CN114519210A - UEFI (unified extensible firmware interface) trusted implementation method based on domestic platform - Google Patents


Info

Publication number
CN114519210A
CN114519210A
Authority
CN
China
Prior art keywords
uefi
encryption chip
measurement
information
hardware
Legal status
Pending
Application number
CN202111596519.7A
Other languages
Chinese (zh)
Inventor
吴昌
Current Assignee
Fengwei Firmware Shenzhen Co ltd
Original Assignee
Fengwei Firmware Shenzhen Co ltd
Priority date
2021-12-24
Filing date
2021-12-24
Publication date
2022-05-20

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information
    • G06F21/72 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information in cryptographic circuits
    • G06F21/73 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a trusted implementation method for UEFI on a domestic platform, comprising the following steps. In the power-on stage, the hardware CPLD measures the trusted encryption chip; the mainboard is allowed to power on normally only after the CPLD receives the correct feedback signal from the encryption chip, otherwise the trust measurement fails and the mainboard is prevented from powering on and booting. After the power-on self-test and before entering the operating system, identity authentication is performed between the encryption chip and the UEFI BIOS, the encryption chip and the UEFI firmware are measured, and booting is prohibited if the measurement fails. After the handshake between the encryption chip and the UEFI BIOS succeeds, the board's hardware device information is collected and compared with reference values, so as to measure whether the board hardware information or the operating system core file has been changed or tampered with. If the measurement succeeds, the computer boots normally and loads the operating system. The method meets the localization requirement and realizes security measurement of the whole trust chain, from hardware through firmware to the operating system, on the Feiteng platform UEFI BIOS.

Description

UEFI (unified extensible firmware interface) trusted implementation method based on domestic platform
Technical Field
The invention relates to a trust measurement method, in particular to a trusted implementation method based on the UEFI of a domestic platform.
Background
Existing trust measurement methods generally use a PCIe security card to measure certain data in the BIOS. This approach has a high hardware cost on the one hand and incomplete measurement on the other: it only binds the BIOS to the security card to achieve trusted secure boot, and does not measure the whole trust chain from hardware through firmware to the operating system.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a trusted implementation method based on the UEFI of a domestic platform, so as to meet localization requirements.
The technical scheme of the invention is as follows:
A trusted implementation method based on a domestic-platform UEFI comprises the following steps:
(1) In the power-on stage, the hardware CPLD measures the trusted encryption chip; the mainboard is allowed to power on normally only after the CPLD receives the correct feedback signal from the encryption chip, otherwise the trust measurement fails and the mainboard is prevented from powering on and booting;
(2) After the power-on self-test and before entering the operating system, identity authentication is performed between the encryption chip and the UEFI BIOS, the encryption chip and the UEFI firmware are measured, and booting is prohibited if the measurement fails;
(3) After the encryption chip and the UEFI BIOS handshake successfully, the UEFI BIOS collects the board hardware device information and compares it with reference values, thereby measuring whether the board hardware information or the operating system core file has been changed or tampered with;
(4) If the measurement succeeds, the computer boots normally and loads the operating system.
In step (3), the board hardware device information includes the unique serial number of the encryption chip, the CPU model, the memory capacity and slot positions, the hard disk capacity and serial number (SN), PCIe device information, the network card MAC address, and the MD5SUM of the operating system core file.
In step (3), if the measurement fails and the BIOS prohibits booting the computer, the user is notified by a sound and light alarm, and the alarm log is encrypted and then stored in the SPI Flash of the UEFI BIOS or in the encryption chip. The alarm log contains the failure reason and the time.
Compared with the prior art, the invention has the following beneficial effects:
(1) The scheme is 100% domestically produced: the board hardware, the encryption chip, the firmware and the operating system are all domestic;
(2) The complete trust chain is measured: based on the Feiteng platform UEFI, security measurement covers the whole trust chain from hardware through firmware to the operating system;
(3) Low cost: a domestic MCU is used as the encryption chip and its firmware is developed in-house, which gives a clear cost advantage over existing PCIe security cards; the firmware is the domestic Feiteng UEFI;
(4) High portability: the product can be modularized, and the method is applicable to the UEFI firmware of any domestic Feiteng platform.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for the embodiments are briefly described below. The drawings represent only some embodiments of the invention; those skilled in the art can derive other drawings from them without creative effort.
FIG. 1 is a diagram of the steps of the method of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. The specific embodiments described here only illustrate the invention and are not intended to limit it.
The technical means of the invention are explained below by way of specific examples.
Examples
The invention concerns trusted measurement by the UEFI BIOS of a domestic Feiteng platform, comprising trusted hardware measurement, trusted firmware measurement, and trusted measurement of the operating system core file.
To meet the localization requirement, the invention provides a trusted implementation method based on the UEFI of a domestic platform. The method, based on the Feiteng platform UEFI, realizes security measurement of the whole trust chain from hardware through firmware to the operating system; in this implementation the board hardware, the encryption chip, the firmware and the operating system are all domestically produced. As shown in Figure 1, the method comprises the following steps:
(1) In the power-on stage, the hardware CPLD measures the trusted encryption chip; the mainboard is allowed to power on normally only after the CPLD receives the correct feedback signal from the encryption chip, otherwise the trust measurement fails and the mainboard is prevented from powering on and booting;
(2) After the power-on self-test and before entering the operating system, identity authentication is performed between the encryption chip and the UEFI BIOS, the encryption chip and the UEFI firmware are measured, and booting is prohibited if the measurement fails;
(3) After the encryption chip and the UEFI BIOS handshake successfully, the UEFI BIOS collects the board hardware device information, such as the unique serial number of the encryption chip, the CPU model, the memory capacity and slot positions, the hard disk capacity and SN, PCIe device information, the network card MAC address and the MD5SUM of the operating system core file, and compares this information with the reference values to measure whether the board hardware information or the operating system core file has been changed or tampered with. If the measurement fails, the BIOS prohibits booting the computer, notifies the user with a sound and light alarm, and encrypts and stores an alarm log (failure reason, time and similar information) in the SPI Flash of the UEFI BIOS or in the encryption chip; for reasons of cost and efficiency, storing the reference values and the alarm log in the SPI Flash of the UEFI BIOS is preferred;
(4) If the measurement succeeds, the computer boots normally and loads the operating system.
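The inventory comparison of step (3) and the boot decision of step (4), written out as an added C example; this is not code from the patent or from the assignee's firmware. The struct layout, field names, enum, the sample reference values and the scenario helpers are all this example's own assumptions. It keeps the page's MD5SUM field for the operating system core file, but MD5 collisions are practical, so a deployment should measure that file with SHA-256 or SM3 and widen the field. Note also that where the reference values are kept in the same SPI Flash as the UEFI BIOS (the placement the page prefers), their integrity rests on steps (1) and (2) having protected that flash; the example therefore treats the reference as trusted input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Board inventory collected by the UEFI BIOS in step (3). The field set is the
 * one the page lists; the struct layout and names are this example's own. */
typedef struct {
    char     chip_serial[32];  /* unique serial number of the encryption chip */
    char     cpu_model[32];    /* CPU model string */
    uint32_t mem_mib;          /* memory capacity */
    char     mem_slots[32];    /* populated slot positions, e.g. "DIMM0,DIMM1" */
    uint64_t disk_mib;         /* hard disk capacity */
    char     disk_sn[32];      /* hard disk serial number */
    char     pcie_devs[64];    /* PCIe vendor:device list in bus order */
    char     nic_mac[18];      /* network card MAC address */
    char     os_core_md5[33];  /* hex MD5SUM of the OS core file, as the page
                                * specifies; MD5 collisions are practical, so a
                                * deployment should use SHA-256 or SM3 instead */
} board_inventory_t;

/* MEAS_OK, or the first field that differs from the reference; fields are
 * checked in a fixed order so the logged reason is deterministic. */
typedef enum { MEAS_OK = 0, MEAS_CHIP_SERIAL, MEAS_CPU_MODEL, MEAS_MEMORY,
               MEAS_DISK, MEAS_PCIE, MEAS_NIC_MAC, MEAS_OS_CORE } meas_result_t;

static const char *meas_reason(meas_result_t r)
{
    static const char *const names[] = {
        "ok", "encryption chip serial changed", "CPU model changed",
        "memory capacity or slot position changed", "hard disk capacity or SN changed",
        "PCIe device information changed", "network card MAC address changed",
        "operating system core file digest changed" };
    return ((unsigned)r <= MEAS_OS_CORE) ? names[r] : "unknown";
}

/* Step (3): compare the collected inventory with the stored reference values. */
meas_result_t measure_board(const board_inventory_t *cur, const board_inventory_t *ref)
{
    if (strcmp(cur->chip_serial, ref->chip_serial) != 0) return MEAS_CHIP_SERIAL;
    if (strcmp(cur->cpu_model, ref->cpu_model) != 0)     return MEAS_CPU_MODEL;
    if (cur->mem_mib != ref->mem_mib ||
        strcmp(cur->mem_slots, ref->mem_slots) != 0)     return MEAS_MEMORY;
    if (cur->disk_mib != ref->disk_mib ||
        strcmp(cur->disk_sn, ref->disk_sn) != 0)         return MEAS_DISK;
    if (strcmp(cur->pcie_devs, ref->pcie_devs) != 0)     return MEAS_PCIE;
    if (strcmp(cur->nic_mac, ref->nic_mac) != 0)         return MEAS_NIC_MAC;
    if (strcmp(cur->os_core_md5, ref->os_core_md5) != 0) return MEAS_OS_CORE;
    return MEAS_OK;
}

/* Alarm log record: the page requires the failure reason and the time. */
typedef struct { time_t when; meas_result_t reason; char text[96]; } alarm_log_t;

/* Step (4) decision: 1 = boot the OS; 0 = refuse to boot and fill *log.
 * Sounding the alarm and encrypting the record before it is written to SPI
 * Flash are platform-specific and are not modelled here. */
int boot_decision(const board_inventory_t *cur, const board_inventory_t *ref,
                  time_t now, alarm_log_t *log)
{
    meas_result_t r = measure_board(cur, ref);
    if (r == MEAS_OK)
        return 1;
    log->when = now;
    log->reason = r;
    snprintf(log->text, sizeof log->text, "t=%lld boot refused: %s",
             (long long)now, meas_reason(r));
    return 0;
}

/* Constructed reference values for a sample board (not real device data). */
static const board_inventory_t k_reference = {
    "FWSZ-000123", "FT-sample-CPU", 8192, "DIMM0,DIMM1", 244140, "DISK-SN-0001",
    "1d17:1a0b;1d17:1a0c", "00:11:22:33:44:55", "d41d8cd98f00b204e9800998ecf8427e" };

/* Scenario: board matches its reference, boot is allowed (returns 1). */
int scenario_untouched(void)
{
    alarm_log_t log;
    return boot_decision(&k_reference, &k_reference, (time_t)0, &log);
}

/* Scenario: network card swapped; returns the logged reason (MEAS_NIC_MAC). */
meas_result_t scenario_nic_swapped(alarm_log_t *log_out)
{
    alarm_log_t log = { 0 };
    board_inventory_t cur = k_reference;
    strcpy(cur.nic_mac, "aa:bb:cc:dd:ee:ff");
    (void)boot_decision(&cur, &k_reference, (time_t)1700000000, &log);
    if (log_out) *log_out = log;
    return log.reason;  /* MEAS_OK here would mean the swap went unnoticed */
}

int main(void)
{
    alarm_log_t log;
    printf("untouched board: boot=%d\n", scenario_untouched());
    scenario_nic_swapped(&log);
    printf("%s\n", log.text);
    return 0;
}
```

The comparison is deliberately field by field rather than over a single hash of the whole inventory, so that the alarm log can name the first field that changed, which is what an operator needs when the board refuses to boot; the record it produces is what the BIOS would encrypt and write to SPI Flash before halting.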
The invention is not limited to the above preferred embodiments; any modifications, equivalents and improvements made within the spirit and principles of the invention fall within its scope of protection.

Claims (4)

1. A trusted implementation method based on a domestic-platform UEFI, characterized by comprising the following steps:
(1) In the power-on stage, the hardware CPLD measures the trusted encryption chip; the mainboard is allowed to power on normally only after the CPLD receives the correct feedback signal from the encryption chip, otherwise the trust measurement fails and the mainboard is prevented from powering on and booting;
(2) After the power-on self-test and before entering the operating system, identity authentication is performed between the encryption chip and the UEFI BIOS, the encryption chip and the UEFI firmware are measured, and booting is prohibited if the measurement fails;
(3) After the encryption chip and the UEFI BIOS handshake successfully, the UEFI BIOS collects the board hardware device information and compares it with reference values, thereby measuring whether the board hardware information or the operating system core file has been changed or tampered with;
(4) If the measurement succeeds, the computer boots normally and loads the operating system.
2. The UEFI trusted implementation method based on a domestic platform according to claim 1, characterized in that: in step (3), the board hardware device information includes the unique serial number of the encryption chip, the CPU model, the memory capacity and slot positions, the hard disk capacity and serial number (SN), PCIe device information, the network card MAC address, and the MD5SUM of the operating system core file.
3. The UEFI trusted implementation method based on a domestic platform according to claim 1, characterized in that: in step (3), if the measurement fails and the BIOS prohibits booting the computer, the user is notified by a sound and light alarm, and the alarm log is encrypted and then stored in the SPI Flash of the UEFI BIOS or in the encryption chip.
4. The UEFI trusted implementation method based on a domestic platform according to claim 3, characterized in that: the alarm log contains the failure reason and the time.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111596519.7A CN114519210A (en) 2021-12-24 2021-12-24 UEFI (unified extensible firmware interface) trusted implementation method based on domestic platform


Publications (1)

Publication Number Publication Date
CN114519210A true CN114519210A (en) 2022-05-20

Family

ID=81597568


Country Status (1)

Country Link
CN (1) CN114519210A (en)

Similar Documents

Publication Publication Date Title
US11360784B2 (en) Integrity manifest certificate
TWI277904B (en) Method, recording medium and system for protecting information
CN102663301B (en) Trusted computer and credibility detection method
EP3676742A1 (en) Hardware-enforced firmware security
JP5270377B2 (en) Platform boot with bridge support
CN107665308B (en) TPCM system for building and maintaining trusted operating environment and corresponding method
CN102289622B (en) Trusted startup method based on authentication policy file and hardware information collection
CN104951701B (en) A kind of method of the terminal device booting operating system based on USB controller
US10869176B1 (en) Near field communication (NFC) enhanced computing systems
CN109948310B (en) Locking method and related electronic equipment
CN103530548A (en) Embedded terminal dependable starting method based on mobile dependable computing module
CN116070289A (en) Security chip applied to system firmware and electronic equipment
EP2798428A1 (en) Apparatus and method for managing operation of a mobile device
CN115017517A (en) Chip and checking method
CN110096882B (en) Safety measurement method in equipment operation process
CN109583214B (en) Safety control method
CN111046392A (en) BIOS (basic input output System) credibility measuring method and device and terminal equipment
CN114519210A (en) UEFI (unified extensible firmware interface) trusted implementation method based on domestic platform
CN111597560A (en) Secure trusted module starting method and system
CN114756905B (en) Method and device for realizing mainboard anti-counterfeiting and BIOS protection and control mainboard
CN101452417B (en) Monitor method and monitor device thereof
CN114519211A (en) Credible realization method based on domestic platform uboot
CN112231159B (en) Memory installation position testing method, system, terminal and storage medium
CN114510751A (en) Hardware replacement prevention device and method based on processor security kernel
CN115062290A (en) Component authentication method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination