
CN112487500A - Authentication method - Google Patents


Info

Publication number
CN112487500A
Authority
CN
China
Prior art keywords
host
management controller
host unit
bmc
unit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910865451.4A
Other languages
Chinese (zh)
Other versions
CN112487500B (en)
Inventor
陈欣
李金龙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shencloud Technology Co Ltd
Huanda Computer Shanghai Co Ltd
Original Assignee
Shencloud Technology Co Ltd
Huanda Computer Shanghai Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shencloud Technology Co Ltd, Huanda Computer Shanghai Co Ltd
Priority to CN201910865451.4A
Publication of CN112487500A
Application granted
Publication of CN112487500B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

An authentication method implemented by a host unit included in a computer system, the computer system further including a baseboard management controller, the host unit storing a reference baseboard-side public key related to a specific baseboard management controller, the authentication method comprising the steps of: (A) the host unit transmits a baseboard-side signature request to the baseboard management controller; (B) after the host unit obtains baseboard-side signature data from the baseboard management controller, the host unit authenticates whether the baseboard management controller is the specific baseboard management controller according to the reference baseboard-side public key and the baseboard-side signature data; and (C) when the host unit authenticates that the baseboard management controller is the specific baseboard management controller, the host unit allows the baseboard management controller to access the host unit.

Description

Authentication method
[ technical field ]
The present invention relates to an authentication method, and more particularly, to an authentication method for a baseboard management control system.
[ background of the invention ]
A conventional computer system generally includes a Baseboard Management Controller (BMC) to monitor the operating condition of the computer system. The BMC may monitor whether a value sensed by a sensor disposed on the computer system is abnormal, record the abnormal state, and reset the computer system or cycle its power supply to restart it. In some computer systems, system firmware such as the BIOS or U-Boot may also be updated via the BMC. Concern about BMC security is increasing: if a hacker attacks the computer system through the BMC to tamper with the firmware running in the computer system, the computer system is exposed to great risk and threat. On the other hand, the Unified Extensible Firmware Interface (UEFI) provides a Secure Boot mechanism: when the motherboard in a computer system is booted, a set of credentials pre-loaded in the motherboard by the motherboard hardware manufacturer is used to identify whether the operating system being booted is trusted, and if it is not, the motherboard cannot be booted. If the computer system is attacked by hackers, however, not only is the security of the computer system compromised, but the BMC is compromised as well, so how to enhance the security of the computer system is an urgent issue to be solved.
[ summary of the invention ]
The technical problem to be solved by the present invention is to provide an authentication method for improving the security of a computer system.
To solve the above technical problem, the present invention provides an authentication method for authenticating a baseboard management controller included in a computer system. The authentication method is implemented by a host unit that is included in the computer system and electrically connected to the baseboard management controller, the host unit storing a reference baseboard-side public key related to a specific baseboard management controller. The authentication method comprises the steps of:
(A) the host unit transmits a baseboard-side signature request related to the baseboard management controller;
(B) after the host unit obtains baseboard-side signature data from the baseboard management controller in response to the baseboard-side signature request, the host unit authenticates whether the baseboard management controller is the specific baseboard management controller according to the reference baseboard-side public key and the baseboard-side signature data; and
(C) when the host unit authenticates that the baseboard management controller is the specific baseboard management controller, the host unit allows the baseboard management controller to access the host unit.
Another objective of the present invention is to provide an authentication method for improving the security of a computer system.
To solve the above technical problem, the present invention provides an authentication method for authenticating a host unit included in a computer system, and implemented by a baseboard management controller electrically connected to the host unit included in the computer system, wherein the baseboard management controller stores a reference host public key associated with a specific host, the authentication method comprising the steps of:
(A) the baseboard management controller transmits a host terminal signature request related to the host unit;
(B) after the baseboard management controller obtains host side signature data from the host unit responding to the host side signature request, the baseboard management controller authenticates whether the host unit is the specific host side according to the reference host side public key and the host side signature data; and
(C) when the baseboard management controller authenticates that the host unit is the specific host side, the baseboard management controller allows the host unit to access the baseboard management controller.
Compared with the prior art, in the authentication method of the invention the host unit authenticates whether the baseboard management controller is the specific baseboard management controller according to the reference baseboard-side public key and the baseboard-side signature data, and the host unit allows the baseboard management controller to access the host unit only after the host unit has successfully authenticated the baseboard management controller. This improves the communication security between the baseboard management controller and the host unit and thereby the security of the computer system.
[ description of the drawings ]
Other features and effects of the present invention will become apparent from the following detailed description of the embodiments with reference to the accompanying drawings, in which:
FIG. 1 is a block diagram illustrating a computer system implementing an embodiment of the authentication method of the present invention;
FIG. 2 is a flowchart illustrating a baseboard management controller authentication procedure according to an embodiment of the authentication method of the present invention;
FIG. 3 is a flowchart illustrating the detailed process of how a host unit authenticates a BMC;
FIG. 4 is a flowchart illustrating a host unit authentication process according to an embodiment of the authentication method of the present invention; and
FIG. 5 is a flowchart illustrating the detailed process of how the BMC authenticates the host unit.
[ detailed description ]
Referring to FIG. 1, the authentication method of the present invention is implemented by a computer system 1, wherein the computer system 1 includes a host unit 2 and a baseboard management controller (BMC) 3 electrically connected to the host unit 2.
The host unit 2 includes a processing module 21, a storage module 22 electrically connected to the processing module 21, and a switch 23 controlled by the processing module 21 and used for controlling the write permission between the storage module 22 and the BMC 3. The storage module 22 stores a reference baseboard-side public key 222 associated with a specific baseboard management controller, a BIOS 223 run by the processing module 21, and a host-side digital signature 224 associated with a partial program fragment of the BIOS run by the host unit 2. The host-side digital signature 224 is obtained by performing a hash operation, such as the MD5 message digest algorithm, on the partial program fragment to obtain a check code, and encrypting the check code with a host-side private key (not shown). The processing module 21 may be, for example, a Central Processing Unit (CPU), and the storage module 22 may be, for example, a BIOS chip. In the present embodiment, the host-side digital signature 224 is obtained by encrypting the hash of the partial program fragment; however, in other embodiments, the corresponding check code can be obtained by performing the hash operation on the partial program fragment and at least one of a BIOS header, a signature of the BIOS vendor, a BIOS version, a BIOS size, and a memory address associated with the partial program fragment, and then encrypting the obtained check code with the host-side private key to obtain the host-side digital signature 224; the invention is not limited to this.
The BMC 3 includes a processing unit 31, a storage unit 32 electrically connected to the processing unit 31, and a switch 33 controlled by the processing unit 31 for controlling the write permission between the storage unit 32 and the host unit 2. The storage unit 32 stores a reference host-side public key 321 associated with a specific host, a firmware 322 executed by the processing unit 31, and a baseboard-side digital signature 323 associated with a partial firmware fragment of the firmware 322 executed by the BMC 3. The baseboard-side digital signature 323 is obtained by performing the hash operation, such as the MD5 message digest algorithm, on the partial firmware fragment to obtain another check code, and encrypting that check code with a baseboard-side private key (not shown). In this embodiment, the baseboard-side digital signature 323 is obtained by encrypting the hash of the partial firmware fragment; however, in other embodiments, the corresponding check code can also be obtained by performing the hash operation on the partial firmware fragment and at least one of the firmware header, the signature of the firmware supplier, the firmware version, the firmware size, and the memory address associated with the partial firmware fragment, and then encrypting the obtained check code with the baseboard-side private key to obtain the baseboard-side digital signature 323; the invention is not limited thereto.
Referring to fig. 1, fig. 2 and fig. 4, the authentication method of the present invention is implemented by the host unit 2 and the bmc 3 executing the corresponding bios 223 and firmware 322, and includes the following steps.
In step 201, the processing module 21 of the host unit 2 transmits a substrate side signature request associated with the bmc 3 to the bmc 3.
In step 202, after the processing unit 31 of the BMC 3 receives the baseboard-side signature request, the processing unit 31 responds to the request by generating, from the baseboard-side digital signature 323 and the firmware 322 stored in the storage unit 32, the baseboard-side signature data, which includes the baseboard-side digital signature 323 and baseboard-side plaintext data associated with the partial firmware fragment, and transmits the baseboard-side signature data to the host unit 2. It should be noted that, in this embodiment, since the check code corresponding to the baseboard-side digital signature 323 is obtained from the partial firmware fragment alone, the baseboard-side plaintext data includes only the partial firmware fragment; however, in the case where the check code corresponding to the baseboard-side digital signature 323 is obtained from the partial firmware fragment and at least one of the signature, the firmware version, the firmware size, and the memory address related to the partial firmware fragment, the baseboard-side plaintext data includes, in addition to the partial firmware fragment, that at least one of the signature, the firmware version, the firmware size, and the memory address. In addition, in the present embodiment, the processing unit 31 of the BMC 3 transmits the baseboard-side signature data to the host unit 2 through an Intelligent Platform Management Interface (IPMI).
In step 203, the processing module 21 of the host unit 2 determines whether there is any substrate-side signature data received in response to the substrate-side signature request within a first predetermined time interval. When the processing module 21 of the host unit 2 determines that the substrate end signature data is not received within the first predetermined time interval, the processing module 21 of the host unit 2 returns to step 201; when the processing module 21 of the host unit 2 determines that the substrate-side signature data is received within the first predetermined time interval, the processing module 21 of the host unit 2 proceeds to step 204.
In step 204, after the processing module 21 of the host unit 2 obtains the substrate side signature data in response to the substrate side signature request, the processing module 21 of the host unit 2 authenticates whether the substrate management controller 3 is the specific substrate management controller according to the reference substrate side public key 222 and the substrate side signature data. When the processing module 21 of the host unit 2 verifies that the bmc 3 is not the specific bmc, the process proceeds to step 205; when the processing module 21 of the host unit 2 authenticates that the bmc 3 is the specific bmc 3, the process proceeds to step 206.
In step 205, the processing module 21 of the host unit 2 controls the switch 23 of the host unit 2 to be turned off to prevent the bmc 3 from writing into the storage module 22 of the host unit 2.
In step 206, the processing module 21 of the host unit 2 controls the switch 23 of the host unit 2 to be turned on, so as to allow the bmc 3 to write into the storage module 22 of the host unit 2, and transmit an authentication success notification to the bmc 3. In other embodiments, the host unit 2 not only allows the bmc 3 to write to the storage module 22 of the host unit 2, but also allows the bmc 3 to control the host unit 2, and the host unit 2 can also perform an operation related to an operation request in response to the operation request of the bmc 3, that is, perform an operation including, for example, providing information of the computer system 1 to the bmc 3 or restarting the host unit 2 or the like in response to the operation request of the bmc 3.
Referring to fig. 1 and 3, it should be noted that step 204 includes the following sub-steps.
In sub-step 241, the processing module 21 of the host unit 2 performs the hash operation on the baseboard-side plaintext data to obtain check code data, and decrypts the baseboard-side digital signature 323 with the reference baseboard-side public key 222 to obtain a check code to be compared.
In sub-step 242, the processing module 21 of the host unit 2 determines whether the check code data matches the check code to be compared, so as to authenticate whether the BMC 3 is the specific baseboard management controller. When the processing module 21 of the host unit 2 determines that the check code data does not match the check code to be compared, the BMC 3 is authenticated as not being the specific baseboard management controller; when the processing module 21 of the host unit 2 determines that the check code data matches the check code to be compared, the BMC 3 is authenticated as the specific baseboard management controller.
With continued reference to fig. 1, 2 and 4, in step 207, the processing unit 31 of the bmc 3 determines whether the authentication success notification from the host unit 2 is received within a second predetermined time interval. When the processing unit 31 of the bmc 3 determines that the authentication success notification is not received within the second predetermined time interval, the processing unit 31 of the bmc 3 performs step 208; when the processing unit 31 of the bmc 3 determines that the authentication success notification is received within the second predetermined time interval, the processing unit 31 of the bmc 3 proceeds to step 209.
In step 208, the processing unit 31 of the bmc 3 waits for receiving the substrate-side signing request again, and returns to step 202 after receiving the substrate-side signing request.
In step 209, the processing unit 31 of the bmc 3 transmits a host-side signature request associated with the host unit 2 to the host unit 2.
In step 210, the processing module 21 of the host unit 2 determines whether the host-side signature request from the bmc 3 is received within a third predetermined time interval. When the processing module 21 of the host unit 2 determines that the host-side signature request is not received within the third predetermined time interval, the processing module 21 of the host unit 2 returns to step 201; when the processing module 21 of the host unit 2 determines that the host-side signature request is received within the third predetermined time interval, the processing module 21 of the host unit 2 proceeds to step 211.
In step 211, after the processing module 21 of the host unit 2 receives the host-side signature request, the processing module 21 responds to the request by generating, from the host-side digital signature 224 and the BIOS 223 stored in the storage module 22, the host-side signature data, which includes the host-side digital signature 224 and host-side plaintext data related to the partial program fragment, and transmits the host-side signature data to the BMC 3. It should be noted that, in this embodiment, since the check code corresponding to the host-side digital signature 224 is obtained from the partial program fragment alone, the host-side plaintext data includes only the partial program fragment; however, in the case where the check code corresponding to the host-side digital signature 224 is obtained from the partial program fragment and at least one of the signature of the BIOS vendor, the BIOS version, the BIOS size, and the memory address related to the partial program fragment, the host-side plaintext data includes, in addition to the partial program fragment, that at least one of the signature of the BIOS vendor, the BIOS version, the BIOS size, and the memory address. In addition, in the present embodiment, the processing module 21 of the host unit 2 transmits the host-side signature data to the BMC 3 through an Intelligent Platform Management Interface (IPMI).
In step 212, the processing unit 31 of the bmc 3 determines whether the host signature data is received from the host unit 2 within a fourth predetermined time interval. When the processing unit 31 of the bmc 3 determines that the host signature data is not received within the fourth predetermined time interval, the processing unit 31 of the bmc 3 returns to step 209; when the processing unit 31 of the bmc 3 determines that the host signature data is received within the fourth predetermined time interval, the processing unit 31 of the bmc 3 proceeds to step 213.
In step 213, after the processing unit 31 of the bmc 3 obtains the host signature data in response to the host signature request, the processing unit 31 of the bmc 3 authenticates whether the host unit 2 is the specific host according to the reference host public key 321 and the host signature data. When the processing unit 31 of the bmc 3 authenticates that the host unit 2 is not the specific host, the flow proceeds to step 214; when the processing unit 31 of the bmc 3 authenticates the host unit 2 as the specific host, the process proceeds to step 215.
In step 214, the processing unit 31 of the bmc 3 controls the switch 23 of the bmc 3 to be turned off to prevent the host unit 2 from writing into the storage unit 32 of the bmc 3.
In step 215, the processing unit 31 of the bmc 3 controls the switch 23 of the bmc 3 to be turned on, so as to allow the host unit 2 to write into the storage unit 32 of the bmc 3, and transmits another authentication success notification to the host unit 2. In other embodiments, the bmc 3 not only allows the host unit 2 to write to the storage unit 32 of the bmc 3, but also allows the host unit 2 to receive a data request to report data related to the host unit 2, and allows the host unit 2 to update the firmware 322 stored in the storage unit 32 of the bmc 3, and the bmc 3 can also perform an operation related to the operation request in response to an operation request of the host unit 2, that is, perform an operation including, for example, retrieving a file from an external storage module or restarting the bmc 3 in response to the operation request of the host unit 2.
Referring to fig. 1 and 5, it should be noted that step 213 includes the following sub-steps.
In sub-step 231, the processing unit 31 of the bmc 3 performs the hash operation according to the host plaintext data to obtain another checksum data, and decrypts the host digital signature 224 through the reference host public key 321 to obtain another checksum to be compared.
In sub-step 232, the processing unit 31 of the bmc 3 determines whether the another checking code data matches the another checking code to be compared, so as to authenticate whether the bmc 3 is the specific bmc 3. When the processing unit 31 of the bmc 3 determines that the other check code data does not conform to the other to-be-compared check code, the host unit 2 is authenticated as not being the specific host; when the processing unit 31 of the bmc 3 determines that the another check code data matches the another comparison check code, the host unit 2 is authenticated as the specific host.
With continued reference to fig. 1, 2 and 4, in step 216, the processing module 21 of the host unit 2 determines whether another authentication success notification is received from the bmc 3 within a fifth predetermined time interval. When the processing module 21 of the host unit 2 determines that the other authentication success notification is not received within the fifth predetermined time interval, the processing module 21 of the host unit 2 performs step 217; when the processing module 21 of the host unit 2 determines that the other authentication success notification is received within the fifth predetermined time interval, the bmc 3 and the host unit 2 perform bidirectional authentication successfully.
It should be noted that, in this embodiment, when the BMC 3 and the host unit 2 have successfully authenticated each other, it means that the reference baseboard-side public key 222 and the baseboard-side private key form one key pair, and that the reference host-side public key 321 and the host-side private key likewise form one key pair. The reference baseboard-side public key 222, the baseboard-side private key, the reference host-side public key 321, the host-side private key, the baseboard-side digital signature 323, and the host-side digital signature 224 are all provided by a trusted third-party certificate authority using a Hardware Security Module (HSM), and the baseboard-side private key and the host-side private key are stored by the third-party certificate authority and are not disclosed to the outside.
In step 217, the processing module 21 of the host unit 2 waits for receiving the host-side signature request again, and returns to step 211 after receiving the host-side signature request.
It should be noted that the embodiment of the authentication method of the present invention is executed again each time the computer system 1 is booted for the first time and the host unit 2 is restarted.
In summary, the authentication method of the present invention performs mutual bidirectional authentication by the host unit 2 and the bmc 3, and allows the bmc 3 to access the host unit 2 only after the bmc 3 is successfully authenticated by the host unit 2, and similarly allows the host unit 2 to access the bmc 3 only after the host unit 2 is successfully authenticated by the bmc 3, thereby improving the security of communication between the bmc 3 and the host unit 2, and further improving the security of the computer system 1, so as to achieve the object of the present invention.
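The check in sub-steps 241-242 and 231-232, and the order of the two authentication passes, as an added Python example that is not code from the patent. The key pairs are constructed toy values, textbook RSA stands in for the signature scheme the description leaves open, SHA-256 replaces the MD5 the description names, and every function and class name is hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed toy key material: the primes used below are publicly known
# Mersenne primes, so these keys protect nothing. Textbook RSA without padding
# only mirrors the patent's "encrypt the check code with the private key"
# wording; real firmware signing should use a vetted library (RSA-PSS, ECDSA).
E = 65537


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class SignatureData:
    """Reply to a signature request: stored digital signature plus plaintext."""
    signature: int
    plaintext: bytes


def make_keypair(p: int, q: int):
    """Return (public key, private exponent) for primes p and q."""
    return PublicKey(p * q, E), pow(E, -1, (p - 1) * (q - 1))


def check_code(plaintext: bytes) -> bytes:
    # The description names MD5 as one possible hash; MD5 is collision-broken,
    # so this example uses SHA-256 instead.
    return hashlib.sha256(plaintext).digest()


def provision_signature(plaintext: bytes, pub: PublicKey, d: int) -> int:
    """Done once by the key holder (the certificate authority in the patent).

    The device stores only the result, so the same signature data is returned
    for every signature request.
    """
    return pow(int.from_bytes(check_code(plaintext), "big"), d, pub.n)


def verify_signature_data(data: SignatureData, ref_pub: PublicKey) -> bool:
    """Sub-steps 241-242 (host) and 231-232 (BMC): hash, decrypt, compare."""
    if not 0 < data.signature < ref_pub.n:
        return False
    computed = check_code(data.plaintext)
    recovered = pow(data.signature, ref_pub.e, ref_pub.n)
    if recovered.bit_length() > 8 * len(computed):
        return False  # signed with a different key, or corrupted in transit
    to_compare = recovered.to_bytes(len(computed), "big")
    return hmac.compare_digest(computed, to_compare)


class Endpoint:
    """Host unit or BMC: its own signature data and the peer's reference key."""

    def __init__(self, own_data: SignatureData, peer_ref_pub: PublicKey):
        self.own_data = own_data
        self.peer_ref_pub = peer_ref_pub
        self.peer_write_enabled = False  # the write switch, off by default

    def answer_signature_request(self) -> SignatureData:
        return self.own_data

    def authenticate_peer(self, data: SignatureData) -> bool:
        # Steps 204-206 (host) and 213-215 (BMC): the switch follows the result.
        self.peer_write_enabled = verify_signature_data(data, self.peer_ref_pub)
        return self.peer_write_enabled


def mutual_authenticate(host: Endpoint, bmc: Endpoint) -> bool:
    """The host authenticates the BMC first; only then does the BMC check the host."""
    if not host.authenticate_peer(bmc.answer_signature_request()):
        return False
    return bmc.authenticate_peer(host.answer_signature_request())


def build_demo(bmc_fragment: bytes, bios_fragment: bytes, tamper_bmc: bool = False):
    """Constructed sample: provision both sides; optionally alter the BMC
    firmware fragment after it was signed."""
    bmc_pub, bmc_d = make_keypair(2**521 - 1, 2**607 - 1)
    host_pub, host_d = make_keypair(2**127 - 1, 2**521 - 1)
    bmc_sig = provision_signature(bmc_fragment, bmc_pub, bmc_d)
    host_sig = provision_signature(bios_fragment, host_pub, host_d)
    if tamper_bmc:
        bmc_fragment = bmc_fragment + b"!"
    host = Endpoint(SignatureData(host_sig, bios_fragment), bmc_pub)
    bmc = Endpoint(SignatureData(bmc_sig, bmc_fragment), host_pub)
    return host, bmc
```

With a modified firmware fragment the host's switch stays off and the BMC never reaches the point of requesting the host-side signature, which matches the flow of steps 205 and 207-208.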
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (13)

1. An authentication method, suitable for authenticating a baseboard management controller included in a computer system, and implemented by a host unit electrically connected to the baseboard management controller included in the computer system, the host unit storing a reference baseboard side public key related to a specific baseboard management controller, the authentication method comprising the steps of:
(A) the host unit transmits a substrate end signature request related to the substrate management controller;
(B) after the host unit obtains the substrate end signature data responding to the substrate end signature request, the host unit authenticates whether the substrate management controller is the specific substrate management controller according to the reference substrate end public key and the substrate end signature data; and
(C) when the host unit authenticates that the baseboard management controller is the specific baseboard management controller, the host unit transmits an authentication success notice to the baseboard management controller and allows the baseboard management controller to access the host unit.
2. The authentication method of claim 1, wherein step (B) comprises the sub-steps of:
(B-1) the substrate end signature data comprises a substrate end digital signature related to a part of firmware segments of the firmware operated by the substrate management controller and substrate end plaintext data related to the part of firmware segments, the substrate end digital signature is obtained by performing a hash operation on the part of firmware segments to obtain an inspection code, the inspection code is obtained by encrypting a substrate end private key, the host unit performs the hash operation according to the substrate end plaintext data to obtain inspection code data, and the substrate end digital signature is decrypted by the reference substrate end public key to obtain an inspection code to be compared;
(B-2) the host unit authenticates whether the BMC is the specific BMC by determining whether the check code data corresponds to the checking code to be compared.
3. The method as claimed in claim 1, wherein the host unit includes a processing module, a storage module electrically connected to the processing module, and a switch controlled by the processing module for controlling the write permission between the storage module and the bmc, and the storage module further stores a bios program, wherein in the step (C), when the host unit authenticates that the bmc is the specific bmc, the processing module of the host unit controls the switch to be turned on, so as to allow the bmc to write to the storage module.
4. The method of claim 1, wherein the bmc stores a reference host public key associated with a specific host, and further comprising the following steps after step (C):
(D) after the host unit receives a host signature request which is from the substrate management controller and is related to the host unit, the host unit responds to the host signature request to transmit host signature data to the substrate management controller, so that the substrate management controller authenticates whether the host unit is the specific host according to the reference host public key and the host signature data;
(E) after the host unit receives a successful authentication notification from the baseboard management controller, the host unit can access the baseboard management controller.
5. The method as claimed in claim 4, wherein in step (D), the host-side signature data includes a host-side digital signature associated with a portion of the program fragment of the BIOS run by the host unit and host-side plaintext data associated with the portion of the program fragment, the host-side digital signature is obtained by performing a hash operation on the portion of the program fragment to obtain a check code, and the check code is encrypted by a host-side private key.
6. The authentication method as claimed in claim 4, wherein the bmc comprises a storage unit storing a firmware executed by the bmc, and a switch controlled by the bmc for controlling write permission between the storage unit and the host unit, wherein in the step (E), after the host unit receives the authentication success notification from the bmc, the host unit can write to the storage unit through the other switch which is turned on.
7. The authentication method of claim 4, further comprising, after step (C), the steps of:
(F) the host unit determines whether the host-side signature request is received within a preset time; and
(G) when the host unit determines that the host-side signature request is not received within the preset time, the host unit returns to step (A);
when the host unit determines that the host-side signature request is received within the preset time, step (D) is carried out.
8. An authentication method, suitable for authenticating a host unit contained in a computer system and implemented by a baseboard management controller contained in the computer system and electrically connected to the host unit, wherein the host unit stores a reference baseboard-side public key related to a specific baseboard management controller, and the baseboard management controller stores a reference host-side public key related to a specific host, the authentication method comprising the following steps:
(A) after the baseboard management controller receives, from the host unit, a baseboard-side signature request related to the baseboard management controller, the baseboard management controller responds to the baseboard-side signature request by transmitting baseboard-side signature data to the host unit, so that the host unit authenticates whether the baseboard management controller is the specific baseboard management controller according to the reference baseboard-side public key and the baseboard-side signature data;
(B) after the baseboard management controller receives an authentication success notification from the host unit, the baseboard management controller is allowed to access the host unit and transmits a host-side signature request related to the host unit;
(C) after the baseboard management controller obtains the host-side signature data sent in response to the host-side signature request, the baseboard management controller authenticates whether the host unit is the specific host according to the reference host-side public key and the host-side signature data; and
(D) when the baseboard management controller authenticates that the host unit is the specific host, the baseboard management controller allows the host unit to access the baseboard management controller.
9. The authentication method of claim 8, wherein step (C) comprises the sub-steps of:
(C-1) the host-side signature data contains a host-side digital signature related to a part of the program segments of the BIOS run by the host unit and host-side plaintext data related to the part of the program segments, the host-side digital signature being obtained by performing a hash operation on the part of the program segments to obtain a check code and encrypting the check code with a host-side private key; the baseboard management controller performs the hash operation on the host-side plaintext data to obtain check code data, and decrypts the host-side digital signature with the reference host-side public key to obtain a check code to be compared; and
(C-2) the baseboard management controller authenticates whether the host unit is the specific host by determining whether the check code data is consistent with the check code to be compared.
10. The authentication method as claimed in claim 8, wherein the baseboard management controller comprises a storage unit storing firmware to be executed by the baseboard management controller, and a switch controlled by the baseboard management controller for controlling write permission between the storage unit and the host unit, wherein in step (D), when the baseboard management controller authenticates that the host unit is the specific host, the baseboard management controller controls the switch to be turned on to allow the host unit to write to the storage unit.
11. The method as claimed in claim 8, wherein the host unit comprises a processing module, a storage module electrically connected to the processing module, and a switch controlled by the processing module for controlling the write permission between the storage module and the baseboard management controller, wherein in step (B), after the baseboard management controller receives the authentication success notification from the host unit, the baseboard management controller can write to the storage module through the switch that is turned on.
12. The method of claim 8, wherein in step (A), the baseboard-side signature data comprises a baseboard-side digital signature associated with a portion of the firmware fragments run by the baseboard management controller and baseboard-side plaintext data associated with the portion of the firmware fragments, and the baseboard-side digital signature is obtained by performing a hash operation on the portion of the firmware fragments to obtain a check code and encrypting the check code with a baseboard-side private key.
13. The authentication method of claim 8, further comprising, after step (B), the steps of:
(E) the baseboard management controller determines whether the host-side signature data is received within another preset time; and
(F) when the baseboard management controller determines that the host-side signature data is not received within the other preset time, the baseboard management controller returns to step (B);
when the baseboard management controller determines that the host-side signature data is received within the other preset time, step (C) is performed.
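
The following sketch is an added illustration, not part of the patent text: it walks steps (A) to (D) of claim 8 with the hash-then-encrypt check of sub-steps (C-1) and (C-2), and models each write-permission switch as a boolean. SHA-256 as the hash operation, unpadded RSA over toy keys built from Mersenne primes, and all names (make_key, Unit, run and so on) are assumptions chosen so the block runs with only the standard library; the claims name no algorithm, and production firmware would use a padded signature scheme and real keys.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys (assumption)

def make_key(p_exp, q_exp):
    """Constructed toy RSA key from two Mersenne primes: insecure, demo only."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))      # (modulus n, private exponent d)

def check_code(fragment):
    """Hash operation over a firmware or BIOS fragment (SHA-256 is an assumption)."""
    return int.from_bytes(hashlib.sha256(fragment).digest(), "big")

def sign(fragment, key):
    """Signature data: plaintext plus the check code encrypted with the private key."""
    n, d = key
    return {"plaintext": fragment, "signature": pow(check_code(fragment), d, n)}

def verify(sig_data, ref_n):
    """(C-1)/(C-2): recompute the check code, recover the signed one, compare."""
    return check_code(sig_data["plaintext"]) == pow(sig_data["signature"], E, ref_n)

class Unit:
    def __init__(self, fragment, key, peer_ref_n):
        self.fragment, self.key = fragment, key
        self.peer_ref_n = peer_ref_n      # stored reference public key of the expected peer
        self.write_switch_on = False      # gates the peer's writes to this unit's storage

    def signature_data(self):
        return sign(self.fragment, self.key)

def mutual_authenticate(host, bmc):
    """Steps (A)-(D) of claim 8; returns how far the exchange got."""
    if not verify(bmc.signature_data(), host.peer_ref_n):     # (A) host checks the BMC
        return "bmc-rejected"
    host.write_switch_on = True                               # (B) BMC may write to host storage
    if not verify(host.signature_data(), bmc.peer_ref_n):     # (C) BMC checks the host
        return "host-rejected"
    bmc.write_switch_on = True                                # (D) host may write to BMC storage
    return "mutual-ok"

def run(bmc_exps=(521, 607), host_exps=(127, 1279)):
    """Provision reference keys for the genuine pair, then run with the given signing keys."""
    ref_bmc_n, ref_host_n = make_key(521, 607)[0], make_key(127, 1279)[0]
    bmc = Unit(b"constructed BMC firmware fragment", make_key(*bmc_exps), ref_host_n)
    host = Unit(b"constructed BIOS fragment", make_key(*host_exps), ref_bmc_n)
    return mutual_authenticate(host, bmc), host.write_switch_on, bmc.write_switch_on

if __name__ == "__main__":
    print(run())                      # genuine pair
    print(run(bmc_exps=(89, 521)))    # BMC signing with a key the host was not provisioned with
```

Because step (B) grants the baseboard management controller access before step (C) runs, a host that fails its own check leaves the host-side switch on while the controller-side switch stays off, which is the third state the run function can return.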
CN201910865451.4A 2019-09-12 2019-09-12 Authentication method Active CN112487500B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910865451.4A CN112487500B (en) 2019-09-12 2019-09-12 Authentication method

Publications (2)

Publication Number Publication Date
CN112487500A true CN112487500A (en) 2021-03-12
CN112487500B CN112487500B (en) 2024-10-11

Family

ID=74920808

Country Status (1)

Country Link
CN (1) CN112487500B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100257597A1 (en) * 2009-04-03 2010-10-07 Jun Miyazaki Authentication device, server system, and method of authenticating server between a plurality of cells and authentication program thereof
US20130304903A1 (en) * 2012-05-09 2013-11-14 Rackspace Us, Inc. Market-Based Virtual Machine Allocation
CN103885869A (en) * 2012-12-20 2014-06-25 鸿富锦精密工业(深圳)有限公司 Substrate management controller safety protection system and method
CN104320251A (en) * 2014-09-26 2015-01-28 大连声鹭科技有限公司 Seal informatization device for offline use and online authentication, electronic seal management system and authentication method
CN104346556A (en) * 2014-09-26 2015-02-11 中国航天科工集团第二研究院七〇六所 Hard disk security protection system based on wireless security certification
CN104408364A (en) * 2014-12-01 2015-03-11 浪潮集团有限公司 Server management program protection method and system

Also Published As

Publication number Publication date
CN112487500B (en) 2024-10-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant