CN112329023A - Method for accelerating starting time by using Intel QuickAssist technology - Google Patents
Method for accelerating starting time by using Intel QuickAssist technology Download PDFInfo
- Publication number
- CN112329023A CN112329023A CN202011271792.8A CN202011271792A CN112329023A CN 112329023 A CN112329023 A CN 112329023A CN 202011271792 A CN202011271792 A CN 202011271792A CN 112329023 A CN112329023 A CN 112329023A
- Authority
- CN
- China
- Prior art keywords
- quickassist
- hash value
- intel
- firmware
- hardware
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 47
- 238000005516 engineering process Methods 0.000 title claims abstract description 32
- 238000004364 calculation method Methods 0.000 claims abstract description 10
- 230000006870 function Effects 0.000 claims description 3
- 238000012795 verification Methods 0.000 claims description 2
- 238000005259 measurement Methods 0.000 abstract description 3
- 238000010586 diagram Methods 0.000 description 2
- 230000001133 acceleration Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 230000006835 compression Effects 0.000 description 1
- 238000007906 compression Methods 0.000 description 1
- 238000004904 shortening Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/575—Secure boot
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/572—Secure firmware programming, e.g. of basic input output system [BIOS]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Stored Programmes (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention discloses a method for accelerating starting time by using an Intel QuickAssist technology, and belongs to the technical field of safe starting of UEFI firmware. The method expands the Intel QuickAssist technology to the UEFI firmware field, and changes the hash value calculation of the firmware image in the UEFI safe starting process from sequential execution to parallel execution by utilizing the QuickAssist technology, thereby saving the safe starting time. The invention calculates the hash value of the firmware image to be responsible for QuickAssist hardware, and skips the measurement of the firmware image when UEFI firmware is started, so that the sequential starting process is changed into a parallel starting process, thereby saving the starting time.
Description
Technical Field
The invention belongs to the technical field of safe starting of UEFI firmware, and particularly relates to a method for accelerating starting time by using an Intel QuickAssist technology.
Background
UEFI firmware enables more and more functionality to enhance the security of the boot. Thus, the boot performance becomes a serious challenge for the fast boot requirement of the Windows operating system. Secure boot requires measuring all firmware images and saving the computed hash value to the TPM device. This step usually takes 200-300 ms, which is about 10% of the total fast start time.
The usual solution is to perform a minimum of boot steps at fast boot, initializing only the necessary chipset and boot device. The complete start-up procedure is responsible for caching the necessary start-up device information for the subsequent fast start-up. In this way, the fast boot may only run the first boot option directly into the operating system without initializing other devices and providing system configuration, thereby speeding boot time. Existing fast boot, while optimizing boot-up procedures, does not remove critical boot-up procedures and still requires all firmware images to be measured to meet the requirements of a secure boot.
Disclosure of Invention
Aiming at the problems in the prior art, the technical problem to be solved by the invention is to provide a method for accelerating the starting time by using an Intel QuickAssist technology, the Intel QuickAssist technology is expanded to the UEFI firmware field, and the QuickAssist technology is used for changing the Hash calculation of the firmware image in the UEFI safe starting process from sequential execution to parallel execution, so that the safe starting time is saved.
In order to solve the problems, the technical scheme adopted by the invention is as follows:
a method for accelerating starting time by using an Intel QuickAssist technology expands the Intel QuickAssist technology into the field of UEFI firmware, and changes the Hash calculation of firmware images in the UEFI safe starting process from sequential execution to parallel execution by using the QuickAssist technology, thereby saving the safe starting time. The method specifically comprises the following steps:
(1) UEFI firmware carries out EFI pre-initialization, and then immediately inquires equipment resources; then judging whether QuickAssist hardware exists or not, if yes, entering the step (2), otherwise, completing system starting according to a conventional program;
(2) the method comprises the steps of opening a PCI channel for accessing hardware, distributing PCI system resources and DMA memory resources, then sending related commands, setting a matched hash algorithm, starting QuickAssist hardware, inquiring FV images needing to be executed on Flash, and sequentially reporting addresses of the FV images on the Flash to the QuickAssist hardware for hash calculation;
(3) the UEFI firmware continues to execute the PEI and the DXE, when the DXE phase is finished, the state of QuickAssist hardware is inquired, and if the hash value is already calculated, the step (4) is directly carried out; if the hash value is not calculated, inquiring the state of the QuickAssist hardware in a timed polling mode until the hash value is calculated, and then entering the step (4);
(4) and the UEFI firmware acquires the hash value and writes the hash value into the TPM equipment to complete the system starting work.
According to the method for accelerating the starting time by using the Intel QuickAssist technology, before the UEFI firmware is started, the hash value is not calculated, the UEFI firmware enters an idle mode, and the UEFI firmware waits continuously until the hash value is acquired.
The method for accelerating the starting time by using the Intel QuickAssist technology comprises the following conventional steps of: and sequentially carrying out a DXE operation stage and a BDS operation stage, then acquiring the hash value, writing the hash value into the TPM and finishing the starting work of the operating system.
The method for accelerating the starting time by using the Intel QuickAssist technology comprises the following steps of: hash/identity verification operations, SHA-1, MD5, SHA-224, SHA-256, SHA-384, SHA-512, respectively.
The method for accelerating boot time using Intel QuickAssist technology, the UEFI firmware calculates a hash value of a firmware image using SHA-1 or SHA-256.
According to the method for accelerating the starting time by using the Intel QuickAssist technology, the UEFI firmware runs in the continuous physical memory mapped by 1:1 and supports PCI equipment and DMA operation.
The method for accelerating the starting time by using the Intel QuickAssist technology has the duration of timing polling of 10 milliseconds.
Has the advantages that: compared with the prior art, the invention has the advantages that:
(1) the method uses the QuickAssist technology of Intel in UEFI firmware, the Hash calculation of the firmware image is given the responsibility of the QuickAssist hardware, and the UEFI firmware skips the measurement of the firmware image when starting, so that the sequential starting process is changed into the parallel starting process, thereby saving the starting time.
(2) The invention applies the Intel QuickAssist technology to calculate the firmware image hash value in parallel, can completely save the starting time required by the firmware image measurement, and achieves the aim of improving the whole safe starting time by 10 percent.
Drawings
FIG. 1 is a flow chart of a boot process using QuickAssist hardware;
FIG. 2 is a flow chart of a boot process without utilizing QuickAssist hardware.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with examples are described in detail below.
Example 1
A method for accelerating starting time by using an Intel QuickAssist technology is disclosed, wherein the Intel QuickAssist technology is expanded to the field of UEFI firmware, and the QuickAssist technology is used for changing the Hash calculation of firmware images in the UEFI safe starting process from sequential execution to parallel execution, thereby saving the safe starting time.
The intel QuickAssist technology provides hardware acceleration services for efficient encryption and compression performance. The symmetric cryptographic functions supported include hash/authentication operations (SHA-1, MD5, SHA-224, SHA-256, SHA-384, SHA-512). The hardware interface is asynchronous in nature and consists of multiple parallel engines (12 symmetrically encrypted intel communication chipsets 8955) supporting parallel computing. Direct access to data in DRAM using DMA is required during the computation and the data sent to the accelerator must be stored contiguously in physical memory.
The UEFI firmware uses SHA-1 or SHA-256 to compute a hash value for the firmware image. The UEFI firmware runs in 1:1 mapped contiguous physical memory and supports PCI device and DMA operations. Thus, the QuickAssist hardware can operate in a UEFI firmware environment. Once the QuickAssist hardware is enabled, the firmware image discovered by the UEFI firmware during boot-up may be reported to it immediately. Because the hardware interface of the QuickAssist is asynchronous, the UEFI firmware can continue to perform the boot process, and finally obtain the computed hash value from the QuickAssist hardware and write to the TPM device before loading the operating system. In most cases, the total number of all the firmware images to be measured is less than 10, and the firmware images can be processed by the QuickAssist multi-engine in parallel, thereby further shortening the starting time. The specific operation steps comprise the following steps:
(1) UEFI firmware carries out EFI pre-initialization, and then immediately inquires equipment resources; then judging whether QuickAssist hardware exists or not, if yes, entering the step (2), otherwise, completing system starting according to a conventional program;
(2) getting through a PCI channel for accessing hardware, allocating PCI system resources and DMA memory resources, then sending related commands, setting a matched hash algorithm, starting QuickAssist hardware, finally inquiring FV images needing to be executed on Flash, and sequentially reporting addresses of the FV images on the Flash to the QuickAssist hardware for hash calculation;
(3) the UEFI firmware continues to execute the PEI and the DXE, when the DXE phase is finished, the state of QuickAssist hardware is inquired, and if the hash value is already calculated, the step (4) is directly carried out; if the hash value is not calculated, inquiring the state of the QuickAssist hardware in a mode of regularly polling every 10 milliseconds until the hash value is calculated, and then entering the step (4);
(4) the UEFI firmware acquires the hash value and writes the hash value into the TPM equipment to complete the system starting work. Before the UEFI firmware is started, the hash value is not calculated, the UEFI firmware enters an idle mode, and the UEFI firmware continuously waits until the hash value is acquired.
While the flow diagrams of FIGS. 1 and 2 show the secure boot process without and with QuickAssist, FIG. 2 is a normal boot process, i.e., without the use of QuickAssist hardware, that requires waiting for each firmware image hash calculation before proceeding with the subsequent boot. FIG. 1 is a boot flow diagram using QuickAssist hardware, where the hash computation of the firmware image is handled by the QuickAssist hardware, thus skipping this step in the boot process. Intel provides the relevant library functions based on the application at the operating system level, and the application program can be called directly. However, UEFI firmware needs to re-implement the related calls and device initialization, as well as the allocation of DMA memory resources, and needs to maintain real-time synchronization with the QuickAssist hardware, ensuring that the firmware image hash value can be obtained from the QuickAssist hardware before the boot is completed.
Claims (8)
1. A method for accelerating starting time by using an Intel QuickAssist technology is characterized in that the Intel QuickAssist technology is expanded to the field of UEFI firmware, and the QuickAssist technology is used for changing the Hash calculation of a firmware image in the UEFI safe starting process from sequential execution to parallel execution, so that the safe starting time is saved.
2. The method for accelerating startup time using the intel QuickAssist technique as claimed in claim 1, further comprising the steps of:
(1) UEFI firmware carries out EFI pre-initialization, and then immediately inquires equipment resources; then judging whether QuickAssist hardware exists or not, if yes, entering the step (2), otherwise, completing system starting according to a conventional program;
(2) the method comprises the steps of opening a PCI channel for accessing hardware, distributing PCI system resources and DMA memory resources, then sending related commands, setting a matched hash algorithm, starting QuickAssist hardware, inquiring FV images needing to be executed on Flash, and sequentially reporting addresses of the FV images on the Flash to the QuickAssist hardware for hash calculation;
(3) the UEFI firmware continues to execute the PEI and the DXE, when the DXE phase is finished, the state of QuickAssist hardware is inquired, and if the hash value is already calculated, the step (4) is directly carried out; if the hash value is not calculated, inquiring the state of the QuickAssist hardware in a timed polling mode until the hash value is calculated, and then entering the step (4);
(4) and the UEFI firmware acquires the hash value and writes the hash value into the TPM equipment to complete the system starting work.
3. The method for accelerating boot time using intel QuickAssist technology as recited in claim 1, wherein the hash value has not been computed before the UEFI firmware boot ends, and the UEFI firmware will enter idle mode and wait until the hash value is obtained.
4. The method for accelerating boot time using intel QuickAssist technology as claimed in claim 1, wherein the routine procedure of system boot is: and sequentially carrying out a DXE operation stage and a BDS operation stage, then acquiring the hash value, writing the hash value into the TPM and finishing the starting work of the operating system.
5. The method of claim 1, wherein the symmetric cryptographic functions supported by the Intel QuickAssist technique comprise Hash/identity verification operations such as SHA-1, MD5, SHA-224, SHA-256, SHA-384, and SHA-512.
6. The method for accelerating boot time using intel QuickAssist technology as recited in claim 1, wherein the UEFI firmware uses SHA-1 or SHA-256 to compute a hash of the firmware image.
7. The method for accelerating boot time using intel QuickAssist technology as recited in claim 1, wherein the UEFI firmware runs in 1:1 mapped contiguous physical memory and supports PCI devices and DMA operations.
8. The method for accelerating startup time using intel QuickAssist technology as recited in claim 2, wherein the timed poll is 10 milliseconds long.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011271792.8A CN112329023B (en) | 2020-11-13 | Method for accelerating starting time by Intel QuickAssist technology |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011271792.8A CN112329023B (en) | 2020-11-13 | Method for accelerating starting time by Intel QuickAssist technology |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112329023A true CN112329023A (en) | 2021-02-05 |
| CN112329023B CN112329023B (en) | 2024-05-24 |
Family
ID=
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106909345A (en) * | 2015-12-22 | 2017-06-30 | 中电科技(北京)有限公司 | A kind of UEFI firmware implementation methods based on desktop computer |
| US20170270301A1 (en) * | 2016-03-15 | 2017-09-21 | Sumanth Vidyadhara | Systems And Methods Using Virtual UEFI Path For Secure Firmware Handling In Multi-Tenant Or Server Information Handling System Environments |
| CN108829599A (en) * | 2018-06-15 | 2018-11-16 | 郑州云海信息技术有限公司 | A kind of test method and system of the QuickAssist technical software based on Linux |
| CN109997140A (en) * | 2018-09-10 | 2019-07-09 | 深圳市汇顶科技股份有限公司 | Accelerate the low-power-consumption embedded equipment of clean boot from the sleep state of equipment using write-once register |
| CN110609708A (en) * | 2018-06-15 | 2019-12-24 | 伊姆西Ip控股有限责任公司 | Method, apparatus and computer program product for data processing |
| CN111859402A (en) * | 2020-07-30 | 2020-10-30 | 山东超越数控电子股份有限公司 | Safe boot method and device based on UEFI BIOS start |
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106909345A (en) * | 2015-12-22 | 2017-06-30 | 中电科技(北京)有限公司 | A kind of UEFI firmware implementation methods based on desktop computer |
| US20170270301A1 (en) * | 2016-03-15 | 2017-09-21 | Sumanth Vidyadhara | Systems And Methods Using Virtual UEFI Path For Secure Firmware Handling In Multi-Tenant Or Server Information Handling System Environments |
| CN108829599A (en) * | 2018-06-15 | 2018-11-16 | 郑州云海信息技术有限公司 | A kind of test method and system of the QuickAssist technical software based on Linux |
| CN110609708A (en) * | 2018-06-15 | 2019-12-24 | 伊姆西Ip控股有限责任公司 | Method, apparatus and computer program product for data processing |
| CN109997140A (en) * | 2018-09-10 | 2019-07-09 | 深圳市汇顶科技股份有限公司 | Accelerate the low-power-consumption embedded equipment of clean boot from the sleep state of equipment using write-once register |
| CN111859402A (en) * | 2020-07-30 | 2020-10-30 | 山东超越数控电子股份有限公司 | Safe boot method and device based on UEFI BIOS start |
Non-Patent Citations (1)
| Title |
|---|
| RAMAKESAVAN, S等: "Security acceleration, driver architecture and performance measurements for IntelEP80579 integrated processor with IntelQuickAssist technology", 《INTEL TECHNOLOGY JOURNAL》, vol. 13, no. 1, 1 January 2009 (2009-01-01), pages 66 - 73 * |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10032030B2 (en) | Trusted kernel starting method and apparatus | |
| US9881162B2 (en) | System and method for auto-enrolling option ROMS in a UEFI secure boot database | |
| US8010776B2 (en) | Adaptive system boot accelerator for computing systems | |
| US20170003956A1 (en) | Updating computer firmware | |
| WO2017166446A1 (en) | Vulnerability-fixing method and device | |
| US20110154010A1 (en) | Security to extend trust | |
| JP2015055898A (en) | Secure boot method, semiconductor device, and secure boot program | |
| WO2016126523A2 (en) | Authenticated control stacks | |
| CN101807152B (en) | Basic output and input system for self verification of selection read only memory and verification method thereof | |
| US8838952B2 (en) | Information processing apparatus with secure boot capability capable of verification of configuration change | |
| CN111338662A (en) | Firmware upgrading method and device for slave station and terminal | |
| US20200379748A1 (en) | Upgrading method and apparatus | |
| CN111079189B (en) | Information processing method, electronic equipment and computer readable storage medium | |
| CN113434202A (en) | Starting method and device of equipment, electronic equipment and computer storage medium | |
| CN111124508A (en) | Method and device for adjusting PXE (PCI extensions for instrumentation) starting sequence of network card | |
| US10318343B2 (en) | Migration methods and apparatuses for migrating virtual machine including locally stored and shared data | |
| CN114969713A (en) | Equipment verification method, equipment and system | |
| CN109213572B (en) | Credibility determination method based on virtual machine and server | |
| WO2018166322A1 (en) | Repairing method and device for system partition | |
| CN112329023B (en) | Method for accelerating starting time by Intel QuickAssist technology | |
| CN112329023A (en) | Method for accelerating starting time by using Intel QuickAssist technology | |
| CN106570402A (en) | Encryption module and process trusted measurement method | |
| CN112434278A (en) | Bare computer authentication method, apparatus, device and medium | |
| CN114625584A (en) | Test verification method and device for dynamic conversion of data transmission rate of solid state disk | |
| CN112783866A (en) | Data reading method and device, computer equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant |