CN111046392A - BIOS (basic input output System) credibility measuring method and device and terminal equipment - Google Patents


Info

Publication number
CN111046392A
Authority
CN
China
Prior art keywords
programmable logic
logic unit
bios
measurement
bios program
Prior art date
Legal status
Pending
Application number
CN201911172259.3A
Other languages
Chinese (zh)
Inventor
曹力
张思栋
陈林峰
Current Assignee
Shenzhen Cec Greatwall Information Safety System Co ltd
Original Assignee
Shenzhen Cec Greatwall Information Safety System Co ltd
Application filed by Shenzhen Cec Greatwall Information Safety System Co ltd
Priority to CN201911172259.3A
Publication of CN111046392A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/572 Secure firmware programming, e.g. of basic input output system [BIOS]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/4401 Bootstrapping

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiments of the present application belong to the field of terminal device security protection and provide a BIOS (basic input/output system) trusted measurement method and device, a terminal device, and a computer-readable storage medium. In the method, a programmable logic unit obtains a boot request, obtains the BIOS program in response to the boot request, and performs a trusted measurement on the BIOS program to obtain a measurement result. Because the programmable logic unit measures the obtained BIOS program directly and then starts, or stops starting, the terminal device according to the measurement result, the same programmable logic unit carries out both the trusted measurement of the BIOS program and the start-up work. The BIOS program can therefore be measured without adding a separate measurement card, which saves hardware cost in the terminal device.

Description

BIOS (basic input output System) credibility measuring method and device and terminal equipment
Technical Field
The application belongs to the field of terminal equipment safety protection, and particularly relates to a BIOS (basic input output System) credibility measuring method and device, terminal equipment and a computer readable storage medium.
Background
With the development of information technology, terminal devices such as computers face more and more security threats; in particular, the BIOS program fixed in the memory on the computer's main board is at risk of being tampered with. The BIOS program holds the computer's most basic input/output routines, the power-on self-test program, and the system bootstrap program. If a tampered BIOS program is loaded into the processor of the computer during power-on, reset and similar operations, then once the computer has started, the third party that tampered with the BIOS program can access the computer at will, leading to a series of security problems such as the leakage or loss of important information in the computer.
To solve the above problem, in the prior art a measurement card is added to the computer to perform the trusted measurement on the BIOS program. Once the measurement result shows that the BIOS program is trusted, the trusted BIOS program is loaded into the processor of the computer, and the computer is started securely after operations such as power-on and reset are performed on it through a programmable logic unit.
However, adding a measurement card to perform the trusted measurement on the BIOS program increases the hardware cost of the computer.
Disclosure of Invention
In view of this, an embodiment of the present application provides a method for measuring a computer boot program, so as to solve the problem in the prior art that adding a measurement card to a computer to perform the trusted measurement on the BIOS program increases the hardware cost of the terminal device.
A first aspect of an embodiment of the present application provides a BIOS trusted measurement method, including:
the programmable logic unit acquires a starting-up request;
the programmable logic unit responds to the starting request and acquires a BIOS program;
and the programmable logic unit performs a trusted measurement on the BIOS program to obtain a measurement result, where the measurement result is used to instruct the programmable logic unit to start the terminal device or to stop starting the terminal device.
Optionally, the step of the programmable logic unit obtaining the BIOS program in response to the boot request includes:
the programmable logic unit, in response to the boot request, reads the BIOS program from the memory based on the communication protocol of a preset interface path between the programmable logic unit and the memory.
Optionally, the measurement result is that the BIOS program is trusted or the BIOS program is not trusted;
the programmable logic unit performing the trusted measurement on the BIOS program to obtain the measurement result includes:
the programmable logic unit performs a signature query on the BIOS program;
and if the result of the signature query is "not signed", the measurement result is confirmed to be that the BIOS program is not trusted.
Optionally, after the programmable logic unit performs signature query on the BIOS program, the method further includes:
if the result of the signature query is signed, the programmable logic unit carries out tamper detection on the BIOS program;
and if the tampering detection result is tampered, confirming that the measurement result is that the BIOS program is not credible.
Optionally, after the programmable logic unit performs the trusted measurement on the BIOS program and obtains the measurement result, the method further includes:
if the measurement result is that the BIOS program is credible, the programmable logic unit starts terminal equipment;
and if the measurement result is that the BIOS program is not credible, the programmable logic unit stops starting the terminal equipment.
Optionally, if the measurement result is trusted, the programmable logic unit starts the terminal device, including:
if the measurement result is trusted, the programmable logic unit gates the preset interface path between the memory and the processor, based on the gating relationship of the preset interface path between the programmable logic unit and the memory and the gating relationship of the preset interface path between the programmable logic unit and the processor;
and the programmable logic unit performs power-on reset on the terminal equipment.
Optionally, if the measurement result is trusted, based on a gating relationship of a preset interface path between the programmable logic unit and the memory and a gating relationship of a preset interface path between the programmable logic unit and the processor, the programmable logic unit gates the preset interface path between the memory and the processor, and the method includes:
if the measurement result is trusted, the programmable logic unit generates a first flag bit;
the programmable logic unit judges whether the first flag bit is consistent with a preset flag bit;
and if so, the programmable logic unit conducts (gates) the preset interface path between the memory and the processor.
A second aspect of an embodiment of the present application provides a BIOS trusted measurement apparatus, including:
the acquisition module is used for acquiring a starting request;
the response module is used for responding to the starting request to acquire the BIOS program;
and the measurement module is used for performing the trusted measurement on the BIOS program to obtain the measurement result, where the measurement result is used to instruct the programmable logic unit to start the terminal device or to stop starting the terminal device.
Optionally, the obtaining module includes:
the acquisition submodule is used by the programmable logic unit to read the BIOS program from the memory in response to the boot request, based on the communication protocol of the preset interface path between the programmable logic unit and the memory.
Optionally, the measurement result is that the BIOS program is trusted or the BIOS program is not trusted, and the measurement module includes:
the query submodule is used for carrying out signature query on the BIOS program;
and the first confirmation submodule is used for judging that the measurement result is that the BIOS program is not credible if the result of the signature query is not signed.
Optionally, the measurement module further includes:
the detection submodule is used for detecting tampering of the BIOS program by the programmable logic unit if the result of the signature query is signed;
and the second confirming submodule is used for confirming that the measurement result is that the BIOS program is not credible if the tampering detection result is tampered.
Optionally, the apparatus may further include:
the starting module is used for starting the terminal equipment by the programmable logic unit if the measurement result is that the BIOS program is credible;
and the stop module is used for stopping starting the terminal equipment by the programmable logic unit if the measurement result is that the BIOS program is not credible.
Optionally, the starting module includes:
the gating submodule is used for gating the preset interface passage between the memory and the processor based on the gating relation of the preset interface passage between the programmable logic unit and the memory and the gating relation of the preset interface passage between the programmable logic unit and the processor if the measurement result is credible;
and the power-on reset submodule is used for carrying out power-on reset on the terminal equipment.
Optionally, the gating sub-module includes:
the generating unit is used for generating a first flag bit if the measurement result is trusted;
the judging unit is used for judging whether the first flag bit is consistent with a preset flag bit;
and, if so, the preset interface path between the memory and the processor is conducted (gated).
A third aspect of an embodiment of the present application provides a terminal device, including: the system comprises a memory, a processor, a programmable logic unit and a computer program stored in the memory and capable of running on the programmable logic unit, wherein the programmable logic unit executes the computer program to realize the steps of the BIOS credibility measurement method.
A fourth aspect of an embodiment of the present application provides a computer-readable storage medium storing a computer program that, when executed by the programmable logic unit, performs the steps of the BIOS trusted measurement method described above.
In a fifth aspect, an embodiment of the present application provides a computer program product, which, when run on a terminal device, causes the terminal device to execute the BIOS trust measurement method according to any one of the above first aspects.
It is understood that the beneficial effects of the second aspect to the fifth aspect can be referred to the related description of the first aspect, and are not described herein again.
Compared with the prior art, the embodiments of the present application have the following advantage: after the programmable logic unit obtains the boot request, it directly performs the trusted measurement on the BIOS program it has obtained and produces the measurement result. The programmable logic unit thus carries out both the trusted measurement of the BIOS program and the start-up work, no separate measurement card is needed to measure the BIOS program, and the prior-art problem of increased terminal device hardware cost caused by adding a measurement card is solved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
FIG. 1 is a block diagram of a prior art BIOS trusted measurement system;
FIG. 2 is a block diagram illustrating a structure of a BIOS trusted measurement system according to an embodiment of the present disclosure;
fig. 3 is a schematic flowchart of a BIOS trust measurement method according to a second embodiment of the present application;
fig. 4 is a schematic flowchart of a specific implementation of step S303 in fig. 3, according to the third embodiment of the present application;
fig. 5 is another schematic flowchart of a BIOS trust measurement method according to the fourth embodiment of the present application;
FIG. 6 is a schematic structural diagram of a BIOS trusted measuring device according to a fifth embodiment of the present disclosure;
fig. 7 is a schematic diagram of a terminal device provided in a sixth embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system structures, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
In order to explain the technical solution described in the present application, the following description will be given by way of specific examples.
In the prior art, a measurement card needs to be additionally arranged to perform credible measurement on a BIOS program.
Referring to fig. 1, a schematic block diagram of a prior-art BIOS trusted measurement system, which may be applied to a terminal device including, but not limited to, a computer or a mobile phone. The system may include a measurement card 11, a switch 12, a memory 13, a programmable logic unit 14 and a processor 15, where the switch 12 is connected between the measurement card 11, the memory 13 and the processor 15, and the programmable logic unit 14 is communicatively connected to the measurement card 11 and the processor 15.
The memory is used for storing the BIOS program.
The memory may be a flash EPROM.
The programmable logic unit is used to obtain the boot request and to control the switch so that it gates the preset interface path between the measurement card and the memory.
The programmable logic unit may be a complex programmable logic device (CPLD) or a field programmable gate array (FPGA).
The measurement card is used to obtain the BIOS program from the memory once the preset interface path between the measurement card and the memory has been gated, to perform the trusted measurement on the BIOS program obtained, and, if the measurement result is that the BIOS program is trusted, to send a measurement-success signal to the programmable logic unit.
The measurement card may be a trusted measurement chip.
the preset interface path may be a serial peripheral interface path (SPI).
After receiving the measurement-success signal, the programmable logic unit controls the switch to gate the preset interface path between the memory and the processor, performs a power-on reset on the terminal device, and starts the terminal device.
The switch is used to receive the control signal of the programmable logic unit and, according to it, to gate either the preset interface path between the measurement card and the memory or the preset interface path between the memory and the processor.
The switch is switching hardware capable of gating the preset interface path according to the control signal of the programmable logic unit.
The processor is used to read the BIOS program from the memory and run it once the preset interface path between the processor and the memory has been gated.
As can be seen from the above, the prior-art BIOS trusted measurement system performs the trusted measurement on the BIOS program by means of a measurement card before the terminal device is started, and restarts the terminal device only after the measurement result of the BIOS program is trusted. This achieves the purpose of measuring the BIOS program, but increases the hardware cost of the terminal device.
In the embodiments of the present application, after the programmable logic unit obtains the boot request, it performs the trusted measurement directly on the BIOS program it obtained and produces the measurement result. The programmable logic unit thus carries out both the trusted measurement of the BIOS program and the boot work, no separate measurement card is needed for the trusted measurement, and hardware cost is saved.
The technical solutions provided in the embodiments of the present application will be described below with specific embodiments.
Example one
Referring to fig. 2, a schematic block diagram of the structure of a BIOS trusted measurement system provided in the first embodiment of the present application. The system is applied to a terminal device, including but not limited to a computer or a mobile phone, and may include a programmable logic unit 22, a memory 21 connected to the programmable logic unit, and a processor 23 connected to the programmable logic unit.
The programmable logic unit is used to obtain a boot request, obtain the BIOS program in response to the boot request, and perform the trusted measurement on the BIOS program to obtain a measurement result, where the measurement result is used to instruct the programmable logic unit to start the terminal device or to stop starting the terminal device.
The programmable logic unit may be a complex programmable logic device (CPLD) or a field programmable gate array (FPGA).
The memory is used for storing the BIOS program.
The memory may be a flash EPROM.
The processor is used to read the BIOS program from the memory after the programmable logic unit has started the terminal device.
In the embodiments of the present application, after the programmable logic unit obtains the boot request, it directly performs the trusted measurement on the obtained BIOS program to obtain the measurement result, and then starts or stops starting the terminal device according to that result. Compared with the prior art, in which the BIOS program can only be measured by adding a measurement card, the programmable logic unit here bears both the trusted measurement of the BIOS program and the start-up work; the BIOS program can be measured without adding a measurement card, which saves hardware cost in the terminal device.
Example two
Referring to fig. 3, a flowchart of a BIOS trusted measurement method provided in the second embodiment of the present application. The method may be applied to a terminal device, including but not limited to a computer or a mobile phone, and includes the following steps:
step S301, the programmable logic unit obtains a boot request.
The boot request is a request to start the terminal device that the user sends through a preset interface of the terminal device; for example, the user presses the power key of the terminal device to send the request to start it.
It can be understood that obtaining the boot request is the trigger condition for the programmable logic unit to perform the subsequent steps of obtaining the BIOS program, performing the trusted measurement on it, and finally starting the terminal device.
Step S302, the programmable logic unit responds to the boot request, and obtains the BIOS program.
The BIOS program is a program fixed inside the terminal device that holds the basic input/output functions, the power-on self-test function and the system bootstrap function that the terminal device fundamentally requires.
Specifically, the programmable logic unit, in response to the boot request, reads the BIOS program from the memory based on the communication protocol of the preset interface path between itself and the memory.
The memory is the memory in which the BIOS program is stored, such as a flash memory (flash EPROM);
the preset interface path is a serial peripheral interface (SPI) path.
It should be noted that the BIOS program in this embodiment is fixed in the flash memory of the terminal device.
Where the preset interface path is an SPI path, the programmable logic unit of this embodiment is the master device in the SPI communication protocol, and the memory of this embodiment is the slave device.
It can be understood that SPI operates in master-slave mode, so the programmable logic unit, as master, can actively read the BIOS program from the memory, as slave. For example, the programmable logic unit sends an enable signal to the memory to select it as the slave device, then sends the clock signal under which it reads the BIOS program out of the memory. This has the advantages of simple operation and a high data transfer rate.
Step S303, the programmable logic unit measures the reliability of the BIOS program to obtain a measurement result.
The trusted measurement consists of performing a measurement calculation on the characteristic information of the terminal device's software or hardware, here the BIOS program, and verifying whether that characteristic information is intact, that is, judging through the calculation whether it is trusted;
the measurement result is used to instruct the programmable logic unit to start the terminal device or to stop starting it;
the measurement result is either that the BIOS program is trusted or that it is not trusted.
It can be understood that the programmable logic unit of the embodiments of the present application can directly perform the trusted measurement on the obtained BIOS program to produce the measurement result, and then start the terminal device or stop starting it according to that result.
It should be noted that the background of this embodiment is as follows: in practice, the inventors found that during measurement of the BIOS program in the prior art, only a small part of the programmable logic unit's logic resources is needed for the work of starting the terminal device, and most of its logic resources sit idle. After extensive experimental testing, the inventive concept of using the programmable logic unit both to measure the BIOS program and to perform the subsequent start-up of the terminal device, without increasing hardware cost, was arrived at.
In the embodiments of the present application, the programmable logic unit directly performs the trusted measurement on the obtained BIOS program and subsequently starts or stops starting the terminal device according to the measurement result. The programmable logic unit thus bears both the measurement of the BIOS program and the subsequent start-up of the terminal device, no additional measurement card is needed to measure the BIOS, and hardware cost in the terminal device is saved.
EXAMPLE III
Referring to fig. 4, a flowchart of a specific implementation of step S303 in fig. 3 of the BIOS trusted measurement method, provided in the third embodiment of the present application. The method may be applied to a terminal device, including but not limited to a computer or a mobile phone, and includes the following steps:
step S401, the programmable logic unit obtains a starting request.
Step S402, the programmable logic unit responds to the starting request and acquires the BIOS program.
It should be noted that steps S401 to S402 are the same as steps S301 to S302, and are not described again here.
step S403, the programmable logic unit performs a signature query on the BIOS program.
The signature is a digital signature, that is, a string of digits that only the sender of the information can generate and that others cannot forge; it is also valid proof of the authenticity of the information sent by the sender.
It can be understood that signature processing is performed before the BIOS program is fixed into the memory, so that the signature content produced by that processing is added to the BIOS program. The integrity of the BIOS program, and therefore whether it is trusted, can later be determined from its signature content, and the programmable logic unit of this embodiment can determine whether the BIOS program is trusted by querying whether the BIOS program is signed.
By way of example and not limitation, before the BIOS program is fixed into the memory, each byte in the BIOS file is squared and the results are added using a preset algorithm, which this embodiment refers to as a HASH algorithm, to obtain the signature content. (Note that a sum of byte squares is a checksum rather than a cryptographic signature: it involves no signer's key, and its value does not change when the bytes are reordered.)
Specifically, the programmable logic unit enables a preset privilege, such as root privilege, and issues a query instruction, such as a keytool command, to query whether the BIOS program is signed.
step S404, if the result of the signature query is "not signed", the measurement result is determined to be that the BIOS program is not trusted.
It can be understood that if the programmable logic unit's signature query finds that the BIOS program is not signed, this confirms that the integrity of the BIOS program cannot be established, that is, the BIOS program is not trusted.
step S405, if the result of the signature query is "signed", the programmable logic unit performs tamper detection on the BIOS program.
It can be understood that, if the BIOS program is signed, the programmable logic unit may perform tamper detection on it to verify whether the BIOS program has been tampered with, for example by an implanted trojan, and so further verify whether the BIOS program is trusted.
It should be noted that the BIOS program is a binary file.
Specifically, the programmable logic unit calculates the signature content to be verified for the BIOS program using the preset algorithm, such as the HASH algorithm, and compares it with the signature content carried by the BIOS program. If the signature content to be verified is consistent with the signature content of the BIOS program, the tamper detection result is "not tampered"; if they are inconsistent, the tamper detection result is "tampered".
By way of example and not limitation, the programmable logic unit squares each byte in the BIOS file and adds the results using the same preset algorithm, the HASH algorithm of step S403, to obtain the signature content to be verified.
step S406, if the result of the tamper detection is "tampered", the measurement result is determined to be that the BIOS program is not trusted.
It can be understood that, if the tamper detection result of the BIOS program is "tampered", this confirms that the BIOS program is not intact, that is, the BIOS program is not trusted.
In this embodiment, the programmable logic unit measures the BIOS program through the signature query and the tamper detection to obtain the measurement result of the BIOS program, thereby achieving the purpose of judging whether the BIOS program is trusted.
Example four
Referring to fig. 5, another schematic flow chart of a method for measuring a BIOS trust according to the fourth embodiment of the present application is shown, where the method may be specifically applied to a terminal device, where the terminal device includes but is not limited to a computer, a mobile phone, and the like, and the method includes the following steps:
Step S501, the programmable logic unit obtains a boot request.
Step S502, the programmable logic unit obtains the BIOS program in response to the boot request.
Step S503, the programmable logic unit performs a trusted measurement on the BIOS program to obtain a measurement result, where the measurement result is used to instruct the programmable logic unit to start the terminal device or stop starting the terminal device.
It should be noted that steps S501 to S503 are the same as steps S301 to S303, and are not described again here.
Step S504, if the measurement result is credible, the programmable logic unit starts the terminal equipment.
Specifically, if the measurement result is credible, the programmable logic unit gates the preset interface path between the memory and the processor based on the gating relationship of the preset interface path between the programmable logic unit and the memory and the gating relationship of the preset interface path between the programmable logic unit and the processor, and the programmable logic unit performs power-on reset on the terminal device.
The preset interface path may be a Serial Peripheral Interface (SPI) path.
It should be noted that, under the condition that the preset interface path is the SPI interface path, the programmable logic unit of this embodiment is a master control device in the communication protocol of the SPI interface path, and the memory and the processor of this embodiment are respectively slave control devices in the communication protocol of the SPI interface path.
It can be understood that the operation mode of the SPI interface path is a master-slave mode, that is, the programmable logic unit serving as the master control device can gate the SPI interface path between the memory serving as the slave control device and the processor, so that the processor can read the BIOS program whose measurement result is authentic from the memory, and at the same time, the programmable logic unit performs power-on reset on the terminal device, thereby achieving the purpose of starting the terminal device.
For example, the gating relationship of the preset interface path between the programmable logic unit and the memory may be that the programmable logic unit selects the memory as the slave device by sending an enable signal to the memory;
similarly, the gating relationship of the preset interface path between the programmable logic unit and the processor may be that the programmable logic unit selects the processor as the slave device by sending an enable signal to the processor.
Specifically, if the measurement result is credible, the programmable logic unit may gate the preset interface path between the memory and the processor, based on the gating relationship of the preset interface path between the programmable logic unit and the memory and the gating relationship of the preset interface path between the programmable logic unit and the processor, as follows:
first, if the measurement result is authentic, the programmable logic unit generates a first flag bit.
Wherein, the first flag bit may be 1 or 0.
It should be noted that, when the preset interface path between the programmable logic unit and the memory is gated and when the preset interface path between the programmable logic unit and the processor is gated, the default flag bit of the programmable logic unit is 0.
Then, the programmable logic unit judges whether the first flag bit is consistent with the preset flag bit.
Wherein, the predetermined flag bit may be 1.
And finally, if the first flag bit is consistent with the preset flag bit, the programmable logic unit conducts the preset interface path between the memory and the processor.
It can be understood that, while the preset interface path between the programmable logic unit and the memory is gated, the default flag bit of the programmable logic unit is 0. When the BIOS measurement result is trusted and the programmable logic unit generates a first flag bit consistent with the preset flag bit, i.e., the first flag bit is 1, the programmable logic unit conducts the preset interface path between the memory and the processor through a specific triggering method, for example a bypass method.
Step S505, if the measurement result is not credible, the programmable logic unit stops starting the terminal equipment.
Specifically, if the measurement result is not trusted, the programmable logic unit stops power-on reset of the terminal device, so that the effect of preventing the processor from running an untrusted BIOS program and protecting the terminal device is achieved.
In the embodiment of the application, after the measurement result of the BIOS program is obtained, the terminal device may be subsequently started or stopped starting by the programmable logic unit based on the measurement result of the BIOS program.
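As an added example, not code from the patent or from the applicant, the following Python simulation walks through the tamper detection of Example three (steps S404 to S406, with the sum-of-squared-bytes preset algorithm) and the gating and power-on reset of Example four (steps S501 to S505) in one boot flow. The image layout (a `SIG` trailer holding a 32-bit signature content), the 32-bit truncation of the sum, the sample image bytes and the signal names on the simulated programmable logic unit are all assumptions; the patent fixes none of them. The `detects_reordering` check goes beyond the page to show the property a practitioner would weigh when choosing the preset algorithm: a sum of squares is unchanged by any reordering of the bytes, whereas a cryptographic digest is not.

```python
import hashlib
import struct

# Constructed image layout for this example (the patent fixes none): the BIOS
# body followed by a trailer b"SIG" + a 4-byte big-endian signature content.
SIG_MAGIC = b"SIG"
TRAILER_LEN = len(SIG_MAGIC) + 4
PRESET_FLAG = 1                        # preset flag bit, "may be 1" (Example four)
SAMPLE_BODY = bytes(range(1, 17)) * 4  # constructed stand-in for a BIOS binary


def preset_hash(data: bytes) -> int:
    """The patent's preset algorithm: square every byte and add the squares.
    Truncation to 32 bits is an assumption; the patent states no width."""
    return sum(b * b for b in data) & 0xFFFFFFFF


def sha256_digest(data: bytes) -> bytes:
    """Cryptographic digest, used only for contrast with preset_hash."""
    return hashlib.sha256(data).digest()


def sign_image(body: bytes) -> bytes:
    """Append the signature content (as step S403 would have computed it)."""
    return body + SIG_MAGIC + struct.pack(">I", preset_hash(body))


def signature_query(image: bytes) -> bool:
    """S404: does the BIOS program carry signature content?"""
    return len(image) >= TRAILER_LEN and image[-TRAILER_LEN:-4] == SIG_MAGIC


def tamper_detect(image: bytes) -> bool:
    """S405: recompute the signature content and compare; True means tampered."""
    body, trailer = image[:-TRAILER_LEN], image[-TRAILER_LEN:]
    stored = struct.unpack(">I", trailer[len(SIG_MAGIC):])[0]
    return preset_hash(body) != stored


def measure(image: bytes) -> str:
    """S404-S406: an unsigned or tampered BIOS program is not trusted."""
    if not signature_query(image):
        return "not trusted"
    if tamper_detect(image):
        return "not trusted"
    return "trusted"


def detects_reordering(body: bytes, digest) -> bool:
    """True if `digest` changes when the first two (distinct) bytes are swapped.
    A sum of squares never changes, so it cannot detect byte reordering."""
    swapped = bytes([body[1], body[0]]) + body[2:]
    return digest(body) != digest(swapped)


class ProgrammableLogicUnit:
    """Simulated CPLD/FPGA acting as SPI master (Example four, S501-S505).
    The signal names below are assumed, not taken from the patent."""

    def __init__(self, memory: bytes):
        self.memory = memory          # SPI flash contents holding the BIOS program
        self.flag = 0                 # default flag bit while a PLU<->slave path is gated
        self.mem_enable = False       # enable signal selecting the memory as slave
        self.cpu_enable = False       # enable signal selecting the processor as slave
        self.path_conducted = False   # memory<->processor SPI path (bypass)
        self.power_on_reset = False
        self.result = None

    def read_bios(self) -> bytes:
        """S502: gate the PLU<->memory path via its enable signal and read the image."""
        self.mem_enable = True
        self.flag = 0
        image = self.memory
        self.mem_enable = False
        return image

    def boot(self) -> bool:
        """S501-S505: measure, then start or stop the device. True when started."""
        self.result = measure(self.read_bios())       # S503
        if self.result == "trusted":                  # S504
            self.flag = 1                             # first flag bit
            if self.flag == PRESET_FLAG:
                self.cpu_enable = True                # select processor as slave
                self.path_conducted = True            # conduct memory<->processor path
                self.power_on_reset = True            # power-on reset: device starts
                return True
        self.path_conducted = False                   # S505: untrusted, withhold reset
        self.power_on_reset = False
        return False
```

`ProgrammableLogicUnit(sign_image(SAMPLE_BODY)).boot()` returns True and leaves the memory-to-processor path conducted with power-on reset asserted; the same call on an image whose body was modified, or on an image without a trailer, returns False and withholds the reset. The contrast check shows the page's preset algorithm accepting a byte-swapped body that SHA-256 rejects, which is the property to keep in mind when selecting the preset algorithm for a real device.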
Example six
Next, a description will be given of a BIOS trusted measurement device provided in the sixth embodiment of the present application. The BIOS trusted measurement apparatus of this embodiment corresponds to the BIOS trusted measurement method described above.
Fig. 6 is a schematic structural diagram of a BIOS trusted measurement apparatus according to a sixth embodiment of the present application, where the apparatus may be specifically integrated in a programmable logic unit, where the programmable logic unit includes a CPLD programmable logic unit or an FPGA programmable logic unit, and the apparatus may include:
an obtaining module 61, configured to obtain a power-on request;
a response module 62, configured to respond to the power-on request and obtain a BIOS program;
and a measurement module 63, configured to perform trusted measurement on the BIOS program to obtain a measurement result, where the measurement result is used to instruct the programmable logic unit to start or stop starting the terminal device.
Optionally, the obtaining module includes:
and an acquisition submodule, configured to read the BIOS program from the memory in response to the boot request, based on the protocol of the preset interface path between the programmable logic unit and the memory.
Optionally, the measurement result is that the BIOS program is trusted or the BIOS program is not trusted, and the measurement module includes:
the query submodule is used for carrying out signature query on the BIOS program;
and the first confirmation submodule is used for judging that the measurement result is that the BIOS program is not credible if the result of the signature query is not signed.
Optionally, the measurement module further includes:
the detection submodule is used for detecting tampering of the BIOS program by the programmable logic unit if the result of the signature query is signed;
and the second confirming submodule is used for confirming that the measurement result is that the BIOS program is not credible if the tampering detection result is tampered.
Optionally, the apparatus may further include:
the starting module is used for starting the terminal equipment by the programmable logic unit if the measurement result is that the BIOS program is credible;
and the stop module is used for stopping starting the terminal equipment by the programmable logic unit if the measurement result is that the BIOS program is not credible.
Optionally, the starting module includes:
a gating submodule, configured to gate the preset interface path between the memory and the processor, based on the gating relationship of the preset interface path between the programmable logic unit and the memory and the gating relationship of the preset interface path between the programmable logic unit and the processor, if the measurement result is credible;
and the power-on reset submodule is used for carrying out power-on reset on the terminal equipment.
Optionally, the gating sub-module includes:
a generating unit, configured to generate a first flag bit if the measurement result is credible;
a judging unit, configured to judge whether the first flag bit is consistent with a preset flag bit;
and, if so, the preset interface path between the memory and the processor is conducted.
In the embodiment of the application, after the programmable logic unit obtains the start-up request, the programmable logic unit directly performs the credibility measurement on the obtained BIOS program to obtain the measurement result, and then starts the terminal device or stops starting the terminal device according to the measurement result. The implementation uses the programmable logic unit to undertake both the credibility measurement and the starting of the BIOS program, and can measure the BIOS program without an additional measurement card, thereby saving hardware cost of the terminal equipment.
Example seven
Fig. 7 is a schematic diagram of a terminal device 7 provided in an embodiment of the present application. As shown in fig. 7, the terminal device 7 of this embodiment includes: a processor 70, a memory 71, a programmable logic unit 73, and a computer program 72, such as a measurement program, stored in the memory 71 and executable on the programmable logic unit 73. The programmable logic unit 73 implements the steps of the BIOS trusted measurement method embodiment described above, such as steps S301 to S303 shown in fig. 3, when executing the computer program 72. Alternatively, the programmable logic unit 73 implements the functions of the modules/units in the above-described device embodiments, for example, the functions of the modules 61 to 63 shown in fig. 6, when executing the computer program 72.
Illustratively, the computer program 72 may be partitioned into one or more modules/units that are stored in the memory 71 and executed by the programmable logic unit 70 to accomplish the present application. The one or more modules/units may be a series of computer program instruction segments capable of performing specific functions, which are used to describe the execution process of the computer program 72 in the terminal device 7. For example, the computer program 72 may be divided into an acquisition module, a response module, and a measurement module, and each module has the following specific functions:
the acquisition module is used for acquiring a starting request;
the response module is used for responding to the starting request and acquiring a BIOS program;
and the measurement module is used for carrying out credible measurement on the BIOS program to obtain a measurement result, and the measurement result is used for indicating the programmable logic unit to start the terminal equipment or stop starting the terminal equipment.
The terminal device 7 may be a desktop computer, a notebook, a palm computer, a cloud server, or other computing devices. The terminal device 7 may include, but is not limited to, a processor 70, a memory 71, and a programmable logic unit 73. It will be understood by those skilled in the art that fig. 7 is only an example of the terminal device 7, and does not constitute a limitation to the terminal device 7, and may include more or less components than those shown, or combine some components, or different components, for example, the terminal device 7 may further include an input-output device, a network access device, a bus, etc.
The processor 70 may be a Central Processing Unit (CPU), another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, etc. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 71 may be an internal storage unit of the terminal device 7, such as a hard disk or a memory of the terminal device 7. The memory 71 may also be an external storage device of the terminal device 7, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like, which are provided on the terminal device 7. Further, the memory 71 may also include both an internal storage unit and an external storage device of the terminal device 7. The memory 71 is used for storing the computer programs and other programs and data required by the terminal device 7. The memory 71 may also be used to temporarily store data that has been output or is to be output.
The programmable logic unit may be a Complex Programmable Logic Device (CPLD) or a Field-Programmable Gate Array (FPGA).
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-mentioned division of the functional units and modules is illustrated, and in practical applications, the above-mentioned function distribution may be performed by different functional units and modules according to needs, that is, the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-mentioned functions. Each functional unit and module in the embodiments may be integrated in one processing unit, or each unit may exist alone physically, or two or more units are integrated in one unit, and the integrated unit may be implemented in a form of hardware, or in a form of software functional unit. In addition, specific names of the functional units and modules are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working processes of the units and modules in the system may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed terminal device and method may be implemented in other ways. For example, the above-described terminal device embodiments are merely illustrative, and for example, the division of the modules or units is only one logical function division, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated modules/units, if implemented in the form of software functional units and sold or used as separate products, may be stored in a computer-readable storage medium. Based on such understanding, all or part of the processes in the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium and can implement the steps of the embodiments of the methods described above when the computer program is executed by a programmable logic unit. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB disk, a removable hard disk, a magnetic disk, an optical disk, a computer memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, a software distribution medium, and the like. It should be noted that the content of the computer-readable medium may be appropriately increased or decreased as required by legislation and patent practice in a jurisdiction; for example, in some jurisdictions, computer-readable media do not include electrical carrier signals and telecommunications signals, as required by legislation and patent practice.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present application and are intended to be included within the scope of the present application.

Claims (10)

1. A BIOS credibility measurement method is characterized by comprising the following steps:
the programmable logic unit acquires a starting-up request;
the programmable logic unit responds to the starting request and acquires a BIOS program;
and the programmable logic unit performs credible measurement on the BIOS program to obtain a measurement result, wherein the measurement result is used for indicating the programmable logic unit to start terminal equipment or stop starting the terminal equipment.
2. The BIOS trust measurement method of claim 1, wherein the programmable logic unit obtains the BIOS program in response to the boot request, comprising:
and the programmable logic unit, in response to the boot request, reads the BIOS program from the memory based on the protocol of the preset interface path between the programmable logic unit and the memory.
3. The BIOS trust measurement method of claim 1, wherein the measurement result is that the BIOS program is trusted or the BIOS program is not trusted;
the programmable logic unit performs credibility measurement on the BIOS program to obtain a measurement result, and the measurement result comprises the following steps:
the programmable logic unit carries out signature query on the BIOS program;
and if the result of the signature query is not signed, confirming that the measurement result is that the BIOS program is not credible.
4. The BIOS trust measurement method of claim 3, wherein after the programmable logic unit performs the signature query on the BIOS program, the method further comprises:
if the result of the signature query is signed, the programmable logic unit carries out tamper detection on the BIOS program;
and if the tampering detection result is tampered, confirming that the measurement result is that the BIOS program is not credible.
5. The BIOS trusted measurement method according to any one of claims 1 to 4, after the programmable logic unit performs trusted measurement on the BIOS program to obtain a measurement result, further comprising:
if the measurement result is that the BIOS program is credible, the programmable logic unit starts terminal equipment;
and if the measurement result is that the BIOS program is not credible, the programmable logic unit stops starting the terminal equipment.
6. The BIOS trusted measurement method of claim 5, wherein if the measurement result is trusted, the booting of the terminal device by the programmable logic unit comprises:
if the measurement result is credible, based on the gating relationship of a preset interface path between the programmable logic unit and the memory and the gating relationship of a preset interface path between the programmable logic unit and the processor, the programmable logic unit gates the preset interface path between the memory and the processor;
and the programmable logic unit performs power-on reset on the terminal equipment.
7. The BIOS trusted measurement method of claim 6, wherein if the measurement result is trusted, based on a gating relationship of a preset interface path between a programmable logic unit and a memory and a gating relationship of a preset interface path between the programmable logic unit and a processor, the programmable logic unit gates the preset interface path between the memory and the processor, and the method comprises:
if the measurement result is credible, the programmable logic unit generates a first flag bit;
the programmable logic unit judges whether the first flag bit is consistent with a preset flag bit;
if yes, the programmable logic unit conducts the preset interface path between the memory and the processor.
8. A BIOS trusted measurement apparatus, integrated in a programmable logic unit, comprising:
the acquisition module is used for acquiring a starting request;
the response module is used for responding to the starting request to acquire the BIOS program;
and the measurement module is used for carrying out credible measurement on the BIOS program to obtain a measurement result, and the measurement result is used for indicating the programmable logic unit to start the terminal equipment or stop starting the terminal equipment.
9. A terminal device comprising a memory, a processor, a programmable logic unit and a computer program stored in said memory and executable on said programmable logic unit, characterized in that said programmable logic unit implements the steps of the BIOS trusted measurement method according to any one of claims 1 to 7 when executing said computer program.
10. A computer-readable storage medium storing a computer program which, when executed by a programmable logic unit, carries out the steps of the BIOS trusted measurement method according to any one of claims 1 to 7.
CN201911172259.3A 2019-11-26 2019-11-26 BIOS (basic input output System) credibility measuring method and device and terminal equipment Pending CN111046392A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911172259.3A CN111046392A (en) 2019-11-26 2019-11-26 BIOS (basic input output System) credibility measuring method and device and terminal equipment

Publications (1)

Publication Number Publication Date
CN111046392A true CN111046392A (en) 2020-04-21

Family

ID=70233348

Country Status (1)

Country Link
CN (1) CN111046392A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113138795A (en) * 2021-05-11 2021-07-20 四川创智联恒科技有限公司 SDR-based configurable protocol communication system
CN113627110A (en) * 2021-08-25 2021-11-09 深圳市同泰怡信息技术有限公司 Method and device for measuring credibility of double basic input and output systems and computer equipment
WO2021248934A1 (en) * 2020-06-10 2021-12-16 苏州浪潮智能科技有限公司 Monitoring and control method, circuit and device for on-board trusted platform

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120124356A1 (en) * 2010-11-16 2012-05-17 Datta Shamanna M Methods and apparatuses for recovering usage of trusted platform module
CN103927490A (en) * 2014-04-25 2014-07-16 华为技术有限公司 OS secure startup method and device
CN206209731U (en) * 2016-09-05 2017-05-31 深圳中电长城信息安全系统有限公司 A kind of computer and its mainboard
CN108229132A (en) * 2017-12-27 2018-06-29 北京和利时系统工程有限公司 A kind of safe starting method and device, terminal
CN109784061A (en) * 2018-12-17 2019-05-21 北京华胜天成信息技术发展有限公司 The method and device for starting that control server is credible
CN110163012A (en) * 2019-05-30 2019-08-23 苏州浪潮智能科技有限公司 Mainboard powering method, apparatus and system based on programming device
CN110175478A (en) * 2019-05-30 2019-08-27 苏州浪潮智能科技有限公司 A kind of mainboard powering method, system and programming device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200421