CN116992431A

CN116992431A - Version verification method and related device for image file

Info

Publication number: CN116992431A
Application number: CN202311272200.8A
Authority: CN
Inventors: 孙一品; 顾剑; 丁涛; 李煜
Original assignee: Phytium Technology Co Ltd
Current assignee: Phytium Technology Co Ltd
Priority date: 2023-09-28
Filing date: 2023-09-28
Publication date: 2023-11-03
Anticipated expiration: 2043-09-28
Also published as: CN116992431B

Abstract

The application discloses a version verification method and a related device of an image file, wherein the version verification method of the image file comprises the following steps: responding to a version verification request, and verifying the version of the target image file according to a security notification number corresponding to the target image file; the security notification number is used for marking a security version of the image file after an image file revocation event, the security notification number is updated after each occurrence of the image file revocation event, and the image file revocation event is an event declared to be revoked by an image file provider because of security holes of the image file; the security notification number corresponding to the target image file includes: a security advertisement number corresponding to the target image file stored in a one-time programmable storage component of the computing device. The technical scheme provided by the application can solve the problem of short defending period in the defending mode of mirror image rollback attack in the prior art.

Description

Version verification method and related device for image file

Technical Field

The present application relates to the field of computer application technologies, and in particular, to a software version verification technology in the field of computer application technologies, and more particularly, to a method and a related device for verifying a version of an image file.

Background

In the computer field, the version of an image file is sometimes of great importance to verify whether the image file is legal and its security, for example, some attackers may collect an old version image file containing a security hole and make it replace the image file of the target system. Since the old version image file has legal authorization information, the security starting mechanism can be penetrated, and the target system is attacked through security holes existing in the old version image file, so that it is necessary to provide a version verification method for the image file.

Disclosure of Invention

In order to solve the technical problems, the application provides a version verification method and a related device for an image file, so as to realize the purpose of verifying the version of the image file, and on the basis, the purpose of prolonging the defending period for vulnerability attacks (such as image rollback attacks) of the version of the image file can be realized.

In order to achieve the technical purpose, the embodiment of the application provides the following technical scheme:

in a first aspect, an embodiment of the present application provides a method for verifying a version of an image file, applied to a computing device, where the method includes:

responding to a version verification request, and verifying the version of the target image file according to a security notification number corresponding to the target image file;

The security notification number is used for marking a security version of the image file after an image file revocation event, the security notification number is updated after each occurrence of the image file revocation event, and the image file revocation event is an event announced by an image file provider because of security holes of the image file; the security notification number corresponding to the target image file includes: a security advertisement number corresponding to the target image file stored in a one-time programmable storage component of the computing device.

In the embodiment of the application, the security notification number is used for marking the security version of the image file after the image file revocation event, so that the security notification number can replace the version information of the image file to verify the version of the image file. And because the security notification number is updated when the image file is invalidated, compared with version information updated when the image file is updated each time, the security notification number has lower updating frequency, so that the consumption frequency of the storage space can be reduced, and the defending period for the image file version vulnerability attack (such as image rollback attack) can be prolonged.

In some embodiments, the target image file is an image file to be loaded in a secure boot process of the computing device, or the target image file is a factory image file to be loaded when the computing device performs a factory restoration operation.

In the embodiment of the application, in the process of safe starting, the version verification is carried out on the image file to be loaded through the safety notice number, so that the image rollback attack can be prevented, and the safety of the safe starting process is improved. And the update frequency of the security notification number is lower than that of the version information, which is beneficial to prolonging the defending period of the mirror image rollback attack. Meanwhile, the security notification number can support legal mirror image rollback, and reasonable rollback requirements of users are met.

In addition, the embodiment of the application supports the restoration of the factory setting, and can carry out version verification on the factory image file to be loaded through the security notification number, thereby preventing image rollback attack and improving the security of the restoration of the factory process.

In some embodiments, the verifying the version of the target image file according to the security notification number corresponding to the target image file includes:

carrying out security verification on the version of the target image file according to the first security notification number and the second security notification number corresponding to the target image file;

the first security notification number comprises a security notification number carried in authorization information of the target image file; the second security notification number includes a security notification number stored in the one-time programmable storage device that corresponds to the target image file.

In the embodiment of the application, whether the image file is the image file of the safe version can be judged based on the security notification number locally stored in the computing device and the security notification carried in the image file authorization information, and legal image rollback can be realized while image rollback attack is prevented.

In some embodiments, the updated security notification number is greater than the pre-update security notification number;

the security verification of the version of the target image file according to the first security notification number and the second security notification number corresponding to the target image file includes:

determining that the version of the target image file passes the security verification under the condition that the first security notification number is greater than or equal to the second security notification number;

and under the condition that the first security notification number is smaller than the second security notification number, determining that the version of the target image file fails the security verification.

In the embodiment of the application, whether the version of the image file to be loaded is a safe version can be determined by comparing the size relation between the security notification number locally stored in the computing device and the security notification number carried in the image file authorization information, so that the image rollback attack is prevented.

In some embodiments, in the event that the first security notification number is greater than the second security notification number, the method further comprises:

and updating the security notification number corresponding to the target image file in the one-time programmable storage component.

In the embodiment of the application, the security notification number stored in the OTP storage component cannot be changed or deleted, the security notification number in the authorization information is encrypted by the private key, and the security and the reliability of the two security notification numbers are higher, so that whether to update the security notification number stored in the OTP storage component is determined based on the comparison result of the two security notification numbers, and the reliability and the security are higher.

In some embodiments, in a case that the target image file is a factory image file required for the computing device to perform a factory restoration operation, verifying, according to a security notification number corresponding to the target image file, a version of the target image file includes:

verifying whether the target image file is a factory image file of a safe version according to the safety notification number and the hash abstract corresponding to the target image file;

the security notification number corresponding to the target image file further comprises: a security notification number carried in the authorization information of the target image file; the hash abstract corresponding to the target image file comprises the following steps: and the hash abstract carried in the authorization information of the target image file and the hash abstract corresponding to the factory image file stored in the one-time programmable storage component.

In the embodiment of the application, before the computing equipment leaves the factory, the factory image file with safe and reliable version can be filled in the computing equipment, and the hash abstract corresponding to the factory image file is stored in the OTP storage component. When the equipment needs to restore the factory setting, whether the factory image file to be loaded is the factory image file of a safe version or not, namely whether the factory image file of a boot loading version is allowed or not is determined by comparing the security notification number in the authorization information of the factory image file to be loaded with the security notification number stored in the OTP storage component and comparing the hash abstract corresponding to the factory image file to be loaded with the hash abstract stored in the OTP storage component, so that mirror rollback attack is prevented, and the security of restoring the factory setting is improved.

In some embodiments, at least two security notification numbers are stored in the computing device, each security notification number corresponds to a boot sequence number, the boot sequence number corresponds to an image file, and the boot sequence number is used to indicate a boot sequence of the image file corresponding to the boot sequence number in a secure boot process.

According to the embodiment of the application, by setting the security notification number in such a way, the security notification number can be managed in a refined way, for example, because the probability of generating security holes by the image files of different guide layers is different, namely the probability of generating a revocation event is different, a larger storage space of the security notification number can be allocated for the guide layer which is easy to generate the revocation event of the image file in the OTP storage part, and the image rollback defense period is improved; and for a guide layer which is not easy to generate an image file revocation event, a smaller storage space of a security notification number is allocated, and the storage space of the OTP storage component is saved. By reasonably using the storage space of the OTP storage component, a better mirror image rollback attack defense effect is achieved.

In some embodiments, the computing device stores a security notification number that corresponds to a plurality of image files that need to be loaded during a secure boot process.

The mode of setting the security notification number for the computing equipment provided by the embodiment of the application is relatively simple, convenient to manage and less in occupied storage space of the OTP storage component.

In some embodiments, the storage area of the one-time programmable storage unit for storing the security notification number corresponding to the target image file includes: a start zone and an increment zone;

the initial area is used for storing an initial security notification number in binary numbers, or storing a first numerical value forming the initial security notification number in binary numbers under the condition that the initial security notification number is larger than the maximum numerical value which can be stored in the initial area, wherein the first numerical value is the maximum numerical value which can be stored in the initial area;

the increment area is used for storing an increment value of a security notification number in a bit accumulation mode, and storing a second value in a bit accumulation mode under the condition that the initial security notification number is larger than the maximum value which can be stored in the initial area, wherein the second value is the difference between the initial security notification number and the first value; and the security notification number corresponding to the target image file stored in the one-time programmable storage component is the sum of the initial security notification and the increment value.

Compared with the existing storage mode of all bitwise writing, the storage mode of the security notification number in the embodiment of the application has the advantages that the numerical value of the maximum security notification number which can be stored is larger, and the defending period of the mirror image rollback attack is longer.

In a second aspect, an embodiment of the present application provides a version verification apparatus for an image file, applied to a computing device, where the apparatus includes:

the version verification module is used for responding to the version verification request and verifying the version of the target image file according to the security notification number corresponding to the target image file;

the security notification number is used for marking a security version of the image file after an image file revocation event, the security notification number is updated after each occurrence of the image file revocation event, and the image file revocation event is an event declared to be revoked by an image file provider because of security holes of the image file; the security notification number corresponding to the target image file includes: a security advertisement number corresponding to the target image file stored in a one-time programmable storage component of the computing device.

In some embodiments, the version verification module comprises:

the first version verification unit is used for carrying out security verification on the version of the target image file according to the first security notification number and the second security notification number corresponding to the target image file;

the first version verification unit is specifically configured to:

In some embodiments, the apparatus further comprises:

and the updating module is used for updating the security notification number corresponding to the target image file in the one-time programmable storage component under the condition that the first security notification number is larger than the second security notification number.

In some embodiments, the target image file is a factory image file required when the computing device performs a restore factory operation;

the version verification module comprises:

the second version verification unit is used for verifying whether the target image file is a factory image file of a safe version according to the safety notification number and the hash abstract corresponding to the target image file;

In a third aspect, embodiments of the present application provide a computing device comprising: a processor and a memory;

The memory is connected with the processor and is used for storing a safe starting program and a computer program;

the processor is configured to implement the method for verifying the version of the image file according to any one of the above claims by running a computer program stored in the memory.

In a fourth aspect, an embodiment of the present application provides a storage medium, where a computer program is stored, where the computer program is executed by a processor to implement a method for verifying a version of an image file according to the first aspect.

In a fifth aspect, embodiments of the present application provide a computer program product or computer program, the computer program product comprising a computer program stored in a computer readable storage medium; a processor of the computer device reads the computer program from the computer readable storage medium, the processor implementing the steps of the version verification method of an image file according to the first aspect when the computer program is executed.

In the technical scheme provided by the application, the version information of the image file is replaced by the security notification number, and whether the image file to be loaded is the image file of the security version is judged, so that the security verification of the image file version is realized. In addition, since the security notification number is updated when an image file revocation event occurs, that is, when the image file provider declares revocation due to the existence of a security hole in the image file, the security notification number is updated with a lower update frequency than version information updated each time the image file is updated, so that the consumption frequency of the storage space can be reduced, and the defending period against image file version hole attacks (for example, image rollback attacks) can be prolonged.

Drawings

In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.

Fig. 1 is a flow chart of a method for verifying version of an image file according to the present application.

Fig. 2 is a schematic block diagram of a version verification device for an image file according to the present application.

Fig. 3 is a schematic structural diagram of a computing device according to the present application.

Detailed Description

Unless otherwise defined, technical or scientific terms used in the embodiments of the present application should be given the ordinary meaning as understood by one of ordinary skill in the art to which the present application belongs. The terms "first," "second," and the like, as used in embodiments of the present application, do not denote any order, quantity, or importance, but rather are used to avoid intermixing of components.

Throughout the specification, unless the context requires otherwise, the word "plurality" means "at least two", and the word "comprising" is to be construed as open, inclusive meaning, i.e. as "comprising, but not limited to. In the description of the present specification, the terms "one embodiment," "some embodiments," "example embodiments," "examples," "particular examples," or "some examples," etc., are intended to indicate that a particular feature, structure, material, or characteristic associated with the embodiment or example is included in at least one embodiment or example of the application. The schematic representations of the above terms do not necessarily refer to the same embodiment or example.

The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.

SUMMARY

The security verification of the image file to be loaded is an effective technical means for improving the security of the computer system. For example, during the secure boot process of the computing device, the image file to be loaded is subjected to digital signature verification, and the boot operation is continued only if the verification is correct. The mechanism can effectively inhibit the capability of an attacker to tamper with the image file. However, as the functions of the image file become more complex, the code amount becomes larger, so that the vulnerability or vulnerability of the image file is less likely to be eradicated, and some attackers can attack the target system by utilizing the vulnerability problem of the image file. After the image file leaks the security hole, the image file provider will revise the code and issue a new version image file. However, an attacker may collect these historical version image files with security hole problems, replace the image files in the target system with the historical version image files, penetrate the security start mechanism based on legal authorization information (such as legal digital signature) in the historical version image files, and attack the target system by using security holes of the historical version image files, and such attacks are called image rollback attacks.

To prevent such attacks, one existing defense approach is: the latest version information of the image file is stored in a one-time programmable (One Time Programmable, OTP) memory unit, and once the version information is written into the OTP memory unit, the version information cannot be modified or replaced, so that an attacker can be prevented from tampering with the OTP memory unit. When the version information of the image file to be loaded is inconsistent with the latest version information stored in the OTP storage component, loading is stopped, so that image rollback attack is prevented.

However, this protection method has some problems, for example, since the version update frequency of the image file is high, the storage bit of the OTP storage unit is easily consumed soon, so that the version control capability is lost, that is, the image rollback protection capability is lost, and the protection period is short. In addition, mirror rollback is also an objective reality requirement. Firstly, the image file is unavoidably improved, and the problems are fed back to the product line to analyze, correct and upgrade the image version, so that the time is required. Under the existing conventional scheme, the user can only wait for version upgrade, and the longer the waiting time is, the worse the user experience is. In addition, the user cannot select the low version image file rollback according to past experience. Secondly, the user needs are quite different, the newly updated image file may not be the best choice for the user, the user may wish to roll back to a previous history version, but the defense mode does not support legal image rolling back, and the reasonable image rolling back needs of the user cannot be met.

Based on the technical problems, the application provides a version verification method of an image file, and the version verification method of the image file provided by the application is described in an exemplary way with reference to the accompanying drawings.

Exemplary method

Taking application to computing equipment as an example, the embodiment of the application provides a method for verifying the version of an image file, which can comprise the following steps:

s101: and responding to the version verification request, and verifying the version of the target image file according to the security notification number corresponding to the target image file.

The image file in the embodiment of the application can refer to an image file which needs to be loaded in the starting process of the computing equipment. And the target image file may be one of the image files that need to be loaded during startup.

The security notification number is used to mark the security version of the image file after an image file revocation event, that is, after an image file revocation event occurs, the security notification number marks which versions of the image file are security versions. The secure versions described herein include, but are not limited to, at least one of the following: the latest version of the image file, the historical version of the image file that was not invalidated.

For example, image files that need to be loaded during a computing device boot process include: mirror file A, B, C, D. Currently, the version number of the image file a is 1.0, the version number of the image file B is 2.0, the version number of the image file C is 3.0, and the version number of the image file D is 4.0. The versions of the four image files may be marked with the current security announcement number "1" to indicate version security. It is assumed that, during the use of the image file, the provider of the image file a finds that the image file of version 1.0 has a serious security hole and invalidates it, and at this time, the security notification number needs to be updated, for example, the current security notification number is updated from "1" to "2". The updated security announcement number "2" marks the security versions of the four image files, which are respectively: version 2.0 of image file published by the provider of image file a, version 2.0 of image file B, version 3.0 of image file C, and version 4.0 of image file D. Of course, the updated security notification number is also used to mark the historical version of the image file that was not invalidated, e.g., version 3.0 of image file D was not invalidated, and version 3.0 of image file D is marked with the updated security notification number "2" to indicate that version 3.0 of image file D is secure.

In order to effectively mark the security version by the security notification number, the security notification number in the embodiment of the application is updated after an image file revocation event occurs so as to mark the security version of the image file by the new security notification number, and the updated security notification number is different from any one historical security notification number so as to avoid the repetition problem.

The image file revocation event may refer to an event declared to be revoked by an image file provider due to a security hole of an image file, and specifically may refer to a notification message issued by the image file provider that some image files have a serious security hole and are inconvenient to resume use. The image files that are invalidated can be regarded as image files of dangerous version (or illegal image files), and the image files that are not invalidated can be regarded as image files of safe version (or legal image files).

The security notification number may be stored in the computing device, and in particular may be stored in an OTP storage element of the computing device, so that the security notification number corresponding to the target image file described in step 101 may include the security notification number corresponding to the target image file stored in the OTP storage element of the computing device. The computing device may verify the version of the target image file based on the security advertisement number stored in the OTP component. And if the version of the target image file fails verification, stopping loading the target image file. Wherein the area in the OTP memory unit for storing the security notification number may be referred to as a security notification number storage area.

In the embodiment of the application, the security notification number is used for marking the security version of the image file after the image file revocation event, so that the security notification number can replace the version information of the image file to verify the version of the image file. And because the security notification number is updated when the image file is invalidated, compared with version information which needs to be updated when the image file is upgraded each time, the security notification number has lower updating frequency, so that the consumption frequency of the storage space can be reduced, and the defending period for image file version vulnerability attacks (such as image rollback attacks) can be prolonged.

In addition, the security notification number is used for marking security versions except for the obsolete version, not only can the latest version of the image file be marked, but also the history version which is not obsolete can be marked, so that a user can apply to roll back to the image file of the appointed history version as long as the image file of the version is not the obsolete image file.

In summary, the technical scheme provided by the embodiment of the application changes from the software perspective to the mirror image rollback attack from the security perspective, namely: besides the image files of the obsolete version, the image files of other versions are generally considered to be safe, so that the technical scheme provided by the embodiment of the application can meet the dual requirements of image rollback attack protection and legal image rollback.

In some embodiments, the image revocation event occurs due to an image having a high-risk vulnerability, i.e., the image provider declares image revocation due to an image having a high-risk vulnerability.

For existing conventional schemes, each version upgrade of an image file means that at least one memory bit of the OTP memory unit is consumed. The guard period of the image rollback attack depends on the update speed of the image file version on the premise of the storage bit length determination. In fact, many factors that cause the update of the version of the image file are involved, and the security hole repair is one of the factors that affect the security, while other factors that affect the update of the image file have less impact on the security, which results in some cases that the update of the version information in the OTP storage unit is meaningless and wastes storage space. In the embodiment of the application, the image file of a certain version is declared to be invalidated only when the high-risk and high-hazard loopholes occur, namely the security notification number is updated when the high-risk and high-hazard loopholes occur in the image file, so that compared with the conventional scheme, the security notification number in the embodiment of the application has lower updating frequency while resisting the image rollback attack, and is beneficial to prolonging the defending period of the image rollback attack.

In some embodiments, the method for verifying the version of the image file can be applied to a secure boot process of the computing device, namely, the method can be used for verifying the version of the image file to be loaded in the secure boot process of the computing device. Specifically, the computing device may perform a boot process in response to the power-on request, during which security verification of the target image file is performed. The security verification process of the target image file may include: and responding to the version verification request, and verifying the version of the target image file according to the security notification number corresponding to the target image file.

In this application scenario, the target image file may be an image file to be loaded during a secure boot process of the computing device.

The security verification of the target image file described herein may include verification of whether the target image file is tampered or not, in addition to verification of the version of the target image file. After the target image file passes the security verification, the computing equipment guides and loads the target image file; when the target image file fails the security verification, the computing device stops loading the target image file.

In the embodiment of the application, in the process of safe starting, the version verification is carried out on the image file to be loaded through the safety notice number, so that the image rollback attack can be prevented, and the safety of the safe starting process is improved. And the update frequency of the security notification number is lower than that of the version information, which is beneficial to prolonging the defending period of the mirror image rollback attack. In addition, the security notification number can support legal mirror image rollback, and the reasonable rollback requirement of the user is met.

In some embodiments, the method for verifying the version of the image file can also be applied to a factory-restoring setting process of the computing device, namely, the version of the factory image file to be loaded is verified through the scheme in the factory-restoring setting process of the computing device. Specifically, when the computing device enters a secure boot process, the computing device verifies the factory image file to be loaded, where the verification process may include: and responding to the version verification request, and verifying the version of the target image file according to the security notification number corresponding to the target image file.

In the application scene, the target image file is a factory image file to be loaded when the computing equipment executes factory restoration operation.

After the version of the factory image file passes verification, the computing equipment can load the factory image file; and when the factory image file fails to pass the security verification, the computing equipment stops loading the factory image file and recovers the failure of factory setting operation.

The technical scheme provided by the embodiment of the application supports the restoration of the factory setting, and can carry out version verification on the factory image file to be loaded through the security notification number, thereby preventing the image rollback attack and improving the security of the restoration of the factory process.

In some alternative implementations, as shown in fig. 1, step S101: verifying the version of the target image file according to the security notification number corresponding to the target image file may include:

step S1011: and carrying out security verification on the version of the target image file according to the first security notification number and the second security notification number corresponding to the target image file.

The first security notification number comprises a security notification number carried in authorization information of the target image file. The second security notification number includes a security notification number stored in the OTP memory that corresponds to the target image file.

In the embodiment of the present application, the security notification number may be stored in the computing device and may be added to the authorization information of the image file, so the security notification number corresponding to the target image file in step 101 may further include the security notification number carried in the authorization information of the target image file, and the computing device may verify the version of the target image file based on the security notification number stored in the OTP storage unit (i.e., the first security notification number) and the security notification number carried in the authorization information of the target image file (i.e., the second security notification number), for example, it may be determined whether the version of the target image file is a secure version based on the comparison result of the sizes of the two security notification numbers.

In the embodiment of the application, in order to effectively mark the security version by the security notification number, after each image file revocation event occurs, the image file provider needs to re-authorize some legal image files (such as some image files which need to be loaded in the security starting process), and a new security notification number is added in the authorization information to indicate the security of the image file versions. It follows that the update of the security notification number means that the legal image file needs to be re-applied for electronic authorization, and that the image file of the history version is not declared to be totally invalidated.

In some embodiments, the image file provider will issue a new legitimate image file when the security notification number is updated. Table 1 illustrates a composition structure of a legal image file, including an image file, a hash digest, a security notification number, and a digital signature, where the digital signature may be obtained by encrypting information such as the security notification number and the hash digest by a private key. The hash digest described herein may be used to determine whether an image file has been tampered with. The hash digest may be obtained by hashing the image file, and the hash operation may be specifically implemented based on a hash algorithm. The computing device may decrypt the digital signature with the public key to obtain the hash digest and the security notification number in the authorization information.

TABLE 1

For updating of the security notification number stored in the computing device, a notification message indicating an image revocation event may be sent by the image provider to the computing device, which updates the locally stored security notification number based on the notification message. Of course, the manner of updating the security notification number in the computing device is not limited to the foregoing, and other realizations are possible.

In some alternative implementations, the updated security notification number is greater than the pre-update security notification number, i.e., the security notification number is updated on a small-to-large basis. For example, the security notification number before the image revocation event does not occur is 10, and the security notification number after the image revocation event occurs is updated to 11.

Optionally, the increment value of the updated security notification number compared with the security notification number before updating may be a fixed value, and the specific value of the fixed value may be set according to actual requirements, for example, may be an integer greater than or equal to 1. Because the larger the difference value is, the larger the updated security notification number is, the more memory space is occupied, and therefore, the increment value with smaller value is preferable in the embodiment of the application, for example, the increment value is set to be 1. It can be understood that the increment value of the updated security notification number compared with the security notification number before updating can also be a variable value, and the change rule of the value can be random, for example, when each updating is performed, an integer greater than 0 is randomly selected as the increment value in a preset value range (such as [1,3 ]); of course, the change rule of the numerical value may also be changed according to a preset rule, for example, the increment value of each update is increased by 1 compared with the increment value of the previous update.

In some alternative implementations, the update policy of the aforementioned security notification number is: based on the update policy that the updated security notification number is greater than the security notification number before update, the foregoing step of performing security verification on the version of the target image file according to the first security notification number and the second security notification number corresponding to the target image file may include:

under the condition that the first security notification number is larger than or equal to the second security notification number, determining that the version of the target image file passes the security verification; and under the condition that the first security notification number is smaller than the second security notification number, determining that the version of the target image file fails the security verification.

And under the condition that the security notification number carried in the image file authorization information is consistent with the security notification number locally stored in the computing device, the version of the image file is described as a security version and is not a revocation version, and the version of the image file passes the security verification.

Under the condition that the security notification number carried in the image file authorization information is larger than the security notification number locally stored in the computing device, the image file provider authorizes the authorized image file again, the updated security notification number is added in the authorization information, and the computing device does not know the image file revocation event, so that the locally stored security notification number is not synchronously updated, and the situation that the security notification number in the image file authorization information is larger than the security notification number locally stored in the computing device is caused, but the situation also indicates that the version of the image file is a security version and is not a revocation version, and the version of the image file can pass security verification.

In some embodiments, since the security notification number in the authorization information is greater than the security notification number locally stored by the computing device indicating that an image revocation event has occurred, the computing device may update the security notification number in the OTP storage element corresponding to the target image if it detects that the first security notification number is greater than the second security notification number. In such updating mode, the security notification number stored in the OTP memory is not changeable or deleted, the security notification number in the authorization information is encrypted by the private key, and the security and reliability of the two security notification numbers are higher, so that based on the comparison result of the two security notification numbers, whether to update the security notification number stored in the OTP memory is determined, and the reliability and security are higher.

Under the condition that the security notification number carried in the image file authorization information is smaller than the security notification number locally stored in the computing device, the image file is not legal in authorization information, and possibly is an image file of a revocation version, and potential safety hazards exist, so that the image file version security verification fails, and at the moment, loading of the image file can be stopped, and image rollback attack is avoided.

In some optional implementations, in a case where the target image file is a factory image file to be loaded when the computing device performs a factory restoration operation, as described in fig. 1, step S101: verifying the version of the target image file according to the security notification number corresponding to the target image file may include:

step S1012: and verifying whether the target image file is a factory image file of a safe version according to the safety notification number and the hash abstract corresponding to the target image file.

The security notification number corresponding to the target image file includes: the security notification number carried in the authorization information of the target image file and the security notification number corresponding to the target image file stored in the one-time programmable storage component in the computing device. The hash abstract corresponding to the target image file comprises the following steps: the hash abstract carried in the authorization information of the target image file and the hash abstract corresponding to the factory image file of the safe version stored in the one-time programmable storage component.

In this embodiment, in order to support factory setting restoration and improve factory setting restoration security, a hash digest corresponding to a factory image file of a secure version may be stored in a hash digest storage area in an OTP storage section of a computing device, so that when factory setting restoration is performed, whether the factory image file to be loaded is the secure version or not is effectively verified based on the hash digest stored in the OTP storage section, potential safety hazards of the factory image file itself are eliminated, image rollback attack is prevented, and factory setting restoration security is improved.

The factory image file of the safe version can be a factory image file used when the computing equipment leaves the factory, and can also be a factory image file with higher safety compared with the factory image file used when the computing equipment leaves the factory.

In the process of restoring the factory setting, a user can burn the factory image file into a flash memory (flash) of the computing device through a specific tool in advance. And then, under the condition that the computing equipment enters a safe starting process, verifying the factory image file (namely the target image file) in the flash memory, and determining whether the factory image file is the factory image file of the safe version. If the factory image file to be loaded is the factory image file of the safe version, continuing to boot and load the factory image file; if the factory image file to be loaded is not the factory image file of the safe version, stopping the boot loading of the factory image file, which also means that the factory setting is not restored. The factory image file burned into the flash memory by the user can be obtained by applying for the equipment manufacturer or the image file provider, and the authorization information comprises the latest security notification number.

Specifically, whether the target image file is a factory image file of a secure version may be determined according to the first security notification number and the second security notification number corresponding to the target image file, and the first hash digest and the second hash digest corresponding to the target image file.

The first security notification number comprises a security notification number carried in authorization information of the target image file. The second security notification number includes a security notification number stored in the OTP memory that corresponds to the target image file. The first hash digest includes a hash digest carried in authorization information of the target image file. The second hash digest includes the hash digest stored in the OTP memory, and the second hash digest is the hash digest stored in the OTP memory.

And determining that the target image file is a factory image file with a safe version under the condition that the first safety notice number is larger than or equal to the second safety notice number and the first hash digest is the same as the second hash digest. And when the condition that the first security notification number is larger than or equal to the second security notification number and the first hash digest is the same as the second hash digest is not satisfied, determining that the target image file is not the factory image file of the secure version, and stopping restoring the factory operation.

For example, the computing device reads the security notification number local_sv (corresponding to the second security notification number) and the hash digest local_hash (corresponding to the second hash digest) stored in the OTP storage section, and reads the authorization information of the target image file, and acquires the security notification number ec_sv (corresponding to the first security notification number) and the hash digest ec_hash (corresponding to the first hash digest) in the authorization information. Afterwards, the local_sv and the ec_sv are compared, and the local_hash and the ec_hash are compared. If the ec_sv is greater than or equal to the local_sv and the local_hash is equal to the ec_hash, continuing to execute the factory setting restoration operation, otherwise, stopping the factory setting restoration operation.

Under the existing conventional scheme, restoring factory settings means that version information for preventing the image rollback attack is reset, namely, version information of a factory image file needs to be rewritten in an OTP storage component, and then updating of the version information is restarted from the version information, which not only causes rollback prevention memory failure, but also causes consumption of OTP storage resources, and the OTP storage resources also restrict the number of times of restoring factory settings.

When the embodiment of the application restores the factory setting, the updating of the safety notice number is not caused, namely OTP storage resources are not consumed, the restoration of the factory setting for any times can be supported, and the multiple requirements of a user on the restoration of the factory setting are met. In addition, when factory settings are restored, the embodiment of the application can not cause the invalidation of the security notification number, namely the defense mechanism for the mirror image rollback attack is effective, and the obsolete mirror image files released under the prior security notification number can not pass through the rollback prevention mechanism.

Furthermore, in the embodiment of the application, the factory image file with a safe and reliable version can be selected as the factory image file required for restoring factory settings, so that the probability of security holes of the factory image file is reduced.

Optionally, the storage locations in the OTP storage unit for storing the hash digests may include a plurality of storage locations, so that when the factory image file for restoring factory settings needs to be invalidated due to the security problem of exposing the high-risk vulnerability, the device manufacturer may obtain a new factory image file from the image file provider and recall the relevant computing device, and write the hash digests corresponding to the new factory image file in the OTP storage unit. For example, the factory image file of the original safe version is the factory image file when the computing device leaves the factory, and then the factory image file is found to have high-risk vulnerabilities and is invalidated. The equipment manufacturer obtains a new factory image file with higher security from the image file provider, recalls the related computing equipment, and writes a hash abstract corresponding to the new factory image file in the OTP storage component.

Table 2 illustrates an example of a hash digest memory area in an OTP memory unit, which has a total of 3 digest memory areas, digest memory area 1, digest memory area 2, and digest memory area 3, respectively, meaning that there is a 3-time opportunity to write the hash digest. The initial value of the current digest sequence number may be 0, incremented by 1 after each hash digest is written.

TABLE 2

In some alternative implementations, multiple security announcement numbers may be set according to the boot sequence number, namely: at least two security notification numbers are stored in the computing device, each security notification number corresponds to a guide sequence number, the guide sequence number corresponds to the image file, the guide sequence number is used for indicating the guide sequence of the image file corresponding to the guide sequence number in security starting, the security notification number corresponding to the target image file is one of the at least two security notification numbers, in other words, the security notification number corresponding to the target image file is the security notification number corresponding to the guide sequence number of the target image file.

The image file in the embodiment of the application refers to an image file which needs to be loaded in the secure boot process of the device, and the secure boot generally adopts a chained process, and the next-level image file is loaded, verified and guided step by step from the on-chip image file, in other words, each image file corresponds to a fixed guide sequence number in secure guide. In the embodiment of the present application, the security notification numbers may be set for different boot levels, for example, table 3 illustrates n security notification number division examples, and the security start process includes n boot levels capable of performing image file version verification through the security notification numbers, and then one security notification number may be set for the n boot levels, that is, the security notification storage area in the OTP storage unit includes n security notification numbers.

TABLE 3 Table 3

Thus, when an image file is invalidated, only the security notification number corresponding to the boot number of the image file is updated, and the security notification numbers corresponding to the other boot numbers remain unchanged.

When the image file corresponding to one guide serial number can be selected from image files provided by a plurality of providers, the providers can form an friend group. Each image file provider needs to announce the version information of the image file to be invalidated and the maximum security announcement number when the image file to be invalidated is issued, pays attention to the announcements of other friends, and maintains an image file revocation list.

According to the embodiment of the application, by setting the security notification number in such a way, the security notification number can be managed in a refined way, for example, because the probability of generating security holes by the image files of different guide layers is different, namely the probability of generating a revocation event is different, a larger storage space of the security notification number can be allocated for the guide layer which is easy to generate the revocation event of the image file in the OTP storage part, and the image rollback defense period is improved; and for a guide layer which is not easy to generate an image file revocation event, a smaller storage space of a security notification number is allocated, and the storage space of the OTP storage component is saved. By reasonably using the storage space of the OTP storage component, a better mirror image rollback attack defense effect is achieved. The method is more suitable for the condition that the storage space of the OTP storage part is sufficient.

In some alternative implementations, a security notification number may be set according to the computing device, namely: the computing device has a security notification number stored therein, i.e., the security notification number storage area in the OTP storage device includes a security notification number. The security notification number corresponds to a plurality of image files to be loaded in the security starting process, wherein the plurality of image files refer to image files capable of verifying versions through the security notification number. And updating the security notification number when a revocation event occurs in any image file of the plurality of image files.

In this case, the security notification number corresponding to the target image file is the unique security notification number.

The mode of setting the security notification number for the computing equipment provided by the embodiment of the application is relatively simple, convenient to manage, less in occupied storage space of the OTP storage component and particularly suitable for the situation of shortage of the storage space of the OTP storage component.

As an optional implementation manner, the storage area of the OTP storage unit for storing the security notification number corresponding to the target image file includes: a start zone and an increment zone.

The initial area is used for storing an initial security notification number by binary numbers, or storing a first numerical value forming the initial security notification number by binary numbers under the condition that the initial security notification number is larger than the maximum numerical value which can be stored in the initial area, wherein the first numerical value is the maximum numerical value which can be stored in the initial area. The initial security notification number refers to the first security notification number written into the security notification number storage area of the OTP storage device, that is, the security notification number of the factory image file. The initial security notification number may also be referred to as a factory security notification number.

The increment area is used for storing increment values of the security notification numbers in a bit accumulation mode, and storing second values in a bit accumulation mode under the condition that the initial security notification number is larger than the maximum value which can be stored in the initial area, wherein the second values are differences between the initial security notification number and the first values.

The security notification number corresponding to the target image file is the sum of the initial security notification and the increment value.

In order to better understand the above, an example is illustrated below.

It is assumed that a storage area for storing a security notification number corresponding to a target image file includes n-bit storage bits. And taking the continuous x storage bits in the n storage bits as a starting area for storing and reading the starting security notification number in an integral read-write mode, namely storing and reading the starting security notification in a binary number mode. The rest of the continuous n-x bits are used as an increment area for storing and reading the increment value of the security notification number in a bit-by-bit read-write mode, namely storing and reading the increment value in a bit-by-bit accumulation mode.

Before the equipment leaves the factory, if the current security notification number corresponding to the target image file is smaller than or equal to the upper limit of the value range of the initial area (namely the maximum binary number 2 which can be stored in the initial area) ^x -1), the starting security announcement number (i.e. the current security announcement number corresponding to the target image file) is written directly in the starting area. If the current security notification number corresponding to the target image file is greater than the upper limit of the value range of the initial area, writing the non-exceeded part (corresponding to the first numerical value) into the initial area by binary numbers, and writing the exceeded part into the increment area by a bit accumulation mode.

For example, when n= 8,x =3, the maximum binary number 2 that the start area can store is 2 ^x -1=7。

Before the equipment leaves the factory, if the current security notification number corresponding to the target image file is 6, namely the initial security notification number is 6, writing a binary number 110 corresponding to the value 6 into an initial area, as shown in an initial area shown in a schematic diagram of table 4. Each time a security announcement number update occurs, increment values are written to the increment area, and if three updates are assumed, three increment values "1" are written in the increment area by bit, as shown in the increment area illustrated in table 4. At this time, the security notification number stored in the storage area shown in table 4 is 6+3=9.

TABLE 4 Table 4

Before the equipment leaves the factory, if the current security notification number corresponding to the target image file is 9, namely the initial security notification number is 9, writing binary number "111" corresponding to the numerical value 7 which does not exceed the initial area part into the initial area, and writing the numerical value 2 which exceeds the initial area part into the increment area in a bit accumulating mode (namely two 1) as shown in the initial area shown in the schematic diagram of table 5. Each time a security announcement number update occurs, increment values are written to the increment area, and if the update is twice, two increment values "1" are written in the increment area by bit, as shown in the increment area illustrated in table 5. At this time, the security notification number stored in the storage area shown in table 5 is 9+2 =11.

TABLE 5

Based on the storage mode of the security notification number provided by the embodiment of the application, the maximum security notification number M=2 which can be stored by combining the initial area with the increment area ^x The larger the M is, the longer the guard period of the mirror rollback attack is. In addition, the more protected upgrades(s) the computing device can obtain, the better the defensive effect, so the maximum security notification number M and the protected upgrades s that can be stored are two main factors affecting the defensive result. The number of protected upgrades can be represented by the expected value E(s).

Before the equipment leaves the factory, the embodiment of the application can combine the three factors (namely the stored maximum security notification number M, the protected upgrading number s and the expected value E(s) of the protected upgrading number s) to analyze whether the defending effect meets the requirement under the current security notification number, thereby determining whether the equipment can leave the factory.

Specifically, the embodiment of the application can determine whether the equipment can leave the factory under the current security notification number based on the following three strategies by taking the protected upgrading frequency as a primary target and taking the maximum security notification number as a suboptimal target.

Strategy 1: and optimizing M on the premise of ensuring that min(s) is more than or equal to a (namely, the minimum value of s is more than or equal to a), wherein 0 < a is less than or equal to n-x.

s is related to the safety notice number (denoted as f) and the device life cycle when leaving the factory, and s=min (n-x, M-f) assuming that the device life cycle has no upper limit, that is, s takes the minimum value of n-x and M-f. When the initial security notification number exceeds the maximum value that can be stored in the initial area, s=m-f is smaller than n-x, and min(s) =m-f (i.e. the minimum value of s is M-f), so that M-f is greater than or equal to a, i.e. f is less than or equal to M-a. When min(s) takes the minimum value a (i.e. s=a), x=n-a, m=2 ^n-a -1+a, thenf≤2 ^n-a -1+a-a, i.e. f.ltoreq.2 ⁿ ^-a -1. It follows that under policy 1, the current notification number is less than or equal to 2 ^n-a In the case of-1, the device may be shipped from the factory; at the current notice number greater than 2 ^n-a -1, terminating the device from the factory.

Strategy 2: and optimizing M on the premise of ensuring that E(s) takes the maximum value.

When max (f) =m (i.e., the maximum value of f is M), assuming that the update timing of the security notification number, the device delivery timing are distributed according to equal probability, the expression of E(s) can be obtained by:

at the current security notification number less than or equal to 2 ^x In the case of-1, i.e. where the start zone can store the start security announcement number, a total of 2 can be stored ^x -1 initial security announcement number, each security announcement number corresponding to a number of updates n-x, together (n-x) (2 ^x -1) cases.

At present, the security notification number is more than 2 ^x In the case of-1, that is, in the case where the initial security announcement number needs to be stored through the initial area and the incremental area, n-x initial security announcement numbers may be stored together, and (n-x)/2 (n-x) cases are altogether.

In combination of the above two cases, the total expected value E(s) = [ (n-x) ×2 ^x -1)+(n-x)/2*(n-x)]/(2 ^x -1+n-x)。

As can be seen from the expression of E(s), in the case where n is constant, x is a variable, affecting the value of E(s), if E(s) is guaranteed to be maximum, it is necessary to calculate an x value that maximizes E(s), where the expression of x that maximizes E(s) is x=argmax (E (s)). For example, taking n=32 as an example, under this strategy, max (E (s))=22.96, x=8, m=278.

When the x value at which E(s) takes the maximum value is plural, the x value at which M takes the maximum value is selected from among the plural x values. From m=2 ^x It is clear that x and M have a positive correlation, i.e., the larger x, the larger M, so that the x value that maximizes M should be the maximum of the plurality of x values.

Under the condition that the foregoing condition is satisfied, the device shipment can be implemented as long as f is smaller than M.

Strategy 3: and (3) optimizing M on the premise of ensuring E(s) is more than or equal to b, wherein b is more than 0 and less than or equal to max (E (s)).

Under this strategy, all x values that make E(s). Gtoreq.b need to be calculated, and then the maximum value thereof is taken, so that M is maximized, i.e., M is optimized.

For example, taking n=32 as an example, if b=16, it can be calculated that: x=15, m=32784, e(s) =16.99.

In the following, n=32 is taken as an example, and a comparison is made for illustrating the conventional storage manner and the storage manner provided in the embodiment of the present application.

When a conventional storage mode, namely a storage mode of writing according to all bits is adopted, the corresponding maximum security notification number is 32. By adopting the storage mode provided by the embodiment of the application, the maximum security notification number which can be stored is not less than 32.

If it is agreed that each device needs to obtain upgrade protection no less than 27 times after leaving the factory, the maximum security notification number of the storage mode (see policy 1 in table 6) provided by the embodiment of the present application is 58, and before the initial security notification number does not exceed 31, the device can leave the factory. For the conventional storage mode (see conventional 1 in table 6), when the security notification number is higher than 5, the shipment is stopped.

If the expected value of the number of the protected upgrades is used as an index, the expected value of the number of the protected upgrades is equal to 16 by adopting a conventional storage mode (see a conventional 2 in a table 6). Compared with the prior art, the storage mode provided by the embodiment of the application supports two strategies, one of which is the highest expected value of the protected upgrade number (see strategy 2 in table 6), the supported maximum security notification number is 279, which is more than 8 times of that of the conventional storage mode, the expected value of the protected upgrade number is equal to 22.96, and is 143.5% of that of the conventional scheme. The other is that the expected value of the protected upgrade number is more than 16 (see the strategy 3 of the table 6), and the supported maximum security notification number is 32784 which is more than 1000 times of that of the conventional storage mode.

TABLE 6

It will be appreciated that in some embodiments, the initial security notification number may also be stored in the OTP memory by using a storage manner that is accumulated by bits, in other words, the initial security notification number and the increment value of the security notification number are both stored in the OTP memory by using a storage manner that is accumulated by bits. The storage mode does not need to distinguish a starting area and an increment area, and corresponding data information is sequentially written in the sequence from beginning to end of the storage area.

The above is a description of the version verification method of the image file provided by the embodiment of the application.

In summary, the security notification number in the embodiment of the present application is updated only when the image file revocation event occurs, which can reduce the consumption frequency of OTP memory resources, promote the defending period against the image file version vulnerability attack (for example, the image rollback attack), and support legal image rollback at the same time, so as to satisfy the reasonable image rollback requirement of the user.

Exemplary apparatus

The embodiment of the application also provides a version verification device of the image file, which is applied to the computing equipment.

As shown in fig. 2, the apparatus may include:

the version verification module 201 is configured to respond to a version verification request, and verify a version of a target image file according to a security notification number corresponding to the target image file.

The security notification number is used for marking a security version of the image file after an image file revocation event, the security notification number is updated after the image file revocation event occurs, and the image file revocation event is an event announced to be revoked by an image file provider because of security holes in the image file; the security notification number corresponding to the target image file includes: a security advertisement number corresponding to the target image file stored in a one-time programmable storage component of the computing device.

In some embodiments, as shown in fig. 2, the version verification module 201 may include:

the first version verification unit 2011 is configured to perform security verification on the version of the target image file according to the first security notification number and the second security notification number corresponding to the target image file.

In some embodiments, the updated security notification number is greater than the pre-update security notification number.

The first version verification unit 2011 may be specifically configured to:

determining that the version of the target image file passes the security verification under the condition that the first security notification number is greater than or equal to the second security notification number; and under the condition that the first security notification number is smaller than the second security notification number, determining that the version of the target image file fails the security verification.

In some embodiments, as shown in fig. 2, the apparatus may further include:

and the updating module 202 is configured to update the security notification number corresponding to the target image file in the one-time programmable storage unit if the first security notification number is greater than the second security notification number.

In some embodiments, the target image file is a factory image file required when the computing device performs a restore factory operation.

As shown in fig. 2, the version verification module 201 may include:

and a second version verification unit 2012, configured to verify whether the target image file is a factory image file of a secure version according to the secure notification number and the hash digest corresponding to the target image file.

In some embodiments, the storage area of the one-time programmable storage unit for storing the security notification number corresponding to the target image file includes: a start zone and an increment zone.

The initial area is used for storing an initial security notification number in binary numbers, or storing a first numerical value forming the initial security notification number in binary numbers under the condition that the initial security notification number is larger than the maximum numerical value which can be stored in the initial area, wherein the first numerical value is the maximum numerical value which can be stored in the initial area.

The version verification device of the image file provided by the embodiment of the application belongs to the same application conception as the version verification method of the image file provided by the embodiment of the application, and the version verification method of the image file provided by any embodiment of the application can be executed, and has the corresponding functional module and beneficial effects of the execution method. Technical details not described in detail in this embodiment may refer to specific processing content of the version verification method of the image file provided in the foregoing embodiment of the present application, and will not be described herein again.

Exemplary computing device

An embodiment of the present application further provides a computing device, as shown in fig. 3, including: a memory 300 and a processor 310.

The memory 300 is coupled to the processor 310 for storing programs.

In the case that the computing device is a server, the processor 310 is configured to implement the version verification method of the image file in the above embodiment by running the program stored in the memory 300.

Specifically, the computing device may further include: a communication interface 320, an input device 330, an output device 340, and a bus 350.

The processor 310, the memory 300, the communication interface 320, the input device 330 and the output device 340 are interconnected by a bus. Wherein:

Bus 350 may include a path to transfer information between components of a computer system.

The processor 310 may be a general-purpose processor, such as a general-purpose Central Processing Unit (CPU), microprocessor, etc., or may be an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program of the present invention. But may also be a Digital Signal Processor (DSP), application Specific Integrated Circuit (ASIC), an off-the-shelf programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware components.

Processor 310 may include a host processor, and may also include a baseband chip, modem, and the like.

The memory 300 stores programs for implementing the technical scheme of the present invention, and may also store an operating system and other key services. In particular, the program may include program code including computer-operating instructions. More specifically, the memory 300 may include read-only memory (ROM), other types of static storage devices that may store static information and instructions, random access memory (random access memory, RAM), other types of dynamic storage devices that may store information and instructions, disk storage, flash, and the like.

The input device 330 may include means for receiving data and information entered by a user, such as a keyboard, mouse, camera, scanner, light pen, voice input device, touch screen, pedometer, or gravity sensor, among others.

Output device 340 may include means, such as a display screen, printer, speakers, etc., that allow information to be output to a user.

Communication interface 320 may include devices that use any type of transceiver to communicate with other devices or communication networks, such as an ethernet, a Radio Access Network (RAN), a Wireless Local Area Network (WLAN), etc.

The processor 310 executes programs stored in the memory 300 and invokes other devices that may be used to implement the steps of the image file version verification method provided by the embodiments of the present application.

Exemplary computer program product and storage Medium

In addition to the methods and apparatus described above, the image file version verification method provided by the embodiments of the present application may also be a computer program product comprising computer program instructions which, when executed by a processor, cause the processor to perform the steps in the image file version verification method according to the various embodiments of the present application described in the "exemplary method" section above.

The computer program product may write program code for performing operations of embodiments of the present application in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server.

Furthermore, embodiments of the present application also provide a computer-readable storage medium having stored thereon a computer program for executing steps in the version verification method of an image file according to various embodiments of the present application described in the above-described "exemplary method" section of the present application by a processor.

Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in embodiments provided herein may include non-volatile and/or volatile memory. The nonvolatile memory can include Read Only Memory (ROM), programmable ROM (PROM), electrically Programmable ROM (EPROM), electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double Data Rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous Link DRAM (SLDRAM), memory bus direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM), among others.

The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the present application.

The foregoing examples are merely representative of several embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the embodiments of the present application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of protection of the present application is to be determined by the appended claims.

Claims

1. A method of version verification of an image file, for use with a computing device, the method comprising:

2. The image file version verification method according to claim 1, wherein the target image file is an image file to be loaded in a secure boot process of the computing device or is a factory image file to be loaded when the computing device performs a factory restoration operation.

3. The method for verifying the version of the image file according to claim 2, wherein verifying the version of the target image file according to the security notification number corresponding to the target image file comprises:

4. A version verification method for an image file according to claim 3, wherein the updated security notification number is greater than the security notification number before updating;

5. The method for version verification of an image file according to claim 4, wherein in the case where the first security notification number is greater than the second security notification number, the method further comprises:

6. The method for verifying the version of the image file according to claim 2, wherein in the case that the target image file is a factory image file required for the computing device to perform a factory restoration operation, verifying the version of the target image file according to a security notification number corresponding to the target image file includes:

7. The method for verifying the version of the image file according to claim 2, wherein at least two security notification numbers are stored in the computing device, each security notification number corresponds to a boot sequence number, the boot sequence number corresponds to the image file, and the boot sequence number is used for indicating a boot sequence of the image file corresponding to the boot sequence number in a security startup process.

8. The method of claim 2, wherein a security notification number is stored in the computing device, the security notification number corresponding to a plurality of image files to be loaded during a secure boot process.

9. The version verification method of an image file according to claim 1, wherein the storage area of the one-time programmable storage means for storing a security notification number corresponding to the target image file comprises: a start zone and an increment zone;

10. A version verification apparatus for an image file, applied to a computing device, the apparatus comprising:

11. The image file version verification apparatus according to claim 10, wherein the target image file is an image file to be loaded in a secure boot process of the computing device or is a factory image file to be loaded when the computing device performs a factory restoration operation.

12. The version verification device of an image file according to claim 11, wherein the version verification module comprises:

13. The version verification device of an image file according to claim 12, wherein the updated security notification number is greater than the pre-update security notification number;

the first version verification unit is specifically configured to:

14. The image file version verification apparatus of claim 13, wherein the apparatus further comprises:

15. The image file version verification apparatus according to claim 11, wherein the target image file is a factory image file required when the computing device performs a factory restoration operation;

the version verification module comprises:

16. A computing device, comprising: a processor and a memory;

Wherein the memory is connected with the processor and is used for storing a computer program; the processor is configured to implement the version verification method of an image file according to any one of claims 1 to 9 by running a computer program stored in the memory.

17. A storage medium having stored thereon a computer program which, when executed by a processor, implements the version verification method of an image file as claimed in any one of claims 1 to 9.