[go: up one dir, main page]

CN114417301A - An information processing method, information processing apparatus, electronic device and storage medium - Google Patents

An information processing method, information processing apparatus, electronic device and storage medium Download PDF

Info

Publication number
CN114417301A
CN114417301A CN202111500871.6A CN202111500871A CN114417301A CN 114417301 A CN114417301 A CN 114417301A CN 202111500871 A CN202111500871 A CN 202111500871A CN 114417301 A CN114417301 A CN 114417301A
Authority
CN
China
Prior art keywords
access channel
management controller
band access
baseboard management
detection result
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111500871.6A
Other languages
Chinese (zh)
Other versions
CN114417301B (en
Inventor
黄树福
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Lenovo Beijing Ltd filed Critical Lenovo Beijing Ltd
Priority to CN202111500871.6A priority Critical patent/CN114417301B/en
Publication of CN114417301A publication Critical patent/CN114417301A/en
Application granted granted Critical
Publication of CN114417301B publication Critical patent/CN114417301B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Automation & Control Theory (AREA)
  • Stored Programmes (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the application discloses an information processing method, which comprises the following steps: under the condition that the mainboard is electrified and the in-band access channel is opened, obtaining a detection result of whether the in-band access channel accesses the substrate management controller and is in the running environment of the boot system; and if the detection result represents that the access to the substrate management controller is not in the running environment, informing the substrate management controller to close the in-band access channel. The embodiment of the application also discloses an information processing device, electronic equipment and a storage medium.

Description

一种信息处理方法、信息处理装置、电子设备和存储介质An information processing method, information processing apparatus, electronic device and storage medium

技术领域technical field

本申请涉及但不限于信息技术领域,尤其涉及一种信息处理方法、信息处理装置、电子设备和存储介质。The present application relates to, but is not limited to, the field of information technology, and in particular, relates to an information processing method, an information processing apparatus, an electronic device, and a storage medium.

背景技术Background technique

当前基板管理控制器(Baseboard Management Controller,BMC)带内常规访问通道,主要用于引导系统和操作系统下应用程序跟BMC进行通信使用。Currently, a baseboard management controller (Baseboard Management Controller, BMC) in-band conventional access channel is mainly used to guide the system and applications under the operating system to communicate with the BMC.

在攻击者能接触到服务器实体的场景中,很容易通过外界存储设备来启动服务器,从而轻松获得BMC访问权限,由此轻松获取BMC内数据,甚至修改系统配置。In a scenario where an attacker can access the server entity, it is easy to start the server through an external storage device, so as to easily obtain BMC access rights, thereby easily obtaining data in the BMC, and even modifying the system configuration.

发明内容SUMMARY OF THE INVENTION

本申请实施例期望提供一种信息处理方法、信息处理装置、电子设备和存储介质。The embodiments of the present application are expected to provide an information processing method, an information processing apparatus, an electronic device, and a storage medium.

本申请的技术方案是这样实现的:The technical solution of the present application is realized as follows:

一种信息处理方法,所述方法包括:An information processing method, the method comprising:

在主板上电完成且带内访问通道打开的情况下,获得通过所述带内访问通道对基板管理控制器进行访问,是否处于引导系统的运行环境下的检测结果;When the mainboard is powered on and the in-band access channel is open, obtain a detection result of whether the baseboard management controller is accessed through the in-band access channel, and whether it is in the operating environment of the boot system;

若检测结果表征对所述基板管理控制器进行访问不处于所述运行环境下,通知基板管理控制器关闭所述带内访问通道。If the detection result indicates that the access to the baseboard management controller is not in the operating environment, the baseboard management controller is notified to close the in-band access channel.

一种信息处理装置,所述信息处理装置,包括:An information processing device, the information processing device comprising:

获得模块,用于在主板上电完成且带内访问通道打开的情况下,获得通过所述带内访问通道对基板管理控制器进行访问,是否处于引导系统的运行环境下的检测结果;Obtaining a module for obtaining a detection result of whether the baseboard management controller is accessed through the in-band access channel and whether it is in the operating environment of the boot system when the mainboard is powered on and the in-band access channel is open;

处理模块,用于若检测结果表征对所述基板管理控制器进行访问不处于所述运行环境下,通知基板管理控制器关闭所述带内访问通道。The processing module is configured to notify the baseboard management controller to close the in-band access channel if the detection result indicates that the access to the baseboard management controller is not in the operating environment.

一种电子设备,所述电子设备包括:处理器、存储器和通信总线;An electronic device comprising: a processor, a memory and a communication bus;

所述通信总线用于实现处理器和存储器之间的通信连接;The communication bus is used to realize the communication connection between the processor and the memory;

所述处理器用于执行存储器中存储的信息处理程序,以实现上述的信息处理方法的步骤。The processor is configured to execute the information processing program stored in the memory, so as to realize the steps of the above-mentioned information processing method.

一种计算机存储介质,所述计算机存储介质存储有一个或者多个程序,所述一个或者多个程序可被一个或者多个处理器执行,以实现如上述的信息处理方法的步骤。A computer storage medium stores one or more programs, and the one or more programs can be executed by one or more processors to implement the steps of the above-mentioned information processing method.

本申请实施例所提供的信息处理方法、信息处理装置、电子设备和存储介质,该方法包括:在主板上电完成且带内访问通道打开的情况下,获得通过带内访问通道对基板管理控制器进行访问,是否处于引导系统的运行环境下的检测结果;若检测结果表征对基板管理控制器进行访问不处于运行环境下,通知基板管理控制器关闭带内访问通道;也就是说,只要判定通过带内访问通道对基板管理控制器进行访问,不处于引导系统的运行环境下的检测结果,此时表征不具有带内访问通道的访问权限,则立即关闭带内访问通道,如此,即使攻击者能够接触到服务器实体,由于攻击者对基板管理控制器进行访问不处于引导系统的运行环境下,所以关闭了带内访问通道,阻止了攻击者的访问,提供了基板管理控制器的访问的安全性。The information processing method, information processing device, electronic device, and storage medium provided by the embodiments of the present application include: when the main board is powered on and the in-band access channel is opened, obtaining the management control of the substrate through the in-band access channel If the detection result indicates that the access to the baseboard management controller is not in the running environment, the baseboard management controller is notified to close the in-band access channel; that is, as long as it is determined The baseboard management controller is accessed through the in-band access channel, and the detection result is not in the operating environment of the boot system. At this time, it indicates that the access authority does not have the in-band access channel, and the in-band access channel is immediately closed. In this way, even if the attack The attacker can access the server entity. Since the attacker's access to the baseboard management controller is not in the operating environment of the boot system, the in-band access channel is closed, preventing the attacker's access and providing the access of the baseboard management controller. safety.

附图说明Description of drawings

图1为本申请的实施例提供的一种可选的信息处理方法的流程示意图;1 is a schematic flowchart of an optional information processing method provided by an embodiment of the present application;

图2为本申请的实施例提供的一种可选的信息处理方法的流程示意图;2 is a schematic flowchart of an optional information processing method provided by an embodiment of the present application;

图3为本申请的实施例提供的一种可选的信息处理方法的流程示意图;3 is a schematic flowchart of an optional information processing method provided by an embodiment of the present application;

图4为本申请的实施例提供的一种可选的信息处理方法的流程示意图;4 is a schematic flowchart of an optional information processing method provided by an embodiment of the present application;

图5为本申请的实施例提供的一种信息处理装置的结构示意图;5 is a schematic structural diagram of an information processing apparatus according to an embodiment of the present application;

图6为本申请的实施例提供的一种电子设备的结构示意图。FIG. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.

具体实施方式Detailed ways

下面将结合本申请实施例中的附图,对本申请实施例中的技术方案进行清楚、完整地描述。The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application.

除非另有定义,本文所使用的所有的技术和科学术语与属于本申请的技术领域的技术人员通常理解的含义相同。本文中所使用的术语只是为了描述本申请实施例的目的,不是旨在限制本申请。Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the technical field to which this application belongs. The terms used herein are only for the purpose of describing the embodiments of the present application, and are not intended to limit the present application.

对本申请实施例进行进一步详细说明之前,对本申请实施例中涉及的名词和术语进行说明,本申请实施例中涉及的名词和术语适用于如下的解释。Before further describing the embodiments of the present application in detail, the terms and terms involved in the embodiments of the present application are described, and the terms and terms involved in the embodiments of the present application are suitable for the following explanations.

当前BMC带内常规访问通道,主要用于引导系统和操作系统下应用程序跟BMC进行通信使用。The current BMC in-band conventional access channel is mainly used for the boot system and the application under the operating system to communicate with the BMC.

在攻击者能接触到服务器实体的场景中,很容易通过外界存储设备来启动服务器,从而轻松获得BMC访问权限,由此轻松获取BMC内数据,甚至修改系统配置。例如,边缘服务器不在机房,或者安防比较弱,对于边缘服务器而言,对基板管理控制器进行访问就存在重大的安全隐患。In a scenario where an attacker can access the server entity, it is easy to start the server through an external storage device, so as to easily obtain BMC access rights, thereby easily obtaining data in the BMC, and even modifying the system configuration. For example, if the edge server is not in the computer room, or the security protection is relatively weak, for the edge server, accessing the baseboard management controller poses a major security risk.

本申请的实施例提供一种信息处理方法,该信息处理方法可以应用于电子设备。参照图1所示,该方法包括以下步骤:The embodiments of the present application provide an information processing method, and the information processing method can be applied to an electronic device. Referring to Figure 1, the method includes the following steps:

步骤101、在主板上电完成且带内访问通道打开的情况下,获得通过带内访问通道对基板管理控制器进行访问,是否处于引导系统的运行环境下的检测结果。Step 101 , when the mainboard is powered on and the in-band access channel is open, obtain a detection result of whether the baseboard management controller is accessed through the in-band access channel and whether it is in the operating environment of the boot system.

本申请实施例中,带内访问通道包括但不限于键盘控制器样式(KeyboardController Style,KCS)通道、块传输(Block Transfer,BT)通道。In this embodiment of the present application, the in-band access channel includes but is not limited to a keyboard controller style (Keyboard Controller Style, KCS) channel and a block transfer (Block Transfer, BT) channel.

本申请实施例中,引导系统又称为固件系统,固件系统包括但不限于固定电子设备如个人计算机(Personal Computer,PC)的基本输入输出系统(Basic Input OutputSystem,BIOS),统一的可扩展固件接口系统(Unified Extensible Firmware Interface,UEFI)、可扩展固件接口系统(Extensible Firmware Interface,EFI),移动电子设备如手机的启动装载Bootloader系统。需要说明的是,本申请实施例中涉及的引导系统,具有安全引导(Secure Boot)功能,Secure Boot的核心就是利用数字签名来确认EFI驱动程序或者应用程序是否是受信任的,从而确保系统引导的安全可靠。In this embodiment of the present application, the boot system is also referred to as a firmware system, and the firmware system includes but is not limited to a basic input output system (BIOS) of a fixed electronic device such as a personal computer (Personal Computer, PC), a unified extensible firmware An interface system (Unified Extensible Firmware Interface, UEFI), an Extensible Firmware Interface (Extensible Firmware Interface, EFI), and a bootloader system for a mobile electronic device such as a mobile phone. It should be noted that the boot system involved in the embodiments of the present application has a secure boot (Secure Boot) function, and the core of Secure Boot is to use a digital signature to confirm whether the EFI driver or application is trusted, so as to ensure that the system boots safe and reliable.

示例性的,固件系统为UEFI时,UEFI中绝大部分代码采用C语言编写,UEFI应用程序和驱动可以用C++编写。UEFI通过固件操作系统接口为操作系统(Operating System,OS)和OS加载器屏蔽了底层硬件细节,使得UEFI上层应用可以方便重用。相比传统的BIOS,UEFI有了很大提升,从启动到进入操作系统的时间大大缩短。Exemplarily, when the firmware system is UEFI, most codes in UEFI are written in C language, and UEFI applications and drivers can be written in C++. UEFI shields the underlying hardware details for an operating system (Operating System, OS) and an OS loader through a firmware operating system interface, so that UEFI upper-layer applications can be easily reused. Compared with the traditional BIOS, UEFI has been greatly improved, and the time from booting to entering the operating system is greatly shortened.

本申请实施例中,主板,又叫主机板(mainboard),它安装在机箱内,是微机最基本的也是最重要的部件之一。主板一般为矩形电路板,上面安装了组成计算机的主要电路系统,一般有引导系统芯片、输入/输出(Input/Output,I/O)控制芯片、键盘和面板控制开关接口、指示灯插接件、扩充插槽、主板及插卡的直流电源供电接插件等元件。其中,控制芯片包括但不限于中央处理器(Central Processing Unit,CPU),现场可编程门阵列(Field-Programmable Gate Array,FPGA)或复杂可编程逻辑器件(Complex Programmable LogicDevice,CPLD)。In the embodiment of the present application, the mainboard, also called the mainboard, is installed in the chassis and is one of the most basic and important components of the microcomputer. The main board is generally a rectangular circuit board, on which the main circuit systems that make up the computer are installed, generally including a boot system chip, an input/output (I/O) control chip, a keyboard and panel control switch interfaces, and indicator light connectors. , Expansion slots, DC power supply connectors for motherboards and cards and other components. The control chip includes but is not limited to a central processing unit (Central Processing Unit, CPU), a field programmable gate array (Field-Programmable Gate Array, FPGA) or a complex programmable logic device (Complex Programmable Logic Device, CPLD).

在一些实施例中,在电子设备开机或者重启的场景中,会执行计算机的上电过程,在主板上电完成且带内访问通道打开的情况下,获得通过带内访问通道对基板管理控制器进行访问,是否处于引导系统的运行环境下的检测结果。这里,检测结果包括通过带内访问通道对基板管理控制器进行访问,处于引导系统的运行环境下的检测结果;或者,通过带内访问通道对基板管理控制器进行访问,不处于引导系统的运行环境下的检测结果。In some embodiments, in the scenario where the electronic device is powered on or restarted, the power-on process of the computer will be performed, and when the power-on of the motherboard is completed and the in-band access channel is opened, the baseboard management controller obtained through the in-band access channel is obtained. Access is made to check whether it is in the operating environment of the boot system. Here, the detection result includes the detection result of accessing the baseboard management controller through the in-band access channel and under the operating environment of the boot system; or, accessing the baseboard management controller through the in-band access channel and not in the operation of the boot system test results in the environment.

本申请实施例中,电子设备包括但不限于诸如手机、平板电脑、笔记本电脑、个人数字助理(Personal Digital Assistant,PDA)、相机、可穿戴设备、车载设备等移动终端设备,以及诸如台式计算机等固定终端设备。In the embodiments of the present application, electronic devices include but are not limited to mobile terminal devices such as mobile phones, tablet computers, notebook computers, personal digital assistants (PDAs), cameras, wearable devices, in-vehicle devices, etc., as well as desktop computers, etc. Fixed terminal equipment.

步骤102、若检测结果表征对基板管理控制器进行访问不处于运行环境下,通知基板管理控制器关闭带内访问通道。Step 102 , if the detection result indicates that the access to the baseboard management controller is not in the running environment, the baseboard management controller is notified to close the in-band access channel.

本申请实施例中,若检测结果表征对基板管理控制器进行访问不处于引导系统的运行环境下,通知基板管理控制器关闭带内访问通道,也就是说,本申请限制带内访问通道仅能在引导系统的运行环境下被访问,利用引导系统的安全可靠性,保证带内访问通道的带内访问都是在可信范围内,一旦发现不处于引导系统的运行环境下,则关闭带内访问通道,阻止不安全访问的发生。In the embodiment of the present application, if the detection result indicates that the access to the baseboard management controller is not in the operating environment of the boot system, the baseboard management controller is notified to close the in-band access channel, that is, the present application restricts the in-band access channel to only Accessed in the operating environment of the boot system, using the security and reliability of the boot system to ensure that the in-band access of the in-band access channel is within the trusted range, once it is found that it is not in the operating environment of the boot system, the in-band access is closed. Access channels to prevent unsafe access from occurring.

本申请实施例提供的信息处理方法,在主板上电完成且带内访问通道打开的情况下,获得通过带内访问通道对基板管理控制器进行访问,是否处于引导系统的运行环境下的检测结果;若检测结果表征对基板管理控制器进行访问不处于运行环境下,通知基板管理控制器关闭带内访问通道;也就是说,只要判定通过带内访问通道对基板管理控制器进行访问,不处于引导系统的运行环境下的检测结果,此时表征不具有带内访问通道的访问权限,则立即关闭带内访问通道,如此,即使攻击者能够接触到服务器实体,由于攻击者对基板管理控制器进行访问不处于引导系统的运行环境下,所以关闭了带内访问通道,阻止了攻击者的访问,提供了基板管理控制器的访问的安全性。In the information processing method provided by the embodiment of the present application, when the main board is powered on and the in-band access channel is open, the detection result of whether the baseboard management controller is accessed through the in-band access channel and whether it is in the operating environment of the boot system is obtained. ; If the detection result indicates that the access to the baseboard management controller is not in the operating environment, the baseboard management controller is notified to close the in-band access channel; The detection result in the operating environment of the boot system indicates that the in-band access channel does not have the access right at this time, and the in-band access channel is immediately closed. In this way, even if the attacker can access the server entity, the attacker cannot control the baseboard management controller. The access is not in the operating environment of the boot system, so the in-band access channel is closed, the access of the attacker is prevented, and the access security of the baseboard management controller is provided.

本申请的实施例提供一种信息处理方法,该信息处理方法可以应用于电子设备。参照图2所示,该方法包括以下步骤:The embodiments of the present application provide an information processing method, and the information processing method can be applied to an electronic device. Referring to Figure 2, the method includes the following steps:

步骤201、在主板上电完成且带内访问通道打开的情况下,获得通过带内访问通道对基板管理控制器进行访问,不处于引导系统的运行环境下的检测结果。Step 201 , when the mainboard is powered on and the in-band access channel is open, obtain a detection result that the baseboard management controller is accessed through the in-band access channel and is not in the operating environment of the boot system.

本申请实施例中,在如下两个场景中,均可以得到不处于引导系统的运行环境下的检测结果:In the embodiment of the present application, in the following two scenarios, detection results that are not in the operating environment of the boot system can be obtained:

场景一、在主板上电完成且带内访问通道打开的情况下,若引导系统自检完成,获得通过带内访问通道对基板管理控制器进行访问,不处于引导系统的运行环境下的检测结果。Scenario 1. When the mainboard is powered on and the in-band access channel is open, if the boot system self-check is completed, the test result of accessing the baseboard management controller through the in-band access channel and not in the operating environment of the boot system is obtained. .

在场景一中,在电子设备开机或者重启的场景中,会执行计算机的上电过程,在主板上电完成且带内访问通道打开的情况下,若引导系统自检完成,即引导系统接管系统控制权进行系统引导和自检完成,接下来,将会由操作系统接管系统控制权,此时,确定通过带内访问通道对基板管理控制器进行访问,不处于引导系统的运行环境下的检测结果。In scenario 1, in the scenario where the electronic device is powered on or restarted, the power-on process of the computer will be performed. When the motherboard is powered on and the in-band access channel is open, if the boot system self-check is completed, the boot system will take over the system. The system boot and self-check are completed for the control right. Next, the operating system will take over the system control right. At this time, it is determined that the baseboard management controller is accessed through the in-band access channel, and the detection is not in the operating environment of the boot system. result.

在一些实施例中,检测南桥芯片的通用输入输出(General-purpose input/output,GPIO)管脚的输出信号,以便根据这些信号状态的不同组合定位发生故障的元器件;南桥芯片的GPIO管脚输出信号是与引导系统在自检过程中不断输出的、表示系统当前进程和诊断结果的检查点(checkpoint)码相对应的。In some embodiments, the output signals of the general-purpose input/output (GPIO) pins of the south bridge chip are detected, so as to locate the faulty component according to different combinations of these signal states; the GPIO of the south bridge chip The pin output signal corresponds to the checkpoint code which is continuously output by the guiding system in the self-checking process, and represents the current process and diagnosis result of the system.

在引导和自检过程中,引导系统不断输出checkpoint码来表示目前系统执行的诊断进程,如果系统停止在某个checkpoint码,说明此时系统出现问题,这些问题可归结为主板、内存、I/O设备或外设部件互连标准(Peripheral Component Interconnect,PCI)设备;如果发现系统部件出现问题,引导系统通过解析该checkpoint码而将问题归结到某个具体部件,如CPU、或内存、或主板;且在通常情况下,会在显示屏出现相应的提示。During the booting and self-checking process, the booting system continuously outputs the checkpoint code to indicate the current diagnostic process performed by the system. If the system stops at a certain checkpoint code, it means that there is a problem with the system at this time. These problems can be attributed to the motherboard, memory, I/O O device or peripheral component interconnect standard (Peripheral Component Interconnect, PCI) device; if there is a problem with a system component, the system is guided to parse the checkpoint code and attribute the problem to a specific component, such as CPU, or memory, or motherboard. ; and under normal circumstances, a corresponding prompt will appear on the display.

场景二、在主板上电完成且带内访问通道打开的情况下,若引导系统自检完成,且基板管理控制器检测到第一系统中断信号,通过引导系统处理第一系统中断信号;若引导系统处理完第一系统中断信号,获得通过带内访问通道对基板管理控制器进行访问,不处于运行环境下的检测结果。Scenario 2. When the mainboard is powered on and the in-band access channel is open, if the boot system self-check is completed and the baseboard management controller detects the first system interrupt signal, the first system interrupt signal is processed by the boot system; After the system processes the first system interrupt signal, it obtains the detection result that the baseboard management controller is accessed through the in-band access channel and is not in the running environment.

在场景二中,第一系统中断信号又称为第一系统管理中断(System ManagementInterrupt,SMI)信号,SMI是CPU级别的中断信号。In the second scenario, the first system interrupt signal is also called a first system management interrupt (System Management Interrupt, SMI) signal, and the SMI is a CPU-level interrupt signal.

在主板上电完成且带内访问通道打开的情况下,若引导系统自检完成,且基板管理控制器检测到第一系统中断信号,进入第一SMI时,主板上的控制芯片通知BMC,BMC检测到当前在SMI模式且引导系统自检完成,则BMC临时打开带内访问通道,或者由引导系统根据需要主动通知BMC打开带内访问通道;引导系统在SMI中正常使用常规方法使用带内访问通道,通过引导系统处理第一系统中断信号;若引导系统处理完第一系统中断信号,此时,BMC检测SMI退出,获得通过带内访问通道对基板管理控制器进行访问,不处于运行环境下的检测结果。上述使用常规方法使用带内访问通道,包括但不限于利用带内通道跟BMC进行各种交互操作,包括发送数据给BMC,获取BMC的数据和信息,透过BMC进行系统控制等。When the mainboard is powered on and the in-band access channel is open, if the boot system self-check is completed, and the baseboard management controller detects the first system interrupt signal, when entering the first SMI, the control chip on the mainboard notifies the BMC, and the BMC If it is detected that it is currently in SMI mode and the self-check of the boot system is completed, the BMC temporarily opens the in-band access channel, or the boot system actively informs the BMC to open the in-band access channel as needed; the boot system uses the conventional method to use the in-band access channel normally in SMI. channel, process the first system interrupt signal through the bootstrap system; if the bootstrap system finishes processing the first system interrupt signal, at this time, the BMC detects that the SMI exits, and obtains access to the baseboard management controller through the in-band access channel, which is not in the running environment test results. The above-mentioned conventional methods use in-band access channels, including but not limited to using in-band channels to perform various interactive operations with the BMC, including sending data to the BMC, obtaining data and information from the BMC, and performing system control through the BMC.

本申请实施例中,SMI信号在系统运行期随时可能产生,SMI中断处理过程中,在需要BMC带内访问通道前打开带内通道,使用完带内访问通道或退出SMI时关闭带内访问通道。In the embodiment of the present application, the SMI signal may be generated at any time during the system running period. During the SMI interrupt processing process, the in-band channel is opened before the BMC in-band access channel is required, and the in-band access channel is closed when the in-band access channel is used or the SMI is exited. .

步骤202、通知基板管理控制器关闭带内访问通道。Step 202: Notify the baseboard management controller to close the in-band access channel.

也就是说,在上述两个场景中的任一场景中,均属于脱离了引导系统的运行环境即可信范围,此时,立刻自动关闭带内访问通道,阻止不安全访问的发生。That is to say, in any of the above two scenarios, it belongs to the trusted range that is separated from the operating environment of the boot system. In this case, the in-band access channel is automatically closed immediately to prevent the occurrence of unsafe access.

本申请的实施例提供一种信息处理方法,该信息处理方法可以应用于电子设备。参照图3所示,该方法包括以下步骤:The embodiments of the present application provide an information processing method, and the information processing method can be applied to an electronic device. Referring to Figure 3, the method includes the following steps:

步骤301、在主板上电完成且带内访问通道打开的情况下,若引导系统自检完成,获得通过带内访问通道对基板管理控制器进行访问,不处于运行环境下的检测结果。Step 301 , when the mainboard is powered on and the in-band access channel is open, if the boot system self-check is completed, a detection result of accessing the baseboard management controller through the in-band access channel and not in the running environment is obtained.

本申请实施例中,在引导系统自检完成的情况下,属于脱离了引导系统的运行环境即可信范围,此时,检测到通过带内访问通道对基板管理控制器进行访问,不处于运行环境下的检测结果,立刻自动关闭带内访问通道,阻止不安全访问的发生。In the embodiment of the present application, when the self-check of the boot system is completed, it belongs to the trusted range that is separated from the operating environment of the boot system. At this time, it is detected that the baseboard management controller is accessed through the in-band access channel, and it is not running. According to the detection results in the environment, the in-band access channel is automatically closed immediately to prevent the occurrence of unsafe access.

步骤302、通知基板管理控制器关闭带内访问通道。Step 302: Notify the baseboard management controller to close the in-band access channel.

步骤303、通过基板管理控制器检测到第一系统中断信号,生成满足权限验证条件的打开事件。Step 303 , the baseboard management controller detects the first system interruption signal, and generates an open event that satisfies the authority verification condition.

本申请实施例中,在主板上电完成且带内访问通道打开的情况下,若引导系统自检完成,先关闭的带内访问通道;进一步的,在通过基板管理控制器检测到第一系统中断信号的情况下,即进入第一SMI时,生成满足权限验证条件的打开事件。In the embodiment of the present application, when the main board is powered on and the in-band access channel is open, if the self-check of the boot system is completed, the in-band access channel is closed first; further, when the baseboard management controller detects the first system In the case of an interrupt signal, that is, when entering the first SMI, an open event that satisfies the authorization verification condition is generated.

步骤304、若打开事件满足引导系统的权限验证条件,响应于打开事件,打开带内访问通道。Step 304: If the open event satisfies the authorization verification condition of the bootstrap system, in response to the open event, open the in-band access channel.

本申请实施例中,确定打开事件表征引导系统自检完成且通过基板管理控制器检测到第一系统中断信号,则判定打开事件满足引导系统的权限验证条件,响应于打开事件,打开带内访问通道,此时,BMC临时打开带内访问通道,或者由引导系统根据需要主动通知BMC打开带内访问通道;引导系统在SMI中正常使用常规方法使用带内访问通道,通过引导系统处理第一系统中断信号In the embodiment of the present application, it is determined that the opening event indicates that the self-check of the bootstrap system is completed and the first system interrupt signal is detected by the baseboard management controller, then it is determined that the opening event satisfies the authority verification condition of the bootstrap system, and in-band access is enabled in response to the opening event. Channel, at this time, the BMC temporarily opens the in-band access channel, or the boot system actively informs the BMC to open the in-band access channel as needed; the boot system normally uses the in-band access channel in the SMI using the conventional method, and processes the first system through the boot system interrupt signal

本申请其他实施例中,在主板上电完成的情况下,还可以执行如下步骤:In other embodiments of the present application, when the main board is powered on, the following steps may also be performed:

首先,打开带内访问通道。First, open the in-band access channel.

这里,在主板上电完成的情况下,BMC自动打开带内访问通道。Here, when the mainboard is powered on, the BMC automatically opens the in-band access channel.

其次,在引导系统自检的过程中,若基板管理控制器检测到第二系统中断信号,通过带内访问通道访问基板管理控制器,以获得自检诊断信息。Secondly, in the process of guiding the system self-inspection, if the baseboard management controller detects the second system interrupt signal, it accesses the baseboard management controller through the in-band access channel to obtain self-inspection diagnosis information.

这里,在引导系统引导和自检过程中,引导系统不断输出checkpoint码来表示目前系统执行的诊断进程,如果系统停止在某个checkpoint码,说明此时系统出现问题,生成第二系统中断信号如第二SMI信号,进一步的,引导系统可以通过带内访问通道访问基板管理控制器,以获得自检诊断信息。Here, during the booting and self-checking process of the booting system, the booting system continuously outputs the checkpoint code to indicate the current diagnostic process performed by the system. If the system stops at a certain checkpoint code, it means that there is a problem with the system at this time, and a second system interrupt signal is generated such as The second SMI signal further enables the boot system to access the baseboard management controller through the in-band access channel to obtain self-check diagnostic information.

本申请的实施例提供一种信息处理方法,该信息处理方法可以应用于电子设备。参照图4所示,该方法包括以下步骤:The embodiments of the present application provide an information processing method, and the information processing method can be applied to an electronic device. Referring to Figure 4, the method includes the following steps:

步骤401、在主板上电完成且带内访问通道打开的情况下,若引导系统自检完成,且基板管理控制器检测到第一系统中断信号,通过引导系统处理第一系统中断信号。Step 401 , when the mainboard is powered on and the in-band access channel is open, if the bootstrap system self-check is completed and the baseboard management controller detects the first system interrupt signal, the bootstrap system processes the first system interrupt signal.

步骤402、若引导系统处理完第一系统中断信号,获得通过带内访问通道对基板管理控制器进行访问,不处于运行环境下的检测结果。Step 402: If the bootstrap system finishes processing the first system interrupt signal, obtain a detection result that the baseboard management controller is accessed through the in-band access channel and is not in the running environment.

步骤403、通知基板管理控制器关闭带内访问通道。Step 403: Notify the baseboard management controller to close the in-band access channel.

步骤404、获得对带内访问通道的打开事件。Step 404: Obtain an open event for the in-band access channel.

本申请实施例中,在引导系统自检结束,第一系统中断信号处理完成的情况下,会关闭带内访问通道,防止攻击者对基板管理控制器进行访问时不处于引导系统的运行环境下带来的安全隐患。为提升用户使用弹性,方便用户仍然期望引导系统在自检结束后保留带内通道,方便操作系统层面仍然可以反问BMC,本申请通过对带内访问通道进行有权限的开关控制,即确保对BMC带内访问通道的访问是在安全环境下进行的,同时,又确保操作者本身是满足安全验证条件的,如此,实现带内访问通道的安全管理,进一步的提升基板管理控制器的访问的安全性。In this embodiment of the present application, when the boot system self-check is completed and the first system interrupt signal processing is completed, the in-band access channel will be closed to prevent attackers from accessing the baseboard management controller from not being in the operating environment of the boot system. security risks. In order to improve the flexibility of users, it is convenient for users to still expect the guiding system to retain the in-band channel after the self-check is completed, so that the operating system can still ask the BMC. The access of the in-band access channel is carried out in a secure environment, and at the same time, it ensures that the operator itself meets the security verification conditions. In this way, the security management of the in-band access channel is realized, and the access security of the baseboard management controller is further improved. sex.

本申请实施例中,步骤404获得对带内访问通道的打开事件,可以通过如下步骤实现:In the embodiment of the present application, step 404 obtains the opening event of the in-band access channel, which may be implemented by the following steps:

首先,获得引导系统和/或基板管理控制器的安全验证信息。First, obtain security verification information for the boot system and/or the baseboard management controller.

其次,若安全验证信息满足安全验证条件,在引导系统的配置界面中显示带内访问通道的管理控件;其中,管理控件用于被触发时打开带内访问通道。Secondly, if the security verification information satisfies the security verification conditions, the management control of the in-band access channel is displayed in the configuration interface of the booting system; wherein, the management control is used to open the in-band access channel when triggered.

这里,安全验证信息可以是引导系统的安全验证信息、基板管理控制器的安全验证信息中的至少一种。引导系统的安全验证信息包括但不限于输入引导系统如UEFI的设置(Setup)界面的用户名和密码基板管理控制器的安全验证信息包括但不限于输入BMC的用户名和密码。Here, the security verification information may be at least one of the security verification information of the boot system and the security verification information of the baseboard management controller. The security verification information of the boot system includes but is not limited to entering the username and password of the setup interface of the boot system such as UEFI. The security verification information of the baseboard management controller includes but is not limited to entering the username and password of the BMC.

最后,若管理控件被触发,生成满足权限验证条件的打开事件。Finally, if the management control is triggered, an open event that satisfies the permission verification conditions is generated.

步骤405、若打开事件满足引导系统的权限验证条件,响应于打开事件,打开带内访问通道。Step 405: If the open event satisfies the authorization verification condition of the bootstrap system, in response to the open event, open the in-band access channel.

本申请实施例中,在引导系统自检结束,第一系统中断信号处理完成的情况下,会关闭带内访问通道,此时,如果想要打开带内访问通道,必须满足引导系统的权限验证条件,才能打开带内访问通道使用。In the embodiment of the present application, when the self-check of the bootstrap system is completed and the processing of the first system interrupt signal is completed, the in-band access channel will be closed. At this time, if you want to open the in-band access channel, the authorization verification of the bootstrap system must be satisfied. conditions before the in-band access channel can be opened.

本申请的实施例提供一种信息处理装置,该信息处理装置可以应用于图1至图4对应的实施例提供的一种信息处理方法中,参照图5所示,该信息处理装置5包括:An embodiment of the present application provides an information processing apparatus, and the information processing apparatus can be applied to an information processing method provided by the embodiments corresponding to FIG. 1 to FIG. 4 . Referring to FIG. 5 , the information processing apparatus 5 includes:

获得模块501,用于在主板上电完成且带内访问通道打开的情况下,获得通过带内访问通道对基板管理控制器进行访问,是否处于引导系统的运行环境下的检测结果;The obtaining module 501 is used to obtain the detection result of whether the baseboard management controller is accessed through the in-band access channel and whether it is in the operating environment of the boot system when the main board is powered on and the in-band access channel is open;

处理模块502,用于若检测结果表征对基板管理控制器进行访问不处于运行环境下,通知基板管理控制器关闭带内访问通道。The processing module 502 is configured to notify the baseboard management controller to close the in-band access channel if the detection result indicates that the access to the baseboard management controller is not in the running environment.

本申请其他实施例中,获得模块501,用于若引导系统自检完成,获得通过带内访问通道对基板管理控制器进行访问,不处于运行环境下的检测结果。In other embodiments of the present application, the obtaining module 501 is configured to obtain the detection result of accessing the baseboard management controller through the in-band access channel and not in the running environment if the self-check of the bootstrap system is completed.

本申请其他实施例中,处理模块502,用于若引导系统自检完成,且基板管理控制器检测到第一系统中断信号,通过引导系统处理第一系统中断信号;In other embodiments of the present application, the processing module 502 is configured to process the first system interrupt signal through the bootstrap system if the self-check of the bootstrap system is completed and the baseboard management controller detects the first system interrupt signal;

获得模块501,用于若引导系统处理完第一系统中断信号,获得通过带内访问通道对基板管理控制器进行访问,不处于运行环境下的检测结果。The obtaining module 501 is configured to obtain the detection result that the baseboard management controller is accessed through the in-band access channel and is not in the running environment if the guiding system finishes processing the first system interrupt signal.

本申请其他实施例中,获得模块501,用于获得对带内访问通道的打开事件;In other embodiments of the present application, an obtaining module 501 is configured to obtain an open event for an in-band access channel;

处理模块502,用于若打开事件满足引导系统的权限验证条件,响应于打开事件,打开带内访问通道。The processing module 502 is configured to open the in-band access channel in response to the open event if the open event satisfies the authorization verification condition of the bootstrap system.

本申请其他实施例中,获得模块501,用于获得引导系统和/或基板管理控制器的安全验证信息;In other embodiments of the present application, the obtaining module 501 is configured to obtain the security verification information of the boot system and/or the baseboard management controller;

进一步地,信息处理装置5还包括显示模块503,用于若安全验证信息满足安全验证条件,在引导系统的配置界面中显示带内访问通道的管理控件;其中,管理控件用于被触发时打开带内访问通道;Further, the information processing device 5 also includes a display module 503 for displaying the management control of the in-band access channel in the configuration interface of the guidance system if the security verification information satisfies the security verification condition; wherein, the management control is used to open when triggered In-band access channel;

处理模块502,用于若管理控件被触发,生成满足权限验证条件的打开事件。The processing module 502 is configured to generate an open event that satisfies the permission verification condition if the management control is triggered.

本申请其他实施例中,处理模块502,用于通过基板管理控制器检测到第一系统中断信号,生成满足权限验证条件的打开事件。In other embodiments of the present application, the processing module 502 is configured to detect the first system interruption signal through the baseboard management controller, and generate an open event that satisfies the authority verification condition.

本申请其他实施例中,处理模块502,用于在主板上电完成的情况下,打开带内访问通道;In other embodiments of the present application, the processing module 502 is configured to open the in-band access channel when the mainboard is powered on;

处理模块502,用于在引导系统自检的过程中,若基板管理控制器检测到第二系统中断信号,通过带内访问通道访问基板管理控制器,以获得自检诊断信息。The processing module 502 is configured to access the baseboard management controller through an in-band access channel to obtain self-inspection diagnosis information if the baseboard management controller detects the second system interrupt signal during the process of guiding the system self-inspection.

本申请实施例所提供的信息处理装置,在主板上电完成且带内访问通道打开的情况下,获得通过带内访问通道对基板管理控制器进行访问,是否处于引导系统的运行环境下的检测结果;若检测结果表征对基板管理控制器进行访问不处于运行环境下,通知基板管理控制器关闭带内访问通道;也就是说,只要判定通过带内访问通道对基板管理控制器进行访问,不处于引导系统的运行环境下的检测结果,此时表征不具有带内访问通道的访问权限,则立即关闭带内访问通道,如此,即使攻击者能够接触到服务器实体,由于攻击者对基板管理控制器进行访问不处于引导系统的运行环境下,所以关闭了带内访问通道,阻止了攻击者的访问,提供了基板管理控制器的访问的安全性。The information processing apparatus provided by the embodiment of the present application, when the main board is powered on and the in-band access channel is open, obtains access to the baseboard management controller through the in-band access channel, and detects whether it is in the operating environment of the boot system Result; if the detection result indicates that the access to the baseboard management controller is not in the running environment, the baseboard management controller is notified to close the in-band access channel; that is, as long as it is determined that the baseboard management controller is accessed through the in-band access channel, no The detection result in the operating environment of the boot system indicates that the in-band access channel does not have access rights at this time, and the in-band access channel is immediately closed. In this way, even if the attacker can access the server entity, due to the attacker's control over the baseboard management The access of the baseboard management controller is not in the operating environment of the boot system, so the in-band access channel is closed, the access of the attacker is prevented, and the access security of the baseboard management controller is provided.

本申请的实施例提供一种电子设备,该电子设备可以应用于图1至图4对应的实施例提供的一种信息处理方法中,参照图6所示,该电子设备6包括:处理器601、存储器602和通信总线603,其中:An embodiment of the present application provides an electronic device, which can be applied to an information processing method provided by the embodiments corresponding to FIG. 1 to FIG. 4 . Referring to FIG. 6 , the electronic device 6 includes: a processor 601 , memory 602 and communication bus 603, where:

通信总线603用于实现处理器601和存储器602之间的通信连接。The communication bus 603 is used to realize the communication connection between the processor 601 and the memory 602 .

处理器601用于执行存储器602中存储的信息处理程序,以实现以下步骤:The processor 601 is configured to execute the information processing program stored in the memory 602 to realize the following steps:

在主板上电完成且带内访问通道打开的情况下,获得通过带内访问通道对基板管理控制器进行访问,是否处于引导系统的运行环境下的检测结果;When the mainboard is powered on and the in-band access channel is open, obtain the detection result of whether the baseboard management controller is accessed through the in-band access channel and whether it is in the operating environment of the boot system;

若检测结果表征对基板管理控制器进行访问不处于运行环境下,通知基板管理控制器关闭带内访问通道。If the detection result indicates that the access to the baseboard management controller is not in the running environment, the baseboard management controller is notified to close the in-band access channel.

在本申请的其他实施例中,处理器601用于执行存储器602中存储的信息处理程序,以实现以下步骤:In other embodiments of the present application, the processor 601 is configured to execute the information processing program stored in the memory 602 to realize the following steps:

若引导系统自检完成,获得通过带内访问通道对基板管理控制器进行访问,不处于运行环境下的检测结果。If the self-test of the boot system is completed, the test result that the baseboard management controller is accessed through the in-band access channel and is not in the operating environment is obtained.

在本申请的其他实施例中,处理器601用于执行存储器602中存储的信息处理程序,以实现以下步骤:In other embodiments of the present application, the processor 601 is configured to execute the information processing program stored in the memory 602 to realize the following steps:

若引导系统自检完成,且基板管理控制器检测到第一系统中断信号,通过引导系统处理第一系统中断信号;If the boot system self-check is completed, and the baseboard management controller detects the first system interrupt signal, the first system interrupt signal is processed by the boot system;

若引导系统处理完第一系统中断信号,获得通过带内访问通道对基板管理控制器进行访问,不处于运行环境下的检测结果。If the guiding system finishes processing the first system interrupt signal, it obtains a detection result that the baseboard management controller is accessed through the in-band access channel and is not in the running environment.

在本申请的其他实施例中,处理器601用于执行存储器602中存储的信息处理程序,以实现以下步骤:In other embodiments of the present application, the processor 601 is configured to execute the information processing program stored in the memory 602 to realize the following steps:

获得对带内访问通道的打开事件;Get an open event for an in-band access channel;

若打开事件满足引导系统的权限验证条件,响应于打开事件,打开带内访问通道。If the open event satisfies the authorization verification condition of the boot system, the in-band access channel is opened in response to the open event.

在本申请的其他实施例中,处理器601用于执行存储器602中存储的信息处理程序,以实现以下步骤:In other embodiments of the present application, the processor 601 is configured to execute the information processing program stored in the memory 602 to realize the following steps:

获得引导系统和/或基板管理控制器的安全验证信息;Obtain security verification information for the boot system and/or baseboard management controller;

若安全验证信息满足安全验证条件,在引导系统的配置界面中显示带内访问通道的管理控件;其中,管理控件用于被触发时打开带内访问通道;If the security verification information satisfies the security verification conditions, the management control of the in-band access channel is displayed in the configuration interface of the boot system; wherein, the management control is used to open the in-band access channel when triggered;

若管理控件被触发,生成满足权限验证条件的打开事件。If the management control is triggered, an open event that satisfies the permission verification conditions is generated.

在本申请的其他实施例中,处理器601用于执行存储器602中存储的信息处理程序,以实现以下步骤:In other embodiments of the present application, the processor 601 is configured to execute the information processing program stored in the memory 602 to realize the following steps:

通过基板管理控制器检测到第一系统中断信号,生成满足权限验证条件的打开事件。The first system interruption signal is detected by the baseboard management controller, and an open event that satisfies the authorization verification condition is generated.

在本申请的其他实施例中,处理器601用于执行存储器602中存储的信息处理程序,以实现以下步骤:In other embodiments of the present application, the processor 601 is configured to execute the information processing program stored in the memory 602 to realize the following steps:

在主板上电完成的情况下,打开带内访问通道;After the mainboard is powered on, open the in-band access channel;

在引导系统自检的过程中,若基板管理控制器检测到第二系统中断信号,通过带内访问通道访问基板管理控制器,以获得自检诊断信息。In the process of guiding the system self-inspection, if the baseboard management controller detects the second system interruption signal, the baseboard management controller is accessed through the in-band access channel to obtain self-inspection diagnosis information.

作为示例,处理器可以是一种集成电路芯片,具有信号的处理能力,例如通用处理器、数字信号处理器(Digital Signal Processor,DSP),或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等,其中,通用处理器可以是微处理器或者任何常规的处理器等。As an example, the processor may be an integrated circuit chip with signal processing capabilities, such as a general-purpose processor, a Digital Signal Processor (DSP), or other programmable logic devices, discrete gate or transistor logic devices, Discrete hardware components, etc., where a general purpose processor may be a microprocessor or any conventional processor or the like.

本申请实施例所提供的电子设备,在主板上电完成且带内访问通道打开的情况下,获得通过带内访问通道对基板管理控制器进行访问,是否处于引导系统的运行环境下的检测结果;若检测结果表征对基板管理控制器进行访问不处于运行环境下,通知基板管理控制器关闭带内访问通道;也就是说,只要判定通过带内访问通道对基板管理控制器进行访问,不处于引导系统的运行环境下的检测结果,此时表征不具有带内访问通道的访问权限,则立即关闭带内访问通道,如此,即使攻击者能够接触到服务器实体,由于攻击者对基板管理控制器进行访问不处于引导系统的运行环境下,所以关闭了带内访问通道,阻止了攻击者的访问,提供了基板管理控制器的访问的安全性。In the electronic device provided by the embodiment of the present application, when the main board is powered on and the in-band access channel is opened, the detection result of whether the baseboard management controller is accessed through the in-band access channel and whether it is in the operating environment of the boot system is obtained. ; If the detection result indicates that the access to the baseboard management controller is not in the operating environment, the baseboard management controller is notified to close the in-band access channel; The detection result in the operating environment of the boot system indicates that the in-band access channel does not have the access right at this time, and the in-band access channel is immediately closed. In this way, even if the attacker can access the server entity, the attacker cannot control the baseboard management controller. The access is not in the operating environment of the boot system, so the in-band access channel is closed, the access of the attacker is prevented, and the access security of the baseboard management controller is provided.

本申请的实施例提供一种计算机可读存储介质,该计算机可读存储介质存储有一个或者多个程序,该一个或者多个程序可被一个或者多个处理器执行,以实现如图1至图4对应的实施例提供的信息处理方法中的实现过程,此处不再赘述。Embodiments of the present application provide a computer-readable storage medium, where one or more programs are stored in the computer-readable storage medium, and the one or more programs can be executed by one or more processors, so as to realize FIG. 1 to The implementation process in the information processing method provided by the embodiment corresponding to FIG. 4 will not be repeated here.

本申请实施例所提供的计算机可读存储介质,在主板上电完成且带内访问通道打开的情况下,获得通过带内访问通道对基板管理控制器进行访问,是否处于引导系统的运行环境下的检测结果;若检测结果表征对基板管理控制器进行访问不处于运行环境下,通知基板管理控制器关闭带内访问通道;也就是说,只要判定通过带内访问通道对基板管理控制器进行访问,不处于引导系统的运行环境下的检测结果,此时表征不具有带内访问通道的访问权限,则立即关闭带内访问通道,如此,即使攻击者能够接触到服务器实体,由于攻击者对基板管理控制器进行访问不处于引导系统的运行环境下,所以关闭了带内访问通道,阻止了攻击者的访问,提供了基板管理控制器的访问的安全性。In the computer-readable storage medium provided by the embodiment of the present application, when the mainboard is powered on and the in-band access channel is open, it is possible to obtain whether the baseboard management controller is accessed through the in-band access channel, and whether it is in the operating environment of the boot system If the detection result indicates that the access to the baseboard management controller is not in the operating environment, the baseboard management controller is notified to close the in-band access channel; that is, as long as it is determined that the baseboard management controller is accessed through the in-band access channel , the detection result that is not in the operating environment of the boot system, at this time, it indicates that the in-band access channel does not have access rights, and the in-band access channel is immediately closed. In this way, even if the attacker can access the server entity, because the attacker has no access to the substrate The access of the management controller is not in the operating environment of the booting system, so the in-band access channel is closed, the access of the attacker is prevented, and the access security of the baseboard management controller is provided.

本领域内的技术人员应明白,本申请的实施例可提供为方法、系统、或计算机程序产品。因此,本申请可采用硬件实施例、软件实施例、或结合软件和硬件方面的实施例的形式。而且,本申请可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器和光学存储器等)上实施的计算机程序产品的形式。As will be appreciated by those skilled in the art, the embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the application may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media having computer-usable program code embodied therein, including but not limited to disk storage, optical storage, and the like.

本申请是参照根据本申请实施例的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the present application. It will be understood that each process and/or block in the flowchart illustrations and/or block diagrams, and combinations of processes and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general purpose computer, special purpose computer, embedded processor or other programmable data processing device to produce a machine such that the instructions executed by the processor of the computer or other programmable data processing device produce Means for implementing the functions specified in a flow or flow of a flowchart and/or a block or blocks of a block diagram.

这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory result in an article of manufacture comprising instruction means, the instructions The apparatus implements the functions specified in the flow or flow of the flowcharts and/or the block or blocks of the block diagrams.

这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded on a computer or other programmable data processing device to cause a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process such that The instructions provide steps for implementing the functions specified in the flow or blocks of the flowcharts and/or the block or blocks of the block diagrams.

以上所述,仅为本申请的较佳实施例而已,并非用于限定本申请的保护范围。The above descriptions are only preferred embodiments of the present application, and are not intended to limit the protection scope of the present application.

Claims (10)

1.一种信息处理方法,所述方法包括:1. An information processing method, the method comprising: 在主板上电完成且带内访问通道打开的情况下,获得通过所述带内访问通道对基板管理控制器进行访问,是否处于引导系统的运行环境下的检测结果;When the mainboard is powered on and the in-band access channel is open, obtain a detection result of whether the baseboard management controller is accessed through the in-band access channel, and whether it is in the operating environment of the boot system; 若检测结果表征对所述基板管理控制器进行访问不处于所述运行环境下,通知基板管理控制器关闭所述带内访问通道。If the detection result indicates that the access to the baseboard management controller is not in the operating environment, the baseboard management controller is notified to close the in-band access channel. 2.根据权利要求1所述的方法,所述获得通过所述带内访问通道对基板管理控制器进行访问,是否处于引导系统的运行环境下的检测结果,包括:2 . The method according to claim 1 , wherein the obtaining a detection result of whether the baseboard management controller is accessed through the in-band access channel and whether it is in the operating environment of the boot system, comprising: 2 . 若所述引导系统自检完成,获得通过所述带内访问通道对所述基板管理控制器进行访问,不处于所述运行环境下的检测结果。If the self-check of the guidance system is completed, a check result of accessing the baseboard management controller through the in-band access channel and not in the operating environment is obtained. 3.根据权利要求1所述的方法,所述获得通过所述带内访问通道对基板管理控制器进行访问,是否处于引导系统的运行环境下的检测结果包括:3 . The method according to claim 1 , wherein the obtaining a detection result of whether the baseboard management controller is accessed through the in-band access channel and under the operating environment of the boot system comprises: 3 . 若所述引导系统自检完成,且所述基板管理控制器检测到第一系统中断信号,通过所述引导系统处理所述第一系统中断信号;If the boot system self-check is completed and the baseboard management controller detects a first system interrupt signal, process the first system interrupt signal through the boot system; 若所述引导系统处理完所述第一系统中断信号,获得通过所述带内访问通道对所述基板管理控制器进行访问,不处于所述运行环境下的检测结果。If the guidance system finishes processing the first system interrupt signal, a detection result of accessing the baseboard management controller through the in-band access channel and not being in the operating environment is obtained. 4.根据权利要求1所述的方法,所述若检测结果表征对所述基板管理控制器进行访问不处于所述运行环境下,通知基板管理控制器关闭所述带内访问通道之后,所述方法包括:4 . The method according to claim 1 , wherein if the detection result indicates that the access to the baseboard management controller is not in the operating environment, the baseboard management controller is notified to close the in-band access channel after the in-band access channel is notified. 5 . Methods include: 获得对所述带内访问通道的打开事件;obtain an open event for the in-band access channel; 若所述打开事件满足所述引导系统的权限验证条件,响应于所述打开事件,打开所述带内访问通道。If the open event satisfies the authorization verification condition of the boot system, the in-band access channel is opened in response to the open event. 5.根据权利要求4所述的方法,所述检测结果为所述引导系统处理完第一系统中断信号获得的检测结果,所述获得对所述带内访问通道的打开事件,包括:5. The method according to claim 4, wherein the detection result is a detection result obtained by the boot system after processing the first system interrupt signal, and the obtaining an open event for the in-band access channel comprises: 获得所述引导系统和/或所述基板管理控制器的安全验证信息;obtaining the security verification information of the boot system and/or the baseboard management controller; 若所述安全验证信息满足安全验证条件,在所述引导系统的配置界面中显示所述带内访问通道的管理控件;其中,所述管理控件用于被触发时打开所述带内访问通道;If the security verification information satisfies the security verification condition, the management control of the in-band access channel is displayed in the configuration interface of the guidance system; wherein, the management control is used to open the in-band access channel when triggered; 若所述管理控件被触发,生成满足所述权限验证条件的打开事件。If the management control is triggered, an open event that satisfies the permission verification condition is generated. 6.根据权利要求4所述的方法,所述检测结果为所述引导系统自检完成获得的检测结果,所述获得对所述带内访问通道的打开事件,包括:6. The method according to claim 4, wherein the detection result is a detection result obtained by completing a self-check of the guidance system, and the obtaining an open event for the in-band access channel comprises: 通过所述基板管理控制器检测到第一系统中断信号,生成满足所述权限验证条件的打开事件。The first system interruption signal is detected by the baseboard management controller, and an open event satisfying the permission verification condition is generated. 7.根据权利要求1至6中任一项所述的方法,所述方法还包括:7. The method of any one of claims 1 to 6, further comprising: 在所述主板上电完成的情况下,打开所述带内访问通道;When the mainboard is powered on, open the in-band access channel; 在所述引导系统自检的过程中,若所述基板管理控制器检测到第二系统中断信号,通过所述带内访问通道访问所述基板管理控制器,以获得自检诊断信息。In the process of guiding the system self-check, if the baseboard management controller detects the second system interruption signal, the baseboard management controller is accessed through the in-band access channel to obtain self-check diagnostic information. 8.一种信息处理装置,所述信息处理装置,包括:8. An information processing device, the information processing device comprising: 获得模块,用于在主板上电完成且带内访问通道打开的情况下,获得通过所述带内访问通道对基板管理控制器进行访问,是否处于引导系统的运行环境下的检测结果;an obtaining module for obtaining a detection result of whether the baseboard management controller is accessed through the in-band access channel when the mainboard is powered on and the in-band access channel is open, and whether it is in the operating environment of the boot system; 处理模块,用于若检测结果表征对所述基板管理控制器进行访问不处于所述运行环境下,通知基板管理控制器关闭所述带内访问通道。The processing module is configured to notify the baseboard management controller to close the in-band access channel if the detection result indicates that the access to the baseboard management controller is not in the operating environment. 9.一种电子设备,所述电子设备包括:处理器、存储器和通信总线;9. An electronic device comprising: a processor, a memory and a communication bus; 所述通信总线用于实现处理器和存储器之间的通信连接;the communication bus is used to realize the communication connection between the processor and the memory; 所述处理器用于执行存储器中存储的信息处理程序,以实现如权利要求1至7中任一项所述的信息处理方法的步骤。The processor is configured to execute the information processing program stored in the memory to implement the steps of the information processing method according to any one of claims 1 to 7. 10.一种存储介质,存储有可执行指令,用于引起处理器执行时,实现权利要求1至7中任一项所述的信息处理方法的步骤。10. A storage medium storing executable instructions for causing a processor to implement the steps of the information processing method according to any one of claims 1 to 7 when executed.
CN202111500871.6A 2021-12-09 2021-12-09 Information processing method, information processing device, electronic device and storage medium Active CN114417301B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111500871.6A CN114417301B (en) 2021-12-09 2021-12-09 Information processing method, information processing device, electronic device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111500871.6A CN114417301B (en) 2021-12-09 2021-12-09 Information processing method, information processing device, electronic device and storage medium

Publications (2)

Publication Number Publication Date
CN114417301A true CN114417301A (en) 2022-04-29
CN114417301B CN114417301B (en) 2025-04-22

Family

ID=81266170

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111500871.6A Active CN114417301B (en) 2021-12-09 2021-12-09 Information processing method, information processing device, electronic device and storage medium

Country Status (1)

Country Link
CN (1) CN114417301B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118708506A (en) * 2024-08-27 2024-09-27 苏州元脑智能科技有限公司 A channel control method, controller, computer device and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090089624A1 (en) * 2007-10-02 2009-04-02 Christopher Harry Austen Mechanism to report operating system events on an intelligent platform management interface compliant server
CN102571478A (en) * 2010-12-31 2012-07-11 鸿富锦精密工业(深圳)有限公司 Server and method thereof for controlling channel to be opened or closed by server
CN107220553A (en) * 2017-05-25 2017-09-29 郑州云海信息技术有限公司 The device and control chip of the content stored in a kind of protection BIOS chips
CN109791515A (en) * 2016-08-04 2019-05-21 戴尔产品有限公司 System and method for security recovery host system code
CN110688263A (en) * 2019-09-30 2020-01-14 中国工程物理研究院计算机应用研究所 FPGA-based hard disk automatic switching device and application method

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090089624A1 (en) * 2007-10-02 2009-04-02 Christopher Harry Austen Mechanism to report operating system events on an intelligent platform management interface compliant server
CN102571478A (en) * 2010-12-31 2012-07-11 鸿富锦精密工业(深圳)有限公司 Server and method thereof for controlling channel to be opened or closed by server
CN109791515A (en) * 2016-08-04 2019-05-21 戴尔产品有限公司 System and method for security recovery host system code
CN107220553A (en) * 2017-05-25 2017-09-29 郑州云海信息技术有限公司 The device and control chip of the content stored in a kind of protection BIOS chips
CN110688263A (en) * 2019-09-30 2020-01-14 中国工程物理研究院计算机应用研究所 FPGA-based hard disk automatic switching device and application method

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118708506A (en) * 2024-08-27 2024-09-27 苏州元脑智能科技有限公司 A channel control method, controller, computer device and storage medium

Also Published As

Publication number Publication date
CN114417301B (en) 2025-04-22

Similar Documents

Publication Publication Date Title
US11520894B2 (en) Verifying controller code
US10353831B2 (en) Trusted launch of secure enclaves in virtualized environments
US9292302B2 (en) Allowing bypassing of boot validation in a computer system having secure boot enabled by default only under certain circumstances
US8375221B1 (en) Firmware-based trusted platform module for arm processor architectures and trustzone security extensions
US20080288766A1 (en) Information processing apparatus and method for abortting legacy emulation process
EP3198399B1 (en) Detecting a change to system management mode bios code
US8819330B1 (en) System and method for updating a locally stored recovery image
CN107665308B (en) TPCM system for building and maintaining trusted operating environment and corresponding method
EP3241116B1 (en) Memory access protection using processor transactional memory support
US9081965B2 (en) Systems and methods for command-based entry into basic input/output system setup from operating system
US10489582B1 (en) Firmware security vulnerability verification service
US11003461B2 (en) Boot process security self-check system
US9448888B2 (en) Preventing a rollback attack in a computing system that includes a primary memory bank and a backup memory bank
TW201937366A (en) Computer system and method with credible verification and fault tolerant transfer of boot-up
US7984282B2 (en) Evasion of power on self test during an operating system initiated reboot
US20220179962A1 (en) Multi-domain boot and runtime status code drift detection
CN102467626A (en) Computer system data protection device and method
CN114417301B (en) Information processing method, information processing device, electronic device and storage medium
CN112579988B (en) Shadow stack data integrity protection method, device and computer equipment
CN111538993B (en) Device and method for introducing external hardware trust root to perform trusted measurement
US20210192085A1 (en) Technology For Controlling Access To Processor Debug Features
US20220222349A1 (en) Information handling system host to management controller attestation service channel
US11989562B2 (en) Device state data loading onto RFID chip
WO2018005375A1 (en) Non-unified code and data decoding to provide execute-only memory
US11960337B2 (en) Customized thermal and power policies in computers

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant