[go: up one dir, main page]

CN116701006A - A component communication method and computing device - Google Patents

A component communication method and computing device Download PDF

Info

Publication number
CN116701006A
CN116701006A CN202210188431.XA CN202210188431A CN116701006A CN 116701006 A CN116701006 A CN 116701006A CN 202210188431 A CN202210188431 A CN 202210188431A CN 116701006 A CN116701006 A CN 116701006A
Authority
CN
China
Prior art keywords
component
request
access
management module
access credential
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210188431.XA
Other languages
Chinese (zh)
Inventor
吴玲玲
李小川
张超
李宏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN202210516329.8A priority Critical patent/CN115061826B/en
Priority to CN202210188431.XA priority patent/CN116701006A/en
Priority to PCT/CN2023/078424 priority patent/WO2023160701A1/en
Publication of CN116701006A publication Critical patent/CN116701006A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/54Interprogram communication
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Storage Device Security (AREA)

Abstract

本申请提供一种组件通信方法及计算设备,该计算设备至少包括第一组件、第二组件、管理模块;第一组件在访问第二组件之前,向管理模块发送第一请求;管理模块在对第一组件的访问权限验证通过后,向第一组件发送第二组件的访问凭证;第一组件基于该访问凭证向第二组件发送第二请求,第二请求用于请求访问第二组件。本申请中,在计算设备内设置组件的管理模块,该管理模块负责各组件的访问凭证的生成及管理,组件之间基于访问凭证进行通信,有效消减多厂商组件模式下的组件被仿冒、数据被篡改、信息被泄漏以及组件间非法访问的风险,保障了跨组件间的总线通信安全。

The present application provides a component communication method and a computing device, the computing device at least includes a first component, a second component, and a management module; the first component sends a first request to the management module before accessing the second component; After the access right of the first component is verified, the access credential of the second component is sent to the first component; the first component sends a second request to the second component based on the access credential, and the second request is used to request access to the second component. In this application, a component management module is set in the computing device. The management module is responsible for the generation and management of the access credentials of each component. The risk of tampering, information leakage and illegal access between components ensures the security of bus communication between components.

Description

一种组件通信方法及计算设备A component communication method and computing device

技术领域technical field

本申请涉及计算机技术领域,尤其涉及一种组件通信方法及计算设备。The present application relates to the field of computer technology, in particular to a component communication method and computing equipment.

背景技术Background technique

在全量组件化的服务器架构中,将传统的主板拆分为基础板、扩展板和扩展组件。与传统的服务器相比,全量组件化的服务器具有组件易扩展、维修等便利性,同时存在组件可能被仿冒篡改的风险。In the fully componentized server architecture, the traditional motherboard is split into basic boards, expansion boards and expansion components. Compared with traditional servers, fully componentized servers have the convenience of easy expansion and maintenance of components, and at the same time, there is a risk that components may be counterfeited and tampered with.

在全量组件化的服务器内,组件之间可以通过内存互联(Compute Express Link,CXL)、或统一总线(unified bus,UB或Ubus)等高速互联总线进行连接,组件之间可以直接访问各自的内存数据,也因此,跨组件的内存访问对计算组件和内存扩展组件均带来安全性挑战,一旦被仿冒篡改的组件接入计算设备,将可能导致组件能力被劫持、滥用、内存数据泄露等问题,存在诸多安全风险。In a fully componentized server, components can be connected through high-speed interconnection buses such as memory interconnection (Compute Express Link, CXL) or unified bus (unified bus, UB or Ubus), and components can directly access their respective memory Data, and therefore, cross-component memory access brings security challenges to both computing components and memory expansion components. Once a counterfeit and tampered component is connected to a computing device, it may lead to hijacking of component capabilities, abuse, and memory data leakage. , there are many security risks.

发明内容Contents of the invention

本申请提供一种组件通信方法及计算设备,用于提高计算设备内的组件之间进行总线通信的安全性,降低数据泄露的风险。The present application provides a component communication method and a computing device, which are used to improve the security of bus communication between components in the computing device and reduce the risk of data leakage.

第一方面,本申请实施例提供了一种计算设备,该计算设备至少包括第一组件、第二组件、管理模块;In the first aspect, the embodiment of the present application provides a computing device, the computing device at least includes a first component, a second component, and a management module;

在访问第二组件之前,第一组件,用于向所述管理模块发送请求(记为第一请求);管理模块,用于接收第一组件的第一请求对第一组件的访问权限验证通过后,向第一组件发送第二组件的访问凭证;第一组件,还用于基于第二组件的访问凭证向第二组件发送请求(记为第二请求),第二请求用于请求访问第二组件。Before accessing the second component, the first component is used to send a request (denoted as the first request) to the management module; the management module is used to receive the first request of the first component and pass the access verification of the first component After that, send the access credential of the second component to the first component; the first component is also used to send a request to the second component based on the access credential of the second component (denoted as the second request), and the second request is used to request access to the second component Two components.

通过上述设计,第一组件在访问第二组件之前,向管理模块发送第一请求;管理模块在对第一组件的访问权限验证通过后,向第一组件发送第二组件的访问凭证;第一组件基于该访问凭证向第二组件发送第二请求,第二请求用于请求访问第二组件。这样,可以有效消减多厂商组件模式下的组件被仿冒、数据被篡改、信息被泄漏以及组件间非法访问的风险,保障了总线上各组件通信的安全可信。Through the above design, the first component sends the first request to the management module before accessing the second component; the management module sends the access credential of the second component to the first component after the access authority verification of the first component is passed; the first The component sends a second request to the second component based on the access credential, and the second request is used to request access to the second component. In this way, the risks of component counterfeiting, data tampering, information leakage and illegal access between components in the multi-vendor component mode can be effectively reduced, and the security and reliability of communication between components on the bus are guaranteed.

在一种可能的实现方式中,第二组件,用于向管理模块发送注册请求,该注册请求用于请求注册所述第二组件的可访问资源;管理模块,用于生成并存储第二组件的可访问资源的访问凭证。In a possible implementation manner, the second component is configured to send a registration request to the management module, where the registration request is used to request registration of the accessible resources of the second component; the management module is configured to generate and store the second component Access credentials for accessible resources.

通过上述设计,在计算设备内设置组件的管理模块,该管理模块负责各组件的访问凭证的生成及管理,从而实现组件之间基于访问凭证进行通信,以保障跨组件间的总线通信安全。Through the above design, a component management module is set in the computing device, and the management module is responsible for the generation and management of the access credentials of each component, so as to realize the communication between components based on the access credentials, so as to ensure the security of bus communication between components.

在一种可能的实现方式中,第二组件的访问凭证为管理模块根据第二组件的内存度量值生成的。In a possible implementation manner, the access credential of the second component is generated by the management module according to the memory measurement value of the second component.

通过上述设计,采用组件的内存度量值生成组件的访问凭证,有效消减组件可能面临的被仿冒的风险。Through the above design, the memory measurement value of the component is used to generate the access credential of the component, which effectively reduces the risk of counterfeiting that the component may face.

在一种可能的实现方式中,第一组件在基于第二组件的访问凭证向第二组件发送第二请求时,具体用于:使用数据密钥对该访问凭证进行加密,得到加密后的访问凭证;其中,第二请求包括加密后的访问凭证;该数据密钥为第一组件从管理模块接收到的。In a possible implementation manner, when the first component sends the second request to the second component based on the access credential of the second component, it is specifically used to: encrypt the access credential with a data key to obtain the encrypted access credential Credentials; wherein, the second request includes encrypted access credentials; the data key is received by the first component from the management module.

通过上述设计,第一组件使用数据密钥对第二组件的访问凭证进行加密,并通过第二请求将加密后的访问凭证发送给第二组件,通过该设计,可以增强数据通信的安全性,通过数据密钥加密以及第二组件的访问凭证进行组件间通信,实现双层安全保障防护,有效消减第二组件的访问凭证被泄露的风险。Through the above design, the first component uses the data key to encrypt the access credentials of the second component, and sends the encrypted access credentials to the second component through the second request. Through this design, the security of data communication can be enhanced. Through the data key encryption and the access credentials of the second component for inter-component communication, two-layer security protection is realized, which effectively reduces the risk of the access credentials of the second component being leaked.

在一种可能的实现方式中,第二组件还用于:接收并存储管理模块发送的访问凭证;第二组件在接收到所述第一组件发送的第二请求之后,还用于:使用数据密钥对加密后的访问凭证进行解密,得到解密后的访问凭证;数据密钥为所述第二组件从管理模块接收到的;若解密后的访问凭证与所述第二组件存储的所述访问凭证相同,则所述第二组件还用于响应所述第二请求;或者,若不同,则所述第二组件还用于丢弃所述第二请求。In a possible implementation manner, the second component is further configured to: receive and store the access credentials sent by the management module; after receiving the second request sent by the first component, the second component is further configured to: use the data The key decrypts the encrypted access credential to obtain the decrypted access credential; the data key is received by the second component from the management module; if the decrypted access credential is the same as the If the access credentials are the same, the second component is further configured to respond to the second request; or, if they are different, the second component is further configured to discard the second request.

在一种可能的实现方式中,管理模块为主板管理控制器(Baseboard ManagementController,BMC)。In a possible implementation manner, the management module is a baseboard management controller (Baseboard Management Controller, BMC).

第二方面,本申请实施例提供了一种组件通信方法,该方法可以由计算机执行,其中,计算机至少包括主板管理控制器(Baseboard Management Controller,BMC)、第一组件和第二组件,在该方法中,第一组件,用于在访问所述第二组件之前,向所述管理模块发送第一请求;第一组件在访问所述第二组件之前,向所述管理模块发送第一请求;第一请求用于请求获取第二组件的访问凭证;在对第一组件的访问权限验证通过后,管理模块向第一组件发送第二组件的访问凭证;第一组件基于该访问凭证向第二组件发送第二请求,所述第二请求用于请求访问所述第二组件。In the second aspect, the embodiment of the present application provides a component communication method, which can be executed by a computer, wherein the computer includes at least a baseboard management controller (Baseboard Management Controller, BMC), a first component, and a second component. In the method, the first component is configured to send a first request to the management module before accessing the second component; the first component sends a first request to the management module before accessing the second component; The first request is used to request to obtain the access credentials of the second component; after the access authority verification of the first component is passed, the management module sends the access credentials of the second component to the first component; the first component sends the second component based on the access credentials The component sends a second request, where the second request is used to request access to the second component.

在一种可能的实现方式中,所述方法还包括:管理模块接收所述第二组件发送的注册请求,该注册请求用于请求注册第二组件的可访问资源;管理模块生成并存储第二组件的可访问资源的访问凭证。In a possible implementation manner, the method further includes: the management module receives a registration request sent by the second component, and the registration request is used to request to register the accessible resources of the second component; the management module generates and stores the second Access credentials for the component's accessible resources.

在一种可能的实现方式中,第二组件的访问凭证为管理模块使用第二组件的内存度量值生成的。In a possible implementation manner, the access credential of the second component is generated by the management module using the memory measurement value of the second component.

在一种可能的实现方式中,管理模块为BMC。In a possible implementation manner, the management module is a BMC.

第三方面,本申请提供了一种计算机可读存储介质,所述计算机可读存储介质被计算设备执行时,所述计算设备执行前述第一方面或第一方面的任意可能的实现方式中提供的方法。该存储介质中存储了程序。该存储介质包括但不限于易失性存储器,例如随机访问存储器,非易失性存储器,例如快闪存储器、硬盘(hard disk drive,HDD)、固态硬盘(solid state drive,SSD)。In a third aspect, the present application provides a computer-readable storage medium. When the computer-readable storage medium is executed by a computing device, the computing device executes the aforementioned first aspect or any possible implementation of the first aspect. Methods. The program is stored in the storage medium. The storage medium includes but not limited to volatile memory, such as random access memory, and non-volatile memory, such as flash memory, hard disk drive (hard disk drive, HDD), and solid state drive (solid state drive, SSD).

第四方面,本申请提供了一种计算机程序产品,所述计算设备程序产品包括计算机指令,在被计算设备执行时,所述计算设备执行前述第一方面或第一方面的任意可能的实现方式中提供的方法。该计算机程序产品可以为一个软件安装包,在需要使用前述第一方面或第一方面的任意可能的实现方式中提供的方法的情况下,可以下载该计算机程序产品并在计算设备上执行该计算机程序产品。In a fourth aspect, the present application provides a computer program product, the computing device program product includes computer instructions, and when executed by the computing device, the computing device executes the aforementioned first aspect or any possible implementation of the first aspect method provided in . The computer program product may be a software installation package, and if the method provided in the aforementioned first aspect or any possible implementation of the first aspect needs to be used, the computer program product may be downloaded and executed on a computing device. program product.

第五方面,本申请还提供一种芯片,所述芯片用于通过执行软件程序,实现上述第一方面以及第一方面的各个可能的实现方式中所述的方法。In a fifth aspect, the present application further provides a chip, which is configured to implement the method described in the above first aspect and each possible implementation manner of the first aspect by executing a software program.

上述第二方面至第五方面中任一实现方式的有益效果请参见第一方面的描述,此处不再赘述。Please refer to the description of the first aspect for the beneficial effect of any implementation manner in the second aspect to the fifth aspect, and details are not repeated here.

附图说明Description of drawings

图1为本申请实施例提供的一种计算设备的架构示意图;FIG. 1 is a schematic structural diagram of a computing device provided by an embodiment of the present application;

图2为本申请实施例提供的一种组件通信方法的流程示意图。FIG. 2 is a schematic flowchart of a component communication method provided by an embodiment of the present application.

具体实施方式Detailed ways

为了便于理解本申请实施例所提供的锁管理的方法,首先对本申请实施例所涉及的概念和术语进行简单说明。In order to facilitate the understanding of the lock management method provided by the embodiment of the present application, the concepts and terms involved in the embodiment of the present application are briefly described first.

1,主板管理控制器(Baseboard Management Controller,BMC),作为一个平台管理系统,其硬件通常是计算设备的主板上第一个上电启动的部件,具备一系列的监控和控制功能,具体的,BMC连接各种传感器,这些传感器分布在计算设备的若干部件上,BMC通过这些传感器管理计算机的各个部件,如使能组件上电、下电等。1. Baseboard Management Controller (BMC), as a platform management system, its hardware is usually the first component to be powered on and started on the motherboard of a computing device, and has a series of monitoring and control functions. Specifically, The BMC is connected to various sensors, and these sensors are distributed on several components of the computing device. The BMC manages various components of the computer through these sensors, such as enabling components to be powered on and off.

2,本申请中涉及的第一、第二等各种数字编号仅为描述方便进行的区分,并不用来限制本申请实施例的范围,也表示先后顺序。“和/或”,描述关联对象的关联关系,表示可以存在三种关系,例如,A和/或B,可以表示:单独存在A,同时存在A和B,单独存在B这三种情况。字符“/”一般表示前后关联对象是一种“或”的关系。“至少一个”是指一个或者多个。至少两个是指两个或者多个。2. The first, second, and other numbers involved in this application are only for the convenience of description, and are not used to limit the scope of the embodiments of this application, and also indicate the sequence. "And/or" describes the association relationship of associated objects, indicating that there may be three types of relationships, for example, A and/or B may indicate: A exists alone, A and B exist simultaneously, and B exists independently. The character "/" generally indicates that the contextual objects are an "or" relationship. "At least one" means one or more. At least two means two or more.

本申请所涉及的计算设备可以是一台独立的物理机,如服务器、台式计算机、笔记本电脑等。该计算设备可以部署在用户侧,作为用户设备。也可以部署在服务端侧,可以是一台独立的服务器,也可以是由多个物理服务器构成服务器集群或者分布式系统。The computing device involved in this application may be an independent physical machine, such as a server, a desktop computer, a notebook computer, and the like. The computing device can be deployed on the user side as user equipment. It can also be deployed on the server side, which can be an independent server, or a server cluster or distributed system composed of multiple physical servers.

图1为本申请实施例提供的一种计算设备10的架构示意图。在该架构中,将传统的主板拆分为基础板(Basic Computing Unit,BCU)100和扩展板200(Extension Unit,EXU)200和若干扩展组件,以基础板100配合扩展板200的方式实现对不同场景所需的主板的规格和形态的支持。具体的,同一计算设备10中可以包括一个基础板100和一个扩展板200,或者,同一计算设备10也可以包括多个基础板100和一个扩展板200,或者,同一计算设备10还可以包括一个基础板100和多个扩展板200。或者,同一计算设备10还可以包括多个基础板100和多个扩展板200。FIG. 1 is a schematic structural diagram of a computing device 10 provided by an embodiment of the present application. In this architecture, the traditional mainboard is split into a basic computing unit (Basic Computing Unit, BCU) 100, an expansion board 200 (Extension Unit, EXU) 200 and a number of extension components, and the basic computing unit 100 cooperates with the expansion board 200. The specifications and forms of motherboards required for different scenarios are supported. Specifically, the same computing device 10 may include one base board 100 and one expansion board 200, or the same computing device 10 may also include multiple base boards 100 and one expansion board 200, or the same computing device 10 may also include a A base board 100 and a plurality of expansion boards 200 . Alternatively, the same computing device 10 may also include multiple base boards 100 and multiple expansion boards 200 .

基础板100包括CPU1011、双倍数据速率(double data rate,DDR)1012以及相关电源1013,提供通用计算能力及外围存储、输入输出(input/output,IO)、加速等扩展接口。基础板100支持等不同系列的CPU。可选地,基础板100支持异构处理器,即基础板100可以支持不同类型的处理器,例如,基础板100支持一个或多个CPU1011(图1仅示出一个,但本申请对此不做限定),以及专用集成电路(application-specificintegrated circuit,ASIC)、可编程逻辑器件(programmable logic device,PLD)、复杂程序逻辑器件(complex programmable logical device,CPLD)、现场可编程门阵列(field-programmable gate array,FPGA)、通用阵列逻辑(generic array logic,GAL)、片上系统(system on chip,SoC)、软件定义架构(software-defined infrastructure,SDI)芯片、人工智能(artificial intelligence,AI)芯片等任意一种处理器或其任意组合。可选地,基础板100还可以包括其他组件,如BIOS芯片1014。The base board 100 includes a CPU 1011 , a double data rate (DDR) 1012 and related power supply 1013 , providing general computing capability and peripheral storage, input/output (IO), acceleration and other expansion interfaces. Baseboard 100 support And other different series of CPU. Optionally, the base board 100 supports heterogeneous processors, that is, the base board 100 can support different types of processors, for example, the base board 100 supports one or more CPUs 1011 (only one is shown in FIG. limited), and application-specific integrated circuit (ASIC), programmable logic device (programmable logic device, PLD), complex program logic device (complex programmable logical device, CPLD), field programmable gate array (field- programmable gate array (FPGA), generic array logic (GAL), system on chip (SoC), software-defined architecture (software-defined infrastructure, SDI) chips, artificial intelligence (AI) chips Any processor or any combination thereof. Optionally, the base board 100 may also include other components, such as a BIOS chip 1014 .

进一步地,根据业务需求和硬件属性本申请实施例提供了至少6种不同形态的基础板100,分别针对不同的计算性能和内存配置。为了方便描述,姑且将这6种基础板100分别称为A1、A2、B1、B2、C1、C2。并且,在本实施例中利用“P”表示处理器的个数,P为大于0的整数,“DPC”则表示每个通道双列直插内存模块(dual in-line memory module perchannel,DIMM Per Channel)。例如,A1形态的基础板100支持一个处理器,每个通道插一根DIMM(简称为1P1DPC);A2形态的基础板100支持一个处理器,每通道插一根或二根DIMM(简称为1P2DPC或1P1DPC);B1形态的基础板100支持两个处理器,每通道插一根DIMM(简称为2P1DPC),或者,一个处理器,每通道插一根或二根DIMM(简称为1P2DPC或1P1DPC);B2形态的基础板100支持两个处理器,每通道插一根或二根DIMM(简称为2P2DPC或2P1DPC),或者,一个处理器,每通道插一根或两根DIMM(简称为1P2DPC或1P1DPC);C1形态的基础板100支持四个处理器,每个通道插一根DIMM(简称为4P1DPC),或者,两个处理器,每通道插一根或两根DIMM(简称为2P2DPC或2P1DPC);C2形态的基础板100支持四个处理器,每通道插一根或两根DIMM(简称为4P2DPC或4P1DPC),或者,两个处理器,每通道插一根或两根DIMM(简称为2P2DPC或2P1DPC)。随着技术发展,CPU封装尺寸、内存通道和DIMM数可能变化,但主板的标准尺寸和安装孔位将保持不变,这样能确保基础板100更新换代时能够跨代跨系列兼容演进。例如:B2形态的基础板100在当前每CPU 8通道DDR时,支持2P2DPC(2P32DIMM)。在CPU内存通道数提升到12以后,将无法实现2P2DPC(2P48DIMM)。那么,B2形态可以支持2P1DPC(2P24DIMM),而2P2DPC(2P48DIMM)可以用C1等其他形态实现,因为安装孔位置和基础板100尺寸是标准的,直接更换和安装即可。Furthermore, according to business requirements and hardware attributes, the embodiment of the present application provides at least six different types of basic boards 100 , respectively aiming at different computing performance and memory configurations. For the convenience of description, these six types of base plates 100 are called A1, A2, B1, B2, C1, and C2 respectively. In addition, in this embodiment, "P" is used to represent the number of processors, P is an integer greater than 0, and "DPC" represents a dual in-line memory module per channel (DIMM Per Channel) of each channel. Channel). For example, the base board 100 of A1 form supports one processor, and each channel inserts one DIMM (abbreviated as 1P1DPC); the base board 100 of A2 form supports one processor, and each channel inserts one or two DIMMs (abbreviated as 1P2DPC). or 1P1DPC); the basic board 100 of B1 form supports two processors, and each channel inserts one DIMM (abbreviated as 2P1DPC), or, one processor, each channel inserts one or two DIMMs (abbreviated as 1P2DPC or 1P1DPC) ; The basic board 100 of B2 form supports two processors, and each channel inserts one or two DIMMs (abbreviated as 2P2DPC or 2P1DPC), or one processor, and each channel inserts one or two DIMMs (abbreviated as 1P2DPC or 2P1DPC). 1P1DPC); the basic board 100 of C1 form supports four processors, and each channel inserts one DIMM (abbreviated as 4P1DPC), or, two processors, each channel inserts one or two DIMMs (abbreviated as 2P2DPC or 2P1DPC ); the basic board 100 of C2 form supports four processors, and each channel inserts one or two DIMMs (abbreviated as 4P2DPC or 4P1DPC), or two processors, and each channel inserts one or two DIMMs (abbreviated as 2P2DPC or 2P1DPC). With the development of technology, the package size of the CPU, the number of memory channels and the number of DIMMs may change, but the standard size and mounting holes of the motherboard will remain unchanged, so as to ensure that the basic board 100 can be compatible and evolved across generations and series when it is updated. For example: the basic board 100 of B2 form supports 2P2DPC (2P32DIMM) when each CPU currently has 8 channels of DDR. After the number of CPU memory channels is increased to 12, 2P2DPC (2P48DIMM) will not be realized. Then, the B2 form can support 2P1DPC (2P24DIMM), and 2P2DPC (2P48DIMM) can be realized with other forms such as C1, because the position of the mounting hole and the size of the base plate 100 are standard, and it can be replaced and installed directly.

扩展板200包括主板管理控制器(Baseboard Management Controller,BMC)芯片2011(简称为BMC2011)、管理系统(图1未示出)和桥片(例如,Intel系统的平台路径控制器(Platform Controller Hub,PCH)2012),是对基础板100的管理扩展,作为整个系统的管理中心,提供设备、安全、能效、可靠性等管理功能。其中,BMC2011也可以称为基板管理控制器,用于为基础板100及各扩展组件提供管理功能及供电。The expansion board 200 includes a motherboard management controller (Baseboard Management Controller, BMC) chip 2011 (abbreviated as BMC2011), a management system (not shown in FIG. PCH) 2012), is the management extension of the basic board 100, and as the management center of the entire system, it provides management functions such as equipment, security, energy efficiency, and reliability. Wherein, the BMC2011 may also be called a baseboard management controller, and is used to provide management functions and power supply for the base board 100 and various expansion components.

在该架构中,基础板100通过PCIe、内存互联(Compute Express Link,CXL)、或统一总线(unified bus,UB或Ubus)等高速总线与组件通信连接,并与扩展板200通过管理接口相连。具体实施中,上述基础板100与组件,以及基础板100与扩展板200的具体连接方式包括:以线缆实现上述连接的软连接方式,或者,以连接器实现上述连接的硬连接方式。In this architecture, the base board 100 communicates with components through a high-speed bus such as PCIe, Compute Express Link (CXL), or unified bus (UB or Ubus), and connects with the expansion board 200 through a management interface. In a specific implementation, the specific connection methods of the base board 100 and the components, and the base board 100 and the expansion board 200 include: a soft connection method using cables to realize the above connection, or a hard connection method using connectors to realize the above connection.

组件是一类电子器件或电子设备的统称,其中,组件按照功能可以被划分为计算组件4011、存储组件(STorage Unit,STU)4012、IO组件(Input Output Unit,IOU)4013、加速组件(ACceleration Unit,ACU)4014、内存扩展组件(Memory Expansion Unit,MEU)4015和散热组件4016。其中,计算组件4011,如CPU1011和内存(如DDR1012)等可位于基础板100中,可选的,计算组件4011还可以作为扩展组件,与基础板100连接;BMC2011等可位于扩展板200中。如下分别对各类组件进行介绍:Components are a general term for a class of electronic devices or electronic devices. According to their functions, components can be divided into computing components 4011, storage components (STorage Unit, STU) 4012, IO components (Input Output Unit, IOU) 4013, acceleration components (ACceleration Unit, ACU) 4014, memory expansion unit (Memory Expansion Unit, MEU) 4015, and cooling unit 4016. Wherein, the computing component 4011, such as CPU1011 and memory (such as DDR1012), etc. can be located in the base board 100, optionally, the computing component 4011 can also be used as an expansion component, connected with the base board 100; BMC2011, etc. can be located in the expansion board 200. Each component is introduced as follows:

其中,存储组件4012包括硬盘背板、扩展板(Expander)、PCIe交换机(switch)等,为系统存储扩展,支持机械硬盘(hard disk drive,HDD)/固态硬盘(solid-state drive,SSD)/非易失性高速传输总线(Non-Volatile Memory express,NVMe)/存储级内存(Storage Class Memory,SCM)等多种介质、形态。Among them, the storage component 4012 includes a hard disk backplane, an expansion board (Expander), a PCIe switch (switch), etc., which are system storage expansion and support a mechanical hard disk (hard disk drive, HDD)/solid-state drive (solid-state drive, SSD)/ Non-volatile high-speed transmission bus (Non-Volatile Memory express, NVMe) / storage class memory (Storage Class Memory, SCM) and other media and forms.

IO组件4013包括Riser等组件,实现对系统IO的扩展,支持PCIe标卡、开放计算项目(Open Compute Project,OCP)卡。The IO component 4013 includes components such as a Riser to implement system IO expansion, and supports PCIe standard cards and Open Compute Project (Open Compute Project, OCP) cards.

加速组件4014包括载板、加速卡互连交换机(switch)等,提供系统加速组件扩展和互连功能。The acceleration component 4014 includes a carrier board, an accelerator card interconnection switch (switch), etc., and provides system acceleration component expansion and interconnection functions.

内存扩展组件4015包括载板、内存扩展芯片、双列直插内存模块(dual in-linememory module,DIMM)、SCM介质等,提供系统扩展内存带宽、内存容量的功能。The memory expansion component 4015 includes a carrier board, a memory expansion chip, a dual in-line memory module (DIMM), an SCM medium, etc., and provides the system with the function of expanding memory bandwidth and memory capacity.

散热组件4016,用于对计算设备或计算设备中硬件进行散热,包括风冷散热、液冷散热或二者结合等几种散热方式的组合。应理解的是,散热组件的结构、类型和数量不构成对本申请所要保护技术方案的限定。The heat dissipation component 4016 is used to dissipate heat from the computing device or the hardware in the computing device, including a combination of several heat dissipation methods such as air cooling, liquid cooling, or a combination of the two. It should be understood that the structure, type and quantity of the heat dissipation components do not constitute a limitation on the technical solution to be protected in this application.

需要说明的是,(1)上述所列举的组件仅为部分组件示例,如组件还可以包括供电组件等,本申请中的组件是服务器架构所包含的电子器件或者电子设备的统称,某些组件可位于基础板上,某些组件可位于扩展板上,既不属于基础板又不属于扩展板的组件在本实施例称为扩展组件。总之,任何可以接入基础板或扩展板的电子器件或电子设备均属于本申请保护的组件范围。(2)图1所示的各组件的位置仅为示例,本申请实际产品内的部署形态和连接方式不做限定。(3)图1所示的计算设备10的架构仅为示例,在实际应用中,计算设备10可以包括相比图1更多或更少的部件,比如,计算设备10还可以包括散热组件、外设(鼠标、键盘)等。又比如,计算设备10还可以不包括存储组件4012等。本申请对此均不做具体限定。It should be noted that (1) the components listed above are only examples of some components. For example, the components may also include power supply components. Some components may be located on the base board, and certain components may be located on the expansion board, and components that do not belong to the base board nor to the expansion board are called expansion components in this embodiment. In a word, any electronic device or electronic equipment that can be connected to the base board or the expansion board falls within the scope of components protected by the present application. (2) The position of each component shown in FIG. 1 is only an example, and the deployment form and connection method in the actual product of this application are not limited. (3) The architecture of the computing device 10 shown in FIG. 1 is only an example. In practical applications, the computing device 10 may include more or fewer components than in FIG. Peripherals (mouse, keyboard), etc. For another example, the computing device 10 may not include the storage component 4012 and the like. This application does not specifically limit it.

另一方面,在传统的服务器架构中,由于供电、内存通道数、IO数、速率等演进原因,处理器(例如,中央处理器(central processing unit,CPU))的插槽(Socket)一般只能做到每代(Tick/Tock两个小升级)兼容,很难跨代兼容。本申请提供的主板可以采用标准化方式设置对外接口,并以线缆等软连接方式进行各种外部扩展,可屏蔽处理器相关供电、不同处理器与组件以及组件之间互连所带来的差异。使得内存等组件的变化仅包含在了主板内部,实现主板跨代兼容的功能。这样对于各厂商来说,当处理器更新换代时,配套的整机、组件等可以不更换,因此配套的组件具备了更长的生命周期。对于客户来说,在不需要更换机箱、不增加硬件开发工作量的前提下,能够随时更换最新的组件,最快用上业界最新的算力。对整机厂家来说,服务器新架构跨代升级、跨系列演进实现之后,处理器的升级、或者更换不同处理器厂家,只需要简单更换基础板即可,颠覆了原有的开发模式,衍生了新的产业模式。On the other hand, in the traditional server architecture, due to evolution reasons such as power supply, number of memory channels, number of IOs, speed, etc., the socket (Socket) of the processor (for example, central processing unit (CPU)) generally only It can be compatible with each generation (Tick/Tock two small upgrades), but it is difficult to be compatible across generations. The main board provided by this application can set external interfaces in a standardized way, and perform various external expansions with soft connections such as cables, which can shield processor-related power supply, differences between different processors and components, and the interconnection between components. . The changes of memory and other components are only included in the motherboard, and the function of cross-generation compatibility of the motherboard is realized. In this way, for each manufacturer, when the processor is updated, the supporting complete machine and components do not need to be replaced, so the supporting components have a longer life cycle. For customers, the latest components can be replaced at any time without changing the chassis or increasing the workload of hardware development, and the fastest use of the latest computing power in the industry. For complete machine manufacturers, after the realization of cross-generational upgrade and cross-series evolution of the new server architecture, the upgrade of the processor or the replacement of different processor manufacturers only needs to simply replace the basic board, which subverts the original development model and derives a new industrial model.

上述设计,将传统的主板拆分为基础板、扩展板和扩展组件,传统的主板上的功能离散为独立的组件,这样,组件可以被独立的生产、销售和安装等,提供了计算设备扩展、组件维修等灵活性和便利性。然而,也正因此这些组件更容易被仿冒篡改,进一步地,基础板与组件之间通过CXL等高速互联总线通信连接时,基础板与组件之间、组件与组件之间可以直接访问各自或对方的内存数据。跨组件的内存访问对计算组件和内存扩展组件均带来安全性挑战,一旦被仿冒篡改的组件接入计算设备,将可能导致组件能力被劫持、滥用、内存数据泄露等问题,存在诸多安全风险。The above design splits the traditional motherboard into basic boards, expansion boards and expansion components. The functions on the traditional motherboard are discrete into independent components. In this way, the components can be independently produced, sold and installed, etc., providing computing equipment expansion , component maintenance and other flexibility and convenience. However, it is precisely because of this that these components are more likely to be counterfeited and tampered with. Further, when the basic board and the components are connected through a high-speed interconnection bus such as CXL, the basic board and the components, and between the components can directly access each other or each other. memory data. Cross-component memory access brings security challenges to both computing components and memory expansion components. Once a counterfeit and tampered component is connected to a computing device, it may lead to component capability hijacking, abuse, and memory data leakage. There are many security risks. .

为此,本申请实施例提供了一种通信方法,在该方法中,针对组件之间的访问,管理模块对组件的访问权限进行验证,验证通过才能允许其进行访问,该方法可以有效消减多厂商组件模式下的组件被仿冒、数据被篡改、信息被泄漏以及组件间非法访问的风险,保障了跨组件间的总线通信安全。To this end, the embodiment of the present application provides a communication method. In this method, for the access between components, the management module verifies the access rights of the components, and the access is allowed only after the verification is passed. This method can effectively reduce many The risk of component counterfeiting, data tampering, information leakage and illegal access between components in the vendor component mode ensures the security of bus communication between components.

接下来结合图2,以本申请实施例应用于图1所示的计算设备10的架构为例,对本申请实施例提供的通信方法进行详细介绍。该方法可以由图1中的计算设备10执行。为便于说明,如下以该方法由计算设备10中的两个组件(分别记为第一组件、第二组件)和管理模块执行为例进行说明,其中,管理模块可以是软件模块,或硬件模块,或软件模块和硬件模块的组合。示例性地,管理模块可以是计算设备10中一个独立的组件,也可以是一个已有的组件中,如BMC,还可以是其他组件,具体不做限定。如下以BMC具备该管理模块的功能为例进行介绍,应理解,下文中的BMC均可以被替换为管理模块。Next, with reference to FIG. 2 , taking the architecture of the embodiment of the present application applied to the computing device 10 shown in FIG. 1 as an example, the communication method provided by the embodiment of the present application will be described in detail. The method may be performed by computing device 10 in FIG. 1 . For ease of description, the method is executed by two components (respectively denoted as the first component and the second component) and the management module in the computing device 10 as an example to illustrate, wherein the management module can be a software module or a hardware module , or a combination of software modules and hardware modules. Exemplarily, the management module may be an independent component in the computing device 10, or an existing component, such as BMC, or other components, which are not specifically limited. The following uses the BMC having the function of the management module as an example for introduction. It should be understood that the BMC in the following can be replaced by the management module.

图2为本申请实施例提供的通信方法所对应的流程示意图,如图2所示,该方法包括如下步骤:Fig. 2 is a schematic flow chart corresponding to the communication method provided by the embodiment of the present application. As shown in Fig. 2, the method includes the following steps:

步骤200,BMC分别向第一组件、第二组件发送数据密钥(记为Tkey)。对应的,第一组件、第二组件接收并保存该数据密钥。In step 200, the BMC sends a data key (denoted as Tkey) to the first component and the second component respectively. Correspondingly, the first component and the second component receive and save the data key.

本申请中,BMC用于生成数据密钥,并将数据密钥分发给各个组件。应理解,图2以第一组件和第二组件为例,仅示出BMC向第一组件和第二组件分发数据密钥的过程,其余组件未示出。In this application, the BMC is used to generate data keys and distribute the data keys to various components. It should be understood that FIG. 2 takes the first component and the second component as examples, and only shows the process of the BMC distributing data keys to the first component and the second component, and other components are not shown.

示例性地,第一组件可以是基础板100,第二组件可以是计算设备10中除该基础板100之外的任一个组件,如IO组件,或内存扩展组件,或加速组件,或存储组件等。Exemplarily, the first component may be the base board 100, and the second component may be any component in the computing device 10 other than the base board 100, such as an IO component, or a memory expansion component, or an acceleration component, or a storage component wait.

又示例性地,第一组件还可以是计算设备10中的其中一个IO组件,第二组件为计算设备10的另一个IO组件,或者,第一组件可以是IO组件,第二组件为内存扩展组件,等等,具体不做限定。In another example, the first component may also be one of the IO components in the computing device 10, and the second component may be another IO component of the computing device 10, or the first component may be an IO component, and the second component may be a memory expansion Components, etc., are not specifically limited.

再示例性地,本申请实施例提供的通信方法还可以应用于组件内部之间的通信,如第一组件为基础板100的CPU1011,第二组件为该基础板100的DDR1012,等。As another example, the communication method provided by the embodiment of the present application may also be applied to communication between components, for example, the first component is the CPU 1011 of the base board 100 , the second component is the DDR 1012 of the base board 100 , and so on.

需要说明的是,BMC还可以具有其他功能,具体不做限定。如BMC还用于生成并管理组件的访问凭证,下文会进行介绍。It should be noted that the BMC may also have other functions, which are not specifically limited. For example, BMC is also used to generate and manage component access credentials, which will be introduced below.

步骤201,第二组件向BMC发送注册请求,该注册请求用于请求注册第二组件的可被远程访问的资源。In step 201, the second component sends a registration request to the BMC, where the registration request is used for requesting to register a resource of the second component that can be accessed remotely.

该注册请求携带第二组件的身份信息,该第二组件的身份信息包括但不限于下列中的一项或多项:第二组件的组件标识(unique device secret,UDS),第二组件的内存度量值。其中,组件标识用于唯一标识一个组件。The registration request carries the identity information of the second component, and the identity information of the second component includes but is not limited to one or more of the following: the component identification (unique device secret, UDS) of the second component, the memory of the second component metric. Among them, the component identifier is used to uniquely identify a component.

内存度量值可以是基于第二组件的代码段生成的,具体的,可以是基于第二组件的一段或多段动态代码段生成的,也可以是基于第二组件的一段或多段静态代码段生成,还可以是基于第二组件的至少一段动态代码段和至少一段静态代码段生成的。该内存度量值可以是用于生成内存度量值的代码段本身,也可以是取用于生成内存度量值的代码段的哈希值等,具体不做限定。The memory measurement value may be generated based on the code segment of the second component, specifically, it may be generated based on one or more dynamic code segments of the second component, or may be generated based on one or more static code segments of the second component, It may also be generated based on at least one dynamic code segment and at least one static code segment of the second component. The memory metric value may be the code segment used to generate the memory metric value itself, or may be a hash value obtained from the code segment used to generate the memory metric value, and is not specifically limited.

步骤202,BMC基于第二组件的身份信息,生成并保存第二组件的访问凭证(记为Ukey_2)。Step 202, based on the identity information of the second component, the BMC generates and saves the access credential of the second component (denoted as Ukey_2).

基于该设计,BMC采用第二组件的内存值度量参与生成第二组件的访问凭证,可以有效消减该第二组件可能面临的被仿冒风险。Based on this design, the BMC uses the memory value measurement of the second component to participate in the generation of the access credentials of the second component, which can effectively reduce the risk of counterfeiting that the second component may face.

步骤203,BMC将该第二组件的访问凭证发送给第二组件。对应的,第二组件接收并保存该访问凭证。In step 203, the BMC sends the access credential of the second component to the second component. Correspondingly, the second component receives and saves the access credential.

步骤204,第一组件在访问第二组件之前,向BMC发送请求(记为第一请求),该第一请求用于请求获取第二组件的访问凭证。对应的,BMC接收第一组件发送的第一请求。Step 204, before accessing the second component, the first component sends a request (denoted as the first request) to the BMC, where the first request is used to request to acquire the access credential of the second component. Correspondingly, the BMC receives the first request sent by the first component.

第一请求包括但不限于:第一组件的组件标识、第二组件的组件标识。第二组件的组件标识可以是预置于第一组件中的,也可以是第二组件广播的,或其他方式获取的,具体不做限定。The first request includes, but is not limited to: the component identifier of the first component, and the component identifier of the second component. The component identifier of the second component may be preset in the first component, broadcast by the second component, or obtained in other ways, which is not specifically limited.

步骤205,BMC对第一组件的访问权限进行验证,若未验证通过,则执行步骤206;若验证通过,则执行步骤207。In step 205, the BMC verifies the access authority of the first component, and if the verification fails, then executes step 206; if the authentication passes, executes step 207.

BMC基于互访策略判断第一组件是否具有对第二组件的访问权限。The BMC judges whether the first component has access rights to the second component based on the mutual access policy.

具体的,BMC内存储有计算设备10中各组件之间的互访策略。其中,该互访策略包括但不限于:组件的组件标识、该组件的访问清单。访问清单中记录有可以访问该组件的一个或多个组件,换言之,该访问清单上记录的组件具有访问权限。需要说明的是,互访策略中还可以包括其他信息,比如该组件的访问凭证等,本申请实施例对此不做限定。比如,BMC内存储的互访策略如下表1所示,应理解,表1仅示出了该互访策略中的部分组件。Specifically, the BMC stores mutual access policies between components in the computing device 10 . Wherein, the mutual access policy includes, but is not limited to: a component identifier of a component, and an access list of the component. One or more components that can access the component are recorded in the access list, in other words, the components recorded in the access list have access rights. It should be noted that the mutual access policy may also include other information, such as the access credentials of the component, which is not limited in this embodiment of the present application. For example, the mutual access policy stored in the BMC is shown in Table 1 below. It should be understood that Table 1 only shows some components in the mutual access policy.

表1Table 1

组件标识Component ID 访问凭证access credentials 访问清单visit list UDS_2UDS_2 Ukey_2Ukey_2 UDS_1、UDS_3UDS_1, UDS_3

其中,UDS_1表示第一组件的组件标识;UDS_2表示第二组件的组件标识;UDS_3表示为第三组件的组件标识;Ukey_2表示第二组件的访问凭证。Wherein, UDS_1 represents the component identifier of the first component; UDS_2 represents the component identifier of the second component; UDS_3 represents the component identifier of the third component; Ukey_2 represents the access credential of the second component.

据表1的记载可以看出,第二组件的访问清单包括第一组件和第三组件,也就是说,第一组件和第三组件均可以访问第二组件,也即具有对第二组件的访问权限,换言之,计算设备10中除第一组件和第三组件之外的组件,不能访问第二组件。According to the records in Table 1, it can be seen that the access list of the second component includes the first component and the third component, that is to say, both the first component and the third component can access the second component, that is, they have access to the second component Access rights, in other words, components of computing device 10 other than the first component and the third component cannot access the second component.

BMC中的互访策略可以是预置于BMC中的,或者是BMC生成的,如在第二组件发送的注册请求中还可以携带第二组件的访问清单,BMC基于各组件的注册请求生成互访策略,或者也可以由用户配置。若由用户设备,则计算设备10可以提供相应的配置界面,用于用户配置该互访策略。The mutual access policy in the BMC can be preset in the BMC or generated by the BMC. For example, the registration request sent by the second component can also carry the access list of the second component. access policy, or can be configured by the user. If it is a user device, the computing device 10 may provide a corresponding configuration interface for the user to configure the mutual access policy.

基于此,在步骤205中,若第二组件的访问清单包括第一组件的组件标识,则BMC确定第一组件具有对第二组件的访问权限。或者,若BMC不能识别第一组件的组件标识,或第二组件的访问清单中不包括第一组件的组件标识,则确定第一组件不具有对第二组件的访问权限。可选的,若BMC不能识别第一组件的组件标识,则第一组件可能是被仿冒篡改的或与BMC不兼容的组件,BMC可以执行进一步处理,如发出对第一组件的告警,会将第一组件下电等。Based on this, in step 205, if the access list of the second component includes the component identifier of the first component, the BMC determines that the first component has access rights to the second component. Alternatively, if the BMC cannot identify the component identifier of the first component, or the access list of the second component does not include the component identifier of the first component, then it is determined that the first component does not have access authority to the second component. Optionally, if the BMC cannot recognize the component identification of the first component, the first component may be a component that has been counterfeited or tampered with or is incompatible with the BMC, and the BMC may perform further processing, such as sending an alarm to the first component, and will Power off the first component, etc.

步骤206,BMC拒绝第一组件的第一请求。Step 206, the BMC rejects the first request of the first component.

如,BMC不响应该第一组件的第一请求,或者BMC向第一组件发送指示信息,该指示信息用于指示拒绝第一组件的第一请求,等等,具体不做限定。For example, the BMC does not respond to the first request of the first component, or the BMC sends indication information to the first component, where the indication information is used to indicate that the first request of the first component is rejected, etc., which are not specifically limited.

步骤207,BMC将第二组件的访问凭证发送给第一组件。对应的,第一组件接收BMC发送的第二组件的访问凭证。In step 207, the BMC sends the access credential of the second component to the first component. Correspondingly, the first component receives the access credential of the second component sent by the BMC.

在一种实施方式中,BMC可以直接将该访问凭证发送给第一组件。在另一种实施方式中,BMC还可以使用数据密钥(Tkey)对该访问凭证进行加密,将加密后的访问凭证发送给第一组件。对应的,第一组件接收到BMC发送的加密后的访问凭证之后,可以使用BMC分发的Tkey对接收到的数据进行解密,以得到第二组件的访问凭证。通过该设计,可以增强数据通信的安全性,消减第二组件的访问凭证被泄露的风险。In an implementation manner, the BMC may directly send the access credential to the first component. In another implementation manner, the BMC may also use a data key (Tkey) to encrypt the access credential, and send the encrypted access credential to the first component. Correspondingly, after the first component receives the encrypted access credential sent by the BMC, it can use the Tkey distributed by the BMC to decrypt the received data to obtain the access credential of the second component. Through this design, the security of data communication can be enhanced, and the risk of the access credential of the second component being leaked can be reduced.

步骤208,第一组件基于该第二组件的访问凭证向第二组件发送请求(记为第二请求)。该第二请求用于请求访问第二组件。对应的,第二组件接收第一组件发送的第二请求。Step 208, the first component sends a request (denoted as a second request) to the second component based on the access credential of the second component. The second request is used to request access to the second component. Correspondingly, the second component receives the second request sent by the first component.

第二请求可以是读数据请求,用于请求获取第二组件的数据,或者,还可以是写数据请求,用于请求将待写入数据写入第二组件。具体的,该第二请求包括该第二组件的访问凭证或使用Tkey加密后的访问凭证,还可以包括其他信息,如第一组件的组件标识,又如若第二请求为写数据请求,则第二请求中还可以包括待写入数据或使用Tkey加密后的待写入数据。The second request may be a read data request for requesting to obtain data of the second component, or may also be a write data request for requesting to write data to be written into the second component. Specifically, the second request includes the access credential of the second component or the access credential encrypted using Tkey, and may also include other information, such as the component identifier of the first component, and if the second request is a write data request, the second The second request may also include the data to be written or the data to be written encrypted with the Tkey.

步骤209,第二组件验证第一组件的访问权限,若验证通过,则执行步骤210;否则,执行步骤211。In step 209, the second component verifies the access authority of the first component, and if the verification is passed, execute step 210; otherwise, execute step 211.

在一种实施方式中,第二组件对第二请求中携带的访问凭证进行验证,应理解的是,若第二请求中携带为加密后的访问凭证,则第二组件首先使用Tkey进行解密,以获得解密后的访问凭证,之后,第二组件将第二请求中携带的访问凭证和第二组件保存的第二组件自身的访问凭证进行比对,若一致,则验证通过;若不一致,则验证不通过。In one embodiment, the second component verifies the access credential carried in the second request. It should be understood that, if the encrypted access credential is carried in the second request, the second component first uses Tkey to decrypt, To obtain the decrypted access credentials, after that, the second component compares the access credentials carried in the second request with the access credentials of the second component itself saved by the second component, and if they are consistent, then the verification is passed; if not, then Authentication failed.

步骤210,第二组件响应该第二请求。Step 210, the second component responds to the second request.

具体的,如该第二请求为写数据请求,则第二组件将该第二请求中携带的待写入数据写入第二组件,应理解的是,若第二请求中携带的为加密后的待写入数据,则第二组件先使用Tkey进行解密,以获得解密后的待写入数据。又如,该第二请求为读数据请求,则第二组件获取该第二请求所请求读取的数据,并将获取到的数据,或使用Tkey对该获取到的数据进行加密后发送给第一组件。Specifically, if the second request is a write data request, the second component writes the data to be written carried in the second request into the second component. It should be understood that if the encrypted data carried in the second request is the data to be written, the second component first uses the Tkey to decrypt to obtain the decrypted data to be written. As another example, if the second request is a read data request, the second component obtains the data requested by the second request, and sends the obtained data, or encrypts the obtained data using Tkey, to the first a component.

需要说明的是,第二组件响应第一组件的方式可以与第一组件访问第二组件的方式相同,即第二组件先从BMC获取第一组件的访问凭证,再基于第一组件的访问凭证向第一组件发送数据,如第二请求为读数据请求时,第二组件将第一组件的访问凭证(或使用Tkey加密后的访问凭证)和第二请求所请求读取的数据(或使用Tkey加密后的数据)发送给第一组件。或者,由于第二组件为被请求交互的一方,第二组件也可以直接响应第一组件,如第二请求为读数据请求中,第二组件直接将该第二请求所请求读取的数据发送给第一组件。值得注意的是,若第二组件主动发起对第一组件的访问,则第二组件访问第一组件的方式与第一组件访问第二组件的方式相同,即均需要基于被访问的组件的访问凭证进行通信。It should be noted that the way the second component responds to the first component can be the same as the way the first component accesses the second component, that is, the second component first obtains the access credentials of the first component from the BMC, and then based on the access credentials of the first component Send data to the first component, if the second request is a read data request, the second component will use the access credentials of the first component (or access credentials encrypted with Tkey) and the data requested by the second request (or use Tkey encrypted data) is sent to the first component. Or, since the second component is the party requested to interact, the second component can also directly respond to the first component. For example, if the second request is a read data request, the second component directly sends the data requested by the second request. to the first component. It is worth noting that if the second component actively initiates access to the first component, the way the second component accesses the first component is the same as the way the first component accesses the second component, that is, access based on the accessed component is required Credentials for communication.

上述设计,第一组件可以使用数据密钥对数据进行加密,并基于第二组件的访问凭证与第二组件通信,实现双层安全保障防护。第二组件在对第一组件的访问权限验证通过后,再响应第一组件的请求。有效消减多厂商组件模式下的组件被仿冒、数据被篡改、信息被泄漏以及组件间非法访问的风险,保障了总线上各组件通信的安全可信。In the above design, the first component can use the data key to encrypt data, and communicate with the second component based on the access credentials of the second component, so as to realize double-layer security protection. The second component responds to the request of the first component after the access right verification of the first component is passed. Effectively reduce the risk of component counterfeiting, data tampering, information leakage, and illegal access between components in the multi-vendor component mode, ensuring the security and reliability of communication between components on the bus.

步骤211,第二组件不响应该第二请求。Step 211, the second component does not respond to the second request.

第二组件不响应第一组件的第二请求,如可以丢弃该第二请求等。The second component does not respond to the second request of the first component, for example, the second request may be discarded.

在一种可选的实施方式中,BMC可以定期更新数据密钥(Tkey),并将更新后的数据密钥同步至各个组件。在另一种可选的实施方式中,本申请还可以定期更新组件的访问凭证,该过程可以由组件主动发起,如第二组件向BMC发送更新请求(或称为新的注册请求),该更新请求中携带用于生成第二组件访问凭证的信息(如第二组件的身份信息),BMC基于该更新请求中携带的信息生成第二组件的新的访问凭证(记为Ukey_2'),生成访问凭证的方式参见前述的相关说明,此处不再赘述。之后,BMC将该新的访问凭证发送给第二组件,第二组件接收并保存该新的访问凭证,也即使用新的访问凭证(如Ukey_2')替换掉原来的访问凭证(Ukey_2)。值得注意的是,第二组件在相邻两次更新请求中携带的用于生成访问凭证的信息不同,以使Ukey_2'与Ukey_2不同。In an optional implementation manner, the BMC may periodically update the data key (Tkey), and synchronize the updated data key to each component. In another optional implementation, the application can also periodically update the access credentials of the components. This process can be actively initiated by the components. For example, the second component sends an update request (or called a new registration request) to the BMC. The update request carries the information used to generate the access credential of the second component (such as the identity information of the second component), and the BMC generates a new access credential (denoted as Ukey_2') of the second component based on the information carried in the update request, and generates For the method of accessing credentials, refer to the above-mentioned related instructions, and will not repeat them here. Afterwards, the BMC sends the new access credential to the second component, and the second component receives and saves the new access credential, that is, replaces the original access credential (Ukey_2) with the new access credential (such as Ukey_2'). It should be noted that the information used to generate access credentials carried by the second component in two adjacent update requests is different, so that Ukey_2' is different from Ukey_2.

上述设计,BMC通过动态更新数据密钥和组件的访问凭证,以实现对数据密钥和组件的访问凭证的动态管理,增强数据密钥和组件的访问凭证的可靠性,降低两者被泄露的风险。In the above design, BMC realizes the dynamic management of data keys and component access credentials by dynamically updating data keys and component access credentials, enhances the reliability of data keys and component access credentials, and reduces the risk of both being leaked. risk.

上文介绍了第一组件访问第二组件的一次完整的方法流程,若在此之后,第一组件再次访问第二组件,则在一种实施方式中,第一组件可以不重复获取第二组件的访问凭证,而是直接使用上一次获取的第二组件的访问凭证,并基于该访问凭证与第二组件通信。若在通信失败后,如第二组件一次或多次未响应或拒绝第一组件的访问请求时,第一组件再重新获取该第二组件的新的访问凭证,之后,基于该新的访问凭证与第二组件通信。在另一种实施方式中,第一组件在每次访问第二组件之前,均重新获取第二组件的访问凭证,并基于重新获取的访问凭证与第二组件通信,这样可以保证第一组件使用的为第二组件的最新的访问凭证。在第三种实施方式中,第一组件周期性的获取第二组件的访问凭证,可选的,若在一个周期内第一组件没有对第二组件的访问需求,则可以不获取第二组件的访问凭证。The above describes a complete method flow for the first component to access the second component. If after that, the first component accesses the second component again, in one implementation, the first component may not obtain the second component repeatedly Instead, directly use the access credentials of the second component obtained last time, and communicate with the second component based on the access credentials. If after the communication fails, if the second component fails to respond to or rejects the access request of the first component one or more times, the first component will reacquire the new access credential of the second component, and then, based on the new access credential Communicate with the second component. In another embodiment, the first component reacquires the access credentials of the second component before each access to the second component, and communicates with the second component based on the reacquired access credentials, which can ensure that the first component uses is the latest access credential for the second component. In the third embodiment, the first component periodically obtains the access credentials of the second component. Optionally, if the first component has no access requirements for the second component within a cycle, the second component may not be obtained access credentials.

本申请实施例还提供一种计算机存储介质,该计算机存储介质中存储有计算机指令,当该计算机指令在计算机上运行时,使得计算机执行上述相关方法步骤以实现上述实施例中的计算设备10所执行的方法,参见图2各步骤的描述,此处不再赘述。The embodiment of the present application also provides a computer storage medium, the computer storage medium stores computer instructions, and when the computer instructions are run on the computer, the computer executes the steps of the above-mentioned related methods to realize the computing device 10 in the above-mentioned embodiments. For the execution method, refer to the description of each step in FIG. 2 , which will not be repeated here.

本申请实施例还提供了一种计算机程序产品,当该计算机程序产品在计算机上运行时,使得计算机执行上述相关步骤,以实现上述实施例中计算设备10所执行的方法,参见图2各步骤的描述,此处不再赘述。The embodiment of the present application also provides a computer program product. When the computer program product is run on a computer, it causes the computer to execute the above-mentioned related steps, so as to realize the method performed by the computing device 10 in the above-mentioned embodiment. See the steps in FIG. 2 description, which will not be repeated here.

另外,本申请的实施例还提供一种装置,这个装置具体可以是芯片,组件或模块,该装置可包括相连的处理器和供电电路;其中,供电电路用于为处理器运行提供电能,当装置运行时,处理器可执行计算机执行指令,以使芯片执行上述各方法实施例中的计算设备10所执行的方法,参见图2各步骤的描述,此处不再赘述。In addition, the embodiment of the present application also provides a device, which may specifically be a chip, a component or a module, and the device may include a connected processor and a power supply circuit; wherein the power supply circuit is used to provide power for the operation of the processor, when When the device is running, the processor can execute computer-executed instructions, so that the chip executes the methods executed by the computing device 10 in the above-mentioned method embodiments. See the description of each step in FIG. 2 , and details will not be repeated here.

其中,本申请实施例提供的计算机存储介质、计算机程序产品或芯片均用于执行上文所提供的计算设备10所执行的方法,其所能达到的有益效果可参考上文所提供的对应的方法中的有益效果,此处不再赘述。Wherein, the computer storage media, computer program products or chips provided in the embodiments of the present application are all used to implement the method performed by the computing device 10 provided above, and the beneficial effects that can be achieved can refer to the corresponding The beneficial effects in the method will not be repeated here.

可选的,本申请实施例中的计算机执行指令也可以称之为应用程序代码,本申请实施例对此不作具体限定。Optionally, the computer-executed instructions in the embodiments of the present application may also be referred to as application program codes, which is not specifically limited in the embodiments of the present application.

在上述实施例中,可以全部或部分地通过软件、硬件、固件或者其任意组合来实现。当使用软件实现时,可以全部或部分地以计算机程序产品的形式实现。所述计算机程序产品包括一个或多个计算机指令。在计算机上加载和执行所述计算机程序指令时,全部或部分地产生按照本申请实施例所述的流程或功能。所述计算机可以是通用计算机、专用计算机、计算机网络、或者其他可编程装置。所述计算机指令可以存储在计算机可读存储介质中,或者从一个计算机可读存储介质向另一个计算机可读存储介质传输,例如,所述计算机指令可以从一个网站站点、计算机、服务器或数据中心通过有线(例如同轴电缆、光纤、数字用户线(DSL))或无线(例如红外、无线、微波等)方式向另一个网站站点、计算机、服务器或数据中心进行传输。所述计算机可读存储介质可以是计算机能够存取的任何可用介质或者是包括一个或多个可用介质集成的服务器、数据中心等数据存储设备。所述可用介质可以是磁性介质,(例如,软盘、硬盘、磁带)、光介质(例如,DVD)、或者半导体介质(例如固态硬盘(Solid State Disk,SSD))等。In the above embodiments, all or part of them may be implemented by software, hardware, firmware or any combination thereof. When implemented using software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on the computer, the processes or functions according to the embodiments of the present application will be generated in whole or in part. The computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable devices. The computer instructions may be stored in or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer instructions may be transmitted from a website, computer, server or data center Transmission to another website site, computer, server, or data center by wired (eg, coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (eg, infrared, wireless, microwave, etc.). The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device including a server, a data center, and the like integrated with one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, DVD), or a semiconductor medium (for example, a solid state disk (Solid State Disk, SSD)) and the like.

本申请实施例中所描述的各种说明性的逻辑单元和电路可以通过通用处理器,数字信号处理器,专用集成电路(ASIC),现场可编程门阵列(FPGA)或其它可编程逻辑装置,离散门或晶体管逻辑,离散硬件部件,或上述任何组合的设计来实现或操作所描述的功能。通用处理器可以为微处理器,可选地,该通用处理器也可以为任何传统的处理器、控制器、微控制器或状态机。处理器也可以通过计算装置的组合来实现,例如数字信号处理器和微处理器,多个微处理器,一个或多个微处理器联合一个数字信号处理器核,或任何其它类似的配置来实现。The various illustrative logic units and circuits described in the embodiments of the present application can be implemented by a general-purpose processor, a digital signal processor, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic devices, Discrete gate or transistor logic, discrete hardware components, or any combination of the above designed to implement or operate the described functions. The general-purpose processor may be a microprocessor, and optionally, the general-purpose processor may also be any conventional processor, controller, microcontroller or state machine. A processor may also be implemented by a combination of computing devices, such as a digital signal processor and a microprocessor, multiple microprocessors, one or more microprocessors combined with a digital signal processor core, or any other similar configuration to accomplish.

本申请实施例中所描述的方法或算法的步骤可以直接嵌入硬件、处理器执行的软件单元、或者这两者的结合。软件单元可以存储于RAM存储器、闪存、ROM存储器、EPROM存储器、EEPROM存储器、寄存器、硬盘、可移动磁盘、CD-ROM或本领域中其它任意形式的存储媒介中。示例性地,存储媒介可以与处理器连接,以使得处理器可以从存储媒介中读取信息,并可以向存储媒介存写信息。可选地,存储媒介还可以集成到处理器中。处理器和存储媒介可以设置于ASIC中。The steps of the method or algorithm described in the embodiments of the present application may be directly embedded in hardware, a software unit executed by a processor, or a combination of both. The software unit may be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, removable disk, CD-ROM or any other storage medium in the art. Exemplarily, the storage medium can be connected to the processor, so that the processor can read information from the storage medium, and can write information to the storage medium. Optionally, the storage medium can also be integrated into the processor. The processor and storage medium can be provided in an ASIC.

这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, thereby The instructions provide steps for implementing the functions specified in the flow chart or blocks of the flowchart and/or the block or blocks of the block diagrams.

尽管结合具体特征及其实施例对本申请进行了描述,显而易见的,在不脱离本申请的精神和范围的情况下,可对其进行各种修改和组合。相应地,本说明书和附图仅仅是所附权利要求所界定的本申请的示例性说明,且视为已覆盖本申请范围内的任意和所有修改、变化、组合或等同物。显然,本领域的技术人员可以对本申请进行各种改动和变型而不脱离本申请的范围。这样,倘若本申请的这些修改和变型属于本申请权利要求及其等同技术的范围之内,则本申请也意图包括这些改动和变型在内。Although the application has been described in conjunction with specific features and embodiments thereof, it will be apparent that various modifications and combinations can be made thereto without departing from the spirit and scope of the application. Accordingly, the specification and drawings are merely illustrative of the application as defined by the appended claims and are deemed to cover any and all modifications, variations, combinations or equivalents within the scope of this application. Apparently, those skilled in the art can make various changes and modifications to the present application without departing from the scope of the present application. In this way, if these modifications and variations of the application fall within the scope of the claims of the application and their equivalent technologies, the application also intends to include these modifications and variations.

Claims (13)

1. A computing device, wherein the computing device comprises at least a first component, a second component, and a management module;
the first component is configured to send a first request to the management module before accessing the second component;
the management module is used for sending the access certificate of the second component to the first component after the access right of the first component is verified;
the first component is further configured to send a second request to the second component based on the access credential, the second request being for requesting access to the second component.
2. The device of claim 1, wherein the second component is to send a registration request to the management module, the registration request to request registration of an accessible resource of the second component;
the management module is used for generating and storing access credentials of the accessible resources of the second component.
3. The device of claim 2, wherein the access credential is generated by the management module based on a memory metric of the second component.
4. A device according to any of claims 1-3, wherein the first component is configured to, when sending a second request to the second component based on the access credentials, in particular to: encrypting the access credential by using a data key to obtain an encrypted access credential; wherein the data key is received by the first component from the management module, and the second request includes the encrypted access credential.
5. The apparatus of claim 4, wherein the second component is further to: receiving and storing the access credentials sent by the management module;
the second component, after receiving the second request sent by the first component, is further configured to: decrypting the encrypted access credential by using a data key to obtain a decrypted access credential; the data key is received by the second component from the management module;
if the decrypted access credential is the same as the access credential stored by the second component, the second component is further configured to respond to the second request; or if different, the second component is further configured to discard the second request.
6. The apparatus of any of claims 1-5, wherein the management module is a baseboard management controller, BMC.
7. A component communication method, wherein a computing device comprises at least a first component, a second component, and a management module: the method comprises the following steps:
the first component sending a first request to the management module before accessing the second component;
after the access right of the first component passes the verification, the management module sends an access certificate of the second component to the first component;
the first component sends a second request to the second component based on the access credential, the second request requesting access to the second component.
8. The method of claim 7, wherein the method further comprises:
the second component sends a registration request to the management module, wherein the registration request is used for requesting to register accessible resources of the second component;
the management module generates and stores access credentials for the accessible resources of the second component.
9. The method of claim 8, wherein the access credential is generated by the management module based on a memory metric of the second component.
10. The method of any of claims 7-9, wherein the first component sending a second request to the second component based on the access credential comprises:
the first component encrypts the access credential by using a data key to obtain an encrypted access credential; wherein the data key is obtained by the first component from the management module, and the second request includes the encrypted access credential.
11. The method of claim 10, wherein the method further comprises:
the second component receives and stores the access credentials sent by the management module;
after the first component sends a second request to the second component based on the access credential, the method further includes:
the second component decrypts the encrypted access credential by using a data key to obtain a decrypted access credential; the data key is acquired by the second component from the management module;
if the decrypted access credential is the same as the access credential stored by the second component, the second component responds to the second request; or alternatively; if not, the second component discards the second request.
12. The method according to any of the claims 7-11, wherein the management module is a baseboard management controller, BMC.
13. A computer readable storage medium, characterized in that the computer readable storage medium, when executed by a storage device, performs the method of any of the preceding claims 7 to 12.
CN202210188431.XA 2022-02-28 2022-02-28 A component communication method and computing device Pending CN116701006A (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN202210516329.8A CN115061826B (en) 2022-02-28 2022-02-28 A component communication method and computing device
CN202210188431.XA CN116701006A (en) 2022-02-28 2022-02-28 A component communication method and computing device
PCT/CN2023/078424 WO2023160701A1 (en) 2022-02-28 2023-02-27 Component communication method and computing device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210188431.XA CN116701006A (en) 2022-02-28 2022-02-28 A component communication method and computing device

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN202210516329.8A Division CN115061826B (en) 2022-02-28 2022-02-28 A component communication method and computing device

Publications (1)

Publication Number Publication Date
CN116701006A true CN116701006A (en) 2023-09-05

Family

ID=83225963

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202210516329.8A Active CN115061826B (en) 2022-02-28 2022-02-28 A component communication method and computing device
CN202210188431.XA Pending CN116701006A (en) 2022-02-28 2022-02-28 A component communication method and computing device

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202210516329.8A Active CN115061826B (en) 2022-02-28 2022-02-28 A component communication method and computing device

Country Status (2)

Country Link
CN (2) CN115061826B (en)
WO (1) WO2023160701A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115061826B (en) * 2022-02-28 2024-02-13 华为技术有限公司 A component communication method and computing device

Family Cites Families (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060136717A1 (en) * 2004-12-20 2006-06-22 Mark Buer System and method for authentication via a proximate device
CN103795692B (en) * 2012-10-31 2017-11-21 中国电信股份有限公司 Open authorization method, system and certification authority server
CN104618096B (en) * 2014-12-30 2018-10-30 华为技术有限公司 Protect method, equipment and the TPM key administrative center of key authorization data
CN104836664B (en) * 2015-03-27 2019-05-14 腾讯科技(深圳)有限公司 A kind of methods, devices and systems executing business processing
CN106714075B (en) * 2015-08-10 2020-06-26 华为技术有限公司 A method and apparatus for processing authorization
US11050730B2 (en) * 2017-09-27 2021-06-29 Oracle International Corporation Maintaining session stickiness across authentication and authorization channels for access management
US10972449B1 (en) * 2018-06-28 2021-04-06 Amazon Technologies, Inc. Communication with components of secure environment
WO2020102974A1 (en) * 2018-11-20 2020-05-28 深圳市欢太科技有限公司 Data access method, data access apparatus, and mobile terminal
CN109992976B (en) * 2019-02-27 2024-07-02 平安科技(深圳)有限公司 Access credential verification method, device, computer equipment and storage medium
CN110266657A (en) * 2019-05-30 2019-09-20 浙江大华技术股份有限公司 Authentication method and device, resource access method and device, storage medium
CN110443049B (en) * 2019-07-17 2023-05-23 南方电网科学研究院有限责任公司 Method and system for secure data storage management and secure storage management module
US11334501B2 (en) * 2020-01-28 2022-05-17 Hewlett Packard Enterprise Development Lp Access permissions for memory regions
CN111399980A (en) * 2020-03-16 2020-07-10 中国联合网络通信集团有限公司 Safety authentication method, device and system for container organizer
CN113395289A (en) * 2021-06-30 2021-09-14 北京奇艺世纪科技有限公司 Authentication method, authentication device, electronic equipment and storage medium
CN114039792B (en) * 2021-11-19 2023-08-11 度小满科技(北京)有限公司 Data access authority control method, device, equipment and readable storage medium
CN115061826B (en) * 2022-02-28 2024-02-13 华为技术有限公司 A component communication method and computing device

Also Published As

Publication number Publication date
WO2023160701A1 (en) 2023-08-31
CN115061826B (en) 2024-02-13
CN115061826A (en) 2022-09-16

Similar Documents

Publication Publication Date Title
US12348567B2 (en) Attestation service for enforcing payload security policies in a data center
US11487852B2 (en) Blockchain-based license management
EP3809625B1 (en) Chip, method for generating private key, and method for trusted verification
EP3805968B1 (en) Technologies for secure hardware and software attestation for trusted i/o
US20240419776A1 (en) Component Authentication Method and Apparatus
US11868474B2 (en) Securing node groups
US11599378B2 (en) Data encryption key management system
US11416615B2 (en) Configuring trusted remote management communications using UEFI
US11977640B2 (en) Systems and methods for authenticating the identity of an information handling system
US20230008885A1 (en) Systems and methods for importing security credentials for use by an information handling system
US20230010345A1 (en) Systems and methods for authenticating hardware of an information handling system
WO2023196045A1 (en) Confidential compute architecture integrated with direct swap caching
US20230011005A1 (en) Systems and methods for authenticating configurations of an information handling system
US12413421B2 (en) Trusted and validated platform device certificate provisioning using security protocol data model (SPDM)
US20220171884A1 (en) System and method for supporting multiple independent silicon-rooted trusts per system-on-a-chip
WO2023160701A1 (en) Component communication method and computing device
CN116702149A (en) A trusted measurement method, server and chip
US20250247376A1 (en) Systems and methods to support certificates and data protection for components without a root of trust
US12026561B2 (en) Dynamic authentication and authorization of a containerized process
US20250062891A1 (en) Systems and methods for secure modular hardware binding
US20250103755A1 (en) Systems and methods for establishing and using device identity in information handling systems
US12328388B2 (en) Systems and methods for secure secret provisioning of remote access controllers
US11720517B2 (en) Information handling system bus out of band message access control
US20240036744A1 (en) Information handling system configured for authentication of memory expansion capabilities
US20240073007A1 (en) Enforcing access control for embedded controller resources and interfaces

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination