CN208210006U - High-security trusted server based on a domestic TPM - Google Patents
- Publication number: CN208210006U (application CN201820896248.4U)
- Authority
- CN
- China
- Prior art keywords
- tpm
- module
- bmc
- domestic
- high safety
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Landscapes
- Storage Device Security (AREA)
Abstract
The utility model discloses a high-security trusted server based on a domestic TPM, relating to domestic Phytium (飞腾) computers, data encryption/decryption and identity authentication. A TPM module serves as the root of trust of the whole device and is supported by a trusted software stack. The TPM module performs integrity measurement of the BIOS and kernel of the server computing module and of the firmware and kernel of the BMC module; it also monitors the remote operations of the BMC module in real time and judges remote power-on/off commands that seriously affect the device state. The utility model is built on a trusted platform, supported by cryptographic technology and centred on a secure operating system, and guarantees computer information security at the architectural level. It effectively protects the security of local data and the confidentiality, integrity and validity of transmitted information, and also provides a secure and complete key-management mechanism.
Description
Technical field
The utility model relates to domestic Phytium (飞腾) computers, data encryption/decryption and identity authentication, and specifically to a high-security trusted server based on a domestic TPM.
Background technique
With the continuous development of information technology, the importance of information security is self-evident. Researchers have also recognised that many security problems of computer systems and networks originate in the terminal itself, so these problems can only be resolved fundamentally by securing the information of the computer itself. This requires engineers to make breakthroughs at the level of integrated circuits, computer architecture and operating systems, and trusted computing arose in this context.
For the common microcomputer, security can only be improved effectively by taking comprehensive measures from the hardware (chip, mainboard, BIOS) up through the low-level software (operating system). This idea drove the rapid development of trusted computing. The root of trust and the chain of trust are the key technologies of a trusted computing platform. A trusted computer system consists of a root of trust, a trusted hardware platform, a trusted operating system and trusted applications. The chain of trust is built by first establishing a root of trust and then extending from the root of trust to the hardware platform, to the operating system and then to the applications, each level authenticating the next and each level trusting the next, so that trust is extended to the entire computer system. The trustworthiness of the root of trust itself is guaranteed by physical security and administrative security.
In view of the demand for trustworthy computer security and the development of the related trusted computing technologies, the research and development of a high-security, autonomously controllable server with a TPM as its root of trust is imperative.
Summary of the invention
The utility model addresses the demands and shortcomings of current technology by providing a high-security trusted server based on a domestic TPM.
The technical solution adopted by the high-security trusted server based on a domestic TPM described in the utility model to solve the above technical problem is as follows: the high-security trusted server based on a domestic TPM comprises a server computing module, a TPM module, a BMC module and a redundant power supply module;
the server computing module serves as the trusted platform and comprises a CPU, a bridge chip, memory, a network module and a storage module;
the TPM module comprises a domestic TCM, SRAM and NOR flash. The TPM module is the root of trust of the high-security trusted server and is supported by a trusted software stack; it performs integrity measurement of the BIOS and kernel of the server computing module and of the firmware and kernel of the BMC module. The TPM module monitors the remote operations of the BMC module in real time and judges remote power-on/off commands that seriously affect the device state;
with the TPM module as the root of trust of the whole device and the trusted software stack as support, the BIOS, kernel, operating system and application software are measured and authenticated level by level from the bottom up, each level trusting the next, so that the trust relationship is extended to the entire server system.
Specifically, the TPM module and the BMC module are powered from the standby rail, so the high-security trusted server can work as soon as it is connected to 220 V AC mains.
Specifically, a bidirectional buffer is arranged in the server computing module; the TCM is interconnected with the CPU via a PCIe x4 link, the CPU and the TCM are interconnected with the bidirectional buffer via the SPI bus, and the bidirectional buffer is interconnected with the BIOS via the SPI bus.
Specifically, when a local user powers on, user identity authentication is performed with a smart card combined with a password, and the machine powers on only if authentication succeeds. After power-on, the TPM performs active measurement of the BIOS and kernel integrity via the SPI bus and a bus switch.
Specifically, after the system has booted, the TCM is interconnected with the CPU via the PCIe x4 link, and applications running under the operating system use it for a series of local services such as key generation, key import and data encryption/decryption.
Specifically, a bidirectional buffer is arranged in the BMC module; the TCM is interconnected with the BMC via I2C, the TCM and the BMC are interconnected with the bidirectional buffer via the SPI bus, and the bidirectional buffer is interconnected with the BMC firmware via the SPI bus.
Specifically, when a local user powers on, user identity authentication is performed with a smart card combined with a password, and the machine powers on only if authentication succeeds. The TPM module performs integrity measurement of the BMC firmware; if verification succeeds it releases the BMC reset signal so that the BMC can read the BMC firmware and start normally. If verification fails, the TPM module reflashes the firmware from the backup BMC firmware held in NOR flash, after which the BMC starts normally.
Specifically, the SRAM and NOR flash of the TPM module are interconnected with the TCM; the TCM is interconnected with the BMC via I2C; the BMC is interconnected with the network PHY of the network module, and the network PHY is interconnected with the management network port. The BMC is connected to the CPU through a CPLD, through which it sends the power-on and reboot signals.
After the high-security trusted server has booted and is operating normally, the TCM, interconnected with the CPU via the PCIe x4 link, provides local and remote data encryption/decryption services; the CPU is interconnected with the network chip of the network module, and the network chip is interconnected with the RJ45 network port through an analog switch.
Specifically, a root certificate is stored in the TPM module. When a remote user performs a power-on/off operation, the TPM module verifies the legitimate identity of the remote user, and the command is executed only if verification succeeds. After the system has booted, the TPM module is invoked through the PCIe driver, and the TCM sends the signal EN_CTRL to the analog switch, controlling the analog switch to connect or disconnect the network.
Specifically, the smart card is an ISO 7816 smart card.
Compared with the prior art, the high-security trusted server based on a domestic TPM described in the utility model has the following beneficial effects: it is based on a trusted platform, supported by cryptographic technology and centred on a secure operating system, and guarantees computer information security at the architectural level.
It has the following features: 1) integrity measurement of all system resources by the onboard TCM; 2) user identity authentication combining a smart card and a password; 3) data encryption/decryption; 4) digital signature and verification; 5) controllable disconnection of the network.
It provides high security and reliability from the hardware bottom layer up to the upper-layer applications, effectively guarantees the security of local data and the confidentiality, integrity and validity of transmitted information, and also provides a secure and complete key-management mechanism.
Detailed description of the invention
To explain the embodiments of the utility model or the technical content of the prior art more clearly, the drawings required for the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below correspond only to some of the embodiments of the utility model; those skilled in the art may obtain other drawings from these drawings without creative effort, and those also fall within the protection scope of the utility model.
Figure 1 is a schematic block diagram of the TPM module performing integrity measurement of the BIOS and the BMC firmware.
Figure 2 is an architecture diagram of BMC remote login and network control.
Specific embodiment
To make the technical solution of the utility model, the technical problem it solves and its technical effects more clearly understood, the technical solution of the utility model is described clearly and completely below with reference to specific embodiments. Obviously, the described embodiments are only some of the embodiments of the utility model, not all of them. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the utility model without creative work fall within the protection scope of the utility model.
Embodiment 1:
This embodiment proposes a high-security trusted server based on a domestic TPM, comprising a server computing module, a TPM module, a BMC module and a redundant power supply module;
the server computing module serves as the trusted platform and comprises a CPU, a bridge chip, memory, a network module and a storage module;
the TPM module comprises a domestic TCM, SRAM and NOR flash. The TPM module is the root of trust of the high-security trusted server and is supported by a trusted software stack; it performs integrity measurement of the BIOS and kernel of the server computing module and of the firmware and kernel of the BMC module. The TPM module monitors the remote operations of the BMC module in real time and judges remote power-on/off commands that seriously affect the device state.
Here, a TPM (Trusted Platform Module), i.e. a TPM security chip, is a security chip that conforms to the TPM standard; it can effectively protect a PC and prevent access by unauthorised users. A TCM (Trusted Cryptography Module) is the hardware module of a trusted computing platform that provides cryptographic operations for the platform and has shielded storage space. SRAM (Static Random-Access Memory) retains the data stored in it as long as power is maintained; it needs no refresh circuit to preserve its contents and offers high performance. NOR flash is a non-volatile flash memory technology.
The TPM module and the BMC module are powered from the standby rail; the high-security trusted server only needs to be connected to 220 V AC mains to work.
The high-security trusted server based on a domestic TPM of this embodiment is built on a trusted platform module, supported by cryptographic technology and centred on a secure operating system, and guarantees computer information security at the architectural level. With the TPM as the root of trust of the whole device and the trusted software stack as support, this embodiment measures and authenticates the BIOS, kernel, operating system and application software level by level from the bottom up, each level trusting the next, so that the trust relationship extends to the entire server system. Its functions are complete: active measurement of the BIOS, active measurement of the BMC firmware, KVM over IP and support for the trusted software stack, giving it broad potential for system applications.
Embodiment 2:
The high-security trusted server based on a domestic TPM proposed in this embodiment is another specific embodiment of the utility model. On the basis of the high-security trusted server based on a domestic TPM of Embodiment 1, it provides the specific implementation of the TPM module's integrity measurement of the BIOS and the BMC firmware, further improving the feasibility and practicability of the technical solution.
Figure 1 is a schematic block diagram of the TPM module performing integrity measurement of the BIOS and the BMC firmware. As shown in Figure 1, a bidirectional buffer is arranged in the server computing module; the TCM of the TPM module is interconnected with the CPU via a PCIe x4 link, the CPU and the TCM are interconnected with the bidirectional buffer via the SPI (Serial Peripheral Interface) bus, and the bidirectional buffer is interconnected with the BIOS via the SPI bus.
When a local user powers on, user identity authentication is performed with a smart card (an ISO 7816 smart card may be used) combined with a password, and the machine powers on only if authentication succeeds. After power-on, the TPM performs active measurement of the BIOS and kernel integrity via the SPI bus and a bus switch. After the system has booted, the TCM is interconnected with the CPU via the PCIe x4 link, and applications running under the operating system use it for a series of local services such as key generation, key import and data encryption/decryption.
As also shown in Figure 1, a bidirectional buffer is arranged in the BMC module; the TCM of the TPM module is interconnected with the BMC via I2C, the TCM and the BMC are interconnected with the bidirectional buffer via the SPI bus, and the bidirectional buffer is interconnected with the BMC firmware via the SPI bus.
When a local user powers on, user identity authentication is performed with a smart card combined with a password, and the machine powers on only if authentication succeeds. The TPM module performs integrity measurement of the BMC firmware; if verification succeeds it releases the BMC reset signal so that the BMC can read the BMC firmware and start normally. If verification fails, the TPM module reflashes the firmware from the backup BMC firmware held in NOR flash, after which the BMC starts normally.
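The two mechanisms described in this embodiment and in the summary (the level-by-level measurement chain from BIOS to kernel to operating system to applications, and the BMC firmware gate that holds the BMC in reset until its firmware verifies, reflashing from the NOR flash backup when it does not) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the patent or from any product implementing it. It assumes SHA-256 as the hash (a real TCM would normally use SM3), an in-memory byte string standing in for each SPI-attached flash, a PCR-style extend register of the author's own layout, and a golden digest provisioned at manufacture; all of these are assumptions. It goes slightly beyond the text by also showing how a verifier replays the event log to recover the final register value, which is what makes the measurement chain auditable.

```python
"""Model of the TPM-side measured boot and BMC firmware gate (added example).
Constructed byte strings stand in for the SPI-attached BIOS/BMC flash and for
the backup copy in the TPM module's NOR flash.  Hash choice, register layout
and reference digests are assumptions, not taken from the patent."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field

HASH = hashlib.sha256            # assumption: the TCM would normally use SM3
DIGEST_LEN = HASH().digest_size


# --- measurement chain: PCR-style extend, new = H(old || H(image)) ----------
@dataclass
class MeasurementLog:
    register: bytes = b"\x00" * DIGEST_LEN
    events: list = field(default_factory=list)   # (label, hex digest) per stage

    def extend(self, label: str, image: bytes) -> bytes:
        measured = HASH(image).digest()
        self.register = HASH(self.register + measured).digest()
        self.events.append((label, measured.hex()))
        return self.register


def measure_chain(stages: list[tuple[str, bytes]]) -> MeasurementLog:
    """Measure each stage in boot order (BIOS -> kernel -> OS -> app).
    Order matters: swapping two stages yields a different final register."""
    log = MeasurementLog()
    for label, image in stages:
        log.extend(label, image)
    return log


def replay_register(events: list[tuple[str, str]]) -> bytes:
    """Recompute the register from the event log, as a remote verifier would."""
    reg = b"\x00" * DIGEST_LEN
    for _, hexdigest in events:
        reg = HASH(reg + bytes.fromhex(hexdigest)).digest()
    return reg


# --- BMC firmware gate: verify before releasing reset, reflash from backup ---
@dataclass
class Flash:                     # stands in for the SPI-attached BMC firmware flash
    content: bytes


def verify_image(image: bytes, reference: bytes) -> bool:
    return HASH(image).digest() == reference


def gate_bmc_reset(bmc_flash: Flash, backup: bytes, reference: bytes) -> dict:
    """Decisions the TPM makes before the BMC may leave reset."""
    if verify_image(bmc_flash.content, reference):
        return {"release_reset": True, "reflashed": False}
    # Verification failed: rewrite the BMC flash from the NOR backup, but check
    # the backup first; a corrupt backup must not be trusted either.
    if not verify_image(backup, reference):
        return {"release_reset": False, "reflashed": False}
    bmc_flash.content = backup
    return {"release_reset": verify_image(bmc_flash.content, reference),
            "reflashed": True}


# --- constructed demo data (not real firmware) -------------------------------
GOOD_BMC_FW = b"BMC-FW v1.0 (constructed stand-in image)"
BMC_REFERENCE = HASH(GOOD_BMC_FW).digest()   # golden digest provisioned at manufacture


def demo():
    chain = measure_chain([("BIOS", b"bios-image"), ("kernel", b"kernel-image"),
                           ("OS", b"os-image"), ("app", b"app-image")])
    tampered = Flash(GOOD_BMC_FW + b"\x90")  # one appended byte breaks verification
    result = gate_bmc_reset(tampered, GOOD_BMC_FW, BMC_REFERENCE)
    return chain, result


if __name__ == "__main__":
    chain, result = demo()
    print("final register:", chain.register.hex())
    print("BMC gate:", result)
```

The point a practitioner should take from the gate is the third branch: the patent text describes reflashing from backup and then starting normally, and a sound implementation re-verifies the backup before and after writing it rather than assuming the backup copy is intact.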
Figure 2 is an architecture diagram of BMC remote login and network control. As shown in Figure 2, the SRAM and NOR flash of the TPM module are interconnected with the TCM; the TCM is interconnected with the BMC via I2C; the BMC is interconnected with the network PHY of the network module, and the network PHY is interconnected with the management network port. The BMC is connected to the CPU through a CPLD, through which it sends the power-on and reboot signals.
After the high-security trusted server has booted and is operating normally, the TCM, interconnected with the CPU via the PCIe x4 link, provides local and remote data encryption/decryption services; the CPU is interconnected with the network chip of the network module, and the network chip is interconnected with the RJ45 network port through an analog switch.
The BMC module has a remote power-on/off function, and a root certificate is stored in the TPM module. When a remote user performs a power-on/off operation, the TPM module verifies the legitimate identity of the remote user, and the command is executed only if verification succeeds. After the system has booted, the TPM module is invoked through the PCIe driver, and the TCM sends the signal EN_CTRL to the analog switch, controlling the analog switch to connect or disconnect the network.
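The monitoring policy described above (the TPM judges which remote BMC operations seriously affect the device state, authenticates the requester before those are executed, and drives EN_CTRL to the analog switch) can be modelled as a small decision routine. The following is an added example written for this page, not code from the patent or from any product implementing it. The patent verifies the remote user against a root certificate held in the TPM; this model substitutes an HMAC over the command with a pre-shared key, because a certificate chain would need an asymmetric-crypto library, and that substitution, together with the command names, the message layout and the EN_CTRL encoding, is an assumption. It adds one element the text does not spell out, a monotonic counter, because a command that is authentic but replayed (an old "power_off") would otherwise pass the identity check.

```python
"""Model of the TPM-side judgement of BMC remote operations (added example).
HMAC with a pre-shared key stands in for the root-certificate identity check
of the patent; command names and message framing are assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Commands that "seriously affect the device state": the requester's identity
# must be verified before the BMC is allowed to act on them.
STATE_AFFECTING = {"power_on", "power_off", "reboot", "net_disconnect", "net_connect"}
HARMLESS = {"get_status", "get_sensors"}


@dataclass
class RemoteOpMonitor:
    key: bytes                    # assumption: stands in for the root certificate
    last_counter: int = -1        # replay protection: counters must strictly increase
    en_ctrl: int = 1              # 1 = analog switch closed (network connected), 0 = opened
    audit: list = field(default_factory=list)

    @staticmethod
    def _mac(key: bytes, body: bytes) -> bytes:
        return hmac.new(key, body, hashlib.sha256).digest()

    @staticmethod
    def build(key: bytes, command: str, counter: int) -> bytes:
        """Remote-user side: serialise the command and append the authenticator."""
        body = json.dumps({"cmd": command, "ctr": counter}, sort_keys=True).encode()
        return body + b"." + RemoteOpMonitor._mac(key, body).hex().encode()

    def judge(self, message: bytes) -> dict:
        """TPM side: decide whether the BMC may execute the command."""
        body, _, tag_hex = message.rpartition(b".")
        try:
            req = json.loads(body)
            cmd, ctr = req["cmd"], int(req["ctr"])
        except (ValueError, KeyError, TypeError):
            return self._deny("malformed")
        if cmd in HARMLESS:
            return self._allow(cmd, ctr)                 # read-only, no identity check
        if cmd not in STATE_AFFECTING:
            return self._deny("unknown command")
        expected = self._mac(self.key, body).hex().encode()
        if not hmac.compare_digest(expected, tag_hex):   # constant-time comparison
            return self._deny(f"bad authenticator for {cmd}")
        if ctr <= self.last_counter:
            return self._deny(f"replayed {cmd} (ctr={ctr})")
        self.last_counter = ctr
        if cmd == "net_disconnect":
            self.en_ctrl = 0                             # drive EN_CTRL low: open the switch
        elif cmd == "net_connect":
            self.en_ctrl = 1
        return self._allow(cmd, ctr)

    def _allow(self, cmd, ctr):
        self.audit.append(("allow", cmd, ctr))
        return {"execute": True, "cmd": cmd, "en_ctrl": self.en_ctrl}

    def _deny(self, reason):
        self.audit.append(("deny", reason))
        return {"execute": False, "reason": reason, "en_ctrl": self.en_ctrl}


# Constructed demo: a legitimate reboot, a forged power_off, a replayed reboot.
DEMO_KEY = b"constructed-demo-key"


def demo():
    tpm = RemoteOpMonitor(DEMO_KEY)
    ok = tpm.judge(RemoteOpMonitor.build(DEMO_KEY, "reboot", 1))
    forged = tpm.judge(RemoteOpMonitor.build(b"wrong-key", "power_off", 2))
    replay = tpm.judge(RemoteOpMonitor.build(DEMO_KEY, "reboot", 1))
    return ok, forged, replay


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Every decision is also appended to an audit list; on the real device that record is what lets an operator reconstruct who tried to power the server off and when, which the real-time monitoring in the text is meant to enable.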
The principles and embodiments of the utility model have been explained above using specific examples. These embodiments are only intended to help understand the core technical content of the utility model and are not intended to limit its protection scope; the technical solution of the utility model is not limited to the specific embodiments described above. Any improvement or modification made to the utility model by those skilled in the art on the basis of the above specific embodiments, without departing from its principles, falls within the scope of patent protection of the utility model.
Claims (10)
1. A high-security trusted server based on a domestic TPM, characterised in that it comprises a server computing module, a TPM module, a BMC module and a redundant power supply module;
the server computing module serves as the trusted platform and comprises a CPU, a bridge chip, memory, a network module and a storage module;
the TPM module comprises a domestic TCM, SRAM and NOR flash; the TPM module is the root of trust of the high-security trusted server and is supported by a trusted software stack; it performs integrity measurement of the BIOS and kernel of the server computing module and of the firmware and kernel of the BMC module; the TPM module monitors the remote operations of the BMC module in real time and judges remote power-on/off commands that seriously affect the device state;
with the TPM module as the root of trust of the whole device and the trusted software stack as support, the BIOS, kernel, operating system and application software are measured and authenticated level by level from the bottom up, each level trusting the next, so that the trust relationship is extended to the entire server system.
2. The high-security trusted server based on a domestic TPM according to claim 1, characterised in that the TPM module and the BMC module are powered from the standby rail, and the high-security trusted server can work once connected to 220 V AC mains.
3. The high-security trusted server based on a domestic TPM according to claim 2, characterised in that a bidirectional buffer is arranged in the server computing module; the TCM is interconnected with the CPU via a PCIe x4 link, the CPU and the TCM are interconnected with the bidirectional buffer via the SPI bus, and the bidirectional buffer is interconnected with the BIOS via the SPI bus.
4. The high-security trusted server based on a domestic TPM according to claim 3, characterised in that when a local user powers on, user identity authentication is performed with a smart card combined with a password, and the machine powers on only if authentication succeeds; after power-on, the TPM performs active measurement of the BIOS and kernel integrity via the SPI bus and a bus switch.
5. The high-security trusted server based on a domestic TPM according to claim 4, characterised in that after the system has booted, the TCM is interconnected with the CPU via the PCIe x4 link, and applications running under the operating system use it for a series of local services such as key generation, key import and data encryption/decryption.
6. The high-security trusted server based on a domestic TPM according to claim 4, characterised in that the smart card is an ISO 7816 smart card.
7. The high-security trusted server based on a domestic TPM according to claim 6, characterised in that a bidirectional buffer is arranged in the BMC module; the TCM is interconnected with the BMC via I2C, the TCM and the BMC are interconnected with the bidirectional buffer via the SPI bus, and the bidirectional buffer is interconnected with the BMC firmware via the SPI bus.
8. The high-security trusted server based on a domestic TPM according to claim 7, characterised in that when a local user powers on, user identity authentication is performed with a smart card combined with a password, and the machine powers on only if authentication succeeds; the TPM module performs integrity measurement of the BMC firmware, and if verification succeeds it releases the BMC reset signal so that the BMC can read the BMC firmware and start normally; if verification fails, the TPM module reflashes the firmware from the backup BMC firmware held in NOR flash, after which the BMC starts normally.
9. The high-security trusted server based on a domestic TPM according to claim 8, characterised in that the SRAM and NOR flash of the TPM module are interconnected with the TCM; the TCM is interconnected with the BMC via I2C; the BMC is interconnected with the network PHY of the network module, and the network PHY is interconnected with the management network port; the BMC is connected to the CPU through a CPLD, through which it sends the power-on and reboot signals;
after the high-security trusted server has booted and is operating normally, the TCM, interconnected with the CPU via the PCIe x4 link, provides local and remote data encryption/decryption services; the CPU is interconnected with the network chip of the network module, and the network chip is interconnected with the RJ45 network port through an analog switch.
10. The high-security trusted server based on a domestic TPM according to claim 9, characterised in that a root certificate is stored in the TPM module; when a remote user performs a power-on/off operation, the TPM module verifies the legitimate identity of the remote user, and the command is executed only if verification succeeds; after the system has booted, the TPM module is invoked through the PCIe driver, and the TCM sends the signal EN_CTRL to the analog switch, controlling the analog switch to connect or disconnect the network.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201820896248.4U CN208210006U (en) | 2018-06-11 | 2018-06-11 | A kind of high safety trusted servers based on domestic TPM |
Publications (1)
Publication Number | Publication Date |
---|---|
CN208210006U true CN208210006U (en) | 2018-12-07 |
Family
ID=64496693
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201820896248.4U Active CN208210006U (en) | 2018-06-11 | 2018-06-11 | A kind of high safety trusted servers based on domestic TPM |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN208210006U (en) |
- 2018-06-11: application CN201820896248.4U filed (CN); granted as CN208210006U, status Active
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109992973A (en) * | 2019-04-10 | 2019-07-09 | 北京可信华泰信息技术有限公司 | A kind of starting measure and device using OPROM mechanism |
CN109992973B (en) * | 2019-04-10 | 2021-04-20 | 北京可信华泰信息技术有限公司 | Starting measurement method and device by using OPROM mechanism |
CN110929263A (en) * | 2019-11-21 | 2020-03-27 | 山东超越数控电子股份有限公司 | Remote management method and equipment based on active measurement |
CN110909394A (en) * | 2019-11-24 | 2020-03-24 | 苏州浪潮智能科技有限公司 | Configuration file monitoring method of server |
CN112449143A (en) * | 2021-01-28 | 2021-03-05 | 北京电信易通信息技术股份有限公司 | Implementation method and implementation system of secure video |
CN113591094A (en) * | 2021-07-30 | 2021-11-02 | 超越科技股份有限公司 | SOC verification device and method based on double BIOS platforms and storage medium |
CN113591094B (en) * | 2021-07-30 | 2023-11-14 | 超越科技股份有限公司 | SOC verification device and method based on dual BIOS platform and storage medium |
CN114666103A (en) * | 2022-03-04 | 2022-06-24 | 阿里巴巴(中国)有限公司 | Credible measuring device, equipment and system and credible identity authentication method |
CN114666103B (en) * | 2022-03-04 | 2023-08-15 | 阿里巴巴(中国)有限公司 | Trusted measurement device, equipment, system and trusted identity authentication method |
WO2023165401A1 (en) * | 2022-03-04 | 2023-09-07 | 阿里巴巴(中国)有限公司 | Trusted measurement apparatus, device, system, and trusted identity authentication method |
CN115618366A (en) * | 2022-12-19 | 2023-01-17 | 苏州浪潮智能科技有限公司 | Authentication method and device for server |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN208210006U (en) | High-security trusted server based on a domestic TPM | |
US7200758B2 (en) | Encapsulation of a TCPA trusted platform module functionality within a server management coprocessor subsystem | |
US7900058B2 (en) | Methods and arrangements for remote communications with a trusted platform module | |
CN104160403B (en) | Measuring platform components with a single trusted platform module | |
CN101751534B (en) | Computer with biometric authentication apparatus | |
Parno | Bootstrapping Trust in a "Trusted" Platform | |
CN107506663A (en) | Secure server startup method based on a trusted BMC | |
CN111158906B (en) | Active-immunity trusted cloud system | |
US9652253B2 (en) | Field replaceable unit authentication system | |
CN111052118A (en) | Hardware-implemented firmware security | |
US9596085B2 (en) | Secure battery authentication | |
US20110093693A1 (en) | Binding a cryptographic module to a platform | |
US12105859B2 (en) | Managing storage of secrets in memories of baseboard management controllers | |
TWI779711B (en) | Distributed secure communication system, information handling system and method for providing distributed secure communications | |
CN108629206A (en) | Secure encryption method, encryption device and terminal device | |
CN102024115B (en) | Computer with user security subsystem | |
CN111737698B (en) | Secure trusted card based on heterogeneous computing and secure trusted method | |
CN103984901B (en) | Trusted computer system and its application method | |
CN101582765A (en) | User-bound portable trusted mobile device | |
CN207573453U (en) | Trusted network camera based on domestic commercial cryptographic algorithms | |
Papa et al. | Placement of trust anchors in embedded computer systems | |
CN201845340U (en) | Secure computer with user security subsystem | |
CN104486127A (en) | Redundant trusted server management method based on a trusted management unit | |
CN2914500Y (en) | Portable trusted platform module | |
CN201203867Y (en) | Trusted computing system | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
GR01 | Patent grant | | |