JP2006012034A - Device control unit, computer, and device control method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To securely perform a control to a device without impairing the availability of a system. <P>SOLUTION: When a control for making the device 13 usable or unusable is requested from a hot key 11 or an AP 70, the AP 70 determines whether password authentication is necessary or not. When the password authentication is necessary, an ACPI BIOS 40 receives the effect through a device driver 50, suspends an OS 60. An SMI handler 30 displays a password prompt to a display 12 in this state, and if the input password is proper, the control of the device 13 is instructed to an embedded controller 20. At that time, the embedded controller 20 determines the control instruction from the SMI handler 30 by monitoring a signal for switching to SMM. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to operation control of a computer, and more particularly to operation control for a device used in a computer.

In recent years, computers are used in various companies, and important data in the companies are managed by the computers. Therefore, the computer is required to have high security so that, for example, data is not copied to an external storage medium and taken out.
One method for ensuring such high security is to use a security function of an OS (Operating System). That is, for each user attribute managed by the OS, a different authority is given regarding whether or not a device for writing data to an external storage medium (hereinafter referred to as “writing device”) can be used.

However, when the security function of the OS is used, security cannot be ensured if the hard disk installed with the OS is replaced.
For example, it is assumed that the IT department of a company sets whether or not the writing device can be used for each user attribute using a security function of the OS. In this case, if the hard disk on which the OS is installed is used as it is, each user can use only the writing device permitted to be used by the user. However, if a malicious user replaces the hard disk of the system with a hard disk on which the OS is installed, the OS can freely set whether or not the writing device can be used. It becomes possible to use all the writing devices.

2. Description of the Related Art Today, in a company, a computer system is generally used in which a server computer and a client computer are connected via a network, and the client computer acquires and uses data managed by the server computer. In this case, if it is necessary to prevent the data from being taken outside, the corporate IT department sets whether or not the writing device can be used for each user attribute to the OS of the client computer. . However, if the hard disk of the client computer is replaced, corporate data obtained from the server computer via the network may be copied to an external storage medium and taken out.
In the case of a desktop PC (Personal Computer), it is possible to prevent the hard disk from being replaced with a physical key. However, in a portable information terminal, it is difficult to adopt such a prevention method, and the fact is that the hard disk can be easily replaced.

Therefore, it is necessary to set whether or not the writing device can be used by BIOS (Basic Input Output System) / system hardware.
As the setting by such BIOS / system hardware, for example, there is a method in which the owner distinguishes whether the PC system can use the writing device between the owner and the user. Specifically, an administrator (supervisor) who is the owner of a PC system can use a specific writing device by entering an “administrator password (supervisor password)”, and the user must enter this password. The writing device cannot be used. Such an implementation is used today in many PC systems.
Examples of the writing device include a floppy (registered trademark) disk drive, a PC card, and a USB (Universal Serial Bus) port. It is considered that a PC administrator in the corporate IT department sets these devices in the PC system to be unusable in order to prevent leakage of important data from these devices. Once such a setting is made, the user cannot use the device without entering the administrator password.

However, there are cases where it is desired to temporarily change the use of a specific writing device from disabled to enabled or from enabled to disabled. In such a case, it is necessary to terminate the operating OS once, change the setting with the BIOS, and then restart the OS, which is inconvenient. That is, since the system is interrupted, the availability of the system is impaired.
On the other hand, it has also been proposed to make settings in the BIOS without impairing system availability by using an API (Application Program Interface) provided by the OS (see, for example, Patent Document 1). This is to release the access lock of the storage device housed in the expansion unit by inputting a password using a seamless user interface using API.

JP-A-9-237229 (6th, 7th page, 4th, 5th)

  However, since the technique of Patent Document 1 is only via the OS, there is a serious security problem such that spyware cannot be excluded.

  The present invention has been made to solve the technical problems as described above, and an object of the present invention is to enable secure control of devices without impairing system availability. is there.

  For this purpose, in the present invention, a device that cannot be used is temporarily usable in the following sequence. First, when it is desired to temporarily use a certain device in an operating system, a user or an administrator notifies the BIOS of the intention through a hardware mechanism or an application program. Then, the BIOS temporarily shifts the system to the suspended state (standby state) in order to interrupt the OS. After that, the device use / non-use setting is verified with the password, and the OS is resumed. Furthermore, the BIOS notifies the OS of the status of the device that has become available, and the OS enables access to the device. Also, when a device that can be used is temporarily disabled, processing is performed in a substantially similar sequence. However, resources are released prior to suspending the OS, and resources are not allocated after the OS is resumed.

In other words, the computer according to the present invention controls the device to enable or disable the device, and suspends the OS in response to the control request, requests the password, and the input password is valid. In this case, a BIOS for instructing control to the control means is provided. The computer of the present invention may be configured to further include an application program for making a control request or a hardware mechanism for making a control request. Further, the BIOS resumes the OS after inputting the password, and the OS allocates resources to the devices as necessary.
Thereby, the availability of the system can be increased. Further, since the OS is interrupted, there is no spyware or the like, and there is no security problem.

  The present invention can also be understood as a device control apparatus that can securely control whether or not a device can be used. In this case, the device control apparatus of the present invention includes a control unit that performs control to enable or disable a device, and a specific program that operates when the computer is in a specific operation mode, the control unit A program execution means for executing a program having a legitimate authority for instructing control, and a signal output means for outputting a signal indicating that the computer is in a specific operation mode. By monitoring the signal output by, control is performed when it is found that a specific program instructs control.

  Furthermore, the present invention can also be understood as a device control method for securely controlling whether or not a device can be used. In that case, the device control method of the present invention is such that the control means for performing control to enable or disable the device receives the control instruction, and the control means is such that the computer is in a specific operation mode. Monitoring a signal indicating whether or not a specific program operating in a specific operation mode outputs a control instruction, and the specific program outputs a control instruction. The control means includes a step of performing control when it is determined that the control is performed.

  According to the present invention, it becomes possible to control a device in a secure manner without impairing the availability of the system.

The best mode for carrying out the present invention (hereinafter referred to as “embodiment”) will be described below in detail with reference to the accompanying drawings.
FIG. 1 is a diagram showing a hardware configuration of a computer system 100 that realizes control of settings related to hardware according to the present embodiment.
In the computer system 100 shown in FIG. 1, a CPU 101 executes various arithmetic processes under program control to control the entire computer system 100.
The memory controller 102 is a chip having a function of connecting the CPU 101 and the memory 104 and the like. In Intel's hub architecture, it corresponds to MCH (Memory Controller Hub).
The video subsystem 103 is a subsystem for realizing functions related to image display, and includes a video controller. The video controller processes a drawing command from the CPU 101, writes the processed drawing information into the video memory, reads out the drawing information from the video memory, and outputs it as a drawing data to a monitor such as a liquid crystal display (LCD). Yes.
The memory 104 is a writable memory used as a storage area for a program executed by the CPU 101 or data processed by the program. For example, it is composed of a plurality of DRAM chips, and 128 MB and 256 MB are provided as standard, and can be expanded up to 4 GB. Note that the program executed by the CPU 101 includes various drivers for operating the OS and peripheral devices in hardware, application programs for specific tasks, and firmware such as BIOS stored in the flash ROM 108 described later.

The I / O controller 105 is a chip for connecting a PCI bus, USB, and the like to other components. In the Intel hub architecture, it corresponds to an ICH (I / O Controller Hub).
An ATA (AT Attachment) 106 indicates a device such as a hard disk conforming to the ATA standard. ATA is an official IDE standard that was standardized in 1989 by the American National Standards Institute (ANSI). According to the first ATA standard, the maximum data transfer rate is 3.3 MB / second, and the maximum capacity of one hard disk is up to 528 MB.
An ATAPI (AT Attachment Packet Interface) 107 indicates a device such as a CD-ROM drive conforming to the ATAPI standard. ATAPI is standardized by the American National Standards Institute (ANSI) to connect devices other than hard disks to the IDE controller.
The flash ROM 108 is a ROM that can electrically erase data and newly write data in batch or block units, and stores the BIOS as described above.
The PCIe (PCI Express) bus 109 is a bus that is attracting attention as a third-generation high-performance I / O bus following the ISA / EISA bus and the PCI / PCI-X bus, and is connected to the PCIe device 110.
The USB 111 is one of the standards for data transmission between peripheral devices such as a keyboard, mouse, modem, joystick, etc. and a personal computer, and the USB device 112 is connected to the USB 111.

The LPC (Low Pin Count) bus 113 is an interface standard for connecting a legacy device to a system that does not have an ISA bus. The command signal, address, and data are the same four signal lines (LAD signal) with a 33 MHz operation clock. ) (For example, 8 bits are transferred with 4 bits x 2 clocks for data).
The Super I / O controller 114 controls parallel data input / output (PIO) via the parallel port, serial data input / output (SIO) via the serial port, and FDD drive.
A TPM (Trusted Platform Module) 115 is a chip for providing a basic function for security, and has platform validity verification, integrity observation, encryption key protection, encryption processing function, and the like.
Of the KMC (Keyboard Mouse Controller) / EC (Embedded Controller) 116, the KMC is a controller that controls a keyboard and a mouse. EC is a one-chip microcomputer that monitors and controls various devices (peripheral devices, sensors, power supply circuits, etc.).

  The PCI bus 117 is a bus capable of relatively high-speed data transfer, and has a data bus width of 32 or 64 bits, a maximum operating frequency of 33 MHz or 66 MHz, and a maximum data transfer rate of 132 MB / second or 528 MB / second. It is standardized by the specification. A card bus bridge 118 is connected to the PCI bus 117, and data is transmitted to and received from the PC card 120 via the card bus 119.

Hereinafter, a characteristic configuration of the present embodiment will be described in detail.
In this embodiment, it is assumed that the system satisfies the following requirements.
(1) The administrator password necessary for system settings is retained.
(2) The administrator password has nothing to do with booting the OS. That is, the user can start the OS without this password.
(3) As a system setting protected by the administrator password, it has a function to set whether to use the writing device.
(4) The processor has a function equivalent to SMI (System Management Interrupt) in the Intel processor architecture.
(5) The memory area holding the code for realizing the same function as the SMI handler cannot be accessed in the normal operation mode of the processor.
(6) The operating OS has a plug-and-play function that can dynamically execute device initialization, shutdown, system resource allocation, and the like.
(7) The hardware can display the password prompt without using the VRAM (Video RAM) used by the OS, or the OS can initialize the screen after resuming even if the VRAM is broken to display the password prompt. .

Next, with reference to FIG. 2, the software configuration in the present embodiment will be described. Note that FIG. 2 also shows hardware 10 to be controlled by software. Specifically, the following devices are assumed as the hardware 10.
The first is FDD (Floppy Diskette Drive). The FDD has hardware capable of controlling a power signal to the motor, and the method for controlling the hardware is secure.
Second, it is a PC card. For PC cards, the system has hardware that can control the detection pin of the card slot and power supply (3.3 / 5 / 12V) to the card slot, and the method of controlling the hardware is secure And
Third, ExpressCard (trademark). With regard to ExpressCard (trademark), it is assumed that the system has hardware capable of controlling the supply of power to the card, and the method for controlling the hardware is secure.
Fourth, a USB connector. Regarding the USB connector, it is assumed that the system has hardware capable of controlling the power supply to the USB port accessible from the outside, and the method for controlling the hardware is secure.
The secure method for controlling the hardware described regarding each device will be described later.

The embedded controller 20 is a controller that controls whether the device can be used.
The SMI handler 30 is a main module in the present embodiment, and is a module for instructing the embedded controller 20 to control whether the device can be used or not, and for managing a password. This module is a module that processes the SMI of an Intel processor and equivalent functions. Further, it resides in an SMM (System Management Mode) memory area that cannot be accessed from general software, and execution cannot be interrupted by a normal interrupt during operation.
In the present embodiment, the SMI handler 30 is positioned as a program having a legitimate authority for instructing the embedded controller 20 to perform device availability control. Therefore, a secure method is required for communication between the embedded controller 20 and the SMI handler 30. This secure method will also be described later.

The ACPI (Advanced Configuration and Power Interface) BIOS 40 is a module for communicating with the device driver 50 and the OS 60.
The SMI handler 30 described above is also included in the BIOS. Therefore, the term “BIOS” simply means that includes the SMI handler 30 and the ACPI BIOS 40.

The device driver 50 is a kernel mode module for connecting the AP 70 and the ACPI BIOS 40.
The AP 70 is a module that provides a trigger and a user interface for setting whether or not the target device can be used. In cooperation with the SMI handler 30, it is determined whether the device requires an administrator password, and the next operation is determined based on the determination result.

On the other hand, FIG. 3 shows a functional configuration of the present embodiment.
In the computer system 100 according to the present embodiment, the embedded controller 20, the SMI handler 30, the ACPI BIOS 40, the device driver 50, the OS 60, and the AP 70 illustrated in FIG. 2 are related as illustrated and exchange information.
As hardware elements constituting the computer system 100, a hot key 11 for requesting device control, a display 12 on which a password prompt is displayed, and a device 13 to be controlled are shown.

Further, FIG. 4 shows an operation of the computer system 100 in the present embodiment.
The operation of the present embodiment will be described with reference to FIGS. Here, a case will be described in which the administrator temporarily enables / disables a device that is disabled / enabled. Further, in parentheses at the end of each operation step, first, an identification symbol attached to an arrow in FIG. 3 is shown, and second, a step number in the flowchart of FIG. 4 is shown.
First, in response to an instruction from the administrator, the AP 70 is activated to display a user interface (for example, a menu) for setting whether or not the device can be used (no arrow, step 101). When the administrator designates a device desired to be used on the user interface, the AP 70 identifies the designated device (no arrow, step 102).
Alternatively, the setting of whether or not the device can be used can be set using a hardware mechanism. For example, the administrator presses the hot key 11 assigned to the setting operation for enabling / disabling device use. As a result, the embedded controller 20 detects the press and notifies the ACPI BIOS 40 (arrow a, step 103). The ACPI BIOS 40 recognizes the request and transmits it to the device driver 50 (arrow b, step 104). Further, the device driver 50 transmits the request to the AP 70 via an API (Application Program Interface) provided by the OS 60 (arrow c, step 105), and the AP 70 identifies the designated device as described above (arrow). None, step 102).

Next, the AP 70 determines whether or not a password is necessary for setting whether or not the device can be used (no arrow, step 106). This determination is made by referring to information for managing whether or not a password is necessary for setting whether or not the device can be used. Such information may be held by the AP 70 or may be obtained by inquiring the BIOS.
As a result, if it is determined that a password is necessary, the device driver 50 receives information from the AP 70 and transmits a request for suspending (standby) the OS 60 to the ACPI BIOS 40 (arrow d, step 107). As a result, the ACPI BIOS 40 transmits a normal suspend request to the OS 60 (arrow e, step 108).

When receiving such a request, the OS 60 performs a normal suspend process and finally accesses an I / O port for entering a suspend state. However, the hardware actually passes control to the SMI handler 30 without entering the suspended state (arrow f, step 109).
For example, in the case of an Intel processor, such control is performed by setting “1” to bit 4 of “SMI Control and Enable Register”. That is, by doing this, even if the OS 60 sets “1” in the bit 13 of the “Power Management 1 Control Register” and shifts to the suspend state, it does not shift to the suspend state and generates “SMI #”. And move to SMM.

Thereafter, when the OS 60 shifts to the suspended state, the ACPI BIOS 40 receives the notification (arrow g, step 110). On the other hand, the SMI handler 30 displays a password prompt on the display 12 and prompts for an administrator password (arrow h, step 111). When the administrator password is entered, the validity is verified. The validity is verified here by checking whether or not the inputted administrator password matches the administrator password previously stored in the BIOS.
The ACPI BIOS 40 starts resume of the OS 60 (arrow i, step 112), and the OS 60 performs the resume process (no arrow, step 113). If it is determined in step 111 that the administrator password is valid, the device is set to be enabled / disabled.

  On the other hand, if it is determined in step 106 that a password is not required, the device driver 50 makes a request for setting whether or not the device can be used without going through the processes of suspending the OS 60, displaying the password prompt, and resuming the OS 60. This is transmitted to the SMI handler 30 (arrow j, step 114). In this case, the device can be used unconditionally.

After such processing, the device is set to be enabled / disabled as follows.
That is, first, the SMI handler 30 instructs the embedded controller 20 to set hardware (arrow k, step 115).
Thereby, the embedded controller 20 performs hardware setting (arrow l, step 116).
Next, the ACPI BIOS 40 informs the OS 60 of a change in the state of the device when a new system resource allocation is required due to the hardware setting (arrow m, step 117). As a result, the OS 60 allocates system resources to the device as necessary (no arrow, step 118).

In the present embodiment, as described above, a secure method is used for hardware control by the embedded controller 20. An example of this secure method will be described below. As a secure method, first, a general method such as an encryption method is conceivable. In the present embodiment, it is assumed that the method shown in FIG. 5 is used.
That is, in response to an instruction using the hot key 11 or the AP 70, a signal “SMI #” for shifting to SMM is sent to the CPU 101. In response to this, the CPU 101 sends a signal “SMMEM #” (also referred to as “SMMIACT #”) for switching the operation mode to SMM to the memory controller 102. “SMMEM #” is sent.
On the other hand, the embedded controller 20 communicates with the SMI handler 30 via a dedicated I / O port. Therefore, when using this port, by monitoring the signal “SMMEM #” from the CPU 101, it is possible to specify that the software module that is actually communicating is the SMI handler 30.
However, it is necessary to set so that the bus arbitration is not performed so that the embedded controller 20 does not receive a signal from the bus master.

Next, the processing of the embedded controller 20 in the method shown in FIG. 5 will be described with reference to the flowchart of FIG.
First, the embedded controller 20 receives a signal for instructing whether or not the device can be used (step 201). Here, it is not known whether the source of the signal is the SMI handler 30 or another program.
On the other hand, the embedded controller 20 monitors the signal “SMMEM #” for switching the operation mode to SMM, and determines whether or not “SMMEM #” has been received (step 202).
As a result, if it is determined that “SMMEM #” has not been received, a program other than the SMI handler 30 has transmitted a signal instructing whether or not the device can be used. finish. On the other hand, when it is determined that “SMMEM #” has been received, the SMI handler 30 has transmitted a signal instructing whether or not the device can be used. Impossibility is set (step 203).

  For FDD, the following method can also be adopted. That is, this is a method of monitoring the 3F2h, which is an I / O port to the FDD, and forcibly turning off the motor when it is detected that the motor is turned on through this port. If this method is adopted, no data will be released.

Finally, FIG. 7 shows the signal for securely controlling the device according to the present embodiment written in the hardware configuration diagram of FIG.
As shown in FIG. 7, a “SMI handler identification signal” is sent from the CPU 101 to the KMC / EC 116, so that the KMC / EC 116 receives an SMI from the program that is instructing control via the LPC bus 113. It recognizes that it is the handler 30 and sends a control signal to each device. Specifically, “FDD power supply control signal” for the power supply of the FDD, “card detection control signal” for the PC card, “USB power supply control signal” for the USB device, and “PCIe” for the PCIe device. Each of the “detection power control signals” is sent.

  In the present embodiment, the embedded controller 20 is assumed as hardware for controlling whether or not a device can be used. However, control means other than the embedded controller 20 may be used. In addition, although the hot key 11 is assumed as hardware for requesting control of whether or not the device can be used, any other hardware mechanism such as a button may be used. Furthermore, although the description has been made assuming that the device to be controlled is a writing device, the present invention can be applied to any device used in a computer.

As described above, this embodiment has a configuration in which control of whether or not a device can be used by the BIOS is performed through processes such as OS suspend, password input request, and validity verification of the input password. Adopted. With such a configuration, the problem of impairing availability when performing control by the BIOS while the OS is stopped and the problem of security problems when performing control by the BIOS while the OS is running are solved. .
In the present embodiment, by monitoring a signal for switching to SMM, the control instruction for the device is accepted only when it is determined that the program giving the control instruction for the device is the SMI handler. I am doing so. As a result, the device can be more securely realized.

It is the figure which showed the hardware constitutions of the computer system to which this invention is applied. It is the figure which showed the structure of the software in this Embodiment. It is the block diagram which showed the function structure of the computer system in this Embodiment. It is the flowchart which showed the processing operation of the computer system in this Embodiment. It is a block diagram for demonstrating the secure method in the case of controlling a device in this Embodiment. It is the flowchart which showed the processing operation of the embedded controller for implement | achieving the secure method in this Embodiment. It is the figure which showed on the hardware constitutions of the computer system to which this invention is applied the signal for controlling the device in this Embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 11 ... Hot key, 12 ... Display, 13 ... Device, 20 ... Embedded controller, 30 ... SMI handler, 40 ... ACPI BIOS, 50 ... Device driver, 60 ... OS, 70 ... AP, 101 ... CPU, 102 ... Memory controller

Claims (17)

An apparatus for controlling a device used in a computer,
Control means for performing control to enable or disable the device;
A program execution unit for executing a program having a proper authority to instruct the control unit to perform the control, which is a specific program that operates when the computer is in a specific operation mode;
Signal output means for outputting a signal indicating that the computer is in the specific operation mode;
The control unit performs the control when it is determined that the specific program instructs the control by monitoring the signal output by the signal output unit. Control device. The program execution means performs processing using a specific memory area when the computer is in the specific operation mode,
2. The device control apparatus according to claim 1, wherein the signal output unit outputs the signal for performing processing using the specific memory area to a memory controller.   3. The device control apparatus according to claim 2, wherein the control unit monitors the signal by receiving the signal output to the memory controller.   The device control apparatus according to claim 1, wherein the specific program functions as a program having the proper authority when a password input from the outside is valid.   The device control apparatus according to claim 4, wherein the specific program is included in a basic input output system (BIOS), and causes the password to be input in a state where an operating system (OS) is suspended. Control means for performing control to enable or disable the device;
And a BIOS for requesting input of a password after the OS is suspended in response to the control request and instructing the control means to perform the control when the input password is valid. And computer.   7. The computer according to claim 6, further comprising means for operating an application program for making the control request.   The computer according to claim 6, further comprising a hardware mechanism for performing the control request. The BIOS resumes the OS after entering the password,
The computer according to claim 6, wherein the OS allocates resources to the device as necessary.   The computer according to claim 6, wherein the control unit performs the control when a specific program in the BIOS instructs the control.   11. The control unit according to claim 10, wherein the control unit recognizes that the specific program has instructed the control by detecting a signal indicating that the specific program is operating. Computer.   The computer according to claim 10, wherein the specific program is a program for system management interruption. A method of controlling a device used in a computer,
A control means for performing control for enabling or disabling the device, receiving an instruction for the control; and
The control means monitors a signal indicating that the computer is in a specific operation mode, so that a specific program that operates when the computer is in the specific operation mode outputs the control instruction. Determining whether or not
And a step of performing the control when it is determined that the specific program is outputting the control instruction. A device control method comprising: When the computer is in the specific operation mode, processing is performed using a specific memory area,
The device control method according to claim 13, wherein the signal is a signal for performing processing using the specific memory area.   14. The device control method according to claim 13, wherein in the determination step, the signal is monitored by receiving the signal output to the memory controller.   14. The device control method according to claim 13, wherein the specific program outputs the control instruction when an externally input password is valid.   The device control method according to claim 16, wherein the specific program is included in the BIOS and causes the password to be input in a state where the OS is suspended.

Images