CN117009982B - Image file security verification method and device, electronic equipment and storage medium - Google Patents
- Publication number
- CN117009982B
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/572—Secure firmware programming, e.g. of basic input output system [BIOS]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/034—Test or assess a computer or a system
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Storage Device Security (AREA)
Abstract
The disclosure provides a security verification method and device for an image file, an electronic device, and a storage medium. The image file includes a plurality of files for installing a target operating system and signature files obtained by signing each of those files. The security verification method comprises: performing signature verification on each file in a first file set based on the signature file corresponding to that file in the image file, wherein the first file set comprises the files of the plurality of files other than the initial root file system file; and performing signature verification on each file in a second file set based on the signature verification result of the first file set and the signature file corresponding to each file in the second file set in the image file, wherein the second file set comprises the initial root file system file.
Description
Technical Field
The present disclosure relates generally to the field of computer technology, and more particularly, to a security verification method, apparatus, electronic device, and storage medium for an image file.
Background
In the process of constructing and distributing an ISO image file of an operating system, if files archived in the image file are modified, the functions, performance, stability, security and compatibility of the operating system during installation, operation and later maintenance are affected, and in severe cases the operating system cannot run normally.
To address the problem that files archived in an image file are easily tampered with, the related art generally uses sha256sum verification to check whether the image file is abnormal, for example whether it has been modified and whether it is complete. There is still a risk, however, that files archived in the image file are tampered with and the tampering goes undetected. The security of the image file therefore needs to be further improved.
Disclosure of Invention
The exemplary embodiments of the present disclosure provide a method, an apparatus, an electronic device, and a storage medium for secure verification of an image file, which can effectively protect the image file and improve the security of the image file.
According to a first aspect of an embodiment of the present disclosure, there is provided a security verification method for an image file. The image file includes a plurality of files for installing a target operating system and signature files obtained by signing each of those files. The security verification method comprises: performing signature verification on each file in a first file set based on the signature file corresponding to that file in the image file, wherein the first file set comprises the files of the plurality of files other than the initial root file system file; and performing signature verification on each file in a second file set based on the signature verification result of the first file set and the signature file corresponding to each file in the second file set in the image file, wherein the second file set comprises the initial root file system file.
Optionally, the step of performing signature verification on each file in the first file set based on the signature file corresponding to that file in the image file includes: starting an initial root file system based on the files in the second file set; and performing, through the initial root file system, signature verification on each file in the first file set based on the signature file corresponding to that file in the image file.
Optionally, the step of performing signature verification on each file in the second file set based on the signature verification result of the first file set and the signature file corresponding to each file in the second file set in the image file includes: in the case that all files in the first file set pass signature verification, performing signature verification on each file in the second file set based on the signature file corresponding to that file in the image file.
Optionally, in the case that all files in the first file set pass signature verification, the step of performing signature verification on each file in the second file set based on the signature file corresponding to that file in the image file includes: starting a system installer based on the files in the first file set in the case that all files in the first file set pass signature verification; and performing, through the system installer, signature verification on each file in the second file set based on the signature file corresponding to that file in the image file.
Optionally, the security verification method further includes: installing the target operating system in the case that all files in the second file set pass signature verification.
Optionally, the first set of files includes at least one of: kernel files, boot load files, installation configuration files, and root file system files.
According to a second aspect of an embodiment of the present disclosure, there is provided a method for generating an image file, including: acquiring a plurality of files for installing a target operating system; signing each of the plurality of files to obtain a signature file for each file; and obtaining the image file of the target operating system based on the plurality of files and the signature files of the files.
Optionally, the plurality of files includes at least one of: kernel files, boot load files, installation configuration files, root file system files, and initial root file system files.
According to a third aspect of the embodiments of the present disclosure, there is provided a security verification apparatus for an image file. The image file includes a plurality of files for installing a target operating system and signature files obtained by signing each of those files. The security verification device includes: a first signature verification unit configured to perform signature verification on each file in a first file set based on the signature file corresponding to that file in the image file, wherein the first file set comprises the files of the plurality of files other than the initial root file system file; and a second signature verification unit configured to perform signature verification on each file in a second file set based on the signature verification result of the first file set and the signature file corresponding to each file in the second file set in the image file, wherein the second file set comprises the initial root file system file.
Optionally, the first signature verification unit is configured to: start an initial root file system based on the files in the second file set; and perform, through the initial root file system, signature verification on each file in the first file set based on the signature file corresponding to that file in the image file.
Optionally, the second signature verification unit is configured to: in the case that all files in the first file set pass signature verification, perform signature verification on each file in the second file set based on the signature file corresponding to that file in the image file.
Optionally, the second signature verification unit is configured to: start a system installer based on the files in the first file set in the case that all files in the first file set pass signature verification; and perform, through the system installer, signature verification on each file in the second file set based on the signature file corresponding to that file in the image file.
Optionally, the security verification apparatus further includes: an installation unit configured to install the target operating system in a case where all files in the second file set pass signature verification.
Optionally, the first set of files includes at least one of: kernel files, boot load files, installation configuration files, and root file system files.
According to a fourth aspect of an embodiment of the present disclosure, there is provided an image file generating apparatus, including: a file acquisition unit configured to acquire a plurality of files for installing a target operating system; the signature unit is configured to sign each file in the plurality of files respectively to obtain signature files of each file; and the image file generating unit is configured to obtain an image file of the target operating system based on the files and the signature files of the files.
Optionally, the plurality of files includes at least one of: kernel files, boot load files, installation configuration files, root file system files, and initial root file system files.
According to a fifth aspect of embodiments of the present disclosure, there is provided a computer-readable storage medium storing instructions that, when executed by a processor of an electronic device, enable the electronic device to perform a security verification method of an image file as described above or a generation method of an image file as described above.
According to a sixth aspect of embodiments of the present disclosure, there is provided an electronic device including: at least one processor; at least one memory storing computer-executable instructions, wherein the computer-executable instructions, when executed by the at least one processor, cause the at least one processor to perform a security verification method of an image file as described above or a generation method of an image file as described above.
According to the image file security verification method, device, electronic equipment and storage medium of the present disclosure, the binary files and configuration files to be archived are signed using a signature scheme during image file construction, and signature verification is carried out stage by stage when the image file is used for operating system installation. This effectively addresses the problem of files archived in the image file being tampered with at will, improves the security of the image file, and avoids the problems with operating system functions, performance, stability, security and compatibility caused by tampering with the image file.
In the following description, some aspects and/or advantages of the present general inventive concept will be set forth, and still others will be apparent from the following description or the practice of the present general inventive concept.
Drawings
These and/or other aspects and advantages of the present application will become more apparent and more readily appreciated from the following detailed description of the embodiments of the present application, taken in conjunction with the accompanying drawings, wherein:
FIG. 1 illustrates a flowchart of a method of generating an image file according to an exemplary embodiment of the present disclosure;
FIG. 2 illustrates an example of a signature flow of an image file according to an exemplary embodiment of the present disclosure;
FIG. 3 illustrates a flow chart of a method of secure verification of an image file according to an exemplary embodiment of the present disclosure;
FIG. 4 illustrates an example of a signature verification process for an image file according to an exemplary embodiment of the present disclosure;
FIG. 5 shows a block diagram of a device for generating an image file according to an exemplary embodiment of the present disclosure;
FIG. 6 illustrates a block diagram of a security verification apparatus for an image file according to an exemplary embodiment of the present disclosure;
FIG. 7 shows a block diagram of an electronic device according to an exemplary embodiment of the present disclosure;
FIG. 8 shows a block diagram of an electronic device according to another exemplary embodiment of the present disclosure.
Detailed Description
Reference will now be made in detail to embodiments of the present disclosure, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to the like elements throughout. The embodiments will be described below in order to explain the present disclosure by referring to the figures.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the foregoing figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the disclosure described herein may be capable of operation in sequences other than those illustrated or described herein. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present disclosure as detailed in the accompanying claims.
It should be noted that, in this disclosure, "at least one of the items" covers three parallel cases: "any one of the items", "a combination of any of the items", and "all of the items". For example, "including at least one of A and B" covers the following three cases: (1) including A; (2) including B; (3) including A and B. Likewise, "at least one of step one and step two is executed" covers the following three cases: (1) executing step one; (2) executing step two; (3) executing step one and step two.
To address the problem that files archived in an image file are easily tampered with, the related art generally uses sha256sum verification to check whether the image file is abnormal, for example whether it has been modified and whether it is complete. In fact, even with this verification, files archived in the image file may still be tampered with without the tampering being detected. For example, if a configuration file in the image file is tampered with and the sha256sum file is then regenerated to replace the original sha256sum file in the image file, sha256sum verification of the tampered image file cannot detect that the configuration file was modified and does not report the image file as abnormal.
In view of the above problems in the related art, the present disclosure proposes signing the binary files and configuration files to be archived with an ELF signature scheme during image file construction, and verifying the signatures one by one, stage by stage, when the image file is used to install an operating system. If signature verification does not pass, the operating system cannot be installed. This ensures the security of the operating system image file and prevents arbitrary tampering with it.
Fig. 1 illustrates a flowchart of a method of generating an image file according to an exemplary embodiment of the present disclosure.
As an example, the method of generating an image file according to an exemplary embodiment of the present disclosure may be performed by an electronic device having data processing capabilities, which may be a server (e.g., a stand-alone server, a server cluster, a cloud platform, etc.), for example. The embodiments of the present disclosure are not limited in this regard.
Referring to fig. 1, in step 101, a plurality of files for installing a target operating system are acquired.
As an example, the plurality of files may include binary files and configuration files to be archived to an image file of the target operating system.
As an example, the plurality of files may include, but are not limited to, at least one of: kernel files, boot load files, installation configuration files, root file system files, initial root file system (initrd) files. For example, a boot load file, which defines how the live system (i.e., the system used to install the target operating system) starts from the storage medium, may include the boot loader grub. For example, the installation configuration file defines the installation policy of the target operating system. For example, root file system files may include, but are not limited to: files of the target operating system and system installer (installer) files. For example, the initial root file system file may include, but is not limited to, an initialization script file.
In addition, the plurality of files may include other types of files, for example, files for making an installation medium, which is not limited by the present disclosure.
In step 102, each of the plurality of files is signed to obtain a signature file for each file. Specifically, for each of the plurality of files, the file is signed to obtain the signature file of that file.
As an example, a hash function may be used to generate summary information of a file to be signed, and then the summary information is encrypted with a private key to obtain the signature file corresponding to the file.
In step 103, an image file of the target operating system is obtained based on the plurality of files and the signature files of the files.
As an example, the plurality of files and the signature files of the respective files may be compressed together into an image file of the target operating system.
According to the image file generation method of the exemplary embodiment of the present disclosure, a plurality of files for installing a target operating system are each signed to obtain a plurality of signature files, and the signature files are placed into the image file of the target operating system together with the plurality of files. Because the summary information of each file is encrypted with a private key when its signature file is generated, the signature file is not easy to forge; even if a signed file is tampered with, the tampered file is identified, and the security of the image file is thereby improved.
Fig. 2 illustrates an example of a signature flow of an image file according to an exemplary embodiment of the present disclosure.
As shown in fig. 2, when the image construction server receives an image construction trigger operation, it requests the signature server to sign, one by one, the binary files and configuration files that are to be compressed into the image file. Specifically, the image construction server may send the hash value of each such file to the signature server as summary information (sha). The signature server encrypts the received summary information to create a sign file and returns it to the image construction server. After receiving the signature file, the image construction server compresses it into the image file together with the files, for use in subsequent signature verification.
As an example, an example of signature codes is shown below.
Fig. 3 illustrates a flowchart of a method of security verification of an image file according to an exemplary embodiment of the present disclosure. The image file includes a plurality of files for installing the target operating system and the signature files obtained by signing each of those files. The image file may be obtained, for example, by executing the image file generation method shown in fig. 1.
As an example, the security verification method of the image file according to the exemplary embodiment of the present disclosure may be performed by an electronic device to which a target operating system is to be installed. For example, the electronic device may be a terminal (e.g., a personal notebook, desktop, etc.). The embodiments of the present disclosure are not limited in this regard.
Referring to fig. 3, in step 201, signature verification is performed on each file in a first set of files based on signature files corresponding to each file in the first set of files in an image file. Specifically, for each file in the first file set, signature verification is performed on the file based on a signature file corresponding to the file in the image file.
The first set of files includes: files of the plurality of files other than the initial root file system file. As an example, the first set of files may include, but is not limited to, at least one of the following: kernel files, boot load files, installation configuration files, and root file system files.
As an example, the public key may be used to decrypt the signature file corresponding to the file to be checked to obtain summary information A; the file to be checked is hashed with a hash function to obtain summary information B; and summary information A is compared with summary information B to determine whether the content of the file has been tampered with, thereby completing signature verification of the file.
In step 202, signature verification is performed on each file in the second set of files based on the signature verification result of the first set of files and the signature files in the image file that correspond to each file in the second set of files.
The second set of files includes: an initial root file system file.
As an example, step 202 may include: in the case that all files in the first file set pass signature verification, performing signature verification on each file in the second file set based on the signature file corresponding to that file in the image file. Specifically, in the case that all files in the first file set pass signature verification, for each file in the second file set, signature verification is performed on the file based on the signature file corresponding to the file in the image file.
As an example, step 201 may include: starting an initial root file system (initrd) based on the files in the second set of files; then, signature verification is performed on each file in the first set of files based on the signature files corresponding to each file in the first set of files in the image file through the initial root file system.
As an example, step 202 may include: under the condition that all files in the first file set pass signature verification, starting a system installer based on the files in the first file set; then, by the system installer, signature verification is performed on each file in the second set of files based on the signature files corresponding to each file in the second set of files in the image file.
By way of example, the system installer may be the deepin system installer (deepin-installer).
According to the embodiments of the disclosure, double security protection is achieved through cross-checking, so that all files to be checked are checked, and neither the programs that perform the checks nor the files being checked can be tampered with.
In addition, the security verification method of the image file according to the exemplary embodiment of the present disclosure may further include: in the case that all files in the second set of files pass signature verification, the target operating system is installed.
In addition, the security verification method of the image file according to the exemplary embodiment of the present disclosure may further include: in the case where any one of the files in the second file set fails signature verification, no subsequent operation is performed; that is, signature verification is not continued for the files in the second file set that have not yet been verified, and the target operating system installation is not performed.
In addition, the security verification method of the image file according to the exemplary embodiment of the present disclosure may further include: in the case where any one of the files in the first file set fails signature verification, no subsequent operation is performed; that is, signature verification is not continued for the files in the first file set that have not yet been verified, and signature verification is not performed for the files in the second file set.
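The per-file signing of steps 101 to 103, the two-stage verification with stop-on-first-failure, and the sha256sum weakness described earlier can be exercised together in the following sketch. It is an added example, not code from the patent: `openssl dgst` stands in for the signing tool, the file names and contents are constructed, and keeping the public key outside the image directory is an assumption.

```shell
#!/bin/sh
# Added example, not the patent's code. openssl stands in for the signing tool;
# file names and contents are constructed samples.
FIRST_SET="vmlinuz grub.cfg install.conf filesystem.squashfs"  # all but the initrd
SECOND_SET="initrd.img"                                        # initial root file system

# Build side (steps 101-103): create the files, sign each one into <file>.sig,
# and also write the checksum list used by the related-art check.
build_image() {   # build_image <image_dir> <key_dir>
    mkdir -p "$1" "$2"
    for f in $FIRST_SET $SECOND_SET; do
        printf 'constructed sample content of %s\n' "$f" > "$1/$f"
    done
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$2/signing.key" 2>/dev/null
    openssl pkey -in "$2/signing.key" -pubout -out "$2/signing.pub"
    for f in $FIRST_SET $SECOND_SET; do
        openssl dgst -sha256 -sign "$2/signing.key" -out "$1/$f.sig" "$1/$f"
    done
    ( cd "$1" && sha256sum $FIRST_SET $SECOND_SET > SHA256SUMS )
}

# Verify one file against its detached signature; a missing .sig is a failure.
verify_file() {   # verify_file <pubkey> <file>
    [ -f "$2" ] && [ -f "$2.sig" ] || return 1
    openssl dgst -sha256 -verify "$1" -signature "$2.sig" "$2" >/dev/null 2>&1
}

# Check files in order and stop at the first failure, printing its name.
verify_set() {    # verify_set <pubkey> <image_dir> <file>...
    vs_pub=$1; vs_dir=$2; shift 2
    for vs_f in "$@"; do
        verify_file "$vs_pub" "$vs_dir/$vs_f" || { echo "$vs_f"; return 1; }
    done
}

# Stage 1 (initrd stage): the first file set. Stage 2 (installer stage): the
# initrd itself, attempted only if stage 1 passed. Prints the decision.
verify_image() {  # verify_image <pubkey> <image_dir>
    bad=$(verify_set "$1" "$2" $FIRST_SET)  || { echo "stage1-failed:$bad"; return 1; }
    bad=$(verify_set "$1" "$2" $SECOND_SET) || { echo "stage2-failed:$bad"; return 1; }
    echo "install"
}

# Related-art check: compare the files with the checksum list stored beside them.
checksum_check() {   # checksum_check <image_dir>
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1 )
}

# Constructed tampering as described for the related art: change one file, then
# regenerate the checksum list so that it matches again.
tamper_and_refresh_checksums() {   # <image_dir> <file>
    printf 'modified\n' >> "$1/$2"
    ( cd "$1" && sha256sum $FIRST_SET $SECOND_SET > SHA256SUMS )
}

demo() {
    work=$(mktemp -d) || return 1
    build_image "$work/iso" "$work/keys"
    echo "clean image:     $(verify_image "$work/keys/signing.pub" "$work/iso")"
    tamper_and_refresh_checksums "$work/iso" install.conf
    checksum_check "$work/iso" && echo "checksum list:   still passes"
    echo "after tampering: $(verify_image "$work/keys/signing.pub" "$work/iso")"
    rm -rf "$work"
}
demo
```

The checksum list keeps passing after the edit because it is regenerated from the modified file, while the detached signature can only be regenerated by the holder of the private key.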
Fig. 4 illustrates an example of a signature verification process for an image file according to an exemplary embodiment of the present disclosure.
As shown in fig. 4, the initrd stage is entered first, before the operating system is installed. In the initrd stage, the files in the first file set are checked one by one in file order, and the system installer deepin-installer can be started only after all files pass the check in the initrd stage. After it starts, the system installer enters the check program again and verifies the signature of the initrd file, which completes the check. The system can be installed only after the initrd file passes signature verification.
By way of example, the system boot medium may be a storage device such as an optical disk or a USB flash disk.
As an example, the Live system may be a system for installing an operating system.
As an example, an example of the signature verification code is shown below.
The signature verification mechanism for image files according to the embodiments of the disclosure addresses the problem that an ISO image file is easy to modify, so that the image file cannot be tampered with at will. It avoids the problems with system functions, performance and compatibility caused by arbitrary tampering with the image file, and strengthens the security of image file distribution.
Fig. 5 illustrates a block diagram of a structure of an image file generating apparatus according to an exemplary embodiment of the present disclosure.
Referring to fig. 5, an image file generating apparatus according to an exemplary embodiment of the present disclosure includes: a file acquisition unit 301, a signature unit 302, and an image file generation unit 303.
Specifically, the file acquisition unit 301 is configured to acquire a plurality of files for installing the target operating system.
The signing unit 302 is configured to sign each of the plurality of files, respectively, to obtain a signature file for each file.
The image file generating unit 303 is configured to obtain an image file of the target operating system based on the plurality of files and the signature files of the respective files.
As an example, the plurality of files may include, but are not limited to, at least one of: kernel files, boot load files, installation configuration files, root file system files, and initial root file system files.
Fig. 6 illustrates a block diagram of a security verification apparatus for an image file according to an exemplary embodiment of the present disclosure. The image file includes a plurality of files for installing the target operating system and the signature files obtained by signing each of those files.
Referring to fig. 6, a security verification apparatus of an image file according to an exemplary embodiment of the present disclosure includes: a first signature verification unit 401 and a second signature verification unit 402.
Specifically, the first signature verification unit 401 is configured to perform signature verification on each file in the first file set based on the signature file corresponding to that file in the image file, where the first file set includes: files of the plurality of files other than the initial root file system file.
The second signature verification unit 402 is configured to perform signature verification on each file in the second file set based on the signature verification result of the first file set and signature files corresponding to each file in the second file set in the image file, where the second file set includes: the initial root file system file.
As an example, the first signature verification unit 401 may be configured to: start an initial root file system based on the files in the second file set; then, through the initial root file system, perform signature verification on each file in the first file set based on the signature files corresponding to each file in the first file set in the image file.
As an example, the second signature verification unit 402 may be configured to: in the case where all files in the first file set pass signature verification, perform signature verification on each file in the second file set based on the signature files corresponding to each file in the second file set in the image file.
As an example, the second signature verification unit 402 may be configured to: under the condition that all files in the first file set pass signature verification, starting a system installer based on the files in the first file set; then, by the system installer, signature verification is performed on each file in the second set of files based on the signature files corresponding to each file in the second set of files in the image file.
As an example, the security verification apparatus of an image file according to an exemplary embodiment of the present disclosure may further include: an installation unit (not shown) configured to install the target operating system in a case where all files in the second file set pass signature verification.
As an example, the first set of files may include, but is not limited to, at least one of the following: kernel files, boot load files, installation configuration files, and root file system files.
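The two-stage order described for units 401 and 402, together with the signing step of unit 302, can be sketched as follows. This is an added illustration, not code from the patent: HMAC-SHA256 from the Python standard library stands in for the signature scheme, and the file names, the `.sig` suffix and the key are assumptions.

```python
import hashlib
import hmac

# Constructed demo key: HMAC-SHA256 stands in for the signer's key pair.
DEMO_KEY = b"constructed-demo-key"
INITRD = "initrd.img"  # second file set (assumed file name)
FIRST_SET = ("vmlinuz", "grub.cfg", "install.cfg", "rootfs.img")  # assumed names


def sign(data: bytes) -> bytes:
    """Stand-in for signing unit 302: produce a detached signature."""
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()


def build_image(files: dict) -> dict:
    """Image generation: every file is stored next to its signature file."""
    image = dict(files)
    for name, data in files.items():
        image[name + ".sig"] = sign(data)
    return image


def verify_set(image: dict, names) -> list:
    """Return the names that fail; a missing file or signature also fails."""
    failed = []
    for name in names:
        data, sig = image.get(name), image.get(name + ".sig")
        if data is None or sig is None or not hmac.compare_digest(sign(data), sig):
            failed.append(name)
    return failed


def verify_and_install(image: dict) -> str:
    """Initrd checks the first set, then the installer checks the initrd."""
    # Stage 1 (unit 401): runs inside the booted initial root file system.
    failed = verify_set(image, FIRST_SET)
    if failed:
        return "stage1-failed:" + ",".join(failed)
    # Stage 2 (unit 402): the installer is started only after stage 1 passes.
    failed = verify_set(image, (INITRD,))
    if failed:
        return "stage2-failed:" + ",".join(failed)
    return "install"  # installation unit: reached only if both stages pass


# Constructed sample contents, not real boot artifacts.
SAMPLE = {name: ("contents of " + name).encode() for name in FIRST_SET + (INITRD,)}

if __name__ == "__main__":
    print(verify_and_install(build_image(SAMPLE)))
```

A modified file or a missing signature file in either set stops the flow before the installation step, and the returned string names the stage and the files that failed.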
It should be understood that specific processes performed by the image file generating apparatus and the image file security verification apparatus according to the exemplary embodiments of the present disclosure have been described in detail with reference to fig. 1 to 4, and related details will not be repeated here.
It should be understood that each unit in the image file generation device and the image file security verification device according to the exemplary embodiments of the present disclosure may be implemented as a hardware component and/or a software component. The individual units may be implemented, for example, using a Field Programmable Gate Array (FPGA) or an Application Specific Integrated Circuit (ASIC), depending on the processing each unit is defined to perform.
Exemplary embodiments of the present disclosure provide a computer readable storage medium storing instructions that, when executed by a processor of an electronic device, enable the electronic device to perform the security verification method of an image file as described in the above exemplary embodiments. The computer readable storage medium is any data storage device that can store data which can be read by a computer system. Examples of the computer readable storage medium include: read-only memory, random access memory, compact disc read-only memory, magnetic tape, floppy disk, optical data storage device, and carrier waves (such as data transmission through the internet via wired or wireless transmission paths).
Exemplary embodiments of the present disclosure provide a computer readable storage medium storing instructions that, when executed by a processor of an electronic device, enable the electronic device to perform the image file generation method as described in the above exemplary embodiments. The computer readable storage medium is any data storage device that can store data which can be read by a computer system. Examples of the computer readable storage medium include: read-only memory, random access memory, compact disc read-only memory, magnetic tape, floppy disk, optical data storage device, and carrier waves (such as data transmission through the internet via wired or wireless transmission paths).
Fig. 7 shows a block diagram of an electronic device according to an exemplary embodiment of the present disclosure.
Referring to fig. 7, an electronic device according to an exemplary embodiment of the present disclosure includes: at least one first processor 501 and at least one first memory 502, wherein the at least one first memory 502 stores first computer executable instructions 503, which when executed by the at least one first processor 501, cause the at least one first processor 501 to perform the security verification method of an image file as described in the above exemplary embodiments. By way of example, the electronic device may be a terminal (e.g., personal notebook, desktop, etc.), to which embodiments of the present disclosure are not limited.
Fig. 8 shows a block diagram of an electronic device according to another exemplary embodiment of the present disclosure.
Referring to fig. 8, an electronic device according to an exemplary embodiment of the present disclosure includes: at least one second processor 601 and at least one second memory 602, wherein the at least one second memory 602 stores second computer executable instructions 603 and an operating system 604, and the second computer executable instructions 603, when executed by the at least one second processor 601, cause the at least one second processor 601 to perform the image file generation method as described in the above exemplary embodiments. As an example, the electronic device may be a server (e.g., a standalone server, a server cluster, a cloud platform, etc.), to which embodiments of the present disclosure are not limited.
The first processor 501 and the second processor 601 may include a Central Processing Unit (CPU), a Graphics Processor (GPU), a programmable logic device, a special purpose processor system, a microcontroller, or a microprocessor. By way of example and not limitation, the first processor 501 and the second processor 601 may also include an analog processor, a digital processor, a microprocessor, a multi-core processor, a processor array, a network processor, and the like.
In addition, the electronic device may also include a multimedia asset display (such as a liquid crystal display) and a user interaction interface (such as a keyboard, mouse, touch input device, etc.). All components of the electronic device may be connected to each other via a bus and/or a network.
Although a few exemplary embodiments of the present disclosure have been shown and described, it would be appreciated by those skilled in the art that changes may be made in these embodiments without departing from the scope and spirit of the disclosure, the scope and spirit of which is defined in the claims and their equivalents.
Claims (5)
1. A method for secure verification of an image file, wherein the image file comprises: the security verification method comprises the steps of:
starting an initial root file system based on the files in the second file set;
performing, through the initial root file system, signature verification on each file in the first file set based on a signature file corresponding to each file in the first file set in the image file, wherein the first file set comprises: files of the plurality of files other than the initial root file system file, and the second file set comprises: the initial root file system file;
starting a system installer based on the files in the first file set under the condition that all the files in the first file set pass signature verification;
performing, through the system installer, signature verification on each file in the second file set based on a signature file corresponding to each file in the second file set in the image file;
and installing the target operating system under the condition that all files in the second file set pass signature verification.
2. The security verification method of claim 1, wherein the first set of files comprises at least one of: kernel files, boot load files, installation configuration files, and root file system files.
3. A security verification apparatus for an image file, wherein the image file comprises: the security verification device includes:
a first signature verification unit configured to start an initial root file system based on the files in the second file set; and to perform, through the initial root file system, signature verification on each file in the first file set based on a signature file corresponding to each file in the first file set in the image file, wherein the first file set comprises: files of the plurality of files other than the initial root file system file, and the second file set comprises: the initial root file system file;
a second signature verification unit configured to start a system installer based on the files in the first file set in the case where all the files in the first file set pass signature verification; and to perform, through the system installer, signature verification on each file in the second file set based on a signature file corresponding to each file in the second file set in the image file;
and an installation unit configured to install the target operating system in a case where all files in the second file set pass signature verification.
4. A computer readable storage medium storing instructions which, when executed by a processor of an electronic device, enable the electronic device to perform a method of security verification of an image file as claimed in any one of claims 1 to 2.
5. An electronic device, the electronic device comprising:
at least one processor;
at least one memory storing computer-executable instructions,
wherein the computer executable instructions, when executed by the at least one processor, cause the at least one processor to perform the method of security verification of an image file as claimed in any one of claims 1 to 2.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311254982.2A CN117009982B (en) | 2023-09-26 | 2023-09-26 | Image file security verification method and device, electronic equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN117009982A (en) | 2023-11-07 |
CN117009982B (en) | 2023-12-26 |
Family ID=88567510
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311254982.2A Active CN117009982B (en) | 2023-09-26 | 2023-09-26 | Image file security verification method and device, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117009982B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8161012B1 (en) * | 2010-02-05 | 2012-04-17 | Juniper Networks, Inc. | File integrity verification using a verified, image-based file system |
CN114417360A (en) * | 2022-03-28 | 2022-04-29 | 青岛鼎信通讯股份有限公司 | System safety starting method applied to embedded power equipment |
CN115481405A (en) * | 2022-09-23 | 2022-12-16 | 北京计算机技术及应用研究所 | Safe starting and optimized upgrading method of embedded system |
CN115828252A (en) * | 2022-10-10 | 2023-03-21 | 中国科学院信息工程研究所 | Mobile terminal safe starting method capable of updating trust root |
CN116522368A (en) * | 2023-06-29 | 2023-08-01 | 浙江大学 | Firmware decryption analysis method for Internet of things equipment, electronic equipment and medium |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10331892B2 (en) * | 2017-02-24 | 2019-06-25 | Dell Products L.P. | Systems and methods for secure boot and runtime tamper detection |
Also Published As
Publication number | Publication date |
---|---|
CN117009982A (en) | 2023-11-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
AU2009233685B2 (en) | Method and apparatus for incremental code signing | |
US8997221B2 (en) | System and method for validating and controlling applications | |
US6928548B1 (en) | System and method for verifying the integrity of stored information within an electronic device | |
CN108062461A (en) | Software authorization method, device and system | |
CN108229144B (en) | Verification method of application program, terminal equipment and storage medium | |
CN112231702B (en) | Application protection method, device, equipment and medium | |
CN112163412A (en) | Data verification method and device, electronic equipment and storage medium | |
CN112163240A (en) | Block chain based distributed government affair architecture unifying method and system | |
CN111506327A (en) | Block chain node hot upgrading method and related equipment | |
CN114238874A (en) | Digital signature verification method and device, computer equipment and storage medium | |
CN112001376A (en) | Fingerprint identification method, device, equipment and storage medium based on open source component | |
CN110324343B (en) | Information monitoring and broadcasting method and device, electronic equipment and storage medium | |
CN112000933A (en) | Application software activation method and device, electronic equipment and storage medium | |
CN115514492A (en) | BIOS firmware verification method, device, server, storage medium and program product | |
CN117473020B (en) | Data access method, system, computer storage medium and terminal device | |
CN113051622B (en) | Index construction method, device, equipment and storage medium | |
CN114499859A (en) | Password verification method, device, equipment and storage medium | |
CN117009982B (en) | Image file security verification method and device, electronic equipment and storage medium | |
US11574055B2 (en) | Validation and installation of a file system | |
CN112711570A (en) | Log information processing method and device, electronic equipment and storage medium | |
CN111340484A (en) | Payment verification method, device, system, storage medium and computer equipment | |
CN115509556A (en) | Application management method, device, equipment and medium | |
KR101893504B1 (en) | A file integrity test in linux environment device and method | |
CN111177784A (en) | Security protection method and device for file system and storage medium | |
CN117389574A (en) | Application deployment method, device, equipment and medium based on preheating |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||