CN117749785A - Data transmission method and related equipment - Google Patents

Info

Publication number
CN117749785A
Authority
CN
China
Prior art keywords
processor
bmc
network
certificate
key
Prior art date
Legal status
Pending
Application number
CN202311542256.0A
Other languages
Chinese (zh)
Inventor
王钦东
Current Assignee
XFusion Digital Technologies Co Ltd
Original Assignee
XFusion Digital Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by XFusion Digital Technologies Co Ltd
Priority to CN202311542256.0A
Publication of CN117749785A

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The embodiment of the application discloses a data transmission method and related equipment, used to realize data transmission between the in-band and out-of-band sides of a server. The application applies to a server comprising a processor and a baseboard management controller (BMC). The processor first obtains first network information of the BMC through an internal channel of the server. The processor then establishes a first network connection with the BMC on a network channel based on the first network information, so that the processor and the BMC can perform data transmission through the first network connection, thereby enabling trusted transmission of large files without installing a driver.

Description

Data transmission method and related equipment
Technical Field
The present disclosure relates to the field of computers, and in particular, to a data transmission method and related devices.
Background
Management of a server can be divided into two parts: out-of-band management and in-band management. Common out-of-band management software includes the intelligent baseboard management controller (Intelligent Baseboard Management Controller, iBMC), which runs on the baseboard management controller (Baseboard Management Controller, BMC) and provides various interfaces for server management. Common in-band management software includes the intelligent baseboard management agent (Intelligent Baseboard Management Agent, iBMA), which runs on a processor (e.g., a central processing unit (Central Processing Unit, CPU)) to obtain and provide information on parts of the system that are not directly available to the out-of-band management software, so as to assist the out-of-band management software in managing the server.
Currently, communication between in-band management software and out-of-band management software may be achieved in two ways, described below. Mode 1: communication through a virtual network port. Specifically, a virtual network port is simulated by a peripheral component interconnect express (PCIe) device or a universal serial bus (Universal Serial Bus, USB) device, and the in-band and out-of-band management software communicate through this virtual network port. Mode 2: communication through a PCIe device. Specifically, the in-band and out-of-band management software communicate through a device simulated over PCIe.
However, mode 1 above exposes a virtual network port, which may pose a security risk. Mode 2 requires installing a driver for the simulated device, and because the Linux system has numerous kernel versions, the driver must be compiled for each kernel before it can be used, so the development cost is too high.
Disclosure of Invention
The embodiment of the application provides a data transmission method and related equipment, used to realize data transmission between the in-band and out-of-band sides of a server.
The first aspect of the application provides a data transmission method for a server, where the server comprises a processor and a BMC. In the application, the processor first acquires first network information of the BMC through an internal channel of the server. The processor then establishes a first network connection with the BMC on a network channel based on the first network information, so that the processor and the BMC can perform data transmission through the first network connection, thereby enabling trusted transmission of large files without installing a driver.
In some possible implementations, the processor may send a request message to the BMC through the internal channel, where the request message requests the first network information. The processor then receives a response message sent by the BMC through the internal channel, where the response message comprises the first network information. In this way the processor acquires the first network information of the BMC through the internal channel of the server.
In some possible implementations, the first network information includes a first network address and a first port number. The processor sends a first connection request to the BMC through the network channel, where the destination address of the first connection request is the first network address and its destination port is the first port number, and the first connection request is used to request establishment of the first network connection. The processor then receives a first connection response sent by the BMC through the network channel, where the first connection response responds to the first connection request so as to establish the first network connection. In this way the processor establishes the first network connection with the BMC over the network channel based on the first network information.
In some possible implementations, the first network information further includes a first certificate public key, the first connection response includes a first certificate, the digital signature of the first certificate is produced with a first certificate private key, and the first certificate private key and the first certificate public key are a matched public-private key pair. Then, after the processor receives the first connection response sent by the BMC through the network channel, the processor may verify the first certificate based on the first certificate public key, so as to verify the legitimacy of the BMC.
In some possible implementations, the first certificate includes a first subject public key. After the processor verifies the first certificate based on the first certificate public key, if the verification succeeds, the processor obtains the first subject public key from the first certificate. The processor may generate a first communication key and encrypt it with the first subject public key to obtain an encrypted first communication key. The processor can then send the encrypted first communication key to the BMC through the network channel, so that the BMC decrypts it with a first subject private key and recovers the first communication key, the first subject private key and the first subject public key being a matched public-private key pair. The processor and the BMC then perform data transmission through the first network connection based on the first communication key.
In some possible implementations, the first network information further includes a first token. Then, after the processor establishes the first network connection with the BMC on the network channel based on the first network information, the processor sends a first access request through the first network connection, where the first access request carries the first token, so that the BMC verifies the legitimacy of the processor based on the first token.
In some possible implementations, the first network connection is a hypertext transfer protocol secure (Hypertext Transfer Protocol Secure, HTTPS) based connection, thereby enabling data transfer between the processor and the BMC.
In some possible implementations, the internal channel is an intelligent platform management interface (Intelligent Platform Management Interface, IPMI) channel, so that the processor can obtain trusted network information from the BMC.
In some possible implementations, the first network address is a media access control (Media Access Control, MAC) address and/or an internet protocol (Internet Protocol, IP) address, so that the processor can access the BMC over the network channel based on the first network address.
In some possible implementations, the network channel is a channel provided by a network device or a network.
The second aspect of the application provides a data transmission method for a server, where the server comprises a processor and a BMC. In the application, the BMC first acquires second network information of the processor through an internal channel, and establishes a second network connection with the processor on the network channel based on the second network information. The BMC can then perform data transmission with the processor through the second network connection, thereby enabling trusted transmission of large files without installing a driver.
In some possible implementations, the BMC receives, through the internal channel, target information sent by the processor, where the target information indicates the second network information. In this way the BMC acquires the second network information through the internal channel.
In some possible implementations, the BMC sends a second connection request to the processor through the network channel, where the destination address of the second connection request is the second network address and its destination port is the second port number, and the second connection request is used to request establishment of the second network connection. The BMC may then receive a second connection response sent by the processor through the network channel, where the second connection response responds to the second connection request so as to establish the second network connection.
In some possible implementations, the second network information further includes a second certificate public key, the second connection response includes a second certificate, the digital signature of the second certificate is produced with a second certificate private key, and the second certificate private key and the second certificate public key are a matched public-private key pair. Then, after the BMC receives the second connection response sent by the processor through the network channel, the BMC may verify the second certificate based on the second certificate public key, so as to verify the legitimacy of the processor.
In some possible implementations, the second certificate includes a second subject public key. After the BMC verifies the second certificate based on the second certificate public key, if the verification succeeds, the BMC obtains the second subject public key from the second certificate. The BMC may then generate a second communication key and encrypt it with the second subject public key to obtain an encrypted second communication key. The BMC then sends the encrypted second communication key to the processor through the network channel, so that the processor decrypts it with a second subject private key and recovers the second communication key, the second subject private key and the second subject public key being a matched public-private key pair. Finally, the BMC performs data transmission with the processor through the second network connection based on the second communication key.
In some possible implementations, the second network information further includes a second token. After the BMC establishes the second network connection with the processor on the network channel based on the second network information, the BMC sends a second access request through the second network connection, where the second access request carries the second token, so that the processor verifies the legitimacy of the BMC based on the second token.
In some possible implementations, the second network connection is an HTTPS-based connection, thereby enabling data transfer between the processor and the BMC.
In some possible implementations, the internal channel is an IPMI channel, so that the processor may obtain trusted network information from the BMC.
In some possible implementations, the second network address is a MAC address and/or an IP address, so that the processor can access the BMC through the network channel based on the second network address.
In some possible implementations, the network channel is a channel provided by a network device or a network.
A third aspect of the present application provides a server comprising a processor and a BMC, the processor being connected to the BMC such that the server performs the method of any of the first or second aspects above.
A fourth aspect of the present application provides a computer readable storage medium having instructions stored therein which, when run on a computer, cause the computer to perform the method of any one of the first or second aspects above.
A fifth aspect of the present application provides a computer program product comprising computer-executable instructions stored in a computer-readable storage medium; the at least one processor of the apparatus may read the computer-executable instructions from a computer-readable storage medium, the at least one processor executing the computer-executable instructions causing the apparatus to implement the method provided by any one of the possible implementations of the first or second aspects described above.
A sixth aspect of the present application provides a communication device that may include at least one processor, a memory, and a communication interface. At least one processor is coupled with the memory and the communication interface. The memory is for storing instructions, the at least one processor is for executing the instructions, and the communication interface is for communicating with other communication devices under control of the at least one processor. The instructions, when executed by at least one processor, cause the at least one processor to perform the method of any possible implementation of the first or second aspect.
A seventh aspect of the present application provides a chip system comprising a processor for supporting the functions involved in implementing any one of the possible implementations of the first or second aspect.
In one possible design, the chip system may further include memory to hold the necessary program instructions and data. The chip system can be composed of chips, and can also comprise chips and other discrete devices.
For the technical effects of the third to seventh aspects or any of their possible implementations, reference may be made to the technical effects of the different possible implementations of the first aspect or the second aspect, which are not described again here.
Drawings
Fig. 1 is a schematic diagram of the composition structure of a communication system according to an embodiment of the present application;
Fig. 2 is a schematic flow chart of an embodiment of a data transmission method according to an embodiment of the present application;
Fig. 3 is a schematic flow chart of an embodiment of a data transmission method according to an embodiment of the present application;
Fig. 4 is a schematic flow chart of a first part of a third embodiment of a data transmission method according to the embodiments of the present application;
Fig. 5 is a schematic flow chart of a second part of a third embodiment of a data transmission method according to the embodiments of the present application;
Fig. 6 is a schematic flow chart of a first part of a fourth embodiment of a data transmission method according to the embodiments of the present application;
Fig. 7 is a schematic flow chart of a second part of a fourth embodiment of a data transmission method according to the embodiments of the present application;
Fig. 8 is a schematic structural diagram of a communication device according to an embodiment of the present application.
Detailed Description
The embodiment of the application provides a data transmission method and related equipment, used to realize data transmission between the in-band and out-of-band sides of a server.
Embodiments of the present application are described below with reference to the accompanying drawings.
The terms first, second and the like in the description and in the claims of the present application and in the above-described figures, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the terms so used are interchangeable under appropriate circumstances and are merely illustrative of the manner in which the embodiments of the application described herein have been described for objects of the same nature. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of elements is not necessarily limited to those elements, but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Referring to fig. 1, the embodiment of the present application may be applied to a communication system 100, where the communication system 100 includes a server 110 and a network device 120.
Since the server 110 needs to respond to service requests, process services and provide reliable service, the server 110 should generally be able to bear and guarantee services, and therefore needs strong processing capability, high stability, high reliability, high security, expandability and manageability. The server may be a rack server, a cabinet server or a blade server, or it may be a general-purpose server, a GPU server, an AI server, a DPU server, etc.
The server 110 may vary considerably in configuration or performance and may include at least one central processing unit (Central Processing Unit, CPU) (e.g., at least one processor) and memory, and at least one storage medium (e.g., at least one mass storage device) storing application programs or data. The memory and storage medium may be transitory or persistent. The program stored on the storage medium may include at least one module, each of which may include a series of instruction operations on the server 110. Still further, the central processor may be arranged to communicate with the storage medium and to execute the series of instruction operations in the storage medium on the server 110. The server 110 may also include at least one power source, at least one wired or wireless network interface, at least one input/output interface, and/or at least one operating system, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, NetWare, etc. In some possible implementations, the server 110 may also be a cloud server, which is not limited herein.
In the embodiment of the present application, the server 110 has a BMC 111 and a processor 112 built therein. Wherein the BMC 111 may run out-of-band management software, such as an iBMC, for providing various interfaces for server 110 management. The processor 112 may run in-band management software, such as iBMA, for acquiring and providing information on portions of the system that are not directly available to the out-of-band management software to assist the out-of-band management software in managing the server 110.
The BMC 111 may run out-of-band management software on an advanced reduced instruction set machine (Advanced RISC Machine, ARM) chip to obtain out-of-band management information, which mainly includes device information management (recording the server model, manufacturer, date, generation of each component, technical information, etc.), server status monitoring management (detecting the health status of each server component, such as the temperature and voltage of the central processor, memory, hard disk, fan, chassis, etc.), remote control management (power on/off, restart, maintenance, firmware update, system installation, etc. of the server), maintenance management (log management, user management, alarm management, etc.), and so on.
The processor 112 may be a single-core processor or a multi-core processor. When the processor 112 is a multi-core processor, the methods provided herein may run on one core or may be distributed to run on different cores. The number of processors 112 may be one or plural, and the types of the plural processors may be the same or different. The type of processor is a central processing unit (central processing unit, CPU) or a microprocessor.
For example, in-band management information such as operating system information, the internet protocol (Internet Protocol, IP)/media access control (Media Access Control, MAC) addresses used by the ethernet card, the IP/MAC of the virtual network port, drive information of the board, etc., must be acquired by the in-band management software in the processor 112 and provided to the out-of-band management software in the BMC 111, so that the out-of-band management software can manage the server according to the in-band management information together with the out-of-band management information acquired by the BMC. Therefore, how to implement communication between the in-band management software and the out-of-band management software is critical.
To this end, in the embodiment of the present application, communication between the in-band management software and the out-of-band management software may be implemented through an intelligent platform management interface (Intelligent Platform Management Interface, IPMI) channel inside the server 110 and a network channel. The IPMI channel is an internal communication channel of the server, over which the in-band and out-of-band management software can communicate with mutual trust. The in-band management software sends messages to the out-of-band management software over the IPMI channel based on the IPMI protocol, and the messages are used to acquire or set information.
In addition, two lines may be connected between the server 110 and the network device 120, one for the in-band management software in the server 110 and the other for the out-of-band management software in the server 110. The in-band and out-of-band management software can then access each other through the network device 120, which may be used to access services based on HTTPS, SFTP and the like.
The network device 120 is used to connect to the server 110 so as to enable communication between the in-band and out-of-band management software in the server 110. The network device 120 understands different protocols, such as the ethernet protocol used by a local area network and the transmission control protocol/internet protocol (Transmission Control Protocol/Internet Protocol, TCP/IP) used by the internet, so that the network device 120 can analyze the destination addresses of messages from various types of networks, convert non-TCP/IP addresses to TCP/IP addresses or vice versa, and then forward each message to its destination address along the optimal transmission path according to the routing algorithm. Thus, when the network device 120 receives a data packet, it can read the destination address in the packet and forward the packet according to that destination address.
In some possible implementations, the server 110 may also connect two different network devices, where the two network devices may communicate through a direct connection, ethernet, or a public network, so that communication between in-band management software and out-of-band management software in the server 110 is implemented, which is not limited herein.
Therefore, the embodiment of the application provides a data transmission method and related equipment, used to realize data transmission between the in-band and out-of-band sides of a server.
Referring to fig. 2, a data transmission method provided in an embodiment of the present application is used for a server, where the server includes a processor and a BMC, and the method includes:
201. The processor acquires the first network information of the BMC through an internal channel of the server.
In some possible implementations, the processor may send a request message to the BMC through the internal channel, where the request message is used to request the first network information to be acquired. And then, the processor receives a response message sent by the BMC through the internal channel, wherein the response message comprises the first network information.
In some possible implementations, the internal channel is an intelligent platform management interface (Intelligent Platform Management Interface, IPMI) channel, so that the processor can obtain trusted network information from the BMC.
202. The processor establishes a first network connection with the BMC over a network channel based on the first network information.
In some possible implementations, the first network connection is a hypertext transfer protocol secure (Hypertext Transfer Protocol Secure, HTTPS) based connection, thereby enabling data transfer between the processor and the BMC.
In some possible implementations, the network channel is a channel provided by a network device or a network.
In some possible implementations, the first network information includes a first network address and a first port number. The processor first sends a first connection request to the BMC through the network channel, where the destination address of the first connection request is the first network address and its destination port is the first port number, and the first connection request is used to request establishment of the first network connection. The processor then receives a first connection response sent by the BMC through the network channel, where the first connection response responds to the first connection request so as to establish the first network connection.
In some possible implementations, the first network address is a media access control (Media Access Control, MAC) address and/or an internet protocol (Internet Protocol, IP) address, so that the processor can access the BMC over the network channel based on the first network address.
In some possible implementations, the first network information further includes a first certificate public key, the first connection response includes a first certificate, the digital signature of the first certificate is produced with a first certificate private key, and the first certificate private key and the first certificate public key are a matched public-private key pair. Then, after the processor receives the first connection response sent by the BMC through the network channel, the processor may verify the first certificate based on the first certificate public key, so as to verify the legitimacy of the BMC.
In some possible implementations, the first certificate includes a first subject public key. After the processor verifies the first certificate based on the first certificate public key, if the verification succeeds, the processor obtains the first subject public key from the first certificate. The processor may then generate a first communication key and encrypt it with the first subject public key to obtain an encrypted first communication key. The processor may send the encrypted first communication key to the BMC through the network channel, so that the BMC decrypts it with a first subject private key and recovers the first communication key, the first subject private key and the first subject public key being a matched public-private key pair. Finally, the processor and the BMC perform data transmission through the first network connection based on the first communication key.
203. The processor and the BMC perform data transmission through the first network connection.
In some possible implementations, the first network information further includes a first token, and then the processor may send a first access request over the first network connection, the first access request carrying the first token, such that the BMC verifies the legitimacy of the processor based on the first token.
In the application, the processor first acquires the first network information of the BMC through an internal channel of the server. The processor then establishes a first network connection with the BMC on a network channel based on the first network information, so that the processor and the BMC can perform data transmission through the first network connection, thereby enabling trusted transmission of large files without installing a driver.
Referring to fig. 3, a data transmission method provided in a second embodiment of the present application is used for a server, where the server includes a processor and a BMC, and the method includes:
301. The BMC acquires second network information of the processor through an internal channel.
In some possible implementations, the BMC may receive, through the internal channel, target information sent by the processor, where the target information is used to indicate the second network information.
In some possible implementations, the internal channel is an IPMI channel, so that the processor may obtain trusted network information from the BMC.
302. The BMC establishes a second network connection with the processor on a network channel based on the second network information.
In some possible implementations, the BMC may send a second connection request to the processor through the network channel, where a destination address of the second connection request is the second network address, a destination port is the second port number, and the second connection request is used to request to establish the second network connection. And then, the BMC receives a second connection response sent by the processor through the network channel, wherein the second connection response is used for responding to the second connection request so as to establish the second network connection.
In some possible implementations, the second network address includes a MAC address and/or an IP address, so that the processor can access the BMC through the network channel based on the second network address.
In some possible implementations, the network channel is a channel implemented by a network device or a network.
In some possible implementations, the second network information further includes a second certificate public key, the second connection response includes a second certificate, the digital signature of the second certificate is encrypted by a second certificate private key, and the second certificate private key and the second certificate public key are a matched public-private key pair. Then, after the BMC receives the second connection response sent by the processor through the network channel, the BMC may verify the second certificate based on the second certificate public key to verify the validity of the processor.
In some possible implementations, the second certificate includes a second subject public key. Then, after the BMC verifies the second certificate based on the second certificate public key, if the verification of the second certificate succeeds, the BMC obtains the second subject public key from the second certificate. The BMC then generates a second communication key and encrypts it with the second subject public key to obtain the encrypted second communication key. The BMC may then send the encrypted second communication key to the processor through the network channel, so that the processor decrypts it with a second subject private key and recovers the second communication key, where the second subject private key and the second subject public key are a matched public-private key pair. Finally, the BMC can perform data transmission with the processor through the second network connection based on the second communication key.
303. The BMC performs data transmission with the processor through the second network connection.
In some possible implementations, the second network connection is an https-based connection, thereby enabling data transfer between the processor and the BMC.
In some possible implementations, the second network information further includes a second token, and then, after the BMC establishes a second network connection with the processor over a network channel based on the second network information, the BMC sends a second access request over the second network connection, the second access request carrying the second token, so that the processor verifies the legitimacy of the BMC based on the second token.
In the application, the BMC first acquires the second network information of the processor through the internal channel, and establishes the second network connection with the processor on the network channel based on the second network information. The BMC can then perform data transmission with the processor through the second network connection, thereby ensuring the transmission of a large trusted file without a driver having to be installed.
Next, a data transmission method will be described by 2 embodiments, respectively, as the third embodiment and the fourth embodiment.
Wherein the third embodiment is divided into 2 parts, a first part and a second part, respectively. In the first part, in-band management software in a processor requests first network information from out-of-band management software in a BMC through an IPMI channel; in the second part, the in-band management software in the processor negotiates a first communication key with the out-of-band management software in the BMC based on the first network information through the network channel, and realizes data transmission between the in-band management software and the out-of-band management software, namely, data transmission between the processor and the BMC based on the first communication key. Wherein the first network information includes a first network address and a first port number.
The fourth embodiment is also divided into 2 parts, a first part and a second part. In the first part, the in-band management software in the processor writes second network information into the out-of-band management software in the BMC through the IPMI channel; in the second part, the out-of-band management software in the BMC negotiates a second communication key with the in-band management software in the processor through the network channel based on the second network information, and performs data transmission between the in-band management software in the processor and the out-of-band management software in the BMC based on the second communication key. The second network information includes a second network address and a second port number.
Referring to fig. 4, a second embodiment of the present application provides a first portion of a data transmission method, which mainly includes the following steps:
401. the processor sends a first request message to the BMC through the IPMI channel, wherein the first request message is used for requesting to acquire a first network address of the BMC.
In the embodiment of the application, the processor may query the BMC for information, and thus, the processor may request to obtain the first network address of the BMC by sending a first request message to the BMC.
In this embodiment of the present application, the first network address is the network address of the BMC. That is, when the BMC sends a message A through the network channel, the source network address of message A is the first network address; when the BMC receives a message B through the network channel, the destination network address of message B is the first network address.
In some possible implementations, the first network address may be an IP address and/or a MAC address, which is not limited herein. Illustratively, the first network address may be 192.168.1.5 (IP address). Also by way of example, the first network address may be 00-01-6C-06-A6-29 (MAC address).
For example, if the processor and the BMC implement data transmission through a network device, and the network device is a device in a local area network, the first network address may be a MAC address. In that case, after the network device receives message A sent by the sender (e.g., the processor), whose destination address is the first network address (a MAC address), the network device may determine the receiver (e.g., the BMC) based on the first network address and forward message A to the receiver.
For example, if the processor and the BMC implement data transmission through a public network or a private network, the first network address may be an IP address. In that case, after the network device receives message A sent by the sender (e.g., the processor), whose destination address is the first network address (an IP address), the network device may determine a next hop based on the first network address and forward message A to the next hop, so that message A is finally delivered to the receiver (e.g., the BMC).
It should be noted that, the IPMI channel is an internal communication channel of the server, and the processor and the BMC may perform mutual trust communication based on the IPMI channel. Then, when the processor sends the first request message to the BMC through the IPMI channel, the BMC does not need to verify the authenticity of the identity of the processor that sent the first request message, nor does it need to verify the authenticity of the first request message.
402. The BMC sends a first response message to the processor through the IPMI channel, wherein the first response message comprises the first network address.
In this embodiment of the present application, after the BMC receives the first request message, the BMC may determine the first network address based on the request content of the first request message, and send a first response message to the processor through the IPMI channel, where the first response message includes the first network address.
It should be noted that, if the first network address is a MAC address, the BMC may obtain the MAC address from a network card of the server. If the first network address is an IP address, the BMC may communicate with a dynamic host configuration protocol (DHCP) server, so that the BMC obtains a private network IP address (including a subnet mask) configured by the DHCP server.
It should be noted that, the IPMI channel is an internal communication channel of the server, and the processor and the BMC may perform mutual trust communication based on the IPMI channel. Then, when the BMC sends the first response message to the processor through the IPMI channel, the processor does not need to verify the authenticity of the identity of the BMC that sent the first response message, nor does it need to verify the authenticity of the first response message.
403. The processor sends a second request message to the BMC through the IPMI channel, where the second request message is used to request to acquire the first port number.
It should be noted that the first port number is used to indicate the corresponding service. For example, if the service is based on the https protocol, the first port number is 443. For another example, if the service is remote process execution, the first port number is 512.
In some possible implementations, one or more port numbers may be maintained in the BMC. In some possible implementations, the second request message may carry a name or identification of the particular service (e.g., https) so that the BMC may return a port number corresponding to the service based on the name or identification of the particular service (e.g., 443).
In some possible implementations, the second request message may also not carry a name or an identifier of the specific service, and the BMC may return the one or more port numbers based on the second request message, so that the processor may select one from the one or more port numbers based on the specific service that is required, which is not limited herein. For example, the one or more port numbers may be 512/513/514/515/516, and the specific services respectively indicated are: remote process execution (port number: 512), remote login (port number: 513), cmd command (port number: 514), spooler (port number: 515), visualization data (port number: 516). This is not limited herein.
It should be noted that, the IPMI channel is an internal communication channel of the server, and the processor and the BMC may perform mutual trust communication based on the IPMI channel. Then, when the processor sends the second request message to the BMC through the IPMI channel, the BMC does not need to verify the authenticity of the identity of the processor that sent the second request message, nor does it need to verify the authenticity of the second request message.
404. The BMC sends a second response message to the processor through the IPMI channel, the second response message including the first port number.
In this embodiment of the present application, after the BMC receives the second request message, the BMC may determine the first port number based on the request content of the second request message, and send a second response message to the processor through the IPMI channel, where the second response message includes the first port number.
In some possible implementations, after receiving the second request message, if the second request message carries a name or an identifier of a specific service, the BMC may determine a port number corresponding to the specific service and send the port number to the processor through a second response message.
In some possible implementations, if the second request message does not carry the name or the identifier of the specific service, the BMC may return a second response message to the processor, where the second response message includes the first port number, and the first port number may be one or more port numbers.
It should be noted that, the IPMI channel is an internal communication channel of the server, and the processor and the BMC may perform mutual trust communication based on the IPMI channel. Then, when the BMC sends the second response message to the processor through the IPMI channel (i.e., the second response message is a message based on the IPMI protocol), the processor does not need to verify the authenticity of the identity of the BMC that sent the second response message, nor does the processor need to verify the authenticity of the second response message.
405. The processor sends a third request message to the BMC through the IPMI channel, wherein the third request message is used for requesting to acquire the first token.
It should be noted that a token is information carried in a request message sent by a client when the client requests data from a server, and is used to verify the identity of the client. After receiving the request message, the server obtains the token from the request message and verifies the validity of the client based on the token.
In some possible implementations, the first token may be a string (including letters, numbers, words, and/or symbols) generated by the BMC as an identification of the processor. Illustratively, the first token may be 112233*ABC.
In some possible implementations, the first token may be random or a processor-related sequence. For example, the first token may be iBMA123. And are not limited herein.
In some possible implementations, the first token may also be a sequence related to the traffic requested by the BMC. Illustratively, the first token may be https123. And are not limited herein.
In some possible implementations, the first token may also include an account number and a password. For example, the account number in the first token may be 112233 and the password may be *ABC. This is not limited herein. For another example, the account number in the first token is iBMA123 and the password is abcd123.
In some possible implementations, after the BMC receives the third request message, a first token may be generated for the processor based on the third request message and assigned to the processor.
In some possible implementations, the BMC may also generate the first token in advance, and after the BMC receives the third request message, the first token may be allocated to the processor based on the third request message.
It should be noted that, the IPMI channel is an internal communication channel of the server, and the processor and the BMC may perform mutual trust communication based on the IPMI channel. Then, when the processor sends the third request message to the BMC through the IPMI channel, the BMC does not need to verify the authenticity of the identity of the processor that sent the third request message, nor does the BMC need to verify the authenticity of the third request message.
406. And the BMC sends a third response message to the processor through the IPMI channel, wherein the third response message carries the first token.
In this embodiment of the present application, after the BMC receives the third request message, the first token may be determined based on the request content of the third request message, and a third response message may be sent to the processor through the IPMI channel, where the third response message includes the first token.
In some possible implementations, after receiving the third request message, if the third request message carries a name or an identifier of a specific service, the BMC may generate a first token corresponding to the specific service and send the first token to the processor through a third response message.
It should be noted that, the IPMI channel is an internal communication channel of the server, and the processor and the BMC may perform mutual trust communication based on the IPMI channel. Then, when the BMC sends the third response message to the processor through the IPMI channel, the processor does not need to verify the authenticity of the identity of the BMC that sent the third response message, nor does it need to verify the authenticity of the third response message.
407. The processor sends a fourth request message to the BMC through the IPMI channel, where the fourth request message is used to request to obtain the first certificate public key.
It should be noted that the first certificate public key and the first certificate private key are a matched public-private key pair. The first certificate private key is used to encrypt first related data (for example, the first subject public key, the subject name, and the like, where the subject is the BMC) to obtain a first digital signature; that is, the first certificate includes the first related data and the first digital signature. The first certificate public key is used to verify the first digital signature, and if the verification passes, the authenticity of the first related data can be determined, that is, the authenticity of information such as the first subject public key and the subject name is verified.
It should be noted that, the IPMI channel is an internal communication channel of the server, and the processor and the BMC may perform mutual trust communication based on the IPMI channel. Then, when the processor sends the fourth request message to the BMC through the IPMI channel, the BMC does not need to verify the authenticity of the identity of the processor that sent the fourth request message, nor does it need to verify the authenticity of the fourth request message.
408. The BMC sends a fourth response message to the processor through the IPMI channel, wherein the fourth response message carries the first certificate public key.
The BMC may apply to a CA for a certificate. Illustratively, the BMC may send a request message to the CA carrying information such as the BMC's name/identifier and the first subject public key, and the CA may then generate a matching first certificate private key and first certificate public key. The CA then encrypts the information such as the BMC's name/identifier and the first subject public key with the first certificate private key to obtain a first digital signature, thereby obtaining the first certificate, which includes the BMC's name/identifier, the first subject public key and the like, together with the first digital signature. The CA returns the first certificate and the first certificate public key to the BMC.
The first subject public key and the first subject private key are a matched public-private key pair generated by the BMC. The first subject public key is used to encrypt the first communication key to obtain the encrypted first communication key, the first subject private key is used to decrypt the encrypted first communication key and restore it to the first communication key, and the first communication key is used to encrypt service data.
In some possible implementations, after the BMC receives the fourth request message, the BMC may request the first certificate and the first certificate public key from the CA, and then return the first certificate public key to the processor through the IPMI channel.
In some possible implementations, the BMC may also request the first certificate and the first certificate public key from the CA in advance. Then, after the BMC receives the fourth request message, the BMC may return the first certificate public key to the processor through the IPMI channel, where the first certificate public key is carried in the fourth response message.
In some possible implementations, the processor may also be pre-configured with the first certificate public key, which is not limited herein.
In some possible implementations, the BMC may also generate the certificate itself. For example, the BMC may generate a matched first certificate public key and first certificate private key, and encrypt information such as the BMC's name/identifier and the first subject public key with the first certificate private key to obtain a first digital signature, thereby obtaining the first certificate, which includes the BMC's name/identifier, the first subject public key and the like, together with the first digital signature.
It should be noted that, the IPMI channel is an internal communication channel of the server, and the processor and the BMC may perform mutual trust communication based on the IPMI channel. Then, when the BMC sends the fourth response message to the processor through the IPMI channel, the processor does not need to verify the authenticity of the identity of the BMC that sent the fourth response message, nor does it need to verify the authenticity of the fourth response message.
Steps 401-408 above describe that the processor may send four request messages (the first, second, third and fourth request messages) to the BMC to obtain the first network address of the BMC, the first port number of the specific service, the first token of the processor and the first certificate public key, respectively, from the out-of-band management software.
In some possible implementations, the processor may also send only one request message to the BMC requesting to obtain the first network address, the first port number, the first token, and/or the first certificate public key. Then, after receiving a request message, the BMC may return a response message to the processor, where the response message includes the first network address, the first port number, the first token, and/or the first certificate public key. And are not limited herein.
In some possible implementations, the processor may also send only 2 request messages to the BMC, where one request message is for requesting to obtain the first network address and/or the first port number, and another request message is for requesting to obtain the first token and/or the first certificate public key. Then, after receiving the 2 request messages, the BMC may respectively return different 2 response messages to the processor, where one response message includes the first network address and/or the first port number, and the other response message includes the first token and/or the first certificate public key. And are not limited herein.
In some possible implementations, the processor may also send 3 or more request messages to the BMC requesting to obtain the first network address, the first port number, the first token, and/or the first certificate public key. Then, the BMC may also return 3 or more response messages to the processor to return the first network address, the first port number, the first token, and/or the first certificate public key, respectively. And are not limited herein.
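The in-band query of steps 401-408, together with the single-request variant just described, as an added example that is not the patent's or the product's own code. It simulates the IPMI request/response exchange in process: the BMC answers address, port, token and certificate-public-key requests, and (as the text notes for the IPMI channel) performs no identity check on the requester. All names, message field names and sample values (the 192.168.1.5 / 00-01-6C-06-A6-29 addresses and the port table are taken from the text; the certificate public key is an opaque placeholder) are assumptions of this example.

```python
import secrets

# Constructed sample values for one server; the BMC's addresses and its
# service/port table follow the examples in the text above.
BMC_IP = "192.168.1.5"
BMC_MAC = "00-01-6C-06-A6-29"
SERVICE_PORTS = {"https": 443, "exec": 512, "login": 513,
                 "shell": 514, "spooler": 515, "visual": 516}


class OutOfBandBmc:
    """Out-of-band management side: answers request messages on the IPMI channel."""

    def __init__(self):
        self.token_list = []   # tokens issued to in-band agents, checked later in step 509
        self.cert_public_key = b"placeholder-first-certificate-public-key"  # constructed

    def handle_ipmi_request(self, request):
        # The IPMI channel is the server-internal trusted channel, so the BMC
        # answers without verifying the identity of the sender (steps 401-408).
        kind = request["request"]
        if kind == "network_address":
            return {"ip": BMC_IP, "mac": BMC_MAC}
        if kind == "port_number":
            service = request.get("service")
            if service is None:                       # no service named: return all ports
                return {"ports": dict(SERVICE_PORTS)}
            return {"port": SERVICE_PORTS[service]}   # service named: return its port
        if kind == "token":
            token = secrets.token_hex(8)              # fresh token generated per request
            self.token_list.append(token)             # kept in the local token list
            return {"token": token}
        if kind == "cert_public_key":
            return {"cert_public_key": self.cert_public_key}
        if kind == "network_info":                    # one combined request for everything
            merged = {}
            for sub in ("network_address", "port_number", "token", "cert_public_key"):
                merged.update(self.handle_ipmi_request(
                    {"request": sub, "service": request.get("service")}))
            return merged
        raise ValueError("unknown IPMI request: %r" % kind)


def collect_first_network_info(bmc, service="https", single_request=False):
    """In-band side: gather the first network information in four requests or one."""
    if single_request:
        r = bmc.handle_ipmi_request({"request": "network_info", "service": service})
        return {"address": r["ip"], "port": r["port"],
                "token": r["token"], "cert_public_key": r["cert_public_key"]}
    addr = bmc.handle_ipmi_request({"request": "network_address"})
    ports = bmc.handle_ipmi_request({"request": "port_number"})  # no service: port list
    port = ports["ports"][service]                                # processor picks one
    tok = bmc.handle_ipmi_request({"request": "token"})
    cpk = bmc.handle_ipmi_request({"request": "cert_public_key"})
    return {"address": addr["ip"], "port": port,
            "token": tok["token"], "cert_public_key": cpk["cert_public_key"]}
```

Both collection paths return the same four-field record that the second part of the method consumes; the only state the BMC keeps is the token list, which is what makes the later token check in step 509 possible.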
Referring to fig. 5, a second part of a data transmission method according to a second embodiment of the present application mainly includes the following steps:
501. the processor sends a first connection request to the BMC through a network channel, wherein the destination address of the first connection request is a first network address, and the destination port is a first port number.
In the embodiment of the present application, the first connection request is taken as an example to request to implement the connection between the processor and the BMC based on https protocol.
It should be noted that, the network channel is a communication channel implemented through the network device, and the processor and the BMC may communicate based on the network channel, but the processor and the BMC need to mutually verify legitimacy. Then, when the processor sends the first connection request to the BMC through the network channel, the BMC needs to verify the authenticity of the identity of the processor that sent the first connection request, and also needs to verify the authenticity of the first connection request.
For this purpose, the destination IP address of the first connection request is a first network address and the destination port is a first port number, and the network device may send the first connection request to the BMC based on the first network address and the first port number.
In some possible implementations, the network channel may be implemented by a network device in a local area network, may be implemented by an ethernet network, or may be implemented by a public network, which is not limited herein. Then, when the network communication is implemented by a network device within the local area network, the first network address may be a MAC address. When the network communication is implemented through a local area network, ethernet or public network device, the first network address may be an IP address.
Illustratively, the first connection request has a port number 443 and the first network address may be an IP address (e.g., 192.168.1.5).
502. The BMC sends a first connection response to the processor through the network channel, the first connection response being for responding to the first connection request to establish the first network connection.
In this embodiment of the present application, after the BMC receives the first connection request, the BMC may generate a corresponding first connection response based on the first connection request, where the first connection response is used to respond to the first connection request to establish the first network connection. The first connection response comprises a first certificate, a first digital signature of the first certificate is encrypted by a first certificate private key, the first certificate private key and the first certificate public key are matched public-private key pairs, and the first certificate carries a first main body public key of the BMC.
503. The processor verifies the first certificate based on the first certificate public key.
In an embodiment of the present application, after the processor receives the first connection response, the first digital signature of the first certificate may be verified with the first certificate public key obtained in steps 201-208 to verify the authenticity of the first certificate. If the verification of the first digital signature passes, the authenticity of the first certificate is verified, i.e. the validity of the BMC is verified, and step 504 is executed; if the verification of the first digital signature does not pass, the authenticity of the first certificate is not verified, i.e. the validity of the BMC is not verified and verification fails, and the processor may discard the first connection response or return an error prompt to the BMC.
504. The processor obtains a first subject public key from the first certificate.
In some possible implementations, when the processor successfully verifies the first certificate in the first connection response, the processor may obtain the first subject public key from the first certificate. It should be noted that the first subject public key and the first subject private key are a public-private key pair generated by the BMC, where the first subject public key is used to encrypt the first communication key to obtain the encrypted first communication key, and the first subject private key is held by the BMC and used to decrypt the encrypted first communication key to restore the first communication key.
505. The processor encrypts the first communication key through the first subject public key to obtain an encrypted first communication key.
In some possible implementations, the first communication key may be a generated random string, a preset string, or another type of string, which is not limited herein. In some possible implementations, the first communication key may be a string of English letters (upper- or lower-case), Latin letters (upper- or lower-case), symbols, numbers, etc., without limitation. In embodiments of the present application, the first communication key may be used to encrypt service data.
In the embodiment of the present application, in order to ensure confidentiality of the first communication key, the first communication key needs to be encrypted with the first subject public key, so as to obtain the encrypted first communication key. It should be noted that the encrypted first communication key can only be decrypted with the first subject private key, and thereby restored to the first communication key.
In some possible implementations, the first communication key may be a first symmetric key, so that the BMC may encrypt the first service data with the first symmetric key, obtain encrypted first service data, and send the encrypted first service data to the processor. The processor may decrypt the encrypted first service data by using the first symmetric key, and restore the encrypted first service data to the first service data.
In some possible implementations, the first communication key may be a second subject public key, wherein the second subject public key and the second subject private key are a matched public-private key pair, the second subject public key and the second subject private key are generated by the processor, and the second subject private key is held by the processor. Then, the BMC may encrypt the service data by the second body public key, obtain encrypted service data, and send the encrypted service data to the processor. The processor may decrypt the encrypted service data by the second subject private key to restore the service data.
506. The processor sends the encrypted first communication key to the BMC over a first network connection.
In this embodiment of the present application, the processor may send the encrypted first communication key to the BMC through the first network connection. By encrypting the first communication key, an encrypted first communication key is obtained, and even if a third party intercepts the encrypted first communication key, the encrypted first communication key cannot be decrypted because the third party does not have the first main body private key, namely cannot be restored to the first communication key, so that confidentiality of the first communication key is ensured.
507. The BMC decrypts the encrypted first communication key with the first subject private key to obtain the first communication key, where the first subject private key and the first subject public key are a matched public-private key pair.
In this embodiment of the present application, after the BMC receives the encrypted first communication key, because the BMC holds the first subject private key, the BMC may decrypt the encrypted first communication key based on the first subject private key and restore it to the first communication key.
508. The processor sends a first access request to the BMC over a first network connection, the first access request carrying a first token.
In some possible implementations, to verify the validity of the processor, when the processor accesses the BMC for the first time, the processor may generate a first access address (for example, an https address) from the first network address, the first port number, and the first request address (i.e., the file address of the accessed content), and encapsulate the application-layer content under the first access address, where the resulting data packet is the first access request and the header of the first access request is filled with the first token. It should be noted that the first token is used for letting the BMC verify the validity of the processor. Illustratively, the first token may be 112233*ABC.
In some possible implementations, if the first communication key is a first symmetric key, the first access request is encrypted by the first communication key; if the first communication key is the second subject public key, the first access request is encrypted by the first subject public key.
509. The BMC verifies the first token.
In some possible implementations, after the BMC generates the first token, the first token is stored in a local token list. After the BMC receives the first access request, if the first communication key is a first symmetric key, the BMC decrypts the first access request through the first symmetric key; if the first communication key is the second subject public key, the BMC decrypts the first access request through the first subject private key. Then, the BMC may obtain the first token from the header of the first access request, and compare the first token with each token in the locally stored token list. If the token list comprises the first token, the BMC determines that the validity verification of the processor is successful; if the token list does not include the first token, the BMC determines that the validation of the processor failed.
510. The BMC sends a first check result of the first token to the processor through the first network connection.
In some possible implementations, if the BMC fails to verify the first token, that is, the validity verification of the processor fails, the BMC may send a first check result of the first token to the processor, where the first check result indicates that the identity of the processor failed verification. If the BMC verifies the first token successfully, that is, the validity verification of the processor succeeds, the BMC may send a first check result of the first token to the processor, where the first check result indicates that the identity of the processor was verified successfully.
In some possible implementations, if the first communication key is a first symmetric key, the first check result is encrypted with the first symmetric key; if the first communication key is the second subject public key, the first check result is encrypted with the second subject public key, so that only the processor, which holds the second subject private key, can read it.
511. The BMC and the processor conduct data transmission through the first network connection.
Illustratively, the BMC sends the first service data to the processor over the first network connection by steps S11-S13.
S11, the BMC encrypts the service data through the first communication key to obtain encrypted service data.
S12, the BMC sends the encrypted service data to the processor through the first network connection.
S13, the processor decrypts the encrypted service data through the first communication key to obtain the service data.
Then, even if a third party intercepts the encrypted service data, it cannot decrypt the encrypted service data for lack of the first communication key, and so cannot recover the service data; the security of the service data is thereby ensured.
In some possible implementations, if the first communication key is a first symmetric key, the processor may encrypt the service data with the first symmetric key to obtain encrypted service data and transmit the encrypted service data to the BMC. The BMC may then decrypt the encrypted service data with the first symmetric key and recover the service data.
In some possible implementations, if the first communication key is the second subject public key, the processor may encrypt the service data with the first subject public key to obtain encrypted service data and transmit the encrypted service data to the BMC. The BMC may then decrypt the encrypted service data with the first subject private key and recover the service data.
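Steps 506 to 510 above, worked through as an added example that is not part of the original application: the processor transports a first symmetric key to the BMC under the first subject public key, places the first token in a header of the first access request, and the BMC decrypts the request and compares the token with its locally stored token list. RSA-OAEP for the key transport and AES-256-GCM as the cipher for the first communication key are assumptions, since the text fixes neither; the token value, the request address and the header name `X-Token` are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// aeadFor, seal and open stand in for "encrypt with the first communication key" (AES-256-GCM assumed, nonce prefixed).
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, ciphertext []byte) ([]byte, error) {
	gcm, err := aeadFor(key)
	if err != nil || len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("bad key or truncated ciphertext")
	}
	return gcm.Open(nil, ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():], nil)
}

// Step 509, BMC side: decrypt with the first symmetric key, read the token from the header and compare it
// with every entry of the token list in constant time. A request that does not decrypt fails like an unknown token.
func VerifyAccessRequest(commKey []byte, tokenList [][]byte, encReq []byte) bool {
	req, err := open(commKey, encReq)
	if err != nil {
		return false
	}
	var token []byte
	for _, line := range bytes.Split(req, []byte("\r\n")) {
		if bytes.HasPrefix(line, []byte("X-Token: ")) {
			token = line[len("X-Token: "):]
		}
	}
	match := 0
	for _, t := range tokenList {
		match |= subtle.ConstantTimeCompare(t, token)
	}
	return match == 1
}

// RunExchange plays steps 506-510 between one processor and one BMC and returns the first check result.
// With tamper set, one byte of the first access request is flipped in transit.
func RunExchange(tamper bool) (bool, error) {
	bmcKey, err := rsa.GenerateKey(rand.Reader, 2048) // first subject key pair; the BMC keeps the private half
	if err != nil {
		return false, err
	}
	token := []byte("112233ABC") // constructed; the BMC issued it earlier and keeps it in its token list
	commKey := make([]byte, 32)  // step 506: first symmetric key, sent under the first subject public key
	if _, err := rand.Read(commKey); err != nil {
		return false, err
	}
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &bmcKey.PublicKey, commKey, nil)
	if err != nil {
		return false, err
	}
	bmcCommKey, err := rsa.DecryptOAEP(sha256.New(), nil, bmcKey, encKey, nil) // step 507, BMC side
	if err != nil {
		return false, err
	}
	// step 508: the first token fills a header of the first access request, which is then encrypted
	encReq, err := seal(commKey, []byte("GET /files/trusted-image.bin\r\nX-Token: "+string(token)+"\r\n\r\n"))
	if err != nil {
		return false, err
	}
	if tamper {
		encReq[len(encReq)-1] ^= 0x01 // one flipped byte in transit
	}
	return VerifyAccessRequest(bmcCommKey, [][]byte{token}, encReq), nil // steps 509-510
}

func main() {
	ok, err := RunExchange(false)
	fmt.Println("genuine request accepted:", ok, err)
	ok, err = RunExchange(true)
	fmt.Println("tampered request accepted:", ok, err)
}
```

Because the assumed cipher authenticates its ciphertext, a request altered in transit fails step 509 exactly as an unknown token does, and the comparison against the token list runs in constant time so that a rejected request reveals nothing about the tokens the BMC stores.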
Referring to fig. 6, a first part of a data transmission method according to a third embodiment of the present application mainly includes the following steps:
601. The processor sends first information to the BMC through the IPMI channel, wherein the first information is used for indicating a second network address of the processor.
In the embodiment of the application, the processor may write information into the BMC, so by sending the first information to the BMC the processor has the BMC record the second network address of the processor.
It should be noted that, if the second network address is a MAC address, the processor may obtain the MAC address from a network card of the server. If the second network address is an IP address, the processor may communicate with a dynamic host configuration protocol (dynamic host configuration protocol, DHCP) server such that the processor obtains a private network IP address (including a subnet mask) configured by the DHCP server.
In this embodiment of the present application, the second network address is a network address of the processor. That is, when the processor sends an a message through the network channel, the source network address of the a message is the second network address; when the processor receives a B message through the network channel, the destination network address of the B message is the second network address.
In some possible implementations, the second network address may be an IP address and/or a MAC address, which is not limited herein. Illustratively, the second network address may be 192.168.1.6 (IP address). Also by way of example, the second network address may be 00-01-6C-06-A6-28 (MAC address).
For example, if the BMC and the processor implement data transmission through a network device, and the network device is a device in the LAN, the second network address may be a MAC address. After the network device receives message A sent by the sender (e.g., the BMC), whose destination address is the second network address, here a MAC address, the network device may determine the receiver (e.g., the processor) from the second network address and forward message A to the receiver.
For example, if the BMC and the processor implement data transmission through a public network or a private network, the second network address may be an IP address. After the network device receives message A sent by the sender (e.g., the BMC), whose destination address is the second network address, here an IP address, the network device may determine the next hop from the second network address and forward message A to the next hop, so that message A finally reaches the receiver (e.g., the processor).
It should be noted that, the IPMI channel is an internal communication channel of the server, and the BMC and the processor may perform mutual trust communication based on the IPMI channel. Then, when the processor sends the first information to the BMC through the IPMI channel, the BMC does not need to verify the authenticity of the identity of the processor that sent the first information, nor does it need to verify the authenticity of the first information.
602. The BMC sends a first confirmation message to the processor through the IPMI channel.
In this embodiment of the present application, after the BMC receives the first information, the BMC may send a first acknowledgement message to the processor through the IPMI channel. The first acknowledgement message may be ACK information, for example.
It should be noted that, the IPMI channel is an internal communication channel of the server, and the BMC and the processor may perform mutual trust communication based on the IPMI channel. Then, when the BMC sends the first confirmation message to the processor through the IPMI channel, the processor does not need to verify the authenticity of the identity of the BMC that sent the first confirmation message, nor does it need to verify the authenticity of the first confirmation message.
603. The processor sends second information to the BMC through the IPMI channel, the second information indicating the second port number.
It should be noted that the second port number indicates the corresponding service. For example, if the service is https-based, the second port number is 443. For another example, if the service is remote process execution, the second port number is 512.
In some possible implementations, one or more port numbers may be maintained in the processor. In some possible implementations, the processor may determine a port number (e.g., 443) corresponding to the particular service based on the name or identification of the service, carried in the second information.
In some possible implementations, the processor may carry one or more port numbers in the second information, so that the BMC may select one of them according to the specific service required, which is not limited herein. For example, the one or more port numbers may be 512/513/514/515/516, respectively indicating the services: remote process execution (port number: 512), remote login (port number: 513), cmd command (port number: 514), printer spooler (port number: 515), visualization data (port number: 516). This is not limited herein.
It should be noted that, the IPMI channel is an internal communication channel of the server, and the BMC and the processor may perform mutual trust communication based on the IPMI channel. Then, when the processor sends the second information to the BMC through the IPMI channel, the BMC does not need to verify the authenticity of the identity of the processor that sent the second information, nor does the BMC need to verify the authenticity of the second information.
604. The BMC sends a second confirmation message to the processor through the IPMI channel.
In this embodiment of the present application, after the BMC receives the second information, the second acknowledgement message may be sent to the processor through the IPMI channel. The second acknowledgement message may be ACK information, for example.
It should be noted that, the IPMI channel is an internal communication channel of the server, and the BMC and the processor may perform mutual trust communication based on the IPMI channel. Then, when the BMC sends the second confirmation message to the processor through the IPMI channel, the processor does not need to verify the authenticity of the identity of the BMC that sent the second confirmation message, nor does it need to verify the authenticity of the second confirmation message.
605. The processor sends third information to the BMC via the IPMI channel, the third information indicating the second token.
It should be noted that a token is information carried in the request message that a client sends when it requests data from a server, and is used to verify the identity of the client. After receiving the request message, the server obtains the token from it and verifies the validity of the client on the basis of the token.
In some possible implementations, the second token may be a string (including letters, numbers, words, and/or symbols) generated by the processor as an identifier for the BMC. Illustratively, the second token may be 112233 ABD.
In some possible implementations, the second token may be random, or a sequence related to the BMC. For example, the second token may be iBMA124. This is not limited herein.
In some possible implementations, the second token may also be a sequence related to the service requested by the processor. Illustratively, the second token may be https124. And are not limited herein.
In some possible implementations, the second token may also include an account number and a password. For example, the account number in the second token may be 112234 and the password may be * ABD. For another example, the account number in the second token is iBMA124 and the password is abcd124. This is not limited herein.
In some possible implementations, the processor generates the second token in advance and carries it in the third information; after the BMC receives the third information, the BMC may obtain from it the second token that the processor allocated to the BMC.
It should be noted that, the IPMI channel is an internal communication channel of the server, and the BMC and the processor may perform mutual trust communication based on the IPMI channel. Then, when the processor sends the third information to the BMC through the IPMI channel, the BMC does not need to verify the authenticity of the identity of the processor that sent the third information, nor does the BMC need to verify the authenticity of the third information.
606. The BMC sends a third acknowledgement message to the processor over the IPMI channel.
In this embodiment of the present application, after the BMC receives the third information, the third acknowledgement message may be sent to the processor through the IPMI channel. The third acknowledgement message may be ACK information, for example.
It should be noted that, the IPMI channel is an internal communication channel of the server, and the BMC and the processor may perform mutual trust communication based on the IPMI channel. Then, when the BMC sends the third confirmation message to the processor through the IPMI channel, the processor does not need to verify the authenticity of the identity of the BMC that sent the third confirmation message, nor does it need to verify the authenticity of the third confirmation message.
607. The processor sends fourth information to the BMC through the IPMI channel, the fourth information indicating the second certificate public key.
It should be noted that the second certificate public key and the second certificate private key are a matched public-private key pair. The second certificate private key is used to sign second related data (for example, the second subject public key, the subject name, and the like, where the subject is the processor) to obtain a second digital signature, which this application describes as encrypting the second related data with the private key; the second certificate thus comprises the second related data and the second digital signature. The second certificate public key is used to verify the second digital signature. If the verification passes, the authenticity of the second related data is established, that is, the authenticity of the second subject public key, the subject name and the like is verified.
It should be noted that, the IPMI channel is an internal communication channel of the server, and the BMC and the processor may perform mutual trust communication based on the IPMI channel. Then, when the processor sends the fourth information to the BMC through the IPMI channel, the BMC does not need to verify the authenticity of the identity of the processor that sent the fourth information, nor does it need to verify the authenticity of the fourth information.
The processor may apply to a CA authority for the certificate. For example, the processor may send a request message carrying the name/identifier of the processor, the second subject public key and the like to the CA authority, and the CA authority may then generate the matched second certificate private key and second certificate public key. The CA authority then signs the name/identifier of the processor, the second subject public key and the like with the second certificate private key (in the terminology of this application, encrypts them with it) to obtain the second digital signature, and so obtains the second certificate, which comprises the name/identifier of the processor, the second subject public key and the like together with the second digital signature. The CA authority returns the second certificate and the second certificate public key to the processor.
The second subject public key and the second subject private key are a matched public-private key pair generated by the processor. The second subject public key is used to encrypt the second communication key to obtain the encrypted second communication key, the second subject private key is used to decrypt the encrypted second communication key and recover the second communication key, and the second communication key is used to encrypt service data.
In some possible implementations, if the processor has requested the second certificate and the second certificate public key from the CA authority in advance, it may send the second certificate public key to the BMC through the IPMI channel. After the BMC receives the fourth information, the BMC may obtain the second certificate public key from the fourth information.
In some possible implementations, the BMC may also be pre-configured with the second certificate public key, which is not limited herein.
In some possible implementations, the processor may also generate the certificate itself. For example, the processor may generate a matched second certificate public key and second certificate private key, and sign the name/identifier of the processor, the second subject public key and the like with the second certificate private key to obtain the second digital signature, thereby obtaining the second certificate, which comprises the name/identifier of the processor, the second subject public key and the like together with the second digital signature.
608. The BMC sends a fourth acknowledgement message to the processor via the IPMI channel.
In this embodiment of the present application, after the BMC receives the fourth information, the fourth acknowledgement message may be sent to the processor through the IPMI channel. The fourth acknowledgement message may be ACK information, for example.
It should be noted that, the IPMI channel is an internal communication channel of the server, and the BMC and the processor may perform mutual trust communication based on the IPMI channel. Then, when the BMC sends the fourth confirmation message to the processor through the IPMI channel, the processor does not need to verify the authenticity of the identity of the BMC that sent the fourth confirmation message, nor does it need to verify the authenticity of the fourth confirmation message.
The above description of steps 601-608 describes that the processor may send four messages (first, second, third, fourth, respectively) to the BMC to write the second network address of the processor, the second port number of the specific service, the second token of the processor, and the second certificate public key, respectively, in the BMC.
In some possible implementations, the processor may also send only one message to the BMC indicating the second network address, the second port number, the second token, and/or the second certificate public key. Then, after the BMC receives the information, the second network address, the second port number, the second token, and/or the second certificate public key may be obtained from the information. And are not limited herein.
In some possible implementations, the processor may also send only 2 messages to the BMC, one message indicating the second network address and/or the second port number, and another message indicating the second token and/or the second certificate public key. Then, after the BMC receives the 2 messages, the second network address and/or the second port number may be obtained from one message, and the second token and/or the second certificate public key from the other. This is not limited herein.
In some possible implementations, the processor may also send 3 or more messages to the BMC indicating the second network address, the second port number, the second token, and/or the second certificate public key. Then, after the BMC receives the 3 or more messages, the second network address, the second port number, the second token, and/or the second certificate public key may be obtained from them. This is not limited herein.
Referring to fig. 7, a second portion of a data transmission method according to a third embodiment of the present application mainly includes the following steps:
701. The BMC sends a second connection request to the processor through the network channel, wherein the destination address of the second connection request is the second network address, and the destination port is the second port number.
In the embodiment of the present application, the second connection request is taken as an example to request to implement the connection between the processor and the BMC based on https protocol.
It should be noted that, the network channel is a communication channel implemented through the network device, and communication between the BMC and the processor may be performed based on the network channel, but legitimacy needs to be verified between the BMC and the processor. Then, when the BMC sends the second connection request to the processor through the network channel, the processor needs to verify the authenticity of the identity of the BMC that sent the second connection request, and also needs to verify the authenticity of the second connection request.
Accordingly, the destination IP address of the second connection request is the second network address and the destination port is the second port number, and the network device may deliver the second connection request to the processor on the basis of the second network address and the second port number.
In some possible implementations, the network channel may be implemented by a network device in a local area network, by an Ethernet network, or by a public network, which is not limited herein. When the network communication is implemented by a network device within the local area network, the second network address may be a MAC address; when the network communication is implemented through a local area network, Ethernet or public network device that routes on IP, the second network address may be an IP address.
Illustratively, the port number of the second connection request is 443 and the second network address may be an IP address (e.g., 192.168.1.5).
702. The processor sends a second connection response to the BMC over the network channel, the second connection response being for responding to the second connection request to establish a second network connection.
In an embodiment of the present application, after the processor receives the second connection request, the processor may generate a corresponding second connection response on the basis of the second connection request, where the second connection response is used to respond to the second connection request so as to establish the second network connection. The second connection response comprises the second certificate, whose second digital signature was produced with the second certificate private key; the second certificate private key and the second certificate public key are a matched public-private key pair, and the second certificate carries the second subject public key of the processor.
703. The BMC verifies the second certificate based on the second certificate public key.
In the embodiment of the present application, after the BMC receives the second connection response, the BMC may verify the second digital signature of the second certificate with the second certificate public key obtained in steps 601-608, so as to verify the authenticity of the second certificate. If the second digital signature passes the verification, the authenticity of the second certificate is established, that is, the validity of the processor is verified, and step 704 is performed. If the second digital signature does not pass the verification, the authenticity of the second certificate is not established, that is, the validity of the processor is not verified and the verification fails; the BMC may then discard the second connection response, or return an error prompt to the processor.
704. The BMC obtains a second subject public key from the second certificate.
In some possible implementations, when the BMC verifies the second certificate in the second connection response successfully, the BMC may obtain the second subject public key from the second certificate. It should be noted that the second subject public key and the second subject private key are a public-private key pair generated by the processor; the second subject public key is used to encrypt the second communication key to obtain the encrypted second communication key, and the second subject private key is held by the processor and used to decrypt the encrypted second communication key and recover the second communication key.
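Steps 607 and 702 to 704, worked through as an added example that is not code from the application: the processor builds the second certificate with a second certificate key pair that is distinct from its second subject key pair (the self-generated case described under step 607), and the BMC checks the second digital signature with the second certificate public key it received over the IPMI channel before taking the second subject public key out of the certificate. ECDSA P-256 for the certificate key, RSA-2048 for the subject key, the subject name `processor`, the serial number and the validity window are assumptions; the text specifies none of them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// IssueCertificate builds the second certificate as in the self-generated case of step 607: the second
// certificate private key (certPriv) signs the processor's name and the second subject public key (subjectPub).
func IssueCertificate(certPriv *ecdsa.PrivateKey, subjectPub *rsa.PublicKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // constructed value
		Subject:      pkix.Name{CommonName: "processor"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageKeyEncipherment,
	}
	// tmpl is its own parent; its PublicKey field is unset, so the signing key need not match the embedded key.
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, subjectPub, certPriv)
}

// VerifyCertificate is steps 703-704 on the BMC. The second digital signature is checked with the second
// certificate public key received in step 607, not with the key found inside the certificate: anyone can
// mint a certificate whose embedded key matches its own signer. On success the second subject public key is returned.
func VerifyCertificate(der []byte, certPub *ecdsa.PublicKey) (*rsa.PublicKey, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	if cert.SignatureAlgorithm != x509.ECDSAWithSHA256 {
		return nil, fmt.Errorf("unexpected signature algorithm %v", cert.SignatureAlgorithm)
	}
	digest := sha256.Sum256(cert.RawTBSCertificate) // the signed "second related data"
	if !ecdsa.VerifyASN1(certPub, digest[:], cert.Signature) {
		return nil, errors.New("second digital signature does not verify: discard the second connection response")
	}
	now := time.Now()
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, errors.New("certificate outside its validity period")
	}
	subjectPub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA second subject public key")
	}
	return subjectPub, nil
}

// Scenario plays steps 607 and 702-704 once. With forged set, a party that never held the processor's
// second certificate private key signs the certificate with a key of its own. It reports whether the BMC
// accepted the certificate and whether the extracted key is the processor's second subject public key.
func Scenario(forged bool) (bool, bool, error) {
	certPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // second certificate key pair
	if err != nil {
		return false, false, err
	}
	subjectPriv, err := rsa.GenerateKey(rand.Reader, 2048) // second subject key pair
	if err != nil {
		return false, false, err
	}
	signer := certPriv
	if forged {
		if signer, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return false, false, err
		}
	}
	der, err := IssueCertificate(signer, &subjectPriv.PublicKey)
	if err != nil {
		return false, false, err
	}
	got, err := VerifyCertificate(der, &certPriv.PublicKey) // the BMC holds certPriv.PublicKey from step 607
	if err != nil {
		return false, false, nil // rejection is the BMC's verdict, not a failure of the scenario
	}
	return true, got.Equal(&subjectPriv.PublicKey), nil
}

func main() {
	fmt.Println(Scenario(false))
	fmt.Println(Scenario(true))
}
```

The signature check deliberately ignores the key embedded in the certificate: a certificate that verifies only under its own embedded key proves nothing about who issued it, whereas the second certificate public key written to the BMC in step 607 is what ties the certificate to this processor. The second subject public key returned by the check is the key the BMC uses in step 705.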
705. And the BMC encrypts the second communication key through the second main body public key to obtain an encrypted second communication key.
In some possible implementations, the second communication key may be a randomly generated string, a preset string, or another type of string, which is not limited herein. In some possible implementations, the second communication key may be a string of upper- or lower-case letters, symbols, numbers, and the like, without limitation. In embodiments of the present application, the second communication key may be used to encrypt service data.
In the embodiment of the present application, in order to ensure the confidentiality of the second communication key, the second communication key is encrypted with the second subject public key to obtain the encrypted second communication key. It should be noted that the encrypted second communication key can only be decrypted with the second subject private key, and thereby restored to the second communication key.
In some possible implementations, the second communication key may be a second symmetric key, so that the processor may encrypt the first service data with the second symmetric key, obtain encrypted first service data, and send the encrypted first service data to the BMC. The BMC can decrypt the encrypted first service data through the second symmetric key and restore the encrypted first service data into the first service data.
In some possible implementations, the second communication key may be the first subject public key, wherein the first subject public key and the first subject private key are a matched public-private key pair generated by the BMC, and the first subject private key is held by the BMC. Then the processor may encrypt the service data with the first subject public key to obtain encrypted service data and send the encrypted service data to the BMC, and the BMC may decrypt the encrypted service data with the first subject private key and recover the service data.
706. The BMC sends the encrypted second communication key to the processor over a second network connection.
In this embodiment of the present application, the BMC may send the encrypted second communication key to the processor through the second network connection. Because the second communication key only travels in encrypted form, a third party that intercepts the encrypted second communication key cannot decrypt it, since it does not hold the second subject private key; that is, it cannot recover the second communication key, so the confidentiality of the second communication key is preserved.
707. The processor decrypts the encrypted second communication key with the second subject private key to obtain the second communication key, wherein the second subject private key and the second subject public key are a matched public-private key pair.
In this embodiment of the present application, after the processor receives the encrypted second communication key, the processor, which holds the second subject private key, can decrypt the encrypted second communication key with that key and so recover the second communication key.
708. The BMC sends a second access request to the processor over a second network connection, the second access request carrying a second token.
In some possible implementations, in order to verify the validity of the BMC, when the BMC accesses the processor for the first time, the BMC may generate a second access address (for example, https address) through the second network address, the second port number, and the second request address (i.e., a file address of the access content), and encapsulate the content of the application layer through the second access address, where the obtained data packet is a second access request, and a header of the second access request is filled with the second token. It should be noted that the second token is used for letting the processor verify the validity of the BMC. Illustratively, the second token may be 112233 ABD.
In some possible implementations, if the second communication key is a second symmetric key, the second access request is encrypted by the second communication key; if the second communication key is the first subject public key, the second access request is encrypted by the second subject public key.
709. The processor verifies the second token.
In some possible implementations, after the processor generates the second token, the second token is stored in a local token list. After the processor receives the second access request, if the second communication key is a second symmetric key, the processor decrypts the second access request with the second symmetric key; if the second communication key is the first subject public key, the processor decrypts the second access request with the second subject private key. The processor may then obtain the second token from the header of the second access request and compare it with each token in the locally stored token list. If the token list includes the second token, the processor determines that the validity verification of the BMC is successful; if the token list does not include the second token, the processor determines that the validity verification of the BMC failed.
710. The processor sends a second check result of the second token to the BMC through a second network connection.
In some possible implementations, if the processor fails to verify the second token, i.e. the validity of the BMC fails, the processor may send a second verification result of the second token to the BMC, where the second verification result is used to prompt the BMC that the identity verification fails. If the processor checks the second token successfully, that is, the validity of the BMC is verified successfully, the processor can send a second check result of the second token to the BMC, and the second check result is used for prompting that the identity of the BMC is verified successfully.
In some possible implementations, if the second communication key is a second symmetric key, the second verification result is obtained by encrypting the second communication key; if the second communication key is the first subject public key, the second verification result is obtained by encrypting the first subject public key.
711. The processor and the BMC perform data transmission through the second network connection on the basis of the second communication key.
Illustratively, the processor sends the service data to the BMC through the second network connection on the basis of the second communication key by steps S21-S23.
S21, the processor encrypts the service data through the second communication key to obtain encrypted service data.
S22, the processor sends the encrypted service data to the BMC through the second network connection.
S23, the BMC decrypts the encrypted service data through the second communication key to obtain the service data.
Thus, even if a third party intercepts the encrypted service data, the third party cannot decrypt it for lack of the second communication key and so cannot recover the service data from it, which ensures the security of the service data.
In some possible implementations, if the second communication key is a second symmetric key, the BMC may encrypt the service data with the second symmetric key to obtain encrypted service data and send the encrypted service data to the processor. The processor may then decrypt the encrypted service data with the second symmetric key to recover the service data.
In some possible implementations, if the second communication key is the first subject public key, the BMC may encrypt the service data with the second subject public key to obtain encrypted service data and send the encrypted service data to the processor. The processor may then decrypt the encrypted service data with the second subject private key to recover the service data.
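The token check of steps 709-710 and the key-bound exchange of step 711, as an added Go example that is not part of the patent: it assumes the second communication key is a symmetric key, uses AES-GCM (a cipher the patent does not name) for "encrypt with the second communication key", and carries the second token as the first line of the encrypted request; the key and tokens are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// Seal encrypts plaintext under the second communication key with AES-GCM and
// prepends the random nonce so Open can recover it.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read does not return short reads
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; it fails for anyone who lacks the key or altered the
// ciphertext, which is the property the text relies on for step 711.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// BuildAccessRequest is the BMC side of step 709: the first line of the
// plaintext is the header carrying the second token, the rest is the body.
func BuildAccessRequest(key []byte, token, body string) ([]byte, error) {
	return Seal(key, []byte(token+"\n"+body))
}

// VerifyAccessRequest is the processor side of steps 709-710: decrypt the
// request, take the token from the header, compare it with every token in the
// local list in constant time, and return the check result sealed with the key.
func VerifyAccessRequest(key []byte, tokenList []string, sealedReq []byte) ([]byte, bool, error) {
	plain, err := Open(key, sealedReq)
	if err != nil {
		return nil, false, err
	}
	token, _, _ := strings.Cut(string(plain), "\n")
	ok := false
	for _, t := range tokenList { // every entry is compared, so timing does not reveal the match
		ok = subtle.ConstantTimeCompare([]byte(token), []byte(t)) == 1 || ok
	}
	msg := "BMC identity verification failed"
	if ok {
		msg = "BMC identity verification succeeded"
	}
	result, err := Seal(key, []byte(msg))
	return result, ok, err
}

func main() {
	key := make([]byte, 32) // constructed 256-bit second symmetric key
	rand.Read(key)
	req, _ := BuildAccessRequest(key, "tok-constructed-1", "GET /fw.bin")
	res, ok, _ := VerifyAccessRequest(key, []string{"tok-constructed-1"}, req)
	plainRes, _ := Open(key, res)
	fmt.Println(ok, string(plainRes))
}
```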
It should be noted that, for simplicity of description, the foregoing method embodiments are all expressed as a series of action combinations, but it should be understood by those skilled in the art that the present application is not limited by the order of actions described, as some steps may be performed in other order or simultaneously in accordance with the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required in the present application.
In order to facilitate better implementation of the above-described aspects of the embodiments of the present application, the following further provides related devices for implementing the above-described aspects.
It should be noted that, because the content of information interaction and execution process between the modules/units of the above-mentioned device is based on the same concept as the method embodiment of the present application, the technical effects brought by the content are the same as the method embodiment of the present application, and specific content can be referred to the description in the method embodiment shown in the foregoing application, which is not repeated here.
The embodiment of the application also provides a computer storage medium, wherein the computer storage medium stores a program, and the program executes part or all of the steps described in the embodiment of the method.
Referring to fig. 8, a communication device 800 according to another embodiment of the present application includes:
a receiver 801, a transmitter 802, a processor 803, a BMC 804, and a memory 805. In some embodiments of the present application, the receiver 801, transmitter 802, processor 803, and memory 805 may be connected by a bus or other means, with the bus connection being exemplified in fig. 8.
Memory 805 may include read only memory and random access memory and provide instructions and data to the processor 803. A portion of the memory 805 may also include non-volatile random access memory (non-volatile random access memory, NVRAM). The memory 805 stores an operating system and operating instructions, executable modules or data structures, or a subset thereof, or an extended set thereof, wherein the operating instructions may include various operating instructions for performing various operations. The operating system may include various system programs for implementing various underlying services and handling hardware-based tasks.
The processor 803 controls the operation of the communication device 800 through in-band management software, and the BMC 804 controls the operation of the communication device 800 through out-of-band management software.
In a particular application, the various components of the communications device 800 are coupled together by a bus system that may include a power bus, a control bus, a status signal bus, and the like, in addition to a data bus. For clarity of illustration, however, the various buses are referred to in the figures as bus systems.
The processor 803 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuitry of hardware or by instructions in software form in the processor 803. The processor 803 may be a general purpose processor, a digital signal processor (digital signal processing, DSP), an application specific integrated circuit (application specific integrated circuit, ASIC), a field-programmable gate array (field-programmable gate array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components, and may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with the embodiments of the present application may be embodied directly in hardware, in a decoding processor, or in a combination of hardware and software modules in a decoding processor. The software modules may be located in a random access memory, flash memory, read only memory, programmable read only memory, electrically erasable programmable memory, registers, or another storage medium well known in the art. The storage medium is located in the memory 805, and the processor 803 reads information in the memory 805 to perform the relevant method steps in combination with its hardware.
The receiver 801 may be used to receive input digital or character information and to generate signal inputs related to related settings and function control, the transmitter 802 may include a display device such as a display screen, and the transmitter 802 may be used to output digital or character information through an external interface.
In another possible design, when the communication device 800 is a chip, it includes a processing unit, which may be, for example, a processor, and a communication unit, which may be, for example, an input/output interface, pins or circuitry. The processing unit may execute the computer-executable instructions stored in the storage unit to cause the chip in the terminal to perform the method for transmitting wireless report information according to any one of the above first aspects. Alternatively, the storage unit is a storage unit in the chip, such as a register or a cache, or the storage unit may be a storage unit in the terminal located outside the chip, such as a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (random access memory, RAM), or the like.
The processor mentioned in any of the above may be a general-purpose central processing unit, a microprocessor, an ASIC, or one or more integrated circuits for controlling the execution of the programs of the above method.
It should be further noted that the above-described apparatus embodiments are merely illustrative, and that the units described as separate units may or may not be physically separate, and that units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. In addition, in the drawings of the embodiment of the device provided by the application, the connection relation between the modules represents that the modules have communication connection therebetween, and can be specifically implemented as one or more communication buses or signal lines.
From the above description of the embodiments, it will be apparent to those skilled in the art that the present application may be implemented by means of software plus necessary general purpose hardware, or of course may be implemented by dedicated hardware including application specific integrated circuits, dedicated CPUs, dedicated memories, dedicated components and the like. Generally, functions performed by computer programs can be easily implemented by corresponding hardware, and specific hardware structures for implementing the same functions can be varied, such as analog circuits, digital circuits, or dedicated circuits. However, a software program implementation is a preferred embodiment in many cases for the present application. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a readable storage medium, such as a floppy disk, a usb disk, a removable hard disk, a ROM, a RAM, a magnetic disk or an optical disk of a computer, etc., including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform the method described in the embodiments of the present application.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product.
The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the flows or functions according to the embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired means (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless means (e.g., infrared, radio, microwave). The computer readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a DVD), or a semiconductor medium (e.g., a solid state disk (SSD)), or the like.

Claims (12)

1. A data transmission method, characterized by being used for a server, the server comprising a processor and a baseboard management controller BMC, the method comprising:
the processor acquires first network information of the BMC through an internal channel of the server;
the processor establishes a first network connection on a network channel with the BMC based on the first network information;
the processor and the BMC perform data transmission through the first network connection.
2. The method of claim 1, wherein the processor obtaining the first network information of the BMC through an internal channel of the server comprises:
the processor sends a request message to the BMC through the internal channel, wherein the request message is used for requesting to acquire the first network information;
and the processor receives a response message sent by the BMC through the internal channel, wherein the response message comprises the first network information.
3. The method of claim 1 or 2, wherein the first network information includes a first network address and a first port number, and wherein the processor establishes a first network connection with the BMC over a network channel based on the first network information, comprising:
the processor sends a first connection request to the BMC through the network channel, wherein the destination address of the first connection request is the first network address, the destination port is the first port number, and the first connection request is used for requesting to establish the first network connection;
the processor receives a first connection response sent by the BMC through the network channel, wherein the first connection response is used for responding to the first connection request so as to establish the first network connection.
4. The method of claim 3, wherein the first network information further comprises a first certificate public key, the first connection response comprises a first certificate, a digital signature of the first certificate is encrypted by a first certificate private key, and the first certificate private key and the first certificate public key are matched public-private key pairs;
after the processor receives the first connection response sent by the BMC through the network channel, the method further includes:
the processor verifies the first certificate based on the first certificate public key to verify the legitimacy of the BMC.
5. The method of claim 4, wherein the first certificate comprises a first subject public key, and wherein the processor, after verifying the first certificate based on the first certificate public key, further comprises:
if the first certificate is successfully verified, the processor acquires the first subject public key from the first certificate;
the processor generates a first communication key and encrypts the first communication key with the first subject public key to obtain an encrypted first communication key;
the processor sends the encrypted first communication key to the BMC through the network channel, so that the BMC decrypts the encrypted first communication key with a first subject private key and recovers the first communication key, wherein the first subject private key and the first subject public key are a matched public-private key pair;
and the data transmission between the processor and the BMC through the first network connection comprises:
the processor and the BMC perform data transmission through the first network connection based on the first communication key.
6. The method of any of claims 1-5, wherein the first network information further comprises a first token, and wherein the processor, after establishing a first network connection with the BMC over a network channel based on the first network information, further comprises:
the processor sends a first access request through the first network connection, wherein the first access request carries the first token, so that the BMC verifies the validity of the processor based on the first token.
7. A data transmission method for a server, the server including a processor and a BMC, the method comprising:
the BMC acquires second network information of the processor through an internal channel;
the BMC establishes a second network connection with the processor on a network channel based on the second network information;
the BMC and the processor perform data transmission through the second network connection.
8. The method of claim 7, wherein the second network information includes a second network address and a second port number, and wherein the BMC establishes a second network connection with the processor over a network channel based on the second network information, comprising:
the BMC sends a second connection request to the processor through the network channel, wherein the destination address of the second connection request is the second network address, the destination port is the second port number, and the second connection request is used for requesting to establish the second network connection;
and the BMC receives a second connection response sent by the processor through the network channel, wherein the second connection response is used for responding to the second connection request so as to establish the second network connection.
9. The method of claim 8, wherein the second network information further comprises a second certificate public key, the second connection response comprising a second certificate, a digital signature of the second certificate being encrypted by a second certificate private key, the second certificate private key and the second certificate public key being a matched public-private key pair;
after the BMC receives the second connection response sent by the processor through the network channel, the method further includes:
the BMC verifies the second certificate based on the second certificate public key to verify the legitimacy of the processor.
10. The method of claim 9, wherein the second certificate comprises a second subject public key, and wherein the BMC, after verifying the second certificate based on the second certificate public key, further comprises:
if the second certificate is successfully verified, the BMC acquires the second subject public key from the second certificate;
the BMC generates a second communication key and encrypts the second communication key with the second subject public key to obtain an encrypted second communication key;
the BMC sends the encrypted second communication key to the processor through the network channel, so that the processor decrypts the encrypted second communication key with a second subject private key and recovers the second communication key, wherein the second subject private key and the second subject public key are a matched public-private key pair;
and the data transmission between the BMC and the processor through the second network connection comprises:
the BMC and the processor perform data transmission through the second network connection based on the second communication key.
11. The method of any of claims 7-10, wherein the second network information further comprises a second token, and wherein after the BMC establishes a second network connection with the processor over a network channel based on the second network information, the method further comprises:
the BMC sends a second access request through the second network connection, wherein the second access request carries the second token, so that the processor verifies the validity of the BMC based on the second token.
12. A server comprising a processor and a BMC, the processor being coupled to the BMC, the server configured to perform the data transfer method of any of claims 1-6 or 7-11.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311542256.0A CN117749785A (en) 2023-11-17 2023-11-17 Data transmission method and related equipment
Publications (1)

Publication Number Publication Date
CN117749785A true CN117749785A (en) 2024-03-22

Family

ID=90256908
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination