CN112016090B - Secure computing card, and measuring method and system based on secure computing card - Google Patents


Info

Publication number: CN112016090B
Authority: CN (China)
Prior art keywords: card, trusted, platform system, module, computing card
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201910463688.XA
Other languages: Chinese (zh)
Other versions: CN112016090A (en)
Inventors: 肖鹏, 付颖芳
Current assignee: Alibaba Group Holding Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Alibaba Group Holding Ltd
Events: application filed by Alibaba Group Holding Ltd; priority to CN201910463688.XA; publication of CN112016090A; application granted; publication of CN112016090B; legal status active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575 Secure boot
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information
    • G06F21/77 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information in smart cards

Abstract

The invention discloses a secure computing card, and a measurement method and a measurement system based on the secure computing card. The secure computing card is independent of the host computing platform system and comprises a trusted module, a storage module and a processor module. The trusted module measures the host computing platform system to obtain a second measurement result; the storage module stores a second trusted reference value for the host computing platform system; and the processor module compares the second measurement result with the second trusted reference value, determines that the host computing platform system is not trusted when the two do not satisfy a second preset condition, and stops the host computing platform system from starting.

Description

Secure computing card, and measuring method and system based on secure computing card
Technical Field
The invention relates to the field of computers, and in particular to a secure computing card and a measurement method and measurement system based on the secure computing card.
Background
Trusted computing uses a hardware-based security module to support computing in computing and communication systems and so improve the security of the system as a whole. It is carried out according to the trusted standards of the international Trusted Computing Group (TCG) and its Trusted Platform Module (TPM). The TCG/TPM trusted standard works as follows: with the TPM as the root of trust, the equipment or applications included in the system are measured step by step as the system starts, and every measurement value is faithfully recorded in the Platform Configuration Registers (PCR) inside the TPM hardware.
In trusted remote attestation (remote authentication), the trusted platform system (also called the local trusted server) faithfully reports the PCR values recorded in its TPM to a remote verifier (the challenger). If the reported PCR value equals the correct PCR reference value, remote attestation passes and the trusted server is trusted; if they are not equal, remote attestation fails, which indicates that the PCR values recorded in the trusted server's TPM are not right, i.e. the trusted server was tampered with at some step of system startup, and the trusted server is not trusted.
This approach records the measurement values of every module while the trusted platform system (the host computing platform system) starts, and performs remote attestation of the reported measurement values only after startup has completed. It is therefore an after-the-fact alarm: by the time the report is checked, the code of a malicious module has already executed during startup. The related art thus has the problem that, during the measurement process of starting a trusted platform system, startup cannot be stopped in time when a module has been maliciously tampered with, and security protection is insufficient.
In view of the above problems, no effective solution has been proposed at present.
Disclosure of Invention
Embodiments of the invention provide a secure computing card and a measurement method and measurement system based on the secure computing card, which at least solve the technical problem in the related art that, during the measurement process of starting a trusted platform system, startup cannot be stopped in time when a module has been maliciously tampered with, so that security protection is insufficient.
According to one aspect of an embodiment of the present invention, a secure computing card independent of the host computing platform system is provided, comprising a trusted module, a storage module and a processor module. The trusted module measures the host computing platform system through a first interface to obtain a second measurement result; the storage module stores a second trusted reference value corresponding to the host computing platform system; and the processor module compares the second measurement result obtained by the trusted module with the second trusted reference value stored by the storage module, determines that the host computing platform system is not trusted when the two do not satisfy a second preset condition, and stops the host computing platform system from starting.
According to another aspect of an embodiment of the present invention, a measurement method based on a secure computing card that is independent of the host computing platform system is provided, comprising: the secure computing card measures the host computing platform system to obtain a second measurement result; the secure computing card compares the second measurement result with a second trusted reference value corresponding to the host computing platform system, which the secure computing card itself stores; and the secure computing card determines that the host computing platform system is not trusted when the second measurement result and the second trusted reference value do not satisfy a second preset condition, and stops the host computing platform system from starting.
According to still another aspect of an embodiment of the present invention, a measurement method based on a secure computing card is provided, where the secure computing card is independent of the host computing platform system and comprises a trusted module, a storage module and a processor module. The secure computing card measures the host computing platform system through a first interface by means of the trusted module to obtain a second measurement result; it stores a second trusted reference value corresponding to the host computing platform system by means of the storage module; and by means of the processor module it compares the second measurement result obtained by the trusted module with the second trusted reference value stored by the storage module, determines that the host computing platform system is not trusted when the two do not satisfy a second preset condition, and stops the host computing platform system from starting.
According to yet another aspect of an embodiment of the present invention, a measurement system based on a secure computing card is provided, comprising the secure computing card, which is independent of the host computing platform system and comprises a trusted module, a storage module and a processor module. The trusted module measures the secure computing card to obtain a first measurement result and/or measures the host computing platform system through a first interface to obtain a second measurement result; the storage module stores a first trusted reference value corresponding to the secure computing card and a second trusted reference value corresponding to the host computing platform system; and the processor module compares the first measurement result obtained by the trusted module with the first trusted reference value stored by the storage module, determines that the secure computing card is not trusted when the two do not satisfy a first preset condition, and stops the secure computing card from starting; and/or compares the second measurement result obtained by the trusted module with the second trusted reference value stored by the storage module, determines that the host computing platform system is not trusted when the two do not satisfy a second preset condition, and stops the host computing platform system from starting.
According to an aspect of an embodiment of the present invention, a storage medium storing a program is provided, wherein the program, when executed by a processor, controls the processor to perform any of the secure computing card-based measurement methods above.
According to another aspect of an embodiment of the present invention, a computer apparatus is provided, comprising a memory and a processor, the memory storing a computer program; the processor is configured to execute the computer program stored in the memory, which when executed causes the processor to perform any of the secure computing card-based measurement methods above.
According to yet another aspect of an embodiment of the present invention, a secure computing card independent of the host computing platform system is provided, comprising a trusted module, a storage module and a processor module. The trusted module measures the host computing platform system through a first interface to obtain a measurement result of the host computing platform system; the storage module stores a trusted reference value of the host computing platform system; and the processor module compares the measurement result of the host computing platform system obtained by the trusted module with the trusted reference value of the host computing platform system stored by the storage module, determines that the host computing platform system is not trusted when the two do not satisfy a second preset condition, and stops the host computing platform system from starting.
In embodiments of the invention the secure computing card is independent of the host computing platform system, so the measurement of both the secure computing card and the host computing platform system can be carried out from the card's own independent configuration. The security function is thus realized independently, without depending on the host computing platform system, which gives plug-and-play operation, low cost and flexibility. Moreover, when the secure computing card or the host computing platform system fails measurement, startup can be stopped in time, which solves the technical problem in the related art that, during the measurement process of starting a trusted platform system, startup cannot be stopped in time when a module has been maliciously tampered with.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiments of the invention and together with the description serve to explain the invention and do not constitute a limitation on the invention. In the drawings:
FIG. 1 shows a block diagram of the hardware architecture of a computer terminal for a secure computing card-based measurement method;
FIG. 2 is a trust chain transfer flow diagram of the TCG/TPM trusted standard on which an embodiment of the present invention is based;
FIG. 3 is a schematic diagram of SGX encrypted computation, shown for comparison according to an embodiment of the present invention;
FIG. 4 is a block diagram of the structure of a secure computing card according to embodiment 1 of the present invention;
FIG. 5 is a flow chart of a first secure computing card-based measurement method according to embodiment 1 of the present invention;
FIG. 6 is a flow chart of a second secure computing card-based measurement method according to embodiment 1 of the present invention;
FIG. 7 is a schematic diagram of the separation of computation and protection in a secure computing card according to a preferred embodiment of the present invention;
FIG. 8 is a logical architecture diagram of a general-purpose secure computing card provided according to an embodiment of the present invention;
FIG. 9 is a functional block diagram of a general-purpose secure computing card provided according to an embodiment of the present invention;
FIG. 10 is a block diagram of the architecture of a secure computing card-based measurement system according to embodiment 1 of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, some terms or terminology appearing in the description of embodiments of the present application are explained as follows:
Trusted computing: a technology developed and promoted by the international Trusted Computing Group (TCG). It uses a trusted computing platform supported by a hardware-based security module in computing and communication systems to improve the security of the system as a whole. With trusted computing a computer always operates in the expected manner, which is guaranteed jointly by the computer hardware and the software, by using hardware security modules that are inaccessible to the rest of the system.
Trusted Platform Module (TPM): an international standard for a secure cryptoprocessor, written by the TCG, which protects hardware by integrating cryptographic keys into the device through a dedicated microcontroller. A TPM security chip is a security chip conforming to the TPM standard; it is usually physically bound to a computing platform, so it can effectively protect a PC and prevent illegal users from accessing it.
Trusted Platform Control Module (TPCM): the TPCM serves as a root of trust embedded in China's autonomous and controllable trusted nodes; it adds a root-of-trust control function on top of the TPM, realizing active control and measurement based on cryptography. The TPCM starts before the CPU and verifies the BIOS, which changes the traditional idea of the TPM as a passive device and realizes active control of the whole platform by the TPCM.
SGX (Intel Software Guard Extensions): an extension of the Intel Architecture (IA) to enhance the security of programs. Rather than identifying and isolating all malicious programs on the platform, the security-sensitive operations of legitimate programs are encapsulated in an enclave, which protects them from attack by malicious programs: neither privileged nor unprivileged programs can access the enclave, i.e. once code and data are inside the enclave, even the operating system or the VMM (hypervisor) cannot affect them. The security boundary of the enclave contains only the CPU and the enclave itself, and an enclave created by SGX can also be understood as a Trusted Execution Environment (TEE).
PCR (Platform Configuration Registers): non-persistent secure storage space provided by a trusted security chip, used to store measurement extend values, to prove the integrity of the platform to outside parties, and to prove the integrity of the measurement log.
Example 1
In accordance with an embodiment of the present invention, there is also provided a method embodiment of a remote authentication method, it being noted that the steps shown in the flowchart of the figures may be performed in a computer system, such as a set of computer executable instructions, and, although a logical order is shown in the flowchart, in some cases, the steps shown or described may be performed in an order other than that shown or described herein.
The method embodiment provided in the first embodiment of the present application may be executed in a mobile terminal, a computer terminal or a similar computing device. Fig. 1 shows a block diagram of the hardware architecture of a computer terminal (or mobile device) for a secure computing card-based measurement method. As shown in fig. 1, the computer terminal 10 (or mobile device 10) may include one or more processors 102 (shown as 102a, 102b, …, 102n; the processors 102 may include, but are not limited to, processing means such as a microprocessor MCU or a programmable logic device FPGA) and a memory 104 for storing data. In addition, it may further include a transmission module, a display, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be included as one of the ports of the I/O interface), a network interface, a power supply, and/or a camera. Those of ordinary skill in the art will appreciate that the configuration shown in fig. 1 is merely illustrative and is not intended to limit the configuration of the electronic device described above. For example, the computer terminal 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
It should be noted that the one or more processors 102 and/or other data processing circuits described above may be referred to generally herein as "data processing circuits". The data processing circuit may be embodied in whole or in part in software, hardware, firmware, or any other combination. Furthermore, the data processing circuitry may be a single stand-alone processing module, or incorporated, in whole or in part, into any of the other elements in the computer terminal 10 (or mobile device). As referred to in the embodiments of the present application, the data processing circuit acts as a processor control (e.g., selection of the path of the variable resistor termination to interface).
The memory 104 may be used to store software programs and modules of application software, such as the program instructions/data storage devices corresponding to the remote authentication method in the embodiment of the present invention; the processor 102 executes the software programs and modules stored in the memory 104 to perform various functional applications and data processing, that is, to implement the secure computing card-based measurement method of the application program. Memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission module is used for receiving or transmitting data through a network. The specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission module includes a network adapter (Network Interface Controller, NIC) that can connect to other network devices through the base station to communicate with the internet. In one example, the transmission module may be a Radio Frequency (RF) module, which is used to communicate with the internet wirelessly.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with a user interface of the computer terminal 10 (or mobile device).
FIG. 2 is a trust chain transfer flow diagram of the TCG/TPM trusted standard on which embodiments of the present invention are based. As shown in FIG. 2, under the TCG/TPM trusted standard the TPM is the root of trust and the equipment or applications included in the system are measured step by step as the system starts: the root of trust for measurement in the Basic Input Output System (BIOS) starts and measures the BIOS initial boot module; the BIOS initial boot module measures the BIOS main boot module; the BIOS main boot module measures the rest of the BIOS and the Operating System (OS) loader; the OS loader measures the OS kernel; and so on, until the trust transfer process from the starting point to the applications and the network is complete. All measurement values are faithfully recorded in the Platform Configuration Registers (PCR) inside the TPM hardware.
However, the measurement value of each module is only recorded during startup, and remote attestation of the reported measurement values is performed after startup has completed. This is an after-the-fact alarm: the code of a malicious module has already executed during startup. In addition, trusted computing is generally used to prove the security of the system, while applications and data lack the necessary protection.
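The passive TCG model described above, as an added example that is not part of the patent: a simulated boot chain extends each stage's digest into a PCR and then runs the stage unconditionally, and only afterwards does a challenger replay the event log and compare the PCR against a reference. The stage names follow the text; the "firmware" bytes, the zero initial PCR and SHA-256 as the hash are constructed assumptions for this example.

```python
import hashlib
from typing import List, Tuple

# Constructed sample boot chain: the stage names follow the TCG stages named in
# the text, the "firmware" bytes are made up for this example.
GOOD_CHAIN: List[Tuple[str, bytes]] = [
    ("bios_initial_boot", b"sample BIOS initial boot block"),
    ("bios_main_boot", b"sample BIOS main boot block"),
    ("os_loader", b"sample OS loader"),
    ("os_kernel", b"sample OS kernel"),
]
# The same chain, but the kernel image has been replaced.
TAMPERED_CHAIN: List[Tuple[str, bytes]] = [
    (name, b"tampered OS kernel" if name == "os_kernel" else code)
    for name, code in GOOD_CHAIN
]


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || measurement). A PCR can only be
    extended, never written, so the final value depends on every stage."""
    return hashlib.sha256(pcr + measurement).digest()


def boot_and_measure(chain: List[Tuple[str, bytes]]):
    """Passive TCG model: each stage is measured into the PCR and then executed.
    Returns (final PCR as hex, event log, list of stages that actually ran)."""
    pcr = bytes(32)            # assumed: PCR is all zeros at reset
    event_log = []             # (stage name, measurement hex) handed to the verifier
    executed = []
    for name, code in chain:
        measurement = hashlib.sha256(code).digest()
        pcr = pcr_extend(pcr, measurement)
        event_log.append((name, measurement.hex()))
        executed.append(name)  # nothing in this model can refuse to run the stage
    return pcr.hex(), event_log, executed


def replay_log(event_log) -> str:
    """Recompute the PCR from the event log alone."""
    pcr = bytes(32)
    for _, measurement_hex in event_log:
        pcr = pcr_extend(pcr, bytes.fromhex(measurement_hex))
    return pcr.hex()


def remote_attest(reported_pcr: str, event_log, reference_pcr: str) -> str:
    """Challenger side, run only after boot: the log must replay to the reported
    PCR (otherwise the report is inconsistent) and the PCR must equal the reference."""
    if replay_log(event_log) != reported_pcr:
        return "log inconsistent"
    return "trusted" if reported_pcr == reference_pcr else "untrusted"


if __name__ == "__main__":
    reference_pcr, _, _ = boot_and_measure(GOOD_CHAIN)
    pcr, log, ran = boot_and_measure(TAMPERED_CHAIN)
    verdict = remote_attest(pcr, log, reference_pcr)
    print(f"verdict: {verdict}; stages already executed before the check: {ran}")
```

The tampered kernel is detected, but `executed` shows that all four stages, the tampered one included, had already run before the verdict was available; that is exactly the "after-the-fact alarm" the text describes.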
FIG. 3 is a schematic diagram of SGX encrypted computation, shown for comparison with embodiments of the present invention. As shown in FIG. 3, Intel SGX uses instructions provided by the CPU to partition off a portion of memory (called the EPC) and map the Enclave in an application's address space onto that memory. This memory region is encrypted and address-translated by the memory control unit (MC) in the CPU.
When the processor accesses data in the Enclave, the CPU automatically switches to a new CPU mode, called Enclave mode, which forces additional hardware checks on every memory access. Because the data is placed in the EPC, the EPC memory contents are encrypted by the Memory Encryption Engine (MEE) to prevent known memory attacks (such as memory sniffing). EPC memory contents are decrypted only when they enter the CPU (cache) and are re-encrypted when they leave the CPU. The data in EPC memory is therefore always ciphertext; the encryption key used for EPC memory is a seal key, and every Enclave (EPC) uses a different key.
Different applications run simultaneously in the host's physical DRAM, but because they use different memory encryption keys, their computation is isolated, that is, encrypted computation takes place on host memory that holds only ciphertext. The security boundary is as follows: only the CPU package sees Enclave plaintext; outside the CPU there is only ciphertext, so snooping on the memory bus or system memory fails.
While SGX ensures the security of applications and data, it places severe requirements on the platform: among current server processors only the Intel E3 CPU supports it, SGX CPUs currently reach only 8 cores, EPC memory reaches at most 256 MB, and performance requirements in the cloud cannot be met. In addition, the SGX encryption key depends on Intel's CPU hardware root key, and neither the user nor the cloud vendor can obtain the corresponding key. Moreover, the SGX secure computation scheme fails entirely if the CPU itself is not trusted or has a serious security vulnerability.
In summary, TPM trusted attestation is after-the-fact evidence and gives insufficient protection to applications and data. Encrypted computation is mainly based on Intel SGX technology, which lets a user put their own data into a cloud environment to run without worrying about the cloud operator snooping on it; however, SGX is limited by its platform requirements (among current server processors only the Intel E3 CPU supports it) and cannot meet cloud performance requirements, i.e. SGX is demanding on the platform and insufficient in performance, and its keys and root of trust are held in the Intel CPU, so support for general computing platforms is poor. Embodiments of the invention therefore provide a general-purpose secure computing card based on trusted computing and encrypted computation, which can be inserted into an ordinary server to realize secure computing and some security management functions.
Based on the above-described shortcomings, a secure computing card as shown in fig. 4 is provided in an embodiment of the present invention. FIG. 4 is a block diagram of the architecture of a secure computing card according to embodiment 1 of the invention, as shown in FIG. 4, independent of the host computing platform system, comprising: the system comprises a trusted module, a storage module and a processor module, wherein the trusted module is used for measuring a main computing platform system through a first interface to obtain a second measurement result; the storage module is used for storing a second trusted reference value corresponding to the main computing platform system; and the processor module is used for comparing the second measurement result obtained by the trusted module with a second trusted reference value stored by the storage module, and determining that the main computing platform system is not trusted under the condition that the second measurement result and the second trusted reference value do not meet a second preset condition, and stopping starting the main computing platform system.
As an optional embodiment, the trusted module is further configured to measure the secure computing card itself to obtain a first measurement result; the storage module is also used for storing a first trusted reference value corresponding to the secure computing card; the processor module is further used for comparing the first measurement result obtained by the trusted module with a first trusted reference value stored by the storage module, and determining that the secure computing card is not trusted under the condition that the first measurement result and the first trusted reference value do not meet a first preset condition, and stopping starting the secure computing card.
As an alternative embodiment, the secure computing card is independent of the host computing platform system, wherein the secure computing card is independent of the host computing platform system as an independent secure protection system, has own secure hardware and software, does not use any computing resources of the host computing platform system, has own independent trusted modules, a storage module and a processor module, and completes the secure protection function of the whole secure computing card through the implemented functions of the respective modules.
As an optional embodiment, the trusted module is configured to measure the secure computing card itself to obtain a first measurement result, and/or measure the host computing platform system through the first interface to obtain a second measurement result. Based on the above description, the secure computing card has its own independent hardware and software, so when the secure computing card itself is measured, the modules included in the secure computing card are measured sequentially by taking the trusted module as a root of trust. For example, the hardware included in the secure computing card is measured first: the processor module, the storage module, wherein, the storage module can include the volatile memory module used for realizing the internal computing function of the secure computing card in combination with the processor module, can also include the nonvolatile storage module used for storing application programs and data. Thereafter, software of the secure computing card, such as a secure computing card Chip operating System SoC (System-on-Chip), etc., is measured. When the secure computing card is measured, all hardware and software owned by the secure computing card can be measured, part of the hardware and software owned by the secure computing card can be measured, or specified contents in the hardware and software owned by the secure computing card can be measured, and the secure computing card can be flexibly selected according to specific requirements.
As an alternative embodiment, when the trusted module measures the host computing platform system through the first interface, the first interface may be an interface dedicated to measuring the host computing platform, for example an SPI low-speed bus interface; data transmitted by the host computing platform system to the secure computing card is received through this interface, and the host computing platform system is measured according to the transmitted data. The secure computing card acts as the root of trust when measuring the hardware and software of the host computing platform system. As with the card itself, all of the host's hardware and software may be measured, only part of it, or only specified content within it, as flexibly selected according to specific requirements.
As an alternative embodiment, when the trusted module both measures the secure computing card itself to obtain the first measurement result and measures the host computing platform system through the first interface to obtain the second measurement result, the trusted module measures the secure computing card itself before measuring the host computing platform system. That is, the card measures the host only after it has verified its own trustworthiness, so that the host is judged trusted on a trusted basis. The secure computing card thus serves as the root of trust when the trust measurement of the host computing platform system is implemented with the card as the basis of trust.
As an alternative embodiment, the storage module stores a first trusted reference value corresponding to the secure computing card and a second trusted reference value corresponding to the host computing platform system. The first trusted reference value may include the trusted reference values of all measurement objects in the secure computing card, for example those of its hardware and those of its applications and data. The second trusted reference value may include the trusted reference values of all measurement objects in the host computing platform system, for example those of its hardware and those of its applications and data.
As an alternative embodiment, the processor module compares the first measurement result obtained by the trusted module with the first trusted reference value stored in the storage module, determines that the secure computing card is not trusted when the first measurement result and the first trusted reference value do not meet a first preset condition, and stops starting the secure computing card. When the secure computing card, acting as an independent security measurement device, measures itself, the first measurement result is compared with the first trusted reference value the card stores; if the comparison does not meet the first preset condition, the card can be directly determined to be untrusted, meaning it has been illegally tampered with, and its startup should be stopped. It should be noted that during startup of the secure computing card, as soon as any measurement object is found to be untrusted, startup of that object can be stopped immediately. Untrustworthiness is therefore determined locally during startup, without transmitting the measurement result to a remote authenticator to judge whether it is legitimate, which stops an untrusted startup in time and efficiently.
As an alternative embodiment, when the first measurement result is compared with the first trusted reference value stored in the card and the card is determined to be untrusted because the comparison does not meet the first preset condition, the first preset condition may be expressed as a range or as a numerical value. When expressed as a range, the condition is whether the difference between the first measurement result and the stored first trusted reference value lies within the range; if not, the first preset condition is not satisfied. When expressed as a numerical value, the first measurement result and the stored first trusted reference value are compared directly for equality; if they are not identical, the first preset condition is not satisfied. Which mode of comparison is used can be flexibly selected according to specific requirements.
As an alternative embodiment, the processor module compares the second measurement result obtained by the trusted module with the second trusted reference value stored in the storage module, determines that the host computing platform system is not trusted when the second measurement result and the second trusted reference value do not meet a second preset condition, and stops starting the host computing platform system. When the secure computing card, acting as an independent security measurement device, measures the host computing platform system, the second measurement result is compared with the second trusted reference value the card stores; if the comparison does not meet the second preset condition, the host can be directly determined to be untrusted, meaning it has been illegally tampered with, and its startup should be stopped. It should be noted that during startup of the host computing platform system, as soon as any measurement object is found to be untrusted, startup of that object can be stopped immediately. Untrustworthiness is therefore determined locally during startup, without transmitting the measurement result to the remote authenticator to judge whether it is legitimate, which stops an untrusted startup in time and efficiently.
As an alternative embodiment, when the processor module compares the second measurement result obtained by the trusted module with the second trusted reference value stored in the storage module and determines that the host computing platform system is not trusted because the two do not meet the second preset condition, the second preset condition may be expressed as a range or as a numerical value. When expressed as a range, the condition is whether the difference between the second measurement result and the stored second trusted reference value lies within the range; if not, the second preset condition is not satisfied. When expressed as a numerical value, the second measurement result and the stored second trusted reference value are compared directly for equality; if they are not identical, the second preset condition is not satisfied. Which mode of comparison is used can be flexibly selected according to specific requirements.
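The startup policy described above (the card measures itself before the host, compares each object against its stored reference under a preset condition, and stops locally at the first untrusted object), as an added Python example that is not part of the patent. The object names, the sample images, SHA-256 as the measurement function and the dictionary-based reference store are assumptions made for the illustration.

```python
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

# Measurement order with the trusted module as root of trust: the card's own
# hardware, then its SoC software; then the host objects reached through the
# first (SPI) interface, in boot order. Object names are constructed labels.
CARD_OBJECTS = ["processor_module", "volatile_memory_module",
                "nonvolatile_storage_module", "soc_software"]
HOST_OBJECTS = ["bios_initial_boot", "bios_main_boot", "bios_rest",
                "os_loader", "os_kernel"]

Condition = Callable[[bytes, bytes], bool]


def measure(content: bytes) -> bytes:
    """Trusted module measuring one object: a SHA-256 digest of its contents."""
    return hashlib.sha256(content).digest()


def exact_match(measured: bytes, reference: bytes) -> bool:
    """Preset condition in its numerical form: the two values must be identical."""
    return measured == reference


def within_range(tolerance: int) -> Callable[[int, int], bool]:
    """Preset condition in its range form, for numeric measurement objects
    (e.g. a self-test reading): |measured - reference| <= tolerance."""
    def check(measured: int, reference: int) -> bool:
        return abs(measured - reference) <= tolerance
    return check


def reference_values(contents: Dict[str, bytes]) -> Dict[str, bytes]:
    """Trusted reference values, as provisioned into the card's nonvolatile storage."""
    return {name: measure(data) for name, data in contents.items()}


def measure_chain(order: List[str], contents: Dict[str, bytes],
                  references: Dict[str, bytes],
                  condition: Condition) -> Tuple[bool, Optional[str]]:
    """Measure objects in order and stop at the first one failing the condition.

    Returns (trusted, first_failing_object). The decision is taken locally, on
    the card, without sending the result to a remote authenticator.
    """
    for name in order:
        if not condition(measure(contents[name]), references[name]):
            return False, name
    return True, None


def card_boot(card_contents: Dict[str, bytes], host_contents: Dict[str, bytes],
              first_refs: Dict[str, bytes], second_refs: Dict[str, bytes],
              condition: Condition = exact_match) -> Dict[str, object]:
    """Startup policy: the card measures itself first; the host is measured only
    on a trusted basis, and startup of whichever fails is stopped."""
    card_ok, card_fail = measure_chain(CARD_OBJECTS, card_contents, first_refs, condition)
    if not card_ok:
        return {"card_trusted": False, "stopped_at": card_fail,
                "host_trusted": None, "host_started": False}
    host_ok, host_fail = measure_chain(HOST_OBJECTS, host_contents, second_refs, condition)
    return {"card_trusted": True, "stopped_at": host_fail,
            "host_trusted": host_ok, "host_started": host_ok}


# Constructed sample images standing in for real firmware and software bytes.
GOOD_CARD = {name: f"card:{name}:v1".encode() for name in CARD_OBJECTS}
GOOD_HOST = {name: f"host:{name}:v1".encode() for name in HOST_OBJECTS}
FIRST_REFS = reference_values(GOOD_CARD)
SECOND_REFS = reference_values(GOOD_HOST)


def altered(images: Dict[str, bytes], name: str) -> Dict[str, bytes]:
    """Constructed image set in which one object no longer matches its reference."""
    out = dict(images)
    out[name] = images[name] + b"#changed"
    return out


if __name__ == "__main__":
    print("clean:", card_boot(GOOD_CARD, GOOD_HOST, FIRST_REFS, SECOND_REFS))
    print("host changed:", card_boot(GOOD_CARD, altered(GOOD_HOST, "os_loader"),
                                     FIRST_REFS, SECOND_REFS))
    print("card changed:", card_boot(altered(GOOD_CARD, "soc_software"), GOOD_HOST,
                                     FIRST_REFS, SECOND_REFS))
```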
As an alternative embodiment, the secure computing card may further comprise a network module for transmitting data to and from an external network through a second interface and to and from the host computing platform system through a third interface, where the external network is any network outside the secure computing card and the host computing platform system. The processor module is further configured to decrypt ciphertext data entering the secure computing card through the second interface and transmit the decrypted data to the host computing platform system through the third interface, and to encrypt plaintext data leaving the host computing platform system through the third interface and transmit the encrypted data to the external network through the second interface. In other words, the secure computing card, as an independent security device, exchanges data with the external network through the second interface and with the host computing platform system through the third interface: ciphertext entering from the external network is decrypted and passed to the host computing platform system, and plaintext leaving the host computing platform system is encrypted and passed to the external network. Only the secure computing card can directly process the original data, so it is kept secret from the external network and data security is ensured. It should be noted that the second interface connecting the secure computing card and the external network may be bidirectional, that is, data may be transmitted from the secure computing card to the external network or from the external network to the secure computing card. The third interface connecting the secure computing card and the host computing platform system may also be bidirectional, transferring data from the secure computing card to the host computing platform system or from the host computing platform system to the secure computing card.
As an alternative embodiment, the network module is further configured to, on receiving a sensitive application write request from a user who holds in-card write authority, write the requested sensitive application to the storage module through the second interface. The secure computing card can thereby isolate sensitive applications to some extent: only a user with in-card write authority can write a sensitive application into the card, which protects the sensitive application. It should be noted that the storage module may be a stable nonvolatile storage module, so that the sensitive application is stored safely and is not lost.
As an alternative embodiment, when a sensitive application in the secure computing card is called, the card first authenticates the authority of the calling user so that the sensitive application executes securely, and the call is allowed only if the user is determined to hold in-card call authority. In addition, when the card receives a sensitive application call request from a user with in-card call authority, the trusted module measures the sensitive application requested; the processor module executes it only when the measurement shows that its integrity has not been compromised. The secure computing card thus protects not only the platform system but also the application programs.
As an alternative embodiment, when a process of the host computing platform system is accessed, the secure computing card first authenticates the authority of the user requesting access so that the process executes securely, and the access is allowed only if the user is determined to hold process access authority for the host computing platform system. In addition, when the card receives a process access request from a user with that authority, the trusted module measures the application process requested; the processor module executes it only when the measurement shows that its integrity has not been compromised. The secure computing card thus protects not only the platform system but also access to application processes, according to the specific access rules.
As an alternative embodiment, the secure computing card may further comprise a policy configuration interface for configuring the mandatory access control (MAC) rules of process access control. Providing a policy configuration interface allows process access control to be configured flexibly, so that access is controlled according to the specific configured rules.
As an alternative embodiment, the secure computing card may further have additional functions. For example, using its processor module, the card may determine the cause of a failure of the host computing platform system from the host's operation status log when the host fails, and/or control firmware upgrade and firmware restoration of the host computing platform. When the host computing platform system fails, the failure cause is determined and measures are taken to clear the failure, which safeguards the security of the host computing platform system.
In the embodiment of the invention, the secure computing card is independent of the host computing platform system, so that measurement of both the card and the host can be carried out on the basis of the card's own independent configuration. This achieves the purpose of implementing the security function independently, without relying on the host computing platform system, and provides plug-and-play operation while balancing cost and flexibility. Moreover, when the card and the host are measured, startup can be stopped in time when measurement fails, which solves the technical problem in the related art that startup cannot be stopped in time when a malicious module is found to have been tampered with during the measurement process of starting a trusted platform system.
In an embodiment of the present invention, a measuring method based on a secure computing card is further provided. Fig. 5 is a flowchart of a first measuring method based on a secure computing card according to embodiment 1 of the present invention, where the secure computing card is independent of a host computing platform system. As shown in fig. 5, the flow includes the following steps:
step S502, the secure computing card measures the host computing platform system to obtain a second measurement result;
step S504, the secure computing card compares the second measurement result with a second trusted reference value corresponding to the host computing platform system, where the secure computing card stores the second trusted reference value;
step S506, the secure computing card determines that the host computing platform system is not trusted when the second measurement result and the second trusted reference value do not meet the second preset condition, and stops starting the host computing platform system.
As an alternative embodiment, the secure computing card also measures itself to obtain a first measurement result; the card compares the first measurement result with a first trusted reference value corresponding to the card, which the card stores; and the card determines that it is not trusted when the first measurement result and the first trusted reference value do not meet the first preset condition, and stops its own startup.
As an alternative embodiment, the measuring method based on the secure computing card is applied to the secure computing card of the embodiment and preferred embodiments shown in fig. 4. The following steps correspond to the functional modules described there, so the description is not repeated here; reference is made to the corresponding description.
As an alternative embodiment, the secure computing card decrypts the ciphertext data entering the card from the external network and transmits the decrypted data to the host computing platform system, and encrypts the plaintext data leaving the host computing platform system and transmits the encrypted data to the external network, where the external network is any network outside the secure computing card and the host computing platform system.
As an alternative embodiment, the secure computing card receives a sensitive application write request, and writes the requested sensitive application into the card when the user corresponding to the request holds in-card write authority.
As an alternative embodiment, on receiving a sensitive application call request from a user with in-card call authority, the secure computing card measures the sensitive application requested, and executes it only when the measurement shows that its integrity has not been compromised.
As an alternative embodiment, on receiving a process access request from a user with process access authority for the host computing platform system, the secure computing card measures the application process requested, and executes it only when the trusted module's measurement shows that its integrity has not been compromised.
As an alternative embodiment, the secure computing card configures the mandatory access control (MAC) rules for process access control through a policy configuration interface.
As an alternative embodiment, when the host computing platform system fails, the secure computing card determines the failure cause from the host's running state log, and/or controls firmware upgrade and firmware recovery of the host computing platform.
In an embodiment of the present invention, a measuring method based on a secure computing card is further provided. Fig. 6 is a flowchart of a second measuring method based on a secure computing card according to embodiment 1 of the present invention, where the secure computing card is independent of a host computing platform system and includes a trusted module, a storage module and a processor module. As shown in fig. 6, the flow includes the following steps:
step S602, the secure computing card uses the trusted module to measure the host computing platform system through a first interface, obtaining a second measurement result;
step S604, the secure computing card stores, in the storage module, a second trusted reference value corresponding to the host computing platform system;
step S606, the secure computing card uses the processor module to compare the second measurement result obtained by the trusted module with the second trusted reference value stored in the storage module, determines that the host computing platform system is not trusted when the two do not meet a second preset condition, and stops starting the host computing platform system.
As an optional embodiment, the secure computing card measures itself through the trusted module to obtain a first measurement result; the card stores a first trusted reference value corresponding to itself in the storage module; the card uses the processor module to compare the first measurement result obtained by the trusted module with the first trusted reference value stored in the storage module, determines that it is not trusted when the two do not meet a first preset condition, and stops its own startup.
As an alternative embodiment, the measuring method based on the secure computing card is applied to the system formed by the secure computing card and the host computing platform system of the embodiment and preferred embodiments shown in fig. 4; the steps correspond to the respective modules of the secure computing card, so the description is not repeated here and reference is made to the corresponding description.
As an alternative embodiment, the secure computing card further comprises a network module that transmits data between the card and an external network through its second interface and between the card and the host computing platform system through a third interface, where the external network is any network outside the secure computing card and the host computing platform system. Through the processor module, the card decrypts ciphertext data entering through the second interface and transmits it to the host computing platform system through the third interface, and encrypts plaintext data leaving the host computing platform system through the third interface and transmits it to the external network through the second interface.
Based on the above examples and preferred embodiments, a further preferred embodiment is provided and described below.
FIG. 7 is a schematic diagram of the separation of computing and protection in a secure computing card according to a preferred embodiment of the present invention. As depicted in FIG. 7, the protection system (the secure computing card) is independent of the computing system (the host computing platform system); all security operations run in the protection system, using the protection system's own security hardware and software, completely isolated from the computing system. The secure computing card is an independent protection system that isolates the host computing platform system from the network; it uses its own independent processor, memory, storage and other modules and does not use the computing resources of the host computing platform.
The independent secure computing card has at least the following advantages:
(1) A security platform covering the entire security scenario: the security protection function is separated from the host computing platform system, and a universal secure computing card can flexibly implement multiple security functions.
(2) Plug-and-play, balancing cost and flexibility: the universal secure computing card is no longer constrained by the configuration requirements of any computing platform (for example, the host computing platform system described in the present application). Inserting the secure computing card into a computing platform makes it a secure computing platform; pulling it out leaves an ordinary computing platform; and any ordinary computing platform can be combined with the universal secure computing card to form a secure computing platform. All of the original computing platform's resources remain available for computing, so performance and cost are not affected.
(3) Decoupling from the universal platform, with independent evolution that does not affect either side: the evolution and functional integration of the secure computing card are independent of the host computing platform and are developed separately.
Fig. 8 is a logical architecture diagram of a general-purpose secure computing card provided according to an embodiment of the present invention. As shown in fig. 8, the general-purpose secure computing card may include a processor module, a trusted module, a volatile memory module, a nonvolatile storage module and a network module.
The hardware interfaces of the universal secure computing card may include: a Serial Peripheral Interface (SPI) low-speed bus interface, a Peripheral Component Interconnect Express (PCIE) high-speed bus interface, and a network module I/O interface.
The trusted module performs trusted measurement verification of the platform system on the host computing platform system through the SPI low-speed bus interface.
The processor module, which may be an x86, ARM, FPGA or other computing unit, provides computing power within the secure computing card.
The volatile memory module, together with the processor module, provides computing power.
The nonvolatile storage module stores the trusted reference values, application programs and data.
The network module exchanges data with the outside through the network I/O interface, and exchanges data with the host computing platform system through the high-speed PCIE interface.
After external ciphertext data enters the general-purpose secure computing card, it is decrypted by the card's processor and memory modules and then transmitted to the host computing platform system; plaintext data generated by the host computing platform system is likewise encrypted by the secure computing card before being transferred to the external network.
Fig. 9 is a functional block diagram of a general-purpose secure computing card according to an embodiment of the present invention. As shown in fig. 9, the functions of the general-purpose secure computing card mainly include platform measurement, application measurement, data security, remote attestation and other functions, each of which is described below.
Platform measurement
(1) During startup of the secure computing card, the trusted module performs the card's own platform measurement: with the trusted module as the root of trust, it measures the processor module, then the volatile memory module, the nonvolatile storage module, the network module, and finally the system-on-chip (SoC) of the secure computing card.
(2) When the host computing platform system starts, the secure computing card performs trusted measurement of the host computing platform system through the SPI low-speed interface: with the secure computing card as the root of trust, it measures the BIOS initial boot module, then the BIOS main boot module, the rest of the BIOS, the OS loader, the OS kernel and so on, finally completing the transfer of trust from the starting point to the applications and the network.
(3) The nonvolatile storage module stores the trusted reference value of each measured module. During the trusted measurement of the first two steps, each measurement value is compared with its trusted reference value as soon as the measurement completes; when the measurement value of any module is found to differ from its reference value, the startup process is stopped immediately and a platform-untrusted alarm is raised.
Application measurement
1. Sensitive application isolation
(1) First, a user with in-card write authority writes their own sensitive application directly into the nonvolatile storage module of the secure computing card through the network I/O interface.
(2) Then, a user with in-card call authority can call the sensitive application in the card; after the secure computing card receives the call request, the trusted module measures the integrity of the application, and the application is allowed to execute inside the secure computing card only if the integrity of the sensitive application has not been compromised.
(3) The user's sensitive application is only allowed to execute inside the secure computing card, completely physically isolated from the computing resources of the host computing platform. This differs from SGX, where physical memory is not isolated but only virtually isolated by means of encryption.
2. Process access control
(1) Process access rights on the host computing platform system are controlled by the secure computing card.
(2) The secure computing card provides a mandatory access control (MAC) mechanism with policy configuration: only the designated authority can call the designated application process on the host computing platform, and only if the designated application process's integrity has not been compromised.
(3) The secure computing card provides a policy configuration interface for configuring the MAC rules of process access control.
Data security
(1) When the secure computing card leaves the factory it is provided internally with a root key (Fuse Key), which is written into the hardware fuse by physical means.
(2) For each user application, an application data encryption key (Seal Key) is generated from the measurement value of the user application together with the root Fuse Key. Different user applications therefore obtain different Seal Keys.
(3) All application data entering and leaving the secure computing card is encrypted with the Seal Key of that application: data is input and output as ciphertext, and the plaintext is visible only inside the secure computing card.
(4) Ciphertext data is decrypted by the secure computing card before it enters the host computing platform, and return data from the host computing platform is encrypted by the secure computing card before it enters the network.
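The Seal Key rule above, worked through as an added illustration (not code from the patent or from Alibaba): a per-device root key combined with the application's measurement yields an application-specific key, so data sealed by one application cannot be unsealed by another application or by a tampered copy of the same one. The Fuse Key value, the application images, and the constructions used are assumptions: HMAC-SHA256 stands in for the card's key derivation function, and an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for its authenticated cipher, so the example runs with the Python standard library alone.

```python
"""Seal Key derivation and sealed application data, modelled on the card's
data security rules.  Illustration only: the constructions below are stand-ins
for the card's own KDF and cipher, chosen so the code needs only the stdlib.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample root key, as if read back from the hardware fuse.
# Placeholder value, not a real device key.
FUSE_KEY = bytes.fromhex("00" * 31 + "01")


def measure(app_image: bytes) -> bytes:
    """Trusted-module measurement of an application image (SHA-256 digest)."""
    return hashlib.sha256(app_image).digest()


def derive_seal_key(fuse_key: bytes, app_measurement: bytes) -> bytes:
    """Seal Key = KDF(Fuse Key, measurement); a different measurement gives a different key."""
    return hmac.new(fuse_key, b"seal-key" + app_measurement, hashlib.sha256).digest()


def _subkeys(seal_key: bytes):
    # Separate encryption and MAC keys derived from the Seal Key.
    enc_key = hmac.new(seal_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(seal_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode PRF keystream from HMAC-SHA256 (stand-in for a block cipher).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(fuse_key: bytes, app_image: bytes, plaintext: bytes,
         nonce: Optional[bytes] = None) -> bytes:
    """Encrypt plaintext under the app's Seal Key; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(derive_seal_key(fuse_key, measure(app_image)))
    nonce = os.urandom(16) if nonce is None else nonce
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(fuse_key: bytes, app_image: bytes, blob: bytes) -> bytes:
    """Recover plaintext; raises ValueError when the Seal Key or the blob does not match."""
    if len(blob) < 16 + 32:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(derive_seal_key(fuse_key, measure(app_image)))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    # Tag check first: a wrong application measurement yields a wrong MAC key.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("seal check failed: wrong application measurement or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo() -> dict:
    """Walk through three cases: the same app, a different app, a tampered app."""
    app_a = b"constructed sensitive application A v1"
    app_b = b"constructed sensitive application B v1"
    app_a_tampered = app_a + b"\x90"  # one byte changed -> measurement differs
    secret = b"customer record: plaintext only visible inside the card"
    blob = seal(FUSE_KEY, app_a, secret)
    result = {
        "keys_differ": derive_seal_key(FUSE_KEY, measure(app_a))
        != derive_seal_key(FUSE_KEY, measure(app_b)),
        "same_app_unseals": unseal(FUSE_KEY, app_a, blob) == secret,
    }
    for name, image in (("other_app", app_b), ("tampered_app", app_a_tampered)):
        try:
            unseal(FUSE_KEY, image, blob)
            result[name + "_unseals"] = True
        except ValueError:
            result[name + "_unseals"] = False
    return result


if __name__ == "__main__":
    print(demo())
```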
Remote attestation
Remote attestation flow: the secure computing card reports the PCR value recorded in itself to a remote verifier (the challenger); the remote verifier determines whether the host computing platform system is trusted by comparing that value with the correct PCR reference value (reference PCR).
Other functions
(1) The secure computing card can be preset with a system monitoring application that monitors the running state of the host computing platform in real time through the PCIE high-speed interface; the monitoring application executes in isolation inside the secure computing card.
(2) After the host computing platform fails, the secure computing card reports/analyzes the running state log of the host computing platform and locates the cause of the failure.
(3) The secure computing card performs applications such as firmware upgrade and firmware recovery on the host computing platform through the PCIE high-speed interface, and these applications likewise execute in isolation inside the secure computing card.
Through the above preferred embodiment, in contrast to the after-the-fact reporting mechanism of TPM-based trusted computing, a trusted verification mechanism is provided during the start-up process, which verifies not only the trusted measurements of the host computing platform system but also the trusted measurements of the secure computing card itself. In addition to verifying the trustworthiness of the platform, trusted measurement verification of application processes is added: only an application process whose integrity is intact is allowed to be called, and a designated application process can only be called by the designated authority, so that mandatory access control of processes is realized.
In addition, compared with SGX, which is tied to the platform and whose keys and root of trust are controlled by Intel, the preferred embodiment does not restrict the host computing platform system (any general computing platform becomes a secure computing platform once a secure computing card is plugged in), nor does it restrict the processor platform of the secure computing card (ARM/X86/FPGA, etc.). The computing resources for security functions are provided by the secure computing card, without affecting the performance of the host computing platform system. Moreover, all SGX application programs run on the same physical memory with only virtual isolation through memory encryption, whereas the secure computing card of the preferred embodiment uses physical isolation: a sensitive application program does not run in the memory of the host computing platform system at all, but uses the computing environment of the secure computing card.
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present invention is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present invention. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required for the present invention.
From the description of the above embodiments, it will be clear to a person skilled in the art that the method according to the above embodiments may be implemented by means of software plus the necessary general hardware platform, or also by means of hardware, although in many cases the former is preferred. Based on such understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art, may be embodied in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising several instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method of the various embodiments of the present invention.
Example 2
In an embodiment of the present invention, there is further provided a secure computing card-based measurement system. Fig. 10 is a block diagram of a secure computing card-based measurement system according to embodiment 1 of the present invention, and as shown in fig. 10, the secure computing card-based measurement system 10 includes a secure computing card 11 and a main computing platform system 12, wherein the secure computing card is independent of the main computing platform system and comprises a trusted module, a storage module and a processor module. The trusted module is used for measuring the secure computing card to obtain a first measurement result, and/or measuring the main computing platform system through a first interface to obtain a second measurement result; the storage module is used for storing a first trusted reference value corresponding to the secure computing card and a second trusted reference value corresponding to the main computing platform system; the processor module is used for comparing the first measurement result obtained by the trusted module with the first trusted reference value stored by the storage module, determining that the secure computing card is not trusted when the first measurement result and the first trusted reference value do not meet a first preset condition, and stopping starting the secure computing card; and/or comparing the second measurement result obtained by the trusted module with the second trusted reference value stored by the storage module, determining that the main computing platform system is not trusted when the second measurement result and the second trusted reference value do not meet a second preset condition, and stopping starting the main computing platform system.
In the embodiments corresponding to the secure computing card-based measurement method and measurement system, the secure computing card is independent of the main computing platform system, so that the measurement of the secure computing card and of the main computing platform system can be realized according to the independent configuration of the secure computing card. This achieves the purpose of realizing the security function independently, without depending on the main computing platform system, and the purposes of plug-and-play, low cost and flexibility; moreover, when the secure computing card and the main computing platform system are measured, starting can be stopped in time if the measurement does not pass, which solves the technical problem in the related art that starting cannot be stopped in time when a module has been maliciously tampered with during the measurement process of starting a trusted platform system.
It should be noted that the secure computing card-based measurement system corresponds to steps S602 to S606 included in fig. 6 in embodiment 1. The secure computing card-based measurement system described above shares the examples and application scenarios implemented by the corresponding steps, but is not limited to what is disclosed in embodiment 1 above. It should be noted that the above-described modules may be operated as a part of the apparatus in the computer terminal 10 provided in the first embodiment.
Example 3
Embodiments of the present invention may provide a secure computing card that is independent of a host computing platform system, comprising: the system comprises a trusted module, a storage module and a processor module, wherein the trusted module is used for measuring a main computing platform system through a first interface to obtain a measurement result of the main computing platform system; the storage module is used for storing the trusted reference value of the main computing platform system corresponding to the main computing platform system; and the processor module is used for comparing the measurement result of the main computing platform system obtained by the trusted module with the trusted reference value of the main computing platform system stored by the storage module, determining that the main computing platform system is not trusted under the condition that the measurement result of the main computing platform system and the trusted reference value of the main computing platform system do not meet a second preset condition, and stopping starting the main computing platform system.
As an optional embodiment, the trusted module is further configured to measure the secure computing card itself to obtain a measurement result of the secure computing card; the storage module is also used for storing the credible reference value of the safety calculation card corresponding to the safety calculation card; the processor module is further used for comparing the measurement result of the secure computing card obtained by the trusted module with the trusted reference value of the secure computing card stored by the storage module, and determining that the secure computing card is not trusted under the condition that the measurement result of the secure computing card and the trusted reference value of the secure computing card do not meet a first preset condition, and stopping starting the secure computing card.
Since the secure computing card both measures itself to obtain its own measurement result and measures the main computing platform system through the first interface, the measurement of the secure computing card can be performed before the main computing platform system is measured through the first interface. That is, the secure computing card measures the main computing platform system only after it has measured itself as trusted, so that the main computing platform system is determined to be trusted on a trusted basis. The secure computing card thus serves as the root of trust when the trusted measurement of the host computing platform system is implemented with the secure computing card as the trust basis.
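The measurement order described in Examples 1 to 3 (card first, then host through the first interface, stop start-up on either mismatch), together with the process access control and PCR-based remote attestation of the preferred embodiment, as one added illustration that is not the patent's or Alibaba's code. The firmware images, the "preset condition" (exact digest equality), the PCR extend rule (SHA-256 of old value followed by new measurement) and the MAC policy table are all assumptions made for the example.

```python
"""Boot-time measurement by a secure computing card independent of the host.
Illustration only: images, comparison rule, PCR extend rule and MAC policy
are constructed for this example and are not taken from the patent.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def measure(image: bytes) -> bytes:
    """Trusted module: SHA-256 measurement of a firmware or software image."""
    return hashlib.sha256(image).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: the PCR only accumulates; it is never reset by software."""
    return hashlib.sha256(pcr + measurement).digest()


@dataclass
class StorageModule:
    first_reference: bytes    # trusted reference value for the card itself
    second_reference: bytes   # trusted reference value for the host platform
    process_references: Dict[str, bytes] = field(default_factory=dict)
    mac_rules: Dict[Tuple[str, str], bool] = field(default_factory=dict)


@dataclass
class SecureComputingCard:
    storage: StorageModule
    pcr: bytes = b"\x00" * 32
    log: List[str] = field(default_factory=list)

    def boot(self, card_firmware: bytes, host_platform_image: bytes) -> str:
        """Return "card_stopped", "host_stopped" or "trusted".

        The card measures itself before the host, so a verdict on the host is
        only ever produced on an already-trusted basis.
        """
        first = measure(card_firmware)
        self.pcr = pcr_extend(self.pcr, first)
        if first != self.storage.first_reference:   # first preset condition
            self.log.append("card measurement mismatch: stop starting the card")
            return "card_stopped"
        second = measure(host_platform_image)         # read via the first interface
        self.pcr = pcr_extend(self.pcr, second)
        if second != self.storage.second_reference:  # second preset condition
            self.log.append("host measurement mismatch: stop starting the host")
            return "host_stopped"
        return "trusted"

    def attest(self, reference_pcr: bytes) -> bool:
        """Remote attestation: the challenger compares the reported PCR with its reference."""
        return self.pcr == reference_pcr

    def authorize_process(self, user_role: str, process: str, process_image: bytes) -> bool:
        """Process access control: the MAC rule must allow the role AND integrity must hold."""
        if not self.storage.mac_rules.get((user_role, process), False):
            return False
        ref = self.storage.process_references.get(process)
        return ref is not None and measure(process_image) == ref


# Constructed sample images standing in for real firmware and binaries.
CARD_FW = b"constructed secure computing card firmware v1"
HOST_IMG = b"constructed host platform BIOS+bootloader v1"
SVC_IMG = b"constructed host service binary"


def expected_pcr(card_fw: bytes, host_img: bytes) -> bytes:
    """What a challenger precomputes as the reference PCR for a good boot."""
    return pcr_extend(pcr_extend(b"\x00" * 32, measure(card_fw)), measure(host_img))


def new_card() -> SecureComputingCard:
    """A card whose storage module holds references for the constructed images."""
    storage = StorageModule(
        first_reference=measure(CARD_FW),
        second_reference=measure(HOST_IMG),
        process_references={"billing-svc": measure(SVC_IMG)},
        mac_rules={("operator", "billing-svc"): True},
    )
    return SecureComputingCard(storage)


if __name__ == "__main__":
    card = new_card()
    print(card.boot(CARD_FW, HOST_IMG), card.attest(expected_pcr(CARD_FW, HOST_IMG)))
    print(new_card().boot(CARD_FW, HOST_IMG + b"!"))  # tampered host image
```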
Example 4
Embodiments of the present invention may provide a computer terminal (or computer device) that may be any one of a group of computer terminals. Alternatively, in the present embodiment, the above-described computer terminal may be replaced with a terminal device such as a mobile terminal.
Alternatively, in this embodiment, the above-mentioned computer terminal may be located in at least one network device among a plurality of network devices of the computer network.
Optionally, in this embodiment, the computer device may include: a memory and a processor, the memory storing a computer program; a processor for executing a computer program stored in the memory, the computer program when run causing the processor to perform the method of any one of the above.
The memory may be used to store software programs and modules, such as program instructions/modules corresponding to the secure computing card-based measurement method and apparatus in the embodiment of the present invention, and the processor executes the software programs and modules stored in the memory, thereby performing various functional applications and data processing, that is, implementing the secure computing card-based measurement method. The memory may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory may further include memory remotely located relative to the processor, which may be connected to the computer terminal via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The processor may call the information and the application program stored in the memory through the transmission device to perform the following steps, where the secure computing card is independent of the host computing platform system: the secure computing card measures the main computing platform system to obtain a second measurement result; the secure computing card compares the second measurement result with a second trusted reference value corresponding to the main computing platform system, wherein the secure computing card stores the second trusted reference value; and when the second measurement result and the second trusted reference value do not meet the second preset condition, the secure computing card determines that the main computing platform system is not trusted, and stops starting the main computing platform system.
Optionally, the above processor may further execute program code for: the secure computing card measures itself to obtain a first measurement result; the secure computing card compares the first measurement result with a first trusted reference value corresponding to the secure computing card, wherein the secure computing card stores the first trusted reference value; and when the first measurement result and the first trusted reference value do not meet the first preset condition, the secure computing card determines that it is not trusted, and stops starting the secure computing card.
Optionally, the above processor may further execute program code for: the secure computing card decrypts the ciphertext data entering the secure computing card from the external network, transmits the ciphertext data to the main computing platform system, encrypts the plaintext data coming out of the main computing platform system and transmits the plaintext data to the external network, wherein the external network is a network outside the secure computing card and the main computing platform system.
Optionally, the above processor may further execute program code for: the security computing card receives a sensitive application writing request; and the security computing card writes the sensitive application which is requested to be written into the security computing card under the condition that the user corresponding to the sensitive application writing request has the writing authority in the card.
Optionally, the above processor may further execute program code for: under the condition that the secure computing card receives a sensitive application calling request of a user with calling authority in the card, measuring the sensitive application which is requested to be called; the secure computing card executes the sensitive application when the measurement result of measuring the sensitive application requesting the call is that the integrity of the sensitive application requesting the call is not destroyed.
Optionally, the above processor may further execute program code for: under the condition that the secure computing card receives a process access request of a user with a process access authority of the main computing platform system, measuring an application process requesting access; the secure computing card executes the application process when the measurement result of the trusted module for measuring the application process requesting access is that the integrity of the application process requesting access is not destroyed.
Optionally, the above processor may further execute program code for: the security computing card configures forced access control (MAC) rules for process access control through a policy configuration interface.
Optionally, the above processor may further execute program code for: under the condition that the main computing platform system fails, the security computing card determines the failure reason of the main computing platform system according to the running state log of the main computing platform system and/or controls the firmware upgrading and firmware recovery of the main computing platform.
The processor may also call the information stored in the memory and the application program through the transmission device to perform the following steps: the secure computing card is independent of the main computing platform system, wherein the secure computing card comprises a trusted module, a storage module and a processor module, and measures the main computing platform system through a first interface by adopting the trusted module to obtain a second measurement result; the secure computing card stores a second trusted reference value corresponding to the main computing platform system through the storage module; the security computing card compares a second measurement result obtained by the trusted module with a second trusted reference value stored by the storage module through the processor module, and determines that the main computing platform system is not trusted under the condition that the second measurement result and the second trusted reference value do not meet a second preset condition, and stops starting the main computing platform system.
Optionally, the above processor may further execute program code for: the security computing card measures the security computing card by a trusted module to obtain a first measurement result; the secure computing card stores a first trusted reference value corresponding to the secure computing card in the storage module; the security computing card compares a first measurement result obtained by the trusted module with a first trusted reference value stored by the storage module through the processor module, and determines that the security computing card is not trusted under the condition that the first measurement result and the first trusted reference value do not meet a first preset condition, and stops starting the security computing card.
Optionally, the above processor may further execute program code for: the secure computing card further includes: the network module is used for carrying out data transmission between the secure computing card and an external network through a second interface of the network module and carrying out data transmission between the secure computing card and a main computing platform system through a third interface, wherein the external network is a network outside the secure computing card and the main computing platform system; the secure computing card decrypts the ciphertext data entering the secure computing card through the second interface through the processor module and transmits the ciphertext data to the main computing platform system through the third interface; and encrypting the plaintext data coming out of the main computing platform system through the third interface and transmitting the plaintext data to an external network through the second interface.
In the embodiment of the invention, the secure computing card is independent of the main computing platform system, so that the measurement of the secure computing card and of the main computing platform system can be realized according to the independent configuration of the secure computing card. This achieves the purpose of realizing the security function independently, without depending on the main computing platform system, and the purposes of plug-and-play, low cost and flexibility; moreover, when the secure computing card and the main computing platform system are measured, starting can be stopped in time if the measurement does not pass, which solves the technical problem in the related art that starting cannot be stopped in time when a module has been maliciously tampered with during the measurement process of starting a trusted platform system.
Those skilled in the art will appreciate that the computer terminal may also be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palm computer, a mobile internet device (Mobile Internet Devices, MID), a PAD, etc. The embodiment of the invention does not limit the structure of the electronic device. For example, the computer device may also include more or fewer components (e.g., network interfaces, display devices, etc.), or have different configurations.
Those of ordinary skill in the art will appreciate that all or part of the steps in the various methods of the above embodiments may be implemented by a program instructing a terminal device to execute them in association with hardware; the program may be stored in a computer readable storage medium, and the storage medium may include: a flash disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic or optical disk, and the like.
Example 5
The embodiment of the invention also provides a storage medium. Alternatively, in this embodiment, the storage medium may be used to store the program code corresponding to any of the secure computing card-based metrics methods provided in embodiment 1, where the program code, when executed by the processor, controls the processor to execute any of the secure computing card-based metrics methods.
Alternatively, in this embodiment, the storage medium may be located in any one of the computer terminals in the computer terminal group in the computer network, or in any one of the mobile terminals in the mobile terminal group.
Alternatively, in the present embodiment, the storage medium is configured to store program code for performing the following steps, where the secure computing card is independent of the host computing platform system: the secure computing card measures the main computing platform system to obtain a second measurement result; the secure computing card compares the second measurement result with a second trusted reference value corresponding to the main computing platform system, wherein the secure computing card stores the second trusted reference value; and when the second measurement result and the second trusted reference value do not meet the second preset condition, the secure computing card determines that the main computing platform system is not trusted, and stops starting the main computing platform system.
Optionally, in the present embodiment, the storage medium is further configured to store program code for performing the steps of: the secure computing card measures itself to obtain a first measurement result; the secure computing card compares the first measurement result with a first trusted reference value corresponding to the secure computing card, wherein the secure computing card stores the first trusted reference value; and when the first measurement result and the first trusted reference value do not meet the first preset condition, the secure computing card determines that it is not trusted, and stops starting the secure computing card.
Optionally, in the present embodiment, the storage medium is further configured to store program code for performing the steps of: the secure computing card decrypts the ciphertext data entering the secure computing card from the external network, transmits the ciphertext data to the main computing platform system, encrypts the plaintext data coming out of the main computing platform system and transmits the plaintext data to the external network, wherein the external network is a network outside the secure computing card and the main computing platform system.
Optionally, in the present embodiment, the storage medium is further configured to store program code for performing the steps of: the security computing card receives a sensitive application writing request; and the security computing card writes the sensitive application which is requested to be written into the security computing card under the condition that the user corresponding to the sensitive application writing request has the writing authority in the card.
Optionally, in the present embodiment, the storage medium is further configured to store program code for performing the steps of: under the condition that the secure computing card receives a sensitive application calling request of a user with calling authority in the card, measuring the sensitive application which is requested to be called; the secure computing card executes the sensitive application when the measurement result of measuring the sensitive application requesting the call is that the integrity of the sensitive application requesting the call is not destroyed.
Optionally, in the present embodiment, the storage medium is further configured to store program code for performing the steps of: under the condition that the secure computing card receives a process access request of a user with a process access authority of the main computing platform system, measuring an application process requesting access; the secure computing card executes the application process when the measurement result of the trusted module for measuring the application process requesting access is that the integrity of the application process requesting access is not destroyed.
Optionally, in the present embodiment, the storage medium is further configured to store program code for performing the steps of: the security computing card configures forced access control (MAC) rules for process access control through a policy configuration interface.
Optionally, in the present embodiment, the storage medium is further configured to store program code for performing the steps of: under the condition that the main computing platform system fails, the security computing card determines the failure reason of the main computing platform system according to the running state log of the main computing platform system and/or controls the firmware upgrading and firmware recovery of the main computing platform.
Alternatively, in the present embodiment, the storage medium is configured to store program code for performing the steps of: the secure computing card is independent of the main computing platform system, wherein the secure computing card comprises a trusted module, a storage module and a processor module, and measures the main computing platform system through a first interface by adopting the trusted module to obtain a second measurement result; the secure computing card stores a second trusted reference value corresponding to the main computing platform system through the storage module; the security computing card compares a second measurement result obtained by the trusted module with a second trusted reference value stored by the storage module through the processor module, and determines that the main computing platform system is not trusted under the condition that the second measurement result and the second trusted reference value do not meet a second preset condition, and stops starting the main computing platform system.
Optionally, in the present embodiment, the storage medium is further configured to store program code for performing the steps of: the security computing card measures the security computing card by a trusted module to obtain a first measurement result; the secure computing card stores a first trusted reference value corresponding to the secure computing card in the storage module; the security computing card compares a first measurement result obtained by the trusted module with a first trusted reference value stored by the storage module through the processor module, and determines that the security computing card is not trusted under the condition that the first measurement result and the first trusted reference value do not meet a first preset condition, and stops starting the security computing card.
Optionally, in the present embodiment, the storage medium is further configured to store program code for performing the steps of: the secure computing card further includes: the network module is used for carrying out data transmission between the secure computing card and an external network through a second interface of the network module and carrying out data transmission between the secure computing card and a main computing platform system through a third interface, wherein the external network is a network outside the secure computing card and the main computing platform system; the secure computing card decrypts the ciphertext data entering the secure computing card through the second interface through the processor module and transmits the ciphertext data to the main computing platform system through the third interface; and encrypting the plaintext data coming out of the main computing platform system through the third interface and transmitting the plaintext data to an external network through the second interface.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
In the foregoing embodiments of the present invention, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology content may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and are merely a logical functional division, and there may be other manners of dividing the apparatus in actual implementation, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other various media capable of storing program code.
The foregoing is merely a preferred embodiment of the present invention, and it should be noted that modifications and adaptations may be made by those skilled in the art without departing from the principles of the present invention, and these are intended to fall within the scope of the present invention.

Claims (19)

1. A secure computing card, the secure computing card being independent of a host computing platform system, comprising: a trusted module, a storage module and a processor module, wherein
the trusted module is used for measuring the host computing platform system through a first interface to obtain a second measurement result;
the storage module is used for storing a second trusted reference value corresponding to the host computing platform system;
the processor module is configured to compare the second measurement result obtained by the trusted module with the second trusted reference value stored in the storage module, determine that the host computing platform system is not trusted when the second measurement result and the second trusted reference value do not satisfy a second preset condition, and stop the startup of the host computing platform system;
the trusted module is further used for measuring the secure computing card to obtain a first measurement result; the storage module is further used for storing a first trusted reference value corresponding to the secure computing card; the processor module is further configured to compare the first measurement result obtained by the trusted module with the first trusted reference value stored in the storage module, determine that the secure computing card is not trusted when the first measurement result and the first trusted reference value do not satisfy a first preset condition, and stop the startup of the secure computing card;
wherein the trusted module measures the secure computing card itself before measuring the host computing platform system through the first interface.
2. The secure computing card of claim 1, further comprising: a network module, wherein
the network module is used for data transmission with an external network through a second interface and for data transmission with the host computing platform system through a third interface, the external network being a network outside the secure computing card and the host computing platform system;
the processor module is further configured to decrypt ciphertext data entering the secure computing card through the second interface and transmit the decrypted data to the host computing platform system through the third interface, and to encrypt plaintext data leaving the host computing platform system through the third interface and transmit the encrypted data to the external network through the second interface.
3. The secure computing card of claim 2, wherein
the network module is further configured to, on receiving a sensitive-application write request from a user having in-card write authority, write the requested sensitive application into the storage module through the second interface.
4. The secure computing card of claim 3, wherein
the trusted module is further used for measuring the sensitive application requested to be invoked when the secure computing card receives a sensitive-application invocation request from a user having in-card invocation authority;
the processor module is further configured to execute the sensitive application when the measurement of the requested sensitive application by the trusted module shows that its integrity has not been compromised.
5. The secure computing card of claim 1, wherein
the trusted module is further used for measuring the application process requesting access when the secure computing card receives a process access request from a user having process access authority for the host computing platform system;
the processor module is further configured to execute the application process when the measurement of the requesting application process by the trusted module shows that its integrity has not been compromised.
6. The secure computing card of claim 5, further comprising: a policy configuration interface for configuring mandatory access control (MAC) rules for process access control.
7. The secure computing card of any one of claims 1 to 6, wherein
the processor module is further configured, when the host computing platform system fails, to determine the cause of the failure from the operating state log of the host computing platform system and/or to control firmware upgrade and firmware recovery of the host computing platform.
8. A measurement method based on a secure computing card, wherein the secure computing card is independent of a host computing platform system, the method comprising:
the secure computing card measures the host computing platform system to obtain a second measurement result;
the secure computing card compares the second measurement result with a second trusted reference value corresponding to the host computing platform system, wherein the secure computing card stores the second trusted reference value;
the secure computing card determines that the host computing platform system is not trusted when the second measurement result and the second trusted reference value do not satisfy a second preset condition, and stops the startup of the host computing platform system;
the secure computing card measures itself to obtain a first measurement result; the secure computing card compares the first measurement result with a first trusted reference value corresponding to the secure computing card, wherein the secure computing card stores the first trusted reference value; the secure computing card determines that it is not trusted when the first measurement result and the first trusted reference value do not satisfy a first preset condition, and stops its own startup;
wherein the secure computing card measures itself before measuring the host computing platform system through a first interface.
9. The method of claim 8, further comprising:
the secure computing card decrypts ciphertext data entering the secure computing card from an external network and transmits the decrypted data to the host computing platform system, and encrypts plaintext data leaving the host computing platform system and transmits the encrypted data to the external network, wherein the external network is a network outside the secure computing card and the host computing platform system.
10. The method of claim 8, further comprising:
the secure computing card receives a sensitive-application write request;
the secure computing card writes the requested sensitive application into the secure computing card when the user corresponding to the write request has in-card write authority.
11. The method of claim 10, further comprising:
when the secure computing card receives a sensitive-application invocation request from a user having in-card invocation authority, measuring the sensitive application requested to be invoked;
the secure computing card executes the requested sensitive application when the measurement shows that its integrity has not been compromised.
12. The method of claim 8, further comprising:
when the secure computing card receives a process access request from a user having process access authority for the host computing platform system, measuring the application process requesting access;
the secure computing card executes the application process when the measurement of the requesting application process by the trusted module shows that its integrity has not been compromised.
13. The method of claim 12, further comprising:
the secure computing card configures mandatory access control (MAC) rules for process access control through a policy configuration interface.
14. The method of any one of claims 8 to 13, wherein
when the host computing platform system fails, the secure computing card determines the cause of the failure from the operating state log of the host computing platform system, and/or controls firmware upgrade and firmware recovery of the host computing platform.
15. A measurement method based on a secure computing card, wherein the secure computing card is independent of a host computing platform system and comprises a trusted module, a storage module and a processor module, the method comprising:
the secure computing card uses the trusted module to measure the host computing platform system through a first interface to obtain a second measurement result;
the secure computing card stores a second trusted reference value corresponding to the host computing platform system in the storage module;
the secure computing card uses the processor module to compare the second measurement result obtained by the trusted module with the second trusted reference value stored in the storage module, determines that the host computing platform system is not trusted when the second measurement result and the second trusted reference value do not satisfy a second preset condition, and stops the startup of the host computing platform system;
the secure computing card uses the trusted module to measure the secure computing card to obtain a first measurement result; the secure computing card stores a first trusted reference value corresponding to the secure computing card in the storage module; the secure computing card uses the processor module to compare the first measurement result obtained by the trusted module with the first trusted reference value stored in the storage module, determines that the secure computing card is not trusted when the first measurement result and the first trusted reference value do not satisfy a first preset condition, and stops the startup of the secure computing card;
wherein the secure computing card uses the trusted module to measure the secure computing card before measuring the host computing platform system through the first interface.
16. The method of claim 15, wherein the secure computing card further comprises a network module, and wherein
the secure computing card performs data transmission with an external network through a second interface of the network module and with the host computing platform system through a third interface, the external network being a network outside the secure computing card and the host computing platform system;
the secure computing card uses the processor module to decrypt ciphertext data entering the secure computing card through the second interface and transmit the decrypted data to the host computing platform system through the third interface, and to encrypt plaintext data leaving the host computing platform system through the third interface and transmit the encrypted data to the external network through the second interface.
17. A measurement system based on a secure computing card, comprising: the secure computing card and a host computing platform system, wherein the secure computing card is independent of the host computing platform system and comprises a trusted module, a storage module and a processor module, wherein
the trusted module is used for measuring the host computing platform system through a first interface to obtain a second measurement result;
the storage module is used for storing a second trusted reference value corresponding to the host computing platform system;
the processor module is configured to compare the second measurement result obtained by the trusted module with the second trusted reference value stored in the storage module, determine that the host computing platform system is not trusted when the second measurement result and the second trusted reference value do not satisfy a second preset condition, and stop the startup of the host computing platform system;
the trusted module is further used for measuring the secure computing card to obtain a first measurement result; the storage module is further used for storing a first trusted reference value corresponding to the secure computing card; the processor module is further configured to compare the first measurement result obtained by the trusted module with the first trusted reference value stored in the storage module, determine that the secure computing card is not trusted when the first measurement result and the first trusted reference value do not satisfy a first preset condition, and stop the startup of the secure computing card;
wherein the trusted module measures the secure computing card itself before measuring the host computing platform system through the first interface.
18. A storage medium storing a program, wherein the program, when executed by a processor, controls the processor to perform the secure computing card-based measurement method of any one of claims 8 to 16.
19. A computer device, comprising: a memory and a processor, wherein
the memory stores a computer program;
the processor is configured to execute the computer program stored in the memory, which when run causes the processor to perform the secure computing card-based measurement method of any one of claims 8 to 16.
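Worked example (added here for illustration; it is not code from the patent or from the applicant): a Python model of the measurement order fixed by claims 1, 8, 15 and 17, in which the card measures itself before it touches the host through the first interface and a mismatch at either stage stops the corresponding startup, together with the in-card write and invocation checks of claims 3 and 4. The hash function, the sample firmware images, the user names, the modelling of the "preset condition" as digest equality and the modelling of the first interface as a callback are all assumptions; the patent fixes none of them.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def measure(image: bytes) -> bytes:
    # The patent fixes no hash function; SHA-256 is an assumption.
    return hashlib.sha256(image).digest()


def meets_condition(result: bytes, reference: bytes) -> bool:
    # "Preset condition" modelled as digest equality, compared in constant time.
    return hmac.compare_digest(result, reference)


class NotTrusted(Exception):
    """A measurement result did not match its trusted reference value."""


@dataclass
class SecureCard:
    card_firmware: bytes                      # image the trusted module measures first
    card_reference: bytes                     # first trusted reference value (in-card)
    host_reference: bytes                     # second trusted reference value (in-card)
    write_users: frozenset = frozenset()      # users with in-card write authority
    invoke_users: frozenset = frozenset()     # users with in-card invocation authority
    apps: dict = field(default_factory=dict)  # name -> (code, reference digest)
    log: list = field(default_factory=list)

    def boot(self, read_host_image) -> bool:
        # Self-measurement first; read_host_image stands in for the first
        # interface and is only called once the card has verified itself.
        if not meets_condition(measure(self.card_firmware), self.card_reference):
            self.log.append("card: self-measurement mismatch, card startup stopped")
            raise NotTrusted("secure computing card")
        self.log.append("card: self-measurement ok")
        if not meets_condition(measure(read_host_image()), self.host_reference):
            self.log.append("host: measurement mismatch, host startup stopped")
            raise NotTrusted("host computing platform system")
        self.log.append("host: measurement ok, host startup released")
        return True

    def write_app(self, user: str, name: str, code: bytes) -> bool:
        # Claim 3: only in-card write authority may store a sensitive application;
        # its reference digest is recorded at write time.
        if user not in self.write_users:
            self.log.append(f"write of {name} by {user} denied")
            return False
        self.apps[name] = (code, measure(code))
        return True

    def invoke_app(self, user: str, name: str) -> bytes:
        # Claim 4: re-measure the stored application on every invocation and hand
        # it to the processor module only if the digest still matches.
        if user not in self.invoke_users or name not in self.apps:
            self.log.append(f"invocation of {name} by {user} denied")
            raise PermissionError(name)
        code, reference = self.apps[name]
        if not meets_condition(measure(code), reference):
            self.log.append(f"{name}: integrity compromised, not executed")
            raise NotTrusted(name)
        return code


# Constructed sample images (assumptions, not data from the patent).
CARD_FW = b"card-firmware-v1"
HOST_FW = b"host-bios-and-loader-v7"


def boot_scenario(card_image: bytes, host_image: bytes):
    # Returns (outcome, host_was_read); the flag exposes the ordering rule.
    card = SecureCard(card_image, measure(CARD_FW), measure(HOST_FW))
    reads = []

    def read_host_image():
        reads.append(True)
        return host_image

    try:
        card.boot(read_host_image)
        outcome = "trusted"
    except NotTrusted as exc:
        outcome = f"untrusted: {exc}"
    return outcome, bool(reads)


def app_scenario() -> dict:
    # Write and invoke a sensitive application, then corrupt the stored copy.
    card = SecureCard(CARD_FW, measure(CARD_FW), measure(HOST_FW),
                      write_users=frozenset({"admin"}),
                      invoke_users=frozenset({"admin", "operator"}))
    results = {"guest_write": card.write_app("guest", "signer", b"sign-routine-v1"),
               "admin_write": card.write_app("admin", "signer", b"sign-routine-v1")}
    results["operator_invoke"] = card.invoke_app("operator", "signer") == b"sign-routine-v1"
    code, reference = card.apps["signer"]
    card.apps["signer"] = (code + b"\x90", reference)  # tampered flash content
    try:
        card.invoke_app("operator", "signer")
        results["tampered_invoke"] = "executed"
    except NotTrusted:
        results["tampered_invoke"] = "blocked"
    return results
```

Calling boot_scenario with the clean images, with a modified host image and with a modified card image gives the three outcomes the claims describe. The second value it returns is the property worth checking in such a design: a card whose own firmware fails measurement must never reach the first interface, otherwise a compromised card could report whatever host measurement it likes and the host reference value stored on the card would protect nothing.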

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910463688.XA CN112016090B (en) 2019-05-30 2019-05-30 Secure computing card, and measuring method and system based on secure computing card

Publications (2)

Publication Number Publication Date
CN112016090A CN112016090A (en) 2020-12-01
CN112016090B true CN112016090B (en) 2024-01-23

Family

ID=73500462

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022155973A1 (en) * 2021-01-25 2022-07-28 华为技术有限公司 Terminal chip and measurement method therefor
CN113010875A (en) * 2021-03-17 2021-06-22 紫光国芯微电子股份有限公司 Information isolation method, memory card and mobile terminal
CN113536361B (en) * 2021-09-15 2022-02-25 统信软件技术有限公司 Method and device for realizing trusted reference library and computing equipment

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101515316A (en) * 2008-02-19 2009-08-26 北京工业大学 Trusted computing terminal and trusted computing method
CN101576944A (en) * 2008-11-20 2009-11-11 武汉大学 Computer secure startup system based on trusted platform module
CN103927490A (en) * 2014-04-25 2014-07-16 华为技术有限公司 OS secure startup method and device
US9147086B1 (en) * 2013-06-07 2015-09-29 Amazon Technologies, Inc. Trusted computing host
CN108418786A (en) * 2017-12-28 2018-08-17 广州华夏职业学院 A kind of cloud computing data security supporting platform
CN108595964A (en) * 2018-04-27 2018-09-28 北京可信华泰信息技术有限公司 A kind of credible platform control module implementation method based on firmware
CN109241744A (en) * 2018-08-28 2019-01-18 全球能源互联网研究院有限公司 A kind of creditable calculation modules and the credible starting method using the module
CN109241745A (en) * 2018-08-28 2019-01-18 全球能源互联网研究院有限公司 A kind of credible starting method and device of computing platform
CN109325352A (en) * 2018-08-28 2019-02-12 全球能源互联网研究院有限公司 A kind of credible calculating platform framework

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Zong Tao. Design and Implementation of a Structural Security Model Based on Trusted Computing. Computer Engineering (计算机工程), No. 20; full text *
Chen Jianmin et al. Trusted Measurement Mechanism for Wireless Mesh Networks. Journal of Huazhong University of Science and Technology (Natural Science Edition) (华中科技大学学报(自然科学版)); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (ref country code: HK; ref legal event code: DE; ref document number: 40039143)
GR01 Patent grant