CN114519210A - UEFI (unified extensible firmware interface) trusted implementation method based on domestic platform - Google Patents
- Publication number: CN114519210A (application CN202111596519.7A)
- Authority: CN (China)
- Prior art keywords: uefi, encryption chip, measurement, information, hardware
- Legal status: Pending (the status is an assumption by Google Patents, not a legal conclusion)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/72—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits

- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication

- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/73—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Physics (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a UEFI trusted implementation method based on a domestic platform, comprising the following steps: in the power-on stage, the hardware CPLD measures the trusted encryption chip; only after the CPLD receives a correct feedback signal from the encryption chip is the mainboard allowed to power on normally, otherwise the trusted measurement fails and the mainboard is prohibited from powering on and starting up. After the power-on self-test and before the operating system is entered, identity authentication is performed between the encryption chip and the UEFI BIOS, the encryption chip and the UEFI firmware are measured, and power-on is forbidden if the measurement fails. After the handshake between the encryption chip and the UEFI BIOS succeeds, the board card hardware device information is collected and compared with a reference value, so as to measure whether the board card hardware information or the operating system core file has been changed or tampered with. If the measurement succeeds, the computer starts normally and boots the operating system. The method meets the localization requirement and realizes security measurement of the whole trusted chain of hardware, firmware and operating system based on the Feiteng platform UEFI BIOS.
Description
Technical Field
The invention relates to a trusted measurement method, in particular to a trusted implementation method based on a domestic platform UEFI.
Background
Existing trusted measurement methods generally use a PCIE security card to measure certain data in the BIOS. This approach has a high hardware cost on the one hand and incomplete measurement on the other: it only binds the BIOS to the security card to achieve trusted secure startup, and does not measure the whole trusted chain from hardware through firmware to the operating system.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a trusted implementation method based on the UEFI (unified extensible firmware interface) of a domestic platform, so as to meet domestic requirements.
The technical scheme of the invention is as follows:
a trusted implementation method based on a domestic platform UEFI comprises the following steps:
(1) in the power-on stage, the hardware CPLD measures the trusted encryption chip; only after the CPLD receives a correct feedback signal from the encryption chip is the mainboard allowed to power on normally, otherwise the trusted measurement fails and the mainboard is prohibited from powering on and starting up;
(2) after the power-on self-test and before the operating system is entered, identity authentication is performed between the encryption chip and the UEFI BIOS, the encryption chip and the UEFI firmware are measured, and power-on is forbidden if the measurement fails;
(3) after the encryption chip and the UEFI BIOS handshake successfully, the UEFI BIOS collects the board card hardware device information and compares it with a reference value, thereby measuring whether the board card hardware information or the operating system core file has been changed or tampered with;
(4) if the measurement succeeds, the computer starts normally and boots the operating system.
In step (3), the board card hardware device information includes the unique serial number of the encryption chip, the CPU model, the memory capacity and slot positions, the hard disk capacity and SN (serial number) information, PCIE device information, the network card MAC address, and the MD5SUM of the operating system core file.
In step (3), if the BIOS prohibits starting the computer because the measurement failed, a sound-and-light alarm notifies the user, and the alarm log is encrypted and then stored in the SPI Flash of the UEFI BIOS or in the encryption chip. The alarm log contains the failure reason and time.
Compared with the prior art, the invention has the following beneficial effects:
(1) the scheme is 100% domestically produced: the board card hardware, the encryption chip, the firmware and the operating system are all domestic;
(2) the method measures a complete trusted chain, realizing security measurement of the whole trusted chain of hardware, firmware and operating system based on the Feiteng platform UEFI;
(3) the cost is low: the invention uses a domestic MCU as the encryption chip and develops the encryption chip firmware independently, which has an obvious cost advantage over the existing PCIE security card, and the firmware is the domestic Feiteng UEFI;
(4) portability is high: the product can be modularized, and the method is suitable for the UEFI firmware of any domestic Feiteng platform.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed for the embodiments or the prior-art description are briefly described below. The drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a diagram of the steps of the method of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In order to explain the technical means of the present invention, the following description will be given by way of specific examples.
Examples
The invention relates to UEFI BIOS trusted measurement on a domestic Feiteng platform, comprising trusted hardware measurement, trusted firmware measurement and trusted measurement of the operating system core file.
In order to meet the localization requirement, the invention provides a trusted implementation method based on a domestic platform UEFI. The trusted implementation method based on the Feiteng platform UEFI realizes security measurement of the whole trusted chain of hardware, firmware and operating system; in this implementation the board card hardware, the encryption chip, the firmware and the operating system are all domestically produced. As shown in figure 1, the trusted implementation method comprises the following steps:
(1) in the power-on stage, the hardware CPLD measures the trusted encryption chip; only after the CPLD receives a correct feedback signal from the encryption chip is the mainboard allowed to power on normally, otherwise the trusted measurement fails and the mainboard is prohibited from powering on and starting up;
(2) after the power-on self-test and before the operating system is entered, identity authentication is performed between the encryption chip and the UEFI BIOS, the encryption chip and the UEFI firmware are measured, and power-on is forbidden if the measurement fails;
(3) after the encryption chip and the UEFI BIOS handshake successfully, the UEFI BIOS collects the board card hardware device information, such as the unique serial number of the encryption chip, the CPU model, memory capacity and slot positions, hard disk capacity and SN information, PCIE device information, the network card MAC address and the MD5SUM of the operating system core file, and compares this information with a reference value to measure whether the board card hardware information or the operating system core file has been changed or tampered with. If the measurement fails, the BIOS prohibits starting the computer, notifies the user with a sound-and-light alarm, and encrypts and stores an alarm log (failure reason, time and similar information) in the SPI Flash of the UEFI BIOS or in the encryption chip; considering cost and efficiency, the reference value and the alarm log are preferably stored in the SPI Flash of the UEFI BIOS;
(4) if the measurement succeeds, the computer starts normally and boots the operating system.
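The following added example (not code from the patent) models step (3) and step (4) above: a constructed board inventory is compared field by field against a stored reference value, and on any mismatch the boot is halted and an alarm log carrying the failure reason and time is produced. All serial numbers, device names and the core-file bytes are constructed placeholders; the HMAC tag on the log is an assumed stand-in for the patent's unspecified encryption step.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed operating-system core-file bytes (placeholder, not a real image).
CORE_FILE_OK = b"constructed kernel image bytes v1"

def md5sum(data: bytes) -> str:
    """MD5SUM of the core file, the field the patent's step (3) compares."""
    return hashlib.md5(data).hexdigest()

# Reference value as the BIOS would read it from SPI Flash (constructed values).
REFERENCE = {
    "chip_sn": "CHIP-SN-PLACEHOLDER",
    "cpu_model": "CPU-MODEL-PLACEHOLDER",
    "memory": [{"slot": "DIMM0", "gb": 16}, {"slot": "DIMM1", "gb": 16}],
    "disk": {"sn": "DISK-SN-PLACEHOLDER", "gb": 512},
    "pcie": ["PCIE-DEV-PLACEHOLDER-A"],
    "mac": "02:00:00:00:00:01",
    "core_file_md5": md5sum(CORE_FILE_OK),
}

def measure(inventory: dict, reference: dict) -> list:
    """Return the names of every reference field whose live value differs.
    A field missing from the inventory counts as a mismatch, so a removed
    device cannot pass by simply not reporting."""
    return sorted(k for k in reference if inventory.get(k) != reference[k])

def seal_log(entry: dict, key: bytes) -> str:
    """Tag the alarm log with HMAC-SHA256 before it is written to SPI Flash.
    Assumed stand-in for the encryption step; the patent names no cipher."""
    body = json.dumps(entry, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "|" + tag

def verify_log(record: str, key: bytes):
    """Return the log entry if its tag verifies, else None."""
    body, _, tag = record.rpartition("|")
    expect = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.loads(body) if hmac.compare_digest(tag, expect) else None

def boot_decision(inventory: dict, reference: dict, key: bytes, now=None):
    """Step (3)/(4): boot only when every field matches; otherwise halt and
    emit an alarm log that records the failure reason and the time."""
    now = now or datetime.now(timezone.utc)
    mismatches = measure(inventory, reference)
    if not mismatches:
        return "BOOT", None
    entry = {"time": now.isoformat(), "reason": "mismatch: " + ",".join(mismatches)}
    return "HALT", seal_log(entry, key)
```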
The present invention is not limited to the above preferred embodiments, and any modifications, equivalents and improvements made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (4)
1. A trusted implementation method based on a domestic platform UEFI, characterized by comprising the following steps:
(1) in the power-on stage, the hardware CPLD measures the trusted encryption chip; only after the CPLD receives a correct feedback signal from the encryption chip is the mainboard allowed to power on normally, otherwise the trusted measurement fails and the mainboard is prohibited from powering on and starting up;
(2) after the power-on self-test and before the operating system is entered, identity authentication is performed between the encryption chip and the UEFI BIOS, the encryption chip and the UEFI firmware are measured, and power-on is forbidden if the measurement fails;
(3) after the encryption chip and the UEFI BIOS handshake successfully, the UEFI BIOS collects the board card hardware device information and compares it with a reference value, thereby measuring whether the board card hardware information or the operating system core file has been changed or tampered with;
(4) if the measurement succeeds, the computer starts normally and boots the operating system.
2. The UEFI trusted implementation method based on the domestic platform according to claim 1, characterized in that: in step (3), the board card hardware device information includes the unique serial number of the encryption chip, the CPU model, the memory capacity and slot positions, the hard disk capacity and SN information, PCIE device information, the network card MAC address, and the MD5SUM of the operating system core file.
3. The UEFI trusted implementation method based on the domestic platform according to claim 1, characterized in that: in step (3), if the BIOS forbids starting the computer because the measurement failed, a sound-and-light alarm notifies the user, and the alarm log is encrypted and then stored in the SPI Flash of the UEFI BIOS or of the encryption chip.
4. The UEFI trusted implementation method based on the domestic platform according to claim 3, characterized in that: the alarm log contains the failure reason and time.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111596519.7A CN114519210A (en) | 2021-12-24 | 2021-12-24 | UEFI (unified extensible firmware interface) trusted implementation method based on domestic platform |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114519210A true CN114519210A (en) | 2022-05-20 |
Family
ID=81597568
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111596519.7A Pending CN114519210A (en) | 2021-12-24 | 2021-12-24 | UEFI (unified extensible firmware interface) trusted implementation method based on domestic platform |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114519210A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | | |
SE01 | Entry into force of request for substantive examination | | |