CN116991671A - DCS controller and trusted start audit log recording method and system thereof - Google Patents


Info

Publication number
CN116991671A
CN116991671A (application CN202310996589.4A)
Authority
CN
China
Prior art keywords
trusted
verification
storage area
audit log
measurement
Prior art date
Legal status
Pending
Application number
CN202310996589.4A
Other languages
Chinese (zh)
Inventor
宋美艳
李业旺
王宾
李滕
李卓
吴龙飞
焦龙
杨渊
柳曦
张军
杨柳
赵阳
巨鸿懿
Current Assignee
Datang Gaohong Xin'an Zhejiang Information Technology Co ltd
Xian Thermal Power Research Institute Co Ltd
Original Assignee
Datang Gaohong Xin'an Zhejiang Information Technology Co ltd
Xian Thermal Power Research Institute Co Ltd
Priority date
Filing date
Publication date
Application filed by Datang Gaohong Xin'an Zhejiang Information Technology Co ltd and Xian Thermal Power Research Institute Co Ltd
Priority to CN202310996589.4A
Publication of CN116991671A
Legal status: Pending

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F11/00 Error detection; Error correction; Monitoring > G06F11/30 Monitoring > G06F11/3065 Monitoring arrangements determined by the means or processing involved in reporting the monitored data > G06F11/3072 Monitoring arrangements determined by the means or processing involved in reporting the monitored data where the reporting involves data filtering, e.g. pattern matching, time or event triggered, adaptive or policy-based reporting
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F11/00 Error detection; Error correction; Monitoring > G06F11/30 Monitoring > G06F11/3065 Monitoring arrangements determined by the means or processing involved in reporting the monitored data
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F9/00 Arrangements for program control, e.g. control units > G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs > G06F9/44 Arrangements for executing specific programs > G06F9/445 Program loading or initiating > G06F9/44505 Configuring for program initiating, e.g. using registry, configuration files

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Quality & Reliability (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention belongs to the field of DCS controllers and discloses a DCS controller together with a method and a system for recording the audit log of its trusted start. During the start-up of the DCS controller, the audit log of the trusted measurement and the audit log of the trusted verification are stored in a global variable of the measurement verification module, and from that global variable they are written respectively into a preset first storage area and a preset second storage area on the nonvolatile memory of the trusted computing module of the DCS controller. A first storage area read-write request and a second storage area read-write request are acquired and verified; once the first storage area read-write request passes verification, the audit log of the trusted measurement in the first storage area may be read and written, and once the second storage area read-write request passes verification, the audit log of the trusted verification in the second storage area may be read and written. The audit log produced during the start-up of the DCS controller can thus be stored safely and effectively.

Description

DCS controller and trusted start audit log recording method and system thereof
Technical Field
The invention belongs to the field of DCS controllers and relates to a DCS controller and a method and system for recording the audit log of its trusted start.
Background
A measurement verification module is arranged in the DCS (Distributed Control System) controllers used in the power generation industry. The module integrates a trusted computing function and performs trusted measurement and trusted verification on each object in the start-up process of the DCS controller, so as to ensure the credibility of the bootstrap program, the operating system kernel and the file system; the audit logs of the trusted measurement and the trusted verification must be stored. How to store the audit logs of the trusted measurement and the trusted verification securely during the trusted start process, so that a third party can audit the trusted measurement and trusted verification process through the logs, is therefore a problem.
At present, the audit logs of the trusted measurement and the trusted verification in the trusted start process are stored by reserving a space in memory in advance, writing the logs into that space during the start-up stage of the DCS controller, and reading and writing that space during audit. However, the data in memory may be tampered with or lost, so the authenticity and integrity of the audit log cannot be guaranteed.
Disclosure of Invention
The invention aims to overcome the defect of the existing method for recording the audit log of the trusted start of a DCS controller, namely that the authenticity and integrity of the audit log cannot be ensured, and provides a DCS controller together with a method and a system for recording the audit log of its trusted start.
In order to achieve the purpose, the invention is realized by adopting the following technical scheme:
the first aspect of the invention provides an audit log recording method for the trusted start of a DCS controller, comprising the following steps: during the start-up of the DCS controller, the audit log of the trusted measurement and the audit log of the trusted verification are stored in the global variable of the measurement verification module, where the audit log of the trusted measurement and the audit log of the trusted verification are generated by the measurement verification module of the DCS controller performing trusted measurement on each object requiring trusted measurement and trusted verification on each object requiring trusted verification, respectively; after all objects requiring trusted measurement and trusted verification have completed their trusted measurement and trusted verification, the audit log of the trusted measurement and the audit log of the trusted verification are written from the global variable of the measurement verification module into a preset first storage area and a preset second storage area, respectively, on the nonvolatile memory of the trusted computing module of the DCS controller; a first storage area read-write request is acquired and verified, and after it passes verification the audit log of the trusted measurement in the first storage area may be read and written; and a second storage area read-write request is acquired and verified, and after it passes verification the audit log of the trusted verification in the second storage area may be read and written.
Optionally, the method further comprises: two storage areas are created on a nonvolatile memory of a trusted computing module of the DCS controller and are respectively used as a preset first storage area and a preset second storage area.
Optionally, the audit log of the trusted measurement includes one or more of: the measurement time, a unique log record code of the measuring operation, the measuring source name, the measured object name, the PCR value corresponding to the measured object, the hash algorithm used for the measurement, and the measured hash value of the measured object.
Optionally, the audit log of the trusted verification includes one or more of: the verification time, a unique log record code of the verification operation, the verified object name, the PCR value corresponding to the verified object, the hash algorithm used for the verified object, the trusted state of the verified object, the measurement value of the verified object, and the reference value of the verified object.
Optionally, the method further comprises: after the audit log of the trusted measurement has been written from the global variable of the measurement verification module into the preset first storage area, deleting the audit log of the trusted measurement from the global variable; and after the audit log of the trusted verification has been written from the global variable of the measurement verification module into the preset second storage area, deleting the audit log of the trusted verification from the global variable.
Optionally, acquiring and verifying the first storage area read-write request includes: acquiring the first storage area read-write request and obtaining a first verification password from it; when the first verification password is identical to the preset first storage area verification password, the first storage area read-write request passes verification, otherwise it fails verification. Acquiring and verifying the second storage area read-write request includes: acquiring the second storage area read-write request and obtaining a second verification password from it; when the second verification password is identical to the preset second storage area verification password, the second storage area read-write request passes verification, otherwise it fails verification.
In a second aspect of the present invention, an audit log recording system for the trusted start of a DCS controller is provided, comprising: a temporary storage module, which stores the audit log of the trusted measurement and the audit log of the trusted verification in the global variable of the measurement verification module during the start-up of the DCS controller, where the audit log of the trusted measurement and the audit log of the trusted verification are generated by the measurement verification module of the DCS controller performing trusted measurement on each object requiring trusted measurement and trusted verification on each object requiring trusted verification, respectively; a storage module, which, after all objects requiring trusted measurement and trusted verification have completed their trusted measurement and trusted verification, writes the audit log of the trusted measurement and the audit log of the trusted verification from the global variable of the measurement verification module into a preset first storage area and a preset second storage area, respectively, on the nonvolatile memory of the trusted computing module of the DCS controller; and a read-write control module, which acquires and verifies the first storage area read-write request and, after it passes verification, allows the audit log of the trusted measurement in the first storage area to be read and written, and which acquires and verifies the second storage area read-write request and, after it passes verification, allows the audit log of the trusted verification in the second storage area to be read and written.
Optionally, the system further comprises a memory area creation module, which is used for creating two memory areas on the nonvolatile memory of the trusted computing module of the DCS controller, wherein the two memory areas are respectively used as a preset first memory area and a preset second memory area.
Optionally, the temporary storage module and the storage module are both disposed in a measurement verification module of the DCS controller.
In a third aspect of the present invention, a DCS controller is provided, in which the above-mentioned audit log recording system for the trusted start of the DCS controller is provided.
Compared with the prior art, the invention has the following beneficial effects:
the audit log recording method for the trusted start of a DCS controller according to the invention first stores the audit log of the trusted measurement and the audit log of the trusted verification in a global variable of the measurement verification module; after all objects requiring trusted measurement and trusted verification have completed their trusted measurement and trusted verification, it writes the audit log of the trusted measurement and the audit log of the trusted verification from that global variable into the first storage area and the second storage area preset on the nonvolatile memory of the trusted computing module of the DCS controller, respectively; and it then grants read and write access to the audit log of the trusted measurement in the first storage area and the audit log of the trusted verification in the second storage area only after the first storage area read-write request and the second storage area read-write request, respectively, have passed verification. As a result, the audit logs produced during the start-up of the DCS controller are stored safely and effectively, a third party can conveniently audit the trusted verification and trusted measurement process, the credibility of the DCS controller can be proved to a trusted third party, the DCS controller is protected against malicious tampering, and the safety of the power generation system is guaranteed.
Drawings
FIG. 1 is a flowchart of an audit log recording method for trusted boot of a DCS controller according to an embodiment of the present invention.
FIG. 2 is a schematic diagram of an audit log recording method for trusted boot of a DCS controller according to an embodiment of the present invention.
FIG. 3 is a block diagram of an audit log recording system for trusted boot of a DCS controller according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The invention is described in further detail below with reference to the attached drawing figures:
referring to fig. 1 and 2, in an embodiment of the present invention, an audit log recording method for trusted start of a DCS controller is provided, which can safely and effectively store an audit log during the start process of the DCS controller. Specifically, the method for recording the audit log of the trusted start of the DCS controller comprises the following steps:
S1: during the start-up of the DCS controller, the audit log of the trusted measurement and the audit log of the trusted verification are stored in the global variable of the measurement verification module, where the audit log of the trusted measurement and the audit log of the trusted verification are generated by the measurement verification module of the DCS controller performing trusted measurement on each object requiring trusted measurement and trusted verification on each object requiring trusted verification, respectively.
S2: after all objects requiring trusted measurement and trusted verification have completed their trusted measurement and trusted verification, the audit log of the trusted measurement and the audit log of the trusted verification are written from the global variable of the measurement verification module into a preset first storage area and a preset second storage area, respectively, on the nonvolatile memory of the trusted computing module of the DCS controller.
S3: a first storage area read-write request is acquired and verified, and after it passes verification the audit log of the trusted measurement in the first storage area may be read and written; and a second storage area read-write request is acquired and verified, and after it passes verification the audit log of the trusted verification in the second storage area may be read and written.
In summary, the audit log recording method for the trusted start of the DCS controller according to the present invention stores the audit log of the trusted measurement and the audit log of the trusted verification in the global variable of the measurement verification module; after all objects requiring trusted measurement and trusted verification have completed their trusted measurement and trusted verification, it writes the audit log of the trusted measurement and the audit log of the trusted verification from that global variable into the preset first storage area and the preset second storage area, respectively, on the nonvolatile memory of the trusted computing module of the DCS controller; and it then grants read and write access to the audit log of the trusted measurement in the first storage area and the audit log of the trusted verification in the second storage area only after the first storage area read-write request and the second storage area read-write request, respectively, have passed verification. As a result, the audit logs produced during the start-up of the DCS controller are stored safely and effectively, a third party can conveniently audit the trusted verification and trusted measurement process, the credibility of the DCS controller can be proved to a trusted third party, the DCS controller is protected against malicious tampering, and the safety of the power generation system is guaranteed.
In one possible implementation, the audit log recording method for the trusted start of the DCS controller further includes the following step: two storage areas are created on the nonvolatile memory of the trusted computing module of the DCS controller and serve as the preset first storage area and the preset second storage area, respectively.
Specifically, two storage areas NV1 and NV2 are created on the nonvolatile memory of the trusted computing module through an interface provided by the trusted computing module, and are used respectively to store the audit log of the trusted measurement and the audit log of the trusted verification of the trusted start. Because data held in nonvolatile memory does not disappear when power is removed, the nonvolatile memory ensures the security of the audit log of the trusted measurement and the audit log of the trusted verification.
Two separate storage areas are used for the audit log of the trusted measurement and the audit log of the trusted verification for two reasons: first, the size of a single storage space is limited, so it is inconvenient to store all logs in one space at the same time; second, the log format within one space is uniform, so if the audit log of the trusted measurement and the audit log of the trusted verification were put together, their different formats would require different processing and increase the processing difficulty.
In one possible implementation, the audit log of the trusted measurement includes one or more of: the measurement time, a unique log record code of the measuring operation, the measuring source name, the measured object name, the PCR value corresponding to the measured object, the hash algorithm used for the measurement, and the measured hash value of the measured object. Optionally, the audit log of the trusted verification includes one or more of: the verification time, a unique log record code of the verification operation, the verified object name, the PCR value corresponding to the verified object, the hash algorithm used for the verified object, the trusted state of the verified object, the measurement value of the verified object, and the reference value of the verified object.
In one possible implementation, the audit log recording method for the trusted start of the DCS controller further includes: after the audit log of the trusted measurement has been written from the global variable of the measurement verification module into the preset first storage area, deleting the audit log of the trusted measurement from the global variable; and after the audit log of the trusted verification has been written from the global variable of the measurement verification module into the preset second storage area, deleting the audit log of the trusted verification from the global variable.
Specifically, after the measurement verification module has completed the trusted measurement and trusted verification operations of all objects, the audit logs of all objects are held temporarily in a global variable of the measurement verification module; the contents of the audit log of the trusted measurement and the audit log of the trusted verification are organized according to a preset format and written in one operation into the first storage area NV1 and the second storage area NV2 of the trusted computing module for persistent storage; and the global variable is then emptied to release its space and to ensure that the audit logs cannot be stolen from it, which guarantees the security of the audit logs.
In one possible implementation, acquiring and verifying the first storage area read-write request includes: acquiring the first storage area read-write request and obtaining a first verification password from it; when the first verification password is identical to the preset first storage area verification password, the first storage area read-write request passes verification, otherwise it fails verification. Acquiring and verifying the second storage area read-write request includes: acquiring the second storage area read-write request and obtaining a second verification password from it; when the second verification password is identical to the preset second storage area verification password, the second storage area read-write request passes verification, otherwise it fails verification.
Specifically, the authorization mechanism of the trusted computing module controls the reading and writing of the first storage area NV1 and the second storage area NV2, so that a storage area can be read and written only by an object that holds the correct verification password; a third party is thereby prevented from reading and writing the storage areas at will, and the storage security and credibility of the storage areas are ensured.
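The flow of steps S1 to S3, with the two storage areas NV1 and NV2 and the password check on every read-write request, as one runnable software model in Python. This is an added example and is not code from the patent or its assignees. The record field names follow the patent's optional field lists; the record types, the JSON encoding, the TPM-style PCR extend, the `NvArea` class and its hashed-password check, the sample boot objects and their PCR assignment are all assumptions of this example and do not correspond to any specific trusted computing module API.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, asdict
from typing import Dict, List

# Record layouts: field lists follow the patent's optional fields; types and
# JSON encoding are assumptions of this example.
@dataclass
class MeasurementLog:
    time: int        # measurement time
    record_id: str   # unique log record code of the measuring operation
    source: str      # measuring source name
    obj: str         # measured object name
    pcr: int         # PCR index corresponding to the measured object
    hash_alg: str    # hash algorithm used for the measurement
    digest: str      # measured hash value of the object

@dataclass
class VerificationLog:
    time: int        # verification time
    record_id: str   # unique log record code of the verification operation
    obj: str         # verified object name
    pcr: int         # PCR index corresponding to the verified object
    hash_alg: str    # hash algorithm used for the verified object
    trusted: bool    # trusted state of the verified object
    measured: str    # measurement value of the verified object
    reference: str   # reference value of the verified object

# Step S1: global variables of the measurement verification module hold the
# records produced while the controller boots (temporary storage).
MEASUREMENT_LOGS: List[MeasurementLog] = []
VERIFICATION_LOGS: List[VerificationLog] = []
_PCRS: Dict[int, bytes] = {}   # simulated PCR bank (assumed TPM-style extend)

def _extend(pcr: int, digest: bytes, hash_alg: str) -> None:
    """PCR extend: new_value = H(old_value || digest), starting from all-zero."""
    old = _PCRS.get(pcr, bytes(hashlib.new(hash_alg).digest_size))
    _PCRS[pcr] = hashlib.new(hash_alg, old + digest).digest()

def measure(source: str, obj: str, data: bytes, pcr: int, hash_alg: str = "sha256") -> str:
    """Measure one boot object, extend its PCR and append a measurement record."""
    digest = hashlib.new(hash_alg, data).hexdigest()
    _extend(pcr, bytes.fromhex(digest), hash_alg)
    rec_id = f"M-{len(MEASUREMENT_LOGS) + 1:04d}"
    MEASUREMENT_LOGS.append(MeasurementLog(int(time.time()), rec_id, source, obj, pcr, hash_alg, digest))
    return digest

def verify(obj: str, pcr: int, hash_alg: str, measured: str, reference: str) -> bool:
    """Compare a measurement with its reference value and append a verification record."""
    trusted = hmac.compare_digest(measured, reference)
    rec_id = f"V-{len(VERIFICATION_LOGS) + 1:04d}"
    VERIFICATION_LOGS.append(VerificationLog(int(time.time()), rec_id, obj, pcr, hash_alg, trusted, measured, reference))
    return trusted

# Steps S2 and S3: a software model of the trusted computing module's nonvolatile
# storage areas; every read and write request must carry that area's preset
# verification password (model assumed here, not a specific TPM/TCM API).
class NvArea:
    def __init__(self, name: str, password: bytes, size: int) -> None:
        self.name = name
        self._auth = hashlib.sha256(password).digest()   # keep only a hash of the preset password
        self._size = size
        self._data = b""

    def _authorized(self, password: bytes) -> bool:
        return hmac.compare_digest(hashlib.sha256(password).digest(), self._auth)

    def write(self, password: bytes, payload: bytes) -> None:
        if not self._authorized(password):
            raise PermissionError(f"{self.name}: write request failed verification")
        if len(payload) > self._size:
            raise ValueError(f"{self.name}: {len(payload)} bytes exceed the area size {self._size}")
        self._data = payload

    def read(self, password: bytes) -> bytes:
        if not self._authorized(password):
            raise PermissionError(f"{self.name}: read request failed verification")
        return self._data

def persist_and_clear(nv1: NvArea, pw1: bytes, nv2: NvArea, pw2: bytes) -> None:
    """Step S2: write both logs in one operation to NV1 and NV2, then empty the globals."""
    nv1.write(pw1, json.dumps([asdict(r) for r in MEASUREMENT_LOGS]).encode())
    nv2.write(pw2, json.dumps([asdict(r) for r in VERIFICATION_LOGS]).encode())
    MEASUREMENT_LOGS.clear()
    VERIFICATION_LOGS.clear()

def run_trusted_boot(pw1: bytes, pw2: bytes) -> dict:
    """Whole flow over constructed boot objects; returns what a post-boot audit reads back."""
    MEASUREMENT_LOGS.clear(); VERIFICATION_LOGS.clear(); _PCRS.clear()
    # Constructed sample objects and the reference values a good image would yield.
    good = {"bootstrap": b"boot loader image (sample)", "kernel": b"kernel image (sample)",
            "filesystem": b"root file system (sample)"}
    references = {name: hashlib.sha256(data).hexdigest() for name, data in good.items()}
    loaded = dict(good)
    loaded["kernel"] = b"kernel image (sample, altered)"   # constructed tampering: this check fails
    pcrs = {"bootstrap": 0, "kernel": 4, "filesystem": 8}   # assumed PCR assignment
    for name, data in loaded.items():
        digest = measure("measurement verification module", name, data, pcrs[name])
        verify(name, pcrs[name], "sha256", digest, references[name])
    nv1, nv2 = NvArea("NV1", pw1, 4096), NvArea("NV2", pw2, 4096)
    persist_and_clear(nv1, pw1, nv2, pw2)
    # Post-boot audit through an OS-level interface: read back with the correct passwords.
    measured = json.loads(nv1.read(pw1))
    verified = json.loads(nv2.read(pw2))
    return {"measurement_records": len(measured), "verification_records": len(verified),
            "trusted": {r["obj"]: r["trusted"] for r in verified},
            "globals_empty": not MEASUREMENT_LOGS and not VERIFICATION_LOGS,
            "nv1": nv1, "nv2": nv2}
```

Calling `run_trusted_boot(b"nv1-secret", b"nv2-secret")` returns three measurement and three verification records, with the altered kernel marked untrusted and both global lists empty after the write; a later `nv1.read(b"wrong")` raises `PermissionError`, which is the behaviour of the patent's read-write request verification. Keeping the two areas separate also keeps the two record formats separate, matching the reason the description gives for using NV1 and NV2.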
In summary, the audit log recording method for the trusted start of the DCS controller uses the storage root of trust of the trusted computing module to create two storage areas on the module's nonvolatile memory, one for the audit log of the trusted measurement and the other for the audit log of the trusted verification, and uses the authorization mechanism of the trusted computing module to control reading and writing of those areas, so that no third-party program can read or write the log storage areas at will and the security of the audit logs is ensured. Once the trusted measurement and trusted verification of each object have been completed during the start-up of the DCS controller, the audit log contents are organized according to a preset format and stored in the allocated storage areas of the nonvolatile memory; after the system has started, a corresponding interface is provided at the operating system layer that a third-party program can call to read the audit log of the trusted measurement and the audit log of the trusted verification from the nonvolatile memory storage areas for audit.
The following are device embodiments of the present invention that may be used to perform method embodiments of the present invention. For details not disclosed in the apparatus embodiments, please refer to the method embodiments of the present invention.
Referring to fig. 3, in yet another embodiment of the present invention, an audit log recording system for the trusted start of a DCS controller is provided, which can be used to implement the above-mentioned audit log recording method for the trusted start of the DCS controller. Specifically, the system includes a temporary storage module, a storage module and a read-write control module.
The temporary storage module stores the audit log of the trusted measurement and the audit log of the trusted verification in the global variable of the measurement verification module during the start-up of the DCS controller, where the audit log of the trusted measurement and the audit log of the trusted verification are generated by the measurement verification module of the DCS controller performing trusted measurement on each object requiring trusted measurement and trusted verification on each object requiring trusted verification, respectively. The storage module, after all objects requiring trusted measurement and trusted verification have completed their trusted measurement and trusted verification, writes the audit log of the trusted measurement and the audit log of the trusted verification from the global variable of the measurement verification module into the preset first storage area and the preset second storage area, respectively, on the nonvolatile memory of the trusted computing module of the DCS controller. The read-write control module acquires and verifies the first storage area read-write request and, after it passes verification, allows the audit log of the trusted measurement in the first storage area to be read and written; it also acquires and verifies the second storage area read-write request and, after it passes verification, allows the audit log of the trusted verification in the second storage area to be read and written.
In one possible implementation, the audit log recording system for the trusted start of the DCS controller further includes a storage area creation module for creating two storage areas on the nonvolatile memory of the trusted computing module of the DCS controller, serving as the preset first storage area and the preset second storage area, respectively.
In one possible embodiment, the temporary storage module and the storage module are both disposed within the measurement verification module of the DCS controller.
For the details of each step in the foregoing embodiment of the audit log recording method for the trusted start of the DCS controller, reference may be made to the functional description of the corresponding functional module of the audit log recording system for the trusted start of the DCS controller in the embodiment of the present invention; they are not repeated here.
The division of the modules in the embodiments of the present invention is schematically only one logic function division, and there may be another division manner in actual implementation, and in addition, each functional module in each embodiment of the present invention may be integrated in one processor, or may exist separately and physically, or two or more modules may be integrated in one module. The integrated modules may be implemented in hardware or in software functional modules.
In still another embodiment of the present invention, a DCS controller is provided, in which the above-mentioned audit log recording system for trusted start of the DCS controller is provided.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting them; although the present invention has been described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that modifications and equivalents may be made to the specific embodiments of the invention without departing from its spirit and scope, which are intended to be covered by the claims.

Claims (10)

1. An audit log recording method for trusted start of a DCS controller, characterized by comprising the following steps:
during the start-up of the DCS controller, storing the trusted measurement audit log and the trusted verification audit log in a global variable of the measurement verification module; wherein the trusted measurement audit log and the trusted verification audit log are generated by the measurement verification module of the DCS controller performing trusted measurement on each object requiring trusted measurement and trusted verification on each object requiring trusted verification, respectively;
after all objects requiring trusted measurement and trusted verification have completed their trusted measurement and trusted verification, writing the trusted measurement audit log and the trusted verification audit log from the global variable of the measurement verification module into a preset first storage area and a preset second storage area, respectively, on the nonvolatile memory of the trusted computing module of the DCS controller;
acquiring and verifying a first storage area read-write request, and allowing the trusted measurement audit log in the first storage area to be read and written after the first storage area read-write request passes verification; and acquiring and verifying a second storage area read-write request, and allowing the trusted verification audit log in the second storage area to be read and written after the second storage area read-write request passes verification.
2. The audit log recording method for trusted start of a DCS controller according to claim 1, further comprising:
creating two storage areas on the nonvolatile memory of the trusted computing module of the DCS controller, to serve respectively as the preset first storage area and the preset second storage area.
3. The audit log recording method for trusted start of a DCS controller according to claim 1, wherein the trusted measurement audit log comprises one or more of the following: the measurement time, a unique log record code of the measurement operation, the measurement source name, the measurement object name, the PCR value corresponding to the measurement object, the hash algorithm used for the measurement, and the measurement hash value of the measurement object.
4. The audit log recording method for trusted start of a DCS controller according to claim 1, wherein the trusted verification audit log comprises one or more of the following: the verification time, a unique log record code of the verification operation, the verification object name, the PCR value corresponding to the verification object, the hash algorithm used for the verification object, the trusted state of the verification object, the measurement value of the verification object, and the reference value of the verification object.
5. The audit log recording method for trusted start of a DCS controller according to claim 1, further comprising:
after the trusted measurement audit log has been written from the global variable of the measurement verification module into the preset first storage area, deleting the trusted measurement audit log from the global variable of the measurement verification module;
and after the trusted verification audit log has been written from the global variable of the measurement verification module into the preset second storage area, deleting the trusted verification audit log from the global variable of the measurement verification module.
6. The audit log recording method for trusted start of a DCS controller according to claim 1, wherein acquiring and verifying the first storage area read-write request comprises:
acquiring a first storage area read-write request, and obtaining a first verification password from the first storage area read-write request;
when the first verification password is identical to the preset first storage area verification password, the first storage area read-write request passes verification; otherwise, the first storage area read-write request fails verification;
and acquiring and verifying the second storage area read-write request comprises:
acquiring a second storage area read-write request, and obtaining a second verification password from the second storage area read-write request;
when the second verification password is identical to the preset second storage area verification password, the second storage area read-write request passes verification; otherwise, the second storage area read-write request fails verification.
7. An audit log recording system for trusted start of a DCS controller, comprising:
a temporary storage module, configured to store the trusted measurement audit log and the trusted verification audit log in a global variable of the measurement verification module during the start-up of the DCS controller; wherein the trusted measurement audit log and the trusted verification audit log are generated by the measurement verification module of the DCS controller performing trusted measurement on each object requiring trusted measurement and trusted verification on each object requiring trusted verification, respectively;
a storage module, configured to write the trusted measurement audit log and the trusted verification audit log from the global variable of the measurement verification module into a preset first storage area and a preset second storage area, respectively, on the nonvolatile memory of the trusted computing module of the DCS controller, after all objects requiring trusted measurement and trusted verification have completed their trusted measurement and trusted verification;
a read-write control module, configured to acquire and verify a first storage area read-write request and allow the trusted measurement audit log in the first storage area to be read and written after the first storage area read-write request passes verification, and to acquire and verify a second storage area read-write request and allow the trusted verification audit log in the second storage area to be read and written after the second storage area read-write request passes verification.
8. The system according to claim 7, further comprising a storage area creation module configured to create two storage areas on the nonvolatile memory of the trusted computing module of the DCS controller, to serve respectively as the preset first storage area and the preset second storage area.
9. The system according to claim 7, wherein the temporary storage module and the storage module are both disposed within the measurement verification module of the DCS controller.
10. A DCS controller, wherein the audit log recording system according to any one of claims 7 to 9 is provided in the DCS controller.
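The flow claimed above (logs held in the measurement verification module's globals during start-up, flushed to two separately gated nonvolatile areas once every object has been measured and verified, then cleared from the globals) can be modelled end to end in a few dozen lines. The following is an added example written for this page, not code from the patent or from the applicants; every class and function name, the choice of SHA-256, the "boot-measurer" source name, the constructed object contents and the constructed area passwords are assumptions. It reads the two password checks of claim 6 as a constant-time comparison, which is the defensive way to implement an equality check on a secret; a real trusted computing module would normally gate its NV areas with its own authorization mechanism rather than a bare password.

```python
# Added example (not the patent's code): a model of the two-stage audit log flow in
# claims 1-6. Names, SHA-256, and all sample inputs are constructed assumptions.
import hashlib
import hmac
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List


@dataclass
class MeasurementRecord:
    """Fields listed in claim 3 for one trusted measurement audit log entry."""
    time: str
    record_id: str
    source: str
    obj: str
    pcr: int
    hash_alg: str
    digest: str


@dataclass
class VerificationRecord:
    """Fields listed in claim 4 for one trusted verification audit log entry."""
    time: str
    record_id: str
    obj: str
    pcr: int
    hash_alg: str
    trusted: bool
    measured: str
    reference: str


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


class MeasurementVerificationModule:
    """Its two lists play the role of the 'global variable' that holds both logs
    during start-up (claim 1) until they are flushed to nonvolatile memory."""

    def __init__(self) -> None:
        self.measure_log: List[MeasurementRecord] = []
        self.verify_log: List[VerificationRecord] = []
        self._seq = 0

    def _next_id(self, prefix: str) -> str:
        self._seq += 1
        return f"{prefix}-{self._seq:06d}"  # unique log record code (claims 3 and 4)

    def measure(self, source: str, obj: str, data: bytes, pcr: int) -> str:
        digest = hashlib.sha256(data).hexdigest()
        self.measure_log.append(MeasurementRecord(
            _now(), self._next_id("M"), source, obj, pcr, "sha256", digest))
        return digest

    def verify(self, obj: str, pcr: int, measured: str, reference: str) -> bool:
        # Constant-time comparison: the trusted/untrusted decision must not leak timing.
        trusted = hmac.compare_digest(measured, reference)
        self.verify_log.append(VerificationRecord(
            _now(), self._next_id("V"), obj, pcr, "sha256", trusted, measured, reference))
        return trusted


class TrustedComputingModuleNV:
    """Stand-in for the trusted computing module's nonvolatile memory: two areas
    (claim 2), each gated by its own preset verification password (claim 6)."""

    def __init__(self, first_area_password: bytes, second_area_password: bytes) -> None:
        self._areas: Dict[int, List[dict]] = {1: [], 2: []}
        self._passwords = {1: first_area_password, 2: second_area_password}

    def _request_passes(self, area: int, password: bytes) -> bool:
        return hmac.compare_digest(self._passwords[area], password)

    def write(self, area: int, password: bytes, records: list) -> int:
        if not self._request_passes(area, password):
            raise PermissionError(f"storage area {area}: read-write request failed verification")
        self._areas[area].extend(asdict(r) for r in records)
        return len(self._areas[area])

    def read(self, area: int, password: bytes) -> List[dict]:
        if not self._request_passes(area, password):
            raise PermissionError(f"storage area {area}: read-write request failed verification")
        return list(self._areas[area])


def trusted_start(mvm, nv, pw1, pw2, objects, references):
    """Claims 1 and 5: measure and verify every object first, then flush both logs
    from the module's globals into the two NV areas and delete them from the globals."""
    for obj, data, pcr in objects:
        digest = mvm.measure("boot-measurer", obj, data, pcr)
        mvm.verify(obj, pcr, digest, references[obj])
    n_measure = nv.write(1, pw1, mvm.measure_log)
    n_verify = nv.write(2, pw2, mvm.verify_log)
    mvm.measure_log.clear()
    mvm.verify_log.clear()
    return n_measure, n_verify


def demo() -> dict:
    """Run the flow on constructed sample objects; the second reference value is
    deliberately wrong so the verification log records an untrusted object."""
    objects = [("kernel", b"constructed kernel image", 8),
               ("control-app", b"constructed control application", 9)]
    references = {"kernel": hashlib.sha256(b"constructed kernel image").hexdigest(),
                  "control-app": hashlib.sha256(b"tampered control application").hexdigest()}
    pw1, pw2 = b"area1-password-constructed", b"area2-password-constructed"
    mvm = MeasurementVerificationModule()
    nv = TrustedComputingModuleNV(pw1, pw2)
    counts = trusted_start(mvm, nv, pw1, pw2, objects, references)
    try:
        nv.read(1, b"wrong-password")
        rejected = False
    except PermissionError:
        rejected = True
    return {
        "written": counts,
        "globals_cleared": not mvm.measure_log and not mvm.verify_log,
        "trusted_states": [r["trusted"] for r in nv.read(2, pw2)],
        "measurement_objects": [r["obj"] for r in nv.read(1, pw1)],
        "wrong_password_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Two points the model makes visible: the untrusted result for the second object is still recorded (the log is evidence, not a gate), and a request carrying the wrong area password is refused before any record is returned, which is the behaviour claim 6 describes.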
CN202310996589.4A 2023-08-08 2023-08-08 DCS controller and trusted start audit log recording method and system thereof Pending CN116991671A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310996589.4A CN116991671A (en) 2023-08-08 2023-08-08 DCS controller and trusted start audit log recording method and system thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310996589.4A CN116991671A (en) 2023-08-08 2023-08-08 DCS controller and trusted start audit log recording method and system thereof

Publications (1)

Publication Number Publication Date
CN116991671A true CN116991671A (en) 2023-11-03

Family

ID=88521084

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310996589.4A Pending CN116991671A (en) 2023-08-08 2023-08-08 DCS controller and trusted start audit log recording method and system thereof

Country Status (1)

Country Link
CN (1) CN116991671A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117195206A (en) * 2023-11-06 2023-12-08 西安热工研究院有限公司 Method, system, equipment and medium for acquiring trusted state of DCS controller in real time

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117195206A (en) * 2023-11-06 2023-12-08 西安热工研究院有限公司 Method, system, equipment and medium for acquiring trusted state of DCS controller in real time
CN117195206B (en) * 2023-11-06 2024-01-26 西安热工研究院有限公司 Method, system, equipment and medium for acquiring trusted state of DCS controller in real time

Similar Documents

Publication Publication Date Title
US8719580B2 (en) Data verification method
KR20140068867A (en) System and method for validating components during a booting process
CN110990045A (en) double-BMC FLASH upgrading method and equipment
CN102279914A (en) Unified extensible firmware interface (UEFI) trusted supporting system and method for controlling same
US8751817B2 (en) Data processing apparatus and validity verification method
CN116991671A (en) DCS controller and trusted start audit log recording method and system thereof
TWI736075B (en) Storage device
CN113486360B (en) RISC-V based safe starting method and system
JP5466645B2 (en) Storage device, information processing device, and program
US11366911B2 (en) Cryptography module and method for operating same
KR102598510B1 (en) Method and apparatus for verify software integrity
KR101401379B1 (en) Nand flash memory io method and embedded system using the same
US7207066B2 (en) Method for protecting a microcomputer system against manipulation of data stored in a storage arrangement of the microcomputer system
CN109583197B (en) Trusted overlay file encryption and decryption method
CN116991622A (en) Recovery method and system for starting failure of trusted DCS controller system
CN101799858A (en) FLASH data protection method and device
US20230214494A1 (en) Electronic control device and control method
CN114077740A (en) Bidirectional authentication trusted boot system and method based on TPCM chip
CN111124462B (en) Method, device, server and storage medium for updating embedded multimedia card
KR20230082388A (en) Apparatus for verifying bootloader of ecu and method thereof
US20100049373A1 (en) Method for modular software removal
CN114201224B (en) Processor starting method, heterogeneous processor system and processor starting device
CN112822013B (en) Block chain consensus method, device and storage medium
US20240256714A1 (en) Method and system for runtime integrity check
KR20240024971A (en) Methods for checking digital signatures, vehicle computing units and vehicles

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination