JP2009223729A - Method for authenticating physical presence based on tcg specification and computer - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an authentication method for acknowledging physical presence only when an authentic owner operates a platform. <P>SOLUTION: In this computer, a processor provided with a security chip 26 suitable for TCG (Trusted Computing Group) specifications, an organismic authentication unit 41 and a start button 101. A processor executes a CRTM (Core Root of Trust for Measurement) authentication code 121 to perform authentication. The depression of the start button determines whether the computer is subjected to a cold start from an S4 state or S5 state. The CRTM authentication code receives a result of organismic authentication performed by the organismic authentication unit 41. When the computer confirms that the cold start is performed and also that the organismic authentication is successful, a command indicating that physical presence is affirmative is sent to the security chip. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a technique for authenticating a physical presence based on TCG specifications, and more particularly to a technique for authenticating a physical presence only to a genuine user.

  In recent years, computers have come to handle a lot of important information related to commerce and privacy. Since a computer is used in a state where it is connected to a network or used in a mobile environment, it is exposed to a risk of attack or theft by software such as a computer virus or spyware. In order to build a reliable computer platform with a high security level, an industry group called TCG (Trusted Computing Group) has created and published specifications (Non-Patent Document 1 to Non-Patent Document 3). Non-Patent Document 1 can be obtained from the URL https://www.trustedcomputinggroup.org/specs/TPM/ on the Web.

  The TPM (Trusted Platform Module) defined in Non-Patent Document 1 is a security chip also called “TPM chip”, “Fritz chip”, “TPM Security Device” or the like, and is attached to a mother board of a computer. . The TPM has a function of verifying the validity of the platform and a function of checking the integrity of the software.

  Non-Patent Document 1 discloses that the TPM mounted on each computer cannot be ported to another computer, or that the computer does not start when the TPM is removed from the mother board. It defines how to build a reliable environment. In order to operate the TPM, the TPM is requested to input a secret character string (Shared Secret) indicating TPM ownership. In addition, for some privileged operations that are allowed based on TPM ownership, physical presence authentication is required.

  Non-Patent Document 1 defines two methods for proving a physical presence. One is a hardware method that is connected to the TPM and sets a flag inside the TPM by pressing a button formed on the platform. The hardware method can prove that the user who physically owns the platform is operating. The other is a command method performed by software in an environment that can prove that the user is operating at the same level as the hardware method. In the command method, a protected program called CRTM (Core Root of Trust for Measurement) is executed during bootstrapping before being connected to a network or running untrusted software.

  If the physical presence is affirmed and TPM ownership is authenticated, the user can use privileged commands for the TPM. The contents of the privileged command are described in Non-Patent Document 1. Non-Patent Document 2 and Non-Patent Document 3 describe the details of physical presence. Non-Patent Document 2 and Non-Patent Document 3 can be obtained from the website at the URL https://www.trustedcomputinggroup.org/specs/PCClient.

  Patent Document 1 discloses a technique for authenticating a physical presence related to TPM. In this document, a status register indicating how the power is turned on is provided on the motherboard, and the BIOS CRTM reads it and operates the power-on switch that is attached to the surface of the system. When it is determined that the TPM is, the privileged operation for the TPM is permitted.

Patent Document 2 discloses a technique for permitting a privileged operation on the TPM from a remote location. In this document, when the BIOS CRTM detects that a reliable OS is loaded, it is determined that the physical presence has been confirmed and notified to the TPM, and when not detected, the physical presence confirmation routine by the power switch Migrate to Patent Document 3 discloses a technique for authenticating a physical presence of a TPM for a user on a list when a biometric sensor and a processing unit are attached to a computer and a fingerprint matches.
US Pat. No. 7,269,747 US Patent Application Publication No. 2007/0192580 US Patent Application Publication No. 2007/0237366 TCG TPM Specification Version 1.2 Revision 103 TCG Physical Presence Interface Specification Version 1.0 TCG PC Specific Implementation Specification Version 1.1

  In the inventions described in Patent Document 1 and Patent Document 2, even if the computer is not the true owner, the physical presence is authenticated by pressing the power switch of an unspecified user in front of the computer. . These inventions are effective for illegally accessing the TPM via the network, but cannot cope with the case where the power switch of a stolen PC is pressed. Therefore, notebook personal computers (hereinafter referred to as notebook PCs) that are easily exposed to the risk of theft need to be further protected from unauthorized access to the TPM.

  The invention described in Patent Document 3 can prove that the user registered in the fingerprint authentication system swipes the fingerprint on the sensor, but when the fingerprint authentication processing unit itself is replaced or on the computer. It cannot cope with the case where the fingerprint authentication system is controlled by malicious software executed.

  Therefore, an object of the present invention is to provide an authentication method for affirming a physical presence only when a genuine owner is operating a platform. Furthermore, an object of the present invention is to provide a computer and a computer program for realizing such a method.

  The present invention relates to authentication of physical presence in a computer conforming to the TCG specification. The computer includes a security chip (TPM), a biometric authentication unit, and an activation button. When the start button is pressed, it means that the user who operates the computer physically controls the computer. The first nonvolatile memory stores a CRTM authentication code constituting the CRTM. The CRTM authentication code is executed before the OS starts operating at the cold start. The processor executing the CRTM authentication code refers to the first status register to confirm that the computer has been cold-started, and when the biometric authentication unit succeeds in biometric authentication, the physical presence is added to the security chip. Send a command indicating that is positive.

  Therefore, the physical presence can be asserted to the security chip only when a genuine user physically operates the start button of the computer. Conventionally, physical presence is affirmed when an unspecified user presses the start button. However, according to the present invention, physical presence can be affirmed under a condition in which security is further enhanced. . The processor can send biometric unit binding data to the security chip for the security chip to authenticate the biometric unit. Further, the processor can send a fingerprint ownership key stored by the security chip to the biometric unit for the biometric unit to authenticate the security chip when the binding data is valid.

  In this way, it is possible to authenticate that the relationship between the two is consistent in both directions, and the biometric authentication unit can be used safely for physical presence authentication. If the hardware logic circuit causes the biometric authentication unit to start biometric authentication when the activation button is pressed and the computer recognizes that it will cold start, the most secure hardware for biometric authentication Can be realized in the environment. At that time, the hardware logic circuit may set the PP bit.

  The hardware logic can present a prompt by a light emitting diode to input biometric information when the PP bit is set. When the CRTM authentication code is stored in a small boot block, maintenance is facilitated, but since an LCD that requires a large code cannot be used, the use of a light emitting diode is convenient.

  The hardware logic circuit can indicate to the user via a light emitting diode that the biometric unit has failed authentication. The user recognizes that the privileged command for the security chip cannot be used or the single sign-on cannot be used due to the failure of the biometric authentication. The hardware logic circuit sets the POP bit when the activation button is pressed and the computer cold starts and the mutual authentication between the biometric authentication unit and the security chip succeeds, and the processor sets the POP bit. A command can be sent to the security chip indicating that the physical presence is affirmed.

  The processor can send a command to the security chip indicating that the physical presence is denied when it determines that neither the PP bit nor the POP bit is set. The processor can execute a password authentication code stored in the first non-volatile memory when the POP bit is set to allow single sign-on. In this case, since the single sign-on is performed only when the physical ownership presence is authenticated, the security level can be improved as compared with the conventional case.

  If the processor clears the authentication result of the biometric unit before the operating system boots, the authentication result can be prevented from being stolen, so biometric authentication is used to authenticate the physical ownership presence. The security level of is improved. The first nonvolatile memory may be constituted by a boot block and a system block, and a CRTM authentication code may be stored in the boot block and a code for allowing single sign-on may be stored in the system block.

  According to the present invention, it is possible to provide an authentication method that affirms a physical presence only when a genuine owner operates a platform. Furthermore, the present invention can provide a computer and a computer program for realizing such a method.

[Overall hardware configuration]
FIG. 1 is a schematic block diagram showing a main hardware configuration of the notebook PC 10. The CPU 11 is an arithmetic processing unit having a central function of the notebook PC 10 and executes an operating system (OS), a BIOS, a device driver, an application program, or the like. The CPU 11 controls the north bridge 13 and each device connected to the north bridge 13 via various buses. The north bridge 13 is connected to the main memory 15, the video controller 17, and the south bridge 21, and has a memory controller function for controlling an access operation to the main memory 15, and between the CPU 11 and other devices. Includes a data buffer function to absorb the difference in data transfer speed.

  The video controller 17 includes a graphic accelerator and a VRAM, receives a drawing command from the CPU 11, generates an image to be drawn, writes the image to the VRAM, and sends the image read from the VRAM to the LCD 19 as drawing data. The main memory 15 is a random access memory used as a reading area for a program executed by the CPU 11 and a work area for writing processing data. The south bridge 21 has various standard interface functions, and is connected to a hard disk drive (HDD) 23, an Ethernet (registered trademark) controller 22, a fingerprint authentication module 41, and a wireless module 24. The south bridge 21 includes a status register 111 as shown in FIG. When transitioning the power state of the notebook PC 10, the power control software sets a bit indicating the power state of the transition destination and a bit indicating that the transition is executed in the status register 111. Since the bit of the status register 111 is maintained even when it is not in the power-on state, the transition source bit is set in the status register 111 when the notebook PC 10 transitions to the power-on state. Become.

  The HDD 23 stores known programs such as an OS, a device driver, and an application program. The Ethernet controller 22 is an expansion card for connecting to an Ethernet standard wired LAN, connected to the south bridge 21 via a PCI Express bus, and further connected to a connector called RJ45 attached to the casing of the notebook PC 10. Has been. The notebook PC 10 can receive a magic packet from the network via the Ethernet controller 22 in a predetermined power state, and can be activated by a so-called wake on LAN (WOL). The wireless module 24 is compatible with, for example, multi-input multiple-output (MIMO) wireless communication conforming to IEEE 802.11n, and is connected to the south bridge 21 via the PCI Express X1 bus or USB, such as WAN or LAN. Controls data communication with the wireless network.

  Further, the south bridge 21 is connected to a legacy device conventionally used for the notebook PC 10 or a device that does not require high-speed data transfer via the PCI bus or the LPC bus 25. The LPC bus 25 includes a security chip (TPM: Trusted Platform Module) 26, a BIOS_ROM 27, an embedded controller (EC) 29, a secure NVRAM 43, a keyboard / keyboard / A mouse controller 45 is connected.

  The security chip 26, BIOS_ROM 27, and secure NVRAM 43 will be described later with reference to FIG. 2, FIG. 4, and FIG. The EC 29 is a microcomputer composed of an 8 to 16 bit CPU, ROM, RAM, and the like, and further includes a multi-channel A / D input terminal, a D / A output terminal, a timer, and a digital input / output terminal. Yes. The EC 29 can execute a program related to management of the operating environment inside the notebook PC 10 independently of the CPU 11.

  The power controller 31 is connected to the EC 29 and the DC / DC converter 33 and controls the DC / DC converter 33 based on an instruction from the EC 29. The DC / DC converter 33 converts a DC voltage supplied from the AC / DC adapter 39 or the battery 35 into a plurality of voltages necessary for operating the notebook PC 10, and further, power defined according to the power state. Power is supplied to each device based on the supply category. When connected to the notebook PC 10, the AC / DC adapter 39 supplies power to the DC / DC converter 33 and the charger 37 that charges the battery 35.

  The notebook PC 10 supports an ACPI (Advanced Configuration and Power Interface) power saving function and a plug-and-play method. In ACPI, five sleeping states are defined. The S1 state to S3 state are states in which the time until activation is shortened. In the S1 state, the system context is maintained. The S2 state is the same as the S1 state except that the CPU 11 and system cache contexts disappear.

  In the S3 state, the context of the north bridge 13 and the south bridge 21 disappears in addition to the S2 state, but the storage of the main memory 15 is retained. The S3 state is called so-called suspend or suspend to RAM, and the notebook PC 10 turns off power to devices other than the main memory 15, the south bridge 21, the EC 29, and the Ethernet controller 22.

  The S4 state is the state that takes the longest time to start among the ACPI supported, and is called so-called suspend to disk or hibernation. When the notebook PC 10 transitions from the S0 state to the S4 state, the OS stores the context immediately before the notebook PC 10 in the HDD 23 and then turns off the power to devices other than the power controller 31. The S5 state is so-called soft-off, and is the same as the S4 state except that the OS does not store the context in the HDD 23. When the WOL is set in the S4 state and the S5 state, power is supplied to the Ethernet controller 22 and the south bridge 21 so that the magic packet can be received and activated.

  The S0 state is a power-on state. In the notebook PC 10, only the S0 state, the S3 state, and the S4 state are defined. In this embodiment, the S1 state and the S2 state are processed in the same manner as the S3 state, and the S5 state is processed in the same manner as the S4 state. Therefore, it explains including all the states.

  The EC 29 controls the DC / DC converter 33 via the power controller 31 to set the soft off state (S5), hibernation state (S4), and suspend state (S3) defined according to the power state of the notebook PC 10. ), Or a device that operates in accordance with each power supply state such as a power-on state (S0) can be selected to supply power. As shown in FIG. 6, the power controller 31 includes status registers 113 and 115 for setting a PP (Physical Presence) bit and a POP (Physical Ownership Presence) bit.

  The keyboard / mouse controller 45 provides an interface function for input from a keyboard 47 or a mouse (not shown). The fingerprint authentication module 41 is connected to the south bridge 21 by USB and further connected to the power controller 31. The fingerprint sensor 42 is a swipe type fingerprint sensor and generates a fingerprint image of the user. Each of the fingerprint authentication module 41 and the fingerprint sensor 42 is attached so as to be physically integrated with the casing of the notebook PC 10. The fingerprint module 41 will be described later with reference to FIG.

[Security chip configuration]
FIG. 2 is a block diagram showing the configuration of the security chip 26. The configuration of the security chip 26 is well known as described in Non-Patent Documents 1 to 3. The security chip 26 is connected to the mother board of the notebook PC 10 by soldering and cannot be moved to another computer. Even if the security chip 26 is moved to another computer, the computer does not operate.

  The security chip 26 is a validity verification function for verifying whether the platform is genuine and compliant with TCG, an integrity function for confirming that the hardware and software have not been tampered with, and an encryption stored inside. It has an encryption key protection function that prevents keys from being released to the outside, and various encryption processing functions. The platform refers to a collection of hardware resources and software resources for providing computer services.

  The interface 51 bi-directionally converts a protocol between the LPC bus 25 and the internal bus, and controls data transfer between each component inside the security chip 26 and the outside. The encryption coprocessor 53 performs encryption processing inside the security chip 26. The HMAC engine 55 calculates HMAC (Keyed-Hashing for Message Authentication code). The SHA-1 engine 57 calculates a hash value for a given value.

  The Opt-In 59 provides a mechanism for turning the security chip 26 on or off. The encryption key generation unit 63 generates a symmetric key and an asymmetric key used for encryption. The random number generator 65 generates a random number used inside the security chip 26. The power detection unit 67 manages the power state of the security chip 26 in cooperation with the power state of the platform. The execution engine 69 executes the command received from the interface 51.

[Configuration of fingerprint authentication module]
FIG. 3 is a block diagram showing the configuration of the fingerprint authentication module 41. The feature extraction unit 83 extracts the feature points by making the fingerprint image received from the fingerprint sensor 42 into a core line, and further quantifies the correlation between the extracted feature points to create collation fingerprint data. The template storage unit 87 stores authentic user verification fingerprint data registered in advance as a template. The collating unit 85 compares the collated fingerprint data generated by the fingerprint sensor 42 for authentication with the template, and determines that the authentication is successful when the matching point exceeds a predetermined score.

  The data storage unit 91 is a secure nonvolatile memory that stores the fingerprint ownership key 93, the authentication success flag 94, the binding data 95, the power-on password 96, the supervisor password 97, and the HDD password 98. . In order to rewrite the data stored in the data storage unit 91, the user needs to authenticate by the fingerprint module 41 or input a supervisor password before the OS starts operating. The input / output control unit 89 controls data transfer with the outside through the south bridge 21 and accesses the data storage unit 91. The input / output control unit 89 further sends a high / low binary signal to the power controller 31.

  The fingerprint ownership key 93 is a code associated with a template registered for each user. The authentication success flag 94 is set by the input / output control unit 89 when the verification unit 85 determines that the template 87 matches the verification fingerprint data. The binding data 95 is data associated with a registered user template. The power-on password 96 is a password required by the BIOS when starting the notebook PC 10. The supervisor password 97 is a password required by the BISO when changing the BIOS setting. The HDD password 98 is a password required by the BIOS to access the HDD 23.

[Configuration of BIOS_ROM 27]
FIG. 4 is a diagram showing the configuration of the BIOS_ROM 27. The BIOS_ROM 27 is a non-volatile memory that can electrically rewrite stored contents, and adopts a boot block method in order to reduce the risk associated with rewriting. The boot block 27a is a storage area that is write-protected, and the program (also referred to as code or instruction) stored here is treated as a CRTM defined in the TPM specifications and cannot be rewritten without special authority. It is like that.

  The CRTM is configured as a consistent part of the platform initialization code and must be executed first whenever the platform is reset. CRTM is first executed when the notebook PC is cold booted from the S4 state or the S5 state to the S0 state. All consistency measurements for the laptop 10 platform are based on this CRTM.

  In the boot block 27a, the CRTM authentication code 121 for authenticating the physical presence according to the present embodiment and the minimum other code 123 are stored as CRTM. The other code 123 tests and initializes the CPU 11, the main memory 15, the south bridge 21, the fingerprint authentication module 41, and the security chip 26, which are the minimum hardware necessary for physical presence authentication. Includes functions to perform. Further, the other code 123 includes a function necessary for rewriting the BIOS_ROM 27.

  The system block 27b stores code responsible for BIOS functions that are not executed by the other code 123. The consistency of the code stored in the system block 27b is calculated based on the CRTM stored in the boot block 27a. A POST (Power-On Self Test) 125 performs hardware testing and initialization, and a peripheral device control code 127 controls input / output for accessing the LCD 19, HDD 23, keyboard 47, and the like under the control of the BIOS. To do. The utility 129 manages the power source and the temperature in the housing. The password authentication code 131 authenticates the power-on password, the supervisor password, and the HDD password. The password authentication code 131 further performs a process for the user to set whether or not to validate the physical ownership presence according to the present invention and single sign-on authentication.

  As shown in FIG. 4B, the BIOS_ROM 27 can collectively write protect the entire program stored in the CRTM. In this case, the size of the CRTM becomes large and updating the BIOS_ROM 27 becomes complicated. However, in this embodiment, when the physical presence is authenticated, the LCD 19 is used to provide a prompt with a larger amount of information than the diode. There is merit that we can do.

[Configuration of secure NVRAM]
FIG. 5 is a diagram showing a configuration of the secure NVRAM 43. The secure NVRAM 43 is a non-volatile memory with restricted access under the OS environment. The secure NVRAM 43 stores a POP authentication valid flag 151, a power-on password 153, and a supervisor password 155 indicating that the user has set the physical ownership presence authentication to be valid. The POP authentication valid flag 151 is used to authenticate the physical ownership presence according to the present invention by the password authentication code 131 stored in the system block 27b of the BIOS_ROM 27 at the initial stage after the notebook PC 10 is activated. Or based on the selection result of whether to authenticate the physical presence as before.

[Functional configuration to realize physical presence]
FIG. 6 is a functional block diagram showing a hardware and software configuration related to physical presence authentication. The start button 101 is attached to the casing of the notebook PC 10 so as to be physically integrated, and only a user who physically controls the notebook PC 10 can press it. When the start button 101 is pressed, a start signal can be sent to the power controller 31. When the power controller 31 receives the activation signal from the activation button 101 through the line 102, the power controller 31 controls the DC / DC converter 33 to supply power to each device of the notebook PC 10 in a predetermined sequence and shift to the S0 state.

  One terminal of the switch 103 is connected to the activation button 101, and the other terminal of the switch 103 is connected to the power controller 31. The control terminal of the switch 103 is connected to the south bridge 21. The switch 103 is controlled to be turned on / off based on the value of the status register 111 of the south bridge 21. One terminal of the switch 105 is connected to the DC / DC converter 33, and the other terminal of the switch 105 is connected to the fingerprint authentication module 41. One terminal of the switch 107 is connected to the DC / DC converter 33, and the other terminal is connected to the light emitting diode 109. Control terminals of the switches 105 and 107 are connected to the power controller 31. The light emitting diode 109 is attached to the casing of the notebook PC 10 in the vicinity of the fingerprint sensor 42. The CRTM authentication code 121 or the password authentication code 131 is executed by the CPU 11 to access the power controller 31, the fingerprint authentication module 41, the south bridge 21, and the security chip 26 to authenticate the physical presence.

[Power State]
FIG. 7 is a diagram for explaining a power state transition method for power-on and related operations in the notebook PC 10. FIG. 7 shows a case of transition from any of the S1 state to S5 state to the S0 state. Pressing of the start button 101 can be executed from any power state. In WOL, it can be executed in cases other than the transition from the S5 state. Pressing the function key (Fn key) of the keyboard 47 can be executed in cases other than the transition from the S4 state or the S5 state.

  The CRTM authentication code 121 and other codes 123 of the boot block 27a are executed before the boot of the OS starts only when the S4 state or the S5 state transits to the S0 state. Transition from the S4 state or S5 state to the S0 state is referred to as cold start or cold boot, and transition from another power state to the S0 state is referred to as warm start or warm boot. As will be described later, the PP bit is set in the status register 113 only when the start button 101 is pressed to cold start.

[Authentication method of physical presence]
Next, a physical presence authentication method will be described with reference to FIGS. FIGS. 8 to 10 are flowcharts showing authentication procedures based on the software and hardware shown in FIGS. FIG. 8 shows a procedure for fingerprint authentication under a hardware environment, FIG. 9 shows a procedure for authentication of physical presence and physical ownership presence using the CRTM authentication code 121, and FIG. 10 shows a password authentication code. 131 shows a single sign-on authentication procedure according to 131.

  In block 200 of FIG. 8, the notebook PC 10 transitions from one of the power states shown in FIG. 7 to the power-on state (S0 state) by pressing the activation button 101, WOL, or the Fn key of the keyboard 47. Block 201 indicates that the process proceeds to block 203 when the power is turned on by the start button 101, and the process proceeds to reference symbol A when the power is turned on by other triggers.

  When the start button 101 is pressed, the notebook PC 10 transitions from any of the S1 state to S5 state to the S0 state. When the start button 101 is pressed and a start signal is received through the line 102, the power controller 31 controls the DC / DC converter 33 to supply power to each device. The south bridge 21 refers to the status register 111 and turns on the switch 103 only during a cold start. When the activation button 101 is pressed while the switch 103 is on, a PP bit setting signal is sent to the power controller 31 via the line 104.

  In the case of a cold start, the south bridge 21 places the CPU 11 in an idle state until fingerprint authentication after block 205 is completed. In block 203, when the PP bit setting signal is received through the line 104, the hardware logic circuit of the power controller 31 determines that the notebook PC 10 has been cold-started by pressing the start button 101, and the status in block 204. The PP bit is set in the register 113, and the switch 107 is turned on / off in block 205 to cause the light emitting diode 109 provided near the fingerprint sensor 42 to blink to generate a prompt for the user to swipe the finger. Further, the power controller 31 turns on the switch 105 to supply power to the fingerprint authentication module 41 to cause the user to start fingerprint authentication.

  Since the CPU 11 is in an idle state at this time, it is impossible to execute a program and prompt the LCD 19 to input a fingerprint. Even if the CPU 11 is operated to execute CRTM, the BIOS_ROM 27 adopts the boot block method, so that the LCD 19 does not operate until the code of the system block 27b is executed. Accordingly, in block 205, the light emitting diode 109 is blinked in order to prompt the user to swipe the finger by means other than the LCD 19.

  However, as shown in FIG. 4B, if all codes stored in the BIOS_ROM 27 are converted to CRTM, a prompt for swiping a finger can be displayed on the LCD 19 at this time. If the power controller 31 does not receive the PP bit setting signal in block 203, the notebook PC 10 has been warm-started by pressing the start button 101, and the PP bit is not set and the process proceeds to reference symbol B. It is processed. Since the CRTM authentication code 27a is not executed during a warm start, the physical presence is not authenticated.

  In block 205, the user swipes his finger on the fingerprint sensor 42. The fingerprint authentication module 41 compares the user's template registered in advance in the template storage unit 87 in block 207 with the verification fingerprint data extracted from the input fingerprint, and performs fingerprint authentication. When the fingerprint authentication is successful, the input / output control unit 89 sets the authentication success flag 94 in the data storage unit 91, terminates the fingerprint authentication in block 211, and is configured with a high / low binary value in the power controller 31. Send an end signal. Receiving the end signal, the power controller 31 stops the light emitting diode 109 from blinking. Since this end signal is generated only by hardware and sent without software, the level of security can be maintained high.

  The collation unit 85 shifts to block 209 to send a signal indicating an authentication failure to the power controller 31 when the input fingerprint image does not match the template even after a predetermined number of collations, and when time-out occurs. Recognizing that the authentication has failed, the power controller 31 turns on / off the switch 107 and causes the light emitting diode 109 to blink at a different period from the blinking of the block 205 for a predetermined time. 107 is turned off, the blinking of the light emitting diode 109 is stopped, and the process proceeds to reference symbol A. At this time, the power controller 31 may turn off the switch 105 in order to prevent the fingerprint authentication module 41 from performing subsequent fingerprint authentication. The procedure from block 203 to block 211 is safe because the fingerprint authentication module 41 is controlled only by the hardware logic circuit, and the operation of the fingerprint authentication module 41 is not controlled by tampered software or spyware. is there.

  Subsequently, the description proceeds to FIG. FIG. 9 begins with reference symbols A and B in FIG. Receiving the signal from the fingerprint authentication module 41 in block 211 and recognizing that the fingerprint authentication is completed, the south bridge 21 sends a signal to the CPU 11 operating in the idle state to start the operation. The first pointer executed by the CPU 11 is set with the start address of the CRTM stored in the boot block 27a, and testing and initialization of main chips such as the CPU 11, the north bridge 13, and the south bridge 21 are performed. After completing the above, the CPU 11 starts executing the CRTM authentication code 121.

  In block 213, the CRTM authentication code 121 refers to the status register 111 of the south bridge 21 to determine whether the notebook PC 10 has been cold started or warm started. The TCG specification defines a physical method, a command method, and a method of combining them in order to authenticate a physical presence that a user actually exists in front of the platform. The physical method is a method of sending a signal directly from a switch or jumper provided on the platform to the TPM. The command method is a method in which the CRTM sends a signal to the TPM before the PC is turned on and control is transferred to the OS.

  In the present invention, as described below, the CRTM authentication code 121 controls the PP bit setting signal generated by pressing the start button 101, the fingerprint authentication module 41, the power controller, and the south bridge 21 to control the physical presence. Authenticate. When the CRTM authentication code 121 determines in block 213 that the notebook PC 10 has warm-started, the process proceeds to block 227. When the CRTM authentication code 121 determines in block 213 that the notebook PC 10 has been cold-started, the process proceeds to block 215.

  In block 215, the CRTM authentication code 121 determines whether the physical ownership presence authentication is set to be valid with reference to the POP authentication valid flag 151 of the secure NVRAM 43. If the POP authentication valid flag 151 is set in the NVRAM 49 so that the user does not authenticate the physical ownership presence, the process proceeds to block 219 in order to authenticate the physical presence by the conventional method.

  In block 219, the CRTM authentication code 121 refers to the status register 113 of the power controller 31 to determine whether the PP bit is set. When a cold start is made by pressing the start button 101, the PP bit is set in the status register 113 in block 203, the physical presence is affirmed, and the flow proceeds to block 225. When a cold start is made by WOL, the PP bit is not set in the status register 113, so that the physical presence is denied and the process proceeds to block 227.

  Returning to block 215, if the POP authentication valid flag 151 is set in the NVRAM 49 so that the user authenticates the physical ownership presence, the process proceeds to block 216, where the CRTM authentication code 121 is sent to the status register. Referring to 113, it is determined whether or not the PP bit is set. If the PP bit is not set, the process proceeds to block 227 because the activation is based on WOL. If the PP bit is set, the process goes to block 217 to authenticate the fingerprint authentication module 41 by the security chip 26. The CRTM authentication code 121 requests the binding data 95 from the fingerprint authentication module 41. When the authentication success flag 94 indicating that the fingerprint authentication is successful in the block 207 is set, the input / output control unit 89 of the fingerprint authentication module 41 extracts the binding data 95 from the data storage unit 91 and performs CRTM. Passed to the authentication code 121. The CRTM authentication code 121 sends the binding data 95 to the security chip 26. If the authentication success flag 94 is not set, the input / output control unit 89 does not pass the binding data 95 to the CRTM authentication code 121, so that the block for processing that the physical ownership presence authentication has failed. 227. The security chip 26 stores the received binding data 95 in an internal PCR (Platform Configuration Register) in block 221.

  The security chip 26 that has received the binding data 95 calculates a hash value of the binding data 95 stored in the PCR and compares it with the binding data of the fingerprint authentication module 41 that has been pre-hashed and registered in the PCR. If the two match as a result of the comparison, the security chip 26 sends the fingerprint ownership key stored therein to the CRTM authentication code 121. If they do not match, the security chip 26 sends the fingerprint ownership key to the CRTM authentication code 121. Do not send to. If the CRTM authentication code 121 receives the fingerprint ownership key from the security chip 26, it sends it to the fingerprint authentication module 41 and proceeds to block 221. Otherwise, the physical ownership presence authentication failed. Proceed to block 227 for processing as a thing.

  The fingerprint ownership key is a value corresponding to the template of the fingerprint image generated by the fingerprint sensor 42 for registration, and the same value is also stored in the data storage unit 91 of the fingerprint authentication module 41. In block 221, the fingerprint authentication module 41 determines whether or not the fingerprint ownership key sent from the security chip 26 by the CRTM authentication code 121 matches the fingerprint ownership key 93 stored in the data storage unit 91. The input / output control unit 89 determines. If they match, the physical ownership presence is affirmed, and the input / output control unit 89 of the fingerprint authentication module 41 sends a high / low binary signal to the status register 115 of the power controller 31 to send POP. Set the bit. The fingerprint authentication module 41 improves the security level by setting the POP bit without using software.

  In block 217 and block 221, when either or both are maliciously reassigned from the platform by authenticating each other in both directions between the fingerprint authentication module 41 and the security chip 26 Makes sure that physical ownership presence can be denied. In block 225, when the POP authentication valid flag 151 is set in the secure NVRAM 43 and the POP bit is set in the status register 115, the POP authentication valid flag 151 is not set in the secure NVRAM 43, and the status The CRTM authentication code 121 that detects one of the cases where the PP bit is set in the register 113 sends a command TSC_PhysicalPresencePresent to the security chip 26. The security chip 26 that has received the command internally sets the TPM_PhysicalPresence flag to affirmative (true).

  In this case, the TPM_PhysicalPresence flag is set to affirmative (true) in two cases. When the POP bit is set in block 223, the physical ownership presence according to the present invention is affirmed, and the user whose fingerprint is registered as the owner in advance presses the start button 101 to start the notebook PC 10 become. If it is determined in block 219 that only the PP bit is set, the physical presence is affirmed by the conventional method, and an unspecified user presses the start button to start the notebook PC 10. .

  However, even if the TPM_PhysicalPresence flag is set to affirmative after any process, the security chip 26 permits the execution of the privilege command of the same level at that time. The privileged command clears information indicating the existing owner from the security chip 26, temporarily deactivates the security chip 26, and disables the security chip 26. Including that. The specific contents of the privileged command are described in Non-Patent Document 1.

  In block 227, either the POP authentication valid flag 151 is set in the secure NVRAM 43 and the POP bit is not set in the status register 115 or the PP bit is not set in the status register 113. The detected CRTM authentication code 121 sends a command TSC_PhysicalPresenceNotPresent to the security chip 26, and sets the TPM_PhysicalPresence flag to negative (false).

  In this case, the security chip 26 does not allow privileged commands. When the setting of the TPM_PhysicalPresence flag is completed in block 225 or 227, the process proceeds to block 229, and POST 125 stored in the system block 27b is executed. The subsequent procedure will be described with reference to FIG. FIG. 10 begins with reference C in FIG.

  In block 231, the password authentication code 131 stored in the system block 27 b is executed following or during the execution of the POST 125. At this point, the LCD 19 and the keyboard 47 can be used through the BIOS screen. In block 233, the password authentication code 131 inquires of the fingerprint authentication module 41 whether or not the fingerprint authentication is successful at the current activation. The input / output control unit 89 refers to the authentication success flag 94 in the data storage unit 91 and notifies the password authentication code 131 of the result.

  The password authentication code 131 proceeds to block 235 when it is determined that the fingerprint authentication has succeeded in this activation, and proceeds to block 247 when it is determined that the fingerprint authentication has failed. In block 235, the password authentication code 131 determines whether the POP bit is set in the status register 115. When the POP bit is set, the process proceeds to block 237, and when the POP bit is not set, the process proceeds to block 247.

  In block 237, the password authentication code 131 obtains the power-on password 96, the supervisor password 97, and the HDD password 98 from the data storage unit 91 of the fingerprint authentication module 41. The password authentication code 131 compares the power-on password 153, supervisor password 155, and HDD password obtained from the HDD 23 stored in the NVRAM 43 at block 239 and completes these authentications without user intervention. A method of performing a plurality of individual authentications performed by the user at this time is referred to as single sign-on (SSO). Individual authentication requires separate authentication for the purpose of strengthening security, but it cannot be denied that the user is bothered.

  Therefore, user convenience can be improved by single sign-on, but when it is recognized, it is necessary to prevent the security level from being lowered as compared with individual authentication. The single sign-on at block 239 is performed under the condition that physical ownership presence is affirmed, and the security level is higher than the conventional single sign-on. .

  In block 241, the password authentication code 131 resets the PP flag and POP flag of the status registers 113 and 115, and further requests the fingerprint authentication module 41 to reset the authentication success flag 94 of the data storage unit 91. . Upon receiving this request, the input / output control unit 89 resets the authentication success flag 94. In block 243, the password authentication code 131 sends a command TSC_PhysicalPresenceNotPresent to the security chip 26 to set the TPM_PhysicalPresence flag to negative, and further sends a command TSC_PhysicalPresenceLock to prevent the TPM_PhysicalPresence flag from being rewritten.

  Thereafter, booting of the OS is started in block 245, but the security chip 26 does not permit the privileged command thereafter, and does not accept the command TSC_PhysicalPresencePresent. The locked state of the TPM_PhysicalPresence flag is released every time the notebook PC 10 is cold started. In blocks 247 to 251, since single sign-on is not permitted, the user inputs a power-on password, a supervisor password, and an HDD password from the keyboard in response to a request for the password authentication code 131 by individual authentication. The physical ownership presence according to the present invention can use a biometric authentication unit using other biometric information such as a palm, retina, iris, voice, or vein instead of the fingerprint authentication unit.

  Although the present invention has been described with the specific embodiments shown in the drawings, the present invention is not limited to the embodiments shown in the drawings, and is known so far as long as the effects of the present invention are achieved. It goes without saying that any configuration can be adopted.

It is a schematic block diagram which shows the structure of the main hardware of a notebook PC. It is a block diagram which shows the structure of a security chip. It is a block diagram which shows the structure of a fingerprint authentication module. It is a figure which shows the structure of BIOS_ROM. It is a figure which shows the structure of secure NVRAM. It is a functional block diagram which shows the structure of the hardware and software relevant to the authentication of physical presence. It is a figure explaining the transition method and related operation | movement of the power state of notebook PC. It is a flowchart which shows the authentication procedure of physical presence. It is a flowchart which shows the authentication procedure of physical presence. It is a flowchart which shows the authentication procedure of a single sign on.

Explanation of symbols

26 ... Security chip 41 ... Fingerprint authentication module 101 ... Start button 103, 105, 107 ... Switch with control terminal 109 ... Light emitting diode 111, 113, 115 ... Status register

Claims (20)

A computer conforming to the TCG specification,
Security chip,
An activation button attached to the computer;
A first non-volatile memory storing a CRTM authentication code;
A processor for executing the CRTM authentication code;
A first status register for storing the power state of the computer;
A biometric authentication unit attached to the computer,
The processor executes the CRTM authentication code before the operating system is executed when the start button is pressed and refers to the first status register to confirm that the computer is cold started. And a computer that sends a command indicating that a physical presence is affirmed to the security chip when the biometric authentication unit succeeds in biometric authentication.   The computer according to claim 1, wherein the processor sends binding data from the biometric unit to the security chip for the security chip to authenticate the biometric unit.   The processor sends a fingerprint ownership key stored in the security chip to the biometric unit when the binding data is valid for the biometric unit to authenticate the security chip. The listed computer.   A hardware logic circuit that sets a PP bit when the computer is cold-started when the activation button is pressed, and the hardware logic circuit sends a biometric authentication unit to the biometric authentication unit when the PP bit is set The computer according to any one of claims 1 to 3, wherein authentication is started.   5. The computer according to claim 4, wherein the hardware logic circuit presents a prompt by a light emitting diode for inputting biometric information when the PP bit is set.   The computer according to claim 5, wherein the hardware logic circuit presents to the user by a light emitting diode that the biometric authentication unit has failed authentication.   The hardware logic circuit sets a POP bit when the activation button is pressed to cold start the computer and successful mutual authentication between the biometric unit and the security chip, and the processor 7. The computer according to claim 4, wherein when the POP bit is set, a command indicating that a physical presence is affirmed is sent to the security chip.   8. The processor according to any one of claims 4 to 7, wherein when the processor determines that neither the PP bit nor the POP bit is set, the processor sends a command indicating that a physical presence is denied to the security chip. Computer.   9. The computer of claim 8, wherein the processor executes a password authentication code stored in the first non-volatile memory and permits single sign-on when the POP bit is set.   The computer according to any one of claims 1 to 9, wherein the processor clears an authentication result of the biometric unit before booting of the operating system starts.   The computer according to any one of claims 1 to 10, wherein the first nonvolatile memory includes a boot block and a system block, and the CRTM authentication code is stored in the boot block.   The computer according to claim 11, wherein the password authentication code is stored in the system block. In a computer comprising a biometric authentication unit, an activation button, and a security chip that conforms to TCG specifications, a processor executes a CRTM authentication code to authenticate a physical presence,
Determining whether the computer is cold started by pressing the start button;
The biometric authentication unit performs biometric authentication;
And a step of sending a command indicating that a physical presence is affirmed to the security chip when the computer is cold-started by pressing the start button and the biometric authentication is successful.   14. The method of performing mutual authentication between the biometric authentication unit and the security chip using binding data stored in the biometric authentication unit and a fingerprint ownership key stored in the security chip. Authentication method described in.   14. A step of displaying a prompt for a user to input to the biometric unit when the hardware logic of the computer recognizes that the computer has been cold started by pressing the activation button. Item 15. The authentication method according to Item 14.   The authentication method according to claim 14 or 15, further comprising the step of recognizing that the step of performing the biometric authentication is completed, and the hardware logic circuit stops the operation of the biometric authentication unit. Enabling or disabling physical ownership presence authentication;
Determining whether the computer has been cold-started by pressing the activation button when physical ownership presence authentication is disabled;
The authentication method according to claim 13, further comprising a step of sending a command indicating that a physical presence is affirmed to the security chip when it is determined that the cold start has occurred.   Performing a single sign-on for a power-on password, a supervisor password, and a hard disk password when the activation button is pressed and the computer is cold started and the biometric unit is successful in biometric authentication The authentication method according to any one of claims 13 to 17, further comprising:   The authentication method according to claim 13, further comprising a step of sending a command indicating that the physical presence is denied to the security chip before an operating system boots. In a computer equipped with a security chip, a biometric authentication unit and a start button that meet the TCG specifications,
A function of determining whether or not the computer is cold-started by pressing the start button;
A function of causing the biometric authentication unit to perform biometric authentication;
A computer constituting a CRTM that realizes a function of sending a command indicating that a physical presence is affirmed to the security chip when the computer is cold-started by pressing the start button and the biometric authentication is successful. ·program.

Images