CN211403424U - TCM embedded platform based on Feiteng 2000+ server - Google Patents
- Publication number
- CN211403424U
- Authority
- CN
- China
- Prior art keywords
- tcm
- feiteng
- trusted
- server
- module
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Landscapes
- Storage Device Security (AREA)
Abstract
The utility model relates to the field of computers and servers, and discloses a TCM embedded platform based on the Feiteng 2000+ server, which comprises a Feiteng 2000+ processor, a CPLD unit module, a trusted cryptography module TCM, a data selector MUX and a trusted BIOS. The trusted cryptography module TCM is connected with the CPLD unit module through an LPC bus, the CPLD unit module is connected with a GPIO port of the Feiteng 2000+ processor, and the Feiteng 2000+ processor and the trusted cryptography module TCM are each connected with the data selector MUX through SPI buses. The utility model uses the trusted cryptography module TCM, independently developed in China, as the root of trust and stores the sensitive data of the Feiteng platform in the TCM. The design is simple and low in cost, guarantees a trusted source, remedies the weakness of earlier Feiteng platforms, whose root of trust was located in the initial part of the trusted BIOS and could be tampered with, and provides a complete solution for ensuring the integrity of Feiteng platform storage server system data and improving the security of data storage.
Description
Technical Field
The utility model relates to the field of computers and servers, and in particular to a TCM embedded platform based on the Feiteng 2000+ server.
Background
In recent years, as information technology has advanced, countries around the world have placed growing emphasis on national information security, and in the server industry in particular, research on trusted servers has become a popular technical field. Current trusted server research is mainly based on the TPM technology of the foreign TCG, so designing an autonomous trusted server from key hardware on a domestic platform is particularly necessary. In China, the government strongly supports trusted computing research, and the China Trusted Computing Platform Alliance has designed the trusted cryptography module TCM, which is centered on cryptographic algorithms, builds on relatively mature embedded chip technology, and uses cryptographic algorithms and engines developed entirely and independently in China. From the standpoint of national security strategy, independent trusted computing specifications and technical systems must be established, and the TCM can also serve as the last line of defense for information security in China. At present, however, the technology for embedding a trusted cryptography module into a domestic platform server still has shortcomings. In particular, in existing hardware designs the TCM occupies a GPIO port of the CPU by itself, while the number of GPIO ports on a Feiteng 2000+ based processor is limited.
The traditional TCM embedded design for the Feiteng 2000+ server is complex and costly and makes poor use of the processor's IO ports, so the server falls far short of users' performance requirements. This has become a problem that researchers in the field urgently need to solve.
Summary of the Utility Model
An object of the utility model is to provide a TCM embedded platform based on the Feiteng 2000+ server, so as to solve the above problems in the prior art.
To achieve this object, the technical solution of the utility model is as follows:
A TCM embedded platform based on the Feiteng 2000+ server comprises a Feiteng 2000+ processor, a CPLD unit module, a trusted cryptography module TCM, a data selector MUX and a trusted BIOS; the trusted cryptography module TCM is connected with the CPLD unit module through an LPC bus, and the CPLD unit module is connected with a GPIO port of the Feiteng 2000+ processor; the CPLD unit module is connected with the Feiteng 2000+ processor and with the trusted cryptography module TCM through the LPC bus; the Feiteng 2000+ processor and the trusted cryptography module TCM are each connected with the data selector MUX through the SPI bus.
The Feiteng 2000+ processor is an ARM processor with an integrated GPIO (general-purpose input/output) module, whose GPIO ports let engineers designing Feiteng 2000+ computer hardware implement specific purposes or functions. The CPLD unit module serves as a bridge between the trusted cryptography module TCM and the Feiteng processor: it is connected with the Feiteng 2000+ processor and with the TCM through the LPC bus, which expands the GPIO ports of the Feiteng 2000+ processor, improves their usability, and lets the processor perform better. The trusted Basic Input Output System (BIOS) is a set of programs fixed in a ROM chip on the computer's main board. It stores the computer's most important basic input and output programs, the power-on self-test program and the system self-start program, can read and write system-specific settings in the CMOS, and mainly provides the lowest-level, most direct hardware setup and control for the computer. The Feiteng 2000+ processor and the TCM are each connected with the data selector MUX through the SPI bus, so that both the Feiteng processor and the TCM chip can exchange data with the trusted BIOS.
Furthermore, a cryptographic algorithm core based on a domestic security algorithm is integrated in the trusted cryptographic module TCM, and the trusted cryptographic module TCM is provided with a TCM calling port.
The TCM chip of the trusted cryptography module TCM uses a unique domestic security algorithm: a cryptographic algorithm core based on a domestic security algorithm is integrated in the TCM, and the TCM is provided with a TCM calling port. The TCM provides secure data storage, symmetric or asymmetric encryption and decryption, and integrity measurement, and is the root of trust of the entire Feiteng storage server system.
Furthermore, the trusted BIOS is connected with the Feiteng 2000+ server and with the trusted cryptography module TCM through the SPI bus, and after the Feiteng 2000+ server is powered on, the TCM performs measurement authentication on the trusted BIOS to ensure that the BIOS is trusted.
After the self-check of the trusted cryptography module TCM is finished, the TCM performs measurement authentication on the trusted BIOS again. Once the TCM has successfully verified the integrity of the trusted BIOS, it sends a control signal to the Feiteng 2000+ processor through the GPIO port to tell the Feiteng platform to load the trusted BIOS and start, and hands control of the system to the trusted BIOS. The chain of trust is thereby passed from the TCM to the trusted BIOS, which overcomes the weakness of the original Feiteng platform, whose root of trust for measurement was located in the initial part of the BIOS and could be tampered with.
Furthermore, the trusted cryptography module TCM comprises a TCM chip, and the TCM chip is the National Technology model ssx44-b.
The TCM chip is a highly secure controller. It integrates an algorithm core for an independently developed domestic security algorithm, an asymmetric key program, secure key storage, a unique key identifying each TCM, and so on, and it can compute a hash value of the trusted BIOS at startup to serve as an integrity measurement. The TCM chip is the National Technology model ssx44-b. Through the TCM chip, a trusted subsystem (called the "root of trust") is embedded into the Feiteng 2000+ server, and trust can be extended to the other parts of the whole platform by building a "chain of trust" in which each link extends trust to the next.
Further, the CPLD unit module adopts a MAX II CPLD EPM1270F256C5N chip.
The CPLD unit module of the utility model serves as the bridge between the trusted cryptography module TCM and the Feiteng 2000+ processor, and uses the MAX II EPM1270F256C5N chip. The MAX II CPLD EPM1270F256C5N chip features instant power-on, non-volatile storage and a high IO count. MAX II devices also integrate a User Flash Memory (UFM) block and enhanced in-system programmability (ISP), which effectively reduces cost and power and provides a programmable solution for applications such as bus bridging, IO expansion, sequencing control and device configuration control.
The utility model has the following advantages: it provides a TCM embedded design platform based on the Feiteng 2000+ server that is simple in design and low in cost. It improves the usability of the processor's GPIO ports and embeds the trusted cryptography module TCM more effectively, remedying the weakness of earlier Feiteng platforms, whose root of trust was located in the initial part of the BIOS and could be tampered with, so that users' security and performance requirements for the Feiteng 2000+ server are better met.
Drawings
Fig. 1 is a schematic structural diagram of an embodiment of a Feiteng 2000+ server-based TCM embedded platform.
Fig. 2 is a flowchart illustrating the operation of an exemplary implementation of a Feiteng 2000+ server TCM embedded design.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more clearly understood, the present invention is further described in detail below with reference to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the invention, are given by way of illustration only.
In a first embodiment, a Feiteng 2000+ server-based TCM embedded platform is shown in Fig. 1, and includes a Feiteng 2000+ processor, a CPLD unit module, a trusted cryptography module TCM, a data selector MUX, and a trusted BIOS. A cryptographic algorithm core based on a domestic security algorithm is integrated in the trusted cryptography module TCM, and the TCM is provided with a TCM calling port. The TCM is connected with the CPLD unit module through the LPC bus, and the CPLD unit module is connected with the GPIO port of the Feiteng 2000+ processor. The Feiteng 2000+ processor is an ARM processor with an integrated GPIO (general-purpose input/output) module. The CPLD unit module serves as a bridge between the TCM and the Feiteng processor: it is connected with the Feiteng 2000+ processor and with the TCM through the LPC bus, which expands the GPIO ports of the Feiteng 2000+ processor, improves their usability, and lets the processor perform better.
The Feiteng 2000+ processor and the trusted cryptography module TCM are each connected with the data selector MUX through the SPI bus, so that both the Feiteng processor and the TCM chip can exchange data with the trusted BIOS. The TCM chip of the TCM uses a unique domestic security algorithm: a cryptographic algorithm core based on a domestic security algorithm is integrated in the TCM, and the TCM is provided with a TCM calling port. The TCM provides secure data storage, symmetric or asymmetric encryption and decryption, and integrity measurement, and is the root of trust of the entire Feiteng storage server system.
The trusted BIOS is connected with the Feiteng 2000+ server and with the trusted cryptography module TCM through the SPI bus, and after the Feiteng 2000+ server is powered on, the TCM can perform measurement authentication on the trusted BIOS to ensure that the BIOS is trusted. After the self-check of the TCM is finished, the TCM performs measurement authentication on the trusted BIOS again. Once the TCM has successfully verified the integrity of the trusted BIOS, it sends a control signal to the Feiteng 2000+ processor through the GPIO port to tell the Feiteng platform to load the trusted BIOS and start, and hands control of the system to the trusted BIOS. The chain of trust is thereby passed from the TCM to the trusted BIOS, which overcomes the weakness of the original Feiteng platform, whose root of trust for measurement was located in the initial part of the BIOS and could be tampered with.
The trusted cryptography module TCM comprises a TCM chip, and the TCM chip is the National Technology model ssx44-b. The CPLD unit module uses a MAX II CPLD EPM1270F256C5N chip.
The Feiteng 2000+ server-based TCM embedded platform further comprises a server mainboard, wherein a TCM chip of ssx44-b type and a MAX II CPLD EPM1270F256C5N chip are arranged on the server mainboard.
The hardware design of the TCM embedded design based on the Feiteng 2000+ server provided by the embodiment is simple, the cost is low, the performance is high, and the specification requirements of Feiteng products and the safety requirements of user use are completely met.
As shown in Fig. 2, the operation of the TCM embedded design using the Feiteng 2000+ server of the first embodiment includes the following steps:
S1) power on the Feiteng 2000+ server in which the trusted cryptography module is embedded;
S2) after the Feiteng 2000+ server is powered on, the trusted cryptography module TCM first obtains control of the system, and the initialization self-check and key loading deployment of the TCM are carried out;
S3) judge whether the initialization self-check of the trusted cryptography module TCM is abnormal; if not, go to step S4); if so, judge whether to reset: if resetting, return to step S2); if not, the server interrupts operation and enters the shutdown state;
S4) the trusted cryptography module TCM performs measurement authentication on the trusted BIOS and judges whether the measurement authentication succeeds; if it succeeds, the trusted BIOS obtains control of the system and is loaded and executed; if it fails, judge whether the measurement authentication of the trusted BIOS has recovered to normal: if so, go to step S5); if not, the server interrupts operation and enters the shutdown state;
S5) the trusted BIOS performs measurement authentication on the feature data of the hardware environment of the Feiteng 2000+ server and judges whether the hardware environment measurement authentication passes; if so, go to step S6); if not, the server interrupts operation and enters the shutdown state;
S6) perform integrity measurement authentication on the kernel file of the trusted operating system and judge whether the kernel file measurement authentication passes; if it passes, go to step S7); if it does not pass, judge whether the kernel file measurement authentication has recovered to normal: if so, go to step S7); if not, the server interrupts operation and enters the shutdown state;
S7) control of the server is passed to the trusted operating system, the system kernel is booted and loaded, and the trusted operating system starts.
The trusted cryptography module TCM must perform measurement authentication on the trusted BIOS. Only after that measurement authentication succeeds does the trusted BIOS obtain control of the system and get loaded and executed, and the chain of trust passes from the TCM to the trusted BIOS. This avoids the prior-art risk that a root of trust located in the initial part of the BIOS is tampered with, and improves the security of the Feiteng 2000+ server.
The trusted operating system can start only after the measurement authentication of the trusted BIOS, the trusted BIOS's measurement authentication of the hardware environment of the Feiteng 2000+ server, and the measurement authentication of the kernel file of the trusted operating system have all succeeded. Once running, the trusted operating system holds the chain of trust and calls the relevant security functions of the trusted cryptography module TCM to run various information security authentication mechanisms, which strengthens the security of the Feiteng 2000+ server in both local and remote states.
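The S1) to S7) flow above can be modelled as a fail-closed measured-boot sequence. The following is an added example, not code from the patent: all function and key names are hypothetical, SHA-256 stands in for the unnamed domestic algorithm, and it assumes that reference digests are held by the TCM and that "recovered to normal" means re-measuring a restored image.

```python
import hashlib
import hmac


class BootHalt(Exception):
    """A stage failed: the server interrupts operation and shuts down."""


def measure(blob: bytes) -> str:
    # SHA-256 is a stand-in; the page only says the TCM uses a domestic algorithm.
    return hashlib.sha256(blob).hexdigest()


def authenticate(stage, image, reference, recover=None):
    """Measure `image` against the reference digest (assumed held by the TCM).

    On mismatch, call the optional recovery source once (the "recovered to
    normal" branch of S4 and S6), re-measure, and halt if it still differs.
    """
    if hmac.compare_digest(measure(image), reference):
        return image
    if recover is not None:
        restored = recover()
        if hmac.compare_digest(measure(restored), reference):
            return restored  # run the restored image, never the rejected one
    raise BootHalt(stage)


def boot(platform, refs, max_resets=1):
    """Walk S1-S7; return the components that held control, in order."""
    chain = []
    # S2/S3: the TCM takes control first; a failed self-check may be reset.
    for _ in range(max_resets + 1):
        if platform["tcm_self_check"]():
            chain.append("TCM")
            break
    else:
        raise BootHalt("S3: TCM self-check")
    # S4: the TCM measures the BIOS before the processor may load it.
    authenticate("S4: BIOS", platform["bios"], refs["bios"],
                 platform.get("bios_backup"))
    chain.append("BIOS")
    # S5: the BIOS measures hardware feature data; the flow has no recovery here.
    authenticate("S5: hardware", platform["hw_features"], refs["hw"])
    # S6: kernel file measurement, with a recovery branch.
    authenticate("S6: kernel", platform["kernel"], refs["kernel"],
                 platform.get("kernel_backup"))
    # S7: control passes to the trusted operating system.
    chain.append("OS")
    return chain


# Constructed sample images and the reference digests enrolled from them.
GOOD = {"bios": b"bios-v1", "hw_features": b"cpu=1;dimm=8", "kernel": b"kernel-v1"}
REFS = {"bios": measure(GOOD["bios"]), "hw": measure(GOOD["hw_features"]),
        "kernel": measure(GOOD["kernel"])}


def run(**overrides):
    """Boot the sample platform with selected components replaced."""
    platform = {"tcm_self_check": lambda: True, **GOOD, **overrides}
    try:
        return boot(platform, REFS)
    except BootHalt as halt:
        return f"shutdown at {halt}"


if __name__ == "__main__":
    print(run())
    print(run(bios=b"bios-tampered"))
    print(run(bios=b"bios-tampered", bios_backup=lambda: GOOD["bios"]))
    print(run(hw_features=b"cpu=1;dimm=8;pcie=unknown"))
```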
By adopting the above technical solution, the utility model obtains the following beneficial effects:
The utility model uses the trusted cryptography module TCM, independently developed in China, as the root of trust and stores the sensitive data of the Feiteng platform in the TCM. The design is simple and low in cost, guarantees a trusted source, remedies the weakness of earlier Feiteng platforms, whose root of trust was located in the initial part of the trusted BIOS and could be tampered with, and provides a complete solution for ensuring the integrity of platform storage server system data and improving the security of data storage.
The above is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make a number of improvements and refinements without departing from the principle of the present invention, and these improvements and refinements should also be regarded as falling within the scope of protection of the present invention.
Claims (5)
1. A TCM embedded platform based on Feiteng 2000+ server is characterized by comprising a Feiteng 2000+ processor, a CPLD unit module, a trusted cryptography module TCM, a data selector MUX and a trusted BIOS; the trusted cryptography module TCM is connected with the CPLD unit module through an LPC bus, and the CPLD unit module is connected with a GPIO port of the Feiteng 2000+ processor; the CPLD unit module is respectively connected with the Feiteng 2000+ processor and the trusted cryptography module TCM through LPC buses; the Feiteng 2000+ processor and the trusted cryptography module TCM are respectively connected with the data selector MUX through an SPI bus.
2. The Feiteng 2000+ server-based TCM embedded platform according to claim 1, wherein the trusted cryptography module TCM has a cryptographic algorithm core based on a domestic security algorithm integrated therein, and the trusted cryptography module TCM is provided with a TCM call port.
3. The Feiteng 2000+ server-based TCM embedded platform according to claim 1 or 2, wherein the trusted BIOS is connected to the Feiteng 2000+ server and the trusted cryptography module TCM respectively through SPI buses; after the Feiteng 2000+ server is powered on, the trusted cryptography module TCM performs measurement authentication on the trusted BIOS so as to ensure the credibility of the BIOS.
4. The Feiteng 2000+ server-based TCM embedded platform according to claim 3, wherein the trusted cryptography module TCM comprises a TCM chip, and the TCM chip is model ssx44-b.
5. The Feiteng 2000+ server-based TCM embedded platform of claim 4, wherein the CPLD unit module employs a MAX II CPLD EPM1270F256C5N chip.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202020294614.6U CN211403424U (en) | 2020-03-11 | 2020-03-11 | TCM embedded platform based on Feiteng 2000+ server |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202020294614.6U CN211403424U (en) | 2020-03-11 | 2020-03-11 | TCM embedded platform based on Feiteng 2000+ server |
Publications (1)
Publication Number | Publication Date |
---|---|
CN211403424U (en) | 2020-09-01 |
Family
ID=72233697
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202020294614.6U Active CN211403424U (en) | 2020-03-11 | 2020-03-11 | TCM embedded platform based on Feiteng 2000+ server |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN211403424U (en) |
- 2020-03-11: CN application CN202020294614.6U, patent CN211403424U (en), status Active
Legal Events
Date | Code | Title | Description |
---|---|---|---|
GR01 | Patent grant | ||
TR01 | Transfer of patent right | ||
Effective date of registration: 20210524. Address after: 100176 no.510, 5th floor, building 18, No.1, Disheng North Street, Beijing Economic and Technological Development Zone, Daxing District, Beijing. Patentee after: Beijing Tiandi Huiyun Technology Co.,Ltd. Address before: 511458 room 1005, No.8 Jingang Avenue, Nansha street, Nansha District, Guangzhou City, Guangdong Province (office only). Patentee before: Guangzhou Chaoyun Technology Co.,Ltd.