
CN103927490A - OS secure startup method and device - Google Patents

OS secure startup method and device

Info

Publication number: CN103927490A
Authority: CN (China)
Prior art keywords: operating system, measurement result, measure, trust, authentication
Legal status: Pending
Application number: CN201410172838.9A
Other languages: Chinese (zh)
Inventors: 杨青, 蒋小安, 施迅
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd; priority to CN201410172838.9A; published as CN103927490A

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/575 Secure boot
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/44 Program or device authentication


Abstract

Embodiments of the present invention provide a method and device for securely booting an operating system. The method includes: performing signature authentication on the UEFI BIOS and, if that passes, performing signature authentication on the operating system boot program; measuring the authenticated boot program with a secure hash algorithm and taking the resulting measurement as the root of trust; taking the root of trust as the initial value and measuring a plurality of operating system configuration files in sequence; and obtaining the final measurement result and comparing it with the expected security value to verify whether the operating system may be securely booted. The embodiments verify the security of the operating system boot program by digital signature authentication, measure the verified boot program to produce a root of trust, measure the operating system (OS) step by step from that root, and thereby extend the chain of trust from the BIOS to the OS, solving the prior-art problem that the security of the programs started after the BootLoader cannot be guaranteed.

Description

Operating system secure boot method and device

Technical field

Embodiments of the present invention relate to the field of computer technology, and in particular to a method and device for securely booting an operating system.

Background

In today's information age, protecting information security and providing a trustworthy computing environment has become an unavoidable requirement of informatization. As malware evolves rapidly, it is increasingly choosing the Basic Input Output System (BIOS) as its preferred attack target; malicious code that attacks low-level firmware and boot programs is hard to defend against, so the trustworthiness and security of the computer boot process are particularly important.

The BIOS is fixed in a Read-Only Memory (ROM) chip on the computer motherboard and holds the computer's most essential basic input/output routines, power-on self-test routines, system start-up routines and setup menu. Its main function is to give the computer the lowest-level, most direct hardware configuration, control and access. Secure Boot is a firmware verification method defined by the Unified Extensible Firmware Interface (UEFI) specification; the specification describes how platform firmware manages security certificates, how firmware is verified, and the interface between firmware and operating system, with the aim of preventing malware from getting in. Secure Boot relies on digital signatures and key-based authentication. When the motherboard leaves the factory, a set of trusted public keys can be built in; any operating system loader or hardware driver that wants to load on that board must validate against these keys, that is, the software must have been signed with a corresponding private key, otherwise the firmware refuses to load it.

The boot process of an operating system can be divided roughly into BIOS boot, boot loader (BootLoader) boot, and operating system boot. The boot loader is a small program that runs before the operating system kernel; on legacy BIOS systems it lives in the Master Boot Record (MBR), while on UEFI systems it is an EFI application on the EFI System Partition. It is the operating system boot program: once the BIOS has finished, control is handed to the BootLoader, which loads and starts the operating system. Secure Boot can only guarantee the trustworthiness of the BIOS and the BootLoader during boot; it cannot guarantee the security of the programs started after the BootLoader.

Summary of the invention

Embodiments of the present invention provide a method and device for securely booting an operating system, in order to overcome the inability of the prior art to guarantee the security of the programs started after the BootLoader.

In a first aspect, an embodiment of the present invention provides a method for securely booting an operating system, including:

performing signature authentication on the Unified Extensible Firmware Interface basic input output system (UEFI BIOS) and, if that authentication passes, performing signature authentication on the operating system boot program;

measuring the authenticated operating system boot program with a secure hash algorithm and taking the resulting measurement as the root of trust;

taking the root of trust as the initial value and measuring a plurality of operating system configuration files in sequence;

obtaining the final measurement result and comparing it with the expected security value to verify whether the operating system may be securely booted.

With reference to the first aspect, in a first possible implementation of the first aspect, taking the root of trust as the initial value and measuring a plurality of operating system configuration files in sequence includes:

measuring the operating system configuration file with the secure hash algorithm, feeding that measurement together with the initial value into the secure hash algorithm again, taking the resulting value as the measurement result, and using that measurement result as the new initial value for measuring the next operating system configuration file, until all operating system configuration files have been measured.

With reference to the first aspect or its first possible implementation, in a second possible implementation of the first aspect, obtaining the final measurement result and comparing it with the expected security value to verify whether the operating system may be securely booted includes:

if the final measurement result matches the expected security value, booting the operating system; if it does not match, not booting the operating system.

With reference to the second possible implementation of the first aspect, a third possible implementation of the first aspect further includes:

performing the secure hash algorithm measurement on a Trusted Platform Module (TPM);

storing the measurement result in a Platform Configuration Register (PCR) of the TPM.

In a second aspect, an embodiment of the present invention provides a device for securely booting an operating system, including:

a signature authentication module, configured to perform signature authentication on the Unified Extensible Firmware Interface basic input output system (UEFI BIOS) and, if that authentication passes, perform signature authentication on the operating system boot program;

a measurement module, configured to measure the authenticated operating system boot program with a secure hash algorithm and take the resulting measurement as the root of trust;

the measurement module being further configured to take the root of trust as the initial value and measure a plurality of operating system configuration files in sequence;

a verification module, configured to obtain the final measurement result and compare it with the expected security value to verify whether the operating system may be securely booted.

With reference to the second aspect, in a first possible implementation of the second aspect, the measurement module is specifically configured to:

measure the operating system configuration file with the secure hash algorithm, feed that measurement together with the initial value into the secure hash algorithm again, take the resulting value as the measurement result, and use that measurement result as the new initial value for measuring the next operating system configuration file, until all operating system configuration files have been measured.

With reference to the second aspect or its first possible implementation, in a second possible implementation of the second aspect, the verification module is specifically configured to:

boot the operating system if the final measurement result matches the expected security value, and not boot the operating system if it does not match.

With reference to the second possible implementation of the second aspect, in a third possible implementation of the second aspect, the measurement module includes a Trusted Platform Module (TPM), configured to perform the secure hash algorithm measurement on the TPM;

and the device further includes a Platform Configuration Register (PCR), configured to store the measurement result.

In the method and device for securely booting an operating system according to the embodiments of the present invention, signature authentication is performed on the UEFI BIOS and, if it passes, on the operating system boot program; the authenticated boot program is measured with a secure hash algorithm and the resulting measurement is taken as the root of trust; the root of trust is taken as the initial value and a plurality of operating system configuration files are measured in sequence; and the final measurement result is obtained and compared with the expected security value to verify whether the operating system may be securely booted. The security of the operating system boot program is thus verified by digital signature authentication, the verified boot program is measured to produce a root of trust, the operating system (OS) is measured step by step from that root, and the chain of trust is extended from the BIOS to the OS, solving the prior-art problem that the security of the programs started after the BootLoader, i.e. the OS start-up programs, cannot be guaranteed.

Brief description of the drawings

In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.

FIG. 1 is a flow chart of Embodiment 1 of the operating system secure boot method of the present invention;

FIG. 1A is a schematic diagram of the execution flow of Embodiment 1 of the operating system secure boot method of the present invention;

FIG. 2 is a schematic structural diagram of Embodiment 1 of the operating system secure boot device of the present invention;

FIG. 3 is a schematic structural diagram of Embodiment 1 of the operating system secure boot equipment of the present invention.

Detailed description

To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the protection scope of the present invention.

FIG. 1 is a flow chart of Embodiment 1 of the operating system secure boot method of the present invention. FIG. 1A is a schematic diagram of the execution flow of Embodiment 1 of the method. The executing entity of this embodiment is the operating system secure boot device, which may be implemented in software and/or hardware. As shown in FIG. 1, the method of this embodiment may include:

Step 101: perform signature authentication on the Unified Extensible Firmware Interface basic input output system (UEFI BIOS) and, if that authentication passes, perform signature authentication on the operating system boot program.

Specifically, as shown in FIG. 1A, when the operating system starts, the UEFI BIOS is first authenticated by signature; once that passes, the operating system boot program is read from disk and authenticated by signature. The signature authentication may use CA-issued digital signatures. Using the Secure Boot mechanism to guarantee the security of the BIOS keeps the signature authentication process transparent to the user, so user acceptance is high.

GRUB (GRand Unified Bootloader) is an operating system boot loader used to boot different systems such as Windows and Linux. GRUB is an implementation of the Multiboot Specification: it allows a user to keep several operating systems on one computer and to choose which one to run when the computer starts. GRUB can also be used to select among different kernels on an operating system partition and to pass boot parameters to those kernels.

During UEFI BIOS signature authentication, Option ROM signatures can be authenticated at the same time. A hardware board is compatible with third-party peripherals such as network cards and Redundant Array of Independent Disks (RAID) cards, and the vendors of such add-in cards supply either a legacy Option ROM binary or an Extensible Firmware Interface (EFI) driver to the UEFI BIOS; during operating system boot the UEFI BIOS initializes the add-in card by calling the Option ROM code.

Step 102: measure the authenticated operating system boot program with a secure hash algorithm and take the resulting measurement as the root of trust.

Specifically, a secure hash algorithm (SHA) takes an input message of arbitrary length (the pre-image) and, in a one-way manner that cannot practically be reversed, produces a short output of fixed length called the hash value or message digest. The digest is not ciphertext and hashing is not encryption: nothing is recovered from a digest, and a plain digest is also not a message authentication code, which additionally needs a secret key. What matters for measurement is that any change to the input yields a different digest.

The authenticated operating system boot program is measured with the secure hash algorithm; the resulting digest is the measurement result and serves as the root of trust, from which the operating system kernel files and so on are measured in turn.

Step 103: take the root of trust as the initial value and measure the plurality of operating system configuration files in sequence.

Optionally, taking the root of trust as the initial value and measuring the plurality of operating system configuration files in sequence includes:

measuring the operating system configuration file with the secure hash algorithm, feeding that measurement together with the initial value into the secure hash algorithm again, taking the resulting value as the measurement result, and using that measurement result as the new initial value for measuring the next operating system configuration file, until all operating system configuration files have been measured.

Specifically, as shown in FIG. 1A, the operating system configuration files include the virtual machine monitor Xen, operating system kernel files such as the Linux kernel, the initial RAM disk image initrd, modules, and key system files. The plurality of operating system configuration files may be measured as follows: take the root of trust as the initial value N0; measure the first operating system configuration file with the secure hash algorithm, giving VALUE; feed VALUE and N0 into the secure hash algorithm again and take the result as the measurement result N1, i.e. N1 = SHA(N0 + VALUE), where "+" denotes concatenation of the two digests, and store N1; then use the measurement result as the new initial value for the next operating system configuration file, i.e. set N0 = N1, and repeat until all operating system configuration files have been measured, saving the measurement result of every file. Because each result depends on the previous one, both the content and the order of the files are bound into the final value.

Step 104: obtain the final measurement result and compare it with the expected security value to verify whether the operating system may be securely booted.

Optionally, obtaining the final measurement result and comparing it with the expected security value to verify whether the operating system may be securely booted includes:

if the final measurement result matches the expected security value, booting the operating system; if it does not match, not booting the operating system.

Specifically, the final measurement result stored in step 103 is obtained and compared with the preset expected security value; if they match, the operating system is booted; if not, the operating system is not booted. The expected security value must itself be kept where the boot path cannot rewrite it, since an attacker who can replace it can make a tampered chain pass the comparison.
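The four steps above (101 to 104), including the chained measurement N1 = SHA(N0 + VALUE) of step 103, as an added worked example; this is not code from the patent or from Huawei. It assumes SHA-256 as the secure hash algorithm, reads the "+" in the formula as concatenation (the same operation as a TPM PCR extend), and models step 101 by checking the boot program's SHA-256 hash against the UEFI db and dbx signature databases, which can hold image hashes as well as certificates; the certificate/Authenticode path is not implemented. The "images" are constructed byte strings, and the function names (`authorize_image`, `measure_chain`, `verify_boot`, `demo`) are this example's own.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed stand-ins for the images the patent names: GRUB as the boot
# program, then Xen, the Linux kernel, the initrd and a module as the
# "operating system configuration files". None of these is a real binary.
GOLDEN_BOOT_PROGRAM = b"grubx64.efi (constructed sample image)"
GOLDEN_CONFIG_FILES: List[Tuple[str, bytes]] = [
    ("xen.gz", b"xen hypervisor image (constructed)"),
    ("vmlinuz", b"linux kernel image (constructed)"),
    ("initrd.img", b"initial ramdisk image (constructed)"),
    ("e1000e.ko", b"kernel module (constructed)"),
]


def sha256(data: bytes) -> bytes:
    """The 'secure hash algorithm' of the patent, fixed here to SHA-256."""
    return hashlib.sha256(data).digest()


def authorize_image(image: bytes, db: set, dbx: set) -> bool:
    """Step 101, simplified (assumption): the boot program is allowed only if
    its SHA-256 hash is listed in db and not in dbx. UEFI Secure Boot's
    signature databases can hold such image hashes; the certificate /
    Authenticode path is not modelled here."""
    digest = sha256(image)
    return digest in db and digest not in dbx


def extend(current: bytes, measured: bytes) -> bytes:
    """One link of the chain: N1 = SHA(N0 || VALUE). The '+' in the patent's
    formula is read as concatenation, exactly like a TPM PCR extend."""
    return sha256(current + measured)


def measure_chain(boot_program: bytes,
                  config_files: List[Tuple[str, bytes]]):
    """Steps 102 and 103: root of trust = SHA(boot program), then fold each
    configuration file in, in order. Returns (final value, event log)."""
    current = sha256(boot_program)            # step 102: root of trust N0
    log = []
    for name, content in config_files:        # step 103
        value = sha256(content)               # VALUE = SHA(file)
        current = extend(current, value)      # N1 = SHA(N0 || VALUE); N0 = N1
        log.append((name, value.hex(), current.hex()))
    return current, log


def provision_expected(boot_program: bytes,
                       config_files: List[Tuple[str, bytes]]) -> bytes:
    """The 'expected security value' is the same chain run over known-good
    images ahead of time; it must be stored where the boot path cannot
    rewrite it (e.g. an authenticated firmware variable)."""
    return measure_chain(boot_program, config_files)[0]


def verify_boot(boot_program: bytes, config_files: List[Tuple[str, bytes]],
                db: set, dbx: set, expected: bytes) -> Tuple[bool, str]:
    """Steps 101 to 104 end to end. Returns (may_boot, reason)."""
    if not authorize_image(boot_program, db, dbx):
        return False, "boot program not authorized by db/dbx"
    final, _log = measure_chain(boot_program, config_files)
    # constant-time compare; the digests are attacker-influenced
    if not hmac.compare_digest(final, expected):
        return False, "final measurement differs from expected value"
    return True, "measurements match; operating system may start"


def demo() -> Dict[str, bool]:
    """Golden boot plus four failure modes. True = boot, False = halt."""
    good_hash = sha256(GOLDEN_BOOT_PROGRAM)
    db, dbx = {good_hash}, set()
    expected = provision_expected(GOLDEN_BOOT_PROGRAM, GOLDEN_CONFIG_FILES)

    tampered = [(n, c + b"\x90" if n == "initrd.img" else c)
                for n, c in GOLDEN_CONFIG_FILES]
    reordered = [GOLDEN_CONFIG_FILES[1], GOLDEN_CONFIG_FILES[0]] \
        + GOLDEN_CONFIG_FILES[2:]
    patched_boot = GOLDEN_BOOT_PROGRAM + b" (patched)"

    return {
        "golden": verify_boot(GOLDEN_BOOT_PROGRAM, GOLDEN_CONFIG_FILES,
                              db, dbx, expected)[0],
        "tampered_initrd": verify_boot(GOLDEN_BOOT_PROGRAM, tampered,
                                       db, dbx, expected)[0],
        "reordered_files": verify_boot(GOLDEN_BOOT_PROGRAM, reordered,
                                       db, dbx, expected)[0],
        "unauthorized_boot": verify_boot(patched_boot, GOLDEN_CONFIG_FILES,
                                         db, dbx, expected)[0],
        "revoked_boot": verify_boot(GOLDEN_BOOT_PROGRAM, GOLDEN_CONFIG_FILES,
                                    db, {good_hash}, expected)[0],
    }


if __name__ == "__main__":
    for case, may_boot in demo().items():
        print(f"{case:18s} -> {'BOOT' if may_boot else 'HALT'}")
```

Only the golden case boots. The other cases show what the chain binds: a one-byte change to initrd, or swapping the order of Xen and the kernel, changes the final value even though every individual file digest is still a "good" digest, and a boot program that is not in db, or is in dbx, never reaches the measurement step at all. A TPM PCR starts at all zeros and is extended with the same SHA(old || digest) form; the patent instead seeds the chain with the digest of the boot program.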

Optionally, the method of this embodiment may further include:

performing the secure hash algorithm measurement on a Trusted Platform Module (TPM);

storing the measurement result in a Platform Configuration Register (PCR) of the TPM.

Specifically, a Trusted Platform Module (TPM) 2.0 may be used to perform the secure hash algorithm measurement; a TPM 2.0 chip complies with the TPM specification defined by the Trusted Computing Group (TCG). The measurement results produced during the measurement process may be stored in the TPM's Platform Configuration Registers (PCRs). Note that a PCR cannot be written directly: a value is folded in with the extend operation, PCR_new = SHA(PCR_old || digest), which has the same form as the chain of step 103, so the per-file measurement results are recorded by extending a PCR rather than by overwriting it.

In this embodiment, signature authentication is performed on the basic input output system (BIOS) and, if it passes, on the operating system boot program; the authenticated boot program is measured with a secure hash algorithm and the resulting measurement is taken as the root of trust; the root of trust is taken as the initial value and a plurality of operating system configuration files are measured in sequence; and the final measurement result is obtained and compared with the expected security value to verify whether the operating system may be securely booted. The security of the operating system boot program is thus verified by digital signature authentication, the verified boot program is measured to produce a root of trust, the operating system (OS) is measured step by step from that root, and the chain of trust is extended from the BIOS to the OS, solving the prior-art problem that the security of the programs started after the BootLoader, i.e. the OS start-up programs, cannot be guaranteed.

FIG. 2 is a schematic structural diagram of Embodiment 1 of the operating system secure boot device of the present invention. As shown in FIG. 2, the operating system secure boot device 20 of this embodiment may include a signature authentication module 201, a measurement module 202 and a verification module 203. The signature authentication module 201 is configured to perform signature authentication on the Unified Extensible Firmware Interface basic input output system (UEFI BIOS) and, if that passes, on the operating system boot program; the measurement module 202 is configured to measure the authenticated operating system boot program with a secure hash algorithm and take the resulting measurement as the root of trust; the measurement module 202 is further configured to take the root of trust as the initial value and measure a plurality of operating system configuration files in sequence; and the verification module 203 is configured to obtain the final measurement result and compare it with the expected security value to verify whether the operating system may be securely booted.

Optionally, the measurement module 202 is specifically configured to:

measure the operating system configuration file with the secure hash algorithm, feed that measurement together with the initial value into the secure hash algorithm again, take the resulting value as the measurement result, and use that measurement result as the new initial value for measuring the next operating system configuration file, until all operating system configuration files have been measured.

Optionally, the verification module 203 is specifically configured to:

boot the operating system if the final measurement result matches the expected security value, and not boot the operating system if it does not match.

Optionally, the measurement module 202 may include a Trusted Platform Module (TPM) 2020, configured to perform the secure hash algorithm measurement on the TPM;

and the operating system secure boot device 20 may further include a Platform Configuration Register (PCR) 204, configured to store the measurement result.

The device of this embodiment may be used to carry out the technical solution of the method embodiment shown in FIG. 1; its implementation principle and technical effect are similar and are not repeated here.

图3为本发明操作系统安全启动设备实施例一的结构示意图。如图3所示,本实施例提供的操作系统安全启动设备30包括处理器301和存储器302。操作系统安全启动设备30还可以包括发射器303、接收器304。发射器303和接收器304可以和处理器301相连。在硬件实现上,发射器、接收器、处理器可以封闭到一个芯片,或者分别用一个芯片来实现。其中,发射器303用于发送数据或信息,接收器304用于接收数据或信息,存储器302存储执行指令,当操作系统安全启动设备30运行时,处理器301与存储器302之间通信,处理器301调用存储器302中的执行指令,用于执行方法实施例一所述的技术方案,其实现原理和技术效果类似,此处不再赘述。FIG. 3 is a schematic structural diagram of Embodiment 1 of an operating system secure boot device according to the present invention. As shown in FIG. 3 , the operating system secure boot device 30 provided in this embodiment includes a processor 301 and a memory 302 . The operating system security boot device 30 may further include a transmitter 303 and a receiver 304 . The transmitter 303 and the receiver 304 may be connected to the processor 301 . In terms of hardware implementation, the transmitter, receiver, and processor can be enclosed in one chip, or implemented with one chip respectively. Wherein, the transmitter 303 is used to send data or information, the receiver 304 is used to receive data or information, the memory 302 stores execution instructions, and when the operating system security boot device 30 is running, the processor 301 communicates with the memory 302, and the processor 301 invokes the execution instruction in the memory 302 to execute the technical solution described in the first method embodiment. The implementation principle and technical effect are similar, and will not be repeated here.

在本申请所提供的几个实施例中,应该理解到,所揭露的设备和方法,可以通过其它的方式实现。例如,以上所描述的设备实施例仅仅是示意性的,例如,所述单元或模块的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或模块可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,设备或模块的间接耦合或通信连接,可以是电性,机械或其它的形式。In the several embodiments provided in this application, it should be understood that the disclosed devices and methods may be implemented in other ways. For example, the device embodiments described above are only illustrative. For example, the division of the units or modules is only a logical function division. In actual implementation, there may be other division methods. For example, multiple units or modules can be Incorporation may either be integrated into another system, or some features may be omitted, or not implemented. In another point, the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or modules may be in electrical, mechanical or other forms.

The modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be performed by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium; when executed, it performs the steps of the above method embodiments. The storage medium includes ROM, RAM, magnetic disks, optical disks and other media capable of storing program code.

Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (8)

1. A method for secure startup of an operating system, comprising:
performing signature authentication on the Unified Extensible Firmware Interface basic input/output system (UEFI BIOS) and, if the authentication passes, performing signature authentication on the operating system boot loader;
measuring the authenticated operating system boot loader with a secure hash algorithm and using the resulting measurement result as a root of trust;
using the root of trust as an initial value, measuring a plurality of operating system configuration files in sequence;
obtaining the final measurement result, comparing it with an expected security value, and verifying whether the operating system may be started securely.

2. The method according to claim 1, wherein using the root of trust as the initial value and measuring the plurality of operating system configuration files in sequence comprises:
measuring the operating system configuration file with the secure hash algorithm, measuring again with the measurement result and the initial value as the inputs of the secure hash algorithm, taking the resulting value as the measurement result, and using that measurement result as the new initial value for measuring the next operating system configuration file, until all operating system configuration files have been measured.

3. The method according to claim 1 or 2, wherein obtaining the final measurement result, comparing it with the expected security value and verifying whether the operating system may be started securely comprises:
if the final measurement result matches the expected security value, starting the operating system securely; if it does not match, not starting the operating system.

4. The method according to claim 3, further comprising:
performing the measurement of the secure hash algorithm on a Trusted Platform Module (TPM);
storing the measurement result in a Platform Configuration Register (PCR) of the TPM.

5. An operating system secure startup apparatus, comprising:
a signature authentication module, configured to perform signature authentication on the Unified Extensible Firmware Interface basic input/output system (UEFI BIOS) and, if the authentication passes, to perform signature authentication on the operating system boot loader;
a measurement module, configured to measure the authenticated operating system boot loader with a secure hash algorithm and to use the resulting measurement result as a root of trust;
the measurement module being further configured to use the root of trust as an initial value and to measure a plurality of operating system configuration files in sequence;
a verification module, configured to obtain the final measurement result, compare it with an expected security value, and verify whether the operating system may be started securely.

6. The apparatus according to claim 5, wherein the measurement module is specifically configured to:
measure the operating system configuration file with the secure hash algorithm, measure again with the measurement result and the initial value as the inputs of the secure hash algorithm, take the resulting value as the measurement result, and use that measurement result as the new initial value for measuring the next operating system configuration file, until all operating system configuration files have been measured.

7. The apparatus according to claim 5 or 6, wherein the verification module is specifically configured to:
start the operating system securely if the final measurement result matches the expected security value, and not start the operating system if it does not match.

8. The apparatus according to claim 7, wherein the measurement module comprises a Trusted Platform Module (TPM) configured to perform the measurement of the secure hash algorithm on the TPM;
the apparatus further comprising a Platform Configuration Register (PCR) configured to store the measurement result.
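The measurement chain of claims 1 to 3, written out as an added Python example; this is not code from the patent or from Huawei. It assumes SHA-256 as the "secure hash algorithm", the concatenation order initial value || file hash when the initial value and the file measurement are re-hashed (the claims do not fix an order; this mirrors a TPM PCR extend), and plain software in place of the TPM and PCR of claim 4. The boot loader image and configuration files are constructed sample data, and the signature authentication of the UEFI BIOS and boot loader in claim 1 is taken as already having passed before the chain starts.

```python
import hashlib
import hmac
from typing import Iterable, Sequence, Tuple

# Constructed sample inputs (not taken from the patent): a stand-in boot
# loader image and three stand-in operating system configuration files.
BOOTLOADER = b"stand-in operating system boot loader image v1"
CONFIG_FILES: Sequence[Tuple[str, bytes]] = (
    ("/etc/fstab", b"UUID=demo-root / ext4 defaults 0 1\n"),
    ("/etc/sysctl.conf", b"kernel.randomize_va_space = 2\n"),
    ("/boot/cmdline.txt", b"root=/dev/sda1 ro quiet\n"),
)


def measure(data: bytes) -> bytes:
    """One secure-hash measurement. SHA-256 is an assumption; the claims
    only say 'secure hash algorithm'."""
    return hashlib.sha256(data).digest()


def root_of_trust(bootloader: bytes) -> bytes:
    """Claim 1: the measurement of the (already signature-authenticated)
    boot loader is used as the root of trust."""
    return measure(bootloader)


def extend(initial: bytes, config: bytes) -> bytes:
    """Claim 2: hash the configuration file, then hash the initial value
    together with that file hash; the result becomes the next initial value.
    The order initial || file_hash is an assumption (the claims do not fix
    it); it is the same shape as a TPM PCR extend."""
    return measure(initial + measure(config))


def measure_chain(root: bytes, configs: Iterable[Tuple[str, bytes]]) -> bytes:
    """Measure every configuration file in sequence, starting from the root.
    The return value is the 'final measurement result' of claim 1."""
    value = root
    for _path, content in configs:
        value = extend(value, content)
    return value


def expected_security_value(bootloader: bytes,
                            configs: Iterable[Tuple[str, bytes]]) -> bytes:
    """Provision the expected security value from a known-good boot loader
    and configuration set; this is the reference the final result is
    compared against."""
    return measure_chain(root_of_trust(bootloader), configs)


def verify_boot(bootloader: bytes, configs: Iterable[Tuple[str, bytes]],
                expected: bytes) -> bool:
    """Claim 3: allow the OS to start only if the final measurement matches
    the expected security value. compare_digest avoids a timing side channel
    on the comparison."""
    final = measure_chain(root_of_trust(bootloader), configs)
    return hmac.compare_digest(final, expected)


if __name__ == "__main__":
    golden = expected_security_value(BOOTLOADER, CONFIG_FILES)
    print("expected security value:", golden.hex())
    print("pristine files may boot:", verify_boot(BOOTLOADER, CONFIG_FILES, golden))
    tampered = list(CONFIG_FILES)
    tampered[1] = ("/etc/sysctl.conf", b"kernel.randomize_va_space = 0\n")
    print("tampered sysctl may boot:", verify_boot(BOOTLOADER, tampered, golden))
```

Because each step folds the previous value into the next hash, the final result depends on the content of every file and on the order in which they are measured: a one-byte change in any file, swapping two files, or a different boot loader all yield a different final value and the verification fails. The practical consequence is that the expected security value must be re-provisioned whenever a configuration file legitimately changes, and the measurement order must be fixed by the boot code rather than by, for example, directory listing order.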
CN201410172838.9A 2014-04-25 2014-04-25 OS secure startup method and device Pending CN103927490A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410172838.9A CN103927490A (en) 2014-04-25 2014-04-25 OS secure startup method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410172838.9A CN103927490A (en) 2014-04-25 2014-04-25 OS secure startup method and device

Publications (1)

Publication Number Publication Date
CN103927490A true CN103927490A (en) 2014-07-16

Family

ID=51145708

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410172838.9A Pending CN103927490A (en) 2014-04-25 2014-04-25 OS secure startup method and device

Country Status (1)

Country Link
CN (1) CN103927490A (en)

Cited By (46)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104331666A (en) * 2014-11-10 2015-02-04 成都卫士通信息产业股份有限公司 Trusted measurement method for computer systems
CN104809398A (en) * 2015-04-21 2015-07-29 深圳怡化电脑股份有限公司 Tamper-proof method and tamper-proof device for bootstrap firmware of password keyboard
CN104866392A (en) * 2015-05-20 2015-08-26 浪潮电子信息产业股份有限公司 Virtual machine security protection method and apparatus
CN104866768A (en) * 2015-05-15 2015-08-26 深圳怡化电脑股份有限公司 Startup control method and device for ATM (Automatic Teller Machine) operating system
CN104966022A (en) * 2015-06-12 2015-10-07 浪潮电子信息产业股份有限公司 Chain-of-trust construction method and device based on chip
CN105447391A (en) * 2015-12-09 2016-03-30 浪潮电子信息产业股份有限公司 Operating system secure startup method, startup manager and operating system secure startup system
CN106095468A (en) * 2016-07-20 2016-11-09 杭州华澜微电子股份有限公司 A kind of computer starting method and device
CN106250760A (en) * 2016-07-26 2016-12-21 浪潮电子信息产业股份有限公司 A U‑Boot trusted startup method based on TPM2.0 chip
CN106341224A (en) * 2016-07-20 2017-01-18 国网安徽省电力公司信息通信分公司 Customized server-based TCM application system and system guidance method
CN106506166A (en) * 2016-10-26 2017-03-15 泰山医学院 Terminal Trusted Platform System in Cloud Computing Environment
CN106548063A (en) * 2016-11-01 2017-03-29 广东浪潮大数据研究有限公司 A kind of credible tolerance methods, devices and systems
CN106845243A (en) * 2016-12-13 2017-06-13 北京元心科技有限公司 Improve the method and system for starting safety
CN106886473A (en) * 2017-04-24 2017-06-23 郑州云海信息技术有限公司 A kind of startup method of server, device and server
WO2017133559A1 (en) * 2016-02-05 2017-08-10 中兴通讯股份有限公司 Secure boot method and device
CN107357908A (en) * 2017-07-17 2017-11-17 浪潮(北京)电子信息产业有限公司 A kind of detection method and device of dummy machine system file
CN107870788A (en) * 2016-09-26 2018-04-03 展讯通信(上海)有限公司 The startup method and terminal device of terminal device under more credible performing environment
WO2018090823A1 (en) * 2016-11-21 2018-05-24 惠州Tcl移动通信有限公司 Method and system for protecting system partition key data, and terminal
CN108256330A (en) * 2016-12-29 2018-07-06 联想(上海)信息技术有限公司 Facility information safeguard method and device
WO2018176125A1 (en) * 2017-03-28 2018-10-04 Sierra Wireless, Inc. Method and apparatus for secure computing device start up
CN108804325A (en) * 2018-06-08 2018-11-13 郑州云海信息技术有限公司 A kind of test method to Secure Boot
CN109508535A (en) * 2018-10-30 2019-03-22 百富计算机技术(深圳)有限公司 Firmware safety certifying method, device and payment terminal
CN109598126A (en) * 2018-12-03 2019-04-09 贵州华芯通半导体技术有限公司 A kind of safety startup of system methods, devices and systems based on national secret algorithm
CN109684849A (en) * 2017-10-18 2019-04-26 佳能株式会社 Information processing unit, its control method and storage medium
CN109997140A (en) * 2018-09-10 2019-07-09 深圳市汇顶科技股份有限公司 Accelerate the low-power-consumption embedded equipment of clean boot from the sleep state of equipment using write-once register
CN110543769A (en) * 2019-08-29 2019-12-06 武汉大学 A trusted startup method based on encrypted TF card
CN111045743A (en) * 2019-12-12 2020-04-21 海光信息技术有限公司 Operating system secure boot method, management method, device, and device
CN111046392A (en) * 2019-11-26 2020-04-21 深圳中电长城信息安全系统有限公司 BIOS (basic input output System) credibility measuring method and device and terminal equipment
CN111241548A (en) * 2020-01-07 2020-06-05 天津飞腾信息技术有限公司 Computer starting method
CN112016090A (en) * 2019-05-30 2020-12-01 阿里巴巴集团控股有限公司 Secure computing card, and measurement method and system based on secure computing card
CN112395621A (en) * 2020-11-27 2021-02-23 中电科技(北京)有限公司 Operating system boot method, firmware, security certificate and computer
CN112464271A (en) * 2021-01-27 2021-03-09 信联科技(南京)有限公司 Method and system for constructing high-reliability execution environment of power Internet of things edge Internet of things agent
CN112487435A (en) * 2020-11-06 2021-03-12 麒麟软件有限公司 Secure starting method based on X86 architecture
CN112560011A (en) * 2021-02-07 2021-03-26 浙江地芯引力科技有限公司 External adapter equipment safety authentication system and method based on encryption chip
CN112636928A (en) * 2020-12-29 2021-04-09 广东国腾量子科技有限公司 Decentralized trusted authentication method based on block chain, storage device and mobile terminal
CN112800429A (en) * 2021-01-28 2021-05-14 北京工业大学 Method for protecting driver in UEFI BIOS firmware system based on foundation
CN113051584A (en) * 2021-05-31 2021-06-29 武汉深之度科技有限公司 System secure starting method and device, computing equipment and readable storage medium
CN113190853A (en) * 2021-03-24 2021-07-30 中国电力科学研究院有限公司 Computer credibility authentication system, method, equipment and readable storage medium
CN113420299A (en) * 2021-04-15 2021-09-21 麒麟软件有限公司 Computer system safe starting and guiding method based on SM3 cryptographic algorithm
CN113553109A (en) * 2021-07-12 2021-10-26 华东师范大学 A method for verifying operating system pre-installation software
CN113553108A (en) * 2021-07-12 2021-10-26 华东师范大学 System for checking front software of operating system
CN114077739A (en) * 2020-08-21 2022-02-22 华为技术有限公司 Method and device for starting rapid Peripheral Component Interconnect (PCI) equipment and storage medium
CN114201747A (en) * 2021-11-29 2022-03-18 海光信息技术股份有限公司 Dynamic measurement root implementation method, device, system and storage medium
CN114417305A (en) * 2021-12-31 2022-04-29 联想(北京)有限公司 A control method and control device
CN114510249A (en) * 2021-12-30 2022-05-17 中电科技(北京)股份有限公司 UEFI-based OS installation image and OS kernel signature verification method and device
CN117874773A (en) * 2024-03-12 2024-04-12 麒麟软件有限公司 Operating system secure startup method and device based on security level control strategy
CN119918063A (en) * 2025-01-17 2025-05-02 苏州元脑智能科技有限公司 Operating system startup security verification method, device, system and related equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101038556A (en) * 2007-04-30 2007-09-19 中国科学院软件研究所 Trusted bootstrap method and system thereof
CN101576944A (en) * 2008-11-20 2009-11-11 武汉大学 Computer secure startup system based on trusted platform module
CN101599025A (en) * 2009-07-07 2009-12-09 武汉大学 Safety virtualization method of trusted crypto module
US20120151223A1 (en) * 2010-09-20 2012-06-14 Conde Marques Ricardo Nuno De Pinho Coelho Method for securing a computing device with a trusted platform module-tpm

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
刘东丽: "Design of a UEFI-based chain of trust and implementation of a TPM driver", China Master's Theses Full-text Database, Information Science and Technology *
师俊芳, 李小将, 李新明: "Research on the design of a TPM-based secure operating system", Journal of the Academy of Equipment Command & Technology *
韦荣, 鞠磊, 方勇, 杨波: "Application of trusted computing measurement mechanisms in the chain of trust", Network Security Technology & Application *
黄海彬: "Research and implementation of platform security policy based on the EFI firmware file system", China Master's Theses Full-text Database, Information Science and Technology *
黄涛, 沈昌祥: "A trusted boot scheme based on a trusted server", Journal of Wuhan University (Natural Science Edition) *

Cited By (60)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104331666A (en) * 2014-11-10 2015-02-04 成都卫士通信息产业股份有限公司 Trusted measurement method for computer systems
CN104809398A (en) * 2015-04-21 2015-07-29 深圳怡化电脑股份有限公司 Tamper-proof method and tamper-proof device for bootstrap firmware of password keyboard
CN104866768A (en) * 2015-05-15 2015-08-26 深圳怡化电脑股份有限公司 Startup control method and device for ATM (Automatic Teller Machine) operating system
CN104866392A (en) * 2015-05-20 2015-08-26 浪潮电子信息产业股份有限公司 Virtual machine security protection method and apparatus
CN104966022A (en) * 2015-06-12 2015-10-07 浪潮电子信息产业股份有限公司 Chain-of-trust construction method and device based on chip
CN105447391A (en) * 2015-12-09 2016-03-30 浪潮电子信息产业股份有限公司 Operating system secure startup method, startup manager and operating system secure startup system
WO2017133559A1 (en) * 2016-02-05 2017-08-10 中兴通讯股份有限公司 Secure boot method and device
CN106095468A (en) * 2016-07-20 2016-11-09 杭州华澜微电子股份有限公司 A kind of computer starting method and device
CN106341224A (en) * 2016-07-20 2017-01-18 国网安徽省电力公司信息通信分公司 Customized server-based TCM application system and system guidance method
CN106095468B (en) * 2016-07-20 2019-07-19 杭州华澜微电子股份有限公司 A kind of computer starting method and device
CN106250760A (en) * 2016-07-26 2016-12-21 浪潮电子信息产业股份有限公司 A U‑Boot trusted startup method based on TPM2.0 chip
CN107870788A (en) * 2016-09-26 2018-04-03 展讯通信(上海)有限公司 The startup method and terminal device of terminal device under more credible performing environment
CN107870788B (en) * 2016-09-26 2020-10-02 展讯通信(上海)有限公司 Starting method of terminal equipment under multiple trusted execution environments and terminal equipment
CN106506166A (en) * 2016-10-26 2017-03-15 泰山医学院 Terminal Trusted Platform System in Cloud Computing Environment
CN106506166B (en) * 2016-10-26 2020-02-11 泰山医学院 Terminal trusted platform system under cloud computing environment
CN106548063A (en) * 2016-11-01 2017-03-29 广东浪潮大数据研究有限公司 A kind of credible tolerance methods, devices and systems
US11057216B2 (en) 2016-11-21 2021-07-06 Huizhou Tcl Mobile Communication Co., Ltd. Protection method and protection system of system partition key data and terminal
WO2018090823A1 (en) * 2016-11-21 2018-05-24 惠州Tcl移动通信有限公司 Method and system for protecting system partition key data, and terminal
CN106845243A (en) * 2016-12-13 2017-06-13 北京元心科技有限公司 Improve the method and system for starting safety
CN108256330A (en) * 2016-12-29 2018-07-06 联想(上海)信息技术有限公司 Facility information safeguard method and device
WO2018176125A1 (en) * 2017-03-28 2018-10-04 Sierra Wireless, Inc. Method and apparatus for secure computing device start up
US11048801B2 (en) 2017-03-28 2021-06-29 Sierra Wireless, Inc. Method and apparatus for secure computing device start up
CN106886473A (en) * 2017-04-24 2017-06-23 郑州云海信息技术有限公司 A kind of startup method of server, device and server
CN107357908B (en) * 2017-07-17 2020-07-03 浪潮(北京)电子信息产业有限公司 Method and device for detecting virtual machine system files
CN107357908A (en) * 2017-07-17 2017-11-17 浪潮(北京)电子信息产业有限公司 A kind of detection method and device of dummy machine system file
CN109684849A (en) * 2017-10-18 2019-04-26 佳能株式会社 Information processing unit, its control method and storage medium
CN108804325A (en) * 2018-06-08 2018-11-13 郑州云海信息技术有限公司 A kind of test method to Secure Boot
CN109997140A (en) * 2018-09-10 2019-07-09 深圳市汇顶科技股份有限公司 Accelerate the low-power-consumption embedded equipment of clean boot from the sleep state of equipment using write-once register
CN109508535A (en) * 2018-10-30 2019-03-22 百富计算机技术(深圳)有限公司 Firmware safety certifying method, device and payment terminal
CN109598126A (en) * 2018-12-03 2019-04-09 贵州华芯通半导体技术有限公司 A kind of safety startup of system methods, devices and systems based on national secret algorithm
CN112016090B (en) * 2019-05-30 2024-01-23 阿里巴巴集团控股有限公司 Secure computing card, and measuring method and system based on secure computing card
CN112016090A (en) * 2019-05-30 2020-12-01 阿里巴巴集团控股有限公司 Secure computing card, and measurement method and system based on secure computing card
CN110543769B (en) * 2019-08-29 2023-09-15 武汉大学 A trusted boot method based on encrypted TF card
CN110543769A (en) * 2019-08-29 2019-12-06 武汉大学 A trusted startup method based on encrypted TF card
CN111046392A (en) * 2019-11-26 2020-04-21 深圳中电长城信息安全系统有限公司 BIOS (basic input output System) credibility measuring method and device and terminal equipment
CN111045743B (en) * 2019-12-12 2024-02-13 海光信息技术股份有限公司 Operating system secure startup method, management method, device, equipment
CN111045743A (en) * 2019-12-12 2020-04-21 海光信息技术有限公司 Operating system secure boot method, management method, device, and device
CN111241548B (en) * 2020-01-07 2022-09-09 飞腾信息技术有限公司 Computer starting method
CN111241548A (en) * 2020-01-07 2020-06-05 天津飞腾信息技术有限公司 Computer starting method
CN114077739A (en) * 2020-08-21 2022-02-22 华为技术有限公司 Method and device for starting rapid Peripheral Component Interconnect (PCI) equipment and storage medium
CN112487435A (en) * 2020-11-06 2021-03-12 麒麟软件有限公司 Secure starting method based on X86 architecture
CN112395621A (en) * 2020-11-27 2021-02-23 中电科技(北京)有限公司 Operating system boot method, firmware, security certificate and computer
CN112636928A (en) * 2020-12-29 2021-04-09 广东国腾量子科技有限公司 Decentralized trusted authentication method based on block chain, storage device and mobile terminal
CN112636928B (en) * 2020-12-29 2023-01-17 广东国腾量子科技有限公司 Decentralized trusted authentication method based on block chain, storage device and mobile terminal
CN112464271A (en) * 2021-01-27 2021-03-09 信联科技(南京)有限公司 Method and system for constructing high-reliability execution environment of power Internet of things edge Internet of things agent
CN112800429B (en) * 2021-01-28 2024-05-24 北京工业大学 A method for driver protection in a basic UEFI BIOS firmware system
CN112800429A (en) * 2021-01-28 2021-05-14 北京工业大学 Method for protecting driver in UEFI BIOS firmware system based on foundation
CN112560011B (en) * 2021-02-07 2021-06-01 浙江地芯引力科技有限公司 External adapter equipment safety authentication system and method based on encryption chip
CN112560011A (en) * 2021-02-07 2021-03-26 浙江地芯引力科技有限公司 External adapter equipment safety authentication system and method based on encryption chip
CN113190853A (en) * 2021-03-24 2021-07-30 中国电力科学研究院有限公司 Computer credibility authentication system, method, equipment and readable storage medium
CN113420299A (en) * 2021-04-15 2021-09-21 麒麟软件有限公司 Computer system safe starting and guiding method based on SM3 cryptographic algorithm
CN113051584A (en) * 2021-05-31 2021-06-29 武汉深之度科技有限公司 System secure starting method and device, computing equipment and readable storage medium
CN113553108A (en) * 2021-07-12 2021-10-26 华东师范大学 System for checking front software of operating system
CN113553109A (en) * 2021-07-12 2021-10-26 华东师范大学 A method for verifying operating system pre-installation software
CN114201747A (en) * 2021-11-29 2022-03-18 海光信息技术股份有限公司 Dynamic measurement root implementation method, device, system and storage medium
CN114510249A (en) * 2021-12-30 2022-05-17 中电科技(北京)股份有限公司 UEFI-based OS installation image and OS kernel signature verification method and device
CN114417305A (en) * 2021-12-31 2022-04-29 联想(北京)有限公司 A control method and control device
CN117874773A (en) * 2024-03-12 2024-04-12 麒麟软件有限公司 Operating system secure startup method and device based on security level control strategy
CN119918063A (en) * 2025-01-17 2025-05-02 苏州元脑智能科技有限公司 Operating system startup security verification method, device, system and related equipment
CN119918063B (en) * 2025-01-17 2026-01-30 苏州元脑智能科技有限公司 Operating system startup security verification method, device, system and related equipment

Similar Documents

Publication Publication Date Title
CN103927490A (en) OS secure startup method and device
US8892858B2 (en) Methods and apparatus for trusted boot optimization
CN104995629B (en) The method, apparatus and system that trust for platform boot firmware continues
US10152600B2 (en) Methods and systems to measure a hypervisor after the hypervisor has already been measured and booted
US8544092B2 (en) Integrity verification using a peripheral device
US10635821B2 (en) Method and apparatus for launching a device
US11194586B2 (en) Secure boot override in a computing device equipped with unified-extensible firmware interface (UEFI)-compliant firmware
US11455396B2 (en) Using trusted platform module (TPM) emulator engines to measure firmware images
CN102270288B (en) Method for performing trusted boot on operation system based on reverse integrity verification
US20090172378A1 (en) Method and system for using a trusted disk drive and alternate master boot record for integrity services during the boot of a computing platform
EP3701411B1 (en) Software packages policies management in a securela booted enclave
CN106462711B (en) verified boot
US10776493B2 (en) Secure management and execution of computing code including firmware
CN119377944A (en) Data processing method and related equipment
US11803454B2 (en) Chained loading with static and dynamic root of trust measurements
US11809876B2 (en) Trusted platform module protection for non-volatile memory express (NVMe) recovery
US11861011B2 (en) Secure boot process
US12072982B2 (en) Pre-authorized virtualization engine for dynamic firmware measurement
CN115061735A (en) Processing method and device
US11669618B2 (en) Systems and methods for securing and loading bios drivers and dependencies in a predefined and measured load order
CN115687039B (en) Cloud platform verification method, cloud platform verification component and ARM cloud platform
US20180322291A1 (en) Operational verification

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20140716

RJ01 Rejection of invention patent application after publication