CN118568743A - Data encryption and decryption method, device, medium and equipment based on hardware encryption card - Google Patents
- Publication number: CN118568743A (application number CN202410598023.0A)
- Authority: CN (China)
- Prior art keywords: partition, root, operating system, data, boot
- Legal status: Pending
Abstract
The embodiment of the invention provides a data encryption and decryption method, device, medium and equipment based on a hardware encryption card, relating to the technical field of data encryption. The method comprises the following steps: creating a boot partition and a root partition on the installation disk during installation of the operating system of an electronic device; encrypting the data of the boot partition and the root partition with a hardware encryption card, so that after installation of the operating system is complete the data of the boot partition and the root partition are ciphertext data; during startup of the operating system, locating and loading a bootloader program through the firmware, and calling the hardware encryption card through the bootloader program to read and decrypt the operating system kernel image and the temporary root file system image from the boot partition; loading the operating system kernel image into memory and running it, so that the operating system kernel runs in memory; and, once the operating system kernel is running, decrypting the ciphertext data of the boot partition and the root partition through the hardware encryption card. The invention can effectively improve the security protection of the computer system.
Description
Technical Field
The embodiment of the invention relates to the technical field of data encryption, in particular to a data encryption and decryption method, device, medium and equipment based on a hardware encryption card.
Background
With the spread of digitization, informatization and intelligent systems across all fields of society, data security has become an increasingly important issue. Data may contain sensitive business information and personal data, and its leakage may lead to loss of trade secrets and financial losses. Therefore, ensuring the security of computer systems such as personal computers and government agency servers, and preventing data from being illegally tampered with or accessed, is an important field of research and practice.
The security protection of computer systems typically includes both boot protection and data protection. Boot protection means verifying during system boot that the system has not been tampered with and is the preset system. Data protection means encrypting data while the system operates, so that the data cannot be illegally accessed or tampered with during storage and processing.
In the prior art, a "trust chain" and a "trusted root" are generally used for boot protection of a computer system: starting from the trusted root, the integrity of each system component is verified in turn, and the verification results are stored in a secure location such as centralized hardware or the cloud. However, this approach focuses mainly on verifying the integrity of components at system start-up, while data generated or processed while the system is running remains in plaintext; that is, only the trustworthiness of start-up is verified, and the code executed and the data generated during start-up and operation are not protected.
There is currently no better solution to the above problems.
Disclosure of Invention
The embodiment of the invention provides a data encryption and decryption method, a device, a medium and equipment based on a hardware encryption card, so as to improve the security protection of a computer system.
According to one embodiment of the present invention, there is provided a data encryption and decryption method based on a hardware encryption card, applied to an electronic device, where the electronic device includes an installation disk and a memory, the memory stores firmware, and the method includes:
creating a boot partition and a root partition on the installation disk during installation of the operating system of the electronic device;
encrypting the data of the boot partition and the root partition with a hardware encryption card, so that after installation of the operating system is complete the data of the boot partition and the root partition are ciphertext data;
during startup of the operating system, locating and loading a bootloader program through the firmware, and calling the hardware encryption card through the bootloader program to read and decrypt the operating system kernel image and the temporary root file system image from the boot partition;
loading the operating system kernel image into the memory and running it, so that the operating system kernel runs in the memory;
and, after the operating system kernel is running, decrypting the ciphertext data of the boot partition and the root partition through the hardware encryption card.
In an exemplary embodiment, encrypting the data of the boot partition and the root partition by a hardware encryption card includes:
installing a second driver and a dm-crypt kernel module in the operating system, where the dm-crypt kernel module is used to call the hardware encryption card to encrypt the data of the boot partition and the root partition;
creating a root partition encrypted volume device in the root partition, and creating a boot partition encrypted volume device in the boot partition;
formatting the root partition encrypted volume device to obtain a root partition file system, and formatting the boot partition encrypted volume device to obtain a boot partition file system;
and calling the hardware encryption card through the second driver to encrypt the data written to the boot partition file system from the boot partition, and to encrypt the data written to the root partition file system from the root partition.
In an exemplary embodiment, calling the hardware encryption card through the second driver to encrypt the data written to the boot partition file system from the boot partition and the data written to the root partition file system from the root partition includes:
writing all file directories of the root partition into the root partition file system, and writing all file directories of the boot partition into the boot partition file system, where the file directories of the root partition pass through the root partition encrypted volume device while being written to the root partition file system, and the file directories of the boot partition pass through the boot partition encrypted volume device while being written to the boot partition file system;
when all file directories of the root partition pass through the root partition encrypted volume device, calling the hardware encryption card through the second driver to encrypt all file directories of the root partition;
and when all file directories of the boot partition pass through the boot partition encrypted volume device, calling the hardware encryption card through the second driver to encrypt all file directories of the boot partition.
In an exemplary embodiment, obtaining the operating system kernel image and the temporary root file system image through the bootloader program includes:
loading a first driver through the bootloader program, and locating the boot partition;
mounting the boot partition as a boot partition file system through the bootloader program, and reading the ciphertext data of the operating system kernel image and the ciphertext data of the temporary root file system image from the boot partition file system;
and calling the first driver to decrypt the ciphertext data of the operating system kernel image to obtain the operating system kernel image, and to decrypt the ciphertext data of the temporary root file system image to obtain the temporary root file system image.
In an exemplary embodiment, after the operating system kernel image and the temporary root file system image are obtained through the bootloader program, the method further includes:
loading the temporary root file system image into the memory and mounting it as a memory file system type, so that the operating system accesses and uses the systemd programs in the temporary root file system image through the memory file system type to start programs and/or components of the operating system.
In an exemplary embodiment, decrypting the ciphertext data of the boot partition and the root partition by the hardware encryption card includes:
installing a second driver and a dm-crypt kernel module in the operating system, where the dm-crypt kernel module is used to call the hardware encryption card to decrypt the ciphertext data of the boot partition and the root partition;
creating a root partition encrypted volume device in the root partition, and creating a boot partition encrypted volume device in the boot partition;
mounting the root partition encrypted volume device as a root partition file system, so that the operating system accesses and uses the systemd programs in the root partition file system to start programs and/or components of the operating system;
reading the ciphertext data of the root partition, and calling the second driver through the root partition encrypted volume device to decrypt the ciphertext data of the root partition;
and mounting the boot partition encrypted volume device as a boot partition file system, reading the ciphertext data of the boot partition, and calling the second driver through the boot partition encrypted volume device to decrypt the ciphertext data of the boot partition.
In an exemplary embodiment, the bootloader program includes an encryption and decryption module, where the encryption and decryption module is configured to drive the hardware encryption card to encrypt and decrypt data of the boot partition.
According to another embodiment of the present invention, there is provided a data encryption and decryption apparatus based on a hardware encryption card, including:
an encryption module, used to create a boot partition and a root partition on the installation disk during installation of the operating system of the electronic device, and to encrypt the data of the boot partition and the root partition through a hardware encryption card, so that after the operating system is installed the data of the boot partition and the root partition are ciphertext data;
an operating system kernel running module, used to locate and load a bootloader program through the firmware during startup of the operating system, obtain an operating system kernel image and a temporary root file system image through the bootloader program, and load the operating system kernel image into the memory and run it, so that the operating system kernel runs in the memory;
and a decryption module, used to decrypt the ciphertext data of the boot partition and the root partition through the hardware encryption card after the operating system kernel is running.
According to a further embodiment of the invention, there is also provided a computer readable storage medium having stored therein a computer program, wherein the computer program is arranged to perform the steps of any of the method embodiments described above when run.
According to still another embodiment of the present invention, there is also provided an electronic apparatus including:
the data encryption and decryption device based on the hardware encryption card described above;
a memory configured to store instructions; and
a processor configured to call the instructions from the memory and, when executing the instructions, to implement the data encryption and decryption method based on the hardware encryption card described above.
With this technical scheme, the boot partition and the root partition on the installation disk are encrypted, so the data of the whole operating system is reliably kept in ciphertext form while stored, and unauthorized access and data leakage are effectively prevented. During startup of the operating system, the firmware loads a bootloader program, the bootloader program obtains the operating system kernel image, and the kernel image is loaded into memory and run; once the operating system kernel is running, the ciphertext data is decrypted through the hardware encryption card. This effectively protects the security of the data, prevents it from being illegally accessed or tampered with both during the startup stage and during the running stage of the operating system, and ensures the data security of the operating system throughout the whole process from startup to operation.
Drawings
Fig. 1 is a block diagram of the hardware structure of a mobile terminal according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the overall structure of a data encryption and decryption method based on a hardware encryption card according to an embodiment of the present invention;
Fig. 3 is a flow chart of a data encryption and decryption method based on a hardware encryption card according to an embodiment of the invention;
Fig. 4 is a block diagram of the bootloader phase according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of the initrd stage according to an embodiment of the invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it should be understood that the detailed description described herein is merely for illustrating and explaining the embodiments of the present application, and is not intended to limit the embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
In addition, where the embodiments of the present application describe "first", "second", etc., these terms are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In addition, the technical solutions of the embodiments may be combined with each other, provided that the combination can be realized by those skilled in the art; when the technical solutions are contradictory or cannot be realized, the combination should be considered absent and not within the scope of protection claimed in the present application.
The method embodiments provided in the embodiments of the present application may be performed in a mobile terminal, a computer terminal or similar computing device. Taking the mobile terminal as an example, fig. 1 is a hardware structure block diagram of a mobile terminal based on a data encryption and decryption method of a hardware encryption card according to an embodiment of the present application. As shown in fig. 1, a mobile terminal may include one or more (only one is shown in fig. 1) processors 102 (the processor 102 may include, but is not limited to, a microprocessor MCU or a processing device such as a programmable logic device FPGA) and a memory 104 for storing data, wherein the mobile terminal may also include a transmission device 106 for communication functions and an input-output device 108. It will be appreciated by those skilled in the art that the structure shown in fig. 1 is merely illustrative and not limiting of the structure of the mobile terminal described above. For example, the mobile terminal may also include more or fewer components than shown in fig. 1, or have a different configuration than shown in fig. 1.
The memory 104 may be used to store a computer program, for example, a software program of application software and a module, for example, a computer program corresponding to a data encryption and decryption method based on a hardware encryption card in an embodiment of the present invention, and the processor 102 executes the computer program stored in the memory 104 to perform various functional applications and data processing, that is, implement the method described above. Memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory remotely located relative to the processor 102, which may be connected to the mobile terminal via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the mobile terminal. In one example, the transmission device 106 includes a network adapter (Network Interface Controller, simply referred to as a NIC) that can connect to other network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is configured to communicate with the internet wirelessly.
Example 1:
The data encryption and decryption method based on the hardware encryption card provided by the embodiment of the application is described in detail below through specific embodiments and their application scenarios, with reference to the accompanying drawings.
For ease of understanding the technical solution, please refer to fig. 2, which shows the overall structure of a data encryption and decryption method based on a hardware encryption card.
The firmware is a program written into programmable read-only memory; it is mainly used to search for and load the bootloader program when the system starts, and generally comes in two types, legacy BIOS and UEFI. In this embodiment, the bootloader is a deeply modified grub2, mainly used to identify the boot partition, initialize the hardware encryption card driver (driver 1), search for and load the operating system kernel image and the temporary root file system image initrd.img, and encrypt and decrypt the data in the boot partition through driver 1. Driver 1 is a program developed on the bootloader software framework for driving the hardware encryption card; it is not part of the operating system, and is mainly used to call the hardware encryption card to encrypt and decrypt data accessed in the boot partition while the operating system boots.
In this embodiment, the operating system is a Linux system, mainly comprising a Linux kernel, a customized initrd.img, driver 2, a disk encryption engine, a root partition file system and a boot partition file system. The Linux kernel refers to the kernel image of the Linux operating system. initrd.img is a customized temporary root file system image; during startup it is loaded into memory and decompressed, and the subsequent startup of the operating system proceeds from that in-memory copy. Driver 2 is a kernel program developed on the Linux device driver framework for driving the hardware encryption card; it is mainly used to initialize the configuration of the hardware encryption card, allocate memory resources, and call the hardware to perform encryption and decryption operations. The disk encryption engine creates the boot partition encrypted volume device and the root partition encrypted volume device, stacked on the boot partition and the root partition, during execution of the initrd, so that driver 2 is called transparently whenever boot partition or root partition data is accessed in the initrd stage of system startup, and the disk data is encrypted and decrypted in real time through the hardware encryption card.
The root partition file system and the boot partition file system are the file systems formatted and mounted after the root partition (ciphertext) and the boot partition (ciphertext) have each been stacked with their encrypted volume device. The hardware encryption card is mainly used to encrypt and decrypt data; it is generally connected to the host over a PCI bus, and by handling complex encryption and decryption operations in dedicated hardware it offloads the CPU and accelerates the overall performance of the system. The boot partition (ciphertext) is the disk partition holding the boot partition data; it is located when the operating system starts, and the boot partition file system is mounted on it after the encryption and decryption layer is stacked on top. In this embodiment the data in the boot partition is in ciphertext form. The root partition (ciphertext) is the disk partition holding the root partition data; after the system starts it is mounted as the root partition file system with the encryption and decryption layer stacked on top, and the data in the root partition is in ciphertext form.
Based on the overall structure schematic diagram of the data encryption and decryption method based on the hardware encryption card shown in fig. 2, the embodiment of the application discloses a data encryption and decryption method based on the hardware encryption card.
Referring to fig. 3, a data encryption and decryption method based on a hardware encryption card is applied to an electronic device, the electronic device comprises an installation disk and a memory, and firmware is stored in the memory, and the method comprises the following steps:
S110, creating a boot partition and a root partition on the installation disk during installation of the operating system of the electronic device.
The boot partition is the partition that stores the boot loader (bootloader) and associated boot files. The boot loader is the first program loaded when the electronic device starts, and it drives the startup of the operating system. Boot partitions typically contain the boot loader, the kernel image, device drivers and other necessary boot files.
The root partition is the partition where the root file system of the operating system is located, including all files and directories of the operating system. The root partition typically contains the kernel of the operating system, system libraries, configuration files, applications, user data, and the like.
S120, encrypting the data of the boot partition and the root partition through a hardware encryption card, so that after installation of the operating system is complete the data of the boot partition and the root partition are ciphertext data.
During installation of the operating system of the electronic device, the data of the boot partition and the root partition is encrypted through the hardware encryption card, and once installation is complete the data of both partitions is ciphertext, so an unauthorized visitor or attacker cannot directly read or understand their contents. Only a decryption operation performed by the hardware encryption card can convert the ciphertext data back into the original plaintext so that the operating system can correctly read and use it.
Encrypting the data of the boot partition and the root partition strengthens the security of the electronic device. Even if the storage medium of the device is physically obtained, the data cannot be read directly, which effectively prevents data leakage and unauthorized access and provides a higher level of data security.
S130, during startup of the operating system, locating and loading a bootloader program through the firmware, and calling the hardware encryption card through the bootloader program to read and decrypt the operating system kernel image and the temporary root file system image from the boot partition.
The bootloader program comprises an encryption and decryption module, and the encryption and decryption module is used for driving the hardware encryption card to encrypt and decrypt the data of the boot partition.
The firmware is used to search for and load the bootloader program when the operating system starts. The operating system kernel image contains the kernel code and functions of the operating system, and is typically a compiled and packaged binary file.
The temporary root file system image is a temporary file system containing the most basic files and directories required for the operating system to boot; it typically contains the necessary drivers, configuration files, boot scripts and the like.
S140, loading the operating system kernel image into a memory and running it, so that the operating system kernel runs in the memory.
The bootloader program reads the operating system kernel image and the temporary root file system image from the boot partition and loads them into memory, then transfers control to the operating system kernel, which begins normal operation of the operating system.
Once the kernel image is loaded into memory, the bootloader program transfers control to the kernel, thereby booting the operating system. The kernel runs in memory and performs the various functions and tasks of the operating system.
In particular, the memory may be random access memory (RAM), a temporary storage space for programs and data.
When the bootloader program loads the operating system kernel image, the kernel image is read from disk into memory, since memory is read and written far faster than disk. Loading the kernel image into memory therefore improves the startup speed and performance of the operating system.
S150, after the operating system kernel is running, decrypting the ciphertext data of the boot partition and the root partition through the hardware encryption card.
After the kernel of the operating system runs, the ciphertext data of the boot partition and the root partition are decrypted through the hardware encryption card.
Since the data of the boot partition and the root partition was encrypted into ciphertext in S120, the ciphertext data cannot be read and used directly by the operating system before the operating system kernel runs; once running, the operating system kernel calls the hardware encryption card to perform the decryption operation.
The decrypted data can then be read and used by the operating system kernel, including reading configuration files, loading applications and accessing user data. Decryption through the hardware encryption card ensures that the operating system can correctly access and use the data in the boot partition and the root partition, and provides transparent access to the encrypted data while the operating system runs. The data can only be decrypted when the hardware encryption card is available to the operating system kernel, which effectively protects the security of the data and prevents unauthorized access and data leakage.
In this embodiment, the boot partition and the root partition on the installation disk are encrypted, so the data of the whole operating system is reliably kept in ciphertext form while stored, and unauthorized access and data leakage are effectively prevented. During startup of the operating system, the firmware loads a bootloader program, the bootloader program obtains the operating system kernel image, and the kernel image is loaded into memory and run; once the operating system kernel is running, the ciphertext data is decrypted through the hardware encryption card. This effectively protects the security of the data, prevents it from being illegally accessed or tampered with both during the startup stage and during the running stage of the operating system, and ensures the data security of the operating system throughout the whole process from startup to operation.
In one implementation manner of the embodiment, encrypting the data of the boot partition and the root partition by the hardware encryption card includes the following steps:
S210, installing a second driver and a dm-crypt kernel module in the operating system, wherein the dm-crypt kernel module is used to call the hardware encryption card to encrypt the data of the boot partition and the root partition.
S220, creating a root partition encryption volume device in the root partition, and creating a boot partition encryption volume device in the boot partition.
An encryption volume device is a logical block device whose main purpose is to call the hardware encryption card through the second driver to complete the encryption and decryption of data.
S230, formatting the root partition encryption volume device to obtain a root partition file system, and formatting the boot partition encryption volume device to obtain a boot partition file system.
Formatting means creating the corresponding file system structure on the encryption volume device so that the operating system can read, write and manage data on it.
S240, calling the hardware encryption card through the second driver to encrypt the data written from the boot partition into the boot partition file system, and to encrypt the data written from the root partition into the root partition file system.
When data is written into the boot partition or the root partition, it is encrypted by the hardware encryption card and finally stored in the corresponding encryption volume device.
That is, when the operating system is installed, a boot partition and a root partition are created on the selected installation disk, an encryption volume device is constructed on each of them, the boot partition file system and the root partition file system are then formatted on top of the respective encryption volume devices, and finally the files required by the boot partition and the root partition in the system installation package are written into the boot partition file system and the root partition file system respectively.
In this embodiment, the data of the boot partition and the root partition is encrypted into ciphertext data and stored in the corresponding encryption volume device. The correct plaintext data can only be obtained through the decryption operation of the hardware encryption card, which improves the data security of the electronic device and prevents unauthorized access and data leakage.
In one implementation manner of the present embodiment, calling the hardware encryption card through the second driver to encrypt the data written from the boot partition into the boot partition file system and the data written from the root partition into the root partition file system includes the following steps:
S310, writing all file directories of the root partition into the root partition file system, and writing all file directories of the boot partition into the boot partition file system, wherein all file directories of the root partition pass through the root partition encryption volume device while being written into the root partition file system, and all file directories of the boot partition pass through the boot partition encryption volume device while being written into the boot partition file system.
In other words, while the file directories of the root partition are written into the root partition file system they pass through the root partition encryption volume device; likewise, while the file directories of the boot partition are written into the boot partition file system they pass through the boot partition encryption volume device.
S320, when all file directories of the root partition pass through the root partition encryption volume device, the second driver calls the hardware encryption card to encrypt all file directories of the root partition.
S330, when all file directories of the boot partition pass through the boot partition encryption volume device, the second driver calls the hardware encryption card to encrypt all file directories of the boot partition.
Because the second driver calls the hardware encryption card whenever file directories pass through the root partition encryption volume device or the boot partition encryption volume device, every file directory written to the boot partition and the root partition is guaranteed to be encrypted by the hardware encryption card. During the writing process of S310, the data passing through the root partition encryption volume device and the boot partition encryption volume device is encrypted by the hardware encryption card via the second driver, so that after the operating system is installed, the system data in the root partition and the boot partition exists in ciphertext form.
In this embodiment, the ciphertext data can only be converted back into the original plaintext data by a decryption operation of the hardware encryption card, so that the operating system can correctly read and use the data. This effectively improves the data security of the electronic device and prevents unauthorized access and data leakage.
In one implementation manner of the embodiment, obtaining the operating system kernel image and the temporary root file system image through the bootloader program includes the following steps:
S410, loading a first driver through the bootloader program, and querying the boot partition.
After the bootloader program loads the first driver, the first driver searches for the boot partition.
S420, mounting the boot partition as a boot partition file system through the bootloader program, and reading the ciphertext data of the operating system kernel image and the ciphertext data of the temporary root file system image from the boot partition file system.
S430, calling the first driver to decrypt the ciphertext data of the operating system kernel image to obtain the operating system kernel image, and to decrypt the ciphertext data of the temporary root file system image to obtain the temporary root file system image.
Mounting means attaching a file system to a particular directory of the Linux file system tree so that the files and directories of that file system can be accessed and used in the Linux system.
While the bootloader program mounts the boot partition as the boot partition file system, it reads the ciphertext data of the operating system kernel image and of the temporary root file system image from the boot partition and calls the first driver to decrypt them. The decryption of the ciphertext data of the operating system kernel image and of the temporary root file system image is performed in real time as the ciphertext data is read from the boot partition.
In summary, when the operating system starts, that is, after the hardware finishes powering up, the firmware searches for and loads the bootloader program; the bootloader program reads the data in the boot partition (including the Linux kernel image and the temporary root file system image initrd.img), which is in ciphertext form, and calls the first driver in real time during reading to decrypt it, so that the plaintext Linux kernel image and root file system image are obtained; loading of the operating system kernel is then completed, the temporary root file system is loaded into memory and mounted as a memory file system, and the Linux operating system starts to run.
The bootloader program of this embodiment obtains the ciphertext data of the operating system kernel image and the temporary root file system image and decrypts it into the corresponding plaintext image data, so that the operating system kernel and the temporary root file system can be loaded and used and the operating system starts and runs normally.
In one implementation manner of this embodiment, after the operating system kernel image and the temporary root file system image are obtained through the bootloader program, the method further includes the following step:
S510, loading the temporary root file system image into memory and mounting it as a memory file system type, so that the operating system accesses and uses the systemd program in the temporary root file system image through the memory file system type to start programs and/or components of the operating system.
In this implementation, the temporary root file system image is loaded into memory and mounted by the operating system as a memory file system type, meaning that the files and directories in the temporary root file system image can be accessed and used as files and directories held in memory.
Once the temporary root file system image is loaded into memory and mounted as a memory file system type, the operating system runs the systemd program, and systemd then proceeds to launch the other programs and components.
Other programs and components refers to the various services, processes and applications of the operating system, such as web services, file system services, user interface services and database services.
By mounting the temporary root file system image as a memory file system type, the operating system can use the systemd program in it to launch the other programs and components of the operating system. systemd is an init system and system manager that launches and manages the services and processes of the operating system.
In summary, the bootloader program reads the ciphertext data of the temporary root file system image from the mounted boot partition file system, calls the first driver in real time to decrypt it during reading, and then loads the temporary root file system image into memory and mounts it as a memory file system type.
In this embodiment the operating system completes loading and mounting of the temporary root file system image, and the systemd program in the temporary root file system image is used to start and manage the programs and components of the operating system, so that the operating system operates normally and provides its functions and services.
In one implementation manner of the embodiment, decrypting the ciphertext data of the boot partition and the root partition through the hardware encryption card includes the following steps:
S610, installing the second driver and the dm-crypt kernel module in the operating system, wherein the dm-crypt kernel module is used to call the hardware encryption card to decrypt the ciphertext data of the boot partition and the root partition.
S620, creating the root partition encryption volume device in the root partition, and creating the boot partition encryption volume device in the boot partition.
S630, mounting the root partition encryption volume device as the root partition file system, so that the operating system accesses and uses the systemd program in the root partition file system to start programs and/or components of the operating system.
S640, reading the ciphertext data of the root partition, and calling the second driver through the root partition encryption volume device to decrypt the ciphertext data of the root partition.
In this embodiment, the operating system switches its root file system from the temporary root file system in memory to the root partition file system; during this switch, the operating system reads the ciphertext data of the root partition and calls the second driver in real time through the root partition encryption volume device to decrypt it.
While executing the systemd program in the root partition file system, the operating system accesses and uses that systemd program to launch programs and/or components of the operating system.
Whenever the root partition file system is subsequently read, the second driver is called in real time through the root partition encryption volume device to decrypt the disk root partition data with the hardware encryption card; whenever data is written to the root partition file system, the second driver is called in real time through the root partition encryption volume device to encrypt the disk root partition data with the hardware encryption card. In the same way, whenever the boot partition file system is subsequently read, the second driver is called in real time through the boot partition encryption volume device to decrypt the disk boot partition data with the hardware encryption card, and whenever data is written to the boot partition file system, the second driver is called in real time through the boot partition encryption volume device to encrypt the disk boot partition data with the hardware encryption card.
S650, mounting the boot partition encryption volume device as the boot partition file system, reading the ciphertext data of the boot partition, and calling the second driver through the boot partition encryption volume device to decrypt the ciphertext data of the boot partition.
In summary, after the operating system starts, the encryption volume devices (the boot partition encryption volume device and the root partition encryption volume device) are created according to the partition sizes of the boot partition and the root partition established during installation of the operating system, and are mounted with the file system types formatted during installation; the encryption volume devices then provide real-time encryption and decryption whenever the boot partition and the root partition are read or written. The operating system start flow then switches the current root directory of the system from the root directory of the temporary root file system to the root directory of the mounted root partition file system, and the remaining start process continues.
In this embodiment, the ciphertext data of the boot partition and the root partition is decrypted into plaintext data that can be read and used normally by the operating system, so that the operating system obtains correct data and starts and runs the programs and components in it.
In summary, the implementation of the present embodiment comprises a bootloader stage and an initrd stage.
Fig. 4 shows a schematic structural diagram of the bootloader stage. In this embodiment, the bootloader stage searches for and reads the Linux kernel image and the temporary root file system image initrd.img from the boot partition, and loads them into memory, so that booting and starting of the operating system can be completed.
In this embodiment, the data in the boot partition is written in ciphertext form, encrypted by the hardware encryption card, when the operating system is installed, so the data in the boot partition must be decrypted in the bootloader stage before it can be correctly identified, loaded and executed.
Because the operating system has not yet booted in the bootloader stage, the software and hardware interrupt mechanisms are not running, and at this point the driver of the hardware encryption card cannot be implemented on the basis of the device driver framework of the Linux operating system.
Specifically, an encryption and decryption layer is implemented on top of the bootloader program. When the bootloader needs to read the boot partition (ciphertext data) while booting and loading the system, the boot partition data is accessed through this layer: each time ciphertext data of the partition is read, the layer calls the data decryption interface of driver 1 (the first driver), the hardware encryption card completes the decryption, and the result is returned to the caller. If the bootloader stage needs to write data to the boot partition, the bootloader program writes plaintext data, the plaintext passes through the encryption and decryption layer, which calls the data encryption interface of driver 1 (the first driver), and after the hardware encryption card completes the encryption the data is written into the boot partition. The whole encryption and decryption process is transparent to the bootloader's boot and load flow. The data in the boot partition, which includes key data such as the kernel, the file system image and the system configuration, exists entirely in ciphertext form; newly generated and modified data is encrypted and decrypted dynamically and in real time through the encryption and decryption layer, and the encryption and decryption algorithm and key management scheme can be chosen according to user requirements.
Fig. 5 shows a schematic structural diagram of the initrd stage, in which the Linux operating system kernel is already loaded and running and performs the decompression of the temporary root file system image, the mounting of the temporary root file system as a memory file system, and then the mounting of the root partition file system and the boot partition file system.
In this embodiment, in the initrd stage the disk encryption engine creates the encryption volume devices according to the partition layout of the system disk at start time, based on the device on which the root partition and the boot partition are located and on the partition sizes.
An encryption volume device is a logical block device whose main purpose is to complete the encryption and decryption of data by calling the hardware encryption card through driver 2 (the second driver); based on its outward appearance as a logical block device, an encryption volume device can be formatted and mounted as the root partition file system or the boot partition file system respectively. Because the Linux kernel has been loaded at this stage, the Linux device driver framework is active, and driver 2 (the second driver) of the hardware encryption card is implemented and runs on that framework; the encryption and decryption logic or algorithm invoked by driver 2 must be kept consistent with the encryption and decryption logic or algorithm used in the bootloader stage.
All subsequent data read and write operations on the root partition file system and the boot partition file system pass through the encryption volume device on which the file system resides, which calls the hardware encryption card through driver 2 (the second driver) to encrypt and decrypt the data. This keeps the system and its data entirely in ciphertext, while the file systems and the applications running on them remain loosely coupled to, and unaware of, the encryption and decryption actions.
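The two-stage transparent layer described above (driver 1 in the bootloader, driver 2 behind the dm-crypt encryption volume device), as an added Python model that is not the patent's code: it assumes a simulated card cipher (an HMAC-SHA256 keystream per sector, because the patent does not give the real card's algorithm), a 512-byte sector size, constructed sample images and a constructed key. It shows that the partition holds only ciphertext after installation, that the bootloader recovers the images by decrypting sector by sector as it reads, and that a driver whose algorithm does not match the install-time driver cannot.

```python
import hashlib
import hmac

SECTOR = 512  # bytes per sector of the simulated disk partition

# Constructed sample data standing in for boot partition contents and the card key.
KERNEL_IMAGE = b"[constructed kernel image] " * 60   # 1620 bytes, occupies sectors 0-3
INITRD_IMAGE = b"[constructed initrd.img] " * 30     # 750 bytes
INITRD_OFFSET = 8 * SECTOR                           # initrd placed at sector 8
KEY = b"constructed-demo-key-not-a-real-card-key"


class SimulatedEncryptionCard:
    """Stand-in for the hardware encryption card (assumption: the patent does not
    specify the card's cipher). Each sector gets its own keystream from
    HMAC-SHA256 in counter mode, keyed by the card key and tweaked with the
    sector number, so equal plaintext in different sectors encrypts differently.
    XOR with the keystream is its own inverse, so encrypt and decrypt coincide."""

    def __init__(self, key: bytes):
        self._key = key

    def _keystream(self, sector: int, length: int) -> bytes:
        out = bytearray()
        counter = 0
        while len(out) < length:
            msg = sector.to_bytes(8, "big") + counter.to_bytes(4, "big")
            out += hmac.new(self._key, msg, hashlib.sha256).digest()
            counter += 1
        return bytes(out[:length])

    def encrypt_sector(self, sector: int, plaintext: bytes) -> bytes:
        ks = self._keystream(sector, len(plaintext))
        return bytes(p ^ k for p, k in zip(plaintext, ks))

    def decrypt_sector(self, sector: int, ciphertext: bytes) -> bytes:
        return self.encrypt_sector(sector, ciphertext)


class RawPartition:
    """The disk partition as the firmware sees it: it only ever holds ciphertext."""

    def __init__(self, sectors: int):
        self.data = bytearray(sectors * SECTOR)

    def read_sector(self, n: int) -> bytes:
        return bytes(self.data[n * SECTOR:(n + 1) * SECTOR])

    def write_sector(self, n: int, buf: bytes) -> None:
        self.data[n * SECTOR:(n + 1) * SECTOR] = buf


class EncryptionVolume:
    """Transparent encryption layer in front of a raw partition.

    This role is played by the bootloader's encryption/decryption layer (driver 1)
    before the kernel runs and by the dm-crypt encryption volume device (driver 2)
    afterwards; the patent requires both to call the card with the same algorithm,
    which is why one class models both. Reads decrypt and writes encrypt one
    sector at a time, so the partition is never loaded into memory as a whole."""

    def __init__(self, partition: RawPartition, card: SimulatedEncryptionCard):
        self.partition = partition
        self.card = card

    def read(self, offset: int, length: int) -> bytes:
        first, last = offset // SECTOR, (offset + length - 1) // SECTOR
        plain = b"".join(self.card.decrypt_sector(n, self.partition.read_sector(n))
                         for n in range(first, last + 1))
        start = offset - first * SECTOR
        return plain[start:start + length]

    def write(self, offset: int, plaintext: bytes) -> None:
        first, last = offset // SECTOR, (offset + len(plaintext) - 1) // SECTOR
        # Read-modify-write: decrypt the touched sectors, splice in the new
        # plaintext, then re-encrypt and store each sector.
        buf = bytearray(self.read(first * SECTOR, (last - first + 1) * SECTOR))
        start = offset - first * SECTOR
        buf[start:start + len(plaintext)] = plaintext
        for i, n in enumerate(range(first, last + 1)):
            chunk = bytes(buf[i * SECTOR:(i + 1) * SECTOR])
            self.partition.write_sector(n, self.card.encrypt_sector(n, chunk))


def install_system(card: SimulatedEncryptionCard, sectors: int = 64) -> RawPartition:
    """Installation (S210-S240): the volume device is created over the fresh
    partition and the install files are written through it (driver 2 path), so
    the partition holds ciphertext from the first byte."""
    partition = RawPartition(sectors)
    volume = EncryptionVolume(partition, card)
    volume.write(0, KERNEL_IMAGE)
    volume.write(INITRD_OFFSET, INITRD_IMAGE)
    return partition


def bootloader_load(partition: RawPartition, card: SimulatedEncryptionCard):
    """Bootloader stage (S410-S430): the images are decrypted sector by sector
    while being read through the driver 1 layer. Returns (kernel, initrd)."""
    volume = EncryptionVolume(partition, card)
    return volume.read(0, len(KERNEL_IMAGE)), volume.read(INITRD_OFFSET, len(INITRD_IMAGE))


def stored_in_clear(partition: RawPartition, fragment: bytes) -> bool:
    """True if the fragment appears as plaintext in the raw partition bytes."""
    return fragment in bytes(partition.data)


if __name__ == "__main__":
    card = SimulatedEncryptionCard(KEY)
    part = install_system(card)
    print("kernel visible in raw partition:", stored_in_clear(part, KERNEL_IMAGE[:40]))
    kernel, initrd = bootloader_load(part, card)
    print("bootloader recovered images:", kernel == KERNEL_IMAGE and initrd == INITRD_IMAGE)
    # Driver 1 and driver 2 disagreeing (modelled as a different card key) yields garbage.
    kernel2, _ = bootloader_load(part, SimulatedEncryptionCard(b"other-key"))
    print("mismatched driver recovers kernel:", kernel2 == KERNEL_IMAGE)
```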
In summary, the embodiments of the present application have the following effects:
1. The first driver is designed on the basis of the bootloader framework, giving the bootloader stage the capability to call the hardware encryption card to encrypt and decrypt data. Key software in the boot partition such as the operating system kernel image and the temporary root file system image, together with the configuration data, can therefore exist in ciphertext form, and data that may change during the start process is guaranteed to be stored on disk in ciphertext form. Compared with schemes that only store and verify hash values, this greatly improves the security of the data and the system.
2. An encryption and decryption layer is introduced into the bootloader, and this layer encrypts and decrypts data in real time when the bootloader reads from or writes to the disk boot partition. The whole boot partition therefore does not need to be read into memory before being encrypted or decrypted, which greatly reduces memory occupation and processing overhead. In addition, handling this in the bootloader stage reduces the constraints on boot firmware and disk partition formats; the traditional BIOS boot mode and the UEFI boot mode are both well supported on MBR and GPT partition formats.
3. A disk encryption and decryption engine is introduced in the initrd stage of operating system start, and encryption volume devices are created for the disk boot partition and the disk root partition respectively. Through the layered design of file system, encryption volume device and underlying disk, the driver 2 software and the driver 1 software of the hardware encryption card are kept consistent in their encryption and decryption logic or algorithm, which ensures that the system starts normally from disk ciphertext data and that data generated in real time during operation is stored encrypted.
4. When the operating system is installed, the encryption volume devices are created for the disk partitions right after the partitions are established, the file systems are then formatted on top of the encryption volume devices, and the subsequent system installation proceeds. Data is thus encrypted in real time during the installation process without the need to encrypt or decrypt whole partitions afterwards; the changes to the overall installation process are small and the impact on installation efficiency is low.
Example 2:
The encryption mode for the root partition in this embodiment of the application can be designed on the basis of the LUKS framework: the boot partition still uses the scheme of Embodiment 1, while the root partition encryption is realized by adapting LUKS (Linux Unified Key Setup) to support the hardware encryption card algorithm. This embodiment introduces an additional LUKS header format and requires adapting the workflow and toolset where they cannot be used directly.
Example 3:
In this embodiment of the application, the initrd stage of operating system start is used only to mount the root partition; after the operating system has switched to the real root file system, the boot partition is mounted in the form of a service by adding a systemd service. The related processes are not described in detail herein.
From the description of the above embodiments, it will be clear to a person skilled in the art that the method according to the above embodiments may be implemented by means of software plus the necessary general hardware platform, but of course also by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising several instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method of the various embodiments of the present invention.
The embodiment also provides a data encryption and decryption device based on a hardware encryption card, which is used for implementing the above embodiment and the preferred implementation manner, and is not described in detail. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
The data encryption and decryption device based on the hardware encryption card in the embodiment of the invention comprises:
The encryption module is used for creating a boot partition and a root partition in an installation disk in the installation process of the operating system of the electronic equipment, and encrypting data of the boot partition and the root partition through a hardware encryption card, wherein after the operating system is installed, the data of the boot partition and the root partition are ciphertext data;
The operating system kernel running module is used for inquiring and loading bootloader programs through firmware in the starting process of the operating system, obtaining an operating system kernel image and a temporary root file system image through the bootloader programs, loading the operating system kernel image into a memory and running the operating system kernel image so as to run the operating system kernel in the memory;
And the decryption module is used for decrypting the ciphertext data of the boot partition and the root partition through the hardware encryption card after the kernel of the operating system runs.
It should be noted that each of the above modules may be implemented by software or hardware, and for the latter, it may be implemented by, but not limited to: the modules are all located in the same processor; or the above modules may be located in different processors in any combination.
Embodiments of the present invention also provide a computer readable storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the method embodiments described above when run.
In one exemplary embodiment, the computer readable storage medium may include, but is not limited to: a USB disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other media capable of storing a computer program.
The embodiment of the invention also provides an electronic device, comprising:
the data encryption and decryption device based on the hardware encryption card;
a memory configured to store instructions; and
a processor configured to call the instructions from the memory and, when executing them, implement the data encryption and decryption method based on the hardware encryption card.
In an exemplary embodiment, the electronic device may further include a transmission device connected to the processor, and an input/output device connected to the processor.
Specific examples in this embodiment may refer to the examples described in the foregoing embodiments and the exemplary implementation, and this embodiment is not described herein.
It will be appreciated by those skilled in the art that the modules or steps of the invention described above may be implemented in a general purpose computing device, they may be concentrated on a single computing device, or distributed across a network of computing devices, they may be implemented in program code executable by computing devices, so that they may be stored in a storage device for execution by computing devices, and in some cases, the steps shown or described may be performed in a different order than that shown or described herein, or they may be separately fabricated into individual integrated circuit modules, or multiple modules or steps of them may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only of the preferred embodiments of the present invention and is not intended to limit the present invention, but various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. The data encryption and decryption method based on the hardware encryption card is characterized by being applied to electronic equipment, wherein the electronic equipment comprises an installation disk and a memory, and firmware is stored in the memory, and the method comprises the following steps:
creating a boot partition and a root partition in the installation disk in the installation process of the operating system of the electronic equipment;
encrypting the data of the boot partition and the root partition by a hardware encryption card, wherein the data of the boot partition and the root partition are ciphertext data after the installation of the operating system is completed;
Inquiring and loading a bootloader program through the firmware in the starting process of the operating system, and calling the hardware encryption card through the bootloader program to read and decrypt from the boot partition to obtain an operating system kernel image and a temporary root file system image;
Loading and running the operating system kernel image to the memory to run the operating system kernel in the memory;
After the kernel of the operating system runs, the ciphertext data of the boot partition and the root partition are decrypted through the hardware encryption card.
2. The method of claim 1, wherein encrypting the boot partition and the root partition data with a hardware encryption card comprises:
Installing a second driver and a dm-crypt kernel module in the operating system, wherein the dm-crypt kernel module is used for calling the hardware encryption card to encrypt data of the boot partition and the root partition;
Creating root partition encryption volume equipment in the root partition, and creating boot partition encryption volume equipment in the boot partition;
Formatting the root partition encryption volume equipment to obtain a root partition file system, and formatting the boot partition encryption volume equipment to obtain a boot partition file system;
and calling the hardware encryption card through the second driver to encrypt the data written into the boot partition file system from the boot partition, and encrypting the data written into the root partition file system from the root partition.
3. The method of claim 2, wherein the invoking the hardware encryption card by the second driver encrypts data written to the boot partition file system from the boot partition and encrypts data written to the root partition file system from the root partition, comprising:
Writing all file directories of the root partition into the root partition file system, and writing all file directories of the boot partition into the boot partition file system, wherein the file directories of the root partition pass through the root partition encryption volume device while being written into the root partition file system, and the file directories of the boot partition pass through the boot partition encryption volume device while being written into the boot partition file system;
Calling the hardware encryption card by the second driver to encrypt all file directories of the root partition as they pass through the root partition encryption volume device;
and calling the hardware encryption card by the second driver to encrypt all file directories of the boot partition as they pass through the boot partition encryption volume device.
4. The method of claim 1, wherein the obtaining, by the bootloader program, the operating system kernel image and the temporary root file system image includes:
Loading a first driver through the bootloader program, and querying for the boot partition;
Mounting the boot partition as a boot partition file system through the bootloader program, and reading the ciphertext data of the operating system kernel image and the ciphertext data of the temporary root file system image from the boot partition file system;
and calling the first driver to decrypt the ciphertext data of the operating system kernel image to obtain the operating system kernel image, and to decrypt the ciphertext data of the temporary root file system image to obtain the temporary root file system image.
5. The method of claim 1, further comprising, after the operating system kernel image and temporary root file system image are obtained by the bootloader program:
loading the temporary root file system image into memory and mounting it as a memory file system type, so that the operating system accesses and uses the systemd programs in the temporary root file system image through that memory file system to start programs and/or components of the operating system.
6. The method of claim 1, wherein the decrypting, by the hardware encryption card, the ciphertext data of the boot partition and the root partition comprises:
installing a second driver and a dm-crypt kernel module in the operating system, wherein the dm-crypt kernel module is used for calling the hardware encryption card to decrypt ciphertext data of the boot partition and the root partition;
Creating a root partition encryption volume device in the root partition, and creating a boot partition encryption volume device in the boot partition;
Mounting the root partition encryption volume device as a root partition file system, so that the operating system accesses and uses the systemd programs in the root partition file system to start programs and/or components of the operating system;
Reading the ciphertext data of the root partition, and calling the second driver to decrypt the ciphertext data of the root partition through the root partition encryption volume device;
and mounting the boot partition encryption volume device as a boot partition file system, reading the ciphertext data of the boot partition, and calling the second driver to decrypt the ciphertext data of the boot partition through the boot partition encryption volume device.
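As an added illustration of the volume setup in claims 2 and 6 (example code, not the patent's or any vendor's): dm-crypt takes its cipher from the kernel crypto API, which hands it whichever driver registered that cipher with the highest priority, so the practical check that the hardware card is really in the data path is to read /proc/crypto before creating the volumes. The driver names `hwcard-xts-aes`/`hwcard` and the cryptsetup-based setup are assumptions standing in for the patent's own second driver.

```shell
# Added example, not the patent's own code. Assumes a stock Linux dm-crypt/cryptsetup stack;
# "hwcard-xts-aes" / "hwcard" are hypothetical names standing in for the card's driver.
# Read /proc/crypto-format text on stdin and print the highest-priority driver for the requested
# algorithm: dm-crypt's cipher comes from the kernel crypto API, which selects exactly that driver,
# so an unexpected winner means a software fallback, not the card, is encrypting the volumes.
best_driver() {
    awk -v want="$1" '
        BEGIN { FS = " *: *"; best = -1; bestdrv = "" }
        $1 == "name"     { name = $2 }
        $1 == "driver"   { drv = $2 }
        $1 == "priority" { prio = $2 + 0 }
        /^$/ { if (name == want && prio > best) { best = prio; bestdrv = drv }
               name = ""; drv = ""; prio = 0 }
        END  { if (name == want && prio > best) { bestdrv = drv }
               print bestdrv }'
}
hw_serves_cipher() {   # succeeds when the driver selected for algorithm $2 starts with prefix $1
    case "$(best_driver "$2")" in "$1"*) return 0 ;; *) return 1 ;; esac
}

# Constructed /proc/crypto excerpt: AES-NI XTS at priority 401, the hypothetical card driver
# at 1000, and an unrelated CBC entry that must be ignored when asking for xts(aes).
sample_proc_crypto() {
    cat <<'EOF'
name         : xts(aes)
driver       : xts-aes-aesni
priority     : 401

name         : xts(aes)
driver       : hwcard-xts-aes
priority     : 1000

name         : cbc(aes)
driver       : cbc-aes-aesni
priority     : 400
EOF
}

# Claim 2 / claim 6 volume setup with standard tools (root required): a dm-crypt mapping on
# the partition, then a file system on the mapping, so every write crosses the cipher first.
create_encrypted_volume() {   # $1 = partition, e.g. /dev/sda2; $2 = mapping name
    cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 512 "$1"
    cryptsetup open "$1" "$2"
    mkfs.ext4 "/dev/mapper/$2"
}
if [ "${1:-}" = "--apply" ]; then   # live run: confirm the card is selected, then build
    hw_serves_cipher hwcard 'xts(aes)' < /proc/crypto || { echo "card driver not selected" >&2; exit 1; }
    create_encrypted_volume "${2:?partition}" "${3:?mapping}"
else
    sample_proc_crypto | best_driver 'xts(aes)'   # prints hwcard-xts-aes for the sample
fi
```

Run without arguments it only evaluates the constructed sample; with `--apply <partition> <name>` it refuses to format the volume unless the card's driver is the one the kernel will actually use.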
7. The method of claim 1, wherein the bootloader program includes an encryption and decryption module, and the encryption and decryption module is configured to drive the hardware encryption card to encrypt and decrypt data of the boot partition.
8. A data encryption and decryption device based on a hardware encryption card, comprising:
The encryption module is used for creating a boot partition and a root partition in an installation disk during installation of an operating system of the electronic device, and encrypting the data of the boot partition and the root partition through a hardware encryption card, wherein after the operating system is installed, the data of the boot partition and the root partition are ciphertext data;
The operating system kernel running module is used for querying and loading a bootloader program through firmware during startup of the operating system, obtaining an operating system kernel image and a temporary root file system image through the bootloader program, and loading the operating system kernel image into memory and running it, so that the operating system kernel runs in memory;
and the decryption module is used for decrypting the ciphertext data of the boot partition and the root partition through the hardware encryption card after the kernel of the operating system runs.
9. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a computer program, wherein the computer program is arranged to execute the method of any of the claims 1 to 7 when run.
10. An electronic device, comprising:
the device according to claim 8;
a memory configured to store instructions; and
a processor configured to invoke the instructions from the memory and, when executing them, to carry out the hardware encryption card based data encryption and decryption method according to any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410598023.0A CN118568743A (en) | 2024-05-14 | 2024-05-14 | Data encryption and decryption method, device, medium and equipment based on hardware encryption card |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410598023.0A CN118568743A (en) | 2024-05-14 | 2024-05-14 | Data encryption and decryption method, device, medium and equipment based on hardware encryption card |
Publications (1)
Publication Number | Publication Date |
---|---|
CN118568743A true CN118568743A (en) | 2024-08-30 |
Family
ID=92475490
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410598023.0A Pending CN118568743A (en) | 2024-05-14 | 2024-05-14 | Data encryption and decryption method, device, medium and equipment based on hardware encryption card |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118568743A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||