CN211403424U - TCM embedded platform based on Feiteng 2000+ server - Google Patents


Info

Publication number
CN211403424U
Authority
CN
China
Prior art keywords
tcm
feiteng
trusted
server
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202020294614.6U
Other languages
Chinese (zh)
Inventor
付迪
熊涛
徐文
冯建东
陈映泽
雷宇
刘剑
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Tiandi Huiyun Technology Co.,Ltd.
Original Assignee
Guangzhou Chaoyun Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou Chaoyun Technology Co ltd

Landscapes

  • Storage Device Security (AREA)

Abstract

The utility model relates to the field of computers and servers and discloses a TCM embedded platform based on the Feiteng 2000+ server, which comprises a Feiteng 2000+ processor, a CPLD unit module, a trusted cryptography module TCM, a data selector MUX and a trusted BIOS. The trusted cryptography module TCM is connected with the CPLD unit module through an LPC bus, the CPLD unit module is connected with a GPIO port of the Feiteng 2000+ processor, and the Feiteng 2000+ processor and the trusted cryptography module TCM are each connected with the data selector MUX through SPI buses. The utility model uses the trusted cryptography module TCM, independently developed in China, as the root of trust and stores the sensitive data of the Feiteng platform in the TCM. The design is simple and low in cost, and it guarantees a trusted source: it remedies the weakness of earlier Feiteng platforms, whose root of trust sat in the initial portion of the trusted BIOS and could be tampered with, and it provides a complete solution for ensuring the integrity of the Feiteng platform storage server system data and improving the security of data storage.

Description

TCM embedded platform based on Feiteng 2000+ server
Technical Field
The utility model relates to the field of computers and servers, and in particular to a TCM embedded platform based on the Feiteng 2000+ server.
Background
In recent years, as information technology has advanced, countries around the world have stressed the importance of national information security, and in the server industry in particular, research on trusted servers is becoming a popular technical field. Current trusted server research is mainly based on the TPM technology of the foreign TCG, so designing an autonomous trusted server from key hardware on a domestic platform is particularly necessary. In China, the government strongly supports trusted computing research, and the China trusted computing platform alliance has designed a trusted cryptography module (TCM) that is centred on cryptographic algorithms, builds on relatively mature embedded chip technology, and uses cryptographic algorithms and engines developed entirely and independently in China. From the standpoint of national security strategy, independent and autonomous trusted computing specifications and technical systems must be established, and the TCM can also serve as the final line of defence for information security in China. At present, however, the technology for embedding a trusted cryptography module into a domestic platform server in China still has shortcomings. In particular, existing hardware designs have the TCM trusted module occupy a GPIO port of the CPU by itself, while the number of GPIO ports on a Feiteng 2000+ based processor is limited.
The traditional TCM embedded design for the Feiteng 2000+ server is complex and costly, and its utilization of the processor IO ports is low, so the server falls far short of users' performance requirements; this has become a problem that researchers in the field urgently need to solve.
Summary of the Utility Model
An object of the utility model is to provide a TCM embedded platform based on the Feiteng 2000+ server, so as to solve the above problems in the prior art.
To achieve this object, the technical scheme of the utility model is as follows:
A TCM embedded platform based on the Feiteng 2000+ server comprises a Feiteng 2000+ processor, a CPLD unit module, a trusted cryptography module TCM, a data selector MUX and a trusted BIOS; the trusted cryptography module TCM is connected with the CPLD unit module through an LPC bus, and the CPLD unit module is connected with a GPIO port of the Feiteng 2000+ processor; the CPLD unit module is respectively connected with the Feiteng 2000+ processor and the trusted cryptography module TCM through the LPC bus; the Feiteng 2000+ processor and the trusted cryptography module TCM are respectively connected with the data selector MUX through the SPI bus.
The Feiteng 2000+ processor is an ARM processor with an integrated GPIO (general purpose input/output) module, whose GPIO ports let engineers implement specific purposes or functions in the Feiteng 2000+ hardware design. The CPLD unit module serves as a bridge between the trusted cryptography module TCM and the Feiteng processor and is connected to each of them through the LPC bus; this expands the GPIO ports of the Feiteng 2000+ processor, improves their usability, and lets the processor perform better. The trusted BIOS (Basic Input Output System) is a set of programs fixed on a ROM chip on the computer's main board. It stores the computer's most important basic input and output programs, the power-on self-test program and the system self-start program, and it can read and write specific system settings from the CMOS; its main function is to provide the lowest-level, most direct hardware setting and control for the computer. The Feiteng 2000+ processor and the trusted cryptography module TCM are each connected with the data selector MUX through the SPI bus, so that both the Feiteng processor and the TCM chip can exchange data with the trusted BIOS.
Furthermore, a cryptographic algorithm core based on a domestic security algorithm is integrated in the trusted cryptographic module TCM, and the trusted cryptographic module TCM is provided with a TCM calling port.
The TCM chip of the trusted cryptography module TCM uses a security algorithm unique to China. A cryptographic algorithm core based on a domestic security algorithm is integrated inside the trusted cryptography module TCM, and the module is provided with a TCM calling port. It can perform secure data storage, symmetric or asymmetric encryption and decryption, and integrity measurement, and it is the root of trust of the whole Feiteng storage server system.
Furthermore, the trusted BIOS is respectively connected to the Feiteng 2000+ server and the trusted cryptography module TCM through the SPI bus, and after the Feiteng 2000+ server is powered on, the trusted cryptography module TCM performs measurement authentication on the trusted BIOS to ensure that the BIOS is trusted.
After its self-check is finished, the trusted cryptography module TCM then performs measurement authentication on the trusted BIOS. Once the TCM has successfully verified the integrity of the trusted BIOS, it sends a control signal to the Feiteng 2000+ processor through the GPIO port to tell the Feiteng platform to load the trusted BIOS and start, and it hands control of the system to the trusted BIOS. The trust chain is thereby passed from the trusted cryptography module TCM to the trusted BIOS, which overcomes the weakness of earlier Feiteng platforms, whose root of trust for measurement sat in the initial portion of the BIOS and could be tampered with.
Furthermore, the trusted cryptography module TCM comprises a TCM chip, and the TCM chip adopts a national technology model ssx44-b.
The TCM chip is a highly secure controller. It integrates an algorithm core for a domestic independent security algorithm, an asymmetric key program, secure key storage, a unique key identifying each TCM, and so on, and it can calculate a hash value of the trusted BIOS during start-up to serve as the integrity measurement. The TCM chip adopts a national technology model ssx44-b. Through the TCM chip, a trusted subsystem (called a "root of trust") is embedded into the Feiteng 2000+ server, and trust can be extended to the other parts of the whole platform by building a "trust chain" in which each link extends trust to the next.
Further, the CPLD unit module adopts a MAX II CPLD EPM1270F256C5N chip.
The CPLD unit module of the utility model serves as the bridge between the trusted cryptography module TCM and the Feiteng 2000+ processor, and the chip used is the MAX II EPM1270F256C5N. The MAX II CPLD EPM1270F256C5N chip offers instant power-on, non-volatile storage and a high IO count. MAX II devices also integrate a User Flash Memory (UFM) block and enhanced in-system programmability (ISP), which effectively reduces cost and power, and they provide a programmable solution for applications such as bus bridging, IO expansion, sequencing control and device configuration control.
The utility model has the following advantages: it provides a TCM embedded design platform based on the Feiteng 2000+ server whose design is simple and whose cost is lower. While improving the usability of the processor's GPIO ports, it also embeds the trusted cryptography module TCM more effectively and remedies the weakness of earlier Feiteng platforms, whose root of trust sat in the initial portion of the BIOS and could be tampered with, so that users' security and performance requirements for the Feiteng 2000+ server are better met.
Drawings
Fig. 1 is a schematic structural diagram of an embodiment of a Feiteng 2000+ server-based TCM embedded platform.
FIG. 2 is a flowchart illustrating the operation of an exemplary implementation of a Feiteng 2000+ server TCM embedded design.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more clearly understood, the present invention is further described in detail below with reference to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the invention, are given by way of illustration only.
In a first embodiment, a Feiteng 2000+ server-based TCM embedded platform is shown in Fig. 1 and includes a Feiteng 2000+ processor, a CPLD unit module, a trusted cryptography module TCM, a data selector MUX and a trusted BIOS. A cryptographic algorithm core based on a domestic security algorithm is integrated in the trusted cryptography module TCM, and the trusted cryptography module TCM is provided with a TCM calling port. The trusted cryptography module TCM is connected with the CPLD unit module through the LPC bus, and the CPLD unit module is connected with the GPIO port of the Feiteng 2000+ processor. The Feiteng 2000+ processor is an ARM processor with an integrated GPIO (general purpose input/output) module. The CPLD unit module serves as a bridge between the trusted cryptography module TCM and the Feiteng processor and is connected to each of them through the LPC bus; this expands the GPIO ports of the Feiteng 2000+ processor, improves their usability, and lets the processor perform better.
The Feiteng 2000+ processor and the trusted cryptography module TCM are each connected with the data selector MUX through the SPI bus, so that both the Feiteng processor and the TCM chip can exchange data with the trusted BIOS. The TCM chip of the trusted cryptography module TCM uses a security algorithm unique to China. A cryptographic algorithm core based on a domestic security algorithm is integrated inside the trusted cryptography module TCM, and the module is provided with a TCM calling port. It can perform secure data storage, symmetric or asymmetric encryption and decryption, and integrity measurement, and it is the root of trust of the whole Feiteng storage server system.
The trusted BIOS is respectively connected with the Feiteng 2000+ server and the trusted cryptography module TCM through the SPI bus, and after the Feiteng 2000+ server is powered on, the trusted cryptography module TCM can perform measurement authentication on the trusted BIOS so as to ensure that the BIOS is trusted. After its self-check is finished, the trusted cryptography module TCM then performs measurement authentication on the trusted BIOS. Once the TCM has successfully verified the integrity of the trusted BIOS, it sends a control signal to the Feiteng 2000+ processor through the GPIO port to tell the Feiteng platform to load the trusted BIOS and start, and it hands control of the system to the trusted BIOS. The trust chain is thereby passed from the trusted cryptography module TCM to the trusted BIOS, which overcomes the weakness of earlier Feiteng platforms, whose root of trust for measurement sat in the initial portion of the BIOS and could be tampered with.
The trusted cryptography module TCM comprises a TCM chip, and the TCM chip adopts a national technology model ssx44-b. The CPLD unit module adopts a MAX II CPLD EPM1270F256C5N chip.
The Feiteng 2000+ server-based TCM embedded platform further comprises a server mainboard, wherein a TCM chip of ssx44-b type and a MAX II CPLD EPM1270F256C5N chip are arranged on the server mainboard.
The hardware design of the TCM embedded design based on the Feiteng 2000+ server provided by the embodiment is simple, the cost is low, the performance is high, and the specification requirements of Feiteng products and the safety requirements of user use are completely met.
As shown in Fig. 2, the operation of the TCM embedded design based on the Feiteng 2000+ server of the first embodiment includes the following steps:
S1) power on the Feiteng 2000+ server in which the trusted cryptography module is embedded;
S2) after the Feiteng 2000+ server is powered on, the trusted cryptography module TCM first obtains control of the system, and the initialization self-check and the key loading and deployment of the trusted cryptography module TCM are carried out;
S3) judge whether the initialization self-check of the trusted cryptography module TCM is abnormal; if not, go to step S4); if so, judge whether to reset: if so, return to step S2), and if not, the server interrupts operation and enters the shutdown state;
S4) the trusted cryptography module TCM performs measurement authentication on the trusted BIOS and judges whether the measurement authentication succeeded; if it succeeded, the trusted BIOS obtains control of the system and is loaded and executed; if it failed, judge whether the measurement authentication of the trusted BIOS has recovered to normal: if so, go to step S5); if not, the server interrupts operation and enters the shutdown state;
S5) the trusted BIOS performs measurement authentication on the feature data of the hardware environment of the Feiteng 2000+ server and judges whether the hardware environment measurement authentication passes; if so, go to step S6); if not, the server interrupts operation and enters the shutdown state;
S6) integrity measurement authentication is performed on the kernel file of the trusted operating system, and it is judged whether the kernel file measurement authentication passes; if it passes, go to step S7); if it does not pass, judge whether the kernel file measurement authentication has recovered to normal: if so, go to step S7), and if not, the server interrupts operation and enters the shutdown state;
S7) control of the server is passed to the trusted operating system, the system kernel is booted and loaded, and the trusted operating system is started.
The trusted cryptography module TCM must perform measurement authentication on the trusted BIOS. Only after that measurement authentication succeeds does the trusted BIOS obtain control of the system and get loaded and executed, and the trust chain is passed from the trusted cryptography module TCM to the trusted BIOS. This avoids the possibility, present in the prior art, that a root of trust located in the initial portion of the BIOS is tampered with, and it improves the security of the Feiteng 2000+ server.
The trusted operating system can be started only after the measurement authentication of the trusted BIOS, the trusted BIOS's measurement authentication of the hardware environment of the Feiteng 2000+ server, and the measurement authentication of the kernel file of the trusted operating system have all succeeded. Once the trusted operating system is running, it holds the trust chain and calls the relevant security functions of the trusted cryptography module TCM to run various information security authentication mechanisms, which strengthens the security of the Feiteng 2000+ server in both local and remote states.
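The S1) to S7) flow above, modelled as an added example that is not code from the patent: it shows where control stops when a stage fails measurement and that later stages are never measured once the chain breaks. SHA-256 stands in for the TCM's hash, which the page does not name; the `Tcm` class, the `golden` backup images used for the "recovered to normal" branches, the reset limit and the sample images are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field


def digest(data: bytes) -> bytes:
    # SHA-256 is a stand-in: the page says only that the TCM uses a domestic algorithm.
    return hashlib.sha256(data).digest()


@dataclass
class Tcm:
    """Toy model of the TCM as root of trust (hypothetical interface)."""
    reference: dict                                            # stage -> expected digest
    self_tests: list = field(default_factory=lambda: [True])   # scripted self-check results
    log: list = field(default_factory=list)                    # (stage, passed), boot order
    chain: bytes = b"\x00" * 32                                # digest over all measurements

    def self_test(self) -> bool:
        # Consume the scripted results in order; the last one repeats.
        return self.self_tests.pop(0) if len(self.self_tests) > 1 else self.self_tests[0]

    def measure(self, stage: str, data: bytes) -> bool:
        d = digest(data)
        self.chain = digest(self.chain + d)    # extend: the order of measurements matters
        ok = d == self.reference[stage]
        self.log.append((stage, ok))
        return ok


# (step, stage, whether the page's flow has a "recovered to normal" branch)
STAGES = (("S4", "bios", True), ("S5", "hardware", False), ("S6", "kernel", True))


def boot(tcm: Tcm, images: dict, golden: dict = None, max_resets: int = 1) -> str:
    golden = golden or {}
    # S2/S3: the TCM holds control first; a failed self-check is retried by reset or halts.
    resets = 0
    while not tcm.self_test():
        if resets >= max_resets:
            return "shutdown:S3"
        resets += 1
    # S4-S6: each stage is measured before it is given control.
    for step, stage, recoverable in STAGES:
        if tcm.measure(stage, images[stage]):
            continue
        # Assumed recovery: restore a backup image, which must itself measure correctly.
        if recoverable and stage in golden and tcm.measure(stage, golden[stage]):
            images[stage] = golden[stage]
            continue
        return "shutdown:" + step
    return "os-started"                        # S7: control passes to the trusted OS


# Constructed sample images; the reference digests are provisioned from them.
GOOD = {"bios": b"trusted-bios-v1", "hardware": b"board-inventory-A", "kernel": b"kernel-v1"}


def provision(images: dict) -> Tcm:
    return Tcm(reference={stage: digest(data) for stage, data in images.items()})


if __name__ == "__main__":
    print(boot(provision(GOOD), dict(GOOD)))
    print(boot(provision(GOOD), dict(GOOD, bios=b"trusted-bios-v1+mod")))
    print(boot(provision(GOOD), dict(GOOD, kernel=b"kernel-v1+mod"), golden=GOOD))
```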
By adopting the above technical scheme, the utility model obtains the following beneficial effects:
The utility model uses the trusted cryptography module TCM, independently developed in China, as the root of trust and stores the sensitive data of the Feiteng platform in the TCM. The design is simple and low in cost, and it guarantees a trusted source: it remedies the weakness of earlier Feiteng platforms, whose root of trust sat in the initial portion of the trusted BIOS and could be tampered with, and it provides a complete solution for ensuring the integrity of the platform storage server system data and improving the security of data storage.
The above is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make a number of improvements and refinements without departing from the principle of the present invention, and these improvements and refinements should also be regarded as falling within the protection scope of the present invention.

Claims (5)

1. A TCM embedded platform based on Feiteng 2000+ server is characterized by comprising a Feiteng 2000+ processor, a CPLD unit module, a trusted cryptography module TCM, a data selector MUX and a trusted BIOS; the trusted cryptography module TCM is connected with the CPLD unit module through an LPC bus, and the CPLD unit module is connected with a GPIO port of the Feiteng 2000+ processor; the CPLD unit module is respectively connected with the Feiteng 2000+ processor and the trusted cryptography module TCM through LPC buses; the Feiteng 2000+ processor and the trusted cryptography module TCM are respectively connected with the data selector MUX through an SPI bus.
2. The Feiteng 2000+ server-based TCM embedded platform according to claim 1, wherein the trusted cryptography module TCM has a cryptographic algorithm core based on a domestic security algorithm integrated therein, and the trusted cryptography module TCM is provided with a TCM call port.
3. The Feiteng 2000+ server-based TCM embedded platform according to claim 1 or 2, wherein the trusted BIOS is connected to the Feiteng 2000+ server and the trusted cryptography module TCM respectively through SPI buses; after the Feiteng 2000+ server is powered on, the trusted cryptography module TCM performs measurement authentication on the trusted BIOS so as to ensure that the BIOS is trusted.
4. The Feiteng 2000+ server-based TCM embedded platform according to claim 3, wherein the trusted cryptography module TCM comprises a TCM chip, and the TCM chip is model ssx44-b.
5. The Feiteng 2000+ server-based TCM embedded platform of claim 4, wherein the CPLD unit module employs a MAX II CPLD EPM1270F256C5N chip.
CN202020294614.6U 2020-03-11 2020-03-11 TCM embedded platform based on Feiteng 2000+ server Active CN211403424U (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202020294614.6U CN211403424U (en) 2020-03-11 2020-03-11 TCM embedded platform based on Feiteng 2000+ server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202020294614.6U CN211403424U (en) 2020-03-11 2020-03-11 TCM embedded platform based on Feiteng 2000+ server

Publications (1)

Publication Number Publication Date
CN211403424U true CN211403424U (en) 2020-09-01

Family

ID=72233697

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202020294614.6U Active CN211403424U (en) 2020-03-11 2020-03-11 TCM embedded platform based on Feiteng 2000+ server

Country Status (1)

Country Link
CN (1) CN211403424U (en)

Similar Documents

Publication Publication Date Title
JP6053786B2 (en) Firmware-based Trusted Platform Module (TPM) for ARM® Trust Zone implementation
CN107025406B (en) Motherboard, computer-readable storage device, and firmware verification method
AU2011285762B2 (en) Providing fast non-volatile storage in a secure environment
CN101751534B (en) Has the computer of biological authentication apparatus
CN111052118A (en) Hardware-implemented firmware security
US11468170B2 (en) Techniques for processor boot-up
US20200110869A1 (en) Remote attestation for multi-core processor
CN110110526B (en) Safety starting device and method based on safety chip
WO2018039027A1 (en) Trusted platform module support on reduced instruction set computing architectures
TWI582632B (en) Method and system of entering a secured computing environment using multiple authenticated code modules,and processor
WO2014043884A1 (en) Isolated guest creation in vlrtualized computing system
CN114035842B (en) Firmware configuration method, computing system configuration method, computing device and equipment
CN102063591A (en) Methods for updating PCR (Platform Configuration Register) reference values based on trusted platform
CN110197070A (en) Have the trust authentication of booting and the computer system and method for failover
CN111125707A (en) BMC (baseboard management controller) safe starting method, system and equipment based on trusted password module
CN113452666A (en) IP independent secure firmware loading
CN104346572A (en) Construction method of universal external intelligent terminal safety operation environment
JP7402798B2 (en) Security for programmable devices in data centers
US20240179001A1 (en) Processor and operating method for a homogeneous dual computing system
CN110348222A (en) A kind of construction method of the credible calculating platform of dual Architecture
CN211403424U (en) TCM embedded platform based on Feiteng 2000+ server
CN111783165B (en) Safe and trusted system chip architecture based on hardware isolation calling mode
KR20050123152A (en) Physical presence determination in a trusted platform
US11734457B2 (en) Technology for controlling access to processor debug features
CN112181860B (en) Controller with flash memory simulation function and control method thereof

Legal Events

Date Code Title Description
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20210524

Address after: 100176 no.510, 5th floor, building 18, No.1, Disheng North Street, Beijing Economic and Technological Development Zone, Daxing District, Beijing

Patentee after: Beijing Tiandi Huiyun Technology Co.,Ltd.

Address before: 511458 room 1005, No.8 Jingang Avenue, Nansha street, Nansha District, Guangzhou City, Guangdong Province (office only)

Patentee before: Guangzhou Chaoyun Technology Co.,Ltd.