CN110321715A - Credible measurement method, apparatus and processor - Google Patents
- Publication number
- CN110321715A
- Authority
- CN
- China
- Prior art keywords
- code
- trusted
- measurement
- module
- firmware
- Prior art date
- Legal status
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/575—Secure boot
Abstract
This application discloses a trusted measurement method, apparatus and processor. The method comprises: after power is supplied to the trusted computing system, controlling a target chip to start before the central processing unit on the computer motherboard starts; after the target chip has started, loading and executing the trusted platform control module firmware, the trusted software base and the trusted cryptographic module firmware, and reading the BIOS firmware on the computer motherboard through a preset interface to measure it; and, when the measurement result of the BIOS firmware is trusted, controlling the central processing unit on the computer motherboard to start and to load and execute the BIOS firmware. The application thereby addresses the problem that trusted computing methods implemented in the TPM manner in the related art do little to improve the defence capability of a computer system.
Description
Technical Field
The present application relates to the field of trusted computing, and in particular, to a method, an apparatus, and a processor for measuring trust.
Background
The current network space is extremely fragile, and network attack incidents with major impact, such as Stuxnet, the WannaCry ransomware and Mirai, occur one after another and grow more rampant by the day. The root cause is that the problem is not addressed at the actual source of network security risk: passive defences of blocking, scanning and removal, represented by firewalls, antivirus and intrusion detection, are adopted one after another, yet they are insufficient to prevent attacks and, in particular, cannot effectively prevent attacks that exploit vulnerabilities in the target system.
To address the security of the current network space, the international TCG organization proposed a trusted computing method which takes the TPM and the initial BIOS code as the root of trust, measures level by level, and thereby constructs a trust chain for the computer that protects its important resources from illegal tampering and damage; this has achieved a fair degree of success. However, the TPM works as a computer peripheral that is passively invoked through host software calls, and it can only perform static measurement of resources such as the computer's firmware and executable programs. A trusted computing platform implemented in the TPM manner is essentially a single-system architecture that can only function when called by a host program; its security capability is entirely dependent on the security of the host system, and it cannot substantially improve the active defence capability of the computer system. Windows 10, for example, fully implements the TCG trusted computing architecture, yet it failed to thwart the WannaCry ransomware attacks.
In addition, the trusted computing platform implemented by the TPM is essentially a single system architecture, and the TPM has limitations in terms of resource access and control of the computer. The TPM can only perform static measurements on resources such as firmware and executable programs of the computer, and cannot perform dynamic measurements on application execution and the execution environment on which the application depends.
Aiming at the problem that the trusted computing method realized in a TPM mode in the related technology is difficult to improve the defense capability of a computer system, an effective solution is not provided at present.
Disclosure of Invention
The application provides a trusted measurement method, a trusted measurement device and a processor, which are used for solving the problem that the defense capability of a computer system is difficult to improve by a trusted computing method realized in a TPM mode in the related technology.
According to one aspect of the present application, a confidence metric method is provided. The method comprises the following steps: after supplying power for the trusted computing system, the control target chip is started before the central processing unit on the computer mainboard is started, wherein the trusted computing system comprises a computing subsystem and a protection subsystem which run in parallel, the computing subsystem at least comprises a computer mainboard, the protection subsystem at least comprises a trusted computing module, the trusted computing module is connected with the computer mainboard through a PCIE interface and a preset interface, and the trusted computing module at least comprises: the target storage area is connected with the target chip and used for storing trusted platform control module firmware, a trusted software base and trusted password module firmware; after the target chip is started, loading and executing the trusted platform control module firmware, the trusted software base and the trusted password module firmware, and reading the BIOS firmware on the computer mainboard by using a preset interface for measurement; and under the condition that the measurement result of the BIOS firmware is credible, controlling a central processing unit on a computer mainboard to start, and loading and executing the BIOS firmware.
Further, the starting of the control target chip before the central processing unit on the computer mainboard is started comprises: the target chip sends a control signal to a time sequence control circuit on a computer mainboard through a preset interface; the time sequence control circuit controls the power-on time sequence of the computer mainboard based on the control signal, so that the target chip is started before the central processing unit is started.
Further, the method further comprises: in the process of executing the BIOS firmware, a measurement agent module in the BIOS firmware intercepts the loading operation of the BIOS firmware on an OSLoader code; the target chip acquires an OSLoader code from a target storage area and measures the OSLoader code; and under the condition that the measurement result of the OSLoader code is credible, the interception operation is removed, and the BIOS firmware loads and executes the OSLoader code.
Further, the method further comprises: in the process of executing the OSLoader code, a measurement agent module in the OSLoader code intercepts the loading operation of the OSLoader code on an OS kernel code; the target chip acquires the OS kernel code from the target storage area and measures the OS kernel code; and under the condition that the measurement result of the OS kernel code is credible, the interception operation is removed, and the OS loader code loads and executes the OS kernel code.
Further, the method further comprises: in the process of executing the OS kernel code, a measurement proxy module in the OS kernel code intercepts the loading operation of the OS kernel code on the OS system service code; the target chip acquires an OS system service code from the target storage area and measures the OS system service code; and in the case that the measurement result of the OS system service code is credible, the interception operation is released, and the OS kernel code loads and executes the OS system service code.
Further, the method further comprises: in the process of executing the OS system service code, a measurement proxy module in the OS system service code intercepts the loading operation of the OS system service code on an application program code; the target chip acquires the application program code from the target storage area and measures the application program code; and in the case that the measurement result of the application program code is credible, the interception operation is released, and the OS system service code loads and executes the application program code.
Further, in the process of executing the OSLoader, after the measurement agent module in the OSLoader code intercepts the loading operation of the OSLoader code on the OS kernel code, the method further includes: the target chip acquires memory data in a computer mainboard through a PCIE interface and measures the memory data; and under the condition that the measurement result of the memory data is credible, the execution target chip acquires the OS kernel code from the target storage area and measures the OS kernel code.
Further, the obtaining, by the target chip, memory data in the computer motherboard through the PCIE interface includes: the target chip directly reads memory data in a computer mainboard through a PCIE interface; or, the target chip receives memory data in the computer motherboard, which is acquired by a measurement proxy module in the OSLoader code, through the PCIE interface; or, the target chip receives the address of the memory data acquired by the measurement proxy module in the OSLoader code through the PCIE interface, and acquires the memory data through the PCIE interface based on the address of the memory data.
According to another aspect of the present application, a trusted metrics apparatus is provided. The device includes: the control unit is used for controlling the target chip to be started before the central processing unit on the computer mainboard is started after the power is supplied to the trusted computing system, wherein the trusted computing system comprises a computing subsystem and a protection subsystem which run in parallel, the computing subsystem at least comprises a computer mainboard, the protection subsystem at least comprises a trusted computing module, the trusted computing module is connected with the computer mainboard through a PCIE interface and a preset interface, and the trusted computing module at least comprises: the target storage area is connected with the target chip and used for storing trusted platform control module firmware, a trusted software base and trusted password module firmware; the first execution unit is used for loading and executing the trusted platform control module firmware, the trusted software base and the trusted password module firmware after the target chip is started, and reading the BIOS firmware on the computer mainboard by using the preset interface for measurement; and the second execution unit is used for controlling the central processing unit on the computer mainboard to start and load and execute the BIOS firmware under the condition that the measurement result of the BIOS firmware is credible.
To achieve the above object, according to another aspect of the present application, there is provided a processor for executing a program, wherein the program executes to perform any one of the above confidence metrics methods.
Through the application, the following steps are adopted: after supplying power for the trusted computing system, the control target chip is started before the central processing unit on the computer mainboard is started, wherein the trusted computing system comprises a computing subsystem and a protection subsystem which run in parallel, the computing subsystem at least comprises a computer mainboard, the protection subsystem at least comprises a trusted computing module, the trusted computing module is connected with the computer mainboard through a PCIE interface and a preset interface, and the trusted computing module at least comprises: the target storage area is connected with the target chip and used for storing trusted platform control module firmware, a trusted software base and trusted password module firmware; after the target chip is started, loading and executing the trusted platform control module firmware, the trusted software base and the trusted password module firmware, and reading the BIOS firmware on the computer mainboard by using a preset interface for measurement; under the condition that the measurement result of the BIOS firmware is credible, the central processing unit on the computer mainboard is controlled to start, and the BIOS firmware is loaded and executed, so that the problem that the defense capability of a computer system is difficult to improve by a credible computing method realized in a TPM mode in the related technology is solved. By controlling the target chip to be started before the central processing unit on the computer mainboard is started and loading and executing the BIOS firmware after the central processing unit is started, the effect of improving the defense capability of the trusted computing system on the computer system is achieved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the application and, together with the description, serve to explain the application and are not intended to limit the application. In the drawings:
FIG. 1 is a flow chart of a trusted measurement method provided according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a trusted computing system provided in accordance with an embodiment of the present application; and
FIG. 3 is a schematic diagram of a trusted measurement apparatus provided according to an embodiment of the present application.
Detailed Description
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It should be understood that the data so used may be interchanged under appropriate circumstances such that embodiments of the application described herein may be used. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
For convenience of description, some terms or expressions referred to in the embodiments of the present application are explained below:
TCM: trusted cryptographic module, the hardware module of the trusted computing platform that provides cryptographic operation functions for the trusted computing platform and has a protected storage space.
TPCM: trusted platform control module, a hardware core module integrated in a trusted computing platform, used to establish and guarantee the trusted source point and to provide integrity measurement, secure storage, trusted reporting, cryptographic services and the like for trusted computing.
TSB: trusted software base, a collection of software elements that provide support for the trustworthiness of a trusted computing platform.
According to an embodiment of the application, a trusted measurement method is provided.
FIG. 1 is a flow chart of a trusted measurement method according to an embodiment of the present application. As shown in FIG. 1, the method comprises the following steps:
step S101, after supplying power to a trusted computing system, controlling a target chip to be started before a central processing unit on a computer mainboard is started, wherein the trusted computing system comprises a computing subsystem and a protection subsystem which run in parallel, the computing subsystem at least comprises a computer mainboard, the protection subsystem at least comprises a trusted computing module, the trusted computing module is connected with the computer mainboard through a PCIE interface and a preset interface, and the trusted computing module at least comprises: the target storage area is connected with the target chip and used for storing the trusted platform control module firmware, the trusted software base and the trusted password module firmware.
Specifically, after a mainboard of the trusted computer is powered on, the trusted computing module is controlled to be started before a CPU of the mainboard, and active measurement and active control are performed on the host by taking the trusted computing module as a trust root.
It should be noted that, in the trusted computing system, as shown in fig. 2, the target chip is an embedded chip, a connection between the embedded chip and the persistent storage area is established, so as to form a trusted computing module, and the embedded chip can run the trusted platform control module firmware, the trusted software base, and the trusted cryptographic module by data transmission between the embedded chip and the persistent storage area. The trusted computing module is connected with a computer mainboard through a PCIE interface and a preset interface to construct a trusted computing system with a double-system structure, and a CPU, a memory, a CPLD, a BIOS Flash, a peripheral and the like on the mainboard are matched to realize the execution of computing tasks.
The PCIE interface is a user data access interface, data transmission and command interaction between the protection subsystem and a CPU on the mainboard are achieved through the PCIE interface, the preset interface is used for controlling a time sequence control circuit on the computing subsystem through a first bus, and/or reading BIOS firmware through a second bus, and/or controlling an external device on the computing subsystem through a third bus, and through the preset interface, the protection subsystem can control a time sequence control circuit CPLD on the mainboard through a GPIO bus and control an embedded chip in the protection subsystem to start before the CPU on the mainboard, so that the embedded chip performs static measurement on the computing system, and a static trust chain is established. Through the preset interface, the protection subsystem can also access the BIOS Flash through the SPI bus to read the BIOS firmware, so that the BIOS can be measured in the starting process of the computing system. Through the preset interface, the protection subsystem can also control the peripheral equipment on the mainboard by using BMC through an SMBUS according to the measurement result. The embodiment of the application does not specifically limit the form of the preset interface, for example, the preset interface can be implemented in an SPI mode based on modes such as a mainboard pin, a connector, a slot and a golden finger, and the number of the specific interfaces can be designed and implemented according to actual conditions.
The embedded chip comprises at least a chip central processing unit, memory and interfaces. The chip central processing unit in the embedded chip is responsible for executing service logic control, mainly the logic control of the TPCM service and the storage service. The memory comprises a plurality of memories, each storing different data generated in trusted computing: for example, an OTP register stores hardware configuration information, the unique root key of the chip and part of the public key data used for signature verification; the DDR (double data rate synchronous dynamic memory) support on the card enlarges the RAM (random access memory) capacity of the system; the on-chip memory is mainly used for caching transfer data and for internal firmware; DMA (direct memory access) connects the memory to external devices with DMA capability through a dedicated bus; and the ROM (read only memory) mainly holds the first signature-checking function used during mass production and the secure boot function used after mass production. It should be noted that operations involving the cryptographic keys of the present application can be performed in a storage area inside the embedded chip: a cryptographic key that is encrypted and protected by the TPCM key management mechanism is decrypted from SDRAM (synchronous dynamic random access memory) into an on-chip OCM (on-chip memory) area for use. Data is transferred between the OCM and the encryption/decryption engine through SDMA (direct memory access for data encryption and decryption). Similarly, in the TPCM key generation stage, a plaintext key generated by the cryptographic algorithm engine is sent into the OCM through SDMA, encrypted with a storage key, sent to the SDRAM outside the chip, and finally stored in the persistent storage area.
The interfaces comprise at least a first interface, a second interface and a third interface. The first interface may be a DDR interface, through which the embedded chip accesses the SDRAM. The second interface may be a Flash interface, through which the embedded chip accesses the persistent storage area, for example Flash. The third interface may be an SPI (serial peripheral interface) and an I2C interface: the SPI interface is used to transmit measurement information, core data and the like, and the I2C interface provides a low-speed data access interface for the TPCM and is mainly used for custom command interaction. In addition, the target chip also comprises a TIMER, which counts the clock pulses inside the chip, and a GPIO (general purpose input/output port), which is responsible for sending control signals and state signals to the outside.
Wherein the trusted platform control module firmware at least comprises: the system comprises an instruction processing module, an initialization module, an input/output driving module, a trusted function module and a measurement module, wherein the instruction processing module is responsible for analyzing and executing instructions sent by an external entity, the initialization module is responsible for module initialization, module self-checking, trusted computing system state initialization and the like, the input/output driving module is mainly an input/output driving function library in the module, the active measurement module is responsible for active measurement of a memory, and the trusted function module is mainly used for providing basic trusted support.
In addition, the trusted computing module includes a Dynamic Random Access Memory (DRAM) coupled to the target chip for storing data generated during trusted computing, in addition to the persistent storage.
It should be noted that the trusted computing module has independent resources such as computing and storage, and can reduce resource occupation on the computer motherboard when performing security protection on the computer motherboard, and the computer motherboard obtains security protection while the performance of the business application is not affected, and the trusted computing module does not provide services to the outside, so that the trusted computing module is difficult to be attacked by the outside, and the security performance of the trusted computing module is improved.
In addition, the embodiment of the present application does not specifically limit the form in which the trusted computing module exists; for example, the trusted computing module may be a hard disk that provides both trusted computing and disk control. The embodiment also does not specifically limit the form of the trusted computer with the dual-architecture motherboard; for example, it may be a server, a PC, or the like.
Step S102, after the target chip is started, loading and executing the trusted platform control module firmware, the trusted software base and the trusted password module firmware, and reading the BIOS firmware on the computer mainboard by using the preset interface for measurement.
Specifically, the embedded chip with the TPCM function accesses the BIOS Flash through the SPI bus by using the preset interface, measures the BIOS firmware, and stores the measurement result in a storage area inside the embedded chip, or sends it to the persistent storage area or the SDRAM in the trusted computing module for storage.
Step S103, when the measurement result of the BIOS firmware is trusted, controlling the central processing unit on the computer mainboard to start and to load and execute the BIOS firmware.
It should be noted that, if the BIOS measurement result is trusted, the embedded chip with the TPCM function controls the CPLD through the GPIO bus by using the preset interface so that the CPU on the motherboard starts, and the CPU loads and executes the BIOS through the south bridge chip. The embedded chip with the TPCM function then reads the OSLoader code, the OS kernel code, the OS system service code and the application program code from the persistent storage area in sequence through the Flash interface and performs trusted measurement on each until the static trust chain is established. Meanwhile, while the static trust chain is being established, the embedded chip with the TPCM function can also read memory data through the PCIE bus and perform trusted measurement on it.
If the measurement result of the BIOS is not trusted, the embedded chip with the TPCM function performs control processing according to the trusted policy, for example by having the timing control circuit on the motherboard forcibly restart or power off the trusted computing platform.
According to the credibility measuring method provided by the embodiment of the application, after the power is supplied to the credible computing system, the control target chip is started before the central processing unit on the computer mainboard is started, wherein the credible computing system comprises a computing subsystem and a protection subsystem which run in parallel, the computing subsystem at least comprises the computer mainboard, the protection subsystem at least comprises a credible computing module, the credible computing module is connected with the computer mainboard through a PCIE interface and a preset interface, and the credible computing module at least comprises: the target storage area is connected with the target chip and used for storing trusted platform control module firmware, a trusted software base and trusted password module firmware; after the target chip is started, loading and executing the trusted platform control module firmware, the trusted software base and the trusted password module firmware, and reading the BIOS firmware on the computer mainboard by using a preset interface for measurement; under the condition that the measurement result of the BIOS firmware is credible, the central processing unit on the computer mainboard is controlled to start, and the BIOS firmware is loaded and executed, so that the problem that the defense capability of a computer system is difficult to improve by a credible computing method realized in a TPM mode in the related technology is solved. By controlling the target chip to be started before the central processing unit on the computer mainboard is started and loading and executing the BIOS firmware after the central processing unit is started, the effect of improving the defense capability of the trusted computing system on the computer system is achieved.
Optionally, in the trusted measurement method provided in this embodiment of the present application, the controlling the target chip to be started before the central processing unit on the computer motherboard is started includes: the target chip sends a control signal to a time sequence control circuit on a computer mainboard through a preset interface; the time sequence control circuit controls the power-on time sequence of the computer mainboard based on the control signal, so that the target chip is started before the central processing unit is started.
Specifically, the embedded chip with the TPCM function sends a control signal to the CPLD through the GPIO bus by using the preset interface, and the CPLD controls the power-on timing, so that the embedded chip with the TPCM function is started before the CPU on the motherboard, and then the embedded chip with the TPCM function loads and executes the TPCM operating system and the TSB program.
When the BIOS firmware is loaded and executed, the OSLoader code needs to be measured, and optionally, in the trusted measurement method provided in this embodiment of the present application, the method further includes: in the process of executing the BIOS firmware, a measurement agent module in the BIOS firmware intercepts the loading operation of the BIOS firmware on an OSLoader code; the target chip acquires an OSLoader code from a target storage area and measures the OSLoader code; and under the condition that the measurement result of the OSLoader code is credible, the interception operation is removed, and the BIOS firmware loads and executes the OSLoader code.
Specifically, during execution of the BIOS firmware, the measurement agent module in the BIOS code first intercepts the BIOS's loading of the OSLoader code, then sends a notification message to the embedded chip with the TPCM function through the PCIE interface carrying the address information of the OSLoader, and the embedded chip with the TPCM function reads the OSLoader code from the persistent storage area through the Flash interface according to that address information and measures it. Alternatively, the measurement agent module in the BIOS code reads the OSLoader code from the persistent storage area directly and sends it to the embedded chip with the TPCM function, which performs trusted measurement on the OSLoader code; the measurement specifically includes integrity checking, signature verification, key information checking and the like. If the measurement result of the OSLoader code is not trusted, control processing is performed according to the policy; if the measurement result of the OSLoader code is trusted, the embedded chip with the TPCM function sends a control instruction to the measurement agent module in the BIOS code, the measurement agent module releases the interception, and the BIOS firmware loads and executes the OSLoader code.
In the process of executing the OSLoader code, measurement needs to be performed on the OS kernel code, and optionally, in the trusted measurement method provided in the embodiment of the present application, the method further includes: in the process of executing the OSLoader code, a measurement agent module in the OSLoader code intercepts the loading operation of the OSLoader code on an OS kernel code; the target chip acquires the OS kernel code from the target storage area and measures the OS kernel code; and under the condition that the measurement result of the OS kernel code is credible, the interception operation is removed, and the OS loader code loads and executes the OS kernel code.
Specifically, in the process of executing the OSLoader code, a measurement agent module in the OSLoader code first intercepts the OSLoader code's loading of the OS kernel code, then sends a notification message to the embedded chip with the TPCM function through the PCIE interface to notify it of the address information of the OS kernel code, and the embedded chip with the TPCM function reads the OS kernel code from the persistent storage area through the Flash interface according to the address information and measures it. If the measurement result of the OS kernel code is not credible, control processing is performed according to the policy; if the measurement result of the OS kernel code is credible, the embedded chip with the TPCM function sends a control instruction to the measurement agent module in the OSLoader code, the measurement agent module releases the interception, and the OSLoader code loads and executes the OS kernel code.
In the process of executing the OS kernel code, measurement needs to be performed on OS system service code, and optionally, in the trusted measurement method provided in the embodiment of the present application, the method further includes: in the process of executing the OS kernel code, a measurement proxy module in the OS kernel code intercepts the loading operation of the OS kernel code on the OS system service code; the target chip acquires an OS system service code from the target storage area and measures the OS system service code; and in the case that the measurement result of the OS system service code is credible, the interception operation is released, and the OS kernel code loads and executes the OS system service code.
Specifically, in the execution process of the OS kernel code, a measurement proxy module in the OS kernel code first intercepts the OS kernel code's loading of the OS system service code, then sends a notification message to the embedded chip with the TPCM function through the PCIE interface to notify it of the address information of the OS system service code, and the embedded chip with the TPCM function reads the OS system service code from the persistent storage area through the Flash interface according to the address information and performs trusted measurement on it. If the measurement result of the OS system service code is not credible, control processing is performed according to the policy; if the measurement result of the OS system service code is credible, the embedded chip with the TPCM function sends a control instruction to the measurement proxy module in the OS kernel code, the measurement proxy module releases the interception, and the OS kernel code loads and executes the OS system service code.
In the process of executing the OS system service code, measurement needs to be performed on the application program code, and optionally, in the trusted measurement method provided in the embodiment of the present application, the method further includes: in the process of executing the OS system service code, a measurement proxy module in the OS system service code intercepts the loading operation of the OS system service code on an application program code; the target chip acquires the application program code from the target storage area and measures the application program code; and in the case that the measurement result of the application program code is credible, the interception operation is released, and the OS system service code loads and executes the application program code.
Specifically, in the process of executing the OS system service code, a measurement proxy module in the OS system service code first intercepts the OS system service code's loading of the application program code, then sends a notification message to the embedded chip with the TPCM function through the PCIE interface to notify it of the address information of the application program code, and the embedded chip with the TPCM function reads the application program code from the persistent storage area through the Flash interface according to the address information and performs trusted measurement on it. If the measurement result of the application program is not credible, control processing is performed according to the policy, for example preventing the application program code from loading, raising an alarm, and the like; if the measurement result of the application program is credible, the embedded chip with the TPCM function sends a control instruction to the measurement proxy module in the OS system service code, the measurement proxy module releases the interception, and the OS system service code loads and executes the application program code.
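The following Python simulation is an added illustration of the staged load-time chain described in the preceding paragraphs (BIOS, OSLoader, OS kernel, OS system services, application); it is not code from the patent or from the applicant's implementation. The flash image, the reference library held inside the TPCM, the stage names and the PCIe notification are all constructed, and "measurement" is reduced to a SHA-256 digest compared against the reference library (the signature and key-information checks the text also lists are not modelled). Each stage's agent holds the load of the next stage until the TPCM returns a control instruction, and a PCR-style register accumulates every measurement so the whole chain can be reported afterwards.

```python
"""Simulated staged load-time measurement chain (added example, not patent code).
BIOS -> OSLoader -> OS kernel -> OS system services -> application."""
import hashlib
from dataclasses import dataclass, field

# Constructed persistent-storage image: stage -> (flash address, code bytes).
FLASH = {
    "OSLoader":  (0x0010_0000, b"OSLOADER v1"),
    "OSKernel":  (0x0020_0000, b"KERNEL 5.x"),
    "OSService": (0x0030_0000, b"init sshd"),
    "App":       (0x0040_0000, b"app v2"),
}
STAGES = tuple(FLASH)

# Constructed reference library the TPCM ships with: stage -> expected digest.
REFERENCE = {name: hashlib.sha256(code).hexdigest() for name, (_, code) in FLASH.items()}


@dataclass
class Tpcm:
    """The embedded chip: reads code over the Flash interface and measures it."""
    reference: dict
    log: list = field(default_factory=list)
    # PCR-style accumulator: every measurement is folded in, so the whole chain
    # can be reported later, not only the last stage.
    register: bytes = b"\x00" * 32

    def measure(self, flash, stage, address):
        code = next(c for a, c in flash.values() if a == address)   # Flash read
        digest = hashlib.sha256(code).hexdigest()
        trusted = self.reference.get(stage) == digest
        self.register = hashlib.sha256(self.register + bytes.fromhex(digest)).digest()
        self.log.append((stage, hex(address), digest, trusted))
        return "RELEASE" if trusted else "DENY"    # control instruction to the agent

    def chain_digest(self):
        return self.register.hex()


@dataclass
class MeasurementAgent:
    """Agent in the currently running stage: holds the load of the next stage
    until the TPCM answers, then releases it or applies the control policy."""
    tpcm: Tpcm
    flash: dict
    alarms: list = field(default_factory=list)

    def load_next(self, stage):
        address, _ = self.flash[stage]
        # Notify the TPCM of the address (the PCIe notification in the text); the
        # TPCM fetches the bytes itself rather than trusting a copy from the agent.
        instruction = self.tpcm.measure(self.flash, stage, address)
        if instruction == "RELEASE":
            return True                        # interception released, stage loads
        self.alarms.append(f"{stage}: measurement untrusted, load blocked")
        return False                           # policy: block the load and alarm


def boot_chain(tpcm, flash, stages=STAGES):
    """Run the chain; returns the stages allowed to load and the alarms raised."""
    agent = MeasurementAgent(tpcm, flash)
    loaded = []
    for stage in stages:
        if not agent.load_next(stage):
            break
        loaded.append(stage)
    return loaded, agent.alarms


def tampered_flash(base, stage, new_code):
    """Constructed attack: overwrite one stage image in flash, keep its address."""
    flash = dict(base)
    flash[stage] = (base[stage][0], new_code)
    return flash


if __name__ == "__main__":
    clean = Tpcm(REFERENCE)
    print(boot_chain(clean, FLASH), clean.chain_digest())
    bad = Tpcm(REFERENCE)
    print(boot_chain(bad, tampered_flash(FLASH, "OSKernel", b"KERNEL 5.x + implant")))
```

With an intact flash image all four stages load and the chain digest is reproducible; with a modified kernel image the chain stops after the OSLoader and one alarm is recorded. Note that, exactly as in the text, the TPCM here measures the bytes in persistent storage, not the bytes that end up in RAM; the separate memory-data measurement the description covers is what narrows that time-of-check gap.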
Optionally, in the trusted measurement method provided in this embodiment of the present application, in the process of executing the OSLoader, after a measurement proxy module in the OSLoader code intercepts the load operation of the OSLoader code on the OS kernel code, the method further includes: the target chip acquires memory data in the computer motherboard through the PCIE interface and measures the memory data; and under the condition that the measurement result of the memory data is credible, the target chip acquires the OS kernel code from the target storage area and measures the OS kernel code.
Specifically, in the process of executing the OSLoader code, a measurement agent module in the OSLoader code first intercepts the OSLoader code's loading of the OS kernel code, then sends a notification message to the embedded chip with the TPCM function through the PCIE interface to notify it of the address information of the OS kernel code, and the embedded chip with the TPCM function first directly accesses the memory through the PCIE interface and reads the memory data for measurement (alternatively, the measurement agent module in the OSLoader code may itself transmit the memory data to the embedded chip with the TPCM function for measurement). If the memory data measurement result is not credible, control processing is performed according to the policy. If the memory data measurement result is credible, the embedded chip with the TPCM function reads the OS kernel code from the persistent storage area through the Flash interface according to the address information and measures it. If the measurement result of the OS kernel code is not credible, control processing is performed according to the policy; if the measurement result of the OS kernel code is credible, the embedded chip with the TPCM function sends a control instruction to the measurement agent module in the OSLoader code, the measurement agent module releases the interception, and the OSLoader code loads and executes the OS kernel code.
It should be noted that, in the embodiment of the present application, the memory data may be obtained and measured at any stage in the boot process according to the trusted policy, and the method is not limited to the measurement of the memory data in the execution process of the OSLoader code and before the OS kernel code is loaded as described in the above example.
Optionally, in the trusted measurement method provided in the embodiment of the present application, the obtaining, by the target chip through the PCIE interface, of memory data in the computer motherboard includes: the target chip directly reads memory data in the computer motherboard through the PCIE interface; or, the target chip receives, through the PCIE interface, memory data in the computer motherboard that was acquired by the measurement proxy module in the OSLoader code; or, the target chip receives, through the PCIE interface, the address of the memory data acquired by the measurement proxy module in the OSLoader code, and acquires the memory data through the PCIE interface based on that address.
Specifically, when the embedded chip with the TPCM function measures the memory data, the measurement proxy module may actively send the memory data to the embedded chip with the TPCM function for measurement, or the measurement proxy module may send the address of the data to the embedded chip with the TPCM function and the embedded chip with the TPCM function obtains the data from the memory for measurement; when the embedded chip with the TPCM function actively obtains the data from the memory according to the address, the data is read from the memory over the PCIE bus.
In addition, it should be noted that, when the trigger condition of the dynamic measurement is satisfied, the embedded chip with the TPCM function may perform dynamic measurement on one or more of the memory, the CPU, the peripheral devices and the TSB according to the trusted policy, and jointly determine the control processing method from the results. The trigger condition of the dynamic measurement includes, but is not limited to, behavioral triggers, temporal triggers and the like; the measurement results and the measurement logs may be stored in persistent storage or SDRAM in the trusted computing module.
For example, the embedded chip with the TPCM function dynamically measures the memory, so that illegal tampering with data in the memory of the computing system can be detected, the memory environment into which a next-stage program is loaded is confirmed to be trusted, and security is improved. The dynamic measurement of the memory can include timing measurement and real-time measurement: timing measurement is active measurement of the memory by the embedded chip with the TPCM function according to the trusted policy when a predetermined time point and/or a predetermined measurement period is reached; real-time measurement is active measurement of the memory by the embedded chip with the TPCM function according to the trusted policy when an action trigger and/or an event trigger occurs.
Specifically, in timing measurement, the manner in which the embedded chip with the TPCM function acquires the memory data at each predetermined measurement period may include, but is not limited to: the TSB agent program directly sends the data to the embedded chip with the TPCM function through the PCIE bus; the TSB agent program sends the data address to the embedded chip with the TPCM function through the PCIE bus; or the embedded chip with the TPCM function directly accesses the memory through the PCIE bus to obtain the data. The measurement process may include: step 1, when a predetermined time point and/or a predetermined measurement period is reached, the embedded chip with the TPCM function acquires the current host memory data, such as execution environment information, from the memory, where the execution environment information includes a process environment and a system environment, such as operating system kernel code, kernel data, process code, process data and the like; step 2, the execution environment information is measured according to the matching trusted policy, and the measurement result and measurement log are stored in the TPCM; step 3, a judgment is made according to the measurement result and the judgment method in the trusted policy, the control processing method (for example, whether to report or repair) is determined, and a report is generated; step 4, the host is controlled accordingly according to the control processing method.
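The following Python model is an added illustration, not code from the patent or the applicant's implementation, covering both the boot-time memory check before the OS kernel is loaded and the periodic timing measurement described above. It implements the three acquisition paths the text lists (direct PCIe/DMA read, the TSB agent pushing the data, the TSB agent pushing only an address), a baseline taken at a known-good moment, and the report-or-repair decision per region. The flat host memory, the region table, the golden copies kept in the TPCM and the measurement ticks are constructed. It also includes a constructed attacker model, a subverted agent that replays clean bytes from a cache, to show why the direct-read path exists: proxy-mode acquisition is only as trustworthy as the agent supplying the data. That attacker model is an illustration of the design point, not something the patent describes.

```python
"""Dynamic (timing) measurement of host memory by the TPCM (added example, not
patent code): three acquisition paths, baseline comparison, repair or report."""
import hashlib


class HostMemory:
    """Constructed physical memory the TPCM can read and write over 'PCIe'."""
    def __init__(self, size=0x1000):
        self.buf = bytearray(size)

    def read(self, addr, length):
        return bytes(self.buf[addr:addr + length])

    def write(self, addr, data):
        self.buf[addr:addr + len(data)] = data


class TsbAgent:
    """Proxy in the host kernel: hands the TPCM either the data or the address."""
    def __init__(self, mem):
        self.mem = mem

    def push_data(self, addr, length):
        return self.mem.read(addr, length)

    def push_address(self, addr, length):
        return addr, length


class CompromisedAgent(TsbAgent):
    """Constructed attacker model: a subverted agent replays the first (clean)
    bytes it saw for each region, so proxy-mode measurement never sees a change."""
    def __init__(self, mem):
        super().__init__(mem)
        self.cache = {}

    def push_data(self, addr, length):
        return self.cache.setdefault((addr, length), self.mem.read(addr, length))


class Tpcm:
    def __init__(self, mem, regions):
        self.mem = mem
        self.regions = regions       # name -> (addr, length, immutable?)
        self.golden = {}             # golden copies kept in TPCM storage for repair
        self.baseline = {}           # name -> reference digest
        self.log = []                # measurement log kept inside the TPCM

    def acquire(self, addr, length, mode, agent=None):
        if mode == "direct":         # TPCM reads host RAM itself via PCIe DMA
            return self.mem.read(addr, length)
        if mode == "agent_data":     # agent ships the bytes over PCIe
            return agent.push_data(addr, length)
        if mode == "agent_address":  # agent ships the address, TPCM reads via PCIe
            a, n = agent.push_address(addr, length)
            return self.mem.read(a, n)
        raise ValueError(mode)

    def take_baseline(self):
        """Record reference digests (and golden copies of code) at a trusted point."""
        for name, (addr, length, immutable) in self.regions.items():
            data = self.mem.read(addr, length)
            self.baseline[name] = hashlib.sha256(data).hexdigest()
            if immutable:
                self.golden[name] = data

    def timed_measurement(self, tick, mode="direct", agent=None):
        """One measurement period; returns the control decision per region."""
        decisions = {}
        for name, (addr, length, immutable) in self.regions.items():
            digest = hashlib.sha256(self.acquire(addr, length, mode, agent)).hexdigest()
            if digest == self.baseline[name]:
                decision = "trusted"
            elif immutable:
                self.mem.write(addr, self.golden[name])   # recover corrupted code
                decision = "repaired"
            else:
                self.baseline[name] = digest              # data may change: report only
                decision = "reported"
            self.log.append((tick, name, mode, digest, decision))
            decisions[name] = decision
        return decisions


REGIONS = {                  # constructed region table: addr, length, immutable
    "kernel_text":   (0x100, 64, True),
    "syscall_table": (0x200, 32, True),
    "process_data":  (0x300, 32, False),
}


def build_demo():
    mem = HostMemory()
    mem.write(0x100, bytes(range(64)))
    mem.write(0x200, b"\x55" * 32)
    mem.write(0x300, b"\xaa" * 32)
    tpcm = Tpcm(mem, REGIONS)
    tpcm.take_baseline()
    return mem, tpcm


if __name__ == "__main__":
    mem, tpcm = build_demo()
    print(tpcm.timed_measurement(1))
    mem.write(0x104, b"\xcc\xcc")             # constructed tamper of kernel text
    print(tpcm.timed_measurement(2))           # direct read catches and repairs it
```

Run against the constructed memory, a two-byte change inside the kernel text goes unnoticed when the compromised agent supplies the data but is detected and written back from the golden copy on the next direct read, while a change in the mutable data region is only reported and re-baselined.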
In real-time measurement, the TPCM has two measurement modes, a direct measurement mode and a proxy measurement mode. In the proxy measurement mode, the TSB agent is embedded in the kernel of the host operating system; the agent can obtain related information (for example, behavior information) from the memory, and can also receive control instructions from the TPCM to assist in controlling the host, for example killing a host process, shutting down, performing data processing, or controlling a device. In the proxy measurement mode, taking system call behavior triggering as an example, the dynamic measurement process of the embedded chip with the TPCM function on the memory may include: step 1, when the TSB agent detects a system call behavior, four-tuple information related to the system call behavior, namely the subject, the object, the operation and the execution environment (the latter including the process environment and the system environment), is obtained from the context information. The TSB agent may directly send the obtained quadruple information to the embedded chip with the TPCM function through the PCIE bus for measurement, or the TSB agent may send the address of the quadruple information to the embedded chip with the TPCM function through the PCIE bus, and the embedded chip with the TPCM function obtains the quadruple information from the memory through the PCIE bus for measurement; step 2, the system call behavior is measured according to the matching trusted policy, and the measurement result and measurement log are stored in the TPCM; step 3, a judgment is made according to the measurement result and the judgment method in the trusted policy, the control processing method (for example, whether to report or repair) is determined, and a report is generated; step 4, the host is controlled accordingly according to the control processing method.
The control processing method may include, but is not limited to: whether to allow execution of the current system call behavior of the computing system, directly recovering corrupted data of the computing system, reporting measurement errors, killing host processes of the computing system, controlling in coordination with other security mechanisms, and the like.
It should be noted that, when the TSB agent detects the system call behavior, the TSB agent may first intercept the system call behavior, and after the embedded chip with the TPCM function has measured it, determine whether to allow the system call behavior to be executed according to the measurement result. According to the measurement result, the embedded chip with the TPCM function can send a control instruction to the TSB agent program through the PCIE bus, and the TSB agent program controls the system call behavior according to the control instruction; likewise, if the measurement result of the memory is not credible, the embedded chip with the TPCM function can send a control instruction to the TSB agent program through the PCIE bus, and the TSB agent program assists in the control according to the control instruction. Alternatively, when the TSB agent detects a system call behavior, it may allow its execution first, and the embedded chip with the TPCM function measures the system call behavior and determines the control processing manner for subsequent occurrences of the behavior according to the measurement result; for example, when the system call behavior is determined to be untrusted, it is prevented from being executed when it occurs again.
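The following Python model is an added illustration of the proxy-mode, system-call-triggered real-time measurement in the three preceding paragraphs; it is not code from the patent or the applicant's implementation. The TSB agent builds the four-tuple (subject, object, operation, execution environment), hands it to the TPCM, and enforces the returned control instruction in both orderings the text gives: intercept the call and wait for the verdict, or let it run and block later recurrences. The policy rules, the subject and object names, the verdict vocabulary and the PCIe hand-off are constructed; the environment field stands in for the latest memory-measurement verdict.

```python
"""Proxy-mode, behaviour-triggered measurement of system calls (added example,
not patent code): quadruple, trusted-policy match, control instruction."""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Quad:
    subject: str       # executing process, here identified by its image path
    object: str        # file, device or socket the call acts on
    operation: str     # open_read, open_write, mmap, ...
    environment: str   # "trusted" / "untrusted" from the last memory measurement


# Constructed trusted policy: first matching rule wins; every field is a glob.
POLICY = [
    # (subject,          object,        operation,    environment, verdict)
    ("*",                "*",           "*",          "untrusted", "DENY"),
    ("/usr/bin/passwd",  "/etc/shadow", "open_write", "*",         "ALLOW"),
    ("*",                "/etc/shadow", "open_write", "*",         "DENY"),
    ("*",                "/dev/mem",    "*",          "*",         "KILL"),
    ("*",                "/dev/kmem",   "*",          "*",         "KILL"),
    ("*",                "*",           "*",          "*",         "ALLOW"),
]


class Tpcm:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.log = []          # measurement results and log kept inside the TPCM

    def measure(self, quad):
        """Match the quadruple against the policy; return the control instruction."""
        for subj, obj, op, env, verdict in self.policy:
            if (fnmatch(quad.subject, subj) and fnmatch(quad.object, obj)
                    and fnmatch(quad.operation, op) and fnmatch(quad.environment, env)):
                self.log.append((quad, verdict))
                return verdict
        raise RuntimeError("policy has no default rule")


class TsbAgent:
    """Kernel-resident agent. mode='intercept' holds the call until the TPCM
    answers; mode='allow_first' lets it run once and blocks recurrences."""
    def __init__(self, tpcm, mode="intercept"):
        self.tpcm = tpcm
        self.mode = mode
        self.blocked = set()   # quads judged untrusted, refused without re-measuring
        self.killed = []       # subjects killed on TPCM instruction

    def on_syscall(self, quad):
        """Returns True if the call executes, False if it is blocked."""
        if quad in self.blocked:
            return False
        if self.mode == "intercept":
            verdict = self.tpcm.measure(quad)   # call held while the TPCM decides
            return self._apply(quad, verdict, executed=False)
        verdict = self.tpcm.measure(quad)       # allow_first: call already ran
        return self._apply(quad, verdict, executed=True)

    def _apply(self, quad, verdict, executed):
        if verdict == "ALLOW":
            return True
        if verdict == "KILL":
            self.killed.append(quad.subject)    # assist control: kill the process
        self.blocked.add(quad)                  # refuse this behaviour next time
        return executed                         # allow_first: it ran this once


if __name__ == "__main__":
    agent = TsbAgent(Tpcm(), "intercept")
    print(agent.on_syscall(Quad("/usr/bin/vi", "/etc/shadow", "open_write", "trusted")))
    print(agent.on_syscall(Quad("/tmp/x", "/dev/mem", "open_read", "trusted")), agent.killed)
```

In intercept mode an untrusted call never executes; in allow-first mode the same call executes once, the verdict is remembered, and the second occurrence is refused without another round trip to the TPCM. The first policy rule shows how a failed memory measurement (environment untrusted) can be folded into every later behaviour decision.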
For another example, the embedded chip with the TPCM function dynamically measures the CPU. Specifically, when a trigger condition of the dynamic measurement is satisfied, the embedded chip with the TPCM function can directly read the CPU running state data through the PCIE interface (or the preset interface), so as to realize active measurement of the CPU. If the measurement result of the CPU is not trusted, the embedded chip with the TPCM function may directly send a control instruction to the motherboard, for example controlling the timing control circuit on the motherboard to force the CPU to restart or power off, or realize the control through the preset interface, for example triggering the restart or power-off over SPI.
For another example, the embedded chip with the TPCM function may measure the peripheral device dynamically, specifically, when a trigger condition of the dynamic measurement is satisfied, the embedded chip with the TPCM function may obtain operating state data of the peripheral device through the system management bus SMBUS, and perform active measurement on the peripheral device according to a trusted policy, and if a measurement result of the peripheral device is not trusted, the embedded chip with the TPCM function may send a control instruction to a BMC (baseboard management controller) through the SMBUS, so as to implement control of the peripheral device.
For another example, the embedded chip with the TPCM function may dynamically measure the TSB. Specifically, after the trusted software base TSB runs, the physical memory addresses of the core data in its running space can be issued to the TPCM through the TPCM interface, where the core data in the running space of the TSB includes the policy library, the reference library, the execution code segment of each function mechanism, dynamic libraries, and the like. The TPCM periodically measures the integrity of this key data in the trusted software base memory space in PCIE-DMA mode through its dynamic measurement function, so as to guarantee the operational security of the trusted software base, and the TPCM provides a secure storage space for the operating data of the trusted software base through its own storage space and encryption mechanism. The trusted software base can store other key data, such as its own policy, configuration information and reference library, in the TPCM, which strengthens the storage security guarantee of the trusted software base.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowcharts, in some cases, the steps illustrated or described may be performed in an order different than presented herein.
The embodiment of the present application further provides a trusted measurement apparatus, and it should be noted that the trusted measurement apparatus according to the embodiment of the present application may be used to execute the method for trusted measurement provided by the embodiment of the present application. The following describes a trusted measurement apparatus provided in an embodiment of the present application.
Fig. 3 is a schematic diagram of a trusted measurement apparatus according to an embodiment of the present application. As shown in fig. 3, the apparatus includes: a control unit 10, a first execution unit 20 and a second execution unit 30.
Specifically, the control unit 10 is configured to control the target chip to be started before the central processing unit on the computer motherboard is started after power is supplied to the trusted computing system, where the trusted computing system includes a computing subsystem and a protection subsystem that run in parallel, the computing subsystem at least includes the computer motherboard, the protection subsystem at least includes a trusted computing module, the trusted computing module is connected with the computer motherboard through a PCIE interface and a preset interface, and the trusted computing module at least includes: the target storage area is connected with the target chip and used for storing trusted platform control module firmware, a trusted software base and trusted password module firmware;
the first execution unit 20 is configured to load and execute the trusted platform control module firmware, the trusted software base, and the trusted cryptography module firmware after the target chip is started, and read the BIOS firmware on the computer motherboard by using the preset interface to perform measurement;
and the second execution unit 30 is configured to control the central processing unit on the computer motherboard to start up and load and execute the BIOS firmware when the measurement result of the BIOS firmware is authentic.
In the trusted measurement apparatus provided by the embodiment of the present application, after power is supplied to the trusted computing system, the control unit 10 controls the target chip to start before the central processing unit on the computer motherboard starts, where the trusted computing system includes a computing subsystem and a protection subsystem that run in parallel, the computing subsystem at least includes the computer motherboard, the protection subsystem at least includes a trusted computing module, the trusted computing module is connected with the computer motherboard through a PCIE interface and a preset interface, and the trusted computing module at least includes: the target storage area, connected with the target chip and used for storing trusted platform control module firmware, a trusted software base and trusted password module firmware; after the target chip is started, the first execution unit 20 loads and executes the trusted platform control module firmware, the trusted software base and the trusted cryptography module firmware, and reads the BIOS firmware on the computer motherboard by using the preset interface for measurement; and the second execution unit 30 controls the central processing unit on the computer motherboard to start and to load and execute the BIOS firmware under the condition that the measurement result of the BIOS firmware is trusted, so as to solve the problem that the trusted computing method implemented in a TPM manner in the related art is difficult to improve the defense capability of the computer system.
Optionally, in the trusted metric apparatus provided in the embodiment of the present application, the control unit 10 includes: the sending module is used for sending a control signal to a sequential control circuit on a computer mainboard by adopting a target chip through a preset interface; and the control module is used for controlling the power-on time sequence of the computer mainboard through the time sequence control circuit based on the control signal so as to start the target chip before the central processing unit is started.
Optionally, in the trusted measuring apparatus provided in the embodiment of the present application, the apparatus further includes: the first interception unit is used for intercepting the loading operation of the BIOS firmware on the OSLoader code through a measurement agent module in the BIOS firmware in the process of executing the BIOS firmware; the first measurement unit is used for acquiring an OSLoader code from a target storage area through a target chip and measuring the OSLoader code; and the first removing unit is used for removing the interception operation under the condition that the measurement result of the OSLoader code is credible, and loading and executing the OSLoader code by the BIOS firmware.
Optionally, in the trusted measuring apparatus provided in the embodiment of the present application, the apparatus further includes: the second interception unit is used for intercepting the loading operation of the OSLoader code on the OS kernel code through a measurement proxy module in the OSLoader code in the process of executing the OSLoader code; the second measurement unit is used for acquiring the OS kernel code from the target storage area through the target chip and measuring the OS kernel code; and the second removing unit is used for removing the interception operation under the condition that the measurement result of the OS kernel code is credible, and loading and executing the OS kernel code by the OSLoader code.
Optionally, in the trusted measuring apparatus provided in the embodiment of the present application, the apparatus further includes: the third intercepting unit is used for intercepting the loading operation of the OS kernel code on the OS system service code through a measurement proxy module in the OS kernel code in the process of executing the OS kernel code; a third measurement unit, configured to acquire the OS system service code from the target storage area through the target chip, and measure the OS system service code; and a third releasing unit for releasing the interception operation, and the OS kernel code loads and executes the OS system service code when the measurement result of the OS system service code is credible.
Optionally, in the trusted measuring apparatus provided in the embodiment of the present application, the apparatus further includes: a fourth intercepting unit, configured to intercept, by a metric proxy module in the OS system service code, a loading operation of the OS system service code on the application program code in the process of executing the OS system service code; the fourth measurement unit is used for acquiring the application program codes from the target storage area through the target chip and measuring the application program codes; and a fourth releasing unit for releasing the interception operation, and the OS system service code loads and executes the application program code, in case that the measurement result of the application program code is authentic.
Optionally, in the trusted measuring apparatus provided in the embodiment of the present application, the apparatus further includes: an acquisition unit, configured to, in the process of executing the OSLoader and after the measurement proxy module in the OSLoader code intercepts the loading operation of the OSLoader code on the OS kernel code, acquire memory data in the computer motherboard by means of the target chip through the PCIE interface and measure the memory data; and a third execution unit, configured to, under the condition that the measurement result of the memory data is credible, acquire the OS kernel code from the target storage area by means of the target chip and measure the OS kernel code.
Optionally, in the trusted metric apparatus provided in this embodiment of the present application, the obtaining unit includes: the first acquisition module is used for directly reading memory data in a computer mainboard by adopting a target chip through a PCIE interface; or, the second obtaining module is configured to receive, by using the target chip, memory data in the computer motherboard obtained by the measurement proxy module in the OSLoader code through the PCIE interface; or, the third obtaining module is configured to receive, by using the target chip, the address of the memory data obtained by the metric proxy module in the OSLoader code through the PCIE interface, and obtain the memory data through the PCIE interface based on the address of the memory data.
The credibility measuring device comprises a processor and a memory, wherein the control unit 10, the first execution unit 20, the second execution unit 30 and the like are stored in the memory as program units, and the processor executes the program units stored in the memory to realize corresponding functions.
The processor comprises a kernel, and the kernel calls the corresponding program unit from the memory. The kernel can be set to be one or more, and the problem that the defense capability of the computer system is difficult to improve by a trusted computing method realized in a TPM mode is solved by adjusting kernel parameters.
The memory may include volatile memory in a computer readable medium, Random Access Memory (RAM) and/or nonvolatile memory such as Read Only Memory (ROM) or flash memory (flash RAM), and the memory includes at least one memory chip.
An embodiment of the present invention provides a storage medium on which a program is stored, and the program implements the trusted measurement method when executed by a processor.
The embodiment of the invention provides a processor, which is used for running a program, wherein the trusted measurement method is executed when the program runs.
The embodiment of the invention provides equipment, which comprises a processor, a memory and a program which is stored on the memory and can run on the processor, wherein the processor executes the program and realizes the following steps: after supplying power for the trusted computing system, the control target chip is started before the central processing unit on the computer mainboard is started, wherein the trusted computing system comprises a computing subsystem and a protection subsystem which run in parallel, the computing subsystem at least comprises a computer mainboard, the protection subsystem at least comprises a trusted computing module, the trusted computing module is connected with the computer mainboard through a PCIE interface and a preset interface, and the trusted computing module at least comprises: the target storage area is connected with the target chip and used for storing trusted platform control module firmware, a trusted software base and trusted password module firmware; after the target chip is started, loading and executing the trusted platform control module firmware, the trusted software base and the trusted password module firmware, and reading the BIOS firmware on the computer mainboard by using a preset interface for measurement; and under the condition that the measurement result of the BIOS firmware is credible, controlling a central processing unit on a computer mainboard to start, and loading and executing the BIOS firmware.
The control target chip is started before the central processing unit on the computer mainboard is started, and the control target chip comprises the following steps: the target chip sends a control signal to a time sequence control circuit on a computer mainboard through a preset interface; the time sequence control circuit controls the power-on time sequence of the computer mainboard based on the control signal, so that the target chip is started before the central processing unit is started.
The method further comprises the following steps: during execution of the BIOS firmware, a measurement agent module in the BIOS firmware intercepts the BIOS firmware's loading of the OSLoader code; the target chip acquires the OSLoader code from the target storage area and measures it; and if the measurement result of the OSLoader code is credible, the interception is released and the BIOS firmware loads and executes the OSLoader code.
The method further comprises the following steps: during execution of the OSLoader code, a measurement agent module in the OSLoader code intercepts the OSLoader code's loading of the OS kernel code; the target chip acquires the OS kernel code from the target storage area and measures it; and if the measurement result of the OS kernel code is credible, the interception is released and the OSLoader code loads and executes the OS kernel code.
The method further comprises the following steps: during execution of the OS kernel code, a measurement agent module in the OS kernel code intercepts the OS kernel code's loading of the OS system service code; the target chip acquires the OS system service code from the target storage area and measures it; and if the measurement result of the OS system service code is credible, the interception is released and the OS kernel code loads and executes the OS system service code.
The method further comprises the following steps: during execution of the OS system service code, a measurement agent module in the OS system service code intercepts the OS system service code's loading of the application program code; the target chip acquires the application program code from the target storage area and measures it; and if the measurement result of the application program code is credible, the interception is released and the OS system service code loads and executes the application program code.
During execution of the OSLoader, after the measurement agent module in the OSLoader code has intercepted the OSLoader code's loading of the OS kernel code, the method further includes: the target chip acquires memory data from the computer mainboard through the PCIE interface and measures it; and only if the measurement result of the memory data is credible does the target chip proceed to acquire the OS kernel code from the target storage area and measure it.
The target chip acquiring memory data from the computer mainboard through the PCIE interface includes one of the following: the target chip directly reads the memory data from the computer mainboard through the PCIE interface; or the target chip receives, through the PCIE interface, memory data that the measurement agent module in the OSLoader code has acquired; or the target chip receives, through the PCIE interface, the address of the memory data acquired by the measurement agent module in the OSLoader code, and then acquires the memory data through the PCIE interface based on that address. The device herein may be a server, a PC, a PAD, a mobile phone, etc.
The present application further provides a computer program product adapted to perform a program that, when executed on a data processing device, initializes the following method steps: after power is supplied to the trusted computing system, controlling the target chip to start before the central processing unit on the computer mainboard starts, wherein the trusted computing system comprises a computing subsystem and a protection subsystem which run in parallel, the computing subsystem at least comprises a computer mainboard, the protection subsystem at least comprises a trusted computing module, the trusted computing module is connected with the computer mainboard through a PCIE interface and a preset interface, and the trusted computing module at least comprises a target storage area that is connected with the target chip and used for storing trusted platform control module firmware, a trusted software base and trusted password module firmware; after the target chip has started, loading and executing the trusted platform control module firmware, the trusted software base and the trusted password module firmware, and reading the BIOS firmware on the computer mainboard through the preset interface for measurement; and if the measurement result of the BIOS firmware is credible, controlling the central processing unit on the computer mainboard to start, and loading and executing the BIOS firmware.
Controlling the target chip to start before the central processing unit on the computer mainboard starts comprises the following steps: the target chip sends a control signal to a timing control circuit on the computer mainboard through the preset interface; the timing control circuit controls the power-on sequence of the computer mainboard based on the control signal, so that the target chip starts before the central processing unit does.
The method further comprises the following steps: during execution of the BIOS firmware, a measurement agent module in the BIOS firmware intercepts the BIOS firmware's loading of the OSLoader code; the target chip acquires the OSLoader code from the target storage area and measures it; and if the measurement result of the OSLoader code is credible, the interception is released and the BIOS firmware loads and executes the OSLoader code.
The method further comprises the following steps: during execution of the OSLoader code, a measurement agent module in the OSLoader code intercepts the OSLoader code's loading of the OS kernel code; the target chip acquires the OS kernel code from the target storage area and measures it; and if the measurement result of the OS kernel code is credible, the interception is released and the OSLoader code loads and executes the OS kernel code.
The method further comprises the following steps: during execution of the OS kernel code, a measurement agent module in the OS kernel code intercepts the OS kernel code's loading of the OS system service code; the target chip acquires the OS system service code from the target storage area and measures it; and if the measurement result of the OS system service code is credible, the interception is released and the OS kernel code loads and executes the OS system service code.
The method further comprises the following steps: during execution of the OS system service code, a measurement agent module in the OS system service code intercepts the OS system service code's loading of the application program code; the target chip acquires the application program code from the target storage area and measures it; and if the measurement result of the application program code is credible, the interception is released and the OS system service code loads and executes the application program code.
During execution of the OSLoader, after the measurement agent module in the OSLoader code has intercepted the OSLoader code's loading of the OS kernel code, the method further includes: the target chip acquires memory data from the computer mainboard through the PCIE interface and measures it; and only if the measurement result of the memory data is credible does the target chip proceed to acquire the OS kernel code from the target storage area and measure it.
The target chip acquiring memory data from the computer mainboard through the PCIE interface includes one of the following: the target chip directly reads the memory data from the computer mainboard through the PCIE interface; or the target chip receives, through the PCIE interface, memory data that the measurement agent module in the OSLoader code has acquired; or the target chip receives, through the PCIE interface, the address of the memory data acquired by the measurement agent module in the OSLoader code, and then acquires the memory data through the PCIE interface based on that address.
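The staged measurement chain described above (BIOS measured before the CPU is released, then OSLoader, OS kernel, system services and application each measured by the target chip before the intercepting agent releases the load, with the memory check inserted before the kernel) as an added, runnable simulation. This is not the applicant's code: the SHA-256 measurement, the reference-value table, the PCR-style extend register and the message flow between the two subsystems are assumptions made for the illustration.

```python
"""Simulation of the patent's two-subsystem measured boot.

Added illustration, not the applicant's code. Assumed: SHA-256 as the
measurement, a reference-value table kept beside the TPCM firmware, and a
PCR-style extend register that summarises the whole sequence.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Boot stages in the order the patent measures them.
STAGES = ["BIOS", "OSLoader", "OS_kernel", "OS_system_service", "application"]


def measure(data: bytes) -> str:
    """Measurement of a code image (assumed SHA-256; the patent names no algorithm)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class TargetChip:
    """Protection subsystem: boots first, holds reference values, records
    every measurement and folds it into a single extend register."""
    reference: Dict[str, str]            # stage -> expected digest (assumed)
    memory_reference: Optional[str]      # expected digest of the memory image
    log: List[Tuple[str, str, bool]] = field(default_factory=list)
    pcr: str = "00" * 32

    def _extend(self, digest: str) -> None:
        self.pcr = hashlib.sha256(bytes.fromhex(self.pcr) + bytes.fromhex(digest)).hexdigest()

    def measure_stage(self, stage: str, code: bytes) -> bool:
        digest = measure(code)
        trusted = self.reference.get(stage) == digest
        self.log.append((stage, digest, trusted))
        self._extend(digest)
        return trusted

    def measure_memory(self, memory: bytes) -> bool:
        """Memory read over PCIE is measured before the kernel is measured."""
        digest = measure(memory)
        trusted = self.memory_reference == digest
        self.log.append(("memory", digest, trusted))
        self._extend(digest)
        return trusted


class ComputingSubsystem:
    """Computing subsystem: CPU is held off until BIOS is trusted; afterwards
    the agent in each running stage intercepts the next stage's load."""

    def __init__(self, chip: TargetChip, storage: Dict[str, bytes], memory: bytes):
        self.chip = chip
        self.storage = storage      # target storage area: stage -> image bytes
        self.memory = memory        # what the chip would read over PCIE
        self.cpu_started = False
        self.loaded: List[str] = []

    def boot(self) -> List[str]:
        """Runs the chain; returns the stages that were actually loaded."""
        # Chip measures BIOS while the timing circuit still holds the CPU off.
        if not self.chip.measure_stage("BIOS", self.storage["BIOS"]):
            return self.loaded              # CPU is never released
        self.cpu_started = True
        self.loaded.append("BIOS")
        for nxt in STAGES[1:]:
            # Before the kernel is measured, the memory image is measured.
            if nxt == "OS_kernel" and not self.chip.measure_memory(self.memory):
                return self.loaded          # memory untrusted: kernel never measured
            if not self.chip.measure_stage(nxt, self.storage[nxt]):
                return self.loaded          # interception kept, load refused
            self.loaded.append(nxt)         # interception released, load proceeds
        return self.loaded


def build_reference(storage: Dict[str, bytes], memory: bytes):
    """Reference values taken from known-good images (assumed provisioning step)."""
    return {s: measure(c) for s, c in storage.items()}, measure(memory)


def run_scenarios():
    """Clean boot plus three tamper cases; returns what each case loaded."""
    # Constructed sample images standing in for real firmware and OS blobs.
    good = {s: f"{s} image v1".encode() for s in STAGES}
    good_mem = b"constructed memory snapshot"
    ref, mem_ref = build_reference(good, good_mem)

    clean = ComputingSubsystem(TargetChip(ref, mem_ref), good, good_mem).boot()

    tampered = dict(good)
    tampered["OSLoader"] = b"OSLoader image (modified)"
    bad_loader = ComputingSubsystem(TargetChip(ref, mem_ref), tampered, good_mem).boot()

    bad_mem = ComputingSubsystem(TargetChip(ref, mem_ref), good, b"patched memory").boot()

    bad_bios = ComputingSubsystem(TargetChip(ref, mem_ref), {**good, "BIOS": b"x"}, good_mem)
    bad_bios.boot()
    return clean, bad_loader, bad_mem, bad_bios.cpu_started


if __name__ == "__main__":
    names = ["clean boot", "modified OSLoader", "modified memory", "bad BIOS, CPU started"]
    for name, result in zip(names, run_scenarios()):
        print(f"{name}: {result}")
```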
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.
Claims (10)
1. A trusted measurement method, comprising:
after power is supplied to a trusted computing system, controlling a target chip to start before a central processing unit on a computer mainboard starts, wherein the trusted computing system comprises a computing subsystem and a protection subsystem which run in parallel, the computing subsystem at least comprises the computer mainboard, the protection subsystem at least comprises a trusted computing module, the trusted computing module is connected with the computer mainboard through a PCIE interface and a preset interface, and the trusted computing module at least comprises: a target storage area connected with the target chip and used for storing trusted platform control module firmware, a trusted software base and trusted password module firmware;
after the target chip is started, loading and executing the trusted platform control module firmware, the trusted software base and the trusted password module firmware, and reading the BIOS firmware on the computer mainboard by using the preset interface for measurement;
and under the condition that the measurement result of the BIOS firmware is credible, controlling a central processing unit on the computer mainboard to start, and loading and executing the BIOS firmware.
2. The method of claim 1, wherein controlling the target chip to start before the central processing unit on the computer mainboard starts comprises:
the target chip sends a control signal to a timing control circuit on the computer mainboard through the preset interface;
the timing control circuit controls the power-on sequence of the computer mainboard based on the control signal, so that the target chip starts before the central processing unit does.
3. The method of claim 1, further comprising:
in the process of executing the BIOS firmware, a measurement agent module in the BIOS firmware intercepts the loading operation of the BIOS firmware on an OSLoader code;
the target chip acquires the OSLoader code from the target storage area and measures the OSLoader code;
and under the condition that the measurement result of the OSLoader code is credible, the interception operation is removed, and the BIOS firmware loads and executes the OSLoader code.
4. The method of claim 3, further comprising:
in the process of executing the OSLoader code, a measurement agent module in the OSLoader code intercepts the loading operation of the OSLoader code on an OS kernel code;
the target chip acquires the OS kernel code from the target storage area and measures the OS kernel code;
and under the condition that the measurement result of the OS kernel code is credible, the interception operation is removed, and the OS loader code loads and executes the OS kernel code.
5. The method of claim 4, further comprising:
in the process of executing the OS kernel code, a measurement agent module in the OS kernel code intercepts the loading operation of the OS kernel code on OS system service code;
the target chip acquires the OS system service code from the target storage area and measures the OS system service code;
and under the condition that the measurement result of the OS system service code is credible, the interception operation is removed, and the OS kernel code loads and executes the OS system service code.
6. The method of claim 5, further comprising:
in the process of executing the OS system service code, a measurement agent module in the OS system service code intercepts the loading operation of the OS system service code on an application program code;
the target chip acquires the application program code from the target storage area and measures the application program code;
and under the condition that the measurement result of the application program code is credible, the interception operation is removed, and the OS system service code loads and executes the application program code.
7. The method of claim 4, wherein during execution of the OSLoader, after the measurement agent module in the OSLoader code intercepts a load operation of the OSLoader code on the OS kernel code, the method further comprises:
the target chip acquires memory data in the computer mainboard through the PCIE interface and measures the memory data;
and under the condition that the measurement result of the memory data is credible, the target chip acquires the OS kernel code from the target storage area and measures the OS kernel code.
8. The method of claim 7, wherein the obtaining, by the target chip through the PCIE interface, memory data in the computer motherboard comprises:
the target chip directly reads memory data in the computer mainboard through the PCIE interface; or,
the target chip receives memory data in the computer mainboard, which is acquired by a measurement agent module in the OSLoader code, through the PCIE interface; or,
and the target chip receives the address of the memory data acquired by the measurement agent module in the OSLoader code through the PCIE interface, and acquires the memory data through the PCIE interface based on the address of the memory data.
9. A trusted measurement apparatus, comprising:
the control unit is used for controlling a target chip to be started before a central processing unit on a computer mainboard is started after power is supplied to a trusted computing system, wherein the trusted computing system comprises a computing subsystem and a protection subsystem which run in parallel, the computing subsystem at least comprises the computer mainboard, the protection subsystem at least comprises a trusted computing module, the trusted computing module is connected with the computer mainboard through a PCIE interface and a preset interface, and the trusted computing module at least comprises: the target storage area is connected with the target chip and is used for storing trusted platform control module firmware, a trusted software base and trusted password module firmware;
the first execution unit is used for loading and executing the trusted platform control module firmware, the trusted software base and the trusted password module firmware after the target chip is started, and reading the BIOS firmware on the computer mainboard by using the preset interface for measurement;
and the second execution unit is used for controlling the central processing unit on the computer mainboard to start and load and execute the BIOS firmware under the condition that the measurement result of the BIOS firmware is credible.
10. A processor configured to run a program, wherein the program when running performs the trusted measurement method of any one of claims 1 to 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910612209.6A CN110321715A (en) | 2019-07-08 | 2019-07-08 | Credible measurement method, apparatus and processor |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110321715A true CN110321715A (en) | 2019-10-11 |
Family
ID=68123064
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910612209.6A Pending CN110321715A (en) | 2019-07-08 | 2019-07-08 | Credible measurement method, apparatus and processor |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101356536A (en) * | 2005-11-18 | 2009-01-28 | 高通股份有限公司 | Mobile security system and method |
US20150356299A1 (en) * | 2014-06-04 | 2015-12-10 | Dell Products L.P. | Bios secure data management system |
WO2019025762A1 (en) * | 2017-08-03 | 2019-02-07 | Arm Limited | Counter integrity tree for memory security |
CN109871694A (en) * | 2019-03-14 | 2019-06-11 | 沈昌祥 | A kind of staticametric method based on dual Architecture credible calculating platform |
CN109871695A (en) * | 2019-03-14 | 2019-06-11 | 沈昌祥 | A kind of credible calculating platform of calculating and the parallel dual Architecture of protection |
CN109918915A (en) * | 2019-03-14 | 2019-06-21 | 沈昌祥 | A kind of dynamic measurement method based on dual Architecture credible calculating platform |
CN109948344A (en) * | 2019-03-14 | 2019-06-28 | 沈昌祥 | A kind of system interaction method based on dual Architecture credible calculating platform |
Application events: 2019-07-08, CN application CN201910612209.6A filed (published as CN110321715A), status Pending.
Non-Patent Citations (1)
Title |
---|
赵波 等 (Zhao Bo et al.): "基于USBKey的安全增强密钥生成方案" (A security-enhanced key generation scheme based on USBKey), 《计算机工程与应用》 (Computer Engineering and Applications) * |
Cited By (30)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112784276B (en) * | 2019-11-11 | 2024-02-23 | 阿里巴巴集团控股有限公司 | Method and device for realizing trusted measurement |
CN112784276A (en) * | 2019-11-11 | 2021-05-11 | 阿里巴巴集团控股有限公司 | Method and device for realizing credibility measurement |
CN110929263A (en) * | 2019-11-21 | 2020-03-27 | 山东超越数控电子股份有限公司 | Remote management method and equipment based on active measurement |
CN111159714B (en) * | 2019-12-23 | 2022-03-11 | 北京工业大学 | A method and system for trusted verification at runtime of a subject in access control |
CN111159714A (en) * | 2019-12-23 | 2020-05-15 | 北京工业大学 | Method and system for verifying credibility of main body in operation in access control |
CN113127879A (en) * | 2019-12-31 | 2021-07-16 | 杭州海康威视数字技术股份有限公司 | Trusted firmware starting method, electronic equipment and readable storage medium |
CN113127879B (en) * | 2019-12-31 | 2023-09-05 | 杭州海康威视数字技术股份有限公司 | Firmware trusted starting method, electronic equipment and readable storage medium |
CN111737701A (en) * | 2020-06-19 | 2020-10-02 | 全球能源互联网研究院有限公司 | A server trusted root system and its trusted startup method |
US12182580B2 (en) | 2020-08-21 | 2024-12-31 | Huawei Technologies Co., Ltd. | Peripheral component interconnect express device startup method and apparatus, and storage medium |
WO2022037346A1 (en) * | 2020-08-21 | 2022-02-24 | 华为技术有限公司 | Peripheral component interconnect express device startup method and apparatus, and storage medium |
CN113420297A (en) * | 2020-09-16 | 2021-09-21 | 阿里巴巴集团控股有限公司 | Credibility verification system, credibility verification method, mainboard, miniature board card and storage medium |
US12393692B2 (en) * | 2020-09-16 | 2025-08-19 | Alibaba Group Holding Limited | Trusted authentication system, method, mainboard, micro board, and storage medium |
CN113420297B (en) * | 2020-09-16 | 2025-07-25 | 阿里巴巴集团控股有限公司 | System, method, main board, micro board card and storage medium for trusted verification |
CN114385248A (en) * | 2020-10-22 | 2022-04-22 | 四零四科技股份有限公司 | Computing system and device for processing trust chain |
CN114385248B (en) * | 2020-10-22 | 2024-04-23 | 四零四科技股份有限公司 | Computing system and device for processing trust chain |
CN112306754B (en) * | 2020-11-05 | 2024-05-24 | 中国电子信息产业集团有限公司 | Trusted UEFI firmware recovery method, device, medium and equipment |
CN112306754A (en) * | 2020-11-05 | 2021-02-02 | 中国电子信息产业集团有限公司 | Trusted UEFI (unified extensible firmware interface) -based firmware recovery method, device, medium and equipment |
CN112347468A (en) * | 2020-11-05 | 2021-02-09 | 中国电子信息产业集团有限公司 | Memory data update method, device, device and storage medium |
WO2022237551A1 (en) * | 2021-05-12 | 2022-11-17 | 华为技术有限公司 | Secure boot device and method |
CN113486353A (en) * | 2021-06-24 | 2021-10-08 | 邦彦技术股份有限公司 | Credibility measuring method, system, equipment and storage medium |
CN114153782B (en) * | 2022-01-24 | 2022-05-06 | 阿里云计算有限公司 | Data processing system, method and storage medium |
CN114153782A (en) * | 2022-01-24 | 2022-03-08 | 阿里云计算有限公司 | Data processing system, method and storage medium |
CN114666103A (en) * | 2022-03-04 | 2022-06-24 | 阿里巴巴(中国)有限公司 | Credible measuring device, equipment and system and credible identity authentication method |
CN114666103B (en) * | 2022-03-04 | 2023-08-15 | 阿里巴巴(中国)有限公司 | Trusted measurement device, equipment, system and trusted identity authentication method |
CN115017496A (en) * | 2022-06-27 | 2022-09-06 | 成都卫士通信息产业股份有限公司 | Trusted boot method, secure processor and medium |
CN115237843B (en) * | 2022-09-23 | 2023-02-14 | 粤港澳大湾区数字经济研究院(福田) | Trusted computing system and method |
CN115237843A (en) * | 2022-09-23 | 2022-10-25 | 粤港澳大湾区数字经济研究院(福田) | Trusted computing system and method |
CN116088659B (en) * | 2023-02-13 | 2023-11-07 | 江苏云涌电子科技股份有限公司 | Reset judging system and method for domestic processor |
CN116088659A (en) * | 2023-02-13 | 2023-05-09 | 江苏云涌电子科技股份有限公司 | Reset judging system and method for domestic processor |
WO2025103021A1 (en) * | 2023-11-17 | 2025-05-22 | 华为技术有限公司 | Computing device, method for calling security service, method for starting ftpm, and related device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20191011 |