CN104966022A - Chain-of-trust construction method and device based on chip - Google Patents

Info

Publication number: CN104966022A
Authority: CN (China)
Prior art keywords: module, code, bios, hash value, block
Legal status: Pending
Application number: CN201510321340.9A
Other languages: Chinese (zh)
Inventor: 苏振宇
Current Assignee: Inspur Electronic Information Industry Co Ltd
Original Assignee: Inspur Electronic Information Industry Co Ltd
Application filed by Inspur Electronic Information Industry Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/572 Secure firmware programming, e.g. of basic input output system [BIOS]
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The invention provides a chip-based chain-of-trust construction method and device. The method comprises the following steps: an SM3 algorithm is established in the chip, and the reference value of each module of the chain of trust is stored in a corresponding configuration register PCR; the code in the current pre-loading module of the chain of trust is measured with the SM3 algorithm, step by step, to obtain the hash value corresponding to the current pre-loading module; it is determined whether the hash value corresponding to the current pre-loading module is consistent with the reference value corresponding to that module; if so, the code and data in the current pre-loading module are loaded; otherwise, the current pre-loading module is not loaded and its measurement of the next pre-loading module is terminated. The security of the chain-of-trust construction process is thereby improved.

Description

A chip-based chain-of-trust construction method and device
Technical field
The present invention relates to the field of computer security, and in particular to a chip-based chain-of-trust construction method and device.
Background
The Basic Input/Output System (BIOS) stores the computer's basic input/output routines, system setup information, the power-on self-test program and the system bootstrap program, and provides the computer with the lowest-level, most direct hardware configuration and control, which makes the BIOS a frequent target of virus and Trojan attacks. At present, the integrity of the BIOS is mainly checked with the chain-of-trust technique of trusted computing, that is, by detecting whether the BIOS has been tampered with.
In existing chain-of-trust technology, the SHA-1 algorithm provided by the Trusted Platform Module (TPM) is usually used to check the integrity of the BIOS and to build the chain of trust that starts the server. In the prior art, the 128-bit SHA-1 algorithm result has been cracked, which lowers the security of the chain of trust.
Summary of the invention
The invention provides a chip-based chain-of-trust construction method and device to improve the security of the chain of trust.
A chip-based chain-of-trust construction method: an SM3 algorithm is established in the chip, a corresponding configuration register PCR is configured in the chip for each module of the chain of trust, and the reference value of each module of the chain of trust is stored in the corresponding configuration register PCR. The chain of trust comprises any one or more of the following modules: the CRTM module, the platform start-up code module, the BIOS Boot Block module, the BIOS version information module, the BIOS Main Block module, the mainboard peripheral module, the Bootloader Grub module and the operating system kernel module. The method further comprises:
Using the SM3 algorithm to measure the code in the current pre-loading module of the chain of trust, step by step, and obtaining the hash value corresponding to the current pre-loading module from the hexadecimal data of the code in that module;
Judging whether the hash value corresponding to the current pre-loading module is consistent with the reference value stored in the configuration register PCR corresponding to that module; if so, loading the code and data in the current pre-loading module; otherwise, not loading the current pre-loading module, and terminating the measurement of the next pre-loading module by the current pre-loading module.
Preferably, the method further comprises: determining that an initial section of code in the BIOS is absolutely trusted code;
The chip provides a corresponding interface for each module of the chain of trust;
Each module of the chain of trust obtains the SM3 algorithm through its corresponding interface;
The step of using the SM3 algorithm to measure the code in the current pre-loading module step by step, and obtaining the corresponding hash value from the hexadecimal data of the code in that module, comprises:
The absolutely trusted code uses the obtained SM3 algorithm to measure the CRTM module and, from the hexadecimal data of the code in the CRTM module, obtains the first hash value, corresponding to the CRTM module;
The CRTM module uses the obtained SM3 algorithm to measure the platform start-up code module and the BIOS Boot Block module and, from the hexadecimal data of the code in these two modules, obtains the second hash value and the third hash value, corresponding to the platform start-up code module and the BIOS Boot Block module;
The BIOS Boot Block module uses the obtained SM3 algorithm to measure the BIOS version information module and the code and data of the BIOS Main Block module and, from the hexadecimal data of the code in these two modules, obtains the fourth hash value and the fifth hash value, corresponding to the BIOS version information module and the BIOS Main Block module;
The BIOS Main Block module uses the obtained SM3 algorithm to measure the mainboard peripheral module and the code and data of the Bootloader Grub module and, from the hexadecimal data of the peripheral data and code in these two modules, obtains the sixth hash value and the seventh hash value, corresponding to the mainboard peripheral module and the Bootloader Grub module;
The Bootloader Grub module uses the obtained SM3 algorithm to measure the code and configuration files of the operating system kernel module and, from the hexadecimal data of the configuration file information and code in the operating system kernel module, obtains the eighth hash value, corresponding to the operating system kernel module.
Preferably, the step of judging whether the hash value corresponding to the current pre-loading module is consistent with the reference value stored in the configuration register PCR corresponding to that module, loading the code and data in the module if so, and otherwise not loading the module and terminating its measurement of the next pre-loading module, comprises:
Judging whether the first hash value is consistent with the reference value stored in the configuration register PCR corresponding to the CRTM module; if so, loading the CRTM module; otherwise, not loading the CRTM module, and terminating the measurement of the platform start-up code module and the BIOS Boot Block module by the CRTM module;
Judging whether the second hash value and the third hash value are consistent with the reference values stored in the configuration register PCR corresponding to the platform start-up code module and the BIOS Boot Block module; if so, loading the platform start-up code module and the BIOS Boot Block module; otherwise, not loading the platform start-up code module and the BIOS Boot Block module, and terminating the measurement of the BIOS version information module and the BIOS Main Block module by the BIOS Boot Block module;
Judging whether the fourth hash value and the fifth hash value are consistent with the reference values stored in the configuration register PCR corresponding to the BIOS version information module and the BIOS Main Block module; if so, loading the BIOS version information module and the BIOS Main Block module; otherwise, not loading the BIOS version information module and the BIOS Main Block module, and terminating the measurement of the mainboard peripheral module and the Bootloader Grub module by the BIOS Main Block module;
Judging whether the sixth hash value and the seventh hash value are consistent with the reference values stored in the configuration register PCR corresponding to the mainboard peripheral module and the Bootloader Grub module; if so, loading the mainboard peripheral module and the Bootloader Grub module; otherwise, not loading the mainboard peripheral module and the Bootloader Grub module, and terminating the measurement of the operating system kernel module by the Bootloader Grub module;
Judging whether the eighth hash value is consistent with the reference value stored in the configuration register PCR corresponding to the operating system kernel module; if so, loading the operating system kernel module; otherwise, not loading the operating system kernel module.
Preferably, the method further comprises: dividing the Bootloader Grub module into three modules, Stage1, Stage1.5 and Stage2;
Measuring the code in the current pre-loading module of the chain of trust step by step then comprises: when the current pre-loading module is the Bootloader Grub module, the BIOS Main Block module measures the Stage1 module, the Stage1 module measures the Stage1.5 module, and the Stage1.5 module measures the Stage2 module;
When the current pre-loading module is the operating system kernel module, the Stage2 module measures the code and configuration files of the operating system kernel module.
Preferably, the chip is a Z32H320TC chip;
Configuring a corresponding configuration register PCR for each module comprises:
Configuring configuration register PCR0 of the Z32H320TC chip for any one or more of the CRTM module, the platform start-up code module, the BIOS Boot Block module, the BIOS version information module and the BIOS Main Block module;
Configuring configuration register PCR2 of the Z32H320TC chip for the mainboard peripheral module;
Configuring configuration register PCR4 of the Z32H320TC chip for the Bootloader Grub module;
Configuring configuration register PCR5 of the Z32H320TC chip for the operating system kernel module.
Preferably, the method further comprises:
When the system in the platform starts for the first time, using the SM3 algorithm to obtain, step by step, the initial hash value corresponding to each module in turn; storing the respective initial hash values of the CRTM module, the platform start-up code module, the BIOS Boot Block module, the BIOS version information module and the BIOS Main Block module in the configuration register PCR as reference values; storing the initial hash value of the mainboard peripheral module in configuration register PCR2; storing the initial hash value of the Bootloader Grub module in configuration register PCR4; and storing the initial hash value of the operating system kernel module in configuration register PCR5.
A chain-of-trust construction device, comprising:
A setup unit, used to establish an SM3 algorithm in the chip;
A configuration unit, used to configure in the chip a corresponding configuration register PCR for each module of the chain of trust;
A storage unit, used to store the reference value of each module of the chain of trust in the corresponding configuration register PCR, the modules of the chain of trust comprising: the CRTM module, the platform start-up code module, the BIOS Boot Block module, the BIOS version information module, the BIOS Main Block module, the mainboard peripheral module, the Bootloader Grub module and the operating system kernel module;
A measurement acquisition unit, used to measure, step by step and with the SM3 algorithm established by the setup unit, the code in the current pre-loading module of the chain of trust, and to obtain the hash value corresponding to the current pre-loading module from the hexadecimal data of the code in that module;
A judging unit, used to judge whether the hash value obtained by the measurement acquisition unit for the current pre-loading module is consistent with the reference value stored in the configuration register PCR corresponding to that module, and, if so, to trigger the loading unit;
The loading unit, used to receive the trigger from the judging unit and load the code and data in the current pre-loading module.
Preferably, the device further comprises a determining unit and an SM3 algorithm providing unit, wherein:
The determining unit is used to determine that an initial section of code in the BIOS is absolutely trusted code;
The SM3 algorithm providing unit: the chip provides a corresponding interface for each module of the chain of trust, and that interface provides the SM3 algorithm to the corresponding module;
The measurement acquisition unit is used to: control the absolutely trusted code to measure the CRTM module with the SM3 algorithm provided by the SM3 algorithm providing unit and, from the hexadecimal data of the code in the CRTM module, obtain the first hash value, corresponding to the CRTM module; control the CRTM module to measure the platform start-up code module and the BIOS Boot Block module with the provided SM3 algorithm and, from the hexadecimal data of the code in these two modules, obtain the second hash value and the third hash value, corresponding to the platform start-up code module and the BIOS Boot Block module; control the BIOS Boot Block module to measure the BIOS version information module and the code and data of the BIOS Main Block module with the provided SM3 algorithm and, from the hexadecimal data of the code in these two modules, obtain the fourth hash value and the fifth hash value, corresponding to the BIOS version information module and the BIOS Main Block module; control the BIOS Main Block module to measure the mainboard peripheral module and the code and data of the Bootloader Grub module with the provided SM3 algorithm and, from the hexadecimal data of the peripheral data and code in these two modules, obtain the sixth hash value and the seventh hash value, corresponding to the mainboard peripheral module and the Bootloader Grub module; and control the Bootloader Grub module to measure the code and configuration files of the operating system kernel module with the provided SM3 algorithm and, from the hexadecimal data of the configuration file information and code in the operating system kernel module, obtain the eighth hash value, corresponding to the operating system kernel module.
Preferably, the judging unit is used to: judge whether the first hash value is consistent with the reference value stored in the configuration register PCR corresponding to the CRTM module and, if so, trigger the loading unit to load the CRTM module;
Judge whether the second hash value and the third hash value are consistent with the reference values stored in the configuration register PCR corresponding to the platform start-up code module and the BIOS Boot Block module and, if so, trigger the loading unit to load the platform start-up code module and the BIOS Boot Block module;
Judge whether the fourth hash value and the fifth hash value are consistent with the reference values stored in the configuration register PCR corresponding to the BIOS version information module and the BIOS Main Block module and, if so, trigger the loading unit to load the BIOS version information module and the BIOS Main Block module;
Judge whether the sixth hash value and the seventh hash value are consistent with the reference values stored in the configuration register PCR corresponding to the mainboard peripheral module and the Bootloader Grub module and, if so, trigger the loading unit to load the mainboard peripheral module and the Bootloader Grub module;
Judge whether the eighth hash value is consistent with the reference value stored in the configuration register PCR corresponding to the operating system kernel module and, if so, trigger the loading unit to load the operating system kernel module.
Preferably, the device further comprises a division unit, wherein:
The division unit is used to divide the Bootloader Grub module into three modules, Stage1, Stage1.5 and Stage2;
The measurement acquisition unit is further used so that: when the current pre-loading module is the Bootloader Grub module, the BIOS Main Block module measures the Stage1 module, the Stage1 module measures the Stage1.5 module, and the Stage1.5 module measures the Stage2 module; when the current pre-loading module is the operating system kernel module, the Stage2 module measures the operating system kernel module.
Preferably, the chip is a Z32H320TC chip;
The configuration unit is used to: configure configuration register PCR0 of the Z32H320TC chip for any one or more of the CRTM module, the platform start-up code module, the BIOS Boot Block module, the BIOS version information module and the BIOS Main Block module; configure configuration register PCR2 of the Z32H320TC chip for the mainboard peripheral module; configure configuration register PCR4 of the Z32H320TC chip for the Bootloader Grub module; and configure configuration register PCR5 of the Z32H320TC chip for the operating system kernel module.
Preferably, the device further comprises a reference value acquiring unit, wherein:
The reference value acquiring unit is used, when the system in the platform starts for the first time, to obtain the initial hash value corresponding to each module in turn, step by step and with the SM3 algorithm, and to take each module's initial hash value as the reference value of that module.
Embodiments of the invention provide a chip-based chain-of-trust construction method and device. An SM3 algorithm is established in the chip, a corresponding configuration register PCR is configured for each module of the chain of trust, and the reference value of each module is stored in the corresponding configuration register PCR. The chain of trust comprises any one or more of the CRTM module, the platform start-up code module, the BIOS Boot Block module, the BIOS version information module, the BIOS Main Block module, the mainboard peripheral module, the Bootloader Grub module and the operating system kernel module. The code in the current pre-loading module of the chain of trust is measured step by step with the SM3 algorithm, and the hash value corresponding to the module is obtained from the hexadecimal data of its code. It is then judged whether that hash value is consistent with the reference value stored in the configuration register PCR corresponding to the module; if so, the code and data in the current pre-loading module are loaded; otherwise the module is not loaded and its measurement of the next pre-loading module is terminated. This effectively improves the security of the chain of trust.
Brief description of the drawings
Fig. 1 is a flow chart of a chip-based chain-of-trust construction method provided by an embodiment of the invention;
Fig. 2 is a flow chart of a chip-based chain-of-trust construction method provided by another embodiment of the invention;
Fig. 3 is a schematic structural diagram of a chip-based chain-of-trust construction device provided by an embodiment of the invention;
Fig. 4 is a schematic structural diagram of a chip-based chain-of-trust construction device provided by an embodiment of the invention.
Detailed description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
As shown in Fig. 1, an embodiment of the invention provides a chip-based chain-of-trust construction method comprising the following steps:
Step 101: establish an SM3 algorithm in the chip;
Step 102: configure in the chip a corresponding configuration register PCR for each module of the chain of trust;
Step 103: store the reference value of each module of the chain of trust in the corresponding configuration register PCR, the chain of trust comprising any one or more of: the CRTM module, the platform start-up code module, the BIOS Boot Block module, the BIOS version information module, the BIOS Main Block module, the mainboard peripheral module, the Bootloader Grub module and the operating system kernel module;
Step 104: using the SM3 algorithm, measure the code in the current pre-loading module of the chain of trust step by step, and obtain the hash value corresponding to the current pre-loading module from the hexadecimal data of the code in that module;
Step 105: judge whether the hash value corresponding to the current pre-loading module is consistent with the reference value stored in the configuration register PCR corresponding to that module; if so, perform step 106; otherwise, perform step 107;
Step 106: load the code and data in the current pre-loading module;
Step 107: do not load the current pre-loading module, and terminate the measurement of the next pre-loading module by the current pre-loading module.
In an embodiment of the invention, in order to enhance the reliability of the chain of trust and to have each module in the chain of trust measured with the SM3 algorithm in the chip, the embodiment further comprises: determining that an initial section of code in the BIOS is absolutely trusted code; the chip provides a corresponding interface for each module of the chain of trust, and each module obtains the SM3 algorithm through its corresponding interface. Step 104 is then implemented as follows: the absolutely trusted code uses the obtained SM3 algorithm to measure the CRTM module and, from the hexadecimal data of the code in the CRTM module, obtains the first hash value, corresponding to the CRTM module; the CRTM module uses the obtained SM3 algorithm to measure the platform start-up code module and the BIOS Boot Block module and, from the hexadecimal data of the code in these two modules, obtains the second hash value and the third hash value, corresponding to the platform start-up code module and the BIOS Boot Block module; the BIOS Boot Block module uses the obtained SM3 algorithm to measure the BIOS version information module and the code and data of the BIOS Main Block module and, from the hexadecimal data of the code in these two modules, obtains the fourth hash value and the fifth hash value, corresponding to the BIOS version information module and the BIOS Main Block module; the BIOS Main Block module uses the obtained SM3 algorithm to measure the mainboard peripheral module and the code and data of the Bootloader Grub module and, from the hexadecimal data of the peripheral data and code in these two modules, obtains the sixth hash value and the seventh hash value, corresponding to the mainboard peripheral module and the Bootloader Grub module; the Bootloader Grub module uses the obtained SM3 algorithm to measure the code and configuration files of the operating system kernel module and, from the hexadecimal data of the configuration file information and code in the operating system kernel module, obtains the eighth hash value, corresponding to the operating system kernel module.
In an embodiment of the invention, in order to improve the security with which each module in the chain of trust is loaded, steps 105 to 107 are implemented as follows: judge whether the first hash value is consistent with the reference value stored in the configuration register PCR corresponding to the CRTM module; if so, load the CRTM module; otherwise, do not load the CRTM module, and terminate the measurement of the platform start-up code module and the BIOS Boot Block module by the CRTM module. Judge whether the second hash value and the third hash value are consistent with the reference values stored in the configuration register PCR corresponding to the platform start-up code module and the BIOS Boot Block module; if so, load the platform start-up code module and the BIOS Boot Block module; otherwise, do not load them, and terminate the measurement of the BIOS version information module and the BIOS Main Block module by the BIOS Boot Block module. Judge whether the fourth hash value and the fifth hash value are consistent with the reference values stored in the configuration register PCR corresponding to the BIOS version information module and the BIOS Main Block module; if so, load the BIOS version information module and the BIOS Main Block module; otherwise, do not load them, and terminate the measurement of the mainboard peripheral module and the Bootloader Grub module by the BIOS Main Block module. Judge whether the sixth hash value and the seventh hash value are consistent with the reference values stored in the configuration register PCR corresponding to the mainboard peripheral module and the Bootloader Grub module; if so, load the mainboard peripheral module and the Bootloader Grub module; otherwise, do not load them, and terminate the measurement of the operating system kernel module by the Bootloader Grub module. Judge whether the eighth hash value is consistent with the reference value stored in the configuration register PCR corresponding to the operating system kernel module; if so, load the operating system kernel module; otherwise, do not load the operating system kernel module.
In an embodiment of the invention, in order to improve the security of the Bootloader Grub module, the embodiment further comprises: dividing the Bootloader Grub module into three modules, Stage1, Stage1.5 and Stage2. Step 104 is then implemented as follows: when the current pre-loading module is the Bootloader Grub module, the BIOS Main Block module measures the Stage1 module, the Stage1 module measures the Stage1.5 module, and the Stage1.5 module measures the Stage2 module; when the current pre-loading module is the operating system kernel module, the Stage2 module measures the code and configuration files of the operating system kernel module.
In an embodiment of the invention in order to make SM3 algorithm be well used, chip described in the embodiment of the present invention is Z32H320TC chip; The embodiment of step 102: be the configuration register PCR0 of any one or more block configuration Z32H320TC chip in the version information module of described CRTM module, described platform start-up code module, described BIOS Boot Block module, BIOS and BIOS Main Block module; For the configuration register PCR2 of described mainboard peripheral module configuration Z32H320TC chip; For the configuration register PCR4 of described Bootloader Grub block configuration Z32H320TC chip; For the configuration register PCR5 of described operating system nucleus block configuration Z32H320TC chip.
In an embodiment of the invention, in order to make reference value, there is credibility and practicality, the embodiment of the present invention comprises further: when system initial start-up in platform, utilize described SM3 algorithm, by the mode of measuring step by step, obtain the initial hash value that each module is corresponding successively, and by described CRTM module, described platform start-up code module, described BIOS Boot Block module, version information module and the described BIOS Main Block module initial hash value separately of described BIOS are stored in described configuration register PCR as reference value, the initial hash value of described mainboard peripheral module is stored in configuration register PCR2, the initial hash value of described Bootloader Grub module is stored in configuration register PCR4, the initial hash value of described operating system nucleus module is stored in configuration register PCR5.
By the method for above-described embodiment, the security of trust chain effectively can be improved.
The Z32H320TC security chip is a high-performance trusted-computing security chip. The chip contains both dedicated algorithm-processing circuits and a complete high-performance, low-power computing system (a high-performance 32-bit processor, high-capacity flash program memory, ROM data storage and large-capacity RAM as an internal buffer), and it has a standard LPC interface. It mainly provides the trusted computing cryptographic support platform with services such as integrity measurement, storage and reporting, trusted identity attestation, and data security protection.
As shown in Figure 2, this embodiment illustrates the chip-based trust chain construction method using the Z32H320TC chip as an example. The method based on the Z32H320TC chip comprises the following steps:
Step 200: determine that a segment of initial code in the BIOS is absolutely trusted code; the Z32H320TC chip provides a corresponding interface for each module of the trust chain;
In this embodiment the modules in the trust chain comprise: the CRTM module, the platform start-up code module, the BIOS Boot Block module, the BIOS version information module, the BIOS Main Block module, the motherboard peripheral module, the Bootloader Grub module and the operating system kernel module. All of these modules contain code and data that the platform system needs in order to start. The motherboard peripheral module covers motherboard peripherals such as the graphics card, hard disk, network card and PCI-E cards. For example: the CRTM module corresponds to interface 1 provided by the Z32H320TC chip, the BIOS Boot Block module to interface 2, the BIOS Main Block module to interface 3, and the Bootloader Grub module to interface 4.
Step 201: divide the Bootloader Grub module into three modules, Stage1, Stage1.5 and Stage2;
The Bootloader Grub module is a modification of the Trusted Grub software used to construct the trust chain; the code in Stage1 is the Master Boot Record located on the hard disk.
Step 202: set up the SM3 algorithm in the Z32H320TC chip;
The SM3 algorithm is proposed in the national standard "Trusted Computing Cryptographic Support Platform Function and Interface Specification". Its result is 256 bits, a result length that is doubled compared with the SHA-1 algorithm used in the prior art; a hash value measured with the SM3 algorithm is therefore more secure than one measured with the SHA-1 algorithm.
Step 203: each module of the trust chain obtains the SM3 algorithm through its corresponding interface;
For example: the CRTM module obtains the SM3 algorithm through interface 1, the BIOS Boot Block module through interface 2, the BIOS Main Block module through interface 3, and the Bootloader Grub module through interface 4.
Step 204: configure, in the Z32H320TC chip, a corresponding configuration register PCR for each module of the trust chain;
The Z32H320TC chip has multiple configuration registers PCR, which can be allocated or configured according to user requirements;
For example: configure configuration register PCR0 of the Z32H320TC chip for the CRTM module, the platform start-up code module, the BIOS Boot Block module, the BIOS version information module and the BIOS Main Block module; configure configuration register PCR2 of the Z32H320TC chip for the motherboard peripheral module; configure configuration register PCR4 of the Z32H320TC chip for the Bootloader Grub module; configure configuration register PCR5 of the Z32H320TC chip for the operating system kernel module.
Step 205: when the system in the platform is started for the first time, use the SM3 algorithm to obtain, by stage-by-stage measurement, the initial hash value of each module in turn, and store this initial hash value as the reference value in the corresponding configuration register PCR;
For example: the CRTM module obtains the SM3 algorithm from interface 1 and uses it to measure the platform start-up code module and the BIOS Boot Block module, obtaining their initial hash values, which are stored as reference values in configuration register PCR0. Then, after the BIOS Boot Block module has been loaded successfully, it obtains the SM3 algorithm from interface 2 and uses it to measure the BIOS version information module and the BIOS Main Block module; likewise, the initial hash values obtained are stored as reference values in configuration register PCR0. After the BIOS Main Block module has been loaded successfully, it measures the motherboard peripheral module and the Stage1 module of the Bootloader Grub module; the initial hash value of the motherboard peripheral module is stored in configuration register PCR2, and the initial hash value of the Stage1 module is stored in configuration register PCR4. And so on: each stage measures the next, and the initial hash value obtained from each measurement is stored in the corresponding PCR.
Step 206: using the SM3 algorithm, by stage-by-stage measurement, measure the code in the trust-chain module currently to be loaded and, from the hexadecimal data of the code in that module, obtain the hash value corresponding to that module;
Step 207: judge whether the hash value corresponding to the module currently to be loaded is consistent with the reference value stored in the configuration register PCR corresponding to that module; if so, perform step 208; otherwise, perform step 209;
Step 208: load the code and data in the module currently to be loaded;
Step 209: do not load the module currently to be loaded, and terminate that module's measurement of the next module to be loaded.
Steps 206 to 209 are carried out stage by stage, each stage measuring the next. For example: first, after the platform system is powered on, it loads the absolutely trusted code in the BIOS. Once this absolutely trusted code has been loaded, it uses the SM3 algorithm obtained from the chip to measure the CRTM module and, from the hexadecimal data of the code in the CRTM module, obtains the first hash value corresponding to the CRTM module. Judge whether the first hash value is consistent with the reference value stored in configuration register PCR0; if so, load the CRTM module; otherwise, do not load the CRTM module;
After the CRTM module has been loaded, it uses the SM3 algorithm it has obtained to measure the platform start-up code module and the BIOS Boot Block module and, from the hexadecimal data of the code in those two modules, obtains the second and third hash values corresponding to the platform start-up code module and the BIOS Boot Block module. Judge whether the second and third hash values are consistent with the reference values stored in configuration register PCR0; if so, load the platform start-up code module and the BIOS Boot Block module; otherwise, do not load them;
After the platform start-up code module and the BIOS Boot Block module have been loaded, the BIOS Boot Block module uses the SM3 algorithm it has obtained to measure the code and data of the BIOS version information module and the BIOS Main Block module and, from the hexadecimal data of the code in those two modules, obtains the fourth and fifth hash values corresponding to the BIOS version information module and the BIOS Main Block module. Judge whether the fourth and fifth hash values are consistent with the reference values stored in configuration register PCR0; if so, load the BIOS version information module and the BIOS Main Block module; otherwise, do not load them, and terminate the BIOS Main Block module's measurement of the motherboard peripheral module and the Bootloader Grub module;
After the BIOS Main Block module has been loaded, it uses the SM3 algorithm it has obtained to measure the code and data of the motherboard peripheral module and of the Stage1 module of the Bootloader Grub module and, from the hexadecimal data of the peripheral data and code in those two modules, obtains the sixth and seventh hash values corresponding to the motherboard peripheral module and the Stage1 module. Judge whether the sixth and seventh hash values are consistent with the reference values stored in configuration register PCR2 and configuration register PCR4 respectively; if so, load the motherboard peripheral module and the Stage1 module; otherwise, do not load them, and terminate the Stage1 module's measurement of the Stage1.5 module;
After the code and data of the Stage1 module have been loaded, the Stage1 module uses the SM3 algorithm obtained by the Bootloader Grub module to measure the Stage1.5 module and obtain the hash value corresponding to the Stage1.5 module. Judge whether that hash value is consistent with the reference value stored in configuration register PCR4; if so, load the Stage1.5 module; otherwise, do not load the Stage1.5 module, and terminate the Stage1.5 module's measurement of the operating system kernel module;
After the code and data of the Stage1.5 module have been loaded, the Stage1.5 module uses the SM3 algorithm obtained by the Bootloader Grub module to measure the Stage2 module and obtain the hash value corresponding to the Stage2 module. Judge whether that hash value is consistent with the reference value stored in configuration register PCR4; if so, load the Stage2 module; otherwise, do not load the Stage2 module, and terminate the Stage2 module's measurement of the operating system kernel module;
After the code and data of the Stage2 module have been loaded, the Stage2 module uses the SM3 algorithm obtained by the Bootloader Grub module to measure the code and configuration file of the operating system kernel module and, from the hexadecimal data of the configuration file information and code in the operating system kernel module, obtains the eighth hash value corresponding to the operating system kernel module. Judge whether the eighth hash value is consistent with the reference value stored in configuration register PCR5; if so, load the operating system kernel module; otherwise, do not load it.
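The enroll-then-verify flow of steps 205 to 209, as an added example in C that is not code from the patent or from any Z32H320TC firmware. Assumptions: a software SM3 stands in for the hashing interface the chip provides, a plain struct field stands in for the reference value held in each module's PCR, and the module contents and the names `enroll`, `verified_boot` and `demo_boot` are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rotl(uint32_t x, unsigned n) { n &= 31; return n ? (x << n) | (x >> (32 - n)) : x; }
static uint32_t p0(uint32_t x) { return x ^ rotl(x, 9) ^ rotl(x, 17); }
static uint32_t p1(uint32_t x) { return x ^ rotl(x, 15) ^ rotl(x, 23); }
/* SM3 compression of one 64-byte block into the 256-bit state v. */
static void sm3_block(uint32_t v[8], const uint8_t *p) {
    uint32_t w[68], s[8];
    for (int j = 0; j < 16; j++, p += 4)
        w[j] = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    for (int j = 16; j < 68; j++)
        w[j] = p1(w[j-16] ^ w[j-9] ^ rotl(w[j-3], 15)) ^ rotl(w[j-13], 7) ^ w[j-6];
    memcpy(s, v, sizeof s);
    for (int j = 0; j < 64; j++) {
        uint32_t a = s[0], e = s[4], a12 = rotl(a, 12), t = j < 16 ? 0x79cc4519u : 0x7a879d8au;
        uint32_t ss1 = rotl(a12 + e + rotl(t, (unsigned)j), 7), ss2 = ss1 ^ a12;
        uint32_t ff = j < 16 ? a ^ s[1] ^ s[2] : (a & s[1]) | (a & s[2]) | (s[1] & s[2]);
        uint32_t gg = j < 16 ? e ^ s[5] ^ s[6] : (e & s[5]) | (~e & s[6]);
        uint32_t tt1 = ff + s[3] + ss2 + (w[j] ^ w[j+4]);
        uint32_t tt2 = gg + s[7] + ss1 + w[j];
        s[3] = s[2]; s[2] = rotl(s[1], 9);  s[1] = a; s[0] = tt1;
        s[7] = s[6]; s[6] = rotl(s[5], 19); s[5] = e; s[4] = p0(tt2);
    }
    for (int i = 0; i < 8; i++) v[i] ^= s[i];
}

/* SM3 digest of msg[0..len): 256-bit result, big-endian, written to out. */
void sm3(const uint8_t *msg, size_t len, uint8_t out[32]) {
    uint32_t v[8] = {0x7380166f, 0x4914b2b9, 0x172442d7, 0xda8a0600,
                     0xa96f30bc, 0x163138aa, 0xe38dee4d, 0xb0fb0e4e};
    uint8_t tail[128] = {0};
    size_t rem = len % 64, tlen = rem < 56 ? 64 : 128;
    uint64_t bits = (uint64_t)len * 8;
    for (size_t off = 0; off + 64 <= len; off += 64) sm3_block(v, msg + off);
    memcpy(tail, msg + (len - rem), rem);
    tail[rem] = 0x80; /* padding: a 1 bit, zeros, then the 64-bit message length */
    for (int i = 0; i < 8; i++) tail[tlen - 1 - i] = (uint8_t)(bits >> (8 * i));
    for (size_t off = 0; off < tlen; off += 64) sm3_block(v, tail + off);
    for (int i = 0; i < 32; i++) out[i] = (uint8_t)(v[i / 4] >> (24 - 8 * (i % 4)));
}

/* Known-answer test against the standard SM3("abc") vector; returns 1 on match. */
int sm3_selftest(void) {
    static const uint8_t want[32] = {
        0x66,0xc7,0xf0,0xf4,0x62,0xee,0xed,0xd9,0xd1,0xf2,0xd4,0x6b,0xdc,0x10,0xe4,0xe2,
        0x41,0x67,0xc4,0x87,0x5c,0xf2,0xf7,0xa2,0x29,0x7d,0xa0,0x2b,0x8f,0x4b,0xa8,0xe0};
    uint8_t got[32];
    sm3((const uint8_t *)"abc", 3, got);
    return memcmp(got, want, sizeof want) == 0;
}

struct module {
    const char *name;
    int pcr;           /* PCR assigned to the module in step 204 */
    uint8_t code[16];  /* constructed stand-in for the module's code and data */
    uint8_t ref[32];   /* reference value recorded at first boot (step 205) */
};
#define N_MODULES 10
/* Boot order and PCR assignment follow the description; the contents are constructed. */
static const struct module BOOT_CHAIN[N_MODULES] = {
    {"CRTM", 0, "crtm"}, {"platform start-up code", 0, "platform-init"},
    {"BIOS Boot Block", 0, "boot-block"}, {"BIOS version info", 0, "bios-version"},
    {"BIOS Main Block", 0, "main-block"}, {"motherboard peripherals", 2, "option-roms"},
    {"Grub Stage1", 4, "stage1-mbr"}, {"Grub Stage1.5", 4, "stage1.5"},
    {"Grub Stage2", 4, "stage2"}, {"OS kernel + config", 5, "kernel+cfg"},
};

/* Step 205: the first boot measures every module and stores the reference values. */
void enroll(struct module *m, int n) {
    for (int i = 0; i < n; i++) sm3(m[i].code, sizeof m[i].code, m[i].ref);
}
/* Steps 206-209: measure each module before loading it; on the first mismatch the
 * module is not loaded and the chain stops. Returns how many modules were loaded. */
int verified_boot(const struct module *m, int n) {
    uint8_t h[32];
    for (int i = 0; i < n; i++) {
        sm3(m[i].code, sizeof m[i].code, h);
        if (memcmp(h, m[i].ref, sizeof h) != 0) return i; /* step 209 */
    }
    return n;
}

/* Enroll a fresh chain, optionally flip one bit in module `tamper`, then boot it. */
int demo_boot(int tamper) {
    struct module chain[N_MODULES];
    memcpy(chain, BOOT_CHAIN, sizeof chain);
    enroll(chain, N_MODULES);
    if (tamper >= 0 && tamper < N_MODULES) chain[tamper].code[0] ^= 0x01;
    return verified_boot(chain, N_MODULES);
}

int main(void) {
    int stop = demo_boot(7); /* tamper with Grub Stage1.5 after enrollment */
    printf("SM3 self-test %s; clean boot loaded %d modules\n", sm3_selftest() ? "ok" : "FAILED", demo_boot(-1));
    printf("tampered boot halted before \"%s\" (PCR%d)\n", BOOT_CHAIN[stop].name, BOOT_CHAIN[stop].pcr);
    return 0;
}
```

Because the reference values are whatever was measured at first boot, that enrollment boot has to take place in a known-good state: a module altered before enrollment would pass verification on every later boot.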
As shown in Figure 3, one embodiment of the invention provides a chip-based trust chain construction device, comprising:
Setting unit 301, for setting up the SM3 algorithm in the chip;
Configuration unit 302, for configuring, in the chip, a corresponding configuration register PCR for each module of the trust chain;
Storage unit 303, for storing the reference value of each module of the trust chain in the corresponding configuration register PCR, the modules of the trust chain comprising: the CRTM module, the platform start-up code module, the BIOS Boot Block module, the BIOS version information module, the BIOS Main Block module, the motherboard peripheral module, the Bootloader Grub module and the operating system kernel module;
Measurement acquisition unit 304, for using the SM3 algorithm set up by the setting unit to measure, stage by stage, the code in the trust-chain module currently to be loaded and, from the hexadecimal data of the code in that module, obtain the hash value corresponding to that module;
Judging unit 305, for judging whether the hash value obtained by the measurement acquisition unit for the module currently to be loaded is consistent with the reference value stored in the configuration register PCR corresponding to that module and, if so, triggering the loading unit;
Loading unit 306, for receiving the trigger from the judging unit and loading the code and data in the module currently to be loaded.
Another embodiment of the invention provides a chip-based trust chain construction device that further comprises a determining unit and an SM3 algorithm providing unit (not shown in the figures), wherein:
The determining unit is for determining that a segment of initial code in the BIOS is absolutely trusted code;
The SM3 algorithm providing unit: the chip provides a corresponding interface for each module of the trust chain, and each interface provides the SM3 algorithm to its corresponding module;
The measurement acquisition unit is for: controlling the absolutely trusted code to use the SM3 algorithm provided by the SM3 algorithm providing unit to measure the CRTM module and, from the hexadecimal data of the code in the CRTM module, obtain the first hash value corresponding to the CRTM module; controlling the CRTM module to use the SM3 algorithm provided by the SM3 algorithm providing unit to measure the platform start-up code module and the BIOS Boot Block module and, from the hexadecimal data of the code in those two modules, obtain the second and third hash values corresponding to the platform start-up code module and the BIOS Boot Block module; controlling the BIOS Boot Block module to use the SM3 algorithm provided by the SM3 algorithm providing unit to measure the code and data of the BIOS version information module and the BIOS Main Block module and, from the hexadecimal data of the code in those two modules, obtain the fourth and fifth hash values corresponding to the BIOS version information module and the BIOS Main Block module; controlling the BIOS Main Block module to use the SM3 algorithm provided by the SM3 algorithm providing unit to measure the code and data of the motherboard peripheral module and the Bootloader Grub module and, from the hexadecimal data of the peripheral data and code in those two modules, obtain the sixth and seventh hash values corresponding to the motherboard peripheral module and the Bootloader Grub module; and controlling the Bootloader Grub module to use the SM3 algorithm provided by the SM3 algorithm providing unit to measure the code and configuration file of the operating system kernel module and, from the hexadecimal data of the configuration file information and code in the operating system kernel module, obtain the eighth hash value corresponding to the operating system kernel module.
In yet another embodiment, the judging unit is for: judging whether the first hash value is consistent with the reference value stored in the configuration register PCR corresponding to the CRTM module and, if so, triggering the loading unit to load the CRTM module;
Judging whether the second and third hash values are consistent with the reference values stored in the configuration register PCR corresponding to the platform start-up code module and the BIOS Boot Block module and, if so, triggering the loading unit to load the platform start-up code module and the BIOS Boot Block module;
Judging whether the fourth and fifth hash values are consistent with the reference values stored in the configuration register PCR corresponding to the BIOS version information module and the BIOS Main Block module and, if so, triggering the loading unit to load the BIOS version information module and the BIOS Main Block module;
Judging whether the sixth and seventh hash values are consistent with the reference values stored in the configuration register PCR corresponding to the motherboard peripheral module and the Bootloader Grub module and, if so, triggering the loading unit to load the motherboard peripheral module and the Bootloader Grub module;
Judging whether the eighth hash value is consistent with the reference value stored in the configuration register PCR corresponding to the operating system kernel module and, if so, triggering the loading unit to load the operating system kernel module.
In another embodiment of the invention, the above device further comprises a dividing unit (not shown), wherein:
The dividing unit is for dividing the Bootloader Grub module into three modules, Stage1, Stage1.5 and Stage2;
The measurement acquisition unit is further for: when the module currently to be loaded is the Bootloader Grub module, having the BIOS Main Block module measure the Stage1 module, the Stage1 module measure the Stage1.5 module, and the Stage1.5 module measure the Stage2 module; and, when the module currently to be loaded is the operating system kernel module, having the Stage2 module measure the operating system kernel module.
In yet another embodiment, the chip is a Z32H320TC chip;
The configuration unit is for: configuring configuration register PCR0 of the Z32H320TC chip for any one or more of the CRTM module, the platform start-up code module, the BIOS Boot Block module, the BIOS version information module and the BIOS Main Block module; configuring configuration register PCR2 of the Z32H320TC chip for the motherboard peripheral module; configuring configuration register PCR4 of the Z32H320TC chip for the Bootloader Grub module; and configuring configuration register PCR5 of the Z32H320TC chip for the operating system kernel module.
As shown in Figure 4, in yet another embodiment the above device further comprises a reference value acquiring unit 401, wherein:
The reference value acquiring unit 401 is for using the SM3 algorithm, when the system in the platform is started for the first time, to obtain by stage-by-stage measurement the initial hash value of each module in turn, and for using each module's initial hash value as the reference value of that module.
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" and any variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that process, method, article or device. Without further limitation, an element introduced by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises it.
The foregoing describes only preferred embodiments of the invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within its scope of protection.

Claims (10)

1. A chip-based trust chain construction method, characterized in that an SM3 algorithm is set up in a chip, a corresponding configuration register PCR is configured in the chip for each module of the trust chain, and the reference value of each module of the trust chain is stored in the corresponding configuration register PCR, the trust chain comprising any one or more of: a CRTM module, a platform start-up code module, a BIOS Boot Block module, a BIOS version information module, a BIOS Main Block module, a motherboard peripheral module, a Bootloader Grub module and an operating system kernel module; the method further comprising:
Using the SM3 algorithm, by stage-by-stage measurement, to measure the code in the trust-chain module currently to be loaded and, from the hexadecimal data of the code in that module, obtain the hash value corresponding to that module;
Judging whether the hash value corresponding to the module currently to be loaded is consistent with the reference value stored in the configuration register PCR corresponding to that module; if so, loading the code and data in that module; otherwise, not loading that module, and terminating that module's measurement of the next module to be loaded.
2. The method according to claim 1, characterized by further comprising: determining that a segment of initial code in the BIOS is absolutely trusted code;
The chip provides a corresponding interface for each module of the trust chain;
Each module of the trust chain obtains the SM3 algorithm through its corresponding interface;
Said using the SM3 algorithm, by stage-by-stage measurement, to measure the code in the trust-chain module currently to be loaded and, from the hexadecimal data of the code in that module, obtain the hash value corresponding to that module comprises:
The absolutely trusted code uses the obtained SM3 algorithm to measure the CRTM module and, from the hexadecimal data of the code in the CRTM module, obtains the first hash value corresponding to the CRTM module;
The CRTM module uses the obtained SM3 algorithm to measure the platform start-up code module and the BIOS Boot Block module and, from the hexadecimal data of the code in those two modules, obtains the second and third hash values corresponding to the platform start-up code module and the BIOS Boot Block module;
The BIOS Boot Block module uses the obtained SM3 algorithm to measure the code and data of the BIOS version information module and the BIOS Main Block module and, from the hexadecimal data of the code in those two modules, obtains the fourth and fifth hash values corresponding to the BIOS version information module and the BIOS Main Block module;
The BIOS Main Block module uses the obtained SM3 algorithm to measure the code and data of the motherboard peripheral module and the Bootloader Grub module and, from the hexadecimal data of the peripheral data and code in those two modules, obtains the sixth and seventh hash values corresponding to the motherboard peripheral module and the Bootloader Grub module;
The Bootloader Grub module uses the obtained SM3 algorithm to measure the code and configuration file of the operating system kernel module and, from the hexadecimal data of the configuration file information and code in the operating system kernel module, obtains the eighth hash value corresponding to the operating system kernel module.
3. The method according to claim 2, characterized in that said judging whether the hash value corresponding to the module currently to be loaded is consistent with the reference value stored in the configuration register PCR corresponding to that module, if so, loading the code and data in that module, otherwise not loading that module and terminating that module's measurement of the next module to be loaded, comprises:
Judging whether the first hash value is consistent with the reference value stored in the configuration register PCR corresponding to the CRTM module; if so, loading the CRTM module; otherwise, not loading the CRTM module, and terminating the CRTM module's measurement of the platform start-up code module and the BIOS Boot Block module;
Judging whether the second and third hash values are consistent with the reference values stored in the configuration register PCR corresponding to the platform start-up code module and the BIOS Boot Block module; if so, loading the platform start-up code module and the BIOS Boot Block module; otherwise, not loading them, and terminating the BIOS Boot Block module's measurement of the BIOS version information module and the BIOS Main Block module;
Judging whether the fourth and fifth hash values are consistent with the reference values stored in the configuration register PCR corresponding to the BIOS version information module and the BIOS Main Block module; if so, loading the BIOS version information module and the BIOS Main Block module; otherwise, not loading them, and terminating the BIOS Main Block module's measurement of the motherboard peripheral module and the Bootloader Grub module;
Judging whether the sixth and seventh hash values are consistent with the reference values stored in the configuration register PCR corresponding to the motherboard peripheral module and the Bootloader Grub module; if so, loading the motherboard peripheral module and the Bootloader Grub module; otherwise, not loading them, and terminating the Bootloader Grub module's measurement of the operating system kernel module;
Judging whether the eighth hash value is consistent with the reference value stored in the configuration register PCR corresponding to the operating system kernel module; if so, loading the operating system kernel module; otherwise, not loading the operating system kernel module.
4. The method according to claim 1, characterized by further comprising: dividing the Bootloader Grub module into three modules, Stage1, Stage1.5 and Stage2;
Said measuring, by stage-by-stage measurement, the code in the trust-chain module currently to be loaded comprises: when the module currently to be loaded is the Bootloader Grub module, the BIOS Main Block module measures the Stage1 module, the Stage1 module measures the Stage1.5 module, and the Stage1.5 module measures the Stage2 module;
When the module currently to be loaded is the operating system kernel module, the Stage2 module measures the code and configuration file of the operating system kernel module.
5. The method according to claim 1, characterized in that the chip is a Z32H320TC chip;
Said configuring a corresponding configuration register PCR for each module comprises:
Configuring configuration register PCR0 of the Z32H320TC chip for any one or more of the CRTM module, the platform start-up code module, the BIOS Boot Block module, the BIOS version information module and the BIOS Main Block module;
Configuring configuration register PCR2 of the Z32H320TC chip for the motherboard peripheral module;
Configuring configuration register PCR4 of the Z32H320TC chip for the Bootloader Grub module;
Configuring configuration register PCR5 of the Z32H320TC chip for the operating system kernel module.
6. The method according to claim 5, characterized by further comprising:
When the system in the platform is started for the first time, using the SM3 algorithm to obtain, by stage-by-stage measurement, the initial hash value of each module in turn; storing the respective initial hash values of the CRTM module, the platform start-up code module, the BIOS Boot Block module, the BIOS version information module and the BIOS Main Block module as reference values in the configuration register PCR; storing the initial hash value of the motherboard peripheral module in configuration register PCR2; storing the initial hash value of the Bootloader Grub module in configuration register PCR4; and storing the initial hash value of the operating system kernel module in configuration register PCR5.
7. A chain-of-trust construction device, characterized by comprising:
A setting unit, for setting up the SM3 algorithm in the chip;
A configuration unit, for configuring, in the chip, a corresponding configuration register PCR for each module of the chain of trust;
A storage unit, for storing the reference value of each module of the chain of trust in the corresponding configuration register PCR, the modules of the chain of trust comprising: the CRTM module, the platform start-up code module, the BIOS Boot Block module, the BIOS version information module, the BIOS Main Block module, the motherboard peripheral module, the Bootloader Grub module and the operating system kernel module;
A measurement acquisition unit, for using the SM3 algorithm set up by the setting unit to measure, in the step-by-step measurement manner, the code in the current module to be loaded of the chain of trust, and for obtaining the hash value corresponding to the current module to be loaded from the hexadecimal data of the code in that module;
A judging unit, for judging whether the hash value obtained by the measurement acquisition unit for the current module to be loaded is consistent with the reference value stored in the configuration register PCR corresponding to that module, and if so, triggering a loading unit;
The loading unit, for receiving the trigger from the judging unit and loading the code and data in the current module to be loaded.
8. The device according to claim 7, characterized by further comprising: a determining unit and an SM3 algorithm providing unit, wherein,
The determining unit is for determining that an initial section of code in the BIOS is absolutely trusted code;
The SM3 algorithm providing unit is the means by which the chip provides a corresponding interface for each module of the chain of trust, the corresponding interface providing the SM3 algorithm to the corresponding module;
The measurement acquisition unit is for:
Controlling the absolutely trusted code to use the SM3 algorithm provided by the SM3 algorithm providing unit to measure the CRTM module, and obtaining the first hash value, corresponding to the CRTM module, from the hexadecimal data of the code in the CRTM module;
Controlling the CRTM module to use the SM3 algorithm provided by the SM3 algorithm providing unit to measure the platform start-up code module and the BIOS Boot Block module, and obtaining the second hash value and the third hash value, corresponding to the platform start-up code module and the BIOS Boot Block module, from the hexadecimal data of the code in those modules;
Controlling the BIOS Boot Block module to use the SM3 algorithm provided by the SM3 algorithm providing unit to measure the code and data of the BIOS version information module and the BIOS Main Block module, and obtaining the fourth hash value and the fifth hash value, corresponding to the BIOS version information module and the BIOS Main Block module, from the hexadecimal data of the code in those modules;
Controlling the BIOS Main Block module to use the SM3 algorithm provided by the SM3 algorithm providing unit to measure the code and data of the motherboard peripheral module and the Bootloader Grub module, and obtaining the sixth hash value and the seventh hash value, corresponding to the motherboard peripheral module and the Bootloader Grub module, from the hexadecimal data of the peripheral data and code in those modules;
Controlling the Bootloader Grub module to use the SM3 algorithm provided by the SM3 algorithm providing unit to measure the code and configuration file of the operating system kernel module, and obtaining the eighth hash value, corresponding to the operating system kernel module, from the hexadecimal data of the configuration file information and code in the operating system kernel module.
9. The device according to claim 8, characterized in that,
The judging unit is for: judging whether the first hash value is consistent with the reference value stored in the configuration register PCR corresponding to the CRTM module, and if so, triggering the loading unit to load the CRTM module;
Judging whether the second hash value and the third hash value are consistent with the reference values stored in the configuration registers PCR corresponding to the platform start-up code module and the BIOS Boot Block module, and if so, triggering the loading unit to load the platform start-up code module and the BIOS Boot Block module;
Judging whether the fourth hash value and the fifth hash value are consistent with the reference values stored in the configuration registers PCR corresponding to the BIOS version information module and the BIOS Main Block module, and if so, triggering the loading unit to load the BIOS version information module and the BIOS Main Block module;
Judging whether the sixth hash value and the seventh hash value are consistent with the reference values stored in the configuration registers PCR corresponding to the motherboard peripheral module and the Bootloader Grub module, and if so, triggering the loading unit to load the motherboard peripheral module and the Bootloader Grub module;
Judging whether the eighth hash value is consistent with the reference value stored in the configuration register PCR corresponding to the operating system kernel module, and if so, triggering the loading unit to load the operating system kernel module.
10. The device according to claim 7, characterized by
Further comprising: a division unit, wherein,
The division unit is for dividing the Bootloader Grub module into three modules: Stage1, Stage1.5 and Stage2;
The measurement acquisition unit is further for: when the current module to be loaded is the Bootloader Grub module, having the BIOS Main Block module measure the Stage1 module, the Stage1 module measure the Stage1.5 module, and the Stage1.5 module measure the Stage2 module; and when the current module to be loaded is the operating system kernel module, having the Stage2 module measure the operating system kernel module;
And/or,
The chip is a Z32H320TC chip;
The configuration unit is for configuring configuration register PCR0 of the Z32H320TC chip for any one or more of the CRTM module, the platform start-up code module, the BIOS Boot Block module, the BIOS version information module and the BIOS Main Block module; configuring configuration register PCR2 of the Z32H320TC chip for the motherboard peripheral module; configuring configuration register PCR4 of the Z32H320TC chip for the Bootloader Grub module; and configuring configuration register PCR5 of the Z32H320TC chip for the operating system kernel module;
And/or,
Further comprising: a reference value acquiring unit, wherein,
The reference value acquiring unit is for, when the system in the platform is started for the first time, using the SM3 algorithm to obtain, in turn and in the step-by-step measurement manner, the initial hash value corresponding to each module, and taking the respective initial hash value of each module as the reference value of the corresponding module.
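The measure, compare and load sequence of claims 4 to 10, as an added Python example that is not part of the patent: it enrols reference hashes on a first boot, then shows a modified Stage1.5 image stopping the chain before Stage2 or the kernel is loaded. The module labels, the sample images and the (PCR index, module) layout of the reference store are assumptions made for illustration, and SHA-256 is used as a stand-in where the local OpenSSL build does not offer SM3.

```python
import hashlib

ROOT = "trusted initial BIOS code"   # the code claim 8 treats as absolutely trusted
# (measuring module, [(measured module, PCR index), ...]) in boot order, following
# claims 4, 5 and 8. Module names are shortened labels chosen for this example.
STAGES = [
    (ROOT, [("CRTM", 0)]),
    ("CRTM", [("platform start-up code", 0), ("BIOS Boot Block", 0)]),
    ("BIOS Boot Block", [("BIOS version info", 0), ("BIOS Main Block", 0)]),
    ("BIOS Main Block", [("motherboard peripherals", 2), ("GRUB Stage1", 4)]),
    ("GRUB Stage1", [("GRUB Stage1.5", 4)]),
    ("GRUB Stage1.5", [("GRUB Stage2", 4)]),
    ("GRUB Stage2", [("OS kernel + config", 5)]),
]

def measure(image: bytes) -> str:
    """Hash a module image with SM3; SHA-256 is a stand-in if OpenSSL lacks SM3."""
    try:
        h = hashlib.new("sm3")
    except ValueError:
        h = hashlib.sha256()
    h.update(image)
    return h.hexdigest()

def enroll(images: dict) -> dict:
    """First boot (claim 6): record each module's initial hash as its reference.
    Keying by (PCR index, module) is an assumption about how several references
    share PCR0; the claims do not say how they are laid out in the register."""
    return {(pcr, name): measure(images[name])
            for _, targets in STAGES for name, pcr in targets}

def boot(images: dict, reference: dict):
    """Measure, compare, then load, stage by stage. Returns (loaded, failed)."""
    loaded = []
    for measurer, targets in STAGES:
        # Only the root or an already verified-and-loaded module may measure.
        if measurer != ROOT and measurer not in loaded:
            raise RuntimeError(f"{measurer} was never verified")
        failed = [name for name, pcr in targets
                  if measure(images[name]) != reference.get((pcr, name))]
        if failed:                      # mismatch: nothing in this stage is loaded
            return loaded, failed
        loaded += [name for name, _ in targets]
    return loaded, []

# Constructed sample images; real inputs would be the firmware and boot binaries.
GOOD = {name: f"{name} image v1".encode()
        for _, targets in STAGES for name, _ in targets}
TAMPERED = {**GOOD, "GRUB Stage1.5": b"GRUB Stage1.5 image v1 + patch"}

if __name__ == "__main__":
    ref = enroll(GOOD)
    print(boot(GOOD, ref))       # every module loaded, no failures
    print(boot(TAMPERED, ref))   # stops at GRUB Stage1.5
```

Because the references are recorded from whatever runs at first boot, the enrolment step is only as trustworthy as the platform state at that moment.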
CN201510321340.9A 2015-06-12 2015-06-12 Chain-of-trust construction method and device based on chip Pending CN104966022A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510321340.9A CN104966022A (en) 2015-06-12 2015-06-12 Chain-of-trust construction method and device based on chip

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510321340.9A CN104966022A (en) 2015-06-12 2015-06-12 Chain-of-trust construction method and device based on chip

Publications (1)

Publication Number Publication Date
CN104966022A true CN104966022A (en) 2015-10-07

Family

ID=54220060

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510321340.9A Pending CN104966022A (en) 2015-06-12 2015-06-12 Chain-of-trust construction method and device based on chip

Country Status (1)

Country Link
CN (1) CN104966022A (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20151007