CN106341224A - Customized server-based TCM application system and system guidance method - Google Patents
Customized server-based TCM application system and system guidance method Download PDFInfo
- Publication number
- CN106341224A CN106341224A CN201610573108.9A CN201610573108A CN106341224A CN 106341224 A CN106341224 A CN 106341224A CN 201610573108 A CN201610573108 A CN 201610573108A CN 106341224 A CN106341224 A CN 106341224A
- Authority
- CN
- China
- Prior art keywords
- module
- trusted
- tcm
- credible
- application system
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0877—Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/40—Support for services or applications
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Multimedia (AREA)
- Stored Programmes (AREA)
Abstract
The invention discloses a customized server-based TCM application system and a guidance method thereof. The customized server-based TCM application system is characterized in that the TCM application system comprises a trusted root module, a trusted hardware layer module, a trusted operating system and a trusted application system. The customized server-based TCM application system guidance method is based on the customized server-based TCM application system. According to the customized server-based TCM application system and system guidance method of the invention, application research is carried out on TCM trusted computation based on the customized server of the State Grid Corporation of China, how to modify parts in the transfer of a trusted chain is researched; based on analysis on the startup process of the system, it is found that a trusted BIOS module and a trusted MBR module can be modified in a customized manner; with a trusted BIOS adopted as a trusted root, a trusted relation is transferred to a trusted MBR, and the trusted relation is finally transferred to the trusted application system; by means of the double credibility authentication of the BIOS and the MBR, the credibility of the BIOS and MBR which have been modified in a customized manner can be fully utilized; and therefore, some problems appearing when only single expansion is performed on the BIOS can be solved, and the security and credibility of the system can be achieved.
Description
Technical field
The present invention relates to a kind of tcm application system based on customization server and system boot method, more particularly, to one
Plant the high tcm application system based on customization server of information security controllability and system boot method.
Background technology
After continuous reinforcement information security realized with country, particularly " prism door " event occur, entirely country opens
Begin to carry forward vigorously raising information technology independently controlled ability.The commonly used external product of existing it architecture, independently controlled
Property is poor, is unfavorable for realizing the safely controllable of information system.The propulsion changed with it architecture, particularly " goes in recent years
Ioe " develops rapidly, and domestic large-scale central enterprise, finance, medical treatment, communication common carrier are in order to improve the safety of system, service application system
System all carries out x86 replacement for small machine with level in all fields, distributed storage substitutes the engineering of centralised storage, but is because
The advance of technology, the diversity of system with implement to require different, current industry it framework lacks unified, authoritative specification and refers to
Lead, be the big concentration of operation system, unitized construction brings hidden danger.Therefore pass through to customize server, formulate enterprise-level portion
Management side case, carries out the trust computing applied research customizing server, enhancing key technology is independently controlled and ensures information safety
Ability necessary.
Content of the invention
The technical problem to be solved is to provide a kind of tcm application system based on customization server and system
Bootstrap technique, has the characteristics that information security controllability is high.
For solving above-mentioned technical problem, the technical scheme is that a kind of application based on the tcm customizing server is
System, its innovative point is: described tcm application system is included credible root module and is connected by chain-of-trust with described credible root module
The trusted operating system that is connected by chain-of-trust with described reliable hardware layer module of reliable hardware layer module credible with described
The trusted application system that operating system is connected by chain-of-trust, described trusted operating system is credible mbr module, described credible hard
The credible bios module that part layer module include tcm chip module, is connected by lpc interface with described tcm chip module with described
Tcm chip module passes through the processor platform that bus is connected.
Preferably, described tcm chip is provided with i/o interface, tandom number generator, enforcement engine module, non-volatile deposits
Reservoir, volatile memory, other engine modules.
Preferably, described credible bios module include credible deployment module, credible metric module, authentication module, can
Letter recovery module, tcm driver module.
Preferably, the bus between described tcm chip module and described processor platform is connected as three bus runs, bag
Include and realize high-speed communication pci-e bus run, realize signal transmission and the gpio bus run controlling, realize data interaction
Lpc bus run.
Preferably, described trusted operating system includes initialization installation module, SIM, trusted bootstrap mould
Block.
A kind of system boot method based on customization server, based on a kind of based on the tcm application customizing server
System is it is characterised in that comprise the following steps:
Step a: before os starting, carry out the credible bios module of authenticating user identification and credible mbr module;
Step b: processor platform powers up, credible bios module starts to execute, and carries out power-on self-test, to reliable hardware layer mould
Various hardware devices in block are monitored and connect;
Step c: after credible bios module self-inspection terminates, according to the boot sequence setting of cmos, read in from guiding equipment
Boot loader, subsequently enters first order mbr of boot loader;
After step d:mbr starts execution, it will load the second level of boot loader, the i.e. load module of operating system;
Step e: operating system loading program will be loaded into operating system nucleus, then operating system nucleus start execute.
It is an advantage of the current invention that: the present invention is based on State Grid Corporation of China's customization server and tcm trust computing is carried out
Applied research, from trusted root, chain-of-trust, how research modifies to the part in chain-of-trust transmission, by analysis
System starting process finds, credible bios module and credible mbr module can be customized changing, be credible with credible bios
Root, then transmits trusted relationships to credible mbr, is ultimately transferred to trusted application system, dual credible using bios and mbr is tested
Card, can make full use of the credibility of bios and mbr after custom-modification, eliminate and exist when only bios being carried out with single extension
Some problems, finally realize the secure and trusted of system.
Brief description
The present invention is further detailed explanation with reference to the accompanying drawings and detailed description.
Fig. 1 is application system in a kind of tcm application system based on customization server of the present invention and system boot method
Structural representation;
Fig. 2 is application system in a kind of tcm application system based on customization server of the present invention and system boot method
Customization server rack composition;
Fig. 3 is application system in a kind of tcm application system based on customization server of the present invention and system boot method
The schematic diagram of credible bios module;
Fig. 4 is application system in a kind of tcm application system based on customization server of the present invention and system boot method
The schematic diagram of credible mbr module.
Specific embodiment
The tcm application system based on customization server of the present invention, is passed through with credible root module including credible root module
The trusted operating system that is connected by chain-of-trust with reliable hardware layer module of reliable hardware layer module that chain-of-trust connects and can
The trusted application system that letter operating system is connected by chain-of-trust, trusted operating system is credible mbr module, reliable hardware layer mould
Block is included tcm chip module, the credible bios module being connected by lpc interface with tcm chip module and tcm chip module and leads to
Cross the processor platform that bus is connected.
Be provided with above-mentioned tcm chip i/o interface, tandom number generator, enforcement engine module, nonvolatile storage,
Volatile memory, other engine modules.Tcm is the hardware module of credible calculating platform, provides password for credible calculating platform
Calculation function.I/o interface is the input/output interface of tcm, and tandom number generator is used for producing random number, enforcement engine module
It is computing performance element, nonvolatile storage is used for depositing of permanent data, volatile memory is used for depositing of ephemeral data,
Other engine modules are the arithmetic elements such as password, signature.
Above-mentioned credible bios module includes credible deployment module, credible metric module, authentication module, trusted recovery
Module, tcm driver module.The basic function of credible bios module is detection and the initial setting up of system hardware platform, outward
Connect scanning and the drive load of equipment, setting starts configuration and system bootstrap routine loading etc..In basic function, to bios portion
Divide and add trusted function, increased credible deployment module, credible metric module, authentication module, trusted recovery module, tcm
Driver module.Credible deployment module allows manager to carry out measure object setting, and related base values are stored for
Checking, thus judge system credibility.Credible metric module obtains environmental correclation parameter, configuration information, file statuss etc. and carries out
Tcm integrity measurement.Authentication module carries out cryptographic check to the identity starting user, thus realizing the confidentiality of system.
Trusted recovery modular system manager back up to trusted status, when mistake or abnormal conditions, carries out reference value
Recover.
Bus between above-mentioned tcm chip module and processor platform is connected as three bus runs, high including realizing
Speed communication pci-e bus run, realize signal transmission with control gpio bus run, realize data interaction lpc bus lead to
Road.The pith of reliable hardware layer is tcm chip module, is attached with bios by lpc interface, tcm chip after upper electricity
There is provided credible tolerance for bios it is ensured that bios's is credible.Processor platform realizes high-speed communication by pci-e bus, and tcm utilizes
Gpio carries out signal transmission and control to processor platform, realizes the start-up course after credible tolerance.Lpc interface provides tcm core
Piece and bios, processor platform carry out the function of data interaction.Reliable hardware layer provides trusted service for trusted software layer, will believe
Appoint relation transmission to operating system, finally realize the credible of application program.
Above-mentioned trusted operating system includes initialization and installs module, SIM, trusted boot module.Just
Beginningization installs module: user carries out credible installation and configuration by simple graphical interfaces, implements carefully without understanding bottom
Section, control system credibility on the whole.User carries out initialization and installs configuration, and the process of implementing is: first by user's body
Part Validation Code embeds in mbr, carries out Hash operation to mbr, and result is stored in formulation position.Afterwards with same side
Formula, carries out Hash operation to stage2, operating system nucleus etc. and stores.These Hash result can be credible as reference value
Carry out comparison inspection after calculating, credibility is judged with this.SIM: because mbr code only has 512 bytes, embedding
The code entering can not affect mbr normal function it is desirable to embedded code is short and pithy, to ensure the credibility of system.Credible draw
Guide module: in bootup process, the cryptographic Hash calculating and reference value are compared, if the same mbr user checks code
It is not modified with stage1, by transitive trust to stage2.Stage2 is carried out Hash operation and is compared with reference value, if one
Cause then to load stage2 and continue transmission credibility.After stage2 loads start-up parameter, integrity is carried out to operating system nucleus
Verification, if success, completes the transmission of chain-of-trust, starts trusted system.
A kind of system boot method based on customization server, based on a kind of based on the tcm application customizing server
System is it is characterised in that comprise the following steps: step a: before os starting, carries out the credible bios of authenticating user identification
Module and credible mbr module;Step b: processor platform powers up, credible bios module starts to execute, and carries out power-on self-test, to can
Various hardware devices in letter hardware layer module are monitored and connect;Step c: after credible bios module self-inspection terminates, according to
The boot sequence setting of cmos, reads in boot loader from guiding equipment, subsequently enters the first order of boot loader
mbr;After step d:mbr starts execution, it will load the second level of boot loader, the i.e. load module of operating system;Step
E: operating system loading program will be loaded into operating system nucleus, then operating system nucleus start execute.Open in operating system
Before dynamic, that function can be extended and provide authenticating user identification is bios and mbr.Trust authentication is carried out to bios it is ensured that
Its integrity, both can provide trusted root for the mbr of chain-of-trust next stage, when trusted relationships continue transmission along chain-of-trust,
After mbr carries out trust authentication, its integrity provides credible base for os starting, therefore credible to bios and mbr
Research, is highly important for guarantee the credible of system.
The foregoing is only the preferred embodiments of the present invention, be not limited to the present invention, although with reference to aforementioned reality
Apply example the present invention has been described in detail, for a person skilled in the art, it still can be to aforementioned each enforcement
Technical scheme described in example is modified, or carries out equivalent to wherein some technical characteristics.All essences in the present invention
Within god and principle, any modification, equivalent substitution and improvement made etc., should be included within the scope of the present invention.
Claims (6)
1. a kind of based on customize server tcm application system it is characterised in that: described tcm application system includes trusted root
The reliable hardware layer module that module is connected by chain-of-trust with described credible root module and described reliable hardware layer module are passed through
The trusted application system that the trusted operating system that chain-of-trust connects is connected by chain-of-trust with described trusted operating system, described
Trusted operating system is credible mbr module, and described reliable hardware layer module includes tcm chip module and described tcm chip module
The credible bios module being connected by lpc interface, the processor platform being connected by bus with described tcm chip module.
2. as claimed in claim 1 a kind of based on customize server tcm application system it is characterised in that: described credible
Bios module includes credible deployment module, credible metric module, authentication module, trusted recovery module, tcm driver mould
Block.
3. as claimed in claim 1 a kind of based on customize server tcm application system it is characterised in that: described tcm core
Bus between piece module and described processor platform is connected as three bus runs, including realizing high-speed communication pci-e bus
Passage, realize signal transmission and the gpio bus run controlling, realize the lpc bus run of data interaction.
4. as claimed in claim 1 a kind of based on customize server tcm application system it is characterised in that: described credible
Operating system includes initialization and installs module, SIM, trusted boot module.
5. as claimed in claim 1 a kind of based on customize server tcm encryption application system it is characterised in that: institute
State trusted application system to include reporting work system module, marketing module, synergetic office work module, erp module, financial system module, enterprise
Industry portal module.
6. a kind of based on the system boot method customizing server, based on described in claim 1 to 6 any of which one
The tcm application system based on customization server for the kind is it is characterised in that comprise the following steps:
Step a: before os starting, carry out the credible bios module of authenticating user identification and credible mbr module;
Step b: processor platform powers up, credible bios module starts to execute, and carries out power-on self-test, in reliable hardware layer module
Various hardware devices be monitored and connect;
Step c: after credible bios module self-inspection terminates, according to the boot sequence setting of cmos, boot is read in from guiding equipment
Loader, subsequently enters first order mbr of boot loader;
After step d:mbr starts execution, it will load the second level of boot loader, the i.e. load module of operating system;
Step e: operating system loading program will be loaded into operating system nucleus, then operating system nucleus start execute.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610573108.9A CN106341224A (en) | 2016-07-20 | 2016-07-20 | Customized server-based TCM application system and system guidance method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610573108.9A CN106341224A (en) | 2016-07-20 | 2016-07-20 | Customized server-based TCM application system and system guidance method |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN106341224A true CN106341224A (en) | 2017-01-18 |
Family
ID=57824180
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610573108.9A Pending CN106341224A (en) | 2016-07-20 | 2016-07-20 | Customized server-based TCM application system and system guidance method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106341224A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111338997A (en) * | 2020-03-05 | 2020-06-26 | 苏州浪潮智能科技有限公司 | Method, device, equipment and medium for ARM server BIOS supporting TCM communication |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101281577A (en) * | 2008-05-16 | 2008-10-08 | 北京工业大学 | Dependable computing system capable of protecting BIOS and method of use thereof |
| CN101458743A (en) * | 2007-12-12 | 2009-06-17 | 中国长城计算机深圳股份有限公司 | Method for protecting computer system |
| CN101794362A (en) * | 2010-01-22 | 2010-08-04 | 华北计算技术研究所 | Trusted computation trust root device for computer and computer |
| CN102332070A (en) * | 2011-09-30 | 2012-01-25 | 中国人民解放军海军计算技术研究所 | Trust chain transfer method for trusted computing platform |
| CN103927490A (en) * | 2014-04-25 | 2014-07-16 | 华为技术有限公司 | OS secure startup method and device |
-
2016
- 2016-07-20 CN CN201610573108.9A patent/CN106341224A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101458743A (en) * | 2007-12-12 | 2009-06-17 | 中国长城计算机深圳股份有限公司 | Method for protecting computer system |
| CN101281577A (en) * | 2008-05-16 | 2008-10-08 | 北京工业大学 | Dependable computing system capable of protecting BIOS and method of use thereof |
| CN101794362A (en) * | 2010-01-22 | 2010-08-04 | 华北计算技术研究所 | Trusted computation trust root device for computer and computer |
| CN102332070A (en) * | 2011-09-30 | 2012-01-25 | 中国人民解放军海军计算技术研究所 | Trust chain transfer method for trusted computing platform |
| CN103927490A (en) * | 2014-04-25 | 2014-07-16 | 华为技术有限公司 | OS secure startup method and device |
Non-Patent Citations (2)
| Title |
|---|
| TRUST-BO: "可信引导", 《CSDN博客HTTPS://BLOG.CSDN.NET/TRUSTBO/ ARTICLE/DETAILS/9292011》 * |
| 朱小波: "基于TCM的国产可信计算机的设计", 《信息技术》 * |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111338997A (en) * | 2020-03-05 | 2020-06-26 | 苏州浪潮智能科技有限公司 | Method, device, equipment and medium for ARM server BIOS supporting TCM communication |
| US11669477B2 (en) | 2020-03-05 | 2023-06-06 | Inspur Suzhou Intelligent Technology Co., Ltd. | Method and apparatus for supporting TCM communication by BIOS of ARM server, device, and medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN106656502B (en) | Computer system and method for secure execution | |
| US10885197B2 (en) | Merging multiple compute nodes with trusted platform modules utilizing authentication protocol with active trusted platform module provisioning | |
| US20070180509A1 (en) | Practical platform for high risk applications | |
| KR101190479B1 (en) | Ticket authorized secure installation and boot | |
| CN100454324C (en) | Embed type platform guiding of credible mechanism | |
| CN105205401B (en) | Trusted computer system and its trusted bootstrap method based on security password chip | |
| DE102020122712A1 (en) | INTEGRITY MANIFESTO CERTIFICATE | |
| CN107506663A (en) | Server security based on credible BMC starts method | |
| CN102208000A (en) | Method and system for providing security mechanisms for virtual machine images | |
| KR20160138063A (en) | Techniques to operate a service with machine generated authentication tokens | |
| CN103927490A (en) | OS secure startup method and device | |
| US11354417B2 (en) | Enhanced secure boot | |
| US20200099536A1 (en) | Merging multiple compute nodes with trusted platform modules utilizing provisioned node certificates | |
| US10181956B2 (en) | Key revocation | |
| EP3859579B1 (en) | Trusted computing method, and server | |
| CN105117651B (en) | A kind of method, method and device of software packet upgrade for controlling veneer clean boot | |
| CN104484594B (en) | A kind of franchise distribution method of the Linux system based on capability mechanism | |
| CN105488418B (en) | trusted starting method and system of virtualization platform server | |
| CN103049293B (en) | A kind of startup method of embedded credible system | |
| CN104268477A (en) | Safety control method and network device | |
| CN115934194A (en) | Controller starting method and device, electronic equipment and storage medium | |
| CN115344871A (en) | Confidential computing environment construction method and system based on ARM architecture | |
| Gallery et al. | Trusted computing: Security and applications | |
| CN108021798A (en) | A kind of trusted operating system based on USBkey | |
| Zimmer et al. | Establishing the root of trust |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20170118 |