CN113806811B - Automatic recovery method and device for tampered firmware and storage medium - Google Patents
Automatic recovery method and device for tampered firmware and storage medium Download PDFInfo
- Publication number
- CN113806811B CN113806811B CN202110805729.6A CN202110805729A CN113806811B CN 113806811 B CN113806811 B CN 113806811B CN 202110805729 A CN202110805729 A CN 202110805729A CN 113806811 B CN113806811 B CN 113806811B
- Authority
- CN
- China
- Prior art keywords
- firmware
- tampered
- recovery
- abstract
- module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000011084 recovery Methods 0.000 title claims abstract description 108
- 238000000034 method Methods 0.000 title claims abstract description 56
- 238000001514 detection method Methods 0.000 claims abstract description 77
- 238000005259 measurement Methods 0.000 claims abstract description 74
- 238000012795 verification Methods 0.000 claims description 18
- 230000002159 abnormal effect Effects 0.000 claims description 5
- 238000012545 processing Methods 0.000 claims description 4
- 230000000737 periodic effect Effects 0.000 claims description 3
- 230000008569 process Effects 0.000 abstract description 21
- 108010028984 3-isopropylmalate dehydratase Proteins 0.000 description 6
- 238000004364 calculation method Methods 0.000 description 4
- 238000004891 communication Methods 0.000 description 3
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 238000013459 approach Methods 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 230000008439 repair process Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/14—Error detection or correction of the data by redundancy in operation
- G06F11/1402—Saving, restoring, recovering or retrying
- G06F11/1446—Point-in-time backing up or restoration of persistent data
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Bioethics (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Quality & Reliability (AREA)
- Storage Device Security (AREA)
- Stored Programmes (AREA)
Abstract
The application relates to a method, a device and a storage medium for automatically recovering tampered firmware. The method comprises the following steps: maintaining a firmware recovery set connected with the device; selecting a tamper measurement object of the firmware, and storing an initial reference value encryption signature of the tamper measurement object in the device; when the device firmware runs, the digest of the current value of the tamper measurement object is periodically calculated, the signature is verified to obtain the digest of the initial reference value, whether the firmware is tampered is determined by comparing whether the initial reference value is the same as the digest of the current value, and if so, the corresponding image file and configuration file are obtained from the firmware recovery set to replace the firmware. The application also relates to a device for realizing the method and a storage medium. The application can realize the tamper detection of the firmware in the running process of the firmware, and once the firmware is detected to be tampered, the corresponding image file and configuration file are obtained from the firmware restoration set to replace the firmware. The potential safety hazard of equipment caused by illegal tampering of the firmware is avoided, and the safety of the firmware and the equipment is ensured.
Description
Technical Field
The present application relates to the field of firmware security, and in particular, to a method and apparatus for automatically recovering tampered firmware, and a storage medium.
Background
For the firmware installed by the device, a trusted computing technology is generally adopted to ensure the safety of the firmware, so that the potential safety hazard of the device caused by malicious tampering of the firmware is avoided.
The current popular firmware tamper resistant schemes utilize digital signature technology. The electronic manufacturer generates a public key and a private key pair, signs an original firmware package by using the private key, and issues the signed firmware as a mirror image package. When the device is started, the trusted root is utilized to decrypt the signed image package, the measurement and the signature verification are carried out on the image package, and the firmware package passing the signature verification can be guided and started by the system correctly. The existing scheme realizes tamper resistance in the firmware starting process, but cannot deal with the situation that the firmware is tampered during the running process. In the prior art, a scheme for verifying the TPM is also provided, however, the application scene of the scheme for verifying the TPM is limited, the scheme for verifying the TPM can only be applied to firmware at a BIOS level or firmware at an OS level, and is not applicable to firmware at a non-BIOS level or OS level.
Disclosure of Invention
In order to solve the above technical problems or at least partially solve the above technical problems, the present application provides a method, an apparatus and a storage medium for automatically recovering tampered firmware.
In a first aspect, the present application provides a tampered firmware automatic recovery method, maintaining a firmware recovery set connected to a device, where the firmware recovery set includes a default configuration file and an image file of each firmware;
selecting corresponding key parameters as tamper measurement objects aiming at each firmware in the equipment, and storing initial reference value encryption signatures of the tamper measurement objects of each firmware into the equipment;
when the firmware runs, periodically calculating the abstract of the current value of the tamper measurement object of the firmware, acquiring the initial reference value of the corresponding encryption signature, and verifying the signature;
after the signature is verified successfully, obtaining the abstract of the initial reference value, comparing the abstract of the initial reference value of the same falsification measuring object with the abstract of the current value, judging whether the firmware is falsified,
and if the firmware is tampered, acquiring a corresponding image file and a configuration file from the firmware restoration set to replace the tampered firmware.
Further, the key parameters selected as tamper measures include the key configuration fixed in the firmware and the key code of the firmware.
Further, storing the initial reference value encryption signature of the tamper measure object of each firmware includes:
before the equipment leaves the factory, processing the initial reference value of the firmware through an SHA256 or SHA384 algorithm to obtain a corresponding abstract;
signing the abstract through a private key of the digital signature and writing the abstract into a corresponding first storage unit;
writing the public key of the digital signature into the corresponding second storage unit.
Further, obtaining an initial reference value of the corresponding encrypted signature, and verifying the signature includes:
obtaining a summary of the signature from the corresponding first storage unit and a public key from the corresponding second storage unit;
and carrying out signature verification on the signed abstract through the public key so as to obtain the abstract.
Still further, if the firmware is tampered, obtaining the corresponding image file and the configuration file from the firmware restoration set to replace the tampered firmware includes:
suspending the operation of the firmware;
determining the name version of the mirror image file of the tampered firmware, and determining the name of the configuration file of the tampered firmware;
downloading the corresponding image file from the firmware restoration set according to the name version of the image file, and downloading the corresponding configuration file from the firmware restoration set according to the name of the configuration file;
after the tampered firmware is erased, the image file is installed and configured according to the configuration file.
And further, periodically carrying out integrity and tamper detection on the configuration files and the image files in the firmware restoration set, and replacing the configuration files and the image files with damaged integrity and tampered configuration files in the firmware restoration set.
In a second aspect, the present application provides an apparatus for automatically recovering tampered firmware, comprising:
the management module is used for providing a management interface for an administrator, the administrator configures a detection period, firmware to be detected and a firmware recovery set through the management interface, and the administrator inquires the firmware state through the management interface.
The firmware measurement module is used for checking the signature to obtain a summary of the initial reference value of the falsified measurement object; the firmware measurement module calculates the abstract of the current value of the falsified measurement object according to the periodic detection instruction, compares the abstract of the current value with the abstract of the initial reference value, and judges whether the firmware is falsified during the operation period;
the firmware recovery module is used for receiving a recovery instruction and acquiring a default configuration file and an image file from a firmware recovery set configured by the management module to recover tampered firmware;
the detection recovery control module is used for periodically sending detection instructions to the firmware measurement modules and controlling the corresponding firmware measurement modules to tamper and detect the firmware; and the detection recovery control module sends a recovery instruction to the firmware recovery module when receiving tampered information transmitted by the firmware measurement module.
Still further, the apparatus for determining the repair order of the vulnerability further includes: the watchdog module is used for receiving the heartbeat signal sent by the detection recovery control module and judging whether the detection recovery control module works normally or not according to the heartbeat signal;
and the reset module is used for resetting the detection recovery control module when the watchdog module detects that the detection recovery control module is abnormal.
Still further, the apparatus for determining the repair order of the vulnerability further includes: and the log module is used for recording the detection result of the firmware measurement module into a log.
In a third aspect, the present application provides a storage medium for implementing an automatic recovery method of tampered firmware, where the storage medium implementing the automatic recovery method of tampered firmware stores at least one instruction, and executing the instruction implements the automatic recovery method of tampered firmware.
Compared with the prior art, the technical scheme provided by the embodiment of the application has the following advantages:
the tampered firmware automatic recovery method provided by the application ensures the safety of the initial reference value of the firmware tampering measurement object written into the equipment in a mode of encryption signature, so that the initial reference value for ensuring the safe operation of the firmware can not be tampered arbitrarily.
The application utilizes the detection recovery control module to control the firmware measurement module to periodically detect the firmware tampering, the firmware measurement module periodically calculates the abstract of the current value of the firmware tampering measurement object when the firmware runs, obtains the abstract of the stored initial reference value in a signature verification mode, and compares the abstract of the current value with the abstract of the initial reference value to verify whether the firmware is tampered. Thereby realizing the detection of whether the firmware is tampered or not in the running process of the firmware.
According to the application, after the firmware is tampered, the firmware restoration module is controlled by the detection restoration control module to acquire the corresponding image file and the configuration file from the firmware restoration set to replace the tampered firmware, so that the firmware is restored to a default state, and the potential safety hazard of equipment caused by malicious firmware tampering is avoided.
The application carries out integrity and tamper detection on the image files and the configuration files in the firmware restoration set, and ensures the safety of the image files and the configuration files in the firmware restoration set.
The application utilizes the watchdog module and the reset module to reset when the detection recovery control module is abnormal, so that the detection recovery control module keeps continuous long-time normal operation.
The application also utilizes the log module to record the tampering detection result of the tampering measurement object, thereby being convenient for an administrator to check.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
In order to more clearly illustrate the embodiments of the application or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, and it will be obvious to a person skilled in the art that other drawings can be obtained from these drawings without inventive effort.
FIG. 1 is a flowchart of a method for automatically recovering tampered firmware according to an embodiment of the present application;
FIG. 2 is a flowchart of firmware provided in an embodiment of the present application, which obtains initial reference values of a corresponding encrypted signature from a corresponding first storage unit, and verifies the signature;
FIG. 3 is a flow chart of an alternative tampered firmware provided by an embodiment of the present application;
FIG. 4 is a schematic diagram of an apparatus for automatically recovering tampered firmware according to an embodiment of the present application;
fig. 5 is a specific architecture diagram of a device for automatically recovering tampered firmware in a server according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Example 1
The embodiment of the application provides an automatic recovery method of tampered firmware.
The tampered firmware automatic recovery method needs matching of a firmware recovery set, wherein the firmware recovery set comprises a default configuration file and an image file of each firmware.
In an implementation, a device vendor maintains a firmware recovery set that can connect with a user's device. The firmware recovery set is an image station where the device manufacturer stores default configuration files and image files for each firmware provided. And in the process of maintaining the firmware restoration set, equipment manufacturers periodically perform integrity and tamper detection on the configuration files and the image files in the firmware restoration set, and replace the configuration files and the image files with damaged integrity and tampered configuration files in the firmware restoration set.
The automatic recovery method of the tampered firmware needs to select corresponding key parameters as tampering measuring objects aiming at each firmware in the equipment, and store initial reference value encryption signatures of the tampering measuring objects of each firmware into the equipment.
In the implementation process, when the firmware is configured to the device, the device manufacturer selects corresponding key parameters for different firmware to be used as tamper measurement objects, wherein the key parameters selected as the tamper measurement objects comprise the key configuration fixed in the firmware and the key codes of the firmware. In this embodiment, the key configuration fixed by taking the server device as an example includes a public key certificate, a key, and configuration related to verification Boot, and the key code includes POSTcode, CPU MicroCodeupdate, EFI Driver & Application, secure Boot, uboot of the BMC.
The device manufacturer configures an initial reference value for the tamper measure object. And the configuration file and the image file in the firmware recovery set adopt corresponding initial reference values.
The equipment manufacturer processes the firmware initial reference value through an SHA256 or an SHA384 algorithm to obtain a corresponding abstract, and then signs the abstract by using a private key of the digital signature; and storing the initial reference value after encryption signature into a corresponding first storage unit in the equipment. The device is wound up and stores the corresponding public key of the digital signature in a corresponding second storage unit in the device. Taking a server as an example for illustration, an equipment manufacturer stores a corresponding initial reference value after encryption signature into a corresponding first storage unit connected with a chip where the firmware is located, and the equipment manufacturer stores a public key into a corresponding second storage unit, wherein the second storage unit is an OTP component or a BMC chip, and the corresponding OTP component is connected with a chip for configuring the corresponding firmware; if the BIOS chip of the server is connected with the OTP component corresponding to the BIOS, the CPLD chip in the server is connected with the OTP component corresponding to the CPLD, and for the BMC of the server, the initial reference value and the public key after encryption signature are written into the BMC chip of the server.
Referring to fig. 1, the method for automatically recovering tampered firmware includes:
s100, periodically sending a detection instruction to each firmware; and the sending period of the detection instruction is set according to the user requirement.
S200, responding to the detection instruction in the running process of the firmware, and acquiring the abstract of the current value of the tamper measurement object of the firmware in a corresponding calculation mode; in the specific implementation process, the current value of the tamper-measured object is obtained from the corresponding memory space of the firmware, the digest of the current value is calculated by using the SHA256 or SHA384 algorithm, and the SHA256 or SHA384 is selected according to the algorithm of initial reference value encryption.
S300, the firmware acquires an initial reference value of a corresponding encryption signature from a corresponding first storage unit, and verifies the signature; it should be understood that the initial reference values of the different firmware are stored in different first storage units, and the corresponding first storage units refer to the first storage units in which the initial reference values of the specified firmware are located. In the implementation process, referring to fig. 2, the firmware obtains an initial reference value of a corresponding encrypted signature from a corresponding first storage unit, and verifies the signature includes:
s301, firmware obtains a signature summary from a corresponding first storage unit and obtains a public key from a corresponding second storage unit. It should be appreciated that the public keys of different firmware are stored in different second storage units, the corresponding second storage unit referring to the second storage unit in which the public key of the specified firmware is located.
S302, signature verification is carried out on the signed abstract through the public key so as to obtain the abstract of the initial reference value.
S400, comparing the abstract of the initial reference value of the same falsification measurement object with the abstract of the current value, judging whether the firmware is falsified, executing step S500 if the firmware is falsified,
s500, acquiring corresponding image files and configuration files from the firmware restoration set to replace tampered firmware. Referring to fig. 3, obtaining the corresponding image file and configuration file from the firmware restoration set to replace the tampered firmware includes:
s501, stopping the operation of firmware;
s502, determining the name version of the mirror image file of the tampered firmware and determining the name of the configuration file of the tampered firmware;
s503, downloading the corresponding image file from the firmware restoration set according to the name version of the image file, and downloading the corresponding configuration file from the firmware restoration set according to the name of the configuration file;
s504, after the tampered firmware is erased, installing an image file and configuring according to a configuration file;
s505, restarting the firmware, performing tamper detection again to judge whether the recovered firmware is tampered, and executing step S506 if yes;
s506, feeding back the failed firmware state.
In a specific implementation process, the method for automatically recovering the tampered firmware further comprises the following steps: and recording the result of the firmware tampering detection as a log and storing the log.
Example 2
The embodiment provides a device for automatically recovering tampered firmware, referring to fig. 4, the device for automatically recovering tampered firmware includes:
the management module is used for providing a management interface for an administrator, and the administrator configures a detection period, firmware to be detected and a firmware recovery set through the management interface; and the administrator inquires the firmware state through the management interface.
Specifically, the configuration monitoring period refers to a period for configuring a detection instruction to be sent to firmware; configuring the firmware to be monitored refers to selecting the corresponding firmware in the equipment as an object for tamper detection; configuring a firmware recovery set refers to configuring a link address of a firmware recovery set mirror station at a device.
Firmware states include verification pass, verification in progress, firmware flush, failure in the present application. Verification is that the firmware is verified to be not tampered, verification is that a tampering verification process is performed, firmware refreshing is that an image file and a configuration file are obtained from a firmware recovery set to replace the tampered firmware, and failure is that the firmware is not tampered and recovery fails.
The firmware measurement module is used for checking the signature to obtain the abstract of the initial reference value of the falsification measurement object, calculating the abstract of the current value of the falsification measurement object according to the periodic detection instruction, and comparing the abstract of the current value with the abstract of the initial reference value to judge whether the firmware is falsified or not in the operation period.
Specifically, the firmware measurement module obtains an initial reference value of the encryption signature from a corresponding storage unit, the firmware measurement module obtains a public key from the corresponding storage unit, and the firmware measurement module verifies the initial reference value of the encryption signature by using the public key to obtain a corresponding abstract. The firmware measurement module calculates the abstract of the current value of the falsification measurement object of the firmware, compares whether the abstract of the current value of the same falsification measurement object is different from the abstract of the initial reference value, and judges that the firmware is falsified in the running period if the abstract of the current value of the same falsification measurement object is different from the abstract of the initial reference value.
And the firmware recovery module is used for receiving a recovery instruction and acquiring a default configuration file and an image file from the firmware recovery set configured by the management module to recover the tampered firmware.
In the implementation process, the firmware recovery module determines the name version of the mirror image file of the tampered firmware and determines the name of the configuration file of the tampered firmware; downloading the corresponding image file from the firmware restoration set according to the name version of the image file, and downloading the corresponding configuration file from the firmware restoration set according to the name of the configuration file; after erasing the tampered firmware, installing an image file and configuring according to a configuration file; the firmware restoration module restarts the replacement completed firmware.
The detection recovery control module is used for periodically sending detection instructions to the firmware measurement modules and controlling the corresponding firmware measurement modules to tamper and detect the firmware; the detection and recovery control module is used for receiving the tampering detection result of the firmware measurement module and sending a recovery instruction to the firmware recovery module when receiving tampered information transmitted by the firmware measurement module.
In a specific implementation process, the device for automatically recovering the tampered firmware further comprises: the watchdog module is used for receiving the heartbeat signal sent by the detection recovery control module and judging whether the detection recovery control module works normally or not according to the heartbeat signal;
and the reset module is used for resetting the detection recovery control module when the watchdog module detects that the detection recovery control module is abnormal.
In a specific implementation process, the device for automatically recovering the tampered firmware further comprises: and the log module is used for recording the detection result of the firmware measurement module into a log.
Referring to fig. 5, a device for automatically recovering tampered firmware will be described by taking a server as an example:
in the server, the detection recovery control module and the management module are deployed in an upper-layer OS, and are realized by a CPU in cooperation with a corresponding memory, so that the upper-layer OS is required to be capable of accessing the BMC system in-band.
Or the detection recovery control module is deployed in the BMC system, is directly realized by the BMC in cooperation with a corresponding memory, and the corresponding management module is realized by web services of the BMC.
In the server, the log module, the watchdog module and the firmware recovery module are realized by the BMC.
The log module collects and records tamper detection results of the firmware measurement modules in the chips by using a log system of the BMC.
The detection and recovery control module adopts a system d to periodically send heartbeat information to the watchdog module, the watchdog module confirms that the detection and recovery control module works normally through the heartbeat information, and when the watchdog module detects that the heartbeat information of the detection and recovery control module lacks a set period, the watchdog module controls the reset module to reset and restart the detection and recovery control module. And ensuring the detection and recovery control module to work continuously.
The firmware recovery module utilizes the web function of the BMC to realize connection with the firmware recovery set, controls the corresponding firmware to stop running from the firmware recovery module when the firmware is tampered, and acquires the corresponding image file and the corresponding configuration file from the firmware recovery set to be written into the corresponding chip. After the firmware recovery is completed, the firmware recovery module informs the detection recovery control module that the firmware refreshing is completed, and the detection recovery control module controls the corresponding firmware measurement module to perform tamper detection again.
In the server, the detection recovery control module realizes communication with each chip through the BMC. Specifically, the IPMI implementation provided by the BMC forwards the detection instruction sent by the detection recovery control module to the firmware measurement module implemented by the corresponding chip, where the corresponding chip includes a BIOS chip, a CPLD chip, and a BMC chip in service; and the IPMI implementation provided by the BMC sends the detection result of the corresponding firmware measurement module to the detection recovery control module. And the detection recovery control module also sends the heartbeat information to the watchdog module through IPMI. And the detection recovery control module also sends a recovery instruction to the firmware recovery module through IPMI. The firmware recovery module sends a firmware recovery completion signal to the detection recovery control module.
In the server, several OTP components or BMC chips are employed to store the corresponding public key and initial reference value of the cryptographic signature.
In the server, for a chip lacking signature verification or digest calculation capability, the firmware measurement module cannot realize signature verification or digest calculation on the current value, so that the firmware running on the chip cannot realize self-checking.
One possible design approach is: configuring a public key corresponding to a chip lacking verification signature or digest calculation capability and an initial reference value of an encryption signature in a designated storage area of a BMC chip, wherein in the firmware operation process, a firmware measurement module of the BMC processes the initial reference value of the encryption signature through verification signature, obtains a digest of the initial reference value of the chip and sends the digest to the corresponding chip, or a firmware measurement module of the BMC acquires a current value of a falsified measurement object from the chip through IPMI and calculates the digest of the current value and sends the digest to the corresponding chip; the firmware measurement module of the chip compares the abstract of the initial reference value of the falsified measurement object with the abstract of the current value.
Another possible design approach is: configuring the corresponding public key and the initial reference value of the encryption signature in a designated storage area of the BMC chip, and performing verification signature processing on the initial reference value of the encryption signature by a firmware measurement module of the BMC to obtain a summary of the initial reference value of the chip; the firmware measurement module of the chip only collects the current value of the falsified measurement object, then sends the current value to the firmware measurement module of the BMC through the IPMI, the firmware measurement module of the BMC calculates the abstract of the current value, the firmware measurement module of the BMC compares the abstract of the current value of the falsified measurement object of the chip with the abstract of the initial reference value to judge whether the firmware of the chip is falsified, and the BMC firmware measurement module adds the ID of the chip firmware into the detection result of the detection recovery control module.
Example 3
The present embodiment provides a storage medium that implements a tampered firmware automatic recovery method. The storage medium for realizing the tampered firmware automatic recovery method stores at least one instruction, the storage medium for realizing the tampered firmware automatic recovery method is provided with at least one data transmission interface, and the related processor is connected with the storage medium through the data transmission interface to acquire the instruction, and executes the instruction to realize the tampered firmware automatic recovery method.
The tampered firmware automatic recovery method provided by the application ensures the safety of the initial reference value of the firmware tampering measurement object written into the equipment in a mode of encryption signature, so that the initial reference value for ensuring the safe operation of the firmware can not be tampered arbitrarily.
The application utilizes the detection recovery control module to control the firmware measurement module to periodically detect the firmware tampering, the firmware measurement module periodically calculates the abstract of the current value of the firmware tampering measurement object when the firmware runs, obtains the abstract of the stored initial reference value in a signature verification mode, and compares the abstract of the current value with the abstract of the initial reference value to verify whether the firmware is tampered. Thereby realizing the detection of whether the firmware is tampered or not in the running process of the firmware.
According to the application, after the firmware is tampered, the firmware restoration module is controlled by the detection restoration control module to acquire the corresponding image file and the configuration file from the firmware restoration set to replace the tampered firmware, so that the firmware is restored to a default state, and the potential safety hazard of equipment caused by malicious firmware tampering is avoided.
The application carries out integrity and tamper detection on the image files and the configuration files in the firmware restoration set, and ensures the safety of the image files and the configuration files in the firmware restoration set.
The application utilizes the watchdog module and the reset module to reset when the detection recovery control module is abnormal, so that the detection recovery control module keeps continuous long-time normal operation.
The application also utilizes the log module to record the tampering detection result of the tampering measurement object, thereby being convenient for an administrator to check.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The foregoing is only a specific embodiment of the application to enable those skilled in the art to understand or practice the application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (8)
1. An apparatus for automatically recovering tampered firmware, comprising:
the management module is used for providing a management interface for an administrator, the administrator configures a detection period, firmware to be detected and a firmware recovery set through the management interface, and the administrator inquires the firmware state through the management interface;
the firmware measurement module is used for checking the signature to obtain the abstract of the initial reference value of the falsification measurement object, calculating the abstract of the current value of the falsification measurement object according to the periodic detection instruction, comparing the abstract of the current value with the abstract of the initial reference value, and judging whether the firmware is falsified or not in the operation period; the key parameters selected as tamper measurement objects comprise fixed key configuration in the firmware and key codes of the firmware;
the firmware recovery module is used for receiving a recovery instruction and acquiring a default configuration file and an image file from a firmware recovery set configured by the management module to recover tampered firmware;
the detection recovery control module is used for periodically sending detection instructions to the firmware measurement modules and controlling the corresponding firmware measurement modules to tamper and detect firmware, and when receiving tampered information transmitted by the firmware measurement modules, the detection recovery control module sends recovery instructions to the firmware recovery modules;
the watchdog module is used for receiving the heartbeat signal sent by the detection recovery control module and judging whether the detection recovery control module works normally or not according to the heartbeat signal;
and the reset module is used for resetting the detection recovery control module when the watchdog module detects that the detection recovery control module is abnormal.
2. The apparatus for automatic recovery of tampered firmware according to claim 1, further comprising: and the log module is used for recording the detection result of the firmware measurement module into a log.
3. An automatic recovery method of tampered firmware, applied to the automatic recovery device of tampered firmware according to claim 1 or 2, characterized in that a firmware recovery set connected with a device is maintained, wherein the firmware recovery set contains a default configuration file and an image file of each firmware;
selecting corresponding key parameters as tamper measurement objects aiming at each firmware in the device, wherein the key parameters selected as the tamper measurement objects comprise fixed key configuration in the firmware and key codes of the firmware; storing the initial reference value encryption signature of the tamper measurement object of each firmware to the device;
when the firmware runs, the digest of the current value of the tamper measure object of the firmware is calculated periodically,
acquiring an initial reference value of a corresponding encryption signature, verifying the signature, acquiring an abstract of the initial reference value after the signature is verified to be successful, comparing the abstract of the initial reference value of the same tamper measurement object with the abstract of the current value, judging whether the firmware is tampered, and acquiring a corresponding mirror image file and a configuration file from the firmware restoration set to replace the tampered firmware if the firmware is tampered.
4. The method of automatically recovering tampered firmware according to claim 3, wherein storing an initial reference value encryption signature of a tamper measure object of each firmware comprises:
before the equipment leaves the factory, processing the initial reference value of the firmware through an SHA256 or SHA384 algorithm to obtain a corresponding abstract;
signing the abstract through a private key of the digital signature and writing the abstract into a corresponding first storage unit;
writing the public key of the digital signature into the corresponding second storage unit.
5. A tampered firmware automatic recovery method according to claim 3, wherein obtaining an initial reference value of a corresponding encryption signature and verifying the signature comprises:
obtaining a summary of the signature from the corresponding first storage unit and a public key from the corresponding second storage unit;
and carrying out signature verification on the signed abstract through the public key so as to obtain the abstract.
6. The method of automatically recovering tampered firmware according to claim 3, wherein obtaining the corresponding image file and configuration file from the firmware recovery set to replace the tampered firmware if the firmware is tampered comprises:
suspending the operation of the firmware;
determining the name version of the mirror image file of the tampered firmware, and determining the name of the configuration file of the tampered firmware;
downloading the corresponding image file from the firmware restoration set according to the name version of the image file, and downloading the corresponding configuration file from the firmware restoration set according to the name of the configuration file;
after the tampered firmware is erased, the image file is installed and configured according to the configuration file.
7. A tampered firmware automatic restoration method according to claim 3, wherein integrity and tampering detection are periodically performed on the configuration files and the image files in the firmware restoration set, and the configuration files and the image files in the firmware restoration set, in which the integrity is broken and tampered, are replaced.
8. A storage medium for implementing a tampered firmware automatic recovery method, wherein the storage medium for implementing a tampered firmware automatic recovery method stores at least one instruction, and a processor executes the instruction to implement the tampered firmware automatic recovery method according to any one of claims 3 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110805729.6A CN113806811B (en) | 2021-07-16 | 2021-07-16 | Automatic recovery method and device for tampered firmware and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110805729.6A CN113806811B (en) | 2021-07-16 | 2021-07-16 | Automatic recovery method and device for tampered firmware and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113806811A CN113806811A (en) | 2021-12-17 |
| CN113806811B true CN113806811B (en) | 2023-08-29 |
Family
ID=78893088
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110805729.6A Active CN113806811B (en) | 2021-07-16 | 2021-07-16 | Automatic recovery method and device for tampered firmware and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113806811B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116611075A (en) * | 2023-07-18 | 2023-08-18 | 深圳市楠菲微电子有限公司 | Detection method, os detection firmware and system for preventing attack chip during XIP starting |
| CN116795741B (en) * | 2023-08-28 | 2023-11-10 | 凡澈科技(武汉)有限公司 | Method and system for preventing memory data from being deleted and tampered |
-
2021
- 2021-07-16 CN CN202110805729.6A patent/CN113806811B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN113806811A (en) | 2021-12-17 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP4855679B2 (en) | Encapsulation of reliable platform module functions by TCPA inside server management coprocessor subsystem | |
| US10157050B2 (en) | Method for confirming correction program and information processing apparatus | |
| US7558966B2 (en) | Notifying remote administrator of platform integrity determination | |
| CN113806811B (en) | Automatic recovery method and device for tampered firmware and storage medium | |
| US8533829B2 (en) | Method for monitoring managed device | |
| CN111158767B (en) | BMC-based server safe starting method and device | |
| US10977367B1 (en) | Detecting malicious firmware modification | |
| JP6391439B2 (en) | Information processing apparatus, server apparatus, information processing system, control method, and computer program | |
| CN103186434A (en) | Method and system for recovering basic input/output system | |
| WO2020037613A1 (en) | Security upgrade method, apparatus and device for embedded program, and storage medium | |
| KR20080050216A (en) | Secure booting apparatus and method of mobile platform using tpm | |
| CN110990124A (en) | Cloud host recovery method and device | |
| CN111651769B (en) | Method and device for acquiring measurement of security initiation | |
| US10621334B2 (en) | Electronic device and system | |
| CN104573499A (en) | Executable program file protection system and method on basis of UEFI (Unified Extensible Firmware Interface) | |
| CN114692160A (en) | Processing method and device for safe and trusted starting of computer | |
| CN113127873A (en) | Credible measurement system of fortress machine and electronic equipment | |
| CN116820528A (en) | Firmware version upgrading method and device, chip and electronic equipment | |
| CN111858114B (en) | Device starting exception handling and device starting control method, device and system | |
| CN111506897B (en) | Data processing method and device | |
| CN114579971A (en) | Starting method of safety control module and related device | |
| CN117033086B (en) | Recovery method and device of operating system, storage medium and server management chip | |
| CN111625831B (en) | Trusted security measurement method and device | |
| CN115618366B (en) | Authentication method and device for server | |
| US20240070329A1 (en) | Applying trusted backup configuration to a node |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |