Background
In the use process of the existing linux system, the types of the wireless peripherals are more and more abundant, and the use frequency of the wireless peripherals such as a wireless network and Bluetooth equipment is higher and higher. However, the existing linux system has no management and control mechanism for the wireless device, so for the industry application with higher security level and the user with higher security requirement, the existing wireless device has no management and control state and cannot effectively meet the requirement, and the advantages of the wireless device cannot be effectively utilized in the using process, so that the existing mature wireless technology cannot be effectively deployed and used in the related industries, the use scene of the wireless device is greatly limited, and the wireless device-based application is not favorable for being deployed in the full environment.
In a general Linux system, the switching function of the existing wireless equipment mostly controls the direct switching authority of the equipment on the root user level, and for the convenience of application calling, more user-level interfaces in a D-bus mode are saved, so that malicious developers cannot be called, and the effect of a safe white list cannot be realized.
The method is characterized in that a black-and-white list function of the wireless network under the condition of a file system based on a user space, such as a black-and-white list scheme of wpa _ supplicant, is used for storing security configuration information by using/etc/wpa _ supplicant.
In the aspect of bluetooth management and control under the file system condition based on the user space, only the ble device adopts the blacklist mechanism in design, but the user layer configuration scheme cannot be effectively formed under the existing condition, and the bluetooth hardware cache region is directly cached, so that the bluetooth hardware management and control system has great defects in use, is poor in compatibility and cannot achieve an effective management and control function. At present, no corresponding control mechanism is provided in the aspects of infrared, 802.15.4, communication module and NFC.
In summary, under the existing linux conditions, in the aspect of wireless device security management and control, the schemes are fewer, the security is poorer, and the types of the function coverage devices are not comprehensive, so that the effect of wireless management and control cannot be achieved.
Disclosure of Invention
In order to solve the above problems, the present invention provides a method for managing and controlling wireless devices based on an ARM platform supporting Trustzone, the method comprising the steps of:
an ARM platform frame is built on a system;
configuring a wireless equipment switch function on the ARM platform;
configuring a wireless device connection control function based on a kernel protocol on the ARM platform;
configuring a trustzone-based complete control function on the ARM platform;
and configuring an infrared control function based on kernel driving on the ARM platform.
Preferably, the building of the ARM platform framework on the system comprises the following steps:
building a deployment of REE os environments on the system;
building a TEE os environment on the system;
building a Trustzone-based secure storage on the system;
deploying a driver layer and hardware equipment bottom layer operation dependence on the system;
deploying a trusted application on the system;
performing a system status test on the system.
Preferably, the configuring the wireless device switch function on the ARM platform includes the steps of:
deploying an application of a wireless device switch on the ARM platform;
calling an interface of a kernel subsystem as a unique trusted interface of the application program;
the root is disabled for gpio enabled and service node debug aspects of the device.
Preferably, the configuring of the wireless device connection management and control function based on the kernel protocol on the ARM platform includes:
configuring connection management and control information on the ARM platform;
the connection information is sent to a trusted program used for inquiring the connection management and control information;
the background program provides connectable information by performing information matching on the black or white list;
the information is fed back to the user program and is sent to the authentication part of the kernel;
and finishing the judgment of the query information on the kernel space to finish the connection process.
Preferably, the configuring of the trustzone-based full management and control function on the ARM platform includes the steps of:
a user program requests the ARM platform to use the NFC equipment;
calling the NFC equipment through an NFC driver;
and the NFC equipment completes NFC interaction.
Preferably, the step of configuring the infrared control function based on the kernel driver on the ARM platform includes:
configuring control taking information on the ARM platform;
the connection information is sent to a trusted program used for inquiring the connection management and control information;
the background program provides connectable information by performing information matching on the black or white list;
and finishing the judgment of the query information on the kernel space.
The method carries out design adjustment and function addition by adjusting the rfkill subsystem part of the linux kernel, the protocol part of the wireless equipment and the drive part of the wireless equipment (the specific equipment corresponding type relation is shown in figure 1), does not cause functional influence on the original kernel architecture, can ensure the normality of the original function, can also complete the realization of the wireless management and control function through the technical scheme, has the characteristics of strong portability, good compatibility and high stability, and also has higher safety; the secure data is written and inquired through the trustzone correlation technology, so that the interruption formed in the input process is not monitored by other programs, and a TEE os-based storage mode is merged into the scheme, thereby realizing higher security; the interaction process of the user space and the kernel space is controlled through selinux, and the interaction safety of the user space and the kernel space under the REE os condition is guaranteed.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the accompanying drawings in conjunction with the following detailed description. It should be understood that the description is intended to be exemplary only, and is not intended to limit the scope of the present invention. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present invention.
As shown in fig. 1, in the embodiment of the present application, the present invention provides a method for managing and controlling a wireless device based on an ARM platform supporting Trustzone, where the method includes the steps of:
s1: an ARM platform frame is built on a system;
s2: configuring a wireless equipment switch function on the ARM platform;
s3: configuring a wireless device connection control function based on a kernel protocol on the ARM platform;
s4: configuring a trustzone-based complete control function on the ARM platform;
s5: and configuring an infrared control function based on kernel driving on the ARM platform.
When the wireless equipment is controlled based on the ARM platform supporting Trustzone, firstly, an ARM platform frame is built on a system; then configuring a wireless equipment switch function on the ARM platform; then configuring a wireless device connection control function based on a kernel protocol on the ARM platform; then configuring a trustzone-based complete control function on the ARM platform; and then configuring an infrared control function based on kernel driving on the ARM platform.
In this embodiment of the present application, the step of building an ARM platform framework on a system in step S1 includes the steps of:
building a deployment of REE os environments on the system;
building a TEE os environment on the system;
building a Trustzone-based secure storage on the system;
deploying a driver layer and hardware equipment bottom layer operation dependence on the system;
deploying a trusted application on the system;
performing a system status test on the system.
In the embodiment of the application, when an ARM platform framework is built on a system, the deployment of an REE os environment is completed firstly, the REE os environment comprises the whole linux system, and the kernel of a wireless management and control scheme is opened by the kernel, wherein the environment is the most basic environment of the whole system; then, a TEE os environment is set up, the TEE os provides safe storage, calling of trusted firmware equipment and deployment of a trusted program for an operating system under the condition of the overall wireless control scheme, and the purpose is to use a basic environment of trustzone technology under an arm platform; then, building a trustzone-based secure storage for storing relevant instructions or hardware information under the control of a black and white list; then deploying a driver layer and hardware equipment bottom layer operation dependence on the system, and completing deployment of the driver layer and the hardware equipment bottom layer api; then, a trusted application is deployed, wherein the trusted application is a program for implementing key-in of control data in a wireless device control scheme (the idea can be understood as an input method that data cannot be intercepted by other applications) and storing and querying of a black list and a white list; then, the interaction test of the secure monitor is completed, and the system state is confirmed to be normally available.
In this embodiment of the present application, the step of configuring the switch function of the wireless device on the ARM platform in step S2 includes the steps of:
deploying an application of a wireless device switch on the ARM platform;
calling an interface of a kernel subsystem as a unique trusted interface of the application program;
the root is disabled for gpio enabled and service node debug aspects of the device.
In the embodiment of the application, when the switch function of the wireless equipment is configured on the ARM platform, an application program of the wireless equipment switch is deployed at first, and the application program provides the only available switch interface under the control of the whole system; under the condition that a user opens wireless control, selinux calls an interface column of an rfkill subsystem through an application program to be a unique trusted interface, wherein the rfkill subsystem is used for solving the switch control of all wireless devices; under the wireless control condition, the permission of root to the aspects of gpio enabling, service node debugging of equipment and the like is forbidden, so that a single switch entrance of the whole system is ensured.
In this embodiment of the present application, the step S3 of configuring a kernel protocol-based wireless device connection management and control function on the ARM platform includes the steps of:
configuring connection management and control information on the ARM platform;
the connection information is sent to a trusted program used for inquiring the connection management and control information;
the background program provides connectable information by performing information matching on the black or white list;
the information is fed back to the user program and is sent to the authentication part of the kernel;
and finishing the judgment of the query information on the kernel space to finish the connection process.
In the embodiment of the application, when a wireless device connection management and control function based on a kernel protocol is configured on the ARM platform, firstly, a user configures connection management and control information, a program realizes the pull-up of a trusted environment program through a TEE client api, and the write-in operation of safe storage is completed through the key-in application of the trusted program; then, the user requests connection through the application, and the connection information is sent to a trusted program used for inquiring the connection management and control information; then, the background program provides connectable information by matching information of the black list or the white list, the connectable information is fed back to the user program, and the connectable information is directly sent to the authentication part of the kernel through a bottom library by selinux; then, the kernel space completes the judgment of the query information in the original connection authentication process, and if the connection is allowed in a control mode (namely in a white list or not in a black list), the connection can be performed; and if the control inquiry information feedback is not allowed to be connected, the connection is not allowed.
In this embodiment of the application, the step S4 of configuring the trustzone-based complete management and control function on the ARM platform includes the steps of:
a user program requests the ARM platform to use the NFC equipment;
calling the NFC equipment through an NFC driver;
and the NFC equipment completes NFC interaction.
In the embodiment of the application, when a trustzone-based complete control function is configured on the ARM platform, a user program requests the use of an NFC device, and a trusted environment program is pulled up through a TEE client api; then, the program confirms that the pull-up state is safe, the calling of the equipment is directly realized through NFC drive, and the whole operation is processed by the cpu of trustzone without being processed by REE os; and then the NFC interaction is completed, and the network synchronization or other modes of synchronization operation of the NFC synchronization information is completed through the user program.
In this embodiment of the application, the step S5 of configuring the infrared control function based on the kernel driver on the ARM platform includes the steps of:
configuring control taking information on the ARM platform;
the connection information is sent to a trusted program used for inquiring the connection management and control information;
the background program provides connectable information by performing information matching on the black or white list;
and finishing the judgment of the query information on the kernel space.
In the embodiment of the application, when an infrared control function based on kernel driving is configured on the ARM platform, firstly, a user configures connection control information, a program realizes the pull-up of a trusted environment program through a TEE client api, and the write-in operation of safe storage is completed through the key-in application of the trusted program, wherein the control information of infrared equipment is different from a protocol and is based on a coding mode; a user requests connection through an application, and connection information is sent to a trusted program used for inquiring connection management and control information; the background program provides connectable information by matching information of the black list or the white list, the connectable information is fed back to the user program and is directly sent to the drive part of the kernel through the bottom library by selinux; before the original process of driving information analysis, the kernel space completes the judgment of query information, and if analysis and connection are allowed in a control mode (namely in a white list or not in a black list), the query information can be connected; and if the control inquiry information feedback is not allowed to be connected, the connection is not allowed.
The method carries out design adjustment and function addition by adjusting the rfkill subsystem part of the linux kernel, the protocol part of the wireless equipment and the drive part of the wireless equipment (the specific equipment corresponding type relation is shown in figure 1), does not cause functional influence on the original kernel architecture, can ensure the normality of the original function, can also complete the realization of the wireless management and control function through the technical scheme, has the characteristics of strong portability, good compatibility and high stability, and also has higher safety; the secure data is written and inquired through the trustzone correlation technology, so that the interruption formed in the input process is not monitored by other programs, and a TEE os-based storage mode is merged into the scheme, thereby realizing higher security; the interaction process of the user space and the kernel space is controlled through selinux, and the interaction safety of the user space and the kernel space under the REE os condition is guaranteed.
It is to be understood that the above-described embodiments of the present invention are merely illustrative of or explaining the principles of the invention and are not to be construed as limiting the invention. Therefore, any modification, equivalent replacement, improvement and the like made without departing from the spirit and scope of the present invention should be included in the protection scope of the present invention. Further, it is intended that the appended claims cover all such variations and modifications as fall within the scope and boundaries of the appended claims or the equivalents of such scope and boundaries.