CN115906046A - Trusted computing system and measurement method based on trusted computing system - Google Patents

Info

Publication number: CN115906046A
Application number: CN202210612298.6A
Authority: CN (China)
Prior art keywords: measurement, tpcm, module, operating system, content
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 朱贺新, 王巍, 刘业辉, 赵元苏, 郭蕊, 方水平, 宋玉娥, 杨洪涛
Current assignee: Beijing University of Technology
Original assignee: Beijing University of Technology
Application filed by Beijing University of Technology; priority to CN202210612298.6A; published as CN115906046A; legal status pending.

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The application relates to the technical field of information security, and in particular to a trusted computing system and a measurement method based on the trusted computing system. The trusted computing system comprises: a TPCM interface module in the operating system loader, used for packaging the corresponding content to be measured in the hardware equipment based on an active measurement control instruction sent by an active measurement engine and a predefined algorithm in a trusted platform control module (TPCM); an assistance measurement engine module in the operating system loader, used for performing scheduling processing and assistance measurement processing on the packaged content to be measured to obtain measurement content and sending the measurement content to the active measurement engine; and the active measurement engine, used for sending the active measurement control instruction to the TPCM interface module, receiving the measurement content sent by the assistance measurement engine module, and performing measurement verification on the measurement content to verify whether the system state is trusted. In this way the system can perform active measurement, and the authenticity, reliability and flexibility of measurement are improved.

Description

Trusted computing system and measurement method based on trusted computing system
Technical Field
The present application relates to the field of information security technologies, and in particular, to a trusted computing system and a measurement method based on the trusted computing system.
Background
With the development of information security technology, trusted computing has become a new development direction, and draws more and more attention of related research units. The trusted computing system is mainly based on a trusted security chip and establishes a secure computing environment which can be expected by a user. Trusted Computing Group (TCG) originally proposed and specified Trusted Computing industry standards. A trust chain is built step by introducing a security chip on a mainboard, the security of the trust chain is ensured, and finally a safe and credible working environment is built on a computer hardware system.
In order to address the security of today's cyberspace, the TCG provides a trusted computing method in which a Trusted Platform Module (TPM) and the Basic Input Output System (BIOS) boot code serve as the root of trust, and measurement is performed level by level, each level measuring the next, so as to construct a trust chain for the computer and thereby protect its important resources from illegal tampering and damage. The TPM works in a 'passive' mode: it is an ordinary peripheral of the system whose functions are only exercised when other applications call it, and those applications may decide whether to use or to shield the TPM functions. Specifically, an operating system or application program on the system, together with a remote server, verifies whether the platform's boot state matches an expected measurement result, so that the security state of the system is learned and whether the system state is trusted is verified.
However, the TPM can only perform static measurement on resources such as firmware and executable programs of a computer, and cannot perform measurement actively, and when an operating environment of the TPM is subjected to illegal intrusion or tampering, authenticity and reliability of the measurement are affected.
Disclosure of Invention
The application provides a trusted computing system and a measurement method based on the trusted computing system, which can be used for actively measuring the computer system and improving the authenticity, reliability and flexibility of measurement.
In a first aspect, the present application provides a trusted computing system comprising a trusted platform control module (TPCM), an active measurement engine, hardware equipment and an operating system loader, where the operating system loader includes a TPCM interface module and an assistance measurement engine module;
the TPCM interface module is used for packaging the corresponding content to be measured in the hardware equipment based on an active measurement control instruction sent by the active measurement engine and a predefined algorithm in the TPCM; the assistance measurement engine module is used for performing scheduling processing and assistance measurement processing on the packaged content to be measured to obtain measurement content, and for sending the measurement content to the active measurement engine;
the active measurement engine is used for sending the active measurement control instruction to the TPCM interface module, receiving the measurement content sent by the assistance measurement engine module, and performing measurement verification on the measurement content to verify whether the system state is trusted.
Optionally, the TPCM interface module includes: the bottom layer device driver is used for establishing a channel between the hardware device and the TPCM so as to enable the operating system loader to communicate with the TPCM;
the TPCM function operation module is used for packaging the content to be measured based on the function corresponding to the content to be measured after receiving an active measurement control instruction sent by the active measurement engine in a predefined period; the function is determined based on a predefined algorithm within the TPCM;
the security protocol stack is used for encrypting the packaged content to be measured and sending the encrypted content to be measured to the assistant measurement engine module.
Optionally, the assistance measurement engine module includes a protocol analysis and scheduling module and an assistance measurement processing module. The protocol analysis and scheduling module is used for decrypting the encrypted content to be measured based on a predefined protocol, scheduling the operating system files of the corresponding type and sending them to the assistance measurement processing module for processing; the operating system files comprise operating system kernel files and operating system configuration files.
The assistance measurement processing module is used for reading the measurement content in the operating system files and calling the TPCM interface module to send the measurement content to the active measurement engine.
Optionally, the active measurement engine is disposed in a TPCM service module inside the TPCM, and the TPCM service module is configured to obtain a measurement reference value; the active measurement engine is specifically configured to:
acquire the measurement content sent by the assistance measurement processing module based on the active measurement control instruction, perform measurement calculation on the measurement content using the predefined algorithm provided by the TPCM to obtain a measurement result, and perform measurement verification based on the measurement reference value and the measurement result to judge whether the system state is trusted;
if the system state is trusted, send an operating system start instruction to the operating system loader;
and if the system state is not trusted, send an operating system start prohibition instruction to the operating system loader.
Optionally, the operating system loader further includes a behavior execution module, used for executing the corresponding operation based on the control command sent by the TPCM and handing control to the corresponding operating system.
Optionally, the behavior execution module executing the corresponding operation based on the control command sent by the TPCM includes:
if the control command sent by the TPCM is an operating system start instruction, acquiring the corresponding boot parameters, starting the corresponding operating system based on the boot parameters, and storing the boot parameters for the next measurement calculation;
and if the control command sent by the TPCM is an operating system start prohibition instruction, prohibiting the start of the corresponding operating system kernel and sending alarm information.
Optionally, the trusted computing system further includes a TPCM management interface, used for acquiring a measurement reference value that changes in real time from a remote end, or acquiring a manually input measurement reference value, and transmitting the acquired measurement reference value to the TPCM service module.
In a second aspect, the present application further provides a measurement method based on a trusted computing system, applied to an operating system loader that includes a TPCM interface module and an assistance measurement engine module; the method comprises the following steps:
packaging, by the TPCM interface module, the corresponding content to be measured in the hardware equipment based on an active measurement control instruction sent by an active measurement engine and a predefined algorithm in a trusted platform control module (TPCM);
performing, by the assistance measurement engine module, scheduling processing and assistance measurement processing on the packaged content to be measured to obtain measurement content, and sending the measurement content to the active measurement engine, so that the active measurement engine performs measurement verification based on the received measurement content to verify whether the system state is trusted.
In a third aspect, the present application further provides a measurement method based on a trusted computing system, applied to an active measurement engine, where the method includes:
sending an active measurement control instruction to a TPCM interface module in an operating system loader;
receiving measurement content sent by an assistant measurement engine module in an operating system loader, and performing measurement verification on the measurement content to verify whether the system state is credible, wherein the TPCM interface module is used for packaging corresponding content to be measured in hardware equipment based on an active measurement control instruction sent by the active measurement engine and a predefined algorithm in a TPCM (trusted platform control module); the assistance measurement engine module is used for carrying out scheduling processing and assistance measurement processing on the packaged content to be measured to obtain measurement content, and sending the measurement content to the active measurement engine.
In a fourth aspect, the present application further provides an electronic device comprising a processor, a memory and a computer program, where the computer program is stored in the memory and configured to be executed by the processor, the computer program comprising instructions for performing the trusted computing system based measurement method of the second or third aspect.
In summary, the present application provides a trusted computing system and a measurement method based on the trusted computing system, which can be implemented by mutually cooperating a TPCM interface module and an assistant measurement engine module in an operating system loader with an active measurement engine, and after receiving an active measurement control instruction sent by the active measurement engine, the TPCM interface module encapsulates corresponding contents to be measured in a hardware device, and then sends the encapsulated contents to the assistant measurement engine module for scheduling and assistant measurement to obtain measurement contents, and further sends the measurement contents to the active measurement engine for measurement verification to verify whether the system state is reliable, so that the present application can perform active measurement, and further improve the authenticity, reliability and flexibility of measurement.
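As an added illustration of the exchange set out in the first to third aspects above (not code from the patent or from any TPCM product), the following Python model plays both sides: an active measurement engine holding reference values, and an operating system loader with a TPCM interface module, an assistance measurement engine module and a behaviour execution module. Every class, function and message field name is an assumption, SHA-256 stands in for the TPCM's predefined algorithm, the sample kernel and configuration bytes are constructed, and the security protocol stack's encryption between the two loader modules is not modelled.

```python
import hashlib
import hmac
from collections import namedtuple

# Constructed sample contents of the "hardware device": one kernel file and
# one configuration file per installed operating system (not real images).
SAMPLE_OS_FILES = {
    "ubuntu": {"kernel": b"vmlinuz-ubuntu-sample", "config": b"ubuntu.cfg-sample"},
    "redhat": {"kernel": b"vmlinuz-redhat-sample", "config": b"redhat.cfg-sample"},
}

# Measurement content handed from the assistance module to the engine (assumed shape).
MeasurementContent = namedtuple("MeasurementContent", "os_name kernel config boot_params")

def predefined_algorithm(data: bytes) -> bytes:
    """Measurement algorithm supplied by the TPCM; SHA-256 is an assumption."""
    return hashlib.sha256(data).digest()

def measurement_result(content: MeasurementContent) -> bytes:
    """Measurement calculation over length-prefixed field digests, so kernel,
    configuration and boot parameters cannot be re-split or swapped."""
    h = hashlib.sha256()
    for field in (content.kernel, content.config, content.boot_params.encode()):
        h.update(len(field).to_bytes(4, "big"))
        h.update(predefined_algorithm(field))
    return h.digest()

def expected_reference(os_name, files, boot_params) -> bytes:
    """Provision a reference value from a known-good image (assumed procedure)."""
    return measurement_result(MeasurementContent(os_name, files["kernel"], files["config"], boot_params))

class OsLoader:
    """Loader side: TPCM interface, assistance measurement and behaviour execution modules."""
    def __init__(self, device_files):
        self.device_files = device_files
        self.saved_boot_params = {}  # stored for the next measurement calculation
        self.alarms = []

    def tpcm_interface_package(self, instruction):
        """TPCM interface module: package the content to be measured for the named OS."""
        files = self.device_files[instruction["os"]]
        return {"os": instruction["os"], "kernel": files["kernel"], "config": files["config"]}

    def assistance_measure(self, packaged, boot_params):
        """Assistance measurement engine module: schedule the OS files, read the content."""
        return MeasurementContent(packaged["os"], packaged["kernel"], packaged["config"], boot_params)

    def behaviour_execute(self, control):
        """Behaviour execution module: start the kernel, or refuse and raise an alarm."""
        if control["cmd"] == "start":
            self.saved_boot_params[control["os"]] = control["boot_params"]
            return "started " + control["os"]
        self.alarms.append("boot of %s prohibited: measurement mismatch" % control["os"])
        return "prohibited"

class ActiveMeasurementEngine:
    """Engine in the TPCM service module; holds the measurement reference values."""
    def __init__(self, reference_values):
        self.reference_values = dict(reference_values)

    def update_reference(self, os_name, value):
        """TPCM management interface: accept a remote or manually entered reference value."""
        self.reference_values[os_name] = value

    def verify(self, content, boot_params):
        """Measurement verification with a constant-time compare against the reference."""
        result = measurement_result(content)
        expected = self.reference_values.get(content.os_name)
        if expected is not None and hmac.compare_digest(result, expected):
            return {"cmd": "start", "os": content.os_name, "boot_params": boot_params}
        return {"cmd": "prohibit", "os": content.os_name}

def run_active_measurement(engine, loader, os_name, boot_params):
    """One round of the exchange; returns what the behaviour execution module did."""
    instruction = {"type": "active_measurement", "os": os_name}  # sent by the engine
    packaged = loader.tpcm_interface_package(instruction)
    content = loader.assistance_measure(packaged, boot_params)
    control = engine.verify(content, boot_params)
    return loader.behaviour_execute(control)

def demo():
    """Known-good boot, tampered kernel, changed boot parameters, re-provisioned reference."""
    good = {k: dict(v) for k, v in SAMPLE_OS_FILES.items()}
    refs = {name: expected_reference(name, f, "ro quiet") for name, f in good.items()}
    engine, loader = ActiveMeasurementEngine(refs), OsLoader(good)
    out = {"good": run_active_measurement(engine, loader, "ubuntu", "ro quiet")}
    tampered = {k: dict(v) for k, v in good.items()}
    tampered["ubuntu"]["kernel"] = b"vmlinuz-ubuntu-TAMPERED"  # constructed modification
    bad_loader = OsLoader(tampered)
    out["tampered"] = run_active_measurement(engine, bad_loader, "ubuntu", "ro quiet")
    out["new_params"] = run_active_measurement(engine, loader, "ubuntu", "ro quiet single")
    engine.update_reference("ubuntu", expected_reference("ubuntu", good["ubuntu"], "ro quiet single"))
    out["after_update"] = run_active_measurement(engine, loader, "ubuntu", "ro quiet single")
    out["alarms"] = len(bad_loader.alarms) + len(loader.alarms)
    out["saved_params"] = loader.saved_boot_params["ubuntu"]
    return out
```

`demo()` returns the outcome of four rounds: the known-good image is started, a modified kernel and a changed boot parameter line are both refused with an alarm, and the new parameter line is accepted only after the management interface has supplied a matching reference value. Because the boot parameters are part of the measured content, the stored parameters of the last accepted boot are what the next measurement is expected to reproduce.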
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application;
FIG. 2 is a diagram of a system architecture provided for verifying that a system state is authentic;
FIG. 3 is another system architecture diagram provided for verifying that the system state is authentic;
FIG. 4 is a schematic diagram of a dual-system architecture of a trusted computing platform supported by TPCM;
FIG. 5 is a block diagram illustrating an architecture of a trusted computing system according to an embodiment of the present application;
FIG. 6 is a diagram of a Grub display interface provided by an embodiment of the present application;
FIG. 7 is a schematic structural diagram of a TPCM interface module according to an embodiment of the present application;
FIG. 8 is a schematic diagram illustrating an architecture of an assistance measurement engine module according to an embodiment of the present application;
FIG. 9 is a block diagram illustrating an architecture of a complete trusted computing system according to an embodiment of the present application;
FIG. 10 is a flowchart illustrating a trusted computing system based measurement method according to an embodiment of the present application;
FIG. 11 is a flowchart illustrating another trusted computing system based measurement method provided in an embodiment of the present application;
FIG. 12 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
With the above figures, there are shown specific embodiments of the present application, which will be described in more detail below. The drawings and written description are not intended to limit the scope of the inventive concepts in any manner, but rather to illustrate the concepts of the application by those skilled in the art with reference to specific embodiments.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the application, as detailed in the appended claims.
In the embodiments of the present application, terms such as "first" and "second" are used to distinguish items that have substantially the same function and action. For example, a first device and a second device are only used to distinguish different devices, and their sequence order is not limited. Those skilled in the art will appreciate that the terms "first," "second," and the like do not denote any order or importance.
It is noted that, in the present application, words such as "exemplary" or "for example" are used to mean exemplary, illustrative, or descriptive. Any embodiment or design described herein as "exemplary" or "e.g.," is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present concepts related in a concrete fashion.
In the present application, "at least one" means one or more, and "a plurality" means two or more. "And/or" describes the association relationship of the associated objects and means that three relationships may exist; for example, A and/or B may mean: A alone, A and B together, or B alone, where A and B may be singular or plural. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of the singular or plural items. For example, at least one (one) of a, b or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b and c may be single or multiple.
Embodiments of the present application will be described below with reference to the accompanying drawings. Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application, and the trusted computing system provided in the present application may be applied to the application scenario shown in fig. 1. The application scenario includes computer terminal equipment and a user. A trusted computing system is installed in the computer terminal equipment and comprises a computing component and a protection component. The computing component comprises a hardware system and a software system; the hardware system is usually a chip, and the software system can acquire data from the hardware system, which can be used for measurement calculation to obtain a measurement result. The protection component comprises Trusted Platform Control Module (TPCM) hardware, TPCM firmware and an active measurement engine; the TPCM hardware stores the algorithm used for measurement, the TPCM firmware is loaded on the TPCM hardware and runs there, and the active measurement engine is used for sending active measurement requests, so that active measurement can be carried out to obtain a measurement result and whether the system is trusted is judged based on that result.
Specifically, if the Ubuntu operating system and the Red Hat operating system are both installed in the computer terminal device, the active measurement engine sends an active measurement request to the computing component. The software system in the computing component may determine, based on the received request, which operating system is selected to be started, obtain the data for measurement from the hardware system, that is, the measurement content, and send the measurement content to the active measurement engine. The active measurement engine performs the measurement calculation and verifies whether the corresponding operating system is trusted; if it is not, it sends an instruction prohibiting the start of the operating system to the computing component so that the corresponding operating system kernel is not started, and correspondingly the computing component may also send alarm information to be displayed visually on the computer terminal device for the user to check.
It should be noted that a trusted computing system is a computer system that can provide reliability, availability, information and behavior security of the system. The reliability and the safety of the system are the two main attributes of the trusted computing at the present stage. Thus, trusted means that the service provided by the computer system is trusted and the trust is demonstrable, and one of the core goals of trust is to ensure the integrity of the system and ensure that the system operates in a set desired state.
Trusted Computing (TC) is a technology promoted and developed by TCG, and is a Trusted Computing platform widely used in Computing and communication systems and based on the support of a hardware security module (TPM), which can improve the security of the entire system. The core idea is that the computer behavior is expected, usually, the startup state information is recorded in the startup process, and the system verifies whether the startup state is expected after running to a certain stage, that is, the TCG defines which contents are recorded at what position and at what data structure.
The TPM can provide a cryptographic operation function for the trusted computing platform, has a storage protection function and comprises hardware configuration such as a platform state register and the like.
In a possible implementation manner, fig. 2 is a system architecture diagram for verifying whether a system state is trusted. As shown in fig. 2, a trusted platform module (TPM) is used as the core hardware of trusted computing and provides its bottom-layer hardware support; it is attached to the computer platform hardware by soldering or as a plug-in card, acts as a Central Processing Unit (CPU) peripheral, and is started by the BIOS. The BIOS is a set of programs stored in a ROM/flash chip on the computer's motherboard; it holds the computer's most important basic input and output routines, the power-on self-test program and the system self-start program, and its main function is to provide the lowest-level, most direct hardware setup and control for the computer. In addition, the BIOS provides some system parameters to the operating system. Because the limitations of the traditional BIOS have become more and more prominent with technical development, it is gradually being replaced by the Unified Extensible Firmware Interface (UEFI). As the replacement for the BIOS, UEFI defines the software interface between the operating system and the system firmware; it is responsible for the power-on self-test, hands over to the operating system, and provides the interface connecting the operating system and the hardware. Firmware following the UEFI specification is abbreviated UEFI or referred to as the UEFI BIOS.
Further, after the UEFI BIOS completes basic hardware initialization after being powered on and started, a TPM device driver is operated to operate TPM hardware, then a trust root is created in the UEFI BIOS, measurement is started step by step and logs are recorded, then the logs are stored in a Platform Configuration Register (PCR), a mode of measuring a previous stage and a next stage is adopted to record a starting state, and then an operating system or an application program on the system is adopted to verify whether the starting state of the Platform meets expectations in combination with a remote server, namely, whether the state of the system is trusted is verified. Where the root of trust is a source that can always be trusted in the cryptographic system.
In the late stage of UEFI BIOS boot, the boot loader package from the GNU project (GNU GRand Unified Bootloader, Grub) is measured and started. After Grub has started, the TPM bottom-layer driver provided by the UEFI BIOS is called inside Grub to encapsulate the TPM device functions; Grub reads the kernel files of operating systems OS1 to OSn and measures them first, records the measurement results in a log and stores them in a PCR (Platform Configuration Register); Grub then selects which operating system to start, and after the corresponding operating system kernel has started, that operating system takes over control and runs.
It should be noted that Grub may select different operating systems for booting, and measures whichever operating system the user is preparing to boot. The commonly adopted method is to read the PCR state and the recorded log after entering the operating system and to verify, by remote attestation or similar means, whether the system startup process went as expected. Grub is one of the most widely used operating system loaders (OS loaders) at present.
However, in the above implementation scheme, the TPM is used in Grub to measure the behavior of the kernel of the operating system, and only information in the operating system to be run is recorded, that is, only static measurement can be performed on resources such as firmware and executable programs of a computer, and active measurement cannot be performed, and a remote server needs to be combined to verify whether the platform startup state meets an expected measurement result, so that when the operating environment is illegally invaded or tampered, the operating system can be started, which causes many hazards and affects the authenticity and reliability of measurement.
In another possible implementation manner, fig. 3 is another provided system architecture diagram for verifying whether the system state is trusted, as shown in fig. 3, the TPCM operates in an "active" mode, and is a first component powered on and running on the platform as a protection component, and is executed independently and in parallel with the computing component, so as to provide active measurement and active control for UEFI in the trusted computing platform, and perform security protection while implementing operations.
Specifically, the TPCM is connected to the computer platform hardware in an independent hardware form, and provides the TPCM hardware in a manner of a Peripheral Component Interconnect express (PCIe) plug-in card, where the TPCM hardware runs corresponding TPCM firmware, the TPCM firmware is a flash plug-in memory chip running firmware on the PCIe card, and the TPCM can ensure that the PCIe card is started and executed before the computer platform hardware by modifying the startup power configuration information, and the TPCM metric agent is a program code deployed in the trusted computing system and can execute static metric and dynamic metric on the trusted computing to obtain the system state information of the trusted computing.
Further, after the TPCM is powered on and started, it performs a TPCM self-check; then the computer platform hardware is started, UEFI initialization is completed and the PCIe device is loaded, that is, TPCM measurement agents are created in UEFI and in Grub using the hardware resources provided by the TPCM. Grub is measured by the TPCM measurement agent in UEFI, and the kernel files of operating systems OS1 to OSn are measured by the TPCM measurement agent in Grub; the security state of the system is learned from the measurement results of the TPCM measurement agents, whether the system state is trusted is verified, and the corresponding operating system is then guided to start.
However, in the above implementation scheme, because a measurement agent mode is used, apart from the measurement of UEFI after it starts first, the remaining parts cannot embody active measurement and active control. In essence, after UEFI starts the TPCM is treated as a special TPM that provides a measurement function similar to the TPM's; whether to measure is not actively decided, the measurement results that are actively verified are limited, and the flexibility is poor.
Unlike the mode provided by the international standards, in which the CPU is powered on first and the trust chain is then established by a cryptographic chip, a trusted computing platform dual-system architecture based on a TPCM chip is provided: the TPCM chip not only provides the domestic SM2, SM3 and SM4 cryptographic functions, but can also be powered on before the CPU, perform integrity measurement on the BIOS before the CPU starts, and perform active control and active measurement based on a predefined algorithm.
For example, fig. 4 is a schematic diagram of a dual-system architecture of a trusted computing platform supported by a TPCM, as shown in fig. 4, the dual-system architecture of the trusted computing platform includes a computing component and a protection component, and a communication connection is established between the computing component and the protection component, where the computing component is formed by components for performing a computational task, and includes a computing component, system firmware, system software, and application software, the system software may obtain corresponding data in the computing component and the system firmware, the data may be used for performing a metric, and the application software may also obtain data required for performing the metric; the protection component is composed of a trusted password module, a TPCM (trusted platform control Module) and a trusted software base, the protection component is independent of the calculation component to execute, the trusted password module stores a predefined algorithm and provides the predefined algorithm for the TPCM, the trusted software base is used for providing a trusted calculation protection function of active measurement and active control characteristics for a trusted calculation platform, namely, measurement calculation is carried out based on data to obtain a measurement result, whether the system is trusted or not is judged by using the measurement result, and the trusted calculation platform dual-system architecture can realize safety protection while calculation is carried out, so that the whole calculation process is controllable and measurable and is not interfered by external factors.
In view of the above, in the embodiments of the present application, with reference to the trusted computing platform dual-system architecture, a trusted computing system is provided in which an active measurement engine in the TPCM sends an active measurement control instruction to the operating system loader; based on that instruction, the operating system loader reads the data to be captured for executing it and sends the data to the active measurement engine, which performs measurement calculation and verification on the data to verify whether the system state is trusted. In this way resources such as the firmware and executable programs of the computer can be actively measured, and the authenticity, reliability and flexibility of measurement are improved. The active measurement engine may be disposed inside the TPCM or in parallel with the TPCM, which is not specifically limited in the embodiments of the present application.
Fig. 5 is a schematic architecture diagram of a trusted computing system according to an embodiment of the present application, and as shown in fig. 5, the trusted computing system includes: the system comprises a trusted platform control module TPCM, an active measurement engine, hardware equipment and an operating system loader;
the operating system loader comprises a TPCM interface module and an assistant measuring engine module, wherein the TPCM interface module is used for packaging corresponding contents to be measured in the hardware equipment based on an active measuring control instruction sent by the active measuring engine and a predefined algorithm in the TPCM; the assistance measurement engine module is used for carrying out scheduling processing and assistance measurement processing on the packaged content to be measured to obtain measurement content, and sending the measurement content to the active measurement engine;
the active measurement engine is used for sending an active measurement control instruction to the TPCM interface module, receiving the measurement content sent by the assistant measurement engine module, and performing measurement verification on the measurement content to verify whether the system state is credible.
In this embodiment of the present application, a trusted platform control module TPCM may be integrated in a trusted computing system, where the TPCM is a basic hardware module that establishes and guarantees a trust origin, and provides functions such as active measurement and active control for the trusted computing system, and the TPCM belongs to an active device, where the TPCM may include TPCM hardware, TPCM firmware, and an active measurement engine, where the TPCM hardware is used to store a predefined algorithm, the TPCM firmware is used to load the predefined algorithm, the predefined algorithm is used to measure a file to be executed, and the active measurement engine may be used to send an active measurement control instruction in a predefined period, and may also send the active measurement control instruction in a starting process.
The measurement may refer to the operation of calculating a hash value of a file to be executed, extending the obtained hash result into a platform configuration register (PCR), and recording the related information as a log entry.
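The measurement step just described, as an added example that is not part of the patent: a file to be executed is hashed, the hash is extended into a PCR-like register, and an event log is kept that a verifier can replay to reproduce the register value. The SHA-256 choice, the all-zero reset value and the sample file contents are assumptions.

```python
import hashlib
from dataclasses import dataclass, field

HASH = hashlib.sha256          # assumption: SHA-256 is the measurement hash
DIGEST_LEN = HASH().digest_size

@dataclass
class Pcr:
    """A single PCR-like register with extend semantics and an event log."""
    value: bytes = field(default_factory=lambda: bytes(DIGEST_LEN))  # reset state: all zeros
    log: list = field(default_factory=list)

    def extend(self, digest: bytes, description: str) -> bytes:
        # extend never overwrites: new = H(old || digest), so order and history both matter
        if len(digest) != DIGEST_LEN:
            raise ValueError("digest width does not match the register")
        self.value = HASH(self.value + digest).digest()
        self.log.append({"description": description, "digest": digest.hex()})
        return self.value

def measure(pcr: Pcr, name: str, content: bytes) -> bytes:
    """Hash a file to be executed, extend the hash into the register and log the event."""
    return pcr.extend(HASH(content).digest(), name)

def replay_log(log: list) -> bytes:
    """What a verifier does with the log: recompute the register from the logged digests."""
    value = bytes(DIGEST_LEN)
    for entry in log:
        value = HASH(value + bytes.fromhex(entry["digest"])).digest()
    return value

def log_is_consistent(pcr: Pcr) -> bool:
    """True when the log reproduces the register value, i.e. no entry was altered or dropped."""
    return replay_log(pcr.log) == pcr.value

# Constructed sample inputs standing in for an operating system kernel file and its configuration.
SAMPLE_KERNEL = b"\x7fELF constructed kernel image bytes"
SAMPLE_CONFIG = b"linux /boot/vmlinuz root=/dev/sda1 quiet"

if __name__ == "__main__":
    pcr = Pcr()
    measure(pcr, "vmlinuz", SAMPLE_KERNEL)
    measure(pcr, "grub.cfg", SAMPLE_CONFIG)
    print("register:", pcr.value.hex())
    print("log replay consistent:", log_is_consistent(pcr))
```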
The OS loader may refer to a loader for booting an OS, such as winloader of the Windows OS, bootx64.EFI of x86-64 PCs and bootia32.EFI of x86-32 PCs; OS loaders also include lilo (Linux Loader), elilo (EFI Linux Loader), Grub, and so on. Grub is one of the most widely used OS loaders at present: it is a multi-boot manager that can select which system to boot when multiple OSs coexist, and can boot OSs such as Unix, Linux and Windows. Grub is therefore used as the example in the embodiments of the present application.
The hardware device includes an untrusted hardware device such as platform hardware, and may also include another trusted hardware device, which is not specifically limited in this embodiment of the present application.
The operating system loader runs on platform hardware. The platform hardware and the TPCM hardware are connected in one of several related ways; a common one is a PCIe card connection, in which the TPCM is connected to the computer hardware platform as a PCIe card, runs before the computer hardware platform by pulling signals such as the power supply, and controls the power-on sequence of the computer platform.
It should be noted that the platform hardware and the TPCM hardware may also be connected through hardware interfaces other than a PCIe card, such as a Serial Peripheral Interface (SPI) or an I2C serial bus, and that besides the PCIe card form the TPCM may also take various forms such as a Baseboard Management Controller (BMC) form, a CPU built-in form, or a coprocessor implemented in software and hardware.
When the TPCM controls the startup of UEFI, UEFI initializes the platform hardware, completes its self-check and boots the operating system loader. The scheme of active measurement within UEFI belongs to the prior art and is not repeated here; this application mainly describes TPCM active measurement in the operating system loader.
Specifically, the operating system loader includes a TPCM interface module and an assistance measurement engine module, which are two newly added function modules. After receiving an active measurement control instruction sent by the active measurement engine, the TPCM interface module may abstract away the differences in the form of the device driver interfaces, encapsulate the related data and commands based on a predefined algorithm in the TPCM, and then send the encapsulated data and commands to the assistance measurement engine module for processing.
When the assistance measurement engine module detects the encapsulated data and commands sent by the TPCM interface module, it can acquire information such as the type, location and attributes of the kernel file of the corresponding operating system, schedule the measurement content of the operating system of the corresponding type based on that information, load the corresponding driver to read the measurement content of the operating system, and then call the TPCM interface module to send the measurement content to the active measurement engine for measurement calculation and verification, so as to verify whether the system state is trusted.
The TPCM interface module can open a channel for communication between the operating system loader and the TPCM, so that related data and commands can be communicated between the operating system loader and the TPCM, and corresponding device drivers are supported according to the connection mode of the TPCM and platform hardware.
Therefore, an embodiment of the present application provides a trusted computing system, which may encapsulate content to be measured corresponding to hardware equipment after receiving an active measurement control instruction sent by an active measurement engine through a TPCM interface module and an assistance measurement engine module in an operating system loader, and then send the encapsulated content to the assistance measurement engine module for scheduling processing and assistance measurement processing to obtain measurement content, and further send the measurement content to the active measurement engine for measurement verification to verify whether a system state is trusted.
In the following, the operating system loader is described as Grub. The main role of the operating system loader is to load and boot an operating system; specifically, its core task is to load the operating system kernel files and boot them into execution. In general, the operating system loader is provided by the operating system vendor: for example, the loader of Linux is lilo, the loader of newer Linux is elilo, and the loader of Windows NT is NT Loader. Because operating systems are of many types, it is troublesome for the BIOS to adapt to the various kinds of loaders, and Grub is a multi-boot manager that can boot Unix, Linux, Windows and other operating systems, so that the booting of the various operating systems can be completed by Grub.
It should be noted that initializing the hardware and booting the operating system is work that the UEFI or the BIOS needs to complete, so the BIOS starts the operating system loader after reaching a certain stage of startup. Specifically, the BIOS is the first component of the computer system to be powered on and run; after completing the early basic initialization, the BIOS further initializes the TPM and establishes the Core Root of Trust for Measurement (CRTM), can further measure the content executed by the BIOS, extend the measurement result into the PCR and record log information, and then starts the operating system loader to obtain the data required for measurement.
Illustratively, fig. 6 is a Grub display interface diagram provided in an embodiment of the present application. As shown in fig. 6, Grub is a multi-boot manager that can load the kernel of the operating system and initialize the operating system, or hand the boot right to the operating system to complete booting; for example, Grub can replace lilo to complete the booting of Linux, supports the display of a boot screen, and executes in a menu-type selection mode, from which it can be seen that a plurality of operating systems can be booted by the boot manager.
Specifically, on the display interface of GNU GRUB version 0.95, the user may move the highlighted entry with the up and down keys, that is, may select "Ubuntu, kernel 2.6.12-9386", "Ubuntu, kernel 2.6.12-9386 (recovery mode)" or "Ubuntu, memory test 86", or may select another operating system such as Windows NT/2000/XP. After selecting an entry on the display interface, the user presses the Enter key to start the selected operating system, presses the 'e' key to edit a command before starting the operating system, or presses the 'c' key to open a command line.
Optionally, the TPCM interface module includes: the bottom layer device driver is used for establishing a channel between the hardware device and the TPCM so as to enable the operating system loader to communicate with the TPCM;
the TPCM function operation module is used for packaging the content to be measured based on the function corresponding to the content to be measured after receiving an active measurement control instruction sent by the active measurement engine in a predefined period; the function is determined based on a predefined algorithm within the TPCM;
the security protocol stack is used for encrypting the packaged content to be measured and sending the encrypted content to be measured to the assistant measurement engine module.
In this embodiment, the underlying device driver supports the device driver corresponding to the connection between the TPCM side and the platform hardware, for example a PCIe device driver or an SPI driver implemented in Grub. Specifically, the underlying device driver opens a channel through which Grub communicates with the TPCM, so that related data and commands can be exchanged between Grub and the TPCM; for example, Grub may obtain a measurement algorithm pre-stored in the TPCM, or the TPCM side may send an active measurement control instruction by way of protocol communication.
The TPCM side is independent and complete, comprises TPCM hardware, TPCM firmware, an active measurement engine and the like, and belongs to the protection component.
The TPCM function operation module is used to abstract away the differences in the forms of the underlying device driver interfaces and to encapsulate specific TPCM function commands, such as the TPCM state and attribute information obtained from the active measurement control instruction received in a predefined period through Grub, where the TPCM state and attribute information are determined by a predefined algorithm.
Since a security protocol stack is needed to transmit the content to be measured between the TPCM and Grub and to ensure that a control command sent by the TPCM is not tampered with, so that the online transmission is encrypted, the TPCM interface module further includes a security protocol stack for encrypting the content to be measured, where the content to be measured includes the active measurement control instruction and the data required for measurement; this is not specifically limited in the embodiment of the present application.
It should be noted that, if the UEFI can provide a device driver interface to Grub, Grub can directly encapsulate the related UEFI content to be measured.
Fig. 7 is an architecture schematic diagram of a TPCM interface module provided in an embodiment of the present application, and as shown in fig. 7, the TPCM interface module includes a bottom device driver, a TPCM function running module, and a security protocol stack, where the bottom device driver is used to establish a communication connection between an operating system loader and the TPCM, so that content to be measured can be communicated between the operating system loader and the TPCM; and the TPCM function operation module is used for packaging the content to be measured based on the function corresponding to the content to be measured, and then transmitting the packaged content to be measured to the security protocol stack for encryption.
Therefore, the TPCM interface module comprises an underlying device driver, a TPCM function operation module and a security protocol stack; through the cooperation of these three functional modules the TPCM and the operating system loader can communicate, and since the active measurement engine sends the active measurement control instruction based on a preset period, active measurement can be performed regularly.
Optionally, the assistance measurement engine module includes a protocol parsing and scheduling module and an assistance measurement processing module; the protocol parsing and scheduling module is used to decrypt the encrypted content to be measured based on a predefined protocol, schedule an operating system file of the corresponding type and send the operating system file to the assistance measurement processing module for processing; the operating system files comprise operating system kernel files and operating system configuration files;
the assistant measurement processing module is used for reading the measurement content in the operating system file and calling the TPCM interface module to send the measurement content to the active measurement engine.
The measurement content includes an operating system kernel file, configuration information, system startup parameters and the like.
In the embodiment of the application, the protocol parsing and scheduling module may parse the encrypted content to be measured sent by the TPCM interface module, that is, decrypt it, and obtain information such as the type, location and attributes of the operating system file from the decrypted content: what the type of the operating system is, for example Windows 10 or Ubuntu 18.4, and where the operating system file to be started is located, whether on a flash memory, a hard disk or a network server. It then schedules the operating system file of the corresponding type and location, where the operating system file includes an operating system kernel file and an operating system configuration file: the operating system kernel file is the file in the system software that provides the hardware abstraction layer, disk and file system control, multitasking and the like, and the operating system configuration file is a computer file used to configure the parameters and initial settings of a computer program.
It should be noted that when the assistance measurement engine module is started, that is, when the encrypted content to be measured sent by the TPCM interface module is received, the assistance measurement engine module may detect the content to be measured and perform parsing and scheduling; for this purpose a relevant protocol is defined in advance between the TPCM and the operating system loader, which describes information such as the type, location and attributes of the operating system file that the TPCM wants the operating system loader to capture.
The assistance measurement processing module loads the corresponding driver to process the operating system file: if the operating system to be started is located on a hard disk, the HDD driver needs to be loaded, and if it is located on a network server, a network protocol stack needs to be loaded. It then reads the kernel file of the operating system, obtains the information required for measurement, such as the configuration information and startup parameters of the operating system, and calls the TPCM interface module to send that information to the active measurement engine.
For example, fig. 8 is a schematic diagram of an architecture of an assistance metric engine module according to an embodiment of the present application; as shown in fig. 8, the assistance metric engine module includes a protocol parsing and scheduling module and an assistance metric processing module, where the protocol parsing and scheduling module is configured to parse protocol contents in contents to be measured and schedule operating system files of corresponding types, and the assistance metric processing module may read metric contents in the operating system files, that is, data to be captured for metric.
Therefore, in the embodiment of the application, the protocol parsing and scheduling module in the assistance measurement engine module cooperates with the assistance measurement processing module to acquire the data required for measurement and send it to the active measurement engine, so that the workload of the operating system loader is reduced and the computer system is convenient to upgrade.
Combining the above embodiments, the flow of the operating system loader is to receive a measurement assistance request (active measurement control instruction) sent by the TPCM side, parse the protocol content, read the data that the measurement request requires to be captured, and send the data to the TPCM. The operating system loader thus sheds the function of the original measurement agent, which reduces the memory usage of the operating system loader and facilitates kernel upgrade and maintenance of the operating system.
Optionally, the active metric engine is disposed in a TPCM service module inside the TPCM, and the TPCM service module is configured to obtain a metric reference value; the active metric engine is specifically configured to:
acquiring measurement content sent by the assistance measurement processing module based on the active measurement control instruction, performing measurement calculation on the measurement content by using a predefined algorithm provided by the TPCM to obtain a measurement result, and performing measurement verification based on the measurement reference value and the measurement result to judge whether the system state is credible;
if the system state is credible, sending an operating system starting instruction to the operating system loader;
and if the system state is not credible, sending an instruction for forbidding starting the operating system to the operating system loader.
In the embodiment of the present application, the predefined algorithm may be used for performing metric calculation, and may also be used for distinguishing the functions corresponding to the content to be measured.
Specifically, the active measurement engine may send an active measurement control instruction to obtain measurement content corresponding to the operating system loader, that is, data required for measurement, and further perform measurement calculation on the measurement content to obtain a measurement result, where the measurement result is used to express an operating system running state, and by comparing the measurement result with a measurement reference value, it may be determined whether the operating system is abnormal, that is, whether the system state is trusted or not, if it is determined that the system state is trusted, an operating system startup instruction is sent to the operating system loader to start a corresponding operating system kernel, and if it is determined that the system state is not trusted, an operating system startup prohibition instruction is sent to the operating system loader to prohibit the operating system kernel from being started, so as to guarantee the security of the computing system.
It should be noted that the active measurement engine is on the TPCM side: it may be disposed in the TPCM service module inside the TPCM, or in parallel with the TPCM while still located in the TPCM service module. Because the active measurement engine is located on the TPCM side, it may be started preferentially, and once started it implements the active measurement and active control behavior, that is, it may send the active measurement control instruction to the operating system loader and the like by way of protocol communication.
Therefore, the embodiment of the application can reduce system coupling by removing the measurement agent function from the operating system loader; that is, the operating system loader no longer needs to perform operations such as comparison with a reference value or remote attestation support, and the active measurement engine performs the measurement calculation and verifies whether the system is trusted. This conforms to the thinking and requirements of the latest national trusted computing standard and provides convenience for system operation.
Optionally, the operating system loader further includes: and the behavior execution module is used for executing corresponding operation based on the control command sent by the TPCM and handing control right to a corresponding operating system.
Specifically, the behavior execution module executes the control command sent from the TPCM side. If the active measurement engine finds an exception after completing the measurement calculation, it sends a prohibiting control command so that the operating system kernel is not started, and the behavior execution module stops booting the operating system to be started; otherwise, the active measurement engine sends a control command permitting startup, and the behavior execution module correctly configures the startup parameters, loads the kernel file of the operating system into memory, and performs a series of actions such as passing control to the operating system kernel.
Therefore, the embodiment of the application can control the start or pause of the operating system through the newly added behavior execution module of the operating system loader, and realize the active control function of the trusted computing system.
Optionally, the behavior execution module executes corresponding operations based on the control command sent by the TPCM, including:
if the control command sent by the TPCM is an operating system starting instruction, acquiring a corresponding starting parameter, starting a corresponding operating system based on the starting parameter, and storing the starting parameter for the next measurement calculation;
and if the control command sent by the TPCM is an instruction for forbidding starting the operating system, forbidding starting of a corresponding operating system kernel, and sending alarm information.
In the embodiment of the present application, the start parameter indicates a parameter required for starting the corresponding operating system, and the alarm information indicates that the corresponding operating system is abnormal; for example, if the operating system has been compromised by malware, the corresponding alarm information is sent.
Exemplarily, in the application scenario of fig. 1, if a protection component in a computer terminal device sends an operating system starting instruction to a computing component, a software system may obtain a corresponding starting parameter, start a corresponding operating system based on the starting parameter, load a hardware system, and store measurement content corresponding to the operating system for the next measurement calculation; if the protection component in the computer terminal equipment sends an instruction for prohibiting starting the operating system to the computing component, the software system can prohibit the corresponding operating system kernel from starting, and sends alarm information in the form of a display frame to be visually displayed in the computer terminal equipment for a user to check.
It should be noted that, in the embodiment of the present application, when the corresponding operating system is started based on the start parameter and the start parameter is stored for the next measurement calculation, the contents such as the kernel file and the configuration information of the corresponding operating system are also stored correspondingly, that is, the measurement content that changes may be stored in real time.
Therefore, the embodiment of the application can execute corresponding operation based on the control command sent by the TPCM, improve the flexibility of system operation, and realize the functions of trusted storage and trusted report of the trusted computing system.
Optionally, the trusted computing system further includes: a TPCM management interface to: and acquiring a measurement reference value which changes in real time from a remote end or acquiring a manually input measurement reference value, and transmitting the acquired measurement reference value to the TPCM service module.
In this application, the metric reference value may refer to a reference value used for determining whether an operating system is abnormally set, and the metric reference value may change due to upgrading of a computer system or continuous operation of the system, so that the metric reference value that changes may be obtained in real time from a remote end such as a cloud, or the metric reference value that is manually input may be obtained to accurately obtain the metric reference value corresponding to the computer system at this time, or the corresponding metric reference value may be obtained by a local server.
Therefore, by setting the TPCM management interface, the embodiment of the application can acquire the updated measurement reference value in real time, and the accuracy of measurement verification is ensured.
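One active measurement round as described in the active measurement engine, behavior execution module and TPCM management interface passages above, modelled as an added example that is not the patent's own code: the TPCM side issues a control instruction naming the files to capture, the loader-side modules read them, the engine compares the measurement content with the reference value, and the behavior execution module either boots with the stored parameters or halts and raises an alarm. The message format, the HMAC check standing in for the security protocol stack (integrity only, no encryption), the in-memory dictionaries standing in for the HDD driver and network protocol stack, and all sample contents are assumptions constructed here.

```python
import hashlib
import hmac
import json

# Assumption: a channel key provisioned between the TPCM and the loader out of band.
SHARED_KEY = b"constructed-tpcm-loader-channel-key"

# Constructed stand-ins for what the HDD driver and the network protocol stack would read.
HARD_DISK = {
    "/boot/vmlinuz": b"\x7fELF constructed kernel image",
    "/boot/grub/grub.cfg": b"linux /boot/vmlinuz root=/dev/sda1 quiet",
}
NETWORK_SERVER = {
    "pxe/vmlinuz": b"\x7fELF constructed netboot kernel",
    "pxe/grub.cfg": b"linux pxe/vmlinuz root=/dev/nfs",
}
STORAGE = {"hard_disk": HARD_DISK, "network_server": NETWORK_SERVER}

# Constructed known-good description of each operating system: location, kernel path, config path.
KNOWN_OS = {
    "ubuntu": ("hard_disk", "/boot/vmlinuz", "/boot/grub/grub.cfg"),
    "netboot": ("network_server", "pxe/vmlinuz", "pxe/grub.cfg"),
}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def boot_params(config: bytes) -> str:
    """Startup parameters are the remainder of the 'linux <kernel> ...' configuration line."""
    return config.split(b" ", 2)[2].decode()

def instruction_for(os_type: str) -> dict:
    """Active measurement control instruction: type, location and attributes of the files to capture."""
    location, kernel_path, config_path = KNOWN_OS[os_type]
    return {"os_type": os_type, "location": location,
            "kernel_path": kernel_path, "config_path": config_path}

# --- TPCM interface module: packaging plus the security protocol stack (integrity only) ---
def package(instruction: dict) -> bytes:
    body = json.dumps(instruction, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, body, hashlib.sha256).digest() + body

def unpack(envelope: bytes) -> dict:
    """Protocol parsing: a tampered control instruction is rejected before anything is scheduled."""
    tag, body = envelope[:32], envelope[32:]
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("active measurement control instruction failed integrity check")
    return json.loads(body)

# --- assistance measurement engine module: scheduling and assistance measurement ---
def assist_measure(envelope: bytes) -> dict:
    instr = unpack(envelope)
    store = STORAGE[instr["location"]]           # "load the HDD driver" or "load the network stack"
    kernel, config = store[instr["kernel_path"]], store[instr["config_path"]]
    return {"os_type": instr["os_type"], "kernel": digest(kernel),
            "config": digest(config), "boot_params": boot_params(config)}

# --- active measurement engine (TPCM side) ---
def build_reference() -> dict:
    """Reference values as the TPCM management interface would provision them (from a known-good snapshot)."""
    reference = {}
    for os_type, (location, kernel_path, config_path) in KNOWN_OS.items():
        store = STORAGE[location]
        reference[os_type] = {"kernel": digest(store[kernel_path]),
                              "config": digest(store[config_path]),
                              "boot_params": boot_params(store[config_path])}
    return reference

def verify(content: dict, reference: dict) -> dict:
    """Measurement verification: every measured item must equal the reference value for that OS."""
    ref = reference.get(content["os_type"])
    trusted = ref is not None and all(content[k] == ref[k] for k in ("kernel", "config", "boot_params"))
    return {"command": "start" if trusted else "prohibit", "os_type": content["os_type"]}

# --- behavior execution module (in the loader) ---
def execute(command: dict, content: dict, saved: dict) -> dict:
    if command["command"] == "start":
        saved[command["os_type"]] = content      # stored for the next measurement calculation
        return {"action": "boot", "boot_params": content["boot_params"]}
    return {"action": "halt", "alarm": f"{command['os_type']}: measurement mismatch, startup prohibited"}

def run_round(instruction: dict, reference: dict, saved: dict) -> dict:
    """Instruction -> loader -> measurement content -> TPCM verification -> control command -> loader."""
    content = assist_measure(package(instruction))
    return execute(verify(content, reference), content, saved)

if __name__ == "__main__":
    reference = build_reference()
    print(run_round(instruction_for("ubuntu"), reference, {}))
```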
With reference to the foregoing embodiments, fig. 9 is a schematic diagram of the architecture of a complete trusted computing system according to an embodiment of the present disclosure. As shown in fig. 9, the TPCM is connected to the computer platform hardware. Compared with the prior art shown in fig. 3, Grub mainly adds three new functional modules, namely a TPCM interface module, an assistance measurement engine module and a behavior execution module, which together support active measurement and the responding control behavior in Grub; the TPCM side mainly includes TPCM hardware, TPCM firmware, a TPCM service module containing the active measurement engine, and a TPCM management interface, and can initiate the active measurement behavior, perform verification, issue control commands, and the like.
In the prior art, a measurement agent function is built into Grub; the measurement operation, active control judgment and reference value comparison are performed by this measurement agent, and operations such as reading the reference value, storing the event log and supporting remote attestation are involved, so that Grub occupies a large amount of memory and its execution is complicated.
Therefore, the trusted computing system provided by the embodiment of the application uses an independent TPCM module (the TPCM side), connected through a high-speed channel, that has complete TPCM basic functions and the related software stack. It can actively send a measurement assistance request and control behavior information to the operating system loader by way of a protocol, realizes a dual system in which the TPCM runs in parallel with the computing system, solves the problem of actively measuring and verifying the kernel files of the operating system, can control kernel execution of the operating system according to the verification result, and guarantees the security of the computer system.
Optionally, the present application further provides a measurement method based on a trusted computing system, which is applied to an operating system loader. Fig. 10 is a schematic flow chart of the measurement method based on the trusted computing system according to the embodiment of the present application; as shown in fig. 10, the operating system loader includes a TPCM interface module and an assistance measurement engine module, and the flow of the measurement method based on the trusted computing system comprises the following steps:
S1001, packaging corresponding contents to be measured in hardware equipment through the TPCM interface module based on an active measurement control instruction sent by an active measurement engine and a predefined algorithm in a trusted platform control module TPCM.
S1002, the assistance measurement engine module performs scheduling processing and assistance measurement processing on the packaged content to be measured to obtain measurement content, and sends the measurement content to the active measurement engine, so that the active measurement engine performs measurement verification based on the received measurement content sent by the assistance measurement engine module to verify whether the system state is credible.
For specific implementation principles and effects of the measurement method based on the trusted computing system provided in the foregoing embodiment, reference may be made to relevant description and effects corresponding to the foregoing embodiment, which are not described in detail herein.
Optionally, the present application further provides a measurement method based on a trusted computing system, which is applied to an active measurement engine, fig. 11 is a schematic flowchart of another measurement method based on a trusted computing system according to an embodiment of the present application, and as shown in fig. 11, a flow of the measurement method based on a trusted computing system includes the following steps:
S1101, sending an active measurement control instruction to a TPCM interface module in an operating system loader.
S1102, receiving measurement content sent by an assistance measurement engine module in the operating system loader, and performing measurement verification on the measurement content to verify whether the system state is credible, wherein the TPCM interface module is used for packaging corresponding content to be measured in the hardware equipment based on the active measurement control instruction sent by the active measurement engine and a predefined algorithm in the trusted platform control module TPCM; the assistance measurement engine module is used for carrying out scheduling processing and assistance measurement processing on the packaged content to be measured to obtain measurement content, and sending the measurement content to the active measurement engine.
For specific implementation principles and effects of the measurement method based on the trusted computing system provided by the above embodiment, reference may be made to relevant descriptions and effects corresponding to the above embodiment, which are not described in detail herein.
An embodiment of the present application further provides a schematic structural diagram of an electronic device, and fig. 12 is a schematic structural diagram of an electronic device provided in an embodiment of the present application, and as shown in fig. 12, the electronic device may include: a processor 1201 and a memory 1202 communicatively coupled to the processor; the memory 1202 stores computer programs; the processor 1201 executes the computer program stored in the memory 1202 to cause the processor 1201 to perform the method according to any of the embodiments described above.
The memory 1202 and the processor 1201 may be connected by a bus 1203.
Embodiments of the present application further provide a computer-readable storage medium, in which computer program execution instructions are stored, and the computer program execution instructions, when executed by a processor, are used to implement the method according to any of the foregoing embodiments of the present application.
The embodiment of the present application further provides a chip for executing the instruction, where the chip is used to execute the method in any of the foregoing embodiments executed by the electronic device in any of the foregoing embodiments of the present application.
Embodiments of the present application also provide a computer program product, which includes a computer program that, when executed by a processor, implements the method performed by the electronic device in any of the foregoing embodiments of the present application.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative: the division into modules is only a logical division, and other divisions may be used in practice; for example, several modules or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the coupling, direct coupling or communication connection shown or discussed between the parts may be realized through interfaces, and the indirect coupling or communication connection between devices or modules may be electrical, mechanical or of another form.
Modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to implement the solution of the present embodiment.
In addition, functional modules in the embodiments of the present application may be integrated into one processing unit, or each module may exist alone physically, or two or more modules are integrated into one unit. The unit formed by the modules can be realized in a hardware form, and can also be realized in a form of hardware and a software functional unit.
The integrated module implemented in the form of a software functional module may be stored in a computer-readable storage medium. The software functional module is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) or a processor to execute some steps of the methods described in the embodiments of the present application.
It should be understood that the processor may be a Central Processing Unit (CPU), another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), etc. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with the present application may be executed directly by a hardware processor, or by a combination of hardware and software modules in the processor.
The memory may include a Random Access Memory (RAM) and may further include a Non-Volatile Memory (NVM), for example at least one magnetic disk memory; it may also be a USB disk, a removable hard disk, a read-only memory, a magnetic disk or an optical disk.
The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, the bus in the figures of the present application is drawn as a single line, which does not mean that there is only one bus or one type of bus.
The storage medium may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as Static Random-Access Memory (SRAM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Erasable Programmable Read-Only Memory (EPROM), Programmable Read-Only Memory (PROM), Read-Only Memory (ROM), magnetic memory, flash memory, a magnetic disk or an optical disk. A storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.
An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor. The processor and the storage medium may reside in an Application Specific Integrated Circuit (ASIC). Alternatively, the processor and the storage medium may reside as discrete components in an electronic device or host device.
The above description is only a specific implementation of the embodiments of the present application, but the scope of the embodiments of the present application is not limited thereto, and any changes or substitutions within the technical scope disclosed in the embodiments of the present application should be covered within the scope of the embodiments of the present application. Therefore, the protection scope of the embodiments of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A trusted computing system, the trusted computing system comprising: the system comprises a trusted platform control module TPCM, an active measurement engine, hardware equipment and an operating system loader;
the TPCM interface module is used for packaging corresponding contents to be measured in the hardware equipment based on an active measurement control instruction sent by the active measurement engine and a predefined algorithm in the TPCM; the assistance measurement engine module is used for carrying out scheduling processing and assistance measurement processing on the packaged content to be measured to obtain measurement content and sending the measurement content to the active measurement engine;
the active measurement engine is configured to send an active measurement control instruction to the TPCM interface module, receive the measurement content sent by the assistance measurement engine module, and perform measurement verification on the measurement content to verify whether a system state is trusted.
2. The trusted computing system of claim 1, wherein the TPCM interface module comprises a bottom-layer device driver, a TPCM function operation module and a security protocol stack; the bottom-layer device driver is used for establishing a channel between the hardware device and the TPCM so as to enable the operating system loader to communicate with the TPCM;
the TPCM function operation module is used for packaging the content to be measured based on the function corresponding to the content to be measured after receiving an active measurement control instruction sent by the active measurement engine in a predefined period; the function is determined based on a predefined algorithm within the TPCM;
the security protocol stack is used for encrypting the packaged content to be measured and sending the encrypted content to be measured to the assistant measurement engine module.
3. The trusted computing system of claim 1, wherein the assistance measurement engine module comprises a protocol analysis and scheduling module and an assistance measurement processing module; the protocol analysis and scheduling module is used for decrypting the encrypted content to be measured based on a predefined protocol, scheduling an operating system file of a corresponding type and sending the operating system file to the assistance measurement processing module for processing; the operating system files comprise operating system kernel files and operating system configuration files;
the assistant measurement processing module is used for reading the measurement content in the operating system file and calling the TPCM interface module to send the measurement content to the active measurement engine.
4. The trusted computing system of claim 3, wherein the active measurement engine is disposed within a TPCM service module internal to the TPCM, the TPCM service module being configured to obtain measurement reference values; the active measurement engine is specifically configured to:
acquiring measurement content sent by the assistance measurement processing module based on the active measurement control instruction, performing measurement calculation on the measurement content by using a predefined algorithm provided by the TPCM to obtain a measurement result, and performing measurement verification based on the measurement reference value and the measurement result to judge whether the system state is credible;
if the system state is credible, sending an operating system starting instruction to the operating system loader;
and if the system state is not credible, sending an operating system starting prohibition instruction to the operating system loader.
5. The trusted computing system of claim 4, wherein the operating system loader further comprises: and the behavior execution module is used for executing corresponding operation based on the control command sent by the TPCM and handing control right to a corresponding operating system.
6. The trusted computing system of claim 5, wherein the behavior execution module performs corresponding operations based on control commands sent by the TPCM, including:
if the control command sent by the TPCM is an operating system starting instruction, acquiring a corresponding starting parameter, starting a corresponding operating system based on the starting parameter, and storing the starting parameter for the next measurement calculation;
and if the control command sent by the TPCM is an instruction for forbidding starting the operating system, forbidding starting of a corresponding operating system kernel, and sending alarm information.
7. The trusted computing system of any one of claims 1-6, wherein the trusted computing system further comprises a TPCM management interface for acquiring a measurement reference value which changes in real time from a remote end, or acquiring a manually input measurement reference value, and sending the acquired measurement reference value to the TPCM service module.
8. A measurement method based on a trusted computing system is applied to an operating system loader, wherein the operating system loader comprises a TPCM interface module and an assistance measurement engine module; the method comprises the following steps:
packaging, through the TPCM interface module, corresponding content to be measured in hardware equipment based on an active measurement control instruction sent by an active measurement engine and a predefined algorithm in a trusted platform control module TPCM;
carrying out, through the assistance measurement engine module, scheduling processing and assistance measurement processing on the packaged content to be measured to obtain measurement content, and sending the measurement content to the active measurement engine, so that the active measurement engine performs measurement verification based on the received measurement content sent by the assistance measurement engine module to verify whether the system state is credible.
9. A measurement method based on a trusted computing system is applied to an active measurement engine, and the method comprises the following steps:
sending an active measurement control instruction to a TPCM interface module in an operating system loader;
receiving measurement content sent by an assistant measurement engine module in an operating system loader, and performing measurement verification on the measurement content to verify whether the system state is credible, wherein the TPCM interface module is used for packaging corresponding content to be measured in hardware equipment based on an active measurement control instruction sent by the active measurement engine and a predefined algorithm in a TPCM (trusted platform control module); the assistance measurement engine module is used for carrying out scheduling processing and assistance measurement processing on the packaged content to be measured to obtain measurement content, and sending the measurement content to the active measurement engine.
10. An electronic device, comprising: a processor, a memory, and a computer program; wherein the computer program is stored in the memory and configured to be executed by the processor, the computer program comprising instructions for performing the trusted computing system based metrology method of claim 8 or 9.
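A runnable sketch of the measurement flow in claims 1 to 7, added here as an illustration and not code from the patent: SHA-256 stands in for the unnamed predefined algorithm, the kernel and configuration files are constructed byte strings, and the security protocol stack's encryption between the two loader modules is left out. It shows the active measurement engine issuing the start or prohibit command, the behavior execution module keeping the start parameters or raising an alarm, and a reference value being replaced through the management interface.

```python
import hashlib

# Control commands the TPCM sends to the operating system loader (claims 4-6).
START_OS, PROHIBIT_OS = "START_OS", "PROHIBIT_OS"

# Constructed stand-ins for the OS kernel file and OS configuration file (claim 3).
OS_FILES = {"kernel": b"constructed-kernel-image", "config": b"root=/dev/sda1 quiet"}

def measure(data: bytes) -> str:
    """Measurement calculation; SHA-256 is assumed, the patent only says 'predefined algorithm'."""
    return hashlib.sha256(data).hexdigest()

def package_content(instruction: dict, hardware: dict) -> dict:
    """TPCM interface module (claim 2): package the content named in the control instruction."""
    return {kind: hardware[kind] for kind in instruction["targets"]}

def schedule_content(packaged: dict) -> list:
    """Assistance measurement engine (claim 3): schedule the kernel before the config file."""
    return [(kind, packaged[kind]) for kind in ("kernel", "config") if kind in packaged]

class ActiveMeasurementEngine:
    """Claim 4: measure the content and verify it against the reference values."""
    def __init__(self, reference_values: dict):
        self.reference_values = dict(reference_values)

    def update_reference(self, kind: str, value: str) -> None:
        """Claim 7: a changed reference value arrives via the TPCM management interface."""
        self.reference_values[kind] = value

    def verify(self, content: list) -> tuple:
        for kind, data in content:
            if measure(data) != self.reference_values.get(kind):
                return PROHIBIT_OS, kind  # report the first item that fails verification
        return START_OS, None

class BehaviorExecutionModule:
    """Claims 5-6: boot on START_OS and keep the parameters; alarm on PROHIBIT_OS."""
    def __init__(self):
        self.stored_params, self.alarms = None, []

    def execute(self, command: str, boot_params: dict) -> str:
        if command == START_OS:
            self.stored_params = boot_params  # kept for the next measurement calculation
            return "booted"
        self.alarms.append("operating system kernel start prohibited")
        return "prohibited"

def active_measurement_cycle(hardware: dict, engine, executor, boot_params: dict) -> tuple:
    """One active measurement round: instruct, package, schedule, verify, execute."""
    packaged = package_content({"targets": ["kernel", "config"]}, hardware)
    command, failed = engine.verify(schedule_content(packaged))
    return executor.execute(command, boot_params), failed
```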
CN202210612298.6A 2022-05-31 2022-05-31 Trusted computing system and measurement method based on trusted computing system Pending CN115906046A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210612298.6A CN115906046A (en) 2022-05-31 2022-05-31 Trusted computing system and measurement method based on trusted computing system

Publications (1)

Publication Number Publication Date
CN115906046A true CN115906046A (en) 2023-04-04

Family

ID=86469862

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210612298.6A Pending CN115906046A (en) 2022-05-31 2022-05-31 Trusted computing system and measurement method based on trusted computing system

Country Status (1)

Country Link
CN (1) CN115906046A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116467721A (en) * 2023-05-25 2023-07-21 合芯科技(苏州)有限公司 CPLD verification method and device, server starting method and server
CN116467721B (en) * 2023-05-25 2023-11-24 合芯科技(苏州)有限公司 CPLD verification method and device, server starting method and server

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination