RU128742U1 - COMPUTER TO START A THIN HYPERVISOR IN UEFI AT AN EARLY STAGE OF LOADING A COMPUTER - Google Patents

Abstract

1. A computer for starting a thin hypervisor in UEFI at an early stage of computer startup, including a motherboard with a system bus, a memory module containing UEFI, and at least one memory device with an operating system, the memory module containing a section for storing data the thin hypervisor module, and UEFI is configured so that immediately after the transition to the driver execution environment, it launches the thin hypervisor module. 2. A computer for starting a thin hypervisor in UEFI at an early stage of computer boot according to claim 1, characterized in that the memory module of the computer in which the UEFI is stored is a FLASH chip.3. A computer for starting a thin hypervisor in UEFI at an early stage of computer boot according to claim 1, characterized in that UEFI transmits information to the thin hypervisor about the necessary at least one storage device for loading the main operating system and the hypervisor itself loads the operating system.

Description

The proposed utility model relates to a computer containing an operating system that is protected from unauthorized access to information.

Currently, Unified Extensible Firmware (UEFI) is being developed for modern computers, or rather their motherboards. This interface is designed to replace the computer BIOS and is intended to correctly initialize the equipment when the system is turned on and transfer control to the bootloader of the operating system. UEFI has two phases: the preliminary EFI phase, at which the computer elements are initialized and the Driver Execution Environment (DXE) driver loading phase, after which the computer operating system is already loaded, see, for example, US2009319763A1 dated 12.24.2009. Thanks to the use of UEFI, the loading of the computer operating system is accelerated.

The closest technical solution is RU2446447C2, dated 03/27/2012, which describes a computer for controlling access to operating systems using a hypervisor. This computer contains a motherboard with a system bus, a memory module containing a BIOS and a storage device with an operating system, and a hypervisor module. The BIOS has a set of instructions executed at the boot stage, which launch the hypervisor. The disadvantage of this system is not sufficient computer protection, because The hypervisor is stored in a section on the storage device, which may be subject to change.

The proposed technical solution is aimed at creating a computer to run a thin hypervisor in UEFI at an early stage of computer boot. In the proposed solution, the hypervisor is located in the area of the memory module that is not subject to change when the operating system is loaded, and therefore such a computer has increased security of the operating system.

The task that the proposed utility model allows to solve is the possibility of guaranteed launch of the hypervisor before the start of any code located on accessible media / memory devices that are susceptible to virus attacks in order to prevent unauthorized access to information and launch additional information protection tools inside the hypervisor module itself.

The technical result of the proposed technical solution is to increase the security of the computer.

The technical result is achieved by the fact that the computer for starting a thin hypervisor in UEFI at an early stage of computer startup includes a motherboard with a system bus, a memory module containing UEFI, and at least one memory device with an operating system. At the same time, the memory module contains a section for storing the data of the thin hypervisor module, and the UEFI is configured so that immediately after the transition to the driver execution environment, it launches the thin hypervisor module.

The memory module of the computer in which the UEFI is stored is essentially a FLASH chip.

In this case, the UEFI transmits information to the thin hypervisor about the necessary at least one storage device for loading the main operating system, and the hypervisor itself loads the operating system.

Figure 1 shows a diagram of a computer for starting a thin hypervisor in UEFI at an early stage in computer startup.

Consider the work of the proposed computer device to run a thin hypervisor in UEFI at an early stage of computer boot. To operate the proposed computer, the motherboard of the computer is used, which has a memory module in the form of a FLASH chip, where instead of BIOS (BIOS) UEFI is recorded. In addition, the FLASH chip contains a section for storing data from the hypervisor module. The remaining elements of the computer represent standard computer elements: a processor with a cooling system, RAM, a video card, hard disks (SSD or HDD), a monitor, a case with a power supply, a keyboard and mouse.

The work of the proposed computer device to run a thin hypervisor in UEFI at an early stage of computer boot is as follows. The user turns on the computer, after which the UEFI download starts, and various graphic or textual design of the UEFI download can be formed on the monitor. After performing the UEFI transition to the driver execution environment - DXE, the hypervisor module is launched. The thin hypervisor module is a layer between the OS and interfaces, it virtualizes all device interfaces. That is, let's say the device has an interface for wireless access to the network, interfaces for a monitor, printer, and CD drive. In the usual case, the operating system sees these devices and accesses them directly. And a malicious program or an unauthorized user can, under certain conditions, gain access to these interfaces. When the thin hypervisor module is turned on, the OS sees only the hypervisor itself, without seeing the device interfaces directly, but only in the form that the hypervisor displays for it. Thus, certain users or programs (depending on the configuration of the hypervisor) simply will not see, for example, a printer, or wireless access to the network, because for them the hypervisor will not display these interfaces, and the system will assume that there is no such device on the computer. In contrast, a thin hypervisor can show the system any devices that do not really exist, such as a virtual printer or virtual hard disk. In addition, all traffic exchanged by the OS with any interfaces is processed by the hypervisor, and can be transmitted by the hypervisor for processing by the anti-virus module regardless of the OS, while the operating system itself, even if it is taken under the control of a malicious program, will not be to have information that such a check is carried out, which excludes the effect of viruses on the check process (and treatment). In our case, the peculiarity is that the launch of this thin hypervisor is carried out at the pre-boot stage described above, before launching any programs (and until the user has the ability to take actions) that could potentially affect the launch of the thin hypervisor or prevent it.

The hypervisor code is located inside the memory module microcircuit and is not subject to the possibility of changing or discrediting the code.

A specific embodiment of the proposed technical solution was disclosed above, but it is obvious to any person skilled in the art that based on the disclosed data, it is possible to create computer variations for launching a thin hypervisor in UEFI, for example, storing the code of a thin hypervisor on a separate FLASH chip. Thus, the scope of the utility model should not be limited to the specific embodiment described in the proposed utility model formula.

Claims (3)

1. A computer for starting a thin hypervisor in UEFI at an early stage of computer startup, including a motherboard with a system bus, a memory module containing UEFI, and at least one memory device with an operating system, the memory module containing a section for storing data the thin hypervisor module, and UEFI is configured so that immediately after the transition to the driver execution environment, it launches the thin hypervisor module. 2. A computer for starting a thin hypervisor in UEFI at an early stage of computer boot according to claim 1, characterized in that the memory module of the computer in which the UEFI is stored is a FLASH chip. 3. A computer for starting a thin hypervisor in UEFI at an early stage of computer boot according to claim 1, characterized in that UEFI transmits information to the thin hypervisor about the necessary at least one storage device for loading the main operating system and the hypervisor itself loads the operating system .

Images