CN120086834B - Configuration recovery method of baseboard management controller and baseboard management controller - Google Patents
- Publication number
- CN120086834B
- Authority
- CN
- China
- Prior art keywords
- operating system
- configuration
- management controller
- baseboard management
- external device
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/14—Error detection or correction of the data by redundancy in operation
- G06F11/1402—Saving, restoring, recovering or retrying
- G06F11/1415—Saving, restoring, recovering or retrying at system level
- G06F11/1438—Restarting or rejuvenating
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6281—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database at program execution time, where the protection is within the operating system
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
- G06F9/44505—Configuring for program initiating, e.g. using registry, configuration files
- G06F9/4451—User profiles; Roaming
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Databases & Information Systems (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Quality & Reliability (AREA)
- Storage Device Security (AREA)
Abstract
The application discloses a configuration recovery method of a baseboard management controller and the baseboard management controller. A first operating system and a second operating system run on different hardware resources of the baseboard management controller, and the execution of configuration recovery is controlled by the first operating system, which runs in a trusted execution environment, so as to improve the security of configuration recovery. In the method, when a server is connected to a first external device of a specified type, the first operating system verifies the first external device to ensure the validity of the connected device. If the first external device passes verification, a recovery confirmation request is sent to the first external device through the second operating system. When a specified key is detected to be pressed, the first configuration information stored in the first external device is used to perform configuration recovery on the baseboard management controller. Because the configuration information is stored in the external device and recovery is confirmed through a specific key, the risk of tampering with the configuration information is reduced and the security of configuration recovery is ensured.
Description
Technical Field
The present application relates to the field of server technologies, and in particular, to a configuration recovery method of a baseboard management controller and a baseboard management controller.
Background
In the server, the baseboard management controller is mainly used for remote management of the server, such as monitoring hardware status, restarting a system, upgrading firmware, and the like. When the baseboard management controller fails, the configuration recovery method of the baseboard management controller adopted in the related technology is to use the configuration file stored in the baseboard management controller to perform configuration recovery.
However, the configuration file used for configuration recovery is easily tampered with by malicious software or replaced by a malicious version. If the tampered configuration file is used for configuration recovery, the baseboard management controller is easily damaged, and the normal and stable operation of the server is further affected.
As can be seen from the above, the configuration recovery method of the baseboard management controller in the related art has the problem that the security of the baseboard management controller is poor because the configuration file is easily tampered with.
Disclosure of Invention
The application provides a configuration recovery method of a baseboard management controller and the baseboard management controller, which at least solve the problem in the related art that the security of the baseboard management controller is poor because the configuration file is easily tampered with.
According to one aspect of the embodiments of the application, a configuration recovery method of a baseboard management controller is provided. A first operating system and a second operating system run on different hardware resources of the baseboard management controller, and the first operating system runs in a trusted execution environment. The method comprises: when the server where the baseboard management controller is located is connected to a first external device of a specified type, verifying the first external device through the first operating system, and, when the first external device passes verification, sending a recovery confirmation request to the first external device through the second operating system, wherein the specified type is a device type for storing configuration information of the baseboard management controller, and the recovery confirmation request is used for requesting confirmation of configuration recovery by pressing a specified key on the first external device; and, when the specified key is detected to be pressed, obtaining the first configuration information stored in the first external device through the second operating system, and using the first configuration information to perform configuration recovery on the baseboard management controller.
According to another aspect of the embodiments of the application, a baseboard management controller is provided. A first operating system and a second operating system run on different hardware resources of the baseboard management controller, and the first operating system runs in a trusted execution environment. The first operating system is used for verifying a first external device of a specified type when the server where the baseboard management controller is located is connected to the first external device, and for sending a recovery confirmation request to the first external device through the second operating system when the first external device passes verification, wherein the specified type is a device type for storing configuration information of the baseboard management controller, and the recovery confirmation request is used for requesting confirmation of configuration recovery by pressing a specified key on the first external device. The first operating system is further used for obtaining, through the second operating system, the first configuration information stored in the first external device when the specified key is detected to be pressed, and for controlling the second operating system to perform configuration recovery on the baseboard management controller using the first configuration information.
According to another aspect of the embodiments of the application, a server is provided. The server comprises a baseboard management controller; a first operating system and a second operating system run on different hardware resources of the baseboard management controller, and the first operating system runs in a trusted execution environment. The first operating system is used for verifying a first external device of a specified type when the server is connected to the first external device, and for sending a recovery confirmation request to the first external device through the second operating system when the first external device passes verification, wherein the specified type is a device type for storing configuration information of the baseboard management controller, and the recovery confirmation request is used for requesting confirmation of configuration recovery by pressing a specified key on the first external device. The first operating system is further used for obtaining, through the second operating system, the first configuration information stored in the first external device when the specified key is detected to be pressed, and for controlling the second operating system to perform configuration recovery on the baseboard management controller using the first configuration information.
According to a further aspect of embodiments of the present application there is also provided an electronic device comprising a memory having a computer program stored therein and a processor arranged to perform the steps of any of the method embodiments described above by means of the computer program.
According to a further aspect of embodiments of the present application, there is also provided a computer readable storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the method embodiments described above when run.
According to yet another aspect of embodiments of the present application, there is provided a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer readable storage medium and executes the computer instructions to cause the computer device to perform the steps of any of the method embodiments described above.
In the configuration recovery method, a first operating system and a second operating system run on different hardware resources of the baseboard management controller, and the execution of configuration recovery is controlled by the first operating system running in a trusted execution environment, which improves the security of configuration recovery. When the server where the baseboard management controller is located is connected to a first external device of a specified type (a device type for storing configuration information of the baseboard management controller), the first external device is verified through the first operating system to ensure the legitimacy of the connected device. When the first external device passes verification, a recovery confirmation request is sent to the first external device through the second operating system, requesting confirmation of configuration recovery by pressing a specified key on the first external device. Because recovery is confirmed through a specific key on the external device, configuration recovery is executed only with manual participation, which reduces the possibility of configuration recovery being performed by malicious software. When the specified key is detected to be pressed, the first operating system obtains, through the second operating system, the first configuration information stored in the first external device, and the first configuration information is used to perform configuration recovery on the baseboard management controller. Because the configuration information is stored in the external device, the risk of the configuration information being tampered with is reduced, thereby solving the technical problem in the related art that the security of the baseboard management controller is poor because the configuration file is easily tampered with.
Drawings
For a clearer description of embodiments of the present application, the drawings that are required to be used in the embodiments will be briefly described, it being apparent that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to the drawings without inventive effort for those skilled in the art.
Fig. 1 is a schematic application scenario diagram of a configuration recovery method of a baseboard management controller according to an embodiment of the present application.
Fig. 2 is a flow chart of an alternative configuration restoration method of a baseboard management controller according to an embodiment of the present application.
Fig. 3 is a system frame diagram of a baseboard management controller according to an embodiment of the present application.
FIG. 4 is a schematic flow chart of an alternative one-key recovery U-shield according to an embodiment of the application.
FIG. 5 is a flow chart of an alternative U-shield one-key recovery according to an embodiment of the application.
Fig. 6 is a block diagram of an alternative baseboard management controller according to an embodiment of the present application.
FIG. 7 is a block diagram of a computer system of an alternative electronic device in accordance with an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. Based on the embodiments of the present application, all other embodiments obtained by a person of ordinary skill in the art without making any inventive effort are within the scope of the present application.
It should be noted that in the description of the present application, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. The terms "first," "second," and the like in this specification are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order.
The present application will be further described in detail below with reference to the drawings and detailed description for the purpose of enabling those skilled in the art to better understand the aspects of the present application.
According to an aspect of an embodiment of the present application, there is provided a configuration recovery method of a baseboard management controller. Alternatively, in the embodiment of the present application, the configuration recovery method of the baseboard management controller described above may be applied, but not limited to, in a hardware environment including a server 102 (including baseboard management controller 104), a configuration device 106, and an external device 108 as shown in fig. 1. The configuration device 106 may be connected to the server 102 via a network or a data line, and the external device 108 may be connected to the server 102 by directly plugging into an interface on the server 102, connecting to an interface on the server 102 via a data line, or the like. When the baseboard management controller 104 needs to perform configuration recovery, the configuration information stored on the external device 108 may be used to perform configuration recovery on the baseboard management controller 104.
The network may include, but is not limited to, at least one of a wired network and a wireless network. The wired network may include, but is not limited to, at least one of a wide area network, a metropolitan area network, and a local area network, and the wireless network may include, but is not limited to, at least one of Wi-Fi (Wireless Fidelity) and Bluetooth. Server 102 may be, but is not limited to being, a cloud server, a server cluster, or other server type. Configuration device 106 may be, but is not limited to, a PC (Personal Computer), cell phone, tablet, or the like. The external device 108 may include, but is not limited to, at least one of a USB memory device (e.g., USB flash disk), USB shield, etc.
The configuration recovery method of the baseboard management controller according to the embodiment of the present application may be executed by the baseboard management controller 104, or may be executed by the baseboard management controller 104 in combination with at least one of the configuration device 106 and the external device 108. The configuration method of the baseboard management controller performed by the configuration device 106 according to the embodiment of the present application may also be performed by a client installed thereon.
Taking the case in which the configuration recovery method in this embodiment is executed by the baseboard management controller 104 as an example, fig. 2 is a schematic flow diagram of an alternative configuration recovery method of a baseboard management controller according to an embodiment of the present application. As shown in fig. 2, the flow of the method may include steps S202 to S204.
Step S202: when the server where the baseboard management controller is located is connected to a first external device of a specified type, the first external device is verified through the first operating system, and when the first external device passes the verification, a recovery confirmation request is sent to the first external device through the second operating system, wherein the specified type is a device type for storing configuration information of the baseboard management controller, and the recovery confirmation request is used for requesting confirmation of configuration recovery by pressing a specified key on the first external device.
Step S204: when the specified key is detected to be pressed, the first operating system obtains, through the second operating system, the first configuration information stored in the first external device, and controls the second operating system to perform configuration recovery on the baseboard management controller using the first configuration information.
The configuration recovery method of the baseboard management controller in the embodiment of the application can be applied to the technical field of servers and is applied to the scene of configuration recovery of the baseboard management controller of the server. Servers are the core infrastructure that support the operation of various types of information systems and networks. In a server, a baseboard management controller (Baseboard Management Controller, abbreviated as BMC) is a component of the server responsible for monitoring and managing hardware status of the server, and is usually integrated on a server motherboard, and is mainly used for remote management of the server, such as monitoring hardware status (monitoring hardware health status through various sensors, such as temperature, voltage, fan rotation speed, etc.), restarting a system (such as remote on/off), firmware upgrade, etc. The baseboard management controller plays a vital role in ensuring the stable operation and performance of the server.
When the baseboard management controller fails (or in other situations requiring configuration recovery), the configuration of the baseboard management controller needs to be restored. The configuration recovery method of the baseboard management controller adopted in the related art performs configuration recovery using the configuration file stored in the baseboard management controller, and relies mainly on mechanisms at the software layer.
However, this configuration recovery mode of the baseboard management controller is not secure enough: the recovery flow is easily tampered with by malicious software, so that the configuration file used for configuration recovery is replaced by a malicious version. Because the configuration file is stored in the baseboard management controller, once an attacker has illegitimately gained root access to the baseboard management controller, the attacker can modify the configuration file or implant malicious code and then trigger configuration recovery, so that the baseboard management controller is damaged and the normal and stable operation of the server is further affected.
Also, the configuration recovery function of the baseboard management controller in the related art is typically invoked through the web front end, Redfish (a standardized protocol for server management) or IPMI (Intelligent Platform Management Interface) commands. It depends on the network and cannot be used when the network is disconnected or under attack.
In order to at least partially solve the above-mentioned problem, in this embodiment, configuration information for performing configuration recovery on the baseboard management controller is stored on the external device, so that the opportunity of the external device accessing the server can be controlled, and the risk of tampering of the configuration information is reduced; and the first operating system and the second operating system are operated on different hardware resources of the baseboard management controller, the first operating system is operated in a trusted execution environment, the first operating system is used for verifying the external equipment and carrying out configuration recovery by combining with a physical confirmation key, so that the configuration recovery is carried out under the condition of manual supervision, the possibility of maliciously carrying out configuration recovery is reduced, and the safety of the baseboard management controller is improved.
The configuration recovery method of the baseboard management controller in the embodiment can be a one-key recovery scheme, and a user can automatically perform configuration recovery on the baseboard management controller by only pressing a specific key (button) or executing a simple operation, so that when the baseboard management controller fails, the one-key recovery is fast, accurate and safe, and the stable operation of the server can be ensured.
The baseboard management controller may have various hardware resources, such as a processor, a memory, a peripheral, and the like, and may run a first operating system and a second operating system on different hardware resources, where the first operating system runs in a trusted execution environment (Trusted Execution Environment, abbreviated as TEE). The division of the hardware resources may be implemented by a hardware mechanism, for example, some registers, memory areas, peripherals, etc. of the processor are explicitly divided into corresponding attributes to distinguish an Operating System (OS) to which the hardware resources belong.
It should be noted that, given the differences in the processor architectures adopted by baseboard management controllers and in naming considerations (for example, naming by function, by frequency of use, etc.), the first operating system may also be referred to as a secure operating system or a trusted operating system, and the second operating system may also be referred to as a normal operating system, so long as the two operate on different hardware resources and one of the operating systems operates in a trusted execution environment.
A trusted execution environment is a combined hardware and software technology designed to provide a secure, isolated environment for applications running on a device. The trusted execution environment is designed to run transparently, without interfering with applications and services in the non-secure execution environment (Rich Execution Environment, abbreviated REE). If the processor, firmware, operating system configuration, and runtime detection all indicate that TEE support exists, and there is explicit secure storage, resource access, trusted applications, and access control, then it may be determined that the operating system is running in a trusted execution environment.
Take as an example a baseboard management controller adopting the ARM (Advanced RISC Machines, advanced reduced instruction set machine) processor architecture. ARM is a RISC (reduced instruction set) processor architecture and can be applied to mobile equipment, embedded systems and servers. Configuration recovery of a baseboard management controller adopting the ARM processor architecture can rely on ARM TrustZone technology to physically and securely isolate the data to be protected, so that data security is guaranteed. TrustZone is a system-level security technology. Based on the ARM processor architecture, TrustZone divides the hardware resources of the whole system (e.g., chips, devices, etc.; in this embodiment, the baseboard management controller) into two worlds: the Secure World (corresponding to the first operating system) and the Non-Secure World (corresponding to the second operating system). This partitioning is accomplished through hardware mechanisms; for example, certain registers, memory regions, peripherals, etc. of the processor are explicitly assigned secure or non-secure attributes. At the hardware level, the secure world and the non-secure world have independent running environments, including independent instruction set execution spaces, memory mappings and the like, as if two relatively independent subsystems were built into one baseboard management controller. The degree of isolation between the subsystems is high, and the non-secure world cannot directly access the resources of the secure world except through a strictly defined secure interface.
It should be noted that a baseboard management controller adopting the ARM processor architecture may run operating systems with different security levels using the multi-level execution environment of the ARM processor, for example, EL0 (Event Level 0, ARM CPU non-privileged mode) to EL3 (Event Level, ARM CPU secure mode). Among these, EL3 is the highest privileged execution level, typically used to run security-related firmware, such as ARM Trusted Firmware (abbreviated ATF). In an ARM processor architecture, the baseboard management controller may include, but is not limited to, the following:
- Hardware interfaces: a series of hardware interfaces such as I2C (Inter-Integrated Circuit), SPI (Serial Peripheral Interface), PCIe (Peripheral Component Interconnect Express) and the like, through which the baseboard management controller may communicate with other components of the server to monitor sensor data, control fans, communicate with a CPU, etc.
- Processor cores: one or more ARM processor cores for running the management and monitoring software of the baseboard management controller. These cores may run in the non-secure world or the secure world, or both, to perform different tasks and meet security requirements.
- Memory resources: used for storing firmware, configuration files, monitoring data, etc. The memory resources may include, but are not limited to, at least one of non-volatile memory (such as SPI NOR Flash), RAM, and an OTP (One Time Programmable) area for secure storage.
- Network interface: used by the baseboard management controller to communicate with the remote management platform. The network interface allows an administrator to remotely monitor server status and perform management operations, and may include, but is not limited to, at least one of the IPMI (Intelligent Platform Management Interface) protocol or the Redfish API (Application Programming Interface).
- Operating environment: divided into two parts, secure and non-secure. The secure operating system (i.e., the first operating system) is responsible for managing security-related tasks, such as key management, secure communication and secure storage access. The non-secure operating system (i.e., the second operating system) is responsible for handling conventional monitoring and management tasks. One implementation is to use Linux as the second operating system, while the secure environment based on TrustZone technology runs a small secure operating system or trusted application.
- Security mechanism integration: the baseboard management controller can implement security mechanisms using TrustZone technology, for example, by running a key management module in the secure world, handling sensitive operations using EL3-level system calls, and performing security state detection and control using dedicated GPIO (general-purpose input/output) pins, such as detecting the pressing of a specified key.
Configuration information for configuration recovery of the baseboard management controller may be stored on a storage device of a specified type, such as a USB (Universal Serial Bus) storage device, which may be a U-shield. If the server is connected to a first external device of the specified type, that is, if the server detects that a first external device of the specified type has been connected, the first operating system may start the configuration recovery verification process of the baseboard management controller and verify the first external device, for example, verify the legitimacy and validity of the first external device, so as to improve the security of configuration recovery. The first external device may be verified by checking its authentication information (e.g., device identifier, device key, etc.), and the check may be based on the format of the authentication information, the content of the authentication information, etc., which is not limited in this embodiment.
For example, taking the first external device as a U-shield, the configuration file for configuration recovery of the BMC is stored in an external U-shield, and the digital signature and the device fingerprint (for example, a unique serial number) of the configuration file are verified by the TEE, so that only an authorized U-shield can start recovery.
If the first external device passes the verification, the first operating system can send a recovery confirmation request to the first external device via the second operating system, so as to request that configuration recovery be confirmed by pressing a designated key on the first external device. The recovery confirmation request asks the user for physical confirmation, that is, the user must manually press the designated key on the first external device to finally confirm that the configuration recovery operation is to be performed. This adds an additional security layer to the recovery confirmation and reduces the occurrence of unauthorized or tampered recovery. The designated key may be a marked key on the first external device whose signal can only be detected by the first operating system; when the user presses the designated key, the first operating system can detect the signal triggered by the press.
Optionally, in this embodiment, a one-key recovery scheme with a secure triggering mechanism may be used: the recovery procedure is triggered by a physical key (i.e., the designated key) or a specific hardware signal, and the signal is passed directly to the first operating system (e.g., the TrustZone secure world, i.e., the TEE), bypassing the second operating system (e.g., the normal operating system, i.e., the REE) to avoid interception. The security of one-key recovery is ensured physically: confirmation requires manual participation, and the confirmation signal cannot be attacked by an attacker even if the baseboard management controller has been rooted.
When the designated key is pressed, the first operating system can acquire, via the second operating system, the first configuration information stored in the first external device. The first configuration information is the configuration information stored in the first external device and used for configuration recovery of the baseboard management controller, and may include but is not limited to network settings, security policies, user-defined options and the like. The configuration information is typically stored in the first external device under the control of the first operating system when the first external device is initialized.
For example, taking the first external device as a U-shield, when the secure OS detects the signal that the designated key on the U-shield has been pressed, the secure OS may issue a command requesting one-key configuration recovery to the normal OS. After receiving this command from the secure OS, the normal OS reads the stored configuration information from the U-shield and transmits it to the secure OS.
The first operating system may use the first configuration information to control the second operating system to perform configuration recovery on the baseboard management controller. In the case where the first configuration information is encrypted configuration information, the first configuration information may be decrypted first. The configuration recovery of the baseboard management controller uses the decrypted first configuration information. Optionally, the first operating system may verify the first configuration information first to ensure validity and reliability, and then transmit the first configuration information that passes the verification to the second operating system for configuration recovery.
In addition, for the case that the first configuration information does not need to be decrypted, after the second operating system reads the first configuration information from the first external device, the second operating system may directly use the first configuration information to perform configuration recovery on the baseboard management controller, or first check the first configuration information and then use the first configuration information passing the check to perform configuration recovery on the baseboard management controller.
According to this embodiment of the application, a first operating system and a second operating system run on different hardware resources of a baseboard management controller, and the first operating system runs in a trusted execution environment. When a first external device of a specified type is connected to the server where the baseboard management controller is located, the first external device is verified by the first operating system, and when the first external device passes the verification, a recovery confirmation request is sent to the first external device via the second operating system, where the specified type is a device type used for storing configuration information of the baseboard management controller, and the recovery confirmation request is used to request configuration recovery by pressing a designated key on the first external device. When the designated key is pressed, the first operating system acquires, via the second operating system, the first configuration information stored in the first external device, and uses the first configuration information to control the second operating system to perform configuration recovery on the baseboard management controller. This addresses the problem in the related art that configuration recovery of the baseboard management controller has poor security.
In some exemplary embodiments, after the recovery confirmation request is sent to the first external device via the second operating system, the method further comprises: accessing a designated port by the first operating system, and determining whether a recovery confirmation signal is detected from the designated port.
In this embodiment, the pressing of the designated key may be detected by the first operating system. The recovery process is triggered by the designated key: pressing the designated key triggers a recovery confirmation signal, and the signal is passed directly to the first operating system, bypassing the second operating system to avoid interception. The security of one-key recovery is ensured physically: confirmation requires manual participation, and the confirmation signal cannot be attacked by an attacker even if the baseboard management controller has been rooted.
The recovery confirmation signal may be passed to the first operating system through the designated port. A port is a channel for data transmission and communication, and the designated port is a port that only the first operating system is allowed to access, for example a GPIO port. After sending the recovery confirmation request to the first external device via the second operating system, the first operating system may access the designated port to detect whether a recovery confirmation signal arrives from the designated port.
When the user receives the prompt for the recovery confirmation request, the user can press the designated key, thereby triggering the recovery confirmation signal described above. The first external device can send the recovery confirmation signal to the designated port by some means of communication (such as electrical signal transmission). The first operating system determines whether the recovery confirmation signal is detected by accessing the designated port; if the first operating system detects the signal, the user has confirmed the configuration recovery, and the subsequent operations of reading the configuration information and performing the configuration recovery can proceed.
For example, the one-key recovery module of the secure OS detects the press of the security button through a GPIO that only the secure OS can access, and issues a request for one-key recovery of the configuration file to the BMC.
According to the embodiment, the first operating system accesses the designated port to detect the recovery confirmation signal, so that the physical security of the signal can be ensured, the attack on the software layer is prevented, and the physical isolation and the security control of the recovery confirmation are realized.
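The confirmation path of this embodiment, as an added Go example that is not part of the patent: messages relayed by the normal OS can open a request or deliver data, but only a read of the designated port can confirm the recovery. The message names, the `FakePort` stand-in for the GPIO line, and the three-poll expiry of a pending request are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

type State int

const (
	Idle            State = iota // no recovery in progress
	AwaitingConfirm              // device verified, waiting for the physical key
	Confirmed                    // key press seen on the designated port
	Restored                     // configuration handed over for recovery
)

// SecurePort models the designated port (for example a GPIO) that only the
// secure OS is allowed to read.
type SecurePort interface{ Pressed() bool }

// FakePort is a constructed stand-in for the hardware line.
type FakePort struct{ Down bool }

func (p *FakePort) Pressed() bool { return p.Down }

// Session is the secure-OS side of one recovery attempt.
type Session struct {
	State  State
	port   SecurePort
	verify func(authInfo []byte) bool // device check, e.g. against the OTP key
	polls  int                        // polls left before the request expires (assumed)
}

func NewSession(port SecurePort, verify func([]byte) bool) *Session {
	return &Session{port: port, verify: verify}
}

var ErrRejected = errors.New("rejected")

// FromNormalOS handles a message relayed by the normal OS. Everything that
// arrives here is untrusted: it can start a request or deliver data, but it
// has no way to confirm the recovery.
func (s *Session) FromNormalOS(kind string, payload []byte) (string, error) {
	switch {
	case kind == "device-inserted" && s.State == Idle:
		if !s.verify(payload) {
			return "", fmt.Errorf("%w: device not authorized", ErrRejected)
		}
		s.State, s.polls = AwaitingConfirm, 3
		return "recovery-confirm-request", nil // normal OS prompts the user
	case kind == "config-data" && s.State == Confirmed:
		s.State = Restored
		return "restore", nil
	}
	return "", fmt.Errorf("%w: %q not accepted in state %d", ErrRejected, kind, s.State)
}

// PollPort reads the designated port. It is the only path to Confirmed.
func (s *Session) PollPort() string {
	if s.State != AwaitingConfirm {
		return "" // a press outside a pending request is ignored
	}
	if s.port.Pressed() {
		s.State = Confirmed
		return "read-config" // ask the normal OS to read the device
	}
	s.polls--
	if s.polls == 0 {
		s.State = Idle // request expired without confirmation
	}
	return ""
}

func main() {
	port := &FakePort{}
	s := NewSession(port, func(b []byte) bool { return string(b) == "valid" })
	fmt.Println(s.FromNormalOS("device-inserted", []byte("valid")))
	fmt.Println(s.FromNormalOS("key-pressed", nil)) // claim from the normal OS
	port.Down = true
	fmt.Println(s.PollPort())
	fmt.Println(s.FromNormalOS("config-data", []byte("cfg")))
}
```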
In some exemplary embodiments, verifying the first external device by the first operating system includes: receiving, by the first operating system, first verification information that is stored in the first external device and passed on by the second operating system; and verifying, by the first operating system, the first verification information using a specified key stored in a one-time programmable region, wherein the one-time programmable region only allows access by the first operating system.
When the second operating system detects that the first external device has been connected, the second operating system can read the first verification information stored in the first external device and transmit it to the first operating system. The first operating system thus receives the first verification information stored in the first external device and passed on by the second operating system. The first verification information is information used for device verification of the first external device, and may include, but is not limited to, at least one of a digital signature, a device key (which may also be referred to as a security key), a device identifier, and a timestamp. The device identifier of the first external device is used to identify the first external device, and may include at least one of a device model number, a serial number (SN for short), and a device name. The first verification information is not particularly limited in this embodiment.
The first operating system may then verify the first verification information received from the first external device using the stored specified key. The verification process matches the information type of the first verification information and may include, but is not limited to, decrypting the first verification information, checking a digital signature, or comparing the serial number of the first external device, so as to confirm that the first external device is legitimate and that the data has not been tampered with.
The specified key may be a key used for configuration recovery of the baseboard management controller. Where the verification information of the external device includes a device key, the specified key may be a seed key for generating the device key of the authorized device, the authorized device being a device that is allowed to perform configuration recovery on the baseboard management controller. The specified key may be a key of an SFS (Safe File System, secure file system), which may provide functions such as data encryption, access control, rights management, logging, and auditing to protect data stored on it from unauthorized access, tampering, or disclosure. For a baseboard management controller with an ARM processor architecture, SFS refers to a file system that uses TrustZone technology for encryption and security verification, and is used for storing and protecting sensitive data such as the configuration files and keys used in the BMC configuration recovery process. The design of such a file system ensures the integrity and confidentiality of the data: the data stored in the SFS remains secure and unaffected even if the normal operating system of the baseboard management controller is attacked.
The specified key may be stored in any storage area accessible to the first operating system. To avoid malicious modification of the specified key, the specified key may be stored in a one-time programmable region. The one-time programmable region is a non-volatile memory region that can only be written once and is commonly used for storing critical security parameters or keys. In this embodiment, the specified key is written in the one-time programmable region, and only the first operating system is allowed to access it. It will be appreciated that even if the second operating system or any other software attempts to access the region, the data in it cannot be read or modified.
Taking the first external device as a U-shield and the first verification information as a security key as an example: when the one-key recovery process of the normal OS detects that the U-shield has been connected, it obtains the security key of the U-shield from the U-shield, initiates a one-key recovery request, and transmits the security key of the U-shield to the secure OS. After the one-key recovery module of the secure OS detects the one-key recovery request initiated by the normal OS, it verifies the security key of the U-shield using the key stored in the OTP, and if the verification passes, issues a one-key recovery confirmation request (an example of a recovery confirmation request) to the normal OS. After receiving the one-key recovery confirmation request from the secure OS, the normal OS prompts the user to press the one-key recovery security button on the U-shield (one example of the designated key).
By the embodiment, the verification information of the external device is verified by using the secret key stored in the one-time programmable region, so that the credibility of the device is ensured, the recovery operation triggered by malicious devices is avoided, and the controllability and the safety of the recovery flow are enhanced.
In some exemplary embodiments, the specified key may be a key preset for the baseboard management controller (independent of the authorized device), or may be generated according to the device identifier of the authorized device and a random number. The latter has higher flexibility and relevance than a preset key, and supports more varied verification methods. The authorized device is a device that is allowed to perform configuration recovery on the baseboard management controller, and its device type is the specified type.
Correspondingly, before the first verification information stored in the first external device and passed on by the second operating system is received by the first operating system, the method further comprises: querying the one-time programmable region by the first operating system when a second external device is connected to the server and the second external device is configured as an authorized device; when no data has been written in the one-time programmable region, acquiring, by the first operating system via the second operating system, the device identifier of the second external device; generating the specified key according to the device identifier of the second external device and a random number; and writing the generated specified key into the one-time programmable region.
In this embodiment, the user may connect the second external device to the server and trigger the configuration of the second external device as the authorized device by a specific key or combination of keys on the second external device, or by performing a specific operation on the configuration interface of a configuration device. For the baseboard management controller, when the second external device is connected to the server and is configured as an authorized device, the second operating system may detect that the second external device has been connected and feed this information back to the first operating system. After receiving the information transmitted by the second operating system, the first operating system can query the one-time programmable region. It should be noted that the second external device may be a USB storage device (e.g., a USB disk) or another device that can be used for configuration recovery of the baseboard management controller, and the second external device is not particularly limited here.
If no device has previously been configured as an authorized device, no data has been written to the one-time programmable region and the first operating system finds no data there. In this case, it may request the device identifier of the second external device via the second operating system, then generate the specified key from the device identifier of the second external device and a random number, and write the generated specified key into the one-time programmable region.
To improve the efficiency of information processing, the first operating system can receive the device identifier of the second external device transmitted by the second operating system when the second external device is connected to the server and is configured as an authorized device, query the one-time programmable region in response to receiving the device identifier, and, when no data has been written in the one-time programmable region, generate the specified key according to the device identifier of the second external device and a random number.
Taking the making of a one-key recovery U-shield from a USB flash disk as an example: when a USB flash disk is connected to the server and is to be used for making the one-key recovery U-shield, the one-key recovery module of the secure OS queries whether data has been written to the OTP. If not, no one-key recovery U-shield has been made yet; in this case, the secure OS can request the device identifier of the USB flash disk via the normal OS, for generating the key to be written to the OTP. One machine can use only one U-shield.
The normal OS may acquire the device identifier of the USB flash disk and send it to the secure OS. The one-key recovery module of the secure OS then generates the key of the secure SFS according to the device identifier of the USB flash disk and a random number.
With this embodiment, when the authorized device is configured, the device identifier and a random number are combined to generate the key, which is stored in the OTP. This ensures that the key in the OTP of the baseboard management controller is unique, strengthens device authorization management, achieves unique authorization of the device and unique key generation, and prevents access by unauthorized devices.
In some exemplary embodiments, after generating the specified key according to the device identifier of the second external device and the random number, the method further includes: encrypting, by the first operating system, the device identifier of the second external device and the current timestamp using the specified key to obtain second verification information; and writing, via the second operating system, the second verification information to the second external device for storage as the device key of the second external device.
In this embodiment, the first operating system may encrypt the device identifier of the second external device using the specified key to obtain the second verification information and transmit the second verification information to the second operating system, and the second operating system writes the second verification information into the second external device as the device key of the second external device. The second external device may store the second verification information, which may be used in a subsequent configuration recovery process.
To ensure the integrity and traceability of the key, the device identifier of the second external device and the current timestamp may be encrypted using the specified key, resulting in the aforementioned second verification information. The current timestamp may be the timestamp at which the second external device transmits the device identifier to the first operating system, the timestamp at which the specified key is generated, or another timestamp. Here, the timestamp records a specific time, and may be a number or a character string containing information such as year, month, day, and second, or may take other forms, which are not limited here.
Taking the second external device as a USB flash disk as an example, the secure OS encrypts the device identifier of the current USB flash disk and the time using the key of the secure SFS, and the resulting encrypted data serves as the unique security key of the USB flash disk and is returned to the normal OS. The normal OS writes the encrypted data into the USB flash disk and warns the user that if the key is lost, the configuration cannot be restored with one key.
With this embodiment, the device key is generated by encrypting the device identifier and the timestamp, so that the integrity and traceability of the key can be ensured, and the validity of the device key can be judged from the timestamp even if the device has been tampered with.
In some exemplary embodiments, after generating the specified key from the device identifier of the second external device and the random number, the method further comprises: receiving, by the first operating system, second configuration information transmitted by the second operating system; encrypting the second configuration information using the specified key; and writing, via the second operating system, the encrypted second configuration information into the second external device for storage, wherein the second configuration information is the configuration information of the baseboard management controller at a first moment.
In the related art, the configuration file used for configuration recovery of a baseboard management controller is stored in the internal storage of the device and is generally not encrypted, which may cause failure due to storage damage or physical access by an attacker. The storage medium of the configuration file therefore presents a security risk. Moreover, configuration recovery of the baseboard management controller directly restores factory settings, so if the user has modified the configuration in the meantime, those modifications are lost.
For this reason, in the present embodiment, the configuration information of the baseboard management controller may be encrypted using the specified key, and the encrypted data (encrypted configuration information) may be written to the authorized device for storage. Encrypting the configuration information improves its security, and because the stored configuration information is the configuration at a certain moment rather than the factory configuration, recovery to a configured version is supported, which improves the flexibility of configuration recovery.
After generating the specified key, the first operating system may obtain the configuration information of the baseboard management controller (or configuration information of the server that is related to the baseboard management controller) from the second operating system as the second configuration information, then encrypt the second configuration information using the specified key, and transmit the encrypted second configuration information to the second operating system. After receiving the encrypted second configuration information returned by the first operating system, the second operating system writes it into the second external device for storage.
Taking the second external device as a USB flash disk as an example, the normal OS passes the configuration information of the current server to the secure OS for encryption. The secure OS encrypts the configuration data passed by the normal OS using the key of the secure SFS and passes it back to the normal OS. The normal OS then writes the encrypted configuration file returned by the secure OS into the USB flash disk.
By using the specified key to encrypt the configuration information, the embodiment allows the user to save the configuration state at different time points, enhances the flexibility and the safety of configuration recovery, and protects the user-defined configuration from being reset.
In some exemplary embodiments, obtaining, by the first operating system, the device identification of the second external device via the second operating system includes obtaining, by the first operating system, the device model number of the second external device and the serial number of the second external device via the second operating system.
In this embodiment, at least one of the device model number and the serial number may be used as the device identifier. To improve the security level of the specified key and the device key (generating them from two kinds of information is more secure than generating them from a single kind), the specified key and the device key may be generated using both the device model number and the serial number as the device identifier. Correspondingly, the second operating system may acquire the device model number and the serial number of the second external device and transmit the acquired information to the first operating system. The device identifier of the second external device then includes the device model number of the second external device and the serial number of the second external device.
Taking the second external device as a USB flash disk as an example, the normal OS obtains information such as the model number and the SN of the USB flash disk and sends it to the secure OS. The one-key recovery module of the secure OS generates the key of the secure SFS (secure file system) according to the model number and SN of the USB flash disk and a random number, encrypts the model number, SN and time of the current USB flash disk to produce the unique security key of the USB flash disk, and returns the encrypted data to the normal OS.
With this embodiment, the device model number and the serial number are used as the device identifier to generate the specified key and the device key, so that the completeness and uniqueness of the device identifier can be ensured and the accuracy of device verification is enhanced.
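The making and later verification of the authorized device described in the embodiments above (specified key generated from model number, serial number and a random number and written once to the OTP; device key from identifier plus timestamp; configuration encrypted with the same key), as an added Go example that is not code from the patent. The patent names no algorithms: HMAC-SHA256 for the key derivation, AES-256-GCM for encryption, the associated-data labels and every identifier here are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// OTP models the one-time programmable region; only secure-OS code touches it.
type OTP struct {
	key     [32]byte
	written bool
}

var ErrOTPWritten = errors.New("OTP already written: an authorized device exists")
var ErrRejected = errors.New("rejected")

// deviceID length-prefixes both fields, so ("AB","C") and ("A","BC") differ.
func deviceID(model, sn string) string {
	return fmt.Sprintf("%d:%s%d:%s", len(model), model, len(sn), sn)
}

// newGCM returns AES-256-GCM (assumed cipher) under the OTP key and refuses
// to work while the OTP is still blank.
func newGCM(otp *OTP) (cipher.AEAD, error) {
	block, err := aes.NewCipher(otp.key[:])
	if err != nil || !otp.written {
		return nil, ErrRejected
	}
	return cipher.NewGCM(block)
}

// seal binds label as associated data, so an encrypted configuration can
// never be accepted as a device key or the other way round.
func seal(otp *OTP, label string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(otp)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

func open(otp *OTP, label string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(otp)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, ErrRejected
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, blob[:n], blob[n:], []byte(label))
}

// Provision is the secure-OS step that makes the authorized device: derive the
// specified key, write it to OTP once, and return the device key for the disk.
func Provision(otp *OTP, model, sn string, now int64) ([]byte, error) {
	if otp.written {
		return nil, ErrOTPWritten
	}
	random := make([]byte, 32)
	if _, err := rand.Read(random); err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, random) // assumed derivation: HMAC-SHA256(random, id)
	mac.Write([]byte(deviceID(model, sn)))
	copy(otp.key[:], mac.Sum(nil))
	otp.written = true
	return seal(otp, "device-key", []byte(deviceID(model, sn)+"@"+strconv.FormatInt(now, 10)))
}

// VerifyDevice opens the device key relayed by the normal OS, matches it to the
// identifier of the plugged-in device, and returns the issue timestamp.
func VerifyDevice(otp *OTP, deviceKey []byte, model, sn string) (int64, error) {
	prefix := deviceID(model, sn) + "@"
	payload, err := open(otp, "device-key", deviceKey)
	if err != nil || !strings.HasPrefix(string(payload), prefix) {
		return 0, ErrRejected
	}
	return strconv.ParseInt(string(payload[len(prefix):]), 10, 64)
}

// SealConfig and OpenConfig protect the saved BMC configuration with the same key.
func SealConfig(otp *OTP, cfg []byte) ([]byte, error)  { return seal(otp, "config", cfg) }
func OpenConfig(otp *OTP, blob []byte) ([]byte, error) { return open(otp, "config", blob) }

func main() {
	otp := &OTP{}
	dk, _ := Provision(otp, "DISK-X1", "SN0001", 1700000000) // constructed sample values
	fmt.Println(VerifyDevice(otp, dk, "DISK-X1", "SN0002"))  // a disk with another serial
}
```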
In some exemplary embodiments, the method further comprises: receiving, by the second operating system, a configuration instruction sent by a first configuration device, where the configuration instruction is used to instruct that the second external device be configured as an authorized device; and sending, by the second operating system, a query request to the first operating system, where the query request is used to query whether an authorized device has been configured for the baseboard management controller. The querying of the one-time programmable region is performed after the query request is received.
Configuring the first external device as an authorized device may be triggered by an operation on the second external device. However, given the limited functionality of the second external device itself, the operations available are limited. For this reason, configuring the first external device as an authorized device may be triggered through an additional configuration device. The connection between the configuration device and the server may be as shown in FIG. 1, which has already been described and is not repeated here.
In this embodiment, the user may connect the second external device to the server, and send a configuration instruction to the server through the first configuration device (a communication connection is established between the second external device and the server) to instruct that the second external device be configured as an authorized device. The configuration instruction may instruct that the currently connected external device be configured as an authorized device; since the currently connected external device is the second external device, the configuration instruction in effect instructs that the second external device be configured as the authorized device.
The second operating system may receive the configuration instruction and, in response, send a query request to the first operating system, where the query request is for querying whether an authorized device has been configured for the baseboard management controller. The first operating system queries the one-time programmable region after receiving the query request.
For example, a user connects a USB storage device to a server and sends a configuration instruction from a computer through management software, instructing that the USB storage device on the server be configured as a one-key recovery U-shield. The normal OS receives the configuration instruction and, in response, sends a query request to the secure OS. The secure OS queries the OTP to determine whether a one-key recovery U-shield has already been made.
In this embodiment, the configuration device sends the configuration instruction to trigger configuring the connected external device as the authorized device, and after receiving the configuration instruction the second operating system triggers the first operating system to query whether an authorized device already exists. This avoids repeated configuration and makes configuration management more standardized.
In some exemplary embodiments, before the configuration instruction sent by the first configuration device is received through the second operating system, the method further includes: displaying an interactive interface of the baseboard management controller on a display screen of the first configuration device, where the interactive interface is an interface for configuring an authorized device for the baseboard management controller and a configuration trigger control is displayed on it; and sending the configuration instruction to the baseboard management controller in response to a trigger operation performed on the configuration trigger control.
In this embodiment, the authorized device may be configured through an interactive interface of the baseboard management controller (e.g., the BMC web human-machine interface). The interactive interface is an interface for configuring the authorized device for the baseboard management controller, and a configuration trigger control (which may be a button, icon, or other interactable control) may be displayed on it. Configuration of the authorized device can be triggered through the configuration trigger control.
The user may run management software (which may be application software, an applet, or a web page) on the first configuration device and, through a certain operation, cause the interactive interface of the baseboard management controller to be displayed on the display screen of the first configuration device. Clicking, double-clicking, long-pressing, or another trigger operation may cause the management software to send the above configuration instruction to the server.
For example, after the BMC completes configuration, the one-key recovery U shield may be initialized. A U disk is connected to the server, and clicking the button for making a one-key recovery U shield on the BMC web human-machine interface triggers making the connected U disk into a one-key recovery U shield.
In this embodiment, device authorization is configured through the configuration trigger control, which simplifies user operation, improves the controllability of the configuration flow and the user experience, and makes the human-machine interaction friendlier.
In some exemplary embodiments, after the one-time programmable area is queried through the first operating system, the method further includes: in the case that a specified key has been written in the one-time programmable area, acquiring second verification information stored by the second external device through the second operating system and verifying the second verification information through the second operating system; in the case that the second verification information passes verification, receiving, through the first operating system, third configuration information transmitted by the second operating system; encrypting the third configuration information with the specified key; and writing the encrypted third configuration information into the second external device through the second operating system for storage.
If configuration information may be stored only at the time an external device is configured as the authorized device, the authorized device holds the configuration as it was at that moment. Compared with restoring factory settings, this preserves the configuration made before that moment, but configuration made after that moment is lost, and reconfiguring it is a complex process in which information is easily lost. For this reason, in this embodiment the configuration information stored in the authorized device is allowed to be updated, and the update may be performed by reconfiguring the device.
Correspondingly, if the specified key is already written in the one-time programmable area, the second operating system may acquire the second authentication information stored by the second external device, and transmit the acquired second authentication information to the first operating system, where the second authentication information may be obtained by encrypting, by the first operating system, the device identifier of the second external device and a certain timestamp (for example, a timestamp of an encryption time or a timestamp of any one of the foregoing possible times) using the specified key. The first operating system may verify the acquired second verification information using a specified key within the one-time programmable region in the same or similar manner as the first verification information using the specified key.
Alternatively, the second authentication information and the device identification of the second external device may be acquired together. In this case, the second authentication information stored by the second external device and the device identification (for example, the aforementioned device model number, serial number, and the like) of the second external device may be acquired by the first operating system via the second operating system. The device identification of the second external device may be used to verify the second verification information or perform other processing operations.
In an optional implementation, when the second external device is connected to the server and is to be configured as an authorized device, and the second external device stores the second verification information, the first operating system receives the second verification information (or the second verification information and the device identifier of the second external device) transmitted by the second operating system and queries the one-time programmable area. If no data has been written in the one-time programmable area, the second verification information can be ignored; alternatively, to improve device utilization and the flexibility of device use, verification information can be regenerated for the second external device based on its device identifier, and the regenerated verification information is sent to the second external device for storage via the second operating system.
As another optional implementation, when the second external device is connected to the server and is to be configured as an authorized device, and the second external device stores the second verification information, the first operating system receives the second verification information (or the second verification information and the device identifier of the second external device) transmitted by the second operating system and queries the one-time programmable area. If a specified key has been written in the one-time programmable area, the specified key can be used to verify the second verification information. When the second verification information and the device identifier of the second external device are acquired together, one way to verify the second verification information is to encrypt the device identifier of the second external device using the specified key and compare whether the encryption result is consistent with the second verification information; other verification methods may also be used, which is not limited in this embodiment.
If the second verification information passes verification, this indicates that the second external device is an authorized device, and the configuration information stored by the authorized device may then be updated. The first operating system may receive third configuration information transmitted by the second operating system. The third configuration information is the configuration information of the baseboard management controller at a second time, where the second time may be a point in time after the system has performed an operation (such as updating or adjusting) and is different from the first time. The first operating system then encrypts the third configuration information using the specified key and transmits the encrypted third configuration information to the second operating system, and the second operating system writes the encrypted third configuration information into the second external device for storage.
In this embodiment, the configuration information stored in the external device is updated only after the verification information (for example, a device key) of the external device has been verified, which improves both the flexibility of configuration information storage and the security of configuration information updates.
In some exemplary embodiments, before the second verification information stored by the second external device is acquired by the first operating system via the second operating system, the method further includes: sending, by the first operating system, a reconfiguration confirmation request to the second configuration device via the second operating system; and, in the case of receiving a reconfiguration confirmation signal returned by the second configuration device in response to the reconfiguration confirmation request, sending, by the first operating system, an information acquisition request to the second external device to request the verification information stored by the second external device.
The obtaining of the second authentication information stored by the second external device may be performed automatically, i.e. the first operating system directly obtains the second authentication information stored by the second external device via the second operating system in case the specified key has been written in the one-time programmable area. In order to improve the reliability of the configuration information update, the obtaining of the second authentication information stored by the second external device may be performed in response to a received reconfiguration confirmation signal indicating confirmation of reconfiguration of the configuration information stored by the second external device.
Correspondingly, before the first operating system obtains the second verification information stored in the second external device through the second operating system, the first operating system may send a reconfiguration confirmation request to the second configuration device through the second operating system, so as to request confirmation of reconfiguration of the configuration information stored in the second external device. The second configuration device may be a device, such as a computer, console, etc., that triggers the configuration of the second external device as an authorized device. It will be appreciated that the reconfiguration confirmation request is sent in order to confirm whether or not a subsequent operation is to be performed, i.e., to reconfigure the configuration information stored by the second external device.
The user may trigger the reconfiguration confirmation signal through a physical key (e.g., the aforementioned designated key) on the second external device or by other means, to confirm reconfiguration of the authentication information stored by the second external device. Similar to the previous embodiments, the first operating system may detect the reconfiguration confirmation signal in a manner similar to the detection of the restoration confirmation signal described above (e.g., the first operating system may access the designated port and determine whether the reconfiguration confirmation signal is detected on the designated port).
After receiving the reconfiguration confirmation signal returned by the second configuration device in response to the reconfiguration confirmation request, the first operating system may send an information acquisition request to the second external device via the second operating system to request the verification information stored by the second external device. If the first operating system does not receive the reconfiguration confirmation signal within a certain time, the user may be assumed not to want to reconfigure the configuration information, and subsequent processing can be omitted, which reduces unnecessary operations.
For example, after a one-key recovery U shield has been initialized, the U shield may be made again. The U disk is connected to the server and the button for making a one-key recovery U shield is clicked on the BMC web human-machine interface. The one-key recovery module of the secure OS queries whether the OTP has been written. If a key has been written, it returns that a U shield has already been made and notifies the normal OS to request the key of the U disk (or the model, SN, and key of the U disk). After verifying that the U shield is legitimate, the secure OS encrypts the configuration data transmitted by the normal OS using the key of the secure SFS written into the OTP and returns the encrypted data to the normal OS. The normal OS writes the encrypted configuration data returned by the secure OS into the U disk and prompts the user that the data cannot be changed or deleted (meaning that the user must not modify or delete it himself).
In this embodiment, the configuration information is reconfigured only after the reconfiguration confirmation signal has been obtained through interaction with the configuration device, which reduces human error and improves the accuracy and efficiency of reconfiguring the configuration information.
In some exemplary embodiments, the specified key may be generated in one or more ways. A random number or pseudo-random number may be used as the specified key, or the specified key may be obtained by hashing the device identifier of the authorized device (the authorized device is a device that is allowed to perform configuration recovery on the baseboard management controller, and its device type is a specific type), or by hashing the device identifier of the authorized device together with other information (for example, a random number, a pseudo-random number, or a timestamp). Hashing is an algorithm that converts data of arbitrary length into a fixed-length value (the hash value); the hash value is unique and changes even if the data changes slightly. In this case, the specified key includes a first hash value obtained by hashing the device identifier of the authorized device.
For example, the normal OS may acquire information such as the model and SN of the U disk and send it to the secure OS. The one-key recovery module of the secure OS generates a hash value from the model and SN of the U disk and a random number, and uses it as the key of the secure SFS.
Optionally, in this embodiment, verifying the first verification information by the first operating system using the specified key stored in the one-time programmable area includes: decrypting the first verification information by the first operating system using the specified key to obtain decrypted verification information, where the decrypted verification information includes a device identification portion; hashing the device identification portion by the first operating system; and comparing the obtained second hash value with the first hash value to verify the device identification portion.
In order to verify the first verification information, the first operating system may decrypt the first verification information using the specified key to obtain decrypted verification information. The manner of decrypting the first verification information corresponds to the manner of encrypting the verification information, and different encryption and decryption manners can be selected according to the use requirement, which is not limited in this embodiment.
The decrypted verification information includes a device identification portion, which can be verified in a number of ways. For example, the device identification portion may be format-checked against a set data format, and if the format check passes, the device identification portion is considered verified. To improve the reliability of data verification, the device identification portion may instead be hashed and the resulting second hash value compared with the first hash value. If the second hash value is the same as the first hash value, the device identification portion is considered verified; if they differ, it is considered not verified.
In this way, the device identifier is verified using its hash value, which ensures the irreversibility of the verification process and the tamper resistance of the device identifier, and enhances the reliability and security of the verification.
In some exemplary embodiments, to improve the reliability of the verification information, the verification information (device identification) of the authorized device may be generated from a device identifier combined with a timestamp, in which case the decrypted verification information further includes a timestamp portion. The timestamp may be a marker recording the point in time at which information was generated or an operation occurred, including year, month, day, time, and similar information.
For example, the secure OS may use the key generated in the OTP to encrypt the current model, SN, and time of the U disk, and return the resulting encrypted data to the normal OS as the unique security key of the U disk. The normal OS writes the obtained encrypted data into the U disk, and may also prompt the user that the key cannot be recovered if it is lost.
Correspondingly, verifying the first verification information by the first operating system using the specified key stored in the one-time programmable area further includes parsing, by the first operating system, the timestamp portion according to a specified time format so as to verify the timestamp portion.
For the timestamp portion, the first operating system may parse it according to a predetermined specified time format. The specified time format may be a standard format prescribed by the system that defines how timestamps are represented and interpreted. For example, the timestamp may be stored in a "year-month-day hour:minute:second" format, which the first operating system uses to parse the content of the timestamp portion.
The first operating system verifies the parsed timestamp, which may include, but is not limited to, checking whether the timestamp is within a reasonable time range, such as within a valid time interval set by the system, or within an acceptable error range from the current system time, etc.
In this embodiment, parsing and verifying the timestamp prevents the timestamp from being tampered with, ensures the timeliness of the device verification information, and prevents the configuration recovery mechanism from being exploited with outdated or malicious information.
In some exemplary embodiments, using the first configuration information to control the second operating system to perform configuration restoration on the baseboard management controller includes decrypting the first configuration information using a specified key to obtain decrypted configuration information, and returning the decrypted configuration information to the second operating system for configuration restoration on the baseboard management controller by the second operating system using the decrypted configuration information.
To ensure the security and reliability of the configuration information, the first configuration information may be encrypted. In this case, the first operating system may decrypt the first configuration information using the specified key. As in the previous embodiments, the specified key is stored in the one-time programmable area and may be accessed only by the first operating system. The first operating system may pass the decrypted configuration information back to the second operating system, which may use it to perform configuration recovery for the baseboard management controller. For example, the decrypted configuration information may include network configuration parameters of the baseboard management controller (e.g., IP address, subnet mask) and hardware monitoring parameters (e.g., temperature thresholds, fan speed control parameters), and the second operating system may reconfigure the corresponding modules and functions of the baseboard management controller based on this information, so that the baseboard management controller returns to the configuration state desired by the user.
For example, after receiving the command requesting one-key configuration restoration sent by the secure OS, the normal OS reads the current encrypted configuration information from the U disk and transmits it to the secure OS for decryption. The secure OS decrypts the encrypted configuration information transferred by the normal OS using the key of the secure SFS written into the OTP and transfers the decrypted configuration information back to the normal OS. After the normal OS receives the decrypted configuration information from the secure OS, it configures the BMC, completing the system one-key recovery function.
In addition, when the first configuration information is unencrypted, the first operating system may send a configuration recovery instruction to the second operating system, and the second operating system obtains the first configuration information from the first external device and uses it directly to perform configuration recovery on the baseboard management controller. Alternatively, when the first operating system detects that the designated key is pressed, it obtains the first configuration information stored in the first external device through the second operating system, checks the first configuration information, and, after the check passes, controls the second operating system to perform configuration recovery on the baseboard management controller using the first configuration information. If the second operating system is able to check configuration information, the second operating system may itself obtain the first configuration information from the first external device, check it, and, after the check passes, use it to perform configuration recovery on the baseboard management controller.
In this embodiment, the configuration information is decrypted inside the first operating system, which keeps the decryption process secure, and the decrypted configuration information is then passed to the second operating system for configuration recovery, so that use of the secured configuration information remains controlled.
In some exemplary embodiments, the method further comprises initiating a security monitoring mode call to the first operating system via the second operating system and communicating first authentication information to the first operating system prior to authenticating the first external device via the first operating system.
The first operating system and the second operating system are highly isolated from each other and are bridged by a security monitoring mode, which connects the two operating systems (the secure world and the non-secure world) and is entered whenever switching between them is required (for example, when functions or data of the secure world are invoked from the non-secure world). In this mode, the system performs a series of security checks and state transition operations to ensure the security of data and operations. For example, it checks whether the call request complies with a preset security policy and correctly switches and protects the hardware resources involved (e.g., register state).
In this embodiment, the second operating system may initiate a security monitoring mode call to the first operating system when the first external device is connected to the server. Taking a baseboard management controller with an ARM processor architecture as an example, the normal OS calls into kernel mode, kernel mode calls into the ATF (ARM Trusted Firmware) through an SMC (Secure Monitor Call, by which a program running in the normal world requests a security service) in an interrupt manner, and execution then enters the secure OS.
The second operating system can acquire first verification information when interacting with the first external device, and the first verification information is used for verifying the validity and the security of the first external device. The second operating system may communicate first authentication information to the first operating system while initiating the security monitoring mode call to the first operating system, so that the first operating system may authenticate the first external device using the first authentication information in the security monitoring mode.
In this embodiment, the second operating system initiates the security monitoring mode call to exchange information securely with the first operating system, which avoids the risk of information leaking during transmission and enhances the security of the information exchange.
The configuration recovery method of the baseboard management controller in the embodiments of the present application is explained below with reference to an optional example. In this optional example, the baseboard management controller is a BMC with an ARM processor architecture; the first operating system is a Secure OS, corresponding to the Secure World; the second operating system is a Normal OS, corresponding to the non-secure world (Normal World); the designated port is a GPIO port; the authorized device is a U shield (one-key recovery U shield); the first external device and the second external device are U disks (a U shield is a U disk that, after authorization, is allowed to perform configuration recovery on the BMC); and the designated key is a one-key recovery confirmation key.
The system framework of the BMC may be as shown in Fig. 3. Based on the division of hardware resources, the baseboard management controller may be divided into a normal world and a secure world, and a U disk (U shield) may be connected to the server (i.e., added to the normal world) through a USB interface. The normal world corresponds to unprotected hardware resources (Unprotected Hardware Resources). It may include a one-key recovery monitoring module running at the EL0 application layer, which monitors insertion of a U shield, triggers the recovery flow, and carries out interactive confirmation with the user, and a baseboard management controller operating system (which may be a Linux system) running at the EL1 system layer, i.e., the normal OS. The EL0 application layer and the EL1 system layer may communicate through SVC (Supervisor Call, a system call that traps into kernel space) interrupts. The normal world and the secure world interact through the EL3 ATF layer. The EL3 ATF layer is the ARM chip security layer; it isolates the normal world and the secure world at the physical level, provides security control, and at the same time provides a secure communication channel between them. The secure world corresponds to protected hardware resources (Protected Hardware Resources). It may include a trusted operating system (Trusted OS), i.e., the secure OS, and trusted applications (TA for short), such as a one-key recovery module that controls the one-key recovery process and a key management module that has access to the one-time programmable area (OTP) and manages the keys stored there. The U disk may be used as an SFS, so the key stored in the one-time programmable area is the key of the secure SFS. The secure OS may access the GPIO corresponding to the one-key recovery confirmation key to determine whether the one-key recovery confirmation key is pressed.
The one-key recovery confirmation key is a physical key on the U shield for confirming that one-key recovery is performed.
Based on the system framework diagram shown in Fig. 3, this optional example provides a secure one-key recovery scheme for a BMC based on TrustZone secure file verification and a USB storage medium. When a U shield is made, a configuration file and an authentication file encrypted by TrustZone can be stored in the USB storage device that serves as the U shield. Because the encryption key is generated from the USB serial number, a one-to-one binding between machine and U shield is guaranteed. In addition, based on the series of security checks and state transition operations performed by the secure OS in the security monitoring mode, both the key required for configuration recovery and the key required for encrypting the configuration file (the aforementioned specified key) are stored in the OTP area accessible to the secure OS, which guarantees the security of the key and of the encrypted data. This mechanism allows the one-key recovery function of the system to be completed securely without network access.
Fig. 4 is a schematic flow chart of an optional process of making a one-key recovery U shield according to an embodiment of the present application. As shown in Fig. 4, the process may include the following steps S401 to S412, where the BMC of the normal world refers to the aforementioned baseboard management controller operating system.
In step S401, after the BMC completes configuration, the one-key recovery U shield is initialized. The user's U disk is connected to the server, and the user clicks the button for making a one-key recovery U shield on the BMC web human-machine interface. In this case, the BMC initializes the one-key recovery U shield.
In step S402, the BMC initiates an SMC call, and sends a query request to the secure OS to query whether the server has made a U-shield.
In step S403, the one-key recovery module of the secure OS queries whether data has been written to the OTP. If data has been written, it returns the query result that a one-key recovery U shield has already been made. If no data has been written, it returns the query result that no one-key recovery U shield has been made, so that information such as the model and SN of the U disk can be requested through the BMC. The requested model, SN, and other information of the U disk are used to generate a key, and the generated key is written into the OTP to ensure that one machine can use only one U shield.
In step S404, the secure OS returns the query result.
In step S405, the BMC sends the obtained information, such as the model and SN of the U disk, to the secure OS; the information may be sent through a key generation command.
In step S406, the one-key recovery module of the secure OS generates a hash value from the model and SN of the U disk and a random number as the key of the secure SFS, and uses that key to encrypt the current model, SN, and time of the U disk, generating encrypted data that serves as the unique security key of the U disk.
In step S407, the secure OS returns the command execution result and the encrypted data.
In step S408, the BMC writes the obtained encrypted data into the usb disk, and prompts the user that the key is lost and cannot be restored to the factory by one key.
In step S409, the BMC initiates a configuration encryption command and transfers the configuration file of the current server (including configuration information related to the BMC) to the secure OS.
Where re-making the U shield is allowed (i.e., updating the configuration information stored in the U shield is allowed), if data has been written in the OTP, which indicates that a one-key recovery U shield has already been made, the secure OS may request the security key of the U disk through the BMC (which may be the key derived in step S406), or may request information such as the model and SN of the U disk, and then re-make the U shield after verifying that it is legitimate. When re-making the U shield, once the U shield has been verified as legitimate, steps S406 to S408 may be skipped and step S409 performed.
In step S410, the secure OS encrypts the configuration file transferred by the BMC using the secure SFS key written to the OTP.
In step S411, the secure OS returns the command execution result and the encrypted configuration file.
In step S412, the BMC writes the encrypted configuration file returned by the secure OS to the USB flash disk and prompts the user that the data cannot be changed or deleted.
Fig. 5 is a schematic diagram of an alternative U-shield one-key recovery flow according to an embodiment of the present application. As shown in Fig. 5, the one-key recovery flow may include the following steps S501 to S512, where the BMC in the general world refers to the aforementioned baseboard management controller operating system.
In step S501, after the one-key recovery U-shield is connected to the server, the one-key recovery process of the BMC detects the connection and obtains the security key of the U-shield from the U-shield.
In step S502, the BMC initiates an SMC call, sends a one-key recovery system request to the secure OS, and transfers the security key of the USB flash disk to the secure OS.
In step S503, after the one-key recovery module of the secure OS detects the one-key recovery system request sent by the BMC, it verifies the security key of the USB flash disk using the key stored in the OTP.
In step S504, if the verification passes, the secure OS issues a one-key recovery confirmation request to the BMC. If the verification fails, the one-key recovery system request is ignored, or a result rejecting the one-key recovery is returned.
In step S505, the BMC receives the one-key recovery confirmation request returned by the secure OS and prompts the user to press the one-key recovery confirmation key. The user may press the one-key recovery confirmation key on the U-shield in response to the prompt.
In step S506, the one-key recovery module of the secure OS detects that the one-key recovery confirmation key has been pressed (through a GPIO that is accessible only to the secure OS).
In step S507, the secure OS issues a command to the BMC requesting one-key restoration of the configuration file.
In step S508, the BMC receives the command for requesting one-key restoration of the configuration file sent by the secure OS, and reads the encrypted configuration file stored in the U-shield.
In step S509, the BMC transfers the encrypted configuration file to the secure OS.
In step S510, the secure OS decrypts the encrypted configuration file transferred by the BMC using the key of the secure SFS written to the OTP.
In step S511, the secure OS returns the decrypted configuration file to the BMC.
In step S512, after receiving the decrypted configuration file returned by the secure OS, the BMC performs configuration recovery on the BMC.
Although the present alternative example is described with respect to a server architecture of a specific platform, the configuration restoration method provided is not limited to the server of the specific platform, and is applicable to servers of other platforms and computer platforms.
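The provisioning steps S403 to S412 and the recovery steps S501 to S512 can be modelled from the secure OS side as below. This is an added example, not code from the patent: the cipher (an HMAC-SHA256 encrypt-then-MAC stand-in, since the page names no algorithm), the OTP layout, the timestamp format, and all class, function and sample names are assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

TS_FORMAT = "%Y%m%dT%H%M%SZ"  # assumed "specified time format"; the page names none


def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def _stream(key, nonce, n):
    blocks = (_prf(key, nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key, label, plaintext):
    """Encrypt-then-MAC stand-in for the cipher the page leaves unspecified."""
    nonce = os.urandom(16)
    ks = _stream(_prf(key, b"enc" + label), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, ks))
    return nonce + ct + _prf(_prf(key, b"mac" + label), nonce + ct)


def unseal(key, label, blob):
    """Verify the tag first; any modified byte raises ValueError."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac" + label), nonce + ct)):
        raise ValueError("authentication tag mismatch")
    ks = _stream(_prf(key, b"enc" + label), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, ks))


class OTP:
    """Write-once region; in the design only the secure OS can reach it."""
    def __init__(self):
        self._data = None

    def is_written(self):
        return self._data is not None

    def write(self, data):
        if self._data is not None:
            raise PermissionError("OTP already programmed")
        self._data = bytes(data)

    def read(self):
        return self._data


class SecureOS:
    def __init__(self, otp, button_pressed):
        self.otp = otp
        self.button_pressed = button_pressed  # models the secure-only GPIO (S506)

    def provision(self, model, sn):
        """S403-S407: bind one USB key to this machine, return its device key."""
        if self.otp.is_written():
            raise PermissionError("a USB key is already bound to this machine")
        dev_id = f"{model}|{sn}".encode()
        key = hashlib.sha256(dev_id + os.urandom(32)).digest()
        # Assumed OTP layout: 32-byte key followed by SHA-256(device id).
        self.otp.write(key + hashlib.sha256(dev_id).digest())
        ts = datetime.now(timezone.utc).strftime(TS_FORMAT).encode()
        return seal(key, b"token", dev_id + b"|" + ts)

    def verify_token(self, token):
        """S503: decrypt, compare the device-id hash, parse the timestamp."""
        if not self.otp.is_written():
            return False
        key, id_hash = self.otp.read()[:32], self.otp.read()[32:]
        try:
            dev_id, _, ts = unseal(key, b"token", token).rpartition(b"|")
            datetime.strptime(ts.decode(), TS_FORMAT)
        except ValueError:
            return False
        return hmac.compare_digest(hashlib.sha256(dev_id).digest(), id_hash)

    def encrypt_config(self, token, config):
        """S409-S410; the token check follows the re-creation case on the page."""
        if not self.verify_token(token):
            raise PermissionError("USB key not recognised")
        return seal(self.otp.read()[:32], b"config", config)

    def restore(self, token, blob):
        """S503-S511: plaintext leaves only after token check and button press."""
        if not self.verify_token(token) or not self.button_pressed():
            return None
        try:
            return unseal(self.otp.read()[:32], b"config", blob)
        except ValueError:
            return None


if __name__ == "__main__":
    pressed = {"state": False}
    tee = SecureOS(OTP(), lambda: pressed["state"])
    token = tee.provision("MODEL-A", "SN-0001")  # constructed sample values
    blob = tee.encrypt_config(token, b"ipv4=192.0.2.10\n")
    print(tee.restore(token, blob))
    pressed["state"] = True
    print(tee.restore(token, blob))
```

The BMC operating system only ever relays the token and the sealed configuration; the key, the hash comparison and the button state stay on the secure OS side of the model.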
With this method, the configuration file and the physical confirmation key of the one-key recovery function of the server BMC are handled within the secure TEE. The configuration file is encrypted with a key internal to the TEE, and it is decrypted and integrity-checked only after verification passes, with hash value comparison used to prevent tampering. The whole configuration recovery process is completed under TEE monitoring and REE intervention is blocked, which ensures the integrity of system firmware and partition writes. In addition, the configuration of the BMC can be restored to a specified point in time without a network connection, which improves the robustness of the server and safeguards the stability of big data services.
From the description of the above embodiments, it will be clear to a person skilled in the art that the method according to the above embodiments may be implemented by means of software plus the necessary general hardware platform, but of course also by means of hardware, but in many cases the former is a preferred embodiment.
According to another aspect of the embodiments of the present application, there is further provided a baseboard management controller, which may be used to implement a configuration recovery method of a baseboard management controller provided in any one of the foregoing embodiments, and will not be described in detail. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
Fig. 6 is a block diagram of an alternative baseboard management controller according to an embodiment of the present application, as shown in fig. 6, with a first operating system 602 and a second operating system 604 running on different hardware resources of the baseboard management controller, the first operating system 602 running in a trusted execution environment.
The first operating system 602 is configured to verify the first external device when the server where the baseboard management controller is located is connected to a first external device of a specified type, and to send a recovery confirmation request to the first external device via the second operating system when the first external device passes the verification, where the specified type is a device type for storing configuration information of the baseboard management controller, and the recovery confirmation request is used to request that configuration recovery be confirmed by pressing a specified key on the first external device.
The second operating system 604 is configured to send the recovery confirmation request to the first external device, and to perform configuration recovery on the baseboard management controller.
According to the embodiment of the application, a first operating system and a second operating system run on different hardware resources of the baseboard management controller, and the first operating system runs in a trusted execution environment. When the server where the baseboard management controller is located is connected to a first external device of a specified type, the first external device is verified by the first operating system, and when the first external device passes the verification, a recovery confirmation request is sent to the first external device via the second operating system, where the specified type is a device type for storing configuration information of the baseboard management controller and the recovery confirmation request is used to request configuration recovery by pressing a specified key on the first external device. When the specified key is pressed, the first operating system acquires, via the second operating system, the first configuration information stored by the first external device and controls the second operating system to perform configuration recovery on the baseboard management controller using the first configuration information. This solves the problem, in configuration recovery methods for a baseboard management controller in the related art, that the configuration file is easily tampered with and the security of the baseboard management controller is therefore poor, and improves the security of the baseboard management controller.
In some exemplary embodiments, the second operating system 604 is further configured to obtain first authentication information stored by the first external device, and transmit the first authentication information to the first operating system 602.
The first operating system 602 is further configured to receive the first authentication information transmitted by the second operating system 604, and authenticate the first authentication information using a specified key stored in the one-time programmable area, where the one-time programmable area only allows the first operating system to access.
In some exemplary embodiments, the designated key is generated from a device identification and a random number of an authorized device, the authorized device being a device that allows configuration recovery of the baseboard management controller, the device type of the authorized device being a designated type.
The first operating system 602 is further configured to query the one-time programmable area when the server accesses the second external device and configures the second external device as an authorized device, obtain, via the second operating system 604, a device identifier of the second external device when no data is written in the one-time programmable area, generate a specified key according to the device identifier and the random number of the second external device, and write the generated specified key in the one-time programmable area.
The second operating system 604 is further configured to obtain a device identifier of the second external device, and transmit the obtained device identifier of the second external device to the first operating system 602.
In some exemplary embodiments, the first operating system 602 is further configured to encrypt the device identifier of the second external device and the current timestamp using the specified key, obtain second authentication information, and transmit the second authentication information to the second operating system 604.
The second operating system 604 is further configured to write the second authentication information to the second external device as a device key of the second external device for storage.
In some exemplary embodiments, the first operating system 602 is further configured to receive second configuration information transferred by the second operating system 604, encrypt the second configuration information with a specified key, and write the encrypted second configuration information to the second external device for storage via the second operating system 604, where the second configuration information is configuration information of the baseboard management controller at the first moment.
The second operating system 604 is further configured to transfer second configuration information to the first operating system 602, and write the encrypted second configuration information to a second external device for storage.
In some exemplary embodiments, the first operating system 602 is further configured to obtain, via the second operating system 604, a device model number of the second external device and a serial number of the second external device, where the device identification of the second external device includes the device model number of the second external device and the serial number of the second external device.
The second operating system 604 is further configured to obtain a device model number of the second external device and a serial number of the second external device, and transfer the obtained device model number of the second external device and the obtained serial number of the second external device to the first operating system 602.
In some exemplary embodiments, the second operating system 604 is further configured to receive a configuration instruction sent by the first configuration device when the server is connected to the second external device, where the configuration instruction is used to instruct that the second external device be configured as an authorized device, and to send a query request to the first operating system 602, where the query request is used to query whether the baseboard management controller has already been configured with an authorized device, and the querying of the one-time programmable area is performed after the query request is received.
In some exemplary embodiments, the first configuration device includes a display screen, where the display screen is configured to display an interactive interface of the baseboard management controller, where the interactive interface is an interface for configuring the authorization device for the baseboard management controller, and a configuration trigger control is displayed on the interactive interface.
And the first configuration device is used for responding to the triggering operation executed on the configuration triggering control and sending a configuration instruction to the baseboard management controller.
In some exemplary embodiments, the first operating system 602 is further configured to obtain, via the second operating system 604, second verification information stored in the second external device and verify the second verification information using the specified key when the specified key is written in the one-time programmable area, and receive third configuration information transmitted by the second operating system 604 when the second verification information passes the verification, encrypt the third configuration information using the specified key, and write the encrypted third configuration information to the second external device via the second operating system 604 for storage, where the third configuration information is configuration information of the baseboard management controller at the second moment.
The second operating system 604 is further configured to obtain second verification information stored in the second external device, and write the encrypted third configuration information into the second external device for storage.
In some exemplary embodiments, the first operating system 602 is further configured to send a reconfiguration confirmation request to the second configuration device via the second operating system 604, where the second configuration device is a device that triggers the second external device to be configured as the authorized device, and send an information acquisition request to the second external device via the second operating system 604 to request to acquire the authentication information stored by the second external device when receiving a reconfiguration confirmation signal returned by the second configuration device in response to the reconfiguration confirmation request.
The second operating system 604 is further configured to send a reconfiguration confirmation request to the second configuration device, and is further configured to send an information acquisition request to the second external device.
In some exemplary embodiments, the designated key includes a first hash value obtained by hashing a device identifier of an authorized device, the authorized device being a device that allows configuration recovery of the baseboard management controller, the device type of the authorized device being a designated type.
The first operating system 602 is further configured to decrypt the first verification information using the specified key to obtain decrypted verification information, where the decrypted verification information includes a device identifier portion, hash the device identifier portion, and compare the obtained second hash value with the first hash value to verify the device identifier portion.
In some exemplary embodiments, the decrypted authentication information further includes a timestamp portion.
The first operating system 602 is further configured to parse the timestamp portion according to a specified time format to verify the timestamp portion.
In some exemplary embodiments, the first operating system 602 is further configured to decrypt the first configuration information using the specified key to obtain decrypted configuration information, and transmit the decrypted configuration information back to the second operating system 604 for configuration recovery of the baseboard management controller by the second operating system 604 using the decrypted configuration information.
The second operating system 604 is further configured to use the decrypted configuration information to perform configuration restoration for the baseboard management controller.
In some exemplary embodiments, the second operating system 604 is further configured to initiate a security monitoring mode call to the first operating system 602 and to communicate first authentication information to the first operating system 602.
In some exemplary embodiments, the first operating system 602 is further configured to access a designated port and determine whether a resume confirm signal is detected from the designated port, where the resume confirm signal is triggered by a designated key being pressed, and the designated port is a port that only allows access by the first operating system 602.
According to still another aspect of the embodiments of the present application, a server is provided, and the server may include a baseboard management controller provided in any one of the foregoing embodiments, which is not described herein. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
The server provided by the embodiment of the application comprises a baseboard management controller, wherein a first operating system and a second operating system are operated on different hardware resources of the baseboard management controller, and the first operating system is operated in a trusted execution environment.
The first operating system is configured to verify the first external device when the server is connected to a first external device of a specified type, and to send a recovery confirmation request to the first external device via the second operating system when the first external device passes the verification, where the specified type is a device type for storing configuration information of the baseboard management controller and the recovery confirmation request is used to request configuration recovery by pressing a specified key on the first external device; and, when the specified key is detected to be pressed, to acquire via the second operating system the first configuration information stored by the first external device and to control the second operating system to perform configuration recovery on the baseboard management controller using the first configuration information.
The second operating system is configured to send the recovery confirmation request to the first external device and to perform configuration recovery on the baseboard management controller.
The server is arranged to run a computer program to perform the steps of any of the configuration restoration method embodiments of the baseboard management controller described above.
It should be noted that each of the above modules may be implemented by software or hardware, and the latter may be implemented by, but not limited to, the above modules all being located in the same processor, or each of the above modules being located in different processors in any combination.
According to a further aspect of the embodiments of the present application, there is provided a computer readable storage medium comprising a stored program, wherein the program when run performs the steps of any of the method embodiments described above.
In one exemplary embodiment, the computer readable storage medium may include, but is not limited to, a USB flash disk, ROM, RAM, a removable hard disk, a magnetic or optical disk, and other nonvolatile storage media (non-transitory storage media) that can store computer programs.
According to a further aspect of an embodiment of the application there is provided an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor being arranged to perform the steps of any of the method embodiments described above by the computer program. In an exemplary embodiment, the electronic device may further include a transmission device connected to the processor, and an input/output device connected to the processor.
Specific examples in this embodiment may refer to the examples described in the foregoing embodiments and the exemplary implementation, and this embodiment is not described herein.
According to yet another aspect of an embodiment of the present application, there is also provided a computer program product comprising a computer program/instruction containing program code for executing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 709, and/or installed from the removable medium 711. When executed by the central processor 701, the computer program performs the various functions provided by embodiments of the present application. The foregoing embodiment numbers of the present application are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
Fig. 7 schematically shows a block diagram of a computer system of an electronic device for implementing an embodiment of the application. As shown in Fig. 7, the computer system 700 includes a CPU (Central Processing Unit) 701 that can perform various appropriate actions and processes according to a program stored in a ROM 702 or a program loaded from a storage portion 708 into a RAM 703. In the random access memory 703, various programs and data necessary for the system operation are also stored. The central processing unit 701, the read only memory 702, and the random access memory 703 are connected to each other via a bus 704. An I/O (Input/Output) interface 705 is also connected to bus 704.
Connected to the I/O interface 705 are an input section 706 including a keyboard, a mouse, and the like; an output section 707 including a CRT (Cathode Ray Tube), an LCD (Liquid Crystal Display), and the like, as well as a speaker and the like; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN card, a modem, and the like. The communication section 709 performs communication processing via a network such as the Internet. The drive 710 is also connected to the input/output interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read therefrom is installed into the storage section 708 as necessary.
In particular, the processes described in the various method flowcharts may be implemented as computer software programs according to embodiments of the application. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 709, and/or installed from the removable medium 711. The computer programs, when executed by the central processor 701, perform the various functions defined in the system of the present application.
It should be noted that, the computer system 700 of the electronic device shown in fig. 7 is only an example, and should not impose any limitation on the functions and the application scope of the embodiments of the present application.
It will be appreciated by those skilled in the art that the modules or steps of the application described above may be implemented in a general purpose computing device, and may be concentrated on a single computing device or distributed across a network of computing devices. They may be implemented in program code executable by computing devices, so that they may be stored in a memory device for execution by computing devices. In some cases, the steps shown or described may be performed in a different order than herein, or they may be separately fabricated into individual integrated circuit modules, or multiple modules or steps within them may be fabricated into a single integrated circuit module. Thus, the present application is not limited to any specific combination of hardware and software.
The above is only a preferred embodiment of the present application, and is not intended to limit the present application, but various modifications and variations can be made to the present application by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the principle of the present application should be included in the protection scope of the present application.
Claims (20)
1. The configuration recovery method of the baseboard management controller is characterized in that a first operating system and a second operating system are operated on different hardware resources of the baseboard management controller, the first operating system is operated in a trusted execution environment, and the method comprises the following steps:
when a server where the baseboard management controller is located is connected to a first external device of a specified type, verifying the first external device through the first operating system, and sending a recovery confirmation request to the first external device through the second operating system when the first external device passes the verification, wherein the specified type is a device type for storing configuration information of the baseboard management controller, and the recovery confirmation request is used for requesting configuration recovery by pressing a specified key on the first external device;
and, under the condition that the specified key is pressed, acquiring, by the first operating system via the second operating system, first configuration information stored by the first external device, and controlling the second operating system to perform configuration recovery on the baseboard management controller by using the first configuration information.
2. The method of claim 1, wherein the verifying, by the first operating system, the first external device comprises:
verifying the first verification information by the first operating system by using a specified key stored in a one-time programmable area, wherein the one-time programmable area only allows the first operating system to access.
3. The method of claim 2, wherein the specified key is generated from a device identification and a random number of an authorized device, the authorized device being a device that allows configuration recovery of the baseboard management controller, the authorized device being of the specified type;
before the first verification information stored by the first external device and transferred by the second operating system is received by the first operating system, the method further includes:
querying the one-time programmable area through the first operating system under the condition that the server is connected to a second external device and the second external device is configured as the authorized device;
and under the condition that no data is written in the one-time programmable area, acquiring the device identifier of the second external device through the second operating system by the first operating system, generating the specified key according to the device identifier of the second external device and the random number, and writing the generated specified key into the one-time programmable area.
4. A method according to claim 3, wherein after said generating said specified key from said random number and said device identification of said second external device, said method further comprises:
encrypting the device identifier of the second external device and the current timestamp by using the specified key through the first operating system to obtain second verification information, and writing the second verification information, serving as the device key of the second external device, into the second external device through the second operating system for storage.
5. A method according to claim 3, wherein after said generating said specified key from said random number and said device identification of said second external device, said method further comprises:
receiving second configuration information transmitted by the second operating system through the first operating system, encrypting the second configuration information by using the specified key, and writing the encrypted second configuration information into the second external device for storage through the second operating system, wherein the second configuration information is the configuration information of the baseboard management controller at the first moment.
6. A method according to claim 3, wherein said obtaining, by the first operating system, the device identification of the second external device via the second operating system, comprises:
acquiring the device model number of the second external device and the serial number of the second external device through the second operating system by the first operating system, wherein the device identifier of the second external device comprises the device model number of the second external device and the serial number of the second external device.
7. A method according to claim 3, characterized in that the method further comprises:
receiving a configuration instruction sent by a first configuration device through the second operating system under the condition that the server is connected to the second external device, wherein the configuration instruction is used for indicating that the second external device is to be configured as the authorized device;
and sending a query request to the first operating system through the second operating system, wherein the query request is used for querying whether the baseboard management controller has already been configured with the authorized device, and the querying of the one-time programmable area is performed after the query request is received.
8. The method of claim 7, wherein prior to receiving the configuration instruction sent by the first configuration device via the second operating system, the method further comprises:
displaying an interactive interface of the baseboard management controller on a display screen of the first configuration device, wherein the interactive interface is an interface for configuring the authorization device for the baseboard management controller, and a configuration trigger control is displayed on the interactive interface;
and responding to the triggering operation executed on the configuration triggering control, and sending the configuration instruction to the baseboard management controller.
9. The method of claim 3, wherein after said querying the one-time programmable region by the first operating system, the method further comprises:
acquiring second verification information stored by the second external device through the second operating system by the first operating system under the condition that the specified key is written in the one-time programmable area, and verifying the second verification information by using the specified key;
and under the condition that the second verification information passes verification, receiving third configuration information transmitted by the second operating system through the first operating system, encrypting the third configuration information by using the specified key, and writing the encrypted third configuration information into the second external device for storage through the second operating system, wherein the third configuration information is the configuration information of the baseboard management controller at a second moment.
10. The method of claim 9, wherein prior to the obtaining, by the first operating system via the second operating system, second authentication information stored by the second external device, the method further comprises:
Sending, by the first operating system, a reconfiguration confirmation request to a second configuration device via the second operating system, wherein the second configuration device is a device that triggers configuration of the second external device as the authorization device;
And under the condition that a reconfiguration confirmation signal returned by the second configuration device in response to the reconfiguration confirmation request is received, sending an information acquisition request to the second external device through the first operating system by the second operating system so as to request to acquire verification information stored by the second external device.
11. The method according to claim 2, wherein the specified key includes a first hash value obtained by hashing a device identifier of an authorized device, the authorized device being a device that allows configuration recovery of the baseboard management controller, the device type of the authorized device being the specified type;
said verifying, by the first operating system, the first verification information using a specified key stored in a one-time programmable region comprises:
decrypting, by the first operating system, the first verification information using the specified key to obtain decrypted authentication information, wherein the decrypted authentication information includes a device identification portion;
and hashing, by the first operating system, the device identification portion, and comparing the resulting second hash value with the first hash value to verify the device identification portion.
12. The method of claim 11, wherein the decrypted authentication information further comprises a timestamp portion;
the verifying, by the first operating system, the first verification information using a specified key stored in a one-time programmable region further comprises:
parsing, by the first operating system, the timestamp portion according to a specified time format so as to verify the timestamp portion.
13. The method of claim 2, wherein the controlling the second operating system to perform configuration restoration for the baseboard management controller using the first configuration information comprises:
decrypting the first configuration information using the specified key to obtain decrypted configuration information;
and transmitting the decrypted configuration information back to the second operating system, so that the second operating system performs configuration recovery of the baseboard management controller using the decrypted configuration information.
14. The method of claim 2, wherein prior to said authenticating the first external device by the first operating system, the method further comprises:
and initiating a security monitoring mode call to the first operating system through the second operating system, and transmitting the first verification information to the first operating system.
15. The method according to any one of claims 1 to 14, wherein after the sending of a recovery confirmation request to the first external device via the second operating system, the method further comprises:
accessing a designated port through the first operating system, and determining whether a recovery confirmation signal is detected from the designated port, wherein the recovery confirmation signal is triggered by the designated key being pressed, and the designated port is a port that only the first operating system is allowed to access.
16. A baseboard management controller, characterized in that a first operating system and a second operating system run on different hardware resources of the baseboard management controller, and the first operating system runs in a trusted execution environment, wherein,
the first operating system is used for verifying a first external device of a specified type when the server where the baseboard management controller is located is connected to the first external device, and for sending a recovery confirmation request to the first external device through the second operating system when the first external device passes the verification, wherein the specified type is a device type used for storing configuration information of the baseboard management controller, and the recovery confirmation request is used for requesting that configuration recovery be confirmed by pressing a specified key on the first external device;
the second operating system is used for sending the recovery confirmation request to the first external device and for carrying out configuration recovery on the baseboard management controller.
17. A server, characterized by comprising a baseboard management controller, wherein a first operating system and a second operating system run on different hardware resources of the baseboard management controller, and the first operating system runs in a trusted execution environment, wherein,
the first operating system is used for verifying a first external device of a specified type when the server is connected to the first external device, and for sending a recovery confirmation request to the first external device through the second operating system when the first external device passes the verification, wherein the specified type is a device type used for storing configuration information of the baseboard management controller, and the recovery confirmation request is used for requesting that configuration recovery be confirmed by pressing a specified key on the first external device;
the second operating system is used for sending the recovery confirmation request to the first external device and for carrying out configuration recovery on the baseboard management controller.
18. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the method of any one of claims 1 to 15 when executing the computer program.
19. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a computer program, wherein the computer program, when executed by a processor, implements the method of any of claims 1 to 15.
20. A computer program product comprising a computer program, characterized in that the computer program, when executed by a processor, implements the method of any one of claims 1 to 15.
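The verification steps of claims 11 and 12 (decrypt, hash the device identification portion, compare with the first hash value, parse the timestamp) can be sketched as follows. This is an added example, not code from the patent: the plaintext layout, the time format, the use of SHA-256, the key being exactly the first hash value, and the keystream cipher (a standard-library stand-in, since the claims name no cipher) are all assumptions.

```python
import hashlib
import hmac
from datetime import datetime

TS_FORMAT = "%Y%m%d%H%M%S"  # assumption: the "specified time format"
ID_LEN, TS_LEN = 16, 14     # assumption: fixed-width fields in the plaintext

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with a SHA-256 counter keystream.
    Encrypts and decrypts; real firmware would use a vetted cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def verify_first_info(otp_key: bytes, blob: bytes):
    """Return the parsed timestamp if the blob verifies, else None."""
    plain = keystream_xor(otp_key, blob)            # claim 11: decrypt
    if len(plain) != ID_LEN + TS_LEN:
        return None
    device_id, ts_raw = plain[:ID_LEN], plain[ID_LEN:]
    second_hash = hashlib.sha256(device_id).digest()
    # claim 11: compare the second hash with the first hash held in OTP
    if not hmac.compare_digest(second_hash, otp_key):
        return None
    try:                                            # claim 12: timestamp
        return datetime.strptime(ts_raw.decode("ascii"), TS_FORMAT)
    except (UnicodeDecodeError, ValueError):
        return None

# Constructed sample data (not from the patent).
AUTH_ID = b"AUTHDEV-00000001"
OTP_KEY = hashlib.sha256(AUTH_ID).digest()          # first hash value
GOOD = keystream_xor(OTP_KEY, AUTH_ID + b"20250506120000")
ROGUE_ID = b"ROGUEDEV-0000002"
ROGUE = keystream_xor(hashlib.sha256(ROGUE_ID).digest(),
                      ROGUE_ID + b"20250506120000")
BAD_TS = keystream_xor(OTP_KEY, AUTH_ID + b"2025-05-06 12:")

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("rogue", ROGUE), ("bad_ts", BAD_TS)):
        print(name, verify_first_info(OTP_KEY, blob))
```

In this sketch only the device identification portion is bound to the key by the hash comparison; an authenticated cipher in place of the stand-in would also protect the timestamp from modification.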
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202510574120.0A CN120086834B (en) | 2025-05-06 | 2025-05-06 | Configuration recovery method of baseboard management controller and baseboard management controller |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN120086834A (en) | 2025-06-03 |
| CN120086834B (en) | 2025-07-15 |
Family
ID=95847809
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202510574120.0A Active CN120086834B (en) | 2025-05-06 | 2025-05-06 | Configuration recovery method of baseboard management controller and baseboard management controller |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN120086834B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN120408579B (en) * | 2025-06-30 | 2025-10-21 | 苏州元脑智能科技有限公司 | Security authentication method, baseboard management controller, storage medium, and program product |
| CN120509025B (en) * | 2025-07-16 | 2025-10-17 | 苏州元脑智能科技有限公司 | Device authentication method and device, storage medium and electronic device |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102880527A (en) * | 2011-07-13 | 2013-01-16 | 英业达股份有限公司 | Data recovery method of baseboard management controller |
| CN103885869A (en) * | 2012-12-20 | 2014-06-25 | 鸿富锦精密工业(深圳)有限公司 | Substrate management controller safety protection system and method |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN119645683A (en) * | 2024-11-27 | 2025-03-18 | 苏州元脑智能科技有限公司 | In-band communication method and device, computer equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN120086834A (en) | 2025-06-03 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||