CN112016090A - Secure computing card, and measurement method and system based on secure computing card - Google Patents

Secure computing card, and measurement method and system based on secure computing card

Info

Publication number: CN112016090A
Authority: CN (China)
Prior art keywords: card, platform system, module, computing platform, trusted
Legal status: Granted
Application number: CN201910463688.XA
Other languages: Chinese (zh)
Other versions: CN112016090B (en)
Inventors: 肖鹏 (Xiao Peng), 付颖芳 (Fu Yingfang)
Current assignee: Alibaba Group Holding Ltd
Original assignee: Alibaba Group Holding Ltd

Events:
Application filed by Alibaba Group Holding Ltd
Priority to CN201910463688.XA
Publication of CN112016090A
Application granted
Publication of CN112016090B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575 Secure boot
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information
    • G06F21/77 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information in smart cards

Abstract

The invention discloses a secure computing card, and a measurement method and a measurement system based on the secure computing card. The secure computing card is independent of the host computing platform system and comprises a trusted module, a storage module and a processor module. The trusted module measures the host computing platform system to obtain a second measurement result; the storage module stores a second trusted reference value for the host computing platform system; and the processor module compares the second measurement result with the second trusted reference value, determines that the host computing platform system is not trusted when the two do not satisfy a second preset condition, and stops the host computing platform system from starting.

Description

Secure computing card, and measurement method and system based on secure computing card
Technical Field
The invention relates to the field of computers, in particular to a secure computing card, and a measurement method and a measurement system based on the secure computing card.
Background
Trusted computing is computing that relies on a hardware security module within a computing and communication system in order to raise the security of the whole system. It is carried out according to the trusted-computing standards of the international Trusted Computing Group (TCG), built around the Trusted Platform Module (TPM). Under the TCG/TPM standard the TPM is the root of trust: when the system starts, the devices and applications that make up the system are measured stage by stage, and every measurement value is faithfully recorded in a Platform Configuration Register (PCR) inside the TPM hardware.
Trusted remote attestation works as follows: a trusted platform system (also called a local trusted server) faithfully reports the PCR values recorded in its TPM to a remote verifier (the challenger), and the verifier compares them with the correct PCR reference values. If the reported values equal the reference values, remote attestation passes and the server is trusted; if they differ, remote attestation fails, meaning that the PCR values recorded in the server's TPM are not the expected ones, that is, a module measured during system boot has been tampered with and the server is not trusted.
This approach records the measurement value of each module during the start-up of the trusted platform system (the host computing platform system) and only performs remote attestation, reporting the measurement values, after start-up has completed. It is therefore an after-the-fact alarm: by the time the mismatch is detected, any malicious module code has already executed during boot. In the related art, then, the measurement process during trusted platform start-up cannot stop the boot in time when a module has been maliciously tampered with, and the security protection is insufficient.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiments of the invention provide a secure computing card, and a measurement method and measurement system based on it, to at least solve the technical problem in the related art that, during the measurement process of trusted platform system start-up, malicious tampering of a module cannot stop the start-up in time and the security protection is insufficient.
According to one aspect of an embodiment of the invention, a secure computing card independent of the host computing platform system is provided, comprising: a trusted module for measuring the host computing platform system through a first interface to obtain a second measurement result; a storage module for storing a second trusted reference value corresponding to the host computing platform system; and a processor module for comparing the second measurement result obtained by the trusted module with the second trusted reference value stored by the storage module, determining that the host computing platform system is not trusted when the two do not satisfy a second preset condition, and stopping the host computing platform system from starting.
According to another aspect of the embodiments of the invention, a measurement method based on a secure computing card is provided, the secure computing card being independent of the host computing platform system, comprising: the secure computing card measures the host computing platform system to obtain a second measurement result; the secure computing card compares the second measurement result with a second trusted reference value corresponding to the host computing platform system, the second trusted reference value being stored in the secure computing card; and when the second measurement result and the second trusted reference value do not satisfy a second preset condition, the secure computing card determines that the host computing platform system is not trusted and stops it from starting.
According to a further aspect of the embodiments of the invention, a measurement method based on a secure computing card is provided, where the secure computing card is independent of the host computing platform system and comprises a trusted module, a storage module and a processor module: the secure computing card measures the host computing platform system through a first interface by means of the trusted module to obtain a second measurement result; the secure computing card stores, in the storage module, a second trusted reference value corresponding to the host computing platform system; and the secure computing card uses the processor module to compare the second measurement result obtained by the trusted module with the second trusted reference value stored by the storage module, determines that the host computing platform system is not trusted when the two do not satisfy a second preset condition, and stops the host computing platform system from starting.
According to yet another aspect of an embodiment of the invention, a measurement system based on a secure computing card is provided, comprising the secure computing card and a host computing platform system, where the secure computing card is independent of the host computing platform system and comprises a trusted module, a storage module and a processor module. The trusted module measures the secure computing card itself to obtain a first measurement result and/or measures the host computing platform system through a first interface to obtain a second measurement result; the storage module stores a first trusted reference value corresponding to the secure computing card and a second trusted reference value corresponding to the host computing platform system; and the processor module compares the first measurement result obtained by the trusted module with the first trusted reference value stored in the storage module, determines that the secure computing card is not trusted when the two do not satisfy a first preset condition, and stops the secure computing card from starting; and/or compares the second measurement result obtained by the trusted module with the second trusted reference value stored in the storage module, determines that the host computing platform system is not trusted when the two do not satisfy a second preset condition, and stops the host computing platform system from starting.
According to an aspect of the embodiments of the invention, a storage medium storing a program is provided, where the program, when executed by a processor, causes the processor to execute any of the above measurement methods based on the secure computing card.
According to another aspect of an embodiment of the present invention, there is provided a computer apparatus including: a memory and a processor, the memory storing a computer program; the processor is configured to execute the computer program stored in the memory, and when the computer program runs, the processor is enabled to execute any one of the above-mentioned measurement methods based on the secure computing card.
According to yet another aspect of an embodiment of the invention, a secure computing card independent of the host computing platform system is provided, comprising: a trusted module for measuring the host computing platform system through a first interface to obtain a measurement result of the host computing platform system; a storage module for storing a trusted reference value corresponding to the host computing platform system; and a processor module for comparing the measurement result of the host computing platform system obtained by the trusted module with the trusted reference value stored by the storage module, determining that the host computing platform system is not trusted when the measurement result and the trusted reference value do not satisfy a second preset condition, and stopping the host computing platform system from starting.
In the embodiments of the invention the secure computing card is independent of the host computing platform system. Measurement of both the secure computing card and the host computing platform system is carried out by the card's own, independently configured hardware and software, so the security function is realised without relying on the host computing platform system; the card is therefore plug-and-play, and both cost and flexibility are taken into account. Moreover, when either the secure computing card or the host computing platform system fails measurement, its start-up is stopped in time, which solves the technical problem in the related art that malicious module tampering during the measurement process of trusted platform start-up cannot stop the start-up in time and the security protection is insufficient.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 shows a block diagram of the hardware architecture of a computer terminal for a secure computing card-based measurement method;
FIG. 2 is a flowchart of the trust-chain transfer of the TCG/TPM trusted standard on which embodiments of the present invention are based;
FIG. 3 is a schematic diagram of SGX encrypted computation, shown for comparison, according to an embodiment of the present invention;
FIG. 4 is a block diagram of a secure computing card according to embodiment 1 of the present invention;
FIG. 5 is a flowchart of a first secure computing card-based measurement method according to embodiment 1 of the present invention;
FIG. 6 is a flowchart of a second secure computing card-based measurement method according to embodiment 1 of the present invention;
FIG. 7 is a schematic illustration of the separation of computation and protection in a secure computing card according to a preferred embodiment of the present invention;
FIG. 8 is a diagram of the logical architecture of a general-purpose secure computing card provided according to an embodiment of the present invention;
FIG. 9 is a functional block diagram of a general-purpose secure computing card provided according to an embodiment of the present invention;
FIG. 10 is a block diagram of a secure computing card-based measurement system according to embodiment 1 of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, some terms appearing in the description of the embodiments of the present application are explained as follows:
Trusted computing: a technology developed and promoted by the international Trusted Computing Group (TCG), in which a trusted computing platform backed by a hardware security module is used within a computing and communication system to improve the overall security of the system. With trusted computing the computer consistently behaves in the expected manner, and this behaviour is guaranteed by both the hardware and the software, using a hardware security module that the rest of the system cannot access.
Trusted Platform Module (TPM): an international standard for a secure cryptoprocessor, written by the TCG, that protects hardware by integrating cryptographic keys into the device through a dedicated microcontroller. A TPM security chip is a security chip conforming to the TPM standard; it is generally bound physically to the computing platform, so that the PC can be effectively protected and illegal user access prevented.
TPCM (Trusted Platform Control Module): China's independent and controllable trusted node. It embeds the root of trust and adds a control function to the root of trust on top of the TPM design, realising active control and measurement based on cryptography. The TPCM starts before the CPU and verifies the BIOS, departing from the traditional view of the TPM as a passive device and giving the TPCM active control over the whole platform.
SGX (Intel Software Guard Extensions): an extension of the Intel Architecture (IA) intended to strengthen the security of programs. Rather than trying to identify and isolate every malicious program on the platform, it encapsulates the security-sensitive operations of a legitimate program in an enclave, so that they are protected from attack: no privileged or unprivileged program can access the enclave, and once code and data are inside the enclave, even the operating system or the VMM (hypervisor) cannot affect them. The security boundary of an enclave contains only the CPU and the enclave itself, and an enclave created by SGX can also be understood as a Trusted Execution Environment (TEE).
PCR (Platform Configuration Register): non-persistent secure storage space provided by a trusted security chip. PCRs hold the measurement extend values, are used to prove the integrity of the platform to outside parties, and can be used to prove the integrity of the measurement log.
Example 1
An embodiment of the present invention also provides a method embodiment of the measurement method based on the secure computing card. It is noted that the steps illustrated in the flowchart of the figures may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is shown in the flowchart, in some cases the steps illustrated or described may be performed in an order different from the one presented here.
The method provided by the first embodiment of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. Fig. 1 shows a block diagram of the hardware structure of a computer terminal (or mobile device) for the secure computing card-based measurement method. As shown in Fig. 1, the computer terminal 10 (or mobile device 10) may include one or more processors 102 (shown as 102a, 102b, ..., 102n; the processors 102 may include, but are not limited to, a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA)) and a memory 104 for storing data. In addition, the computer terminal may include a transmission module, a display, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be one of the ports of the I/O interface), a network interface, a power source, and/or a camera. Those skilled in the art will understand that the structure shown in Fig. 1 is only an illustration and does not limit the structure of the electronic device. For example, the computer terminal 10 may include more or fewer components than shown in Fig. 1, or have a different configuration from that shown in Fig. 1.
It should be noted that the one or more processors 102 and/or other data processing circuitry described above may be referred to generally herein as "data processing circuitry". The data processing circuitry may be embodied in whole or in part in software, hardware, firmware, or any combination thereof. Further, the data processing circuitry may be a single stand-alone processing module, or incorporated in whole or in part into any of the other elements of the computer terminal 10 (or mobile device). As referred to in the embodiments of the application, the data processing circuitry serves as a form of processor control (for example, selection of a variable-resistance termination path connected to the interface).
The memory 104 may be used to store the software programs and modules of application software, such as the program instructions and data storage corresponding to the measurement method in the embodiment of the present invention; the processor 102 executes various functional applications and data processing by running the software programs and modules stored in the memory 104, thereby implementing the secure computing card-based measurement method of the application program. The memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102 and connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission module is used for receiving or sending data through a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission module includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission module may be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with a user interface of the computer terminal 10 (or mobile device).
Fig. 2 is a flowchart of the trust-chain transfer defined by the TCG/TPM trusted standard on which the embodiment of the present invention is based. As shown in Fig. 2, the standard takes the TPM as the root of trust and measures the devices and applications of the system stage by stage during start-up: the chain begins at the root of trust for measurement in the Basic Input/Output System (BIOS), which measures the BIOS initial boot block; the initial boot block measures the BIOS main block; the BIOS main block measures the remainder of the BIOS and the Operating System (OS) loader; the OS loader measures the OS kernel; and so on, until trust has been handed from the starting point all the way to the applications and the network. All measurement values are faithfully recorded in a Platform Configuration Register (PCR) inside the TPM hardware.
However, the measurement values of the modules are only recorded during start-up, and the remote attestation that reports them is performed after start-up has finished. This is an after-the-fact alarm: by the time the report is checked, malicious module code has already executed during boot. In addition, trusted computing is usually used to prove the security state of the system and lacks the necessary protection for applications and data.
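As an added illustration (it is not part of the patent text), the following Python simulates the TCG flow just described: each boot stage is hashed, extended into a PCR and then executed, and only after the whole chain has run does a challenger verify a quote over the PCR against the reference value. The attestation identity key signature is stood in for by an HMAC under a key assumed to be held only by the TPM, and the firmware, loader and kernel images are constructed byte strings; both are assumptions of the example. The verdict for the tampered chain is "untrusted", but the executed-module list shows that the tampered loader and the kernel after it had already run.

```python
import hashlib
import hmac
import secrets

PCR_INIT = bytes(32)  # a PCR reads as all zeros after platform reset


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TCG extend operation: PCR_new = H(PCR_old || digest).
    The result depends on every value extended and on their order."""
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(modules):
    """Measure-then-execute along the chain of trust.

    `modules` is an ordered list of (name, code_bytes). Returns the final PCR
    value, the measurement log reported with it, and the modules that ran.
    Nothing here prevents a tampered module from running once measured.
    """
    pcr = PCR_INIT
    log, executed = [], []
    for name, code in modules:
        digest = hashlib.sha256(code).digest()
        pcr = pcr_extend(pcr, digest)   # record the measurement in the TPM
        log.append((name, digest))
        executed.append(name)           # ...and hand control to the module
    return pcr, log, executed


def replay_log(log):
    """Recompute the PCR from a reported log; the PCR authenticates the log."""
    pcr = PCR_INIT
    for _, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def make_quote(aik_key: bytes, nonce: bytes, pcr: bytes) -> bytes:
    """Assumption: an HMAC under a key that only the TPM holds stands in for the
    TPM's signature with its attestation identity key over (nonce || PCR)."""
    return hmac.new(aik_key, nonce + pcr, hashlib.sha256).digest()


def verify_quote(aik_key, nonce, pcr, log, quote, reference_pcr):
    """Challenger side: freshness and signature, then log consistency,
    then comparison with the reference PCR value."""
    if not hmac.compare_digest(make_quote(aik_key, nonce, pcr), quote):
        return "invalid quote"      # wrong key, or a replayed quote for an old nonce
    if replay_log(log) != pcr:
        return "log mismatch"       # reported log does not explain the PCR
    if not hmac.compare_digest(pcr, reference_pcr):
        return "untrusted"          # some stage differs from the known-good build
    return "trusted"


# Constructed stand-ins for the firmware, loader and kernel images of one platform.
GOOD_CHAIN = [("bios_boot_block", b"bios-boot-block-v1"),
              ("bios_main", b"bios-main-v1"),
              ("os_loader", b"os-loader-v1"),
              ("os_kernel", b"os-kernel-v1")]
TAMPERED_CHAIN = [(n, b"evil-" + c if n == "os_loader" else c) for n, c in GOOD_CHAIN]
AIK_KEY = b"key-assumed-to-live-only-inside-the-tpm"
REFERENCE_PCR = measured_boot(GOOD_CHAIN)[0]   # golden value from a known-good boot


def boot_then_attest(chain, nonce=None):
    """The after-the-fact cycle: boot completely, then answer the challenge."""
    nonce = nonce or secrets.token_bytes(16)
    pcr, log, executed = measured_boot(chain)
    quote = make_quote(AIK_KEY, nonce, pcr)
    verdict = verify_quote(AIK_KEY, nonce, pcr, log, quote, REFERENCE_PCR)
    return verdict, executed


if __name__ == "__main__":
    print(boot_then_attest(GOOD_CHAIN))
    # "untrusted" arrives only after os_loader and os_kernel have already run
    print(boot_then_attest(TAMPERED_CHAIN))
```

The nonce is what makes a quote fresh: a quote produced for an earlier challenge is rejected even though its PCR value is correct, and a log that does not replay to the reported PCR is rejected before the reference comparison is reached.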
Fig. 3 is a schematic diagram of SGX encrypted computation, shown for comparison, according to an embodiment of the present invention. As shown in Fig. 3, Intel SGX uses instructions provided by the CPU to reserve a region of physical memory (the Enclave Page Cache, EPC) and maps the enclave in the application's address space onto that region. The region is encrypted, and every access to it is checked and address-translated by the memory control unit (MC) in the CPU.
When the processor executes enclave code, the CPU switches to a new mode, enclave mode, which enforces additional hardware checks on every memory access. Because the data lives in the EPC, the memory contents of the EPC are encrypted by the Memory Encryption Engine (MEE) to defeat known memory attacks such as memory sniffing. EPC contents are decrypted only when they enter the CPU (the caches) and are re-encrypted when they are written back out of the CPU, so the data in EPC memory is always ciphertext. The memory encryption key is generated inside the CPU and never leaves it; it is distinct from the sealing key that SGX derives for each enclave for persisting that enclave's data, and those sealing keys differ from enclave to enclave.
Different application programs run at the same time in the host's physical DRAM, but each enclave's pages are isolated by the hardware access checks and appear in DRAM only as ciphertext; this is the isolated, encrypted computation that SGX provides on the host memory. Security boundary: only the CPU package ever sees enclave plaintext; outside the package, on the memory bus and in system memory, only ciphertext is visible, so both memory-bus snooping and system-memory snooping fail.
Although SGX protects application programs and data, its platform requirements are demanding: at the time of filing, among server processors only the Intel Xeon E3 line supported SGX, an SGX-capable CPU had at most 8 cores and the EPC at most 256 MB, which does not meet performance requirements in the cloud. Furthermore, SGX's encryption keys derive from the Intel CPU root key, which is held by Intel; neither the user nor the cloud vendor can obtain the corresponding keys. And if the CPU itself is not trusted, or has a serious security vulnerability, the SGX secure computing scheme fails completely.
In summary, TPM trusted attestation is after-the-fact and gives insufficient protection to application programs and data. Encrypted computation, meanwhile, is mainly based on Intel SGX: it lets users run their own data in a cloud environment with confidence that it cannot be snooped by the cloud operator, but SGX is constrained by its platform requirements (at the time of filing only the Intel Xeon E3 server processors supported it), cannot meet cloud performance requirements, and keeps both the keys and the trust starting point inside the Intel CPU, so its support for general computing platforms is poor. The embodiment of the present invention therefore provides a general-purpose secure computing card, based on trusted computing and encrypted computation, that can be plugged into an ordinary server to provide a secure computing function and certain security-management functions.
In view of the above-mentioned shortcomings, a secure computing card as shown in fig. 4 is provided in an embodiment of the present invention. Fig. 4 is a block diagram of a secure computing card according to embodiment 1 of the present invention, and as shown in fig. 4, the secure computing card is independent of a host computing platform system, and includes: the trusted module is used for measuring the main computing platform system through the first interface to obtain a second measurement result; the storage module is used for storing a second credible reference value corresponding to the main computing platform system; and the processor module is used for comparing the second measurement result obtained by the credible module with a second credible reference value stored by the storage module, determining that the main computing platform system is not credible under the condition that the second measurement result and the second credible reference value do not meet a second preset condition, and stopping starting the main computing platform system.
As an optional embodiment, the trusted module is further configured to measure the security computing card itself to obtain a first measurement result; the storage module is also used for storing a first credible reference value corresponding to the safety calculation card; the processor module is further configured to compare the first measurement result obtained by the trusted module with a first trusted reference value stored by the storage module, determine that the secure computing card is not trusted when the first measurement result and the first trusted reference value do not satisfy a first preset condition, and stop starting the secure computing card.
As an alternative embodiment, the secure computing card is independent from the host computing platform system, wherein the secure computing card is independent from the host computing platform system as an independent security protection system, has its own secure hardware and software, does not use any computing resource of the host computing platform system, has its own independent trusted module, storage module and processor module, and accomplishes the security protection function of the entire secure computing card through the implemented functions of the respective modules.
As an optional embodiment, the trusted module is configured to measure the secure computing card itself to obtain a first measurement result, and/or to measure the host computing platform system through the first interface to obtain a second measurement result. Because the secure computing card has its own independent hardware and software, measuring the card means measuring the modules it contains in sequence, with the trusted module as the root of trust. For example, the card's hardware is measured first: the processor module and the storage module, where the storage module may include a volatile memory module that works with the processor module to provide the card's internal computing function, and may also include a non-volatile storage module that stores application programs and data. After that the card's software is measured, for example the card's system-on-chip (SoC) operating system. It should be noted that all of the hardware and software owned by the secure computing card may be measured, or only part of it, or only specified contents of it; the scope is chosen flexibly according to specific requirements.
As an alternative embodiment, when the trusted module measures the host computing platform system through the first interface, the first interface may be an interface dedicated to measuring the host computing platform, for example an SPI low-speed bus interface: the card receives the data that the host computing platform system transmits to it over the SPI low-speed bus interface and measures the host computing platform system according to that data. When the host computing platform system is measured, the secure computing card acts as the root of trust for the hardware and software included in the host computing platform system. As with the card itself, all of the host's hardware and software may be measured, or only part of it, or only specified contents of it, selected flexibly according to specific requirements.
As an optional embodiment, when the trusted module both measures the secure computing card itself to obtain the first measurement result and measures the host computing platform system through the first interface to obtain the second measurement result, the trusted module may measure the secure computing card itself before it measures the host computing platform system. That is, the secure computing card measures the host computing platform system only after it has measured itself and established its own trustworthiness, so that the host computing platform system is judged trustworthy only on a basis that is itself trusted. The secure computing card therefore provides the function of a root of trust: the trust measurement of the host computing platform system is anchored in the card as a trusted basis.
As an alternative embodiment, the storage module stores a first trusted reference value corresponding to the secure computing card and a second trusted reference value corresponding to the host computing platform system. The first trusted reference value corresponding to the secure computing card may include the trusted reference values of all measurement objects included in the secure computing card, for example the trusted reference values of the measurement objects of the card's hardware, and also the trusted reference values of the measurement objects of the application programs and data included in the card. Likewise, the second trusted reference value corresponding to the host computing platform system may include the trusted reference values of all measurement objects included in the host computing platform system, for example the trusted reference values of the measurement objects of the host's hardware, and also the trusted reference values of the measurement objects of the application programs and data included in the host computing platform system.
As an optional embodiment, the processor module compares the first measurement result obtained by the trusted module with the first trusted reference value stored in the storage module, and when the first measurement result and the first trusted reference value do not satisfy a first preset condition, determines that the secure computing card is not trusted and stops starting the secure computing card. That is, the secure computing card acts as an independent security measurement device: when it measures itself, the first measurement result is compared with the first trusted reference value stored in the card, and if the comparison does not satisfy the first preset condition the card can be determined directly to be untrusted, i.e. to have been illegally tampered with, and its start-up is stopped. It should be noted that during the start-up of the secure computing card, as soon as a measurement object is found to be untrusted, the start of that measurement object can be stopped immediately. An untrusted object is thus identified during local start-up, without sending the measurement result to a remote verifier to authenticate whether it is legitimate, so an untrusted start is stopped efficiently and in time.
As an alternative embodiment, when the first measurement result is compared with the first trusted reference value stored in the secure computing card and the card is determined directly to be untrusted because the comparison does not satisfy the first preset condition, the first preset condition may be expressed as a range or as a numerical value. For example, when expressed as a range, the condition is whether the difference between the first measurement result and the stored first trusted reference value lies within that range; if it does not, the first preset condition is not satisfied. For another example, when expressed as a numerical value, the first measurement result is compared directly with the stored first trusted reference value, and if the two are not identical the first preset condition is not satisfied. Which comparison is used can be selected flexibly according to specific requirements.
As an optional embodiment, the processor module compares the second measurement result obtained by the trusted module with the second trusted reference value stored in the storage module, and when the second measurement result and the second trusted reference value do not satisfy a second preset condition, determines that the host computing platform system is not trusted and stops starting the host computing platform system. That is, the secure computing card acts as an independent security measurement device: when it measures the host computing platform system, the second measurement result is compared with the second trusted reference value stored in the card, and if the comparison does not satisfy the second preset condition the host computing platform system can be determined directly to be untrusted, i.e. to have been illegally tampered with, and its start-up is stopped. It should be noted that during the start-up of the host computing platform system, as soon as a measurement object is found to be untrusted, the start of that measurement object can be stopped immediately. An untrusted object is thus identified during local start-up, without sending the measurement result to a remote verifier to authenticate whether it is legitimate, so an untrusted start is stopped efficiently and in time.
As an alternative embodiment, when the processor module compares the second measurement result obtained by the trusted module with the second trusted reference value stored in the storage module and determines that the host computing platform system is not trusted because the comparison does not satisfy the second preset condition, the second preset condition may likewise be expressed as a range or as a numerical value. When expressed as a range, the condition is whether the difference between the second measurement result and the stored second trusted reference value lies within that range; if it does not, the second preset condition is not satisfied. When expressed as a numerical value, the second measurement result is compared directly with the stored second trusted reference value, and if the two are not identical the second preset condition is not satisfied. Which comparison is used can be selected flexibly according to specific requirements.
As an alternative embodiment, the secure computing card may further comprise a network module for transmitting data to and from an external network through a second interface and to and from the host computing platform system through a third interface, where the external network is any network other than the secure computing card and the host computing platform system. The processor module is further configured to decrypt ciphertext data that enters the secure computing card through the second interface and transmit the decrypted data to the host computing platform system through the third interface, and to encrypt plaintext data that comes out of the host computing platform system through the third interface and transmit the encrypted data to the external network through the second interface. That is, the secure computing card, as an independent security device, exchanges data with the external network through the second interface and with the host computing platform system through the third interface: ciphertext entering from the external network is decrypted and then passed to the host computing platform system, and plaintext coming out of the host computing platform system is encrypted and then passed to the external network. Only the secure computing card can process the raw data directly, and the data remains secret with respect to the external network, which ensures its security. It should be noted that the second interface connecting the secure computing card with the external network may be bidirectional, i.e. data may be transmitted from the secure computing card to the external network or from the external network to the secure computing card. The third interface connecting the secure computing card with the host computing platform system may likewise be bidirectional, transferring data from the secure computing card to the host computing platform system or from the host computing platform system to the secure computing card.
As an optional embodiment, the network module is further configured to, when it receives a sensitive-application write request from a user who holds the in-card write permission, write the requested sensitive application into the storage module through the second interface. In this way the secure computing card achieves a degree of isolation for sensitive applications: only a user with the in-card write permission can write a sensitive application into the card, which protects the sensitive application. It should be noted that the storage module may be a stable non-volatile storage module, so that the sensitive application is stored safely and is not lost.
As an alternative embodiment, when a sensitive application in the secure computing card is called, the card first authenticates the permission of the user making the call, so that the sensitive application executes safely; the call is allowed only when the user is determined to hold the in-card call permission. In addition, when the secure computing card receives a sensitive-application call request from a user with the in-card call permission, the trusted module in the card measures the sensitive application that is requested; the processor module executes the sensitive application only when the trusted module's measurement shows that the integrity of the requested sensitive application has not been damaged. The secure computing card therefore protects not only the platform system but also the application program.
As an alternative embodiment, when a process of the host computing platform system is accessed, the secure computing card first authenticates the permission of the user who needs to access that process, so that the process executes safely; the access is allowed only when the user is determined to hold the process access permission of the host computing platform system. In addition, when the secure computing card receives a process access request from a user with the process access permission of the host computing platform system, the trusted module of the card measures the application process requested; the processor module executes the application process only when the trusted module's measurement shows that the integrity of the requested application process has not been damaged. The secure computing card therefore protects not only the platform system but also, according to the specific access rules, the secure access of application processes.
As an alternative embodiment, the secure computing card may further comprise a policy configuration interface for configuring the mandatory access control (MAC) rules used for process access control. Providing a policy configuration interface makes process access control flexibly configurable, so that access is controlled according to a specific configured rule.
As an alternative embodiment, the secure computing card may also provide additional functions. For example, using its processor module, the secure computing card may determine the cause of a failure of the host computing platform system from the running-status log of the host computing platform system, and/or control firmware upgrade and firmware recovery of the host computing platform. That is, when the host computing platform system fails, the cause is determined and measures are taken to clear the failure, which safeguards the security of the host computing platform system.
In the embodiment of the invention, the secure computing card is independent of the host computing platform system, and the measurement of both the secure computing card and the host computing platform system is realized by the card's own independent configuration. The security function is thus realized independently, without depending on the host computing platform system, which gives a plug-and-play capability and balances cost and flexibility. Moreover, when the secure computing card and the host computing platform system are measured, a start-up whose measurement fails can be stopped in time. This solves the problem in the related art that, when a module has been maliciously tampered with during the measurement of a trusted platform system's start-up, the start-up cannot be stopped in time and security protection is insufficient.
In an embodiment of the present invention, a measurement method based on the secure computing card is further provided. Fig. 5 is a flowchart of a first secure computing card-based measurement method according to embodiment 1 of the present invention, in which the secure computing card is independent of the host computing platform system. As shown in fig. 5, the method includes the following steps:
step S502, the secure computing card measures the host computing platform system to obtain a second measurement result;
step S504, the secure computing card compares the second measurement result with a second trusted reference value corresponding to the host computing platform system, where the second trusted reference value is stored in the secure computing card;
step S506, when the second measurement result and the second trusted reference value do not satisfy a second preset condition, the secure computing card determines that the host computing platform system is not trusted and stops starting the host computing platform system.
As an optional embodiment, the secure computing card further measures itself to obtain a first measurement result; the secure computing card compares the first measurement result with a first trusted reference value corresponding to the secure computing card, where the first trusted reference value is stored in the secure computing card; and when the first measurement result and the first trusted reference value do not satisfy a first preset condition, the secure computing card determines that it is not trusted and stops its own start-up.
As an alternative embodiment, the measurement method based on the secure computing card is applied to the secure computing card of the embodiment and preferred embodiments described with reference to fig. 4. The following steps correspond respectively to the functional modules above and are not described again here; refer to the corresponding description.
As an alternative embodiment, the secure computing card decrypts ciphertext data entering the secure computing card from an external network and transmits the decrypted data to the host computing platform system, and encrypts plaintext data coming out of the host computing platform system and transmits the encrypted data to the external network, where the external network is a network outside the secure computing card and the host computing platform system.
As an alternative embodiment, the secure computing card receives a sensitive-application write request, and when the user corresponding to the request holds the in-card write permission, writes the requested sensitive application into the secure computing card.
As an optional embodiment, when the secure computing card receives a sensitive-application call request from a user who holds the in-card call permission, it measures the requested sensitive application, and executes the sensitive application only when the measurement shows that the integrity of the requested sensitive application has not been damaged.
As an optional embodiment, when the secure computing card receives a process access request from a user who holds the process access permission of the host computing platform system, it measures the application process requested, and executes the application process only when the trusted module's measurement shows that the integrity of the requested application process has not been damaged.
As an alternative embodiment, the secure computing card configures the mandatory access control (MAC) rules for process access control through the policy configuration interface.
As an alternative embodiment, when the host computing platform system fails, the secure computing card determines the cause of the failure from the running-status log of the host computing platform system, and/or controls firmware upgrade and firmware recovery of the host computing platform.
In an embodiment of the present invention, a further measurement method based on the secure computing card is provided. Fig. 6 is a flowchart of a second secure computing card-based measurement method according to embodiment 1 of the present invention, in which the secure computing card is independent of the host computing platform system and includes a trusted module, a storage module and a processor module. As shown in fig. 6, the method includes the following steps:
step S602, the secure computing card measures the host computing platform system through the first interface using the trusted module, obtaining a second measurement result;
step S604, the secure computing card stores, in the storage module, a second trusted reference value corresponding to the host computing platform system;
step S606, the secure computing card uses the processor module to compare the second measurement result obtained by the trusted module with the second trusted reference value stored in the storage module, and when the second measurement result and the second trusted reference value do not satisfy a second preset condition, determines that the host computing platform system is not trusted and stops starting the host computing platform system.
As an optional embodiment, the secure computing card further measures itself through the trusted module to obtain a first measurement result; stores, in the storage module, a first trusted reference value corresponding to the secure computing card; and uses the processor module to compare the first measurement result obtained by the trusted module with the first trusted reference value stored in the storage module, and when the first measurement result and the first trusted reference value do not satisfy a first preset condition, determines that the secure computing card is not trusted and stops starting the secure computing card.
As an alternative embodiment, this secure computing card-based measurement method is applied to the system formed by the secure computing card and the host computing platform system of the embodiment and preferred embodiments described with reference to fig. 4; the steps executed correspond to the modules of the secure computing card and are not described again here; refer to the corresponding description.
As an alternative embodiment, the secure computing card further comprises a network module for transmitting data between the secure computing card and an external network through a second interface of the network module, and between the secure computing card and the host computing platform system through a third interface, where the external network is a network outside the secure computing card and the host computing platform system. Through its processor module the secure computing card decrypts ciphertext data that enters the card through the second interface and transmits the decrypted data to the host computing platform system through the third interface, and encrypts plaintext data coming out of the host computing platform system through the third interface and transmits the encrypted data to the external network through the second interface.
Based on the above examples and preferred embodiments, a further preferred embodiment is described below.
Fig. 7 is a schematic diagram of the separation of computing and protection in a secure computing card according to the preferred embodiment of the present invention. As shown in fig. 7, the protection system (the secure computing card) is separated from the computing system (the host computing platform system): all security protection operations run in the protection system, using the protection system's own secure hardware and secure system, completely isolated from the computing system. The secure computing card is an independent protection system that isolates the host computing platform system from the network; it uses its own processor, memory and storage modules and does not use the computing resources of the host computing platform.
The independent secure computing card has at least the following advantages:
(1) A security platform covering all security scenarios: the security protection function is separated from the host computing platform system, and one general secure computing card can flexibly realize a variety of security functions.
(2) Plug-and-play, balancing cost and flexibility: the general secure computing card is no longer bound by the configuration or other requirements of any particular computing platform (for example the host computing platform system described in this application). Inserting the secure computing card into a computing platform turns it into a secure computing platform; removing it leaves an ordinary computing platform, and inserting the general secure computing card into any ordinary computing platform likewise turns it into a secure computing platform. All resources of the original computing platform remain available for computing, so performance and cost are unaffected.
(3) A decoupled general platform that evolves independently: the evolution and feature integration of the secure computing card are independent of the host computing platform and are developed separately.
Fig. 8 is a logical architecture diagram of a general secure computing card provided according to an embodiment of the present invention. As shown in fig. 8, the general secure computing card may include a processor module, a trusted module, a volatile memory module, a non-volatile storage module and a network module.
The hardware interfaces of the general secure computing card may include a Serial Peripheral Interface (SPI) low-speed bus interface, a Peripheral Component Interconnect Express (PCIE) high-speed bus interface, and a network module I/O interface.
The trusted module performs trusted measurement verification of the host computing platform system's platform through the SPI low-speed bus interface.
The processor module, which may be an x86, ARM or FPGA computing unit, provides computing power inside the secure computing card.
The volatile memory module, together with the processor module, provides the card's computing capability.
The non-volatile storage module stores the trusted reference values, application programs and data.
The network module exchanges data with the outside through the network I/O interface and with the host computing platform system through the PCIE high-speed interface.
External ciphertext data that enters the general secure computing card is decrypted by the card's processor and memory modules before being transmitted to the host computing platform system; plaintext data produced by the host computing platform system is likewise encrypted by the secure computing card before being transmitted to the external network.
Fig. 9 is a functional block diagram of a general secure computing card provided according to an embodiment of the present invention. As shown in fig. 9, the functions of the general secure computing card mainly include platform metrics, application metrics, data security, remote attestation and other functions, each described below.
Platform metrics
(1) During the start-up of the secure computing card, the trusted module measures the card's own platform: with the trusted module as the root of trust, it measures the processor module, then the volatile memory module, the non-volatile storage module and the network module, and finally the card's system-on-chip (SoC) operating system.
(2) The start-up of the host computing platform system is measured by the secure computing card through the SPI low-speed interface, realizing the trusted measurement of the host computing platform system: with the secure computing card as the root of trust, it measures the BIOS initial boot block, then the BIOS main boot block, the rest of the BIOS, the OS loader, the OS kernel and so on, finally completing the chain of trust from the start point through to applications and the network.
(3) The non-volatile storage module stores the trusted reference value of each measured module. In the two trusted measurement processes above, each measurement value is compared with its trusted reference value as soon as it is obtained; when the measurement value of a module differs from its reference value, the start-up process is stopped immediately and a platform-untrusted alarm is raised.
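The measurement chain just described (card modules first, then the host boot chain, with each measurement checked locally against the reference value in non-volatile storage and the start-up halted at the first mismatch) is the same mechanism the earlier embodiments describe for the first and second measurement results and their preset conditions, and for steps S502 to S506 and S602 to S606. The following is an added example of that logic, not the patent's own code: SHA-256 stands in for the trusted module's hash engine, the module images are constructed byte strings, and a dict stands in for the non-volatile storage module. Only the exact-match ("numerical value") form of the preset condition is implemented, because a digest is either identical to its reference or it is not; the range form only makes sense for measurements that are numbers rather than hashes.

```python
"""Measured boot with local reference checking.

Added example, not the patent's own code. SHA-256 stands in for the trusted
module's hash engine, the module images are constructed byte strings, and the
reference dict stands in for the non-volatile storage module.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Measurement order taken from the platform metrics section of the page:
# card hardware and SoC first, then the host boot chain.
CARD_CHAIN = ["processor", "volatile_memory", "nonvolatile_storage", "network", "soc"]
HOST_CHAIN = ["bios_initial_boot", "bios_main_boot", "bios_rest", "os_loader", "os_kernel"]


def measure(image: bytes) -> str:
    """Measurement of one object: the SHA-256 digest of its image."""
    return hashlib.sha256(image).hexdigest()


class BootAborted(Exception):
    """Raised when a module's measurement fails its trusted reference check."""

    def __init__(self, stage: str, module: str, measured: List[str]) -> None:
        super().__init__(f"{stage}: {module} failed its trusted reference check")
        self.stage = stage
        self.module = module
        self.measured = measured      # modules that passed before the abort


def measured_boot(chain: List[str], images: Dict[str, bytes],
                  references: Dict[str, str], stage: str) -> List[str]:
    """Measure each module of `chain` in order and compare with its reference.

    Exact-match form of the preset condition: a digest either equals its
    reference or it does not. compare_digest keeps the comparison constant-time.
    """
    passed: List[str] = []
    for name in chain:
        digest = measure(images[name])
        if not hmac.compare_digest(digest, references[name]):
            raise BootAborted(stage, name, passed)   # stop at the first untrusted object
        passed.append(name)
    return passed


def boot(card_images: Dict[str, bytes], host_images: Dict[str, bytes],
         references: Dict[str, str]) -> Tuple[str, Optional[str], List[str]]:
    """Card first, host second: the host is only measured from a trusted card.

    Returns (status, failing_module, modules_that_passed) so the caller can see
    exactly where the chain stopped, with no remote verifier involved.
    """
    passed: List[str] = []
    try:
        passed += measured_boot(CARD_CHAIN, card_images, references, "card")
        passed += measured_boot(HOST_CHAIN, host_images, references, "host")
    except BootAborted as exc:
        return ("aborted:" + exc.stage, exc.module, passed + exc.measured)
    return ("trusted", None, passed)


def golden() -> Tuple[Dict[str, bytes], Dict[str, bytes], Dict[str, str]]:
    """Constructed module images and the reference values provisioned from them."""
    card = {n: f"card-image:{n}:v1".encode() for n in CARD_CHAIN}
    host = {n: f"host-image:{n}:v1".encode() for n in HOST_CHAIN}
    refs = {n: measure(img) for n, img in {**card, **host}.items()}
    return card, host, refs


if __name__ == "__main__":
    card, host, refs = golden()
    print(boot(card, host, refs))
    print(boot(card, dict(host, bios_main_boot=b"host-image:bios_main_boot:backdoored"), refs))
    print(boot(dict(card, soc=b"card-image:soc:modified"), host, refs))
```

A tampered host BIOS main block stops the chain at that block, after every card module has passed; a tampered card SoC stops the chain before any host module is touched, which is the "measure the card before the host" ordering of the embodiment.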
Application metrics
1. Sensitive application isolation
(1) First, a user with the in-card write permission writes their own sensitive application directly into the non-volatile storage module of the secure computing card through the network I/O interface.
(2) Then, a user with the in-card call permission may call the sensitive application inside the card; after the secure computing card receives the call request, it measures the integrity of the application with the trusted module, and allows the application to execute in the card only if the sensitive application's integrity is intact.
(3) User sensitive applications are only allowed to execute inside the secure computing card, completely physically isolated from the computing resources of the host computing platform. Unlike SGX, which provides only virtual isolation by cryptographic means, the isolation here is physical.
2. Process access control
(1) Process access permissions on the host computing platform system are controlled by the secure computing card.
(2) The secure computing card provides a mandatory access control (MAC) mechanism with policy configuration: only the specified authority may call a specified application process on the host computing platform, and execution is allowed only if the integrity of the specified application process is intact.
(3) The secure computing card provides a policy configuration interface for configuring the MAC rules for process access control.
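Both mechanisms above, and the corresponding earlier embodiments for sensitive-application write and call requests and for host process access, have the same shape: a default-deny rule lookup for the requesting authority, followed by an integrity measurement that must match the stored reference before anything executes. The following added example (not the patent's own code) puts both behind one MAC rule table; the rule list stands in for the policy configuration interface, SHA-256 for the trusted module's integrity measurement, dicts for the non-volatile storage module, and the user names, application names and images are constructed.

```python
"""Sensitive-application isolation and MAC process access control on the card.

Added example, not the patent's own code. The rule list stands in for the
policy configuration interface, SHA-256 for the trusted module's integrity
measurement, and dicts for the non-volatile storage module. User names,
application names and images are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class MacRule:
    subject: str          # the authority (user or role) the rule grants to
    target: str           # a sensitive app in the card or a process on the host
    ops: FrozenSet[str]   # subset of {"write", "call", "access"}


class AccessDenied(Exception):
    pass


class IntegrityViolation(Exception):
    pass


def measure(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def execute_in_card(name: str, image: bytes) -> str:
    """Stand-in for running the app on the card's own processor; returns a
    receipt that binds the app name to the image that was actually measured."""
    return f"{name}@{measure(image)[:16]}"


class SecureCard:
    def __init__(self, policy: List[MacRule], host_references: Dict[str, str]) -> None:
        self.policy = list(policy)                 # MAC rules, default deny
        self.app_store: Dict[str, bytes] = {}      # non-volatile storage: app images
        self.app_refs: Dict[str, str] = {}         # reference values recorded at write time
        self.host_refs = dict(host_references)     # provisioned references for host processes

    def permitted(self, subject: str, target: str, op: str) -> bool:
        """Mandatory access control: allowed only under an explicit rule."""
        return any(r.subject == subject and r.target == target and op in r.ops
                   for r in self.policy)

    def write_sensitive_app(self, subject: str, name: str, image: bytes) -> str:
        if not self.permitted(subject, name, "write"):
            raise AccessDenied(f"{subject}: no in-card write permission for {name}")
        self.app_store[name] = image
        self.app_refs[name] = measure(image)
        return self.app_refs[name]

    def call_sensitive_app(self, subject: str, name: str) -> str:
        if not self.permitted(subject, name, "call"):
            raise AccessDenied(f"{subject}: no in-card call permission for {name}")
        digest = measure(self.app_store[name])            # measure before every call
        if not hmac.compare_digest(digest, self.app_refs[name]):
            raise IntegrityViolation(f"{name}: integrity damaged")
        return execute_in_card(name, self.app_store[name])

    def access_host_process(self, subject: str, name: str, process_image: bytes) -> str:
        if not self.permitted(subject, name, "access"):
            raise AccessDenied(f"{subject}: no access permission for host process {name}")
        digest = measure(process_image)
        if not hmac.compare_digest(digest, self.host_refs[name]):
            raise IntegrityViolation(f"host process {name}: integrity damaged")
        return digest   # host may start the process; the measured digest is the evidence


def raises(exc_type, fn, *args) -> bool:
    """True if fn(*args) raises exc_type (used to check denials)."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    policy = [
        MacRule("alice", "kms_signer", frozenset({"write", "call"})),
        MacRule("bob", "kms_signer", frozenset({"call"})),
        MacRule("ops", "db_server", frozenset({"access"})),
    ]
    card = SecureCard(policy, {"db_server": measure(b"host:db_server:v3")})
    card.write_sensitive_app("alice", "kms_signer", b"app:kms_signer:v1")
    print(card.call_sensitive_app("bob", "kms_signer"))
    print(raises(AccessDenied, card.write_sensitive_app, "bob", "kms_signer", b"x"))
    print(raises(AccessDenied, card.access_host_process, "mallory", "db_server", b"host:db_server:v3"))
```

The integrity check is repeated on every call rather than only at write time, so an image altered in storage after it was written is refused even when the caller holds the call permission; the policy check comes first, so an unauthorised caller learns nothing about the application's integrity state.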
Data security
(1) The secure computing card leaves the factory with a built-in root key, which is written into the hardware fuse by physical means.
(2) A user application generates its application data encryption key (Seal Key) by combining its own measurement value with the root key (Fuse Key). Different user applications therefore obtain different Seal Keys.
(3) All application data entering and leaving the secure computing card is encrypted with that application's Seal Key; data crosses the card boundary as ciphertext, and plaintext is visible only inside the secure computing card.
(4) Ciphertext data enters the host computing platform after being decrypted by the secure computing card, and return data from the host computing platform enters the network after being encrypted by the secure computing card.
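The Seal Key derivation in (2) and the ciphertext-in/ciphertext-out rule in (3), as an added illustration that is not code from the patent. The page does not name the KDF or cipher; HMAC-SHA256 keyed by the fuse root key is assumed as the KDF, the fuse key value and application images are constructed, and the stdlib-only encrypt-then-MAC construction stands in for the hardware cipher a real card would use.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the root key burned into the hardware fuse at the factory.
# A real card never exposes this value; it stays inside the card.
FUSE_ROOT_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

NONCE_LEN = 16
TAG_LEN = 32


def measure_application(app_image: bytes) -> bytes:
    """Trusted-module measurement of an application image (SHA-256 digest)."""
    return hashlib.sha256(app_image).digest()


def derive_seal_key(fuse_root_key: bytes, app_measurement: bytes) -> bytes:
    """Seal Key = KDF(fuse root key, application measurement).

    Because the measurement is a KDF input, two different applications, or one
    application after tampering, obtain different Seal Keys and cannot read
    each other's sealed data.
    """
    return hmac.new(fuse_root_key, b"seal-key|" + app_measurement, hashlib.sha256).digest()


def _subkeys(seal_key: bytes) -> tuple:
    enc_key = hmac.new(seal_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(seal_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC so the example needs only the stdlib;
    # a production card would use a hardware AEAD such as AES-GCM instead.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(seal_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Only this blob leaves the card."""
    enc_key, mac_key = _subkeys(seal_key)
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(seal_key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag fails (wrong application key or tampering)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(seal_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


# Constructed sample application images and their per-application Seal Keys.
APP_A = b"constructed sensitive application A"
APP_B = b"constructed sensitive application B"
SEAL_KEY_A = derive_seal_key(FUSE_ROOT_KEY, measure_application(APP_A))
SEAL_KEY_B = derive_seal_key(FUSE_ROOT_KEY, measure_application(APP_B))


def cross_application_check(record: bytes) -> dict:
    """Seal a record under application A and try to unseal it under A, under B, and after tampering."""
    blob = seal(SEAL_KEY_A, record)
    tampered = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 0x01]) + blob[NONCE_LEN + 1:]
    return {
        "own_key": unseal(SEAL_KEY_A, blob),
        "other_app_key": unseal(SEAL_KEY_B, blob),
        "tampered_blob": unseal(SEAL_KEY_A, tampered),
    }


if __name__ == "__main__":
    print(cross_application_check(b"plaintext visible only inside the card"))
```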
Remote attestation
Remote attestation flow: the secure computing card reports the PCR values recorded in the card to a remote verifier (challenger); the remote verifier determines whether the host computing platform system is trusted by comparing them with the correct PCR reference values (Reference PCR).
Other functions
(1) The secure computing card can be preloaded with a system monitoring application that monitors the running state of the host computing platform in real time through the PCIE high-speed interface; the monitoring application executes in isolation inside the secure computing card.
(2) After the host computing platform fails, the secure computing card reports and analyzes the running state log of the host computing platform and locates the cause of the failure.
(3) The secure computing card executes applications such as firmware upgrade and firmware recovery of the host computing platform through the PCIE high-speed interface; these too execute in isolation inside the secure computing card.
Compared with the after-the-fact reporting mechanism of TPM trusted computing, the preferred embodiment provides a trust verification mechanism during the boot process, and verifies not only the trust measurement of the host computing platform system but also the trust measurement of the secure computing card. In addition to platform trust verification, it adds trust measurement verification of application processes: an application process may be called only if its integrity has not been damaged, and a designated application process may be called only by the designated authority, which realizes mandatory access control of processes.
Furthermore, compared with SGX, which is restricted to Intel platforms and in which Intel controls the keys and the trust starting point, the preferred embodiment restricts neither the host computing platform system (any general computing platform becomes a secure computing platform by plugging in a secure computing card) nor the processor platform of the secure computing card (ARM, X86, FPGA and the like). The secure computing card provides security-oriented computing resources without affecting the performance of the host computing platform system. Moreover, all SGX applications run in the same physical memory with virtual isolation implemented by memory encryption, whereas the secure computing card of the preferred embodiment uses physical isolation: sensitive applications do not run in the memory of the host computing platform system at all, but use the computing environment of the secure computing card itself.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
Example 2
In an embodiment of the present invention, a secure computing card-based measurement system is further provided. Fig. 10 is a block diagram of the structure of the secure computing card-based measurement system according to embodiment 1 of the present invention. As shown in fig. 10, the secure computing card-based measurement system 10 includes a secure computing card 11 and a host computing platform system 12, wherein the secure computing card is independent of the host computing platform system and comprises a trusted module, a storage module and a processor module. The trusted module is used for measuring the secure computing card to obtain a first measurement result and/or measuring the host computing platform system through a first interface to obtain a second measurement result. The storage module is used for storing a first trusted reference value corresponding to the secure computing card and a second trusted reference value corresponding to the host computing platform system. The processor module is used for comparing the first measurement result obtained by the trusted module with the first trusted reference value stored by the storage module, determining that the secure computing card is not trusted when the first measurement result and the first trusted reference value do not satisfy a first preset condition, and stopping the start of the secure computing card; and/or comparing the second measurement result obtained by the trusted module with the second trusted reference value stored by the storage module, determining that the host computing platform system is not trusted when the second measurement result and the second trusted reference value do not satisfy a second preset condition, and stopping the start of the host computing platform system.
In the embodiments corresponding to the secure computing card-based measurement method and system, the secure computing card is independent of the host computing platform system, so the measurement of the secure computing card and of the host computing platform system can be realized by the independent configuration of the secure computing card. This achieves the purpose of realizing the security function independently of the host computing platform system, and thereby plug-and-play operation with both cost and flexibility taken into account. Moreover, when the secure computing card and the host computing platform system are measured, the start of whichever fails its measurement can be stopped in time, which solves the technical problems in the related art that malicious module tampering may exist during the measurement process of starting a trusted platform system, the start cannot be stopped in time, and the security protection is insufficient.
It should be noted here that the secure computing card-based measurement system corresponds to steps S602 to S606 of fig. 6 in embodiment 1 described above. The examples and application scenarios realized by the measurement system based on the secure computing card are the same as those of the corresponding steps, but are not limited to the disclosure of embodiment 1 above. It should be noted that the modules described above as part of the apparatus may run in the computer terminal 10 provided in the first embodiment.
Example 3
Embodiments of the present invention may provide a secure computing card, independent of a host computing platform system, comprising a trusted module, a storage module and a processor module, wherein the trusted module is used for measuring the host computing platform system through a first interface to obtain a measurement result of the host computing platform system; the storage module is used for storing a trusted reference value corresponding to the host computing platform system; and the processor module is used for comparing the measurement result of the host computing platform system obtained by the trusted module with the trusted reference value of the host computing platform system stored by the storage module, and for determining that the host computing platform system is not trusted and stopping its start when the measurement result and the trusted reference value of the host computing platform system do not satisfy a second preset condition.
As an optional embodiment, the trusted module is further configured to measure the secure computing card itself to obtain a measurement result of the secure computing card; the storage module is further used for storing a trusted reference value corresponding to the secure computing card; and the processor module is further used for comparing the measurement result of the secure computing card obtained by the trusted module with the trusted reference value of the secure computing card stored by the storage module, and for determining that the secure computing card is not trusted and stopping its start when the measurement result and the trusted reference value of the secure computing card do not satisfy the first preset condition.
It should be noted here that when the secure computing card both measures itself to obtain its own measurement result and measures the host computing platform system through the first interface to obtain the host's measurement result, the measurement of the secure computing card itself may be performed before the measurement of the host computing platform system through the first interface. That is, the secure computing card measures the host computing platform system only after it has measured itself and found itself trusted, which ensures that the host computing platform system is measured, and determined to be trusted, on a trusted basis. The secure computing card thus provides the function of a root of trust: it serves as the trusted basis on which the trust measurement of the host computing platform system is realized.
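The two-stage ordering just described (card measures itself first, host only on a trusted basis) and the remote attestation flow from the preferred embodiment, as one added example that is not code from the patent. It assumes TPM-style PCR extension (new PCR = SHA-256(old PCR || measurement)), takes each "preset condition" to be equality with the stored reference, and uses constructed image bytes; the PCR report to the verifier is left unsigned for brevity.

```python
import hashlib
from dataclasses import dataclass, field

PCR_INITIAL = bytes(32)   # PCRs start at all-zero, as in TPM practice


def measure(image: bytes) -> bytes:
    """Trusted-module measurement of one image: its SHA-256 digest."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || measurement). Order-dependent by design."""
    return hashlib.sha256(pcr + measurement).digest()


def expected_pcr(images) -> bytes:
    """Reference PCR an enrolment step would store for a known-good image sequence."""
    pcr = PCR_INITIAL
    for image in images:
        pcr = extend(pcr, measure(image))
    return pcr


@dataclass
class ReferenceValues:
    card_pcr: bytes   # first trusted reference value (for the card itself)
    host_pcr: bytes   # second trusted reference value (for the host platform)


@dataclass
class SecureComputingCard:
    refs: ReferenceValues
    pcr: dict = field(default_factory=lambda: {"card": PCR_INITIAL, "host": PCR_INITIAL})
    card_started: bool = False
    host_started: bool = False

    def _measure_into(self, name: str, images) -> bytes:
        for image in images:
            self.pcr[name] = extend(self.pcr[name], measure(image))
        return self.pcr[name]

    def boot(self, card_images, host_images) -> str:
        # Stage 1: the card measures itself; on mismatch the card's own start is stopped
        # and the host is never measured (its PCR stays at the initial value).
        if self._measure_into("card", card_images) != self.refs.card_pcr:
            return "card untrusted: card start stopped"
        self.card_started = True
        # Stage 2: only on a trusted basis does the card measure the host through the
        # first interface; a mismatch stops the host from starting.
        if self._measure_into("host", host_images) != self.refs.host_pcr:
            return "host untrusted: host start stopped"
        self.host_started = True
        return "trusted: host started"

    def quote(self) -> dict:
        """PCR report sent to the remote verifier (unsigned in this illustration)."""
        return dict(self.pcr)


def remote_verify(quote: dict, refs: ReferenceValues) -> bool:
    """Remote verifier compares the reported PCRs with its Reference PCR values."""
    return quote["card"] == refs.card_pcr and quote["host"] == refs.host_pcr


# Constructed known-good images and the references enrolled from them.
CARD_IMAGES = [b"card bootloader v1", b"card trusted module firmware v1"]
HOST_IMAGES = [b"host BIOS v1", b"host OS loader v1", b"host kernel v1"]
REFS = ReferenceValues(expected_pcr(CARD_IMAGES), expected_pcr(HOST_IMAGES))


def boot_and_attest(card_images, host_images) -> tuple:
    """Run one boot; return (outcome, card started, host started, remote attestation ok)."""
    card = SecureComputingCard(REFS)
    outcome = card.boot(card_images, host_images)
    return outcome, card.card_started, card.host_started, remote_verify(card.quote(), REFS)


if __name__ == "__main__":
    print(boot_and_attest(CARD_IMAGES, HOST_IMAGES))
    print(boot_and_attest(CARD_IMAGES, HOST_IMAGES[:-1] + [b"host kernel (tampered)"]))
    print(boot_and_attest([b"card bootloader (tampered)"] + CARD_IMAGES[1:], HOST_IMAGES))
```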
Example 4
Embodiments of the present invention may provide a computer terminal (or referred to as a computer device), where the computer terminal may be any one computer terminal device in a computer terminal group. Optionally, in this embodiment, the computer terminal may also be replaced with a terminal device such as a mobile terminal.
Optionally, in this embodiment, the computer terminal may be located in at least one network device of a plurality of network devices of a computer network.
Optionally, in this embodiment, the computer device may include: a memory and a processor, the memory storing a computer program; a processor for executing a computer program stored in the memory, the computer program when executed causing the processor to perform the method of any of the above.
The memory may be used to store software programs and modules, such as the program instructions/modules corresponding to the secure computing card-based measurement method and apparatus in the embodiments of the present invention; the processor executes various functional applications and data processing by running the software programs and modules stored in the memory, that is, implements the secure computing card-based measurement method described above. The memory may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory may further include memory located remotely from the processor, and such remote memory may be connected to the computer terminal through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The processor can call the information and application program stored in the memory through the transmission device to execute the following steps, where the secure computing card is independent of the host computing platform system: the secure computing card measures the host computing platform system to obtain a second measurement result; the secure computing card compares the second measurement result with a second trusted reference value corresponding to the host computing platform system, wherein the second trusted reference value is stored in the secure computing card; and when the second measurement result and the second trusted reference value do not satisfy the second preset condition, the secure computing card determines that the host computing platform system is not trusted and stops the start of the host computing platform system.
Optionally, the processor may further execute the program code of the following steps: the secure computing card measures itself to obtain a first measurement result; the secure computing card compares the first measurement result with a first trusted reference value corresponding to the secure computing card, wherein the first trusted reference value is stored in the secure computing card; and when the first measurement result and the first trusted reference value do not satisfy the first preset condition, the secure computing card determines that it is not trusted and its start is stopped.
Optionally, the processor may further execute the program code of the following steps: the secure computing card decrypts ciphertext data entering the secure computing card from an external network and transmits the ciphertext data to the main computing platform system, and encrypts plaintext data coming out of the main computing platform system and transmits the encrypted plaintext data to the external network, wherein the external network is a network outside the secure computing card and the main computing platform system.
Optionally, the processor may further execute the program code of the following steps: the secure computing card receives a sensitive application write request; and under the condition that the user corresponding to the sensitive application writing request has the in-card writing permission, the secure computing card writes the sensitive application requested to be written into the secure computing card.
Optionally, the processor may further execute the program code of the following steps: when the secure computing card receives a sensitive application call request from a user with in-card call authority, it measures the sensitive application requested to be called; and the secure computing card executes the sensitive application when the measurement shows that the integrity of the sensitive application requested to be called has not been damaged.
Optionally, the processor may further execute the program code of the following steps: when the secure computing card receives a process access request from a user with process access authority on the host computing platform system, it measures the application process requested to be accessed; and the secure computing card executes the application process when the trusted module's measurement shows that the integrity of the application process requested to be accessed has not been damaged.
Optionally, the processor may further execute the program code of the following steps: and the security computing card configures the MAC rule of the mandatory access control of the process access control through a policy configuration interface.
Optionally, the processor may further execute the program code of the following steps: and under the condition that the main computing platform system has a fault, the safety computing card determines the fault reason of the main computing platform system according to the running state log of the main computing platform system and/or controls the firmware upgrading and the firmware recovery of the main computing platform.
The processor can also call the information and application program stored in the memory through the transmission device to execute the following steps: the secure computing card is independent of the host computing platform system and comprises a trusted module, a storage module and a processor module; the secure computing card measures the host computing platform system through a first interface using the trusted module to obtain a second measurement result; the secure computing card stores a second trusted reference value corresponding to the host computing platform system in the storage module; and the secure computing card, through the processor module, compares the second measurement result obtained by the trusted module with the second trusted reference value stored by the storage module, determines that the host computing platform system is not trusted when the second measurement result and the second trusted reference value do not satisfy a second preset condition, and stops the start of the host computing platform system.
Optionally, the processor may further execute the program code of the following steps: the secure computing card measures itself using the trusted module to obtain a first measurement result; the secure computing card stores a first trusted reference value corresponding to the secure computing card in the storage module; and the secure computing card, through the processor module, compares the first measurement result obtained by the trusted module with the first trusted reference value stored by the storage module, determines that the secure computing card is not trusted when the first measurement result and the first trusted reference value do not satisfy the first preset condition, and stops the start of the secure computing card.
Optionally, the processor may further execute the program code of the following steps: the secure computing card further comprises: the network module is used for transmitting data between the security computing card and an external network through a second interface of the network module and transmitting data between the security computing card and the main computing platform system through a third interface, wherein the external network is a network outside the security computing card and the main computing platform system; the secure computing card decrypts the ciphertext data entering the secure computing card through the second interface through the processor module and transmits the ciphertext data to the main computing platform system through the third interface; and encrypting the plaintext data coming out of the main computing platform system through the third interface, and transmitting the encrypted plaintext data to an external network through the second interface.
In the embodiment of the invention, the secure computing card is independent of the host computing platform system, so the measurement of the secure computing card and of the host computing platform system can be realized by the independent configuration of the secure computing card, achieving the purpose of realizing the security function without depending on the host computing platform system; plug-and-play operation is thereby realized with both cost and flexibility taken into account. Moreover, when the secure computing card and the host computing platform system are measured, the start of whichever fails its measurement can be stopped in time, which solves the technical problems in the related art that malicious module tampering may exist during the measurement process of starting a trusted platform system, the start cannot be stopped in time, and the security protection is insufficient.
It can be understood by those skilled in the art that the computer terminal may also be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palmtop computer, a Mobile Internet Device (MID), a PAD, etc. The embodiment of the invention does not limit the structure of the electronic device. For example, the computer devices described above may also include more or fewer components (e.g., network interfaces, display devices, etc.), or have different configurations.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
Example 5
The embodiment of the invention also provides a storage medium. Optionally, in this embodiment, the storage medium may be configured to store a program code corresponding to any secure computing card-based measurement method provided in embodiment 1, and when the program code is executed by the processor, the processor is controlled to execute any secure computing card-based measurement method.
Optionally, in this embodiment, the storage medium may be located in any one of computer terminals in a computer terminal group in a computer network, or in any one of mobile terminals in a mobile terminal group.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps, where the secure computing card is independent of the host computing platform system: the secure computing card measures the host computing platform system to obtain a second measurement result; the secure computing card compares the second measurement result with a second trusted reference value corresponding to the host computing platform system, wherein the second trusted reference value is stored in the secure computing card; and when the second measurement result and the second trusted reference value do not satisfy the second preset condition, the secure computing card determines that the host computing platform system is not trusted and stops the start of the host computing platform system.
Optionally, in this embodiment, the storage medium is further configured to store program code for performing the following steps: the secure computing card measures itself to obtain a first measurement result; the secure computing card compares the first measurement result with a first trusted reference value corresponding to the secure computing card, wherein the first trusted reference value is stored in the secure computing card; and when the first measurement result and the first trusted reference value do not satisfy the first preset condition, the secure computing card determines that it is not trusted and its start is stopped.
Optionally, in this embodiment, the storage medium is further configured to store program code for performing the following steps: the secure computing card decrypts ciphertext data entering the secure computing card from an external network and transmits the ciphertext data to the main computing platform system, and encrypts plaintext data coming out of the main computing platform system and transmits the encrypted plaintext data to the external network, wherein the external network is a network outside the secure computing card and the main computing platform system.
Optionally, in this embodiment, the storage medium is further configured to store program code for performing the following steps: the secure computing card receives a sensitive application write request; and under the condition that the user corresponding to the sensitive application writing request has the in-card writing permission, the secure computing card writes the sensitive application requested to be written into the secure computing card.
Optionally, in this embodiment, the storage medium is further configured to store program code for performing the following steps: when the secure computing card receives a sensitive application call request from a user with in-card call authority, it measures the sensitive application requested to be called; and the secure computing card executes the sensitive application when the measurement shows that the integrity of the sensitive application requested to be called has not been damaged.
Optionally, in this embodiment, the storage medium is further configured to store program code for performing the following steps: when the secure computing card receives a process access request from a user with process access authority on the host computing platform system, it measures the application process requested to be accessed; and the secure computing card executes the application process when the trusted module's measurement shows that the integrity of the application process requested to be accessed has not been damaged.
Optionally, in this embodiment, the storage medium is further configured to store program code for performing the following steps: and the security computing card configures the MAC rule of the mandatory access control of the process access control through a policy configuration interface.
Optionally, in this embodiment, the storage medium is further configured to store program code for performing the following steps: and under the condition that the main computing platform system has a fault, the safety computing card determines the fault reason of the main computing platform system according to the running state log of the main computing platform system and/or controls the firmware upgrading and the firmware recovery of the main computing platform.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: the secure computing card is independent of the host computing platform system and comprises a trusted module, a storage module and a processor module; the secure computing card measures the host computing platform system through a first interface using the trusted module to obtain a second measurement result; the secure computing card stores a second trusted reference value corresponding to the host computing platform system in the storage module; and the secure computing card, through the processor module, compares the second measurement result obtained by the trusted module with the second trusted reference value stored by the storage module, determines that the host computing platform system is not trusted when the second measurement result and the second trusted reference value do not satisfy a second preset condition, and stops the start of the host computing platform system.
Optionally, in this embodiment, the storage medium is further configured to store program code for performing the following steps: the secure computing card measures itself using the trusted module to obtain a first measurement result; the secure computing card stores a first trusted reference value corresponding to the secure computing card in the storage module; and the secure computing card, through the processor module, compares the first measurement result obtained by the trusted module with the first trusted reference value stored by the storage module, determines that the secure computing card is not trusted when the first measurement result and the first trusted reference value do not satisfy the first preset condition, and stops the start of the secure computing card.
Optionally, in this embodiment, the storage medium is further configured to store program code for performing the following steps: the secure computing card further comprises: the network module is used for transmitting data between the security computing card and an external network through a second interface of the network module and transmitting data between the security computing card and the main computing platform system through a third interface, wherein the external network is a network outside the security computing card and the main computing platform system; the secure computing card decrypts the ciphertext data entering the secure computing card through the second interface through the processor module and transmits the ciphertext data to the main computing platform system through the third interface; and encrypting the plaintext data coming out of the main computing platform system through the third interface, and transmitting the encrypted plaintext data to an external network through the second interface.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, a division of a unit is merely a division of a logic function, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive (U-disk), a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program code.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that those skilled in the art can make various modifications and embellishments without departing from the principle of the present invention, and these modifications and embellishments should also be regarded as falling within the protection scope of the present invention.

Claims (24)

1. A secure computing card, independent of a host computing platform system, comprising:
a trusted module, a storage module, and a processor module, wherein,
the trusted module is used for measuring the main computing platform system through a first interface to obtain a second measurement result;
the storage module is used for storing a second credible reference value corresponding to the main computing platform system;
the processor module is configured to compare the second measurement result obtained by the trusted module with the second trusted reference value stored by the storage module, determine that the main computing platform system is not trusted when the second measurement result and the second trusted reference value do not satisfy a second preset condition, and stop starting the main computing platform system.
2. The secure computing card of claim 1,
the trusted module is also used for measuring the security computing card to obtain a first measurement result;
the storage module is further used for storing a first trusted reference value corresponding to the secure computing card;
the processor module is further configured to compare the first measurement result obtained by the trusted module with the first trusted reference value stored in the storage module, and determine that the secure computing card is not trusted and stop starting the secure computing card when the first measurement result and the first trusted reference value do not satisfy a first preset condition.
3. The secure computing card of claim 1, further comprising: a network module, wherein,
the network module is used for carrying out data transmission with an external network through a second interface and carrying out data transmission with the main computing platform system through a third interface, wherein the external network is a network outside the secure computing card and the main computing platform system;
the processor module is further configured to decrypt ciphertext data entering the secure computing card through the second interface, and transmit the ciphertext data to the main computing platform system through the third interface; and after encrypting the plaintext data coming out of the main computing platform system through the third interface, transmitting the encrypted plaintext data to the external network through the second interface.
4. The secure computing card of claim 3,
and the network module is also used for writing the sensitive application requested to be written into the storage module through the second interface under the condition of receiving the sensitive application writing request of the user with the writing permission in the card.
5. The secure computing card of claim 4,
the trusted module is also used for measuring the sensitive application requested to be called under the condition that the secure computing card receives the sensitive application calling request of the user with the calling authority in the card;
the processor module is further configured to execute the sensitive application when a measurement result obtained by the trusted module measuring the sensitive application requested to be invoked is that the integrity of the sensitive application requested to be invoked is not damaged.
6. The secure computing card of claim 1,
the trusted module is further used for measuring the application process requesting access under the condition that the secure computing card receives a process access request of a user having the process access authority of the main computing platform system;
the processor module is further configured to execute the application process when a measurement result obtained by measuring the application process requesting access by the trusted module is that the integrity of the application process requesting access is not destroyed.
7. The secure computing card of claim 6, further comprising: a policy configuration interface, used for configuring the mandatory access control (MAC) rules for process access control.
8. The secure computing card of any of claims 1 to 7,
the processor module is further configured to determine a failure cause of the main computing platform system according to the running state log of the main computing platform system when the main computing platform system fails, and/or control firmware upgrade and firmware recovery of the main computing platform.
9. A secure computing card-based metrology method, wherein the secure computing card is independent of a host computing platform system, comprising:
the secure computing card measures the main computing platform system to obtain a second measurement result;
the secure computing card compares the second measurement result with a second trusted reference value corresponding to the main computing platform system, wherein the second trusted reference value is stored in the secure computing card;
and under the condition that the second measurement result and the second trusted reference value do not meet a second preset condition, the secure computing card determines that the main computing platform system is not trusted, and stops starting the main computing platform system.
10. The method of claim 9, further comprising:
the secure computing card measures the secure computing card itself to obtain a first measurement result;
the secure computing card compares the first measurement result with a first trusted reference value corresponding to the secure computing card, wherein the first trusted reference value is stored in the secure computing card;
and under the condition that the first measurement result and the first trusted reference value do not meet a first preset condition, the secure computing card determines that the secure computing card is not trusted, and stops starting the secure computing card.
11. The method of claim 9, further comprising:
the secure computing card decrypts ciphertext data entering the secure computing card from an external network and transmits the ciphertext data to the main computing platform system, and encrypts plaintext data coming out of the main computing platform system and transmits the plaintext data to the external network, wherein the external network is a network outside the secure computing card and the main computing platform system.
12. The method of claim 9, further comprising:
the secure computing card receives a sensitive application write request;
and under the condition that a user corresponding to the sensitive application writing request has the in-card writing permission, the secure computing card writes the sensitive application requested to be written into the secure computing card.
13. The method of claim 12, further comprising:
under the condition that the secure computing card receives a sensitive application calling request of a user with calling authority in the card, measuring the sensitive application requested to be called;
and the secure computing card executes the sensitive application when the measurement result of the measurement on the sensitive application requested to be called is that the integrity of the sensitive application requested to be called is not damaged.
14. The method of claim 9,
under the condition that the secure computing card receives a process access request of a user with the process access authority of the main computing platform system, measuring the application process requesting access;
and the secure computing card executes the application process when the measurement result of the measurement of the application process requesting access by the trusted module is that the integrity of the application process requesting access is not damaged.
15. The method of claim 14, further comprising:
and the secure computing card configures the mandatory access control (MAC) rules for process access control through a policy configuration interface.
16. The method according to any one of claims 9 to 15,
and under the condition that the main computing platform system fails, the secure computing card determines the failure reason of the main computing platform system according to the running state log of the main computing platform system and/or controls the firmware upgrade and firmware recovery of the main computing platform.
17. A secure computing card-based metrology method, wherein the secure computing card is independent of a host computing platform system, wherein the secure computing card comprises a trusted module, a storage module, and a processor module, wherein,
the secure computing card measures the main computing platform system through a first interface by adopting the trusted module to obtain a second measurement result;
the secure computing card stores a second trusted reference value corresponding to the main computing platform system through the storage module;
and the secure computing card compares, through the processor module, the second measurement result obtained by the trusted module with the second trusted reference value stored by the storage module, determines that the main computing platform system is not trusted under the condition that the second measurement result and the second trusted reference value do not meet a second preset condition, and stops starting the main computing platform system.
18. The method of claim 17,
the secure computing card measures the secure computing card through the trusted module to obtain a first measurement result;
the secure computing card stores a first trusted reference value corresponding to the secure computing card through the storage module;
and the secure computing card compares the first measurement result obtained by the trusted module with a first trusted reference value stored in the storage module through the processor module, determines that the secure computing card is not trusted under the condition that the first measurement result and the first trusted reference value do not meet a first preset condition, and stops starting the secure computing card.
19. The method of claim 17, wherein the secure computing card further comprises: a network module, wherein,
the secure computing card performs data transmission with an external network through a second interface of the network module, and performs data transmission with the main computing platform system through a third interface, wherein the external network is a network outside the secure computing card and the main computing platform system;
the secure computing card decrypts the ciphertext data entering the secure computing card through the second interface through the processor module and transmits the ciphertext data to the main computing platform system through the third interface; and after encrypting the plaintext data coming out of the main computing platform system through the third interface, transmitting the encrypted plaintext data to the external network through the second interface.
20. A secure computing card based metrology system, comprising: the secure computing card and a host computing platform system, wherein the secure computing card is independent of the host computing platform system, the secure computing card comprising a trusted module, a storage module, and a processor module, wherein,
the trusted module is used for measuring the secure computing card to obtain a first measurement result and/or measuring the main computing platform system through a first interface to obtain a second measurement result;
the storage module is used for storing a first trusted reference value corresponding to the secure computing card and a second trusted reference value corresponding to the main computing platform system;
the processor module is configured to compare the first measurement result obtained by the trusted module with the first trusted reference value stored in the storage module, determine that the secure computing card is not trusted when the first measurement result and the first trusted reference value do not satisfy a first preset condition, and stop starting the secure computing card; and/or compare the second measurement result obtained by the trusted module with the second trusted reference value stored by the storage module, determine that the main computing platform system is not trusted when the second measurement result and the second trusted reference value do not satisfy a second preset condition, and stop starting the main computing platform system.
21. A storage medium storing a program, wherein the program, when executed by a processor, controls the processor to perform the secure computing card based metrology method of any one of claims 9 to 19.
22. A computer device, comprising: a memory and a processor, wherein,
the memory stores a computer program;
the processor is used for executing the computer program stored in the memory, the computer program when executed causing the processor to perform the secure computing card based metrology method of any one of claims 9 to 19.
23. A secure computing card, independent of a host computing platform system, comprising: a trusted module, a storage module, and a processor module, wherein,
the trusted module is used for measuring the main computing platform system through the first interface to obtain a measurement result of the main computing platform system;
the storage module is used for storing a trusted reference value of the main computing platform system corresponding to the main computing platform system;
the processor module is used for comparing the measurement result of the main computing platform system obtained by the trusted module with the trusted reference value of the main computing platform system stored by the storage module, determining that the main computing platform system is not trusted under the condition that the measurement result of the main computing platform system and the trusted reference value of the main computing platform system do not meet a second preset condition, and stopping starting the main computing platform system.
24. The secure computing card of claim 23,
the trusted module is also used for measuring the secure computing card to obtain a measurement result of the secure computing card;
the storage module is further used for storing a trusted reference value of the secure computing card corresponding to the secure computing card;
the processor module is further configured to compare the measurement result of the secure computing card obtained by the trusted module with a trusted reference value of the secure computing card stored in the storage module, determine that the secure computing card is not trusted when the measurement result of the secure computing card and the trusted reference value of the secure computing card do not meet a first preset condition, and stop starting the secure computing card.
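The measurement flow of claims 9, 10, 12 and 13 as an added example, not code from the patent: a Python simulation in which the card measures itself first, then the host, against trusted reference values held in its storage module, stops start-up on a mismatch, and re-measures a stored sensitive application before executing it. SHA-256 digests as the measurement, byte-equality of digests as the "preset condition", and the sample firmware images and user permissions are all assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

def measure(image: bytes) -> bytes:
    """Measurement of a component = SHA-256 digest of its image (assumed)."""
    return hashlib.sha256(image).digest()

class StartupStopped(Exception):
    """Raised when the card stops starting a component it found untrusted."""

@dataclass
class SecureComputingCard:
    card_firmware: bytes            # what the trusted module measures first
    host_firmware: bytes            # read over the "first interface" (assumed)
    first_reference: bytes          # stored in the storage module
    second_reference: bytes         # stored in the storage module
    sensitive_apps: dict = field(default_factory=dict)  # name -> (image, ref)
    users: dict = field(default_factory=dict)           # user -> permissions
    log: list = field(default_factory=list)

    @staticmethod
    def _satisfies(result: bytes, reference: bytes) -> bool:
        # Preset condition assumed to be equality of digests; compare in
        # constant time so the comparison itself leaks nothing.
        return hmac.compare_digest(result, reference)

    def start_card(self) -> bool:
        """Claim 10: measure the card itself before anything else."""
        first_result = measure(self.card_firmware)
        if not self._satisfies(first_result, self.first_reference):
            self.log.append("card untrusted: stop starting card")
            raise StartupStopped("secure computing card")
        self.log.append("card trusted")
        return True

    def start_host(self) -> bool:
        """Claim 9: measure the host only from an already-trusted card."""
        self.start_card()
        second_result = measure(self.host_firmware)
        if not self._satisfies(second_result, self.second_reference):
            self.log.append("host untrusted: stop starting host")
            raise StartupStopped("host computing platform system")
        self.log.append("host trusted")
        return True

    def write_sensitive_app(self, user: str, name: str, image: bytes) -> bool:
        """Claim 12: only a user with in-card write permission may write."""
        if "write" not in self.users.get(user, set()):
            return False
        # The reference recorded at write time is what later calls check.
        self.sensitive_apps[name] = (image, measure(image))
        return True

    def invoke_sensitive_app(self, user: str, name: str) -> bool:
        """Claim 13: check invoke permission, then re-measure before running."""
        if "invoke" not in self.users.get(user, set()):
            return False
        image, reference = self.sensitive_apps[name]
        if not self._satisfies(measure(image), reference):
            self.log.append(f"{name}: integrity damaged, not executed")
            return False
        self.log.append(f"{name}: executed")
        return True

def try_start(card: SecureComputingCard) -> str:
    """Run the whole start sequence and report how it ended."""
    try:
        card.start_host()
        return "started"
    except StartupStopped as stopped:
        return f"stopped:{stopped}"
```

Because `start_host` always runs `start_card` first, a tampered card image halts before the host is ever measured, which is the ordering claims 9 and 10 describe.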
CN201910463688.XA 2019-05-30 2019-05-30 Secure computing card, and measuring method and system based on secure computing card Active CN112016090B (en)


Publications (2)

Publication Number Publication Date
CN112016090A true CN112016090A (en) 2020-12-01
CN112016090B CN112016090B (en) 2024-01-23

Family

ID=73500462


Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113010875A (en) * 2021-03-17 2021-06-22 紫光国芯微电子股份有限公司 Information isolation method, memory card and mobile terminal
CN113536361A (en) * 2021-09-15 2021-10-22 统信软件技术有限公司 Method and device for realizing trusted reference library and computing equipment
WO2022155973A1 (en) * 2021-01-25 2022-07-28 华为技术有限公司 Terminal chip and measurement method therefor

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101515316A (en) * 2008-02-19 2009-08-26 北京工业大学 Trusted computing terminal and trusted computing method
CN101576944A (en) * 2008-11-20 2009-11-11 武汉大学 Computer secure startup system based on trusted platform module
CN103927490A (en) * 2014-04-25 2014-07-16 华为技术有限公司 OS secure startup method and device
US9147086B1 (en) * 2013-06-07 2015-09-29 Amazon Technologies, Inc. Trusted computing host
CN108418786A (en) * 2017-12-28 2018-08-17 广州华夏职业学院 A kind of cloud computing data security supporting platform
CN108595964A (en) * 2018-04-27 2018-09-28 北京可信华泰信息技术有限公司 A kind of credible platform control module implementation method based on firmware
CN109241744A (en) * 2018-08-28 2019-01-18 全球能源互联网研究院有限公司 A kind of creditable calculation modules and the credible starting method using the module
CN109241745A (en) * 2018-08-28 2019-01-18 全球能源互联网研究院有限公司 A kind of credible starting method and device of computing platform
CN109325352A (en) * 2018-08-28 2019-02-12 全球能源互联网研究院有限公司 A kind of credible calculating platform framework


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
宗涛 (Zong Tao): "Design and Implementation of a Structural Security Model Based on Trusted Computing", Computer Engineering (计算机工程), no. 20 *
陈建民 (Chen Jianmin) et al.: "A Trusted Measurement Mechanism for Wireless Mesh Networks", Journal of Huazhong University of Science and Technology (Natural Science Edition) *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40039143; Country of ref document: HK)
GR01 Patent grant