CN114519211A - Credible realization method based on domestic platform uboot - Google Patents


Info

Publication number
CN114519211A
Authority
CN
China
Prior art keywords
uboot
encryption chip
hardware
operating system
information
Prior art date
Legal status
Pending
Application number
CN202111596526.7A
Other languages
Chinese (zh)
Inventor
吴昌
Current Assignee
Fengwei Firmware Shenzhen Co ltd
Original Assignee
Fengwei Firmware Shenzhen Co ltd
Priority date
2021-12-24
Filing date
2021-12-24
Publication date
2022-05-20
Application CN202111596526.7A filed by Fengwei Firmware Shenzhen Co ltd; published as CN114519211A; legal status: pending.

Classifications

    • G06F21/72 (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer > G06F21/71 ... to assure secure computing or processing of information): in cryptographic circuits
    • G06F21/44 (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals): Program or device authentication
    • G06F21/73 (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer > G06F21/71 ... to assure secure computing or processing of information): by creating or determining hardware identification, e.g. serial numbers

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a trusted implementation method based on a domestic platform uboot, comprising the following steps: in the power-on stage, the hardware CPLD measures the trusted encryption chip; only after the CPLD receives the correct feedback signal from the encryption chip is the mainboard allowed to power on normally, otherwise the trust measurement fails and the mainboard is prevented from powering on and booting; after the power-on self-test and before the operating system is entered, the encryption chip and uboot mutually authenticate their identities, the encryption chip and the uboot firmware are measured, and booting is prohibited if the measurement fails; after the handshake between the encryption chip and uboot succeeds, uboot collects the hardware device information of the board and compares it with reference values, thereby measuring whether the board hardware information or the operating system core files have been changed or tampered with; if the measurement succeeds, the computer boots normally and loads the operating system. The method meets the requirement for domestic components and realizes security measurement of the whole trust chain, from hardware through firmware to the operating system, on the basis of the Feiteng (Phytium) platform uboot.

Description

Trusted implementation method based on domestic platform uboot
Technical Field
The invention relates to a trust measurement method, and in particular to a trusted implementation method based on a domestic platform uboot.
Background
Existing trust measurement methods generally use a PCIE security card to measure certain data in the BIOS. This approach has a high hardware cost on the one hand and an incomplete measurement on the other: it only binds the BIOS to the security card to achieve a trusted secure boot, and does not measure the whole trust chain from hardware, through firmware, to the operating system.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provide a trusted implementation method based on a domestic platform uboot that meets the requirement for domestic components.
The technical scheme of the invention is as follows:
A trusted implementation method based on a domestic platform uboot comprises the following steps:
(1) in the power-on stage, the hardware CPLD measures the trusted encryption chip; only after the CPLD receives the correct feedback signal from the encryption chip is the mainboard allowed to power on normally, otherwise the trust measurement fails and the mainboard is prevented from powering on and booting;
(2) after the power-on self-test and before the operating system is entered, the encryption chip and uboot mutually authenticate their identities, the encryption chip and the uboot firmware are measured, and booting is prohibited if the measurement fails;
(3) after the handshake between the encryption chip and uboot succeeds, uboot collects the hardware device information of the board and compares it with reference values, thereby measuring whether the board hardware information or the operating system core files have been changed or tampered with;
(4) if the measurement succeeds, the computer boots normally and loads the operating system.
In step (3), the board hardware device information includes the unique serial number of the encryption chip, the CPU model, the memory capacity and slot positions, the hard disk capacity and serial number (SN), PCIE device information, the network card MAC addresses, and the MD5 checksum (md5sum) of the operating system core files.
In step (3), if the uboot measurement fails and the computer is prevented from booting, an audible and visual alarm notifies the user, and an alarm log is encrypted and stored in the SPI Flash of uboot or of the encryption chip. The alarm log records the reason for the failure and the time.
Compared with the prior art, the invention has the following beneficial effects:
(1) a 100% domestic scheme: the board hardware, the encryption chip, the firmware and the operating system are all domestically produced;
(2) measurement of the complete trust chain: security measurement of the whole trust chain, from hardware through firmware to the operating system, is realized on the basis of the Feiteng platform uboot;
(3) low cost: a domestic MCU is used as the encryption chip, with independently developed encryption-chip firmware, which has a clear cost advantage over the existing PCIE security card, and the domestic Feiteng uboot is used as the firmware;
(4) high portability: the method can be productized as a module and applies to any domestic Feiteng platform uboot firmware.
Drawings
To illustrate the technical solutions in the embodiments of the invention more clearly, the drawings needed for the embodiments or for the description of the prior art are briefly described below. The drawings described below show only some embodiments of the invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a diagram of the steps of the method of the invention.
Detailed Description
To make the objects, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here merely illustrate the invention and are not intended to limit it.
To explain the technical means of the invention, the following description is given by way of specific examples.
Examples
The invention relates to uboot trust measurement on a fully domestic Feiteng platform, comprising trusted hardware measurement, trusted firmware measurement and trusted measurement of the operating system core files.
To meet the requirement for domestic components, the invention provides a trusted implementation method based on a domestic platform uboot. It realizes security measurement of the whole trust chain, from hardware through firmware to the operating system, on the basis of the Feiteng platform uboot, and in this implementation the board hardware, the encryption chip, the firmware and the operating system are all domestically produced. As shown in FIG. 1, the method comprises the following steps:
(1) in the power-on stage, the hardware CPLD measures the trusted encryption chip; only after the CPLD receives the correct feedback signal from the encryption chip is the mainboard allowed to power on normally, otherwise the trust measurement fails and the mainboard is prevented from powering on and booting;
(2) after the power-on self-test and before the operating system is entered, the encryption chip and uboot mutually authenticate their identities, the encryption chip and the uboot firmware are measured, and booting is prohibited if the measurement fails;
(3) after the handshake between the encryption chip and uboot succeeds, uboot collects the hardware device information of the board, such as the unique serial number of the encryption chip, the CPU model, the memory capacity and slot positions, the hard disk capacity and serial number (SN), PCIE device information, the network card MAC addresses and the MD5 checksum of the operating system core files, and compares this information with the reference values, thereby measuring whether the board hardware information or the operating system core files have been changed or tampered with. If the uboot measurement fails, the computer is prevented from booting, an audible and visual alarm notifies the user, and an alarm log (containing the reason for the failure, the time and similar information) is encrypted and stored in the SPI Flash of uboot or of the encryption chip; in view of cost and efficiency, the reference values and the log are preferably stored in the SPI Flash of uboot;
(4) if the measurement succeeds, the computer boots normally and loads the operating system.
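The following is an added example that models the uboot-side part of the chain, steps (2) to (4), in Python; it is not code from the patent or from Fengwei Firmware, where this logic would live in uboot's C sources. The patent does not specify how the encryption chip and uboot authenticate each other or how the reference values are protected, so the example assumes a shared secret and HMAC-SHA256 challenge-response for the handshake, and assumes the reference manifest in SPI Flash carries an HMAC tag from the encryption chip, so that rewriting the flash alone cannot substitute new reference values. It computes the MD5 checksum the patent names and, because MD5 collisions are practical, a SHA-256 digest alongside it. The board inventory and kernel image are constructed sample data; the encryption of the alarm log is not modelled.

```python
"""Model of uboot-side trust measurement (handshake, inventory, reference compare).
Added example; the EncryptionChip interface and the HMAC scheme are assumptions."""
from __future__ import annotations
import hashlib
import hmac
import json
import os
import time

TAG_UBOOT_TO_CHIP = b"uboot->chip"
TAG_CHIP_TO_UBOOT = b"chip->uboot"


class EncryptionChip:
    """Stand-in for the MCU-based encryption chip (hypothetical interface)."""

    def __init__(self, secret: bytes, serial: str):
        self._secret = secret
        self.serial = serial
        self._nonce = b""

    def challenge(self) -> bytes:
        self._nonce = os.urandom(16)
        return self._nonce

    def verify_response(self, response: bytes) -> bool:
        expected = hmac.new(self._secret, TAG_UBOOT_TO_CHIP + self._nonce, hashlib.sha256).digest()
        self._nonce = b""  # one response per challenge
        return hmac.compare_digest(expected, response)

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._secret, TAG_CHIP_TO_UBOOT + nonce, hashlib.sha256).digest()

    def seal(self, data: bytes) -> bytes:
        """Tag the reference manifest so uboot can detect a swapped manifest."""
        return hmac.new(self._secret, data, hashlib.sha256).digest()


def handshake(chip: EncryptionChip, uboot_secret: bytes) -> bool:
    """Step (2): mutual identity authentication, each side proves the shared secret."""
    nonce = chip.challenge()
    resp = hmac.new(uboot_secret, TAG_UBOOT_TO_CHIP + nonce, hashlib.sha256).digest()
    if not chip.verify_response(resp):
        return False
    nonce = os.urandom(16)
    expected = hmac.new(uboot_secret, TAG_CHIP_TO_UBOOT + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, chip.respond(nonce))


def collect_inventory(chip: EncryptionChip, probe: dict, kernel_image: bytes) -> dict:
    """Step (3) inventory; `probe` stands in for uboot's device enumeration."""
    inv = {"chip_serial": chip.serial, **probe}
    inv["kernel_md5"] = hashlib.md5(kernel_image).hexdigest()        # as named in the patent
    inv["kernel_sha256"] = hashlib.sha256(kernel_image).hexdigest()  # collision-resistant
    return inv


def make_reference(chip: EncryptionChip, inventory: dict) -> tuple[bytes, bytes]:
    blob = json.dumps(inventory, sort_keys=True).encode()
    return blob, chip.seal(blob)


def load_reference(chip: EncryptionChip, blob: bytes, tag: bytes) -> dict | None:
    if not hmac.compare_digest(chip.seal(blob), tag):
        return None
    return json.loads(blob)


def measure(inventory: dict, reference: dict) -> list[str]:
    """Reference fields whose current value differs (empty list means pass)."""
    return [k for k in sorted(reference) if inventory.get(k) != reference[k]]


def alarm_log(reason: str, now: float | None = None) -> dict:
    """Failure reason and time, the two items the patent's alarm log records."""
    t = time.time() if now is None else now
    return {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(t)), "reason": reason}


def boot(chip, uboot_secret, ref_blob, ref_tag, probe, kernel_image):
    """Steps (2)-(4): returns (boot_allowed, alarm_log_or_None)."""
    if not handshake(chip, uboot_secret):
        return False, alarm_log("handshake with encryption chip failed")
    reference = load_reference(chip, ref_blob, ref_tag)
    if reference is None:
        return False, alarm_log("reference manifest tag invalid")
    mismatched = measure(collect_inventory(chip, probe, kernel_image), reference)
    if mismatched:
        return False, alarm_log("measurement mismatch: " + ", ".join(mismatched))
    return True, None


# Constructed sample board; none of this is real hardware data.
SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
CHIP = EncryptionChip(SECRET, "FW-000001")
PROBE = {"cpu": "FT-2000/4", "mem": "16GB@DIMM0", "disk": "512GB SN1234",
         "pcie": ["0000:01:00.0"], "mac": ["02:00:00:00:00:01"]}
KERNEL = b"\x7fELF-constructed-kernel-image"
REF_BLOB, REF_TAG = make_reference(CHIP, collect_inventory(CHIP, PROBE, KERNEL))

if __name__ == "__main__":
    print(boot(CHIP, SECRET, REF_BLOB, REF_TAG, PROBE, KERNEL))
    print(boot(CHIP, SECRET, REF_BLOB, REF_TAG, PROBE, KERNEL + b"\x00"))
```

Running the block boots the sample board once with the recorded inventory and once with a one-byte change to the kernel image; the second run is refused with an alarm log naming the digest fields that differ. Because the manifest tag is checked before any comparison, an attacker who can only rewrite the uboot SPI Flash (where the patent prefers to keep the reference values) cannot make a modified board or kernel pass by also rewriting the reference values, which is the property the shared-secret assumption buys.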
The invention is not limited to the preferred embodiments above; any modifications, equivalent substitutions and improvements made within the spirit and principle of the invention fall within its scope of protection.

Claims (4)

1. A trusted implementation method based on a domestic platform uboot, characterized by comprising the following steps:
(1) in the power-on stage, the hardware CPLD measures the trusted encryption chip; only after the CPLD receives the correct feedback signal from the encryption chip is the mainboard allowed to power on normally, otherwise the trust measurement fails and the mainboard is prevented from powering on and booting;
(2) after the power-on self-test and before the operating system is entered, the encryption chip and uboot mutually authenticate their identities, the encryption chip and the uboot firmware are measured, and booting is prohibited if the measurement fails;
(3) after the handshake between the encryption chip and uboot succeeds, uboot collects the hardware device information of the board and compares it with reference values, thereby measuring whether the board hardware information or the operating system core files have been changed or tampered with;
(4) if the measurement succeeds, the computer boots normally and loads the operating system.
2. The trusted implementation method based on a domestic platform uboot according to claim 1, wherein in step (3) the board hardware device information includes the unique serial number of the encryption chip, the CPU model, the memory capacity and slot positions, the hard disk capacity and serial number (SN), PCIE device information, the network card MAC addresses, and the MD5 checksum of the operating system core files.
3. The trusted implementation method based on a domestic platform uboot according to claim 1, wherein in step (3), if the uboot measurement fails and the computer is prevented from booting, an audible and visual alarm notifies the user, and an alarm log is encrypted and stored in the SPI Flash of uboot or of the encryption chip.
4. The trusted implementation method based on a domestic platform uboot according to claim 3, wherein the alarm log records the reason for the failure and the time.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111596526.7A CN114519211A (en) 2021-12-24 2021-12-24 Credible realization method based on domestic platform uboot


Publications (1)

Publication Number Publication Date
CN114519211A (en) 2022-05-20

Family

ID=81596944

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111596526.7A Pending CN114519211A (en) 2021-12-24 2021-12-24 Credible realization method based on domestic platform uboot

Country Status (1)

Country Link
CN (1) CN114519211A (en)

Similar Documents

Publication Publication Date Title
US11861372B2 (en) Integrity manifest certificate
CN100454324C (en) Embed type platform guiding of credible mechanism
CN102663301B (en) Trusted computer and credibility detection method
JP5270377B2 (en) Platform boot with bridge support
CN103080904B (en) Multistage lock-step integrity report mechanism is provided
CN107665308B (en) TPCM system for building and maintaining trusted operating environment and corresponding method
CN104951701B (en) A kind of method of the terminal device booting operating system based on USB controller
TW200414051A (en) Encapsulation of a TCPA trusted platform module functionality within a server management coprocessor subsystem
CN109948310B (en) Locking method and related electronic equipment
CN103530548A (en) Embedded terminal dependable starting method based on mobile dependable computing module
CN111125707A (en) BMC (baseboard management controller) safe starting method, system and equipment based on trusted password module
CN116070289A (en) Security chip applied to system firmware and electronic equipment
CN117992311B (en) Server and hard disk monitoring method, device, equipment and medium thereof
CN110096882B (en) Safety measurement method in equipment operation process
CN108197455B (en) Electronic device and safe starting method thereof
CN114756905B (en) Method and device for realizing mainboard anti-counterfeiting and BIOS protection and control mainboard
CN114519211A (en) Credible realization method based on domestic platform uboot
CN111597560A (en) Secure trusted module starting method and system
CN103795905A (en) Trusted starting method of web camera
CN114519210A (en) UEFI (unified extensible firmware interface) trusted implementation method based on domestic platform
CN111723379B (en) Trusted protection method, system, equipment and storage medium for trusted platform area intelligent terminal
CN114780152A (en) Computing equipment starting method and device
CN115062290A (en) Component authentication method and device
CN114510751A (en) Hardware replacement prevention device and method based on processor security kernel
CN118427147B (en) Secure starting method of server motherboard based on eISPI and related equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination