CN112597505B - Credibility measuring method, control method, processor, chip, device and medium - Google Patents

Info

Publication number: CN112597505B
Authority: CN (China)
Legal status: Active
Application number: CN202011605143.7A
Other languages: Chinese (zh)
Other versions: CN112597505A
Inventors: 白兆伟, 应志伟, 陈善
Current assignee: Haiguang Information Technology Co Ltd
Original assignee: Haiguang Information Technology Co Ltd
Events: application filed by Haiguang Information Technology Co Ltd; priority to CN202011605143.7A; published as CN112597505A; application granted and published as CN112597505B.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
            • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
        • G06F21/60 Protecting data
            • G06F21/602 Providing cryptographic facilities or services
            • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The embodiments of this application provide a trusted measurement method, a control method, a processor, a chip, a device and a medium. An original measurement reference library used for trusted verification of measured objects is imported in advance into a preset nonvolatile storage space. When the agent module discovers a target measured object, it forms a measurement command that triggers the security processor to perform a measurement calculation over the measured data of that object. The resulting measurement information is then verified against the original expected measurement information obtained from the original measurement reference library, or against expected measurement information obtained by updating it, to produce a verification result. This realizes a secure, reliable and active trusted measurement scheme.

Description

Credibility measuring method, control method, processor, chip, device and medium
Technical Field
The embodiments of this application relate to the technical field of data security, and in particular to a trusted measurement method, a control method, a processor, a chip, a device and a medium.
Background
Integrity is a primary form of computer data security: it means that the content of the data has not been tampered with.
Integrity can be classified into three types according to the phase the data object is in. When a data object resides on a non-volatile storage medium (such as a magnetic disk, flash memory or optical disc), its integrity may be called "storage integrity"; when a data object is being loaded from a non-volatile storage medium into memory, its integrity may be called "integrity at load time"; when a data object is running in the memory of a host, its integrity may be called "run-time integrity".
Storage integrity has been handled with stronger check algorithms such as MD5.
Integrity at load time can be verified through static measurement. Measurement proceeds step by step from a Root of Trust for Measurement (RTM): the component started first measures the component started in the next stage, and successful verification of the measurement value marks the successful hand-over of the trust chain from the previous stage of software to the next. The RTM in static measurement must be the code executed in the very first stage after the computer is restarted (generally the BIOS boot code or code in a ROM), so static measurement requires the computer to be restarted every time the trust chain is established.
To achieve integrity even while the computer is operating normally, verification can be performed through dynamic measurement, in which the Central Processing Unit (CPU) itself serves as the root of trust for measurement to establish the trust chain. This requires a special CPU hardware architecture (for example, a new instruction set) to support dynamic measurement, such as Intel's Trusted Execution Technology (TXT) and AMD's Secure Virtual Machine (SVM) technology.
However, none of the above measurement methods gives deep consideration to the resources and efficiency that measurement calculation requires. For example, the larger a computer system is, the more data objects need to be measured, and how to balance the efficiency and security of measurement becomes a considerable problem.
Furthermore, existing static and dynamic measurement have certain shortcomings: there is no check comparable to MD5 when "integrity at load time" and "run-time integrity" are considered; static measurement requires the data object to be statically fixed, and has the inherent drawback that the computer must be restarted every time a measurement is performed; and dynamic measurement is not generic, because it depends on a specific CPU architecture (for example, Intel or AMD CPUs), and is complex, because it requires a software programming model that changes the data object being measured.
Disclosure of Invention
In view of this, the embodiments of this application provide a trusted measurement method, a control method, a processor, a chip, an apparatus and a medium that solve the problems of the prior art.
An embodiment provides a trusted measurement method applied to a security processor. An original measurement reference library used for trusted verification of measured objects is imported in advance into a preset nonvolatile storage space. The trusted measurement method comprises the following steps: in response to a measurement command, acquiring the measured data of the corresponding target measured object and placing it in an unmeasured queue; selecting the measured data of a target measured object from the unmeasured queue and performing a measurement calculation to generate measurement information; performing trusted verification of the measurement information of the target measured object against the original expected measurement information obtained from the original measurement reference library, or against expected measurement information obtained by updating it, to obtain a trusted verification result; and sending a command corresponding to the trusted verification result.
Optionally, the nonvolatile storage space includes a secure storage space configured for the security processor and a non-secure storage space outside it. If the data size of the original measurement reference library does not exceed the secure storage space, the whole library is placed in the secure storage space; otherwise, the part of the library exceeding the secure storage space is encrypted into ciphertext by the security processor and imported into the non-secure storage space.
Optionally, the ciphertext carries an electronic signature produced by the security processor.
Optionally, the data of the original measurement reference library held in the secure storage space is compressed.
Optionally, the original measurement reference library includes a field storing the expected measurement information of each measured object. Verifying the measurement information of the target measured object against the original expected measurement information, or against expected measurement information obtained by updating it, then comprises: comparing the generated measurement information with the expected measurement information; if they match, the target measured object is found trusted; otherwise, it is found not trusted.
Optionally, the trusted measurement method includes loading the target information of a target measured object from the original measurement reference library into a memory reference library in secure memory, so that trusted verification is performed using the memory reference library. The target information is the information item of the measured object in the original measurement reference library, or the segment in which that information item is located.
Optionally, the original measurement reference library is stored according to a page table, and the segment information is the page table.
Optionally, an index structure for indexing the measured objects is established in the memory reference library; the index structure contains the object identifier of each measured object together with index information for its associated target information.
Loading the target information of a target measured object from the original measurement reference library into the memory reference library in secure memory then includes: matching the associated index information in the index structure according to the object identifier of the target measured object, and querying the target information according to the matched index information.
Optionally, when neither the memory reference library nor the part of the original measurement reference library held in the secure storage space contains the target information of the target measured object, the security processor sends a load request command to the outside, requesting the target information corresponding to the index information from the part of the original measurement reference library held in the non-secure storage space.
Optionally, the measurement command includes the memory address information of the target measured object, and acquiring the measured data of the corresponding target measured object in response to the measurement command comprises reading the measured data according to that memory address information.
Optionally, the trusted measurement method includes performing, in the memory reference library, the operation specified by a received information item operation command on the information item of the measured object it names; the operations include at least one of adding, deleting and updating information items.
Optionally, the measured data of each measured object is selected from the unmeasured queue according to a measurement scheduling policy, which is at least one of a fair scheduling policy and a sequential scheduling policy. In the fair scheduling policy, several unmeasured queues are formed and each is given a priority; measured data in a higher-priority unmeasured queue is selected in preference to data in lower-priority queues; the measured data of each measured object is granted a smaller maximum calculation time in a higher-priority queue; and a measured object that uses up its maximum calculation time in a higher-priority queue is moved to a lower-priority unmeasured queue to wait. In the sequential scheduling policy, measured object information is selected from the unmeasured queue in first-in, first-out order.
Optionally, the fair scheduling policy further includes at least one of the following sub-policies. Sub-policy 1: the measured data of the measured objects in the lowest-priority unmeasured queue is selected in rotation. Sub-policy 2: after every preset period of time, every remaining measured object is placed in the highest-priority unmeasured queue. Sub-policy 3: when no measured object remains in the unmeasured queues, the unmeasured queue for the next stage of measurement is set up from the measured queue, so that the next round of measurement can proceed; the measured queue holds the measured information of each measured object whose trusted verification result is trusted.
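As an added example (not the patent's own code), the fair scheduling policy and its three sub-policies modelled in Python as a multilevel feedback queue over measured objects. The time quanta, work costs and boost period are constructed values, and the trusted or not-trusted outcome of each object is assumed rather than computed.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class MeasuredObject:
    oid: str
    remaining: int        # measurement work still to do, in abstract time units
    trusted: bool = True  # constructed outcome of trusted verification (assumed here)


class FairScheduler:
    """One unmeasured queue per priority level (index 0 is highest), a smaller
    maximum calculation time per turn at higher levels, demotion of an object
    that uses up its time, round-robin at the lowest level (sub-policy 1),
    periodic promotion of all remaining objects to the top level (sub-policy 2)
    and a measured queue that seeds the next round (sub-policy 3)."""

    def __init__(self, quanta, boost_period):
        self.quanta = quanta                     # max calculation time per level
        self.queues = [deque() for _ in quanta]  # unmeasured queues by priority
        self.boost_period = boost_period
        self.measured = []                       # measured queue: trusted objects
        self.clock = 0

    def submit(self, obj):
        self.queues[0].append(obj)  # new objects enter the highest-priority queue

    def step(self):
        """Run one scheduling turn; returns (oid, level, time used) or None."""
        for level, queue in enumerate(self.queues):
            if queue:
                obj = queue.popleft()
                break
        else:
            return None
        used = min(self.quanta[level], obj.remaining)
        obj.remaining -= used
        before, self.clock = self.clock, self.clock + used
        if obj.remaining == 0:
            if obj.trusted:  # only trusted results enter the measured queue
                self.measured.append(obj)
        else:
            # time used up: demote one level, or rotate at the lowest level
            self.queues[min(level + 1, len(self.queues) - 1)].append(obj)
        if self.clock // self.boost_period > before // self.boost_period:
            self._boost()    # sub-policy 2: a preset period has elapsed
        return obj.oid, level, used

    def _boost(self):
        for queue in self.queues[1:]:
            while queue:
                self.queues[0].append(queue.popleft())

    def run(self):
        trace = []
        while any(self.queues):
            trace.append(self.step())
        return trace

    def next_round(self, cost):
        """Sub-policy 3: rebuild the unmeasured queue from the measured queue."""
        for obj in self.measured:
            obj.remaining = cost
            self.submit(obj)
        self.measured = []
        return len(self.queues[0])


def demo_fair():
    # Constructed workload: small, medium and large objects; the large one fails verification
    s = FairScheduler(quanta=(2, 4, 8), boost_period=100)
    for obj in (MeasuredObject("small", 2), MeasuredObject("medium", 5),
                MeasuredObject("large", 20, trusted=False)):
        s.submit(obj)
    trace = s.run()
    completed = [o.oid for o in s.measured]
    return {"trace": trace, "completed": completed, "next_round_size": s.next_round(cost=3)}


def demo_boost():
    # Constructed workload showing the periodic promotion of sub-policy 2
    s = FairScheduler(quanta=(2, 4, 8), boost_period=5)
    s.submit(MeasuredObject("A", 10))
    s.submit(MeasuredObject("B", 10))
    trace = s.run()
    return {"trace": trace, "completed": [o.oid for o in s.measured]}
```

In demo_fair the small and medium objects finish before the large one has used more than its first two short slices, which is the fairness the policy is after; in demo_boost object A is returned to level 0 after its demotion when the boost period elapses.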
Optionally, the trusted measurement method includes purging the corresponding measured object in response to an end measurement command.
Optionally, the measured object is selected from data objects whose content does not change in memory at run time.
Optionally, the trusted measurement method includes verifying the authorization information in each received command and executing the command only if the verification passes.
An embodiment provides a measurement control method applied to an agent module that communicates with system software and with a security processor. An original measurement reference library for trusted verification of measured objects is imported in advance into a preset nonvolatile storage space. The measurement control method comprises: triggered by the discovery of a target measured object, sending a measurement command corresponding to that object to the security processor; and acquiring a notification of the trusted verification result corresponding to the target measured object.
Optionally, the measurement control method includes sending a library import command to the security processor to trigger it to import the original measurement reference library into the nonvolatile storage space.
Optionally, the measurement control method includes providing, in response to a load request command from the security processor, target information about the measured object from the part of the original measurement reference library located in the non-secure storage space of the nonvolatile storage space.
Optionally, the measurement command includes the object identifier of the target measured object and the memory address information of its measured data.
Optionally, each measured object has an object identifier, calculated from the file path information of the measured object.
Optionally, the measurement control method includes sending an information item operation command for the information item of a measured object to the security processor, to trigger the corresponding operation in the memory reference library; the operations include at least one of adding, deleting and updating information items.
Optionally, the measurement control method includes sending a policy setting command when the security processor starts up, to set the measurement policy of the security processor.
Optionally, the measurement control method includes sending a measurement failure alarm command to the system software when the trusted verification result is not trusted.
Optionally, the measurement control method includes sending an end measurement command to the security processor when a measured object is removed.
Optionally, each command sent by the agent module to the security processor includes authorization information, so that the validity of the command can be verified.
An embodiment provides a trusted measurement apparatus applied to a security processor, where an original measurement reference library used for trusted verification of measured objects is imported in advance into a preset nonvolatile storage space. The trusted measurement apparatus comprises: an acquisition module for acquiring, in response to a measurement command, the measured data of the corresponding target measured object and placing it in the unmeasured queue; a measurement calculation module for selecting the measured data of a target measured object from the unmeasured queue and performing the measurement calculation to generate measurement information; a trusted verification module for verifying the measurement information of the target measured object against the original expected measurement information obtained from the original measurement reference library, or against expected measurement information obtained by updating it, to obtain a trusted verification result; and a communication module for sending a command corresponding to the trusted verification result.
An embodiment provides a measurement control apparatus applied to an agent module that communicates with system software and with a security processor, where an original measurement reference library for trusted verification of measured objects is imported in advance into a preset nonvolatile storage space. The measurement control apparatus comprises: a command processing module for sending a library import command to the security processor, to trigger it to import the original measurement reference library into the nonvolatile storage space, and for sending, triggered by the discovery of a target measured object, a measurement command corresponding to that object to the security processor; and a receiving module for acquiring a notification of the trusted verification result corresponding to the target measured object.
An embodiment provides a security processor configured to run an executable program that performs any of the trusted measurement methods described above.
An embodiment provides a main processor communicatively connected to a security processor and configured to run an executable program that implements an agent module loaded in system software, where the agent module performs any of the measurement control methods described above.
An embodiment provides a processor chip whose package includes the security processor and the main processor, communicatively connected to each other.
An embodiment provides a computer apparatus including either the processor chip, or a security system comprising the security processor and the main processor communicatively connected to each other.
An embodiment provides a computer-readable storage medium storing an executable program which, when executed, performs the trusted measurement method, or implements an agent module installed in system software that performs any of the measurement control methods.
Compared with the prior art, the technical scheme of the embodiments has the following beneficial effects:
On the one hand, the security processor can update the information item of a given measured object in the memory reference library according to the information about that object carried in a command (such as a measurement command). This realizes active measurement initiated from outside the security processor, makes the measurement mode more flexible and richer, improves measurement efficiency when combined with dynamic measurement and thus the efficiency of the computer device, and, because the security processor performs the measurement, takes the security and reliability of measurement into account.
On the other hand, the original measurement reference library used for trusted measurement is stored securely in the nonvolatile storage medium, which guarantees its security. Specifically, the nonvolatile storage medium may include a pre-configured secure storage space and may also include a non-secure storage space; for a large original measurement reference library, the part exceeding the secure storage space can be stored in encrypted form in the non-secure storage space. This meets both the security and the capacity requirements of the original measurement reference library without enlarging the existing secure storage space, saves the limited secure storage resources of the security processor, and efficiently supports trusted measurement of systems with a large number of measured objects.
Further, when measured objects are scheduled, a fair scheduling policy can be adopted, which helps distribute the computing resources of the security processor fairly among the data objects and makes more reasonable use of those resources.
Further, the security processor must verify the authorization information in each command obtained from the agent module and executes the command only after the verification passes, which provides good security.
Further, the data objects can be selected from any type whose content does not change while the operating environment runs, without being limited to the existing static and dynamic measurement modes, which gives better universality.
Further, the agent module can exist as a component embedded in the system software; it can be lightweight, is easy to port between different system-level software, and does not depend on a specific processor hardware architecture.
Drawings
Fig. 1 shows a schematic view of an application scenario in an embodiment of the present application.
Fig. 2 shows a flowchart of a trust metric interaction flow in an embodiment of the present application.
Fig. 3 shows a schematic diagram of importing an original measurement reference library into a non-volatile storage space in an embodiment of the present application.
Fig. 4 shows a schematic diagram of the data format of an original measurement reference library in an embodiment of the present application.
Fig. 5 shows a schematic structural diagram of an index structure in an embodiment of the present application.
Fig. 6 is a schematic diagram illustrating a process of importing a corresponding target measured object into a memory reference library according to an embodiment of the present application.
Fig. 7 shows an exemplary diagram of a sequential scheduling policy in an embodiment of the present application.
Fig. 8 shows an exemplary diagram of a fair scheduling policy in an embodiment of the present application.
Fig. 9 shows a functional block diagram of a measurement system in an embodiment of the present application.
Fig. 10 shows a functional block diagram of the agent module in the embodiment of the present application.
Fig. 11A to 11C show schematic diagrams of an example of a credibility measurement process in an embodiment of the present application.
Fig. 12 shows a functional block diagram of a trusted measurement apparatus in an embodiment of the present application.
Fig. 13 shows a functional block diagram of a measurement control apparatus in an embodiment of the present application.
Detailed Description
In view of the various problems of the prior art, the embodiments of this application provide a trusted measurement scheme capable of solving them.
Fig. 1 is a schematic diagram of an application scenario in an embodiment of this application.
This application scenario presents the architecture of a computer device. At the hardware level, the computer device includes a main processor 11, a secure processor 12, volatile memory and non-volatile memory. The computer device may be implemented, for example, as a server or other device.
The main processor 11 is communicatively coupled to the secure processor 12. The main processor 11 is the processor mainly responsible for running and processing tasks in the computer device, such as a Central Processing Unit (CPU); the secure processor 12 is a coprocessor that assists in achieving data security during operation, for example secure encryption and restricted access. The secure processor 12 may be more privileged than the main processor 11, so that its hardware and software resources, such as memory resources, can be securely isolated from the main processor 11.
In some examples, the main processor 11 and the secure processor 12 may use processors of the same architecture, for example both a 32-bit or 64-bit x86 architecture; alternatively, different architectures may be used, for example the main processor 11 may be a 32-bit or 64-bit x86 processor and the secure processor 12 an ARM architecture processor, an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or the like.
In some examples, the volatile memory may be implemented as the memory of the computer device, partitioned into a non-secure memory space 14 and a secure memory space 13. The non-secure memory space 14 is accessible to both the main processor 11 and the secure processor 12; the secure memory space 13 is accessible only to the secure processor 12, and may be invisible to the main processor 11 or hold its data encrypted.
In some examples, the non-volatile memory may be distributed across the main processor 11 side and the secure processor 12 side. In a specific implementation, the non-volatile memory on the main processor 11 side may include a hard disk or other storage device accessible to the main processor 11, and the non-volatile memory on the secure processor 12 side may be storage dedicated to the secure processor 12, inside or outside it. The non-volatile memory on the secure processor 12 side is securely isolated from the main processor 11 (for example invisible to it, or with its data encrypted) and can therefore be called the secure storage space 15. The non-volatile memory on the main processor 11 side, such as a hard disk, is accessible to both the secure processor 12 and the main processor 11 and is not securely isolated from the main processor 11, so it can be called the non-secure storage space 16; in particular, the secure processor 12 may access the non-volatile memory connected to the main processor 11 through the main processor 11.
At the software level, the main processor 11 may run system software in the non-secure memory space, where system software means software running directly on the computer platform hardware with full control over it, such as the kernel mode of an operating system, a BIOS program or an embedded operating system. Application software may additionally be installed on top of operating-system-type system software.
In one implementation, the main processor 11 may embed an agent module 18 in an operating system 19 running in the non-secure memory space; for security, the agent module may be embedded in the kernel of the operating system. The secure processor 12 may implement its measurement function through hardware circuitry or a combination of hardware and software; for example, the secure processor 12 may execute an executable program (such as firmware or another program) in the secure memory space 13 to implement the measurement system 17. The agent module 18 acts as the agent of the secure processor 12 in its external environment and interacts with the secure processor 12 (that is, with the implemented measurement system 17) to assist it in performing trusted measurement of the operating environment of the computer device. For brevity, the following is described as an interaction between the agent module and the secure processor 12.
Specifically, when system software and application software run, the relevant measured objects may be loaded into memory; the agent module 18 detects the operation of a measured object and interacts with the secure processor 12 to complete the trusted measurement of that object.
To make the measured object generic, in some examples the measured object may be selected from any object whose content does not change while it is in memory at run time, whether at a physical or a virtual address: for example, an object running directly on hardware, such as a PEIM or DXE driver in the Unified Extensible Firmware Interface (UEFI); most objects in the linear address space of the Linux kernel; or locked data objects in the user space of memory.
To illustrate a specific implementation of trusted measurement, Fig. 2 is a schematic flow diagram of the trusted measurement interaction between the agent module and the security processor in an embodiment of this application. At the software level, the security processor communicates with the agent module through the measurement system it implements, but for a more intuitive description this embodiment treats the security processor directly as the party interacting with the agent module. The security processor may import the original measurement reference library used for trusted verification of measured objects into the nonvolatile storage space in advance; optionally, this import may be triggered by a library import command sent by the agent module.
The credibility measurement interaction process comprises the following steps:
Step S201: triggered by the monitored measured object, the agent module sends a measurement command corresponding to the measured object to the security processor;
Step S202: in response to the measurement command, the security processor obtains the measured data of the corresponding target measured object and places the measured data in the unmeasured queue;
Step S203: the security processor selects measured data of a target measured object from the unmeasured queue and performs measurement calculation to generate measurement information;
Step S204: the security processor performs trusted verification on the measurement information of the target measured object according to original expected measurement information obtained from the original measurement reference library, or expected measurement information obtained by updating the original expected measurement information, to obtain a trusted verification result;
Step S205: the security processor sends a command corresponding to the trusted verification result;
Step S206: the agent module acquires the command corresponding to the trusted verification result.
In a specific implementation, the original metric reference library contains reference information for each measured object, which serves as the comparison standard in trusted verification.
Alternatively, the original metric reference library need not be created and stored in advance; instead, when an administrator (for example, the administrator of the computer device) creates the original metric reference library, the library import command triggers the security processor to write the information items of the original metric reference library into the nonvolatile storage space in batch.
As shown in fig. 3, in order to keep the raw metric reference library 31 isolated and securely stored from the outside of the secure processor, its data may preferentially be imported into the secure storage space 32 of the secure processor. However, in practical scenarios the secure memory resource and the non-volatile secure storage space 32 of the secure processor are very limited (for example, several MB in size), while a large system has many objects to be measured (for example, 100,000 or more), so the corresponding raw metric reference library becomes huge and the non-volatile secure storage space 32 of the secure processor may not accommodate the whole raw metric reference library 31 at once. To solve this problem, after a part 311 of the raw metric reference library 31 has filled the secure storage space 32, the excess part 312 is encrypted and stored in a non-secure storage space 33, for example a hard disk on the host processor side.
The secure processor may encrypt the data of the raw metric reference library 31 to be imported into the non-secure storage space 33, so that the host processor, although it has access to the non-secure storage space 33, sees only ciphertext for that portion of the data. Optionally, the secure processor may further attach an electronic signature to the ciphertext of that portion of data for tamper resistance.
It can be understood that, since the size of the reference library is proportional to the number of measured objects, while the secure storage resource of the secure processor itself is very limited, it is difficult to accommodate a growing number of measured objects. By the method of the above embodiment, the non-volatile storage that the secure processor can use to store the raw metric reference library is extended from its inherent secure storage space to a non-secure storage space (e.g., hard disk space), so that the storage resource of the secure processor does not have to be enlarged to meet the storage requirement of the raw metric reference library, and cost is reduced.
Alternatively, to save the secure memory resources of the secure processor itself, the data of the raw metric reference library in the secure memory space may be compressed, using a lightweight compression algorithm such as zlib.
Fig. 4 is a schematic diagram showing a data format of the raw metric reference library in the embodiment of the present application.
In some examples, the data in the raw metric reference library may be stored in the form of page tables, and each page table may store N information items, for example N = 8.
Each information item in each page table includes a number of fields, as illustrated, including an object identifier and expected metric information. The object identifier indicates the measured object to which the information item belongs, and the expected metric information serves as the comparison standard in trusted verification.
In a possible implementation, the object identifier may be generated from some feature information of the measured object, preferably fixed information that does not change, such as a physical address or the absolute file path of the file associated with the object (e.g., a file path such as a\bc\d.dll), and the corresponding object identifier may be calculated from the feature information by, for example, a hash algorithm.
Optionally, the plurality of fields may further include flag bits; there may be one or more flag bits, including at least one of: a storage location flag bit; and a metric algorithm flag bit.
For example, the value of the storage location flag bit indicates the storage location of the information item: "00" indicates storage in the secure storage area of the secure processor, and "01" indicates storage in the hard disk on the host processor side.
For another example, the value of the metric algorithm flag bit indicates the algorithm used to calculate the expected metric information: "00" represents the SM3-256 algorithm and "01" represents the SHA256 algorithm. SM3-256 is the Chinese national cryptographic hash function standard used to generate a message digest, where 256 means the computed digest is 256 bits; SHA256 is one of the international secure hash algorithm standards for generating a message digest, where 256 likewise means the computed digest is 256 bits. It should be understood that only some of the usable hash algorithms are listed here; they may be changed according to the actual situation and are not limited to these examples.
It should be noted that the data format of the raw metric reference library in the example of fig. 4 is only an example; fields may be added or deleted according to actual needs, without limitation.
In step S201 of fig. 2, when a target measured object appears, the agent module can monitor it and accordingly generate and send a measurement command that triggers the measurement calculation. In an alternative example, the target measured object may be data of system software, application software, or other software which, when opened, causes the corresponding target measured object to be loaded into memory. In a specific implementation example, the agent module may learn of this by monitoring the opening of the file corresponding to the target measured object; for example, the agent module may register its callback interface with the file system of the system software (operating system), so that when the file is opened the agent module is notified of the opening. Alternatively, in other examples, the agent module may become aware of the object by scanning memory through the system software.
In some examples, the measurement command may include the object identifier of the target measured object and memory address information for the measured data of the target measured object. In a specific example, the memory address information may be the physical address range of the measured data in memory, which may be implemented as a set of multiple contiguous or non-contiguous physical memory regions, or as a physical memory start address plus an address offset, and the like.
In some examples, corresponding to step S202, the secure processor may load the raw metric reference library from the non-volatile storage space into its secure memory space to form a memory reference library. On one hand, compared with reading from a nonvolatile storage space such as a hard disk, once the library is loaded into memory the trust measurement operates faster on the memory reference library; on the other hand, the memory reference library in memory can be modified flexibly without modifying the data of the original measurement reference library in the nonvolatile storage space, so that the reference information of a measured object can be actively modified and the trust measurement performed according to the modified reference information, taking into account both the integrity of the original measurement reference library's data and the updating of the trust measurement reference.
In some examples, to limit the space occupied by the memory reference library, only the target data related to the target measured object may be loaded from the original measurement reference library, where the target data may be the information item of the target measured object in the original measurement reference library or the fragment of information in which that item is located; loading only the target measured object saves secure memory space, reduces the amount of data read, and improves the operating efficiency of the secure processor.
In a specific implementation, whether to load the information item or the fragment information in which the information item is located may be chosen by balancing the number of information items against the space capacity of the secure memory. For example, if there are many information items, the fragment information may be loaded. As mentioned above, the raw metric reference library may be stored in the form of page tables, and the fragment information may be a page table, so that when fragment information is loaded the unit of loading is a page table. For another example, if the total number of information items is small, the information item may be taken as the unit of loading.
As shown in fig. 5, the memory reference library may be accompanied by an indexing mechanism 50 for indexing the measured objects. The indexing mechanism 50 may be, for example, a tree structure, and each node 51 in the indexing mechanism 50 holds an object identifier (such as ID_0 and ID_8 in the figure) and the index information of the corresponding measured object; the index information indexes the target information, i.e., the information item or fragment information, of the measured object in the original measurement reference library. In a possible example, the object identifiers of all measured objects in the original metric reference library may be placed in the nodes 51 of the indexing mechanism 50 in advance.
Therefore, by matching the object identifier of the target measured object in the measurement command against each node 51 of the indexing mechanism 50, when the identifier is matched in some node 51 the corresponding index information can be obtained, the target information obtained according to the index information, and the target information imported into the memory reference library. In the case that the fragment information is a page table, the index information may be the table sequence number of the page table (for example, table_0 and table_1 in the figure). Optionally, the table sequence numbers may be generated in order of time; for example, the secure processor scans each page table in the nonvolatile storage space one by one, and the table sequence numbers are then allocated according to the order in which the page tables are scanned, so that the first scanned page table is allocated sequence number Table0, the second Table1, and so on.
For example, if the object identifier of the target measured object included in the measurement command is A, the identifier A is matched in the indexing mechanism 50; if the identifier held by some node 51 matches A and the index information in that node 51 is table1, then table1 is loaded into the memory reference library accordingly.
In some examples, the indexing mechanism 50 may be implemented as a red-black tree (red and black nodes are drawn in black and white, respectively, in fig. 5). A red-black tree is a self-balancing binary search tree, so its search-time complexity is better than that of a table, namely O(log N), where N is the number of nodes 51. For example, if there are 10 thousand measured objects, at most 5 comparisons are needed to locate one.
In an actual example, the indexing mechanism 50 may be organized in the secure memory space in advance according to all measured objects; when the secure processor receives a measurement command sent by the agent module, the object identifier of the target measured object in the measurement command is matched against each node 51 of the indexing mechanism 50, and if it matches, the fragment information of the original measurement reference library in the nonvolatile storage space is obtained according to the corresponding index information and loaded into the memory reference library.
If no match is found in the indexing mechanism 50, the raw metric reference library needs to be loaded from the non-volatile storage space. The data of the raw metric reference library in the secure storage space may be loaded directly into the memory reference library by the secure processor, whereas for the data of the raw metric reference library in the non-secure storage space, such as the data on the hard disk, the secure processor may not be connected to the hard disk through an I/O interface and so has no way to access the data directly; instead, the data needs to be obtained through the main processor. Of course, in other examples, if the secure processor can directly access the hard disk to read the data, it may not be necessary to obtain the data via the main processor.
Fig. 6 is a schematic flow chart illustrating the process of importing the corresponding target measured object into the memory reference library according to the embodiment of the present application.
The process comprises the following steps:
Step S601: if the index structure has been established, the security processor may match the object identifier of the target measured object in the index structure.
In a specific implementation, the object identifiers and index information of all measured objects should be introduced into the index structure, so that under normal conditions the object identifier of a target measured object can be matched with the same object identifier in the index structure. However, the case in which no match is found is not excluded: when the external original metric reference library has been updated but the original metric reference library in the nonvolatile storage space has not yet been updated, the object identifier of a newly added target measured object may not be matched; in that case, only the original metric reference library in the nonvolatile storage space needs to be updated accordingly, which is not expanded on here. The flow mainly shows the loading of the target information.
Step S602: query the target information (i.e., the information item or fragment information) in the page table space of the memory reference library according to the index information associated with the matched object identifier; if it is found, the subsequent trust measurement calculation can be executed; if it is not found, step S603 is executed.
Step S603: query the target information in the secure storage space according to the index information; if it is found, go to step S604; if it is not found, execute step S605;
if it is not found there, the target information may be in the part of the original measurement reference library located in the non-secure storage space.
Step S604: load the target information into the memory reference library;
Step S605: send a load request command to the agent module to request the target information corresponding to the index information from the part of the original measurement reference library located in the non-secure storage space;
where the load request command may include the index information, and the agent module may perform the query by communicating with system software, such as the operating system kernel.
Likewise, under normal conditions, if the data of the original measurement reference library stored jointly in the non-secure storage space and the secure storage space is complete, and the original measurement reference library and the target measured object are not of mismatched versions, the target information can be found.
Step S606: the agent module sends the found target information to the security processor;
Step S607: the security processor loads the found target information into the memory reference library.
In a specific implementation, the target information from the non-secure storage space may take the form of ciphertext with an electronic signature; the secure processor needs to verify the electronic signature and decrypt the ciphertext to obtain the plaintext, and then loads the plaintext into the memory reference library.
In some examples, the fields of the information items of each measured object in the memory reference library may or may not be identical to those in the original measurement reference library.
In some examples, the agent module may further send an information item operation command to the security processor, where the information item operation command contains an information item of a measured object (i.e., an object identifier, expected measurement information, and so on) and triggers the security processor to perform the corresponding operation on the memory reference library according to that information item, the operations including addition, deletion and update of information items.
For example, the information item of a measured object in the memory reference library has object identifier A and expected measurement information B; the agent module sends an information item operation command containing object identifier A and expected measurement information C, and the security processor accordingly modifies the expected measurement information of that information item in the memory reference library from B to C.
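The page-table item layout of fig. 4 and the three-tier lookup of fig. 6, modelled in Python as an added example (this is not the patent's or the assignee's code). The byte layout, the packing of both flags into one byte, the dict standing in for the red-black tree index, and the placeholder keystream cipher plus HMAC used for the encrypted, signed overflow part are all assumptions.

```python
import hashlib
import hmac
import struct

# Flag-bit values as given in the description of fig. 4
LOC_SECURE, LOC_HOST_DISK = 0b00, 0b01   # storage location flag bits
ALG_SM3_256, ALG_SHA256 = 0b00, 0b01     # metric algorithm flag bits
ITEMS_PER_TABLE = 8                      # N = 8 information items per page table
ITEM_FMT = ">32sB32s"                    # object id | flag byte | expected metric (assumed layout)
ITEM_SIZE = struct.calcsize(ITEM_FMT)

def object_id(feature: str) -> bytes:
    """Object identifier derived from fixed feature information, e.g. an absolute file path."""
    return hashlib.sha256(feature.encode()).digest()

def digest(alg: int, data: bytes) -> bytes:
    """Metric calculation selected by the algorithm flag bits (SM3 needs OpenSSL support)."""
    return hashlib.new({ALG_SM3_256: "sm3", ALG_SHA256: "sha256"}[alg], data).digest()

def pack_item(oid: bytes, loc: int, alg: int, expected: bytes) -> bytes:
    # Packing both flags into one byte (location in bits 3-2, algorithm in bits 1-0) is assumed.
    return struct.pack(ITEM_FMT, oid, (loc << 2) | alg, expected)

def unpack_table(blob: bytes) -> list:
    """Split a page-table blob into (oid, location flag, algorithm flag, expected metric) tuples."""
    raw = [struct.unpack(ITEM_FMT, blob[i:i + ITEM_SIZE]) for i in range(0, len(blob), ITEM_SIZE)]
    return [(oid, flags >> 2, flags & 0b11, exp) for oid, flags, exp in raw]

class AgentModule:
    """Host-side agent: serves a load request command from the host's hard disk (S605-S606)."""
    def __init__(self, host_disk: dict):
        self.host_disk = host_disk

    def fetch(self, table_no: int) -> bytes:
        return self.host_disk[table_no]

class SecureProcessor:
    def __init__(self, key: bytes, secure_capacity: int):
        self.key = key                           # sealing key, never leaves the secure processor
        self.secure_capacity = secure_capacity   # page tables that fit in secure nonvolatile storage
        self.index = {}         # oid -> table number; dict stand-in for the red-black tree of fig. 5
        self.memory_ref = {}    # memory reference library: table number -> unpacked items
        self.secure_store = {}  # secure nonvolatile storage: table number -> page-table blob
        self.host_disk = {}     # non-secure storage on the host side: table number -> sealed blob

    def _keystream(self, n: int) -> bytes:
        # Placeholder for the description's unspecified cipher: a SHA-256 counter keystream.
        return b"".join(hashlib.sha256(self.key + i.to_bytes(4, "big")).digest()
                        for i in range((n + 31) // 32))

    def _seal(self, blob: bytes) -> bytes:
        """Encrypt the overflow part, then attach an HMAC 'electronic signature' (encrypt-then-MAC)."""
        ct = bytes(a ^ b for a, b in zip(blob, self._keystream(len(blob))))
        return ct + hmac.new(self.key, ct, hashlib.sha256).digest()

    def _open(self, sealed: bytes) -> bytes:
        """Verify the signature first, then decrypt; anything altered on the host side is rejected."""
        ct, tag = sealed[:-32], sealed[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.key, ct, hashlib.sha256).digest()):
            raise ValueError("electronic signature check failed")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(len(ct))))

    def import_library(self, records: list) -> None:
        """Library import command; records are (feature, algorithm flag, expected metric)."""
        for start in range(0, len(records), ITEMS_PER_TABLE):
            no = start // ITEMS_PER_TABLE
            loc = LOC_SECURE if no < self.secure_capacity else LOC_HOST_DISK
            items = []
            for feature, alg, expected in records[start:start + ITEMS_PER_TABLE]:
                oid = object_id(feature)
                self.index[oid] = no
                items.append(pack_item(oid, loc, alg, expected))
            if loc == LOC_SECURE:
                self.secure_store[no] = b"".join(items)
            else:
                self.host_disk[no] = self._seal(b"".join(items))   # the overflow part 312 of fig. 3

    def load_target(self, oid: bytes, agent: AgentModule):
        """Steps S601-S607: find the page table holding `oid` and load it into the memory reference library."""
        no = self.index.get(oid)                  # S601: match the identifier in the index
        if no is None:
            return None                           # not indexed: the stored library is out of date
        if no not in self.memory_ref:             # S602: not loaded yet
            if no in self.secure_store:           # S603/S604: from secure storage
                blob = self.secure_store[no]
            else:                                 # S605-S607: through the agent module
                blob = self._open(agent.fetch(no))
            self.memory_ref[no] = unpack_table(blob)
        return self.memory_ref[no]

    def verify(self, oid: bytes, measured: bytes, agent: AgentModule) -> bool:
        """Measurement calculation (S203) plus trusted verification (S204) for one object."""
        for item_oid, _loc, alg, expected in self.load_target(oid, agent) or []:
            if item_oid == oid:
                return hmac.compare_digest(digest(alg, measured), expected)
        return False
```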
Corresponding to the implementation of step S203 in fig. 2, the unmeasured queue may be implemented in an internal storage resource of the secure processor or in secure memory; correspondingly and optionally, a measured queue and a measurement failure queue may also be set up. The unmeasured queue holds measured data that has not yet been measured, the measured queue holds measured data whose trusted verification result in step S204 is passing, and the measurement failure queue holds measured data whose trusted verification result in step S204 is failing. Optionally, there may be one or more of each of the unmeasured queue, the measured queue and the measurement failure queue.
In some examples, the measurement efficiency for the measured data may be improved by a metric scheduling policy, for example by selecting the measured data of each measured object from the unmeasured queue according to the metric scheduling policy. In a specific implementation, the metric scheduling policy includes at least one of: a fair scheduling policy; and a sequential scheduling policy.
Illustratively, the sequential policy may be implemented on the basis of FCFS (first-come first-served), and the whole algorithm can implement the unmeasured queue with a single first-in first-out (FIFO) queue. The process may be as follows: initially, each measured object that needs to be measured is added to the unmeasured queue (a FIFO queue) in turn, and each time the measured data at the head of the unmeasured queue is selected, so the time complexity is O(1), independent of the total number of objects. The sequential policy therefore has the advantages of being simple, direct and easy to implement, with a fixed course of action and good time complexity.
However, the sequential policy has the disadvantage that, regardless of the data volume (corresponding to the physical address range) of the object to be measured, the measurement of the next object starts only after the previous object has been fully measured. It follows that a measured object with a large data volume occupies more of the security processor's computing resources, and a measured object with a small data volume occupies less, which is unfair to objects with small data volumes. In addition, the sequential policy offers no way to set up differentiated treatment for critical versus ordinary objects to be measured.
For example, suppose three measured objects Obj_A, Obj_B and Obj_C are currently to be measured, and the physical space occupied by their measured data is 12K, 8K and 4K bytes respectively. The measurement calculation (e.g., a hash operation such as SM3-256 or SHA256) can process 4K bytes per second. Obj_A, Obj_B and Obj_C are added to the unmeasured queue in that order, and the processing is as shown in fig. 7, in which the measured data of the three measured objects is simply labelled Obj_A, Obj_B and Obj_C.
The waiting time of Obj_A is 0 seconds, that of Obj_B is 3 seconds, and that of Obj_C is 5 seconds, so the average waiting time is (0+3+5)/3 ≈ 2.6 seconds. More importantly, within the first 4 s Obj_A has been measured 1 time, Obj_B 0.5 times and Obj_C 0 times, which is obviously unfair to the measured object Obj_C with the smallest data volume.
Illustratively, the fair scheduling policy includes:
forming a plurality of unmeasured queues and setting a priority for each, such that the measured data in an unmeasured queue of higher priority is selected in preference to that in a queue of lower priority; the measured data of each measured object is granted a smaller maximum calculation time in an unmeasured queue of higher priority; and a measured object that has reached the maximum calculation time of its higher-priority unmeasured queue is moved to a lower-priority unmeasured queue to wait.
For example, a plurality of unmeasured queues Q(1)-Q(N) may be prioritized, each unmeasured queue having its own priority; the larger N is, the lower the priority, so the priorities of Q(1)-Q(N) run from high to low. The measured data of measured objects with the same priority is stored in the unmeasured queue of that priority. When selecting measured data, only if Q(1) is empty is an element of the next-priority unmeasured queue, namely Q(2), selected for measurement calculation. A measured object staying in Q(1) that reaches the corresponding maximum calculation time can be moved to Q(2) to continue its calculation. If all measured data of a measured object in some queue has been measured and calculated, trusted verification can be carried out: measured objects that pass verification are placed in the measured queue, and measured objects that fail are placed in the measurement failure queue.
The priorities of Q(1)-Q(N) run from high to low, and the maximum computation times they respectively grant run inversely, from low to high. For example, Q(1) grants 2 time units, Q(2) 4 time units and Q(N) 30 time units, i.e., the measured data of each measured object in Q(1) can be calculated for 2 time units, and in Q(2) for 4 time units.
Fair distribution of computing resources among measured objects of different data volumes is thus achieved by making the priority of an unmeasured queue inversely related to its maximum computing time.
In some examples, the fair scheduling policy may further include at least one of the following sub-policies:
Sub-strategy 1: the measured data of the measured objects in the unmeasured queue with the lowest priority is selected by round robin (RR).
Specifically, since a measured object in the lowest-priority unmeasured queue can no longer be demoted, serving the lowest-priority unmeasured queue head-first would have the same fairness problem as the sequential policy; it can therefore be served in a rotating manner, for example by dividing the computing resources of the security processor into timed slices and allocating them cyclically to each measured object. When a measured object has used up its current time slice, the next time slice is allocated to the next measured object regardless of whether its calculation is complete, and so on. If the measured data of a measured object is fully calculated within its allocated time slice, the security processor's computation in the current time slice can be released immediately and the calculation of the next measured object's data begins.
Sub-strategy 2: after every predetermined period, each remaining object to be measured is placed back in the unmeasured queue of highest priority.
This helps solve the "starvation" problem for a measured object with a large amount of measured data: such an object needs more time for measurement calculation, and the longer it takes, the deeper (lower-priority) the unmeasured queue it sinks to and the longer its waiting time, making it more "starved". To avoid an overly long wait, the waiting time is reduced by resetting the measured object to the highest priority, which helps improve the efficiency of the overall measurement calculation.
Sub-strategy 3: when no measured object remains in the unmeasured queues, set up the unmeasured queues for the next round of measurement from the measured queues; the measured queue is used to hold the measurement information of each measured object whose trusted verification result is trusted.
In a specific implementation, the measured queues may be designed symmetrically to the unmeasured queues; for example, the unmeasured queues are Q(1)-Q(N) and the measured queues are correspondingly Q(1')-Q(N'). Initially, the measurement information of each measured object calculated from unmeasured queue Q(1) is placed one by one into measured queue Q(1') if it passes trusted verification. After all measured data in the unmeasured queues has been drained, the unmeasured and measured queues may swap identities: the measured queues Q(1')-Q(N') of the current round serve as the unmeasured queues Q(1)-Q(N) of the next round, and the unmeasured queues Q(1)-Q(N) of the current round serve as the measured queues Q(1')-Q(N') of the next round. The two sets of queues are thus time-shared, effectively saving the secure memory resources of the security processor.
To intuitively explain the principle of the fair scheduling policy, please refer to fig. 8, which shows a schematic diagram of the implementation of a specific fair scheduling policy according to the embodiment.
The previous example of Obj_A, Obj_B and Obj_C may be used; in this embodiment, unmeasured queue Q(1) has a maximum computation time of 1 second, Q(2) of 2 seconds and Q(3) of 3 seconds, and the measured queues are correspondingly shown as Q(1), Q(2) and Q(3); although only 3 queues are illustrated in this example, this is not a limitation.
At second 0, Obj_A, Obj_B and Obj_C are lined up in unmeasured queue Q(1), all unprocessed, with Obj_A at the head of Q(1);
at second 1, Obj_A has measured its first 4K bytes of data during this second and, limited by the 1-second maximum computation time of Q(1), is placed in Q(2);
at second 2, because the data in Q(1) is processed preferentially, Obj_B has measured its first 4K bytes of data, reaches the 1-second limit and is placed in Q(2);
at second 3, the data in Q(1) is again processed preferentially, and Obj_C has measured its 4K bytes of data; since Obj_C has only 4K bytes of data its measurement is complete, and assuming it passes trusted verification it is placed in measured queue Q(1); unmeasured queue Q(1) is now empty;
at second 4, since unmeasured queue Q(1) is empty, the data in Q(2) is processed preferentially and the second 4K bytes of Obj_A are measured; Obj_A has now reached the 2-second maximum computation time of Q(2) and is moved to Q(3);
at second 5, Obj_B has measured its second 4K bytes of data, which completes its 8K bytes, and assuming it passes trusted verification it is placed in measured queue Q(1); only Obj_A remains, in Q(3) of the unmeasured queues;
at second 6, Obj_A has measured its third 4K bytes of data, completing its 12K bytes, and assuming it passes trusted verification it is placed in measured queue Q(1).
In the above example, if a new object is added to a higher-priority queue, that high-priority new object will still be processed preferentially.
For example, there are no measured objects in queue Q(1) and two measured objects Obj_A and Obj_B in queue Q(2); if Obj_C is newly added to Q(1) while Obj_A is being processed, then after Obj_A is processed, Obj_C is processed preferentially instead of Obj_B.
It can be deduced from the above example that the waiting time of Obj_A is 3 seconds, that of Obj_B is 3 seconds and that of Obj_C is 2 seconds, and the average waiting time is (3+3+2)/3 ≈ 2.6 seconds, the same as in the previous example of the sequential policy; but within the first 4 s Obj_A has been measured 0.6 times, Obj_B 0.5 times and Obj_C 1 time, which is fairer to all measured objects (especially those with small data volumes).
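The two scheduling policies as an added Python simulation (not the patent's code) that reproduces the fig. 7 and fig. 8 walk-throughs, and additionally models the later-arriving object and sub-strategies 1 and 2. The cumulative per-queue quota, the one-second slice per 4 KB of data, the rounding of sizes up to whole slices, and the quota reset on promotion are assumptions.

```python
from collections import deque

SLICE_KB = 4   # the description's rate: one second of hashing covers 4 KB of measured data


def slices(size_kb: int) -> int:
    """Number of one-second slices an object needs (rounded up)."""
    return -(-size_kb // SLICE_KB)


def sequential_schedule(objects):
    """Sequential (FCFS) policy with a single FIFO unmeasured queue.
    objects: [(name, size_kb), ...]; returns (completion second per object, per-second trace)."""
    queue, trace, done, t = deque(objects), [], {}, 0
    while queue:
        name, size_kb = queue.popleft()
        for _ in range(slices(size_kb)):   # the next object starts only when this one is finished
            t += 1
            trace.append(name)
        done[name] = t
    return done, trace


def fair_schedule(objects, quotas, arrivals=None, reset_every=0):
    """Fair policy: unmeasured queues Q(1)..Q(N); quotas[i] is the cumulative maximum
    computation time (seconds) an object may hold while in Q(i+1), small for high priority.
    arrivals: {second: [(name, size_kb), ...]} for objects that show up later.
    reset_every: sub-strategy 2, lift all remaining objects back to Q(1) every k seconds.
    Returns (completion second per object, per-second trace)."""
    levels = [deque() for _ in quotas]
    remaining, consumed, pending = {}, {}, dict(arrivals or {})

    def admit(name, size_kb):                 # new objects always enter the highest-priority queue
        remaining[name], consumed[name] = slices(size_kb), 0
        levels[0].append(name)

    for name, size_kb in objects:
        admit(name, size_kb)
    trace, done, t = [], {}, 0
    while any(levels) or pending:
        for at in sorted(k for k in pending if k <= t):
            for name, size_kb in pending.pop(at):
                admit(name, size_kb)
        if reset_every and t and t % reset_every == 0:
            for q in levels[1:]:                # sub-strategy 2: everyone back to Q(1), quota reset
                while q:
                    name = q.popleft()
                    consumed[name] = 0
                    levels[0].append(name)
        level = next((i for i, q in enumerate(levels) if q), None)
        t += 1
        if level is None:
            continue                            # idle second while waiting for an arrival
        name = levels[level][0]                 # head of the highest-priority non-empty queue
        trace.append(name)
        remaining[name] -= 1
        consumed[name] += 1
        if remaining[name] == 0:                # all data measured: off to trusted verification
            levels[level].popleft()
            done[name] = t
        elif consumed[name] >= quotas[level] and level + 1 < len(levels):
            levels[level].popleft()             # quota used up: demote to the next lower queue
            levels[level + 1].append(name)
        elif level == len(levels) - 1:
            levels[level].rotate(-1)            # sub-strategy 1: round robin in the lowest queue
    return done, trace


def waiting_times(objects, done):
    """Waiting time = completion second minus the object's own computation seconds."""
    return {name: done[name] - slices(size_kb) for name, size_kb in objects}


def progress_within(objects, trace, seconds):
    """Fraction of each object's measurement finished within the first `seconds` seconds."""
    window = trace[:seconds]
    return {name: window.count(name) / slices(size_kb) for name, size_kb in objects}
```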
In some examples, the security processor may select a setting among a variety of metric scheduling policies. For example, at some point, the agent module sends a policy setting command to the security processor to set a sequential policy or fairness policy. Optionally, the timing may be set when the secure processor is started and initialized to be configured.
In some examples, in step S203, the same metric calculation algorithm as that used to obtain the expected metric information, for example, SM3-256 or SHA-256, may be used to perform metric calculation on the measured data to obtain the metric information in the form of a hash value, and in step S206, whether the calculated metric information is consistent with the expected metric information in the memory reference library may be compared; if the target object is consistent with the target object, obtaining a credible result of the corresponding target object to be measured; if the target measured object is not credible, the result that the target measured object is not credible is obtained. The desired metric information in the memory reference library may be original information obtained from an original metric reference library, or may be modified by the information item operation command. It can be understood that the expectation metric information can be modified, so that the system software side can actively set the expectation metric value, and thus actively set the credible metric rule, thereby achieving the purpose of 'active measurement'.
In some examples, the agent module obtains the command corresponding to the trusted verification result and determines the corresponding action; when it detects that the measured object has been removed from memory (for example, the related file is closed), it may issue an end measurement command to the security processor, and the security processor clears the measured object in response to that command, for example by clearing its data from the unmeasured queue, the measured queue, the measurement failure queue and so on.
In some examples, in step S205 of fig. 2, when the result is that the measured object is not trusted (the corresponding measured data may be stored in the measurement failure queue), the security processor may send a measurement failure alarm command to notify the agent module; accordingly, in step S206, after obtaining the measurement failure alarm command, the agent module may notify the system software so that it can handle the failure.
According to the foregoing embodiment, the command sent from the agent module to the secure processor may include, for example: a library import command, an information item operation command, a measurement command, an end measurement command, a policy setting command, and the like; the commands sent from the security processor to the agent module may include, for example: a metric failure alarm command, a load request command, etc.
In order to guarantee that a command received by the secure processor is trusted and comes from a legitimate initiator (e.g., the agent module), in some examples the various commands (e.g., those listed above) sent by the agent module to the secure processor may further include authorization information; upon receiving a command, the secure processor verifies the authorization information in it and executes the command only if the verification passes.
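The following is an added example, not code from the patent, showing the two security-processor duties described above in one place: checking the authorization information carried by every command before executing it, and measuring an object's memory image against the expected metric held in the memory reference library, including the 'active measurement' case where an information item operation command updates the expected value. The shared HMAC key, the command field names, and the dictionary standing in for physical memory are assumptions made for this illustration.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed example: command authorization plus metric calculation and
# trusted verification on the security-processor side. The shared key, the
# command field names and the memory model are assumptions for illustration.

AUTH_KEY = b"constructed-agent-sp-shared-key"   # assumption: provisioned out of band


def canonical(cmd: Dict[str, str]) -> bytes:
    """Deterministic encoding of every command field except the tag itself."""
    return "|".join(f"{k}={cmd[k]}" for k in sorted(cmd) if k != "auth").encode()


def sign_command(cmd: Dict[str, str], key: bytes = AUTH_KEY) -> Dict[str, str]:
    """Agent side: attach authorization information (HMAC-SHA256 over the command)."""
    signed = dict(cmd)
    signed["auth"] = hmac.new(key, canonical(cmd), hashlib.sha256).hexdigest()
    return signed


def object_id(abs_path: str) -> str:
    """Object identifier derived from the absolute file path, as the text describes."""
    return hashlib.sha256(abs_path.encode()).hexdigest()[:16]


def measure(data: bytes) -> str:
    """Metric calculation; SHA-256 here, SM3-256 would be used the same way."""
    return hashlib.sha256(data).hexdigest()


class SecurityProcessor:
    def __init__(self, memory: Dict[int, bytes], key: bytes = AUTH_KEY):
        self.memory = memory                    # physical address -> measured data (constructed)
        self.key = key
        self.memory_ref: Dict[str, str] = {}    # object id -> expected metric value
        self.measured: List[str] = []           # measured queue (verification passed)
        self.failed: List[str] = []             # measurement failure queue

    def authorized(self, cmd: Dict[str, str]) -> bool:
        tag = hmac.new(self.key, canonical(cmd), hashlib.sha256).hexdigest()
        return hmac.compare_digest(tag, cmd.get("auth", ""))

    def handle(self, cmd: Dict[str, str]) -> Dict[str, str]:
        if not self.authorized(cmd):
            return {"status": "rejected"}       # failed authorization: command not executed
        op = cmd["op"]
        if op == "item_op":                     # add / update / delete an information item
            if cmd["action"] == "delete":
                self.memory_ref.pop(cmd["id"], None)
            else:                               # "add" and "update" both set the expected value
                self.memory_ref[cmd["id"]] = cmd["expected"]
            return {"status": "ok"}
        if op == "measure":
            expected = self.memory_ref.get(cmd["id"])
            if expected is None:
                return {"status": "no_reference"}
            actual = measure(self.memory[int(cmd["addr"])])
            if hmac.compare_digest(actual, expected):
                self.measured.append(cmd["id"])
                return {"status": "trusted"}
            self.failed.append(cmd["id"])
            return {"status": "untrusted", "command": "metric_failure_alarm"}
        if op == "end_measure":                 # object left memory: drop it from all queues
            self.measured = [i for i in self.measured if i != cmd["id"]]
            self.failed = [i for i in self.failed if i != cmd["id"]]
            return {"status": "ok"}
        return {"status": "unknown_command"}


def demo() -> List[str]:
    """Run the agent / security-processor exchange and return the status sequence."""
    code = b"constructed kernel module text section"
    memory = {0x1000: code}
    sp = SecurityProcessor(memory)
    oid = object_id("/lib/modules/constructed.ko")
    out = []
    # 1. Reference value imported via an information item operation command.
    out.append(sp.handle(sign_command({"op": "item_op", "action": "add", "id": oid,
                                       "expected": measure(code)}))["status"])
    # 2. Measurement command: memory contents match the reference -> trusted.
    out.append(sp.handle(sign_command({"op": "measure", "id": oid, "addr": "4096"}))["status"])
    # 3. The object's memory image is modified -> untrusted, alarm command returned.
    memory[0x1000] = code + b"\x90"
    out.append(sp.handle(sign_command({"op": "measure", "id": oid, "addr": "4096"}))["status"])
    # 4. Active measurement: system software updates the expected value, then re-measures.
    out.append(sp.handle(sign_command({"op": "item_op", "action": "update", "id": oid,
                                       "expected": measure(memory[0x1000])}))["status"])
    out.append(sp.handle(sign_command({"op": "measure", "id": oid, "addr": "4096"}))["status"])
    # 5. A command whose authorization was computed under the wrong key is rejected.
    forged = sign_command({"op": "end_measure", "id": oid}, key=b"wrong-key")
    out.append(sp.handle(forged)["status"])
    return out


if __name__ == "__main__":
    print(demo())
```

The canonical encoding excludes the tag itself and covers every other field, so altering the address range or the object identifier after signing invalidates the authorization, which is the property the authorization information is meant to provide.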
Referring to fig. 9, a functional block diagram of a metrology system 90 in an embodiment of the present application is shown. The metrology system 90 may be implemented by a security processor that may run an executable program.
The metrology system 90 may include: a communication module 91, a metric engine 92, a memory reference library 93, and an authorization module 94.
The communication module 91 is used for communicating with the outside, for example, communicating with the agent module to interact with the above commands.
The metric engine 92 may be configured to control, according to the measurement scheduling policy, the scheduling of measured objects among the unmeasured queue 921, the measured queue 922 and the metric failure queue 923, and to calculate metric information and perform trusted verification, etc.
The memory reference library 93 may include: an index structure 931, and various information items imported from the original metric reference library, and the like; optionally, the information items may be held in page tables 932.
The authorization module 94 is used for verifying the authorization information in a command sent from the outside (such as the agent module); if the verification passes, the security processor executes the corresponding command; otherwise the command is not executed.
It should be noted that specific principles of the modules are described in the foregoing embodiments, and reference may be made to the foregoing embodiments, which are not repeated herein.
Fig. 10 is a schematic diagram showing functional modules of the agent module in the embodiment of the present application.
The agent module 100 specifically includes:
the main control module 101 is used for initializing the agent module and performing some global tasks;
a communication module 102 for communicating with the outside, for example with a communication module of a secure processor.
A command processing module 103 for generating commands to be sent to the secure processor, such as one or more of a library import command, an information item operation command, a metric command, an end metric command, a policy setting command, and the like; optionally, before forwarding through the communication module, the command may be subjected to some preprocessing according to circumstances, for example, an address translation module is called to translate a virtual address into a physical address, or authorization information is added to the command; in addition, the command processing module also processes commands sent by the secure processor and executes the commands accordingly, such as a measurement failure warning command, a loading request command and the like.
An external interface 104 for external (e.g., system software) calls to generate commands related to tasks to be performed, such as the commands sent to the secure processor described above.
Optionally, if there is a need for address translation, the agent module 100 may include an address translation module 105; of course, if all the addresses used in the proxy module are physical addresses, the address translation module is not required to be arranged.
For portability, the proxy module needs to remain compact in implementation, independent of the embedded operating system, and independent of the services (such as the OS API) of the particular operating system.
It should be noted that the functional module architectures of fig. 9 and fig. 10 are only an example, and each of the functional modules may be changed according to different actual needs, which is not limited thereto.
The trusted measurement process is fully described below by a flow example. It is to be understood that the specific details of this example are not to be interpreted as limiting.
Under the environment of system software (an operating system), assume that 24 measured objects exist in the operating system, represented as Obj _0 to Obj _23; the original metric reference library comprises a plurality of page tables, each page table has 8 entries (N = 8), the secure storage space of the security processor is limited to accommodating only 2 page tables, and the memory reference library is limited to accommodating only 1 page table.
When the kernel of the operating system is initialized, the agent module imports the reference information of the 24 measured objects into the nonvolatile storage space through a library import command; the information items occupy 3 page tables, table _0, table _1 and table _2, but the secure storage space can accommodate only 2 of them.
As shown in fig. 11A, table _0 and table _1 may be stored in a secure storage space, and table _2 may be stored in a non-volatile non-secure storage space (for example, a hard disk connected to a main processor).
When the secure processor is started, it scans all information items in all page tables distributed across the secure storage space and the non-secure storage space; as shown in fig. 11B, each information item (object ID, sequence number of its table) is inserted as a node in the index structure (e.g., a red-black tree). Optionally, the table sequence number may be generated automatically during scanning: for example, the first batch of N information items scanned gets table sequence number 0, the second batch of N information items gets table sequence number 1, and so on.
When a certain file _0 is opened in the operating system, this is detected and triggers the agent module to generate a measurement action related to file _0. Specifically, the agent module calculates a hash value from the absolute path of file _0 and uses the hash value as the corresponding object identifier ID _0; if address translation is needed, the address translation module is called, and each virtual address of the measured data in memory is translated into a physical address by querying the page table, forming a physical address range.
And putting the ID _0 and the physical address range into a measurement command, and sending the measurement command to the security processor.
After receiving the measurement command, the security processor searches the index structure for the node containing ID _0 and, once found, obtains the corresponding index information, namely the table sequence number, which is assumed to be table _0. The security processor queries table _0 in the memory reference library and finds it empty, indicating that table _0 has not yet been loaded. It first tries to load table _0 from the secure storage space; if that fails (indicating that table _0 is not in the secure storage space), it sends a load request command to the agent module so that the agent module loads the ciphertext of table _0 from the non-secure storage space (such as a hard disk); the security processor then checks and decrypts the ciphertext to obtain the plaintext of table _0 and loads it into the page table space of the memory reference library, so that the information item corresponding to ID _0 now exists in the memory reference library. The measured data of object ID _0 is read from memory according to the physical address range corresponding to ID _0 and added to the unmeasured queue, as shown in fig. 11C.
According to the set measurement scheduling policy, measured data is repeatedly selected from the unmeasured queue for measurement, while measured data continues to be read from memory into the unmeasured queue. The metric information obtained by the metric calculation (such as a hash calculation) is compared with the expected metric information, for example by comparing two hash values; if they do not match, the security processor notifies the agent module with a metric failure alarm command, the agent module in turn notifies the operating system kernel, and the operating system kernel decides on the next processing.
When closing file _0, triggering the agent module to send the end measurement command to the security processor. Specifically, a hash value may be calculated for the absolute path of file _0, ID _0 is obtained, and the obtained value is placed in the end metric command.
And after receiving the measurement ending command, the security processor searches and clears the object corresponding to the ID _0 in the unmeasured queue, the measured queue and the failure measurement queue of the measurement engine.
At this point, the trusted measurement process for the target measured object ID _0 is completed.
Then, similarly, when file _1 is opened, the agent module is triggered to generate and send a measurement command; specifically, a hash value is calculated from the absolute path of file _1 and used as the corresponding object identifier ID _1; if address translation is needed, the address translation module is called, and each virtual address of the measured data in memory is translated into a physical address by querying the page table, forming a physical address range.
And putting the ID _1 and the physical address range into a measurement command, and sending the measurement command to the security processor.
After receiving the measurement command, the security processor searches for a node containing the ID _1 in the index structure, and after the node is searched, obtains corresponding index information, namely a table sequence number, which is table _0. And the security processor queries table _0 in the memory reference library, and directly returns the information item corresponding to the ID _1 when finding that the table _0 is loaded in the memory reference library. The subsequent processes of measurement calculation and trusted verification related to ID _1 are similar to ID _0, and therefore are not repeated herein.
By analogy, when file _8 is opened, the agent module is triggered to send a measurement command to the security processor, the measurement command including ID _8, calculated from the absolute path of file _8, and the corresponding physical address range in memory.
After receiving the measurement command, the security processor searches the index structure for the node of ID _8 and, once found, sees that the associated table sequence number is table _1; it then queries the memory reference library, finds that table _1 has not yet been loaded and that the memory reference library is full (since it can accommodate only 1 page table), and therefore decides to discard table _0, tries to load table _1 from the secure storage space or the non-secure storage space, and replaces table _0 with it. The information item corresponding to ID _8 thus exists in the memory reference library and can be obtained from it; the subsequent measurement calculation and trusted verification for ID _8 are similar to those for ID _0 and are not repeated here.
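The flow example above, reduced to a runnable model as an added example that is not the patent's code: 24 objects whose information items fill 3 page tables of N = 8 entries, a secure storage space holding 2 tables, a memory reference library holding 1 table, and table_2 kept as ciphertext in non-secure storage and fetched through a load request. The sealing scheme used here (a SHA-256 keystream with an HMAC tag and no nonce) is an assumed stand-in for the security processor's real encryption and signature, chosen only to show that a table whose check fails is never loaded; the object paths and metric values are constructed.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed example (not the patent's code) of reference-library paging:
# 24 objects, 8 information items per page table, a secure storage space that
# holds 2 tables, a memory reference library that holds 1 table, and table 2
# sealed into non-secure storage. The sealing scheme (SHA-256 keystream plus
# HMAC tag, no nonce) is an assumed stand-in for the real encryption/signature.

N = 8                 # information items per page table
SECURE_TABLES = 2     # page tables the secure storage space can hold
MEMORY_TABLES = 1     # page tables the memory reference library can hold
SEAL_KEY = b"constructed-sp-sealing-key"   # assumption: known only to the security processor


def object_id(abs_path: str) -> str:
    """Object identifier: hash of the absolute file path."""
    return hashlib.sha256(abs_path.encode()).hexdigest()[:16]


def encode_table(table: Dict[str, str]) -> bytes:
    return "\n".join(f"{k}:{v}" for k, v in sorted(table.items())).encode()


def decode_table(blob: bytes) -> Dict[str, str]:
    return dict(line.split(":", 1) for line in blob.decode().split("\n"))


def _keystream_xor(data: bytes, key: bytes) -> bytes:
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(plain: bytes, key: bytes = SEAL_KEY) -> bytes:
    """Encrypt-then-MAC stand-in: ciphertext followed by a 32-byte HMAC tag."""
    ct = _keystream_xor(plain, key)
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def unseal(sealed: bytes, key: bytes = SEAL_KEY) -> Optional[bytes]:
    """Verify the tag before decrypting; a failed check returns None."""
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return _keystream_xor(ct, key)


class ReferenceLibrary:
    """Security-processor view: index structure, memory reference library, and
    the two storage tiers the original reference library is split across."""

    def __init__(self, items: Dict[str, str]):
        ids = list(items)
        tables = [{i: items[i] for i in ids[k:k + N]} for k in range(0, len(ids), N)]
        self.secure_storage = {t: encode_table(tb) for t, tb in enumerate(tables[:SECURE_TABLES])}
        self.nonsecure_storage = {t: seal(encode_table(tb))            # ciphertext on disk
                                  for t, tb in enumerate(tables[SECURE_TABLES:], SECURE_TABLES)}
        self.index = {oid: t for t, tb in enumerate(tables) for oid in tb}  # built at start-up
        self.memory_ref: Dict[int, Dict[str, str]] = {}   # loaded page tables, oldest first
        self.load_requests: List[int] = []                # load request commands sent out

    def lookup(self, oid: str) -> Optional[str]:
        """Return the expected metric for oid, paging its table in if needed."""
        t = self.index.get(oid)
        if t is None:
            return None
        if t not in self.memory_ref:
            if len(self.memory_ref) >= MEMORY_TABLES:            # library full: discard oldest
                self.memory_ref.pop(next(iter(self.memory_ref)))
            if t in self.secure_storage:
                blob = self.secure_storage[t]
            else:                                                # ask the agent for the ciphertext
                self.load_requests.append(t)
                blob = unseal(self.nonsecure_storage[t])
                if blob is None:
                    return None                                  # tampered table is not loaded
            self.memory_ref[t] = decode_table(blob)
        return self.memory_ref[t].get(oid)


def build_library() -> Tuple[ReferenceLibrary, List[str]]:
    paths = [f"/usr/lib/constructed/obj_{i}.so" for i in range(24)]
    return ReferenceLibrary({object_id(p): f"metric-{i}" for i, p in enumerate(paths)}), paths


def demo() -> List[Tuple[int, int, int]]:
    """Open objects 0, 1, 8, 20, 0 in turn; record (object, table now loaded, load requests so far)."""
    lib, paths = build_library()
    trace = []
    for i in (0, 1, 8, 20, 0):
        lib.lookup(object_id(paths[i]))
        trace.append((i, next(iter(lib.memory_ref)), len(lib.load_requests)))
    return trace


if __name__ == "__main__":
    print(demo())
```

Objects 0 and 1 share table 0, so only the first lookup loads it; object 8 forces table 0 out in favour of table 1; object 20 lives in table 2, which is not in secure storage, so a load request is recorded and the ciphertext is checked before it is decoded; looking up object 0 again reloads table 0 from secure storage.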
Fig. 12 is a functional block diagram of a trusted measurement device according to an embodiment of the present application. The trusted measurement device may be applied to a secure processor. The original measurement reference library used for trusted verification of the measured object is pre-imported into a preset nonvolatile storage space. Since the functional implementation is described in the foregoing embodiments (for example, the embodiment of fig. 2 and the description following it), reference may be made to the corresponding description there, and it is not repeated here.
The trusted metrics device 120 comprises:
an obtaining module 121, configured to, in response to the measurement command, obtain measured data of a corresponding target measured object, and place the measured data in an unmeasured queue;
a metric calculation module 122, configured to select measured data of a target measured object from the unmeasured queue, perform metric calculation to generate metric information;
a trusted verification module 123, configured to perform trusted verification on the measurement information of the target measured object according to original expected measurement information obtained from an original measurement reference library or expected measurement information obtained by updating the original expected measurement information, so as to obtain a trusted verification result;
a communication module 124, configured to send a command corresponding to the trusted verification result.
Optionally, the nonvolatile storage space includes: a secure storage space configured corresponding to the secure processor; and, an unsecure storage space outside the secure storage space; under the condition that the data size of the original measurement reference library does not exceed the safe storage space, placing the original measurement reference library in the safe storage space; or, under the condition that the data size of the original measurement reference library exceeds the safe storage space, the exceeding part of the original measurement reference library relative to the safe storage space is encrypted into a ciphertext by the safe processor and is imported into the non-safe storage space.
Optionally, the ciphertext is signed with an electronic signature via the secure processor.
Optionally, the data of the raw metric reference library in the secure storage space is compressed.
Optionally, the raw metric reference library includes: a field for storing expected measurement information of the measured object; the credible verification of the metric information of the target measured object according to the original expected metric information obtained from the original metric reference library or the expected metric information obtained by updating the original expected metric information to obtain a credible verification result comprises the following steps: comparing the generated measurement information with the expected measurement information; if the comparison is consistent, obtaining a credible result of the target measured object; otherwise, a result that the target measured object is not authentic is obtained.
Optionally, the method for measuring the credibility includes: loading target information of a target measured object in an original measurement reference library to a memory reference library in a secure memory so as to execute the credibility verification by using the memory reference library; the target information includes: the information items of the measured object in the original measurement reference library or the segment information where the information items are located.
Optionally, the raw metric reference library is stored according to a page table, and the fragment information is the page table.
Optionally, an index structure for indexing the measured objects is established in the memory reference library, where the index structure includes an object identifier of each measured object and index information of associated target information; the loading target information of a target measured object in an original measurement reference library to a memory reference library in a secure memory so as to execute the credibility verification by using the memory reference library, includes: matching the associated index information in the index structure according to the object identification of the target measured object; and inquiring the target information according to the matched index information.
Optionally, the communication module 124 is configured to send a load request command to the outside to request to acquire target information corresponding to the index information from a part of the raw metric reference library located in the non-secure storage space when the part of the raw metric reference library in the memory reference library and the secure storage space does not match the target information of the target measured object.
Optionally, the measurement command includes memory address information of the target measured object; the responding to the measurement command and acquiring the measured data of the corresponding target measured object comprises the following steps: and acquiring the measured data of the target measured object according to the memory address information in the measurement command.
Optionally, the trusted metric apparatus includes: the item operation module is used for carrying out corresponding operation in the memory reference library according to the information item of the measured object contained in the received information item operation command; the operations include at least one of: addition, deletion and update of information items.
Optionally, the metric calculating module includes: a scheduling module, used for selecting the measured data of each measured object from the unmeasured queue according to a measurement scheduling policy; the measurement scheduling policy includes at least one of a fair scheduling policy and a sequential scheduling policy. The fair scheduling policy comprises: forming a plurality of unmeasured queues and setting a priority for each unmeasured queue, measured data in a higher-priority unmeasured queue being selected in preference to measured data in a lower-priority one; the higher the priority of an unmeasured queue, the smaller the maximum calculation time each measured object obtains in it; and a measured object that has used up its maximum calculation time in a higher-priority unmeasured queue is moved to a lower-priority unmeasured queue to wait. The sequential scheduling policy includes: selecting the measured object information in the unmeasured queue in first-in first-out order.
Optionally, the fair scheduling policy further includes at least one of the following sub-strategies. Sub-strategy 1: the measured data of each measured object in the lowest-priority unmeasured queue is selected by rotation. Sub-strategy 2: after every preset period of time, every remaining measured object is placed in the highest-priority unmeasured queue. Sub-strategy 3: when the unmeasured queue has no remaining measured object, the unmeasured queue for the next stage of measurement is set from the measured queue, so that the next round of measurement can be carried out; the measured queue holds the measured information of each measured object whose trusted verification result is trusted.
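The following is an added example, not the patent's code, that simulates the sequential policy and the multi-level fair policy just described (including the three sub-strategies) in discrete time, so that the fairness effect summarised earlier for Obj _ A, Obj _ B and Obj _ C can be reproduced on constructed input. The measured objects, their measurement times, the per-level quanta (1 s at the top level, 2 s at the bottom) and the boost period are all assumed values chosen for illustration.

```python
from collections import deque
from typing import Deque, List, Tuple

# Constructed example (not the patent's code): a discrete-time simulation of the
# sequential and fair measurement scheduling policies. "work" is the measurement
# time an object needs, in seconds (a proxy for its data amount); the per-level
# quanta and the boost period are assumed values chosen for illustration.


class Obj:
    def __init__(self, name: str, work: float):
        self.name, self.work, self.remaining = name, work, work


def make_objs() -> List[Obj]:
    """Three constructed measured objects in arrival (FIFO) order, largest first."""
    return [Obj("big", 4.0), Obj("mid", 2.0), Obj("small", 0.5)]


def sequential(objs: List[Obj]) -> List[Tuple[str, float]]:
    """Sequential policy: each object is measured to completion in FIFO order."""
    t, done = 0.0, []
    for o in objs:
        t += o.remaining
        done.append((o.name, t))
    return done


def fair(objs: List[Obj], quanta=(1.0, 2.0), boost_period: float = 0.0,
         rounds: int = 1) -> List[Tuple[str, float]]:
    """Fair policy: one unmeasured queue per priority level. A higher level is
    served first but grants a shorter maximum calculation time (quantum); an
    object that exhausts its quantum drops one level; the lowest level is
    round-robin (sub-strategy 1); every boost_period seconds all remaining
    objects return to the top level (sub-strategy 2); when nothing remains,
    the measured queue seeds the next round (sub-strategy 3)."""
    levels: List[Deque[Obj]] = [deque() for _ in quanta]
    levels[0].extend(objs)
    t, done, measured = 0.0, [], []
    next_boost = boost_period
    for rnd in range(rounds):
        if rnd > 0:                          # sub-strategy 3: re-measure in measured-queue order
            for o in measured:
                o.remaining = o.work
            levels[0].extend(measured)
            measured = []
        while any(levels):
            while boost_period and t >= next_boost:      # sub-strategy 2
                for lower in levels[1:]:
                    levels[0].extend(lower)
                    lower.clear()
                next_boost += boost_period
            lvl = next(i for i, q in enumerate(levels) if q)
            o = levels[lvl].popleft()
            run = min(o.remaining, quanta[lvl])
            t += run
            o.remaining -= run
            if o.remaining <= 0:
                done.append((o.name, t))
                measured.append(o)
            else:                            # quantum used up: demote, or rotate at the bottom
                levels[min(lvl + 1, len(levels) - 1)].append(o)
    return done


def average_latency(done: List[Tuple[str, float]]) -> float:
    return sum(t for _, t in done) / len(done)


if __name__ == "__main__":
    for name, policy in (("sequential", sequential), ("fair", fair)):
        result = policy(make_objs())
        print(name, result, "average latency", round(average_latency(result), 2))
```

With these inputs the sequential policy finishes the objects at 4.0, 6.0 and 6.5 s, while the fair policy finishes the small object at 2.5 s and the others at 5.5 and 6.5 s: the large object is not delayed at all, yet the small object no longer waits behind it, which lowers the average latency.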
Optionally, the credibility measuring method includes: in response to the end metric command, the corresponding measured object is purged.
Optionally, the measured object is selected from data objects whose contents do not change at runtime in memory.
Optionally, the trusted metric apparatus includes: and the authorization module is used for verifying the authorization information in the received command and executing the command under the condition of passing the verification.
Fig. 13 is a schematic diagram showing the functional modules of the measurement control device in the embodiment of the present application. The measurement control device is applied to an agent module that communicates with system software, the agent module in turn communicating with a security processor; an original measurement reference library for trusted verification of a measured object is pre-imported into a preset nonvolatile storage space, and the original measurement reference library contains reference information of each measured object. Since the functional implementation is described in the foregoing embodiments (for example, the embodiment of fig. 2 and the description following it), reference may be made to the corresponding description there, and it is not repeated here.
The metric control device 130 includes:
the command processing module 131 is configured to send, when a target measured object is found, a measurement command corresponding to the target measured object to the security processor;
a communication module 132, configured to obtain a notification of a trusted verification result corresponding to the target measured object.
Optionally, the metric control method includes: and providing target information about the measured object in a partial original measurement reference library positioned in a non-secure storage space of the non-volatile storage space in response to a loading request command of the secure processor.
Optionally, the command processing module 131 is configured to send a library import command to the security processor, so as to trigger the security processor to import the raw metric reference library into the nonvolatile storage space.
Optionally, the measurement command includes an object identifier of the target measured object and memory address information for storing measured data.
Optionally, each measured object has an object identifier, and the object identifier is calculated according to the file path information of the measured object.
Optionally, the communication module 132 is configured to send an information item operation command including an information item of the measured object to the security processor, so as to trigger the security processor to perform a corresponding operation in the memory reference library; the operations include at least one of: addition, deletion and update of information items.
Optionally, the communication module 132 is configured to send a policy setting command to set the measurement scheduling policy of the security processor when the security processor is started.
Optionally, the communication module 132 is configured to send a measurement failure warning command to the system software when the trusted verification result is not trusted.
Optionally, the communication module 132 is configured to send an end measurement command to the security processor, triggered by the removal of the measured object.
Optionally, the communication module 132 is configured to send a command to the security processor, where the command includes authorization information, so as to verify the validity of the command.
It should be noted that the functional modules or sub-modules in the drawings can be implemented by hardware circuits, by software, or by a combination of hardware and software; each functional module and sub-module is only one way of expressing a function, and in an actual implementation the division into functional modules and sub-modules does not require that each be implemented by independent hardware or software. That is, any combination of the functional modules and sub-modules may be implemented by multiple hardware units that are the same as, or independent of, each other but communicate, or by multiple software programs that are the same as, or independent of, each other but communicate.
Furthermore, the metric system of fig. 9 may be an actual implementation of the confidence metric apparatus of fig. 12, and the agent module of fig. 10 may be an actual implementation of the metric control apparatus of fig. 13. For example, the metric engine of the metric system of fig. 9 corresponds to a combination of the acquisition module, the metric calculation module, and the trust verification module of fig. 12; the command processing module in fig. 10 corresponds to the command processing module in fig. 13 and the like.
Embodiments of the present application provide a secure processor for running an executable program to perform various process steps performed by the secure processor, such as in the embodiment of fig. 2 and other embodiments.
Embodiments of the present application provide a main processor, communicatively connected to a security processor, for running an executable program to implement a proxy module loaded in system software, where the proxy module executes various process steps executed by the proxy module in the embodiment of fig. 2 and other embodiments.
The embodiment of the application provides a processor chip in which the security processor and the main processor are packaged together, the security processor being communicatively connected to the main processor.
In an embodiment of the present application, a computer device may also be provided, where the computer device may be implemented as a server, a desktop computer, a notebook computer, a tablet computer, a smart phone, or the like. In some examples, the computer apparatus includes the processor chip; alternatively, in another example, the main processor and the secure processor may be in separate independent chips.
Additionally, the computer apparatus further comprises memory, including volatile memory (RAM) used as main memory, a hard disk used as external storage, ROM, and the like.
Optionally, the computer device may further include a communicator, and the communicator may include a wired or wireless communication circuit module, such as a wired network card, a USB module, a WiFi module, a mobile network communication module (one or more of 2G to 5G modules), and the like.
A computer-readable storage medium may also be provided in the embodiment of the present application, and has a computer program stored thereon, where the computer program executes to perform the steps in the foregoing embodiment (for example, the embodiment in fig. 2).
That is, the method flows in the embodiments of the present application (e.g., the fig. 2 embodiment) may be implemented as software or computer code storable in a recording medium, or as computer code originally stored in a remote recording medium or a non-transitory machine-readable medium and to be stored in a local recording medium downloaded through a network, so that the methods described herein may be stored as such software processes on a recording medium using a general purpose computer, a dedicated processor, or programmable or dedicated hardware (such as an ASIC or FPGA). It is understood that a computer, processor, microprocessor controller, or programmable hardware includes memory components (e.g., registers, cache, RAM, ROM, flash memory, etc.) that can store or receive software or computer code that when read/written by a computer, processor, or hardware and executed, implements the methods described herein. Further, when a general purpose computer reads/writes code for implementing the methods illustrated herein, execution of the code transforms the general purpose computer into a special purpose computer for performing the methods illustrated herein.
In the description of the present application, reference to the description of "one embodiment," "some embodiments," "an example," or "some examples" or the like is intended to mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this application can be combined and combined by those skilled in the art without contradiction.
Additionally, any process or method descriptions in flow charts or otherwise described herein in the foregoing embodiments (e.g., embodiments) may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process. And the scope of the preferred embodiments of the present application includes other implementations in which functions may be performed out of the order shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved.
Compared with the prior art, the technical scheme of the embodiment of the application has the following beneficial effects:
On one hand, the security processor can update the information item of a measured object in the memory reference library according to the information about that measured object carried in a command (such as a measurement command), so that active measurement initiated from outside the security processor is realized; the measurement mode is more flexible and richer, measurement efficiency is improved in combination with dynamic measurement, the efficiency of the computer device is also improved, and the security and reliability of measurement are ensured by the security processor.
On the other hand, the original measurement reference library for trusted measurement is securely stored in the nonvolatile storage medium, so its security is guaranteed. Specifically, the nonvolatile storage medium may include a pre-configured secure storage space and may also include an insecure storage space; for an original measurement reference library of larger size, the portion exceeding the secure storage space may be stored in the insecure storage space in encrypted form. This takes into account both the security and the capacity requirements of the original measurement reference library, does not require enlarging the existing secure storage space, saves the limited secure storage resources of the security processor, and can efficiently cope with trusted measurement of a system with a large number of measured objects.
On the other hand, when the measured objects are scheduled, a fair scheduling strategy can be adopted, which is beneficial to fairly distributing the computing resources of the security processor occupied by each data object and realizes more reasonable application of the computing resources of the security processor.
On the other hand, the command obtained from the agent module by the security processor needs to verify the authorization information in the command, and the command is executed after the verification is passed, so that good security is achieved.
On the other hand, the data object can be selected into various types with unchanged content during the operation of the operation environment, and the data object is not limited by the existing static measurement and dynamic measurement modes, so that better universality is realized.
On the other hand, the proxy module can exist as a component embedded in the system software, can be light-weighted, is convenient to be transplanted among different system-level software, and does not depend on a specific processor hardware architecture.
Although the embodiments of the present application are disclosed above, the present invention is not limited thereto. Various changes and modifications may be effected by one skilled in the art without departing from the spirit and scope of the embodiments of the invention as defined by the appended claims.

Claims (33)

1. A credibility measurement method, applied to a security processor, wherein an original measurement reference library used for credibility verification of a measured object is pre-imported into a preset nonvolatile storage space; the credibility measurement method comprises the following steps:
responding to the measurement command, acquiring measured data of a corresponding target measured object, and placing the measured data in an unmeasured queue;
selecting measured data of a target measured object from the unmeasured queue, and performing measurement calculation to generate measurement information;
performing credible verification on the measurement information of the target measured object according to original expected measurement information obtained from an original measurement reference library or expected measurement information obtained by updating the original expected measurement information to obtain a credible verification result;
and sending a command corresponding to the credible verification result.
2. The credibility measurement method according to claim 1, wherein the nonvolatile storage space comprises: a secure storage space configured for the security processor; and a non-secure storage space outside the secure storage space;
when the data size of the original measurement reference library does not exceed the secure storage space, the original measurement reference library is placed in the secure storage space;
or, when the data size of the original measurement reference library exceeds the secure storage space, the part of the original measurement reference library exceeding the secure storage space is encrypted into a ciphertext by the security processor and imported into the non-secure storage space.
3. The credibility measurement method according to claim 2, wherein the ciphertext is electronically signed by the security processor.
4. The credibility measurement method according to claim 2, wherein the data of the original measurement reference library in the secure storage space is compressed.
5. The credibility measurement method according to claim 1, wherein the original measurement reference library comprises: a field for storing expected measurement information of the measured object; and performing credibility verification on the measurement information of the target measured object according to the original expected measurement information obtained from the original measurement reference library or the expected measurement information obtained by updating the original expected measurement information, to obtain a credible verification result, comprises:
comparing the generated measurement information with the expected measurement information;
if the comparison is consistent, obtaining a credible result of the target measured object; otherwise, a result that the target measured object is not authentic is obtained.
6. The method of claim 1, comprising: loading target information of a target measured object in an original measurement reference library to a memory reference library in a secure memory so as to execute the credibility verification by using the memory reference library; the target information includes: the information items of the measured object in the original measurement reference library or the segment information where the information items are located.
7. The credibility measurement method according to claim 6, wherein the original measurement reference library is stored in the form of page tables and the segment information is a page table.
8. The method according to claim 6, wherein the memory reference library is configured with an index structure for indexing the measured objects, and the index structure includes an object identifier of each measured object and index information of associated target information;
the loading target information of a target measured object in an original measurement reference library to a memory reference library in a secure memory so as to execute the credibility verification by using the memory reference library, includes:
matching the associated index information in the index structure according to the object identification of the target measured object;
and inquiring the target information according to the matched index information.
9. The credibility measurement method according to claim 8, comprising: when neither the memory reference library nor the part of the original measurement reference library in the secure storage space matches the target information of the target measured object, the security processor sends a loading request command to the outside to request the target information corresponding to the index information from the part of the original measurement reference library in the non-secure storage space.
10. The credibility measurement method according to claim 1 or 6, wherein the measurement command includes memory address information of the target measured object; and responding to the measurement command and acquiring the measured data of the corresponding target measured object comprises:
and acquiring the measured data of the target measured object according to the memory address information in the measurement command.
11. The method of claim 6, comprising: according to the information item of the measured object contained in the received information item operation command, corresponding operation is carried out in the memory reference library; the operations include at least one of: addition, deletion and update of information items.
12. The credibility measurement method according to claim 1, wherein the measured data of each measured object is selected from the unmeasured queue by a measurement scheduling policy; the measurement scheduling policy includes at least one of: a fair scheduling policy; a sequential scheduling policy;
the fair scheduling policy includes: forming a plurality of unmeasured queues and setting a priority for each unmeasured queue, the measured data in a higher-priority unmeasured queue being selected in preference to that in a lower-priority one; the measured data of each measured object receiving a smaller maximum calculation time in an unmeasured queue of higher priority; and moving a measured object that has reached its corresponding maximum calculation time in the higher-priority unmeasured queue to the lower-priority unmeasured queue to wait;
the sequential scheduling policy includes: selecting the measured object information in the unmeasured queue in first-in first-out order.
13. The credibility measurement method according to claim 12, wherein the fair scheduling policy further comprises at least one of the following sub-policies:
sub-policy 1: selecting the measured data of each measured object in the lowest-priority unmeasured queue in rotation;
sub-policy 2: after every preset period, placing each remaining measured object in the highest-priority unmeasured queue;
sub-policy 3: when no measured object remains in the unmeasured queues, setting the unmeasured queue used by the next stage of measurement according to the measured queue, so as to carry out the next round of measurement; the measured queue being used to hold the measurement information of each measured object whose credible verification result is credible.
14. The credibility measurement method according to claim 1, comprising: in response to an end measurement command, purging the corresponding measured object.
15. The credibility measurement method according to claim 1, wherein the measured object is selected from data objects whose content is invariant at runtime in memory.
16. The credibility measurement method according to claim 1, comprising: verifying the authorization information in a received command, and executing the command only if the verification passes.
17. A metric control method, applied to an agent module that communicates with system software and with a security processor as claimed in claim 1, wherein an original measurement reference library used for credibility verification of a measured object is pre-imported into a preset nonvolatile storage space; the metric control method comprises the following steps:
triggered by the found target measured object, sending a measurement command corresponding to the target measured object to a security processor;
and acquiring a notice of a credible verification result corresponding to the target measured object.
18. The metric control method of claim 17, comprising: sending a library import command to a secure processor to trigger the secure processor to import the raw metric reference library into the non-volatile storage space.
19. The metric control method of claim 17, wherein the metric control method comprises:
in response to a loading request command from the security processor, providing target information about the target measured object from the part of the original measurement reference library located in the non-secure storage space of the nonvolatile storage space.
20. The metric control method of claim 17, wherein the measurement command comprises an object identifier of the target measured object and memory address information where the measured data is stored.
21. The metric control method of claim 17, wherein each measured object has an object identifier, the object identifier being calculated from file path information of the measured object.
22. The metric control method of claim 17, comprising: sending an information item operation command of the information item of the measured object to the security processor to trigger the security processor to perform corresponding operation in the memory reference library; the operations include at least one of: and adding, deleting and updating information items.
23. The metric control method of claim 17, comprising: upon startup of the secure processor, a policy setting command is sent to set a metric policy for the secure processor.
24. The metric control method of claim 17, comprising: and sending a measurement failure alarm command to system software under the condition that the credibility verification result is not credible.
25. The metric control method of claim 17, comprising: triggered by the purging of the measured object, sending an end measurement command to the security processor.
26. The metric control method of claim 17, wherein the command sent by the proxy module to the security processor includes authorization information for verifying the validity of the command.
27. A credibility measurement device, applied to a security processor, wherein an original measurement reference library used for credibility verification of a measured object is pre-imported into a preset nonvolatile storage space; the credibility measurement device comprises:
the acquisition module is used for responding to the measurement command, acquiring measured data of a corresponding target measured object and placing the measured data in an unmeasured queue;
a metric calculation module for selecting measured data of a target measured object from the unmeasured queue, and performing metric calculation to generate metric information;
the credibility verification module is used for carrying out credibility verification on the measurement information of the target measured object according to original expected measurement information obtained from an original measurement reference library or expected measurement information obtained after updating the original expected measurement information so as to obtain a credibility verification result;
and the communication module is used for sending a command corresponding to the credible verification result.
28. A metric control apparatus, applied to an agent module that communicates with system software and with the security processor as claimed in claim 27, wherein an original measurement reference library used for credibility verification of a measured object is pre-imported into a preset nonvolatile storage space; the metric control apparatus comprises:
a command processing module, configured to send a measurement command corresponding to a target measured object to the security processor when triggered by discovery of the target measured object;
and the communication module is used for acquiring the notice of the credible verification result corresponding to the target measured object.
29. A security processor, configured to run an executable program to implement the credibility measurement method as claimed in any one of claims 1 to 16.
30. A main processor, communicatively connected to a security processor, configured to run an executable program to implement an agent module hosted by system software, the agent module performing the metric control method as claimed in any one of claims 17 to 26.
31. A processor chip, packaged with a package comprising: the security processor of claim 29 and the main processor of claim 30, the security processor and the main processor communicatively coupled.
32. A computer device, comprising: the processor chip of claim 31; alternatively, comprising a security processor as claimed in claim 29 and a main processor as claimed in claim 30, the security processor and main processor being communicatively coupled.
33. A computer-readable storage medium storing an executable program which, when executed, performs the credibility measurement method of any one of claims 1 to 16; or implements an agent module hosted on system software that performs the metric control method of any one of claims 17 to 26.
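As an added illustration that is not part of the patent and not Haiguang's code, the following Python sketch models the unmeasured queues and the fair scheduling policy of claims 12 and 13 (higher-priority levels get a smaller per-turn budget, an object that exhausts its budget is demoted, the lowest level is served in rotation, and a measured queue collects trusted objects), together with the comparison against expected measurement information of claim 5. Object identifiers, data, and the per-level byte budgets are constructed, and SHA-256 stands in for the patent's unspecified measurement calculation.

```python
import hashlib
from collections import deque
from dataclasses import dataclass, field


def build_reference_library(objects):
    """Constructed stand-in for the original measurement reference library:
    object identifier -> expected measurement information (SHA-256 hex)."""
    return {oid: hashlib.sha256(data).hexdigest() for oid, data in objects.items()}


@dataclass
class MeasuredItem:
    """One entry of an unmeasured queue: the measured data plus partial hash state."""
    oid: str
    data: bytes
    offset: int = 0
    hasher: object = field(default_factory=hashlib.sha256)


class FairMeasurer:
    """Several unmeasured queues; index 0 has the highest priority and the
    smallest per-turn budget (bytes hashed before the object is demoted)."""

    def __init__(self, reference, budgets=(16, 64, 256)):
        self.reference = reference
        self.budgets = budgets                       # constructed budget per priority level
        self.queues = [deque() for _ in budgets]     # deque gives FIFO order within a level
        self.measured = deque()                      # the "measured queue" of trusted objects
        self.results = {}

    def metric_command(self, oid, data):
        """Respond to a measurement command: take the measured data, enqueue at top priority."""
        self.queues[0].append(MeasuredItem(oid, data))

    def _verify(self, item):
        """Compare the generated measurement information with the expected value."""
        expected = self.reference.get(item.oid)
        trusted = expected is not None and item.hasher.hexdigest() == expected
        self.results[item.oid] = "trusted" if trusted else "untrusted"
        if trusted:
            self.measured.append(item.oid)
        return trusted

    def run(self):
        """Drain the queues under the fair scheduling policy and return the results."""
        lowest = len(self.queues) - 1
        while any(self.queues):
            level = next(i for i, q in enumerate(self.queues) if q)  # highest non-empty level
            item = self.queues[level].popleft()
            chunk = item.data[item.offset:item.offset + self.budgets[level]]
            item.hasher.update(chunk)
            item.offset += len(chunk)
            if item.offset >= len(item.data):
                self._verify(item)                   # measurement calculation finished
            elif level < lowest:
                self.queues[level + 1].append(item)  # budget used up: demote one level
            else:
                self.queues[lowest].append(item)     # lowest level: serve in rotation (sub-policy 1)
        return dict(self.results)
```

A 100-byte object is touched at all three levels before its digest is compared, whereas a 10-byte object completes at the top level; an object absent from the library, or whose bytes differ from the library entry, is reported as untrusted.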

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011605143.7A CN112597505B (en) 2020-12-29 2020-12-29 Credibility measuring method, control method, processor, chip, device and medium


Publications (2)

Publication Number Publication Date
CN112597505A CN112597505A (en) 2021-04-02
CN112597505B true CN112597505B (en) 2022-11-22
