CN117648701B - Implementation method of security starting mechanism of embedded operating system and electronic terminal - Google Patents
- Publication number
- CN117648701B (CN202410116201.1A)
- Authority
- CN
- China
- Prior art keywords
- kernel
- partition
- boot
- starting
- signature
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/575—Secure boot
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
Abstract
The invention discloses a method for implementing a secure boot mechanism of an embedded operating system, comprising the following steps: boot partition signature verification, in which the bootloader U-Boot is started, the signature of the kernel is verified, and the kernel is started after the signature verification passes; kernel partition signature verification, in which a signature verification program is booted from the Ramdisk file system in the kernel, the signatures of the startup loading file and the security management software are verified, and the embedded operating system and the security management software are started after the signature verification passes; and reverse verification, in which the security management software verifies the signatures of the boot partition and the kernel partition and opens the ESAM access interface after the signature verification passes. The invention also discloses an electronic device. The invention solves the technical problem that existing embedded operating systems cannot implement secure boot or ensure the integrity and feasibility of the software running in the system.
Description
Technical Field
The present invention relates to the field of embedded operating systems, and in particular, to a method for implementing a secure boot mechanism of an embedded operating system and an electronic terminal.
Background
Currently, smart devices such as fusion terminals and energy controllers are coming into use in existing power grid equipment. These devices are built on high-end platforms and employ new technologies such as edge computing and container technology. On the hardware side, the requirements on chip performance and functionality keep rising. On the software side, the underlying operating system must be flexible and specialized, must support the integration of more new technologies and the demands that services place on the underlying technology, and must meet increasingly strict security requirements. The embedded operating system is responsible for allocating all software and hardware resources, scheduling tasks, and controlling and coordinating the concurrent activities of the embedded system. With their rapid development, embedded operating systems are gradually entering more fields, such as the power grid, but they still carry huge potential security hazards. For example, patent document 200610063319.4 discloses a method and a device for booting an image file of an embedded operating system, which does not solve the technical problem that existing embedded operating systems cannot implement secure boot or ensure the integrity and feasibility of the software running in the system. A method for implementing a secure boot mechanism of an embedded operating system, and an electronic terminal, are therefore needed to solve this technical problem.
Disclosure of Invention
The main object of the invention is to provide a method for implementing a secure boot mechanism of an embedded operating system, and an electronic terminal, which solve the technical problem that existing embedded operating systems cannot implement secure boot or ensure the integrity and feasibility of the software running in the system.
To achieve the above object, the present invention provides a method for implementing a secure boot mechanism of an embedded operating system, which includes the following steps:
S1, boot partition signature verification: the bootloader U-Boot is started, the signature of the kernel is verified, and the kernel is started after the signature verification passes;
S2, kernel partition signature verification: a signature verification program is booted from the Ramdisk file system in the kernel, the signatures of the startup loading file and the security management software are verified, and the embedded operating system and the security management software are started after the signature verification passes;
S3, the security management software reversely verifies the signatures of the boot partition and the kernel partition, and opens the ESAM access interface after the signature verification passes.
In one preferred embodiment, the step S1 specifically includes:
S11, starting the bootloader U-Boot and reading the header data of the kernel boot partition from the eMMC;
S12, porting the SM3 cryptographic algorithm, calculating the hash value of the kernel with the SM3 cryptographic algorithm, and obtaining the serial number and the signature value from the first signature information of the kernel boot partition;
S13, exchanging the kernel signature information with the ESAM over the SPI bus, and starting the kernel after the ESAM reply frame indicates that the signature verification passes; if the verification fails, reading the kernel data from the backup partition and verifying its signature, and starting the kernel after that verification passes; otherwise the signature verification has failed and the system waits for a reset.
In one preferred embodiment, the header data of the kernel boot partition includes the length of the kernel data and the starting position of the first signature information.
In one preferred embodiment, after the step S11, the method further includes:
reading the header data of the kernel boot partition from the eMMC to the kernel start address in the DDR, and locating the original kernel data and the signature digest information in the first signature information by means of the kernel start address and the size of the original kernel file.
In one preferred embodiment, the step S11 specifically includes:
starting the bootloader U-Boot;
reading the header data of the kernel boot partition through a kernel header check function;
calculating the size of the original kernel file from the header data of the kernel boot partition, and packaging the original file together with the header data of the kernel boot partition to form an ESAM interaction transmission frame.
In one preferred embodiment, the step S2 specifically includes:
S21, booting the signature verification program from the Ramdisk file system, reading the signed startup loading file and the compressed package of the security management software, and obtaining the data of the startup loading file and the security management software together with the second signature information;
S22, porting the SM3 cryptographic algorithm, calculating the hash values of the startup loading file and the security management software with the SM3 cryptographic algorithm, and obtaining the serial number and the signature value from the second signature information;
S23, exchanging the signature information of the startup loading file and the security management software with the ESAM over the SPI bus, decompressing the compressed package of the security management software after the ESAM reply frame indicates that the signature verification passes, and starting the embedded operating system and the security management software; if the signature verification fails, performing signature verification from the backup partition, and starting the embedded operating system and the security management software after that verification passes; otherwise the signature verification has failed and the system waits for a reset.
In one preferred embodiment, before the step S21, the method further includes: mounting the Ramdisk file system.
In one preferred embodiment, after the step S23, the method further includes:
mounting the root file system after the startup loading file and the security management software pass signature verification.
In one preferred embodiment, the step S3 specifically includes:
S31, the security management software reads the header information of the boot partition and the kernel partition, and obtains the partition data of the boot partition and the kernel partition according to the header information;
S32, porting the SM3 cryptographic algorithm, calculating the hash values of the header information of the boot partition and the kernel partition with the SM3 cryptographic algorithm, packaging the hash values together with the first signature information and the second signature information to form a transmission frame, and accessing the ESAM interface; if the data returned by the ESAM indicates that the reverse signature verification is normal, the service application software is started; otherwise the service application software is not started.
An electronic terminal comprises a processor, a memory, and an application program for secure boot of an embedded operating system that is stored in the memory and can run on the processor, wherein the method for implementing the secure boot mechanism of the embedded operating system is carried out when the application program is executed.
In the technical solution of the invention, the method for implementing the secure boot mechanism of the embedded operating system comprises the following steps: boot partition signature verification, in which the bootloader U-Boot is started, the signature of the kernel is verified, and the kernel is started after the signature verification passes; kernel partition signature verification, in which a signature verification program is booted from the Ramdisk file system in the kernel, the signatures of the startup loading file and the security management software are verified, and the embedded operating system and the security management software are started after the signature verification passes; and reverse verification, in which the security management software verifies the signatures of the boot partition and the kernel partition and opens the ESAM access interface after the signature verification passes. The invention solves the technical problem that existing embedded operating systems cannot implement secure boot or ensure the integrity and feasibility of the software running in the system.
The invention establishes a trusted verification flow that runs from the bootloader U-Boot and the kernel through to the start of the security management software. The flow comprises boot partition signature verification, kernel partition signature verification, and reverse verification by the security management software, forming closed-loop management of signature verification for the operating system and the security management software and ensuring the integrity and credibility of the software running in the embedded operating system.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the description below are only some embodiments of the invention, and that other drawings may be obtained from the structures shown in these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a method for implementing a secure boot mechanism of an embedded operating system according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a boot partition verification in accordance with an embodiment of the present invention;
FIG. 3 is a schematic diagram of a kernel partition verification in an embodiment of the present invention;
FIG. 4 is a schematic diagram of step S3 in an embodiment of the present invention.
The achievement of the object, functional features and advantages of the present invention will be further described with reference to the drawings in connection with the embodiments.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all embodiments of the invention. All other embodiments, based on the embodiments of the invention, which are apparent to those of ordinary skill in the art without inventive faculty, are intended to be within the scope of the invention.
Furthermore, descriptions such as those referred to as "first," "second," and the like, are provided for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implying an order of magnitude of the indicated technical features in the present disclosure. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature.
Moreover, the technical solutions of the embodiments of the present invention may be combined with each other, but it is necessary to be based on the fact that those skilled in the art can implement the embodiments, and when the technical solutions are contradictory or cannot be implemented, it should be considered that the combination of the technical solutions does not exist, and is not within the scope of protection claimed by the present invention.
Referring to FIGS. 1-4, according to one aspect of the present invention, a method for implementing a secure boot mechanism of an embedded operating system is provided, which includes the following steps:
S1, boot partition signature verification: the bootloader U-Boot is started, the signature of the kernel is verified, and the kernel is started after the signature verification passes;
S2, kernel partition signature verification: a signature verification program is booted from the Ramdisk file system in the kernel, the signatures of the startup loading file and the security management software are verified, and the embedded operating system and the security management software are started after the signature verification passes;
S3, the security management software reversely verifies the signatures of the boot partition and the kernel partition, and opens the ESAM access interface after the signature verification passes.
Specifically, in this embodiment, the step S1 specifically includes:
S11, starting the bootloader U-Boot and reading the header data of the kernel boot partition from the eMMC; the header data of the kernel boot partition comprises the length of the kernel data and the starting position of the first signature information, so that the correct signature digest information is obtained;
S12, porting the SM3 cryptographic algorithm, calculating the hash value of the kernel with the SM3 cryptographic algorithm, and obtaining the serial number and the signature value from the first signature information of the kernel boot partition;
S13, the embedded operating system exchanges the kernel signature information with the ESAM over the SPI bus, and starts the kernel after the ESAM reply frame indicates that the signature verification passes; if the verification fails, the kernel data is read from the backup partition and its signature is verified, and the kernel is started after that verification passes; otherwise the signature verification has failed and the system waits for a reset.
Specifically, in this embodiment, after step S11, the method further includes:
reading the header data of the kernel boot partition from the eMMC to the kernel start address in the DDR, and locating the original kernel data and the signature digest information in the first signature information by means of the kernel start address and the size of the original kernel file.
Specifically, in this embodiment, the data type used by the SM3 cryptographic algorithm is unsigned long. unsigned long is an integer data type used to store unsigned integers; it occupies 4 bytes under 32-bit Linux and 8 bytes under 64-bit Linux, so on a 32-bit system and a 64-bit system the same content with the same endianness yields inconsistent results. The same result can be obtained on both by forcing unsigned int as the data type.
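The width problem described above, as an added example (not code from the patent): an SM3 implementation written with fixed-width `uint32_t` words and checked against the two sample digests published with the SM3 standard. `rotl_wide` is a hypothetical helper that shows how the same rotate misbehaves when `unsigned long` is 64 bits wide.

```c
/* Added example: SM3 with fixed-width 32-bit words. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* uint32_t arithmetic wraps at 2^32 on 32-bit and 64-bit Linux alike. */
static uint32_t rotl(uint32_t x, unsigned n) {
    n &= 31;
    return n ? (x << n) | (x >> (32 - n)) : x;
}

/* The porting defect: with a 64-bit unsigned long the bit shifted out of
 * position 31 is kept in bit 32 instead of being discarded. */
unsigned long rotl_wide(unsigned long x, unsigned n) {
    return (x << n) | (x >> (32 - n));
}

static uint32_t p0(uint32_t x) { return x ^ rotl(x, 9) ^ rotl(x, 17); }
static uint32_t p1(uint32_t x) { return x ^ rotl(x, 15) ^ rotl(x, 23); }

/* One compression round over a 64-byte block. */
static void sm3_compress(uint32_t v[8], const uint8_t *blk) {
    uint32_t w[68], s[8];
    int j;
    for (j = 0; j < 16; j++)   /* message words are big-endian */
        w[j] = (uint32_t)blk[4 * j] << 24 | (uint32_t)blk[4 * j + 1] << 16 |
               (uint32_t)blk[4 * j + 2] << 8 | blk[4 * j + 3];
    for (j = 16; j < 68; j++)
        w[j] = p1(w[j - 16] ^ w[j - 9] ^ rotl(w[j - 3], 15)) ^
               rotl(w[j - 13], 7) ^ w[j - 6];
    memcpy(s, v, sizeof s);
    for (j = 0; j < 64; j++) {
        uint32_t a = s[0], b = s[1], c = s[2], d = s[3];
        uint32_t e = s[4], f = s[5], g = s[6], h = s[7];
        uint32_t t = j < 16 ? 0x79cc4519u : 0x7a879d8au;
        uint32_t ss1 = rotl(rotl(a, 12) + e + rotl(t, (unsigned)j), 7);
        uint32_t ss2 = ss1 ^ rotl(a, 12);
        uint32_t ff = j < 16 ? (a ^ b ^ c) : ((a & b) | (a & c) | (b & c));
        uint32_t gg = j < 16 ? (e ^ f ^ g) : ((e & f) | (~e & g));
        uint32_t tt1 = ff + d + ss2 + (w[j] ^ w[j + 4]);
        uint32_t tt2 = gg + h + ss1 + w[j];
        s[0] = tt1;     s[1] = a; s[2] = rotl(b, 9);  s[3] = c;
        s[4] = p0(tt2); s[5] = e; s[6] = rotl(f, 19); s[7] = g;
    }
    for (j = 0; j < 8; j++) v[j] ^= s[j];
}

/* SM3 digest of msg[0..len) written to out[32]. */
void sm3(const uint8_t *msg, size_t len, uint8_t out[32]) {
    uint32_t v[8] = { 0x7380166fu, 0x4914b2b9u, 0x172442d7u, 0xda8a0600u,
                      0xa96f30bcu, 0x163138aau, 0xe38dee4du, 0xb0fb0e4eu };
    uint8_t tail[128] = { 0 };
    size_t rem = len % 64, full = len - rem, i;
    size_t tlen = rem < 56 ? 64 : 128;      /* room for 0x80 + 8-byte length */
    uint64_t bits = (uint64_t)len * 8;
    for (i = 0; i < full; i += 64) sm3_compress(v, msg + i);
    if (rem) memcpy(tail, msg + full, rem);
    tail[rem] = 0x80;
    for (i = 0; i < 8; i++) tail[tlen - 1 - i] = (uint8_t)(bits >> (8 * i));
    for (i = 0; i < tlen; i += 64) sm3_compress(v, tail + i);
    for (i = 0; i < 32; i++) out[i] = (uint8_t)(v[i / 4] >> (24 - 8 * (i % 4)));
}

/* Returns 1 when SM3(msg) equals the expected lowercase hex digest. */
int sm3_matches_hex(const char *msg, const char *expected_hex) {
    uint8_t d[32];
    char hex[65];
    int i;
    sm3((const uint8_t *)msg, strlen(msg), d);
    for (i = 0; i < 32; i++) snprintf(hex + 2 * i, 3, "%02x", d[i]);
    return strcmp(hex, expected_hex) == 0;
}

int main(void) {
    printf("abc vector ok: %d\n", sm3_matches_hex("abc",
        "66c7f0f462eeedd9d1f2d46bdc10e4e24167c4875cf2f7a2297da02b8f4ba8e0"));
    printf("sizeof(unsigned long) = %u, rotl_wide(0x80000000, 1) = %#lx\n",
           (unsigned)sizeof(unsigned long), rotl_wide(0x80000000ul, 1));
    return 0;
}
```

Building the same source for a 32-bit and a 64-bit target and comparing the output for a standard vector is a quick regression check for this class of porting error.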
Specifically, in this embodiment, the step S11 specifically includes:
starting the bootloader U-Boot;
reading the header data of the kernel boot partition through a kernel header check function;
calculating the size of the original kernel file from the header data of the kernel boot partition, and packaging the original file together with the header data of the kernel boot partition to form an ESAM interaction transmission frame.
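An added sketch of steps S11 to S13 (not code from the patent): the header fields are bounds-checked before anything is hashed or handed to the ESAM, and the backup partition is tried before the boot gives up. The header layout, the signature-block sizes and every name are assumptions; the SM3 hash and the SPI exchange with the ESAM are represented by a caller-supplied callback.

```c
/* Added example: header layout, sizes and all names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN    8u   /* assumed header: u32 kernel_len, u32 sig_offset (LE) */
#define SERIAL_LEN 8u   /* assumed size of the serial number */
#define SIGVAL_LEN 64u  /* assumed size of the signature value */

struct kernel_image {
    const uint8_t *kernel;  uint32_t kernel_len;
    const uint8_t *serial;  const uint8_t *sig;
};
enum boot_result { BOOT_PRIMARY, BOOT_BACKUP, BOOT_WAIT_RESET };

/* Stand-in for S12 + S13: hash the kernel, exchange the frame with the ESAM
 * over SPI, return nonzero when the reply frame reports a valid signature. */
typedef int (*esam_verify_fn)(const struct kernel_image *img);

static uint32_t get_le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* S11: the header is read before any signature has been checked, so both
 * fields are untrusted and are validated against the partition size. */
int parse_partition(const uint8_t *part, size_t part_len, struct kernel_image *img) {
    uint32_t klen, sig_off;
    if (part_len < HDR_LEN) return -1;
    klen = get_le32(part);
    sig_off = get_le32(part + 4);
    if (klen == 0 || klen > part_len - HDR_LEN) return -1;         /* kernel fits */
    if (sig_off < HDR_LEN || sig_off - HDR_LEN < klen) return -1;  /* no overlap */
    if (sig_off > part_len || part_len - sig_off < SERIAL_LEN + SIGVAL_LEN)
        return -1;                                         /* signature fits */
    img->kernel = part + HDR_LEN;
    img->kernel_len = klen;
    img->serial = part + sig_off;
    img->sig = part + sig_off + SERIAL_LEN;
    return 0;
}

/* S13: primary partition first, then backup; if both fail, wait for reset. */
enum boot_result select_kernel(const uint8_t *pri, size_t pri_len,
                               const uint8_t *bak, size_t bak_len,
                               esam_verify_fn verify, struct kernel_image *out) {
    if (parse_partition(pri, pri_len, out) == 0 && verify(out)) return BOOT_PRIMARY;
    if (parse_partition(bak, bak_len, out) == 0 && verify(out)) return BOOT_BACKUP;
    memset(out, 0, sizeof *out);   /* do not leave a rejected image reachable */
    return BOOT_WAIT_RESET;
}

/* Constructed sample partition. state 0 = valid, 1 = bad signature,
 * 2 = header whose signature offset points past the partition. */
static size_t make_partition(uint8_t *buf, int state) {
    static const uint8_t kernel[16] = "constructed-krn";
    uint32_t sig_off = HDR_LEN + (uint32_t)sizeof kernel;
    size_t total = sig_off + SERIAL_LEN + SIGVAL_LEN;
    memset(buf, 0, total);
    put_le32(buf, (uint32_t)sizeof kernel);
    put_le32(buf + 4, state == 2 ? 0xFFFFFF00u : sig_off);
    memcpy(buf + HDR_LEN, kernel, sizeof kernel);
    buf[sig_off + SERIAL_LEN] = state == 1 ? 0x00 : 0xA5;  /* mock marker */
    return total;
}

/* Mock ESAM: accepts only the constructed marker byte. */
static int mock_esam_verify(const struct kernel_image *img) {
    return img->sig[0] == 0xA5;
}

enum boot_result demo(int primary_state, int backup_state) {
    uint8_t pri[128], bak[128];
    size_t pl = make_partition(pri, primary_state);
    size_t bl = make_partition(bak, backup_state);
    struct kernel_image img;
    return select_kernel(pri, pl, bak, bl, mock_esam_verify, &img);
}

int main(void) {
    printf("good/good=%d bad-sig/good=%d bad-hdr/good=%d bad/bad=%d\n",
           demo(0, 0), demo(1, 0), demo(2, 0), demo(1, 2));
    return 0;
}
```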
Specifically, in this embodiment, the step S2 specifically includes:
S21, booting the signature verification program from the Ramdisk file system, reading the signed startup loading file and the compressed package of the security management software, and obtaining the data of the startup loading file and the security management software together with the second signature information, in particular the signature digest information in the second signature information;
S22, porting the SM3 cryptographic algorithm, calculating the hash values of the startup loading file and the security management software with the SM3 cryptographic algorithm, and obtaining the serial number and the signature value from the second signature information;
S23, the embedded operating system exchanges the signature information of the startup loading file and the security management software with the ESAM over the SPI bus, decompresses the compressed package of the security management software after the ESAM reply frame indicates that the signature verification passes, and starts the embedded operating system and the security management software; if the signature verification fails, signature verification is performed from the backup partition, and the embedded operating system and the security management software are started after that verification passes; otherwise the signature verification has failed and the system waits for a reset.
Specifically, in this embodiment, before signing the kernel partition, the driver of ESAM is also required to be recorded, so that the related encrypted device name is generated in the Ramdisk file system.
Specifically, in this embodiment, before the step S21, the method further includes: mounting the Ramdisk file system and, once it is mounted successfully, starting the kernel partition's signature verification program from the Ramdisk file system and verifying the signatures of the startup loading file and the compressed package of the security management software. The Ramdisk file system is packaged in the kernel image and runs in DDR memory, and the kernel mounts the Ramdisk file system first when it starts. This avoids the situation in which the system cannot be logged into when the file system in the eMMC fails to be read or mounted, so system stability is better. Device drivers can also be loaded in advance by changing the file system, which makes it possible to mount key files of the root file system ahead of time.
Specifically, in this embodiment, after the step S23, the method further includes: mounting the root file system after the startup loading file and the security management software pass signature verification.
Specifically, in this embodiment, the step S3 specifically includes:
S31, the security management software reads the header information of the boot partition and the kernel partition by reading the block devices, specifically obtaining the bootloader U-Boot of the boot partition and the kernel data of the kernel partition; the partition data of the boot partition and the kernel partition are obtained according to the header information, that is, the data information and the signature digest information of the boot partition and the kernel partition are obtained according to the header data;
S32, porting the SM3 cryptographic algorithm, calculating the hash values of the header information of the boot partition and the kernel partition with the SM3 cryptographic algorithm, packaging the hash values together with the first signature information and the second signature information to form a transmission frame, and accessing the ESAM interface; if the data returned by the ESAM indicates that the reverse signature verification is normal, the service application software is started; if the signature verification fails, signature verification is performed from the backup partition and the service application software is started after that verification passes; otherwise the service application software is not started.
Specifically, in this embodiment, a trusted verification flow running from the bootloader U-Boot and the kernel through to the start of the service application software is established on the basis of digital-certificate signing and signature verification and the ESAM security chip. The flow includes forward measurement and reverse measurement, forming closed-loop management of signature verification for the operating system and the application software, and ensuring the integrity and credibility of the software running in the terminal as well as the security and controllability of each terminal's system image and application software.
Specifically, in this embodiment, a terminal running a Linux system with eMMC as its storage medium generally includes the bootloader U-Boot, the environment variables env, a kernel, a root file system and application service software. The aim is for the terminal to use the distributed operating system image and for the service application software in use to be the unified release version, so as to prevent the system and the applications from being tampered with or stolen and to keep the system and the applications safe and reliable.

Referring to FIG. 2, after the bootloader U-Boot is started, the header data of the kernel boot partition is read from the eMMC. The header data includes the length of the kernel data to be read and the starting position of the first signature information to be read, so that the correct signature digest information is obtained. The SM3 cryptographic algorithm is ported, the hash value of the kernel is calculated with the SM3 cryptographic algorithm, and the serial number and the signature value are obtained from the first signature information. The related kernel signature information is exchanged with the ESAM over the SPI bus, and the kernel is started after the reply frame indicates that the signature verification passes.

Referring to FIG. 3, the Ramdisk file system boots the signature verification program, which reads the signed startup loading file and the compressed package of the security management software and obtains the correct data information and signature digest information. The SM3 cryptographic algorithm is ported, the hash values of the startup loading file and the compressed package of the security management software are calculated with the SM3 cryptographic algorithm, and the serial number and the signature value are obtained from the second signature information. The related signature information of the startup loading file and the compressed package of the security management software is exchanged with the ESAM over the SPI bus; after the reply frame indicates that the signature verification passes, the compressed package of the security management software is decompressed and the security management software is started.

Referring to FIG. 4, the security management software reversely verifies the signatures of the bootloader U-Boot and the kernel, and opens the ESAM access interface after the verification succeeds; otherwise the security management software exits.
An electronic terminal comprises a processor, a memory, and an application program implementing the secure boot mechanism of the embedded operating system that is stored in the memory and can run on the processor, wherein the steps of the method for implementing the secure boot mechanism of the embedded operating system are carried out when the application program is executed.
The foregoing description of the preferred embodiments of the present invention should not be construed as limiting the scope of the invention, but rather as utilizing equivalent structural changes made in the description of the present invention and the accompanying drawings or directly/indirectly applied to other related technical fields under the inventive concept of the present invention.
Claims (6)
1. A method for implementing a secure boot mechanism of an embedded operating system, characterized by comprising the following steps:
S1, boot partition signature verification: the bootloader U-Boot is started, the signature of the kernel is verified, and the kernel is started after the signature verification passes; specifically:
S11, starting the bootloader U-Boot and reading the header data of the kernel boot partition from the eMMC; the header data of the kernel boot partition comprises the length of the kernel data and the starting position of the first signature information; specifically:
starting the bootloader U-Boot;
reading the header data of the kernel boot partition through a kernel header check function;
calculating the size of the original kernel file from the header data of the kernel boot partition, and packaging the original file together with the header data of the kernel boot partition to form an ESAM interaction transmission frame;
after the step S11, the method further includes:
reading the header data of the kernel boot partition from the eMMC to the kernel start address in the DDR, and locating the original kernel data and the signature digest information in the first signature information by means of the kernel start address and the size of the original kernel file;
S12, porting the SM3 cryptographic algorithm, calculating the hash value of the kernel with the SM3 cryptographic algorithm, and obtaining the serial number and the signature value from the first signature information of the kernel boot partition;
S13, exchanging the kernel signature information with the ESAM over the SPI bus, and starting the kernel after the ESAM reply frame indicates that the signature verification passes; if the verification fails, reading the kernel data from the backup partition and verifying its signature, and starting the kernel after that verification passes; otherwise the signature verification has failed and the system waits for a reset;
S2, kernel partition signature verification: a signature verification program is booted from the Ramdisk file system in the kernel, the signatures of the startup loading file and the security management software are verified, and the embedded operating system and the security management software are started after the signature verification passes;
S3, the security management software reversely verifies the signatures of the boot partition and the kernel partition, and opens the ESAM access interface after the signature verification passes.
2. The method for implementing the secure boot mechanism of the embedded operating system according to claim 1, wherein the step S2 is specifically:
s21, guiding a startup signature verification program through a Ramdisk file system, reading a signed startup loading file and a compression package of security management software, and acquiring data and second signature information of the startup loading file and the security management software;
s22, transplanting an SM3 national encryption algorithm, calculating hash values of the boot loading file and the security management software according to the SM3 national encryption algorithm, and acquiring a serial number and a signature value from the second signature information;
s23, interactively starting signature information of the loaded file and the security management software with the ESAM through an SPI bus, decompressing the security management software compression package after the ESAM reply frame is checked to be qualified, and starting an embedded operating system and the security management software; if the signature verification is not qualified, the signature verification is carried out from the backup partition, and after the signature verification is qualified, the embedded operating system and the security management software are started, otherwise, the signature verification is failed, and the system is waited for resetting.
3. The method for implementing the secure boot mechanism of the embedded operating system according to claim 2, further comprising, before step S21: mounting the Ramdisk file system.
4. The method for implementing the secure boot mechanism of the embedded operating system according to claim 2, further comprising, after step S23:
mounting the root file system after the boot loading file and the security management software have passed signature verification.
5. The method for implementing the secure boot mechanism of the embedded operating system according to claim 1, wherein step S3 specifically comprises:
S31, the security management software reads the header information of the boot partition and the kernel partition, and acquires the partition data of the boot partition and the kernel partition according to the header information;
S32, porting the SM3 cryptographic algorithm, calculating the hash values of the header information of the boot partition and the kernel partition with the SM3 cryptographic algorithm, packaging the hash values together with the first signature information and the second signature information into a transmission frame, and accessing the ESAM interface; if the data returned by the ESAM indicates that reverse signature verification is normal, starting the service application software; otherwise, not starting the service application software.
6. An electronic terminal, comprising a processor, a memory, and an application program for implementing the secure boot mechanism of the embedded operating system, the application program being stored in the memory and executable on the processor, wherein the application program, when executed by the processor, implements the steps of the method for implementing the secure boot mechanism of the embedded operating system according to any one of claims 1-5.
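The staged control flow of steps S13, S23 and S3 (primary copy, then backup copy, then wait for reset, with reverse verification as the final gate) can be modelled as below. This is an added example, not code from the patent: `toy_tag` is a non-cryptographic stand-in for SM3, `esam_verify` stands in for the ESAM exchange over SPI, and the `image_t` layout, all names and the sample data are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed image record: payload plus the signature value from its header. */
typedef struct { const uint8_t *data; size_t len; uint32_t sig; } image_t;
typedef enum { USED_PRIMARY, USED_BACKUP, WAIT_RESET } slot_t;
typedef struct { slot_t kernel, userland; bool reverse_ok; } boot_state_t;
/* Toy FNV-1a tag: a stand-in for the SM3 hash, NOT a secure digest. */
static uint32_t toy_tag(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}
/* Stand-in for the ESAM exchange over SPI (assumption: pass/fail reply only). */
static bool esam_verify(const image_t *img) {
    return toy_tag(img->data, img->len) == img->sig;
}
/* S13 / S23: primary copy, then backup copy, otherwise wait for reset. */
static slot_t verify_with_fallback(const image_t *pri, const image_t *bak) {
    if (esam_verify(pri)) return USED_PRIMARY;
    if (esam_verify(bak)) return USED_BACKUP;
    return WAIT_RESET;
}
/* S1 -> S2 -> S3 in order; no stage runs after an earlier one has failed. */
boot_state_t secure_boot(const image_t k[2], const image_t u[2],
                         const image_t *boot_hdr, const image_t *kern_hdr) {
    boot_state_t st = { WAIT_RESET, WAIT_RESET, false };
    if ((st.kernel = verify_with_fallback(&k[0], &k[1])) == WAIT_RESET) return st;
    if ((st.userland = verify_with_fallback(&u[0], &u[1])) == WAIT_RESET) return st;
    /* S3: reverse verification has no backup path; both headers must pass. */
    st.reverse_ok = esam_verify(boot_hdr) && esam_verify(kern_hdr);
    return st;
}
/* Constructed input; bit i of `corrupt` tampers with image i after signing:
 * 0/1 kernel primary/backup, 2/3 loader+security software, 4/5 partition headers. */
boot_state_t demo(unsigned corrupt) {
    static const char *src[6] = { "kernel", "kernel", "loader+secmgr",
                                  "loader+secmgr", "boot-hdr", "kernel-hdr" };
    uint8_t buf[6][16]; image_t im[6];
    for (int i = 0; i < 6; i++) {
        size_t n = strlen(src[i]);
        memcpy(buf[i], src[i], n);
        im[i] = (image_t){ buf[i], n, toy_tag(buf[i], n) };
        if (corrupt & (1u << i)) buf[i][0] ^= 0xFF;
    }
    return secure_boot(&im[0], &im[2], &im[4], &im[5]);
}
int main(void) { return demo(0).reverse_ok ? 0 : 1; }
```

In `demo`, tampering with only a primary copy still boots from the backup, while tampering with either partition header leaves `reverse_ok` false, so the service application would not be started.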
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410116201.1A CN117648701B (en) | 2024-01-29 | 2024-01-29 | Implementation method of security starting mechanism of embedded operating system and electronic terminal |
Publications (2)
Publication Number | Publication Date |
---|---|
CN117648701A CN117648701A (en) | 2024-03-05 |
CN117648701B CN117648701B (en) | 2024-04-09 |
Family
ID=90048072
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410116201.1A Active CN117648701B (en) | 2024-01-29 | 2024-01-29 | Implementation method of security starting mechanism of embedded operating system and electronic terminal |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117648701B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2008122171A1 (en) * | 2007-04-06 | 2008-10-16 | Zte Corporation | A security pilot method and a system thereof, code signature construction method and authentication method |
CN101751273A (en) * | 2008-12-15 | 2010-06-23 | 中国科学院声学研究所 | Safety guide device and method for embedded system |
CN115357908A (en) * | 2022-10-19 | 2022-11-18 | 中国人民解放军军事科学院系统工程研究院 | Network equipment kernel credibility measurement and automatic restoration method |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8631239B2 (en) * | 2012-01-12 | 2014-01-14 | Facebook, Inc. | Multiple system images for over-the-air updates |
US10664599B2 (en) * | 2017-05-01 | 2020-05-26 | International Business Machines Corporation | Portable executable and non-portable executable boot file security |
US11520895B2 (en) * | 2020-12-07 | 2022-12-06 | Samsung Electronics Co., Ltd. | System and method for dynamic verification of trusted applications |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |