash value;
when the fourth hash value is stored in an external storage after being encrypted by a private key of an encryption and decryption algorithm, the comparing whether the third hash value is the same as the fourth hash value stored in the external storage includes:
performing public key decryption on the fourth hash value by using the encryption and decryption algorithm;
and comparing whether the third hash value is the same as the decrypted fourth hash value.
The hash value obtained by computing the original data in the BIOS firmware by using the hash algorithm may be stored in an external storage after private key encryption is performed on the hash value by using the encryption and decryption algorithm, and the hash value obtained by computing the original data in the storage device by using the hash algorithm may be stored in the external storage after private key encryption is performed on the hash value by using the encryption and decryption algorithm.
When the data in the BIOS firmware and the data in the storage device storing the operating system are not changed, step 504 is performed, and when the data in the BIOS firmware or the data in the storage device storing the operating system are changed, step 505 is performed.
Step 504, continuing to execute the boot program of the equipment;
wherein the continuing to execute the boot program of the device comprises: and continuously executing the POST process, the subsequent bootstrap program and other processes to finally finish starting the operating system in the storage device.
Step 505, stopping executing the boot program of the device.
In this step, the execution of the boot program of the device is stopped, and simultaneously, the corresponding error information can be displayed on the screen of the device.
For example, when data in the BIOS firmware or data in a storage device that stores an operating system is changed, a data error in the BIOS firmware or data in a storage device that stores an operating system may be displayed.
According to the technical scheme provided by the embodiment of the invention, the Hash algorithm is utilized to verify whether the data in the BIOS firmware and/or the data in the storage device for storing the operating system are changed or not, so that the starting safety can be improved in the starting process, and the information leakage caused by starting can be avoided after the data are changed (such as hacker intrusion); and once the data is changed, the system user can immediately be made aware of the data change.
According to the embodiment of the invention, the method can be completed only by adding external storage and modifying BIOS firmware, and the cost is low. And the data in the external storage can be encrypted by using an encryption and decryption algorithm, so that the security of the data in the external storage can be ensured.
Fig. 6 is a flowchart illustrating a method for booting a device according to another embodiment of the present invention.
The embodiment is applied to the BIOS POST startup program of the x86 operating system.
In this embodiment, the BIOS firmware is stored in a serial peripheral Interface Read Only Memory SPI ROM (serial peripheral Interface Read-Only Memory), and the x86 operating system is stored in a non-volatile Memory host controller Interface specification solid state disk NVMe SSD.
In this embodiment, the hash algorithm uses the SHA256 algorithm, and the encryption and decryption algorithm uses the RSA algorithm.
In this embodiment, the external storage is a USB mass storage.
As shown in fig. 6, the method includes:
step 601, in a BIOS POST startup program, checking whether NVMe SSD and USB mass storage are connected to a computer;
when neither the NVMe SSD nor the USB mass storage is connected to the computer, step 606 is executed, and when both the NVMe SSD and the USB mass storage are connected to the computer, step 602 is executed.
Step 602, checking whether the USB mass storage has security verification files BIOS encryption file and NVMe encryption file;
before the boot, the security verification files BIOSencrypt file and NVMe encrypt file may be stored in the USB mass storage in advance.
The method comprises the steps of calculating original data in the BIOS SPI ROM by using an SHA256 algorithm in advance to obtain a second SHA value, encrypting the second SHA value by using an RSA encryption algorithm through a private key, and storing the second SHA value in a USB mass storage in the form of a BIOS encryption file.
The method comprises the steps of calculating original data in the NVMe SSD by using an SHA256 algorithm in advance to obtain a fourth SHA value, carrying out private key encryption on the fourth SHA value by using an RSA encryption algorithm, storing the fourth SHA value in a USB mass storage in an NVMe encryption file form, and then decrypting the fourth SHA value by using a public key to achieve the function of digital signature.
Specifically, the USB mass storage stores two files, one is a file obtained by the SHA256 calculating the output generated by the BIOS spool and encrypting with the RSA key, and the other is a file obtained by the SHA256 calculating the output generated by the NVMe SSD and encrypting with the RSA key.
The original data refers to data when the BIOS SPI ROM or the NVMe SSD is not changed.
When neither the BIOS encryption file nor the NVMe encryption file exists, step 606 is executed, and when both the BIOS encryption file and the NVMe encryption file exist, step 603 is executed.
Step 603, calculating data in the BIOS SPI ROM by using an SHA256 algorithm to obtain a first SHA value, decrypting the BIOS encryption file by using an RSA algorithm to obtain a second SHA value, and comparing whether the first SHA value is the same as the second SHA value;
when the first SHA value and the second SHA value are the same, step 604 is executed, and when the first SHA value and the second SHA value are not the same, step 606 is executed.
Step 604, calculating data in the NVMe SSD by using an SHA256 algorithm to obtain a third SHA value, decrypting the NVMe encrypt file by using an RSA algorithm to obtain a fourth SHA value, and comparing whether the third SHA value is the same as the fourth SHA value;
when the third SHA value is the same as the fourth SHA value, step 605 is executed, and when the third SHA value is not the same as the fourth SHA value, step 606 is executed.
Specifically, the BIOS encryption file and NVMe encryption file are decrypted by using RSA public key.
Step 605, continuing to execute the boot program;
in this step, the system completes the boot program and can boot to the x86 operating system of the NVMe SSD.
Step 605, forcibly stop the boot process.
In this step, when the boot program is forcibly stopped, the corresponding error information may be displayed on the computer screen. For example, when either the NVMe SSD or the USB mass storage is not connected to the computer, it is displayed that the NVMe SSD or the USB mass storage is not present. And when the BIOS encryption file or the NVMe encryption file does not exist, displaying that the BIOS encryption file or the NVMe encryption file does not exist. And when the first SHA value is different from the second SHA value, displaying data errors in the BIOS SPI ROM. When the third and fourth SHA values are not the same, displaying a data error in the NVMe SSD.
According to the technical scheme provided by the embodiment, in a BIOS POST boot program of an x86 operating system, the cooperation of the SHA256 secure hash algorithm and the RSA asymmetric encryption algorithm is applied, and meanwhile, data in BIOS firmware and storage equipment (NVMe SSD) are verified, so that the security and the correctness of boot data can be ensured, and the risk of information leakage caused by the fact that a hacker can normally execute the boot program of an x86 system after invading the data is avoided.
According to the technical scheme provided by the embodiment, before the operating system is not entered, as long as the data in the BIOS SPI ROM or the NVMeSSD is changed, the boot program of the x86 system is immediately stopped, and the functions of reminding and preventing hackers can be achieved. In addition, by displaying error information, the user can confirm the system to check the reason for the changed data.
Fig. 7 is a schematic structural diagram of an apparatus for booting a device according to an embodiment of the present invention. As shown in fig. 7, the apparatus includes:
the judgment unit is used for judging whether the startup data is changed or not in the process that the BIOS executes the power-on self-test POST when the equipment is started;
and the control unit is used for continuously executing the starting program of the equipment when the starting data is not changed.
Wherein, the judging whether the boot data is changed comprises:
calculating a first hash value of the boot data by using a hash algorithm;
comparing whether the first hash value is the same as the security verification information stored in the external storage;
when the starting data are different, judging that the starting data are changed;
if so, judging that the starting-up data is not changed;
the security verification information is a hash value obtained by calculating original boot data by using the hash algorithm in advance.
Wherein the boot data comprises at least one of:
data in the BIOS firmware, data in a storage device that holds the operating system.
The determining unit is specifically configured to determine whether the data in the BIOS firmware is changed when the boot data includes the data in the BIOS firmware, and includes:
calculating a first hash value of data in the BIOS firmware using a hash algorithm;
comparing whether the first hash value is the same as a second hash value stored in an external storage;
when the BIOS firmware is different from the BIOS firmware, judging that the data in the BIOS firmware is changed;
if so, judging that the data in the BIOS firmware is not changed;
the second hash value is obtained by calculating original data in the BIOS firmware by using the hash algorithm in advance;
the determining unit is specifically configured to determine whether the data in the storage device is changed when the boot data includes the data in the storage device, and includes:
calculating a third hash value of the data in the storage device using a hash algorithm;
comparing whether the third hash value is the same as a fourth hash value stored in an external storage;
when the data in the storage device is different from the data in the storage device, judging that the data in the storage device is changed;
when the data in the storage device is the same, judging that the data in the storage device is not changed;
and the fourth hash value is a hash value obtained by calculating the original data in the storage device in advance by using the hash algorithm.
The determining unit is specifically configured to decrypt the second hash value using an encryption and decryption algorithm when the second hash value is encrypted by the encryption and decryption algorithm and then stored in an external storage; comparing whether the first hash value is the same as the decrypted second hash value;
the judgment unit is specifically configured to decrypt the fourth hash value by using an encryption and decryption algorithm when the fourth hash value is stored in an external storage after being encrypted by the encryption and decryption algorithm; and comparing whether the third hash value is the same as the decrypted fourth hash value.
The device also comprises a checking unit, a judging unit and a judging unit, wherein the checking unit is used for checking whether the storage equipment and an external storage for storing the security verification information are connected with the equipment or not before judging whether the startup data are changed or not;
checking whether security authentication information exists in the external storage when the storage device and the external storage are connected to the device;
and when the safety verification information exists, informing the judging unit to judge whether the startup data is changed.
The control unit is further configured to stop executing the boot program of the device when the boot data is changed, or when the storage device or the external storage is not connected to the device, or when no security verification information exists in the external storage.
The device also comprises a display unit used for displaying corresponding error information on the screen of the equipment when the boot data is changed, or when the storage equipment or the external storage is not connected with the equipment, or when the safety verification information does not exist in the external storage.
The embodiment of the invention also provides a device for safely starting up equipment, which comprises: the device comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein when the computer program is executed by the processor, the method for starting up the device is realized.
The embodiment of the invention also provides a computer readable storage medium, wherein an information processing program is stored on the computer readable storage medium, and when the information processing program is executed by a processor, the steps of the method for starting up the equipment are realized.
It will be understood by those of ordinary skill in the art that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can accessed by a computer. In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.

Claims (10)

1. A method for booting a device, comprising:
when the device is started, judging whether the starting-up data is changed or not in the process of executing power-on self-test POST by a basic input and output system BIOS;
and when the boot data is not changed, continuing to execute the boot program of the equipment.
2. The method of claim 1, wherein determining whether the boot data is altered comprises:
calculating a first hash value of the boot data by using a hash algorithm;
comparing whether the first hash value is the same as the security verification information stored in the external storage;
when the starting data are different, judging that the starting data are changed;
if so, judging that the starting-up data is not changed;
the security verification information is a hash value obtained by calculating original boot data by using the hash algorithm in advance.
3. The method of claim 2,
the boot data includes at least one of:
data in BIOS firmware, data in storage equipment for storing an operating system;
when the boot data includes data in the BIOS firmware, determining whether the data in the BIOS firmware is modified, including:
calculating a first hash value of data in the BIOS firmware using a hash algorithm;
comparing whether the first hash value is the same as a second hash value stored in an external storage;
when the BIOS firmware is different from the BIOS firmware, judging that the data in the BIOS firmware is changed;
if so, judging that the data in the BIOS firmware is not changed;
the second hash value is obtained by calculating original data in the BIOS firmware by using the hash algorithm in advance;
when the boot-up data includes data in the storage device, determining whether the data in the storage device is changed, including:
calculating a third hash value of the data in the storage device using a hash algorithm;
comparing whether the third hash value is the same as a fourth hash value stored in an external storage;
when the data in the storage device is different from the data in the storage device, judging that the data in the storage device is changed;
when the data in the storage device is the same, judging that the data in the storage device is not changed;
and the fourth hash value is a hash value obtained by calculating the original data in the storage device in advance by using the hash algorithm.
4. The method of claim 3,
when the second hash value is stored in the external storage after being encrypted by the encryption and decryption algorithm, the comparing whether the first hash value is the same as the second hash value stored in the external storage includes:
decrypting the second hash value using the encryption and decryption algorithm;
comparing whether the first hash value is the same as the decrypted second hash value;
when the fourth hash value is stored in the external storage after being encrypted by the encryption and decryption algorithm, the comparing whether the third hash value is the same as the fourth hash value stored in the external storage includes:
decrypting the fourth hash value using the encryption and decryption algorithm;
and comparing whether the third hash value is the same as the decrypted fourth hash value.
5. The method of claim 2, wherein prior to determining whether the boot data is altered, the method further comprises:
checking whether the storage device and an external storage holding security authentication information are connected to the device;
checking whether security authentication information exists in the external storage when the storage device and the external storage are connected to the device;
and judging whether the boot data is changed or not when the security verification information exists.
6. The method of claim 5, further comprising:
when the boot data is changed, or when the storage device or the external storage is not connected to the device, or when no security verification information exists in the external storage, the boot program of the device is stopped from being executed.
7. The method of claim 6, further comprising:
when the boot data is changed, or when the storage device or the external storage is not connected to the device, or when no security verification information exists in the external storage, displaying corresponding error information on a screen of the device.
8. An apparatus for booting a device, comprising:
the judgment unit is used for judging whether the startup data is changed or not in the process that the BIOS executes the power-on self-test POST when the equipment is started;
and the control unit is used for continuously executing the starting program of the equipment when the starting data is not changed.
9. An apparatus for booting a device, comprising: memory, processor and computer program stored on the memory and executable on the processor, which computer program, when executed by the processor, implements a method of powering on the device according to any one of claims 1 to 7.
10. A computer-readable storage medium, having stored thereon an information processing program which, when executed by a processor, performs the steps of a method of powering on a device as claimed in any one of claims 1 to 7.
CN201911157556.0A 2019-11-22 2019-11-22 Method and device for starting equipment Withdrawn CN110990840A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911157556.0A CN110990840A (en) 2019-11-22 2019-11-22 Method and device for starting equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911157556.0A CN110990840A (en) 2019-11-22 2019-11-22 Method and device for starting equipment

Publications (1)

Publication Number Publication Date
CN110990840A true CN110990840A (en) 2020-04-10

Family

ID=70086076

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911157556.0A Withdrawn CN110990840A (en) 2019-11-22 2019-11-22 Method and device for starting equipment

Country Status (1)

Country Link
CN (1) CN110990840A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021212735A1 (en) * 2020-04-23 2021-10-28 苏州浪潮智能科技有限公司 Method, apparatus, and device for starting server securely, and medium

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021212735A1 (en) * 2020-04-23 2021-10-28 苏州浪潮智能科技有限公司 Method, apparatus, and device for starting server securely, and medium

Similar Documents

Publication Publication Date Title
US9881162B2 (en) System and method for auto-enrolling option ROMS in a UEFI secure boot database
EP2681689B1 (en) Protecting operating system configuration values
US8375437B2 (en) Hardware supported virtualized cryptographic service
US9021244B2 (en) Secure boot administration in a Unified Extensible Firmware Interface (UEFI)-compliant computing device
CN109710315B (en) BIOS (basic input output System) flash writing method and BIOS mirror image file processing method
KR101702289B1 (en) Continuation of trust for platform boot firmware
EP2668566B1 (en) Authenticate a hypervisor with encoded information
US20130067210A1 (en) System and method for recovering from an interrupted encryption and decryption operation performed on a volume
US10803176B2 (en) Bios security
JP6846457B2 (en) Automatic verification method and system
EP3076324A1 (en) Information processing apparatus and method of controlling the apparatus
CN112148314B (en) Mirror image verification method, device and equipment of embedded system and storage medium
US11397815B2 (en) Secure data protection
US20210367781A1 (en) Method and system for accelerating verification procedure for image file
US10482278B2 (en) Remote provisioning and authenticated writes to secure storage devices
US11068599B2 (en) Secure initialization using embedded controller (EC) root of trust
WO2020037613A1 (en) Security upgrade method, apparatus and device for embedded program, and storage medium
US20120011353A1 (en) Information processing apparatus having verification capability of configuration change
CN110874467A (en) Information processing method, device, system, processor and storage medium
US9448888B2 (en) Preventing a rollback attack in a computing system that includes a primary memory bank and a backup memory bank
US20160350537A1 (en) Central processing unit and method to verify mainboard data
CN110990840A (en) Method and device for starting equipment
CN112231649A (en) Firmware encryption processing method, device, equipment and medium
US9064118B1 (en) Indicating whether a system has booted up from an untrusted image
KR20210024070A (en) Safe operation method and system of stored data

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication
WW01 Invention patent application withdrawn after publication

Application publication date: 20200410