WO2018072442A1 - System initialization method and device, and storage medium - Google Patents


Info

Publication number
WO2018072442A1
Authority
WO
WIPO (PCT)
Prior art keywords
program
initialization
storage device
startup
external storage
Prior art date
Application number
PCT/CN2017/085790
Other languages
French (fr)
Chinese (zh)
Inventor
薛明星
Original Assignee
深圳市中兴微电子技术有限公司
Priority date
Filing date
Publication date
Application filed by 深圳市中兴微电子技术有限公司
Publication of WO2018072442A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575 Secure boot
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • the present invention relates to embedded system security technologies, and in particular, to a system initialization method and apparatus, and a storage medium.
  • the system startup starts from the execution hardware initialization and the operating system initialization.
  • This part mainly brings the software and hardware to a normal working state and is divided into two phases. In the first phase, hardware such as the processor (CPU) and the memory controller is initialized, code is copied to random access memory (RAM) space, and the stack and other information are initialized. In the second phase, execution jumps to the beginning of the first stage code; hardware such as flash memory (Flash), system memory, and the network is initialized; the operating system kernel is copied from Flash to RAM space; the kernel boot parameters are set; and the kernel is called.
  • Regarding security management of the initialization program and the initialization process of the embedded system: both stages involve the handling and execution of code.
  • The initialization process of the embedded system therefore requires security management of this part of the program, so that the whole embedded system initialization process is protected.
  • In one approach, part of the read-only memory (ROM) space stores the initialization program of the startup program, and Flash space stores the application of the startup program. The disadvantage of this method is that the initialization program is saved only once, with no backup; if malicious code is implanted, the system will not start properly, or criminals will steal user data after startup.
  • ROM Read Only Memory
  • Some embedded systems also support Flash startup: the startup program, such as the initialization program, is placed in Flash, and error checking and correction (ECC) is used to verify the validity of the code in Flash. The disadvantages of this method are that the startup program occupies system space, the ECC check code is easily falsified, resulting in invalid system startup, and verification adds overhead; in addition, the large Flash space increases the cost of the embedded system.
  • ECC error checking and correction technology
  • Embodiments of the present invention are expected to provide a system initialization method and apparatus, and a storage medium, which can improve the security of embedded system initialization and reduce the cost of the embedded system.
  • An embodiment of the present invention provides a system initialization method, where the method includes:
  • Initializing a communication port by using a preset first initialization program, establishing communication with an external storage device through the communication port, and performing mutual authentication with the external storage device;
  • the startup program pre-stored in the external storage device is acquired, and the startup program is executed to complete the system startup.
  • the mutually authenticating with the external storage device includes:
  • Verifying the second digital certificate that the external storage device sends after it has successfully verified the encrypted information and the first digital certificate.
  • the preset encryption information includes:
  • information acquired by an encrypted information input device that has been initialized by the first initialization program.
  • the acquiring the startup program pre-stored in the external storage device includes:
  • Acquiring the startup program from the external storage device, the startup program being encrypted and stored by the external storage device using a first public key in the first digital certificate and an asymmetric cryptosystem.
  • the startup program includes at least one of the following: a second initialization program; a first stage code; and a second stage code.
  • the acquiring a startup program pre-stored in the external storage device, and executing the startup program includes: acquiring and executing at least one of the second initialization program, the first stage code, and the second stage code.
  • the embodiment of the present invention further provides a system initialization device, where the device includes: a communication establishment module and a startup control module;
  • the communication establishing module is configured to initialize a communication port by using a preset first initialization program, establish communication with an external storage device through the communication port, and perform mutual authentication with the external storage device;
  • the startup control module is configured to acquire a startup program pre-stored in the external storage device after the authentication succeeds, and execute the startup program to complete system startup.
  • the communication establishing module is specifically configured as:
  • Verifying the second digital certificate that the external storage device sends after it has successfully verified the encrypted information and the first digital certificate.
  • the communication establishing module is specifically configured to: acquire pre-stored encrypted information; and/or acquire information through an encrypted information input device that has been initialized by the first initialization program.
  • the startup control module is specifically configured as follows:
  • Acquiring the startup program from the external storage device, the startup program being encrypted and stored by the external storage device using a first public key in the first digital certificate and an asymmetric cryptosystem.
  • the startup program includes: at least one of a second initialization program, a first stage code, and a second stage code;
  • the startup control module is specifically configured to: sequentially acquire and execute at least one of the second initialization program, the first phase code, and the second phase code.
  • the embodiment of the invention provides a storage medium storing an executable program which, when executed by a processor, implements the system initialization method provided by the embodiment of the invention.
  • the embodiment of the invention provides a system initialization device, including:
  • a memory for storing an executable program;
  • a processor configured to execute the executable program stored in the memory to implement the system initialization method provided by the embodiment of the present invention.
  • the system initialization method and device and the storage medium provided by the embodiment of the present invention initialize a communication port by using a preset first initialization program, establish communication with an external storage device through the communication port, and perform mutual authentication with the external storage device. After the authentication succeeds, the startup program pre-stored in the external storage device is acquired, and the startup program is executed to complete the system startup. In this way, because the startup program is stored in the external storage device, the problem of malicious code being implanted or of the system being rooted is reduced, and the security of embedded system initialization is improved; and because the startup program is stored in the external server, the memory that the embedded system uses to store the boot program can be reduced, reducing the cost of the embedded system.
  • FIG. 1 is a schematic flowchart of a system initialization method according to an embodiment of the present invention
  • FIG. 2 is a schematic flowchart of authentication according to an embodiment of the present invention.
  • FIG. 3 is a schematic structural diagram of an embedded system initialization system according to an embodiment of the present invention.
  • FIG. 4 is a schematic flowchart of an initialization process of an embedded system in an embedded system initialization system according to an embodiment of the present invention
  • FIG. 5 is a schematic structural diagram of a system initialization apparatus according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of a system initialization apparatus according to an embodiment of the present invention.
  • the communication port is initialized by using a preset first initialization program, communication with the external storage device is established through the communication port, and mutual authentication is performed with the external storage device; after the authentication is successful, the startup program pre-stored in the external storage device is acquired and executed to complete system startup.
  • the system initialization method provided by the embodiment of the present invention is as shown in FIG. 1 , and the method includes:
  • Step 110 Initialize a communication port by using a preset first initialization program, establish communication with an external storage device through the communication port, and perform mutual authentication with the external storage device.
  • a small-capacity ROM or Flash may be disposed in the embedded system to store the first initialization program;
  • the communication port may include: a wired network port, a wireless compatibility authentication (WiFi) interface, a wireless communication air interface, and the like.
  • WiFi wireless compatibility authentication
  • the external storage device can include an external server or the like that can be used for storing and performing secure data transfer;
  • the first initialization program is configured to store a program for initializing a communication port, etc.
  • the specific steps of the authentication include:
  • Step 1101 The embedded system acquires preset encryption information, and sends its first digital certificate and the encrypted information to an external server.
  • the encrypted information may be encrypted information such as a password pre-stored in the small-capacity ROM or Flash, or may be information entered through an encrypted information input device of the embedded system that is initialized by the first initialization program.
  • the encrypted information input device may be a fingerprint input device, and the encrypted information may be fingerprint information;
  • a digital certificate includes a digital signature and a public key, and the digital signature is used to verify the identity of the sender of the digital certificate;
  • Step 1102 The external server completes the verification of the encrypted information, and parses the first digital certificate of the embedded system, and saves the first public key in the first digital certificate of the embedded system;
  • Step 1103 The server sends a verification result of the first digital certificate of the embedded system, and carries a second digital certificate of the external server.
  • Step 1104 If the embedded system verifies the second digital certificate, the second public key of the digital certificate of the server is saved, and the authentication succeeds.
  • Step 120 After the authentication succeeds, acquiring a startup program pre-stored in the external storage device, and executing the startup program to complete system startup;
  • the embedded system successfully establishes communication with the external server, and the pre-stored startup program of the embedded system may be obtained from the external server and transferred directly into the RAM of the embedded system; the embedded system runs the boot program directly in the RAM. Because the startup program is stored in the external server and not on the embedded system, illegal malicious implantation into the startup program on the embedded system can be prevented, and security is improved. Optionally, to improve the security of the startup program, the startup program may be obtained using an asymmetric key cryptosystem with the public keys in the first digital certificate and the second digital certificate, wherein
  • the asymmetric cryptosystem includes: the RSA public key encryption algorithm;
  • the embedded system encrypts the startup program request with the second public key of the external server and sends it to the external server; after obtaining the startup program request, the external server uses its own private key corresponding to the second public key to decrypt the request of the embedded system; the external server encrypts the stored startup program by using the first public key of the embedded system, and sends the startup program to the embedded system; the embedded system stores the encrypted startup program directly in the RAM, decrypts it with its own private key corresponding to the first public key, and executes the startup program.
  • the startup program may include: an initialization program (second initialization program), and/or a first stage code, and/or a second stage code; wherein the second initialization program is used to initialize the CPU speed, clock frequency, etc. of the embedded system terminal; the first stage code is used for initializing system memory, NAND flash initialization, etc.; the second stage code is the code for initializing the operating system kernel, i.e., the kernel image code. The second initialization program is the basis for running the first stage code, and the first stage code is the basis for running the second stage code; therefore, the second initialization program, the first stage code, and the second stage code may be acquired in sequence: the first stage code is acquired after the second initialization program has been acquired and run, and the second stage code is acquired after the first stage code has been acquired and run. When at least one of the second initialization program, the first stage code, and the second stage code is obtained, the asymmetric cryptosystem may be used for data transmission.
  • the embedded system initialization system includes: an embedded system terminal 31, a server 32, and a network 33 connecting the embedded system terminal and the server; wherein
  • the embedded system terminal 31 is provided with a ROM, and the ROM is provided with a first initialization program, which mainly initializes a network port or an air interface and is the first part of the code executed after the embedded system terminal is powered on;
  • the server 32 is provided with a key management module and a stored startup program; wherein the startup program comprises: a second initialization program, a first stage (Stage1) code, a second stage (Stage2) code, and a key management module responsible for the key.
  • the Stage1 code mainly completes the related code of hardware initialization, such as the embedded system terminal 31 initializing the system memory, the NAND flash initialization, etc.; the Stage2 code is mainly the kernel image of the operating system of the embedded system terminal 31;
  • the network 33 may be a wired network or a wireless communication air interface or the like.
  • the specific working steps and interaction process of the embedded system initialization system include:
  • Step 401 The system resetting operation of the embedded system terminal 31 calls the first initialization procedure of initializing the network port or the air interface in the ROM.
  • the embedded system terminal 31 performs a power-on reset operation, copies the first initialization program in the ROM space to the RAM, and then executes the first initialization program to complete the initialization of the network port or the air interface;
  • Step 402 The user inputs a fingerprint, which is sent to the server 32 together with the digital certificate of the embedded system terminal 31;
  • Step 403 The server 32 completes the verification of the fingerprint, and parses the digital certificate of the embedded system terminal 31, and saves the public key of the embedded system terminal 31;
  • Step 404 The server 32 sends the digital certificate verification result to the embedded system terminal 31, and carries the digital certificate of the server 32.
  • Step 405 The embedded system terminal 31 performs digital certificate verification of the server 32, and if the verification is passed, saves the public key of the digital certificate of the server 32;
  • Step 406 The embedded system terminal 31 encrypts and sends a request for the second initialization procedure using the public key of the server 32;
  • Step 407 The server 32 decrypts the request of the embedded system terminal 31 by using its own private key
  • Step 408 The server 32 encrypts the second initialization program using the public key of the embedded system client, and sends it to the embedded system terminal 31;
  • Step 409 The embedded system terminal 31 uses its own private key to decrypt the second initialization program sent by the server 32, executes the second initialization procedure, completes hardware initialization, device exception vector table, memory controller and the like;
  • Step 410 The embedded system terminal 31 encrypts and sends a Stage1 code request using the public key of the server 32;
  • Step 411 The server 32 decrypts the Stage1 code request using its own private key
  • Step 412 The server 32 encrypts the code of the Stage1 using the public key of the embedded system terminal 31, and sends it to the embedded system terminal 31;
  • Step 413 The embedded system terminal 31 decrypts using the private key, executes the Stage1 code, and completes initializing the system memory, displaying, and the like;
  • Step 414 The embedded system terminal 31 encrypts and sends a Stage2 code request using the public key of the server 32;
  • Step 415 The server 32 decrypts the Stage2 code request by using its own private key.
  • Step 416 The server 32 encrypts the Stage2 code using the public key of the embedded system terminal 31, and sends it to the embedded system terminal 31;
  • Step 417 The embedded system terminal 31 decrypts using the private key, jumps to the Stage2 code entry point, and starts the kernel.
  • the system initialization device provided by the embodiment of the present invention, as shown in FIG. 5, the device includes: a communication establishment module 51 and a startup control module 52;
  • the communication establishing module 51 is configured to initialize a communication port by using a preset first initialization program, establish communication with an external storage device through the communication port, and perform mutual authentication with the external storage device;
  • a small-capacity ROM or Flash may be set in the embedded system to store the first initialization program;
  • the communication port may include: a wired network port, a WiFi, a wireless communication air interface, and the like, which can be used for data transmission.
  • the external storage device may include an external server or the like configured to store and perform secure data transfer;
  • the first initialization program is configured to store a program for initializing a communication port, etc.; after the embedded system is powered on, this part of the code is automatically copied, and initialization operations such as initializing the communication port device are performed; after the physical connection with the external server is established by initializing the communication port, authentication can be performed to improve the security of data communication with the external server.
  • the specific steps of the authentication include:
  • Step 1101 The embedded system acquires preset encryption information, and sends its first digital certificate and the encrypted information to an external server.
  • the encrypted information may be encrypted information such as a password pre-stored in the small-capacity ROM or Flash, or may be information entered through an encrypted information input device of the embedded system that is initialized by the first initialization program.
  • the encrypted information input device may be a fingerprint input device, and the encrypted information may be fingerprint information;
  • a digital certificate contains a digital signature and a public key that is used to verify the number.
  • Step 1102 The external server completes the verification of the encrypted information, and parses the first digital certificate of the embedded system, and saves the first public key in the first digital certificate of the embedded system;
  • Step 1103 The server sends a verification result of the first digital certificate of the embedded system, and carries a second digital certificate of the external server.
  • Step 1104 If the embedded system verifies the second digital certificate, the second public key of the digital certificate of the server is saved, and the authentication succeeds.
  • the startup control module 52 is configured to acquire a startup program pre-stored in the external storage device after the authentication succeeds, and execute the startup program to complete system startup;
  • the embedded system successfully establishes communication with the external server, and the pre-stored startup program of the embedded system may be obtained from the external server and transferred directly into the RAM of the embedded system; the embedded system runs the boot program directly in the RAM. Because the startup program is stored in the external server and not on the embedded system, illegal malicious implantation into the startup program on the embedded system can be prevented, and security is improved;
  • the startup program may be obtained using an asymmetric key cryptosystem with the public keys in the first digital certificate and the second digital certificate;
  • the asymmetric cryptosystem includes: an RSA public key encryption algorithm;
  • the embedded system encrypts the startup program request with the second public key of the external server and sends it to the external server; after obtaining the startup program request, the external server uses its own private key corresponding to the second public key to decrypt the request of the embedded system; the external server encrypts the stored startup program by using the first public key of the embedded system, and sends the startup program to the embedded system; the embedded system stores the encrypted startup program directly in the RAM, decrypts it with its own private key corresponding to the first public key, and executes the startup program.
  • the startup program may include at least one of: an initialization program (second initialization program), a first stage code, and a second stage code; wherein the second initialization program is used to initialize the CPU speed, clock frequency, etc. of the embedded system terminal; the first stage code is used to initialize system memory, NAND Flash initialization, etc.; the second stage code is the code for initializing the operating system kernel, that is, the kernel image code. The second initialization program is the basis for running the first stage code, and the first stage code is the basis for running the second stage code; therefore, the second initialization program, the first stage code, and the second stage code may be acquired in sequence: the first stage code is acquired after the second initialization program has been acquired and executed, and the second stage code is acquired and run after the first stage code has been acquired and run. When at least one of the second initialization program, the first stage code, and the second stage code is obtained, the asymmetric cryptosystem can be used for data transmission.
  • the communication establishing module 51 and the startup control module 52 can be implemented by a CPU, a microprocessor (MPU), a digital signal processor (DSP), or a field programmable gate array (FPGA) in an embedded system.
  • MPU microprocessor
  • DSP digital signal processor
  • FPGA field programmable gate array
  • FIG. 6 is a schematic diagram of a hardware structure of a device for initializing a system according to an embodiment of the present invention, including: at least one processor 601, a memory 602, and a communication interface 603.
  • the various components in the system initialized device are coupled together by a bus system 604.
  • bus system 604 is used to implement connection communication between these components.
  • the bus system 604 includes a power bus, a control bus, and a status signal bus in addition to the data bus.
  • various buses are labeled as bus system 604 in FIG.
  • memory 602 can be either volatile memory or non-volatile memory, and can include both volatile and nonvolatile memory.
  • the non-volatile memory may be a ROM, a Programmable Read-Only Memory (PROM), or an Erasable Programmable Read-Only Memory (EPROM).
  • PROM Programmable Read-Only Memory
  • EPROM Erasable Programmable Read-Only Memory
  • the memory 602 described in the embodiments of the present invention is intended to include, but is not limited to, these and any other suitable types of memory.
  • the memory 602 in the embodiment of the present invention is used to store various types of data to support the operation of the system initialized device. Examples of such data include any computer program for operating on a system initialized device, such as operating system 6021 and program 6022.
  • the operating system 6021 includes various system programs, such as a framework layer, a core library layer, a driver layer, and the like, for implementing various basic services and processing hardware-based tasks.
  • the program 6022 can include various programs, and the program for implementing the system initialization method of the embodiment of the present invention can be included in the program 6022.
  • the communication interface 603 is used for communication between the system initialization device and other devices in a wired or wireless manner.
  • the system initialization device can access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof.
  • Processor 601 may be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the foregoing method may be completed by an integrated logic circuit of hardware in the processor 601 or an instruction in a form of software.
  • the processor 601 described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware component, or the like.
  • the processor 601 can implement or execute the system initialization method, steps, and logic block diagrams described in the embodiments of the present invention.
  • a general purpose processor can be a microprocessor or any conventional processor or the like.
  • the steps of the method disclosed in the embodiment of the present invention may be directly implemented as a hardware decoding processor, or may be performed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a storage medium located in memory 602, and processor 601 reads the information in memory 602, in conjunction with its hardware, to perform the steps of system initialization described above.
  • the system initialization device may be implemented by one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), FPGAs, general purpose processors, controllers, Micro Controller Units (MCUs), microprocessors, or other electronic components for performing the aforementioned system initialization method.
  • ASICs Application Specific Integrated Circuits
  • PLDs Programmable Logic Devices
  • CPLDs Complex Programmable Logic Devices
  • MCU Micro Controller Unit
  • Embodiments of the present invention further provide a storage medium storing an executable program which, when executed by a processor, implements a system initialization method, such as the system initialization method shown in any of FIGS. 1, 2, and 4.
  • the storage medium may be the various types of non-volatile storage media described above.
  • An embodiment of the present invention provides a system initialization method, which uses a preset first initialization program to initialize a communication port, establishes communication with an external server through the communication port, and performs mutual authentication with the external server; after successful authentication, a startup program pre-stored in the external server is acquired, and the startup program is executed to complete system startup.
  • the embodiment of the invention further provides a system initialization device and a storage medium.
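
The exchange in steps 401 to 417 (and the matching description of modules 51 and 52), simulated end to end as an added example that is not code from the patent. The toy textbook RSA over constructed Mersenne-prime keys, the pinned CA key `ca_pub`, the certificate layout and all names are assumptions made for illustration.

```python
"""Simulation of steps 401-417: mutual authentication, then a staged boot fetch.
Toy textbook RSA over constructed Mersenne-prime keys: insecure, illustration only."""
import hashlib
import hmac

E = 65537
STAGES = ("second_init", "stage1", "stage2")   # acquisition order given in the description

def keypair(a, b):
    """Constructed toy key whose modulus is (2^a - 1) * (2^b - 1), both Mersenne primes."""
    p, q = 2**a - 1, 2**b - 1
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

def encrypt(pub, data):
    """Block-wise textbook RSA; a leading 0x01 byte preserves each 8-byte chunk's length."""
    n, e = pub
    return [pow(int.from_bytes(b"\x01" + data[i:i + 8], "big"), e, n)
            for i in range(0, len(data), 8)]

def decrypt(priv, blocks):
    n, d = priv
    out = b""
    for c in blocks:
        m = pow(c, d, n)
        out += m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]
    return out

def _cert_body(subject, pub):
    return f"{subject}|{pub[0]}|{pub[1]}".encode()

def make_cert(issuer_priv, subject, pub):
    """Hypothetical certificate layout: subject, public key, issuer signature."""
    return {"subject": subject, "pub": pub, "sig": sign(issuer_priv, _cert_body(subject, pub))}

def cert_ok(ca_pub, cert):
    return verify(ca_pub, _cert_body(cert["subject"], cert["pub"]), cert["sig"])

class Server:
    def __init__(self, ca_pub, cert, priv, enrolled_fp, images):
        self.ca_pub, self.cert, self.priv = ca_pub, cert, priv
        self.enrolled_fp, self.images = enrolled_fp, images
        self.terminal_pub = None

    def authenticate(self, fingerprint, terminal_cert):
        """Steps 403-404: check fingerprint and terminal certificate, keep its public key."""
        ok = (hmac.compare_digest(fingerprint, self.enrolled_fp)
              and cert_ok(self.ca_pub, terminal_cert))
        self.terminal_pub = terminal_cert["pub"] if ok else None
        return ok, self.cert

    def serve(self, enc_request):
        """Steps 407-408, 411-412, 415-416: decrypt the request, return the encrypted stage."""
        if self.terminal_pub is None:
            raise PermissionError("terminal not authenticated")
        name = decrypt(self.priv, enc_request).decode()
        return encrypt(self.terminal_pub, self.images[name])

def boot(ca_pub, term_cert, term_priv, fingerprint, server):
    """Terminal side. ca_pub is an assumed trust anchor kept with the first initialization
    program. Returns [(stage, image)] in execution order; fails closed otherwise."""
    ok, server_cert = server.authenticate(fingerprint, term_cert)      # steps 402-404
    if not ok:
        raise PermissionError("server rejected fingerprint or terminal certificate")
    if not cert_ok(ca_pub, server_cert):                               # step 405
        raise PermissionError("server certificate not trusted")
    server_pub = server_cert["pub"]
    executed = []
    for name in STAGES:                                                # steps 406-417
        reply = server.serve(encrypt(server_pub, name.encode()))
        executed.append((name, decrypt(term_priv, reply)))             # stand-in for running from RAM
    return executed

# Constructed sample data: keys, certificates, fingerprint template and stage images.
CA_PUB, CA_PRIV = keypair(89, 107)
TERM_PUB, TERM_PRIV = keypair(61, 127)
SRV_PUB, SRV_PRIV = keypair(31, 521)
TERM_CERT = make_cert(CA_PRIV, "terminal-31", TERM_PUB)
SRV_CERT = make_cert(CA_PRIV, "server-32", SRV_PUB)
FINGERPRINT = hashlib.sha256(b"constructed fingerprint template").digest()
IMAGES = {"second_init": b"init cpu clock + exception vectors",
          "stage1": b"init system memory + NAND flash",
          "stage2": b"kernel image"}

if __name__ == "__main__":
    server = Server(CA_PUB, SRV_CERT, SRV_PRIV, FINGERPRINT, IMAGES)
    for name, image in boot(CA_PUB, TERM_CERT, TERM_PRIV, FINGERPRINT, server):
        print(name, image)
```

Encrypting a stage under the terminal's public key keeps it confidential but does not by itself show who produced it, so the example executes nothing unless the step 405 certificate check passes.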


Abstract

Provided in an embodiment of the present invention is a system initialization method, comprising: using a preset first initialization program to initialize a communication port, establishing communication with an external server by means of the communication port, and performing mutual authentication with the external server; and upon successful authentication, acquiring an activation program pre-stored in the external server, and executing the activation program to complete system activation. Also provided in the embodiment of the present invention are a system initialization device and a storage medium.

Description

System initialization method and device, and storage medium
Cross-reference to related applications
This application is based on, and claims priority to, Chinese patent application No. 201610906227.1, filed on October 17, 2016, the content of which is incorporated herein by reference.
Technical field
The present invention relates to embedded system security technologies, and in particular to a system initialization method and device, and a storage medium.
Background
With the development of society, embedded control and processing systems are used more and more widely, for example in communications, medical care and smart home appliances, and users' requirements keep rising. As a result, embedded systems offer ever richer functions, and people's lives increasingly depend on them; embedded systems stand for personalization, mobility and intelligence. At the same time, embedded systems introduce a series of new problems, such as being prone to implantation of malicious code and to having super-administrator (root) privileges obtained. Users require embedded systems to provide reliable services, and embedded system security has become a new research topic, in which the security of embedded system initialization is the key first step toward reliable operation of the embedded system.
In an embedded system, system startup begins with hardware initialization and operating system initialization, which bring the software and hardware into a normal working state. It is divided into two stages. In the first stage, hardware such as the processor (CPU) and the memory controller is initialized, code is copied into random access memory (RAM) space, and information such as the stack is initialized. In the second stage, execution jumps to the start position of the first-stage code, hardware such as flash memory (Flash), system memory and the network is initialized, the operating system kernel is copied from Flash into RAM space, the kernel boot parameters are set, and the kernel is called. Both stages of embedded system initialization involve moving and executing code; applying security management to these programs during initialization protects the entire embedded system initialization process.
A typical embedded system uses part of its read-only memory (ROM) space to store the initialization program of the startup program, and Flash space to store the application part of the startup program. The drawback of this approach is that the initialization program is stored in a single copy with no backup: if malicious code is implanted, the system cannot start normally, or after startup user data may be stolen by criminals. Some embedded systems also support booting from Flash, placing the initialization program and the rest of the startup program in Flash and using error checking and correction (ECC, Error Correction Code) to check the validity of the code in Flash. The drawbacks of this approach are that the startup program occupies system space, that the ECC check code is easily tampered with, which leads to invalid system startup, and that the verification overhead is high; in addition, a large Flash is physically large and raises the cost of the embedded system.
Therefore, there is as yet no effective solution for improving the security of embedded system initialization while reducing the cost of the embedded system.
Summary of the invention
Embodiments of the present invention are intended to provide a system initialization method and device, and a storage medium, which can improve the security of embedded system initialization and reduce the cost of the embedded system.
To achieve the above objective, the technical solution of the embodiments of the present invention is implemented as follows:
An embodiment of the present invention provides a system initialization method, the method including:
initializing a communication port by using a preset first initialization program, establishing communication with an external storage device through the communication port, and performing mutual authentication with the external storage device;
after the authentication succeeds, acquiring a startup program pre-stored in the external storage device, and executing the startup program to complete system startup.
In the above solution, performing mutual authentication with the external storage device includes:
presetting encrypted information, and sending a first digital certificate and the encrypted information to the external storage device;
verifying a second digital certificate that the external storage device sends after it has successfully verified the encrypted information and the first digital certificate.
In the above solution, the preset encrypted information includes:
pre-stored encrypted information; and/or,
information acquired by an encrypted-information input device that is initialized by the first initialization program.
In the above solution, acquiring the startup program pre-stored in the external storage device includes:
encrypting and sending startup program request information by using an asymmetric cryptosystem, according to the second public key in the second digital certificate;
acquiring the startup program from the external storage device, the startup program being encrypted and stored by the external storage device using the first public key in the first digital certificate and the asymmetric cryptosystem.
In the above solution, the startup program includes at least one of the following: a second initialization program; first-stage code; second-stage code.
In the above solution, acquiring the startup program pre-stored in the external storage device and executing the startup program includes: acquiring and executing at least one of the second initialization program, the first-stage code and the second-stage code.
An embodiment of the present invention further provides a system initialization device, the device including a communication establishment module and a startup control module, wherein:
the communication establishment module is configured to initialize a communication port by using a preset first initialization program, establish communication with an external storage device through the communication port, and perform mutual authentication with the external storage device;
the startup control module is configured to acquire, after the authentication succeeds, a startup program pre-stored in the external storage device, and execute the startup program to complete system startup.
In the above solution, the communication establishment module is specifically configured to:
preset encrypted information, and send a first digital certificate and the encrypted information to the external storage device;
verify a second digital certificate that the external storage device sends after it has successfully verified the encrypted information and the first digital certificate.
In the above solution, the communication establishment module is specifically configured to: acquire pre-stored encrypted information; and/or initialize an encrypted-information input device by the first initialization program and obtain the information acquired by the encrypted-information input device.
In the above solution, the startup control module is specifically configured to:
encrypt and send startup program request information by using an asymmetric cryptosystem, according to the second public key in the second digital certificate;
acquire the startup program from the external storage device, the startup program being encrypted and stored by the external storage device using the first public key in the first digital certificate and the asymmetric cryptosystem.
In the above solution, the startup program includes at least one of: a second initialization program, first-stage code, and second-stage code;
the startup control module is specifically configured to: acquire and execute, in sequence, at least one of the second initialization program, the first-stage code and the second-stage code.
An embodiment of the present invention provides a storage medium storing an executable program which, when run by a processor, implements the system initialization method provided by the embodiments of the present invention.
An embodiment of the present invention provides a system initialization device, including:
a memory for storing an executable program;
a processor configured to implement the system initialization method provided by the embodiments of the present invention when running the executable program stored in the memory.
The system initialization method and device and the storage medium provided by the embodiments of the present invention initialize a communication port by using a preset first initialization program, establish communication with an external storage device through the communication port, and perform mutual authentication with the external storage device; after the authentication succeeds, the startup program pre-stored in the external storage device is acquired and executed to complete system startup. Storing the startup program in the external storage device in this way reduces problems such as implantation of malicious code or re-rooting, and improves the security of embedded system initialization; because the startup program is stored in the external server, the memory the embedded system uses to store the startup program can be reduced, lowering the cost of the embedded system.
Brief description of the drawings
FIG. 1 is a schematic flowchart of a system initialization method according to an embodiment of the present invention;
FIG. 2 is a schematic flowchart of authentication according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of an embedded system initialization system according to an embodiment of the present invention;
FIG. 4 is a schematic flowchart of the embedded system initialization steps in the embedded system initialization system according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a system initialization device according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a system initialization device according to an embodiment of the present invention.
Detailed description
In the embodiments of the present invention, a communication port is initialized by using a preset first initialization program, communication with an external storage device is established through the communication port, and mutual authentication is performed with the external storage device; after the authentication succeeds, the startup program pre-stored in the external storage device is acquired and executed to complete system startup.
The present invention is described in further detail below with reference to the embodiments.
The system initialization method provided by an embodiment of the present invention is shown in FIG. 1, and the method includes:
Step 110: initialize a communication port by using a preset first initialization program, establish communication with an external storage device through the communication port, and perform mutual authentication with the external storage device;
Here, a small-capacity ROM or Flash may be provided in the embedded system to store the first initialization program. The communication port may include any communication interface that can be used for data transmission, such as a wired network port, a wireless fidelity (WiFi) interface, or a wireless communication air interface. The external storage device may include an external server or another device that can store data and transfer it securely. The first initialization program holds the program for initializing the communication port and the like; after the embedded system is powered on, this code is moved automatically and initialization operations such as initializing the communication port device are performed. Once the physical connection with the external server has been established by initializing the communication port, authentication can be performed to improve the security of data communication with the external server.
Optionally, as shown in FIG. 2, the specific steps of the authentication include:
Step 1101: the embedded system acquires the preset encrypted information, and sends its own first digital certificate and the encrypted information to the external server;
Here, the encrypted information may be encrypted information such as a password pre-stored in the small-capacity ROM or Flash, or the first initialization program may initialize an encrypted-information input device of the embedded system through which the encrypted information is entered; the encrypted-information input device may be a fingerprint input device, and the encrypted information it captures may be fingerprint information;
Generally, a digital certificate contains a digital signature and a public key, and the digital signature is used to verify the identity of the sender of the digital certificate;
Step 1102: the external server verifies the encrypted information, parses the first digital certificate of the embedded system, and saves the first public key in the first digital certificate of the embedded system;
Step 1103: the server sends the result of verifying the first digital certificate of the embedded system, together with the second digital certificate of the external server;
Step 1104: if the embedded system successfully verifies the second digital certificate, it saves the second public key in the server's digital certificate, and the authentication succeeds.
Step 120: after the authentication succeeds, acquire the startup program pre-stored in the external storage device, and execute the startup program to complete system startup;
Here, after the authentication succeeds, the embedded system has successfully established communication with the external server, and can acquire from the external server the pre-stored startup program of the embedded system and move the startup program directly into the RAM of the embedded system; the embedded system runs the startup program directly in RAM. Because the startup program is stored in the external server and no startup program is stored on the embedded system, illegal malicious implantation into the startup program on the embedded system can be prevented, which improves security. Optionally, to improve security while the startup program is being transmitted, the public keys in the first digital certificate and the second digital certificate can be used to acquire the startup program with asymmetric-cryptosystem encryption; the asymmetric cryptosystem includes the RSA public key encryption algorithm;
For example, the embedded system encrypts the startup program request with the second public key of the external server and sends it to the external server; after receiving the startup program request, the external server decrypts the embedded system's request with its own private key corresponding to the second public key; the external server encrypts the stored startup program with the first public key of the embedded system and sends it to the embedded system; the embedded system stores the encrypted startup program directly in RAM, decrypts it with its own private key corresponding to the first public key, and executes the startup program.
Optionally, the startup program may generally include: an initialization program (the second initialization program), and/or first-stage code, and/or second-stage code. The second initialization program initializes the CPU speed, clock frequency and so on of the embedded system terminal; the first-stage code initializes system memory, NAND flash and so on; the second-stage code is the code that initializes the operating system kernel, that is, the kernel image code. The second initialization program is the basis on which the first-stage code runs, and the first-stage code is the basis on which the second-stage code runs. The second initialization program, the first-stage code and the second-stage code can therefore be acquired in sequence: the first-stage code is acquired after the second initialization program has been acquired and run, and the second-stage code is acquired and run after the first-stage code has run. When at least one of the second initialization program, the first-stage code and the second-stage code is acquired, the asymmetric cryptosystem described above can be used for the data transmission.
The positive effects produced by the present invention are described in further detail below with reference to a specific example;
As shown in FIG. 3, the embedded system initialization system includes: an embedded system terminal 31, a server 32, and a network 33 connecting the embedded system terminal and the server, wherein:
the embedded system terminal 31 is provided with a ROM, and the ROM holds the first initialization program, which mainly initializes the network port or air interface and is the first piece of code executed after the embedded system terminal is powered on;
the server 32 is provided with a key management module and the stored startup program. The startup program includes: the second initialization program, first-stage (Stage1) code, and second-stage (Stage2) code. The key management module is responsible for generating and managing keys, and for maintaining and verifying the encrypted information of the embedded system terminal 31. The second initialization program is mainly the code for hardware initialization, such as the CPU speed and clock frequency of the embedded system terminal 31. The Stage1 code is mainly the code for hardware initialization, such as initializing the system memory and the NAND flash of the embedded system terminal 31. The Stage2 code is mainly the kernel image of the operating system of the embedded system terminal 31;
the network 33 may be a wired network, a wireless communication air interface, or the like.
The specific working steps and interaction flow of the embedded system initialization system are shown in FIG. 4 and include:
Step 401: the embedded system terminal 31 performs a power-on reset and calls the first initialization program in ROM, which initializes the network port or air interface.
On power-on reset, the embedded system terminal 31 copies the first initialization program from ROM space into RAM and then executes it, completing operations such as initialization of the network port or air interface;
Step 402: the user enters a fingerprint, which is sent to the server 32 together with the digital certificate of the embedded system terminal 31;
Step 403: the server 32 verifies the fingerprint, parses the digital certificate of the embedded system terminal 31, and saves the public key of the embedded system terminal 31;
Step 404: the server 32 sends the result of verifying the digital certificate of the embedded system terminal 31, together with the digital certificate of the server 32;
Step 405: the embedded system terminal 31 verifies the digital certificate of the server 32 and, if verification passes, saves the public key in the digital certificate of the server 32;
Step 406: the embedded system terminal 31 encrypts a request for the second initialization program with the public key of the server 32 and sends it;
Step 407: the server 32 decrypts the request of the embedded system terminal 31 with its own private key;
Step 408: the server 32 encrypts the second initialization program with the public key of the embedded system client and sends it to the embedded system terminal 31;
Step 409: the embedded system terminal 31 decrypts the second initialization program sent by the server 32 with its own private key and executes it, completing operations such as hardware initialization, the device exception vector table, and the memory controller;
Step 410: the embedded system terminal 31 encrypts a Stage1 code request with the public key of the server 32 and sends it;
Step 411: the server 32 decrypts the Stage1 code request with its own private key;
Step 412: the server 32 encrypts the Stage1 code with the public key of the embedded system terminal 31 and sends it to the embedded system terminal 31;
Step 413: the embedded system terminal 31 decrypts with its private key and executes the Stage1 code, completing initialization of system memory, the display, and so on;
Step 414: the embedded system terminal 31 encrypts a Stage2 code request with the public key of the server 32 and sends it;
Step 415: the server 32 decrypts the Stage2 code request with its own private key;
Step 416: the server 32 encrypts the Stage2 code with the public key of the embedded system terminal 31 and sends it to the embedded system terminal 31;
Step 417: the embedded system terminal 31 decrypts with its private key, jumps to the Stage2 code entry point, and starts the kernel.
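The exchange in steps 402 to 417, with both sides' messages, as an added simulation that is not part of the patent text. Assumptions: textbook RSA on fixed Mersenne primes stands in for the RSA encryption the description names and is insecure by construction; the certificate layout, the CA, the hashed fingerprint enrolment, the server-side ordering check and all names (`BootServer`, `boot`, `demo_setup`) are hypothetical.

```python
import hashlib
import hmac

E = 65537
STAGES = ("init2", "stage1", "stage2")  # second init program, Stage1, Stage2

def toy_keypair(a, b):
    """Constructed toy RSA key from Mersenne primes 2**a-1 and 2**b-1 (insecure)."""
    p, q = 2**a - 1, 2**b - 1
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def rsa_encrypt(pub, data):
    """Textbook RSA per chunk; the 0x01 prefix preserves leading zero bytes."""
    n, e = pub
    k = (n.bit_length() - 1) // 8 - 1
    return [pow(int.from_bytes(b"\x01" + data[i:i + k], "big"), e, n)
            for i in range(0, max(len(data), 1), k)]

def rsa_decrypt(priv, blocks):
    n, d = priv
    out = b""
    for c in blocks:
        m = pow(c, d, n)
        out += m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]
    return out

def _digest(name, pub):
    return int.from_bytes(hashlib.sha256(f"{name}|{pub}".encode()).digest(), "big")

def issue_cert(ca_priv, name, pub):
    """Hypothetical certificate: subject name, public key, CA signature."""
    n, d = ca_priv
    return {"name": name, "pub": pub, "sig": pow(_digest(name, pub), d, n)}

def verify_cert(ca_pub, cert):
    n, e = ca_pub
    return pow(cert["sig"], e, n) == _digest(cert["name"], cert["pub"])

class BootServer:
    """Server 32: verifies the terminal, then releases stages in order only."""
    def __init__(self, ca_pub, cert, priv, images, enrolled):
        self.ca_pub, self.cert, self.priv = ca_pub, cert, priv
        self.images, self.enrolled = images, enrolled
        self.sessions = {}  # terminal name -> [terminal public key, next stage index]

    def authenticate(self, secret, term_cert):  # steps 403-404
        expected = self.enrolled.get(term_cert["name"], "")
        if not hmac.compare_digest(hashlib.sha256(secret).hexdigest(), expected):
            return None
        if not verify_cert(self.ca_pub, term_cert):
            return None
        self.sessions[term_cert["name"]] = [term_cert["pub"], 0]
        return self.cert

    def fetch(self, name, enc_request):  # steps 407-408, 411-412, 415-416
        session = self.sessions.get(name)
        if session is None:
            raise PermissionError("terminal not authenticated")
        stage = rsa_decrypt(self.priv, enc_request).decode(errors="replace")
        if session[1] >= len(STAGES) or stage != STAGES[session[1]]:
            raise PermissionError("stage requested out of order")
        session[1] += 1
        return rsa_encrypt(session[0], self.images[stage])

def boot(ca_pub, term_cert, term_priv, secret, server):
    """Terminal 31, steps 402-417: returns the decrypted stages in run order."""
    server_cert = server.authenticate(secret, term_cert)  # step 402
    if server_cert is None:
        raise PermissionError("server rejected terminal")
    if not verify_cert(ca_pub, server_cert):  # step 405
        raise PermissionError("server certificate not trusted")
    loaded = []
    for stage in STAGES:
        request = rsa_encrypt(server_cert["pub"], stage.encode())
        reply = server.fetch(term_cert["name"], request)
        # Held in RAM only; a real terminal would execute each stage here.
        loaded.append((stage, rsa_decrypt(term_priv, reply)))
    return loaded

def demo_setup():
    """Constructed keys, certificates, images and enrolment for the demo."""
    ca_pub, ca_priv = toy_keypair(89, 1279)
    term_pub, term_priv = toy_keypair(127, 521)
    srv_pub, srv_priv = toy_keypair(107, 607)
    images = {"init2": b"\x00cpu-clock-setup", "stage1": b"dram+nand-init",
              "stage2": b"kernel-image" * 50}
    enrolled = {"terminal31": hashlib.sha256(b"fingerprint-template").hexdigest()}
    server = BootServer(ca_pub, issue_cert(ca_priv, "server32", srv_pub),
                        srv_priv, images, enrolled)
    return ca_pub, issue_cert(ca_priv, "terminal31", term_pub), term_priv, server, images

if __name__ == "__main__":
    ca_pub, cert, priv, server, _ = demo_setup()
    for name, image in boot(ca_pub, cert, priv, b"fingerprint-template", server):
        print(name, len(image), "bytes")
```
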
本发明实施例提供的系统初始化装置,如图5所示,所述装置包括:通信建立模块51和启动控制模块52;其中,The system initialization device provided by the embodiment of the present invention, as shown in FIG. 5, the device includes: a communication establishment module 51 and a startup control module 52;
所述通信建立模块51,配置为采用预设第一初始化程序初始化通信端口,通过所述通信端口建立与外部存储装置的通信,并与所述外部存储装置进行相互鉴权;The communication establishing module 51 is configured to initialize a communication port by using a preset first initialization program, establish communication with an external storage device through the communication port, and perform mutual authentication with the external storage device;
这里,可以在嵌入式系统中设置一个小容量的ROM或者Flash来存储所述第一初始化程序;所述通信端口可以包括:有线网口、WiFi、无线通信空口等可以用来进行数据传输的各种通信接口;所述外部存储装置可以包括外部服务器等配置为存储及进行安全数据传送的装置;所述第一初始化程序用于存放初始化通信端口的程序等,在嵌入式系统上电后会自动搬移这部分代码,执行初始化通信端口设备等初始化操作;通过初始化通信端口建立与外部服务器的物理连接后,可以进行鉴权,提高与所述外部服务器数据通信的安全性。Here, a small-capacity ROM or Flash may be set in the embedded system to store the first initialization program; the communication port may include: a wired network port, a WiFi, a wireless communication air interface, and the like, which can be used for data transmission. a communication interface; the external storage device may include an external server or the like configured to store and perform secure data transfer; the first initialization program is configured to store a program for initializing a communication port, etc., automatically after the embedded system is powered on The part of the code is moved, and an initialization operation such as initializing the communication port device is performed; after the physical connection with the external server is established by initializing the communication port, authentication can be performed to improve the security of data communication with the external server.
可选的,如图2所示,所述鉴权的具体步骤包括:Optionally, as shown in FIG. 2, the specific steps of the authentication include:
步骤1101:嵌入式系统获取预设的加密信息,将自身的第一数字证书和所述加密信息,发送给外部服务器;Step 1101: The embedded system acquires preset encryption information, and sends its first digital certificate and the encrypted information to an external server.
这里,所述加密信息可以是预先存储在所述小容量的ROM或者Flash中的密码等加密信息,也可以是通过所述第一初始化程序对嵌入式系统的加密信息输入设备进行初始化,并输入所述加密信息;其中,所述加密信息输入设备可以是指纹输入设备,所述加密信息输入设备可以是指纹信息;Here, the encrypted information may be encrypted information such as a password pre-stored in the small-capacity ROM or Flash, or may be initialized and input to the encrypted information input device of the embedded system by the first initialization program. The encrypted information input device may be a fingerprint input device, and the encrypted information input device may be fingerprint information;
通常,数字证书中包含数字签名和公钥,所述数字签名用于验证数字 证书发送者的身份;Typically, a digital certificate contains a digital signature and a public key that is used to verify the number. The identity of the sender of the certificate;
步骤1102:外部服务器完成所述加密信息的验证,并且解析所述嵌入式系统的第一数字证书,保存所述嵌入式系统第一数字证书中的第一公钥;Step 1102: The external server completes the verification of the encrypted information, and parses the first digital certificate of the embedded system, and saves the first public key in the first digital certificate of the embedded system;
步骤1103:服务器发送对嵌入式系统的第一数字证书的验证结果,并携带外部服务器的第二数字证书;Step 1103: The server sends a verification result of the first digital certificate of the embedded system, and carries a second digital certificate of the external server.
步骤1104:如果嵌入式系统对所述第二数字证书验证通过,保存服务器的数字证书的第二公钥,鉴权成功。Step 1104: If the embedded system verifies the second digital certificate, the second public key of the digital certificate of the server is saved, and the authentication succeeds.
The startup control module 52 is configured to, after authentication succeeds, obtain the startup program stored in advance in the external storage device and execute it to complete system startup;
Here, after authentication succeeds, communication between the embedded system and the external server is established. The embedded system can obtain its pre-stored startup program from the external server and move it directly into the RAM of the embedded system, where the startup program is run directly. Because the startup program is stored on the external server and not on the embedded system, illegal or malicious implantation into the startup program on the embedded system can be prevented, which improves security;
Optionally, to improve security while the startup program is being transmitted, the public keys in the first and second digital certificates may be used to obtain the startup program with asymmetric-cryptosystem encryption; the asymmetric cryptosystem includes the RSA public-key encryption algorithm;
For example, the embedded system encrypts the startup program request with the second public key of the external server and sends it to the external server; on receiving the request, the external server decrypts it with its own private key corresponding to the second public key; the external server encrypts the stored startup program with the first public key of the embedded system and sends it to the embedded system; the embedded system stores the encrypted startup program directly in RAM, decrypts it with its own private key corresponding to the first public key, and executes the startup program.
Optionally, the startup program may typically include at least one of: an initialization program (the second initialization program), first-stage code, and second-stage code. The second initialization program initializes the CPU speed, clock frequency and the like of the embedded system terminal; the first-stage code initializes system memory, NAND flash and the like; the second-stage code is the code that initializes the operating system kernel, that is, the kernel image code. The second initialization program is the basis on which the first-stage code runs, and the first-stage code is the basis on which the second-stage code runs. The second initialization program, the first-stage code and the second-stage code can therefore be obtained in sequence: the first-stage code is obtained after the second initialization program has been obtained and run, and the second-stage code is obtained and run after the first-stage code has run. The asymmetric cryptosystem described above may be used for data transmission when obtaining any of the second initialization program, the first-stage code and the second-stage code.
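The exchange in steps 1101 to 1104 and the staged, encrypted fetch of the startup program can be simulated end to end as follows. This is an added example, not code from the patent: the class and method names, the message shapes and the fingerprint check standing in for certificate validation are assumptions. The RSA is unpadded with small constructed keys, so it only shows which key protects which message.

```python
import hashlib, hmac
E = 65537  # public exponent used by both constructed key pairs

class KeyPair:
    """Toy unpadded RSA key built from two known Mersenne primes (constructed)."""
    def __init__(self, p, q):
        self.n = p * q
        self._d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
        self.public = (self.n, E)

    def decrypt(self, blocks):
        out = b""
        for c in blocks:
            m = pow(c, self._d, self.n)
            # Every plaintext block starts with a 0x01 marker byte; drop it.
            out += m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]
        return out

def encrypt(public, data):
    """Encrypt bytes block by block under the peer's public key."""
    n, e = public
    step = (n.bit_length() - 1) // 8 - 1  # payload bytes per block
    return [pow(int.from_bytes(b"\x01" + data[i:i + step], "big"), e, n)
            for i in range(0, len(data), step)]

def fingerprint(cert):
    """Assumed stand-in for certificate validation: hash of the public key."""
    return hashlib.sha256(repr(cert["public"]).encode()).hexdigest()

class Server:
    def __init__(self, key, secret, trusted_devices, stages):
        self.key, self.secret = key, secret
        self.trusted, self.stages = trusted_devices, stages
        self.cert = {"subject": "boot-server", "public": key.public}
        self.device_pub = None

    def authenticate(self, device_cert, secret):
        # Steps 1102-1103: check preset information and first certificate,
        # save the first public key, reply with the second certificate.
        ok = hmac.compare_digest(secret, self.secret)
        if not ok or fingerprint(device_cert) not in self.trusted:
            return None
        self.device_pub = device_cert["public"]
        return {"result": "ok", "cert": self.cert}

    def handle_request(self, enc_request):
        if self.device_pub is None:
            raise PermissionError("device not authenticated")
        name = self.key.decrypt(enc_request).decode()
        return encrypt(self.device_pub, self.stages[name])

class Device:
    ORDER = ("second_init", "stage1", "stage2")  # each stage needs the previous one
    def __init__(self, key, secret, pinned_server_fp):
        self.key, self.secret, self.pinned = key, secret, pinned_server_fp
        self.cert = {"subject": "device", "public": key.public}
        self.server_pub = None

    def authenticate(self, server):
        # Step 1101: send the first certificate and the preset information.
        reply = server.authenticate(self.cert, self.secret)
        # Step 1104: accept only the expected second certificate.
        if reply is None or fingerprint(reply["cert"]) != self.pinned:
            return False
        self.server_pub = reply["cert"]["public"]
        return True

    def boot(self, server):
        if self.server_pub is None:
            raise PermissionError("no boot fetch before mutual authentication")
        ram = []
        for name in self.ORDER:
            request = encrypt(self.server_pub, name.encode())
            ram.append(self.key.decrypt(server.handle_request(request)))
        return ram  # decrypted stages, held only in RAM

def demo(device_secret=b"preset-info"):
    dev_key = KeyPair(2**89 - 1, 2**107 - 1)
    srv_key = KeyPair(2**61 - 1, 2**127 - 1)
    stages = {"second_init": b"set CPU speed and clock frequency",
              "stage1": b"init system memory and NAND flash",
              "stage2": b"\x00kernel image bytes"}
    dev = Device(dev_key, device_secret, fingerprint({"public": srv_key.public}))
    srv = Server(srv_key, b"preset-info",
                 {fingerprint({"public": dev_key.public})}, stages)
    return dev, srv, stages
```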
In practical applications, both the communication establishing module 51 and the startup control module 52 may be implemented by a CPU, a microprocessor (MPU), a digital signal processor (DSP), a field-programmable gate array (FPGA) or the like in the embedded system.
As an example of the hardware structure of the system initialization apparatus shown in FIG. 5, see FIG. 6. FIG. 6 is a schematic diagram of the hardware structure of the system initialization apparatus provided by an embodiment of the present invention, which includes at least one processor 601, a memory 602 and a communication interface 603. The components of the system initialization apparatus are coupled together by a bus system 604. It can be understood that the bus system 604 is used to implement connection and communication among these components. In addition to a data bus, the bus system 604 includes a power bus, a control bus and a status signal bus. For clarity of description, however, all of these buses are labeled as bus system 604 in FIG. 6.
It can be understood that the memory 602 may be volatile memory or non-volatile memory, and may include both. The non-volatile memory may be a ROM, a programmable read-only memory (PROM) or an erasable programmable read-only memory (EPROM). The memory 602 described in the embodiments of the present invention is intended to include, without being limited to, these and any other suitable types of memory.
The memory 602 in the embodiments of the present invention is used to store various types of data to support the operation of the system initialization apparatus. Examples of such data include any computer program to be run on the system initialization apparatus, such as an operating system 6021 and programs 6022. The operating system 6021 contains various system programs, such as a framework layer, a core library layer and a driver layer, which implement basic services and handle hardware-based tasks. The programs 6022 may contain various programs, and a program implementing the system initialization method of the embodiments of the present invention may be included in the programs 6022.
The communication interface 603 is used for wired or wireless communication between the system initialization apparatus and other devices. The system initialization apparatus can access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof.
The method disclosed in the above embodiments of the present invention may be applied in, or implemented by, the processor 601. The processor 601 may be an integrated circuit chip with signal processing capability. In implementation, the steps of the method may be completed by integrated logic circuits in hardware in the processor 601 or by instructions in the form of software. The processor 601 may be a general-purpose processor, a DSP, another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The processor 601 can implement or execute the system initialization methods, steps and logic block diagrams described in the embodiments of the present invention. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present invention may be carried out directly by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium in the memory 602; the processor 601 reads the information in the memory 602 and completes the system initialization steps described above in combination with its hardware.
In an exemplary embodiment, the system initialization apparatus may be implemented by one or more application-specific integrated circuits (ASIC), DSPs, programmable logic devices (PLD), complex programmable logic devices (CPLD), FPGAs, general-purpose processors, controllers, microcontrollers (MCU, Micro Controller Unit), microprocessors, or other electronic components, for executing the system initialization method described above.
An embodiment of the present invention further provides a storage medium storing an executable program which, when run by a processor, implements the system initialization method, such as the method shown in any of FIGS. 1, 2 and 4. The storage medium may be any of the types of non-volatile storage medium described above.
The above are merely preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.
Industrial Applicability
The embodiments of the present invention provide a system initialization method in which a preset first initialization program initializes a communication port, communication with an external server is established through the communication port, and mutual authentication is performed with the external server; after authentication succeeds, the startup program stored in advance on the external server is obtained and executed to complete system startup. The embodiments of the present invention further provide a system initialization apparatus and a storage medium. Implementing the present invention can improve the security of embedded system initialization and reduce the cost of the embedded system.

Claims (13)

  1. A system initialization method, the method comprising:
    initializing a communication port with a preset first initialization program, establishing communication with an external storage device through the communication port, and performing mutual authentication with the external storage device;
    after authentication succeeds, obtaining a startup program stored in advance in the external storage device, and executing the startup program to complete system startup.
  2. The method according to claim 1, wherein performing mutual authentication with the external storage device comprises:
    presetting encrypted information, and sending a first digital certificate and the encrypted information to the external storage device;
    verifying a second digital certificate that the external storage device sends after it has successfully verified the encrypted information and the first digital certificate.
  3. The method according to claim 2, wherein the preset encrypted information comprises:
    encrypted information stored in advance; and/or,
    information acquired by an encrypted-information input device that has been initialized by the first initialization program.
  4. The method according to claim 2, wherein obtaining the startup program stored in advance in the external storage device comprises:
    encrypting startup program request information with an asymmetric cryptosystem using the second public key in the second digital certificate, and sending it;
    obtaining the startup program from the external storage device, the startup program having been encrypted by the external storage device with the asymmetric cryptosystem using the first public key in the first digital certificate, and stored.
  5. The method according to any one of claims 1 to 4, wherein the startup program comprises at least one of: a second initialization program; first-stage code; second-stage code.
  6. The method according to claim 5, wherein obtaining the startup program stored in advance in the external storage device and executing the startup program comprises:
    obtaining and executing at least one of the second initialization program, the first-stage code and the second-stage code.
  7. A system initialization apparatus, the apparatus comprising a communication establishing module and a startup control module, wherein:
    the communication establishing module is configured to initialize a communication port with a preset first initialization program, establish communication with an external storage device through the communication port, and perform mutual authentication with the external storage device;
    the startup control module is configured to, after authentication succeeds, obtain a startup program stored in advance in the external storage device and execute the startup program to complete system startup.
  8. The apparatus according to claim 7, wherein the communication establishing module is specifically configured to:
    preset encrypted information, and send a first digital certificate and the encrypted information to the external storage device;
    verify a second digital certificate that the external storage device sends after it has successfully verified the encrypted information and the first digital certificate.
  9. The apparatus according to claim 8, wherein the communication establishing module is specifically configured to: obtain encrypted information stored in advance; and/or initialize an encrypted-information input device with the first initialization program and obtain the information acquired by the encrypted-information input device.
  10. The apparatus according to claim 8, wherein the startup control module is specifically configured to:
    encrypt startup program request information with an asymmetric cryptosystem using the second public key in the second digital certificate, and send it;
    obtain the startup program from the external storage device, the startup program having been encrypted by the external storage device with the asymmetric cryptosystem using the first public key in the first digital certificate, and stored.
  11. The apparatus according to any one of claims 7 to 10, wherein the startup program comprises at least one of a second initialization program, first-stage code and second-stage code;
    the startup control module is specifically configured to obtain and execute, in sequence, at least one of the second initialization program, the first-stage code and the second-stage code.
  12. A storage medium storing an executable program which, when run by a processor, implements the system initialization method according to any one of claims 1 to 6.
  13. A system initialization apparatus, comprising:
    a memory for storing an executable program;
    a processor configured to implement the system initialization method according to any one of claims 1 to 6 when running the executable program stored in the memory.
PCT/CN2017/085790 2016-10-17 2017-05-24 System initialization method and device, and storage medium WO2018072442A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610906227.1A CN107958155A (en) 2016-10-17 2016-10-17 A kind of system initialization method and device
CN201610906227.1 2016-10-17

Publications (1)

Publication Number Publication Date
WO2018072442A1 true WO2018072442A1 (en) 2018-04-26

Family

ID=61953454

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/085790 WO2018072442A1 (en) 2016-10-17 2017-05-24 System initialization method and device, and storage medium

Country Status (2)

Country Link
CN (1) CN107958155A (en)
WO (1) WO2018072442A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110716660A (en) * 2019-09-02 2020-01-21 Oppo(重庆)智能科技有限公司 Touch screen starting method, terminal and storage medium
TWI729954B (en) * 2020-01-21 2021-06-01 慧榮科技股份有限公司 Flash memory initialization scheme for writing boot up information into selected storage locations averagely and randomly distributed over more storage locations and correspondingly method for reading boot up information from selected storage locations

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110716697B (en) * 2019-09-29 2021-09-14 联想(北京)有限公司 Information processing method and equipment
CN110750767B (en) * 2019-10-18 2023-05-02 神州数码融信软件有限公司 Login initialization method of intelligent terminal equipment and intelligent terminal equipment
TWI768255B (en) 2019-10-28 2022-06-21 瑞昱半導體股份有限公司 Cloud deployment boot image electronic device, boot image cloud deployment system and method thereof
CN112784275B (en) * 2019-11-01 2024-09-03 瑞昱半导体股份有限公司 Electronic device, cloud deployment system of boot image and method thereof
CN113254372A (en) * 2020-08-07 2021-08-13 广东高云半导体科技股份有限公司 Method and system for providing a programmable microcontroller with a two-stage configuration process

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101212471A (en) * 2006-12-31 2008-07-02 中兴通讯股份有限公司 Data synchronization method in SyncML protocol
CN101472026A (en) * 2007-12-28 2009-07-01 东友科技股份有限公司 Startup system and method for image processing device
CN101557332A (en) * 2009-02-17 2009-10-14 刘利华 Intelligent household information management system
CN101567795A (en) * 2009-01-14 2009-10-28 闫军因 Intelligent community management system
CN105278974A (en) * 2014-06-30 2016-01-27 深圳市中兴微电子技术有限公司 Chip starting method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060285158A1 (en) * 2005-06-16 2006-12-21 Kabushiki Kaisha Toshiba Image forming apparatus
CN101997834B (en) * 2009-08-10 2015-01-07 北京多思科技发展有限公司 Device for supporting high-performance safety protocol

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110716660A (en) * 2019-09-02 2020-01-21 Oppo(重庆)智能科技有限公司 Touch screen starting method, terminal and storage medium
TWI729954B (en) * 2020-01-21 2021-06-01 慧榮科技股份有限公司 Flash memory initialization scheme for writing boot up information into selected storage locations averagely and randomly distributed over more storage locations and correspondingly method for reading boot up information from selected storage locations
US11144223B2 (en) 2020-01-21 2021-10-12 Silicon Motion, Inc. Flash memory initialization scheme for writing boot up information into selected storage locations averagely and randomly distributed over more storage locations and correspondingly method for reading boot up information from selected storage locations
US11543982B2 (en) 2020-01-21 2023-01-03 Silicon Motion, Inc. Flash memory initialization scheme for writing boot up information into selected storage locations averagely and randomly distributed over more storage locations and correspondingly method for reading boot up information from selected storage locations

Also Published As

Publication number Publication date
CN107958155A (en) 2018-04-24

Similar Documents

Publication Publication Date Title
WO2018072442A1 (en) System initialization method and device, and storage medium
TWI489315B (en) System and method for temporary secure boot of an electronic device
US9749141B2 (en) Secure boot devices, systems, and methods
TWI436280B (en) Authentication method for accessing profile of basic input/output system
TWI632483B (en) Security device and method of providing security service to host therein, security apparatus and computer software product
US8019994B2 (en) Authentication of a request to alter at least one of a BIOS and a setting associated with the BIOS
CN110688660B (en) Method and device for safely starting terminal and storage medium
JP6927981B2 (en) Methods, systems, and devices that use forward secure cryptography for passcode verification.
WO2014079009A1 (en) Management control method, device and system for virtual machine
US9904806B2 (en) Hardware security module, method of updating integrity check value stored in hardware security module, and method of updating program stored in terminal by using hardware security module
CN109145628B (en) Data acquisition method and system based on trusted execution environment
US20080022124A1 (en) Methods and apparatus to offload cryptographic processes
JP5613596B2 (en) Authentication system, terminal device, authentication server, and program
CN110730159B (en) TrustZone-based secure and trusted hybrid system starting method
US11423150B2 (en) System and method for booting processors with encrypted boot image
US8341389B2 (en) Device, systems, and method for securely starting up a computer installation
JP2019192231A (en) Computer system and method for initializing computer system
WO2016101559A1 (en) Secure data access method and device, and computer storage medium
CN109508529B (en) Method for realizing safety starting verification of payment terminal
CN109891823B (en) Method, system, and non-transitory computer readable medium for credential encryption
JP6517435B2 (en) How to manage the application
CN108319848B (en) Starting-up control method and device
CN107317925B (en) Mobile terminal
CN109840409B (en) Core board and core board starting method
CN111357003A (en) Data protection in a pre-operating system environment

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17863002

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17863002

Country of ref document: EP

Kind code of ref document: A1