JPH07104882A - Portable computer system - Google Patents

Abstract

PURPOSE:To provide a device access right for an externally connected FDD and to provide an information security function at the external FDD for arbitrarily setting the permission/inhibition of use, concerning a portable computer system equipped with an external equipment connecting port for connecting the external FDD. CONSTITUTION:When an inputted password matches with any one of registered passwords, the access right registered on that password is set to a security register 100, when a bit provided for the security register 100 for setting the FDD access right is set, a gate for the respective motor-on signals (MOTON) of the external FDD connected to an internal FDD 45 and a printer port 43 is canceled, and the respective devices of the internal FDD 45 and the external FDD can be accessed.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a portable computer system having an external device connection port to which an external floppy disk drive can be connected, and more particularly, to an external floppy disk drive by giving a device access right to the externally connected floppy disk drive. The present invention relates to a portable computer system having an information security function in which use permission / prohibition of a disk drive can be arbitrarily set.

[0002]

2. Description of the Related Art In recent years, personal computers have become smaller and lighter, are more easily carried, and have higher performance and higher functionality. Particularly, in recent years, storage devices such as HDDs (hard disk devices) and RAM packs have increased in capacity, and battery-operable small personal computers such as laptop type and book type have become widespread.

This type of personal computer is characterized in that it is easy to carry and can be used easily by a simple operation in any place. Therefore, it is necessary to give sufficient consideration to the security function.

As a means for realizing this type of security function, a security mechanism based on password verification has heretofore been widely used. As a kind of this kind of security mechanism, a system having a password registration means capable of setting a plurality of passwords and an access right definition means for defining a unique access right for each of the registered passwords has been developed.

The access right includes a system access right for updating a specific memory, a password and a system access right for updating access, and a device access right for specifying a usable device.

On the other hand, in a personal computer that is easy to carry, in order to enhance the system function, generally,
The system body has an external device connection port to which an external floppy disk drive can be connected.

Conventionally, in this kind of personal computer, no measures have been taken regarding the security against access to the external floppy disk drive. Therefore, the information in the personal computer is externalized by using the floppy disk as a medium. Could be leaked to a third party.

[0008]

As described above, conventionally, no measures have been taken for security against access to an external floppy disk drive, and therefore, a personal computer using an externally connected roppy disk as a medium. There was a risk that the information inside would be leaked to an external third party.

The present invention has been made in view of the above circumstances,
In a portable computer system having an external device connection port to which an external floppy disk drive can be connected, the external floppy disk drive is given device access rights, and the external floppy disk drive is allowed / prohibited for use. An object of the present invention is to provide a portable computer system having an information security function that can be set arbitrarily.

[0010]

According to the present invention, in a portable computer to which an external floppy disk drive can be connected, an external floppy disk drive is provided with a floppy disk access right for enabling or disabling the floppy disk drive. When not connected, only the internal floppy disk drive can be enabled or disabled, and when an external floppy disk drive is connected, both the connected external floppy disk drive and internal floppy disk drive can be used or It is characterized by realizing an information security function that can be prohibited.

[0011]

In a portable computer to which external and internal floppy disk drives (hereinafter referred to as FDD) can be connected, when the user uses the password and sets the FDD access right to "permitted" on the setup screen or the like, “1” indicating access permission is set in a bit (bit 3) unique to the FDD access right of the security register provided in the device. By the access permission bit (“1”) associated with the setting of this FDD access right, the external FD is
The drive gates of the D motor and the internal FDD motor are released, and the external FDD and the internal FDD can be accessed.

When the FDD access right is set to "prohibit", "0" indicating access prohibition is set in the bit (bit 3) peculiar to the FDD access right of the security register. By the access prohibition bit (“0”) associated with the setting of the FDD access right, the drive gates of the external FDD motor and the internal FDD motor are closed, and the access of the external FDD and the internal FDD is prohibited. Therefore, in this case, even if an external floppy disk drive is connected to the portable computer main body, the external FDD floppy disk drive cannot be used and internal information can be prevented from leaking to the outside.

In the password registration process, the input maintenance password, user password, access right, operation password, etc. are written in a predetermined format.
It is set in the EPROM (see reference numeral 29 in FIG. 7). At this time, the settable access right includes a system access right that can update a specific memory, a system access right that can update a power-on password, and a device access right that specifies an available device. The set device access right includes the device access right of the FDD that selectively enables the use of the internal FDD and the external FDD.

After the access right is set, when the password key input is accepted and the password input is completed, the input passwords include a plurality of passwords (# 1 to # 1).
#N) is compared, and the result is compared. When the password matches any of the passwords (# 1 to #n), the access right (see FIGS. 5 and 6) registered in the matched password (#i) is set in the security register (see FIGS. 6 and 7). Set the input match response to the main CP
Output to U. When a bit in the security register is set, the gate corresponding to that bit opens, allowing access to the previously associated device. For example, if the bit for setting the device access right of the FDD provided in the security register is set, the internal F
The gates of DD and external FDD (see FIG. 7) are opened, and F
The DD motor-on signal (MOTON) can be input to the internal FDD and external FDD through the above gates.
The internal FDD and the external FDD can be accessed.

[0015]

Embodiments of the present invention will be described below with reference to the drawings. FIG. 1 is a block diagram showing the basic structure of the essential parts of a security mechanism according to an embodiment of the present invention.

In FIG. 1, reference numeral 1 denotes a password control means having a password registration / management and check function, which is used to register a maintenance password (for example, up to two) and a user password (for example, up to four). It has an update process, a password check process by comparing the registered password with the input password, and a hardware setting process function of an access right associated with the password match.

Reference numeral 2 is management (control) of the password control means 1.
It is a password storage means placed below, and a maintenance password and a user password are registered and updated under the control of the password control means 1. Here, a maximum of two passwords for maintenance, for general users are used. Up to four passwords can be set for each password, and each password is given a unique access right.

In the above structure, the password control means 1
Follows the command (password control command) by receiving the command generated in the setup process or the specific MS-DOS command, for example.
Register, update, or check the maintenance password and user password.

In the registration processing of the maintenance password and the user password according to the password control command, the password control means 1 registers the input maintenance password and user password together with the access right in the password storage means 2. At this time, a maximum of two maintenance passwords and a maximum of four user passwords can be registered. Each password has its own access right (system password for maintenance password, device access right for user password). ) Is set and given.

Further, the password control means 1 accesses the password storage means 2 in the check processing of the maintenance password and the user password according to the above command, compares the entered password with the registered password, Check the validity of the input password.
In this password check, if the password that matches the password is for maintenance, the function setting information (access right for maintenance) that gives a wide range of authority including specific functions specific to the maintenance is passed to the hardware control unit. When the matched password is for the user, the predetermined function setting information (user access right) permitted only to the user is passed to the hardware control unit. The hardware control unit controls the hardware according to the access right, and if the access right is for maintenance, for example, by releasing the memory by the privilege, B
The flash memory storing the IOS can be rewritten, the password and the access right registered in the password storage unit 2 can be updated, and the access right for the user is, for example, HDD, FDD, serial port, printer port. , PCMCIA specification card, SC mounted inside
Various device accesses such as SI (built-in SCSI hardware) are optionally enabled (released).

As described above, since a unique password can be set for each of the maintenance password and the user password, and the system function associated with the maintenance password match and the system password associated with the user password match can be made different. A system function (release function) associated with matching of user passwords can be arbitrarily specified, maintenance can be facilitated, confidential information leakage can be prevented, and a highly reliable security function can be realized.

The security function described above is implemented by SCSI.
2 to 9 are specific examples of implementation of the present invention applied to a laptop type or notebook type portable computer system incorporating (dedicated hardware for implementing the SCSI interface function) (standard equipment). Explain.

FIG. 2 is a block diagram showing a system configuration, FIG. 3 is a block diagram showing a partial bus connection configuration in FIG. 2, and FIG. 4 is a PCMCIA-GA (P) shown in FIGS. 2 and 3.
3 is a block diagram showing an internal configuration of a CMCIA gate array) 26. FIG.

In FIG. 2, the password control means 1 shown in FIG. 1 includes a keyboard controller (KBC) 30 and
PCMCIA Gate Array (PCMCIA / GA) 28
The password storage means 2 is implemented by a PCMCIA gate array (PCMCI).
A / GA) 28 via keyboard controller (KB
C) It is realized by the EEPROM 29 directly connected to 30. At this time, the command / parameter transfer from the CPU 21 to the keyboard controller (KBC) 30
And keyboard controller (KBC) 30 to CPU
Transfer of response (data / status) to 21
Status LCD control gate array (SLCD
C / GA) 26 data communication register, PCMCIA gate array (PCMCIA / GA)
Data and addresses are transferred between the EEPROM 28 and the EEPROM 29 via a dedicated line.

The portable computer in this embodiment is a system bus (ISA-BUS) 1 of ISA specification.
1, a peripheral interface bus (PI-BUS) 12 for high-speed graphic transfer, a keyboard interface bus (KBC-BUS) 13, a power supply interface bus (PSC-BUS) 14, and the like.

The system bus (ISA-BUS) 11 includes a CPU 21 and an I / O controller (I / O-C).
ONT) 22 is connected. The CPU 21 controls the entire system and executes the processing target program stored in the system memory 23. Here, a password control command (power-on password status command / power-on password mode command / operation lock password) is used in initialization processing (IRT processing), resume processing, operation lock release processing, etc. accompanying system power-on. (Status command / operation lock password mode command, etc.) is issued, and the keyboard controller (KB) is passed through the data communication register (CR) of the status LCD control gate array (SLDCCC / GA) 26 shown in FIG.
C) Has processing means for sending to 30. The details of the password control command will be described later.

At this time, the CPU 21 sends a password registration confirmation command (power-on password status command) to the status LCD control gate array (SLDCC / GA) shown in FIG. 3 in the initialization processing (IRT processing) at system power-on. ) Keyboard controller (KBC) 3 via 26 data communication register (CR)
Send to 0. When it is confirmed that the password is registered (the number of registered passwords ≠ 0) from the response contents (the number of registered passwords) from the keyboard controller (KBC) 30 accompanying this command issuance, the password input message data is converted to VGA by the BIOS call. Send the password input message to the controller 32 and enter LC
The power-on password mode command is displayed on the D panel 49 and the status LCD control gate array (S
LCDC / GA) 26 data communication register (CR)
Via the keyboard to the keyboard controller (KBC) 30. Then, it waits for the completion of the password input.

In response to each control of the CPU 21, the keyboard controller (KBC) 30 receives the password registration confirmation command, returns the number of registered passwords to the CPU 21 as a response, and receives the power-on password mode command, the key is input. Password EE
The password registered in the PROM 29 is compared and collated. When the passwords match, an ACK code (actually the matched password position in the EEPROM 29 and the status "00h") is returned. When the passwords do not match, the RESEND code (actually Returns "FFh" as the data and "01h" as the status indicating that there is no matching password, and the password control command processing is ended.

Further, during normal operation, the CPU 21 causes the data communication register (CR) of the status LCD control gate array (SLCDC / GA) 26 by an SMI interrupt, which will be described later, accompanying the operation of the hot key (Fn + F1). When the operation lock password mode command is received via the status LCD control gate array (SL).
It is issued to the power supply controller (PSC) 46 and the keyboard controller (KBC) 30 via the data communication register (CR) of the CDC / GA) 26. When the keyboard controller (KBC) 30 receives the above command, it prohibits transmission of the scan code (key input data) to the CPU 21. In addition, the power controller (PS
C) 46 stops power supply for screen display.

In this way, the operation lock control is executed in which the input of the keyboard, the mouse, etc. is ignored, the entire screen display is erased, and the system is put in the unusable state.

This operation lock can be released by inputting a password from the keyboard (KB) 51. At this time, the processing of the operation lock release notification is executed by the keyboard controller (KBC) 30. That is, when releasing the operation lock,
After inputting the password character string from the keyboard (KB) 51, the specific function key (here, the "Enter" key) is operated.

Keyboard controller (KBC) 30
When the input of the "Enter" key is detected, the key input password is compared and collated with the password registered in the EEPROM 29, and when the password is registered or when the password is not registered, an operation lock release notification is sent to the CPU 21. (Specifically, when the passwords match, the registered password position in the EEPROM 29 that matches the data and the status "00h" are sent to return to the normal key input processing. When there is no registered password, , "00h" as the data and "00h" as the status are transmitted to return to the normal key input processing).

As a result, the CPU 21 releases the operation lock. That is, the operation lock release command is sent to the status LCD control gate array (SLC
The data is sent to the power supply controller (PSC) 46 and the keyboard controller (KBC) 30 via the data communication register (CR) of the DC / GA) 26, and the keyboard,
Resume accepting mouse input and restore the screen display.

Further, the CPU 21 has a power management function for low power consumption such as powering down various I / Os at idle. This power management function is executed by an interrupt process called a system management interrupt (SMI).

Interrupts included in the CPU 21 include a non-maskable interrupt (NMI) and a maskable interrupt (INTR) in addition to the SMI. SMI is a type of non-maskable interrupt, but it is a hardware interrupt of the highest priority, which has a higher priority than NMI and INTR described above.
It is activated by activating the interrupt request input SMI of the CPU 21. Similarly, the non-maskable interrupt and the maskable interrupt are also activated by activating interrupt request inputs NMI and INTR (not shown) of the CPU 21.

The interrupt by the SMI is used not only for the operation lock function by the hot key operation described above, but also for executing the processing related to other hot key operations and the processing for power management.

The I / O controller 22 is a dedicated logic for realizing the support function of I / O, memory, etc., and controls the I / O equipment connected to the serial port 41 and the printer port (EPP). It controls the external printer connected to 43. The I / O controller 22 includes a DMA controller for direct memory access control and an interrupt controller (PI).
C), timer (PIT), serial I / O controller (SIO), real-time clock (RTC), etc. are built in. The real-time clock is a clock module that has its own battery for operation, and is a CMOS static RAM (CM
OS memory). This CMOS memory is used to store setup information indicating the system configuration.

Communication between the CPU 21 and the I / O controller 22 is executed via the system bus (ISA-BUS) 11 or a dedicated interface line provided between the CPU 21 and the I / O controller 22. It C
The interface signal between the PU 21 and the I / O controller 22 includes, for example, a signal for controlling the SMI function of the CPU 21.

That is, the interrupt request input SM of the CPU 21
For I, the I / O controller 22 or the status LCD control gate array (SL) is connected via the AND gate G1.
Active low S output from CDC / GA) 26
The MI signal is supplied. The SMI signal from the status LCD control gate array (SLCDC / GA) 26 is generated when the CPU 21 is requested to perform hot key processing, which will be described later, and the SMI signal from the I / O controller 22 is timed by the timer. I / O by monitoring
This occurs when the need for powering down is detected.

Here, the hot key is a key for directly requesting the CPU 21 to execute a special function such as setting / changing the system operating environment, and the keyboard 51.
The specific keys above are assigned as their hotkeys. When this hot key is operated, the CPU
Some functions related to setting / changing the system operating environment provided by 21 are directly called and executed. In this hot key processing, the system bus (ISA-
SMI is issued to the CPU 21 without performing normal key data transmission via the (BUS) 11 and via the keyboard interface bus (KBC-BUS) 13 and the status LCD control gate array (SLCDGA).
The key data of the hot key is transmitted to the CPU 21 at high speed.

C which can be called by a hot key
Functions of the PU 21 include a power save mode switching function, a resume / boot mode switching function, and an L function.
There are a CD / CRT display switching function, an LCD panel black / white inversion display function, and the like, but description of these functions will be omitted here.

The system bus (ISA-BUS) 1
A BIOS-ROM 25 is connected to 1. The BIOS-ROM 25 is composed of a flash memory (FLASH / MEM) so that the program can be rewritten. The basic input / output programs include a program for initialization processing at power-on, a driver program for controlling various input / output devices, and a program for performing processing related to hot key operation. ing.

The flash memory (FLASH / MEM) that constitutes the BIOS-ROM 25 is a PCMCIA.
Initialization is possible only when maintenance privilege is set as an access right in the security register of the gate array (PCMCIA / GA) 28, and its control will be described later.

The system bus (ISA-BUS) 11 further includes a status LCD control gate array (SLCD).
C / GA) 26, floppy disk controller (F
DC) 27, PCMCIA gate array (PCMCIA
・ GA) 28, keyboard controller (KBC) 3
0, an expansion connector 31 to which an expansion unit (Desk Station) can be attached, and a hard disk drive (HDD) 4
2 and the like are connected, and dedicated hardware (hereinafter referred to as built-in SCSI hardware) 53 that realizes a SCSI interface is connected.

Status LCD control gate array (SL
CDC / GA) 26 controls the display of the status LCD 44, communicates with the keyboard controller (KBC) 30,
And communication with the power supply controller (PSC) 46.

PCMCIA Gate Array (PCMCIA
-GA) 28 is a PCMC that is optionally installed in slots A and B of the PCMCIA port 48 as a main function.
It controls the read / write of the IA card and communicates with the keyboard controller (KBC) 30.

Further, this PCMCIA gate array (P
The CMCIA / GA) 28 also includes an interface logic with the EEPROM 29 in which a password is registered and a logic for realizing a security function. This PCMCIA gate array (PCMCIA
The specific configuration of the GA) 28 will be described later with reference to FIGS. 3 and 4.

This PCMCIA gate array (PCMC
Among the slots A and B of the two PCMCIA ports 48 connected to the IA / GA) 28, the slot A supports all types of PCMCIA cards and the slot B is
Supports two types of PCMCIA cards, type 2 and type 1. The PCMCIA card with a small size of 5.0 mm or 3.3 mm is used as a security card.

PCMCIA Gate Array (PCMCIA
・ GA) 28 security functions include the security code and EE read from the security card of PCMCIA specifications.
It includes a processing function of verifying the personal identification number of the PROM 29, and permitting the system to be started only when they match.

Further, the PCMCIA gate array (PCMC
The security function of the IA / GA) 28 includes an operation lock called instance security and its unlocking function. The instance security function by this operation lock is provided by a predetermined hot key (Fn + Fn) from the keyboard controller (KBC) 30.
1) It is realized by turning off the display screen of the LCD panel 49 or key-locking the keyboard 51 in response to an instruction accompanying the operation.

PCMCIA gate array (PCMCIA
The GA 28 communicates with the keyboard controller (KBC) 30 via the keyboard interface bus (KBC-BUS) 13 in order to receive an instruction to operate the hot key (Fn + F1).

Status LCD control gate array (SL
CDC / GA) 26 and keyboard controller (KB
C) 30 and communication between the PCMCIA gate array (PCMCIA GA) 28 and the keyboard controller (KBC) 30 are the control information between the CPU 21 and the keyboard controller (KBC) 30, respectively. It realizes a path for executing the transfer at high speed, and a dedicated keyboard interface bus (KBC-BUS) 13 is used for the communication.

That is, the status LCD control gate array (SLCDC / GA) 26 has an I / O register group for holding control information transmitted and received between the CPU 21 and the keyboard controller (KBC) 30. The controller (KBC) 30 reads / writes the register group via the keyboard interface bus (KBC-BUS) 13. The CPU 21 reads / writes these register groups via the system bus 11. This register group includes a data communication register (C
R), a register having a bit for supplying the SMI signal to the AND gate G1, a keyboard controller (KB
C) A hot key register for holding key data of hot keys transmitted from 30 is included.

Keyboard controller (KBC) 30
Is for controlling the built-in keyboard (KB) 51, which is standard equipment, and scans the key matrix of the built-in keyboard 51 to receive a signal corresponding to a pressed key and convert it into a predetermined key code. At this time, the built-in keyboard 51
The key code corresponding to the hot key provided above is the keyboard interface bus (KBC-BU
S) 13 to the status LCD control gate array (SLDC / GA) 26. On the other hand, key codes other than the hot key are transmitted to the CPU 21 by handshake serial communication via the system bus (ISA-BUS) 11 as usual. The keyboard controller (KBC) 30 also has a function of controlling a mouse 52 and an external keyboard 52b which are optionally connected.

The keyboard controller (KBC) 3
0 is a processor that realizes the security function,
It has various password control functions including password check.

This password control function has a CPU 21
Includes execution of various password control commands from the computer and transmission of their responses. Execution of password control commands includes setting / updating / releasing the power-on password, access right, and operation lock password, inputting and checking each password. , Access right control (setting /
Update / cancellation, etc.), response transmission control, etc., and access control of the EEPROM 29 for setting / updating / cancelling each password and access right. These controls will be described later.

Status LCD control gate array (SL
CDC / GA) 26 and power supply controller (PSC) 46
To communicate with the CPU21 and power supply controller (PS
C) Dedicated power supply interface bus (PSC-BUS) 1 for realizing high-speed transfer of various control information between 46
4 are provided.

Floppy disk controller (FD
C) 27 incorporates a variable frequency oscillator (VFO) and controls an internal floppy disk drive (FDD) 45. The expansion connector 31 is an expansion unit (Desk Stati).
It is used for function expansion by connecting (on).

Hard Disk Drive (HDD) 42
Has an IDE interface and is directly access-controlled by the CPU 21. A display controller (VGA controller) 32 conforming to the VGA specification is connected to the peripheral interface bus (PI-BUS) 12. The VGA controller 32 is used in the LCD panel 4
9 and a color CRT 50 for optional connection are displayed and controlled. Peripheral interface bus (PI-BU
The image data received from the CPU 21 via (S) 12 is drawn in the image memory (VRAM) 33.

The power supply controller (PSC) 46 is a CP
It is for controlling the supply of power supply voltage from the power supply circuit 47 to each unit in response to an instruction from U21.
21 is connected to the power interface bus (PS
C-BUS) 14 and the status LCD control gate array (SLCDC / GA) 26 through the data communication register (CR). The power supply circuit 47 generates an internal power supply of a predetermined voltage value to be supplied to each unit from an external power supply supplied via a battery or an AC adapter built in the computer main body, and
When the power is off, backup power (BK) is generated and supplied to a predetermined unit.

The EEPROM 29 includes a PCMCIA gate array (PCMCIA / GA) 28, and an EEPROM access dedicated line 15 including address and data lines.
Keyboard controller (KBC)
It is accessed under the control of 30. Here, 2 passwords for maintenance, 4 passwords for users, and a maximum of 6 power-on passwords, access rights, and operation passwords can be registered. Each of these passwords can be registered. The characteristics of the access right will be described later.

Initialization and writing to the EEPROM 29 are performed by the PCMCIA gate array (PCMCI).
When the supervisor privilege is set as the access right in the security register of A / GA) 28, all passwords and access right areas can be accessed for setting / updating / deleting. When set, it has access to update its own password. These controls will be described later.

Among the input / output devices described above, a serial port 41, a hard disk drive (HDD) 42, a printer port (EPP) 43 to which an external floppy disk drive can be connected, an internal floppy disk drive (FDD) 45, and a PCMCIA port 48. Etc. are subject to the access right (device access right) associated with the power-on password.

Next, the PCMCIA gate array (PC
MCIA / GA) 28 specific configuration example shown in FIGS.
Shown in. PCMCIA Gate Array (PCMCIA ・ G
A) 28 includes security registers (SR) and EEPRs to which access rights are set, as shown in FIGS.
Dedicated register group 20 including a plurality of EEPROM access control registers (MR) for controlling access to the OM 29
1. ISA-BUS interface logic 202 coupled to system bus (ISA-BUS) 11; KBC-BUS interface logic 20 coupled to keyboard interface bus (KBC-BUS) 13
3, E connected to the dedicated line 15 of the EEPROM 29
Under the control of the EPROM interface logic 204 and the keyboard controller (KBC) 30, the dedicated register group 201, the password control logic 205 for controlling the interface logics 202, 203, 204, etc. are provided.

The ISA-BUS interface logic 202 controls the interface with the system bus (ISA-BUS) 11, and controls the read / write operation of the dedicated register group 201 in response to a request from the CPU 21. CPU 2 via system bus 11
Address enable signal (AEN) supplied from 1
Dedicated register designation signal (SPREG), system address signal (SA0), I / O read signal (IORD), I
The / O write signal (IOWR) and the 8-bit system data bus (SD) data in the system bus 11 are used.

The KBC-BUS interface logic 203 controls the read / write operation of the dedicated register group 201 in response to a request from the keyboard controller (KBC) 30.
Read / write signal (R) supplied from the keyboard controller (KBC) 30 via the BC-BUS) 13.
/ W), strobe signal (STROB), and K in the keyboard interface bus (KBC-BUS) 13.
The address / data on the BC data line (KBS-DATA) is used. Further, the KBC-BUS interface logic 203 uses the data contents of the register set by the CPU 21 as a keyboard controller (KBC).
In order to notify 30, the request signal (REQUES) is sent to the keyboard controller (KBC) 30 via the keyboard interface bus (KBC-BUS) 13.
T) is output.

EEPROM interface logic 2
Under control of the keyboard controller (KBC) 30, reference numeral 04 designates an address (Address) and a read / write signal (R / W) according to the setting of the EEPROM access control register (MR) via a dedicated line.
To read / write data (password character string) from / to the EEPROM 29.

The contents and structure of the password and access right stored in the EEPROM 29 are shown in FIGS. 5 and 6, and the PCMCIA gate array (PCMCIA.G) is shown.
FIG. 7 shows an example of the access right control mechanism set in the security register (SR) 100 of A) 28.

The access right is as a device access right.
HDD access right, FDD access right, serial port access right, printer port access right, PCMCIA
Has access rights, etc.

Here, the security register (SR) 1
00 bit b3 to internal floppy disk drive 4
5 and a device access right (FDD access right) of an external floppy disk drive connected to the printer port 43.

The password check process hidden from the system side, that is, the keyboard controller (KBC) 3
8A and 8B show each processing procedure on the CPU 21 side and the keyboard controller (KBC) 30 side in the password check processing executed via the back bus under the control of 0.
FIG. 8B shows the procedure for setting the access right associated with the password check (power-on password check) (see FIG. 8).
Details of step S15) are shown in FIG.

Here, the features of the security function by the password check in the embodiment of the present invention will be described with a specific example. In the embodiment of the present invention, operators who use the system body (portable computer body) are divided into ranks (groups), different passwords are given to the respective operators, and a unique device access right can be defined for each password. By providing appropriate system usage environments according to rank classification, we are working to enhance security functions.

The password support and password control command in the above embodiment will now be described.
In this embodiment, the security function has a security function with a power-on password and a security function with an operation lock password.

These passwords are the access control of the keyboard controller (KBC) 30 and the EEPROM 2 directly connected to the keyboard controller (KBC) 30.
9 is stored. Check the password (character comparison, judgment) and set the access right also using the keyboard controller (K
BC) 30. The password registered in the EEPROM 29 cannot be read from the system due to the back bus function described above.

A "password control command" is provided here for password processing. The "password control command" is a status LCD control gate array (SLD
C / GA) 26 data communication register (CR), CPU 21 to keyboard controller (KBC)
Sent to 30.

CPU 21 is a keyboard controller (K
The command / parameter issued to the BC) 30 is a dedicated register group (PCMCIA gate array 28) provided in the status LCD control gate array (SLDC / GA) 26.
(Corresponding to the dedicated register group 201) of the first data communication register (CR-a). In order to inform the keyboard controller (KBC) 30 of the register setting state of this command / parameter, the CPU 21 sets the predetermined bit of the second data communication register (CR-b) to “1”, and thereby the keyboard controller A request signal (REQUEST) is issued to the (KBC) 30.

At this time, the command / parameter distinction is
It is performed with the value of a predetermined bit of the third data communication register (CR-c). Keyboard controller (KB
Upon receiving the request signal (REQUEST), the C) 30 receives the status LCD control gate array (SLDC).
.GA) 26 third data communication register (CR-c)
The value (command / parameter) stored in the first data communication register (CR-a) is read by determining whether it is a command or a parameter from the value of the predetermined bit. Then, the second data communication register (C
The predetermined bit of R-b) is cleared to "0" and the reception ends. When there are multiple bytes, the above data reading procedure is repeated.

The transmission of the response (parameter) from the keyboard controller (KBC) 30 to the CPU 21 is
1 byte of "data" and 1 byte of "status" are set.

For transmission, "data" is written in the fourth data communication register (CR-d) in the dedicated register group (corresponding to 201) provided in the status LCD control gate array (SLDC / GA) 26, and " Status "
Each of the data communication registers (CR-e) is written, and the predetermined bit of the sixth data communication register (CR-f) is set to "1" to notify the CPU 21 of this.

When the predetermined bit of the sixth data communication register (CR-f) is "1", the CPU 21 uses the fourth data communication register (CR-d) and the fifth data communication register. The value (data status) of the register (CR-e) is read, and the predetermined bit of the sixth data communication register (CR-f) is cleared to "0".

In this way, data communication is performed between the CPU 21 and the keyboard controller (KBC) 30. In the EEPROM 29 accessed by the keyboard controller (KBC) 30, as shown in FIG. 6, a maximum of six power-on passwords, two for maintenance and four for user registration, can be registered.

On the setup screen, it is possible to select whether the power-on password is checked or not, and register / update / delete the password. At this time, when "no password check" is set, the system starts up like a normal system without a password check function.

When "password is checked", the password is requested to be input at the time of the initialization process and the resume process when the power is turned on, and if the input password is correct, the system is started up.

When the "password check" is set in the above setup, the power-on password registered in the EEPROM 29 is referred to in the password check process in the initialization process at power-on.

If the password entered by the key does not match this registered password, the system will not start up. However, when the user password is not registered, the power-on password check is not performed (at this time, "supervisor privilege" is given as an access right).

Of these power-on passwords, a maximum of four passwords used by the user can be registered (the same password cannot be defined multiple times). At this time, the first is for supervisors and the second and later are for general users. Register / update power-on password by using this user
Deletion is done with a special utility.

As shown in FIGS. 5 to 7, each power-on password can be given an access right. The access right defines the range in which the user can operate when it is started up by the password data.

The access right includes supervisor privilege, password update right, HDD access right, FDD access right,
There are serial port access rights, printer port access rights, PCMCIA access rights, and SCSI access rights. In addition, there are maintenance privileges that are generally not released.

The power-on password has the following restrictions depending on the access right. (1) Maintenance privilege (bit 7 of the register 100) This is a privilege for all operations including rewriting of the EEPROM 29 and initial setting of the EEPROM 29, and is given only to the maintenance password.

The maintenance privilege is the BIOS-ROM2.
Rewrite 5 and all other rights. This right is not released to general users (maintenance only). Up to two power-on passwords with privilege for maintenance can be defined. This setting is performed by a dedicated program (T & D, etc.). If the user does not have this maintenance privilege, the write signal of the BIOS-ROM 25 is gated.

(2) Supervisor privilege (register 100
Bit 6) This is the right to set, update, and delete all user passwords and access rights including yourself. This includes all rights except maintenance privileges.

The user password initially set is given supervisor privilege by the utility. Two
Supervisor privileges can be set for the second and subsequent passwords. Those with supervisor privilege can register / update / delete all user passwords. That is, the supervisor privilege is the BIOS-R configured by the flash memory (FLASH / MEM).
Has all rights except rewriting of OM25. You can also set passwords and access rights for others.

(3) Password update right (register 100
Bit 5) Gives you the right to update your password. You cannot update other passwords. The password update right is a right to allow or not allow the update of the power-on password,
If not permitted, the user's own password cannot be updated by setup or power-on password update (the keyboard controller (KBC) 30 rejects the corresponding command).

Those who have neither supervisor privilege nor password update right are not allowed to set, update, or delete the password. When the password update right is given by the access right, the password can be updated for the first time by inputting the registered password to be updated and describing the new password after "/". At this time, the passwords are compared by the power-on password check command included in the password control command.

(4) HDD access right (register 100
4) (5) FDD access right (bit 3 of register 100) (6) Serial port access right (bit 2 of register 100) (7) Printer port access right (bit 1 of register 100) (8) PCMCIA access Right (bit 0 of register 100) Of the above access rights, the HDD access right, the FDD access right, the serial port access right, the printer port access right, and the PCMCIA access right are the rights whether or not to allow access to each unit. is there.

Unauthorized units cannot be accessed (also excluded from the system configuration list). In the hardware control by the security register (SR) 100, when the HDD access right is not permitted (when “1” is not set in bit 4 (b4) of the register 100), chip select of the hard disk drive (HDD) 42 Gate all.

When the FDD access right is not granted (when "1" is not set in bit 3 (b3) of the register 100), the motor-on signal (MOTON) of the internal floppy disk drive (FDD) 45 is gated. At the same time, the motor-on signal (MOTON) of the external floppy disk drive connected to the printer port 43 is gated.

When the serial port access right is not permitted (when "1" is not set in bit 2 (b2) of the register 100), the S of the serial port 41 is S.
The transmission data SD and the reception data RD of IO are gated.

Further, when the printer port access right is not permitted (when "1" is not set in bit 1 (b1) of the register 100), the chip select of the control chip of the printer port 43 is gated.

When the PCMCIA access right is not permitted (when "1" is not set in bit 0 (b0) of the register 100), the PCMCIA port 48
The control chip chip select is gated.

Regarding the HDD access right and the FDD access right in the above-mentioned apparatus access right, it is possible to avoid a troublesome state in which both the HDD (hard disk drive) and FDD (floppy disk drive) cannot be used and the system does not start up. HDD access right,
Use the utility to make sure that the usage right is granted to any of the FDD access rights.

Keyboard controller (KBC) 30
When the password check of the power-on password is found, the access right corresponding to the password is given to the PCMCIA gate array (PCMCIA.
GA) 28 security register (SR) 100. At this time, keyboard controller (KBC)
30 indicates to the CPU 21 that the data is “matched password position” and the status is “00h (normal end)”
Is transmitted, and after transmitting this data and status, it returns to the normal key input processing.

If there is no matching password, the entered password character string is cleared and "FFh (abnormal termination)" is sent as data and "01h (no matching password is found)" is sent as status. However, after sending, it will be again waiting for the password input. That is, the normal key input is not restored until the password input is normally completed.

As shown in FIGS. 6 and 7, the operation lock password (operation password) is stored in the EEPROM 29 together with the power-on password and the access right.

A total of four operation passwords can be set corresponding to the user power-on password. The operation password can be set even when the power-on password is not set.

When the power-on password is set, the data (character string) of the power-on password is used as it is as the operation password by default. In the password check for unlocking the operation lock, if the operation password and the power-on password are different, only the operation password is checked and the power-on password is invalid.

In the password check, the operation password is first compared with the input password, and if the operation password is not defined, the power-on password is next compared with the input password.

As for the response to the CPU 21, when no password (including the power-on password) is defined, the operation lock is released only by the "Enter" key input. If the matching password does not exist, the input buffer is cleared and the password input waiting state is entered again. If a matching password exists, the CPU 21 instructs the CPU 21 that the matched "password position" and the status is "00".
"h (normal end)" is transmitted, and normal key input processing is resumed.

The security of the floppy disk drive including an external device is targeted here, and other security functions and commands are detailed in Japanese Patent Application No. 4-248355 (portable computer). Is omitted.

The operation of the embodiment of the present invention will be described with reference to the flow charts shown in FIGS.
8 (a) and 8 (b) are for the password check processing,
CPU21 side and keyboard controller (KBC)
It is a flow chart which shows each processing procedure by the side of 30.

In the process on the CPU 21 side shown in FIG. 8A, S1 is a step of issuing a password input command to the keyboard controller (KBC) 30 and informing the keyboard controller (KBC) 30 to check the password. is there.

S2 is a keyboard controller (KBC)
This is a step of checking whether or not the result of password comparison on the side of 30 is returned. After the response from the keyboard controller (KBC) 30, the S3 checks whether or not the password comparison is in agreement. If they are in agreement, the processing is terminated (to the next initialization processing). If they are not in agreement, the password is input again. This is the step of shifting to the process of performing.

In the processing on the keyboard controller (KBC) 30 side shown in FIG. 8B, S11 is a step of checking whether or not a command is issued from the CPU 21 side to the keyboard controller (KBC) 30.

S12 is a step for checking whether or not the command from the CPU 21 side is a password input command. Steps S13 and S14 are steps of reading the password key input.

S15 is a step of comparing whether or not the input password matches the registered password. S16 is a step of returning a non-match response to the CPU 21 when the result of step S15 is non-match.

S17 is a step of returning a coincidence response to the main CPU 21 when the result of step S15 is coincidence. FIG. 9 is a flowchart showing the procedure for setting the access right associated with the password check (power-on password check) (details of step S15 in FIG. 8).

In FIG. 9, S23 to S25 and S31 to S
33 is a diagram for explaining the details of step S15 in FIG.
Reference numeral 23 is a step of comparing the entered password with the registered password # 1. S24 is a step of comparing the entered password with the registered password # 2. S25 is a step of comparing the entered password with the registered password #n.

S31 is a step of setting the access right of password # 1 in the security register 100. S
32 is a step of setting the access right of password # 2 in the security register 100. S33 is a step of setting the access right of the password #n in the access right register.

The security mechanism in the embodiment of the present invention comprises three operations of password registration, password input, and password check. In the password registration processing, the input maintenance password, user password, access right, and operation password are set in the EEPROM 29 in the format shown in FIG.

Among the access rights set in the security register 100, there are HDD access rights, FDD access rights, serial port access rights, printer port access rights, PCMCIA access rights and the like as device access rights.

In the embodiment of the present invention, the setting of permission / prohibition of the internal floppy disk drive 45 and the external floppy disk drive connected to the printer port 43 by the FDD access right is targeted.

FIG. 8 shows the password input and check processing.
And FIG. 9 will be described. First, when the system is started up, the CPU 21 will display a keyboard controller (KBC).
A password input command is issued to the keyboard 30 (step S1 in FIG. 8) to notify the keyboard controller (KBC) 30 side that there is a password input, and waits for a response from the keyboard controller (KBC) 30 side (steps S2 and S3 in FIG. 8). ).

When the keyboard controller (KBC) 30 knows that there is a command from the CPU 21 (step S11 in FIG. 8), it checks whether the command is a password command input (step S12 in FIG. 8).

In the case of the password command, the key input of the password is accepted (step S13 in FIG. 8), and when the password input is completed (step S14 in FIG. 8), the input password matches any one of the passwords # 1 to #n. Or compare (step S15 in FIG. 8; steps S23 to S in FIG. 9).
26).

Here, the passwords are passwords # 1 to #n.
If any of the passwords matches the password #n, the access right (see FIG. 6) registered in the matched password #n is set in the security register 100 (steps S31 to S33 in FIG. 9), and the input matching response is sent to the CPU 21 (FIG. 8 step S16).

When a bit indicating permission / prohibition of access right is set in the security register 100, permission (=
The gate corresponding to the "1") bit is opened, and the device having the access right corresponding to the permission bit is made accessible. For example, when bit 3 (b3) of the security register 100 is set (= “1”), the motor-on signals (MOTON) of the internal floppy disk drive 45 and the external floppy disk drive connected to the printer port 43 are set.
2), the internal floppy disk drive 45 and the external floppy disk drive connected to the printer port 43 can be used (device access).

If the passwords do not match, a non-matching response is output to the CPU 21 (step S17 in FIG. 8).
Wait for next password. When the CPU 21 receives the unmatched response (step S3 in FIG. 8), it continues to wait for the next response until the passwords match.

As described above, according to the embodiment of the present invention, in the password system having the security mechanism, F
By setting the DD access right, it is possible to specify and limit the device use of the internal floppy disk drive 45 and the external floppy disk drive connected to the printer port 43 to provide an effective security function.

In the above embodiment, bit 3 (b3) of the security register 100 is set to the motor-on signal (MOTON) of the internal floppy disk drive (FDD) 45.
) Gate and the motor-on signal (MOTON of the external floppy disk drive connected to the printer port 43).
) Gate is commonly used, but not limited to this, for example, in a personal computer not equipped with a floppy disk drive as standard, security register 1
00 is used to allow / prohibit access to an external (optional) floppy disk drive, or 2 bits of security register 100 are used to set internal floppy disk drive (FDD) 45 And the access to the external floppy disk drive connected to the printer port 43 may be individually permitted / prohibited, and the access permission / prohibition control at this time is limited to the gate of the motor-on signal (MOTON). Instead, another configuration such as a circuit configuration for invalidating a specific signal path may be used. Further, the above-described embodiment can be applied to other devices such as an external expansion box.

[0130]

As described above in detail, according to the present invention, an external device connection port to which an external floppy disk drive can be connected, a password registration means capable of setting a plurality of passwords, and a password input when the system is used. Password checking means for checking the registered password with the registered password, control means for specifying a system function according to the type of the password found to match by the same means, and access right defining means for defining the access right unique to each registered password. And a security register capable of canceling / prohibiting the FDD access right included in the device access right that specifies a usable device among the access rights, and the EEP capable of setting presence / absence of the device access right including the FDD access right.
A non-volatile memory such as a ROM is provided, and the device access right by the password includes the device access right for determining whether to use the internal floppy disk drive and the external floppy disk drive connected to the printer port 43. Since the disk drive and the external floppy disk drive are each provided with a security function, it is possible to prevent leakage of internal information via the floppy disk drive and realize a highly reliable security function.

[Brief description of drawings]

FIG. 1 is a diagram for explaining a basic configuration in an embodiment of the present invention, (a) is a block diagram showing a basic configuration of a main part of the present invention, and (b) is an operation example. Fig.

FIG. 2 is a block diagram showing a system configuration according to an embodiment of the present invention.

FIG. 3 is a block diagram showing a configuration of a main part of the embodiment shown in FIG.

FIG. 4 is a block diagram showing an internal configuration of the PCMCIA gate array shown in FIG.

5 is a diagram for explaining the contents and structure of a password and an access right stored in the EEPROM shown in FIGS. 2 and 3. FIG.

FIG. 6 is a diagram for explaining the contents and structure of a password and access right stored in the EEPROM shown in FIGS. 2 and 3;

FIG. 7 is a diagram showing a control mechanism unit of an access right set in a security register (SR) of the PCMCIA gate array shown in FIGS. 2 to 4;

FIG. 8 is a CPU side and a keyboard controller (KB) in the password check process in the above embodiment.
The flowchart which shows each processing procedure of C side.

9 is a flowchart showing the password check shown in FIG. 8 and the access right setting processing procedure associated with the password check.

[Explanation of symbols]

1 ... Password control means, 2 ... Password storage means, 1
1 ... System bus (ISA-BUS), 12 ... Peripheral interface bus (PI-BUS; PeripheralInterfac)
e BUS), 13 ... Keyboard interface bus (K
BC-BUS), 14 ... Power supply interface bus (P
SC-BUS), 15 ... EEPROM access dedicated line, 21 ... CPU, 22 ... I / O controller (I / O)
-CONT), 23 ... system memory, 24 ... DRAM
Card, 25 ... BIOS-ROM, 26 ... PCMCIA
-GA (PCMCIA gate array), 27 ... Floppy disk controller (FDC), 28 ... PCMCI
A gate array (PCMCIA / GA), 29 ... EEP
ROM, 30 ... Keyboard controller (KBC), 3
1 ... Expansion connector, 32 ... Display controller (VGA controller), 33 ... Image memory (VRAM), 41 ...
Serial port, 42 ... Hard disk drive (HD
D), 43 ... Printer port (EPP), 44 ... Status LCD, 45 ... Floppy disk drive (FD)
D), 46 ... Power supply controller (PSC), 51 ... Keyboard (KB), 52 ... Mouse, 53 ... External keyboard, 100 ... Security register (SR), 201 ...
Dedicated register group, 202 ... ISA-BUS interface logic, 203 ... KBC-BUS interface logic, 204 ... EEPROM interface logic, 205 ... Password control logic.

Claims (2)

[Claims] 1. An external device connection port to which an external floppy disk drive can be connected, a password registration means capable of setting a plurality of passwords, and a password check means for collating the password input when the system is used with the registration password. Control means for specifying a system function according to the type of password that is matched by the same means, access right definition means for defining the access right unique to each of the registered passwords, and an available device of the access rights Releasing the device access right of the external floppy disk drive included in the device access right specifying
It is equipped with a register that can be prohibited and a non-volatile memory that can set the presence or absence of the device access right of the external floppy disk drive, and the device access right by the password includes the device access right of the external floppy disk drive, and the external connection A portable computer system characterized in that the floppy disk drive used has a security function. 2. A standard internal floppy disk drive, an external device connection port to which an external floppy disk drive can be connected, a password registration means capable of setting a plurality of passwords, and a password input when the system is used. A password checking means for checking the registered password, a control means for specifying a system function according to the type of the password matched by the same means, and an access right defining means for defining the access right unique to each of the registered passwords, Of the above access rights, a device access right of the internal floppy disk drive and a device access right of the external floppy disk drive, which are included in the apparatus access right for specifying a usable device, can be respectively released / inhibited registers, and Floppy disk drive equipment A floppy disk equipped with a non-volatile memory capable of setting presence / absence of an access right, including a device access right by a password, an internal floppy disk drive device access right, and an external floppy disk drive device access right. A portable computer system characterized in that a disk drive and an externally connected floppy disk drive each have a security function.