CN114579983B - Method and device for acquiring trusted information and trusted server - Google Patents


Publication number: CN114579983B
Authority: CN (China)
Prior art keywords: trusted, band, band system, information, service port
Legal status: Active
Application number: CN202210443827.4A
Other languages: Chinese (zh)
Other versions: CN114579983A
Inventor: 蔡恒
Current assignee: Alibaba China Co Ltd; Alibaba Cloud Computing Ltd
Original assignee: Alibaba China Co Ltd; Alibaba Cloud Computing Ltd
Application filed by Alibaba China Co Ltd and Alibaba Cloud Computing Ltd; priority to CN202210443827.4A; publication of CN114579983A; application granted; publication of CN114579983B.


Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
            • G06F21/60 Protecting data
              • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
            • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
              • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information

Abstract

An embodiment of the present specification provides a method, an apparatus, and a trusted server for obtaining trusted information. The method is applied to a trusted server that includes an in-band system, an out-of-band system, and a trusted computing cryptographic module; the module has at least two trusted service ports, a first trusted service port interfaced with the in-band system and a second trusted service port interfaced with the out-of-band system. The method includes: receiving an attestation request; the in-band system acquiring, through the first trusted service port, the out-of-band trusted information recorded by the trusted computing cryptographic module; or the out-of-band system acquiring, through the second trusted service port, the in-band trusted information recorded by the trusted computing cryptographic module.

Description

Method and device for acquiring trusted information and trusted server
Technical Field
The embodiments of the present specification relate to the field of computer technology, and in particular to a method and an apparatus for acquiring trusted information and to a trusted server.
Background
A trusted server is a data storage and processing platform built by integrating trusted services on top of a trusted computing cryptographic module, and it provides those trusted services externally through the platform. In existing trusted servers the trusted computing cryptographic module has only one interface, which connects to the CPU. For example, during trusted server boot, the server's host CPU may extend the measurement values of the server's in-band system into the trusted computing cryptographic module. After the server has started, a trusted agent deployed on the server's host CPU provides an attestation of the platform's in-band system to an external challenger, proving that the platform's boot process matched expectations, that no abnormal behaviour such as firmware tampering or boot-flow tampering occurred, and that the platform is operating in a trusted state.
However, because the trusted agent on the server's host CPU only supports an in-band attestation process, on one hand the user has to deploy an attestation client on the platform to connect to the remote attestation platform, which makes the scheme hard to deploy, and on the other hand it is difficult to satisfy external challengers' demand for diverse trusted information.
Disclosure of Invention
In view of this, the present specification provides a method for acquiring trusted information. One or more embodiments of the present specification also relate to an apparatus for acquiring trusted information, a trusted server, a computing device, a computer-readable storage medium and a computer program, so as to address the technical deficiencies of the prior art.
According to a first aspect of the embodiments of the present specification, a method for acquiring trusted information is provided. It is applied to a trusted server that includes an in-band system, an out-of-band system, and a trusted computing cryptographic module, where the module includes at least two trusted service ports, a first trusted service port interfaced with the in-band system and a second trusted service port interfaced with the out-of-band system. The method includes: receiving an attestation request; and, according to the attestation request, either the in-band system acquiring, through the first trusted service port, the out-of-band trusted information recorded by the trusted computing cryptographic module, where the out-of-band trusted information is the trusted information of the out-of-band system, or the out-of-band system acquiring, through the second trusted service port, the in-band trusted information recorded by the trusted computing cryptographic module, where the in-band trusted information is the trusted information of the in-band system.
Optionally, receiving the attestation request includes receiving it through a first remote attestation client interface that the in-band system provides externally; the method further includes sending the out-of-band trusted information to the requesting end of the attestation request through the first remote attestation client interface.
Optionally, receiving the attestation request includes receiving it through a second remote attestation client interface that the out-of-band system provides externally; the method further includes sending the in-band trusted information to the requesting end of the attestation request through the second remote attestation client interface.
Optionally, the in-band system acquiring the out-of-band trusted information recorded by the trusted computing cryptographic module through the first trusted service port includes: the in-band system obtaining the temporary challenge random number (nonce) carried by the attestation request; the in-band system sending an out-of-band information acquisition request carrying the nonce to the trusted computing cryptographic module through the first trusted service port; and the in-band system receiving, through the first trusted service port, the out-of-band trusted information and the nonce as signed by the trusted computing cryptographic module. The out-of-band system acquiring the in-band trusted information recorded by the trusted computing cryptographic module through the second trusted service port includes: the out-of-band system obtaining the nonce carried by the attestation request; the out-of-band system sending an in-band information acquisition request carrying the nonce to the trusted computing cryptographic module through the second trusted service port; and the out-of-band system receiving, through the second trusted service port, the in-band trusted information and the nonce as signed by the trusted computing cryptographic module.
Optionally, the method further includes: the in-band system acquiring, through the first trusted service port, the in-band trusted information recorded by the trusted computing cryptographic module; or the out-of-band system acquiring, through the second trusted service port, the out-of-band trusted information recorded by the trusted computing cryptographic module.
Optionally, the in-band trusted information is the boot measurement information of the in-band system; during boot, the in-band system performs measurement computation using its root of trust for measurement to obtain measurement values and extends those values into the trusted computing cryptographic module so that the boot measurement information is recorded; and the trusted computing cryptographic module records the boot measurement information of the in-band system.
Optionally, the out-of-band trusted information is the boot measurement information of the out-of-band system; during boot, the out-of-band system performs measurement computation using its root of trust for measurement to obtain measurement values and extends those values into the trusted computing cryptographic module so that the boot measurement information is recorded; and the trusted computing cryptographic module records the boot measurement information of the out-of-band system.
Optionally, the method further includes: obtaining the sequence of in-band system measurement values from the in-band measurement log; correspondingly, sending that sequence to the requesting end of the attestation request, so that the requesting end derives the in-band measurement data to be verified from the sequence and verifies it against the boot measurement information of the in-band system. Alternatively, the method further includes: obtaining the sequence of out-of-band system measurement values from the out-of-band measurement log; correspondingly, sending that sequence to the requesting end of the attestation request, so that the requesting end derives the out-of-band measurement data to be verified from the sequence and verifies it against the boot measurement information of the out-of-band system.
According to a second aspect of the embodiments of the present specification, an apparatus for acquiring trusted information is provided, configured in a trusted server that includes an in-band system, an out-of-band system and a trusted computing cryptographic module, where the module includes at least two trusted service ports, a first trusted service port interfaced with the in-band system and a second trusted service port interfaced with the out-of-band system. The apparatus includes a receiving module configured to receive an attestation request, and an information acquisition module configured to, according to the attestation request, either have the in-band system acquire through the first trusted service port the out-of-band trusted information recorded by the trusted computing cryptographic module, where the out-of-band trusted information is the trusted information of the out-of-band system, or have the out-of-band system acquire through the second trusted service port the in-band trusted information recorded by the trusted computing cryptographic module, where the in-band trusted information is the trusted information of the in-band system.
According to a third aspect of the embodiments of the present specification, a trusted server is provided that includes an in-band system, an out-of-band system and a trusted computing cryptographic module, where the module includes at least two trusted service ports, a first trusted service port interfaced with the in-band system and a second trusted service port interfaced with the out-of-band system, and where the in-band system or the out-of-band system is provided with a trusted information acquisition unit. The trusted information acquisition unit is configured to receive an attestation request and, according to it, either have the in-band system acquire through the first trusted service port the out-of-band trusted information recorded by the trusted computing cryptographic module, where the out-of-band trusted information is the trusted information of the out-of-band system, or have the out-of-band system acquire through the second trusted service port the in-band trusted information recorded by the trusted computing cryptographic module, where the in-band trusted information is the trusted information of the in-band system.
According to a fourth aspect of the embodiments of the present specification, a computing device is provided that includes a memory and a processor; the memory is configured to store computer-executable instructions, the processor is configured to execute them, and the instructions, when executed by the processor, implement the steps of the above method for acquiring trusted information.
According to a fifth aspect of the embodiments of the present specification, a computer-readable storage medium is provided that stores computer-executable instructions which, when executed by a processor, implement the steps of the above method for acquiring trusted information.
According to a sixth aspect of the embodiments of the present specification, a computer program is provided which, when executed in a computer, causes the computer to perform the steps of the above method for acquiring trusted information.
One embodiment of the present specification provides a method for acquiring trusted information that is applied to a trusted server including an in-band system, an out-of-band system and a trusted computing cryptographic module, where the module includes at least two trusted service ports, a first trusted service port interfaced with the in-band system and a second trusted service port interfaced with the out-of-band system. After receiving an attestation request, the method can therefore acquire, in the in-band system through the first trusted service port, the out-of-band trusted information recorded by the module, or acquire, in the out-of-band system through the second trusted service port, the in-band trusted information signed by the module. On one hand this realises attestation of in-band information through the out-of-band interface, avoids being limited to an in-band attestation flow, and improves deployability; on the other hand it realises attestation of out-of-band information through the in-band interface, so that the in-band side can also cover the out-of-band trusted information, more complete trusted information is reported to external challengers, and platform trust is ensured.
Drawings
FIG. 1 is a flowchart of a method for obtaining trusted information according to one embodiment of the present specification;
FIG. 2 is a flowchart of a method for obtaining trusted information according to another embodiment of the present specification;
FIG. 3 is a flowchart of a method for obtaining trusted information according to yet another embodiment of the present specification;
FIG. 4 is a flowchart of a method for obtaining trusted information according to yet another embodiment of the present specification;
FIG. 5 is a schematic structural diagram of a trusted computing cryptographic module (TPM/TCM) according to an embodiment of the present specification;
FIG. 6 is a schematic diagram of a BMC boot measurement process according to an embodiment of the present specification;
FIG. 7 is a flow diagram of BIOS boot measurement according to one embodiment of the present specification;
FIG. 8 is a flowchart of a method for obtaining trusted information applied to an out-of-band system (BMC) according to an embodiment of the present specification;
FIG. 9 is a schematic structural diagram of an apparatus for acquiring trusted information according to an embodiment of the present specification;
FIG. 10 is a block diagram of a trusted server according to an embodiment of the present specification;
FIG. 11 is a block diagram of a computing device according to an embodiment of the present specification.
Detailed Description
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present description. This description may be implemented in many ways other than those specifically set forth herein, and those skilled in the art will appreciate that the present description is susceptible to similar generalizations without departing from the scope of the description, and thus is not limited to the specific implementations disclosed below.
The terminology used in the description of the one or more embodiments is for the purpose of describing the particular embodiments only and is not intended to be limiting of the description of the one or more embodiments. As used in one or more embodiments of the present specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used in one or more embodiments of the present specification refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It will be understood that, although the terms first, second, etc. may be used in one or more embodiments herein to describe various information, that information should not be limited by these terms. These terms are only used to distinguish one kind of information from another. For example, a first can be termed a second and, similarly, a second can be termed a first without departing from the scope of one or more embodiments of the present specification. The word "if" as used herein may be interpreted as "at the time of …", "when …" or "in response to determining", depending on the context.
First, the terms used in one or more embodiments of the present specification are explained.
TCG (Trusted Computing Group): the international trusted computing standards body.
Trusted computing (Trusted Computing): a technology developed and promoted by the TCG, in which a trusted computing platform built on a hardware security module is used in computing and communication systems to improve their overall security. With trusted computing, the computer is meant to operate consistently in the intended manner, and that behaviour is guaranteed jointly by the computer's hardware and software, using a hardware security module that the rest of the system cannot access directly.
Trusted computing cryptographic module TPM (Trusted Platform Module): an international standard for a secure cryptoprocessor, written by the TCG, that protects the hardware by integrating cryptographic keys into the device through a dedicated microcontroller. A TPM security chip is a security chip conforming to the TPM standard; it is generally bound physically to a computing platform, so that the PC can be protected effectively and unauthorised users can be prevented from accessing the chip.
Trusted computing cryptographic module TCM (Trusted Cryptography Module): a hardware module of a trusted computing platform that provides cryptographic operations for the platform and has a protected storage space. It was developed in China and is the counterpart of the TPM.
Platform Configuration Registers (PCR): a non-persistent secure storage space provided by a trusted security chip. PCRs hold the measurement extension values, are used to attest the platform's integrity to the outside, and can be used to prove the integrity of the measurement log.
Stored Measurement Log (SML): the SML records the sequence of digest values that the TPM/TCM has extended into the corresponding PCRs. To verify the integrity of the measurement events, the contents of the SML are replayed in order to recompute the PCR values, which are then compared with the values held in the TPM/TCM; whether they are equal determines whether integrity has been altered. The SML may be relatively large and is therefore not stored inside the TPM/TCM; its integrity is protected by the PCR values in the TPM/TCM.
Challenger: an entity that verifies the platform's configuration.
In-band system: a system in which network management and control information is transmitted over the same logical channel as the user's service traffic. In the trusted server scenario it may refer to the management path on the CPU side, which shares its logical channel with the user network's service traffic.
Out-of-band system: a system in which network management and control information is transmitted over a logical channel different from the one carrying the user's service traffic. In the trusted server scenario it may refer to the management path on the BMC (Baseboard Management Controller) side, which uses a logical channel separate from the one that carries the user network's service traffic.
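The SML replay just described (and the "sequence of measurement values" verification in the summary of the first aspect), as an added Python example that is not part of the patent: a parser for a constructed line-oriented log format, the order-sensitive PCR replay, the comparison against the PCR values read from the module, and the manipulated logs a verifier has to reject. The log format, the function names, the simulated module and the stand-in digests are all assumptions made here.

```python
import hashlib

DIGEST_LEN = 32
RESET_PCR = b"\x00" * DIGEST_LEN


def _hex_digest(data):
    return hashlib.sha256(data).hexdigest()


# Constructed sample SML in an assumed line format "<pcr> <sha256 hex> <what was measured>".
# The digests are of stand-in strings; a real log carries digests of firmware/software images.
SAMPLE_SML = "\n".join([
    f"0 {_hex_digest(b'bmc-bootloader')} bmc bootloader",
    f"0 {_hex_digest(b'bmc-kernel')} bmc kernel",
    f"1 {_hex_digest(b'bmc-rootfs')} bmc root filesystem",
    f"2 {_hex_digest(b'bmc-config')} bmc configuration",
])


def extend(pcr, digest):
    """TPM-style extend: PCR_new = H(PCR_old || digest). Order-sensitive by construction."""
    return hashlib.sha256(pcr + digest).digest()


def parse_sml(text):
    """Parse the log into (pcr_index, digest, description) events. Malformed lines are
    rejected rather than skipped: a silently dropped event would hide an extend."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: expected '<pcr> <digest> [description]'")
        try:
            idx, digest = int(parts[0]), bytes.fromhex(parts[1])
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if not 0 <= idx < 24 or len(digest) != DIGEST_LEN:
            raise ValueError(f"line {lineno}: bad PCR index or digest length")
        events.append((idx, digest, parts[2] if len(parts) == 3 else ""))
    return events


def replay_sml(events):
    """Recompute every PCR touched by the log, starting from the reset value."""
    pcrs = {}
    for idx, digest, _ in events:
        pcrs[idx] = extend(pcrs.get(idx, RESET_PCR), digest)
    return pcrs


def verify_sml(text, reported_pcrs):
    """Replay the log and compare with the PCR values read from the module.
    Returns (ok, sorted list of PCR indices whose replayed value differs)."""
    replayed = replay_sml(parse_sml(text))
    indices = set(replayed) | set(reported_pcrs)
    bad = sorted(i for i in indices if replayed.get(i) != reported_pcrs.get(i))
    return not bad, bad


def run_checks():
    """Constructed cases: the PCRs of a simulated module that honestly extended SAMPLE_SML,
    checked against the honest log and against four manipulated copies of it."""
    module_pcrs = replay_sml(parse_sml(SAMPLE_SML))  # what the module would hold
    lines = SAMPLE_SML.splitlines()
    kernel_swapped = f"0 {_hex_digest(b'bmc-kernel-modified')} bmc kernel"
    text_only_edit = f"0 {_hex_digest(b'bmc-kernel')} bmc kernel (signed build)"
    return {
        "honest": verify_sml(SAMPLE_SML, module_pcrs),
        "edited_digest": verify_sml("\n".join([lines[0], kernel_swapped] + lines[2:]), module_pcrs),
        "reordered": verify_sml("\n".join([lines[1], lines[0]] + lines[2:]), module_pcrs),
        "truncated": verify_sml("\n".join(lines[:3]), module_pcrs),
        # Passes: free-text descriptions are not extended, so only the digests are protected.
        # A verifier must therefore compare the digests themselves against reference values.
        "edited_text_only": verify_sml("\n".join([lines[0], text_only_edit] + lines[2:]), module_pcrs),
    }
```

The replay establishes that the log is the one the module saw, nothing more: the last case shows that the descriptive text beside each digest is unprotected, so the challenger's actual decision comes from comparing the digests (or the replayed PCRs) against known-good boot measurement information, which is the comparison the page describes for the requesting end.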
Existing TPM/TCM chips provide only one external service port, such as LPC, SPI or I2C, which connects directly to a target device (such as the BMC or the CPU). One possible way of using a TPM/TCM in this setting is as follows: with the TPM/TCM as the root of trust, when the target chip (such as the BMC or CPU) connected to it boots, the root of trust in the target chip/firmware measures the firmware that will be loaded and executed in the next stage, and the measurement information is extended step by step into the PCRs of the TPM/TCM as a trusted record, so that the chain of trust is finally carried from the root of trust to the operating system kernel. After the system has started, a trusted agent component (remote attestation client) is deployed in the target chip's operating system to communicate with a remote challenger, respond to its challenge requests, and invoke the TPM/TCM to provide attestation to the outside. Because an existing TPM/TCM chip exposes only one service port, a trusted server can be built in one of two ways: either the BMC is not connected to a TPM and only the CPU is, so that only trusted boot and attestation of the CPU are provided; or the CPU and the BMC are each independently connected to their own TPM. In the first case the BMC does not support trusted boot, and in both cases the CPU's platform attestation depends on the in-band management path. In a public-cloud bare-metal scenario this creates a dependency on the user, namely that the user has to deploy an attestation client on their platform to connect to the remote attestation platform, so the scheme is hard to deploy.
Therefore, on one hand, because the existing trusted computing cryptographic module provides only one service port, in a trusted server scenario providing platform attestation on the CPU side inevitably requires an agent component to be deployed on the CPU-side system and an in-band attestation flow to be followed. On the other hand, the BMC, as the server's out-of-band system, has trust requirements of its own.
In view of the above, this specification provides a method for acquiring trusted information, and also relates to an apparatus for acquiring trusted information, a trusted server, a computing device and a computer-readable storage medium, which are described in detail in the following embodiments one by one.
Specifically, the method for acquiring trusted information provided in the embodiments of the present specification may be applied to a trusted server that includes an in-band system, an out-of-band system and a trusted computing cryptographic module, where the module includes at least two trusted service ports, a first trusted service port interfaced with the in-band system and a second trusted service port interfaced with the out-of-band system. Because the module has these two ports, it can be configured to record the in-band trusted information of the in-band system and/or the out-of-band trusted information of the out-of-band system. Correspondingly, with the method provided here, the out-of-band trusted information recorded by the module can be acquired by the in-band system through the first trusted service port, or the in-band trusted information recorded by the module can be acquired by the out-of-band system through the second trusted service port. The out-of-band and in-band trust requirements are thereby both met at the physical level through the multiple trusted service ports.
Specifically, FIG. 1 shows a flowchart of a method for obtaining trusted information according to an embodiment of the present specification. The method may include the following steps.
Step 102: an attestation request is received through an interface of the out-of-band system.
It should be noted that the method provided in this embodiment may be applied to an in-band system and may also be applied to an out-of-band system. When applied to an out-of-band system, the out-of-band system may provide an out-of-band interface externally, and that interface receives the attestation request, so that step 104 can then be performed to attest the in-band trusted information through the out-of-band interface.
The attestation request can be understood as a request issued by an entity that needs to verify the platform configuration, i.e. a challenger. For example, the attestation request may carry a challenge random number (nonce) generated by the challenger. The challenger places the nonce in the remote attestation request and sends the request to the in-band interface or the out-of-band interface of the trusted server.
Step 104: according to the attestation request, the out-of-band system acquires, through the second trusted service port, the in-band trusted information recorded by the trusted computing cryptographic module.
The in-band trusted information is the trusted information of the in-band system. It can be understood as the measurement information of the in-band system that the trusted computing cryptographic module records after the in-band system has used its root of trust for measurement to measure any measurement object, such as firmware, software or files, and has extended the resulting measurement values into the module.
According to the embodiment shown in FIG. 1, the in-band trusted information can be queried through the out-of-band interface in order to verify in-band trust. For example, when verifying the in-band trusted information through the out-of-band interface, the challenger may send a remote attestation request through the remote attestation client interface provided by the out-of-band system, which is the out-of-band interface, so as to obtain the in-band trusted information. Thus, in this embodiment, the method may be applied to an out-of-band system, and the step of receiving an attestation request may include: receiving the attestation request through the second remote attestation client interface that the out-of-band system provides externally.
Correspondingly, according to the flow shown in FIG. 1, the method may further include:
sending the in-band trusted information to the requesting end of the attestation request through the second remote attestation client interface.
With this embodiment, attestation of the trusted server's platform firmware or software can follow an out-of-band attestation flow, and therefore does not rely on a trusted agent being deployed in the in-band system. Accordingly, the challenger can also be deployed in the data center's management network, isolated from the data network.
Referring to fig. 2, fig. 2 is a flowchart illustrating a method for obtaining trusted information according to another embodiment of the present disclosure. The method may specifically comprise the following steps.
Step 202: an attestation request is received through an interface of the in-band system.
When the method is applied to the in-band system, the in-band system provides an in-band interface externally, and this in-band interface receives the attestation request, so that step 204 can then be performed to attest the out-of-band trusted information on the basis of the in-band interface.
Step 204: according to the attestation request, the in-band system acquires, through the first trusted service port, the out-of-band trusted information recorded by the trusted computing cryptographic module.
The out-of-band trusted information is the trusted information of the out-of-band system. It can be understood as the measurement information of the out-of-band system recorded by the trusted computing cryptographic module: the out-of-band system uses the trusted measurement root to measure any measurement object (firmware, software, a file, and so on) and extends the resulting measurement value into the trusted computing cryptographic module, which records it.
According to the embodiment shown in fig. 2, the out-of-band trusted information can be queried through the in-band interface in order to attest the out-of-band system. When the out-of-band trusted information is attested through the in-band interface, the challenger sends a remote attestation request through the remote attestation client interface provided by the in-band system, that is, the in-band interface, and thereby obtains the out-of-band trusted information. In this embodiment the method is applied to the in-band system, and the step of receiving the attestation request may include: receiving the attestation request through a first remote attestation client interface provided externally by the in-band system.
Correspondingly, according to the flow shown in fig. 2, the method may further include:
sending the out-of-band trusted information to the requesting end of the attestation request through the first remote attestation client interface.
With this embodiment, trusted attestation of the platform firmware or software of the trusted server can go through the in-band trusted attestation flow and therefore does not rely on deploying a trusted agent in the out-of-band system.
It can be seen that the trusted computing cryptographic module used by the method has at least two trusted service ports, the first docked to the in-band system and the second docked to the out-of-band system. After an attestation request is received, the in-band system can therefore acquire the out-of-band trusted information recorded by the module through the first trusted service port, or the out-of-band system can acquire the in-band trusted information recorded by the module through the second trusted service port. On the one hand this attests in-band information on the basis of the out-of-band interface, so that attestation is no longer confined to the in-band attestation flow, which improves practicability; on the other hand it attests out-of-band information on the basis of the in-band interface, so that the in-band side can also take the out-of-band trusted information into account and report more complete trusted information to an external challenger, ensuring the trustworthiness of the platform.
In one or more further embodiments of the present specification, the trusted computing cryptographic module with at least two trusted service ports supports not only attesting out-of-band information through the in-band interface, or in-band information through the out-of-band interface, but also attesting in-band information through the in-band interface, or out-of-band information through the out-of-band interface.
Specifically, referring to fig. 3, fig. 3 shows a flowchart of a method for obtaining trusted information according to another embodiment of the present specification. The method may include the following steps.
Step 302: an attestation request is received through an interface of the out-of-band system.
Step 304: according to the attestation request, the out-of-band system acquires, through the second trusted service port, the in-band trusted information recorded by the trusted computing cryptographic module.
Step 306: according to the attestation request, the out-of-band system acquires, through the second trusted service port, the out-of-band trusted information recorded by the trusted computing cryptographic module.
Referring to fig. 4, fig. 4 shows a flowchart of a method for obtaining trusted information according to still another embodiment of the present specification. The method may include the following steps.
Step 402: an attestation request is received through an interface of the in-band system.
Step 404: according to the attestation request, the in-band system acquires, through the first trusted service port, the out-of-band trusted information recorded by the trusted computing cryptographic module.
Step 406: according to the attestation request, the in-band system acquires, through the first trusted service port, the in-band trusted information recorded by the trusted computing cryptographic module.
As the embodiments of fig. 3 and fig. 4 show, the method may further include: when the method is applied to the in-band system, the in-band system also acquires the in-band trusted information recorded by the trusted computing cryptographic module through the first trusted service port; when it is applied to the out-of-band system, the out-of-band system also acquires the out-of-band trusted information recorded by the module through the second trusted service port. Either way an in-band plus out-of-band dual attestation flow is obtained, and once both the in-band and the out-of-band trusted information have been acquired they can be sent to the challenger together.
To make the method easier to understand, the trusted computing cryptographic module with at least two trusted service ports is described in more detail below, taking the recording of a system's boot measurement information as the example. As shown in fig. 5, the trusted computing cryptographic module TPM/TCM physically provides two trusted service ports; the physical-layer interface may be LPC, SPI, I2C or another interface not listed here. The first trusted service port is docked to the in-band system (for example the CPU) and the second trusted service port is docked to the out-of-band system (for example the BMC). Accordingly, the second trusted service port receives the boot measurement information extended by the out-of-band system, so that the module records the boot measurement information of the out-of-band system, which meets the trust requirement of the BMC management chip on the server; and/or the first trusted service port receives the boot measurement information extended by the in-band system, so that the module records the boot measurement information of the in-band system, which meets the trust requirement of the CPU on the server. Together this ensures that the firmware of the core devices on the server is trusted.
In addition, the trusted computing cryptographic module can expand the attestation response range of a single-ended service interface: when responding to an attestation request, the PCR registers of the in-band side and the out-of-band side can be merged and their numbering expanded from 0-23 to 0-47, so that the in-band boot measurement information can be attested out-of-band, or the out-of-band boot measurement information attested in-band.
Taking the BMC boot measurement process of the out-of-band system as an example, fig. 6 illustrates the BMC boot measurement process, which includes:
1. the boot module uses the trusted measurement root to measure the firmware uboot that is to be booted and executed at the next stage;
2. the boot module extends the measurement value into a PCR of the trusted computing cryptographic module;
3. the boot module writes the measurement value into the measurement log;
4. the boot module transfers control to uboot;
5. uboot measures the firmware kernel that is to be booted and executed at the next stage;
6. uboot extends the measurement value into a PCR of the trusted computing cryptographic module;
7. uboot writes the measurement value into the measurement log;
8. uboot transfers control to the kernel;
9. the kernel measures the firmware to be booted and executed at the next stage, for example applications, libraries and mmap'd files;
10. the kernel extends the measurement value into a PCR of the trusted computing cryptographic module;
11. the kernel writes the measurement value into the measurement log;
12. the kernel transfers control to the next-stage firmware.
Taking the BIOS boot measurement process of the in-band system as an example, fig. 7 illustrates the BIOS boot measurement process, which includes:
1. the BIOS boot module uses the trusted measurement root to measure the BIOS power-on self-test module that is to be booted and executed at the next stage;
2. the BIOS boot module extends the measurement value into a PCR of the trusted computing cryptographic module;
3. the BIOS boot module writes the measurement value into the measurement log;
4. the BIOS boot module transfers control to the BIOS power-on self-test module;
5. the BIOS power-on self-test module measures the Grub boot menu module that is to be booted and executed at the next stage;
6. the BIOS power-on self-test module extends the measurement value into a PCR of the trusted computing cryptographic module;
7. the BIOS power-on self-test module writes the measurement value into the measurement log;
8. the BIOS power-on self-test module transfers control to the Grub boot menu module;
9. the Grub boot menu module measures the Linux kernel image module that is to be booted and executed at the next stage;
10. the Grub boot menu module extends the measurement value into a PCR of the trusted computing cryptographic module;
11. the Grub boot menu module writes the measurement value into the measurement log;
12. the Grub boot menu module transfers control to the Linux kernel image module;
13. the Linux kernel image module measures the firmware to be booted and executed at the next stage, for example applications, libraries and mmap'd files;
14. the Linux kernel image module extends the measurement value into a PCR of the trusted computing cryptographic module;
15. the Linux kernel image module writes the measurement value into the measurement log;
16. the Linux kernel image module transfers control to the next-stage firmware.
In summary, during their respective boot processes the BMC of the out-of-band system and the BIOS of the in-band system extend, stage by stage, the digest values of key firmware and configuration parameters into the PCR registers of the TPM/TCM. The extend property of the PCR register guarantees the authenticity and tamper resistance of the whole boot measurement process: any modification of a measured object is detectable.
For example, the measurement information extended into a PCR may be computed with the following hash-based PCR formula:
PCR_new = Hash_alg(PCR_old || Hash_alg(data_new))
where PCR_new is the boot measurement information now held in the PCR, PCR_old is its previous value, || is concatenation, and Hash_alg(data_new) is the digest of the newly measured object data_new that is being extended.
As the formula shows, because Hash_alg is one-way an attacker cannot steer a PCR to a value of their choosing: a PCR can only be extended, never written directly or rolled back, so a tampered measured object, or any further extend intended to cover it up, leaves the PCR at a value that does not match the expected one. The measurement information recorded in the PCRs is therefore trusted, is referred to as trusted measurement information, and can be provided to a challenger as evidence of whether the platform has been attacked.
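The two-port recording and the extend formula above, as an added model in Python written for this page (example code, not the patent's own implementation). It assumes SHA-256 as Hash_alg, 24 PCRs per bank, the merged 0-47 numbering of the specification, constructed stand-in firmware images and a simplified assignment of boot stages to PCR indices. It runs the BMC chain of fig. 6 and the BIOS chain of fig. 7 into their own banks, replays the measurement log against a PCR as a challenger would, and shows that a modified image changes the final PCR and cannot be hidden by extending the genuine image afterwards:

```python
import hashlib
from typing import Dict, List, Tuple

# Assumptions of this added model (not the patent's code): SHA-256 stands in for Hash_alg,
# each bank has 24 PCRs, and the merged numbering of the specification is used, with the
# in-band (CPU/BIOS) bank at PCR 0-23 and the out-of-band (BMC) bank at PCR 24-47.
FIRST_PORT, SECOND_PORT = 1, 2                 # first port docks the CPU, second the BMC
BANK_BASE = {FIRST_PORT: 0, SECOND_PORT: 24}
PCR_INIT = b"\x00" * 32
LogEntry = Tuple[int, str, bytes]              # (PCR index within the bank, stage, digest)


def hash_alg(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr_old: bytes, data_new: bytes) -> bytes:
    """PCR_new = Hash_alg(PCR_old || Hash_alg(data_new)), the formula above."""
    return hash_alg(pcr_old + hash_alg(data_new))


class DualPortModule:
    """TPM/TCM stand-in with two trusted service ports, each bound to its own PCR bank."""

    def __init__(self) -> None:
        self.pcr: List[bytes] = [PCR_INIT] * 48
        self.log: Dict[int, List[LogEntry]] = {FIRST_PORT: [], SECOND_PORT: []}

    def extend(self, port: int, index: int, stage: str, data: bytes) -> bytes:
        """Steps 2-3 of every boot stage: extend the digest, then append it to the log."""
        if port not in BANK_BASE or not 0 <= index < 24:
            raise ValueError("unknown trusted service port or PCR index")
        slot = BANK_BASE[port] + index
        self.pcr[slot] = pcr_extend(self.pcr[slot], data)
        self.log[port].append((index, stage, hash_alg(data)))
        return self.pcr[slot]


# Constructed stand-ins for the firmware images: (PCR index, stage name, image bytes).
# The index-to-stage assignment is an assumption for the example, not from the specification.
BMC_CHAIN = [(0, "uboot", b"uboot-image"), (0, "kernel", b"bmc-kernel"),
             (1, "app/library/mmap", b"bmc-rootfs")]
BIOS_CHAIN = [(0, "BIOS power-on self-test", b"post-image"), (4, "Grub", b"grub-image"),
              (4, "Linux kernel image", b"vmlinuz"), (8, "app/library/mmap", b"rootfs")]


def boot(module: DualPortModule, port: int, chain: List[Tuple[int, str, bytes]]) -> None:
    """Each stage measures the next one before transferring control (fig. 6 / fig. 7)."""
    for index, stage, image in chain:
        module.extend(port, index, stage, image)


def replay(log: List[LogEntry], index: int) -> bytes:
    """Recompute one PCR from the logged digests, as a challenger does with a metric log."""
    pcr = PCR_INIT
    for entry_index, _stage, digest in log:
        if entry_index == index:
            pcr = hash_alg(pcr + digest)
    return pcr


def demo() -> Dict[str, bool]:
    clean = DualPortModule()
    boot(clean, SECOND_PORT, BMC_CHAIN)
    boot(clean, FIRST_PORT, BIOS_CHAIN)

    # The same server booted with a modified BMC kernel image.
    tampered = DualPortModule()
    boot(tampered, SECOND_PORT,
         [(i, s, b"backdoored-kernel" if s == "kernel" else img) for i, s, img in BMC_CHAIN])
    boot(tampered, FIRST_PORT, BIOS_CHAIN)
    # Extending the genuine kernel afterwards does not undo the earlier extend: one-way.
    tampered.extend(SECOND_PORT, 0, "kernel", b"bmc-kernel")

    bmc_pcr0 = BANK_BASE[SECOND_PORT]
    return {
        "log_reproduces_bmc_pcr": replay(clean.log[SECOND_PORT], 0) == clean.pcr[bmc_pcr0],
        "log_reproduces_bios_pcr4": replay(clean.log[FIRST_PORT], 4) == clean.pcr[4],
        "tamper_detected": tampered.pcr[bmc_pcr0] != clean.pcr[bmc_pcr0],
        "in_band_bank_unaffected": tampered.pcr[4] == clean.pcr[4],
        "banks_separate": clean.pcr[bmc_pcr0] != clean.pcr[0],
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The model keeps one PCR array and selects the bank by port, which is the merged 0-47 view the specification describes; a real TPM/TCM with two physical ports would enforce the port-to-bank binding in hardware rather than by the index check in `extend`.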
As the examples above show, in one or more embodiments the in-band trusted information may be the boot measurement information of the in-band system. Correspondingly, at boot the in-band system uses the trusted measurement root to compute measurement values and extends them into the trusted computing cryptographic module, which records them as boot measurement information of the in-band system. In one or more embodiments the out-of-band trusted information is the boot measurement information of the out-of-band system, which the out-of-band system likewise computes at boot with the trusted measurement root and extends into the module, which records it. For example, based on the at least two trusted service ports, the trusted computing cryptographic module can record the boot measurement information of both the BMC and the CPU, which is the precondition for the (out-of-band or in-band) attestation that follows.
It should be noted that in the method of the present specification the trusted information recorded by the trusted computing cryptographic module may be boot measurement information of the system or measurement information of files or software measured after the system has booted; the specification does not limit this. In addition, to prevent replay attacks, in one or more embodiments the acquisition by the in-band system of the out-of-band trusted information recorded by the module through the first trusted service port may include:
acquiring, in the in-band system, the challenge nonce carried by the attestation request;
sending, from the in-band system through the first trusted service port, an out-of-band information acquisition request carrying the nonce to the trusted computing cryptographic module;
receiving, in the in-band system through the first trusted service port, the out-of-band trusted information and the nonce signed by the trusted computing cryptographic module.
Acquisition by the out-of-band system of the in-band trusted information recorded by the module through the second trusted service port may include:
acquiring, in the out-of-band system, the challenge nonce carried by the attestation request;
sending, from the out-of-band system through the second trusted service port, an in-band information acquisition request carrying the nonce to the trusted computing cryptographic module;
receiving, in the out-of-band system through the second trusted service port, the in-band trusted information and the nonce signed by the trusted computing cryptographic module.
In the above embodiments the challenge nonce prevents replay. The signed response binds the trusted information to a nonce that the challenger chose freshly and unpredictably for this request, so a historical response intercepted by an attacker and returned to the challenger carries a nonce that no longer matches any outstanding request and is rejected.
In one or more embodiments of the present specification, to prove that the platform of the trusted server is trusted, the measurement values in the platform's measurement log may be sent to the challenger, so that the challenger verifies them and determines that the platform is trusted. Specifically, the method may further include:
obtaining the sequence of in-band system measurement values from the in-band measurement log;
correspondingly, sending the sequence of in-band system measurement values to the requesting end of the attestation request, so that the requesting end derives the in-band measurement data to be verified from that sequence and verifies it against the boot measurement information of the in-band system;
or alternatively,
obtaining the sequence of out-of-band system measurement values from the out-of-band measurement log;
correspondingly, sending the sequence of out-of-band system measurement values to the requesting end of the attestation request, so that the requesting end derives the out-of-band measurement data to be verified from that sequence and verifies it against the boot measurement information of the out-of-band system.
The method is further described below, with reference to fig. 8, taking the case in which it is applied to the out-of-band system BMC to implement a dual attestation flow covering both in-band and out-of-band boot measurement information. Fig. 8 shows the processing flow of a method for obtaining trusted information according to an embodiment of the present specification, which includes the following steps.
Step 802: the BMC system receives the challenger's remote attestation request through the remote attestation client interface.
For example, the remote attestation request may carry a challenge nonce generated by the challenger; the challenger thus delivers the nonce to the server's out-of-band system, the BMC, through the remote attestation request.
Step 804: the BMC system issues a PCR acquisition request and a signature request, carrying the nonce, to the trusted computing cryptographic module TPM/TCM through the second trusted service port, and obtains the signed out-of-band trusted measurement information, the signed in-band trusted measurement information and the nonce.
For example, in this step the BMC system obtains the PCR register contents of both the BMC and the CPU, waiting for the complete TPM/TCM response. Because the TPM/TCM records the boot measurement information of both the BMC and the CPU, it can provide the BMC with the boot measurement information of the BMC itself and of the CPU for attestation. The BMC boot measurement information provided by the TPM/TCM corresponds to the out-of-band trusted information of this specification, and the CPU boot measurement information corresponds to the in-band trusted information.
Step 806: the BMC system obtains its own sequence of out-of-band system measurement values from the out-of-band measurement log, referred to below as bmcSML.
It can be understood that when the method is applied to the out-of-band system, the sequence of in-band system measurement values on the CPU side (biosSML) may not be obtainable, in which case the CPU-side PCRs may be verified against a PCR whitelist. In this embodiment, for the in-band attestation of the CPU side, only part of the CPU-side boot measurement information recorded by the TPM/TCM need be obtained according to the attestation request. For example, although PCRs 0-23 of the TPM/TCM record CPU-side boot measurement information, the attestation may only require the boot measurement information recorded in PCRs 0-7.
Step 808: the BMC returns bmcSML, the signed boot measurement information (for example of both the in-band and the out-of-band system) and the nonce to the challenger through the second remote attestation client interface.
After obtaining the sequence of out-of-band system measurement values, the signed boot measurement information and the nonce returned through the second remote attestation client interface, the challenger first verifies the TPM/TCM signature to establish the authenticity and validity of the PCR values (the boot measurement information). The challenger then checks the integrity of bmcSML against the signature-verified PCR value; a mismatch indicates that bmcSML has been tampered with. The challenger may further compare the measurement values in bmcSML with the values in a reference database; a mismatch indicates that firmware or a key configuration was tampered with during the BMC boot process. Optionally, according to a preset verification policy, the challenger may skip the bmcSML verification and verify the boot measurement information of the BMC and the CPU directly against a PCR whitelist.
It should be noted that fig. 8 illustrates the in-band plus out-of-band attestation flow as applied to the out-of-band system BMC. The flow when the method is applied to the in-band system is similar and is not repeated here. When the dual flow is applied to the in-band system, an in-band user can also take the trusted information of the BMC into account, so that more complete server platform measurement information is reported and the trustworthiness of the platform is ensured.
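The fig. 8 exchange end to end, as an added Python example written for this page (not the patent's own implementation), which also serves the replay-protection and measurement-log passages above. Its assumptions: HMAC-SHA256 with a key held by the module stands in for the TPM/TCM attestation-key signature and the challenger holds the matching verification key; the quote format, the nonce bookkeeping, the assignment of the BMC chain to PCR 24 and of the BIOS chain to PCRs 0-7, and the sample firmware digests are all constructed for the example. The challenger applies the step 808 checks (signature, bmcSML integrity against the signed BMC PCR, reference database, PCR whitelist for the CPU side) and rejects a replayed response because its nonce is no longer outstanding:

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Assumptions of this added example (not the patent's code): HMAC-SHA256 with a key held by
# the module stands in for the TPM/TCM attestation-key signature and the challenger holds the
# matching verification key; PCR numbering is the merged 0-47 view (0-23 CPU side, 24-47
# BMC side); the BIOS chain extends into PCR 0-7 and the BMC chain into PCR 24.
PCR_INIT = b"\x00" * 32
CPU_PCRS = list(range(8))        # only PCR 0-7 of the CPU side are needed for the attestation
BMC_PCR = 24
SML = List[Tuple[str, bytes]]    # measurement log: (stage name, digest)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def replay_sml(sml: SML) -> bytes:
    """Recompute the BMC PCR from bmcSML (PCR_new = Hash(PCR_old || digest))."""
    pcr = PCR_INIT
    for _stage, digest in sml:
        pcr = sha256(pcr + digest)
    return pcr


def quote_body(nonce: bytes, pcrs: Dict[int, bytes]) -> bytes:
    return nonce + b"".join(bytes([slot]) + value for slot, value in sorted(pcrs.items()))


class TrustedModule:
    """TPM/TCM stand-in: records both banks, signs selected PCRs together with the nonce."""

    def __init__(self, signing_key: bytes) -> None:
        self._key, self.pcr = signing_key, [PCR_INIT] * 48

    def extend(self, slot: int, digest: bytes) -> None:
        self.pcr[slot] = sha256(self.pcr[slot] + digest)

    def quote(self, slots: List[int], nonce: bytes) -> dict:
        pcrs = {s: self.pcr[s] for s in slots}
        return {"nonce": nonce, "pcrs": pcrs,
                "sig": hmac.new(self._key, quote_body(nonce, pcrs), "sha256").digest()}


class BMC:
    """Out-of-band system on the second trusted service port (steps 802-808)."""

    def __init__(self, module: TrustedModule, bmc_sml: SML) -> None:
        self.module, self.bmc_sml = module, bmc_sml

    def handle_attestation_request(self, request: dict) -> dict:
        quote = self.module.quote(CPU_PCRS + [BMC_PCR], request["nonce"])   # step 804
        return {"bmcSML": list(self.bmc_sml), "quote": quote}              # steps 806, 808


class Challenger:
    def __init__(self, verify_key: bytes, reference_db: Dict[str, bytes],
                 cpu_whitelist: Dict[int, bytes]) -> None:
        self._key, self.reference_db, self.cpu_whitelist = verify_key, reference_db, cpu_whitelist
        self._outstanding: set = set()

    def new_request(self) -> dict:                       # step 802: fresh, unpredictable nonce
        nonce = secrets.token_bytes(32)
        self._outstanding.add(nonce)
        return {"nonce": nonce}

    def verify(self, response: dict) -> Tuple[bool, str]:
        q = response["quote"]
        if q["nonce"] not in self._outstanding:          # old or unsolicited nonce: replay
            return False, "nonce not outstanding: replay rejected"
        self._outstanding.discard(q["nonce"])            # a nonce is accepted once only
        expected = hmac.new(self._key, quote_body(q["nonce"], q["pcrs"]), "sha256").digest()
        if not hmac.compare_digest(expected, q["sig"]):
            return False, "TPM/TCM signature invalid"
        if replay_sml(response["bmcSML"]) != q["pcrs"][BMC_PCR]:
            return False, "bmcSML does not reproduce the BMC PCR: log tampered"
        for stage, digest in response["bmcSML"]:         # reference database comparison
            if self.reference_db.get(stage) != digest:
                return False, f"BMC stage {stage!r} not in reference database"
        for slot in CPU_PCRS:                            # CPU side: PCR whitelist only
            if q["pcrs"][slot] != self.cpu_whitelist[slot]:
                return False, f"CPU PCR {slot} not whitelisted"
        return True, "platform trusted in-band and out-of-band"


def demo() -> Dict[str, Tuple[bool, str]]:
    key = secrets.token_bytes(32)
    module = TrustedModule(key)
    # Constructed boot: three BMC stages into PCR 24, eight BIOS stages into PCR 0-7.
    bmc_sml = [(s, sha256(b"bmc-" + s.encode())) for s in ("uboot", "kernel", "app")]
    for _stage, digest in bmc_sml:
        module.extend(BMC_PCR, digest)
    for slot in CPU_PCRS:
        module.extend(slot, sha256(b"bios-stage-%d" % slot))
    # The whitelist and reference database hold the known-good values of this build.
    challenger = Challenger(key, dict(bmc_sml), {s: module.pcr[s] for s in CPU_PCRS})
    bmc = BMC(module, bmc_sml)

    good = bmc.handle_attestation_request(challenger.new_request())
    results = {"fresh": challenger.verify(good)}
    results["replay"] = challenger.verify(good)                 # same response presented again
    forged = bmc.handle_attestation_request(challenger.new_request())
    forged["bmcSML"][1] = ("kernel", sha256(b"backdoored-kernel"))   # log edited, PCR signed
    results["sml_tamper"] = challenger.verify(forged)
    return results
```

The order of checks matters: the nonce and signature are verified before the log is touched, so an attacker who can edit bmcSML in transit but cannot sign with the module's key is caught by the PCR replay, and a captured genuine response is caught by the nonce before any of the more expensive comparisons run.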
Corresponding to the method embodiments above, this specification also provides an embodiment of an apparatus for obtaining trusted information; fig. 9 shows its schematic structure. The apparatus is configured on a trusted server comprising an in-band system, an out-of-band system and a trusted computing cryptographic module, where the module comprises at least two trusted service ports, the first docked to the in-band system and the second docked to the out-of-band system. As shown in fig. 9, the apparatus may include:
a receiving module 902, configured to receive an attestation request;
an information obtaining module 904, configured to acquire, according to the attestation request, the out-of-band trusted information recorded by the trusted computing cryptographic module through the first trusted service port in the in-band system, or to acquire, according to the attestation request, the in-band trusted information recorded by the module through the second trusted service port in the out-of-band system.
Because the trusted computing cryptographic module of the apparatus comprises at least two trusted service ports, the first docked to the in-band system and the second docked to the out-of-band system, the apparatus can, after receiving an attestation request, acquire the out-of-band trusted information recorded by the module through the first trusted service port in the in-band system, or acquire the signed in-band trusted information of the module through the second trusted service port in the out-of-band system. On the one hand this attests in-band information on the basis of the out-of-band interface, so that attestation is no longer confined to the in-band attestation flow, which improves feasibility; on the other hand it attests out-of-band information on the basis of the in-band interface, so that the in-band side can take the out-of-band trusted information into account and report more complete measurement information to an external challenger, ensuring the trustworthiness of the platform.
In one or more embodiments of the present specification, the receiving module 902 may be configured to receive the attestation request through a first remote attestation client interface provided externally by the in-band system. Accordingly, the apparatus may further include an information return module configured to send the out-of-band trusted information to the requesting end of the attestation request through the first remote attestation client interface.
In one or more embodiments of the present specification, the receiving module 902 may be configured to receive the attestation request through a second remote attestation client interface provided externally by the out-of-band system. Accordingly, the apparatus may further include an information return module configured to send the in-band trusted information to the requesting end of the attestation request through the second remote attestation client interface.
In one or more embodiments of the present specification, the information obtaining module 904 may include:
a nonce acquisition sub-module, configured to acquire, in the in-band system, the challenge nonce carried by the attestation request;
a request sending sub-module, configured to send, in the in-band system through the first trusted service port, an out-of-band information acquisition request carrying the nonce to the trusted computing cryptographic module;
an information acquisition sub-module, configured to receive, in the in-band system through the first trusted service port, the out-of-band trusted information and the nonce signed by the trusted computing cryptographic module.
In one or more embodiments of the present specification, the information obtaining module 904 may include:
a nonce acquisition sub-module, configured to acquire, in the out-of-band system, the challenge nonce carried by the attestation request;
a request sending sub-module, configured to send, in the out-of-band system through the second trusted service port, an in-band information acquisition request carrying the nonce to the trusted computing cryptographic module;
an information acquisition sub-module, configured to receive, in the out-of-band system through the second trusted service port, the in-band trusted information and the nonce signed by the trusted computing cryptographic module.
In one or more embodiments of the present specification, the apparatus may implement an in-band plus out-of-band dual attestation flow. Specifically, the apparatus may further include:
an in-band trusted information acquisition module, configured to acquire, in the in-band system through the first trusted service port, the in-band trusted information recorded by the trusted computing cryptographic module; or alternatively,
an out-of-band trusted information acquisition module, configured to acquire, in the out-of-band system through the second trusted service port, the out-of-band trusted information recorded by the trusted computing cryptographic module.
In one or more embodiments of the present specification, to prove that the platform of the trusted server is trusted, the measurement values in the platform's measurement log may be sent to the challenger, so that the challenger verifies them and determines that the platform is trusted. Specifically, the apparatus may further include:
a measurement log acquisition module, configured to acquire the sequence of in-band system measurement values from the in-band measurement log;
correspondingly, the information return module may be configured to send the sequence of in-band system measurement values to the requesting end of the attestation request, so that the requesting end derives the in-band data to be verified from that sequence and verifies it against the in-band trusted information.
Or alternatively,
the apparatus may further include:
a measurement log acquisition module, configured to acquire the sequence of out-of-band system measurement values from the out-of-band measurement log;
correspondingly, the information return module may be configured to send the sequence of out-of-band system measurement values to the requesting end of the attestation request, so that the requesting end derives the out-of-band data to be verified from that sequence and verifies it against the out-of-band trusted information.
The above is an illustrative scheme of the apparatus for obtaining trusted information of this embodiment. It should be noted that the technical solution of the apparatus and that of the method for obtaining trusted information belong to the same concept; details not described for the apparatus can be found in the description of the method.
Corresponding to the above method embodiment, the present specification further provides an embodiment of a trusted server, and fig. 10 shows a schematic structural diagram of a trusted server provided in an embodiment of the present specification. As shown in fig. 10, the trusted server 1000 includes:
an in-band system 1002, an out-of-band system 1004, and a trusted computing cryptography module 1006.
The trusted computing cryptography module 1006 may include at least two trusted service ports, where a first trusted service port 1008 is interfaced with the in-band system 1002, a second trusted service port 1010 is interfaced with the out-of-band system 1004, the in-band system 1002 is configured with a trusted information obtaining unit 1012, and/or the out-of-band system 1004 is configured with a trusted information obtaining unit 1014.
The trusted information obtaining unit 1012 may be configured to receive an attestation request, and obtain, according to the attestation request, out-of-band trusted information recorded by the trusted computing crypto module through the first path of trusted service port by the in-band system.
The trusted information obtaining unit 1014 may be configured to receive an attestation request, and obtain, by an out-of-band system, in-band trusted information recorded by the trusted computing crypto module through the second path of trusted service port according to the attestation request.
Because the trusted server comprises an in-band system, an out-of-band system and a trusted computing cryptographic module, and because the trusted computing cryptographic module comprises at least two paths of trusted service ports, wherein a first path of trusted service port is in butt joint with the in-band system, and a second path of trusted service port is in butt joint with the out-of-band system, after receiving a certification request, the trusted information acquisition unit can acquire out-of-band trusted information recorded by the trusted computing cryptographic module through the first path of trusted service port in the in-band system, or acquire in-band trusted information recorded by the trusted computing cryptographic module through the second path of trusted service port in the out-of-band system, thereby realizing the trusted certification of the in-band information based on the out-of-band interface on one hand, avoiding the in-band trusted certification flow only, enhancing the practicability, or realizing the trusted certification of the out-of-band information based on the in-band interface on the other hand, the in-band trusted information can also concern the out-of-band trusted information, more complete trusted information is reported for external challengers, and the credibility of the platform is ensured.
Wherein the trusted computing cryptography module is configured to record in-band trusted information of the in-band system and/or out-of-band trusted information of the out-of-band system.
It will be appreciated that the in-band system, the out-of-band system, etc. may each include a plurality of firmware, files, software and the like. The in-band system or the out-of-band system may perform measurement calculation, using a trusted measurement root, on any firmware, file or software that is to be booted and executed at a later stage to obtain a metric value, and extend the metric value into the metric information recording area of the trusted computing cryptographic module, where it is recorded as trusted information.
The above is an exemplary scheme of the trusted server of this embodiment. It should be noted that the technical solution of the trusted server and the technical solution of the method for obtaining the trusted metric information belong to the same concept, and details that are not described in detail in the technical solution of the trusted server can be referred to the description of the technical solution of the method for obtaining the trusted metric information.
FIG. 11 illustrates a block diagram of a computing device 1100 provided in accordance with one embodiment of the present description. The components of the computing device 1100 include, but are not limited to, memory 1110 and a processor 1120. The processor 1120 is coupled to the memory 1110 via a bus 1130 and the database 1150 is used to store data.
The computing device 1100 also includes an access device 1140, the access device 1140 enabling the computing device 1100 to communicate via one or more networks 1160. Examples of such networks include the Public Switched Telephone Network (PSTN), a Local Area Network (LAN), a Wide Area Network (WAN), a Personal Area Network (PAN), or a combination of communication networks such as the internet. The access device 1140 may include one or more of any type of network interface, e.g., a Network Interface Card (NIC), wired or wireless, such as an IEEE 802.11 Wireless Local Area Network (WLAN) wireless interface, a Worldwide Interoperability for Microwave Access (WiMAX) interface, an Ethernet interface, a Universal Serial Bus (USB) interface, a cellular network interface, a Bluetooth interface, a Near Field Communication (NFC) interface, and so forth.
In one embodiment of the present description, the above-described components of computing device 1100, as well as other components not shown in FIG. 11, may also be connected to each other, such as by a bus. It should be understood that the block diagram of the computing device structure shown in FIG. 11 is for illustration purposes only and is not intended to limit the scope of the present description. Those skilled in the art may add or replace other components as desired.
Computing device 1100 can be any type of stationary or mobile computing device, including a mobile computer or mobile computing device (e.g., tablet, personal digital assistant, laptop, notebook, netbook, etc.), mobile phone (e.g., smartphone), wearable computing device (e.g., smartwatch, smartglasses, etc.), or other type of mobile device, or a stationary computing device such as a desktop computer or PC. The computing device 1100 can also be a mobile or stationary server.
The processor 1120 is configured to execute computer-executable instructions, which when executed by the processor, implement the steps of the above-described method for obtaining trusted information. For example, it includes:
receiving a request for attestation;
according to the attestation request, the in-band system acquires out-of-band trusted information recorded by the trusted computing cryptographic module through the first path of trusted service port; or,
according to the attestation request, the out-of-band system acquires the in-band trusted information recorded by the trusted computing cryptographic module through the second path of trusted service port.
The foregoing is an illustrative scheme of the computing device of the present embodiment. It should be noted that the technical solution of the computing device and the technical solution of the above method for obtaining the trusted information belong to the same concept, and details that are not described in detail in the technical solution of the computing device can be referred to the description of the technical solution of the above method for obtaining the trusted information.
An embodiment of the present specification further provides a computer-readable storage medium, which stores computer-executable instructions, and when executed by a processor, the computer-executable instructions implement the steps of the above method for obtaining trusted information. For example, it includes:
receiving an attestation request;
according to the attestation request, the in-band system acquires out-of-band trusted information recorded by the trusted computing cryptographic module through the first path of trusted service port; or,
according to the attestation request, the out-of-band system acquires the in-band trusted information recorded by the trusted computing cryptographic module through the second path of trusted service port.
The above is an illustrative scheme of a computer-readable storage medium of the present embodiment. It should be noted that the technical solution of the storage medium and the technical solution of the above method for obtaining the trusted information belong to the same concept, and details that are not described in detail in the technical solution of the storage medium can be referred to the description of the technical solution of the above method for obtaining the trusted information.
An embodiment of the present specification further provides a computer program, wherein when the computer program is executed in a computer, the computer program is used to make the computer execute the steps of the above method for obtaining the trusted information. For example, it includes:
receiving a request for attestation;
according to the attestation request, the in-band system acquires out-of-band trusted information recorded by the trusted computing cryptographic module through the first path of trusted service port; or,
according to the attestation request, the out-of-band system acquires the in-band trusted information recorded by the trusted computing cryptographic module through the second path of trusted service port.
The above is an illustrative scheme of a computer program of the present embodiment. It should be noted that the technical solution of the computer program and the technical solution of the above method for obtaining the trusted information belong to the same concept, and details that are not described in detail in the technical solution of the computer program can be referred to the description of the technical solution of the above method for obtaining the trusted information.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The computer instructions comprise computer program code which may be in the form of source code, object code, an executable file or some intermediate form, or the like. The computer-readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic diskette, an optical disk, computer memory, Read-Only Memory (ROM), Random Access Memory (RAM), an electrical carrier wave signal, a telecommunications signal, a software distribution medium, etc. It should be noted that the content contained in the computer-readable medium may be appropriately increased or decreased as required by legislation and patent practice in a jurisdiction; for example, in some jurisdictions, computer-readable media do not include electrical carrier signals and telecommunications signals, as required by legislation and patent practice.
It should be noted that, for the sake of simplicity, the foregoing method embodiments are described as a series of acts, but those skilled in the art should understand that the present embodiment is not limited by the described acts, because some steps may be performed in other sequences or simultaneously according to the present embodiment. Further, those skilled in the art should also appreciate that the embodiments described in this specification are preferred embodiments and that acts and modules referred to are not necessarily required for an embodiment of the specification.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
The preferred embodiments of the present specification disclosed above are intended only to aid in the description of the specification. Alternative embodiments are not exhaustive and do not limit the invention to the precise embodiments described. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the embodiments and the practical application, to thereby enable others skilled in the art to best understand and utilize the embodiments. The specification is limited only by the claims and their full scope and equivalents.

Claims (12)

1. A method for obtaining trusted information, applied to a trusted server, the trusted server comprising an in-band system, an out-of-band system and a trusted computing cryptographic module, the trusted computing cryptographic module comprising at least two paths of trusted service ports, wherein a first path of trusted service port is interfaced with the in-band system and a second path of trusted service port is interfaced with the out-of-band system, and the method comprises the following steps:
receiving a request for attestation;
according to the attestation request, the in-band system acquires out-of-band trusted information recorded by the trusted computing cryptographic module through the first path of trusted service port, wherein the out-of-band trusted information is the trusted information of the out-of-band system; or,
according to the attestation request, the out-of-band system acquires in-band trusted information recorded by the trusted computing cryptographic module through the second path of trusted service port, wherein the in-band trusted information is the trusted information of the in-band system.
2. The method of claim 1, the receiving a request for attestation, comprising:
receiving the attestation request through a first remote attestation client interface provided by an in-band system to the outside;
the method further comprises the following steps:
sending the out-of-band trusted information to a requesting end of the attestation request through the first remote attestation client interface.
3. The method of claim 1, the receiving a request for attestation, comprising:
receiving the attestation request through a second remote attestation client interface provided externally by the out-of-band system;
the method further comprises the following steps:
sending the in-band trusted information to a requesting side of the attestation request through the second remote attestation client interface.
4. The method of claim 1, wherein the in-band system acquiring the out-of-band trusted information recorded by the trusted computing cryptographic module through the first path of trusted service port comprises:
the in-band system acquires a temporary challenge random number carried by the attestation request;
the in-band system sends an out-of-band information acquisition request carrying the temporary challenge random number to the trusted computing cryptographic module through the first path of trusted service port;
the in-band system receives, through the first path of trusted service port, the signed out-of-band trusted information and temporary challenge random number of the trusted computing cryptographic module;
and the out-of-band system acquiring the in-band trusted information recorded by the trusted computing cryptographic module through the second path of trusted service port comprises:
the out-of-band system acquires a temporary challenge random number carried by the attestation request;
the out-of-band system sends an in-band information acquisition request carrying the temporary challenge random number to the trusted computing cryptographic module through the second path of trusted service port;
and the out-of-band system receives, through the second path of trusted service port, the signed in-band trusted information and temporary challenge random number of the trusted computing cryptographic module.
5. The method of claim 1, further comprising:
the in-band system acquires the in-band trusted information recorded by the trusted computing cryptographic module through the first path of trusted service port; or,
the out-of-band system acquires the out-of-band trusted information recorded by the trusted computing cryptographic module through the second path of trusted service port.
6. The method of claim 1, the in-band trusted information being boot measurement information of the in-band system;
the in-band system is used for carrying out measurement calculation by using a trusted measurement root during booting to obtain a measurement value, and extending the measurement value into the trusted computing cryptographic module for recording as boot measurement information;
and the trusted computing cryptographic module is used for recording the boot measurement information of the in-band system.
7. The method of claim 1, the out-of-band trusted information being boot measurement information of the out-of-band system;
the out-of-band system is used for carrying out measurement calculation by using the trusted measurement root during booting to obtain a measurement value, and extending the measurement value into the trusted computing cryptographic module for recording as boot measurement information;
and the trusted computing cryptographic module is used for recording the boot measurement information of the out-of-band system.
8. The method of claim 6 or 7, further comprising:
obtaining a sequence of in-band system measurement values from an in-band measurement log;
correspondingly, sending the sequence of in-band system measurement values to the requesting end of the attestation request, so that the requesting end obtains in-band measurement data to be verified from the sequence of in-band system measurement values and verifies the in-band measurement data to be verified against the boot measurement information of the in-band system;
or,
obtaining a sequence of out-of-band system measurement values from an out-of-band measurement log;
correspondingly, sending the sequence of out-of-band system measurement values to the requesting end of the attestation request, so that the requesting end obtains out-of-band measurement data to be verified from the sequence of out-of-band system measurement values and verifies the out-of-band measurement data to be verified against the boot measurement information of the out-of-band system.
9. An apparatus for obtaining trusted information, configured in a trusted server, the trusted server including an in-band system, an out-of-band system, and a trusted computing cryptographic module, the trusted computing cryptographic module including at least two trusted service ports, a first trusted service port being interfaced with the in-band system, and a second trusted service port being interfaced with the out-of-band system, the apparatus comprising:
a receiving module configured to receive an attestation request;
the information acquisition module is configured to acquire out-of-band trusted information recorded by the trusted computing cryptographic module through the first path of trusted service port by an in-band system according to the certification request; or, according to the certification request, the in-band trusted information recorded by the trusted computing cryptographic module is acquired by the out-of-band system through the second path of trusted service port.
10. A trusted server, comprising: an in-band system, an out-of-band system and a trusted computing cryptographic module, wherein the trusted computing cryptographic module comprises at least two paths of trusted service ports, a first path of trusted service port is interfaced with the in-band system, a second path of trusted service port is interfaced with the out-of-band system, and the in-band system or the out-of-band system is provided with a trusted information acquisition unit;
the trusted information acquisition unit is configured to receive an attestation request and, according to the attestation request, obtain by the in-band system, through the first path of trusted service port, the out-of-band trusted information recorded by the trusted computing cryptographic module, or obtain by the out-of-band system, through the second path of trusted service port, the in-band trusted information recorded by the trusted computing cryptographic module.
11. A computing device, comprising:
a memory and a processor;
the memory is configured to store computer-executable instructions, and the processor is configured to execute the computer-executable instructions, which when executed by the processor implement the steps of the method of obtaining trusted information according to any one of claims 1 to 8.
12. A computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the steps of the method of obtaining trusted information of any one of claims 1 to 8.
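The flow of claims 4, 6 to 8 and the embodiment description above (boot measurements extended into the module's record area, a nonce-carrying attestation request answered through the other side's trusted service port, and the challenger replaying the measurement log against the signed record), modelled as an added example that is not part of the patent. It assumes SHA-256 as the measurement function, a PCR-style extend (new = H(old || value)), and an HMAC-SHA256 tag standing in for the module's signature; the class and function names are the example's own.

```python
import hashlib
import hmac
import os


def measure(item: bytes) -> bytes:
    """Measurement value of one firmware/file/software item (SHA-256 assumed)."""
    return hashlib.sha256(item).digest()


def extend(register: bytes, value: bytes) -> bytes:
    """Extend operation of the metric information recording area: new = H(old || value)."""
    return hashlib.sha256(register + value).digest()


class TrustedModule:
    """Model of the trusted computing cryptographic module: one boot-measurement
    record per side and two trusted service ports (1 = in-band, 2 = out-of-band)."""
    PORTS = {1: "in-band", 2: "out-of-band"}

    def __init__(self, key: bytes):
        self._key = key  # assumption: HMAC key stands in for the module's signing key
        self._records = {"in-band": bytes(32), "out-of-band": bytes(32)}

    def extend_record(self, side: str, value: bytes) -> None:
        self._records[side] = extend(self._records[side], value)

    def quote(self, port: int, side: str, nonce: bytes):
        """Return the signed record of `side` together with the echoed nonce.
        Either port may request either side's record (claims 1, 4 and 5)."""
        if port not in self.PORTS:
            raise ValueError("unknown trusted service port")
        record = self._records[side]
        tag = hmac.new(self._key, record + nonce, "sha256").digest()
        return record, nonce, tag


class SystemSide:
    """In-band or out-of-band system: measures its boot items, extends the
    module and keeps its own measurement log (claims 6 and 7)."""
    def __init__(self, name: str, port: int, module: TrustedModule):
        self.name, self.port, self.module, self.log = name, port, module, []

    def boot(self, items):
        for item in items:
            value = measure(item)
            self.module.extend_record(self.name, value)  # record area in the module
            self.log.append(value)                       # this side's measurement log

    def handle_attestation(self, nonce: bytes, other: "SystemSide") -> dict:
        """Remote attestation client interface: fetch the *other* side's record
        through this side's own port and attach that side's log (claim 8)."""
        record, echoed, tag = self.module.quote(self.port, other.name, nonce)
        return {"record": record, "nonce": echoed, "tag": tag, "log": list(other.log)}


def verify(reply: dict, sent_nonce: bytes, key: bytes) -> bool:
    """Challenger side: check the tag, the nonce freshness, then replay the log
    and compare the result with the signed record."""
    expected = hmac.new(key, reply["record"] + reply["nonce"], "sha256").digest()
    if not hmac.compare_digest(reply["tag"], expected):
        return False
    if reply["nonce"] != sent_nonce:
        return False
    replayed = bytes(32)
    for value in reply["log"]:
        replayed = extend(replayed, value)
    return replayed == reply["record"]


def demo():
    """Constructed run: in-band system attests the out-of-band system's boot
    through port 1; a tampered log entry is then rejected by the challenger."""
    key = os.urandom(32)
    module = TrustedModule(key)
    inband = SystemSide("in-band", 1, module)
    oob = SystemSide("out-of-band", 2, module)
    oob.boot([b"bmc-bootloader", b"bmc-kernel"])       # constructed sample items
    inband.boot([b"uefi", b"os-loader", b"kernel"])
    nonce = os.urandom(16)
    reply = inband.handle_attestation(nonce, oob)
    ok = verify(reply, nonce, key)
    reply["log"][0] = measure(b"bmc-bootloader-modified")
    tampered = verify(reply, nonce, key)
    return ok, tampered  # → (True, False)
```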
CN202210443827.4A 2022-04-26 2022-04-26 Method and device for acquiring trusted information and trusted server Active CN114579983B (en)

Publications (2)

Publication Number Publication Date
CN114579983A CN114579983A (en) 2022-06-03
CN114579983B true CN114579983B (en) 2022-09-09

Family

ID=81785221

Country Status (1)

Country Link
CN (1) CN114579983B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant