CN114707140A - Kernel architecture based on PKS system

Info

Publication number
CN114707140A
Authority
CN
China
Prior art keywords
architecture
module
kernel
security
tee module
Prior art date
2022-03-16
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210258947.7A
Other languages
Chinese (zh)
Inventor
黄明
姬一文
成联国
李毅
李锁在
孔金珠
杨诏钧
刘全仲
邱慧淮
郑世普
王昊
程永灵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Great Wall Technology Group Co ltd
Clp Hainan United Innovation Research Institute Co ltd
Montage Technology Shanghai Co Ltd
Kirin Software Co Ltd
Original Assignee
China Great Wall Technology Group Co ltd
Clp Hainan United Innovation Research Institute Co ltd
Montage Technology Shanghai Co Ltd
Kirin Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2022-03-16
Filing date
2022-03-16
Publication date
2022-07-05
Application filed by China Great Wall Technology Group Co ltd, Clp Hainan United Innovation Research Institute Co ltd, Montage Technology Shanghai Co Ltd, Kirin Software Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a kernel architecture based on the PKS system, comprising: a user area in a dual-architecture processor, which calls the operating system security module (LSM) to provide a hooking function to security software, so that software hooking is controlled uniformly and running resources are allocated to the hooked security software; a security area in the dual-architecture processor, which calls the TEE module to verify the signature of code to be loaded into the kernel when a resource access request is received, and runs that code only if the verification passes, the security area having higher authority than the user area; and a UEFI module, which performs trusted measurement of the UEFI firmware and the operating system through interaction with the TEE module so as to implement trusted boot. The kernel architecture can obtain the state of the computing space in real time for protection, and avoids the limited functionality and weak performance of the security space that result from a dual architecture in which the security function is placed outside the processor.

Description

Kernel architecture based on PKS system
Technical Field
The invention relates to the technical field of computers, and in particular to a kernel architecture based on the PKS system.
Background
In existing computer systems, computing and security reside in the same space and share the same set of computing, memory and I/O resources. This lets the security software observe the computing state and enforce protection, but unknown computing risks can allow an attacker to obtain legitimate privileges or bypass the protection of the security software. The dual architecture with an external security component adopted in the industry typically has a security space with few functions and weak performance; it cannot obtain the computing-space state in real time, and so cannot protect deeply and in time.
Therefore, how to provide a secure and reliable kernel architecture based on the PKS system is a technical problem that those skilled in the art urgently need to solve.
Disclosure of Invention
In view of this, an object of the present invention is to provide a kernel architecture based on the PKS system that can obtain the computing-space state in real time for protection, and that avoids a security space with few functions and weak performance caused by a dual architecture with external security. The specific scheme is as follows:
the user area in the dual-architecture processor is configured to call the operating system security module LSM to provide a hooking function to security software, so as to control software hooking uniformly and allocate running resources to the hooked security software;
the security area in the dual-architecture processor is configured to call the TEE module to verify the signature of code to be loaded into the kernel when a resource access request is received, and to run the code only if the verification passes; wherein the security area has higher authority than the user area;
and the UEFI module, located in the user area, is configured to perform trusted measurement of the UEFI firmware and the operating system through interaction with the TEE module, so as to implement trusted boot.
Optionally, the user area and the security area are obtained by partitioning through configuration of the relevant registers according to the PSPA specification, and data packets to be transmitted between them are exchanged in shared memory after a custom-protocol handshake.
Optionally, the user area is further configured to:
dynamically sign, with a private key, the kernel code to be loaded that has been processed by the eBPF loader, and then send it to the TEE module, so that the TEE module runs the private-key-signed kernel code only after verifying its signature.
Optionally, performing trusted measurement of the UEFI firmware and the operating system through interaction with the TEE module to implement trusted boot comprises:
performing trusted measurement of the UEFI firmware by calling the TEE module, and starting the UEFI firmware once it is determined to be trusted;
traversing the motherboard devices with the UEFI firmware to obtain the related hardware information;
and performing trusted measurement of the hardware information by calling the TEE module, and, if the hardware information is trusted, carrying out trusted boot.
Optionally, before calling the TEE module to perform trusted measurement of the hardware information, the method further comprises:
judging whether this trusted measurement is the first measurement;
if so, generating a corresponding white list from the result of the first measurement, and in subsequent measurements matching the dynamically calculated hash values against the white list;
if the matching succeeds, judging the measurement result to be trusted;
if the matching fails, either skipping the failed entry and continuing boot, or reporting an error and preventing boot.
Optionally, after traversing the motherboard devices with the UEFI firmware to obtain the related hardware information, the method further comprises:
splitting the hard disk partition table data in the traversed hardware information;
and sending the split data to the TEE module in batches, so that the TEE module measures each batch as it is received.
Optionally, splitting the hard disk partition table data in the traversed hardware information comprises:
splitting the hard disk partition table data in the traversed hardware information into a plurality of data packets, each the size of the shared memory.
Optionally, the TEE module is the only module with the FLASH physical read/write function.
Optionally, the kernel architecture based on the PKS system further comprises:
a heterogeneous computing unit configured to receive the mounted security software issued by the TEE module and perform heterogeneous computing on it.
Optionally, the TEE module is further configured to configure the secure memory according to a configuration instruction from the user area.
In the application, the kernel architecture based on the PKS system comprises a user area and a security area in a dual-architecture processor, and a UEFI module. The user area calls the operating system security module LSM to provide a hooking function to security software, so as to control software hooking uniformly and allocate running resources to the hooked security software; the security area calls the TEE module to verify the signature of code to be loaded into the kernel when a resource access request is received, and runs the code only if the verification passes, the security area having higher authority than the user area; and the UEFI module performs trusted measurement of the UEFI firmware and the operating system through interaction with the TEE module so as to implement trusted boot. By dividing a user area and a security area, the kernel architecture places non-secure computing and secure computing in different spaces, while the interaction between the TEE module and the UEFI module allows the computing-space state to be obtained in real time for protection, so the few functions and poor performance of the security space that result from a dual architecture with external security are avoided.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below. It is obvious that the drawings described below show only embodiments of the present invention, and that those skilled in the art can derive other drawings from them without creative effort.
FIG. 1 is a diagram of a kernel architecture based on a PKS system provided in the present application;
FIG. 2 is a schematic diagram of the internal interaction of a specific architecture provided in the present application.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. It is obvious that the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments that a person skilled in the art can derive from the embodiments given herein without creative effort fall within the protection scope of the present invention.
In existing computer systems, computing and security reside in the same space and share the same set of computing, memory and I/O resources. This lets the security software observe the computing state and enforce protection, but unknown computing risks can allow an attacker to obtain legitimate privileges or bypass the protection of the security software. The dual architecture with an external security component adopted in the industry typically has a security space with few functions and weak performance; it cannot obtain the computing-space state in real time, and so cannot protect deeply and in time. To address these defects, the application provides a kernel architecture based on the PKS system: by dividing a user area and a secure area, non-secure computing and secure computing are placed in different spaces, while the interaction between a TEE module and a UEFI module allows the computing-space state to be obtained in real time for protection, so the few functions and poor performance of the security space caused by a dual architecture with external security are avoided.
FIG. 1 is a diagram of a kernel architecture based on a PKS system according to an embodiment of the present application. Referring to FIG. 1, the kernel architecture based on the PKS system includes a user area and a secure area in a dual-architecture processor, a UEFI module and a TEE module, wherein:
the user area in the dual-architecture processor is configured to call the operating system security module LSM to provide a hooking function to security software, so as to control software hooking uniformly and allocate running resources to the hooked security software;
the security area in the dual-architecture processor is configured to call the TEE module to verify the signature of code to be loaded into the kernel when a resource access request is received, and to run the code only if the verification passes; wherein the secure area has higher authority than the user area;
and the UEFI module is configured to perform trusted measurement of the UEFI firmware and the operating system through interaction with the TEE module, so as to implement trusted boot.
The PKS system is a green, open and shared technical architecture and ecosystem: "P" stands for the Phytium (Feiteng) processor, "K" for the Kylin operating system, and "S" for the security capability that is injected. The processor and the operating system in this embodiment are both those of the PKS system; a processor dual-system structure in which computing and security protection coexist is established, and an immune mode based on trusted computing is created. On this basis, the user area in the dual-architecture processor calls the operating system security module LSM to provide a hooking function to security software, so as to control software hooking uniformly and allocate running resources to the hooked security software. The security area in the dual-architecture processor calls the TEE module to verify the signature of code to be loaded into the kernel when a resource access request is received, and runs the code only if the verification passes; the secure area has higher authority than the user area.
On this basis, the user area also dynamically signs, with a private key, the kernel code to be loaded that has been processed by the eBPF loader, and then sends it to the TEE module, so that the TEE module runs the private-key-signed kernel code only after verifying its signature. The Kylin OS, building on the Linux kernel LSM (security module) mechanism and eBPF, provides restricted interface functions for hooking by security software, which avoids the conflicts or unsafe factors caused by security software writing LSM data structures directly. In addition, when the eBPF loader dynamically loads code into the kernel, the TEE module checks the security of that code, so that its source is legitimate and correct.
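The signed-load gate described above (and in the optional feature of the Disclosure), as an added Go example that is not code from the patent, from Kylin OS or from any TEE implementation: the user area signs the eBPF loader output with a private key, and the TEE module, which holds only the public key, verifies the signature over exactly the bytes it received before the code is allowed into the kernel. Ed25519, the message layout, the key handling and the 16-byte program bytes are assumptions; the patent names no signature scheme or format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// signedCode is what the user area places in shared memory for the TEE module:
// the kernel code produced by the eBPF loader plus a signature over those exact
// bytes. The layout is an assumption; the patent only says the code is signed
// with a private key and then sent to the TEE.
type signedCode struct {
	Code []byte
	Sig  []byte
}

// userAreaSign is the user-area step: sign the loader output with the private
// key, which never leaves the user-area OS. Ed25519 is an assumed scheme; the
// patent does not name one.
func userAreaSign(priv ed25519.PrivateKey, code []byte) signedCode {
	return signedCode{
		Code: append([]byte(nil), code...), // copy: later edits to the caller's buffer must not alter what was signed
		Sig:  ed25519.Sign(priv, code),
	}
}

var errRefused = errors.New("tee: signature verification failed, code not loaded")

// teeVerify is the secure-area step: the TEE holds only the public key and
// checks the signature over exactly the bytes it received. The code reaches the
// kernel only when the check passes; a single changed byte in code or signature,
// or a signature made under another key, is refused.
func teeVerify(pub ed25519.PublicKey, sc signedCode) ([]byte, error) {
	if len(sc.Sig) != ed25519.SignatureSize || !ed25519.Verify(pub, sc.Code, sc.Sig) {
		return nil, errRefused
	}
	return sc.Code, nil
}

// constructedProgram is a constructed 16-byte eBPF program (mov64 r0, 1; exit)
// standing in for real loader output.
var constructedProgram = []byte{
	0xb7, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
	0x95, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
}

// loadRoundTrip generates the key pair, signs the program in the user area and
// submits three candidates to the TEE: the genuine program, a copy with one code
// byte changed after signing, and the same program signed under an unrelated
// key. It reports whether each candidate was loaded.
func loadRoundTrip() (genuine, tampered, wrongKey bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	sc := userAreaSign(priv, constructedProgram)
	_, e1 := teeVerify(pub, sc)

	bad := signedCode{Code: append([]byte(nil), sc.Code...), Sig: sc.Sig}
	bad.Code[4] = 0x02 // change the immediate: mov64 r0, 2
	_, e2 := teeVerify(pub, bad)

	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	_, e3 := teeVerify(pub, userAreaSign(otherPriv, constructedProgram))

	return e1 == nil, e2 == nil, e3 == nil, nil
}

func main() {
	genuine, tampered, wrongKey, err := loadRoundTrip()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("genuine loaded: %v, tampered loaded: %v, wrong-key loaded: %v\n", genuine, tampered, wrongKey)
}
```

The point the patent makes is that verification happens in the secure area over the bytes actually handed across the shared memory, so the user-area OS, which may be compromised, cannot present one program for checking and another for loading; in this model that property comes from verifying over `sc.Code` itself rather than over a separately supplied digest.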
In this embodiment, the processor CPU is divided into a user area and a secure area, giving a dual-architecture processor. A secure area space is divided off inside the same CPU, and the user area space, I/O space and memory space are physically isolated from it. The division is software-defined; according to the ArmV8 TrustZone and Feiteng PSPA architecture principles, the secure area has higher authority than the user area, that is, the secure area can see the user area but the user area cannot see the secure area. Isolation is thus achieved together with high-performance, full-featured monitoring, and because everything stays inside the same chip it is safer and no change to the motherboard is needed.
In this embodiment, the isolation is configured in a software-defined manner: the user area and the secure area are obtained by configuring the relevant registers according to the PSPA specification. The user area and the secure area exchange data packets in shared memory after a custom-protocol handshake. The communication mechanism between the TEE module and the OS kernel of the user area uses shared memory with a custom protocol for handshaking and transfer; the header, trailer and handshake signal of the data to be transmitted can be carried by an SMC (ArmV8) Monitor call or by an IRQ interrupt. The OS of the user area can also send a program that needs to run in the TEE module over this channel after signing it with a private key; the program runs in the TEE module's space after the TEE module verifies the signature.
In this embodiment, the UEFI module is located in the user area and is configured to perform trusted measurement of the UEFI firmware and the operating system through interaction with the TEE module, so as to implement trusted boot; reference is made in particular to FIG. 2. The UEFI firmware conforms to the relevant international standards and architectures, with trusted boot and firmware security protection functions added. The specific trusted boot process is as follows: the TEE module is called to perform trusted measurement of the UEFI firmware, and the UEFI firmware is started once it is determined to be trusted; the UEFI firmware traverses the motherboard devices to obtain the related hardware information; and the TEE module is called to perform trusted measurement of the hardware information, and if the hardware information is trusted, trusted boot proceeds. It should be noted that, in this embodiment, the call to the TEE module for trusted measurement of the UEFI firmware is generally triggered by PBF. Before that, it must be judged whether this trusted measurement is the first measurement; if so, a corresponding white list is generated from the result of the first measurement, and the hash values dynamically calculated in subsequent measurements are matched against the white list. If the matching succeeds, the measurement result is judged to be trusted; if it fails, either the failed entry is skipped and boot continues, or an error is reported and boot is prevented. That is, the UEFI firmware traverses the motherboard devices (bus-driven devices, board cards, bridge chips and the like) and passes their data and code to the TEE module to calculate the hash; on the first measurement a white list is generated by default.
From the second measurement onward, the dynamically calculated hash is compared with the white list: if it is correct, boot proceeds; if any one entry is incorrect then, according to the user's pre-configuration, either the entry is skipped and boot continues or an error is reported and boot is prevented.
Furthermore, after the hardware information has been traversed, the hard disk partition table data in it can be split and the split data sent to the TEE module in batches, so that the TEE module measures each batch as it is received. Preferably, the hard disk partition table data is split into a plurality of data packets, each the size of the shared memory, which are transmitted to the TEE module in batches for measurement, so that the part of the boot process that involves the hard disk partition table is trusted.
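The trusted boot procedure above (white list generated on the first measurement, per-entry hash matching afterwards, the user-configured skip-or-halt decision on a mismatch, and partition table data split into shared-memory-sized packets for batch measurement), as an added Go example that is not code from the patent, its UEFI firmware or its TEE module. The shared-memory size, the device names and the hardware bytes are constructed, and SHA-256 is an assumed hash, since the patent does not name one. The example generalises slightly by sending every traversed blob through the packet path, not only the partition table.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// sharedMemSize is the assumed size of the shared-memory window between the user
// area and the TEE module; the patent gives no figure, so a small constructed
// value is used to force several packets in the demo.
const sharedMemSize = 64

// splitIntoPackets cuts data into packets of the shared memory size, the last
// packet carrying any remainder.
func splitIntoPackets(data []byte, size int) [][]byte {
	var packets [][]byte
	for start := 0; start < len(data); start += size {
		end := start + size
		if end > len(data) {
			end = len(data)
		}
		packets = append(packets, data[start:end])
	}
	return packets
}

// teeMeasureBatches models the TEE side of the batch transfer: each packet is
// folded into one running SHA-256 as it arrives, so the result equals the hash
// of the unsplit data although the TEE never holds all of it at once.
func teeMeasureBatches(packets [][]byte) string {
	h := sha256.New()
	for _, p := range packets {
		h.Write(p)
	}
	return hex.EncodeToString(h.Sum(nil))
}

type bootDecision struct {
	Trusted    bool
	Continue   bool
	Mismatched []string
}

// measureHardware hashes each item the UEFI firmware traversed. Every blob has
// to cross the shared-memory window, so each is split and measured in batches.
func measureHardware(hw map[string][]byte) map[string]string {
	out := make(map[string]string, len(hw))
	for name, data := range hw {
		out[name] = teeMeasureBatches(splitIntoPackets(data, sharedMemSize))
	}
	return out
}

// evaluateBoot applies the first-measurement rule: an empty white list means this
// is the first measurement, so the current hashes become the white list and boot
// proceeds. Afterwards every white-listed entry must match the dynamically
// calculated hash; haltOnMismatch is the user's pre-configuration for a failure.
func evaluateBoot(whitelist, measured map[string]string, haltOnMismatch bool) (map[string]string, bootDecision) {
	if len(whitelist) == 0 {
		wl := make(map[string]string, len(measured))
		for k, v := range measured {
			wl[k] = v
		}
		return wl, bootDecision{Trusted: true, Continue: true}
	}
	var bad []string
	for name, want := range whitelist {
		if got, ok := measured[name]; !ok || got != want {
			bad = append(bad, name)
		}
	}
	sort.Strings(bad) // deterministic report order; Go map iteration is random
	if len(bad) == 0 {
		return whitelist, bootDecision{Trusted: true, Continue: true}
	}
	return whitelist, bootDecision{Trusted: false, Continue: !haltOnMismatch, Mismatched: bad}
}

// constructedHardware stands in for the traversal result: constructed bytes for
// a bridge chip, a board card and a 200-byte partition table.
func constructedHardware() map[string][]byte {
	pt := make([]byte, 200)
	for i := range pt {
		pt[i] = byte(i)
	}
	return map[string][]byte{
		"bridge0":               []byte("constructed bridge chip firmware"),
		"card0":                 []byte("constructed board card option ROM"),
		"disk0/partition-table": pt,
	}
}

func main() {
	hw := constructedHardware()
	wl, first := evaluateBoot(nil, measureHardware(hw), true)
	hw["disk0/partition-table"][100] ^= 0xff // simulate a modified partition table
	_, later := evaluateBoot(wl, measureHardware(hw), true)
	fmt.Printf("first boot trusted=%v; after change trusted=%v continue=%v bad=%v\n",
		first.Trusted, later.Trusted, later.Continue, later.Mismatched)
}
```

Two properties worth noticing: the batched hash is identical to the hash of the whole partition table, so splitting for the shared-memory window costs nothing in measurement strength; and the first-measurement white list is only as trustworthy as the machine state at that moment, which is why the patent generates it by default once and thereafter compares rather than regenerating.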
In this embodiment, the TEE module is the only module with the FLASH physical read/write function. Physical reading and writing of the FLASH chip holding the UEFI firmware is completed through cooperation of the user area and the secure area, with the FLASH physical read/write function placed in the TEE module and no other module of the system able to read or write FLASH, so the system can resist firmware attacks. Bootkits and firmware viruses are thereby prevented, and part of the trusted computing 3.0 functionality is realized. In addition, the TEE module completes its operations in an isolated space, meeting the requirement of a trusted environment, and it stores key data, keys, security policies and security management and control in that isolated space, which is an important means of protecting against memory attacks and firmware attacks. The TEE and the OS are different address spaces: the TEE module uses logical addresses and the UEFI firmware uses physical addresses. UEFI maps the logical address to the physical address, so that the TEE module can be securely configured at the underlying physical layer; the mapping is realized through drivers, UEFI data structures and the like.
It can be understood that the TEE module runs in the isolated space of the secure area and, while in contact with other modules, can directly apply security configuration to the memory and the heterogeneous computing unit. In this embodiment, the secure memory and the heterogeneous computing unit each form a module and are also part of the kernel architecture based on the PKS system. The TEE module is further configured to configure the secure memory according to a configuration instruction from the user area. The heterogeneous computing unit, also called the xPU, includes accelerators such as GPUs and FPGA smart network cards and is configured to receive the mounted security software issued by the TEE module and perform heterogeneous computing on it. That is, the OS passes the user's configuration to the TEE module, the TEE module configures the secure memory accordingly, and the xPU receives code from the OS and executes the security software there. Reference is made in particular to FIG. 2.
It can be seen that the kernel architecture based on the PKS system in the embodiment of the present application includes a user area and a secure area in a dual-architecture processor, and a UEFI module. The user area calls the operating system security module LSM to provide a hooking function to security software, so as to control software hooking uniformly and allocate running resources to the hooked security software; the security area calls the TEE module to verify the signature of code to be loaded into the kernel when a resource access request is received, and runs the code only if the verification passes, the secure area having higher authority than the user area; and the UEFI module performs trusted measurement of the UEFI firmware and the operating system through interaction with the TEE module so as to implement trusted boot. By dividing the user area and the secure area, the kernel architecture places non-secure computing and secure computing in different spaces, while the interaction between the TEE module and the UEFI module allows the computing-space state to be obtained in real time for protection, so the few functions and weak performance of the security space that result from a dual architecture with external security are avoided.
The embodiments are described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts among the embodiments can be referred to one another. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is kept brief, and the relevant points can be found in the description of the method.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The kernel architecture based on the PKS system provided by the present invention has been introduced in detail above, and a specific example has been used to illustrate the principle and implementation of the present invention; the description of the above embodiment is only intended to help in understanding the method and core idea of the present invention. Meanwhile, a person skilled in the art may, according to the idea of the present invention, vary the specific embodiments and the scope of application; in summary, the content of this specification should not be construed as limiting the present invention.

Claims (10)

1. A kernel architecture based on a PKS system, comprising:
a user area in a dual-architecture processor, configured to call the operating system security module LSM to provide a hooking function to security software, so as to control software hooking uniformly and allocate running resources to the hooked security software;
a security area in the dual-architecture processor, configured to call a TEE module to verify the signature of code to be loaded into the kernel when a resource access request is received, and to run the code only if the verification passes; wherein the security area has higher authority than the user area;
and a UEFI module, configured to perform trusted measurement of UEFI firmware and an operating system through interaction with the TEE module, so as to implement trusted boot.
2. The kernel architecture based on a PKS system of claim 1, wherein the user area and the security area are obtained by partitioning through configuration of related registers according to the PSPA specification, and data packets to be transmitted are exchanged in shared memory after a custom protocol handshake.
3. The kernel architecture based on a PKS system of claim 1, wherein the user area is further configured to:
dynamically sign, with a private key, the kernel code to be loaded that has been processed by the eBPF loader, and send it to the TEE module, so that the TEE module runs the private-key-signed kernel code after verifying its signature.
4. The kernel architecture based on a PKS system of claim 1, wherein performing trusted measurement of UEFI firmware and an operating system through interaction with the TEE module to implement trusted boot comprises:
performing trusted measurement of the UEFI firmware by calling the TEE module, and starting the UEFI firmware once it is determined to be trusted;
traversing the motherboard devices with the UEFI firmware to obtain the related hardware information;
and performing trusted measurement of the hardware information by calling the TEE module, and, if the hardware information is trusted, carrying out trusted boot.
5. The kernel architecture based on a PKS system of claim 4, wherein before performing trusted measurement of the hardware information by calling the TEE module, the method further comprises:
judging whether this trusted measurement is the first measurement;
if so, generating a corresponding white list from the result of the first measurement, and in subsequent measurements matching the dynamically calculated hash values against the white list;
if the matching succeeds, judging the measurement result to be trusted;
if the matching fails, either skipping the failed entry and continuing boot, or reporting an error and preventing boot.
6. The kernel architecture based on a PKS system of claim 4, wherein after traversing the motherboard devices with the UEFI firmware to obtain the related hardware information, the method further comprises:
splitting the hard disk partition table data in the traversed hardware information;
and sending the split data to the TEE module in batches, so that the TEE module measures each batch as it is received.
7. The kernel architecture based on a PKS system of claim 6, wherein said splitting the hard disk partition table data in the traversed hardware information comprises:
splitting the hard disk partition table data in the traversed hardware information into a plurality of data packets, each the size of the shared memory.
8. The kernel architecture based on a PKS system according to any one of claims 1 to 7, wherein the TEE module is the only module with a FLASH physical read/write function.
9. The kernel architecture based on a PKS system according to any one of claims 1 to 7, further comprising:
a heterogeneous computing unit configured to receive the mounted security software issued by the TEE module and perform heterogeneous computing on it.
10. The kernel architecture based on a PKS system according to any one of claims 1 to 7, wherein the TEE module is further configured to configure a secure memory according to a configuration instruction from the user area.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210258947.7A CN114707140A (en) 2022-03-16 2022-03-16 Kernel architecture based on PKS system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210258947.7A CN114707140A (en) 2022-03-16 2022-03-16 Kernel architecture based on PKS system

Publications (1)

Publication Number Publication Date
CN114707140A true CN114707140A (en) 2022-07-05

Family

ID=82168384

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210258947.7A Pending CN114707140A (en) 2022-03-16 2022-03-16 Kernel architecture based on PKS system

Country Status (1)

Country Link
CN (1) CN114707140A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115495746A (en) * 2022-11-16 2022-12-20 安超云软件有限公司 eBPF-based safety protection method and system and electronic equipment
CN116628767A (en) * 2023-07-20 2023-08-22 常州楠菲微电子有限公司 Method for preventing flash system firmware attack after system start and flash controller
CN116628767B (en) * 2023-07-20 2023-10-17 常州楠菲微电子有限公司 Method for preventing flash system firmware attack after system start and flash controller

Similar Documents

Publication Publication Date Title
US9575790B2 (en) Secure communication using a trusted virtual machine
CN110414235B (en) Active immune double-system based on ARM TrustZone
US8910238B2 (en) Hypervisor-based enterprise endpoint protection
US9164925B2 (en) Method and apparatus for authorizing host to access portable storage device
US8464047B2 (en) Method and apparatus for authorizing host to access portable storage device
US11714910B2 (en) Measuring integrity of computing system
US7836299B2 (en) Virtualization of software configuration registers of the TPM cryptographic processor
US10726120B2 (en) System, apparatus and method for providing locality assertion between a security processor and an enclave
KR101458780B1 (en) Providing a multi-phase lockstep integrity reporting mechanism
US20160350534A1 (en) System, apparatus and method for controlling multiple trusted execution environments in a system
KR20160146955A (en) Management of authenticated variables
US20140230024A1 (en) Computer system and virtual computer management method
EP2317454A2 (en) Providing authenticated anti-virus agents a direct access to scan memory
CN113886809A (en) Computing device
CN114707140A (en) Kernel architecture based on PKS system
WO2014039363A1 (en) Measuring platform components with a single trusted platform module
CN111343352B (en) Image forming apparatus, start control method thereof, and storage medium
US8843742B2 (en) Hypervisor security using SMM
US11403403B2 (en) Secure processing engine for securing a computing system
EP3966721B1 (en) Apparatus and method for disk attestation
US20150381442A1 (en) Reporting Platform Information Using A Secure Agent
CN116070289A (en) Security chip applied to system firmware and electronic equipment
CN113419905A (en) Method and device for realizing credible verification and security module
CN114443147B (en) Trusted hardware technology-based super monitoring type unmanned aerial vehicle trusted detection method
CN115879064A (en) Program running method and device, processor, chip and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination