CN114021143A - Trusted operation and maintenance module, computer and data chaining method - Google Patents
Trusted operation and maintenance module, computer and data chaining method Download PDFInfo
- Publication number
- CN114021143A CN114021143A CN202111314073.4A CN202111314073A CN114021143A CN 114021143 A CN114021143 A CN 114021143A CN 202111314073 A CN202111314073 A CN 202111314073A CN 114021143 A CN114021143 A CN 114021143A
- Authority
- CN
- China
- Prior art keywords
- computer
- module
- maintenance
- trusted
- event
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Debugging And Monitoring (AREA)
Abstract
The disclosure discloses a trusted operation and maintenance module, a computer and a data chaining method. The trusted operation and maintenance module is suitable for being installed on a computer, a platform management module is installed on the computer, the platform management module is used for monitoring the running state of the computer and recording a first operation and maintenance event of the computer, and the trusted operation and maintenance module comprises: the first interface module is used for communicating with the platform management module so as to acquire the first operation and maintenance event from the platform management module; the second interface module is used for communicating with the blockchain by using a client of the blockchain so as to store the first operation and maintenance event to the blockchain.
Description
Technical Field
The present disclosure relates to the field of block chaining, and in particular, to a trusted operation and maintenance module, a computer, and a data chaining method.
Background
Computers store large amounts of data associated with users (e.g., businesses), which are typically private data. For the data security problem on the computer, some solutions exist, such as preventing illegal personnel from operating the computer by some means.
However, if an illegal person does perform an illegal operation on a computer, how to record the illegal operation to trace the illegal operation behavior of the illegal person does not have a good solution at present.
Disclosure of Invention
The embodiment of the disclosure provides a trusted operation and maintenance module, a computer and a data chaining method, so as to solve the above problems.
In a first aspect, a trusted operation and maintenance module is adapted to be installed on a computer, where a platform management module is installed on the computer, the platform management module is configured to monitor an operation state of the computer and record a first operation and maintenance event of the computer, and the trusted operation and maintenance module includes: the first interface module is used for communicating with the platform management module so as to acquire the first operation and maintenance event from the platform management module; the second interface module is used for communicating with the blockchain by using a client of the blockchain so as to store the first operation and maintenance event to the blockchain.
In some possible implementation manners, an intrusion detection module is installed on the computer, the intrusion detection module is configured to detect a second operation and maintenance event of the computer, and the trusted operation and maintenance module further includes: the third interface module is used for communicating with the intrusion detection module so as to acquire the second operation and maintenance event from the intrusion detection module; the second interface module is further configured to store the second operation and maintenance event to the blockchain.
In some possible implementations, the intrusion detection module includes at least one of: and the alarm module, the temperature sensor and the level meter sensor are disassembled.
In some possible implementations, the first operation and maintenance event includes at least one of the following events: the method comprises the following steps of powering off the computer, restarting the computer, updating the firmware of the computer and plugging and unplugging the hard disk of the computer.
In some possible implementations, the method further includes: and the battery is used for supplying power to the credible operation and maintenance module under the condition that the computer is powered off.
In some possible implementations, the trusted operation and maintenance module obtains a supply current from the computer when the computer is powered on.
In some possible implementations, the platform management module is a BMC.
In some possible implementations, the computer is a server.
In a second aspect, there is provided a computer comprising: the platform management module is used for monitoring the running state of the computer and recording a first operation and maintenance event of the computer; the trusted operation and maintenance module according to the first aspect or any implementation manner of the first aspect, wherein the trusted operation and maintenance module is in communication connection with the platform management module.
In some possible implementations, the trusted operation and maintenance module is installed inside a chassis of the computer.
In a third aspect, a data chaining method is provided, where the method is applied to a trusted operation and maintenance module installed on a computer, a platform management module is installed on the computer, the platform management module is used to monitor an operating state of the computer and record a first operation and maintenance event of the computer, and a client of a block chain is installed on the trusted operation and maintenance module, and the method includes: communicating with the platform management module to obtain the first operation and maintenance event from the platform management module; communicating with the blockchain using a client of the blockchain to store the first operation and maintenance event to the blockchain.
In some possible implementation manners, an intrusion detection module is installed on the computer, and the intrusion detection module is configured to detect a second operation and maintenance event of the computer, and the method further includes: the intrusion detection module is used for communicating to acquire the second operation and maintenance event from the intrusion detection module; and storing the second operation and maintenance event to the block chain.
In some possible implementations, the intrusion detection module includes at least one of: and the alarm module, the temperature sensor and the level meter sensor are disassembled.
In some possible implementations, the first operation and maintenance event includes at least one of the following events: the method comprises the following steps of powering off the computer, restarting the computer, updating the firmware of the computer and plugging and unplugging the hard disk of the computer.
In some possible implementations, the platform management module is a BMC.
In some possible implementations, the computer is a server.
The trusted operation and maintenance module provided by the embodiment of the disclosure can acquire the operation and maintenance event of the computer, and upload the operation and maintenance event to the block chain for evidence storage. Due to the fact that the block chain has the characteristics of traceability and non-tampering, uploading the operation and maintenance event to the block chain can guarantee traceability of the operation and maintenance event. When data security problems occur, related operation and maintenance events can be obtained through the block chain, and the operation and maintenance events are analyzed, so that illegal operation behaviors of illegal personnel can be traced.
Drawings
Fig. 1 is a schematic structural diagram of a block chain system according to an embodiment of the present disclosure.
Fig. 2 is a schematic structural diagram of a computer according to an embodiment of the present disclosure.
Fig. 3 is a schematic diagram of log information recorded by a platform management module according to an embodiment of the present disclosure.
Fig. 4 is a schematic structural diagram of a computer according to another embodiment of the present disclosure.
Fig. 5 is a schematic diagram of an internal structure of a computer according to an embodiment of the present disclosure.
Fig. 6 is a flowchart illustrating a data uplink method according to an embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are only a part of the embodiments of the present disclosure, and not all of the embodiments.
The scheme of the embodiment of the disclosure can be applied to a block chain system. For ease of understanding, the architecture of the blockchain system is described below with reference to fig. 1.
Block chain (Blockchain)
Referring to fig. 1, a blockchain 100 is a typical distributed collaboration system. The system includes a plurality of blockchain nodes 110. The plurality of blockchain nodes 110 may collectively maintain an ever-increasing distributed data record. The recorded data can protect the content and the time sequence through a cryptographic technology, so that any party is difficult to tamper, repudiate and counterfeit. Blockchain nodes 110 may be devices with computing capabilities, such as servers, groups of servers, blockchain chips, etc., where the groups of servers may be centralized or distributed. In other implementations, the server may also be a server that provides services for a cloud platform.
In a blockchain, data (e.g., transaction information, transaction execution results, etc.) may be encapsulated in the form of blocks (blocks). The tiles may be linked to each other by a forward reference to form a "chain," i.e., a chain of tiles. In general, the first block in a block chain may be referred to as an "originating block" or an "initial block", the one block in the block chain that precedes the current block as a "previous block", and the one block in the block chain that follows the current block as a "subsequent block".
In general, a tile may include a tile head and a tile body. The block header may contain basic information of the current block to ensure that the current block can correctly enter the block chain. For example, the chunk header may record a chunk hash value of a chunk immediately preceding the current chunk. As another example, the block header may also record the block height of the current block. The block height is called "block height" for short, and is used to identify the position of the block in the block chain. Typically, the starting block has a block height of 0. The block body can be used for recording transaction information. The transaction information may include, for example, information such as transaction amount and transaction data.
Blockchains are generally divided into three types: public chain (Public Blockchain), Private chain (Private Blockchain) and alliance chain (Consortium Blockchain). Furthermore, there may be a combination of the above types, such as private chain + federation chain, federation chain + public chain, and so on. Embodiments provided by the present disclosure can be implemented in a suitable type of blockchain.
Consensus mechanism
The consensus mechanism can be understood as how to agree between the nodes responsible for accounting (or accounting nodes) in the blockchain to identify the validity of a record.
The consensus mechanism of the block chain has the characteristics of 'few obedience majority' and 'human-equal', wherein the 'few obedience majority' does not completely refer to the number of nodes, and can also be the computing power, the number of shares or other characteristic quantities which can be compared by a computer. "equal people" means that when the nodes meet the condition, all the nodes have the right to give priority to the consensus result, are directly identified by other nodes, and finally possibly become the final consensus result. Taking bitcoins as an example, workload proofs are used that it is possible to falsify a record that does not exist only if accounting nodes that control more than 51% of the total network are involved. When enough nodes are added to the blockchain, the method is basically impossible, and therefore the possibility of counterfeiting is eliminated.
The trust of the block chain is mainly embodied in that users distributed in the block chain do not need to trust another party of the transaction or trust a centralized mechanism, and the transaction can be realized only by trusting a software system under a block chain protocol. The premise of self-trust is the consensus mechanism of the blockchain, that is, in a mutually untrusted market, a sufficient requirement for each node to agree is that each node, considering the maximization of its own interest, will spontaneously and honestly obey the rules preset in the protocol, judge the authenticity of each record, and finally record the record judged to be true into the blockchain. In other words, if the nodes have independent interests and compete with each other, the nodes are almost impossible to collude to cheat you, which is especially evident when the nodes have a common reputation in the network. The blockchain technology just applies a set of consensus-based mathematical algorithm to establish a 'trust' network between machines, so that brand-new credit creation is performed through technical endorsements rather than centralized credit organizations.
The consensus mechanism of the blockchain may be, for example, one of the following consensus mechanisms: a Proof Of Work (PoW), a Proof Of rights mechanism, a Proof Of share authorization mechanism, a verification pool mechanism, and a Practical Byzantine Fault Tolerance (PBFT).
Intelligent contract
An intelligent contract is a set of commitments defined in digital form, including agreements on which contract participants can execute the commitments. In other words, a smart contract may be understood as a piece of program deployed on a computer system, and the smart contract may be automatically executed when a trigger condition of the smart contract is satisfied.
The presence of blockchains provides technical support for the implementation of intelligent contracts. The smart contract is written into the block chain in a digital form, and the characteristics of the block chain technology ensure that the whole process of storing, reading and executing the smart contract is transparent, traceable and not easy to modify. On the other hand, a set of state machine system can be constructed by the block chain self-contained consensus algorithm, so that the intelligent contract can run efficiently.
In some implementations, the user can invoke the intelligent contract by submitting a transaction to the blockchain system, set the data recorded in the intelligent contract, and store the set intelligent contract in the blockchain. Accordingly, when a specific condition of the intelligent contract is triggered, the block chain nodes can execute the intelligent contract and record the execution result of the intelligent contract and the execution state of the intelligent contract.
At present, different types of block chains are built according to the own industry structure of each industry and certain fields (such as finance, public welfare, insurance, cross-border payment and the like) in the industry, and valuable information and assets in the industry or industry are recorded on the block chains.
The scheme of the embodiment of the disclosure relates to the data security problem of a computer. Computers typically store large amounts of data associated with users (e.g., businesses), which is typically private data. If the data has security problems, such as data leakage, illegal personnel stealing and the like, great loss can be caused to users.
The computer in the embodiment of the present disclosure may be any device having data security requirements. For example, the computer may be an electronic device, a server, a memory, or the like. The electronic device may be, for example, a terminal device with a display interface, such as a mobile phone, a television, a display, a tablet computer, and a vehicle-mounted computer, or an intelligent display wearable device, such as a smart watch and a smart bracelet.
For convenience of description, a computer is taken as an example of the server.
The server may be the user's own server, that is, the server is owned by the user, and the operation and maintenance of the server are also managed by the user. Alternatively, the server may be a server rented by the user. A user may rent a server provided by a server provider and run his own data on the server. In this case, the server is not owned by the user, and the operation and maintenance of the server are not governed by the user.
In some embodiments, if the user has a small amount of data, the user may rent a server provided by the server provider in order to reduce the cost of building the server. In other embodiments, in some scenarios, the user's server may need to be located in an externally qualified data center for management. Taking financial data as an example, the server needs to be maintained by a data center with a specific license plate. In this case, the user may also rent a server of a data center with a specific qualification.
Aiming at the problem of data security, especially for the situation that a computer is not owned by a user or operated and maintained by the user, how to ensure the data security inside the computer is a problem that the industry is continuously optimized.
The computer needs to have the ability to undertake and secure the services. However, some failures of the computer inevitably occur during the operation. In order to improve user experience, daily maintenance needs to be performed on the computer to ensure normal operation of the computer.
The operation and maintenance of the computer are handled by trusted operation and maintenance personnel. The operation and maintenance personnel can perform software maintenance and hardware maintenance on the computer. Hardware maintenance may include, for example: and detecting, replacing, upgrading and the like the hardware of the computer. Software maintenance may include, for example: upgrading software, repairing bugs, rewriting software code, etc.
In order to ensure the data security of the computer, some protection measures are currently available to prevent illegal personnel from entering the data center, i.e., to prevent the illegal personnel from operating the computer. For example, an access control system may be provided, a separate booth may be provided for the computer, or a cabinet of the computer may be locked, etc. Only authenticated personnel can enter the data center to operate the computer.
Although there are many measures to prevent illegal persons from entering the data center, it is inevitable that some illegal persons enter the data center by illegal means. For example, the operation and maintenance personnel are blackened, or illegal personnel obtain a certificate for entering the data center, and the like. If the illegal person performs illegal operation on the computer, the illegal operation of the illegal person can be recorded and traced, so that the illegal person can not repudiate the illegal operation behavior of the illegal person, and the loss of a user is reduced.
The illegal operation behavior of the illegal person can be various. For example, in the case of a computer being charged, an illegal person opens a lid of the computer to access and handle a malicious device. For another example, when the computer is not powered, an illegal person opens a cover to access a malicious device, or unplugs a hard disk to copy data.
How to trace back the illegal operation of the illegal person does not have a good solution at present. In some schemes, a camera can be installed near the computer, and the camera can monitor illegal operations of illegal personnel. However, the surveillance videos shot by the cameras may be maliciously deleted. After the monitoring video is deleted, the illegal operation behavior of the illegal person cannot be traced. Therefore, how to trace back the illegal operation of the illegal person is a problem which needs to be solved urgently at present.
In order to solve the above problem, an embodiment of the present disclosure provides a trusted operation and maintenance module, which has storage and communication functions, and is capable of acquiring an operation and maintenance event of a computer, and uploading the operation and maintenance event to a block chain for storage. As can be seen from the above description, uploading the operation and maintenance event to the blockchain can ensure that the operation and maintenance event is traceable, because the blockchain has the characteristic of being traceable and not being tampered with. When data security problems occur, related operation and maintenance events can be obtained through the block chain, and the operation and maintenance events are analyzed, so that illegal operation behaviors of illegal personnel can be traced.
The operation and maintenance event of the embodiment of the present disclosure may include any operation behavior of an operator (such as an illegal person or a legal person) on a computer. For example, the operation and maintenance event may be an event generated in the software maintenance process described above, or may also be an event generated in the hardware maintenance process.
The trusted operation and maintenance module may have a separate system. The trusted operation and maintenance module may have an independent processor and memory unit therein. For example, the trusted operation and maintenance module is an embedded system, which includes hardware and software, and is a device capable of operating independently. Therefore, the credible operation and maintenance module can be manufactured into a universal and replaceable device, so that the cost can be saved.
The trusted operation and maintenance module has a trusted and safe operation environment, so that other application programs can be prevented from snooping and tampering the application programs and data in the trusted operation and maintenance module, and the computing safety is ensured. The trusted operation and maintenance module has a Trusted Execution Environment (TEE). TEE is a concept proposed by the global platform organization (global platform) dedicated to developing, formulating and releasing security chip technology standards. A TEE is a secure computing environment that can completely isolate the execution of operations within the environment from the outside, thereby ensuring the privacy and integrity of code, applications, and data assets within the environment.
The trusted operation and maintenance module may be, for example, a root of trust, which may also be referred to as a local root of trust. The trusted operation and maintenance module may be any type of security chip, for example. For example, the Trusted operation Module may be a Trusted Platform Module (TPM) chip.
Fig. 2 is a schematic structural diagram of a computer provided in an embodiment of the present disclosure. The computer 200 may include a trusted operation and maintenance module 210 and a platform management module 220.
The platform management module 220 may monitor the operating status of the computer 200 to ensure the proper operation of the computer 200. For example, the platform management module 220 may monitor the temperature, voltage, fan, power, etc. of the computer 200 and make corresponding adjustments to ensure that the computer 200 is in a healthy state. In addition, the platform management module 220 may also record information of various hardware in the computer 200 and log information for prompting the user and location of subsequent questions.
Fig. 3 shows a schematic diagram of log information recorded by the platform management module. As can be seen from FIG. 3, the platform management module may record events such as a computer power outage, a power source being removed, a computer being rebooted, etc. Of course, the platform management module may also record other log information, for example, events such as a hard disk being plugged and unplugged, firmware being updated, and the like.
Since various operation events of the computer are recorded in the platform management module 220, the trusted operation and maintenance module 210 may obtain the first operation and maintenance event from the platform management module 220. For example, the trusted operation and maintenance module 210 may obtain the first operation and maintenance event from log information recorded by the platform management module 220. The first operation and maintenance event may include at least one of the following events: the method comprises the following steps of powering off the computer, restarting the computer, updating the firmware of the computer and plugging and unplugging the hard disk of the computer.
The trusted operation and maintenance module 210 may be communicatively coupled to the platform management module 220. The trusted operation and maintenance module 210 has a dedicated channel with the platform management module 220 over the physical link. For example, the trusted operation and maintenance module 210 may be electrically connected to the platform management module 220.
The trusted operation and maintenance module 210 is provided with a first interface module 211, and the first interface module 211 can communicate with the platform management module 220 to obtain the first operation and maintenance event from the platform management module 220.
The trusted operation and maintenance module 210 may obtain the first operation and maintenance event actively or passively by the trusted operation and maintenance module 210. For example, the platform management module 220 may actively send the first operation and maintenance event to the trusted operation and maintenance module 210, that is, the trusted operation and maintenance module 210 passively obtains the first operation and maintenance event. For another example, the trusted operation and maintenance module 210 may actively read the first operation and maintenance event from the log information recorded by the platform management module 220, that is, the trusted operation and maintenance module 210 actively obtains the first operation and maintenance event.
In some embodiments, the trusted operation and maintenance module 210 may obtain the first operation and maintenance event from the log information recorded by the platform management module 220 in real time, so as to synchronize with the platform management module 220 in real time. In other embodiments, the trusted operation and maintenance module 210 may obtain the first operation and maintenance event from the log information recorded by the platform management module 220 according to a certain period.
In addition to the information of the first operation and maintenance event, other operation events of the computer are also recorded in the platform management module 220. In order to save signaling overhead, the trusted operation and maintenance module 210 may obtain only the first operation and maintenance event in the log information.
The platform management module 220 in the embodiment of the present disclosure may be a Baseboard Management Controller (BMC). The BMC has an independent system and can run independently of the operating system of the computer.
As shown in FIG. 4, the BMC 221 may have a management portal 222. The management portal 222 may communicate with an out-of-band network. For example, the management portal 222 may provide information internal to the computer 200 to the out-of-band network, or may store information of the out-of-band network within the computer 200, and so forth. The computer 200 may also include a data portal 230, the data portal 230 being in communication with an in-band network.
As shown in fig. 2, the trusted operation and maintenance module 210 further includes a second interface module 212, and the second interface module 212 is configured to communicate with the blockchain. The second interface module 212 may be a portal. The trusted operation and maintenance module 210 further has a blockchain client, and the trusted operation and maintenance module 210 may use the blockchain client to communicate with the blockchain, and upload the operation and maintenance event to the blockchain.
The trusted operation and maintenance module 210 may upload the operation and maintenance event to the blockchain 250 through the blockchain gateway 240, as shown in fig. 4. The trusted operation and maintenance module 210 may first send the operation and maintenance event to the blockchain gateway 240, and then the blockchain gateway 240 sends the operation and maintenance event to the blockchain 250.
The trusted operation and maintenance module 210 also has processing capability to process the operation and maintenance event, such as converting the operation and maintenance event into a format that can be stored on the blockchain 250. For example, the trusted operation and maintenance module 210 may hash the operation and maintenance event and store the processed information to the blockchain 250.
The trusted operation and maintenance module 210 is adapted to be installed on the computer 200 to obtain operation and maintenance events of the computer 200. The installation manner of the trusted operation and maintenance module 210 is not specifically limited in the embodiment of the present disclosure. For example, the trusted operation and maintenance module 210 may be integrated on the computer 200, and the trusted operation and maintenance module 210 is connected to the computer 200 in a non-detachable manner, i.e., in a fixed connection. Before the computer leaves the factory, the manufacturer can integrate the trusted operation and maintenance module on the computer. As another example, the trusted operation and maintenance module 210 may be removably coupled (e.g., pluggable) to the computer 200. The computer 200 may be provided with an installation interface for installing the trusted operation and maintenance module 210, and a user may connect the trusted operation and maintenance module 210 to the installation interface as required.
The trusted operation and maintenance module 210 may be installed inside or outside the computer 200. For security, the trusted operation and maintenance module 210 may be installed inside the computer 200. Fig. 5 is a schematic diagram showing the internal structure of a computer. As shown in fig. 5, the computer 200 may include a chassis 260, and the trusted operation and maintenance module 210 may be installed inside the chassis 260.
In some embodiments, an intrusion detection module is further installed in the computer 200 to detect whether the computer 200 is intruded by an illegal person. The intrusion detection module may be configured to detect a second operation event of the computer 200. The trusted operation and maintenance module 210 may further include a third interface module, which may be configured to communicate with the intrusion detection module to obtain a second operation and maintenance event from the intrusion detection module. Further, the trusted operation and maintenance module 210 may also store the second operation and maintenance event to the blockchain 250 through the second interface module 212.
The intrusion detection module may include at least one of: and disassembling the alarm module, the temperature sensor, the level gauge sensor and the like.
The temperature sensor is used for detecting the temperature of the computer. When the temperature of the computer changes, the computer can be considered to be invaded. For example, electronic components in computers may be protected using liquid nitrogen cooling devices. When the electronic components are attacked, the liquid nitrogen expands, the temperature rises, and the temperature of the computer also rises together. Therefore, whether the computer is invaded can be detected by detecting the temperature of the computer. In this case, the second operation and maintenance event may include whether the temperature of the computer is increased.
The level sensor may be used to detect if the computer is moving. The level sensor may be used to detect if the computer is moving. The level sensor may detect a computer movement event when the computer is moved by an illegal person or is subjected to an impact. In this case, the second operation and maintenance event may include whether the computer has moved.
The disassembly alert module may be used to detect whether a component of the computer is disassembled. Such as whether a storage device (e.g., a hard disk) of the computer is removed or not, and whether a lid of the computer is opened or not. In this case, the second operation and maintenance event may include whether a lid of the computer is opened and/or whether a storage device of the computer is removed. The disassembly alarm module may generate an alarm event when the lid is opened or closed. Alternatively, the detachment alarm module may generate an alarm event when the storage device is detached. The trusted operation and maintenance module can acquire the alarm event from the disassembly alarm module.
The disassembly alert module 270 may be coupled to the case lid of the computer through a mechanical trigger device. For example, the detachment alarm module 270 may be coupled to a case lid of a computer via a mechanical trigger device. When the event that the cover is opened occurs, the mechanical trigger device can send a trigger signal to the disassembly alarm module, so that the disassembly alarm module senses and records the event. The mechanical trigger device may, for example, comprise a switch which switches from a closed state to an open state when the lid is opened. The disassembly warning module can judge whether the box cover is opened or not according to whether the state of the switch is over-converted or not.
In some embodiments, the detachment alarm module 270 may also be used to detect whether a storage device (e.g., a hard disk) internal to the computer 200 is detached. For example, the detachment alert module 270 may be coupled to a storage device via a mechanical trigger. When the event that the storage device is detached occurs, the mechanical trigger device can send a trigger signal to the detachment alarm module, so that the detachment alarm module senses and records the event. The mechanical trigger means may for example comprise a switch which switches from a closed state to an open state when the storage device is removed. The disassembly warning module can judge whether the storage equipment is disassembled or not according to whether the state of the switch is converted or not.
The disassembly alert module 270 may exist independently of the system of the computer 200. That is, the detachment alarm module 270 may be a separate hardware module that is capable of operating independently and without control of the system of the computer 200.
The following describes a scheme of the embodiment of the present disclosure, taking an example that the disassembly warning module 270 detects whether the box cover is opened.
The computer 200 may include a case and a lid that snap together. The processor, the memory and other devices on the computer are arranged in the box body, and the box cover can protect the devices in the box body from being damaged.
The disassembly warning module 270 may be disposed at a connection position of the case body and the case cover, i.e., a position where the case cover contacts the case body. For example, the detachment warning module 270 may be disposed at an edge of the case, such as an inner edge of the case, as shown in FIG. 5. Thus, the removal alert module 270 generates an alert event when the lid is opened and/or the lid is closed.
The structure of the disassembly warning module 270 will be described below, taking the case of the computer as an example where the case is opened.
As shown in fig. 5, the detachment warning module 270 may include a spring plate 271. The spring plate 271 is compressed when the cover is mounted on the housing. When the cover is removed, the spring plate 271 springs up. The event that the cover is opened and closed can be detected by detecting the compression and bounce of the spring piece 271.
The trusted operation and maintenance module 210 may be electrically connected to the detachment alarm module 270 to detect events of the spring plate 271 being compressed and bounced. For example, as shown in fig. 5, the detachment alarm module 270 may be connected to the connector 273 by a wire 272, and the trusted operation and maintenance module 210 may be connected to the connector 273 by a wire, so as to electrically connect the trusted operation and maintenance module 210 and the detachment alarm module 270. Therefore, the trusted operation and maintenance module 210 and the detachment alarm module 270 form a closed loop.
The trusted operation and maintenance module 210 is provided with a detection circuit, which can be used to detect the event that the box cover is opened and closed. When the box cover is closed, the spring plate 271 compresses to form a "short circuit" state with the trusted operation and maintenance module 210, and the trusted operation and maintenance module 210 detects a high level. When the cover is opened, the spring plate 271 springs open, and the trusted operation and maintenance module 210 detects a low level. The trusted operation and maintenance module 210 may determine whether the box lid is opened according to the detected change of the level signal. When the level signal changes, the trusted operation and maintenance module 210 may record an event that the box cover is opened.
In some embodiments, the platform management module 220 may also be electrically connected to the detachment alarm module 270 to record a second operation and maintenance event. The platform management module 220 may record the second operation and maintenance event in a log. When the case lid is opened or closed, the event that the case lid is opened or closed may be recorded in the platform management module 220 and the trusted operation and maintenance module 210.
The connection mode and the operation principle of the platform management module 220 and the detachment alarm module 270 may be similar to the connection mode and the operation principle of the trusted operation and maintenance module 210 and the detachment alarm module 270. For brevity, no further description is provided herein.
If the platform management module 220 records the second operation and maintenance event, the trusted operation and maintenance module 210 may also obtain the second operation and maintenance event from the platform management module 220. That is, the trusted operation and maintenance module 210 may obtain the second operation and maintenance event from the detachment alarm module 270, and may also obtain the second operation and maintenance event from the platform management module 220.
The power supply method of the trusted operation and maintenance module 210 is not specifically limited in the embodiment of the present disclosure. For example, the trusted operation and maintenance module 210 may be powered by a power source of the computer 200. After the computer 200 is powered on, the power source of the computer 200 may supply power to the trusted operation and maintenance module 210, that is, the trusted operation and maintenance module 210 may obtain a supply current from the computer 200. For another example, the trusted operation module 210 may have a separate battery, which may supply power to the trusted operation module 210.
The advantage of using the independent battery to supply power to the trusted operation and maintenance module 210 is that after the computer 200 is powered off, for example, after the computer is maliciously powered off by an illegal person, the independent battery can still supply power to the trusted operation and maintenance module 210, so that the trusted operation and maintenance module 210 is kept in an operating state, and the operation and maintenance events of the computer 200 are recorded.
For example, when the computer 200 is powered off, the trusted operation and maintenance module 210 cannot obtain the first operation and maintenance event from the platform management module 220, but can still obtain the second operation and maintenance event from the detachment alarm module 270. That is, the trusted operation and maintenance module can record the second operation and maintenance event no matter whether the computer is powered on or not. By recording the second operation and maintenance event, the illegal operation (such as uncovering operation) of the illegal person can be recorded, and the illegal action can be traced to a certain extent.
In some embodiments, the trusted operation and maintenance module 210 may also be connected to a power source of the computer 200. After the computer 200 is powered on, the trusted operation and maintenance module 210 may be powered by a power source of the computer 200, and the power source may also charge a battery of the trusted operation and maintenance module 210. When the computer 200 is powered off, the trusted operation and maintenance module 210 is powered by a separate battery.
In some embodiments, the alarm module may also be provided at other connection locations of the computer. For example, an alarm module may be provided at a connection location of the hard disk and the computer to detect an event that the hard disk is plugged or unplugged. The trusted operation and maintenance module 210 may be electrically connected to the alarm module, so as to detect an event that the hard disk is plugged or unplugged when the computer 200 is powered off.
The operation and maintenance events recorded in the embodiment of the present disclosure can also be combined with information acquired by other means to jointly analyze illegal operation behaviors of illegal persons. For example, if a person enters the data center through monitoring and shooting, and events such as power failure of the computer, plugging and unplugging of a hard disk and the like are recorded on the block chain in the same time period, the person can be determined as an illegal person with a high probability, and the illegal person performs illegal operation on the computer.
The embodiment of the present disclosure also provides a computer, which is any one of the computers described above. The computer may be a server, for example. The computer can comprise a platform management module and a trusted operation and maintenance module, and the trusted operation and maintenance module can be in communication connection with the platform management module. The trusted operation and maintenance module may be any one of the above-described trusted operation and maintenance modules, and the platform management module may be any one of the above-described platform management modules. For example, the platform management module may be configured to monitor an operating status of a computer and record a first operation and maintenance event of the computer.
In some embodiments, the trusted operation and maintenance module may be installed inside the chassis of the computer.
The device embodiment of the present disclosure is described in detail above in conjunction with fig. 1-5, and is described in detail below in conjunction with fig. 6. It is to be understood that the description of the apparatus embodiments corresponds to the description of the method embodiments and therefore reference may be made to the preceding apparatus embodiments for parts which are not described in detail.
Fig. 6 is a flowchart illustrating a data uplink method according to an embodiment of the present disclosure. The method can be applied to a trusted operation and maintenance module installed on a computer. And the trusted operation and maintenance module is provided with a client of the block chain. The computer is provided with a platform management module, and the platform management module is used for monitoring the running state of the computer and recording a first operation and maintenance event of the computer. The method 600 shown in fig. 6 may include steps S610 to S620.
In step S610, the platform management module is communicated to obtain a first operation and maintenance event from the platform management module.
In step S620, the client using the blockchain communicates with the blockchain to store the first operation and maintenance event to the blockchain.
Optionally, in some embodiments, an intrusion detection module is installed on the computer, and the intrusion detection module is configured to detect a second operation and maintenance event of the computer, and the method further includes: the intrusion detection module is used for communicating to acquire the second operation and maintenance event from the intrusion detection module; and storing the second operation and maintenance event to the block chain.
Optionally, in some embodiments, the intrusion detection module comprises at least one of: and the alarm module, the temperature sensor and the level meter sensor are disassembled.
Optionally, in some embodiments, the first operation and maintenance event includes at least one of the following events: the method comprises the following steps of powering off the computer, restarting the computer, updating the firmware of the computer and plugging and unplugging the hard disk of the computer.
Optionally, in some embodiments, the platform management module is a BMC.
Optionally, in some embodiments, the computer is a server.
In the above embodiments, all or part of the implementation may be realized by software, hardware, firmware or any other combination. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. The procedures or functions described in accordance with the embodiments of the disclosure are, in whole or in part, generated when the computer program instructions are loaded and executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wire (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy Disk, hard Disk, magnetic tape), an optical medium (e.g., Digital Video Disk (DVD)), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
In the several embodiments provided in the present disclosure, it should be understood that the disclosed system, apparatus, and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present disclosure may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The above description is only for the specific embodiments of the present disclosure, but the scope of the present disclosure is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present disclosure, and all the changes or substitutions should be covered within the scope of the present disclosure. Therefore, the protection scope of the present disclosure shall be subject to the protection scope of the claims.
Claims (16)
1. A trusted operation and maintenance module is suitable for being installed on a computer, a platform management module is installed on the computer and used for monitoring the operation state of the computer and recording a first operation and maintenance event of the computer,
the trusted operation and maintenance module comprises:
the first interface module is used for communicating with the platform management module so as to acquire the first operation and maintenance event from the platform management module;
the second interface module is used for communicating with the blockchain by using a client of the blockchain so as to store the first operation and maintenance event to the blockchain.
2. The trusted operation and maintenance module according to claim 1, wherein an intrusion detection module is installed on the computer, the intrusion detection module is configured to detect a second operation and maintenance event of the computer, and the trusted operation and maintenance module further comprises:
the third interface module is used for communicating with the intrusion detection module so as to acquire the second operation and maintenance event from the intrusion detection module;
the second interface module is further configured to store the second operation and maintenance event to the blockchain.
3. The trusted operation and maintenance module of claim 2, wherein the intrusion detection module comprises at least one of: and the alarm module, the temperature sensor and the level meter sensor are disassembled.
4. The trusted operation and maintenance module according to claim 1, wherein the first operation and maintenance event comprises at least one of the following events: the method comprises the following steps of powering off the computer, restarting the computer, updating the firmware of the computer and plugging and unplugging the hard disk of the computer.
5. The trusted operation and maintenance module of claim 1, further comprising:
and the battery is used for supplying power to the credible operation and maintenance module under the condition that the computer is powered off.
6. The trusted operation and maintenance module according to claim 1, wherein when the computer is powered on, the trusted operation and maintenance module obtains a supply current from the computer.
7. The trusted operation and maintenance module of claim 1, wherein the platform management module is a Baseboard Management Controller (BMC).
8. The trusted operation and maintenance module of claim 1, wherein the computer is a server.
9. A computer, comprising:
the platform management module is used for monitoring the running state of the computer and recording a first operation and maintenance event of the computer;
the trusted operation and maintenance module of any one of claims 1-8, communicatively coupled with the platform management module.
10. The computer of claim 9, wherein the trusted operation and maintenance module is mounted inside a chassis of the computer.
11. A data chaining method is applied to a trusted operation and maintenance module installed on a computer, wherein a platform management module is installed on the computer and used for monitoring the operation state of the computer and recording a first operation and maintenance event of the computer, a client of a block chain is installed on the trusted operation and maintenance module,
the method comprises the following steps:
communicating with the platform management module to obtain the first operation and maintenance event from the platform management module;
communicating with the blockchain using a client of the blockchain to store the first operation and maintenance event to the blockchain.
12. The method of claim 11, wherein the computer has an intrusion detection module installed thereon, and the intrusion detection module is configured to detect a second operation and maintenance event of the computer, and the method further comprises:
the intrusion detection module is used for communicating to acquire the second operation and maintenance event from the intrusion detection module;
and storing the second operation and maintenance event to the block chain.
13. The method of claim 12, the intrusion detection module comprising at least one of: and the alarm module, the temperature sensor and the level meter sensor are disassembled.
14. The method of claim 11, the first operation event comprising at least one of: the method comprises the following steps of powering off the computer, restarting the computer, updating the firmware of the computer and plugging and unplugging the hard disk of the computer.
15. The method of claim 11, the platform management module being a Baseboard Management Controller (BMC).
16. The method of claim 11, the computer being a server.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111314073.4A CN114021143A (en) | 2021-11-08 | 2021-11-08 | Trusted operation and maintenance module, computer and data chaining method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111314073.4A CN114021143A (en) | 2021-11-08 | 2021-11-08 | Trusted operation and maintenance module, computer and data chaining method |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114021143A true CN114021143A (en) | 2022-02-08 |
Family
ID=80061944
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111314073.4A Pending CN114021143A (en) | 2021-11-08 | 2021-11-08 | Trusted operation and maintenance module, computer and data chaining method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114021143A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116467705A (en) * | 2023-01-16 | 2023-07-21 | 中科可控信息产业有限公司 | Full-time monitoring system and server for preventing server from invading |
-
2021
- 2021-11-08 CN CN202111314073.4A patent/CN114021143A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116467705A (en) * | 2023-01-16 | 2023-07-21 | 中科可控信息产业有限公司 | Full-time monitoring system and server for preventing server from invading |
| CN116467705B (en) * | 2023-01-16 | 2024-03-19 | 中科可控信息产业有限公司 | Full-time monitoring system and server for preventing server from invading |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9886583B2 (en) | Systems, methods, and apparatus to enhance the integrity assessment when using power fingerprinting systems for computer-based systems | |
| US8006101B2 (en) | Radio transceiver or other encryption device having secure tamper-detection module | |
| CN108632276B (en) | Computer network information safety system | |
| EP3812948A1 (en) | External connection type terminal protection device and protection system | |
| CN111683157B (en) | Network security protection method for Internet of things equipment | |
| US10931641B1 (en) | Hardware control logic based data forwarding control method and system | |
| CN105409164A (en) | Rootkit detection by using hardware resources to detect inconsistencies in network traffic | |
| US11416601B2 (en) | Method and system for improved data control and access | |
| CN110956722A (en) | Method, equipment and storage medium for alarming abnormity of intelligent lock | |
| WO2022220999A1 (en) | Systems and methods for chassis intrusion detection | |
| CN109815695A (en) | Detection method, device and the equipment of process safety | |
| CN114021143A (en) | Trusted operation and maintenance module, computer and data chaining method | |
| CN109241783B (en) | Implementation method and device for mobile terminal management and control strategy | |
| CN113973193A (en) | Security quality control method, electronic device and readable medium | |
| CN114629677A (en) | Safety protection system and method for thermal power generating unit electric quantity charging system | |
| CN111935068A (en) | Big data platform, server side thereof, security authentication system and method | |
| US10721253B2 (en) | Power circuitry for security circuitry | |
| Kundu et al. | Collaborative and accountable hardware governance using blockchain | |
| CN114003919A (en) | Computing device, security management method thereof and system supporting private computing | |
| CN110677483A (en) | Information processing system and trusted security management system | |
| CN114884993B (en) | Virtualized android system for enhancing data security | |
| US20240163287A1 (en) | Secure reuse of cloud at customer hardware | |
| CN115830734B (en) | Method for preventing card from being punched instead of card and related equipment | |
| JP4046629B2 (en) | Maintenance method and maintenance system using IC card | |
| CN117291199A (en) | Wearable RFID read-write device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |